From a18df0a91ebb790d40468a81c14afe2a30f234ad Mon Sep 17 00:00:00 2001 From: kidkender Date: Thu, 23 Apr 2026 17:31:47 +0700 Subject: [PATCH] =?UTF-8?q?feat:=20release=20v1.0.7=20=E2=80=94=20Claude?= =?UTF-8?q?=20Code=20&=20Cursor=20agent=20addons?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add --claude-code and --cursor addons that inject pre-configured AI agent skills into generated projects. Both addons bundle relevant skills from the everything-claude-code collection, enabling any developer to use Claude Code or Cursor agent with full project context immediately after scaffolding. - Claude Code addon: CLAUDE.md + .claude/skills/ (SKILL.md per skill) - Cursor addon: .cursor/skills/ (skill.md per skill, same content) - Interactive multiselect prompt when neither flag is passed - Node.js skills: backend-patterns, api-design, database-migrations, docker-patterns, security-review, tdd-workflow, deployment-patterns - Python skills: python-patterns, python-testing, backend-patterns, postgres-patterns, database-migrations, docker-patterns, security-review - Fix integration snapshot tests: mockFs.exists now returns true for template paths so addon conditions evaluate correctly --- .gitignore | 6 + CHANGELOG.md | 11 + README.md | 7 + cli/command/index.ts | 2 + cli/prompts.ts | 23 +- package.json | 2 +- plugins/node/config.ts | 2 +- plugins/node/index.ts | 19 + .../.claude/skills/api-design/SKILL.md | 523 +++++++++++ .../.claude/skills/backend-patterns/SKILL.md | 598 +++++++++++++ .../skills/database-migrations/SKILL.md | 429 +++++++++ .../skills/deployment-patterns/SKILL.md | 427 +++++++++ .../.claude/skills/docker-patterns/SKILL.md | 364 ++++++++ .../.claude/skills/security-review/SKILL.md | 495 +++++++++++ .../.claude/skills/tdd-workflow/SKILL.md | 463 ++++++++++ .../template/addons/claude-code/CLAUDE.md | 58 ++ .../cursor/.cursor/skills/api-design/skill.md | 523 +++++++++++ .../.cursor/skills/backend-patterns/skill.md | 598 +++++++++++++ .../skills/database-migrations/skill.md | 429 +++++++++ .../skills/deployment-patterns/skill.md | 427 +++++++++ .../.cursor/skills/docker-patterns/skill.md | 364 ++++++++ .../.cursor/skills/security-review/skill.md | 495 +++++++++++ .../.cursor/skills/tdd-workflow/skill.md | 463 ++++++++++ plugins/python/config.ts | 2 +- plugins/python/index.ts | 19 + .../.claude/skills/backend-patterns/SKILL.md | 598 +++++++++++++ .../skills/database-migrations/SKILL.md | 429 +++++++++ .../.claude/skills/docker-patterns/SKILL.md | 364 ++++++++ .../.claude/skills/postgres-patterns/SKILL.md | 147 ++++ .../.claude/skills/python-patterns/SKILL.md | 750 ++++++++++++++++ .../.claude/skills/python-testing/SKILL.md | 816 ++++++++++++++++++ .../.claude/skills/security-review/SKILL.md | 495 +++++++++++ .../template/addons/claude-code/CLAUDE.md | 66 ++ .../.cursor/skills/backend-patterns/skill.md | 598 +++++++++++++ .../skills/database-migrations/skill.md | 429 +++++++++ .../.cursor/skills/docker-patterns/skill.md | 364 ++++++++ .../.cursor/skills/postgres-patterns/skill.md | 147 ++++ .../.cursor/skills/python-patterns/skill.md | 750 ++++++++++++++++ .../.cursor/skills/python-testing/skill.md | 816 ++++++++++++++++++ .../.cursor/skills/security-review/skill.md | 495 +++++++++++ .../__snapshots__/snapshot.test.ts.snap | 36 + tests/integration/snapshot.test.ts | 10 +- tests/unit/claude-code-addon.test.ts | 208 +++++ types/index.ts | 2 + 44 files changed, 14263 insertions(+), 6 deletions(-) create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/api-design/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/deployment-patterns/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/security-review/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/.claude/skills/tdd-workflow/SKILL.md create mode 100644 plugins/node/template/addons/claude-code/CLAUDE.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/api-design/skill.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/backend-patterns/skill.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/database-migrations/skill.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/deployment-patterns/skill.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/docker-patterns/skill.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/security-review/skill.md create mode 100644 plugins/node/template/addons/cursor/.cursor/skills/tdd-workflow/skill.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/postgres-patterns/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/python-patterns/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/python-testing/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/.claude/skills/security-review/SKILL.md create mode 100644 plugins/python/template/addons/claude-code/CLAUDE.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/backend-patterns/skill.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/database-migrations/skill.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/docker-patterns/skill.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/postgres-patterns/skill.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/python-patterns/skill.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/python-testing/skill.md create mode 100644 plugins/python/template/addons/cursor/.cursor/skills/security-review/skill.md create mode 100644 tests/integration/__snapshots__/snapshot.test.ts.snap create mode 100644 tests/unit/claude-code-addon.test.ts diff --git a/.gitignore b/.gitignore index 5921e33..3a25d2f 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,9 @@ /dist/ .env +# Added by code-review-graph +.code-review-graph/ + +# Override global ignore for template addon files +!plugins/*/template/addons/claude-code/.claude/ +!plugins/*/template/addons/claude-code/.claude/** diff --git a/CHANGELOG.md b/CHANGELOG.md index aa79716..efd4a4b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [1.0.7] - 2026-04-23 + +### Added +- **Claude Code addon** (`--claude-code`) — injects `CLAUDE.md` (project context with stack, commands, architecture) and `.claude/skills/` with pre-configured skills into generated projects: `backend-patterns`, `api-design`, `database-migrations`, `docker-patterns`, `security-review`, `tdd-workflow`, `deployment-patterns` (Node.js); `python-patterns`, `python-testing`, `backend-patterns`, `postgres-patterns`, `database-migrations`, `docker-patterns`, `security-review` (Python) +- **Cursor addon** (`--cursor`) — injects `.cursor/skills/` with the same skill set (same content, `skill.md` format) for Cursor Agent +- **AI agent multi-select prompt** — when neither `--claude-code` nor `--cursor` is passed, interactive mode shows a multiselect: `Claude Code` and `Cursor` can be selected independently or together +- Both addons work with `archgen add claude-code` and `archgen add cursor` on existing projects + +### Fixed +- Integration snapshot tests: `mockFs.exists` now returns `true` for template/addon paths so addon conditions are correctly evaluated in test environment + ## [1.0.6] - 2026-04-10 ### Fixed diff --git a/README.md b/README.md index 9b910de..f0dcb68 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,8 @@ Answer a few prompts. Your project is ready in under a second. - Optional WebSocket support with Socket.io + JWT auth - Optional OAuth2 (Google + GitHub) via `@fastify/oauth2` - Optional API documentation via Scalar + Swagger UI +- Optional Claude Code setup — `CLAUDE.md` + pre-configured skills for Claude Code agent +- Optional Cursor setup — `.cursor/skills/` with pre-configured skills for Cursor agent - Auto update notifier — hints when a new version is available - Interactive CLI prompts — no flags required - Post-scaffold addon injection with `archgen add` @@ -58,6 +60,9 @@ archgen create my-api --language node --docker --testing --ci archgen create my-api --language node --all # enable all addons at once archgen create my-service --language python --author "John Doe" archgen create my-app --database postgresql +archgen create my-app --claude-code # add Claude Code setup (CLAUDE.md + skills) +archgen create my-app --cursor # add Cursor agent setup (.cursor/skills/) +archgen create my-app --claude-code --cursor # add both AI agent setups archgen create my-app --force # overwrite existing directory archgen create my-app --dry-run # preview files without writing archgen create my-app --skip-git # skip automatic git init @@ -73,6 +78,8 @@ archgen add ci archgen add websocket # Socket.io + JWT auth + notification helpers archgen add oauth # Google + GitHub OAuth2 routes archgen add api-docs # Scalar UI at /reference + Swagger UI at /docs +archgen add claude-code # Claude Code setup (CLAUDE.md + .claude/skills/) +archgen add cursor # Cursor agent setup (.cursor/skills/) archgen add ci --dry-run # preview changes without writing ``` diff --git a/cli/command/index.ts b/cli/command/index.ts index eaf2f53..6438786 100644 --- a/cli/command/index.ts +++ b/cli/command/index.ts @@ -17,6 +17,8 @@ export const createCommand = new Command("create") .option("--websocket", "Include WebSocket support via Socket.io (Node.js only)") .option("--oauth", "Include OAuth2 providers — Google + GitHub (Node.js only)") .option("--api-docs", "Include Scalar API reference UI (Node.js only)") + .option("--claude-code", "Include Claude Code setup (CLAUDE.md + .claude/skills/)") + .option("--cursor", "Include Cursor agent setup (.cursor/skills/)") .option("--all", "Include all addons (docker + testing + ci)", false) .option("-a, --author ", "Author name") .option("-d, --description ", "Project description") diff --git a/cli/prompts.ts b/cli/prompts.ts index 7fb6554..f5f02d9 100644 --- a/cli/prompts.ts +++ b/cli/prompts.ts @@ -13,6 +13,8 @@ export async function promptMissingOptions( testing: false, ci: false, husky: false, + claudeCode: false, + cursor: false, ...options, language: options.language ?? "node", }; @@ -97,6 +99,19 @@ export async function promptMissingOptions( }); } + if (options.claudeCode === undefined && options.cursor === undefined) { + questions.push({ + type: "multiselect", + name: "aiAgents", + message: "Include AI agent setup? (Space to select, Enter to confirm)", + choices: [ + { title: "Claude Code (CLAUDE.md + .claude/skills/)", value: "claude", selected: false }, + { title: "Cursor (.cursor/skills/)", value: "cursor", selected: false }, + ], + hint: "none to skip", + }); + } + if (questions.length === 0) return options; const answers = await prompts(questions, { @@ -115,5 +130,11 @@ export async function promptMissingOptions( process.exit(0); } - return { ...options, ...answers }; + const raw = { ...options, ...answers } as Record; + if (Array.isArray(raw.aiAgents)) { + raw.claudeCode = (raw.aiAgents as string[]).includes("claude"); + raw.cursor = (raw.aiAgents as string[]).includes("cursor"); + delete raw.aiAgents; + } + return raw as unknown as GenerateOptions; } diff --git a/package.json b/package.json index 16fe4d2..88be6e9 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@kidkender/archgen", - "version": "1.0.6", + "version": "1.0.7", "description": "Generate production-ready Node.js and Python project structures in seconds", "main": "dist/index.js", "module": "dist/index.mjs", diff --git a/plugins/node/config.ts b/plugins/node/config.ts index 4bdac7d..a24df83 100644 --- a/plugins/node/config.ts +++ b/plugins/node/config.ts @@ -3,5 +3,5 @@ import { PluginConfig } from "../../types"; export const nodeConfig: PluginConfig = { name: "node-typescript", description: "Node.js Typescript backend with Fastify", - addons: ["docker", "testing", "ci", "husky", "websocket", "oauth", "api-docs"], + addons: ["docker", "testing", "ci", "husky", "websocket", "oauth", "api-docs", "claude-code", "cursor"], }; diff --git a/plugins/node/index.ts b/plugins/node/index.ts index 9b97035..28dd352 100644 --- a/plugins/node/index.ts +++ b/plugins/node/index.ts @@ -77,6 +77,16 @@ export class NodePlugin extends BasePlugin { path: path.join(addonsPath, "api-docs"), label: "API docs (Scalar)", }, + { + condition: !!options.claudeCode, + path: path.join(addonsPath, "claude-code"), + label: "Claude Code setup", + }, + { + condition: !!options.cursor, + path: path.join(addonsPath, "cursor"), + label: "Cursor agent setup", + }, ]; } @@ -181,6 +191,15 @@ export class NodePlugin extends BasePlugin { if (options.apiDocs) { console.log(" Scalar API reference available at: http://localhost:3000/reference"); } + if (options.claudeCode) { + console.log(""); + console.log(" Claude Code — open this project in Claude Code to use pre-configured skills"); + console.log(" Skills: /backend-patterns /api-design /tdd-workflow and more"); + } + if (options.cursor) { + console.log(""); + console.log(" Cursor — .cursor/skills/ ready, open project in Cursor to use agent skills"); + } console.log(""); } } diff --git a/plugins/node/template/addons/claude-code/.claude/skills/api-design/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/api-design/SKILL.md new file mode 100644 index 0000000..a45aca0 --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/api-design/SKILL.md @@ -0,0 +1,523 @@ +--- +name: api-design +description: REST API design patterns including resource naming, status codes, pagination, filtering, error responses, versioning, and rate limiting for production APIs. +origin: ECC +--- + +# API Design Patterns + +Conventions and best practices for designing consistent, developer-friendly REST APIs. + +## When to Activate + +- Designing new API endpoints +- Reviewing existing API contracts +- Adding pagination, filtering, or sorting +- Implementing error handling for APIs +- Planning API versioning strategy +- Building public or partner-facing APIs + +## Resource Design + +### URL Structure + +``` +# Resources are nouns, plural, lowercase, kebab-case +GET /api/v1/users +GET /api/v1/users/:id +POST /api/v1/users +PUT /api/v1/users/:id +PATCH /api/v1/users/:id +DELETE /api/v1/users/:id + +# Sub-resources for relationships +GET /api/v1/users/:id/orders +POST /api/v1/users/:id/orders + +# Actions that don't map to CRUD (use verbs sparingly) +POST /api/v1/orders/:id/cancel +POST /api/v1/auth/login +POST /api/v1/auth/refresh +``` + +### Naming Rules + +``` +# GOOD +/api/v1/team-members # kebab-case for multi-word resources +/api/v1/orders?status=active # query params for filtering +/api/v1/users/123/orders # nested resources for ownership + +# BAD +/api/v1/getUsers # verb in URL +/api/v1/user # singular (use plural) +/api/v1/team_members # snake_case in URLs +/api/v1/users/123/getOrders # verb in nested resource +``` + +## HTTP Methods and Status Codes + +### Method Semantics + +| Method | Idempotent | Safe | Use For | +|--------|-----------|------|---------| +| GET | Yes | Yes | Retrieve resources | +| POST | No | No | Create resources, trigger actions | +| PUT | Yes | No | Full replacement of a resource | +| PATCH | No* | No | Partial update of a resource | +| DELETE | Yes | No | Remove a resource | + +*PATCH can be made idempotent with proper implementation + +### Status Code Reference + +``` +# Success +200 OK — GET, PUT, PATCH (with response body) +201 Created — POST (include Location header) +204 No Content — DELETE, PUT (no response body) + +# Client Errors +400 Bad Request — Validation failure, malformed JSON +401 Unauthorized — Missing or invalid authentication +403 Forbidden — Authenticated but not authorized +404 Not Found — Resource doesn't exist +409 Conflict — Duplicate entry, state conflict +422 Unprocessable Entity — Semantically invalid (valid JSON, bad data) +429 Too Many Requests — Rate limit exceeded + +# Server Errors +500 Internal Server Error — Unexpected failure (never expose details) +502 Bad Gateway — Upstream service failed +503 Service Unavailable — Temporary overload, include Retry-After +``` + +### Common Mistakes + +``` +# BAD: 200 for everything +{ "status": 200, "success": false, "error": "Not found" } + +# GOOD: Use HTTP status codes semantically +HTTP/1.1 404 Not Found +{ "error": { "code": "not_found", "message": "User not found" } } + +# BAD: 500 for validation errors +# GOOD: 400 or 422 with field-level details + +# BAD: 200 for created resources +# GOOD: 201 with Location header +HTTP/1.1 201 Created +Location: /api/v1/users/abc-123 +``` + +## Response Format + +### Success Response + +```json +{ + "data": { + "id": "abc-123", + "email": "alice@example.com", + "name": "Alice", + "created_at": "2025-01-15T10:30:00Z" + } +} +``` + +### Collection Response (with Pagination) + +```json +{ + "data": [ + { "id": "abc-123", "name": "Alice" }, + { "id": "def-456", "name": "Bob" } + ], + "meta": { + "total": 142, + "page": 1, + "per_page": 20, + "total_pages": 8 + }, + "links": { + "self": "/api/v1/users?page=1&per_page=20", + "next": "/api/v1/users?page=2&per_page=20", + "last": "/api/v1/users?page=8&per_page=20" + } +} +``` + +### Error Response + +```json +{ + "error": { + "code": "validation_error", + "message": "Request validation failed", + "details": [ + { + "field": "email", + "message": "Must be a valid email address", + "code": "invalid_format" + }, + { + "field": "age", + "message": "Must be between 0 and 150", + "code": "out_of_range" + } + ] + } +} +``` + +### Response Envelope Variants + +```typescript +// Option A: Envelope with data wrapper (recommended for public APIs) +interface ApiResponse { + data: T; + meta?: PaginationMeta; + links?: PaginationLinks; +} + +interface ApiError { + error: { + code: string; + message: string; + details?: FieldError[]; + }; +} + +// Option B: Flat response (simpler, common for internal APIs) +// Success: just return the resource directly +// Error: return error object +// Distinguish by HTTP status code +``` + +## Pagination + +### Offset-Based (Simple) + +``` +GET /api/v1/users?page=2&per_page=20 + +# Implementation +SELECT * FROM users +ORDER BY created_at DESC +LIMIT 20 OFFSET 20; +``` + +**Pros:** Easy to implement, supports "jump to page N" +**Cons:** Slow on large offsets (OFFSET 100000), inconsistent with concurrent inserts + +### Cursor-Based (Scalable) + +``` +GET /api/v1/users?cursor=eyJpZCI6MTIzfQ&limit=20 + +# Implementation +SELECT * FROM users +WHERE id > :cursor_id +ORDER BY id ASC +LIMIT 21; -- fetch one extra to determine has_next +``` + +```json +{ + "data": [...], + "meta": { + "has_next": true, + "next_cursor": "eyJpZCI6MTQzfQ" + } +} +``` + +**Pros:** Consistent performance regardless of position, stable with concurrent inserts +**Cons:** Cannot jump to arbitrary page, cursor is opaque + +### When to Use Which + +| Use Case | Pagination Type | +|----------|----------------| +| Admin dashboards, small datasets (<10K) | Offset | +| Infinite scroll, feeds, large datasets | Cursor | +| Public APIs | Cursor (default) with offset (optional) | +| Search results | Offset (users expect page numbers) | + +## Filtering, Sorting, and Search + +### Filtering + +``` +# Simple equality +GET /api/v1/orders?status=active&customer_id=abc-123 + +# Comparison operators (use bracket notation) +GET /api/v1/products?price[gte]=10&price[lte]=100 +GET /api/v1/orders?created_at[after]=2025-01-01 + +# Multiple values (comma-separated) +GET /api/v1/products?category=electronics,clothing + +# Nested fields (dot notation) +GET /api/v1/orders?customer.country=US +``` + +### Sorting + +``` +# Single field (prefix - for descending) +GET /api/v1/products?sort=-created_at + +# Multiple fields (comma-separated) +GET /api/v1/products?sort=-featured,price,-created_at +``` + +### Full-Text Search + +``` +# Search query parameter +GET /api/v1/products?q=wireless+headphones + +# Field-specific search +GET /api/v1/users?email=alice +``` + +### Sparse Fieldsets + +``` +# Return only specified fields (reduces payload) +GET /api/v1/users?fields=id,name,email +GET /api/v1/orders?fields=id,total,status&include=customer.name +``` + +## Authentication and Authorization + +### Token-Based Auth + +``` +# Bearer token in Authorization header +GET /api/v1/users +Authorization: Bearer eyJhbGciOiJIUzI1NiIs... + +# API key (for server-to-server) +GET /api/v1/data +X-API-Key: sk_live_abc123 +``` + +### Authorization Patterns + +```typescript +// Resource-level: check ownership +app.get("/api/v1/orders/:id", async (req, res) => { + const order = await Order.findById(req.params.id); + if (!order) return res.status(404).json({ error: { code: "not_found" } }); + if (order.userId !== req.user.id) return res.status(403).json({ error: { code: "forbidden" } }); + return res.json({ data: order }); +}); + +// Role-based: check permissions +app.delete("/api/v1/users/:id", requireRole("admin"), async (req, res) => { + await User.delete(req.params.id); + return res.status(204).send(); +}); +``` + +## Rate Limiting + +### Headers + +``` +HTTP/1.1 200 OK +X-RateLimit-Limit: 100 +X-RateLimit-Remaining: 95 +X-RateLimit-Reset: 1640000000 + +# When exceeded +HTTP/1.1 429 Too Many Requests +Retry-After: 60 +{ + "error": { + "code": "rate_limit_exceeded", + "message": "Rate limit exceeded. Try again in 60 seconds." + } +} +``` + +### Rate Limit Tiers + +| Tier | Limit | Window | Use Case | +|------|-------|--------|----------| +| Anonymous | 30/min | Per IP | Public endpoints | +| Authenticated | 100/min | Per user | Standard API access | +| Premium | 1000/min | Per API key | Paid API plans | +| Internal | 10000/min | Per service | Service-to-service | + +## Versioning + +### URL Path Versioning (Recommended) + +``` +/api/v1/users +/api/v2/users +``` + +**Pros:** Explicit, easy to route, cacheable +**Cons:** URL changes between versions + +### Header Versioning + +``` +GET /api/users +Accept: application/vnd.myapp.v2+json +``` + +**Pros:** Clean URLs +**Cons:** Harder to test, easy to forget + +### Versioning Strategy + +``` +1. Start with /api/v1/ — don't version until you need to +2. Maintain at most 2 active versions (current + previous) +3. Deprecation timeline: + - Announce deprecation (6 months notice for public APIs) + - Add Sunset header: Sunset: Sat, 01 Jan 2026 00:00:00 GMT + - Return 410 Gone after sunset date +4. Non-breaking changes don't need a new version: + - Adding new fields to responses + - Adding new optional query parameters + - Adding new endpoints +5. Breaking changes require a new version: + - Removing or renaming fields + - Changing field types + - Changing URL structure + - Changing authentication method +``` + +## Implementation Patterns + +### TypeScript (Next.js API Route) + +```typescript +import { z } from "zod"; +import { NextRequest, NextResponse } from "next/server"; + +const createUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), +}); + +export async function POST(req: NextRequest) { + const body = await req.json(); + const parsed = createUserSchema.safeParse(body); + + if (!parsed.success) { + return NextResponse.json({ + error: { + code: "validation_error", + message: "Request validation failed", + details: parsed.error.issues.map(i => ({ + field: i.path.join("."), + message: i.message, + code: i.code, + })), + }, + }, { status: 422 }); + } + + const user = await createUser(parsed.data); + + return NextResponse.json( + { data: user }, + { + status: 201, + headers: { Location: `/api/v1/users/${user.id}` }, + }, + ); +} +``` + +### Python (Django REST Framework) + +```python +from rest_framework import serializers, viewsets, status +from rest_framework.response import Response + +class CreateUserSerializer(serializers.Serializer): + email = serializers.EmailField() + name = serializers.CharField(max_length=100) + +class UserSerializer(serializers.ModelSerializer): + class Meta: + model = User + fields = ["id", "email", "name", "created_at"] + +class UserViewSet(viewsets.ModelViewSet): + serializer_class = UserSerializer + permission_classes = [IsAuthenticated] + + def get_serializer_class(self): + if self.action == "create": + return CreateUserSerializer + return UserSerializer + + def create(self, request): + serializer = CreateUserSerializer(data=request.data) + serializer.is_valid(raise_exception=True) + user = UserService.create(**serializer.validated_data) + return Response( + {"data": UserSerializer(user).data}, + status=status.HTTP_201_CREATED, + headers={"Location": f"/api/v1/users/{user.id}"}, + ) +``` + +### Go (net/http) + +```go +func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) { + var req CreateUserRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + writeError(w, http.StatusBadRequest, "invalid_json", "Invalid request body") + return + } + + if err := req.Validate(); err != nil { + writeError(w, http.StatusUnprocessableEntity, "validation_error", err.Error()) + return + } + + user, err := h.service.Create(r.Context(), req) + if err != nil { + switch { + case errors.Is(err, domain.ErrEmailTaken): + writeError(w, http.StatusConflict, "email_taken", "Email already registered") + default: + writeError(w, http.StatusInternalServerError, "internal_error", "Internal error") + } + return + } + + w.Header().Set("Location", fmt.Sprintf("/api/v1/users/%s", user.ID)) + writeJSON(w, http.StatusCreated, map[string]any{"data": user}) +} +``` + +## API Design Checklist + +Before shipping a new endpoint: + +- [ ] Resource URL follows naming conventions (plural, kebab-case, no verbs) +- [ ] Correct HTTP method used (GET for reads, POST for creates, etc.) +- [ ] Appropriate status codes returned (not 200 for everything) +- [ ] Input validated with schema (Zod, Pydantic, Bean Validation) +- [ ] Error responses follow standard format with codes and messages +- [ ] Pagination implemented for list endpoints (cursor or offset) +- [ ] Authentication required (or explicitly marked as public) +- [ ] Authorization checked (user can only access their own resources) +- [ ] Rate limiting configured +- [ ] Response does not leak internal details (stack traces, SQL errors) +- [ ] Consistent naming with existing endpoints (camelCase vs snake_case) +- [ ] Documented (OpenAPI/Swagger spec updated) diff --git a/plugins/node/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md new file mode 100644 index 0000000..30898b4 --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md @@ -0,0 +1,598 @@ +--- +name: backend-patterns +description: Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes. +origin: ECC +--- + +# Backend Development Patterns + +Backend architecture patterns and best practices for scalable server-side applications. + +## When to Activate + +- Designing REST or GraphQL API endpoints +- Implementing repository, service, or controller layers +- Optimizing database queries (N+1, indexing, connection pooling) +- Adding caching (Redis, in-memory, HTTP cache headers) +- Setting up background jobs or async processing +- Structuring error handling and validation for APIs +- Building middleware (auth, logging, rate limiting) + +## API Design Patterns + +### RESTful API Structure + +```typescript +// PASS: Resource-based URLs +GET /api/markets # List resources +GET /api/markets/:id # Get single resource +POST /api/markets # Create resource +PUT /api/markets/:id # Replace resource +PATCH /api/markets/:id # Update resource +DELETE /api/markets/:id # Delete resource + +// PASS: Query parameters for filtering, sorting, pagination +GET /api/markets?status=active&sort=volume&limit=20&offset=0 +``` + +### Repository Pattern + +```typescript +// Abstract data access logic +interface MarketRepository { + findAll(filters?: MarketFilters): Promise + findById(id: string): Promise + create(data: CreateMarketDto): Promise + update(id: string, data: UpdateMarketDto): Promise + delete(id: string): Promise +} + +class SupabaseMarketRepository implements MarketRepository { + async findAll(filters?: MarketFilters): Promise { + let query = supabase.from('markets').select('*') + + if (filters?.status) { + query = query.eq('status', filters.status) + } + + if (filters?.limit) { + query = query.limit(filters.limit) + } + + const { data, error } = await query + + if (error) throw new Error(error.message) + return data + } + + // Other methods... +} +``` + +### Service Layer Pattern + +```typescript +// Business logic separated from data access +class MarketService { + constructor(private marketRepo: MarketRepository) {} + + async searchMarkets(query: string, limit: number = 10): Promise { + // Business logic + const embedding = await generateEmbedding(query) + const results = await this.vectorSearch(embedding, limit) + + // Fetch full data + const markets = await this.marketRepo.findByIds(results.map(r => r.id)) + + // Sort by similarity + return markets.sort((a, b) => { + const scoreA = results.find(r => r.id === a.id)?.score || 0 + const scoreB = results.find(r => r.id === b.id)?.score || 0 + return scoreA - scoreB + }) + } + + private async vectorSearch(embedding: number[], limit: number) { + // Vector search implementation + } +} +``` + +### Middleware Pattern + +```typescript +// Request/response processing pipeline +export function withAuth(handler: NextApiHandler): NextApiHandler { + return async (req, res) => { + const token = req.headers.authorization?.replace('Bearer ', '') + + if (!token) { + return res.status(401).json({ error: 'Unauthorized' }) + } + + try { + const user = await verifyToken(token) + req.user = user + return handler(req, res) + } catch (error) { + return res.status(401).json({ error: 'Invalid token' }) + } + } +} + +// Usage +export default withAuth(async (req, res) => { + // Handler has access to req.user +}) +``` + +## Database Patterns + +### Query Optimization + +```typescript +// PASS: GOOD: Select only needed columns +const { data } = await supabase + .from('markets') + .select('id, name, status, volume') + .eq('status', 'active') + .order('volume', { ascending: false }) + .limit(10) + +// FAIL: BAD: Select everything +const { data } = await supabase + .from('markets') + .select('*') +``` + +### N+1 Query Prevention + +```typescript +// FAIL: BAD: N+1 query problem +const markets = await getMarkets() +for (const market of markets) { + market.creator = await getUser(market.creator_id) // N queries +} + +// PASS: GOOD: Batch fetch +const markets = await getMarkets() +const creatorIds = markets.map(m => m.creator_id) +const creators = await getUsers(creatorIds) // 1 query +const creatorMap = new Map(creators.map(c => [c.id, c])) + +markets.forEach(market => { + market.creator = creatorMap.get(market.creator_id) +}) +``` + +### Transaction Pattern + +```typescript +async function createMarketWithPosition( + marketData: CreateMarketDto, + positionData: CreatePositionDto +) { + // Use Supabase transaction + const { data, error } = await supabase.rpc('create_market_with_position', { + market_data: marketData, + position_data: positionData + }) + + if (error) throw new Error('Transaction failed') + return data +} + +// SQL function in Supabase +CREATE OR REPLACE FUNCTION create_market_with_position( + market_data jsonb, + position_data jsonb +) +RETURNS jsonb +LANGUAGE plpgsql +AS $$ +BEGIN + -- Start transaction automatically + INSERT INTO markets VALUES (market_data); + INSERT INTO positions VALUES (position_data); + RETURN jsonb_build_object('success', true); +EXCEPTION + WHEN OTHERS THEN + -- Rollback happens automatically + RETURN jsonb_build_object('success', false, 'error', SQLERRM); +END; +$$; +``` + +## Caching Strategies + +### Redis Caching Layer + +```typescript +class CachedMarketRepository implements MarketRepository { + constructor( + private baseRepo: MarketRepository, + private redis: RedisClient + ) {} + + async findById(id: string): Promise { + // Check cache first + const cached = await this.redis.get(`market:${id}`) + + if (cached) { + return JSON.parse(cached) + } + + // Cache miss - fetch from database + const market = await this.baseRepo.findById(id) + + if (market) { + // Cache for 5 minutes + await this.redis.setex(`market:${id}`, 300, JSON.stringify(market)) + } + + return market + } + + async invalidateCache(id: string): Promise { + await this.redis.del(`market:${id}`) + } +} +``` + +### Cache-Aside Pattern + +```typescript +async function getMarketWithCache(id: string): Promise { + const cacheKey = `market:${id}` + + // Try cache + const cached = await redis.get(cacheKey) + if (cached) return JSON.parse(cached) + + // Cache miss - fetch from DB + const market = await db.markets.findUnique({ where: { id } }) + + if (!market) throw new Error('Market not found') + + // Update cache + await redis.setex(cacheKey, 300, JSON.stringify(market)) + + return market +} +``` + +## Error Handling Patterns + +### Centralized Error Handler + +```typescript +class ApiError extends Error { + constructor( + public statusCode: number, + public message: string, + public isOperational = true + ) { + super(message) + Object.setPrototypeOf(this, ApiError.prototype) + } +} + +export function errorHandler(error: unknown, req: Request): Response { + if (error instanceof ApiError) { + return NextResponse.json({ + success: false, + error: error.message + }, { status: error.statusCode }) + } + + if (error instanceof z.ZodError) { + return NextResponse.json({ + success: false, + error: 'Validation failed', + details: error.errors + }, { status: 400 }) + } + + // Log unexpected errors + console.error('Unexpected error:', error) + + return NextResponse.json({ + success: false, + error: 'Internal server error' + }, { status: 500 }) +} + +// Usage +export async function GET(request: Request) { + try { + const data = await fetchData() + return NextResponse.json({ success: true, data }) + } catch (error) { + return errorHandler(error, request) + } +} +``` + +### Retry with Exponential Backoff + +```typescript +async function fetchWithRetry( + fn: () => Promise, + maxRetries = 3 +): Promise { + let lastError: Error + + for (let i = 0; i < maxRetries; i++) { + try { + return await fn() + } catch (error) { + lastError = error as Error + + if (i < maxRetries - 1) { + // Exponential backoff: 1s, 2s, 4s + const delay = Math.pow(2, i) * 1000 + await new Promise(resolve => setTimeout(resolve, delay)) + } + } + } + + throw lastError! +} + +// Usage +const data = await fetchWithRetry(() => fetchFromAPI()) +``` + +## Authentication & Authorization + +### JWT Token Validation + +```typescript +import jwt from 'jsonwebtoken' + +interface JWTPayload { + userId: string + email: string + role: 'admin' | 'user' +} + +export function verifyToken(token: string): JWTPayload { + try { + const payload = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload + return payload + } catch (error) { + throw new ApiError(401, 'Invalid token') + } +} + +export async function requireAuth(request: Request) { + const token = request.headers.get('authorization')?.replace('Bearer ', '') + + if (!token) { + throw new ApiError(401, 'Missing authorization token') + } + + return verifyToken(token) +} + +// Usage in API route +export async function GET(request: Request) { + const user = await requireAuth(request) + + const data = await getDataForUser(user.userId) + + return NextResponse.json({ success: true, data }) +} +``` + +### Role-Based Access Control + +```typescript +type Permission = 'read' | 'write' | 'delete' | 'admin' + +interface User { + id: string + role: 'admin' | 'moderator' | 'user' +} + +const rolePermissions: Record = { + admin: ['read', 'write', 'delete', 'admin'], + moderator: ['read', 'write', 'delete'], + user: ['read', 'write'] +} + +export function hasPermission(user: User, permission: Permission): boolean { + return rolePermissions[user.role].includes(permission) +} + +export function requirePermission(permission: Permission) { + return (handler: (request: Request, user: User) => Promise) => { + return async (request: Request) => { + const user = await requireAuth(request) + + if (!hasPermission(user, permission)) { + throw new ApiError(403, 'Insufficient permissions') + } + + return handler(request, user) + } + } +} + +// Usage - HOF wraps the handler +export const DELETE = requirePermission('delete')( + async (request: Request, user: User) => { + // Handler receives authenticated user with verified permission + return new Response('Deleted', { status: 200 }) + } +) +``` + +## Rate Limiting + +### Simple In-Memory Rate Limiter + +```typescript +class RateLimiter { + private requests = new Map() + + async checkLimit( + identifier: string, + maxRequests: number, + windowMs: number + ): Promise { + const now = Date.now() + const requests = this.requests.get(identifier) || [] + + // Remove old requests outside window + const recentRequests = requests.filter(time => now - time < windowMs) + + if (recentRequests.length >= maxRequests) { + return false // Rate limit exceeded + } + + // Add current request + recentRequests.push(now) + this.requests.set(identifier, recentRequests) + + return true + } +} + +const limiter = new RateLimiter() + +export async function GET(request: Request) { + const ip = request.headers.get('x-forwarded-for') || 'unknown' + + const allowed = await limiter.checkLimit(ip, 100, 60000) // 100 req/min + + if (!allowed) { + return NextResponse.json({ + error: 'Rate limit exceeded' + }, { status: 429 }) + } + + // Continue with request +} +``` + +## Background Jobs & Queues + +### Simple Queue Pattern + +```typescript +class JobQueue { + private queue: T[] = [] + private processing = false + + async add(job: T): Promise { + this.queue.push(job) + + if (!this.processing) { + this.process() + } + } + + private async process(): Promise { + this.processing = true + + while (this.queue.length > 0) { + const job = this.queue.shift()! + + try { + await this.execute(job) + } catch (error) { + console.error('Job failed:', error) + } + } + + this.processing = false + } + + private async execute(job: T): Promise { + // Job execution logic + } +} + +// Usage for indexing markets +interface IndexJob { + marketId: string +} + +const indexQueue = new JobQueue() + +export async function POST(request: Request) { + const { marketId } = await request.json() + + // Add to queue instead of blocking + await indexQueue.add({ marketId }) + + return NextResponse.json({ success: true, message: 'Job queued' }) +} +``` + +## Logging & Monitoring + +### Structured Logging + +```typescript +interface LogContext { + userId?: string + requestId?: string + method?: string + path?: string + [key: string]: unknown +} + +class Logger { + log(level: 'info' | 'warn' | 'error', message: string, context?: LogContext) { + const entry = { + timestamp: new Date().toISOString(), + level, + message, + ...context + } + + console.log(JSON.stringify(entry)) + } + + info(message: string, context?: LogContext) { + this.log('info', message, context) + } + + warn(message: string, context?: LogContext) { + this.log('warn', message, context) + } + + error(message: string, error: Error, context?: LogContext) { + this.log('error', message, { + ...context, + error: error.message, + stack: error.stack + }) + } +} + +const logger = new Logger() + +// Usage +export async function GET(request: Request) { + const requestId = crypto.randomUUID() + + logger.info('Fetching markets', { + requestId, + method: 'GET', + path: '/api/markets' + }) + + try { + const markets = await fetchMarkets() + return NextResponse.json({ success: true, data: markets }) + } catch (error) { + logger.error('Failed to fetch markets', error as Error, { requestId }) + return NextResponse.json({ error: 'Internal error' }, { status: 500 }) + } +} +``` + +**Remember**: Backend patterns enable scalable, maintainable server-side applications. Choose patterns that fit your complexity level. diff --git a/plugins/node/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md new file mode 100644 index 0000000..b1562c2 --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md @@ -0,0 +1,429 @@ +--- +name: database-migrations +description: Database migration best practices for schema changes, data migrations, rollbacks, and zero-downtime deployments across PostgreSQL, MySQL, and common ORMs (Prisma, Drizzle, Kysely, Django, TypeORM, golang-migrate). +origin: ECC +--- + +# Database Migration Patterns + +Safe, reversible database schema changes for production systems. + +## When to Activate + +- Creating or altering database tables +- Adding/removing columns or indexes +- Running data migrations (backfill, transform) +- Planning zero-downtime schema changes +- Setting up migration tooling for a new project + +## Core Principles + +1. **Every change is a migration** — never alter production databases manually +2. **Migrations are forward-only in production** — rollbacks use new forward migrations +3. **Schema and data migrations are separate** — never mix DDL and DML in one migration +4. **Test migrations against production-sized data** — a migration that works on 100 rows may lock on 10M +5. **Migrations are immutable once deployed** — never edit a migration that has run in production + +## Migration Safety Checklist + +Before applying any migration: + +- [ ] Migration has both UP and DOWN (or is explicitly marked irreversible) +- [ ] No full table locks on large tables (use concurrent operations) +- [ ] New columns have defaults or are nullable (never add NOT NULL without default) +- [ ] Indexes created concurrently (not inline with CREATE TABLE for existing tables) +- [ ] Data backfill is a separate migration from schema change +- [ ] Tested against a copy of production data +- [ ] Rollback plan documented + +## PostgreSQL Patterns + +### Adding a Column Safely + +```sql +-- GOOD: Nullable column, no lock +ALTER TABLE users ADD COLUMN avatar_url TEXT; + +-- GOOD: Column with default (Postgres 11+ is instant, no rewrite) +ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT true; + +-- BAD: NOT NULL without default on existing table (requires full rewrite) +ALTER TABLE users ADD COLUMN role TEXT NOT NULL; +-- This locks the table and rewrites every row +``` + +### Adding an Index Without Downtime + +```sql +-- BAD: Blocks writes on large tables +CREATE INDEX idx_users_email ON users (email); + +-- GOOD: Non-blocking, allows concurrent writes +CREATE INDEX CONCURRENTLY idx_users_email ON users (email); + +-- Note: CONCURRENTLY cannot run inside a transaction block +-- Most migration tools need special handling for this +``` + +### Renaming a Column (Zero-Downtime) + +Never rename directly in production. Use the expand-contract pattern: + +```sql +-- Step 1: Add new column (migration 001) +ALTER TABLE users ADD COLUMN display_name TEXT; + +-- Step 2: Backfill data (migration 002, data migration) +UPDATE users SET display_name = username WHERE display_name IS NULL; + +-- Step 3: Update application code to read/write both columns +-- Deploy application changes + +-- Step 4: Stop writing to old column, drop it (migration 003) +ALTER TABLE users DROP COLUMN username; +``` + +### Removing a Column Safely + +```sql +-- Step 1: Remove all application references to the column +-- Step 2: Deploy application without the column reference +-- Step 3: Drop column in next migration +ALTER TABLE orders DROP COLUMN legacy_status; + +-- For Django: use SeparateDatabaseAndState to remove from model +-- without generating DROP COLUMN (then drop in next migration) +``` + +### Large Data Migrations + +```sql +-- BAD: Updates all rows in one transaction (locks table) +UPDATE users SET normalized_email = LOWER(email); + +-- GOOD: Batch update with progress +DO $$ +DECLARE + batch_size INT := 10000; + rows_updated INT; +BEGIN + LOOP + UPDATE users + SET normalized_email = LOWER(email) + WHERE id IN ( + SELECT id FROM users + WHERE normalized_email IS NULL + LIMIT batch_size + FOR UPDATE SKIP LOCKED + ); + GET DIAGNOSTICS rows_updated = ROW_COUNT; + RAISE NOTICE 'Updated % rows', rows_updated; + EXIT WHEN rows_updated = 0; + COMMIT; + END LOOP; +END $$; +``` + +## Prisma (TypeScript/Node.js) + +### Workflow + +```bash +# Create migration from schema changes +npx prisma migrate dev --name add_user_avatar + +# Apply pending migrations in production +npx prisma migrate deploy + +# Reset database (dev only) +npx prisma migrate reset + +# Generate client after schema changes +npx prisma generate +``` + +### Schema Example + +```prisma +model User { + id String @id @default(cuid()) + email String @unique + name String? + avatarUrl String? @map("avatar_url") + createdAt DateTime @default(now()) @map("created_at") + updatedAt DateTime @updatedAt @map("updated_at") + orders Order[] + + @@map("users") + @@index([email]) +} +``` + +### Custom SQL Migration + +For operations Prisma cannot express (concurrent indexes, data backfills): + +```bash +# Create empty migration, then edit the SQL manually +npx prisma migrate dev --create-only --name add_email_index +``` + +```sql +-- migrations/20240115_add_email_index/migration.sql +-- Prisma cannot generate CONCURRENTLY, so we write it manually +CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_users_email ON users (email); +``` + +## Drizzle (TypeScript/Node.js) + +### Workflow + +```bash +# Generate migration from schema changes +npx drizzle-kit generate + +# Apply migrations +npx drizzle-kit migrate + +# Push schema directly (dev only, no migration file) +npx drizzle-kit push +``` + +### Schema Example + +```typescript +import { pgTable, text, timestamp, uuid, boolean } from "drizzle-orm/pg-core"; + +export const users = pgTable("users", { + id: uuid("id").primaryKey().defaultRandom(), + email: text("email").notNull().unique(), + name: text("name"), + isActive: boolean("is_active").notNull().default(true), + createdAt: timestamp("created_at").notNull().defaultNow(), + updatedAt: timestamp("updated_at").notNull().defaultNow(), +}); +``` + +## Kysely (TypeScript/Node.js) + +### Workflow (kysely-ctl) + +```bash +# Initialize config file (kysely.config.ts) +kysely init + +# Create a new migration file +kysely migrate make add_user_avatar + +# Apply all pending migrations +kysely migrate latest + +# Rollback last migration +kysely migrate down + +# Show migration status +kysely migrate list +``` + +### Migration File + +```typescript +// migrations/2024_01_15_001_create_user_profile.ts +import { type Kysely, sql } from 'kysely' + +// IMPORTANT: Always use Kysely, not your typed DB interface. +// Migrations are frozen in time and must not depend on current schema types. +export async function up(db: Kysely): Promise { + await db.schema + .createTable('user_profile') + .addColumn('id', 'serial', (col) => col.primaryKey()) + .addColumn('email', 'varchar(255)', (col) => col.notNull().unique()) + .addColumn('avatar_url', 'text') + .addColumn('created_at', 'timestamp', (col) => + col.defaultTo(sql`now()`).notNull() + ) + .execute() + + await db.schema + .createIndex('idx_user_profile_avatar') + .on('user_profile') + .column('avatar_url') + .execute() +} + +export async function down(db: Kysely): Promise { + await db.schema.dropTable('user_profile').execute() +} +``` + +### Programmatic Migrator + +```typescript +import { Migrator, FileMigrationProvider } from 'kysely' +import { promises as fs } from 'fs' +import * as path from 'path' +// ESM only — CJS can use __dirname directly +import { fileURLToPath } from 'url' +const migrationFolder = path.join( + path.dirname(fileURLToPath(import.meta.url)), + './migrations', +) + +// `db` is your Kysely database instance +const migrator = new Migrator({ + db, + provider: new FileMigrationProvider({ + fs, + path, + migrationFolder, + }), + // WARNING: Only enable in development. Disables timestamp-ordering + // validation, which can cause schema drift between environments. + // allowUnorderedMigrations: true, +}) + +const { error, results } = await migrator.migrateToLatest() + +results?.forEach((it) => { + if (it.status === 'Success') { + console.log(`migration "${it.migrationName}" executed successfully`) + } else if (it.status === 'Error') { + console.error(`failed to execute migration "${it.migrationName}"`) + } +}) + +if (error) { + console.error('migration failed', error) + process.exit(1) +} +``` + +## Django (Python) + +### Workflow + +```bash +# Generate migration from model changes +python manage.py makemigrations + +# Apply migrations +python manage.py migrate + +# Show migration status +python manage.py showmigrations + +# Generate empty migration for custom SQL +python manage.py makemigrations --empty app_name -n description +``` + +### Data Migration + +```python +from django.db import migrations + +def backfill_display_names(apps, schema_editor): + User = apps.get_model("accounts", "User") + batch_size = 5000 + users = User.objects.filter(display_name="") + while users.exists(): + batch = list(users[:batch_size]) + for user in batch: + user.display_name = user.username + User.objects.bulk_update(batch, ["display_name"], batch_size=batch_size) + +def reverse_backfill(apps, schema_editor): + pass # Data migration, no reverse needed + +class Migration(migrations.Migration): + dependencies = [("accounts", "0015_add_display_name")] + + operations = [ + migrations.RunPython(backfill_display_names, reverse_backfill), + ] +``` + +### SeparateDatabaseAndState + +Remove a column from the Django model without dropping it from the database immediately: + +```python +class Migration(migrations.Migration): + operations = [ + migrations.SeparateDatabaseAndState( + state_operations=[ + migrations.RemoveField(model_name="user", name="legacy_field"), + ], + database_operations=[], # Don't touch the DB yet + ), + ] +``` + +## golang-migrate (Go) + +### Workflow + +```bash +# Create migration pair +migrate create -ext sql -dir migrations -seq add_user_avatar + +# Apply all pending migrations +migrate -path migrations -database "$DATABASE_URL" up + +# Rollback last migration +migrate -path migrations -database "$DATABASE_URL" down 1 + +# Force version (fix dirty state) +migrate -path migrations -database "$DATABASE_URL" force VERSION +``` + +### Migration Files + +```sql +-- migrations/000003_add_user_avatar.up.sql +ALTER TABLE users ADD COLUMN avatar_url TEXT; +CREATE INDEX CONCURRENTLY idx_users_avatar ON users (avatar_url) WHERE avatar_url IS NOT NULL; + +-- migrations/000003_add_user_avatar.down.sql +DROP INDEX IF EXISTS idx_users_avatar; +ALTER TABLE users DROP COLUMN IF EXISTS avatar_url; +``` + +## Zero-Downtime Migration Strategy + +For critical production changes, follow the expand-contract pattern: + +``` +Phase 1: EXPAND + - Add new column/table (nullable or with default) + - Deploy: app writes to BOTH old and new + - Backfill existing data + +Phase 2: MIGRATE + - Deploy: app reads from NEW, writes to BOTH + - Verify data consistency + +Phase 3: CONTRACT + - Deploy: app only uses NEW + - Drop old column/table in separate migration +``` + +### Timeline Example + +``` +Day 1: Migration adds new_status column (nullable) +Day 1: Deploy app v2 — writes to both status and new_status +Day 2: Run backfill migration for existing rows +Day 3: Deploy app v3 — reads from new_status only +Day 7: Migration drops old status column +``` + +## Anti-Patterns + +| Anti-Pattern | Why It Fails | Better Approach | +|-------------|-------------|-----------------| +| Manual SQL in production | No audit trail, unrepeatable | Always use migration files | +| Editing deployed migrations | Causes drift between environments | Create new migration instead | +| NOT NULL without default | Locks table, rewrites all rows | Add nullable, backfill, then add constraint | +| Inline index on large table | Blocks writes during build | CREATE INDEX CONCURRENTLY | +| Schema + data in one migration | Hard to rollback, long transactions | Separate migrations | +| Dropping column before removing code | Application errors on missing column | Remove code first, drop column next deploy | diff --git a/plugins/node/template/addons/claude-code/.claude/skills/deployment-patterns/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/deployment-patterns/SKILL.md new file mode 100644 index 0000000..bcccaf9 --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/deployment-patterns/SKILL.md @@ -0,0 +1,427 @@ +--- +name: deployment-patterns +description: Deployment workflows, CI/CD pipeline patterns, Docker containerization, health checks, rollback strategies, and production readiness checklists for web applications. +origin: ECC +--- + +# Deployment Patterns + +Production deployment workflows and CI/CD best practices. + +## When to Activate + +- Setting up CI/CD pipelines +- Dockerizing an application +- Planning deployment strategy (blue-green, canary, rolling) +- Implementing health checks and readiness probes +- Preparing for a production release +- Configuring environment-specific settings + +## Deployment Strategies + +### Rolling Deployment (Default) + +Replace instances gradually — old and new versions run simultaneously during rollout. + +``` +Instance 1: v1 → v2 (update first) +Instance 2: v1 (still running v1) +Instance 3: v1 (still running v1) + +Instance 1: v2 +Instance 2: v1 → v2 (update second) +Instance 3: v1 + +Instance 1: v2 +Instance 2: v2 +Instance 3: v1 → v2 (update last) +``` + +**Pros:** Zero downtime, gradual rollout +**Cons:** Two versions run simultaneously — requires backward-compatible changes +**Use when:** Standard deployments, backward-compatible changes + +### Blue-Green Deployment + +Run two identical environments. Switch traffic atomically. + +``` +Blue (v1) ← traffic +Green (v2) idle, running new version + +# After verification: +Blue (v1) idle (becomes standby) +Green (v2) ← traffic +``` + +**Pros:** Instant rollback (switch back to blue), clean cutover +**Cons:** Requires 2x infrastructure during deployment +**Use when:** Critical services, zero-tolerance for issues + +### Canary Deployment + +Route a small percentage of traffic to the new version first. + +``` +v1: 95% of traffic +v2: 5% of traffic (canary) + +# If metrics look good: +v1: 50% of traffic +v2: 50% of traffic + +# Final: +v2: 100% of traffic +``` + +**Pros:** Catches issues with real traffic before full rollout +**Cons:** Requires traffic splitting infrastructure, monitoring +**Use when:** High-traffic services, risky changes, feature flags + +## Docker + +### Multi-Stage Dockerfile (Node.js) + +```dockerfile +# Stage 1: Install dependencies +FROM node:22-alpine AS deps +WORKDIR /app +COPY package.json package-lock.json ./ +RUN npm ci --production=false + +# Stage 2: Build +FROM node:22-alpine AS builder +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +RUN npm run build +RUN npm prune --production + +# Stage 3: Production image +FROM node:22-alpine AS runner +WORKDIR /app + +RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 +USER appuser + +COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules +COPY --from=builder --chown=appuser:appgroup /app/dist ./dist +COPY --from=builder --chown=appuser:appgroup /app/package.json ./ + +ENV NODE_ENV=production +EXPOSE 3000 + +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1 + +CMD ["node", "dist/server.js"] +``` + +### Multi-Stage Dockerfile (Go) + +```dockerfile +FROM golang:1.22-alpine AS builder +WORKDIR /app +COPY go.mod go.sum ./ +RUN go mod download +COPY . . +RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server + +FROM alpine:3.19 AS runner +RUN apk --no-cache add ca-certificates +RUN adduser -D -u 1001 appuser +USER appuser + +COPY --from=builder /server /server + +EXPOSE 8080 +HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:8080/health || exit 1 +CMD ["/server"] +``` + +### Multi-Stage Dockerfile (Python/Django) + +```dockerfile +FROM python:3.12-slim AS builder +WORKDIR /app +RUN pip install --no-cache-dir uv +COPY requirements.txt . +RUN uv pip install --system --no-cache -r requirements.txt + +FROM python:3.12-slim AS runner +WORKDIR /app + +RUN useradd -r -u 1001 appuser +USER appuser + +COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages +COPY --from=builder /usr/local/bin /usr/local/bin +COPY . . + +ENV PYTHONUNBUFFERED=1 +EXPOSE 8000 + +HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health/')" || exit 1 +CMD ["gunicorn", "config.wsgi:application", "--bind", "0.0.0.0:8000", "--workers", "4"] +``` + +### Docker Best Practices + +``` +# GOOD practices +- Use specific version tags (node:22-alpine, not node:latest) +- Multi-stage builds to minimize image size +- Run as non-root user +- Copy dependency files first (layer caching) +- Use .dockerignore to exclude node_modules, .git, tests +- Add HEALTHCHECK instruction +- Set resource limits in docker-compose or k8s + +# BAD practices +- Running as root +- Using :latest tags +- Copying entire repo in one COPY layer +- Installing dev dependencies in production image +- Storing secrets in image (use env vars or secrets manager) +``` + +## CI/CD Pipeline + +### GitHub Actions (Standard Pipeline) + +```yaml +name: CI/CD + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 22 + cache: npm + - run: npm ci + - run: npm run lint + - run: npm run typecheck + - run: npm test -- --coverage + - uses: actions/upload-artifact@v4 + if: always() + with: + name: coverage + path: coverage/ + + build: + needs: test + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + steps: + - uses: actions/checkout@v4 + - uses: docker/setup-buildx-action@v3 + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - uses: docker/build-push-action@v5 + with: + push: true + tags: ghcr.io/${{ github.repository }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=max + + deploy: + needs: build + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + environment: production + steps: + - name: Deploy to production + run: | + # Platform-specific deployment command + # Railway: railway up + # Vercel: vercel --prod + # K8s: kubectl set image deployment/app app=ghcr.io/${{ github.repository }}:${{ github.sha }} + echo "Deploying ${{ github.sha }}" +``` + +### Pipeline Stages + +``` +PR opened: + lint → typecheck → unit tests → integration tests → preview deploy + +Merged to main: + lint → typecheck → unit tests → integration tests → build image → deploy staging → smoke tests → deploy production +``` + +## Health Checks + +### Health Check Endpoint + +```typescript +// Simple health check +app.get("/health", (req, res) => { + res.status(200).json({ status: "ok" }); +}); + +// Detailed health check (for internal monitoring) +app.get("/health/detailed", async (req, res) => { + const checks = { + database: await checkDatabase(), + redis: await checkRedis(), + externalApi: await checkExternalApi(), + }; + + const allHealthy = Object.values(checks).every(c => c.status === "ok"); + + res.status(allHealthy ? 200 : 503).json({ + status: allHealthy ? "ok" : "degraded", + timestamp: new Date().toISOString(), + version: process.env.APP_VERSION || "unknown", + uptime: process.uptime(), + checks, + }); +}); + +async function checkDatabase(): Promise { + try { + await db.query("SELECT 1"); + return { status: "ok", latency_ms: 2 }; + } catch (err) { + return { status: "error", message: "Database unreachable" }; + } +} +``` + +### Kubernetes Probes + +```yaml +livenessProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 10 + periodSeconds: 30 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 2 + +startupProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 0 + periodSeconds: 5 + failureThreshold: 30 # 30 * 5s = 150s max startup time +``` + +## Environment Configuration + +### Twelve-Factor App Pattern + +```bash +# All config via environment variables — never in code +DATABASE_URL=postgres://user:pass@host:5432/db +REDIS_URL=redis://host:6379/0 +API_KEY=${API_KEY} # injected by secrets manager +LOG_LEVEL=info +PORT=3000 + +# Environment-specific behavior +NODE_ENV=production # or staging, development +APP_ENV=production # explicit app environment +``` + +### Configuration Validation + +```typescript +import { z } from "zod"; + +const envSchema = z.object({ + NODE_ENV: z.enum(["development", "staging", "production"]), + PORT: z.coerce.number().default(3000), + DATABASE_URL: z.string().url(), + REDIS_URL: z.string().url(), + JWT_SECRET: z.string().min(32), + LOG_LEVEL: z.enum(["debug", "info", "warn", "error"]).default("info"), +}); + +// Validate at startup — fail fast if config is wrong +export const env = envSchema.parse(process.env); +``` + +## Rollback Strategy + +### Instant Rollback + +```bash +# Docker/Kubernetes: point to previous image +kubectl rollout undo deployment/app + +# Vercel: promote previous deployment +vercel rollback + +# Railway: redeploy previous commit +railway up --commit + +# Database: rollback migration (if reversible) +npx prisma migrate resolve --rolled-back +``` + +### Rollback Checklist + +- [ ] Previous image/artifact is available and tagged +- [ ] Database migrations are backward-compatible (no destructive changes) +- [ ] Feature flags can disable new features without deploy +- [ ] Monitoring alerts configured for error rate spikes +- [ ] Rollback tested in staging before production release + +## Production Readiness Checklist + +Before any production deployment: + +### Application +- [ ] All tests pass (unit, integration, E2E) +- [ ] No hardcoded secrets in code or config files +- [ ] Error handling covers all edge cases +- [ ] Logging is structured (JSON) and does not contain PII +- [ ] Health check endpoint returns meaningful status + +### Infrastructure +- [ ] Docker image builds reproducibly (pinned versions) +- [ ] Environment variables documented and validated at startup +- [ ] Resource limits set (CPU, memory) +- [ ] Horizontal scaling configured (min/max instances) +- [ ] SSL/TLS enabled on all endpoints + +### Monitoring +- [ ] Application metrics exported (request rate, latency, errors) +- [ ] Alerts configured for error rate > threshold +- [ ] Log aggregation set up (structured logs, searchable) +- [ ] Uptime monitoring on health endpoint + +### Security +- [ ] Dependencies scanned for CVEs +- [ ] CORS configured for allowed origins only +- [ ] Rate limiting enabled on public endpoints +- [ ] Authentication and authorization verified +- [ ] Security headers set (CSP, HSTS, X-Frame-Options) + +### Operations +- [ ] Rollback plan documented and tested +- [ ] Database migration tested against production-sized data +- [ ] Runbook for common failure scenarios +- [ ] On-call rotation and escalation path defined diff --git a/plugins/node/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md new file mode 100644 index 0000000..c438c4a --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md @@ -0,0 +1,364 @@ +--- +name: docker-patterns +description: Docker and Docker Compose patterns for local development, container security, networking, volume strategies, and multi-service orchestration. +origin: ECC +--- + +# Docker Patterns + +Docker and Docker Compose best practices for containerized development. + +## When to Activate + +- Setting up Docker Compose for local development +- Designing multi-container architectures +- Troubleshooting container networking or volume issues +- Reviewing Dockerfiles for security and size +- Migrating from local dev to containerized workflow + +## Docker Compose for Local Development + +### Standard Web App Stack + +```yaml +# docker-compose.yml +services: + app: + build: + context: . + target: dev # Use dev stage of multi-stage Dockerfile + ports: + - "3000:3000" + volumes: + - .:/app # Bind mount for hot reload + - /app/node_modules # Anonymous volume -- preserves container deps + environment: + - DATABASE_URL=postgres://postgres:postgres@db:5432/app_dev + - REDIS_URL=redis://redis:6379/0 + - NODE_ENV=development + depends_on: + db: + condition: service_healthy + redis: + condition: service_started + command: npm run dev + + db: + image: postgres:16-alpine + ports: + - "5432:5432" + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + POSTGRES_DB: app_dev + volumes: + - pgdata:/var/lib/postgresql/data + - ./scripts/init-db.sql:/docker-entrypoint-initdb.d/init.sql + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres"] + interval: 5s + timeout: 3s + retries: 5 + + redis: + image: redis:7-alpine + ports: + - "6379:6379" + volumes: + - redisdata:/data + + mailpit: # Local email testing + image: axllent/mailpit + ports: + - "8025:8025" # Web UI + - "1025:1025" # SMTP + +volumes: + pgdata: + redisdata: +``` + +### Development vs Production Dockerfile + +```dockerfile +# Stage: dependencies +FROM node:22-alpine AS deps +WORKDIR /app +COPY package.json package-lock.json ./ +RUN npm ci + +# Stage: dev (hot reload, debug tools) +FROM node:22-alpine AS dev +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +EXPOSE 3000 +CMD ["npm", "run", "dev"] + +# Stage: build +FROM node:22-alpine AS build +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +RUN npm run build && npm prune --production + +# Stage: production (minimal image) +FROM node:22-alpine AS production +WORKDIR /app +RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 +USER appuser +COPY --from=build --chown=appuser:appgroup /app/dist ./dist +COPY --from=build --chown=appuser:appgroup /app/node_modules ./node_modules +COPY --from=build --chown=appuser:appgroup /app/package.json ./ +ENV NODE_ENV=production +EXPOSE 3000 +HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:3000/health || exit 1 +CMD ["node", "dist/server.js"] +``` + +### Override Files + +```yaml +# docker-compose.override.yml (auto-loaded, dev-only settings) +services: + app: + environment: + - DEBUG=app:* + - LOG_LEVEL=debug + ports: + - "9229:9229" # Node.js debugger + +# docker-compose.prod.yml (explicit for production) +services: + app: + build: + target: production + restart: always + deploy: + resources: + limits: + cpus: "1.0" + memory: 512M +``` + +```bash +# Development (auto-loads override) +docker compose up + +# Production +docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d +``` + +## Networking + +### Service Discovery + +Services in the same Compose network resolve by service name: +``` +# From "app" container: +postgres://postgres:postgres@db:5432/app_dev # "db" resolves to the db container +redis://redis:6379/0 # "redis" resolves to the redis container +``` + +### Custom Networks + +```yaml +services: + frontend: + networks: + - frontend-net + + api: + networks: + - frontend-net + - backend-net + + db: + networks: + - backend-net # Only reachable from api, not frontend + +networks: + frontend-net: + backend-net: +``` + +### Exposing Only What's Needed + +```yaml +services: + db: + ports: + - "127.0.0.1:5432:5432" # Only accessible from host, not network + # Omit ports entirely in production -- accessible only within Docker network +``` + +## Volume Strategies + +```yaml +volumes: + # Named volume: persists across container restarts, managed by Docker + pgdata: + + # Bind mount: maps host directory into container (for development) + # - ./src:/app/src + + # Anonymous volume: preserves container-generated content from bind mount override + # - /app/node_modules +``` + +### Common Patterns + +```yaml +services: + app: + volumes: + - .:/app # Source code (bind mount for hot reload) + - /app/node_modules # Protect container's node_modules from host + - /app/.next # Protect build cache + + db: + volumes: + - pgdata:/var/lib/postgresql/data # Persistent data + - ./scripts/init.sql:/docker-entrypoint-initdb.d/init.sql # Init scripts +``` + +## Container Security + +### Dockerfile Hardening + +```dockerfile +# 1. Use specific tags (never :latest) +FROM node:22.12-alpine3.20 + +# 2. Run as non-root +RUN addgroup -g 1001 -S app && adduser -S app -u 1001 +USER app + +# 3. Drop capabilities (in compose) +# 4. Read-only root filesystem where possible +# 5. No secrets in image layers +``` + +### Compose Security + +```yaml +services: + app: + security_opt: + - no-new-privileges:true + read_only: true + tmpfs: + - /tmp + - /app/.cache + cap_drop: + - ALL + cap_add: + - NET_BIND_SERVICE # Only if binding to ports < 1024 +``` + +### Secret Management + +```yaml +# GOOD: Use environment variables (injected at runtime) +services: + app: + env_file: + - .env # Never commit .env to git + environment: + - API_KEY # Inherits from host environment + +# GOOD: Docker secrets (Swarm mode) +secrets: + db_password: + file: ./secrets/db_password.txt + +services: + db: + secrets: + - db_password + +# BAD: Hardcoded in image +# ENV API_KEY=sk-proj-xxxxx # NEVER DO THIS +``` + +## .dockerignore + +``` +node_modules +.git +.env +.env.* +dist +coverage +*.log +.next +.cache +docker-compose*.yml +Dockerfile* +README.md +tests/ +``` + +## Debugging + +### Common Commands + +```bash +# View logs +docker compose logs -f app # Follow app logs +docker compose logs --tail=50 db # Last 50 lines from db + +# Execute commands in running container +docker compose exec app sh # Shell into app +docker compose exec db psql -U postgres # Connect to postgres + +# Inspect +docker compose ps # Running services +docker compose top # Processes in each container +docker stats # Resource usage + +# Rebuild +docker compose up --build # Rebuild images +docker compose build --no-cache app # Force full rebuild + +# Clean up +docker compose down # Stop and remove containers +docker compose down -v # Also remove volumes (DESTRUCTIVE) +docker system prune # Remove unused images/containers +``` + +### Debugging Network Issues + +```bash +# Check DNS resolution inside container +docker compose exec app nslookup db + +# Check connectivity +docker compose exec app wget -qO- http://api:3000/health + +# Inspect network +docker network ls +docker network inspect _default +``` + +## Anti-Patterns + +``` +# BAD: Using docker compose in production without orchestration +# Use Kubernetes, ECS, or Docker Swarm for production multi-container workloads + +# BAD: Storing data in containers without volumes +# Containers are ephemeral -- all data lost on restart without volumes + +# BAD: Running as root +# Always create and use a non-root user + +# BAD: Using :latest tag +# Pin to specific versions for reproducible builds + +# BAD: One giant container with all services +# Separate concerns: one process per container + +# BAD: Putting secrets in docker-compose.yml +# Use .env files (gitignored) or Docker secrets +``` diff --git a/plugins/node/template/addons/claude-code/.claude/skills/security-review/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/security-review/SKILL.md new file mode 100644 index 0000000..af848b9 --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/security-review/SKILL.md @@ -0,0 +1,495 @@ +--- +name: security-review +description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns. +origin: ECC +--- + +# Security Review Skill + +This skill ensures all code follows security best practices and identifies potential vulnerabilities. + +## When to Activate + +- Implementing authentication or authorization +- Handling user input or file uploads +- Creating new API endpoints +- Working with secrets or credentials +- Implementing payment features +- Storing or transmitting sensitive data +- Integrating third-party APIs + +## Security Checklist + +### 1. Secrets Management + +#### FAIL: NEVER Do This +```typescript +const apiKey = "sk-proj-xxxxx" // Hardcoded secret +const dbPassword = "password123" // In source code +``` + +#### PASS: ALWAYS Do This +```typescript +const apiKey = process.env.OPENAI_API_KEY +const dbUrl = process.env.DATABASE_URL + +// Verify secrets exist +if (!apiKey) { + throw new Error('OPENAI_API_KEY not configured') +} +``` + +#### Verification Steps +- [ ] No hardcoded API keys, tokens, or passwords +- [ ] All secrets in environment variables +- [ ] `.env.local` in .gitignore +- [ ] No secrets in git history +- [ ] Production secrets in hosting platform (Vercel, Railway) + +### 2. Input Validation + +#### Always Validate User Input +```typescript +import { z } from 'zod' + +// Define validation schema +const CreateUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), + age: z.number().int().min(0).max(150) +}) + +// Validate before processing +export async function createUser(input: unknown) { + try { + const validated = CreateUserSchema.parse(input) + return await db.users.create(validated) + } catch (error) { + if (error instanceof z.ZodError) { + return { success: false, errors: error.errors } + } + throw error + } +} +``` + +#### File Upload Validation +```typescript +function validateFileUpload(file: File) { + // Size check (5MB max) + const maxSize = 5 * 1024 * 1024 + if (file.size > maxSize) { + throw new Error('File too large (max 5MB)') + } + + // Type check + const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'] + if (!allowedTypes.includes(file.type)) { + throw new Error('Invalid file type') + } + + // Extension check + const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'] + const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0] + if (!extension || !allowedExtensions.includes(extension)) { + throw new Error('Invalid file extension') + } + + return true +} +``` + +#### Verification Steps +- [ ] All user inputs validated with schemas +- [ ] File uploads restricted (size, type, extension) +- [ ] No direct use of user input in queries +- [ ] Whitelist validation (not blacklist) +- [ ] Error messages don't leak sensitive info + +### 3. SQL Injection Prevention + +#### FAIL: NEVER Concatenate SQL +```typescript +// DANGEROUS - SQL Injection vulnerability +const query = `SELECT * FROM users WHERE email = '${userEmail}'` +await db.query(query) +``` + +#### PASS: ALWAYS Use Parameterized Queries +```typescript +// Safe - parameterized query +const { data } = await supabase + .from('users') + .select('*') + .eq('email', userEmail) + +// Or with raw SQL +await db.query( + 'SELECT * FROM users WHERE email = $1', + [userEmail] +) +``` + +#### Verification Steps +- [ ] All database queries use parameterized queries +- [ ] No string concatenation in SQL +- [ ] ORM/query builder used correctly +- [ ] Supabase queries properly sanitized + +### 4. Authentication & Authorization + +#### JWT Token Handling +```typescript +// FAIL: WRONG: localStorage (vulnerable to XSS) +localStorage.setItem('token', token) + +// PASS: CORRECT: httpOnly cookies +res.setHeader('Set-Cookie', + `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`) +``` + +#### Authorization Checks +```typescript +export async function deleteUser(userId: string, requesterId: string) { + // ALWAYS verify authorization first + const requester = await db.users.findUnique({ + where: { id: requesterId } + }) + + if (requester.role !== 'admin') { + return NextResponse.json( + { error: 'Unauthorized' }, + { status: 403 } + ) + } + + // Proceed with deletion + await db.users.delete({ where: { id: userId } }) +} +``` + +#### Row Level Security (Supabase) +```sql +-- Enable RLS on all tables +ALTER TABLE users ENABLE ROW LEVEL SECURITY; + +-- Users can only view their own data +CREATE POLICY "Users view own data" + ON users FOR SELECT + USING (auth.uid() = id); + +-- Users can only update their own data +CREATE POLICY "Users update own data" + ON users FOR UPDATE + USING (auth.uid() = id); +``` + +#### Verification Steps +- [ ] Tokens stored in httpOnly cookies (not localStorage) +- [ ] Authorization checks before sensitive operations +- [ ] Row Level Security enabled in Supabase +- [ ] Role-based access control implemented +- [ ] Session management secure + +### 5. XSS Prevention + +#### Sanitize HTML +```typescript +import DOMPurify from 'isomorphic-dompurify' + +// ALWAYS sanitize user-provided HTML +function renderUserContent(html: string) { + const clean = DOMPurify.sanitize(html, { + ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'], + ALLOWED_ATTR: [] + }) + return
+} +``` + +#### Content Security Policy +```typescript +// next.config.js +const securityHeaders = [ + { + key: 'Content-Security-Policy', + value: ` + default-src 'self'; + script-src 'self' 'unsafe-eval' 'unsafe-inline'; + style-src 'self' 'unsafe-inline'; + img-src 'self' data: https:; + font-src 'self'; + connect-src 'self' https://api.example.com; + `.replace(/\s{2,}/g, ' ').trim() + } +] +``` + +#### Verification Steps +- [ ] User-provided HTML sanitized +- [ ] CSP headers configured +- [ ] No unvalidated dynamic content rendering +- [ ] React's built-in XSS protection used + +### 6. CSRF Protection + +#### CSRF Tokens +```typescript +import { csrf } from '@/lib/csrf' + +export async function POST(request: Request) { + const token = request.headers.get('X-CSRF-Token') + + if (!csrf.verify(token)) { + return NextResponse.json( + { error: 'Invalid CSRF token' }, + { status: 403 } + ) + } + + // Process request +} +``` + +#### SameSite Cookies +```typescript +res.setHeader('Set-Cookie', + `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`) +``` + +#### Verification Steps +- [ ] CSRF tokens on state-changing operations +- [ ] SameSite=Strict on all cookies +- [ ] Double-submit cookie pattern implemented + +### 7. Rate Limiting + +#### API Rate Limiting +```typescript +import rateLimit from 'express-rate-limit' + +const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // 100 requests per window + message: 'Too many requests' +}) + +// Apply to routes +app.use('/api/', limiter) +``` + +#### Expensive Operations +```typescript +// Aggressive rate limiting for searches +const searchLimiter = rateLimit({ + windowMs: 60 * 1000, // 1 minute + max: 10, // 10 requests per minute + message: 'Too many search requests' +}) + +app.use('/api/search', searchLimiter) +``` + +#### Verification Steps +- [ ] Rate limiting on all API endpoints +- [ ] Stricter limits on expensive operations +- [ ] IP-based rate limiting +- [ ] User-based rate limiting (authenticated) + +### 8. Sensitive Data Exposure + +#### Logging +```typescript +// FAIL: WRONG: Logging sensitive data +console.log('User login:', { email, password }) +console.log('Payment:', { cardNumber, cvv }) + +// PASS: CORRECT: Redact sensitive data +console.log('User login:', { email, userId }) +console.log('Payment:', { last4: card.last4, userId }) +``` + +#### Error Messages +```typescript +// FAIL: WRONG: Exposing internal details +catch (error) { + return NextResponse.json( + { error: error.message, stack: error.stack }, + { status: 500 } + ) +} + +// PASS: CORRECT: Generic error messages +catch (error) { + console.error('Internal error:', error) + return NextResponse.json( + { error: 'An error occurred. Please try again.' }, + { status: 500 } + ) +} +``` + +#### Verification Steps +- [ ] No passwords, tokens, or secrets in logs +- [ ] Error messages generic for users +- [ ] Detailed errors only in server logs +- [ ] No stack traces exposed to users + +### 9. Blockchain Security (Solana) + +#### Wallet Verification +```typescript +import { verify } from '@solana/web3.js' + +async function verifyWalletOwnership( + publicKey: string, + signature: string, + message: string +) { + try { + const isValid = verify( + Buffer.from(message), + Buffer.from(signature, 'base64'), + Buffer.from(publicKey, 'base64') + ) + return isValid + } catch (error) { + return false + } +} +``` + +#### Transaction Verification +```typescript +async function verifyTransaction(transaction: Transaction) { + // Verify recipient + if (transaction.to !== expectedRecipient) { + throw new Error('Invalid recipient') + } + + // Verify amount + if (transaction.amount > maxAmount) { + throw new Error('Amount exceeds limit') + } + + // Verify user has sufficient balance + const balance = await getBalance(transaction.from) + if (balance < transaction.amount) { + throw new Error('Insufficient balance') + } + + return true +} +``` + +#### Verification Steps +- [ ] Wallet signatures verified +- [ ] Transaction details validated +- [ ] Balance checks before transactions +- [ ] No blind transaction signing + +### 10. Dependency Security + +#### Regular Updates +```bash +# Check for vulnerabilities +npm audit + +# Fix automatically fixable issues +npm audit fix + +# Update dependencies +npm update + +# Check for outdated packages +npm outdated +``` + +#### Lock Files +```bash +# ALWAYS commit lock files +git add package-lock.json + +# Use in CI/CD for reproducible builds +npm ci # Instead of npm install +``` + +#### Verification Steps +- [ ] Dependencies up to date +- [ ] No known vulnerabilities (npm audit clean) +- [ ] Lock files committed +- [ ] Dependabot enabled on GitHub +- [ ] Regular security updates + +## Security Testing + +### Automated Security Tests +```typescript +// Test authentication +test('requires authentication', async () => { + const response = await fetch('/api/protected') + expect(response.status).toBe(401) +}) + +// Test authorization +test('requires admin role', async () => { + const response = await fetch('/api/admin', { + headers: { Authorization: `Bearer ${userToken}` } + }) + expect(response.status).toBe(403) +}) + +// Test input validation +test('rejects invalid input', async () => { + const response = await fetch('/api/users', { + method: 'POST', + body: JSON.stringify({ email: 'not-an-email' }) + }) + expect(response.status).toBe(400) +}) + +// Test rate limiting +test('enforces rate limits', async () => { + const requests = Array(101).fill(null).map(() => + fetch('/api/endpoint') + ) + + const responses = await Promise.all(requests) + const tooManyRequests = responses.filter(r => r.status === 429) + + expect(tooManyRequests.length).toBeGreaterThan(0) +}) +``` + +## Pre-Deployment Security Checklist + +Before ANY production deployment: + +- [ ] **Secrets**: No hardcoded secrets, all in env vars +- [ ] **Input Validation**: All user inputs validated +- [ ] **SQL Injection**: All queries parameterized +- [ ] **XSS**: User content sanitized +- [ ] **CSRF**: Protection enabled +- [ ] **Authentication**: Proper token handling +- [ ] **Authorization**: Role checks in place +- [ ] **Rate Limiting**: Enabled on all endpoints +- [ ] **HTTPS**: Enforced in production +- [ ] **Security Headers**: CSP, X-Frame-Options configured +- [ ] **Error Handling**: No sensitive data in errors +- [ ] **Logging**: No sensitive data logged +- [ ] **Dependencies**: Up to date, no vulnerabilities +- [ ] **Row Level Security**: Enabled in Supabase +- [ ] **CORS**: Properly configured +- [ ] **File Uploads**: Validated (size, type) +- [ ] **Wallet Signatures**: Verified (if blockchain) + +## Resources + +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Next.js Security](https://nextjs.org/docs/security) +- [Supabase Security](https://supabase.com/docs/guides/auth) +- [Web Security Academy](https://portswigger.net/web-security) + +--- + +**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution. diff --git a/plugins/node/template/addons/claude-code/.claude/skills/tdd-workflow/SKILL.md b/plugins/node/template/addons/claude-code/.claude/skills/tdd-workflow/SKILL.md new file mode 100644 index 0000000..76aaaa1 --- /dev/null +++ b/plugins/node/template/addons/claude-code/.claude/skills/tdd-workflow/SKILL.md @@ -0,0 +1,463 @@ +--- +name: tdd-workflow +description: Use this skill when writing new features, fixing bugs, or refactoring code. Enforces test-driven development with 80%+ coverage including unit, integration, and E2E tests. +origin: ECC +--- + +# Test-Driven Development Workflow + +This skill ensures all code development follows TDD principles with comprehensive test coverage. + +## When to Activate + +- Writing new features or functionality +- Fixing bugs or issues +- Refactoring existing code +- Adding API endpoints +- Creating new components + +## Core Principles + +### 1. Tests BEFORE Code +ALWAYS write tests first, then implement code to make tests pass. + +### 2. Coverage Requirements +- Minimum 80% coverage (unit + integration + E2E) +- All edge cases covered +- Error scenarios tested +- Boundary conditions verified + +### 3. Test Types + +#### Unit Tests +- Individual functions and utilities +- Component logic +- Pure functions +- Helpers and utilities + +#### Integration Tests +- API endpoints +- Database operations +- Service interactions +- External API calls + +#### E2E Tests (Playwright) +- Critical user flows +- Complete workflows +- Browser automation +- UI interactions + +### 4. Git Checkpoints +- If the repository is under Git, create a checkpoint commit after each TDD stage +- Do not squash or rewrite these checkpoint commits until the workflow is complete +- Each checkpoint commit message must describe the stage and the exact evidence captured +- Count only commits created on the current active branch for the current task +- Do not treat commits from other branches, earlier unrelated work, or distant branch history as valid checkpoint evidence +- Before treating a checkpoint as satisfied, verify that the commit is reachable from the current `HEAD` on the active branch and belongs to the current task sequence +- The preferred compact workflow is: + - one commit for failing test added and RED validated + - one commit for minimal fix applied and GREEN validated + - one optional commit for refactor complete +- Separate evidence-only commits are not required if the test commit clearly corresponds to RED and the fix commit clearly corresponds to GREEN + +## TDD Workflow Steps + +### Step 1: Write User Journeys +``` +As a [role], I want to [action], so that [benefit] + +Example: +As a user, I want to search for markets semantically, +so that I can find relevant markets even without exact keywords. +``` + +### Step 2: Generate Test Cases +For each user journey, create comprehensive test cases: + +```typescript +describe('Semantic Search', () => { + it('returns relevant markets for query', async () => { + // Test implementation + }) + + it('handles empty query gracefully', async () => { + // Test edge case + }) + + it('falls back to substring search when Redis unavailable', async () => { + // Test fallback behavior + }) + + it('sorts results by similarity score', async () => { + // Test sorting logic + }) +}) +``` + +### Step 3: Run Tests (They Should Fail) +```bash +npm test +# Tests should fail - we haven't implemented yet +``` + +This step is mandatory and is the RED gate for all production changes. + +Before modifying business logic or other production code, you must verify a valid RED state via one of these paths: +- Runtime RED: + - The relevant test target compiles successfully + - The new or changed test is actually executed + - The result is RED +- Compile-time RED: + - The new test newly instantiates, references, or exercises the buggy code path + - The compile failure is itself the intended RED signal +- In either case, the failure is caused by the intended business-logic bug, undefined behavior, or missing implementation +- The failure is not caused only by unrelated syntax errors, broken test setup, missing dependencies, or unrelated regressions + +A test that was only written but not compiled and executed does not count as RED. + +Do not edit production code until this RED state is confirmed. + +If the repository is under Git, create a checkpoint commit immediately after this stage is validated. +Recommended commit message format: +- `test: add reproducer for ` +- This commit may also serve as the RED validation checkpoint if the reproducer was compiled and executed and failed for the intended reason +- Verify that this checkpoint commit is on the current active branch before continuing + +### Step 4: Implement Code +Write minimal code to make tests pass: + +```typescript +// Implementation guided by tests +export async function searchMarkets(query: string) { + // Implementation here +} +``` + +If the repository is under Git, stage the minimal fix now but defer the checkpoint commit until GREEN is validated in Step 5. + +### Step 5: Run Tests Again +```bash +npm test +# Tests should now pass +``` + +Rerun the same relevant test target after the fix and confirm the previously failing test is now GREEN. + +Only after a valid GREEN result may you proceed to refactor. + +If the repository is under Git, create a checkpoint commit immediately after GREEN is validated. +Recommended commit message format: +- `fix: ` +- The fix commit may also serve as the GREEN validation checkpoint if the same relevant test target was rerun and passed +- Verify that this checkpoint commit is on the current active branch before continuing + +### Step 6: Refactor +Improve code quality while keeping tests green: +- Remove duplication +- Improve naming +- Optimize performance +- Enhance readability + +If the repository is under Git, create a checkpoint commit immediately after refactoring is complete and tests remain green. +Recommended commit message format: +- `refactor: clean up after implementation` +- Verify that this checkpoint commit is on the current active branch before considering the TDD cycle complete + +### Step 7: Verify Coverage +```bash +npm run test:coverage +# Verify 80%+ coverage achieved +``` + +## Testing Patterns + +### Unit Test Pattern (Jest/Vitest) +```typescript +import { render, screen, fireEvent } from '@testing-library/react' +import { Button } from './Button' + +describe('Button Component', () => { + it('renders with correct text', () => { + render() + expect(screen.getByText('Click me')).toBeInTheDocument() + }) + + it('calls onClick when clicked', () => { + const handleClick = jest.fn() + render() + + fireEvent.click(screen.getByRole('button')) + + expect(handleClick).toHaveBeenCalledTimes(1) + }) + + it('is disabled when disabled prop is true', () => { + render() + expect(screen.getByRole('button')).toBeDisabled() + }) +}) +``` + +### API Integration Test Pattern +```typescript +import { NextRequest } from 'next/server' +import { GET } from './route' + +describe('GET /api/markets', () => { + it('returns markets successfully', async () => { + const request = new NextRequest('http://localhost/api/markets') + const response = await GET(request) + const data = await response.json() + + expect(response.status).toBe(200) + expect(data.success).toBe(true) + expect(Array.isArray(data.data)).toBe(true) + }) + + it('validates query parameters', async () => { + const request = new NextRequest('http://localhost/api/markets?limit=invalid') + const response = await GET(request) + + expect(response.status).toBe(400) + }) + + it('handles database errors gracefully', async () => { + // Mock database failure + const request = new NextRequest('http://localhost/api/markets') + // Test error handling + }) +}) +``` + +### E2E Test Pattern (Playwright) +```typescript +import { test, expect } from '@playwright/test' + +test('user can search and filter markets', async ({ page }) => { + // Navigate to markets page + await page.goto('/') + await page.click('a[href="/markets"]') + + // Verify page loaded + await expect(page.locator('h1')).toContainText('Markets') + + // Search for markets + await page.fill('input[placeholder="Search markets"]', 'election') + + // Wait for debounce and results + await page.waitForTimeout(600) + + // Verify search results displayed + const results = page.locator('[data-testid="market-card"]') + await expect(results).toHaveCount(5, { timeout: 5000 }) + + // Verify results contain search term + const firstResult = results.first() + await expect(firstResult).toContainText('election', { ignoreCase: true }) + + // Filter by status + await page.click('button:has-text("Active")') + + // Verify filtered results + await expect(results).toHaveCount(3) +}) + +test('user can create a new market', async ({ page }) => { + // Login first + await page.goto('/creator-dashboard') + + // Fill market creation form + await page.fill('input[name="name"]', 'Test Market') + await page.fill('textarea[name="description"]', 'Test description') + await page.fill('input[name="endDate"]', '2025-12-31') + + // Submit form + await page.click('button[type="submit"]') + + // Verify success message + await expect(page.locator('text=Market created successfully')).toBeVisible() + + // Verify redirect to market page + await expect(page).toHaveURL(/\/markets\/test-market/) +}) +``` + +## Test File Organization + +``` +src/ +├── components/ +│ ├── Button/ +│ │ ├── Button.tsx +│ │ ├── Button.test.tsx # Unit tests +│ │ └── Button.stories.tsx # Storybook +│ └── MarketCard/ +│ ├── MarketCard.tsx +│ └── MarketCard.test.tsx +├── app/ +│ └── api/ +│ └── markets/ +│ ├── route.ts +│ └── route.test.ts # Integration tests +└── e2e/ + ├── markets.spec.ts # E2E tests + ├── trading.spec.ts + └── auth.spec.ts +``` + +## Mocking External Services + +### Supabase Mock +```typescript +jest.mock('@/lib/supabase', () => ({ + supabase: { + from: jest.fn(() => ({ + select: jest.fn(() => ({ + eq: jest.fn(() => Promise.resolve({ + data: [{ id: 1, name: 'Test Market' }], + error: null + })) + })) + })) + } +})) +``` + +### Redis Mock +```typescript +jest.mock('@/lib/redis', () => ({ + searchMarketsByVector: jest.fn(() => Promise.resolve([ + { slug: 'test-market', similarity_score: 0.95 } + ])), + checkRedisHealth: jest.fn(() => Promise.resolve({ connected: true })) +})) +``` + +### OpenAI Mock +```typescript +jest.mock('@/lib/openai', () => ({ + generateEmbedding: jest.fn(() => Promise.resolve( + new Array(1536).fill(0.1) // Mock 1536-dim embedding + )) +})) +``` + +## Test Coverage Verification + +### Run Coverage Report +```bash +npm run test:coverage +``` + +### Coverage Thresholds +```json +{ + "jest": { + "coverageThresholds": { + "global": { + "branches": 80, + "functions": 80, + "lines": 80, + "statements": 80 + } + } + } +} +``` + +## Common Testing Mistakes to Avoid + +### FAIL: WRONG: Testing Implementation Details +```typescript +// Don't test internal state +expect(component.state.count).toBe(5) +``` + +### PASS: CORRECT: Test User-Visible Behavior +```typescript +// Test what users see +expect(screen.getByText('Count: 5')).toBeInTheDocument() +``` + +### FAIL: WRONG: Brittle Selectors +```typescript +// Breaks easily +await page.click('.css-class-xyz') +``` + +### PASS: CORRECT: Semantic Selectors +```typescript +// Resilient to changes +await page.click('button:has-text("Submit")') +await page.click('[data-testid="submit-button"]') +``` + +### FAIL: WRONG: No Test Isolation +```typescript +// Tests depend on each other +test('creates user', () => { /* ... */ }) +test('updates same user', () => { /* depends on previous test */ }) +``` + +### PASS: CORRECT: Independent Tests +```typescript +// Each test sets up its own data +test('creates user', () => { + const user = createTestUser() + // Test logic +}) + +test('updates user', () => { + const user = createTestUser() + // Update logic +}) +``` + +## Continuous Testing + +### Watch Mode During Development +```bash +npm test -- --watch +# Tests run automatically on file changes +``` + +### Pre-Commit Hook +```bash +# Runs before every commit +npm test && npm run lint +``` + +### CI/CD Integration +```yaml +# GitHub Actions +- name: Run Tests + run: npm test -- --coverage +- name: Upload Coverage + uses: codecov/codecov-action@v3 +``` + +## Best Practices + +1. **Write Tests First** - Always TDD +2. **One Assert Per Test** - Focus on single behavior +3. **Descriptive Test Names** - Explain what's tested +4. **Arrange-Act-Assert** - Clear test structure +5. **Mock External Dependencies** - Isolate unit tests +6. **Test Edge Cases** - Null, undefined, empty, large +7. **Test Error Paths** - Not just happy paths +8. **Keep Tests Fast** - Unit tests < 50ms each +9. **Clean Up After Tests** - No side effects +10. **Review Coverage Reports** - Identify gaps + +## Success Metrics + +- 80%+ code coverage achieved +- All tests passing (green) +- No skipped or disabled tests +- Fast test execution (< 30s for unit tests) +- E2E tests cover critical user flows +- Tests catch bugs before production + +--- + +**Remember**: Tests are not optional. They are the safety net that enables confident refactoring, rapid development, and production reliability. diff --git a/plugins/node/template/addons/claude-code/CLAUDE.md b/plugins/node/template/addons/claude-code/CLAUDE.md new file mode 100644 index 0000000..c5a141c --- /dev/null +++ b/plugins/node/template/addons/claude-code/CLAUDE.md @@ -0,0 +1,58 @@ +# {{PROJECT_NAME}} + +## Stack +- Runtime: Node.js 18+ (TypeScript) +- Framework: Fastify v5 +- ORM: Prisma v7 +- Database: MariaDB / MySQL or PostgreSQL +- Cache: Redis 7 (ioredis) +- Auth: JWT (jsonwebtoken) +- Validation: Zod v4 + +## Common Commands +```bash +npm run dev # start dev server (watch mode) +npm run build # compile to dist/ +npm test # run Jest tests +npx prisma migrate dev --name # create and run migration +npx prisma studio # open Prisma GUI +npx prisma generate # regenerate client after schema change +``` + +## Architecture +``` +src/ +├── modules/ # feature modules — each has controller, service, routes, schema +├── plugins/ # Fastify plugins (prisma, redis, response) +├── middleware/ # auth, validation, rate-limit, error, logger +├── shared/ # utils, cache service, interfaces, types +├── config/ # env config validated by Zod +├── constants/ # error codes, regex +└── jobs/ # cron jobs (APScheduler-style via node-cron) +``` + +## Module convention +Each feature module follows: +``` +src/modules// +├── .controller.ts # request handlers +├── .service.ts # business logic +├── .routes.ts # route registration +└── .schema.ts # Zod schemas + TypeScript types +``` + +## Available Skills +Use these skills when working on this project: + +| Skill | When to use | +|-------|-------------| +| `/backend-patterns` | Fastify conventions, plugin patterns, module structure | +| `/api-design` | REST API design, response format, status codes | +| `/database-migrations` | Prisma schema changes, migration workflow | +| `/docker-patterns` | Docker & docker-compose setup | +| `/security-review` | Auth, JWT, input validation, OWASP checks | +| `/tdd-workflow` | Jest TDD approach, test structure | +| `/deployment-patterns` | CI/CD, environment config, production readiness | + +## Author +{{AUTHOR}} diff --git a/plugins/node/template/addons/cursor/.cursor/skills/api-design/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/api-design/skill.md new file mode 100644 index 0000000..a45aca0 --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/api-design/skill.md @@ -0,0 +1,523 @@ +--- +name: api-design +description: REST API design patterns including resource naming, status codes, pagination, filtering, error responses, versioning, and rate limiting for production APIs. +origin: ECC +--- + +# API Design Patterns + +Conventions and best practices for designing consistent, developer-friendly REST APIs. + +## When to Activate + +- Designing new API endpoints +- Reviewing existing API contracts +- Adding pagination, filtering, or sorting +- Implementing error handling for APIs +- Planning API versioning strategy +- Building public or partner-facing APIs + +## Resource Design + +### URL Structure + +``` +# Resources are nouns, plural, lowercase, kebab-case +GET /api/v1/users +GET /api/v1/users/:id +POST /api/v1/users +PUT /api/v1/users/:id +PATCH /api/v1/users/:id +DELETE /api/v1/users/:id + +# Sub-resources for relationships +GET /api/v1/users/:id/orders +POST /api/v1/users/:id/orders + +# Actions that don't map to CRUD (use verbs sparingly) +POST /api/v1/orders/:id/cancel +POST /api/v1/auth/login +POST /api/v1/auth/refresh +``` + +### Naming Rules + +``` +# GOOD +/api/v1/team-members # kebab-case for multi-word resources +/api/v1/orders?status=active # query params for filtering +/api/v1/users/123/orders # nested resources for ownership + +# BAD +/api/v1/getUsers # verb in URL +/api/v1/user # singular (use plural) +/api/v1/team_members # snake_case in URLs +/api/v1/users/123/getOrders # verb in nested resource +``` + +## HTTP Methods and Status Codes + +### Method Semantics + +| Method | Idempotent | Safe | Use For | +|--------|-----------|------|---------| +| GET | Yes | Yes | Retrieve resources | +| POST | No | No | Create resources, trigger actions | +| PUT | Yes | No | Full replacement of a resource | +| PATCH | No* | No | Partial update of a resource | +| DELETE | Yes | No | Remove a resource | + +*PATCH can be made idempotent with proper implementation + +### Status Code Reference + +``` +# Success +200 OK — GET, PUT, PATCH (with response body) +201 Created — POST (include Location header) +204 No Content — DELETE, PUT (no response body) + +# Client Errors +400 Bad Request — Validation failure, malformed JSON +401 Unauthorized — Missing or invalid authentication +403 Forbidden — Authenticated but not authorized +404 Not Found — Resource doesn't exist +409 Conflict — Duplicate entry, state conflict +422 Unprocessable Entity — Semantically invalid (valid JSON, bad data) +429 Too Many Requests — Rate limit exceeded + +# Server Errors +500 Internal Server Error — Unexpected failure (never expose details) +502 Bad Gateway — Upstream service failed +503 Service Unavailable — Temporary overload, include Retry-After +``` + +### Common Mistakes + +``` +# BAD: 200 for everything +{ "status": 200, "success": false, "error": "Not found" } + +# GOOD: Use HTTP status codes semantically +HTTP/1.1 404 Not Found +{ "error": { "code": "not_found", "message": "User not found" } } + +# BAD: 500 for validation errors +# GOOD: 400 or 422 with field-level details + +# BAD: 200 for created resources +# GOOD: 201 with Location header +HTTP/1.1 201 Created +Location: /api/v1/users/abc-123 +``` + +## Response Format + +### Success Response + +```json +{ + "data": { + "id": "abc-123", + "email": "alice@example.com", + "name": "Alice", + "created_at": "2025-01-15T10:30:00Z" + } +} +``` + +### Collection Response (with Pagination) + +```json +{ + "data": [ + { "id": "abc-123", "name": "Alice" }, + { "id": "def-456", "name": "Bob" } + ], + "meta": { + "total": 142, + "page": 1, + "per_page": 20, + "total_pages": 8 + }, + "links": { + "self": "/api/v1/users?page=1&per_page=20", + "next": "/api/v1/users?page=2&per_page=20", + "last": "/api/v1/users?page=8&per_page=20" + } +} +``` + +### Error Response + +```json +{ + "error": { + "code": "validation_error", + "message": "Request validation failed", + "details": [ + { + "field": "email", + "message": "Must be a valid email address", + "code": "invalid_format" + }, + { + "field": "age", + "message": "Must be between 0 and 150", + "code": "out_of_range" + } + ] + } +} +``` + +### Response Envelope Variants + +```typescript +// Option A: Envelope with data wrapper (recommended for public APIs) +interface ApiResponse { + data: T; + meta?: PaginationMeta; + links?: PaginationLinks; +} + +interface ApiError { + error: { + code: string; + message: string; + details?: FieldError[]; + }; +} + +// Option B: Flat response (simpler, common for internal APIs) +// Success: just return the resource directly +// Error: return error object +// Distinguish by HTTP status code +``` + +## Pagination + +### Offset-Based (Simple) + +``` +GET /api/v1/users?page=2&per_page=20 + +# Implementation +SELECT * FROM users +ORDER BY created_at DESC +LIMIT 20 OFFSET 20; +``` + +**Pros:** Easy to implement, supports "jump to page N" +**Cons:** Slow on large offsets (OFFSET 100000), inconsistent with concurrent inserts + +### Cursor-Based (Scalable) + +``` +GET /api/v1/users?cursor=eyJpZCI6MTIzfQ&limit=20 + +# Implementation +SELECT * FROM users +WHERE id > :cursor_id +ORDER BY id ASC +LIMIT 21; -- fetch one extra to determine has_next +``` + +```json +{ + "data": [...], + "meta": { + "has_next": true, + "next_cursor": "eyJpZCI6MTQzfQ" + } +} +``` + +**Pros:** Consistent performance regardless of position, stable with concurrent inserts +**Cons:** Cannot jump to arbitrary page, cursor is opaque + +### When to Use Which + +| Use Case | Pagination Type | +|----------|----------------| +| Admin dashboards, small datasets (<10K) | Offset | +| Infinite scroll, feeds, large datasets | Cursor | +| Public APIs | Cursor (default) with offset (optional) | +| Search results | Offset (users expect page numbers) | + +## Filtering, Sorting, and Search + +### Filtering + +``` +# Simple equality +GET /api/v1/orders?status=active&customer_id=abc-123 + +# Comparison operators (use bracket notation) +GET /api/v1/products?price[gte]=10&price[lte]=100 +GET /api/v1/orders?created_at[after]=2025-01-01 + +# Multiple values (comma-separated) +GET /api/v1/products?category=electronics,clothing + +# Nested fields (dot notation) +GET /api/v1/orders?customer.country=US +``` + +### Sorting + +``` +# Single field (prefix - for descending) +GET /api/v1/products?sort=-created_at + +# Multiple fields (comma-separated) +GET /api/v1/products?sort=-featured,price,-created_at +``` + +### Full-Text Search + +``` +# Search query parameter +GET /api/v1/products?q=wireless+headphones + +# Field-specific search +GET /api/v1/users?email=alice +``` + +### Sparse Fieldsets + +``` +# Return only specified fields (reduces payload) +GET /api/v1/users?fields=id,name,email +GET /api/v1/orders?fields=id,total,status&include=customer.name +``` + +## Authentication and Authorization + +### Token-Based Auth + +``` +# Bearer token in Authorization header +GET /api/v1/users +Authorization: Bearer eyJhbGciOiJIUzI1NiIs... + +# API key (for server-to-server) +GET /api/v1/data +X-API-Key: sk_live_abc123 +``` + +### Authorization Patterns + +```typescript +// Resource-level: check ownership +app.get("/api/v1/orders/:id", async (req, res) => { + const order = await Order.findById(req.params.id); + if (!order) return res.status(404).json({ error: { code: "not_found" } }); + if (order.userId !== req.user.id) return res.status(403).json({ error: { code: "forbidden" } }); + return res.json({ data: order }); +}); + +// Role-based: check permissions +app.delete("/api/v1/users/:id", requireRole("admin"), async (req, res) => { + await User.delete(req.params.id); + return res.status(204).send(); +}); +``` + +## Rate Limiting + +### Headers + +``` +HTTP/1.1 200 OK +X-RateLimit-Limit: 100 +X-RateLimit-Remaining: 95 +X-RateLimit-Reset: 1640000000 + +# When exceeded +HTTP/1.1 429 Too Many Requests +Retry-After: 60 +{ + "error": { + "code": "rate_limit_exceeded", + "message": "Rate limit exceeded. Try again in 60 seconds." + } +} +``` + +### Rate Limit Tiers + +| Tier | Limit | Window | Use Case | +|------|-------|--------|----------| +| Anonymous | 30/min | Per IP | Public endpoints | +| Authenticated | 100/min | Per user | Standard API access | +| Premium | 1000/min | Per API key | Paid API plans | +| Internal | 10000/min | Per service | Service-to-service | + +## Versioning + +### URL Path Versioning (Recommended) + +``` +/api/v1/users +/api/v2/users +``` + +**Pros:** Explicit, easy to route, cacheable +**Cons:** URL changes between versions + +### Header Versioning + +``` +GET /api/users +Accept: application/vnd.myapp.v2+json +``` + +**Pros:** Clean URLs +**Cons:** Harder to test, easy to forget + +### Versioning Strategy + +``` +1. Start with /api/v1/ — don't version until you need to +2. Maintain at most 2 active versions (current + previous) +3. Deprecation timeline: + - Announce deprecation (6 months notice for public APIs) + - Add Sunset header: Sunset: Sat, 01 Jan 2026 00:00:00 GMT + - Return 410 Gone after sunset date +4. Non-breaking changes don't need a new version: + - Adding new fields to responses + - Adding new optional query parameters + - Adding new endpoints +5. Breaking changes require a new version: + - Removing or renaming fields + - Changing field types + - Changing URL structure + - Changing authentication method +``` + +## Implementation Patterns + +### TypeScript (Next.js API Route) + +```typescript +import { z } from "zod"; +import { NextRequest, NextResponse } from "next/server"; + +const createUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), +}); + +export async function POST(req: NextRequest) { + const body = await req.json(); + const parsed = createUserSchema.safeParse(body); + + if (!parsed.success) { + return NextResponse.json({ + error: { + code: "validation_error", + message: "Request validation failed", + details: parsed.error.issues.map(i => ({ + field: i.path.join("."), + message: i.message, + code: i.code, + })), + }, + }, { status: 422 }); + } + + const user = await createUser(parsed.data); + + return NextResponse.json( + { data: user }, + { + status: 201, + headers: { Location: `/api/v1/users/${user.id}` }, + }, + ); +} +``` + +### Python (Django REST Framework) + +```python +from rest_framework import serializers, viewsets, status +from rest_framework.response import Response + +class CreateUserSerializer(serializers.Serializer): + email = serializers.EmailField() + name = serializers.CharField(max_length=100) + +class UserSerializer(serializers.ModelSerializer): + class Meta: + model = User + fields = ["id", "email", "name", "created_at"] + +class UserViewSet(viewsets.ModelViewSet): + serializer_class = UserSerializer + permission_classes = [IsAuthenticated] + + def get_serializer_class(self): + if self.action == "create": + return CreateUserSerializer + return UserSerializer + + def create(self, request): + serializer = CreateUserSerializer(data=request.data) + serializer.is_valid(raise_exception=True) + user = UserService.create(**serializer.validated_data) + return Response( + {"data": UserSerializer(user).data}, + status=status.HTTP_201_CREATED, + headers={"Location": f"/api/v1/users/{user.id}"}, + ) +``` + +### Go (net/http) + +```go +func (h *UserHandler) CreateUser(w http.ResponseWriter, r *http.Request) { + var req CreateUserRequest + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + writeError(w, http.StatusBadRequest, "invalid_json", "Invalid request body") + return + } + + if err := req.Validate(); err != nil { + writeError(w, http.StatusUnprocessableEntity, "validation_error", err.Error()) + return + } + + user, err := h.service.Create(r.Context(), req) + if err != nil { + switch { + case errors.Is(err, domain.ErrEmailTaken): + writeError(w, http.StatusConflict, "email_taken", "Email already registered") + default: + writeError(w, http.StatusInternalServerError, "internal_error", "Internal error") + } + return + } + + w.Header().Set("Location", fmt.Sprintf("/api/v1/users/%s", user.ID)) + writeJSON(w, http.StatusCreated, map[string]any{"data": user}) +} +``` + +## API Design Checklist + +Before shipping a new endpoint: + +- [ ] Resource URL follows naming conventions (plural, kebab-case, no verbs) +- [ ] Correct HTTP method used (GET for reads, POST for creates, etc.) +- [ ] Appropriate status codes returned (not 200 for everything) +- [ ] Input validated with schema (Zod, Pydantic, Bean Validation) +- [ ] Error responses follow standard format with codes and messages +- [ ] Pagination implemented for list endpoints (cursor or offset) +- [ ] Authentication required (or explicitly marked as public) +- [ ] Authorization checked (user can only access their own resources) +- [ ] Rate limiting configured +- [ ] Response does not leak internal details (stack traces, SQL errors) +- [ ] Consistent naming with existing endpoints (camelCase vs snake_case) +- [ ] Documented (OpenAPI/Swagger spec updated) diff --git a/plugins/node/template/addons/cursor/.cursor/skills/backend-patterns/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/backend-patterns/skill.md new file mode 100644 index 0000000..30898b4 --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/backend-patterns/skill.md @@ -0,0 +1,598 @@ +--- +name: backend-patterns +description: Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes. +origin: ECC +--- + +# Backend Development Patterns + +Backend architecture patterns and best practices for scalable server-side applications. + +## When to Activate + +- Designing REST or GraphQL API endpoints +- Implementing repository, service, or controller layers +- Optimizing database queries (N+1, indexing, connection pooling) +- Adding caching (Redis, in-memory, HTTP cache headers) +- Setting up background jobs or async processing +- Structuring error handling and validation for APIs +- Building middleware (auth, logging, rate limiting) + +## API Design Patterns + +### RESTful API Structure + +```typescript +// PASS: Resource-based URLs +GET /api/markets # List resources +GET /api/markets/:id # Get single resource +POST /api/markets # Create resource +PUT /api/markets/:id # Replace resource +PATCH /api/markets/:id # Update resource +DELETE /api/markets/:id # Delete resource + +// PASS: Query parameters for filtering, sorting, pagination +GET /api/markets?status=active&sort=volume&limit=20&offset=0 +``` + +### Repository Pattern + +```typescript +// Abstract data access logic +interface MarketRepository { + findAll(filters?: MarketFilters): Promise + findById(id: string): Promise + create(data: CreateMarketDto): Promise + update(id: string, data: UpdateMarketDto): Promise + delete(id: string): Promise +} + +class SupabaseMarketRepository implements MarketRepository { + async findAll(filters?: MarketFilters): Promise { + let query = supabase.from('markets').select('*') + + if (filters?.status) { + query = query.eq('status', filters.status) + } + + if (filters?.limit) { + query = query.limit(filters.limit) + } + + const { data, error } = await query + + if (error) throw new Error(error.message) + return data + } + + // Other methods... +} +``` + +### Service Layer Pattern + +```typescript +// Business logic separated from data access +class MarketService { + constructor(private marketRepo: MarketRepository) {} + + async searchMarkets(query: string, limit: number = 10): Promise { + // Business logic + const embedding = await generateEmbedding(query) + const results = await this.vectorSearch(embedding, limit) + + // Fetch full data + const markets = await this.marketRepo.findByIds(results.map(r => r.id)) + + // Sort by similarity + return markets.sort((a, b) => { + const scoreA = results.find(r => r.id === a.id)?.score || 0 + const scoreB = results.find(r => r.id === b.id)?.score || 0 + return scoreA - scoreB + }) + } + + private async vectorSearch(embedding: number[], limit: number) { + // Vector search implementation + } +} +``` + +### Middleware Pattern + +```typescript +// Request/response processing pipeline +export function withAuth(handler: NextApiHandler): NextApiHandler { + return async (req, res) => { + const token = req.headers.authorization?.replace('Bearer ', '') + + if (!token) { + return res.status(401).json({ error: 'Unauthorized' }) + } + + try { + const user = await verifyToken(token) + req.user = user + return handler(req, res) + } catch (error) { + return res.status(401).json({ error: 'Invalid token' }) + } + } +} + +// Usage +export default withAuth(async (req, res) => { + // Handler has access to req.user +}) +``` + +## Database Patterns + +### Query Optimization + +```typescript +// PASS: GOOD: Select only needed columns +const { data } = await supabase + .from('markets') + .select('id, name, status, volume') + .eq('status', 'active') + .order('volume', { ascending: false }) + .limit(10) + +// FAIL: BAD: Select everything +const { data } = await supabase + .from('markets') + .select('*') +``` + +### N+1 Query Prevention + +```typescript +// FAIL: BAD: N+1 query problem +const markets = await getMarkets() +for (const market of markets) { + market.creator = await getUser(market.creator_id) // N queries +} + +// PASS: GOOD: Batch fetch +const markets = await getMarkets() +const creatorIds = markets.map(m => m.creator_id) +const creators = await getUsers(creatorIds) // 1 query +const creatorMap = new Map(creators.map(c => [c.id, c])) + +markets.forEach(market => { + market.creator = creatorMap.get(market.creator_id) +}) +``` + +### Transaction Pattern + +```typescript +async function createMarketWithPosition( + marketData: CreateMarketDto, + positionData: CreatePositionDto +) { + // Use Supabase transaction + const { data, error } = await supabase.rpc('create_market_with_position', { + market_data: marketData, + position_data: positionData + }) + + if (error) throw new Error('Transaction failed') + return data +} + +// SQL function in Supabase +CREATE OR REPLACE FUNCTION create_market_with_position( + market_data jsonb, + position_data jsonb +) +RETURNS jsonb +LANGUAGE plpgsql +AS $$ +BEGIN + -- Start transaction automatically + INSERT INTO markets VALUES (market_data); + INSERT INTO positions VALUES (position_data); + RETURN jsonb_build_object('success', true); +EXCEPTION + WHEN OTHERS THEN + -- Rollback happens automatically + RETURN jsonb_build_object('success', false, 'error', SQLERRM); +END; +$$; +``` + +## Caching Strategies + +### Redis Caching Layer + +```typescript +class CachedMarketRepository implements MarketRepository { + constructor( + private baseRepo: MarketRepository, + private redis: RedisClient + ) {} + + async findById(id: string): Promise { + // Check cache first + const cached = await this.redis.get(`market:${id}`) + + if (cached) { + return JSON.parse(cached) + } + + // Cache miss - fetch from database + const market = await this.baseRepo.findById(id) + + if (market) { + // Cache for 5 minutes + await this.redis.setex(`market:${id}`, 300, JSON.stringify(market)) + } + + return market + } + + async invalidateCache(id: string): Promise { + await this.redis.del(`market:${id}`) + } +} +``` + +### Cache-Aside Pattern + +```typescript +async function getMarketWithCache(id: string): Promise { + const cacheKey = `market:${id}` + + // Try cache + const cached = await redis.get(cacheKey) + if (cached) return JSON.parse(cached) + + // Cache miss - fetch from DB + const market = await db.markets.findUnique({ where: { id } }) + + if (!market) throw new Error('Market not found') + + // Update cache + await redis.setex(cacheKey, 300, JSON.stringify(market)) + + return market +} +``` + +## Error Handling Patterns + +### Centralized Error Handler + +```typescript +class ApiError extends Error { + constructor( + public statusCode: number, + public message: string, + public isOperational = true + ) { + super(message) + Object.setPrototypeOf(this, ApiError.prototype) + } +} + +export function errorHandler(error: unknown, req: Request): Response { + if (error instanceof ApiError) { + return NextResponse.json({ + success: false, + error: error.message + }, { status: error.statusCode }) + } + + if (error instanceof z.ZodError) { + return NextResponse.json({ + success: false, + error: 'Validation failed', + details: error.errors + }, { status: 400 }) + } + + // Log unexpected errors + console.error('Unexpected error:', error) + + return NextResponse.json({ + success: false, + error: 'Internal server error' + }, { status: 500 }) +} + +// Usage +export async function GET(request: Request) { + try { + const data = await fetchData() + return NextResponse.json({ success: true, data }) + } catch (error) { + return errorHandler(error, request) + } +} +``` + +### Retry with Exponential Backoff + +```typescript +async function fetchWithRetry( + fn: () => Promise, + maxRetries = 3 +): Promise { + let lastError: Error + + for (let i = 0; i < maxRetries; i++) { + try { + return await fn() + } catch (error) { + lastError = error as Error + + if (i < maxRetries - 1) { + // Exponential backoff: 1s, 2s, 4s + const delay = Math.pow(2, i) * 1000 + await new Promise(resolve => setTimeout(resolve, delay)) + } + } + } + + throw lastError! +} + +// Usage +const data = await fetchWithRetry(() => fetchFromAPI()) +``` + +## Authentication & Authorization + +### JWT Token Validation + +```typescript +import jwt from 'jsonwebtoken' + +interface JWTPayload { + userId: string + email: string + role: 'admin' | 'user' +} + +export function verifyToken(token: string): JWTPayload { + try { + const payload = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload + return payload + } catch (error) { + throw new ApiError(401, 'Invalid token') + } +} + +export async function requireAuth(request: Request) { + const token = request.headers.get('authorization')?.replace('Bearer ', '') + + if (!token) { + throw new ApiError(401, 'Missing authorization token') + } + + return verifyToken(token) +} + +// Usage in API route +export async function GET(request: Request) { + const user = await requireAuth(request) + + const data = await getDataForUser(user.userId) + + return NextResponse.json({ success: true, data }) +} +``` + +### Role-Based Access Control + +```typescript +type Permission = 'read' | 'write' | 'delete' | 'admin' + +interface User { + id: string + role: 'admin' | 'moderator' | 'user' +} + +const rolePermissions: Record = { + admin: ['read', 'write', 'delete', 'admin'], + moderator: ['read', 'write', 'delete'], + user: ['read', 'write'] +} + +export function hasPermission(user: User, permission: Permission): boolean { + return rolePermissions[user.role].includes(permission) +} + +export function requirePermission(permission: Permission) { + return (handler: (request: Request, user: User) => Promise) => { + return async (request: Request) => { + const user = await requireAuth(request) + + if (!hasPermission(user, permission)) { + throw new ApiError(403, 'Insufficient permissions') + } + + return handler(request, user) + } + } +} + +// Usage - HOF wraps the handler +export const DELETE = requirePermission('delete')( + async (request: Request, user: User) => { + // Handler receives authenticated user with verified permission + return new Response('Deleted', { status: 200 }) + } +) +``` + +## Rate Limiting + +### Simple In-Memory Rate Limiter + +```typescript +class RateLimiter { + private requests = new Map() + + async checkLimit( + identifier: string, + maxRequests: number, + windowMs: number + ): Promise { + const now = Date.now() + const requests = this.requests.get(identifier) || [] + + // Remove old requests outside window + const recentRequests = requests.filter(time => now - time < windowMs) + + if (recentRequests.length >= maxRequests) { + return false // Rate limit exceeded + } + + // Add current request + recentRequests.push(now) + this.requests.set(identifier, recentRequests) + + return true + } +} + +const limiter = new RateLimiter() + +export async function GET(request: Request) { + const ip = request.headers.get('x-forwarded-for') || 'unknown' + + const allowed = await limiter.checkLimit(ip, 100, 60000) // 100 req/min + + if (!allowed) { + return NextResponse.json({ + error: 'Rate limit exceeded' + }, { status: 429 }) + } + + // Continue with request +} +``` + +## Background Jobs & Queues + +### Simple Queue Pattern + +```typescript +class JobQueue { + private queue: T[] = [] + private processing = false + + async add(job: T): Promise { + this.queue.push(job) + + if (!this.processing) { + this.process() + } + } + + private async process(): Promise { + this.processing = true + + while (this.queue.length > 0) { + const job = this.queue.shift()! + + try { + await this.execute(job) + } catch (error) { + console.error('Job failed:', error) + } + } + + this.processing = false + } + + private async execute(job: T): Promise { + // Job execution logic + } +} + +// Usage for indexing markets +interface IndexJob { + marketId: string +} + +const indexQueue = new JobQueue() + +export async function POST(request: Request) { + const { marketId } = await request.json() + + // Add to queue instead of blocking + await indexQueue.add({ marketId }) + + return NextResponse.json({ success: true, message: 'Job queued' }) +} +``` + +## Logging & Monitoring + +### Structured Logging + +```typescript +interface LogContext { + userId?: string + requestId?: string + method?: string + path?: string + [key: string]: unknown +} + +class Logger { + log(level: 'info' | 'warn' | 'error', message: string, context?: LogContext) { + const entry = { + timestamp: new Date().toISOString(), + level, + message, + ...context + } + + console.log(JSON.stringify(entry)) + } + + info(message: string, context?: LogContext) { + this.log('info', message, context) + } + + warn(message: string, context?: LogContext) { + this.log('warn', message, context) + } + + error(message: string, error: Error, context?: LogContext) { + this.log('error', message, { + ...context, + error: error.message, + stack: error.stack + }) + } +} + +const logger = new Logger() + +// Usage +export async function GET(request: Request) { + const requestId = crypto.randomUUID() + + logger.info('Fetching markets', { + requestId, + method: 'GET', + path: '/api/markets' + }) + + try { + const markets = await fetchMarkets() + return NextResponse.json({ success: true, data: markets }) + } catch (error) { + logger.error('Failed to fetch markets', error as Error, { requestId }) + return NextResponse.json({ error: 'Internal error' }, { status: 500 }) + } +} +``` + +**Remember**: Backend patterns enable scalable, maintainable server-side applications. Choose patterns that fit your complexity level. diff --git a/plugins/node/template/addons/cursor/.cursor/skills/database-migrations/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/database-migrations/skill.md new file mode 100644 index 0000000..b1562c2 --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/database-migrations/skill.md @@ -0,0 +1,429 @@ +--- +name: database-migrations +description: Database migration best practices for schema changes, data migrations, rollbacks, and zero-downtime deployments across PostgreSQL, MySQL, and common ORMs (Prisma, Drizzle, Kysely, Django, TypeORM, golang-migrate). +origin: ECC +--- + +# Database Migration Patterns + +Safe, reversible database schema changes for production systems. + +## When to Activate + +- Creating or altering database tables +- Adding/removing columns or indexes +- Running data migrations (backfill, transform) +- Planning zero-downtime schema changes +- Setting up migration tooling for a new project + +## Core Principles + +1. **Every change is a migration** — never alter production databases manually +2. **Migrations are forward-only in production** — rollbacks use new forward migrations +3. **Schema and data migrations are separate** — never mix DDL and DML in one migration +4. **Test migrations against production-sized data** — a migration that works on 100 rows may lock on 10M +5. **Migrations are immutable once deployed** — never edit a migration that has run in production + +## Migration Safety Checklist + +Before applying any migration: + +- [ ] Migration has both UP and DOWN (or is explicitly marked irreversible) +- [ ] No full table locks on large tables (use concurrent operations) +- [ ] New columns have defaults or are nullable (never add NOT NULL without default) +- [ ] Indexes created concurrently (not inline with CREATE TABLE for existing tables) +- [ ] Data backfill is a separate migration from schema change +- [ ] Tested against a copy of production data +- [ ] Rollback plan documented + +## PostgreSQL Patterns + +### Adding a Column Safely + +```sql +-- GOOD: Nullable column, no lock +ALTER TABLE users ADD COLUMN avatar_url TEXT; + +-- GOOD: Column with default (Postgres 11+ is instant, no rewrite) +ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT true; + +-- BAD: NOT NULL without default on existing table (requires full rewrite) +ALTER TABLE users ADD COLUMN role TEXT NOT NULL; +-- This locks the table and rewrites every row +``` + +### Adding an Index Without Downtime + +```sql +-- BAD: Blocks writes on large tables +CREATE INDEX idx_users_email ON users (email); + +-- GOOD: Non-blocking, allows concurrent writes +CREATE INDEX CONCURRENTLY idx_users_email ON users (email); + +-- Note: CONCURRENTLY cannot run inside a transaction block +-- Most migration tools need special handling for this +``` + +### Renaming a Column (Zero-Downtime) + +Never rename directly in production. Use the expand-contract pattern: + +```sql +-- Step 1: Add new column (migration 001) +ALTER TABLE users ADD COLUMN display_name TEXT; + +-- Step 2: Backfill data (migration 002, data migration) +UPDATE users SET display_name = username WHERE display_name IS NULL; + +-- Step 3: Update application code to read/write both columns +-- Deploy application changes + +-- Step 4: Stop writing to old column, drop it (migration 003) +ALTER TABLE users DROP COLUMN username; +``` + +### Removing a Column Safely + +```sql +-- Step 1: Remove all application references to the column +-- Step 2: Deploy application without the column reference +-- Step 3: Drop column in next migration +ALTER TABLE orders DROP COLUMN legacy_status; + +-- For Django: use SeparateDatabaseAndState to remove from model +-- without generating DROP COLUMN (then drop in next migration) +``` + +### Large Data Migrations + +```sql +-- BAD: Updates all rows in one transaction (locks table) +UPDATE users SET normalized_email = LOWER(email); + +-- GOOD: Batch update with progress +DO $$ +DECLARE + batch_size INT := 10000; + rows_updated INT; +BEGIN + LOOP + UPDATE users + SET normalized_email = LOWER(email) + WHERE id IN ( + SELECT id FROM users + WHERE normalized_email IS NULL + LIMIT batch_size + FOR UPDATE SKIP LOCKED + ); + GET DIAGNOSTICS rows_updated = ROW_COUNT; + RAISE NOTICE 'Updated % rows', rows_updated; + EXIT WHEN rows_updated = 0; + COMMIT; + END LOOP; +END $$; +``` + +## Prisma (TypeScript/Node.js) + +### Workflow + +```bash +# Create migration from schema changes +npx prisma migrate dev --name add_user_avatar + +# Apply pending migrations in production +npx prisma migrate deploy + +# Reset database (dev only) +npx prisma migrate reset + +# Generate client after schema changes +npx prisma generate +``` + +### Schema Example + +```prisma +model User { + id String @id @default(cuid()) + email String @unique + name String? + avatarUrl String? @map("avatar_url") + createdAt DateTime @default(now()) @map("created_at") + updatedAt DateTime @updatedAt @map("updated_at") + orders Order[] + + @@map("users") + @@index([email]) +} +``` + +### Custom SQL Migration + +For operations Prisma cannot express (concurrent indexes, data backfills): + +```bash +# Create empty migration, then edit the SQL manually +npx prisma migrate dev --create-only --name add_email_index +``` + +```sql +-- migrations/20240115_add_email_index/migration.sql +-- Prisma cannot generate CONCURRENTLY, so we write it manually +CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_users_email ON users (email); +``` + +## Drizzle (TypeScript/Node.js) + +### Workflow + +```bash +# Generate migration from schema changes +npx drizzle-kit generate + +# Apply migrations +npx drizzle-kit migrate + +# Push schema directly (dev only, no migration file) +npx drizzle-kit push +``` + +### Schema Example + +```typescript +import { pgTable, text, timestamp, uuid, boolean } from "drizzle-orm/pg-core"; + +export const users = pgTable("users", { + id: uuid("id").primaryKey().defaultRandom(), + email: text("email").notNull().unique(), + name: text("name"), + isActive: boolean("is_active").notNull().default(true), + createdAt: timestamp("created_at").notNull().defaultNow(), + updatedAt: timestamp("updated_at").notNull().defaultNow(), +}); +``` + +## Kysely (TypeScript/Node.js) + +### Workflow (kysely-ctl) + +```bash +# Initialize config file (kysely.config.ts) +kysely init + +# Create a new migration file +kysely migrate make add_user_avatar + +# Apply all pending migrations +kysely migrate latest + +# Rollback last migration +kysely migrate down + +# Show migration status +kysely migrate list +``` + +### Migration File + +```typescript +// migrations/2024_01_15_001_create_user_profile.ts +import { type Kysely, sql } from 'kysely' + +// IMPORTANT: Always use Kysely, not your typed DB interface. +// Migrations are frozen in time and must not depend on current schema types. +export async function up(db: Kysely): Promise { + await db.schema + .createTable('user_profile') + .addColumn('id', 'serial', (col) => col.primaryKey()) + .addColumn('email', 'varchar(255)', (col) => col.notNull().unique()) + .addColumn('avatar_url', 'text') + .addColumn('created_at', 'timestamp', (col) => + col.defaultTo(sql`now()`).notNull() + ) + .execute() + + await db.schema + .createIndex('idx_user_profile_avatar') + .on('user_profile') + .column('avatar_url') + .execute() +} + +export async function down(db: Kysely): Promise { + await db.schema.dropTable('user_profile').execute() +} +``` + +### Programmatic Migrator + +```typescript +import { Migrator, FileMigrationProvider } from 'kysely' +import { promises as fs } from 'fs' +import * as path from 'path' +// ESM only — CJS can use __dirname directly +import { fileURLToPath } from 'url' +const migrationFolder = path.join( + path.dirname(fileURLToPath(import.meta.url)), + './migrations', +) + +// `db` is your Kysely database instance +const migrator = new Migrator({ + db, + provider: new FileMigrationProvider({ + fs, + path, + migrationFolder, + }), + // WARNING: Only enable in development. Disables timestamp-ordering + // validation, which can cause schema drift between environments. + // allowUnorderedMigrations: true, +}) + +const { error, results } = await migrator.migrateToLatest() + +results?.forEach((it) => { + if (it.status === 'Success') { + console.log(`migration "${it.migrationName}" executed successfully`) + } else if (it.status === 'Error') { + console.error(`failed to execute migration "${it.migrationName}"`) + } +}) + +if (error) { + console.error('migration failed', error) + process.exit(1) +} +``` + +## Django (Python) + +### Workflow + +```bash +# Generate migration from model changes +python manage.py makemigrations + +# Apply migrations +python manage.py migrate + +# Show migration status +python manage.py showmigrations + +# Generate empty migration for custom SQL +python manage.py makemigrations --empty app_name -n description +``` + +### Data Migration + +```python +from django.db import migrations + +def backfill_display_names(apps, schema_editor): + User = apps.get_model("accounts", "User") + batch_size = 5000 + users = User.objects.filter(display_name="") + while users.exists(): + batch = list(users[:batch_size]) + for user in batch: + user.display_name = user.username + User.objects.bulk_update(batch, ["display_name"], batch_size=batch_size) + +def reverse_backfill(apps, schema_editor): + pass # Data migration, no reverse needed + +class Migration(migrations.Migration): + dependencies = [("accounts", "0015_add_display_name")] + + operations = [ + migrations.RunPython(backfill_display_names, reverse_backfill), + ] +``` + +### SeparateDatabaseAndState + +Remove a column from the Django model without dropping it from the database immediately: + +```python +class Migration(migrations.Migration): + operations = [ + migrations.SeparateDatabaseAndState( + state_operations=[ + migrations.RemoveField(model_name="user", name="legacy_field"), + ], + database_operations=[], # Don't touch the DB yet + ), + ] +``` + +## golang-migrate (Go) + +### Workflow + +```bash +# Create migration pair +migrate create -ext sql -dir migrations -seq add_user_avatar + +# Apply all pending migrations +migrate -path migrations -database "$DATABASE_URL" up + +# Rollback last migration +migrate -path migrations -database "$DATABASE_URL" down 1 + +# Force version (fix dirty state) +migrate -path migrations -database "$DATABASE_URL" force VERSION +``` + +### Migration Files + +```sql +-- migrations/000003_add_user_avatar.up.sql +ALTER TABLE users ADD COLUMN avatar_url TEXT; +CREATE INDEX CONCURRENTLY idx_users_avatar ON users (avatar_url) WHERE avatar_url IS NOT NULL; + +-- migrations/000003_add_user_avatar.down.sql +DROP INDEX IF EXISTS idx_users_avatar; +ALTER TABLE users DROP COLUMN IF EXISTS avatar_url; +``` + +## Zero-Downtime Migration Strategy + +For critical production changes, follow the expand-contract pattern: + +``` +Phase 1: EXPAND + - Add new column/table (nullable or with default) + - Deploy: app writes to BOTH old and new + - Backfill existing data + +Phase 2: MIGRATE + - Deploy: app reads from NEW, writes to BOTH + - Verify data consistency + +Phase 3: CONTRACT + - Deploy: app only uses NEW + - Drop old column/table in separate migration +``` + +### Timeline Example + +``` +Day 1: Migration adds new_status column (nullable) +Day 1: Deploy app v2 — writes to both status and new_status +Day 2: Run backfill migration for existing rows +Day 3: Deploy app v3 — reads from new_status only +Day 7: Migration drops old status column +``` + +## Anti-Patterns + +| Anti-Pattern | Why It Fails | Better Approach | +|-------------|-------------|-----------------| +| Manual SQL in production | No audit trail, unrepeatable | Always use migration files | +| Editing deployed migrations | Causes drift between environments | Create new migration instead | +| NOT NULL without default | Locks table, rewrites all rows | Add nullable, backfill, then add constraint | +| Inline index on large table | Blocks writes during build | CREATE INDEX CONCURRENTLY | +| Schema + data in one migration | Hard to rollback, long transactions | Separate migrations | +| Dropping column before removing code | Application errors on missing column | Remove code first, drop column next deploy | diff --git a/plugins/node/template/addons/cursor/.cursor/skills/deployment-patterns/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/deployment-patterns/skill.md new file mode 100644 index 0000000..bcccaf9 --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/deployment-patterns/skill.md @@ -0,0 +1,427 @@ +--- +name: deployment-patterns +description: Deployment workflows, CI/CD pipeline patterns, Docker containerization, health checks, rollback strategies, and production readiness checklists for web applications. +origin: ECC +--- + +# Deployment Patterns + +Production deployment workflows and CI/CD best practices. + +## When to Activate + +- Setting up CI/CD pipelines +- Dockerizing an application +- Planning deployment strategy (blue-green, canary, rolling) +- Implementing health checks and readiness probes +- Preparing for a production release +- Configuring environment-specific settings + +## Deployment Strategies + +### Rolling Deployment (Default) + +Replace instances gradually — old and new versions run simultaneously during rollout. + +``` +Instance 1: v1 → v2 (update first) +Instance 2: v1 (still running v1) +Instance 3: v1 (still running v1) + +Instance 1: v2 +Instance 2: v1 → v2 (update second) +Instance 3: v1 + +Instance 1: v2 +Instance 2: v2 +Instance 3: v1 → v2 (update last) +``` + +**Pros:** Zero downtime, gradual rollout +**Cons:** Two versions run simultaneously — requires backward-compatible changes +**Use when:** Standard deployments, backward-compatible changes + +### Blue-Green Deployment + +Run two identical environments. Switch traffic atomically. + +``` +Blue (v1) ← traffic +Green (v2) idle, running new version + +# After verification: +Blue (v1) idle (becomes standby) +Green (v2) ← traffic +``` + +**Pros:** Instant rollback (switch back to blue), clean cutover +**Cons:** Requires 2x infrastructure during deployment +**Use when:** Critical services, zero-tolerance for issues + +### Canary Deployment + +Route a small percentage of traffic to the new version first. + +``` +v1: 95% of traffic +v2: 5% of traffic (canary) + +# If metrics look good: +v1: 50% of traffic +v2: 50% of traffic + +# Final: +v2: 100% of traffic +``` + +**Pros:** Catches issues with real traffic before full rollout +**Cons:** Requires traffic splitting infrastructure, monitoring +**Use when:** High-traffic services, risky changes, feature flags + +## Docker + +### Multi-Stage Dockerfile (Node.js) + +```dockerfile +# Stage 1: Install dependencies +FROM node:22-alpine AS deps +WORKDIR /app +COPY package.json package-lock.json ./ +RUN npm ci --production=false + +# Stage 2: Build +FROM node:22-alpine AS builder +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +RUN npm run build +RUN npm prune --production + +# Stage 3: Production image +FROM node:22-alpine AS runner +WORKDIR /app + +RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 +USER appuser + +COPY --from=builder --chown=appuser:appgroup /app/node_modules ./node_modules +COPY --from=builder --chown=appuser:appgroup /app/dist ./dist +COPY --from=builder --chown=appuser:appgroup /app/package.json ./ + +ENV NODE_ENV=production +EXPOSE 3000 + +HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ + CMD wget --no-verbose --tries=1 --spider http://localhost:3000/health || exit 1 + +CMD ["node", "dist/server.js"] +``` + +### Multi-Stage Dockerfile (Go) + +```dockerfile +FROM golang:1.22-alpine AS builder +WORKDIR /app +COPY go.mod go.sum ./ +RUN go mod download +COPY . . +RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /server ./cmd/server + +FROM alpine:3.19 AS runner +RUN apk --no-cache add ca-certificates +RUN adduser -D -u 1001 appuser +USER appuser + +COPY --from=builder /server /server + +EXPOSE 8080 +HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:8080/health || exit 1 +CMD ["/server"] +``` + +### Multi-Stage Dockerfile (Python/Django) + +```dockerfile +FROM python:3.12-slim AS builder +WORKDIR /app +RUN pip install --no-cache-dir uv +COPY requirements.txt . +RUN uv pip install --system --no-cache -r requirements.txt + +FROM python:3.12-slim AS runner +WORKDIR /app + +RUN useradd -r -u 1001 appuser +USER appuser + +COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages +COPY --from=builder /usr/local/bin /usr/local/bin +COPY . . + +ENV PYTHONUNBUFFERED=1 +EXPOSE 8000 + +HEALTHCHECK --interval=30s --timeout=3s CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health/')" || exit 1 +CMD ["gunicorn", "config.wsgi:application", "--bind", "0.0.0.0:8000", "--workers", "4"] +``` + +### Docker Best Practices + +``` +# GOOD practices +- Use specific version tags (node:22-alpine, not node:latest) +- Multi-stage builds to minimize image size +- Run as non-root user +- Copy dependency files first (layer caching) +- Use .dockerignore to exclude node_modules, .git, tests +- Add HEALTHCHECK instruction +- Set resource limits in docker-compose or k8s + +# BAD practices +- Running as root +- Using :latest tags +- Copying entire repo in one COPY layer +- Installing dev dependencies in production image +- Storing secrets in image (use env vars or secrets manager) +``` + +## CI/CD Pipeline + +### GitHub Actions (Standard Pipeline) + +```yaml +name: CI/CD + +on: + push: + branches: [main] + pull_request: + branches: [main] + +jobs: + test: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 + with: + node-version: 22 + cache: npm + - run: npm ci + - run: npm run lint + - run: npm run typecheck + - run: npm test -- --coverage + - uses: actions/upload-artifact@v4 + if: always() + with: + name: coverage + path: coverage/ + + build: + needs: test + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + steps: + - uses: actions/checkout@v4 + - uses: docker/setup-buildx-action@v3 + - uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - uses: docker/build-push-action@v5 + with: + push: true + tags: ghcr.io/${{ github.repository }}:${{ github.sha }} + cache-from: type=gha + cache-to: type=gha,mode=max + + deploy: + needs: build + runs-on: ubuntu-latest + if: github.ref == 'refs/heads/main' + environment: production + steps: + - name: Deploy to production + run: | + # Platform-specific deployment command + # Railway: railway up + # Vercel: vercel --prod + # K8s: kubectl set image deployment/app app=ghcr.io/${{ github.repository }}:${{ github.sha }} + echo "Deploying ${{ github.sha }}" +``` + +### Pipeline Stages + +``` +PR opened: + lint → typecheck → unit tests → integration tests → preview deploy + +Merged to main: + lint → typecheck → unit tests → integration tests → build image → deploy staging → smoke tests → deploy production +``` + +## Health Checks + +### Health Check Endpoint + +```typescript +// Simple health check +app.get("/health", (req, res) => { + res.status(200).json({ status: "ok" }); +}); + +// Detailed health check (for internal monitoring) +app.get("/health/detailed", async (req, res) => { + const checks = { + database: await checkDatabase(), + redis: await checkRedis(), + externalApi: await checkExternalApi(), + }; + + const allHealthy = Object.values(checks).every(c => c.status === "ok"); + + res.status(allHealthy ? 200 : 503).json({ + status: allHealthy ? "ok" : "degraded", + timestamp: new Date().toISOString(), + version: process.env.APP_VERSION || "unknown", + uptime: process.uptime(), + checks, + }); +}); + +async function checkDatabase(): Promise { + try { + await db.query("SELECT 1"); + return { status: "ok", latency_ms: 2 }; + } catch (err) { + return { status: "error", message: "Database unreachable" }; + } +} +``` + +### Kubernetes Probes + +```yaml +livenessProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 10 + periodSeconds: 30 + failureThreshold: 3 + +readinessProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 5 + periodSeconds: 10 + failureThreshold: 2 + +startupProbe: + httpGet: + path: /health + port: 3000 + initialDelaySeconds: 0 + periodSeconds: 5 + failureThreshold: 30 # 30 * 5s = 150s max startup time +``` + +## Environment Configuration + +### Twelve-Factor App Pattern + +```bash +# All config via environment variables — never in code +DATABASE_URL=postgres://user:pass@host:5432/db +REDIS_URL=redis://host:6379/0 +API_KEY=${API_KEY} # injected by secrets manager +LOG_LEVEL=info +PORT=3000 + +# Environment-specific behavior +NODE_ENV=production # or staging, development +APP_ENV=production # explicit app environment +``` + +### Configuration Validation + +```typescript +import { z } from "zod"; + +const envSchema = z.object({ + NODE_ENV: z.enum(["development", "staging", "production"]), + PORT: z.coerce.number().default(3000), + DATABASE_URL: z.string().url(), + REDIS_URL: z.string().url(), + JWT_SECRET: z.string().min(32), + LOG_LEVEL: z.enum(["debug", "info", "warn", "error"]).default("info"), +}); + +// Validate at startup — fail fast if config is wrong +export const env = envSchema.parse(process.env); +``` + +## Rollback Strategy + +### Instant Rollback + +```bash +# Docker/Kubernetes: point to previous image +kubectl rollout undo deployment/app + +# Vercel: promote previous deployment +vercel rollback + +# Railway: redeploy previous commit +railway up --commit + +# Database: rollback migration (if reversible) +npx prisma migrate resolve --rolled-back +``` + +### Rollback Checklist + +- [ ] Previous image/artifact is available and tagged +- [ ] Database migrations are backward-compatible (no destructive changes) +- [ ] Feature flags can disable new features without deploy +- [ ] Monitoring alerts configured for error rate spikes +- [ ] Rollback tested in staging before production release + +## Production Readiness Checklist + +Before any production deployment: + +### Application +- [ ] All tests pass (unit, integration, E2E) +- [ ] No hardcoded secrets in code or config files +- [ ] Error handling covers all edge cases +- [ ] Logging is structured (JSON) and does not contain PII +- [ ] Health check endpoint returns meaningful status + +### Infrastructure +- [ ] Docker image builds reproducibly (pinned versions) +- [ ] Environment variables documented and validated at startup +- [ ] Resource limits set (CPU, memory) +- [ ] Horizontal scaling configured (min/max instances) +- [ ] SSL/TLS enabled on all endpoints + +### Monitoring +- [ ] Application metrics exported (request rate, latency, errors) +- [ ] Alerts configured for error rate > threshold +- [ ] Log aggregation set up (structured logs, searchable) +- [ ] Uptime monitoring on health endpoint + +### Security +- [ ] Dependencies scanned for CVEs +- [ ] CORS configured for allowed origins only +- [ ] Rate limiting enabled on public endpoints +- [ ] Authentication and authorization verified +- [ ] Security headers set (CSP, HSTS, X-Frame-Options) + +### Operations +- [ ] Rollback plan documented and tested +- [ ] Database migration tested against production-sized data +- [ ] Runbook for common failure scenarios +- [ ] On-call rotation and escalation path defined diff --git a/plugins/node/template/addons/cursor/.cursor/skills/docker-patterns/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/docker-patterns/skill.md new file mode 100644 index 0000000..c438c4a --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/docker-patterns/skill.md @@ -0,0 +1,364 @@ +--- +name: docker-patterns +description: Docker and Docker Compose patterns for local development, container security, networking, volume strategies, and multi-service orchestration. +origin: ECC +--- + +# Docker Patterns + +Docker and Docker Compose best practices for containerized development. + +## When to Activate + +- Setting up Docker Compose for local development +- Designing multi-container architectures +- Troubleshooting container networking or volume issues +- Reviewing Dockerfiles for security and size +- Migrating from local dev to containerized workflow + +## Docker Compose for Local Development + +### Standard Web App Stack + +```yaml +# docker-compose.yml +services: + app: + build: + context: . + target: dev # Use dev stage of multi-stage Dockerfile + ports: + - "3000:3000" + volumes: + - .:/app # Bind mount for hot reload + - /app/node_modules # Anonymous volume -- preserves container deps + environment: + - DATABASE_URL=postgres://postgres:postgres@db:5432/app_dev + - REDIS_URL=redis://redis:6379/0 + - NODE_ENV=development + depends_on: + db: + condition: service_healthy + redis: + condition: service_started + command: npm run dev + + db: + image: postgres:16-alpine + ports: + - "5432:5432" + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + POSTGRES_DB: app_dev + volumes: + - pgdata:/var/lib/postgresql/data + - ./scripts/init-db.sql:/docker-entrypoint-initdb.d/init.sql + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres"] + interval: 5s + timeout: 3s + retries: 5 + + redis: + image: redis:7-alpine + ports: + - "6379:6379" + volumes: + - redisdata:/data + + mailpit: # Local email testing + image: axllent/mailpit + ports: + - "8025:8025" # Web UI + - "1025:1025" # SMTP + +volumes: + pgdata: + redisdata: +``` + +### Development vs Production Dockerfile + +```dockerfile +# Stage: dependencies +FROM node:22-alpine AS deps +WORKDIR /app +COPY package.json package-lock.json ./ +RUN npm ci + +# Stage: dev (hot reload, debug tools) +FROM node:22-alpine AS dev +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +EXPOSE 3000 +CMD ["npm", "run", "dev"] + +# Stage: build +FROM node:22-alpine AS build +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +RUN npm run build && npm prune --production + +# Stage: production (minimal image) +FROM node:22-alpine AS production +WORKDIR /app +RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 +USER appuser +COPY --from=build --chown=appuser:appgroup /app/dist ./dist +COPY --from=build --chown=appuser:appgroup /app/node_modules ./node_modules +COPY --from=build --chown=appuser:appgroup /app/package.json ./ +ENV NODE_ENV=production +EXPOSE 3000 +HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:3000/health || exit 1 +CMD ["node", "dist/server.js"] +``` + +### Override Files + +```yaml +# docker-compose.override.yml (auto-loaded, dev-only settings) +services: + app: + environment: + - DEBUG=app:* + - LOG_LEVEL=debug + ports: + - "9229:9229" # Node.js debugger + +# docker-compose.prod.yml (explicit for production) +services: + app: + build: + target: production + restart: always + deploy: + resources: + limits: + cpus: "1.0" + memory: 512M +``` + +```bash +# Development (auto-loads override) +docker compose up + +# Production +docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d +``` + +## Networking + +### Service Discovery + +Services in the same Compose network resolve by service name: +``` +# From "app" container: +postgres://postgres:postgres@db:5432/app_dev # "db" resolves to the db container +redis://redis:6379/0 # "redis" resolves to the redis container +``` + +### Custom Networks + +```yaml +services: + frontend: + networks: + - frontend-net + + api: + networks: + - frontend-net + - backend-net + + db: + networks: + - backend-net # Only reachable from api, not frontend + +networks: + frontend-net: + backend-net: +``` + +### Exposing Only What's Needed + +```yaml +services: + db: + ports: + - "127.0.0.1:5432:5432" # Only accessible from host, not network + # Omit ports entirely in production -- accessible only within Docker network +``` + +## Volume Strategies + +```yaml +volumes: + # Named volume: persists across container restarts, managed by Docker + pgdata: + + # Bind mount: maps host directory into container (for development) + # - ./src:/app/src + + # Anonymous volume: preserves container-generated content from bind mount override + # - /app/node_modules +``` + +### Common Patterns + +```yaml +services: + app: + volumes: + - .:/app # Source code (bind mount for hot reload) + - /app/node_modules # Protect container's node_modules from host + - /app/.next # Protect build cache + + db: + volumes: + - pgdata:/var/lib/postgresql/data # Persistent data + - ./scripts/init.sql:/docker-entrypoint-initdb.d/init.sql # Init scripts +``` + +## Container Security + +### Dockerfile Hardening + +```dockerfile +# 1. Use specific tags (never :latest) +FROM node:22.12-alpine3.20 + +# 2. Run as non-root +RUN addgroup -g 1001 -S app && adduser -S app -u 1001 +USER app + +# 3. Drop capabilities (in compose) +# 4. Read-only root filesystem where possible +# 5. No secrets in image layers +``` + +### Compose Security + +```yaml +services: + app: + security_opt: + - no-new-privileges:true + read_only: true + tmpfs: + - /tmp + - /app/.cache + cap_drop: + - ALL + cap_add: + - NET_BIND_SERVICE # Only if binding to ports < 1024 +``` + +### Secret Management + +```yaml +# GOOD: Use environment variables (injected at runtime) +services: + app: + env_file: + - .env # Never commit .env to git + environment: + - API_KEY # Inherits from host environment + +# GOOD: Docker secrets (Swarm mode) +secrets: + db_password: + file: ./secrets/db_password.txt + +services: + db: + secrets: + - db_password + +# BAD: Hardcoded in image +# ENV API_KEY=sk-proj-xxxxx # NEVER DO THIS +``` + +## .dockerignore + +``` +node_modules +.git +.env +.env.* +dist +coverage +*.log +.next +.cache +docker-compose*.yml +Dockerfile* +README.md +tests/ +``` + +## Debugging + +### Common Commands + +```bash +# View logs +docker compose logs -f app # Follow app logs +docker compose logs --tail=50 db # Last 50 lines from db + +# Execute commands in running container +docker compose exec app sh # Shell into app +docker compose exec db psql -U postgres # Connect to postgres + +# Inspect +docker compose ps # Running services +docker compose top # Processes in each container +docker stats # Resource usage + +# Rebuild +docker compose up --build # Rebuild images +docker compose build --no-cache app # Force full rebuild + +# Clean up +docker compose down # Stop and remove containers +docker compose down -v # Also remove volumes (DESTRUCTIVE) +docker system prune # Remove unused images/containers +``` + +### Debugging Network Issues + +```bash +# Check DNS resolution inside container +docker compose exec app nslookup db + +# Check connectivity +docker compose exec app wget -qO- http://api:3000/health + +# Inspect network +docker network ls +docker network inspect _default +``` + +## Anti-Patterns + +``` +# BAD: Using docker compose in production without orchestration +# Use Kubernetes, ECS, or Docker Swarm for production multi-container workloads + +# BAD: Storing data in containers without volumes +# Containers are ephemeral -- all data lost on restart without volumes + +# BAD: Running as root +# Always create and use a non-root user + +# BAD: Using :latest tag +# Pin to specific versions for reproducible builds + +# BAD: One giant container with all services +# Separate concerns: one process per container + +# BAD: Putting secrets in docker-compose.yml +# Use .env files (gitignored) or Docker secrets +``` diff --git a/plugins/node/template/addons/cursor/.cursor/skills/security-review/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/security-review/skill.md new file mode 100644 index 0000000..af848b9 --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/security-review/skill.md @@ -0,0 +1,495 @@ +--- +name: security-review +description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns. +origin: ECC +--- + +# Security Review Skill + +This skill ensures all code follows security best practices and identifies potential vulnerabilities. + +## When to Activate + +- Implementing authentication or authorization +- Handling user input or file uploads +- Creating new API endpoints +- Working with secrets or credentials +- Implementing payment features +- Storing or transmitting sensitive data +- Integrating third-party APIs + +## Security Checklist + +### 1. Secrets Management + +#### FAIL: NEVER Do This +```typescript +const apiKey = "sk-proj-xxxxx" // Hardcoded secret +const dbPassword = "password123" // In source code +``` + +#### PASS: ALWAYS Do This +```typescript +const apiKey = process.env.OPENAI_API_KEY +const dbUrl = process.env.DATABASE_URL + +// Verify secrets exist +if (!apiKey) { + throw new Error('OPENAI_API_KEY not configured') +} +``` + +#### Verification Steps +- [ ] No hardcoded API keys, tokens, or passwords +- [ ] All secrets in environment variables +- [ ] `.env.local` in .gitignore +- [ ] No secrets in git history +- [ ] Production secrets in hosting platform (Vercel, Railway) + +### 2. Input Validation + +#### Always Validate User Input +```typescript +import { z } from 'zod' + +// Define validation schema +const CreateUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), + age: z.number().int().min(0).max(150) +}) + +// Validate before processing +export async function createUser(input: unknown) { + try { + const validated = CreateUserSchema.parse(input) + return await db.users.create(validated) + } catch (error) { + if (error instanceof z.ZodError) { + return { success: false, errors: error.errors } + } + throw error + } +} +``` + +#### File Upload Validation +```typescript +function validateFileUpload(file: File) { + // Size check (5MB max) + const maxSize = 5 * 1024 * 1024 + if (file.size > maxSize) { + throw new Error('File too large (max 5MB)') + } + + // Type check + const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'] + if (!allowedTypes.includes(file.type)) { + throw new Error('Invalid file type') + } + + // Extension check + const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'] + const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0] + if (!extension || !allowedExtensions.includes(extension)) { + throw new Error('Invalid file extension') + } + + return true +} +``` + +#### Verification Steps +- [ ] All user inputs validated with schemas +- [ ] File uploads restricted (size, type, extension) +- [ ] No direct use of user input in queries +- [ ] Whitelist validation (not blacklist) +- [ ] Error messages don't leak sensitive info + +### 3. SQL Injection Prevention + +#### FAIL: NEVER Concatenate SQL +```typescript +// DANGEROUS - SQL Injection vulnerability +const query = `SELECT * FROM users WHERE email = '${userEmail}'` +await db.query(query) +``` + +#### PASS: ALWAYS Use Parameterized Queries +```typescript +// Safe - parameterized query +const { data } = await supabase + .from('users') + .select('*') + .eq('email', userEmail) + +// Or with raw SQL +await db.query( + 'SELECT * FROM users WHERE email = $1', + [userEmail] +) +``` + +#### Verification Steps +- [ ] All database queries use parameterized queries +- [ ] No string concatenation in SQL +- [ ] ORM/query builder used correctly +- [ ] Supabase queries properly sanitized + +### 4. Authentication & Authorization + +#### JWT Token Handling +```typescript +// FAIL: WRONG: localStorage (vulnerable to XSS) +localStorage.setItem('token', token) + +// PASS: CORRECT: httpOnly cookies +res.setHeader('Set-Cookie', + `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`) +``` + +#### Authorization Checks +```typescript +export async function deleteUser(userId: string, requesterId: string) { + // ALWAYS verify authorization first + const requester = await db.users.findUnique({ + where: { id: requesterId } + }) + + if (requester.role !== 'admin') { + return NextResponse.json( + { error: 'Unauthorized' }, + { status: 403 } + ) + } + + // Proceed with deletion + await db.users.delete({ where: { id: userId } }) +} +``` + +#### Row Level Security (Supabase) +```sql +-- Enable RLS on all tables +ALTER TABLE users ENABLE ROW LEVEL SECURITY; + +-- Users can only view their own data +CREATE POLICY "Users view own data" + ON users FOR SELECT + USING (auth.uid() = id); + +-- Users can only update their own data +CREATE POLICY "Users update own data" + ON users FOR UPDATE + USING (auth.uid() = id); +``` + +#### Verification Steps +- [ ] Tokens stored in httpOnly cookies (not localStorage) +- [ ] Authorization checks before sensitive operations +- [ ] Row Level Security enabled in Supabase +- [ ] Role-based access control implemented +- [ ] Session management secure + +### 5. XSS Prevention + +#### Sanitize HTML +```typescript +import DOMPurify from 'isomorphic-dompurify' + +// ALWAYS sanitize user-provided HTML +function renderUserContent(html: string) { + const clean = DOMPurify.sanitize(html, { + ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'], + ALLOWED_ATTR: [] + }) + return
+} +``` + +#### Content Security Policy +```typescript +// next.config.js +const securityHeaders = [ + { + key: 'Content-Security-Policy', + value: ` + default-src 'self'; + script-src 'self' 'unsafe-eval' 'unsafe-inline'; + style-src 'self' 'unsafe-inline'; + img-src 'self' data: https:; + font-src 'self'; + connect-src 'self' https://api.example.com; + `.replace(/\s{2,}/g, ' ').trim() + } +] +``` + +#### Verification Steps +- [ ] User-provided HTML sanitized +- [ ] CSP headers configured +- [ ] No unvalidated dynamic content rendering +- [ ] React's built-in XSS protection used + +### 6. CSRF Protection + +#### CSRF Tokens +```typescript +import { csrf } from '@/lib/csrf' + +export async function POST(request: Request) { + const token = request.headers.get('X-CSRF-Token') + + if (!csrf.verify(token)) { + return NextResponse.json( + { error: 'Invalid CSRF token' }, + { status: 403 } + ) + } + + // Process request +} +``` + +#### SameSite Cookies +```typescript +res.setHeader('Set-Cookie', + `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`) +``` + +#### Verification Steps +- [ ] CSRF tokens on state-changing operations +- [ ] SameSite=Strict on all cookies +- [ ] Double-submit cookie pattern implemented + +### 7. Rate Limiting + +#### API Rate Limiting +```typescript +import rateLimit from 'express-rate-limit' + +const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // 100 requests per window + message: 'Too many requests' +}) + +// Apply to routes +app.use('/api/', limiter) +``` + +#### Expensive Operations +```typescript +// Aggressive rate limiting for searches +const searchLimiter = rateLimit({ + windowMs: 60 * 1000, // 1 minute + max: 10, // 10 requests per minute + message: 'Too many search requests' +}) + +app.use('/api/search', searchLimiter) +``` + +#### Verification Steps +- [ ] Rate limiting on all API endpoints +- [ ] Stricter limits on expensive operations +- [ ] IP-based rate limiting +- [ ] User-based rate limiting (authenticated) + +### 8. Sensitive Data Exposure + +#### Logging +```typescript +// FAIL: WRONG: Logging sensitive data +console.log('User login:', { email, password }) +console.log('Payment:', { cardNumber, cvv }) + +// PASS: CORRECT: Redact sensitive data +console.log('User login:', { email, userId }) +console.log('Payment:', { last4: card.last4, userId }) +``` + +#### Error Messages +```typescript +// FAIL: WRONG: Exposing internal details +catch (error) { + return NextResponse.json( + { error: error.message, stack: error.stack }, + { status: 500 } + ) +} + +// PASS: CORRECT: Generic error messages +catch (error) { + console.error('Internal error:', error) + return NextResponse.json( + { error: 'An error occurred. Please try again.' }, + { status: 500 } + ) +} +``` + +#### Verification Steps +- [ ] No passwords, tokens, or secrets in logs +- [ ] Error messages generic for users +- [ ] Detailed errors only in server logs +- [ ] No stack traces exposed to users + +### 9. Blockchain Security (Solana) + +#### Wallet Verification +```typescript +import { verify } from '@solana/web3.js' + +async function verifyWalletOwnership( + publicKey: string, + signature: string, + message: string +) { + try { + const isValid = verify( + Buffer.from(message), + Buffer.from(signature, 'base64'), + Buffer.from(publicKey, 'base64') + ) + return isValid + } catch (error) { + return false + } +} +``` + +#### Transaction Verification +```typescript +async function verifyTransaction(transaction: Transaction) { + // Verify recipient + if (transaction.to !== expectedRecipient) { + throw new Error('Invalid recipient') + } + + // Verify amount + if (transaction.amount > maxAmount) { + throw new Error('Amount exceeds limit') + } + + // Verify user has sufficient balance + const balance = await getBalance(transaction.from) + if (balance < transaction.amount) { + throw new Error('Insufficient balance') + } + + return true +} +``` + +#### Verification Steps +- [ ] Wallet signatures verified +- [ ] Transaction details validated +- [ ] Balance checks before transactions +- [ ] No blind transaction signing + +### 10. Dependency Security + +#### Regular Updates +```bash +# Check for vulnerabilities +npm audit + +# Fix automatically fixable issues +npm audit fix + +# Update dependencies +npm update + +# Check for outdated packages +npm outdated +``` + +#### Lock Files +```bash +# ALWAYS commit lock files +git add package-lock.json + +# Use in CI/CD for reproducible builds +npm ci # Instead of npm install +``` + +#### Verification Steps +- [ ] Dependencies up to date +- [ ] No known vulnerabilities (npm audit clean) +- [ ] Lock files committed +- [ ] Dependabot enabled on GitHub +- [ ] Regular security updates + +## Security Testing + +### Automated Security Tests +```typescript +// Test authentication +test('requires authentication', async () => { + const response = await fetch('/api/protected') + expect(response.status).toBe(401) +}) + +// Test authorization +test('requires admin role', async () => { + const response = await fetch('/api/admin', { + headers: { Authorization: `Bearer ${userToken}` } + }) + expect(response.status).toBe(403) +}) + +// Test input validation +test('rejects invalid input', async () => { + const response = await fetch('/api/users', { + method: 'POST', + body: JSON.stringify({ email: 'not-an-email' }) + }) + expect(response.status).toBe(400) +}) + +// Test rate limiting +test('enforces rate limits', async () => { + const requests = Array(101).fill(null).map(() => + fetch('/api/endpoint') + ) + + const responses = await Promise.all(requests) + const tooManyRequests = responses.filter(r => r.status === 429) + + expect(tooManyRequests.length).toBeGreaterThan(0) +}) +``` + +## Pre-Deployment Security Checklist + +Before ANY production deployment: + +- [ ] **Secrets**: No hardcoded secrets, all in env vars +- [ ] **Input Validation**: All user inputs validated +- [ ] **SQL Injection**: All queries parameterized +- [ ] **XSS**: User content sanitized +- [ ] **CSRF**: Protection enabled +- [ ] **Authentication**: Proper token handling +- [ ] **Authorization**: Role checks in place +- [ ] **Rate Limiting**: Enabled on all endpoints +- [ ] **HTTPS**: Enforced in production +- [ ] **Security Headers**: CSP, X-Frame-Options configured +- [ ] **Error Handling**: No sensitive data in errors +- [ ] **Logging**: No sensitive data logged +- [ ] **Dependencies**: Up to date, no vulnerabilities +- [ ] **Row Level Security**: Enabled in Supabase +- [ ] **CORS**: Properly configured +- [ ] **File Uploads**: Validated (size, type) +- [ ] **Wallet Signatures**: Verified (if blockchain) + +## Resources + +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Next.js Security](https://nextjs.org/docs/security) +- [Supabase Security](https://supabase.com/docs/guides/auth) +- [Web Security Academy](https://portswigger.net/web-security) + +--- + +**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution. diff --git a/plugins/node/template/addons/cursor/.cursor/skills/tdd-workflow/skill.md b/plugins/node/template/addons/cursor/.cursor/skills/tdd-workflow/skill.md new file mode 100644 index 0000000..76aaaa1 --- /dev/null +++ b/plugins/node/template/addons/cursor/.cursor/skills/tdd-workflow/skill.md @@ -0,0 +1,463 @@ +--- +name: tdd-workflow +description: Use this skill when writing new features, fixing bugs, or refactoring code. Enforces test-driven development with 80%+ coverage including unit, integration, and E2E tests. +origin: ECC +--- + +# Test-Driven Development Workflow + +This skill ensures all code development follows TDD principles with comprehensive test coverage. + +## When to Activate + +- Writing new features or functionality +- Fixing bugs or issues +- Refactoring existing code +- Adding API endpoints +- Creating new components + +## Core Principles + +### 1. Tests BEFORE Code +ALWAYS write tests first, then implement code to make tests pass. + +### 2. Coverage Requirements +- Minimum 80% coverage (unit + integration + E2E) +- All edge cases covered +- Error scenarios tested +- Boundary conditions verified + +### 3. Test Types + +#### Unit Tests +- Individual functions and utilities +- Component logic +- Pure functions +- Helpers and utilities + +#### Integration Tests +- API endpoints +- Database operations +- Service interactions +- External API calls + +#### E2E Tests (Playwright) +- Critical user flows +- Complete workflows +- Browser automation +- UI interactions + +### 4. Git Checkpoints +- If the repository is under Git, create a checkpoint commit after each TDD stage +- Do not squash or rewrite these checkpoint commits until the workflow is complete +- Each checkpoint commit message must describe the stage and the exact evidence captured +- Count only commits created on the current active branch for the current task +- Do not treat commits from other branches, earlier unrelated work, or distant branch history as valid checkpoint evidence +- Before treating a checkpoint as satisfied, verify that the commit is reachable from the current `HEAD` on the active branch and belongs to the current task sequence +- The preferred compact workflow is: + - one commit for failing test added and RED validated + - one commit for minimal fix applied and GREEN validated + - one optional commit for refactor complete +- Separate evidence-only commits are not required if the test commit clearly corresponds to RED and the fix commit clearly corresponds to GREEN + +## TDD Workflow Steps + +### Step 1: Write User Journeys +``` +As a [role], I want to [action], so that [benefit] + +Example: +As a user, I want to search for markets semantically, +so that I can find relevant markets even without exact keywords. +``` + +### Step 2: Generate Test Cases +For each user journey, create comprehensive test cases: + +```typescript +describe('Semantic Search', () => { + it('returns relevant markets for query', async () => { + // Test implementation + }) + + it('handles empty query gracefully', async () => { + // Test edge case + }) + + it('falls back to substring search when Redis unavailable', async () => { + // Test fallback behavior + }) + + it('sorts results by similarity score', async () => { + // Test sorting logic + }) +}) +``` + +### Step 3: Run Tests (They Should Fail) +```bash +npm test +# Tests should fail - we haven't implemented yet +``` + +This step is mandatory and is the RED gate for all production changes. + +Before modifying business logic or other production code, you must verify a valid RED state via one of these paths: +- Runtime RED: + - The relevant test target compiles successfully + - The new or changed test is actually executed + - The result is RED +- Compile-time RED: + - The new test newly instantiates, references, or exercises the buggy code path + - The compile failure is itself the intended RED signal +- In either case, the failure is caused by the intended business-logic bug, undefined behavior, or missing implementation +- The failure is not caused only by unrelated syntax errors, broken test setup, missing dependencies, or unrelated regressions + +A test that was only written but not compiled and executed does not count as RED. + +Do not edit production code until this RED state is confirmed. + +If the repository is under Git, create a checkpoint commit immediately after this stage is validated. +Recommended commit message format: +- `test: add reproducer for ` +- This commit may also serve as the RED validation checkpoint if the reproducer was compiled and executed and failed for the intended reason +- Verify that this checkpoint commit is on the current active branch before continuing + +### Step 4: Implement Code +Write minimal code to make tests pass: + +```typescript +// Implementation guided by tests +export async function searchMarkets(query: string) { + // Implementation here +} +``` + +If the repository is under Git, stage the minimal fix now but defer the checkpoint commit until GREEN is validated in Step 5. + +### Step 5: Run Tests Again +```bash +npm test +# Tests should now pass +``` + +Rerun the same relevant test target after the fix and confirm the previously failing test is now GREEN. + +Only after a valid GREEN result may you proceed to refactor. + +If the repository is under Git, create a checkpoint commit immediately after GREEN is validated. +Recommended commit message format: +- `fix: ` +- The fix commit may also serve as the GREEN validation checkpoint if the same relevant test target was rerun and passed +- Verify that this checkpoint commit is on the current active branch before continuing + +### Step 6: Refactor +Improve code quality while keeping tests green: +- Remove duplication +- Improve naming +- Optimize performance +- Enhance readability + +If the repository is under Git, create a checkpoint commit immediately after refactoring is complete and tests remain green. +Recommended commit message format: +- `refactor: clean up after implementation` +- Verify that this checkpoint commit is on the current active branch before considering the TDD cycle complete + +### Step 7: Verify Coverage +```bash +npm run test:coverage +# Verify 80%+ coverage achieved +``` + +## Testing Patterns + +### Unit Test Pattern (Jest/Vitest) +```typescript +import { render, screen, fireEvent } from '@testing-library/react' +import { Button } from './Button' + +describe('Button Component', () => { + it('renders with correct text', () => { + render() + expect(screen.getByText('Click me')).toBeInTheDocument() + }) + + it('calls onClick when clicked', () => { + const handleClick = jest.fn() + render() + + fireEvent.click(screen.getByRole('button')) + + expect(handleClick).toHaveBeenCalledTimes(1) + }) + + it('is disabled when disabled prop is true', () => { + render() + expect(screen.getByRole('button')).toBeDisabled() + }) +}) +``` + +### API Integration Test Pattern +```typescript +import { NextRequest } from 'next/server' +import { GET } from './route' + +describe('GET /api/markets', () => { + it('returns markets successfully', async () => { + const request = new NextRequest('http://localhost/api/markets') + const response = await GET(request) + const data = await response.json() + + expect(response.status).toBe(200) + expect(data.success).toBe(true) + expect(Array.isArray(data.data)).toBe(true) + }) + + it('validates query parameters', async () => { + const request = new NextRequest('http://localhost/api/markets?limit=invalid') + const response = await GET(request) + + expect(response.status).toBe(400) + }) + + it('handles database errors gracefully', async () => { + // Mock database failure + const request = new NextRequest('http://localhost/api/markets') + // Test error handling + }) +}) +``` + +### E2E Test Pattern (Playwright) +```typescript +import { test, expect } from '@playwright/test' + +test('user can search and filter markets', async ({ page }) => { + // Navigate to markets page + await page.goto('/') + await page.click('a[href="/markets"]') + + // Verify page loaded + await expect(page.locator('h1')).toContainText('Markets') + + // Search for markets + await page.fill('input[placeholder="Search markets"]', 'election') + + // Wait for debounce and results + await page.waitForTimeout(600) + + // Verify search results displayed + const results = page.locator('[data-testid="market-card"]') + await expect(results).toHaveCount(5, { timeout: 5000 }) + + // Verify results contain search term + const firstResult = results.first() + await expect(firstResult).toContainText('election', { ignoreCase: true }) + + // Filter by status + await page.click('button:has-text("Active")') + + // Verify filtered results + await expect(results).toHaveCount(3) +}) + +test('user can create a new market', async ({ page }) => { + // Login first + await page.goto('/creator-dashboard') + + // Fill market creation form + await page.fill('input[name="name"]', 'Test Market') + await page.fill('textarea[name="description"]', 'Test description') + await page.fill('input[name="endDate"]', '2025-12-31') + + // Submit form + await page.click('button[type="submit"]') + + // Verify success message + await expect(page.locator('text=Market created successfully')).toBeVisible() + + // Verify redirect to market page + await expect(page).toHaveURL(/\/markets\/test-market/) +}) +``` + +## Test File Organization + +``` +src/ +├── components/ +│ ├── Button/ +│ │ ├── Button.tsx +│ │ ├── Button.test.tsx # Unit tests +│ │ └── Button.stories.tsx # Storybook +│ └── MarketCard/ +│ ├── MarketCard.tsx +│ └── MarketCard.test.tsx +├── app/ +│ └── api/ +│ └── markets/ +│ ├── route.ts +│ └── route.test.ts # Integration tests +└── e2e/ + ├── markets.spec.ts # E2E tests + ├── trading.spec.ts + └── auth.spec.ts +``` + +## Mocking External Services + +### Supabase Mock +```typescript +jest.mock('@/lib/supabase', () => ({ + supabase: { + from: jest.fn(() => ({ + select: jest.fn(() => ({ + eq: jest.fn(() => Promise.resolve({ + data: [{ id: 1, name: 'Test Market' }], + error: null + })) + })) + })) + } +})) +``` + +### Redis Mock +```typescript +jest.mock('@/lib/redis', () => ({ + searchMarketsByVector: jest.fn(() => Promise.resolve([ + { slug: 'test-market', similarity_score: 0.95 } + ])), + checkRedisHealth: jest.fn(() => Promise.resolve({ connected: true })) +})) +``` + +### OpenAI Mock +```typescript +jest.mock('@/lib/openai', () => ({ + generateEmbedding: jest.fn(() => Promise.resolve( + new Array(1536).fill(0.1) // Mock 1536-dim embedding + )) +})) +``` + +## Test Coverage Verification + +### Run Coverage Report +```bash +npm run test:coverage +``` + +### Coverage Thresholds +```json +{ + "jest": { + "coverageThresholds": { + "global": { + "branches": 80, + "functions": 80, + "lines": 80, + "statements": 80 + } + } + } +} +``` + +## Common Testing Mistakes to Avoid + +### FAIL: WRONG: Testing Implementation Details +```typescript +// Don't test internal state +expect(component.state.count).toBe(5) +``` + +### PASS: CORRECT: Test User-Visible Behavior +```typescript +// Test what users see +expect(screen.getByText('Count: 5')).toBeInTheDocument() +``` + +### FAIL: WRONG: Brittle Selectors +```typescript +// Breaks easily +await page.click('.css-class-xyz') +``` + +### PASS: CORRECT: Semantic Selectors +```typescript +// Resilient to changes +await page.click('button:has-text("Submit")') +await page.click('[data-testid="submit-button"]') +``` + +### FAIL: WRONG: No Test Isolation +```typescript +// Tests depend on each other +test('creates user', () => { /* ... */ }) +test('updates same user', () => { /* depends on previous test */ }) +``` + +### PASS: CORRECT: Independent Tests +```typescript +// Each test sets up its own data +test('creates user', () => { + const user = createTestUser() + // Test logic +}) + +test('updates user', () => { + const user = createTestUser() + // Update logic +}) +``` + +## Continuous Testing + +### Watch Mode During Development +```bash +npm test -- --watch +# Tests run automatically on file changes +``` + +### Pre-Commit Hook +```bash +# Runs before every commit +npm test && npm run lint +``` + +### CI/CD Integration +```yaml +# GitHub Actions +- name: Run Tests + run: npm test -- --coverage +- name: Upload Coverage + uses: codecov/codecov-action@v3 +``` + +## Best Practices + +1. **Write Tests First** - Always TDD +2. **One Assert Per Test** - Focus on single behavior +3. **Descriptive Test Names** - Explain what's tested +4. **Arrange-Act-Assert** - Clear test structure +5. **Mock External Dependencies** - Isolate unit tests +6. **Test Edge Cases** - Null, undefined, empty, large +7. **Test Error Paths** - Not just happy paths +8. **Keep Tests Fast** - Unit tests < 50ms each +9. **Clean Up After Tests** - No side effects +10. **Review Coverage Reports** - Identify gaps + +## Success Metrics + +- 80%+ code coverage achieved +- All tests passing (green) +- No skipped or disabled tests +- Fast test execution (< 30s for unit tests) +- E2E tests cover critical user flows +- Tests catch bugs before production + +--- + +**Remember**: Tests are not optional. They are the safety net that enables confident refactoring, rapid development, and production reliability. diff --git a/plugins/python/config.ts b/plugins/python/config.ts index ac04c29..7aa3725 100644 --- a/plugins/python/config.ts +++ b/plugins/python/config.ts @@ -4,5 +4,5 @@ import { PluginConfig } from "../../types"; export const pythonConfig: PluginConfig = { name: "python-fastapi", description: "Python FastAPI backend with full production features", - addons: ["docker", "testing", "ci"] + addons: ["docker", "testing", "ci", "claude-code", "cursor"] } diff --git a/plugins/python/index.ts b/plugins/python/index.ts index 959aba9..f6c81e7 100644 --- a/plugins/python/index.ts +++ b/plugins/python/index.ts @@ -55,6 +55,16 @@ export class PythonPlugin extends BasePlugin { path: path.join(addonsPath, "ci"), label: "GitHub Actions CI", }, + { + condition: !!options.claudeCode, + path: path.join(addonsPath, "claude-code"), + label: "Claude Code setup", + }, + { + condition: !!options.cursor, + path: path.join(addonsPath, "cursor"), + label: "Cursor agent setup", + }, ]; } @@ -90,6 +100,15 @@ export class PythonPlugin extends BasePlugin { } console.log(` uvicorn main:app --reload`); } + if (options.claudeCode) { + console.log(""); + console.log(" Claude Code — open this project in Claude Code to use pre-configured skills"); + console.log(" Skills: /python-patterns /python-testing /backend-patterns and more"); + } + if (options.cursor) { + console.log(""); + console.log(" Cursor — .cursor/skills/ ready, open project in Cursor to use agent skills"); + } console.log(""); } } diff --git a/plugins/python/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md new file mode 100644 index 0000000..30898b4 --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/backend-patterns/SKILL.md @@ -0,0 +1,598 @@ +--- +name: backend-patterns +description: Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes. +origin: ECC +--- + +# Backend Development Patterns + +Backend architecture patterns and best practices for scalable server-side applications. + +## When to Activate + +- Designing REST or GraphQL API endpoints +- Implementing repository, service, or controller layers +- Optimizing database queries (N+1, indexing, connection pooling) +- Adding caching (Redis, in-memory, HTTP cache headers) +- Setting up background jobs or async processing +- Structuring error handling and validation for APIs +- Building middleware (auth, logging, rate limiting) + +## API Design Patterns + +### RESTful API Structure + +```typescript +// PASS: Resource-based URLs +GET /api/markets # List resources +GET /api/markets/:id # Get single resource +POST /api/markets # Create resource +PUT /api/markets/:id # Replace resource +PATCH /api/markets/:id # Update resource +DELETE /api/markets/:id # Delete resource + +// PASS: Query parameters for filtering, sorting, pagination +GET /api/markets?status=active&sort=volume&limit=20&offset=0 +``` + +### Repository Pattern + +```typescript +// Abstract data access logic +interface MarketRepository { + findAll(filters?: MarketFilters): Promise + findById(id: string): Promise + create(data: CreateMarketDto): Promise + update(id: string, data: UpdateMarketDto): Promise + delete(id: string): Promise +} + +class SupabaseMarketRepository implements MarketRepository { + async findAll(filters?: MarketFilters): Promise { + let query = supabase.from('markets').select('*') + + if (filters?.status) { + query = query.eq('status', filters.status) + } + + if (filters?.limit) { + query = query.limit(filters.limit) + } + + const { data, error } = await query + + if (error) throw new Error(error.message) + return data + } + + // Other methods... +} +``` + +### Service Layer Pattern + +```typescript +// Business logic separated from data access +class MarketService { + constructor(private marketRepo: MarketRepository) {} + + async searchMarkets(query: string, limit: number = 10): Promise { + // Business logic + const embedding = await generateEmbedding(query) + const results = await this.vectorSearch(embedding, limit) + + // Fetch full data + const markets = await this.marketRepo.findByIds(results.map(r => r.id)) + + // Sort by similarity + return markets.sort((a, b) => { + const scoreA = results.find(r => r.id === a.id)?.score || 0 + const scoreB = results.find(r => r.id === b.id)?.score || 0 + return scoreA - scoreB + }) + } + + private async vectorSearch(embedding: number[], limit: number) { + // Vector search implementation + } +} +``` + +### Middleware Pattern + +```typescript +// Request/response processing pipeline +export function withAuth(handler: NextApiHandler): NextApiHandler { + return async (req, res) => { + const token = req.headers.authorization?.replace('Bearer ', '') + + if (!token) { + return res.status(401).json({ error: 'Unauthorized' }) + } + + try { + const user = await verifyToken(token) + req.user = user + return handler(req, res) + } catch (error) { + return res.status(401).json({ error: 'Invalid token' }) + } + } +} + +// Usage +export default withAuth(async (req, res) => { + // Handler has access to req.user +}) +``` + +## Database Patterns + +### Query Optimization + +```typescript +// PASS: GOOD: Select only needed columns +const { data } = await supabase + .from('markets') + .select('id, name, status, volume') + .eq('status', 'active') + .order('volume', { ascending: false }) + .limit(10) + +// FAIL: BAD: Select everything +const { data } = await supabase + .from('markets') + .select('*') +``` + +### N+1 Query Prevention + +```typescript +// FAIL: BAD: N+1 query problem +const markets = await getMarkets() +for (const market of markets) { + market.creator = await getUser(market.creator_id) // N queries +} + +// PASS: GOOD: Batch fetch +const markets = await getMarkets() +const creatorIds = markets.map(m => m.creator_id) +const creators = await getUsers(creatorIds) // 1 query +const creatorMap = new Map(creators.map(c => [c.id, c])) + +markets.forEach(market => { + market.creator = creatorMap.get(market.creator_id) +}) +``` + +### Transaction Pattern + +```typescript +async function createMarketWithPosition( + marketData: CreateMarketDto, + positionData: CreatePositionDto +) { + // Use Supabase transaction + const { data, error } = await supabase.rpc('create_market_with_position', { + market_data: marketData, + position_data: positionData + }) + + if (error) throw new Error('Transaction failed') + return data +} + +// SQL function in Supabase +CREATE OR REPLACE FUNCTION create_market_with_position( + market_data jsonb, + position_data jsonb +) +RETURNS jsonb +LANGUAGE plpgsql +AS $$ +BEGIN + -- Start transaction automatically + INSERT INTO markets VALUES (market_data); + INSERT INTO positions VALUES (position_data); + RETURN jsonb_build_object('success', true); +EXCEPTION + WHEN OTHERS THEN + -- Rollback happens automatically + RETURN jsonb_build_object('success', false, 'error', SQLERRM); +END; +$$; +``` + +## Caching Strategies + +### Redis Caching Layer + +```typescript +class CachedMarketRepository implements MarketRepository { + constructor( + private baseRepo: MarketRepository, + private redis: RedisClient + ) {} + + async findById(id: string): Promise { + // Check cache first + const cached = await this.redis.get(`market:${id}`) + + if (cached) { + return JSON.parse(cached) + } + + // Cache miss - fetch from database + const market = await this.baseRepo.findById(id) + + if (market) { + // Cache for 5 minutes + await this.redis.setex(`market:${id}`, 300, JSON.stringify(market)) + } + + return market + } + + async invalidateCache(id: string): Promise { + await this.redis.del(`market:${id}`) + } +} +``` + +### Cache-Aside Pattern + +```typescript +async function getMarketWithCache(id: string): Promise { + const cacheKey = `market:${id}` + + // Try cache + const cached = await redis.get(cacheKey) + if (cached) return JSON.parse(cached) + + // Cache miss - fetch from DB + const market = await db.markets.findUnique({ where: { id } }) + + if (!market) throw new Error('Market not found') + + // Update cache + await redis.setex(cacheKey, 300, JSON.stringify(market)) + + return market +} +``` + +## Error Handling Patterns + +### Centralized Error Handler + +```typescript +class ApiError extends Error { + constructor( + public statusCode: number, + public message: string, + public isOperational = true + ) { + super(message) + Object.setPrototypeOf(this, ApiError.prototype) + } +} + +export function errorHandler(error: unknown, req: Request): Response { + if (error instanceof ApiError) { + return NextResponse.json({ + success: false, + error: error.message + }, { status: error.statusCode }) + } + + if (error instanceof z.ZodError) { + return NextResponse.json({ + success: false, + error: 'Validation failed', + details: error.errors + }, { status: 400 }) + } + + // Log unexpected errors + console.error('Unexpected error:', error) + + return NextResponse.json({ + success: false, + error: 'Internal server error' + }, { status: 500 }) +} + +// Usage +export async function GET(request: Request) { + try { + const data = await fetchData() + return NextResponse.json({ success: true, data }) + } catch (error) { + return errorHandler(error, request) + } +} +``` + +### Retry with Exponential Backoff + +```typescript +async function fetchWithRetry( + fn: () => Promise, + maxRetries = 3 +): Promise { + let lastError: Error + + for (let i = 0; i < maxRetries; i++) { + try { + return await fn() + } catch (error) { + lastError = error as Error + + if (i < maxRetries - 1) { + // Exponential backoff: 1s, 2s, 4s + const delay = Math.pow(2, i) * 1000 + await new Promise(resolve => setTimeout(resolve, delay)) + } + } + } + + throw lastError! +} + +// Usage +const data = await fetchWithRetry(() => fetchFromAPI()) +``` + +## Authentication & Authorization + +### JWT Token Validation + +```typescript +import jwt from 'jsonwebtoken' + +interface JWTPayload { + userId: string + email: string + role: 'admin' | 'user' +} + +export function verifyToken(token: string): JWTPayload { + try { + const payload = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload + return payload + } catch (error) { + throw new ApiError(401, 'Invalid token') + } +} + +export async function requireAuth(request: Request) { + const token = request.headers.get('authorization')?.replace('Bearer ', '') + + if (!token) { + throw new ApiError(401, 'Missing authorization token') + } + + return verifyToken(token) +} + +// Usage in API route +export async function GET(request: Request) { + const user = await requireAuth(request) + + const data = await getDataForUser(user.userId) + + return NextResponse.json({ success: true, data }) +} +``` + +### Role-Based Access Control + +```typescript +type Permission = 'read' | 'write' | 'delete' | 'admin' + +interface User { + id: string + role: 'admin' | 'moderator' | 'user' +} + +const rolePermissions: Record = { + admin: ['read', 'write', 'delete', 'admin'], + moderator: ['read', 'write', 'delete'], + user: ['read', 'write'] +} + +export function hasPermission(user: User, permission: Permission): boolean { + return rolePermissions[user.role].includes(permission) +} + +export function requirePermission(permission: Permission) { + return (handler: (request: Request, user: User) => Promise) => { + return async (request: Request) => { + const user = await requireAuth(request) + + if (!hasPermission(user, permission)) { + throw new ApiError(403, 'Insufficient permissions') + } + + return handler(request, user) + } + } +} + +// Usage - HOF wraps the handler +export const DELETE = requirePermission('delete')( + async (request: Request, user: User) => { + // Handler receives authenticated user with verified permission + return new Response('Deleted', { status: 200 }) + } +) +``` + +## Rate Limiting + +### Simple In-Memory Rate Limiter + +```typescript +class RateLimiter { + private requests = new Map() + + async checkLimit( + identifier: string, + maxRequests: number, + windowMs: number + ): Promise { + const now = Date.now() + const requests = this.requests.get(identifier) || [] + + // Remove old requests outside window + const recentRequests = requests.filter(time => now - time < windowMs) + + if (recentRequests.length >= maxRequests) { + return false // Rate limit exceeded + } + + // Add current request + recentRequests.push(now) + this.requests.set(identifier, recentRequests) + + return true + } +} + +const limiter = new RateLimiter() + +export async function GET(request: Request) { + const ip = request.headers.get('x-forwarded-for') || 'unknown' + + const allowed = await limiter.checkLimit(ip, 100, 60000) // 100 req/min + + if (!allowed) { + return NextResponse.json({ + error: 'Rate limit exceeded' + }, { status: 429 }) + } + + // Continue with request +} +``` + +## Background Jobs & Queues + +### Simple Queue Pattern + +```typescript +class JobQueue { + private queue: T[] = [] + private processing = false + + async add(job: T): Promise { + this.queue.push(job) + + if (!this.processing) { + this.process() + } + } + + private async process(): Promise { + this.processing = true + + while (this.queue.length > 0) { + const job = this.queue.shift()! + + try { + await this.execute(job) + } catch (error) { + console.error('Job failed:', error) + } + } + + this.processing = false + } + + private async execute(job: T): Promise { + // Job execution logic + } +} + +// Usage for indexing markets +interface IndexJob { + marketId: string +} + +const indexQueue = new JobQueue() + +export async function POST(request: Request) { + const { marketId } = await request.json() + + // Add to queue instead of blocking + await indexQueue.add({ marketId }) + + return NextResponse.json({ success: true, message: 'Job queued' }) +} +``` + +## Logging & Monitoring + +### Structured Logging + +```typescript +interface LogContext { + userId?: string + requestId?: string + method?: string + path?: string + [key: string]: unknown +} + +class Logger { + log(level: 'info' | 'warn' | 'error', message: string, context?: LogContext) { + const entry = { + timestamp: new Date().toISOString(), + level, + message, + ...context + } + + console.log(JSON.stringify(entry)) + } + + info(message: string, context?: LogContext) { + this.log('info', message, context) + } + + warn(message: string, context?: LogContext) { + this.log('warn', message, context) + } + + error(message: string, error: Error, context?: LogContext) { + this.log('error', message, { + ...context, + error: error.message, + stack: error.stack + }) + } +} + +const logger = new Logger() + +// Usage +export async function GET(request: Request) { + const requestId = crypto.randomUUID() + + logger.info('Fetching markets', { + requestId, + method: 'GET', + path: '/api/markets' + }) + + try { + const markets = await fetchMarkets() + return NextResponse.json({ success: true, data: markets }) + } catch (error) { + logger.error('Failed to fetch markets', error as Error, { requestId }) + return NextResponse.json({ error: 'Internal error' }, { status: 500 }) + } +} +``` + +**Remember**: Backend patterns enable scalable, maintainable server-side applications. Choose patterns that fit your complexity level. diff --git a/plugins/python/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md new file mode 100644 index 0000000..b1562c2 --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/database-migrations/SKILL.md @@ -0,0 +1,429 @@ +--- +name: database-migrations +description: Database migration best practices for schema changes, data migrations, rollbacks, and zero-downtime deployments across PostgreSQL, MySQL, and common ORMs (Prisma, Drizzle, Kysely, Django, TypeORM, golang-migrate). +origin: ECC +--- + +# Database Migration Patterns + +Safe, reversible database schema changes for production systems. + +## When to Activate + +- Creating or altering database tables +- Adding/removing columns or indexes +- Running data migrations (backfill, transform) +- Planning zero-downtime schema changes +- Setting up migration tooling for a new project + +## Core Principles + +1. **Every change is a migration** — never alter production databases manually +2. **Migrations are forward-only in production** — rollbacks use new forward migrations +3. **Schema and data migrations are separate** — never mix DDL and DML in one migration +4. **Test migrations against production-sized data** — a migration that works on 100 rows may lock on 10M +5. **Migrations are immutable once deployed** — never edit a migration that has run in production + +## Migration Safety Checklist + +Before applying any migration: + +- [ ] Migration has both UP and DOWN (or is explicitly marked irreversible) +- [ ] No full table locks on large tables (use concurrent operations) +- [ ] New columns have defaults or are nullable (never add NOT NULL without default) +- [ ] Indexes created concurrently (not inline with CREATE TABLE for existing tables) +- [ ] Data backfill is a separate migration from schema change +- [ ] Tested against a copy of production data +- [ ] Rollback plan documented + +## PostgreSQL Patterns + +### Adding a Column Safely + +```sql +-- GOOD: Nullable column, no lock +ALTER TABLE users ADD COLUMN avatar_url TEXT; + +-- GOOD: Column with default (Postgres 11+ is instant, no rewrite) +ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT true; + +-- BAD: NOT NULL without default on existing table (requires full rewrite) +ALTER TABLE users ADD COLUMN role TEXT NOT NULL; +-- This locks the table and rewrites every row +``` + +### Adding an Index Without Downtime + +```sql +-- BAD: Blocks writes on large tables +CREATE INDEX idx_users_email ON users (email); + +-- GOOD: Non-blocking, allows concurrent writes +CREATE INDEX CONCURRENTLY idx_users_email ON users (email); + +-- Note: CONCURRENTLY cannot run inside a transaction block +-- Most migration tools need special handling for this +``` + +### Renaming a Column (Zero-Downtime) + +Never rename directly in production. Use the expand-contract pattern: + +```sql +-- Step 1: Add new column (migration 001) +ALTER TABLE users ADD COLUMN display_name TEXT; + +-- Step 2: Backfill data (migration 002, data migration) +UPDATE users SET display_name = username WHERE display_name IS NULL; + +-- Step 3: Update application code to read/write both columns +-- Deploy application changes + +-- Step 4: Stop writing to old column, drop it (migration 003) +ALTER TABLE users DROP COLUMN username; +``` + +### Removing a Column Safely + +```sql +-- Step 1: Remove all application references to the column +-- Step 2: Deploy application without the column reference +-- Step 3: Drop column in next migration +ALTER TABLE orders DROP COLUMN legacy_status; + +-- For Django: use SeparateDatabaseAndState to remove from model +-- without generating DROP COLUMN (then drop in next migration) +``` + +### Large Data Migrations + +```sql +-- BAD: Updates all rows in one transaction (locks table) +UPDATE users SET normalized_email = LOWER(email); + +-- GOOD: Batch update with progress +DO $$ +DECLARE + batch_size INT := 10000; + rows_updated INT; +BEGIN + LOOP + UPDATE users + SET normalized_email = LOWER(email) + WHERE id IN ( + SELECT id FROM users + WHERE normalized_email IS NULL + LIMIT batch_size + FOR UPDATE SKIP LOCKED + ); + GET DIAGNOSTICS rows_updated = ROW_COUNT; + RAISE NOTICE 'Updated % rows', rows_updated; + EXIT WHEN rows_updated = 0; + COMMIT; + END LOOP; +END $$; +``` + +## Prisma (TypeScript/Node.js) + +### Workflow + +```bash +# Create migration from schema changes +npx prisma migrate dev --name add_user_avatar + +# Apply pending migrations in production +npx prisma migrate deploy + +# Reset database (dev only) +npx prisma migrate reset + +# Generate client after schema changes +npx prisma generate +``` + +### Schema Example + +```prisma +model User { + id String @id @default(cuid()) + email String @unique + name String? + avatarUrl String? @map("avatar_url") + createdAt DateTime @default(now()) @map("created_at") + updatedAt DateTime @updatedAt @map("updated_at") + orders Order[] + + @@map("users") + @@index([email]) +} +``` + +### Custom SQL Migration + +For operations Prisma cannot express (concurrent indexes, data backfills): + +```bash +# Create empty migration, then edit the SQL manually +npx prisma migrate dev --create-only --name add_email_index +``` + +```sql +-- migrations/20240115_add_email_index/migration.sql +-- Prisma cannot generate CONCURRENTLY, so we write it manually +CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_users_email ON users (email); +``` + +## Drizzle (TypeScript/Node.js) + +### Workflow + +```bash +# Generate migration from schema changes +npx drizzle-kit generate + +# Apply migrations +npx drizzle-kit migrate + +# Push schema directly (dev only, no migration file) +npx drizzle-kit push +``` + +### Schema Example + +```typescript +import { pgTable, text, timestamp, uuid, boolean } from "drizzle-orm/pg-core"; + +export const users = pgTable("users", { + id: uuid("id").primaryKey().defaultRandom(), + email: text("email").notNull().unique(), + name: text("name"), + isActive: boolean("is_active").notNull().default(true), + createdAt: timestamp("created_at").notNull().defaultNow(), + updatedAt: timestamp("updated_at").notNull().defaultNow(), +}); +``` + +## Kysely (TypeScript/Node.js) + +### Workflow (kysely-ctl) + +```bash +# Initialize config file (kysely.config.ts) +kysely init + +# Create a new migration file +kysely migrate make add_user_avatar + +# Apply all pending migrations +kysely migrate latest + +# Rollback last migration +kysely migrate down + +# Show migration status +kysely migrate list +``` + +### Migration File + +```typescript +// migrations/2024_01_15_001_create_user_profile.ts +import { type Kysely, sql } from 'kysely' + +// IMPORTANT: Always use Kysely, not your typed DB interface. +// Migrations are frozen in time and must not depend on current schema types. +export async function up(db: Kysely): Promise { + await db.schema + .createTable('user_profile') + .addColumn('id', 'serial', (col) => col.primaryKey()) + .addColumn('email', 'varchar(255)', (col) => col.notNull().unique()) + .addColumn('avatar_url', 'text') + .addColumn('created_at', 'timestamp', (col) => + col.defaultTo(sql`now()`).notNull() + ) + .execute() + + await db.schema + .createIndex('idx_user_profile_avatar') + .on('user_profile') + .column('avatar_url') + .execute() +} + +export async function down(db: Kysely): Promise { + await db.schema.dropTable('user_profile').execute() +} +``` + +### Programmatic Migrator + +```typescript +import { Migrator, FileMigrationProvider } from 'kysely' +import { promises as fs } from 'fs' +import * as path from 'path' +// ESM only — CJS can use __dirname directly +import { fileURLToPath } from 'url' +const migrationFolder = path.join( + path.dirname(fileURLToPath(import.meta.url)), + './migrations', +) + +// `db` is your Kysely database instance +const migrator = new Migrator({ + db, + provider: new FileMigrationProvider({ + fs, + path, + migrationFolder, + }), + // WARNING: Only enable in development. Disables timestamp-ordering + // validation, which can cause schema drift between environments. + // allowUnorderedMigrations: true, +}) + +const { error, results } = await migrator.migrateToLatest() + +results?.forEach((it) => { + if (it.status === 'Success') { + console.log(`migration "${it.migrationName}" executed successfully`) + } else if (it.status === 'Error') { + console.error(`failed to execute migration "${it.migrationName}"`) + } +}) + +if (error) { + console.error('migration failed', error) + process.exit(1) +} +``` + +## Django (Python) + +### Workflow + +```bash +# Generate migration from model changes +python manage.py makemigrations + +# Apply migrations +python manage.py migrate + +# Show migration status +python manage.py showmigrations + +# Generate empty migration for custom SQL +python manage.py makemigrations --empty app_name -n description +``` + +### Data Migration + +```python +from django.db import migrations + +def backfill_display_names(apps, schema_editor): + User = apps.get_model("accounts", "User") + batch_size = 5000 + users = User.objects.filter(display_name="") + while users.exists(): + batch = list(users[:batch_size]) + for user in batch: + user.display_name = user.username + User.objects.bulk_update(batch, ["display_name"], batch_size=batch_size) + +def reverse_backfill(apps, schema_editor): + pass # Data migration, no reverse needed + +class Migration(migrations.Migration): + dependencies = [("accounts", "0015_add_display_name")] + + operations = [ + migrations.RunPython(backfill_display_names, reverse_backfill), + ] +``` + +### SeparateDatabaseAndState + +Remove a column from the Django model without dropping it from the database immediately: + +```python +class Migration(migrations.Migration): + operations = [ + migrations.SeparateDatabaseAndState( + state_operations=[ + migrations.RemoveField(model_name="user", name="legacy_field"), + ], + database_operations=[], # Don't touch the DB yet + ), + ] +``` + +## golang-migrate (Go) + +### Workflow + +```bash +# Create migration pair +migrate create -ext sql -dir migrations -seq add_user_avatar + +# Apply all pending migrations +migrate -path migrations -database "$DATABASE_URL" up + +# Rollback last migration +migrate -path migrations -database "$DATABASE_URL" down 1 + +# Force version (fix dirty state) +migrate -path migrations -database "$DATABASE_URL" force VERSION +``` + +### Migration Files + +```sql +-- migrations/000003_add_user_avatar.up.sql +ALTER TABLE users ADD COLUMN avatar_url TEXT; +CREATE INDEX CONCURRENTLY idx_users_avatar ON users (avatar_url) WHERE avatar_url IS NOT NULL; + +-- migrations/000003_add_user_avatar.down.sql +DROP INDEX IF EXISTS idx_users_avatar; +ALTER TABLE users DROP COLUMN IF EXISTS avatar_url; +``` + +## Zero-Downtime Migration Strategy + +For critical production changes, follow the expand-contract pattern: + +``` +Phase 1: EXPAND + - Add new column/table (nullable or with default) + - Deploy: app writes to BOTH old and new + - Backfill existing data + +Phase 2: MIGRATE + - Deploy: app reads from NEW, writes to BOTH + - Verify data consistency + +Phase 3: CONTRACT + - Deploy: app only uses NEW + - Drop old column/table in separate migration +``` + +### Timeline Example + +``` +Day 1: Migration adds new_status column (nullable) +Day 1: Deploy app v2 — writes to both status and new_status +Day 2: Run backfill migration for existing rows +Day 3: Deploy app v3 — reads from new_status only +Day 7: Migration drops old status column +``` + +## Anti-Patterns + +| Anti-Pattern | Why It Fails | Better Approach | +|-------------|-------------|-----------------| +| Manual SQL in production | No audit trail, unrepeatable | Always use migration files | +| Editing deployed migrations | Causes drift between environments | Create new migration instead | +| NOT NULL without default | Locks table, rewrites all rows | Add nullable, backfill, then add constraint | +| Inline index on large table | Blocks writes during build | CREATE INDEX CONCURRENTLY | +| Schema + data in one migration | Hard to rollback, long transactions | Separate migrations | +| Dropping column before removing code | Application errors on missing column | Remove code first, drop column next deploy | diff --git a/plugins/python/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md new file mode 100644 index 0000000..c438c4a --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/docker-patterns/SKILL.md @@ -0,0 +1,364 @@ +--- +name: docker-patterns +description: Docker and Docker Compose patterns for local development, container security, networking, volume strategies, and multi-service orchestration. +origin: ECC +--- + +# Docker Patterns + +Docker and Docker Compose best practices for containerized development. + +## When to Activate + +- Setting up Docker Compose for local development +- Designing multi-container architectures +- Troubleshooting container networking or volume issues +- Reviewing Dockerfiles for security and size +- Migrating from local dev to containerized workflow + +## Docker Compose for Local Development + +### Standard Web App Stack + +```yaml +# docker-compose.yml +services: + app: + build: + context: . + target: dev # Use dev stage of multi-stage Dockerfile + ports: + - "3000:3000" + volumes: + - .:/app # Bind mount for hot reload + - /app/node_modules # Anonymous volume -- preserves container deps + environment: + - DATABASE_URL=postgres://postgres:postgres@db:5432/app_dev + - REDIS_URL=redis://redis:6379/0 + - NODE_ENV=development + depends_on: + db: + condition: service_healthy + redis: + condition: service_started + command: npm run dev + + db: + image: postgres:16-alpine + ports: + - "5432:5432" + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + POSTGRES_DB: app_dev + volumes: + - pgdata:/var/lib/postgresql/data + - ./scripts/init-db.sql:/docker-entrypoint-initdb.d/init.sql + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres"] + interval: 5s + timeout: 3s + retries: 5 + + redis: + image: redis:7-alpine + ports: + - "6379:6379" + volumes: + - redisdata:/data + + mailpit: # Local email testing + image: axllent/mailpit + ports: + - "8025:8025" # Web UI + - "1025:1025" # SMTP + +volumes: + pgdata: + redisdata: +``` + +### Development vs Production Dockerfile + +```dockerfile +# Stage: dependencies +FROM node:22-alpine AS deps +WORKDIR /app +COPY package.json package-lock.json ./ +RUN npm ci + +# Stage: dev (hot reload, debug tools) +FROM node:22-alpine AS dev +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +EXPOSE 3000 +CMD ["npm", "run", "dev"] + +# Stage: build +FROM node:22-alpine AS build +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +RUN npm run build && npm prune --production + +# Stage: production (minimal image) +FROM node:22-alpine AS production +WORKDIR /app +RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 +USER appuser +COPY --from=build --chown=appuser:appgroup /app/dist ./dist +COPY --from=build --chown=appuser:appgroup /app/node_modules ./node_modules +COPY --from=build --chown=appuser:appgroup /app/package.json ./ +ENV NODE_ENV=production +EXPOSE 3000 +HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:3000/health || exit 1 +CMD ["node", "dist/server.js"] +``` + +### Override Files + +```yaml +# docker-compose.override.yml (auto-loaded, dev-only settings) +services: + app: + environment: + - DEBUG=app:* + - LOG_LEVEL=debug + ports: + - "9229:9229" # Node.js debugger + +# docker-compose.prod.yml (explicit for production) +services: + app: + build: + target: production + restart: always + deploy: + resources: + limits: + cpus: "1.0" + memory: 512M +``` + +```bash +# Development (auto-loads override) +docker compose up + +# Production +docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d +``` + +## Networking + +### Service Discovery + +Services in the same Compose network resolve by service name: +``` +# From "app" container: +postgres://postgres:postgres@db:5432/app_dev # "db" resolves to the db container +redis://redis:6379/0 # "redis" resolves to the redis container +``` + +### Custom Networks + +```yaml +services: + frontend: + networks: + - frontend-net + + api: + networks: + - frontend-net + - backend-net + + db: + networks: + - backend-net # Only reachable from api, not frontend + +networks: + frontend-net: + backend-net: +``` + +### Exposing Only What's Needed + +```yaml +services: + db: + ports: + - "127.0.0.1:5432:5432" # Only accessible from host, not network + # Omit ports entirely in production -- accessible only within Docker network +``` + +## Volume Strategies + +```yaml +volumes: + # Named volume: persists across container restarts, managed by Docker + pgdata: + + # Bind mount: maps host directory into container (for development) + # - ./src:/app/src + + # Anonymous volume: preserves container-generated content from bind mount override + # - /app/node_modules +``` + +### Common Patterns + +```yaml +services: + app: + volumes: + - .:/app # Source code (bind mount for hot reload) + - /app/node_modules # Protect container's node_modules from host + - /app/.next # Protect build cache + + db: + volumes: + - pgdata:/var/lib/postgresql/data # Persistent data + - ./scripts/init.sql:/docker-entrypoint-initdb.d/init.sql # Init scripts +``` + +## Container Security + +### Dockerfile Hardening + +```dockerfile +# 1. Use specific tags (never :latest) +FROM node:22.12-alpine3.20 + +# 2. Run as non-root +RUN addgroup -g 1001 -S app && adduser -S app -u 1001 +USER app + +# 3. Drop capabilities (in compose) +# 4. Read-only root filesystem where possible +# 5. No secrets in image layers +``` + +### Compose Security + +```yaml +services: + app: + security_opt: + - no-new-privileges:true + read_only: true + tmpfs: + - /tmp + - /app/.cache + cap_drop: + - ALL + cap_add: + - NET_BIND_SERVICE # Only if binding to ports < 1024 +``` + +### Secret Management + +```yaml +# GOOD: Use environment variables (injected at runtime) +services: + app: + env_file: + - .env # Never commit .env to git + environment: + - API_KEY # Inherits from host environment + +# GOOD: Docker secrets (Swarm mode) +secrets: + db_password: + file: ./secrets/db_password.txt + +services: + db: + secrets: + - db_password + +# BAD: Hardcoded in image +# ENV API_KEY=sk-proj-xxxxx # NEVER DO THIS +``` + +## .dockerignore + +``` +node_modules +.git +.env +.env.* +dist +coverage +*.log +.next +.cache +docker-compose*.yml +Dockerfile* +README.md +tests/ +``` + +## Debugging + +### Common Commands + +```bash +# View logs +docker compose logs -f app # Follow app logs +docker compose logs --tail=50 db # Last 50 lines from db + +# Execute commands in running container +docker compose exec app sh # Shell into app +docker compose exec db psql -U postgres # Connect to postgres + +# Inspect +docker compose ps # Running services +docker compose top # Processes in each container +docker stats # Resource usage + +# Rebuild +docker compose up --build # Rebuild images +docker compose build --no-cache app # Force full rebuild + +# Clean up +docker compose down # Stop and remove containers +docker compose down -v # Also remove volumes (DESTRUCTIVE) +docker system prune # Remove unused images/containers +``` + +### Debugging Network Issues + +```bash +# Check DNS resolution inside container +docker compose exec app nslookup db + +# Check connectivity +docker compose exec app wget -qO- http://api:3000/health + +# Inspect network +docker network ls +docker network inspect _default +``` + +## Anti-Patterns + +``` +# BAD: Using docker compose in production without orchestration +# Use Kubernetes, ECS, or Docker Swarm for production multi-container workloads + +# BAD: Storing data in containers without volumes +# Containers are ephemeral -- all data lost on restart without volumes + +# BAD: Running as root +# Always create and use a non-root user + +# BAD: Using :latest tag +# Pin to specific versions for reproducible builds + +# BAD: One giant container with all services +# Separate concerns: one process per container + +# BAD: Putting secrets in docker-compose.yml +# Use .env files (gitignored) or Docker secrets +``` diff --git a/plugins/python/template/addons/claude-code/.claude/skills/postgres-patterns/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/postgres-patterns/SKILL.md new file mode 100644 index 0000000..f306dfd --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/postgres-patterns/SKILL.md @@ -0,0 +1,147 @@ +--- +name: postgres-patterns +description: PostgreSQL database patterns for query optimization, schema design, indexing, and security. Based on Supabase best practices. +origin: ECC +--- + +# PostgreSQL Patterns + +Quick reference for PostgreSQL best practices. For detailed guidance, use the `database-reviewer` agent. + +## When to Activate + +- Writing SQL queries or migrations +- Designing database schemas +- Troubleshooting slow queries +- Implementing Row Level Security +- Setting up connection pooling + +## Quick Reference + +### Index Cheat Sheet + +| Query Pattern | Index Type | Example | +|--------------|------------|---------| +| `WHERE col = value` | B-tree (default) | `CREATE INDEX idx ON t (col)` | +| `WHERE col > value` | B-tree | `CREATE INDEX idx ON t (col)` | +| `WHERE a = x AND b > y` | Composite | `CREATE INDEX idx ON t (a, b)` | +| `WHERE jsonb @> '{}'` | GIN | `CREATE INDEX idx ON t USING gin (col)` | +| `WHERE tsv @@ query` | GIN | `CREATE INDEX idx ON t USING gin (col)` | +| Time-series ranges | BRIN | `CREATE INDEX idx ON t USING brin (col)` | + +### Data Type Quick Reference + +| Use Case | Correct Type | Avoid | +|----------|-------------|-------| +| IDs | `bigint` | `int`, random UUID | +| Strings | `text` | `varchar(255)` | +| Timestamps | `timestamptz` | `timestamp` | +| Money | `numeric(10,2)` | `float` | +| Flags | `boolean` | `varchar`, `int` | + +### Common Patterns + +**Composite Index Order:** +```sql +-- Equality columns first, then range columns +CREATE INDEX idx ON orders (status, created_at); +-- Works for: WHERE status = 'pending' AND created_at > '2024-01-01' +``` + +**Covering Index:** +```sql +CREATE INDEX idx ON users (email) INCLUDE (name, created_at); +-- Avoids table lookup for SELECT email, name, created_at +``` + +**Partial Index:** +```sql +CREATE INDEX idx ON users (email) WHERE deleted_at IS NULL; +-- Smaller index, only includes active users +``` + +**RLS Policy (Optimized):** +```sql +CREATE POLICY policy ON orders + USING ((SELECT auth.uid()) = user_id); -- Wrap in SELECT! +``` + +**UPSERT:** +```sql +INSERT INTO settings (user_id, key, value) +VALUES (123, 'theme', 'dark') +ON CONFLICT (user_id, key) +DO UPDATE SET value = EXCLUDED.value; +``` + +**Cursor Pagination:** +```sql +SELECT * FROM products WHERE id > $last_id ORDER BY id LIMIT 20; +-- O(1) vs OFFSET which is O(n) +``` + +**Queue Processing:** +```sql +UPDATE jobs SET status = 'processing' +WHERE id = ( + SELECT id FROM jobs WHERE status = 'pending' + ORDER BY created_at LIMIT 1 + FOR UPDATE SKIP LOCKED +) RETURNING *; +``` + +### Anti-Pattern Detection + +```sql +-- Find unindexed foreign keys +SELECT conrelid::regclass, a.attname +FROM pg_constraint c +JOIN pg_attribute a ON a.attrelid = c.conrelid AND a.attnum = ANY(c.conkey) +WHERE c.contype = 'f' + AND NOT EXISTS ( + SELECT 1 FROM pg_index i + WHERE i.indrelid = c.conrelid AND a.attnum = ANY(i.indkey) + ); + +-- Find slow queries +SELECT query, mean_exec_time, calls +FROM pg_stat_statements +WHERE mean_exec_time > 100 +ORDER BY mean_exec_time DESC; + +-- Check table bloat +SELECT relname, n_dead_tup, last_vacuum +FROM pg_stat_user_tables +WHERE n_dead_tup > 1000 +ORDER BY n_dead_tup DESC; +``` + +### Configuration Template + +```sql +-- Connection limits (adjust for RAM) +ALTER SYSTEM SET max_connections = 100; +ALTER SYSTEM SET work_mem = '8MB'; + +-- Timeouts +ALTER SYSTEM SET idle_in_transaction_session_timeout = '30s'; +ALTER SYSTEM SET statement_timeout = '30s'; + +-- Monitoring +CREATE EXTENSION IF NOT EXISTS pg_stat_statements; + +-- Security defaults +REVOKE ALL ON SCHEMA public FROM public; + +SELECT pg_reload_conf(); +``` + +## Related + +- Agent: `database-reviewer` - Full database review workflow +- Skill: `clickhouse-io` - ClickHouse analytics patterns +- Skill: `backend-patterns` - API and backend patterns + +--- + +*Based on Supabase Agent Skills (credit: Supabase team) (MIT License)* diff --git a/plugins/python/template/addons/claude-code/.claude/skills/python-patterns/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/python-patterns/SKILL.md new file mode 100644 index 0000000..ba1156d --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/python-patterns/SKILL.md @@ -0,0 +1,750 @@ +--- +name: python-patterns +description: Pythonic idioms, PEP 8 standards, type hints, and best practices for building robust, efficient, and maintainable Python applications. +origin: ECC +--- + +# Python Development Patterns + +Idiomatic Python patterns and best practices for building robust, efficient, and maintainable applications. + +## When to Activate + +- Writing new Python code +- Reviewing Python code +- Refactoring existing Python code +- Designing Python packages/modules + +## Core Principles + +### 1. Readability Counts + +Python prioritizes readability. Code should be obvious and easy to understand. + +```python +# Good: Clear and readable +def get_active_users(users: list[User]) -> list[User]: + """Return only active users from the provided list.""" + return [user for user in users if user.is_active] + + +# Bad: Clever but confusing +def get_active_users(u): + return [x for x in u if x.a] +``` + +### 2. Explicit is Better Than Implicit + +Avoid magic; be clear about what your code does. + +```python +# Good: Explicit configuration +import logging + +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(name)s - %(levelname)s - %(message)s' +) + +# Bad: Hidden side effects +import some_module +some_module.setup() # What does this do? +``` + +### 3. EAFP - Easier to Ask Forgiveness Than Permission + +Python prefers exception handling over checking conditions. + +```python +# Good: EAFP style +def get_value(dictionary: dict, key: str) -> Any: + try: + return dictionary[key] + except KeyError: + return default_value + +# Bad: LBYL (Look Before You Leap) style +def get_value(dictionary: dict, key: str) -> Any: + if key in dictionary: + return dictionary[key] + else: + return default_value +``` + +## Type Hints + +### Basic Type Annotations + +```python +from typing import Optional, List, Dict, Any + +def process_user( + user_id: str, + data: Dict[str, Any], + active: bool = True +) -> Optional[User]: + """Process a user and return the updated User or None.""" + if not active: + return None + return User(user_id, data) +``` + +### Modern Type Hints (Python 3.9+) + +```python +# Python 3.9+ - Use built-in types +def process_items(items: list[str]) -> dict[str, int]: + return {item: len(item) for item in items} + +# Python 3.8 and earlier - Use typing module +from typing import List, Dict + +def process_items(items: List[str]) -> Dict[str, int]: + return {item: len(item) for item in items} +``` + +### Type Aliases and TypeVar + +```python +from typing import TypeVar, Union + +# Type alias for complex types +JSON = Union[dict[str, Any], list[Any], str, int, float, bool, None] + +def parse_json(data: str) -> JSON: + return json.loads(data) + +# Generic types +T = TypeVar('T') + +def first(items: list[T]) -> T | None: + """Return the first item or None if list is empty.""" + return items[0] if items else None +``` + +### Protocol-Based Duck Typing + +```python +from typing import Protocol + +class Renderable(Protocol): + def render(self) -> str: + """Render the object to a string.""" + +def render_all(items: list[Renderable]) -> str: + """Render all items that implement the Renderable protocol.""" + return "\n".join(item.render() for item in items) +``` + +## Error Handling Patterns + +### Specific Exception Handling + +```python +# Good: Catch specific exceptions +def load_config(path: str) -> Config: + try: + with open(path) as f: + return Config.from_json(f.read()) + except FileNotFoundError as e: + raise ConfigError(f"Config file not found: {path}") from e + except json.JSONDecodeError as e: + raise ConfigError(f"Invalid JSON in config: {path}") from e + +# Bad: Bare except +def load_config(path: str) -> Config: + try: + with open(path) as f: + return Config.from_json(f.read()) + except: + return None # Silent failure! +``` + +### Exception Chaining + +```python +def process_data(data: str) -> Result: + try: + parsed = json.loads(data) + except json.JSONDecodeError as e: + # Chain exceptions to preserve the traceback + raise ValueError(f"Failed to parse data: {data}") from e +``` + +### Custom Exception Hierarchy + +```python +class AppError(Exception): + """Base exception for all application errors.""" + pass + +class ValidationError(AppError): + """Raised when input validation fails.""" + pass + +class NotFoundError(AppError): + """Raised when a requested resource is not found.""" + pass + +# Usage +def get_user(user_id: str) -> User: + user = db.find_user(user_id) + if not user: + raise NotFoundError(f"User not found: {user_id}") + return user +``` + +## Context Managers + +### Resource Management + +```python +# Good: Using context managers +def process_file(path: str) -> str: + with open(path, 'r') as f: + return f.read() + +# Bad: Manual resource management +def process_file(path: str) -> str: + f = open(path, 'r') + try: + return f.read() + finally: + f.close() +``` + +### Custom Context Managers + +```python +from contextlib import contextmanager + +@contextmanager +def timer(name: str): + """Context manager to time a block of code.""" + start = time.perf_counter() + yield + elapsed = time.perf_counter() - start + print(f"{name} took {elapsed:.4f} seconds") + +# Usage +with timer("data processing"): + process_large_dataset() +``` + +### Context Manager Classes + +```python +class DatabaseTransaction: + def __init__(self, connection): + self.connection = connection + + def __enter__(self): + self.connection.begin_transaction() + return self + + def __exit__(self, exc_type, exc_val, exc_tb): + if exc_type is None: + self.connection.commit() + else: + self.connection.rollback() + return False # Don't suppress exceptions + +# Usage +with DatabaseTransaction(conn): + user = conn.create_user(user_data) + conn.create_profile(user.id, profile_data) +``` + +## Comprehensions and Generators + +### List Comprehensions + +```python +# Good: List comprehension for simple transformations +names = [user.name for user in users if user.is_active] + +# Bad: Manual loop +names = [] +for user in users: + if user.is_active: + names.append(user.name) + +# Complex comprehensions should be expanded +# Bad: Too complex +result = [x * 2 for x in items if x > 0 if x % 2 == 0] + +# Good: Use a generator function +def filter_and_transform(items: Iterable[int]) -> list[int]: + result = [] + for x in items: + if x > 0 and x % 2 == 0: + result.append(x * 2) + return result +``` + +### Generator Expressions + +```python +# Good: Generator for lazy evaluation +total = sum(x * x for x in range(1_000_000)) + +# Bad: Creates large intermediate list +total = sum([x * x for x in range(1_000_000)]) +``` + +### Generator Functions + +```python +def read_large_file(path: str) -> Iterator[str]: + """Read a large file line by line.""" + with open(path) as f: + for line in f: + yield line.strip() + +# Usage +for line in read_large_file("huge.txt"): + process(line) +``` + +## Data Classes and Named Tuples + +### Data Classes + +```python +from dataclasses import dataclass, field +from datetime import datetime + +@dataclass +class User: + """User entity with automatic __init__, __repr__, and __eq__.""" + id: str + name: str + email: str + created_at: datetime = field(default_factory=datetime.now) + is_active: bool = True + +# Usage +user = User( + id="123", + name="Alice", + email="alice@example.com" +) +``` + +### Data Classes with Validation + +```python +@dataclass +class User: + email: str + age: int + + def __post_init__(self): + # Validate email format + if "@" not in self.email: + raise ValueError(f"Invalid email: {self.email}") + # Validate age range + if self.age < 0 or self.age > 150: + raise ValueError(f"Invalid age: {self.age}") +``` + +### Named Tuples + +```python +from typing import NamedTuple + +class Point(NamedTuple): + """Immutable 2D point.""" + x: float + y: float + + def distance(self, other: 'Point') -> float: + return ((self.x - other.x) ** 2 + (self.y - other.y) ** 2) ** 0.5 + +# Usage +p1 = Point(0, 0) +p2 = Point(3, 4) +print(p1.distance(p2)) # 5.0 +``` + +## Decorators + +### Function Decorators + +```python +import functools +import time + +def timer(func: Callable) -> Callable: + """Decorator to time function execution.""" + @functools.wraps(func) + def wrapper(*args, **kwargs): + start = time.perf_counter() + result = func(*args, **kwargs) + elapsed = time.perf_counter() - start + print(f"{func.__name__} took {elapsed:.4f}s") + return result + return wrapper + +@timer +def slow_function(): + time.sleep(1) + +# slow_function() prints: slow_function took 1.0012s +``` + +### Parameterized Decorators + +```python +def repeat(times: int): + """Decorator to repeat a function multiple times.""" + def decorator(func: Callable) -> Callable: + @functools.wraps(func) + def wrapper(*args, **kwargs): + results = [] + for _ in range(times): + results.append(func(*args, **kwargs)) + return results + return wrapper + return decorator + +@repeat(times=3) +def greet(name: str) -> str: + return f"Hello, {name}!" + +# greet("Alice") returns ["Hello, Alice!", "Hello, Alice!", "Hello, Alice!"] +``` + +### Class-Based Decorators + +```python +class CountCalls: + """Decorator that counts how many times a function is called.""" + def __init__(self, func: Callable): + functools.update_wrapper(self, func) + self.func = func + self.count = 0 + + def __call__(self, *args, **kwargs): + self.count += 1 + print(f"{self.func.__name__} has been called {self.count} times") + return self.func(*args, **kwargs) + +@CountCalls +def process(): + pass + +# Each call to process() prints the call count +``` + +## Concurrency Patterns + +### Threading for I/O-Bound Tasks + +```python +import concurrent.futures +import threading + +def fetch_url(url: str) -> str: + """Fetch a URL (I/O-bound operation).""" + import urllib.request + with urllib.request.urlopen(url) as response: + return response.read().decode() + +def fetch_all_urls(urls: list[str]) -> dict[str, str]: + """Fetch multiple URLs concurrently using threads.""" + with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor: + future_to_url = {executor.submit(fetch_url, url): url for url in urls} + results = {} + for future in concurrent.futures.as_completed(future_to_url): + url = future_to_url[future] + try: + results[url] = future.result() + except Exception as e: + results[url] = f"Error: {e}" + return results +``` + +### Multiprocessing for CPU-Bound Tasks + +```python +def process_data(data: list[int]) -> int: + """CPU-intensive computation.""" + return sum(x ** 2 for x in data) + +def process_all(datasets: list[list[int]]) -> list[int]: + """Process multiple datasets using multiple processes.""" + with concurrent.futures.ProcessPoolExecutor() as executor: + results = list(executor.map(process_data, datasets)) + return results +``` + +### Async/Await for Concurrent I/O + +```python +import asyncio + +async def fetch_async(url: str) -> str: + """Fetch a URL asynchronously.""" + import aiohttp + async with aiohttp.ClientSession() as session: + async with session.get(url) as response: + return await response.text() + +async def fetch_all(urls: list[str]) -> dict[str, str]: + """Fetch multiple URLs concurrently.""" + tasks = [fetch_async(url) for url in urls] + results = await asyncio.gather(*tasks, return_exceptions=True) + return dict(zip(urls, results)) +``` + +## Package Organization + +### Standard Project Layout + +``` +myproject/ +├── src/ +│ └── mypackage/ +│ ├── __init__.py +│ ├── main.py +│ ├── api/ +│ │ ├── __init__.py +│ │ └── routes.py +│ ├── models/ +│ │ ├── __init__.py +│ │ └── user.py +│ └── utils/ +│ ├── __init__.py +│ └── helpers.py +├── tests/ +│ ├── __init__.py +│ ├── conftest.py +│ ├── test_api.py +│ └── test_models.py +├── pyproject.toml +├── README.md +└── .gitignore +``` + +### Import Conventions + +```python +# Good: Import order - stdlib, third-party, local +import os +import sys +from pathlib import Path + +import requests +from fastapi import FastAPI + +from mypackage.models import User +from mypackage.utils import format_name + +# Good: Use isort for automatic import sorting +# pip install isort +``` + +### __init__.py for Package Exports + +```python +# mypackage/__init__.py +"""mypackage - A sample Python package.""" + +__version__ = "1.0.0" + +# Export main classes/functions at package level +from mypackage.models import User, Post +from mypackage.utils import format_name + +__all__ = ["User", "Post", "format_name"] +``` + +## Memory and Performance + +### Using __slots__ for Memory Efficiency + +```python +# Bad: Regular class uses __dict__ (more memory) +class Point: + def __init__(self, x: float, y: float): + self.x = x + self.y = y + +# Good: __slots__ reduces memory usage +class Point: + __slots__ = ['x', 'y'] + + def __init__(self, x: float, y: float): + self.x = x + self.y = y +``` + +### Generator for Large Data + +```python +# Bad: Returns full list in memory +def read_lines(path: str) -> list[str]: + with open(path) as f: + return [line.strip() for line in f] + +# Good: Yields lines one at a time +def read_lines(path: str) -> Iterator[str]: + with open(path) as f: + for line in f: + yield line.strip() +``` + +### Avoid String Concatenation in Loops + +```python +# Bad: O(n²) due to string immutability +result = "" +for item in items: + result += str(item) + +# Good: O(n) using join +result = "".join(str(item) for item in items) + +# Good: Using StringIO for building +from io import StringIO + +buffer = StringIO() +for item in items: + buffer.write(str(item)) +result = buffer.getvalue() +``` + +## Python Tooling Integration + +### Essential Commands + +```bash +# Code formatting +black . +isort . + +# Linting +ruff check . +pylint mypackage/ + +# Type checking +mypy . + +# Testing +pytest --cov=mypackage --cov-report=html + +# Security scanning +bandit -r . + +# Dependency management +pip-audit +safety check +``` + +### pyproject.toml Configuration + +```toml +[project] +name = "mypackage" +version = "1.0.0" +requires-python = ">=3.9" +dependencies = [ + "requests>=2.31.0", + "pydantic>=2.0.0", +] + +[project.optional-dependencies] +dev = [ + "pytest>=7.4.0", + "pytest-cov>=4.1.0", + "black>=23.0.0", + "ruff>=0.1.0", + "mypy>=1.5.0", +] + +[tool.black] +line-length = 88 +target-version = ['py39'] + +[tool.ruff] +line-length = 88 +select = ["E", "F", "I", "N", "W"] + +[tool.mypy] +python_version = "3.9" +warn_return_any = true +warn_unused_configs = true +disallow_untyped_defs = true + +[tool.pytest.ini_options] +testpaths = ["tests"] +addopts = "--cov=mypackage --cov-report=term-missing" +``` + +## Quick Reference: Python Idioms + +| Idiom | Description | +|-------|-------------| +| EAFP | Easier to Ask Forgiveness than Permission | +| Context managers | Use `with` for resource management | +| List comprehensions | For simple transformations | +| Generators | For lazy evaluation and large datasets | +| Type hints | Annotate function signatures | +| Dataclasses | For data containers with auto-generated methods | +| `__slots__` | For memory optimization | +| f-strings | For string formatting (Python 3.6+) | +| `pathlib.Path` | For path operations (Python 3.4+) | +| `enumerate` | For index-element pairs in loops | + +## Anti-Patterns to Avoid + +```python +# Bad: Mutable default arguments +def append_to(item, items=[]): + items.append(item) + return items + +# Good: Use None and create new list +def append_to(item, items=None): + if items is None: + items = [] + items.append(item) + return items + +# Bad: Checking type with type() +if type(obj) == list: + process(obj) + +# Good: Use isinstance +if isinstance(obj, list): + process(obj) + +# Bad: Comparing to None with == +if value == None: + process() + +# Good: Use is +if value is None: + process() + +# Bad: from module import * +from os.path import * + +# Good: Explicit imports +from os.path import join, exists + +# Bad: Bare except +try: + risky_operation() +except: + pass + +# Good: Specific exception +try: + risky_operation() +except SpecificError as e: + logger.error(f"Operation failed: {e}") +``` + +__Remember__: Python code should be readable, explicit, and follow the principle of least surprise. When in doubt, prioritize clarity over cleverness. diff --git a/plugins/python/template/addons/claude-code/.claude/skills/python-testing/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/python-testing/SKILL.md new file mode 100644 index 0000000..85e3661 --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/python-testing/SKILL.md @@ -0,0 +1,816 @@ +--- +name: python-testing +description: Python testing strategies using pytest, TDD methodology, fixtures, mocking, parametrization, and coverage requirements. +origin: ECC +--- + +# Python Testing Patterns + +Comprehensive testing strategies for Python applications using pytest, TDD methodology, and best practices. + +## When to Activate + +- Writing new Python code (follow TDD: red, green, refactor) +- Designing test suites for Python projects +- Reviewing Python test coverage +- Setting up testing infrastructure + +## Core Testing Philosophy + +### Test-Driven Development (TDD) + +Always follow the TDD cycle: + +1. **RED**: Write a failing test for the desired behavior +2. **GREEN**: Write minimal code to make the test pass +3. **REFACTOR**: Improve code while keeping tests green + +```python +# Step 1: Write failing test (RED) +def test_add_numbers(): + result = add(2, 3) + assert result == 5 + +# Step 2: Write minimal implementation (GREEN) +def add(a, b): + return a + b + +# Step 3: Refactor if needed (REFACTOR) +``` + +### Coverage Requirements + +- **Target**: 80%+ code coverage +- **Critical paths**: 100% coverage required +- Use `pytest --cov` to measure coverage + +```bash +pytest --cov=mypackage --cov-report=term-missing --cov-report=html +``` + +## pytest Fundamentals + +### Basic Test Structure + +```python +import pytest + +def test_addition(): + """Test basic addition.""" + assert 2 + 2 == 4 + +def test_string_uppercase(): + """Test string uppercasing.""" + text = "hello" + assert text.upper() == "HELLO" + +def test_list_append(): + """Test list append.""" + items = [1, 2, 3] + items.append(4) + assert 4 in items + assert len(items) == 4 +``` + +### Assertions + +```python +# Equality +assert result == expected + +# Inequality +assert result != unexpected + +# Truthiness +assert result # Truthy +assert not result # Falsy +assert result is True # Exactly True +assert result is False # Exactly False +assert result is None # Exactly None + +# Membership +assert item in collection +assert item not in collection + +# Comparisons +assert result > 0 +assert 0 <= result <= 100 + +# Type checking +assert isinstance(result, str) + +# Exception testing (preferred approach) +with pytest.raises(ValueError): + raise ValueError("error message") + +# Check exception message +with pytest.raises(ValueError, match="invalid input"): + raise ValueError("invalid input provided") + +# Check exception attributes +with pytest.raises(ValueError) as exc_info: + raise ValueError("error message") +assert str(exc_info.value) == "error message" +``` + +## Fixtures + +### Basic Fixture Usage + +```python +import pytest + +@pytest.fixture +def sample_data(): + """Fixture providing sample data.""" + return {"name": "Alice", "age": 30} + +def test_sample_data(sample_data): + """Test using the fixture.""" + assert sample_data["name"] == "Alice" + assert sample_data["age"] == 30 +``` + +### Fixture with Setup/Teardown + +```python +@pytest.fixture +def database(): + """Fixture with setup and teardown.""" + # Setup + db = Database(":memory:") + db.create_tables() + db.insert_test_data() + + yield db # Provide to test + + # Teardown + db.close() + +def test_database_query(database): + """Test database operations.""" + result = database.query("SELECT * FROM users") + assert len(result) > 0 +``` + +### Fixture Scopes + +```python +# Function scope (default) - runs for each test +@pytest.fixture +def temp_file(): + with open("temp.txt", "w") as f: + yield f + os.remove("temp.txt") + +# Module scope - runs once per module +@pytest.fixture(scope="module") +def module_db(): + db = Database(":memory:") + db.create_tables() + yield db + db.close() + +# Session scope - runs once per test session +@pytest.fixture(scope="session") +def shared_resource(): + resource = ExpensiveResource() + yield resource + resource.cleanup() +``` + +### Fixture with Parameters + +```python +@pytest.fixture(params=[1, 2, 3]) +def number(request): + """Parameterized fixture.""" + return request.param + +def test_numbers(number): + """Test runs 3 times, once for each parameter.""" + assert number > 0 +``` + +### Using Multiple Fixtures + +```python +@pytest.fixture +def user(): + return User(id=1, name="Alice") + +@pytest.fixture +def admin(): + return User(id=2, name="Admin", role="admin") + +def test_user_admin_interaction(user, admin): + """Test using multiple fixtures.""" + assert admin.can_manage(user) +``` + +### Autouse Fixtures + +```python +@pytest.fixture(autouse=True) +def reset_config(): + """Automatically runs before every test.""" + Config.reset() + yield + Config.cleanup() + +def test_without_fixture_call(): + # reset_config runs automatically + assert Config.get_setting("debug") is False +``` + +### Conftest.py for Shared Fixtures + +```python +# tests/conftest.py +import pytest + +@pytest.fixture +def client(): + """Shared fixture for all tests.""" + app = create_app(testing=True) + with app.test_client() as client: + yield client + +@pytest.fixture +def auth_headers(client): + """Generate auth headers for API testing.""" + response = client.post("/api/login", json={ + "username": "test", + "password": "test" + }) + token = response.json["token"] + return {"Authorization": f"Bearer {token}"} +``` + +## Parametrization + +### Basic Parametrization + +```python +@pytest.mark.parametrize("input,expected", [ + ("hello", "HELLO"), + ("world", "WORLD"), + ("PyThOn", "PYTHON"), +]) +def test_uppercase(input, expected): + """Test runs 3 times with different inputs.""" + assert input.upper() == expected +``` + +### Multiple Parameters + +```python +@pytest.mark.parametrize("a,b,expected", [ + (2, 3, 5), + (0, 0, 0), + (-1, 1, 0), + (100, 200, 300), +]) +def test_add(a, b, expected): + """Test addition with multiple inputs.""" + assert add(a, b) == expected +``` + +### Parametrize with IDs + +```python +@pytest.mark.parametrize("input,expected", [ + ("valid@email.com", True), + ("invalid", False), + ("@no-domain.com", False), +], ids=["valid-email", "missing-at", "missing-domain"]) +def test_email_validation(input, expected): + """Test email validation with readable test IDs.""" + assert is_valid_email(input) is expected +``` + +### Parametrized Fixtures + +```python +@pytest.fixture(params=["sqlite", "postgresql", "mysql"]) +def db(request): + """Test against multiple database backends.""" + if request.param == "sqlite": + return Database(":memory:") + elif request.param == "postgresql": + return Database("postgresql://localhost/test") + elif request.param == "mysql": + return Database("mysql://localhost/test") + +def test_database_operations(db): + """Test runs 3 times, once for each database.""" + result = db.query("SELECT 1") + assert result is not None +``` + +## Markers and Test Selection + +### Custom Markers + +```python +# Mark slow tests +@pytest.mark.slow +def test_slow_operation(): + time.sleep(5) + +# Mark integration tests +@pytest.mark.integration +def test_api_integration(): + response = requests.get("https://api.example.com") + assert response.status_code == 200 + +# Mark unit tests +@pytest.mark.unit +def test_unit_logic(): + assert calculate(2, 3) == 5 +``` + +### Run Specific Tests + +```bash +# Run only fast tests +pytest -m "not slow" + +# Run only integration tests +pytest -m integration + +# Run integration or slow tests +pytest -m "integration or slow" + +# Run tests marked as unit but not slow +pytest -m "unit and not slow" +``` + +### Configure Markers in pytest.ini + +```ini +[pytest] +markers = + slow: marks tests as slow + integration: marks tests as integration tests + unit: marks tests as unit tests + django: marks tests as requiring Django +``` + +## Mocking and Patching + +### Mocking Functions + +```python +from unittest.mock import patch, Mock + +@patch("mypackage.external_api_call") +def test_with_mock(api_call_mock): + """Test with mocked external API.""" + api_call_mock.return_value = {"status": "success"} + + result = my_function() + + api_call_mock.assert_called_once() + assert result["status"] == "success" +``` + +### Mocking Return Values + +```python +@patch("mypackage.Database.connect") +def test_database_connection(connect_mock): + """Test with mocked database connection.""" + connect_mock.return_value = MockConnection() + + db = Database() + db.connect() + + connect_mock.assert_called_once_with("localhost") +``` + +### Mocking Exceptions + +```python +@patch("mypackage.api_call") +def test_api_error_handling(api_call_mock): + """Test error handling with mocked exception.""" + api_call_mock.side_effect = ConnectionError("Network error") + + with pytest.raises(ConnectionError): + api_call() + + api_call_mock.assert_called_once() +``` + +### Mocking Context Managers + +```python +@patch("builtins.open", new_callable=mock_open) +def test_file_reading(mock_file): + """Test file reading with mocked open.""" + mock_file.return_value.read.return_value = "file content" + + result = read_file("test.txt") + + mock_file.assert_called_once_with("test.txt", "r") + assert result == "file content" +``` + +### Using Autospec + +```python +@patch("mypackage.DBConnection", autospec=True) +def test_autospec(db_mock): + """Test with autospec to catch API misuse.""" + db = db_mock.return_value + db.query("SELECT * FROM users") + + # This would fail if DBConnection doesn't have query method + db_mock.assert_called_once() +``` + +### Mock Class Instances + +```python +class TestUserService: + @patch("mypackage.UserRepository") + def test_create_user(self, repo_mock): + """Test user creation with mocked repository.""" + repo_mock.return_value.save.return_value = User(id=1, name="Alice") + + service = UserService(repo_mock.return_value) + user = service.create_user(name="Alice") + + assert user.name == "Alice" + repo_mock.return_value.save.assert_called_once() +``` + +### Mock Property + +```python +@pytest.fixture +def mock_config(): + """Create a mock with a property.""" + config = Mock() + type(config).debug = PropertyMock(return_value=True) + type(config).api_key = PropertyMock(return_value="test-key") + return config + +def test_with_mock_config(mock_config): + """Test with mocked config properties.""" + assert mock_config.debug is True + assert mock_config.api_key == "test-key" +``` + +## Testing Async Code + +### Async Tests with pytest-asyncio + +```python +import pytest + +@pytest.mark.asyncio +async def test_async_function(): + """Test async function.""" + result = await async_add(2, 3) + assert result == 5 + +@pytest.mark.asyncio +async def test_async_with_fixture(async_client): + """Test async with async fixture.""" + response = await async_client.get("/api/users") + assert response.status_code == 200 +``` + +### Async Fixture + +```python +@pytest.fixture +async def async_client(): + """Async fixture providing async test client.""" + app = create_app() + async with app.test_client() as client: + yield client + +@pytest.mark.asyncio +async def test_api_endpoint(async_client): + """Test using async fixture.""" + response = await async_client.get("/api/data") + assert response.status_code == 200 +``` + +### Mocking Async Functions + +```python +@pytest.mark.asyncio +@patch("mypackage.async_api_call") +async def test_async_mock(api_call_mock): + """Test async function with mock.""" + api_call_mock.return_value = {"status": "ok"} + + result = await my_async_function() + + api_call_mock.assert_awaited_once() + assert result["status"] == "ok" +``` + +## Testing Exceptions + +### Testing Expected Exceptions + +```python +def test_divide_by_zero(): + """Test that dividing by zero raises ZeroDivisionError.""" + with pytest.raises(ZeroDivisionError): + divide(10, 0) + +def test_custom_exception(): + """Test custom exception with message.""" + with pytest.raises(ValueError, match="invalid input"): + validate_input("invalid") +``` + +### Testing Exception Attributes + +```python +def test_exception_with_details(): + """Test exception with custom attributes.""" + with pytest.raises(CustomError) as exc_info: + raise CustomError("error", code=400) + + assert exc_info.value.code == 400 + assert "error" in str(exc_info.value) +``` + +## Testing Side Effects + +### Testing File Operations + +```python +import tempfile +import os + +def test_file_processing(): + """Test file processing with temp file.""" + with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.txt') as f: + f.write("test content") + temp_path = f.name + + try: + result = process_file(temp_path) + assert result == "processed: test content" + finally: + os.unlink(temp_path) +``` + +### Testing with pytest's tmp_path Fixture + +```python +def test_with_tmp_path(tmp_path): + """Test using pytest's built-in temp path fixture.""" + test_file = tmp_path / "test.txt" + test_file.write_text("hello world") + + result = process_file(str(test_file)) + assert result == "hello world" + # tmp_path automatically cleaned up +``` + +### Testing with tmpdir Fixture + +```python +def test_with_tmpdir(tmpdir): + """Test using pytest's tmpdir fixture.""" + test_file = tmpdir.join("test.txt") + test_file.write("data") + + result = process_file(str(test_file)) + assert result == "data" +``` + +## Test Organization + +### Directory Structure + +``` +tests/ +├── conftest.py # Shared fixtures +├── __init__.py +├── unit/ # Unit tests +│ ├── __init__.py +│ ├── test_models.py +│ ├── test_utils.py +│ └── test_services.py +├── integration/ # Integration tests +│ ├── __init__.py +│ ├── test_api.py +│ └── test_database.py +└── e2e/ # End-to-end tests + ├── __init__.py + └── test_user_flow.py +``` + +### Test Classes + +```python +class TestUserService: + """Group related tests in a class.""" + + @pytest.fixture(autouse=True) + def setup(self): + """Setup runs before each test in this class.""" + self.service = UserService() + + def test_create_user(self): + """Test user creation.""" + user = self.service.create_user("Alice") + assert user.name == "Alice" + + def test_delete_user(self): + """Test user deletion.""" + user = User(id=1, name="Bob") + self.service.delete_user(user) + assert not self.service.user_exists(1) +``` + +## Best Practices + +### DO + +- **Follow TDD**: Write tests before code (red-green-refactor) +- **Test one thing**: Each test should verify a single behavior +- **Use descriptive names**: `test_user_login_with_invalid_credentials_fails` +- **Use fixtures**: Eliminate duplication with fixtures +- **Mock external dependencies**: Don't depend on external services +- **Test edge cases**: Empty inputs, None values, boundary conditions +- **Aim for 80%+ coverage**: Focus on critical paths +- **Keep tests fast**: Use marks to separate slow tests + +### DON'T + +- **Don't test implementation**: Test behavior, not internals +- **Don't use complex conditionals in tests**: Keep tests simple +- **Don't ignore test failures**: All tests must pass +- **Don't test third-party code**: Trust libraries to work +- **Don't share state between tests**: Tests should be independent +- **Don't catch exceptions in tests**: Use `pytest.raises` +- **Don't use print statements**: Use assertions and pytest output +- **Don't write tests that are too brittle**: Avoid over-specific mocks + +## Common Patterns + +### Testing API Endpoints (FastAPI/Flask) + +```python +@pytest.fixture +def client(): + app = create_app(testing=True) + return app.test_client() + +def test_get_user(client): + response = client.get("/api/users/1") + assert response.status_code == 200 + assert response.json["id"] == 1 + +def test_create_user(client): + response = client.post("/api/users", json={ + "name": "Alice", + "email": "alice@example.com" + }) + assert response.status_code == 201 + assert response.json["name"] == "Alice" +``` + +### Testing Database Operations + +```python +@pytest.fixture +def db_session(): + """Create a test database session.""" + session = Session(bind=engine) + session.begin_nested() + yield session + session.rollback() + session.close() + +def test_create_user(db_session): + user = User(name="Alice", email="alice@example.com") + db_session.add(user) + db_session.commit() + + retrieved = db_session.query(User).filter_by(name="Alice").first() + assert retrieved.email == "alice@example.com" +``` + +### Testing Class Methods + +```python +class TestCalculator: + @pytest.fixture + def calculator(self): + return Calculator() + + def test_add(self, calculator): + assert calculator.add(2, 3) == 5 + + def test_divide_by_zero(self, calculator): + with pytest.raises(ZeroDivisionError): + calculator.divide(10, 0) +``` + +## pytest Configuration + +### pytest.ini + +```ini +[pytest] +testpaths = tests +python_files = test_*.py +python_classes = Test* +python_functions = test_* +addopts = + --strict-markers + --disable-warnings + --cov=mypackage + --cov-report=term-missing + --cov-report=html +markers = + slow: marks tests as slow + integration: marks tests as integration tests + unit: marks tests as unit tests +``` + +### pyproject.toml + +```toml +[tool.pytest.ini_options] +testpaths = ["tests"] +python_files = ["test_*.py"] +python_classes = ["Test*"] +python_functions = ["test_*"] +addopts = [ + "--strict-markers", + "--cov=mypackage", + "--cov-report=term-missing", + "--cov-report=html", +] +markers = [ + "slow: marks tests as slow", + "integration: marks tests as integration tests", + "unit: marks tests as unit tests", +] +``` + +## Running Tests + +```bash +# Run all tests +pytest + +# Run specific file +pytest tests/test_utils.py + +# Run specific test +pytest tests/test_utils.py::test_function + +# Run with verbose output +pytest -v + +# Run with coverage +pytest --cov=mypackage --cov-report=html + +# Run only fast tests +pytest -m "not slow" + +# Run until first failure +pytest -x + +# Run and stop on N failures +pytest --maxfail=3 + +# Run last failed tests +pytest --lf + +# Run tests with pattern +pytest -k "test_user" + +# Run with debugger on failure +pytest --pdb +``` + +## Quick Reference + +| Pattern | Usage | +|---------|-------| +| `pytest.raises()` | Test expected exceptions | +| `@pytest.fixture()` | Create reusable test fixtures | +| `@pytest.mark.parametrize()` | Run tests with multiple inputs | +| `@pytest.mark.slow` | Mark slow tests | +| `pytest -m "not slow"` | Skip slow tests | +| `@patch()` | Mock functions and classes | +| `tmp_path` fixture | Automatic temp directory | +| `pytest --cov` | Generate coverage report | +| `assert` | Simple and readable assertions | + +**Remember**: Tests are code too. Keep them clean, readable, and maintainable. Good tests catch bugs; great tests prevent them. diff --git a/plugins/python/template/addons/claude-code/.claude/skills/security-review/SKILL.md b/plugins/python/template/addons/claude-code/.claude/skills/security-review/SKILL.md new file mode 100644 index 0000000..af848b9 --- /dev/null +++ b/plugins/python/template/addons/claude-code/.claude/skills/security-review/SKILL.md @@ -0,0 +1,495 @@ +--- +name: security-review +description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns. +origin: ECC +--- + +# Security Review Skill + +This skill ensures all code follows security best practices and identifies potential vulnerabilities. + +## When to Activate + +- Implementing authentication or authorization +- Handling user input or file uploads +- Creating new API endpoints +- Working with secrets or credentials +- Implementing payment features +- Storing or transmitting sensitive data +- Integrating third-party APIs + +## Security Checklist + +### 1. Secrets Management + +#### FAIL: NEVER Do This +```typescript +const apiKey = "sk-proj-xxxxx" // Hardcoded secret +const dbPassword = "password123" // In source code +``` + +#### PASS: ALWAYS Do This +```typescript +const apiKey = process.env.OPENAI_API_KEY +const dbUrl = process.env.DATABASE_URL + +// Verify secrets exist +if (!apiKey) { + throw new Error('OPENAI_API_KEY not configured') +} +``` + +#### Verification Steps +- [ ] No hardcoded API keys, tokens, or passwords +- [ ] All secrets in environment variables +- [ ] `.env.local` in .gitignore +- [ ] No secrets in git history +- [ ] Production secrets in hosting platform (Vercel, Railway) + +### 2. Input Validation + +#### Always Validate User Input +```typescript +import { z } from 'zod' + +// Define validation schema +const CreateUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), + age: z.number().int().min(0).max(150) +}) + +// Validate before processing +export async function createUser(input: unknown) { + try { + const validated = CreateUserSchema.parse(input) + return await db.users.create(validated) + } catch (error) { + if (error instanceof z.ZodError) { + return { success: false, errors: error.errors } + } + throw error + } +} +``` + +#### File Upload Validation +```typescript +function validateFileUpload(file: File) { + // Size check (5MB max) + const maxSize = 5 * 1024 * 1024 + if (file.size > maxSize) { + throw new Error('File too large (max 5MB)') + } + + // Type check + const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'] + if (!allowedTypes.includes(file.type)) { + throw new Error('Invalid file type') + } + + // Extension check + const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'] + const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0] + if (!extension || !allowedExtensions.includes(extension)) { + throw new Error('Invalid file extension') + } + + return true +} +``` + +#### Verification Steps +- [ ] All user inputs validated with schemas +- [ ] File uploads restricted (size, type, extension) +- [ ] No direct use of user input in queries +- [ ] Whitelist validation (not blacklist) +- [ ] Error messages don't leak sensitive info + +### 3. SQL Injection Prevention + +#### FAIL: NEVER Concatenate SQL +```typescript +// DANGEROUS - SQL Injection vulnerability +const query = `SELECT * FROM users WHERE email = '${userEmail}'` +await db.query(query) +``` + +#### PASS: ALWAYS Use Parameterized Queries +```typescript +// Safe - parameterized query +const { data } = await supabase + .from('users') + .select('*') + .eq('email', userEmail) + +// Or with raw SQL +await db.query( + 'SELECT * FROM users WHERE email = $1', + [userEmail] +) +``` + +#### Verification Steps +- [ ] All database queries use parameterized queries +- [ ] No string concatenation in SQL +- [ ] ORM/query builder used correctly +- [ ] Supabase queries properly sanitized + +### 4. Authentication & Authorization + +#### JWT Token Handling +```typescript +// FAIL: WRONG: localStorage (vulnerable to XSS) +localStorage.setItem('token', token) + +// PASS: CORRECT: httpOnly cookies +res.setHeader('Set-Cookie', + `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`) +``` + +#### Authorization Checks +```typescript +export async function deleteUser(userId: string, requesterId: string) { + // ALWAYS verify authorization first + const requester = await db.users.findUnique({ + where: { id: requesterId } + }) + + if (requester.role !== 'admin') { + return NextResponse.json( + { error: 'Unauthorized' }, + { status: 403 } + ) + } + + // Proceed with deletion + await db.users.delete({ where: { id: userId } }) +} +``` + +#### Row Level Security (Supabase) +```sql +-- Enable RLS on all tables +ALTER TABLE users ENABLE ROW LEVEL SECURITY; + +-- Users can only view their own data +CREATE POLICY "Users view own data" + ON users FOR SELECT + USING (auth.uid() = id); + +-- Users can only update their own data +CREATE POLICY "Users update own data" + ON users FOR UPDATE + USING (auth.uid() = id); +``` + +#### Verification Steps +- [ ] Tokens stored in httpOnly cookies (not localStorage) +- [ ] Authorization checks before sensitive operations +- [ ] Row Level Security enabled in Supabase +- [ ] Role-based access control implemented +- [ ] Session management secure + +### 5. XSS Prevention + +#### Sanitize HTML +```typescript +import DOMPurify from 'isomorphic-dompurify' + +// ALWAYS sanitize user-provided HTML +function renderUserContent(html: string) { + const clean = DOMPurify.sanitize(html, { + ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'], + ALLOWED_ATTR: [] + }) + return
+} +``` + +#### Content Security Policy +```typescript +// next.config.js +const securityHeaders = [ + { + key: 'Content-Security-Policy', + value: ` + default-src 'self'; + script-src 'self' 'unsafe-eval' 'unsafe-inline'; + style-src 'self' 'unsafe-inline'; + img-src 'self' data: https:; + font-src 'self'; + connect-src 'self' https://api.example.com; + `.replace(/\s{2,}/g, ' ').trim() + } +] +``` + +#### Verification Steps +- [ ] User-provided HTML sanitized +- [ ] CSP headers configured +- [ ] No unvalidated dynamic content rendering +- [ ] React's built-in XSS protection used + +### 6. CSRF Protection + +#### CSRF Tokens +```typescript +import { csrf } from '@/lib/csrf' + +export async function POST(request: Request) { + const token = request.headers.get('X-CSRF-Token') + + if (!csrf.verify(token)) { + return NextResponse.json( + { error: 'Invalid CSRF token' }, + { status: 403 } + ) + } + + // Process request +} +``` + +#### SameSite Cookies +```typescript +res.setHeader('Set-Cookie', + `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`) +``` + +#### Verification Steps +- [ ] CSRF tokens on state-changing operations +- [ ] SameSite=Strict on all cookies +- [ ] Double-submit cookie pattern implemented + +### 7. Rate Limiting + +#### API Rate Limiting +```typescript +import rateLimit from 'express-rate-limit' + +const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // 100 requests per window + message: 'Too many requests' +}) + +// Apply to routes +app.use('/api/', limiter) +``` + +#### Expensive Operations +```typescript +// Aggressive rate limiting for searches +const searchLimiter = rateLimit({ + windowMs: 60 * 1000, // 1 minute + max: 10, // 10 requests per minute + message: 'Too many search requests' +}) + +app.use('/api/search', searchLimiter) +``` + +#### Verification Steps +- [ ] Rate limiting on all API endpoints +- [ ] Stricter limits on expensive operations +- [ ] IP-based rate limiting +- [ ] User-based rate limiting (authenticated) + +### 8. Sensitive Data Exposure + +#### Logging +```typescript +// FAIL: WRONG: Logging sensitive data +console.log('User login:', { email, password }) +console.log('Payment:', { cardNumber, cvv }) + +// PASS: CORRECT: Redact sensitive data +console.log('User login:', { email, userId }) +console.log('Payment:', { last4: card.last4, userId }) +``` + +#### Error Messages +```typescript +// FAIL: WRONG: Exposing internal details +catch (error) { + return NextResponse.json( + { error: error.message, stack: error.stack }, + { status: 500 } + ) +} + +// PASS: CORRECT: Generic error messages +catch (error) { + console.error('Internal error:', error) + return NextResponse.json( + { error: 'An error occurred. Please try again.' }, + { status: 500 } + ) +} +``` + +#### Verification Steps +- [ ] No passwords, tokens, or secrets in logs +- [ ] Error messages generic for users +- [ ] Detailed errors only in server logs +- [ ] No stack traces exposed to users + +### 9. Blockchain Security (Solana) + +#### Wallet Verification +```typescript +import { verify } from '@solana/web3.js' + +async function verifyWalletOwnership( + publicKey: string, + signature: string, + message: string +) { + try { + const isValid = verify( + Buffer.from(message), + Buffer.from(signature, 'base64'), + Buffer.from(publicKey, 'base64') + ) + return isValid + } catch (error) { + return false + } +} +``` + +#### Transaction Verification +```typescript +async function verifyTransaction(transaction: Transaction) { + // Verify recipient + if (transaction.to !== expectedRecipient) { + throw new Error('Invalid recipient') + } + + // Verify amount + if (transaction.amount > maxAmount) { + throw new Error('Amount exceeds limit') + } + + // Verify user has sufficient balance + const balance = await getBalance(transaction.from) + if (balance < transaction.amount) { + throw new Error('Insufficient balance') + } + + return true +} +``` + +#### Verification Steps +- [ ] Wallet signatures verified +- [ ] Transaction details validated +- [ ] Balance checks before transactions +- [ ] No blind transaction signing + +### 10. Dependency Security + +#### Regular Updates +```bash +# Check for vulnerabilities +npm audit + +# Fix automatically fixable issues +npm audit fix + +# Update dependencies +npm update + +# Check for outdated packages +npm outdated +``` + +#### Lock Files +```bash +# ALWAYS commit lock files +git add package-lock.json + +# Use in CI/CD for reproducible builds +npm ci # Instead of npm install +``` + +#### Verification Steps +- [ ] Dependencies up to date +- [ ] No known vulnerabilities (npm audit clean) +- [ ] Lock files committed +- [ ] Dependabot enabled on GitHub +- [ ] Regular security updates + +## Security Testing + +### Automated Security Tests +```typescript +// Test authentication +test('requires authentication', async () => { + const response = await fetch('/api/protected') + expect(response.status).toBe(401) +}) + +// Test authorization +test('requires admin role', async () => { + const response = await fetch('/api/admin', { + headers: { Authorization: `Bearer ${userToken}` } + }) + expect(response.status).toBe(403) +}) + +// Test input validation +test('rejects invalid input', async () => { + const response = await fetch('/api/users', { + method: 'POST', + body: JSON.stringify({ email: 'not-an-email' }) + }) + expect(response.status).toBe(400) +}) + +// Test rate limiting +test('enforces rate limits', async () => { + const requests = Array(101).fill(null).map(() => + fetch('/api/endpoint') + ) + + const responses = await Promise.all(requests) + const tooManyRequests = responses.filter(r => r.status === 429) + + expect(tooManyRequests.length).toBeGreaterThan(0) +}) +``` + +## Pre-Deployment Security Checklist + +Before ANY production deployment: + +- [ ] **Secrets**: No hardcoded secrets, all in env vars +- [ ] **Input Validation**: All user inputs validated +- [ ] **SQL Injection**: All queries parameterized +- [ ] **XSS**: User content sanitized +- [ ] **CSRF**: Protection enabled +- [ ] **Authentication**: Proper token handling +- [ ] **Authorization**: Role checks in place +- [ ] **Rate Limiting**: Enabled on all endpoints +- [ ] **HTTPS**: Enforced in production +- [ ] **Security Headers**: CSP, X-Frame-Options configured +- [ ] **Error Handling**: No sensitive data in errors +- [ ] **Logging**: No sensitive data logged +- [ ] **Dependencies**: Up to date, no vulnerabilities +- [ ] **Row Level Security**: Enabled in Supabase +- [ ] **CORS**: Properly configured +- [ ] **File Uploads**: Validated (size, type) +- [ ] **Wallet Signatures**: Verified (if blockchain) + +## Resources + +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Next.js Security](https://nextjs.org/docs/security) +- [Supabase Security](https://supabase.com/docs/guides/auth) +- [Web Security Academy](https://portswigger.net/web-security) + +--- + +**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution. diff --git a/plugins/python/template/addons/claude-code/CLAUDE.md b/plugins/python/template/addons/claude-code/CLAUDE.md new file mode 100644 index 0000000..17baa9c --- /dev/null +++ b/plugins/python/template/addons/claude-code/CLAUDE.md @@ -0,0 +1,66 @@ +# {{PROJECT_NAME}} + +## Stack +- Runtime: Python 3.11+ +- Framework: FastAPI +- ORM: SQLAlchemy 2.0 + Alembic +- Database: PostgreSQL (default) or SQLite +- Cache: Redis 7 (redis-py) +- Auth: PyJWT + passlib[bcrypt] +- Validation: Pydantic v2 + +## Common Commands +```bash +python -m venv venv +source venv/bin/activate # Windows: venv\Scripts\activate +pip install -e . +cp .env.example .env + +uvicorn main:app --reload # start dev server +alembic upgrade head # run migrations +alembic revision --autogenerate -m "" # create migration +pytest # run tests +pytest --cov=app --cov-report=term-missing # with coverage +ruff check . && ruff format . # lint + format +``` + +## Architecture +``` +app/ +├── api/ # route handlers (FastAPI routers) +├── core/ # config, security, dependencies +├── models/ # SQLAlchemy models +├── schemas/ # Pydantic schemas (request/response) +├── services/ # business logic +├── repositories/ # database access layer +└── jobs/ # scheduled tasks (APScheduler) +alembic/ # migration files +tests/ # pytest test suite +``` + +## Module convention +Each feature follows: +``` +app/ +├── api/.py # FastAPI router + handlers +├── models/.py # SQLAlchemy model +├── schemas/.py # Pydantic request/response schemas +├── services/.py # business logic +└── repositories/.py # DB queries +``` + +## Available Skills +Use these skills when working on this project: + +| Skill | When to use | +|-------|-------------| +| `/python-patterns` | FastAPI conventions, Pythonic idioms, type hints | +| `/python-testing` | pytest setup, fixtures, async testing | +| `/backend-patterns` | API conventions, service layer, repository pattern | +| `/postgres-patterns` | SQLAlchemy queries, indexes, transactions | +| `/database-migrations` | Alembic migration workflow | +| `/docker-patterns` | Docker & docker-compose setup | +| `/security-review` | Auth, JWT, input validation, OWASP checks | + +## Author +{{AUTHOR}} diff --git a/plugins/python/template/addons/cursor/.cursor/skills/backend-patterns/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/backend-patterns/skill.md new file mode 100644 index 0000000..30898b4 --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/backend-patterns/skill.md @@ -0,0 +1,598 @@ +--- +name: backend-patterns +description: Backend architecture patterns, API design, database optimization, and server-side best practices for Node.js, Express, and Next.js API routes. +origin: ECC +--- + +# Backend Development Patterns + +Backend architecture patterns and best practices for scalable server-side applications. + +## When to Activate + +- Designing REST or GraphQL API endpoints +- Implementing repository, service, or controller layers +- Optimizing database queries (N+1, indexing, connection pooling) +- Adding caching (Redis, in-memory, HTTP cache headers) +- Setting up background jobs or async processing +- Structuring error handling and validation for APIs +- Building middleware (auth, logging, rate limiting) + +## API Design Patterns + +### RESTful API Structure + +```typescript +// PASS: Resource-based URLs +GET /api/markets # List resources +GET /api/markets/:id # Get single resource +POST /api/markets # Create resource +PUT /api/markets/:id # Replace resource +PATCH /api/markets/:id # Update resource +DELETE /api/markets/:id # Delete resource + +// PASS: Query parameters for filtering, sorting, pagination +GET /api/markets?status=active&sort=volume&limit=20&offset=0 +``` + +### Repository Pattern + +```typescript +// Abstract data access logic +interface MarketRepository { + findAll(filters?: MarketFilters): Promise + findById(id: string): Promise + create(data: CreateMarketDto): Promise + update(id: string, data: UpdateMarketDto): Promise + delete(id: string): Promise +} + +class SupabaseMarketRepository implements MarketRepository { + async findAll(filters?: MarketFilters): Promise { + let query = supabase.from('markets').select('*') + + if (filters?.status) { + query = query.eq('status', filters.status) + } + + if (filters?.limit) { + query = query.limit(filters.limit) + } + + const { data, error } = await query + + if (error) throw new Error(error.message) + return data + } + + // Other methods... +} +``` + +### Service Layer Pattern + +```typescript +// Business logic separated from data access +class MarketService { + constructor(private marketRepo: MarketRepository) {} + + async searchMarkets(query: string, limit: number = 10): Promise { + // Business logic + const embedding = await generateEmbedding(query) + const results = await this.vectorSearch(embedding, limit) + + // Fetch full data + const markets = await this.marketRepo.findByIds(results.map(r => r.id)) + + // Sort by similarity + return markets.sort((a, b) => { + const scoreA = results.find(r => r.id === a.id)?.score || 0 + const scoreB = results.find(r => r.id === b.id)?.score || 0 + return scoreA - scoreB + }) + } + + private async vectorSearch(embedding: number[], limit: number) { + // Vector search implementation + } +} +``` + +### Middleware Pattern + +```typescript +// Request/response processing pipeline +export function withAuth(handler: NextApiHandler): NextApiHandler { + return async (req, res) => { + const token = req.headers.authorization?.replace('Bearer ', '') + + if (!token) { + return res.status(401).json({ error: 'Unauthorized' }) + } + + try { + const user = await verifyToken(token) + req.user = user + return handler(req, res) + } catch (error) { + return res.status(401).json({ error: 'Invalid token' }) + } + } +} + +// Usage +export default withAuth(async (req, res) => { + // Handler has access to req.user +}) +``` + +## Database Patterns + +### Query Optimization + +```typescript +// PASS: GOOD: Select only needed columns +const { data } = await supabase + .from('markets') + .select('id, name, status, volume') + .eq('status', 'active') + .order('volume', { ascending: false }) + .limit(10) + +// FAIL: BAD: Select everything +const { data } = await supabase + .from('markets') + .select('*') +``` + +### N+1 Query Prevention + +```typescript +// FAIL: BAD: N+1 query problem +const markets = await getMarkets() +for (const market of markets) { + market.creator = await getUser(market.creator_id) // N queries +} + +// PASS: GOOD: Batch fetch +const markets = await getMarkets() +const creatorIds = markets.map(m => m.creator_id) +const creators = await getUsers(creatorIds) // 1 query +const creatorMap = new Map(creators.map(c => [c.id, c])) + +markets.forEach(market => { + market.creator = creatorMap.get(market.creator_id) +}) +``` + +### Transaction Pattern + +```typescript +async function createMarketWithPosition( + marketData: CreateMarketDto, + positionData: CreatePositionDto +) { + // Use Supabase transaction + const { data, error } = await supabase.rpc('create_market_with_position', { + market_data: marketData, + position_data: positionData + }) + + if (error) throw new Error('Transaction failed') + return data +} + +// SQL function in Supabase +CREATE OR REPLACE FUNCTION create_market_with_position( + market_data jsonb, + position_data jsonb +) +RETURNS jsonb +LANGUAGE plpgsql +AS $$ +BEGIN + -- Start transaction automatically + INSERT INTO markets VALUES (market_data); + INSERT INTO positions VALUES (position_data); + RETURN jsonb_build_object('success', true); +EXCEPTION + WHEN OTHERS THEN + -- Rollback happens automatically + RETURN jsonb_build_object('success', false, 'error', SQLERRM); +END; +$$; +``` + +## Caching Strategies + +### Redis Caching Layer + +```typescript +class CachedMarketRepository implements MarketRepository { + constructor( + private baseRepo: MarketRepository, + private redis: RedisClient + ) {} + + async findById(id: string): Promise { + // Check cache first + const cached = await this.redis.get(`market:${id}`) + + if (cached) { + return JSON.parse(cached) + } + + // Cache miss - fetch from database + const market = await this.baseRepo.findById(id) + + if (market) { + // Cache for 5 minutes + await this.redis.setex(`market:${id}`, 300, JSON.stringify(market)) + } + + return market + } + + async invalidateCache(id: string): Promise { + await this.redis.del(`market:${id}`) + } +} +``` + +### Cache-Aside Pattern + +```typescript +async function getMarketWithCache(id: string): Promise { + const cacheKey = `market:${id}` + + // Try cache + const cached = await redis.get(cacheKey) + if (cached) return JSON.parse(cached) + + // Cache miss - fetch from DB + const market = await db.markets.findUnique({ where: { id } }) + + if (!market) throw new Error('Market not found') + + // Update cache + await redis.setex(cacheKey, 300, JSON.stringify(market)) + + return market +} +``` + +## Error Handling Patterns + +### Centralized Error Handler + +```typescript +class ApiError extends Error { + constructor( + public statusCode: number, + public message: string, + public isOperational = true + ) { + super(message) + Object.setPrototypeOf(this, ApiError.prototype) + } +} + +export function errorHandler(error: unknown, req: Request): Response { + if (error instanceof ApiError) { + return NextResponse.json({ + success: false, + error: error.message + }, { status: error.statusCode }) + } + + if (error instanceof z.ZodError) { + return NextResponse.json({ + success: false, + error: 'Validation failed', + details: error.errors + }, { status: 400 }) + } + + // Log unexpected errors + console.error('Unexpected error:', error) + + return NextResponse.json({ + success: false, + error: 'Internal server error' + }, { status: 500 }) +} + +// Usage +export async function GET(request: Request) { + try { + const data = await fetchData() + return NextResponse.json({ success: true, data }) + } catch (error) { + return errorHandler(error, request) + } +} +``` + +### Retry with Exponential Backoff + +```typescript +async function fetchWithRetry( + fn: () => Promise, + maxRetries = 3 +): Promise { + let lastError: Error + + for (let i = 0; i < maxRetries; i++) { + try { + return await fn() + } catch (error) { + lastError = error as Error + + if (i < maxRetries - 1) { + // Exponential backoff: 1s, 2s, 4s + const delay = Math.pow(2, i) * 1000 + await new Promise(resolve => setTimeout(resolve, delay)) + } + } + } + + throw lastError! +} + +// Usage +const data = await fetchWithRetry(() => fetchFromAPI()) +``` + +## Authentication & Authorization + +### JWT Token Validation + +```typescript +import jwt from 'jsonwebtoken' + +interface JWTPayload { + userId: string + email: string + role: 'admin' | 'user' +} + +export function verifyToken(token: string): JWTPayload { + try { + const payload = jwt.verify(token, process.env.JWT_SECRET!) as JWTPayload + return payload + } catch (error) { + throw new ApiError(401, 'Invalid token') + } +} + +export async function requireAuth(request: Request) { + const token = request.headers.get('authorization')?.replace('Bearer ', '') + + if (!token) { + throw new ApiError(401, 'Missing authorization token') + } + + return verifyToken(token) +} + +// Usage in API route +export async function GET(request: Request) { + const user = await requireAuth(request) + + const data = await getDataForUser(user.userId) + + return NextResponse.json({ success: true, data }) +} +``` + +### Role-Based Access Control + +```typescript +type Permission = 'read' | 'write' | 'delete' | 'admin' + +interface User { + id: string + role: 'admin' | 'moderator' | 'user' +} + +const rolePermissions: Record = { + admin: ['read', 'write', 'delete', 'admin'], + moderator: ['read', 'write', 'delete'], + user: ['read', 'write'] +} + +export function hasPermission(user: User, permission: Permission): boolean { + return rolePermissions[user.role].includes(permission) +} + +export function requirePermission(permission: Permission) { + return (handler: (request: Request, user: User) => Promise) => { + return async (request: Request) => { + const user = await requireAuth(request) + + if (!hasPermission(user, permission)) { + throw new ApiError(403, 'Insufficient permissions') + } + + return handler(request, user) + } + } +} + +// Usage - HOF wraps the handler +export const DELETE = requirePermission('delete')( + async (request: Request, user: User) => { + // Handler receives authenticated user with verified permission + return new Response('Deleted', { status: 200 }) + } +) +``` + +## Rate Limiting + +### Simple In-Memory Rate Limiter + +```typescript +class RateLimiter { + private requests = new Map() + + async checkLimit( + identifier: string, + maxRequests: number, + windowMs: number + ): Promise { + const now = Date.now() + const requests = this.requests.get(identifier) || [] + + // Remove old requests outside window + const recentRequests = requests.filter(time => now - time < windowMs) + + if (recentRequests.length >= maxRequests) { + return false // Rate limit exceeded + } + + // Add current request + recentRequests.push(now) + this.requests.set(identifier, recentRequests) + + return true + } +} + +const limiter = new RateLimiter() + +export async function GET(request: Request) { + const ip = request.headers.get('x-forwarded-for') || 'unknown' + + const allowed = await limiter.checkLimit(ip, 100, 60000) // 100 req/min + + if (!allowed) { + return NextResponse.json({ + error: 'Rate limit exceeded' + }, { status: 429 }) + } + + // Continue with request +} +``` + +## Background Jobs & Queues + +### Simple Queue Pattern + +```typescript +class JobQueue { + private queue: T[] = [] + private processing = false + + async add(job: T): Promise { + this.queue.push(job) + + if (!this.processing) { + this.process() + } + } + + private async process(): Promise { + this.processing = true + + while (this.queue.length > 0) { + const job = this.queue.shift()! + + try { + await this.execute(job) + } catch (error) { + console.error('Job failed:', error) + } + } + + this.processing = false + } + + private async execute(job: T): Promise { + // Job execution logic + } +} + +// Usage for indexing markets +interface IndexJob { + marketId: string +} + +const indexQueue = new JobQueue() + +export async function POST(request: Request) { + const { marketId } = await request.json() + + // Add to queue instead of blocking + await indexQueue.add({ marketId }) + + return NextResponse.json({ success: true, message: 'Job queued' }) +} +``` + +## Logging & Monitoring + +### Structured Logging + +```typescript +interface LogContext { + userId?: string + requestId?: string + method?: string + path?: string + [key: string]: unknown +} + +class Logger { + log(level: 'info' | 'warn' | 'error', message: string, context?: LogContext) { + const entry = { + timestamp: new Date().toISOString(), + level, + message, + ...context + } + + console.log(JSON.stringify(entry)) + } + + info(message: string, context?: LogContext) { + this.log('info', message, context) + } + + warn(message: string, context?: LogContext) { + this.log('warn', message, context) + } + + error(message: string, error: Error, context?: LogContext) { + this.log('error', message, { + ...context, + error: error.message, + stack: error.stack + }) + } +} + +const logger = new Logger() + +// Usage +export async function GET(request: Request) { + const requestId = crypto.randomUUID() + + logger.info('Fetching markets', { + requestId, + method: 'GET', + path: '/api/markets' + }) + + try { + const markets = await fetchMarkets() + return NextResponse.json({ success: true, data: markets }) + } catch (error) { + logger.error('Failed to fetch markets', error as Error, { requestId }) + return NextResponse.json({ error: 'Internal error' }, { status: 500 }) + } +} +``` + +**Remember**: Backend patterns enable scalable, maintainable server-side applications. Choose patterns that fit your complexity level. diff --git a/plugins/python/template/addons/cursor/.cursor/skills/database-migrations/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/database-migrations/skill.md new file mode 100644 index 0000000..b1562c2 --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/database-migrations/skill.md @@ -0,0 +1,429 @@ +--- +name: database-migrations +description: Database migration best practices for schema changes, data migrations, rollbacks, and zero-downtime deployments across PostgreSQL, MySQL, and common ORMs (Prisma, Drizzle, Kysely, Django, TypeORM, golang-migrate). +origin: ECC +--- + +# Database Migration Patterns + +Safe, reversible database schema changes for production systems. + +## When to Activate + +- Creating or altering database tables +- Adding/removing columns or indexes +- Running data migrations (backfill, transform) +- Planning zero-downtime schema changes +- Setting up migration tooling for a new project + +## Core Principles + +1. **Every change is a migration** — never alter production databases manually +2. **Migrations are forward-only in production** — rollbacks use new forward migrations +3. **Schema and data migrations are separate** — never mix DDL and DML in one migration +4. **Test migrations against production-sized data** — a migration that works on 100 rows may lock on 10M +5. **Migrations are immutable once deployed** — never edit a migration that has run in production + +## Migration Safety Checklist + +Before applying any migration: + +- [ ] Migration has both UP and DOWN (or is explicitly marked irreversible) +- [ ] No full table locks on large tables (use concurrent operations) +- [ ] New columns have defaults or are nullable (never add NOT NULL without default) +- [ ] Indexes created concurrently (not inline with CREATE TABLE for existing tables) +- [ ] Data backfill is a separate migration from schema change +- [ ] Tested against a copy of production data +- [ ] Rollback plan documented + +## PostgreSQL Patterns + +### Adding a Column Safely + +```sql +-- GOOD: Nullable column, no lock +ALTER TABLE users ADD COLUMN avatar_url TEXT; + +-- GOOD: Column with default (Postgres 11+ is instant, no rewrite) +ALTER TABLE users ADD COLUMN is_active BOOLEAN NOT NULL DEFAULT true; + +-- BAD: NOT NULL without default on existing table (requires full rewrite) +ALTER TABLE users ADD COLUMN role TEXT NOT NULL; +-- This locks the table and rewrites every row +``` + +### Adding an Index Without Downtime + +```sql +-- BAD: Blocks writes on large tables +CREATE INDEX idx_users_email ON users (email); + +-- GOOD: Non-blocking, allows concurrent writes +CREATE INDEX CONCURRENTLY idx_users_email ON users (email); + +-- Note: CONCURRENTLY cannot run inside a transaction block +-- Most migration tools need special handling for this +``` + +### Renaming a Column (Zero-Downtime) + +Never rename directly in production. Use the expand-contract pattern: + +```sql +-- Step 1: Add new column (migration 001) +ALTER TABLE users ADD COLUMN display_name TEXT; + +-- Step 2: Backfill data (migration 002, data migration) +UPDATE users SET display_name = username WHERE display_name IS NULL; + +-- Step 3: Update application code to read/write both columns +-- Deploy application changes + +-- Step 4: Stop writing to old column, drop it (migration 003) +ALTER TABLE users DROP COLUMN username; +``` + +### Removing a Column Safely + +```sql +-- Step 1: Remove all application references to the column +-- Step 2: Deploy application without the column reference +-- Step 3: Drop column in next migration +ALTER TABLE orders DROP COLUMN legacy_status; + +-- For Django: use SeparateDatabaseAndState to remove from model +-- without generating DROP COLUMN (then drop in next migration) +``` + +### Large Data Migrations + +```sql +-- BAD: Updates all rows in one transaction (locks table) +UPDATE users SET normalized_email = LOWER(email); + +-- GOOD: Batch update with progress +DO $$ +DECLARE + batch_size INT := 10000; + rows_updated INT; +BEGIN + LOOP + UPDATE users + SET normalized_email = LOWER(email) + WHERE id IN ( + SELECT id FROM users + WHERE normalized_email IS NULL + LIMIT batch_size + FOR UPDATE SKIP LOCKED + ); + GET DIAGNOSTICS rows_updated = ROW_COUNT; + RAISE NOTICE 'Updated % rows', rows_updated; + EXIT WHEN rows_updated = 0; + COMMIT; + END LOOP; +END $$; +``` + +## Prisma (TypeScript/Node.js) + +### Workflow + +```bash +# Create migration from schema changes +npx prisma migrate dev --name add_user_avatar + +# Apply pending migrations in production +npx prisma migrate deploy + +# Reset database (dev only) +npx prisma migrate reset + +# Generate client after schema changes +npx prisma generate +``` + +### Schema Example + +```prisma +model User { + id String @id @default(cuid()) + email String @unique + name String? + avatarUrl String? @map("avatar_url") + createdAt DateTime @default(now()) @map("created_at") + updatedAt DateTime @updatedAt @map("updated_at") + orders Order[] + + @@map("users") + @@index([email]) +} +``` + +### Custom SQL Migration + +For operations Prisma cannot express (concurrent indexes, data backfills): + +```bash +# Create empty migration, then edit the SQL manually +npx prisma migrate dev --create-only --name add_email_index +``` + +```sql +-- migrations/20240115_add_email_index/migration.sql +-- Prisma cannot generate CONCURRENTLY, so we write it manually +CREATE INDEX CONCURRENTLY IF NOT EXISTS idx_users_email ON users (email); +``` + +## Drizzle (TypeScript/Node.js) + +### Workflow + +```bash +# Generate migration from schema changes +npx drizzle-kit generate + +# Apply migrations +npx drizzle-kit migrate + +# Push schema directly (dev only, no migration file) +npx drizzle-kit push +``` + +### Schema Example + +```typescript +import { pgTable, text, timestamp, uuid, boolean } from "drizzle-orm/pg-core"; + +export const users = pgTable("users", { + id: uuid("id").primaryKey().defaultRandom(), + email: text("email").notNull().unique(), + name: text("name"), + isActive: boolean("is_active").notNull().default(true), + createdAt: timestamp("created_at").notNull().defaultNow(), + updatedAt: timestamp("updated_at").notNull().defaultNow(), +}); +``` + +## Kysely (TypeScript/Node.js) + +### Workflow (kysely-ctl) + +```bash +# Initialize config file (kysely.config.ts) +kysely init + +# Create a new migration file +kysely migrate make add_user_avatar + +# Apply all pending migrations +kysely migrate latest + +# Rollback last migration +kysely migrate down + +# Show migration status +kysely migrate list +``` + +### Migration File + +```typescript +// migrations/2024_01_15_001_create_user_profile.ts +import { type Kysely, sql } from 'kysely' + +// IMPORTANT: Always use Kysely, not your typed DB interface. +// Migrations are frozen in time and must not depend on current schema types. +export async function up(db: Kysely): Promise { + await db.schema + .createTable('user_profile') + .addColumn('id', 'serial', (col) => col.primaryKey()) + .addColumn('email', 'varchar(255)', (col) => col.notNull().unique()) + .addColumn('avatar_url', 'text') + .addColumn('created_at', 'timestamp', (col) => + col.defaultTo(sql`now()`).notNull() + ) + .execute() + + await db.schema + .createIndex('idx_user_profile_avatar') + .on('user_profile') + .column('avatar_url') + .execute() +} + +export async function down(db: Kysely): Promise { + await db.schema.dropTable('user_profile').execute() +} +``` + +### Programmatic Migrator + +```typescript +import { Migrator, FileMigrationProvider } from 'kysely' +import { promises as fs } from 'fs' +import * as path from 'path' +// ESM only — CJS can use __dirname directly +import { fileURLToPath } from 'url' +const migrationFolder = path.join( + path.dirname(fileURLToPath(import.meta.url)), + './migrations', +) + +// `db` is your Kysely database instance +const migrator = new Migrator({ + db, + provider: new FileMigrationProvider({ + fs, + path, + migrationFolder, + }), + // WARNING: Only enable in development. Disables timestamp-ordering + // validation, which can cause schema drift between environments. + // allowUnorderedMigrations: true, +}) + +const { error, results } = await migrator.migrateToLatest() + +results?.forEach((it) => { + if (it.status === 'Success') { + console.log(`migration "${it.migrationName}" executed successfully`) + } else if (it.status === 'Error') { + console.error(`failed to execute migration "${it.migrationName}"`) + } +}) + +if (error) { + console.error('migration failed', error) + process.exit(1) +} +``` + +## Django (Python) + +### Workflow + +```bash +# Generate migration from model changes +python manage.py makemigrations + +# Apply migrations +python manage.py migrate + +# Show migration status +python manage.py showmigrations + +# Generate empty migration for custom SQL +python manage.py makemigrations --empty app_name -n description +``` + +### Data Migration + +```python +from django.db import migrations + +def backfill_display_names(apps, schema_editor): + User = apps.get_model("accounts", "User") + batch_size = 5000 + users = User.objects.filter(display_name="") + while users.exists(): + batch = list(users[:batch_size]) + for user in batch: + user.display_name = user.username + User.objects.bulk_update(batch, ["display_name"], batch_size=batch_size) + +def reverse_backfill(apps, schema_editor): + pass # Data migration, no reverse needed + +class Migration(migrations.Migration): + dependencies = [("accounts", "0015_add_display_name")] + + operations = [ + migrations.RunPython(backfill_display_names, reverse_backfill), + ] +``` + +### SeparateDatabaseAndState + +Remove a column from the Django model without dropping it from the database immediately: + +```python +class Migration(migrations.Migration): + operations = [ + migrations.SeparateDatabaseAndState( + state_operations=[ + migrations.RemoveField(model_name="user", name="legacy_field"), + ], + database_operations=[], # Don't touch the DB yet + ), + ] +``` + +## golang-migrate (Go) + +### Workflow + +```bash +# Create migration pair +migrate create -ext sql -dir migrations -seq add_user_avatar + +# Apply all pending migrations +migrate -path migrations -database "$DATABASE_URL" up + +# Rollback last migration +migrate -path migrations -database "$DATABASE_URL" down 1 + +# Force version (fix dirty state) +migrate -path migrations -database "$DATABASE_URL" force VERSION +``` + +### Migration Files + +```sql +-- migrations/000003_add_user_avatar.up.sql +ALTER TABLE users ADD COLUMN avatar_url TEXT; +CREATE INDEX CONCURRENTLY idx_users_avatar ON users (avatar_url) WHERE avatar_url IS NOT NULL; + +-- migrations/000003_add_user_avatar.down.sql +DROP INDEX IF EXISTS idx_users_avatar; +ALTER TABLE users DROP COLUMN IF EXISTS avatar_url; +``` + +## Zero-Downtime Migration Strategy + +For critical production changes, follow the expand-contract pattern: + +``` +Phase 1: EXPAND + - Add new column/table (nullable or with default) + - Deploy: app writes to BOTH old and new + - Backfill existing data + +Phase 2: MIGRATE + - Deploy: app reads from NEW, writes to BOTH + - Verify data consistency + +Phase 3: CONTRACT + - Deploy: app only uses NEW + - Drop old column/table in separate migration +``` + +### Timeline Example + +``` +Day 1: Migration adds new_status column (nullable) +Day 1: Deploy app v2 — writes to both status and new_status +Day 2: Run backfill migration for existing rows +Day 3: Deploy app v3 — reads from new_status only +Day 7: Migration drops old status column +``` + +## Anti-Patterns + +| Anti-Pattern | Why It Fails | Better Approach | +|-------------|-------------|-----------------| +| Manual SQL in production | No audit trail, unrepeatable | Always use migration files | +| Editing deployed migrations | Causes drift between environments | Create new migration instead | +| NOT NULL without default | Locks table, rewrites all rows | Add nullable, backfill, then add constraint | +| Inline index on large table | Blocks writes during build | CREATE INDEX CONCURRENTLY | +| Schema + data in one migration | Hard to rollback, long transactions | Separate migrations | +| Dropping column before removing code | Application errors on missing column | Remove code first, drop column next deploy | diff --git a/plugins/python/template/addons/cursor/.cursor/skills/docker-patterns/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/docker-patterns/skill.md new file mode 100644 index 0000000..c438c4a --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/docker-patterns/skill.md @@ -0,0 +1,364 @@ +--- +name: docker-patterns +description: Docker and Docker Compose patterns for local development, container security, networking, volume strategies, and multi-service orchestration. +origin: ECC +--- + +# Docker Patterns + +Docker and Docker Compose best practices for containerized development. + +## When to Activate + +- Setting up Docker Compose for local development +- Designing multi-container architectures +- Troubleshooting container networking or volume issues +- Reviewing Dockerfiles for security and size +- Migrating from local dev to containerized workflow + +## Docker Compose for Local Development + +### Standard Web App Stack + +```yaml +# docker-compose.yml +services: + app: + build: + context: . + target: dev # Use dev stage of multi-stage Dockerfile + ports: + - "3000:3000" + volumes: + - .:/app # Bind mount for hot reload + - /app/node_modules # Anonymous volume -- preserves container deps + environment: + - DATABASE_URL=postgres://postgres:postgres@db:5432/app_dev + - REDIS_URL=redis://redis:6379/0 + - NODE_ENV=development + depends_on: + db: + condition: service_healthy + redis: + condition: service_started + command: npm run dev + + db: + image: postgres:16-alpine + ports: + - "5432:5432" + environment: + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + POSTGRES_DB: app_dev + volumes: + - pgdata:/var/lib/postgresql/data + - ./scripts/init-db.sql:/docker-entrypoint-initdb.d/init.sql + healthcheck: + test: ["CMD-SHELL", "pg_isready -U postgres"] + interval: 5s + timeout: 3s + retries: 5 + + redis: + image: redis:7-alpine + ports: + - "6379:6379" + volumes: + - redisdata:/data + + mailpit: # Local email testing + image: axllent/mailpit + ports: + - "8025:8025" # Web UI + - "1025:1025" # SMTP + +volumes: + pgdata: + redisdata: +``` + +### Development vs Production Dockerfile + +```dockerfile +# Stage: dependencies +FROM node:22-alpine AS deps +WORKDIR /app +COPY package.json package-lock.json ./ +RUN npm ci + +# Stage: dev (hot reload, debug tools) +FROM node:22-alpine AS dev +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +EXPOSE 3000 +CMD ["npm", "run", "dev"] + +# Stage: build +FROM node:22-alpine AS build +WORKDIR /app +COPY --from=deps /app/node_modules ./node_modules +COPY . . +RUN npm run build && npm prune --production + +# Stage: production (minimal image) +FROM node:22-alpine AS production +WORKDIR /app +RUN addgroup -g 1001 -S appgroup && adduser -S appuser -u 1001 +USER appuser +COPY --from=build --chown=appuser:appgroup /app/dist ./dist +COPY --from=build --chown=appuser:appgroup /app/node_modules ./node_modules +COPY --from=build --chown=appuser:appgroup /app/package.json ./ +ENV NODE_ENV=production +EXPOSE 3000 +HEALTHCHECK --interval=30s --timeout=3s CMD wget -qO- http://localhost:3000/health || exit 1 +CMD ["node", "dist/server.js"] +``` + +### Override Files + +```yaml +# docker-compose.override.yml (auto-loaded, dev-only settings) +services: + app: + environment: + - DEBUG=app:* + - LOG_LEVEL=debug + ports: + - "9229:9229" # Node.js debugger + +# docker-compose.prod.yml (explicit for production) +services: + app: + build: + target: production + restart: always + deploy: + resources: + limits: + cpus: "1.0" + memory: 512M +``` + +```bash +# Development (auto-loads override) +docker compose up + +# Production +docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d +``` + +## Networking + +### Service Discovery + +Services in the same Compose network resolve by service name: +``` +# From "app" container: +postgres://postgres:postgres@db:5432/app_dev # "db" resolves to the db container +redis://redis:6379/0 # "redis" resolves to the redis container +``` + +### Custom Networks + +```yaml +services: + frontend: + networks: + - frontend-net + + api: + networks: + - frontend-net + - backend-net + + db: + networks: + - backend-net # Only reachable from api, not frontend + +networks: + frontend-net: + backend-net: +``` + +### Exposing Only What's Needed + +```yaml +services: + db: + ports: + - "127.0.0.1:5432:5432" # Only accessible from host, not network + # Omit ports entirely in production -- accessible only within Docker network +``` + +## Volume Strategies + +```yaml +volumes: + # Named volume: persists across container restarts, managed by Docker + pgdata: + + # Bind mount: maps host directory into container (for development) + # - ./src:/app/src + + # Anonymous volume: preserves container-generated content from bind mount override + # - /app/node_modules +``` + +### Common Patterns + +```yaml +services: + app: + volumes: + - .:/app # Source code (bind mount for hot reload) + - /app/node_modules # Protect container's node_modules from host + - /app/.next # Protect build cache + + db: + volumes: + - pgdata:/var/lib/postgresql/data # Persistent data + - ./scripts/init.sql:/docker-entrypoint-initdb.d/init.sql # Init scripts +``` + +## Container Security + +### Dockerfile Hardening + +```dockerfile +# 1. Use specific tags (never :latest) +FROM node:22.12-alpine3.20 + +# 2. Run as non-root +RUN addgroup -g 1001 -S app && adduser -S app -u 1001 +USER app + +# 3. Drop capabilities (in compose) +# 4. Read-only root filesystem where possible +# 5. No secrets in image layers +``` + +### Compose Security + +```yaml +services: + app: + security_opt: + - no-new-privileges:true + read_only: true + tmpfs: + - /tmp + - /app/.cache + cap_drop: + - ALL + cap_add: + - NET_BIND_SERVICE # Only if binding to ports < 1024 +``` + +### Secret Management + +```yaml +# GOOD: Use environment variables (injected at runtime) +services: + app: + env_file: + - .env # Never commit .env to git + environment: + - API_KEY # Inherits from host environment + +# GOOD: Docker secrets (Swarm mode) +secrets: + db_password: + file: ./secrets/db_password.txt + +services: + db: + secrets: + - db_password + +# BAD: Hardcoded in image +# ENV API_KEY=sk-proj-xxxxx # NEVER DO THIS +``` + +## .dockerignore + +``` +node_modules +.git +.env +.env.* +dist +coverage +*.log +.next +.cache +docker-compose*.yml +Dockerfile* +README.md +tests/ +``` + +## Debugging + +### Common Commands + +```bash +# View logs +docker compose logs -f app # Follow app logs +docker compose logs --tail=50 db # Last 50 lines from db + +# Execute commands in running container +docker compose exec app sh # Shell into app +docker compose exec db psql -U postgres # Connect to postgres + +# Inspect +docker compose ps # Running services +docker compose top # Processes in each container +docker stats # Resource usage + +# Rebuild +docker compose up --build # Rebuild images +docker compose build --no-cache app # Force full rebuild + +# Clean up +docker compose down # Stop and remove containers +docker compose down -v # Also remove volumes (DESTRUCTIVE) +docker system prune # Remove unused images/containers +``` + +### Debugging Network Issues + +```bash +# Check DNS resolution inside container +docker compose exec app nslookup db + +# Check connectivity +docker compose exec app wget -qO- http://api:3000/health + +# Inspect network +docker network ls +docker network inspect _default +``` + +## Anti-Patterns + +``` +# BAD: Using docker compose in production without orchestration +# Use Kubernetes, ECS, or Docker Swarm for production multi-container workloads + +# BAD: Storing data in containers without volumes +# Containers are ephemeral -- all data lost on restart without volumes + +# BAD: Running as root +# Always create and use a non-root user + +# BAD: Using :latest tag +# Pin to specific versions for reproducible builds + +# BAD: One giant container with all services +# Separate concerns: one process per container + +# BAD: Putting secrets in docker-compose.yml +# Use .env files (gitignored) or Docker secrets +``` diff --git a/plugins/python/template/addons/cursor/.cursor/skills/postgres-patterns/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/postgres-patterns/skill.md new file mode 100644 index 0000000..f306dfd --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/postgres-patterns/skill.md @@ -0,0 +1,147 @@ +--- +name: postgres-patterns +description: PostgreSQL database patterns for query optimization, schema design, indexing, and security. Based on Supabase best practices. +origin: ECC +--- + +# PostgreSQL Patterns + +Quick reference for PostgreSQL best practices. For detailed guidance, use the `database-reviewer` agent. + +## When to Activate + +- Writing SQL queries or migrations +- Designing database schemas +- Troubleshooting slow queries +- Implementing Row Level Security +- Setting up connection pooling + +## Quick Reference + +### Index Cheat Sheet + +| Query Pattern | Index Type | Example | +|--------------|------------|---------| +| `WHERE col = value` | B-tree (default) | `CREATE INDEX idx ON t (col)` | +| `WHERE col > value` | B-tree | `CREATE INDEX idx ON t (col)` | +| `WHERE a = x AND b > y` | Composite | `CREATE INDEX idx ON t (a, b)` | +| `WHERE jsonb @> '{}'` | GIN | `CREATE INDEX idx ON t USING gin (col)` | +| `WHERE tsv @@ query` | GIN | `CREATE INDEX idx ON t USING gin (col)` | +| Time-series ranges | BRIN | `CREATE INDEX idx ON t USING brin (col)` | + +### Data Type Quick Reference + +| Use Case | Correct Type | Avoid | +|----------|-------------|-------| +| IDs | `bigint` | `int`, random UUID | +| Strings | `text` | `varchar(255)` | +| Timestamps | `timestamptz` | `timestamp` | +| Money | `numeric(10,2)` | `float` | +| Flags | `boolean` | `varchar`, `int` | + +### Common Patterns + +**Composite Index Order:** +```sql +-- Equality columns first, then range columns +CREATE INDEX idx ON orders (status, created_at); +-- Works for: WHERE status = 'pending' AND created_at > '2024-01-01' +``` + +**Covering Index:** +```sql +CREATE INDEX idx ON users (email) INCLUDE (name, created_at); +-- Avoids table lookup for SELECT email, name, created_at +``` + +**Partial Index:** +```sql +CREATE INDEX idx ON users (email) WHERE deleted_at IS NULL; +-- Smaller index, only includes active users +``` + +**RLS Policy (Optimized):** +```sql +CREATE POLICY policy ON orders + USING ((SELECT auth.uid()) = user_id); -- Wrap in SELECT! +``` + +**UPSERT:** +```sql +INSERT INTO settings (user_id, key, value) +VALUES (123, 'theme', 'dark') +ON CONFLICT (user_id, key) +DO UPDATE SET value = EXCLUDED.value; +``` + +**Cursor Pagination:** +```sql +SELECT * FROM products WHERE id > $last_id ORDER BY id LIMIT 20; +-- O(1) vs OFFSET which is O(n) +``` + +**Queue Processing:** +```sql +UPDATE jobs SET status = 'processing' +WHERE id = ( + SELECT id FROM jobs WHERE status = 'pending' + ORDER BY created_at LIMIT 1 + FOR UPDATE SKIP LOCKED +) RETURNING *; +``` + +### Anti-Pattern Detection + +```sql +-- Find unindexed foreign keys +SELECT conrelid::regclass, a.attname +FROM pg_constraint c +JOIN pg_attribute a ON a.attrelid = c.conrelid AND a.attnum = ANY(c.conkey) +WHERE c.contype = 'f' + AND NOT EXISTS ( + SELECT 1 FROM pg_index i + WHERE i.indrelid = c.conrelid AND a.attnum = ANY(i.indkey) + ); + +-- Find slow queries +SELECT query, mean_exec_time, calls +FROM pg_stat_statements +WHERE mean_exec_time > 100 +ORDER BY mean_exec_time DESC; + +-- Check table bloat +SELECT relname, n_dead_tup, last_vacuum +FROM pg_stat_user_tables +WHERE n_dead_tup > 1000 +ORDER BY n_dead_tup DESC; +``` + +### Configuration Template + +```sql +-- Connection limits (adjust for RAM) +ALTER SYSTEM SET max_connections = 100; +ALTER SYSTEM SET work_mem = '8MB'; + +-- Timeouts +ALTER SYSTEM SET idle_in_transaction_session_timeout = '30s'; +ALTER SYSTEM SET statement_timeout = '30s'; + +-- Monitoring +CREATE EXTENSION IF NOT EXISTS pg_stat_statements; + +-- Security defaults +REVOKE ALL ON SCHEMA public FROM public; + +SELECT pg_reload_conf(); +``` + +## Related + +- Agent: `database-reviewer` - Full database review workflow +- Skill: `clickhouse-io` - ClickHouse analytics patterns +- Skill: `backend-patterns` - API and backend patterns + +--- + +*Based on Supabase Agent Skills (credit: Supabase team) (MIT License)* diff --git a/plugins/python/template/addons/cursor/.cursor/skills/python-patterns/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/python-patterns/skill.md new file mode 100644 index 0000000..ba1156d --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/python-patterns/skill.md @@ -0,0 +1,750 @@ +--- +name: python-patterns +description: Pythonic idioms, PEP 8 standards, type hints, and best practices for building robust, efficient, and maintainable Python applications. +origin: ECC +--- + +# Python Development Patterns + +Idiomatic Python patterns and best practices for building robust, efficient, and maintainable applications. + +## When to Activate + +- Writing new Python code +- Reviewing Python code +- Refactoring existing Python code +- Designing Python packages/modules + +## Core Principles + +### 1. Readability Counts + +Python prioritizes readability. Code should be obvious and easy to understand. + +```python +# Good: Clear and readable +def get_active_users(users: list[User]) -> list[User]: + """Return only active users from the provided list.""" + return [user for user in users if user.is_active] + + +# Bad: Clever but confusing +def get_active_users(u): + return [x for x in u if x.a] +``` + +### 2. Explicit is Better Than Implicit + +Avoid magic; be clear about what your code does. + +```python +# Good: Explicit configuration +import logging + +logging.basicConfig( + level=logging.INFO, + format='%(asctime)s - %(name)s - %(levelname)s - %(message)s' +) + +# Bad: Hidden side effects +import some_module +some_module.setup() # What does this do? +``` + +### 3. EAFP - Easier to Ask Forgiveness Than Permission + +Python prefers exception handling over checking conditions. + +```python +# Good: EAFP style +def get_value(dictionary: dict, key: str) -> Any: + try: + return dictionary[key] + except KeyError: + return default_value + +# Bad: LBYL (Look Before You Leap) style +def get_value(dictionary: dict, key: str) -> Any: + if key in dictionary: + return dictionary[key] + else: + return default_value +``` + +## Type Hints + +### Basic Type Annotations + +```python +from typing import Optional, List, Dict, Any + +def process_user( + user_id: str, + data: Dict[str, Any], + active: bool = True +) -> Optional[User]: + """Process a user and return the updated User or None.""" + if not active: + return None + return User(user_id, data) +``` + +### Modern Type Hints (Python 3.9+) + +```python +# Python 3.9+ - Use built-in types +def process_items(items: list[str]) -> dict[str, int]: + return {item: len(item) for item in items} + +# Python 3.8 and earlier - Use typing module +from typing import List, Dict + +def process_items(items: List[str]) -> Dict[str, int]: + return {item: len(item) for item in items} +``` + +### Type Aliases and TypeVar + +```python +from typing import TypeVar, Union + +# Type alias for complex types +JSON = Union[dict[str, Any], list[Any], str, int, float, bool, None] + +def parse_json(data: str) -> JSON: + return json.loads(data) + +# Generic types +T = TypeVar('T') + +def first(items: list[T]) -> T | None: + """Return the first item or None if list is empty.""" + return items[0] if items else None +``` + +### Protocol-Based Duck Typing + +```python +from typing import Protocol + +class Renderable(Protocol): + def render(self) -> str: + """Render the object to a string.""" + +def render_all(items: list[Renderable]) -> str: + """Render all items that implement the Renderable protocol.""" + return "\n".join(item.render() for item in items) +``` + +## Error Handling Patterns + +### Specific Exception Handling + +```python +# Good: Catch specific exceptions +def load_config(path: str) -> Config: + try: + with open(path) as f: + return Config.from_json(f.read()) + except FileNotFoundError as e: + raise ConfigError(f"Config file not found: {path}") from e + except json.JSONDecodeError as e: + raise ConfigError(f"Invalid JSON in config: {path}") from e + +# Bad: Bare except +def load_config(path: str) -> Config: + try: + with open(path) as f: + return Config.from_json(f.read()) + except: + return None # Silent failure! +``` + +### Exception Chaining + +```python +def process_data(data: str) -> Result: + try: + parsed = json.loads(data) + except json.JSONDecodeError as e: + # Chain exceptions to preserve the traceback + raise ValueError(f"Failed to parse data: {data}") from e +``` + +### Custom Exception Hierarchy + +```python +class AppError(Exception): + """Base exception for all application errors.""" + pass + +class ValidationError(AppError): + """Raised when input validation fails.""" + pass + +class NotFoundError(AppError): + """Raised when a requested resource is not found.""" + pass + +# Usage +def get_user(user_id: str) -> User: + user = db.find_user(user_id) + if not user: + raise NotFoundError(f"User not found: {user_id}") + return user +``` + +## Context Managers + +### Resource Management + +```python +# Good: Using context managers +def process_file(path: str) -> str: + with open(path, 'r') as f: + return f.read() + +# Bad: Manual resource management +def process_file(path: str) -> str: + f = open(path, 'r') + try: + return f.read() + finally: + f.close() +``` + +### Custom Context Managers + +```python +from contextlib import contextmanager + +@contextmanager +def timer(name: str): + """Context manager to time a block of code.""" + start = time.perf_counter() + yield + elapsed = time.perf_counter() - start + print(f"{name} took {elapsed:.4f} seconds") + +# Usage +with timer("data processing"): + process_large_dataset() +``` + +### Context Manager Classes + +```python +class DatabaseTransaction: + def __init__(self, connection): + self.connection = connection + + def __enter__(self): + self.connection.begin_transaction() + return self + + def __exit__(self, exc_type, exc_val, exc_tb): + if exc_type is None: + self.connection.commit() + else: + self.connection.rollback() + return False # Don't suppress exceptions + +# Usage +with DatabaseTransaction(conn): + user = conn.create_user(user_data) + conn.create_profile(user.id, profile_data) +``` + +## Comprehensions and Generators + +### List Comprehensions + +```python +# Good: List comprehension for simple transformations +names = [user.name for user in users if user.is_active] + +# Bad: Manual loop +names = [] +for user in users: + if user.is_active: + names.append(user.name) + +# Complex comprehensions should be expanded +# Bad: Too complex +result = [x * 2 for x in items if x > 0 if x % 2 == 0] + +# Good: Use a generator function +def filter_and_transform(items: Iterable[int]) -> list[int]: + result = [] + for x in items: + if x > 0 and x % 2 == 0: + result.append(x * 2) + return result +``` + +### Generator Expressions + +```python +# Good: Generator for lazy evaluation +total = sum(x * x for x in range(1_000_000)) + +# Bad: Creates large intermediate list +total = sum([x * x for x in range(1_000_000)]) +``` + +### Generator Functions + +```python +def read_large_file(path: str) -> Iterator[str]: + """Read a large file line by line.""" + with open(path) as f: + for line in f: + yield line.strip() + +# Usage +for line in read_large_file("huge.txt"): + process(line) +``` + +## Data Classes and Named Tuples + +### Data Classes + +```python +from dataclasses import dataclass, field +from datetime import datetime + +@dataclass +class User: + """User entity with automatic __init__, __repr__, and __eq__.""" + id: str + name: str + email: str + created_at: datetime = field(default_factory=datetime.now) + is_active: bool = True + +# Usage +user = User( + id="123", + name="Alice", + email="alice@example.com" +) +``` + +### Data Classes with Validation + +```python +@dataclass +class User: + email: str + age: int + + def __post_init__(self): + # Validate email format + if "@" not in self.email: + raise ValueError(f"Invalid email: {self.email}") + # Validate age range + if self.age < 0 or self.age > 150: + raise ValueError(f"Invalid age: {self.age}") +``` + +### Named Tuples + +```python +from typing import NamedTuple + +class Point(NamedTuple): + """Immutable 2D point.""" + x: float + y: float + + def distance(self, other: 'Point') -> float: + return ((self.x - other.x) ** 2 + (self.y - other.y) ** 2) ** 0.5 + +# Usage +p1 = Point(0, 0) +p2 = Point(3, 4) +print(p1.distance(p2)) # 5.0 +``` + +## Decorators + +### Function Decorators + +```python +import functools +import time + +def timer(func: Callable) -> Callable: + """Decorator to time function execution.""" + @functools.wraps(func) + def wrapper(*args, **kwargs): + start = time.perf_counter() + result = func(*args, **kwargs) + elapsed = time.perf_counter() - start + print(f"{func.__name__} took {elapsed:.4f}s") + return result + return wrapper + +@timer +def slow_function(): + time.sleep(1) + +# slow_function() prints: slow_function took 1.0012s +``` + +### Parameterized Decorators + +```python +def repeat(times: int): + """Decorator to repeat a function multiple times.""" + def decorator(func: Callable) -> Callable: + @functools.wraps(func) + def wrapper(*args, **kwargs): + results = [] + for _ in range(times): + results.append(func(*args, **kwargs)) + return results + return wrapper + return decorator + +@repeat(times=3) +def greet(name: str) -> str: + return f"Hello, {name}!" + +# greet("Alice") returns ["Hello, Alice!", "Hello, Alice!", "Hello, Alice!"] +``` + +### Class-Based Decorators + +```python +class CountCalls: + """Decorator that counts how many times a function is called.""" + def __init__(self, func: Callable): + functools.update_wrapper(self, func) + self.func = func + self.count = 0 + + def __call__(self, *args, **kwargs): + self.count += 1 + print(f"{self.func.__name__} has been called {self.count} times") + return self.func(*args, **kwargs) + +@CountCalls +def process(): + pass + +# Each call to process() prints the call count +``` + +## Concurrency Patterns + +### Threading for I/O-Bound Tasks + +```python +import concurrent.futures +import threading + +def fetch_url(url: str) -> str: + """Fetch a URL (I/O-bound operation).""" + import urllib.request + with urllib.request.urlopen(url) as response: + return response.read().decode() + +def fetch_all_urls(urls: list[str]) -> dict[str, str]: + """Fetch multiple URLs concurrently using threads.""" + with concurrent.futures.ThreadPoolExecutor(max_workers=10) as executor: + future_to_url = {executor.submit(fetch_url, url): url for url in urls} + results = {} + for future in concurrent.futures.as_completed(future_to_url): + url = future_to_url[future] + try: + results[url] = future.result() + except Exception as e: + results[url] = f"Error: {e}" + return results +``` + +### Multiprocessing for CPU-Bound Tasks + +```python +def process_data(data: list[int]) -> int: + """CPU-intensive computation.""" + return sum(x ** 2 for x in data) + +def process_all(datasets: list[list[int]]) -> list[int]: + """Process multiple datasets using multiple processes.""" + with concurrent.futures.ProcessPoolExecutor() as executor: + results = list(executor.map(process_data, datasets)) + return results +``` + +### Async/Await for Concurrent I/O + +```python +import asyncio + +async def fetch_async(url: str) -> str: + """Fetch a URL asynchronously.""" + import aiohttp + async with aiohttp.ClientSession() as session: + async with session.get(url) as response: + return await response.text() + +async def fetch_all(urls: list[str]) -> dict[str, str]: + """Fetch multiple URLs concurrently.""" + tasks = [fetch_async(url) for url in urls] + results = await asyncio.gather(*tasks, return_exceptions=True) + return dict(zip(urls, results)) +``` + +## Package Organization + +### Standard Project Layout + +``` +myproject/ +├── src/ +│ └── mypackage/ +│ ├── __init__.py +│ ├── main.py +│ ├── api/ +│ │ ├── __init__.py +│ │ └── routes.py +│ ├── models/ +│ │ ├── __init__.py +│ │ └── user.py +│ └── utils/ +│ ├── __init__.py +│ └── helpers.py +├── tests/ +│ ├── __init__.py +│ ├── conftest.py +│ ├── test_api.py +│ └── test_models.py +├── pyproject.toml +├── README.md +└── .gitignore +``` + +### Import Conventions + +```python +# Good: Import order - stdlib, third-party, local +import os +import sys +from pathlib import Path + +import requests +from fastapi import FastAPI + +from mypackage.models import User +from mypackage.utils import format_name + +# Good: Use isort for automatic import sorting +# pip install isort +``` + +### __init__.py for Package Exports + +```python +# mypackage/__init__.py +"""mypackage - A sample Python package.""" + +__version__ = "1.0.0" + +# Export main classes/functions at package level +from mypackage.models import User, Post +from mypackage.utils import format_name + +__all__ = ["User", "Post", "format_name"] +``` + +## Memory and Performance + +### Using __slots__ for Memory Efficiency + +```python +# Bad: Regular class uses __dict__ (more memory) +class Point: + def __init__(self, x: float, y: float): + self.x = x + self.y = y + +# Good: __slots__ reduces memory usage +class Point: + __slots__ = ['x', 'y'] + + def __init__(self, x: float, y: float): + self.x = x + self.y = y +``` + +### Generator for Large Data + +```python +# Bad: Returns full list in memory +def read_lines(path: str) -> list[str]: + with open(path) as f: + return [line.strip() for line in f] + +# Good: Yields lines one at a time +def read_lines(path: str) -> Iterator[str]: + with open(path) as f: + for line in f: + yield line.strip() +``` + +### Avoid String Concatenation in Loops + +```python +# Bad: O(n²) due to string immutability +result = "" +for item in items: + result += str(item) + +# Good: O(n) using join +result = "".join(str(item) for item in items) + +# Good: Using StringIO for building +from io import StringIO + +buffer = StringIO() +for item in items: + buffer.write(str(item)) +result = buffer.getvalue() +``` + +## Python Tooling Integration + +### Essential Commands + +```bash +# Code formatting +black . +isort . + +# Linting +ruff check . +pylint mypackage/ + +# Type checking +mypy . + +# Testing +pytest --cov=mypackage --cov-report=html + +# Security scanning +bandit -r . + +# Dependency management +pip-audit +safety check +``` + +### pyproject.toml Configuration + +```toml +[project] +name = "mypackage" +version = "1.0.0" +requires-python = ">=3.9" +dependencies = [ + "requests>=2.31.0", + "pydantic>=2.0.0", +] + +[project.optional-dependencies] +dev = [ + "pytest>=7.4.0", + "pytest-cov>=4.1.0", + "black>=23.0.0", + "ruff>=0.1.0", + "mypy>=1.5.0", +] + +[tool.black] +line-length = 88 +target-version = ['py39'] + +[tool.ruff] +line-length = 88 +select = ["E", "F", "I", "N", "W"] + +[tool.mypy] +python_version = "3.9" +warn_return_any = true +warn_unused_configs = true +disallow_untyped_defs = true + +[tool.pytest.ini_options] +testpaths = ["tests"] +addopts = "--cov=mypackage --cov-report=term-missing" +``` + +## Quick Reference: Python Idioms + +| Idiom | Description | +|-------|-------------| +| EAFP | Easier to Ask Forgiveness than Permission | +| Context managers | Use `with` for resource management | +| List comprehensions | For simple transformations | +| Generators | For lazy evaluation and large datasets | +| Type hints | Annotate function signatures | +| Dataclasses | For data containers with auto-generated methods | +| `__slots__` | For memory optimization | +| f-strings | For string formatting (Python 3.6+) | +| `pathlib.Path` | For path operations (Python 3.4+) | +| `enumerate` | For index-element pairs in loops | + +## Anti-Patterns to Avoid + +```python +# Bad: Mutable default arguments +def append_to(item, items=[]): + items.append(item) + return items + +# Good: Use None and create new list +def append_to(item, items=None): + if items is None: + items = [] + items.append(item) + return items + +# Bad: Checking type with type() +if type(obj) == list: + process(obj) + +# Good: Use isinstance +if isinstance(obj, list): + process(obj) + +# Bad: Comparing to None with == +if value == None: + process() + +# Good: Use is +if value is None: + process() + +# Bad: from module import * +from os.path import * + +# Good: Explicit imports +from os.path import join, exists + +# Bad: Bare except +try: + risky_operation() +except: + pass + +# Good: Specific exception +try: + risky_operation() +except SpecificError as e: + logger.error(f"Operation failed: {e}") +``` + +__Remember__: Python code should be readable, explicit, and follow the principle of least surprise. When in doubt, prioritize clarity over cleverness. diff --git a/plugins/python/template/addons/cursor/.cursor/skills/python-testing/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/python-testing/skill.md new file mode 100644 index 0000000..85e3661 --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/python-testing/skill.md @@ -0,0 +1,816 @@ +--- +name: python-testing +description: Python testing strategies using pytest, TDD methodology, fixtures, mocking, parametrization, and coverage requirements. +origin: ECC +--- + +# Python Testing Patterns + +Comprehensive testing strategies for Python applications using pytest, TDD methodology, and best practices. + +## When to Activate + +- Writing new Python code (follow TDD: red, green, refactor) +- Designing test suites for Python projects +- Reviewing Python test coverage +- Setting up testing infrastructure + +## Core Testing Philosophy + +### Test-Driven Development (TDD) + +Always follow the TDD cycle: + +1. **RED**: Write a failing test for the desired behavior +2. **GREEN**: Write minimal code to make the test pass +3. **REFACTOR**: Improve code while keeping tests green + +```python +# Step 1: Write failing test (RED) +def test_add_numbers(): + result = add(2, 3) + assert result == 5 + +# Step 2: Write minimal implementation (GREEN) +def add(a, b): + return a + b + +# Step 3: Refactor if needed (REFACTOR) +``` + +### Coverage Requirements + +- **Target**: 80%+ code coverage +- **Critical paths**: 100% coverage required +- Use `pytest --cov` to measure coverage + +```bash +pytest --cov=mypackage --cov-report=term-missing --cov-report=html +``` + +## pytest Fundamentals + +### Basic Test Structure + +```python +import pytest + +def test_addition(): + """Test basic addition.""" + assert 2 + 2 == 4 + +def test_string_uppercase(): + """Test string uppercasing.""" + text = "hello" + assert text.upper() == "HELLO" + +def test_list_append(): + """Test list append.""" + items = [1, 2, 3] + items.append(4) + assert 4 in items + assert len(items) == 4 +``` + +### Assertions + +```python +# Equality +assert result == expected + +# Inequality +assert result != unexpected + +# Truthiness +assert result # Truthy +assert not result # Falsy +assert result is True # Exactly True +assert result is False # Exactly False +assert result is None # Exactly None + +# Membership +assert item in collection +assert item not in collection + +# Comparisons +assert result > 0 +assert 0 <= result <= 100 + +# Type checking +assert isinstance(result, str) + +# Exception testing (preferred approach) +with pytest.raises(ValueError): + raise ValueError("error message") + +# Check exception message +with pytest.raises(ValueError, match="invalid input"): + raise ValueError("invalid input provided") + +# Check exception attributes +with pytest.raises(ValueError) as exc_info: + raise ValueError("error message") +assert str(exc_info.value) == "error message" +``` + +## Fixtures + +### Basic Fixture Usage + +```python +import pytest + +@pytest.fixture +def sample_data(): + """Fixture providing sample data.""" + return {"name": "Alice", "age": 30} + +def test_sample_data(sample_data): + """Test using the fixture.""" + assert sample_data["name"] == "Alice" + assert sample_data["age"] == 30 +``` + +### Fixture with Setup/Teardown + +```python +@pytest.fixture +def database(): + """Fixture with setup and teardown.""" + # Setup + db = Database(":memory:") + db.create_tables() + db.insert_test_data() + + yield db # Provide to test + + # Teardown + db.close() + +def test_database_query(database): + """Test database operations.""" + result = database.query("SELECT * FROM users") + assert len(result) > 0 +``` + +### Fixture Scopes + +```python +# Function scope (default) - runs for each test +@pytest.fixture +def temp_file(): + with open("temp.txt", "w") as f: + yield f + os.remove("temp.txt") + +# Module scope - runs once per module +@pytest.fixture(scope="module") +def module_db(): + db = Database(":memory:") + db.create_tables() + yield db + db.close() + +# Session scope - runs once per test session +@pytest.fixture(scope="session") +def shared_resource(): + resource = ExpensiveResource() + yield resource + resource.cleanup() +``` + +### Fixture with Parameters + +```python +@pytest.fixture(params=[1, 2, 3]) +def number(request): + """Parameterized fixture.""" + return request.param + +def test_numbers(number): + """Test runs 3 times, once for each parameter.""" + assert number > 0 +``` + +### Using Multiple Fixtures + +```python +@pytest.fixture +def user(): + return User(id=1, name="Alice") + +@pytest.fixture +def admin(): + return User(id=2, name="Admin", role="admin") + +def test_user_admin_interaction(user, admin): + """Test using multiple fixtures.""" + assert admin.can_manage(user) +``` + +### Autouse Fixtures + +```python +@pytest.fixture(autouse=True) +def reset_config(): + """Automatically runs before every test.""" + Config.reset() + yield + Config.cleanup() + +def test_without_fixture_call(): + # reset_config runs automatically + assert Config.get_setting("debug") is False +``` + +### Conftest.py for Shared Fixtures + +```python +# tests/conftest.py +import pytest + +@pytest.fixture +def client(): + """Shared fixture for all tests.""" + app = create_app(testing=True) + with app.test_client() as client: + yield client + +@pytest.fixture +def auth_headers(client): + """Generate auth headers for API testing.""" + response = client.post("/api/login", json={ + "username": "test", + "password": "test" + }) + token = response.json["token"] + return {"Authorization": f"Bearer {token}"} +``` + +## Parametrization + +### Basic Parametrization + +```python +@pytest.mark.parametrize("input,expected", [ + ("hello", "HELLO"), + ("world", "WORLD"), + ("PyThOn", "PYTHON"), +]) +def test_uppercase(input, expected): + """Test runs 3 times with different inputs.""" + assert input.upper() == expected +``` + +### Multiple Parameters + +```python +@pytest.mark.parametrize("a,b,expected", [ + (2, 3, 5), + (0, 0, 0), + (-1, 1, 0), + (100, 200, 300), +]) +def test_add(a, b, expected): + """Test addition with multiple inputs.""" + assert add(a, b) == expected +``` + +### Parametrize with IDs + +```python +@pytest.mark.parametrize("input,expected", [ + ("valid@email.com", True), + ("invalid", False), + ("@no-domain.com", False), +], ids=["valid-email", "missing-at", "missing-domain"]) +def test_email_validation(input, expected): + """Test email validation with readable test IDs.""" + assert is_valid_email(input) is expected +``` + +### Parametrized Fixtures + +```python +@pytest.fixture(params=["sqlite", "postgresql", "mysql"]) +def db(request): + """Test against multiple database backends.""" + if request.param == "sqlite": + return Database(":memory:") + elif request.param == "postgresql": + return Database("postgresql://localhost/test") + elif request.param == "mysql": + return Database("mysql://localhost/test") + +def test_database_operations(db): + """Test runs 3 times, once for each database.""" + result = db.query("SELECT 1") + assert result is not None +``` + +## Markers and Test Selection + +### Custom Markers + +```python +# Mark slow tests +@pytest.mark.slow +def test_slow_operation(): + time.sleep(5) + +# Mark integration tests +@pytest.mark.integration +def test_api_integration(): + response = requests.get("https://api.example.com") + assert response.status_code == 200 + +# Mark unit tests +@pytest.mark.unit +def test_unit_logic(): + assert calculate(2, 3) == 5 +``` + +### Run Specific Tests + +```bash +# Run only fast tests +pytest -m "not slow" + +# Run only integration tests +pytest -m integration + +# Run integration or slow tests +pytest -m "integration or slow" + +# Run tests marked as unit but not slow +pytest -m "unit and not slow" +``` + +### Configure Markers in pytest.ini + +```ini +[pytest] +markers = + slow: marks tests as slow + integration: marks tests as integration tests + unit: marks tests as unit tests + django: marks tests as requiring Django +``` + +## Mocking and Patching + +### Mocking Functions + +```python +from unittest.mock import patch, Mock + +@patch("mypackage.external_api_call") +def test_with_mock(api_call_mock): + """Test with mocked external API.""" + api_call_mock.return_value = {"status": "success"} + + result = my_function() + + api_call_mock.assert_called_once() + assert result["status"] == "success" +``` + +### Mocking Return Values + +```python +@patch("mypackage.Database.connect") +def test_database_connection(connect_mock): + """Test with mocked database connection.""" + connect_mock.return_value = MockConnection() + + db = Database() + db.connect() + + connect_mock.assert_called_once_with("localhost") +``` + +### Mocking Exceptions + +```python +@patch("mypackage.api_call") +def test_api_error_handling(api_call_mock): + """Test error handling with mocked exception.""" + api_call_mock.side_effect = ConnectionError("Network error") + + with pytest.raises(ConnectionError): + api_call() + + api_call_mock.assert_called_once() +``` + +### Mocking Context Managers + +```python +@patch("builtins.open", new_callable=mock_open) +def test_file_reading(mock_file): + """Test file reading with mocked open.""" + mock_file.return_value.read.return_value = "file content" + + result = read_file("test.txt") + + mock_file.assert_called_once_with("test.txt", "r") + assert result == "file content" +``` + +### Using Autospec + +```python +@patch("mypackage.DBConnection", autospec=True) +def test_autospec(db_mock): + """Test with autospec to catch API misuse.""" + db = db_mock.return_value + db.query("SELECT * FROM users") + + # This would fail if DBConnection doesn't have query method + db_mock.assert_called_once() +``` + +### Mock Class Instances + +```python +class TestUserService: + @patch("mypackage.UserRepository") + def test_create_user(self, repo_mock): + """Test user creation with mocked repository.""" + repo_mock.return_value.save.return_value = User(id=1, name="Alice") + + service = UserService(repo_mock.return_value) + user = service.create_user(name="Alice") + + assert user.name == "Alice" + repo_mock.return_value.save.assert_called_once() +``` + +### Mock Property + +```python +@pytest.fixture +def mock_config(): + """Create a mock with a property.""" + config = Mock() + type(config).debug = PropertyMock(return_value=True) + type(config).api_key = PropertyMock(return_value="test-key") + return config + +def test_with_mock_config(mock_config): + """Test with mocked config properties.""" + assert mock_config.debug is True + assert mock_config.api_key == "test-key" +``` + +## Testing Async Code + +### Async Tests with pytest-asyncio + +```python +import pytest + +@pytest.mark.asyncio +async def test_async_function(): + """Test async function.""" + result = await async_add(2, 3) + assert result == 5 + +@pytest.mark.asyncio +async def test_async_with_fixture(async_client): + """Test async with async fixture.""" + response = await async_client.get("/api/users") + assert response.status_code == 200 +``` + +### Async Fixture + +```python +@pytest.fixture +async def async_client(): + """Async fixture providing async test client.""" + app = create_app() + async with app.test_client() as client: + yield client + +@pytest.mark.asyncio +async def test_api_endpoint(async_client): + """Test using async fixture.""" + response = await async_client.get("/api/data") + assert response.status_code == 200 +``` + +### Mocking Async Functions + +```python +@pytest.mark.asyncio +@patch("mypackage.async_api_call") +async def test_async_mock(api_call_mock): + """Test async function with mock.""" + api_call_mock.return_value = {"status": "ok"} + + result = await my_async_function() + + api_call_mock.assert_awaited_once() + assert result["status"] == "ok" +``` + +## Testing Exceptions + +### Testing Expected Exceptions + +```python +def test_divide_by_zero(): + """Test that dividing by zero raises ZeroDivisionError.""" + with pytest.raises(ZeroDivisionError): + divide(10, 0) + +def test_custom_exception(): + """Test custom exception with message.""" + with pytest.raises(ValueError, match="invalid input"): + validate_input("invalid") +``` + +### Testing Exception Attributes + +```python +def test_exception_with_details(): + """Test exception with custom attributes.""" + with pytest.raises(CustomError) as exc_info: + raise CustomError("error", code=400) + + assert exc_info.value.code == 400 + assert "error" in str(exc_info.value) +``` + +## Testing Side Effects + +### Testing File Operations + +```python +import tempfile +import os + +def test_file_processing(): + """Test file processing with temp file.""" + with tempfile.NamedTemporaryFile(mode='w', delete=False, suffix='.txt') as f: + f.write("test content") + temp_path = f.name + + try: + result = process_file(temp_path) + assert result == "processed: test content" + finally: + os.unlink(temp_path) +``` + +### Testing with pytest's tmp_path Fixture + +```python +def test_with_tmp_path(tmp_path): + """Test using pytest's built-in temp path fixture.""" + test_file = tmp_path / "test.txt" + test_file.write_text("hello world") + + result = process_file(str(test_file)) + assert result == "hello world" + # tmp_path automatically cleaned up +``` + +### Testing with tmpdir Fixture + +```python +def test_with_tmpdir(tmpdir): + """Test using pytest's tmpdir fixture.""" + test_file = tmpdir.join("test.txt") + test_file.write("data") + + result = process_file(str(test_file)) + assert result == "data" +``` + +## Test Organization + +### Directory Structure + +``` +tests/ +├── conftest.py # Shared fixtures +├── __init__.py +├── unit/ # Unit tests +│ ├── __init__.py +│ ├── test_models.py +│ ├── test_utils.py +│ └── test_services.py +├── integration/ # Integration tests +│ ├── __init__.py +│ ├── test_api.py +│ └── test_database.py +└── e2e/ # End-to-end tests + ├── __init__.py + └── test_user_flow.py +``` + +### Test Classes + +```python +class TestUserService: + """Group related tests in a class.""" + + @pytest.fixture(autouse=True) + def setup(self): + """Setup runs before each test in this class.""" + self.service = UserService() + + def test_create_user(self): + """Test user creation.""" + user = self.service.create_user("Alice") + assert user.name == "Alice" + + def test_delete_user(self): + """Test user deletion.""" + user = User(id=1, name="Bob") + self.service.delete_user(user) + assert not self.service.user_exists(1) +``` + +## Best Practices + +### DO + +- **Follow TDD**: Write tests before code (red-green-refactor) +- **Test one thing**: Each test should verify a single behavior +- **Use descriptive names**: `test_user_login_with_invalid_credentials_fails` +- **Use fixtures**: Eliminate duplication with fixtures +- **Mock external dependencies**: Don't depend on external services +- **Test edge cases**: Empty inputs, None values, boundary conditions +- **Aim for 80%+ coverage**: Focus on critical paths +- **Keep tests fast**: Use marks to separate slow tests + +### DON'T + +- **Don't test implementation**: Test behavior, not internals +- **Don't use complex conditionals in tests**: Keep tests simple +- **Don't ignore test failures**: All tests must pass +- **Don't test third-party code**: Trust libraries to work +- **Don't share state between tests**: Tests should be independent +- **Don't catch exceptions in tests**: Use `pytest.raises` +- **Don't use print statements**: Use assertions and pytest output +- **Don't write tests that are too brittle**: Avoid over-specific mocks + +## Common Patterns + +### Testing API Endpoints (FastAPI/Flask) + +```python +@pytest.fixture +def client(): + app = create_app(testing=True) + return app.test_client() + +def test_get_user(client): + response = client.get("/api/users/1") + assert response.status_code == 200 + assert response.json["id"] == 1 + +def test_create_user(client): + response = client.post("/api/users", json={ + "name": "Alice", + "email": "alice@example.com" + }) + assert response.status_code == 201 + assert response.json["name"] == "Alice" +``` + +### Testing Database Operations + +```python +@pytest.fixture +def db_session(): + """Create a test database session.""" + session = Session(bind=engine) + session.begin_nested() + yield session + session.rollback() + session.close() + +def test_create_user(db_session): + user = User(name="Alice", email="alice@example.com") + db_session.add(user) + db_session.commit() + + retrieved = db_session.query(User).filter_by(name="Alice").first() + assert retrieved.email == "alice@example.com" +``` + +### Testing Class Methods + +```python +class TestCalculator: + @pytest.fixture + def calculator(self): + return Calculator() + + def test_add(self, calculator): + assert calculator.add(2, 3) == 5 + + def test_divide_by_zero(self, calculator): + with pytest.raises(ZeroDivisionError): + calculator.divide(10, 0) +``` + +## pytest Configuration + +### pytest.ini + +```ini +[pytest] +testpaths = tests +python_files = test_*.py +python_classes = Test* +python_functions = test_* +addopts = + --strict-markers + --disable-warnings + --cov=mypackage + --cov-report=term-missing + --cov-report=html +markers = + slow: marks tests as slow + integration: marks tests as integration tests + unit: marks tests as unit tests +``` + +### pyproject.toml + +```toml +[tool.pytest.ini_options] +testpaths = ["tests"] +python_files = ["test_*.py"] +python_classes = ["Test*"] +python_functions = ["test_*"] +addopts = [ + "--strict-markers", + "--cov=mypackage", + "--cov-report=term-missing", + "--cov-report=html", +] +markers = [ + "slow: marks tests as slow", + "integration: marks tests as integration tests", + "unit: marks tests as unit tests", +] +``` + +## Running Tests + +```bash +# Run all tests +pytest + +# Run specific file +pytest tests/test_utils.py + +# Run specific test +pytest tests/test_utils.py::test_function + +# Run with verbose output +pytest -v + +# Run with coverage +pytest --cov=mypackage --cov-report=html + +# Run only fast tests +pytest -m "not slow" + +# Run until first failure +pytest -x + +# Run and stop on N failures +pytest --maxfail=3 + +# Run last failed tests +pytest --lf + +# Run tests with pattern +pytest -k "test_user" + +# Run with debugger on failure +pytest --pdb +``` + +## Quick Reference + +| Pattern | Usage | +|---------|-------| +| `pytest.raises()` | Test expected exceptions | +| `@pytest.fixture()` | Create reusable test fixtures | +| `@pytest.mark.parametrize()` | Run tests with multiple inputs | +| `@pytest.mark.slow` | Mark slow tests | +| `pytest -m "not slow"` | Skip slow tests | +| `@patch()` | Mock functions and classes | +| `tmp_path` fixture | Automatic temp directory | +| `pytest --cov` | Generate coverage report | +| `assert` | Simple and readable assertions | + +**Remember**: Tests are code too. Keep them clean, readable, and maintainable. Good tests catch bugs; great tests prevent them. diff --git a/plugins/python/template/addons/cursor/.cursor/skills/security-review/skill.md b/plugins/python/template/addons/cursor/.cursor/skills/security-review/skill.md new file mode 100644 index 0000000..af848b9 --- /dev/null +++ b/plugins/python/template/addons/cursor/.cursor/skills/security-review/skill.md @@ -0,0 +1,495 @@ +--- +name: security-review +description: Use this skill when adding authentication, handling user input, working with secrets, creating API endpoints, or implementing payment/sensitive features. Provides comprehensive security checklist and patterns. +origin: ECC +--- + +# Security Review Skill + +This skill ensures all code follows security best practices and identifies potential vulnerabilities. + +## When to Activate + +- Implementing authentication or authorization +- Handling user input or file uploads +- Creating new API endpoints +- Working with secrets or credentials +- Implementing payment features +- Storing or transmitting sensitive data +- Integrating third-party APIs + +## Security Checklist + +### 1. Secrets Management + +#### FAIL: NEVER Do This +```typescript +const apiKey = "sk-proj-xxxxx" // Hardcoded secret +const dbPassword = "password123" // In source code +``` + +#### PASS: ALWAYS Do This +```typescript +const apiKey = process.env.OPENAI_API_KEY +const dbUrl = process.env.DATABASE_URL + +// Verify secrets exist +if (!apiKey) { + throw new Error('OPENAI_API_KEY not configured') +} +``` + +#### Verification Steps +- [ ] No hardcoded API keys, tokens, or passwords +- [ ] All secrets in environment variables +- [ ] `.env.local` in .gitignore +- [ ] No secrets in git history +- [ ] Production secrets in hosting platform (Vercel, Railway) + +### 2. Input Validation + +#### Always Validate User Input +```typescript +import { z } from 'zod' + +// Define validation schema +const CreateUserSchema = z.object({ + email: z.string().email(), + name: z.string().min(1).max(100), + age: z.number().int().min(0).max(150) +}) + +// Validate before processing +export async function createUser(input: unknown) { + try { + const validated = CreateUserSchema.parse(input) + return await db.users.create(validated) + } catch (error) { + if (error instanceof z.ZodError) { + return { success: false, errors: error.errors } + } + throw error + } +} +``` + +#### File Upload Validation +```typescript +function validateFileUpload(file: File) { + // Size check (5MB max) + const maxSize = 5 * 1024 * 1024 + if (file.size > maxSize) { + throw new Error('File too large (max 5MB)') + } + + // Type check + const allowedTypes = ['image/jpeg', 'image/png', 'image/gif'] + if (!allowedTypes.includes(file.type)) { + throw new Error('Invalid file type') + } + + // Extension check + const allowedExtensions = ['.jpg', '.jpeg', '.png', '.gif'] + const extension = file.name.toLowerCase().match(/\.[^.]+$/)?.[0] + if (!extension || !allowedExtensions.includes(extension)) { + throw new Error('Invalid file extension') + } + + return true +} +``` + +#### Verification Steps +- [ ] All user inputs validated with schemas +- [ ] File uploads restricted (size, type, extension) +- [ ] No direct use of user input in queries +- [ ] Whitelist validation (not blacklist) +- [ ] Error messages don't leak sensitive info + +### 3. SQL Injection Prevention + +#### FAIL: NEVER Concatenate SQL +```typescript +// DANGEROUS - SQL Injection vulnerability +const query = `SELECT * FROM users WHERE email = '${userEmail}'` +await db.query(query) +``` + +#### PASS: ALWAYS Use Parameterized Queries +```typescript +// Safe - parameterized query +const { data } = await supabase + .from('users') + .select('*') + .eq('email', userEmail) + +// Or with raw SQL +await db.query( + 'SELECT * FROM users WHERE email = $1', + [userEmail] +) +``` + +#### Verification Steps +- [ ] All database queries use parameterized queries +- [ ] No string concatenation in SQL +- [ ] ORM/query builder used correctly +- [ ] Supabase queries properly sanitized + +### 4. Authentication & Authorization + +#### JWT Token Handling +```typescript +// FAIL: WRONG: localStorage (vulnerable to XSS) +localStorage.setItem('token', token) + +// PASS: CORRECT: httpOnly cookies +res.setHeader('Set-Cookie', + `token=${token}; HttpOnly; Secure; SameSite=Strict; Max-Age=3600`) +``` + +#### Authorization Checks +```typescript +export async function deleteUser(userId: string, requesterId: string) { + // ALWAYS verify authorization first + const requester = await db.users.findUnique({ + where: { id: requesterId } + }) + + if (requester.role !== 'admin') { + return NextResponse.json( + { error: 'Unauthorized' }, + { status: 403 } + ) + } + + // Proceed with deletion + await db.users.delete({ where: { id: userId } }) +} +``` + +#### Row Level Security (Supabase) +```sql +-- Enable RLS on all tables +ALTER TABLE users ENABLE ROW LEVEL SECURITY; + +-- Users can only view their own data +CREATE POLICY "Users view own data" + ON users FOR SELECT + USING (auth.uid() = id); + +-- Users can only update their own data +CREATE POLICY "Users update own data" + ON users FOR UPDATE + USING (auth.uid() = id); +``` + +#### Verification Steps +- [ ] Tokens stored in httpOnly cookies (not localStorage) +- [ ] Authorization checks before sensitive operations +- [ ] Row Level Security enabled in Supabase +- [ ] Role-based access control implemented +- [ ] Session management secure + +### 5. XSS Prevention + +#### Sanitize HTML +```typescript +import DOMPurify from 'isomorphic-dompurify' + +// ALWAYS sanitize user-provided HTML +function renderUserContent(html: string) { + const clean = DOMPurify.sanitize(html, { + ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'p'], + ALLOWED_ATTR: [] + }) + return
+} +``` + +#### Content Security Policy +```typescript +// next.config.js +const securityHeaders = [ + { + key: 'Content-Security-Policy', + value: ` + default-src 'self'; + script-src 'self' 'unsafe-eval' 'unsafe-inline'; + style-src 'self' 'unsafe-inline'; + img-src 'self' data: https:; + font-src 'self'; + connect-src 'self' https://api.example.com; + `.replace(/\s{2,}/g, ' ').trim() + } +] +``` + +#### Verification Steps +- [ ] User-provided HTML sanitized +- [ ] CSP headers configured +- [ ] No unvalidated dynamic content rendering +- [ ] React's built-in XSS protection used + +### 6. CSRF Protection + +#### CSRF Tokens +```typescript +import { csrf } from '@/lib/csrf' + +export async function POST(request: Request) { + const token = request.headers.get('X-CSRF-Token') + + if (!csrf.verify(token)) { + return NextResponse.json( + { error: 'Invalid CSRF token' }, + { status: 403 } + ) + } + + // Process request +} +``` + +#### SameSite Cookies +```typescript +res.setHeader('Set-Cookie', + `session=${sessionId}; HttpOnly; Secure; SameSite=Strict`) +``` + +#### Verification Steps +- [ ] CSRF tokens on state-changing operations +- [ ] SameSite=Strict on all cookies +- [ ] Double-submit cookie pattern implemented + +### 7. Rate Limiting + +#### API Rate Limiting +```typescript +import rateLimit from 'express-rate-limit' + +const limiter = rateLimit({ + windowMs: 15 * 60 * 1000, // 15 minutes + max: 100, // 100 requests per window + message: 'Too many requests' +}) + +// Apply to routes +app.use('/api/', limiter) +``` + +#### Expensive Operations +```typescript +// Aggressive rate limiting for searches +const searchLimiter = rateLimit({ + windowMs: 60 * 1000, // 1 minute + max: 10, // 10 requests per minute + message: 'Too many search requests' +}) + +app.use('/api/search', searchLimiter) +``` + +#### Verification Steps +- [ ] Rate limiting on all API endpoints +- [ ] Stricter limits on expensive operations +- [ ] IP-based rate limiting +- [ ] User-based rate limiting (authenticated) + +### 8. Sensitive Data Exposure + +#### Logging +```typescript +// FAIL: WRONG: Logging sensitive data +console.log('User login:', { email, password }) +console.log('Payment:', { cardNumber, cvv }) + +// PASS: CORRECT: Redact sensitive data +console.log('User login:', { email, userId }) +console.log('Payment:', { last4: card.last4, userId }) +``` + +#### Error Messages +```typescript +// FAIL: WRONG: Exposing internal details +catch (error) { + return NextResponse.json( + { error: error.message, stack: error.stack }, + { status: 500 } + ) +} + +// PASS: CORRECT: Generic error messages +catch (error) { + console.error('Internal error:', error) + return NextResponse.json( + { error: 'An error occurred. Please try again.' }, + { status: 500 } + ) +} +``` + +#### Verification Steps +- [ ] No passwords, tokens, or secrets in logs +- [ ] Error messages generic for users +- [ ] Detailed errors only in server logs +- [ ] No stack traces exposed to users + +### 9. Blockchain Security (Solana) + +#### Wallet Verification +```typescript +import { verify } from '@solana/web3.js' + +async function verifyWalletOwnership( + publicKey: string, + signature: string, + message: string +) { + try { + const isValid = verify( + Buffer.from(message), + Buffer.from(signature, 'base64'), + Buffer.from(publicKey, 'base64') + ) + return isValid + } catch (error) { + return false + } +} +``` + +#### Transaction Verification +```typescript +async function verifyTransaction(transaction: Transaction) { + // Verify recipient + if (transaction.to !== expectedRecipient) { + throw new Error('Invalid recipient') + } + + // Verify amount + if (transaction.amount > maxAmount) { + throw new Error('Amount exceeds limit') + } + + // Verify user has sufficient balance + const balance = await getBalance(transaction.from) + if (balance < transaction.amount) { + throw new Error('Insufficient balance') + } + + return true +} +``` + +#### Verification Steps +- [ ] Wallet signatures verified +- [ ] Transaction details validated +- [ ] Balance checks before transactions +- [ ] No blind transaction signing + +### 10. Dependency Security + +#### Regular Updates +```bash +# Check for vulnerabilities +npm audit + +# Fix automatically fixable issues +npm audit fix + +# Update dependencies +npm update + +# Check for outdated packages +npm outdated +``` + +#### Lock Files +```bash +# ALWAYS commit lock files +git add package-lock.json + +# Use in CI/CD for reproducible builds +npm ci # Instead of npm install +``` + +#### Verification Steps +- [ ] Dependencies up to date +- [ ] No known vulnerabilities (npm audit clean) +- [ ] Lock files committed +- [ ] Dependabot enabled on GitHub +- [ ] Regular security updates + +## Security Testing + +### Automated Security Tests +```typescript +// Test authentication +test('requires authentication', async () => { + const response = await fetch('/api/protected') + expect(response.status).toBe(401) +}) + +// Test authorization +test('requires admin role', async () => { + const response = await fetch('/api/admin', { + headers: { Authorization: `Bearer ${userToken}` } + }) + expect(response.status).toBe(403) +}) + +// Test input validation +test('rejects invalid input', async () => { + const response = await fetch('/api/users', { + method: 'POST', + body: JSON.stringify({ email: 'not-an-email' }) + }) + expect(response.status).toBe(400) +}) + +// Test rate limiting +test('enforces rate limits', async () => { + const requests = Array(101).fill(null).map(() => + fetch('/api/endpoint') + ) + + const responses = await Promise.all(requests) + const tooManyRequests = responses.filter(r => r.status === 429) + + expect(tooManyRequests.length).toBeGreaterThan(0) +}) +``` + +## Pre-Deployment Security Checklist + +Before ANY production deployment: + +- [ ] **Secrets**: No hardcoded secrets, all in env vars +- [ ] **Input Validation**: All user inputs validated +- [ ] **SQL Injection**: All queries parameterized +- [ ] **XSS**: User content sanitized +- [ ] **CSRF**: Protection enabled +- [ ] **Authentication**: Proper token handling +- [ ] **Authorization**: Role checks in place +- [ ] **Rate Limiting**: Enabled on all endpoints +- [ ] **HTTPS**: Enforced in production +- [ ] **Security Headers**: CSP, X-Frame-Options configured +- [ ] **Error Handling**: No sensitive data in errors +- [ ] **Logging**: No sensitive data logged +- [ ] **Dependencies**: Up to date, no vulnerabilities +- [ ] **Row Level Security**: Enabled in Supabase +- [ ] **CORS**: Properly configured +- [ ] **File Uploads**: Validated (size, type) +- [ ] **Wallet Signatures**: Verified (if blockchain) + +## Resources + +- [OWASP Top 10](https://owasp.org/www-project-top-ten/) +- [Next.js Security](https://nextjs.org/docs/security) +- [Supabase Security](https://supabase.com/docs/guides/auth) +- [Web Security Academy](https://portswigger.net/web-security) + +--- + +**Remember**: Security is not optional. One vulnerability can compromise the entire platform. When in doubt, err on the side of caution. diff --git a/tests/integration/__snapshots__/snapshot.test.ts.snap b/tests/integration/__snapshots__/snapshot.test.ts.snap new file mode 100644 index 0000000..1dff37d --- /dev/null +++ b/tests/integration/__snapshots__/snapshot.test.ts.snap @@ -0,0 +1,36 @@ +// Vitest Snapshot v1, https://vitest.dev/guide/snapshot.html + +exports[`ArchGen snapshot — Node.js > base project calls processTemplate with expected paths 1`] = ` +[ + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\base", +] +`; + +exports[`ArchGen snapshot — Node.js > with --all applies docker, testing and ci addons 1`] = ` +[ + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\base", + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\addons\\docker", + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\addons\\testing", + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\addons\\ci", +] +`; + +exports[`ArchGen snapshot — Node.js > with --docker applies docker addon 1`] = ` +[ + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\base", + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\node\\template\\addons\\docker", +] +`; + +exports[`ArchGen snapshot — Python > base project calls processTemplate with expected paths 1`] = ` +[ + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\python\\template\\base", +] +`; + +exports[`ArchGen snapshot — Python > with --database sqlite applies sqlite addon 1`] = ` +[ + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\python\\template\\base", + "C:\\Users\\Admin\\Desktop\\DuckCode\\Node\\archgen\\core\\plugins\\python\\template\\addons\\database\\sqlite", +] +`; diff --git a/tests/integration/snapshot.test.ts b/tests/integration/snapshot.test.ts index d309652..17ac401 100644 --- a/tests/integration/snapshot.test.ts +++ b/tests/integration/snapshot.test.ts @@ -43,7 +43,11 @@ describe("ArchGen snapshot — Node.js", () => { beforeEach(() => { vi.clearAllMocks(); mockProcessTemplate.mockResolvedValue([]); - mockFs.exists.mockReturnValue(false); + // Return true for template/addon paths so addons are applied, + // false for project output paths so DIR_EXISTS is not triggered + mockFs.exists.mockImplementation((p: string) => + typeof p === "string" && (p.includes("template") || p.includes("plugins")), + ); archgen = new ArchGen(); }); @@ -99,7 +103,9 @@ describe("ArchGen snapshot — Python", () => { beforeEach(() => { vi.clearAllMocks(); mockProcessTemplate.mockResolvedValue([]); - mockFs.exists.mockReturnValue(false); + mockFs.exists.mockImplementation((p: string) => + typeof p === "string" && (p.includes("template") || p.includes("plugins")), + ); archgen = new ArchGen(); }); diff --git a/tests/unit/claude-code-addon.test.ts b/tests/unit/claude-code-addon.test.ts new file mode 100644 index 0000000..3d96ade --- /dev/null +++ b/tests/unit/claude-code-addon.test.ts @@ -0,0 +1,208 @@ +import { describe, it, expect, vi, beforeEach } from "vitest"; +import path from "path"; + +const { mockFs, mockProcessTemplate } = vi.hoisted(() => { + const mockProcessTemplate = vi.fn().mockResolvedValue([]); + const mockFs = { + exists: vi.fn().mockReturnValue(true), + removeDir: vi.fn().mockResolvedValue(undefined), + ensureDir: vi.fn().mockResolvedValue(undefined), + writeFile: vi.fn().mockResolvedValue(undefined), + readFile: vi.fn().mockResolvedValue(""), + copyFile: vi.fn().mockResolvedValue(undefined), + getAllFiles: vi.fn().mockResolvedValue([]), + }; + return { mockFs, mockProcessTemplate }; +}); + +vi.mock("../../core/file-system", () => ({ + // eslint-disable-next-line @typescript-eslint/no-explicit-any + FileSystem: vi.fn().mockImplementation(function (this: any) { return mockFs; }), +})); + +vi.mock("../../core/template-engine", () => ({ + // eslint-disable-next-line @typescript-eslint/no-explicit-any + TemplateEngine: vi.fn().mockImplementation(function (this: any) { + return { processTemplate: mockProcessTemplate }; + }), +})); + +import { NodePlugin } from "../../plugins/node"; +import { PythonPlugin } from "../../plugins/python"; + +describe("claude-code addon — NodePlugin", () => { + let plugin: NodePlugin; + + beforeEach(() => { + vi.clearAllMocks(); + mockProcessTemplate.mockResolvedValue([]); + mockFs.exists.mockReturnValue(true); + plugin = new NodePlugin(); + }); + + it("includes claude-code in addon list", () => { + expect(plugin.addons).toContain("claude-code"); + }); + + it("generate() applies claude-code addon when claudeCode=true", async () => { + await plugin.generate("my-app", { + language: "node", + claudeCode: true, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + const claudeCodeCall = calls.find((p) => p.includes("claude-code")); + expect(claudeCodeCall).toBeDefined(); + expect(claudeCodeCall).toContain(path.join("addons", "claude-code")); + }); + + it("generate() skips claude-code addon when claudeCode=false", async () => { + await plugin.generate("my-app", { + language: "node", + claudeCode: false, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + const claudeCodeCall = calls.find((p) => p.includes("claude-code")); + expect(claudeCodeCall).toBeUndefined(); + }); + + it("generate() skips claude-code addon when claudeCode is undefined", async () => { + await plugin.generate("my-app", { + language: "node", + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + expect(calls.find((p) => p.includes("claude-code"))).toBeUndefined(); + }); +}); + +describe("claude-code addon — PythonPlugin", () => { + let plugin: PythonPlugin; + + beforeEach(() => { + vi.clearAllMocks(); + mockProcessTemplate.mockResolvedValue([]); + mockFs.exists.mockReturnValue(true); + plugin = new PythonPlugin(); + }); + + it("includes claude-code in addon list", () => { + expect(plugin.addons).toContain("claude-code"); + }); + + it("generate() applies claude-code addon when claudeCode=true", async () => { + await plugin.generate("my-app", { + language: "python", + claudeCode: true, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + const claudeCodeCall = calls.find((p) => p.includes("claude-code")); + expect(claudeCodeCall).toBeDefined(); + expect(claudeCodeCall).toContain(path.join("addons", "claude-code")); + }); + + it("generate() skips claude-code addon when claudeCode=false", async () => { + await plugin.generate("my-app", { + language: "python", + claudeCode: false, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + expect(calls.find((p) => p.includes("claude-code"))).toBeUndefined(); + }); +}); + +describe("cursor addon — NodePlugin", () => { + let plugin: NodePlugin; + + beforeEach(() => { + vi.clearAllMocks(); + mockProcessTemplate.mockResolvedValue([]); + mockFs.exists.mockReturnValue(true); + plugin = new NodePlugin(); + }); + + it("includes cursor in addon list", () => { + expect(plugin.addons).toContain("cursor"); + }); + + it("generate() applies cursor addon when cursor=true", async () => { + await plugin.generate("my-app", { + language: "node", + cursor: true, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + const cursorCall = calls.find((p) => p.includes(path.join("addons", "cursor"))); + expect(cursorCall).toBeDefined(); + }); + + it("generate() skips cursor addon when cursor=false", async () => { + await plugin.generate("my-app", { + language: "node", + cursor: false, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + expect(calls.find((p) => p.includes(path.join("addons", "cursor")))).toBeUndefined(); + }); + + it("generate() applies both claude-code and cursor when both=true", async () => { + await plugin.generate("my-app", { + language: "node", + claudeCode: true, + cursor: true, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + expect(calls.find((p) => p.includes("claude-code"))).toBeDefined(); + expect(calls.find((p) => p.includes(path.join("addons", "cursor")))).toBeDefined(); + }); +}); + +describe("cursor addon — PythonPlugin", () => { + let plugin: PythonPlugin; + + beforeEach(() => { + vi.clearAllMocks(); + mockProcessTemplate.mockResolvedValue([]); + mockFs.exists.mockReturnValue(true); + plugin = new PythonPlugin(); + }); + + it("includes cursor in addon list", () => { + expect(plugin.addons).toContain("cursor"); + }); + + it("generate() applies cursor addon when cursor=true", async () => { + await plugin.generate("my-app", { + language: "python", + cursor: true, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + expect(calls.find((p) => p.includes(path.join("addons", "cursor")))).toBeDefined(); + }); + + it("generate() skips cursor addon when cursor=false", async () => { + await plugin.generate("my-app", { + language: "python", + cursor: false, + outputDir: "/tmp/my-app", + }); + + const calls = mockProcessTemplate.mock.calls.map((c) => c[0] as string); + expect(calls.find((p) => p.includes(path.join("addons", "cursor")))).toBeUndefined(); + }); +}); diff --git a/types/index.ts b/types/index.ts index e944a2e..93e202b 100644 --- a/types/index.ts +++ b/types/index.ts @@ -14,6 +14,8 @@ export interface GenerateOptions { database?: string; skipGit?: boolean; output?: string; + claudeCode?: boolean; + cursor?: boolean; /** Resolved absolute output path — set internally by ArchGen before calling plugin.generate() */ outputDir?: string; }