pingdotgg · MohAnghabo · May 6, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.agents/skills/source-command-ifrs-audit/SKILL.md b/.agents/skills/source-command-ifrs-audit/SKILL.md
@@ -0,0 +1,73 @@
+---
+name: "source-command-ifrs-audit"
+description: "Scan the current codebase for IFRS Accounting Standards compliance gaps."
+---
+
+# source-command-ifrs-audit
+
+Use this skill when the user asks to run the migrated source command `ifrs-audit`.
+
+## Command Template
+
+Perform an IFRS Accounting Standards compliance audit of the current codebase.
+
+Reference: `.ai/rules/19-ifrs-compliance.md`
+
+Scan for:
+
+### 1. Scope and applicability
+
+- Check `docs/project.md` reporting standards selection
+- Flag financial-reporting features when IFRS scope is unset
+- Confirm IFRS is not mixed into PDPL-only privacy checks
+
+### 2. Monetary precision
+
+- Search for `number`, `float`, `double`, or JavaScript arithmetic used for money
+- Confirm decimal-safe handling for monetary calculations
+- Confirm currency codes are stored explicitly
+
+### 3. Accounting records
+
+- Confirm transaction date, posting date, reporting period, status, source
+  reference, and created/approved metadata where relevant
+- Confirm posted records are not overwritten silently
+- Confirm draft, posted, voided, and reversed states are distinct where relevant
+
+### 4. Audit trail
+
+- Confirm accounting mutations are traceable by actor, timestamp, source, and reason
+- Confirm corrections use adjustments, reversals, or versioned history
+
+### 5. Period close and reversals
+
+- Confirm closed periods cannot be mutated without controlled adjustments
+- Confirm void/reversal behavior exists for posted records
+
+### 6. Reports and exports
+
+- Confirm financial statements include reporting period and basis of preparation
+- Confirm exports are reproducible from persisted source records
+- Confirm comparative-period behavior exists or is explicitly out of scope
+
+### 7. Disclosure and notes
+
+- Flag missing accounting-policy note support where the app generates formal
+  financial statements
+- Flag missing materiality/disclosure inputs where formal IFRS reports are claimed
+
+### 8. Tests
+
+- Confirm tests cover rounding, currency conversion, period boundaries, reversals,
+  report reproducibility, and audit logging
+
+### Output format
+
+Return findings grouped by severity:
+
+- **Critical** — immediate financial-reporting integrity risk
+- **High** — must fix before audited or investor-facing reporting
+- **Medium** — fix before expanding finance/reporting scope
+- **Low** — documentation, process, or explicit-scope gap
+
+End with a summary checklist of compliant items.
diff --git a/.agents/skills/source-command-pdpl-audit/SKILL.md b/.agents/skills/source-command-pdpl-audit/SKILL.md
@@ -0,0 +1,64 @@
+---
+name: "source-command-pdpl-audit"
+description: "Scan the current codebase for PDPL (Oman Royal Decree 6/2022) compliance gaps."
+---
+
+# source-command-pdpl-audit
+
+Use this skill when the user asks to run the migrated source command `pdpl-audit`.
+
+## Command Template
+
+Perform a PDPL compliance audit of the current codebase.
+
+Reference: `.ai/rules/15-pdpl-compliance.md`
+
+Scan for:
+
+### 1. PII in non-production contexts
+
+- Search tests, seeds, fixtures for real email patterns, phone numbers, national IDs
+- Search git history for any PII accidentally committed
+- Flag: `test@gmail.com`, Omani phone patterns (`+968 9...`), names in test data
+
+### 2. Logging
+
+- Search pino/console.log calls that include `email`, `phone`, `nationalId`, `ip`
+- Confirm Sentry `beforeSend` strips user PII fields
+
+### 3. Data schema
+
+- Check DB schema for PII columns — confirm they have `-- pdpl:personal` comments
+- Verify soft-delete pattern exists for user tables
+- Confirm erasure path exists
+
+### 4. Privacy notice
+
+- Confirm Arabic-language privacy notice exists in `messages/ar.json`
+- Confirm it covers: data types, purpose, legal basis, retention, rights, DPO contact
+
+### 5. Consent
+
+- Confirm consent flows are explicit and separate per purpose
+- Confirm withdrawal mechanism exists
+
+### 6. Data residency
+
+- Note which cloud providers store data and in which regions
+- Flag any Level 3/4 data stored outside Oman without documented TRA approval
+
+### 7. Breach response
+
+- Confirm production environment variables are set correctly (no localhost or development-only values where production URLs are required)
+- Check if a breach notification runbook exists (`.local/incidents/` or similar)
+
+### Output format
+
+Return findings grouped by severity:
+
+- **Critical** — immediate compliance risk (e.g. real PII in tests)
+- **High** — must fix before next release
+- **Medium** — fix within 30 days
+- **Low** — documentation or process gap
+
+End with a summary checklist of compliant items.
diff --git a/.ai/README.md b/.ai/README.md
@@ -0,0 +1,52 @@
+# .ai/rules — Rule Map
+
+Tool-agnostic guidance files. Readable by Claude Code, Cursor, Codex, OpenCode, Gemini, and others.
+
+## Always active
+
+| File                         | When to load                                                           |
+| ---------------------------- | ---------------------------------------------------------------------- |
+| `00-constitution.md`         | Every task — non-negotiables                                           |
+| `17-aws-well-architected.md` | Every non-trivial task — architecture, implementation, and review lens |
+| `18-pr-readiness.md`         | Every PR, review, ship, and merge task — docs, tests, and CI gates     |
+
+## Stack-specific (load one)
+
+| File                   | When to load                           |
+| ---------------------- | -------------------------------------- |
+| `01-stack-a-nestjs.md` | NestJS + Drizzle + PostgreSQL → Render |
+| `01-stack-b-convex.md` | Convex → Vercel                        |
+
+## By task area
+
+| File                        | When to load                                                                                                                        |
+| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `02-openapi-contracts.md`   | Any API change (Stack A)                                                                                                            |
+| `03-better-auth.md`         | Auth flows, session management, user management                                                                                     |
+| `04-drizzle-orm.md`         | Database schema, migrations, queries (Stack A)                                                                                      |
+| `05-nestjs-patterns.md`     | NestJS modules, guards, pipes, interceptors (Stack A)                                                                               |
+| `06-convex-patterns.md`     | Convex schema, functions, real-time (Stack B)                                                                                       |
+| `07-vite-react-spa.md`      | apps/web (React SPA, logged-in app)                                                                                                 |
+| `08-nextjs-www.md`          | apps/www (Next.js marketing site)                                                                                                   |
+| `09-next-intl-i18n.md`      | Any user-facing text (AR/EN, RTL)                                                                                                   |
+| `10-error-handling.md`      | Error boundaries, Problem+JSON, retry logic                                                                                         |
+| `11-testing.md`             | Unit, integration, E2E, accessibility tests                                                                                         |
+| `12-telemetry.md`           | Sentry, pino, OTEL, SLOs                                                                                                            |
+| `13-security.md`            | OWASP, ZAP, headers, input validation                                                                                               |
+| `14-secret-management.md`   | Doppler, secret rotation, per-app config                                                                                            |
+| `15-pdpl-compliance.md`     | Oman PDPL (always) + opt-in TRA/CDC/CBO/FSA/MOH privacy/regulatory overlays                                                         |
+| `16-deployment.md`          | Render vs Vercel, Docker, CI/CD                                                                                                     |
+| `19-ifrs-compliance.md`     | Financial statements, accounting records, ledgers, revenue recognition, leases, impairments, audit exports, or IFRS-scoped projects |
+| `20-environments.md`        | Environment topology, Doppler/provider tiers, preview envs, and env drift enforcement                                               |
+| `21-agent-orchestration.md` | Task lifecycle, GitHub Issues/Projects workflow, slash-command sequencing, and Claude/Codex handoff                                 |
+| `22-kanban-console.md`      | Every product change in this T3 Code fork - architecture, GitHub Projects SSOT, GitOps, UI/i18n, and validation                     |
+
+## Product Note
+
+This repo intentionally uses the minimal governance profile plus `22-kanban-console.md`. Stack A/B rules are not active unless a future phase explicitly adopts that architecture.
+
+## Philosophy
+
+- "Earn your rules" — load only what the task needs
+- Concise by default (~60–100 lines); deeper specs linked, not embedded
+- Single source of truth: AGENTS.md → .ai/rules/ → task-specific context
diff --git a/.ai/i18n/agent-banners.json b/.ai/i18n/agent-banners.json
@@ -0,0 +1,14 @@
+{
+  "preflight.passed": {
+    "en": "Preflight passed",
+    "ar": "اكتمل الفحص المسبق"
+  },
+  "envAudit.passed": {
+    "en": "Env audit passed",
+    "ar": "اكتمل تدقيق البيئات"
+  },
+  "initProject.environmentTiers.prompt": {
+    "en": "How many environment tiers should this project use: 2 or 3?",
+    "ar": "كم عدد طبقات البيئة التي يجب أن يستخدمها هذا المشروع: 2 أم 3؟"
+  }
+}
diff --git a/.ai/rules/00-constitution.md b/.ai/rules/00-constitution.md
@@ -0,0 +1,46 @@
+# 00 — Constitution
+
+Non-negotiable rules. Apply to every task, every stack.
+
+## Code quality
+
+- `any` is banned — use `unknown` with type guards
+- `class-validator` is banned — Zod only
+- TypeScript strict mode always on (`noUncheckedIndexedAccess`, `exactOptionalPropertyTypes`)
+- No hardcoded secrets — Doppler only; see `14-secret-management.md`
+- Conventional Commits: `feat|fix|chore|docs|refactor|test|perf|ops`
+- No `--no-verify` or `--no-gpg-sign` unless user explicitly requests
+
+## Data & privacy
+
+- **PDPL (Royal Decree 6/2022)** applies to every project — see `15-pdpl-compliance.md`
+- No real PII in tests, logs, commits, PR text, or screenshots — use synthetic/anonymized data only
+- Arabic-language privacy notices are mandatory (PDPL Art. 4)
+
+## i18n
+
+- AR (Arabic) and EN (English) strings required for every user-facing change
+- RTL layout required wherever Arabic strings render
+- Reference: `09-next-intl-i18n.md`
+
+## Auth
+
+- Better Auth **v1.4** is pinned — do not upgrade to 1.5 without reading migration notes
+  - 1.5 breaking: drizzle-adapter extracted to `@better-auth/drizzle-adapter`, InferUser/InferSession removed, API Key plugin moved to `@better-auth/api-key`, `$ERROR_CODES` type changed to `RawError`
+- `BETTER_AUTH_URL` must match the exact request origin and be in `trustedOrigins`
+
+## Output rules
+
+- Non-code files (reports, docs, analysis, temp outputs) → `.local/`, never project root
+- PRs ≤ 400 LOC excluding generated files — split scope and open follow-up issue if larger
+- Generated files (Zod schemas, HTTP clients) must never be edited by hand
+
+## Validation
+
+Run before every commit:
+
+```bash
+bun check   # types + lint + tests — fix failures, do not skip
+```
+
+If CI fails on a clean check, investigate before bypassing.
diff --git a/.ai/rules/13-security.md b/.ai/rules/13-security.md
@@ -0,0 +1,113 @@
+# 13 — Security
+
+OWASP Top 10 controls, CI security scanning, and security headers.
+
+## OWASP Top 10 controls
+
+| Risk                          | Control                                                              |
+| ----------------------------- | -------------------------------------------------------------------- |
+| A01 Broken Access Control     | AuthGuard on all protected routes; no client-side-only auth          |
+| A02 Cryptographic Failures    | Secrets via Doppler; HTTPS everywhere; never log tokens              |
+| A03 Injection                 | Zod validation at all boundaries; Drizzle parameterized queries only |
+| A04 Insecure Design           | Problem+JSON error format; PDPL privacy by design                    |
+| A05 Security Misconfiguration | Security headers (see below); no debug mode in prod                  |
+| A06 Vulnerable Components     | Dependabot + bun audit in CI; Trivy remains future scope             |
+| A07 Auth Failures             | Better Auth v1.4; CSRF on by default; rate limiting                  |
+| A08 Software Integrity        | TruffleHog in CI; gitleaks pre-commit; SBOM remains future scope     |
+| A09 Logging Failures          | pino structured logs; Sentry error tracking; no PII in logs          |
+| A10 SSRF                      | Validate and allowlist all outbound URLs in server-side fetch        |
+
+## Security headers
+
+Set these on every response (NestJS `helmet`, Next.js `headers()` config):
+
+```
+# Customize per app (nonces/hashes for inline scripts, real API origins for connect-src).
+Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'; upgrade-insecure-requests
+X-Frame-Options: DENY
+X-Content-Type-Options: nosniff
+Referrer-Policy: strict-origin-when-cross-origin
+Permissions-Policy: camera=(), microphone=(), geolocation=()
+Strict-Transport-Security: max-age=31536000; includeSubDomains
+```
+
+## CI security scan pipeline
+
+| Tool                | What it scans                                                     |
+| ------------------- | ----------------------------------------------------------------- |
+| TruffleHog          | Verified secrets in git history                                   |
+| Semgrep             | SAST — OWASP rules, secret patterns, custom rules in `.semgrep/`  |
+| bun audit           | Dependency CVEs                                                   |
+| Dependabot          | npm/Bun-compatible dependency and GitHub Actions updates          |
+| Claude Code Action  | Optional PR security review when Anthropic secrets are configured |
+| Trivy (filesystem)  | Future scope — dependencies + config files                        |
+| Trivy (Docker)      | Future scope — container image vulnerabilities                    |
+| OWASP ZAP           | Future scope — running app HTTP attacks                           |
+| gitleaks            | Local/pre-commit secret scanning                                  |
+| Anchore (CycloneDX) | Future scope — SBOM generation                                    |
+
+Baseline CI lives in `.github/workflows/security.yml` and runs on PRs, pushes
+to `main`, and `workflow_call` from derived repos. Semgrep Cloud upload is
+enabled when `SEMGREP_APP_TOKEN` is configured; otherwise CI still runs in OSS
+mode.
+
+## On-demand deep audit
+
+Use `/security-audit [target]` when a PR touches auth, secrets, CI workflow
+execution, multitenancy, payment/accounting boundaries, or another high-risk
+surface. The command runs `scripts/security-audit.sh`, writes reports under
+`.local/security-audit/<timestamp>/`, and must stay local-only through Claude
+Code CLI. Do not route the Carlini-style probe through a raw API runner.
+
+## Semgrep custom rules
+
+Add project-specific rules in `.semgrep/`:
+
+```yaml
+# .semgrep/no-console-log.yaml
+rules:
+  - id: no-console-log-in-prod
+    pattern: console.log(...)
+    message: Use pino logger instead of console.log
+    severity: WARNING
+    languages: [typescript]
+```
+
+## Secret scanning (gitleaks)
+
+Configure `.gitleaks.toml`:
+
+```toml
+# Prefer narrow paths — a broad *.test.ts allowlist can hide real secrets in tests.
+[allowlist]
+  paths = [".local/"]
+```
+
+Run pre-commit: `gitleaks detect --source . --verbose`
+
+## Consuming repo workflow snippet
+
+```yaml
+jobs:
+  security:
+    uses: <owner>/<repo>/.github/workflows/security.yml@main
+```
+
+## OWASP ZAP (DAST)
+
+Run ZAP against the dev/staging environment in CI:
+
+```bash
+docker run -t owasp/zap2docker-stable zap-baseline.py \
+  -t https://staging.example.com \
+  -r .local/zap-report.html
+```
+
+Results in `.local/zap-report.html` (gitignored).
+
+## Input validation checklist
+
+- [ ] All user input validated with Zod before use
+- [ ] File uploads: type check, size limit, no executable extensions
+- [ ] URL parameters: validate and sanitize before use in queries or redirects
+- [ ] SQL: never interpolate user input — always use Drizzle ORM or parameterized queries