curiositech/recovery-coach-patterns
skills/recovery-coach-patterns/SKILL.md
Follow Recovery Coach codebase patterns and conventions. Use when writing new code, components, API routes, or database queries. Activates for general development, code organization, styling, and architectural decisions in this project.
development
Updated Apr 4, 2026
$ install --global
skillsauthnpx skillsauth add curiositech/windags-skills recovery-coach-patternsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 4, 2026, 2:40 PM182.7s1 file scanned
SKILL.md
- license:
- Apache-2.0
- name:
- recovery-coach-patterns
- description:
- Follow Recovery Coach codebase patterns and conventions. Use when writing new code, components, API routes, or database queries. Activates for general development, code organization, styling, and architectural decisions in this project.
- allowed-tools:
- Read,Write,Edit,Bash(npm:*,npx:*)
- category:
- Recovery & Wellness
Recovery Coach Development Patterns
Decision Points
Component Architecture Selection
Is this component handling user data?
├─ YES: Does it need real-time updates?
│ ├─ YES: Use Client Component with useEffect + fetch
│ └─ NO: Use Server Component with direct DB query
└─ NO: Is it interactive (forms, buttons, state)?
├─ YES: Use Client Component
└─ NO: Use Server Component
API Route Security Level
What data does this route access?
├─ Public data only → Basic rate limiting (100/min)
├─ User's own data → Auth + RLS + moderate rate limiting (30/min)
├─ Cross-user data → Auth + explicit permission check + PHI audit
└─ Admin data → requireAdmin() + strict rate limiting (10/min) + security audit
Database Query Pattern
Who can access this data?
├─ User's own data only
│ └─ Use secure-db with RLS (filters automatically)
├─ Admin accessing any data
│ ├─ Call requireAdmin() first
│ └─ Log admin access with logSecurityEvent()
└─ System/background job
└─ Use regular db connection with explicit WHERE clauses
Failure Modes
Anti-Pattern: RLS Bypass Attempt
Symptoms: Using regular db instead of secure-db for user data queries
Detection: import { db } from '@/lib/db' in user-facing code
Fix:
- Change to
import { db } from '@/db/secure-db' - Ensure RLS policies exist for the table
- Test with different user sessions
Anti-Pattern: Missing Rate Limit
Symptoms: API route accepts unlimited requests, potential DoS
Detection: No createRateLimiter call in route handler
Fix:
- Add rate limiter with appropriate limits for endpoint type
- Apply
rateLimitResultcheck before processing - Return 429 status with retry headers
Anti-Pattern: PHI Logging Leak
Symptoms: User health data appears in console.log or error messages
Detection: console.log or throw new Error containing user data
Fix:
- Remove sensitive data from logs
- Use
logPHIAccess()for legitimate audit trails - Return generic error messages to client
Anti-Pattern: Schema Validation Skip
Symptoms: API accepts malformed data, causing runtime errors
Detection: Missing z.object() schema or .safeParse() call
Fix:
- Define Zod schema for all inputs
- Use
.safeParse()and checksuccessproperty - Return validation errors with 400 status
Anti-Pattern: Unhandled Auth State
Symptoms: Component crashes when user logs out mid-session Detection: Assuming session exists without null checks Fix:
- Check
if (!session)before using session data - Show login prompt or redirect to auth page
- Handle loading states during auth checks
Worked Examples
Creating a New Check-In API Route
Scenario: Add endpoint for users to submit daily wellness check-ins with mood and notes.
Expert Decision Process:
- Security Assessment: User's own health data → needs auth + RLS + PHI audit
- Rate Limiting: Personal health data → moderate limits (30/min)
- Validation: User input → strict Zod schema required
Implementation:
// src/app/api/check-in/route.ts
import { NextResponse } from 'next/server';
import { getSession } from '@/lib/auth';
import { createRateLimiter } from '@/lib/rate-limit';
import { logPHIAccess } from '@/lib/hipaa/audit';
import { db, checkIns } from '@/db/secure-db';
import { z } from 'zod';
const rateLimiter = createRateLimiter({
windowMs: 60000,
maxRequests: 30, // Health data = moderate limit
keyPrefix: 'api:check-in'
});
const CheckInSchema = z.object({
mood: z.number().min(1).max(10),
notes: z.string().max(1000).optional(),
symptoms: z.array(z.string()).max(10)
});
export async function POST(request: Request) {
// Auth check (required for user data)
const session = await getSession();
if (!session) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
}
// Rate limiting (prevent abuse)
const rateLimitResult = await rateLimiter.check(session.userId);
if (!rateLimitResult.allowed) {
return NextResponse.json({ error: 'Rate limit exceeded' }, { status: 429 });
}
// Input validation (prevent bad data)
const body = await request.json();
const parsed = CheckInSchema.safeParse(body);
if (!parsed.success) {
return NextResponse.json({
error: 'Invalid input',
details: parsed.error.issues
}, { status: 400 });
}
// Database operation (RLS auto-filters to user's data)
const checkIn = await db.insert(checkIns).values({
userId: session.userId,
mood: parsed.data.mood,
notes: parsed.data.notes,
symptoms: parsed.data.symptoms,
createdAt: new Date()
}).returning();
// PHI audit log (required for health data)
await logPHIAccess(session.userId, 'check-in', checkIn[0].id, 'CREATE');
return NextResponse.json(checkIn[0]);
}
What novices miss: Skip rate limiting, forget PHI audit logging, use console.log for debugging user data What experts catch: Health data needs all security layers, RLS handles user isolation automatically
Quality Gates
Pre-submit checklist for all code changes:
- [ ] Authentication verified:
getSession()called for protected routes - [ ] Rate limiting configured: Appropriate limits for endpoint type
- [ ] Input validation: Zod schemas defined and
.safeParse()used - [ ] RLS enabled: Using
secure-dbfor user data queries - [ ] PHI audit logging:
logPHIAccess()called for health data operations - [ ] Error handling: No user data in error messages or logs
- [ ] Type safety: TypeScript strict mode passes without
anytypes - [ ] Testing: Unit tests cover happy path and error conditions
- [ ] HIPAA compliance: No PHI in client-side storage or URLs
- [ ] Accessibility: Semantic HTML and ARIA labels for interactive elements
NOT-FOR Boundaries
DO NOT use this skill for:
- Crisis intervention features → Use
crisis-response-protocolinstead - Content moderation rules → Use
recovery-community-moderatorinstead - AI coaching logic → Use
modern-drug-rehab-computerinstead - General Next.js patterns → Use Next.js documentation instead
- Third-party integrations → Create specific integration skills instead
When to delegate:
- For mental health crisis detection:
crisis-response-protocol - For inappropriate content handling:
recovery-community-moderator - For AI conversation flows:
modern-drug-rehab-computer - For deployment and infrastructure: Create DevOps-specific skill
Related Skills
curiositech/circuit-breakers-and-retries
tools
VerifiedTrustedCommunity
Building resilient distributed systems with circuit breakers, retries with full-jitter exponential backoff, retry budgets (per-request 3-attempt + per-client 10% ratio per Google SRE), deadline propagation, and the cascading-failure math (4 layers × 3 retries = 64x amplification). Grounded in Resilience4j, Microsoft Cloud Patterns, AWS Architecture Blog (Marc Brooker), and Google SRE Book.
4SKILL.mdUpdated May 6, 2026
curiositech/cdn-cache-control-headers
testing
VerifiedTrustedCommunity
Designing HTTP cache headers that work correctly across browsers, CDNs, and shared proxies — `Cache-Control` directives per RFC 9111, `stale-while-revalidate` and `stale-if-error` per RFC 5861, the Vary header for varying responses, and surrogate keys for tag-based purging. Grounded in IETF RFCs and Cloudflare/Fastly docs.
4SKILL.mdUpdated May 5, 2026
curiositech/content-security-policy-headers
development
VerifiedTrustedCommunity
Use when designing or fixing a Content Security Policy on a real site, choosing between nonce-based and hash-based CSP, adding strict-dynamic, debugging "Refused to execute inline script" errors, deploying CSP in report-only mode first, configuring report-to / report-uri, or auditing an existing policy for unsafe-inline / unsafe-eval / wildcards. Triggers: "CSP blocks legitimate inline script", strict-dynamic, nonce-{RANDOM}, sha256-{HASH}, object-src none, base-uri none, frame-ancestors, Trusted Types, X-Content-Security-Policy obsolete, report-only vs enforced. NOT for general HTTP security headers (HSTS, COOP/COEP), Trusted Types deep dive, CORS configuration, or building a WAF.
3SKILL.mdUpdated May 4, 2026
curiositech/api-versioning-strategy
tools
VerifiedTrustedCommunity
Choosing and operating an HTTP API versioning strategy that doesn't break clients — Stripe's date-based pinned versions, the Deprecation/Sunset header pair (RFC 9745 + RFC 8594), URI vs header vs media-type approaches, and the version-transformer pattern. Grounded in Stripe's published architecture and IETF RFCs.
3SKILL.mdUpdated May 4, 2026