penguintechinc · PenguinzTech · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025 · Dec 16, 2025
diff --git a/.claude/.claude/README.md b/.claude/.claude/README.md
@@ -0,0 +1,60 @@
+# Claude Context Files
+
+This directory contains focused standards files for Claude Code to reference when working on specific parts of the codebase.
+
+## 🚫 DO NOT MODIFY EXISTING FILES
+
+**These are centralized template standards that will be overwritten when updated.**
+
+Files you must **NEVER modify**:
+- `go.md`, `python.md`, `react.md` (language standards)
+- `flask-backend.md`, `go-backend.md`, `webui.md` (service standards)
+- `database.md`, `security.md`, `testing.md`, `containers.md`, `kubernetes.md` (domain standards)
+- `README.md` (this file)
+
+**Instead, CREATE NEW FILES for app-specific context:**
+- `.claude/app.md` - App-specific rules and context
+- `.claude/[feature].md` - Feature-specific context (e.g., `billing.md`, `notifications.md`)
+- `docs/APP_STANDARDS.md` - Human-readable app-specific documentation
+
+---
+
+## ⚠️ CRITICAL RULES
+
+Every file in this directory starts with a "CRITICAL RULES" section. Claude should read and follow these rules strictly.
+
+## File Index
+
+### Language Standards
+| File | When to Read |
+|------|--------------|
+| `go.md` | Working on Go code (*.go files) |
+| `python.md` | Working on Python code (*.py files) |
+| `react.md` | Working on React/frontend code (*.jsx, *.tsx files) |
+
+### Service Standards
+| File | When to Read |
+|------|--------------|
+| `flask-backend.md` | Working on Flask backend service |
+| `go-backend.md` | Working on Go backend service |
+| `webui.md` | Working on WebUI/React service |
+
+### Domain Standards
+| File | When to Read |
+|------|--------------|
+| `database.md` | Any database operations (PyDAL, SQLAlchemy, GORM) |
+| `security.md` | Authentication, authorization, security scanning |
+| `testing.md` | Running tests, beta infrastructure, smoke tests |
+| `containers.md` | Docker images, Dockerfiles, container configuration |
+| `kubernetes.md` | K8s deployments, Helm v3 charts, Kustomize overlays |
+
+## Usage
+
+Claude should:
+1. Read the main `CLAUDE.md` for project overview and critical rules
+2. Read relevant `.claude/*.md` files based on the task at hand
+3. Follow the CRITICAL RULES sections strictly - these are non-negotiable
+
+## File Size Limit
+
+All files in this directory should be under 5000 characters to ensure Claude can process them effectively.
diff --git a/.claude/app.md → .claude/.claude/app.md b/.claude/app.md → .claude/.claude/app.md
diff --git a/.claude/.claude/containers.md b/.claude/.claude/containers.md
@@ -0,0 +1,114 @@
+# Container Image Standards
+
+## ⚠️ CRITICAL RULES
+
+1. **Debian 12 (bookworm) ONLY** - all container images must use Debian-based images
+2. **NEVER use Alpine** - causes glibc/musl compatibility issues, missing packages, debugging difficulties
+3. **Use `-slim` variants** when available for smaller image sizes
+4. **PostgreSQL 16.x** standard for all database containers
+5. **Multi-arch builds required** - support both amd64 and arm64
+
+---
+
+## Base Image Selection
+
+### Priority Order (MUST follow)
+
+1. **Debian 12 (bookworm)** - PRIMARY, always use if available
+2. **Debian 11 (bullseye)** - fallback if bookworm unavailable
+3. **Debian 13 (trixie)** - fallback for newer packages
+4. **Ubuntu LTS** - ONLY if no Debian option exists
+5. ❌ **NEVER Alpine** - forbidden, causes too many issues
+
+---
+
+## Standard Images
+
+| Service | Image | Notes |
+|---------|-------|-------|
+| PostgreSQL | `postgres:16-bookworm` | Primary database |
+| MySQL | `mysql:8.0-debian` | Alternative database |
+| Redis | `redis:7-bookworm` | Cache/session store |
+| Python | `python:3.13-slim-bookworm` | Flask backend |
+| Node.js | `node:18-bookworm-slim` | WebUI build |
+| Nginx | `nginx:stable-bookworm-slim` | Reverse proxy |
+| Go | `golang:1.24-bookworm` | Build stage only |
+| Runtime | `debian:bookworm-slim` | Go runtime stage |
+
+---
+
+## Dockerfile Patterns
+
+### Python Service
+```dockerfile
+FROM python:3.13-slim-bookworm AS builder
+WORKDIR /app
+COPY requirements.txt .
+RUN pip install --no-cache-dir -r requirements.txt
+COPY . .
+
+FROM python:3.13-slim-bookworm
+WORKDIR /app
+COPY --from=builder /app /app
+CMD ["gunicorn", "-b", "0.0.0.0:8080", "app:app"]
+```
+
+### Go Service
+```dockerfile
+FROM golang:1.24-bookworm AS builder
+WORKDIR /app
+COPY go.mod go.sum ./
+RUN go mod download
+COPY . .
+RUN CGO_ENABLED=0 go build -o /app/server
+
+FROM debian:bookworm-slim
+COPY --from=builder /app/server /server
+CMD ["/server"]
+```
+
+### Node.js/React Service
+```dockerfile
+FROM node:18-bookworm-slim AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+FROM nginx:stable-bookworm-slim
+COPY --from=builder /app/dist /usr/share/nginx/html
+```
+
+---
+
+## Why Not Alpine?
+
+❌ **glibc vs musl** - Many Python packages require glibc, Alpine uses musl
+❌ **Missing packages** - Common tools often unavailable or different versions
+❌ **Debugging harder** - No bash by default, limited tooling
+❌ **DNS issues** - Known DNS resolution problems in some scenarios
+❌ **Build failures** - C extensions often fail to compile
+
+✅ **Debian-slim** - Only ~30MB larger than Alpine but zero compatibility issues
+
+---
+
+## Docker Compose Example
+
+```yaml
+services:
+  postgres:
+    image: postgres:16-bookworm
+
+  redis:
+    image: redis:7-bookworm
+
+  api:
+    build:
+      context: ./services/flask-backend
+    # Uses python:3.13-slim-bookworm internally
+
+  web:
+    image: nginx:stable-bookworm-slim
+```
diff --git a/.claude/.claude/database.md b/.claude/.claude/database.md
@@ -0,0 +1,206 @@
+# Database Standards Quick Reference
+
+## ⚠️ CRITICAL RULES
+
+1. **PyDAL MANDATORY for ALL runtime operations** - no exceptions
+2. **SQLAlchemy + Alembic for schema/migrations only** - never for runtime queries
+3. **Support ALL databases by default**: PostgreSQL, MySQL, MariaDB Galera, SQLite
+4. **DB_TYPE environment variable required** - maps to connection string prefix
+5. **Connection pooling REQUIRED** - use PyDAL built-in pool_size configuration
+6. **Thread-safe connections MANDATORY** - thread-local storage for multi-threaded apps
+7. **Retry logic with exponential backoff** - handle database initialization delays
+8. **MariaDB Galera special handling** - WSREP checks, short transactions, charset utf8mb4
+
+---
+
+## Database Support Matrix
+
+| Database | DB_TYPE | Version | Default Port | Use Case |
+|----------|---------|---------|--------------|----------|
+| PostgreSQL | `postgresql` | **16.x** | 5432 | Production (primary) |
+| MySQL | `mysql` | 8.0+ | 3306 | Production alternative |
+| MariaDB Galera | `mysql` | 10.11+ | 3306 | HA clusters (special config) |
+| SQLite | `sqlite` | 3.x | N/A | Development/lightweight |
+
+---
+
+## Dual-Library Architecture (Python)
+
+### SQLAlchemy + Alembic
+- **Purpose**: Schema definition and version-controlled migrations ONLY
+- **When**: Application first-time setup
+- **What**: Define tables, columns, relationships
+- **Not for**: Runtime queries, data operations
+
+### PyDAL
+- **Purpose**: ALL runtime database operations
+- **When**: Every request, transaction, query
+- **What**: Queries, inserts, updates, deletes, transactions
+- **Built-in**: Connection pooling, thread safety, retry logic
+
+---
+
+## Environment Variables
+
+```bash
+DB_TYPE=postgresql        # Database type
+DB_HOST=localhost         # Database host
+DB_PORT=5432             # Database port
+DB_NAME=app_db           # Database name
+DB_USER=app_user         # Database username
+DB_PASS=app_pass         # Database password
+DB_POOL_SIZE=10          # Connection pool size (default: 10)
+DB_MAX_RETRIES=5         # Maximum connection retries (default: 5)
+DB_RETRY_DELAY=5         # Retry delay in seconds (default: 5)
+```
+
+---
+
+## PyDAL Connection Pattern
+
+```python
+from pydal import DAL
+
+def get_db():
+    db_type = os.getenv('DB_TYPE', 'postgresql')
+    db_uri = f"{db_type}://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}"
+
+    db = DAL(
+        db_uri,
+        pool_size=int(os.getenv('DB_POOL_SIZE', '10')),
+        migrate=True,
+        check_reserved=['all'],
+        lazy_tables=True
+    )
+    return db
+```
+
+---
+
+## Thread-Safe Usage Pattern
+
+**NEVER share DAL instance across threads. Use thread-local storage:**
+
+```python
+import threading
+
+thread_local = threading.local()
+
+def get_thread_db():
+    if not hasattr(thread_local, 'db'):
+        thread_local.db = DAL(db_uri, pool_size=10, migrate=False)
+    return thread_local.db
+```
+
+**Flask pattern (automatic via g context):**
+
+```python
+from flask import g
+
+def get_db():
+    if 'db' not in g:
+        g.db = DAL(db_uri, pool_size=10)
+    return g.db
+
+@app.teardown_appcontext
+def close_db(error):
+    db = g.pop('db', None)
+    if db: db.close()
+```
+
+---
+
+## MariaDB Galera Special Requirements
+
+1. **Connection String**: Use `mysql://` (same as MySQL)
+2. **Driver Args**: Set charset to utf8mb4
+3. **WSREP Checks**: Verify `wsrep_ready` before critical writes
+4. **Auto-Increment**: Configure `innodb_autoinc_lock_mode=2` for interleaved mode
+5. **Transactions**: Keep short to avoid certification conflicts
+6. **DDL Operations**: Plan during low-traffic periods (uses Total Order Isolation)
+
+```python
+# Galera-specific configuration
+db = DAL(
+    f"mysql://{DB_USER}:{DB_PASS}@{DB_HOST}:{DB_PORT}/{DB_NAME}",
+    pool_size=10,
+    driver_args={'charset': 'utf8mb4'}
+)
+```
+
+---
+
+## Connection Pooling & Retry Logic
+
+```python
+import time
+
+def wait_for_database(max_retries=5, retry_delay=5):
+    """Wait for DB with retry logic"""
+    for attempt in range(max_retries):
+        try:
+            db = get_db()
+            db.close()
+            return True
+        except Exception as e:
+            print(f"Attempt {attempt+1}/{max_retries} failed: {e}")
+            if attempt < max_retries - 1:
+                time.sleep(retry_delay)
+    return False
+
+# Application startup
+if not wait_for_database():
+    sys.exit(1)
+db = get_db()
+```
+
+---
+
+## Concurrency Selection
+
+| Workload | Approach | Libraries | Pool Size Formula |
+|----------|----------|-----------|-------------------|
+| I/O-bound (>100 concurrent) | Async | `asyncio`, `databases` | pool = concurrent / 2 |
+| CPU-bound | Multi-processing | `multiprocessing` | pool = CPU cores |
+| Mixed/Blocking I/O | Multi-threading | `threading`, `ThreadPoolExecutor` | pool = (2 × cores) + spindles |
+
+---
+
+## Go Database Requirements
+
+When using Go for high-performance apps:
+- **GORM** (preferred): Full ORM with PostgreSQL/MySQL support
+- **sqlx** (alternative): Lightweight, more control
+- Must support PostgreSQL, MySQL, SQLite
+- Active maintenance required
+
+```go
+import (
+    "gorm.io/driver/postgres"
+    "gorm.io/driver/mysql"
+    "gorm.io/gorm"
+)
+
+func initDB() (*gorm.DB, error) {
+    dbType := os.Getenv("DB_TYPE")
+    dsn := os.Getenv("DATABASE_URL")
+
+    var dialector gorm.Dialector
+    switch dbType {
+    case "mysql":
+        dialector = mysql.Open(dsn)
+    default:
+        dialector = postgres.Open(dsn)
+    }
+
+    return gorm.Open(dialector, &gorm.Config{})
+}
+```
+
+---
+
+## See Also
+
+- `/home/penguin/code/project-template/docs/standards/DATABASE.md` - Full documentation
+- Alembic migrations: https://alembic.sqlalchemy.org/
+- PyDAL docs: https://py4web.io/en_US/chapter-12.html