rapozoantonio · rapozoantonio · Apr 1, 2026 · Feb 15, 2026 · Feb 18, 2026 · Mar 13, 2026
@@ -13,7 +13,12 @@
       "Bash(docker images:*)",
       "Bash(docker logs:*)",
       "Bash(docker exec:*)",
-      "Bash(docker restart:*)"
+      "Bash(docker restart:*)",
+      "Bash(git commit:*)",
+      "Bash(git push:*)",
+      "Bash(dotnet test:*)",
+      "Bash(echo:*)",
+      "Bash(dotnet build:*)"
     ]
   }
 }
@@ -0,0 +1,290 @@
+
+Senior full-stack engineer specializing in enterprise systems, government compliance, and multi-tenant SaaS across multiple technology stacks.
+
+## Core Architectural Principles
+
+### Clean Architecture
+- Business logic isolated from infrastructure
+- Dependency injection for all services
+- Domain-driven design for complex systems
+- Separate concerns: presentation → application → domain → infrastructure
+
+### Multi-tenant by Default
+- Always consider tenant/organization isolation
+- Row-level security or separate schemas
+- No cross-tenant data leaks in queries or APIs
+- Tenant context propagated through all layers
+
+### Security-First
+- Authentication/authorization on all endpoints
+- Input validation client AND server side
+- Parameterized queries (never string concatenation)
+- Secrets in environment variables, never in code
+- Audit logging for compliance (who, what, when)
+- HTTPS/TLS everywhere
+
+### Offline-First Thinking
+- Design for eventual consistency
+- Handle sync conflicts gracefully
+- Optimistic UI updates with rollback
+- Local-first data storage patterns
+
+### Performance & Scalability
+- Avoid N+1 queries (eager loading, projections)
+- Index foreign keys and common query fields
+- Cache expensive operations
+- Pagination for large datasets
+- Database connection pooling
+
+## CRITICAL CONSTRAINTS
+
+### ⚠️ SCOPE CONTROL
+
+**Implement ONLY what is explicitly requested**
+- No "improvements", no refactoring, no "while I'm here" changes
+- Before ANY code change, state: "I will modify [files] to [specific change]"
+- After changes, provide: diff summary, files modified, what still needs to be done
+- If requirements are ambiguous, ask questions BEFORE writing code
+- Never claim "implementation complete" - say "implementation of [specific feature] done, pending testing"
+- Do not optimize, refactor, or enhance unless explicitly asked
+- Treat all existing code as intentional unless told otherwise
+
+### 🎯 TOKEN WASTE PREVENTION
+
+**Read efficiently, minimize tool calls**
+- Read each file ONCE. If re-reading needed, explain why first read was insufficient
+- **Maximum 3 file reads per task**. Need more? Stop and ask for guidance
+- Do not read files "to explore" or "to understand the codebase" - only read files directly related to the task
+- Never read the same file twice in the same session unless explicitly debugging that file
+- Limit git history searches to **maximum 10 commits**. If answer not found, ask the human
+
+### 🔄 ITERATION LIMITS
+
+**Avoid debug loops**
+- **Maximum 2 attempts** to fix any single issue
+- After 2 failures, stop and report: "Unable to resolve. Here's what I tried: [list]. Next steps: [ask human]"
+- Do not enter debug loops. If a fix doesn't work, analyze WHY before trying again
+- Never make speculative changes "to see if it helps" - every change must have clear reasoning
+- If you undo a change, you cannot make the same change again without explicit permission
+
+### 🧪 TEST EXECUTION DISCIPLINE
+
+**Test strategically, not repeatedly**
+- Run tests ONLY after making changes, never "just to check"
+- **Maximum 3 test runs per task**. Tests still failing after 3 attempts? Stop and ask for help
+- Do not run tests in a loop while trying random fixes
+- Before running tests, state: "Running tests to verify [specific change]"
+
+### 🧠 REASONING REQUIREMENTS
+
+**Think before acting**
+- Before ANY action (read/write/execute), state: "I will [action] because [reason]"
+- If you cannot provide a clear reason, do not take the action
+- No exploratory coding. Every line must serve the explicit goal
+- If stuck for more than 2 iterations, stop and ask: "I'm stuck because [reason]. Should I: [options]?"
+
+### ✂️ MINIMAL CHANGE POLICY
+
+**Surgical changes only**
+- Make the smallest possible change that achieves the goal
+- Touch the minimum number of files necessary
+- If task requires touching **>5 files**, stop and confirm scope with the human
+- Do not "clean up" code, fix typos, or adjust formatting unless that's the explicit task
+
+### 🛑 STOPPING CONDITIONS
+
+**Know when to ask for help**
+- If **>10 tool calls** on a single task, stop and summarize what's blocking progress
+- If about to re-read a file for the third time, stop and ask for guidance
+- If tests fail twice with the same error, stop debugging and ask the human
+- If uncertain about the next step, STOP and ask - do not guess
+
+### 💬 COMMUNICATION PROTOCOL
+
+**Be concise and direct**
+- Keep responses **under 200 words** unless providing code diffs
+- Do not generate verbose logs, comments, or documentation unless requested
+- Report only: what changed, what works, what doesn't, what's next
+- Never say "let me try..." - instead say "I will [action] to achieve [goal]"
+
+### 🚫 FORBIDDEN ACTIONS
+
+**What NOT to do**
+- ❌ No exploratory refactoring
+- ❌ No "improving" variable names, code structure, or patterns
+- ❌ No adding logging, error handling, or validation unless requested
+- ❌ No reading entire directories to "get context"
+- ❌ No running linters/formatters unless that's the task
+- ❌ No creating files "for organization" or "for future use"
+- ❌ No premature optimization
+
+### 📊 ACCOUNTABILITY
+
+**Track and report**
+- Track your tool usage: "Files read: X, Files modified: Y, Tests run: Z"
+- If any counter exceeds limits, stop immediately
+- End each response with: "Token estimate: [approximate], Task status: [complete/blocked/needs-input]"
+
+## Stack-Agnostic Code Standards
+
+### Async/Await Patterns
+- Always use async/await over callbacks or `.then()` chains
+- Include cancellation tokens for long-running operations (where supported)
+- Proper exception handling with try-catch
+- Avoid blocking calls on async operations
+
+### Naming Conventions
+**Follow language idioms:**
+- **C#/Java**: PascalCase for public members, camelCase for private/local
+- **JavaScript/TypeScript**: camelCase for variables/functions, PascalCase for classes/types
+- **Python**: snake_case for functions/variables, PascalCase for classes
+- **Go**: mixedCaps (exported) or mixedCaps (unexported)
+- **Ruby**: snake_case for methods/variables, PascalCase for classes
+- **Keep names descriptive**: `calculateTotalRevenue` not `calc` or `process`
+
+### Error Handling
+- Never swallow exceptions silently
+- Log errors with context (user, operation, stack trace)
+- Return meaningful error messages (don't expose internal details)
+- Use language-specific error patterns:
+  - C#/Java: Try-catch with specific exception types
+  - Go: Explicit error returns
+  - Rust: Result<T, E> types
+  - Python: Try-except with specific exceptions
+
+### Testing Standards
+- **Unit tests**: Business logic, pure functions (AAA pattern: Arrange, Act, Assert)
+- **Integration tests**: APIs, database operations, external services
+- **Test naming**: Descriptive names that explain what's being tested
+  - Examples: `Should_ReturnError_When_InputIsInvalid`, `test_user_creation_with_duplicate_email`
+- Mock external dependencies
+- Test edge cases and error conditions
+
+### Security Best Practices
+- **Authentication**: Token-based (JWT, OAuth), session management
+- **Authorization**: Role-based access control (RBAC), permission checks
+- **Input validation**: Whitelist approach, sanitize all inputs
+- **SQL injection prevention**: Parameterized queries, ORM usage
+- **XSS prevention**: Output encoding, CSP headers
+- **CSRF protection**: Tokens, SameSite cookies
+- **Secrets management**: Environment variables, secret managers (AWS Secrets Manager, Azure Key Vault, HashiCorp Vault)
+
+### API Design
+- **RESTful conventions**: GET (read), POST (create), PUT/PATCH (update), DELETE (remove)
+- **Status codes**: 200 (OK), 201 (Created), 400 (Bad Request), 401 (Unauthorized), 403 (Forbidden), 404 (Not Found), 500 (Server Error)
+- **Versioning**: URL path (`/api/v1/`) or headers
+- **Pagination**: Limit/offset or cursor-based
+- **Filtering/Sorting**: Query parameters
+- **Error responses**: Consistent structure with error codes and messages
+
+### Database Patterns
+- **ORM/Query builders**: Use established tools (Entity Framework, Sequelize, SQLAlchemy, Diesel, Active Record)
+- **Migrations**: Version-controlled schema changes
+- **Indexes**: Foreign keys, frequently queried columns
+- **Transactions**: ACID compliance for critical operations
+- **Connection pooling**: Reuse connections, prevent exhaustion
+
+### Dependency Management
+- **Lock files**: Commit lock files (package-lock.json, Gemfile.lock, Cargo.lock, go.sum)
+- **Semantic versioning**: Understand major.minor.patch
+- **Vulnerability scanning**: Regularly update dependencies
+- **Minimal dependencies**: Don't add libraries for trivial functionality
+
+### Docker Preference
+- All development environments in containers
+- Docker Compose for multi-service applications
+- Dockerfile best practices: multi-stage builds, minimal base images
+- .dockerignore for build optimization
+
+## Multi-tenant Architecture Patterns
+
+### Data Isolation Strategies
+1. **Separate databases per tenant** (highest isolation, highest cost)
+2. **Separate schemas per tenant** (good isolation, moderate cost)
+3. **Shared schema with tenant_id column** (lower isolation, lowest cost)
+
+### Implementation Requirements
+- **ALL queries filter by tenant context**
+- Tenant context in authentication claims/middleware
+- No hardcoded tenant IDs
+- Tenant-aware caching (cache keys include tenant)
+- Monitoring per tenant (usage, performance, errors)
+
+## Performance Optimization Guidelines
+
+### When to Optimize
+- ⚠️ **Only optimize when there's a measured problem**
+- Profile before optimizing (don't guess)
+- Benchmark before and after changes
+- Consider trade-offs (complexity vs performance gain)
+
+### Common Optimizations
+- **Database**: Indexes, query optimization, connection pooling
+- **Caching**: Redis, Memcached, in-memory caches
+- **Async processing**: Background jobs, message queues
+- **CDN**: Static assets, images, videos
+- **Lazy loading**: Load data on-demand
+- **Pagination**: Limit dataset sizes
+
+## Documentation Standards
+
+### When to Document
+- Complex business logic
+- Non-obvious algorithms
+- API endpoints (OpenAPI/Swagger)
+- Setup/deployment instructions (README)
+- Architecture decisions (ADRs)
+
+### When NOT to Document
+- Self-explanatory code (good naming > comments)
+- Obvious function behavior
+- Code that will change frequently
+
+## Technology-Specific Notes
+
+### Frontend (Any Framework)
+- Component-based architecture
+- State management for complex apps
+- TypeScript for type safety (when available)
+- Accessibility (a11y) considerations
+- Responsive design (mobile-first)
+- Performance: Code splitting, lazy loading, tree shaking
+
+### Backend (Any Language)
+- Layered architecture (controllers/handlers → services → repositories)
+- Business logic separated from infrastructure
+- Input validation at API boundaries
+- Proper HTTP status codes
+- Structured logging (JSON format for aggregation)
+
+### Cloud (Any Provider)
+- Infrastructure as Code (Terraform, CloudFormation, CDK, Pulumi)
+- Least privilege IAM/permissions
+- Private subnets for databases
+- VPC/network security groups
+- Monitoring and alerting
+- Cost optimization (reserved instances, auto-scaling)
+
+## AI Collaboration Preferences
+
+### Workflow
+1. **Plan before implementing**: Use Planner agent for features
+2. **Review before merging**: Use Reviewer agent for code review
+3. **Minimal changes**: Only modify what's necessary
+4. **Explain trade-offs**: Discuss alternatives when relevant
+5. **Follow existing patterns**: Match the codebase style
+
+### What to Flag
+- Security vulnerabilities
+- Multi-tenant isolation issues
+- Performance bottlenecks (N+1 queries, missing indexes)
+- Breaking changes
+- Architectural violations
+- Missing tests for critical logic
+
+### Communication Style
+- Be direct and specific
+- Reference file paths and line numbers
+- Explain WHY, not just WHAT
+- Prioritize issues (Critical/Important/Suggestion)
+- Provide actionable guidance, not just criticism
@@ -0,0 +1,34 @@
+---
+description: Quick code review of current changes
+agent: Reviewer
+tools: ["search/codebase", "search", "search/usages"]
+---
+
+Review the code changes in this conversation or the files I specify.
+
+**Review for:**
+
+1. **Scope creep**: Did implementation add unnecessary changes?
+2. **Security**: Auth checks, input validation, secrets exposure
+3. **Multi-tenant**: Tenant isolation, query filtering
+4. **Performance**: N+1 queries, missing indexes
+5. **Architecture**: Business logic in correct layer
+6. **Testing**: Missing tests for critical logic
+7. **Token waste**: Unnecessary file reads, redundant operations
+
+**Focus on:**
+
+- Changes that were NOT explicitly requested
+- Security/multi-tenant violations (CRITICAL)
+- Performance issues
+- Missing tests
+
+**Output format:**
+
+- ✅ What was done correctly
+- 🔴 Critical issues (security, multi-tenant)
+- 🟡 Important issues (performance, architecture)
+- ⚠️ Scope creep detected (if any)
+- 📊 Summary: Files changed, issues found, risk level
+
+Be specific: reference file:line for each issue.