# Wave 0 Stabilization Prompts

Goal: make the repo clean, safe, observable, and ready for serious feature work.

Run these prompts in order.

## Prompt 0.0 Repo Audit Before Any Fixes

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Task:
Create a full repo audit before changing anything.

Do not edit files yet.

Check:
1. git status
2. branch name
3. package manager setup
4. apps/api status
5. apps/mobile status
6. apps/dashboard status
7. apps/website status
8. packages status
9. docs status
10. env files and secret risk
11. CI status if available
12. test scripts available
13. current untracked files
14. current modified files
15. architecture separation issues
16. obvious broken imports or missing packages
17. where demo data exists
18. where real integration interfaces already exist

Output:
1. Current repo health
2. Risks
3. Files that look unsafe
4. Files that should be moved
5. Files that should be committed
6. Files that should be ignored
7. Recommended order for Wave 0
8. Exact next prompt to run

Do not make code changes.
```

## Prompt 0.1 Working Tree Cleanup

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/repo-cleanup

Task:
Clean the working tree safely.

Scope:
1. Inspect all modified and untracked files.
2. Group them by feature or document purpose.
3. Do not bundle unrelated work.
4. Move large artifacts such as PDF, PPTX, and ZIP files into docs/_artifacts if appropriate.
5. Add docs/_artifacts/INDEX.md with filename, purpose, SHA/hash if possible, and date.
6. Remove only obvious temporary files after confirming they are not referenced.
7. Update docs/README.md with the document taxonomy.
8. Do not change application logic unless required to fix broken references caused by file moves.

Acceptance criteria:
1. Repo root is clean from random artifacts.
2. docs/README.md explains the docs structure.
3. Large files are not sitting randomly in repo root.
4. Temporary files are removed or documented.
5. git status shows only intentional changes.

Run:
pnpm lint if available.

Final report:
1. Files moved
2. Files removed
3. Files changed
4. Why each change was safe
5. Test/check results
6. Rollback plan
```

## Prompt 0.2 Secrets And Env Safety

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/secrets-env-safety

Task:
Set up safe secrets handling documentation and secret scanning.

Scope:
1. Inspect all .env, .env.example, env template, config files.
2. Do not print secret values in the output.
3. Ensure .env.example files contain placeholder names only, never real values.
4. Add docs/operations/secrets-matrix.md.
5. Add docs/operations/runbook-secret-rotation.md.
6. Add gitleaks config if missing.
7. Add gitleaks pre-commit hook using existing Husky setup if present. If Husky is missing, document the safe installation plan before changing.
8. Add CI secret scan step only if CI already exists; otherwise create docs/operations/ci-secret-scan-plan.md.

Secrets to document:
DATABASE_URL
REDIS_URL
JWT_ACCESS_SECRET
JWT_REFRESH_SECRET
WEBHOOK_SECRET
STRIPE keys
TELR keys
SENTRY DSNs
ANTHROPIC key
SMS provider keys
Email provider keys
Storage keys
Maps keys
OCR provider keys
Translation provider keys

Acceptance criteria:
1. No value-bearing env examples.
2. Secret rotation runbook exists.
3. Secret matrix exists.
4. Gitleaks is configured or a clear implementation plan exists.
5. No secrets are exposed in logs or report.

Run:
pnpm lint if available.
gitleaks detect --redact if installed.

Final report:
1. Files changed
2. Secrets risk found
3. What was fixed
4. What still needs manual setup in Doppler or 1Password
5. Commands run
6. Rollback plan
```
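Scope items 2 and 3 of Prompt 0.2 (placeholder names only in `.env.example`, and no secret values in the report) are easy to state and easy to get wrong by hand. The block below is an added example, not code from the Navi repo: a small TypeScript checker that parses `.env.example`-style content, decides per line whether the value is a placeholder or looks real, and reports only the key name plus a two-character hint. The placeholder patterns, the provider prefix list and the entropy threshold are assumptions for the example; the sample content is constructed and is not a real Navi file.

```typescript
// Added example (not Navi's code): flag value-bearing entries in .env.example
// content. Findings carry the key name and a redacted hint only, so the
// report itself never leaks a value.

export type EnvFinding = {
  line: number;
  key: string;
  reason: string;
  hint: string; // first two characters + "…", never the whole value
};

// Values accepted as placeholders in an example file (assumed conventions).
const PLACEHOLDER_PATTERNS: RegExp[] = [
  /^$/,                                            // empty, to be filled locally
  /^<[^>]+>$/,                                     // <your-value>
  /^\$\{[A-Z0-9_]+\}$/,                            // ${REF} indirection
  /^(your|my|example|sample|dummy)[-_a-z0-9]*$/i,
  /^(xxx+|todo|placeholder)$/i,
  /change[-_]?me|replace[-_]?me/i,                 // e.g. "dev-secret-change-me"
];

// Prefixes some providers use for issued credentials (illustrative list, an assumption).
const KNOWN_SECRET_PREFIXES = ["sk_live_", "sk_test_", "rk_live_", "AKIA", "ghp_", "xoxb-"];

// Only token-shaped values are judged by entropy; URLs and sentences are not.
const TOKEN_SHAPE = /^[A-Za-z0-9+/_=.-]{20,}$/;
const ENTROPY_THRESHOLD_BITS = 3.5;

export function shannonEntropy(s: string): number {
  const counts = new Map<string, number>();
  for (let i = 0; i < s.length; i++) counts.set(s[i], (counts.get(s[i]) ?? 0) + 1);
  let bits = 0;
  counts.forEach((c) => {
    const p = c / s.length;
    bits -= p * Math.log2(p);
  });
  return bits;
}

export function isPlaceholder(value: string): boolean {
  return PLACEHOLDER_PATTERNS.some((re) => re.test(value));
}

export function redact(value: string): string {
  return value.length <= 2 ? "…" : value.slice(0, 2) + "…";
}

// Returns a reason when the value looks real, or null when it is acceptable.
export function classifyValue(key: string, rawValue: string): string | null {
  const value = rawValue.trim().replace(/^["']|["']$/g, "");
  if (isPlaceholder(value)) return null;
  if (KNOWN_SECRET_PREFIXES.some((p) => value.startsWith(p))) return "known secret prefix";
  // scheme://user:password@host with a non-placeholder password
  const url = /^[a-z][a-z0-9+.-]*:\/\/[^:/@]+:([^@]+)@/i.exec(value);
  if (url && !isPlaceholder(url[1])) return "credential embedded in URL";
  if (TOKEN_SHAPE.test(value) && shannonEntropy(value) >= ENTROPY_THRESHOLD_BITS) {
    return "high-entropy value";
  }
  if (/(SECRET|TOKEN|PASSWORD|KEY|DSN)$/i.test(key)) return "literal value under a secret-like key";
  return null;
}

export function scanEnvExample(content: string): EnvFinding[] {
  const findings: EnvFinding[] = [];
  content.split(/\r?\n/).forEach((raw, idx) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$/.exec(line);
    if (!m) return; // not KEY=VALUE; leave it for a human to look at
    const key = m[1];
    const value = m[2];
    const reason = classifyValue(key, value);
    if (reason) findings.push({ line: idx + 1, key, reason, hint: redact(value.trim()) });
  });
  return findings;
}

// Constructed sample content, not a real Navi file.
export const SAMPLE_ENV_EXAMPLE = [
  "# constructed sample",
  "DATABASE_URL=postgres://navi:<password>@localhost:5432/navi",
  "REDIS_URL=redis://localhost:6379",
  "JWT_ACCESS_SECRET=",
  "JWT_REFRESH_SECRET=dev-secret-change-me",
  "WEBHOOK_SECRET=9f8e7d6c5b4a39281706f5e4d3c2b1a0",
  "STRIPE_SECRET_KEY=sk_test_0000000000000000",
  "PORT=3000",
].join("\n");

// Report lines are safe to paste into the task's final report.
export function reportLines(findings: EnvFinding[]): string[] {
  return findings.map((f) => `line ${f.line}: ${f.key} (${f.reason}) value=${f.hint}`);
}
```

On the sample above the checker flags `WEBHOOK_SECRET` (32 hex characters, 4 bits of entropy per character) and `STRIPE_SECRET_KEY` (provider prefix), and accepts the empty, `<password>` and `change-me` placeholders. It is a pre-commit sanity check for example files, not a replacement for gitleaks, which also scans history.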

## Prompt 0.3 GitHub PR Rails

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/pr-rails

Task:
Add GitHub collaboration rails.

Scope:
1. Add .github/PULL_REQUEST_TEMPLATE.md.
2. Add .github/CODEOWNERS.
3. Add .github/ISSUE_TEMPLATE/bug.md.
4. Add .github/ISSUE_TEMPLATE/feature.md.
5. Add .github/ISSUE_TEMPLATE/incident.md.
6. Add .github/dependabot.yml if missing.
7. Update CHANGELOG.md with Wave 0 stabilization section.

CODEOWNERS mapping:
apps/api -> backend owner placeholder
apps/mobile -> mobile owner placeholder
apps/dashboard and apps/website -> web owner placeholder
packages -> platform owner placeholder
docs -> leadership owner placeholder

Use placeholders if GitHub teams do not exist yet, and document that they must be replaced.

Acceptance criteria:
1. PR template forces summary, files changed, schema changes, env changes, test plan, rollback plan, screenshots if UI, security note, risk note.
2. Issue templates exist.
3. Dependabot runs weekly for npm and GitHub Actions.
4. CHANGELOG updated.

Run:
No app build required unless package files changed.

Final report:
1. Files changed
2. GitHub team placeholders used
3. Manual follow-up needed
4. Rollback plan
```

## Prompt 0.4 API Observability Foundation

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/api-observability

Task:
Add minimum API observability only.

Scope:
1. Inspect current API bootstrap, logger, request context, health routes, and middleware.
2. Add or confirm request ID handling.
3. Ensure requestId or traceId is returned as x-request-id.
4. Store requestId/traceId in RequestContextStore if existing.
5. Add or improve /healthz for process health.
6. Add or improve /readyz for Postgres and Redis readiness with timeout.
7. Add pino or nestjs-pino only if it matches the current API setup.
8. Redact authorization, cookie, password, card, cvv from logs.
9. Do not add Sentry to all apps in this prompt. API only if safe and already partially configured.

Acceptance criteria:
1. /healthz returns 200 when API is running.
2. /readyz returns 200 when DB and Redis are reachable.
3. /readyz returns 503 when DB or Redis is down.
4. Logs include requestId or traceId.
5. Sensitive fields are redacted.

Tests:
Add unit or e2e tests for health/readiness where practical.

Run:
pnpm typecheck
pnpm lint
pnpm test for api if available

Final report:
1. Files changed
2. Endpoints added or confirmed
3. Test results
4. Manual verification commands
5. Risks
6. Rollback plan
```
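Prompt 0.4 asks for three things that are worth having as plain, testable functions before they are wired into NestJS or Fastify: request ID handling behind `x-request-id`, redaction of sensitive fields before anything reaches the logger, and a `/readyz` that cannot hang when Postgres or Redis hangs. The block below is an added example and not the Navi API's code; `RequestContextStore`, the route names and the dependency probes are left to the real app. The accepted request-ID shape, the redaction key list and the timeout default are assumptions for the example.

```typescript
// Added example (not Navi's code): request ids, log redaction and a bounded
// readiness probe as framework-free functions.

export const REQUEST_ID_HEADER = "x-request-id";
// Only reuse client-supplied ids that are short and printable (assumed shape);
// anything else is replaced so a crafted header cannot pollute log lines.
const SAFE_REQUEST_ID = /^[A-Za-z0-9._-]{8,128}$/;

export function newRequestId(): string {
  const g = globalThis as { crypto?: { randomUUID?: () => string } };
  if (g.crypto?.randomUUID) return g.crypto.randomUUID();
  // Fallback for runtimes without Web Crypto; the API itself should use crypto.randomUUID.
  let id = "";
  for (let i = 0; i < 32; i++) id += Math.floor(Math.random() * 16).toString(16);
  return id;
}

// Reuse a trustworthy incoming id (keeps traces continuous across hops), else mint one.
export function resolveRequestId(headers: Record<string, string | undefined>): string {
  const incoming = headers[REQUEST_ID_HEADER];
  return incoming && SAFE_REQUEST_ID.test(incoming) ? incoming : newRequestId();
}

// Fields from the prompt that must never reach the logs, matched at any depth.
const REDACT_KEYS = ["authorization", "cookie", "set-cookie", "password"];
export const REDACTED = "[REDACTED]";

function shouldRedact(key: string): boolean {
  const k = key.toLowerCase();
  // "card" and "cvv" are matched as prefixes so cardNumber / cvvCode are covered too.
  return REDACT_KEYS.includes(k) || /^(card|cvv)/.test(k);
}

export function redactForLog(value: unknown, depth = 0): unknown {
  if (depth > 8) return "[TRUNCATED]"; // bound against huge or cyclic structures
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, depth + 1));
  if (value === null || typeof value !== "object") return value;
  const out: Record<string, unknown> = {};
  Object.entries(value as Record<string, unknown>).forEach(([k, v]) => {
    out[k] = shouldRedact(k) ? REDACTED : redactForLog(v, depth + 1);
  });
  return out;
}

export type CheckResult = "ok" | "fail" | "timeout";

// Race a dependency probe against a timer so a hung Postgres or Redis
// connection turns into a 503 instead of a hung /readyz.
export async function probe(check: () => Promise<void>, timeoutMs: number): Promise<CheckResult> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<CheckResult>((resolve) => {
    timer = setTimeout(() => resolve("timeout"), timeoutMs);
  });
  const outcome = Promise.resolve()
    .then(check)
    .then((): CheckResult => "ok", (): CheckResult => "fail");
  try {
    return await Promise.race([outcome, timeout]);
  } finally {
    if (timer) clearTimeout(timer);
  }
}

// 200 only when every dependency answered ok. The body names the failing
// dependency but carries no connection details.
export function readinessResponse(
  results: Record<string, CheckResult>,
): { status: number; body: Record<string, CheckResult> } {
  const allOk = Object.values(results).every((r) => r === "ok");
  return { status: allOk ? 200 : 503, body: results };
}

// checks example: { postgres: () => prisma.$queryRaw`SELECT 1`, redis: () => redis.ping() }
export async function readyz(
  checks: Record<string, () => Promise<void>>,
  timeoutMs = 1500, // assumed default; tune below the load balancer's probe timeout
) {
  const results: Record<string, CheckResult> = {};
  await Promise.all(
    Object.entries(checks).map(async ([name, check]) => {
      results[name] = await probe(check, timeoutMs);
    }),
  );
  return readinessResponse(results);
}
```

Wiring notes: call `resolveRequestId` in the earliest hook, store the result in the request context, and echo it back on the response as `x-request-id`; pass every object through `redactForLog` (or configure the logger's own redaction to the same key list) before it is serialized. `/healthz` should stay a cheap process-liveness check and not call `readyz`, otherwise an outage of a dependency gets the process restarted instead of taken out of rotation.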

## Prompt 0.5 Security Headers And Rate Limits

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/security-headers-rate-limits

Task:
Add basic API security hardening.

Scope:
1. Inspect current Fastify/NestJS security setup.
2. Add helmet or Fastify-compatible security headers if missing.
3. Configure CSP carefully without breaking app calls.
4. Add HSTS, frameguard, nosniff where appropriate.
5. Confirm or add rate limit tiers:
   auth: 5 per minute
   payment: 20 per minute
   search: 120 per minute
   default: 60 per minute
6. Document the policy in docs/architecture/security-headers.md and docs/api/rate-limits.md.
7. Do not weaken existing throttling or auth.

Acceptance criteria:
1. API responses include security headers.
2. Rate limit decorators or configuration exist.
3. Documentation exists.
4. Existing routes still work.

Run:
pnpm typecheck
pnpm lint
pnpm test for api if available

Final report:
1. Files changed
2. Headers added
3. Rate limits added
4. Tests run
5. Risks
6. Rollback plan
```
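The tier table in Prompt 0.5 is the policy; whether the API's throttler actually enforces it per route is what the acceptance criteria check. The block below is an added example, not the Navi API's code: the four tiers as data, a route-to-tier resolver, a fixed-window limiter that can be unit-tested with a fake clock, and the header set named in scope item 4. The route prefixes and the in-memory store are assumptions for the example; in the real API the counters belong in Redis so the limits hold across instances.

```typescript
// Added example (not Navi's code): rate-limit tiers and security headers as
// framework-free, testable pieces.

export type Tier = "auth" | "payment" | "search" | "default";

// Requests allowed per caller per one-minute window, as stated in the prompt.
export const TIER_LIMITS: Record<Tier, number> = { auth: 5, payment: 20, search: 120, default: 60 };
const WINDOW_MS = 60000;

// Route prefixes are an assumption; map them to the real controller paths.
const TIER_ROUTES: Array<[RegExp, Tier]> = [
  [/^\/auth(\/|$)/, "auth"],
  [/^\/payments?(\/|$)/, "payment"],
  [/^\/search(\/|$)/, "search"],
];

export function tierForPath(path: string): Tier {
  const clean = path.split("?")[0];
  for (const [re, tier] of TIER_ROUTES) if (re.test(clean)) return tier;
  return "default";
}

export type Decision = { allowed: boolean; remaining: number; retryAfterSec: number };

// Fixed window keyed by tier + caller. The store is in-memory only for the
// example; back it with Redis in the API so every instance shares the count.
export class FixedWindowLimiter {
  private counters = new Map<string, { windowStart: number; count: number }>();

  // key must be stable per caller: user id when authenticated, client ip otherwise.
  check(key: string, tier: Tier, nowMs: number): Decision {
    const limit = TIER_LIMITS[tier];
    const bucket = `${tier}:${key}`;
    const windowStart = Math.floor(nowMs / WINDOW_MS) * WINDOW_MS;
    const entry = this.counters.get(bucket);
    const count = entry && entry.windowStart === windowStart ? entry.count : 0;
    if (count >= limit) {
      const retryAfterSec = Math.ceil((windowStart + WINDOW_MS - nowMs) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    this.counters.set(bucket, { windowStart, count: count + 1 });
    return { allowed: true, remaining: limit - count - 1, retryAfterSec: 0 };
  }
}

// Response headers for a JSON API that serves no HTML. A browser applies a
// CSP to the document it rendered, not to fetch/XHR responses, so a strict
// policy here does not break the mobile app or the Next.js clients; the
// dashboard and website still need their own CSPs.
export function securityHeaders(): Record<string, string> {
  return {
    // includeSubDomains is safe only if every subdomain is served over HTTPS.
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'none'; frame-ancestors 'none'",
    "referrer-policy": "no-referrer",
  };
}

// Headers to attach to a rejected request so clients can back off correctly.
export function rateLimitHeaders(d: Decision, limit: number): Record<string, string> {
  const headers: Record<string, string> = {
    "x-ratelimit-limit": String(limit),
    "x-ratelimit-remaining": String(d.remaining),
  };
  if (!d.allowed) headers["retry-after"] = String(d.retryAfterSec);
  return headers;
}
```

A guard built on this would resolve the tier from the route, call `check` with the caller key and the current time, and answer 429 with `rateLimitHeaders` when `allowed` is false. Keep the auth tier keyed by client address rather than by the submitted username, so a burst against one account does not also lock the rest out.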

## Prompt 0.6 CI Gates

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/ci-quality-gates

Task:
Add or improve CI quality gates.

Scope:
1. Inspect existing GitHub Actions or CI config.
2. Add or improve PR workflow for:
   pnpm install
   pnpm typecheck
   pnpm lint
   pnpm test
   gitleaks secret scan if configured
3. Add concurrency cancellation for same branch.
4. Do not add deployment in this task.
5. Document CI in docs/operations/ci-quality-gates.md.

Acceptance criteria:
1. PR CI checks exist.
2. Old runs cancel on same branch.
3. CI includes typecheck, lint, test, and secret scan where available.
4. Documentation exists.

Final report:
1. Files changed
2. CI checks added
3. Any checks that are missing because scripts do not exist
4. Risks
5. Rollback plan
```

## Prompt 0.7 Wave 0 Close Report

```text
You are operating on the Navi monorepo at:

/Users/start-tech/Documents/Claude/Projects/Navi

Navi is a UAE travel companion platform with a standalone iOS and Android mobile app, standalone public website, standalone admin and partner dashboard, and central API backend.

Repo structure:
apps/api
apps/mobile
apps/dashboard
apps/website
packages/ui
packages/types
packages/validators
packages/config
packages/api-client
docs

Tech direction:
API: NestJS, Fastify, Prisma, Postgres, Redis
Mobile: Expo Router, React Native, TypeScript
Dashboard: Next.js, TypeScript
Website: Next.js, TypeScript
Package manager: pnpm
Monorepo: turbo
Languages: English and Arabic
UI must support RTL.

Operating rules:
1. One focused task only.
2. Branch name must match the task.
3. Use conventional commits.
4. Do not delete code unless replacing it with a safer working version.
5. Never weaken auth, RBAC, validation, audit logs, rate limits, payment safety, or security.
6. Never commit secrets.
7. Do not touch unrelated files.
8. If you find conflicts or uncertainty, stop and report before making risky changes.
9. Follow existing repo patterns.
10. Keep mobile, dashboard, website, and API separated.
11. Business logic belongs in the API, not frontend screens.
12. Shared packages may contain only types, validators, config, API client, telemetry, money utilities, or design tokens.
13. All third party integrations must use provider interfaces and adapter classes.
14. Do not create fake production logic. Local demo mode is allowed only when isolated, clearly named, and impossible to enable in production by accident.
15. Every finished task must include summary, files changed, tests run, risks, rollback plan, and next recommended step.

Before editing files:
1. Run git status.
2. Inspect relevant folders.
3. Explain what you found.
4. Then implement only the requested task.

Finish format:
1. Summary
2. Files changed
3. Commands run
4. What works now
5. What is mocked or local only
6. What still needs real credentials or provider approval
7. Risks
8. Rollback plan
9. Next recommended prompt


Branch:
wave0/wave0-close-report

Task:
Create the Wave 0 stabilization report.

Do not change application code.

Create:
docs/release/wave0-stabilization.md

Include:
1. What Wave 0 changed
2. Branches or PRs completed
3. Current repo status
4. Security improvements
5. CI improvements
6. Observability improvements
7. Documentation improvements
8. Remaining risks
9. What Wave 1 inherits
10. Go or no-go recommendation for starting Wave 1

Run:
git status
List relevant commands available for future checks.

Final report:
1. File created
2. Key recommendation
3. Next prompt to run
```
