AI Prompts plugin
Vibe code with guardrails. A plugin of agent-readable docs that teaches Claude (and any other AI assistant that reads files) the right way to write code on UserSpice.
Vibe code, but with guardrails.
Whether you're pair-programming with Claude on a careful refactor, or vibe-coding an entire
app from a one-paragraph idea, the same problem shows up: the model writes code that
looks fine and ships an SQL injection. Direct $_POST access. Missing
CSRF tokens. header('Location: ' . $_GET['next']). md5(uniqid())
for password reset codes. Every one of them is clean on a diff. Every one of them is the
wrong way to do it on this framework.
The AI Prompts plugin fixes that at the source. It drops a folder of agent-readable docs
into your project that tells your AI assistant the framework's actual conventions — which
helper escapes HTML, where AJAX endpoints have to live, how to wire CSRF, what
Input::exists() really takes as an argument. Your assistant reads them first;
the code it writes follows the framework instead of generic PHP defaults.
And because UserSpice is a security-first framework with an active maintenance lifecycle — patches when CVEs land, helpers updated as new attack patterns appear — your project keeps getting safer over time. A vibe-coded site that started as a weekend experiment doesn't have to stay a one-shot wonder. It sits on top of code that gets maintained.
What's in the plugin
A folder at usersc/plugins/ai_prompts/ with seven markdown prompts that an AI
assistant reads to learn how to work on UserSpice:
- 00_start_here.md.php — the index. Lists the five non-negotiables (don't touch users/, use the framework helpers, every mutating endpoint checks CSRF, etc.) and routes the assistant to the right deeper prompt for the task at hand. Also enumerates the common gotchas (Input::exists() takes a type not a field, tokenHere() emits name="csrf", $db->insert() returns bool, the literal ?>-in-a-comment trap, and others).
- secure_page_pattern.md.php — the canonical page recipe. Shows the three-line bootstrap (init.php, prep.php, securePage), the form-with-handler dance (CSRF → validate → write → redirect), the AJAX parser pattern (parsers/ folder with re-checked auth), and a do/don't table mapping raw-PHP anti-patterns to the right helper.
- customizing_core.md.php — which override points belong in usersc/ versus regular page work at the project root.
- permissions.md.php — the access-control model: groups, page permissions, hasPerm() versus $user->hasPermission().
- debugging.md.php — what to check when something doesn't work the way the docs say it should.
- where_to_look.md.php — the file map. Where do helpers live? Where does the template system load from? Where does an AJAX URL actually resolve to on disk?
- new_project.md.php — the bootstrap-a-feature-from-zero walkthrough.
Every prompt is a .md.php file with a one-line __halt_compiler()
wrapper that blocks direct HTTP access. Skip the first line and the rest is plain markdown.
Read or copy the prompts directly
Want to skim what's in them before installing — or feed the raw markdown to a non-Claude assistant — they're all viewable on GitHub:
github.com/mudmin/usplugins/tree/master/src/ai_prompts
Same content, no install required. Use the GitHub view to copy individual prompts into your
own CLAUDE.md, paste them into a chat, or just read what the plugin will be
telling your assistant before you give it permission.
How to install
The plugin installs through UserSpice's built-in plugin manager (Spice Shaker). On any UserSpice install at 6.0.9 or newer:
- Log into the admin dashboard.
- Open Plugins → Spice Shaker.
- Find AI Prompts in the catalog, click Install, then Activate.
- Prompt files now live at usersc/plugins/ai_prompts/prompts/. Your AI assistant can read them directly; the __halt_compiler() wrapper protects them from direct HTTP access.
Point your assistant at the plugin with a one-liner in your project's CLAUDE.md (or equivalent):
Plays well with the rest of the toolkit
The plugin works on its own — any AI assistant that can read project files benefits. It also pairs with our other two tools, and they're more useful together:
- Claude Code skills — /userspice-audit, /userspice-helper-lookup, and /userspice-page-scaffold all detect the plugin on the install they're working with. When it's there, they read its prompts as the most current canonical reference for framework patterns; when it isn't, they fall back to the public best-practices guide. The plugin is the brain; the skills are the hands.
- Security Scanner — runs the same rules at a tool level (Semgrep, Psalm, ZAP, and friends) with UserSpice-aware rule packs. The prompts teach your assistant how to write code the scanner won't flag; the scanner verifies nothing slipped through. Belt and suspenders.
Customizing for your project
Files in custom_prompts/ with the same filename as a shipped prompt override the
shipped version. That folder is yours — it survives plugin updates, gets version-controlled
with the rest of your site, and is the right place for project-specific conventions
(database naming, permission IDs, custom templates, internal APIs). Drop a
conventions.md.php in there and your assistant reads it alongside the shipped
prompts.
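An added example, not part of the plugin or the original page: a Python check that works out which prompt file wins when custom_prompts/ holds a same-named override, confirms each chosen file still starts with a __halt_compiler() line, and returns the markdown with that first line skipped. Both folder paths are passed in as parameters, and the wrapper text in the demo is a constructed stand-in because the page does not show the real one.

```python
import tempfile
from pathlib import Path


def has_guard(path: Path) -> bool:
    """Line 1 must open a PHP tag and call __halt_compiler().

    Assumption: the page does not show the wrapper's exact text, so only
    these two properties are checked.
    """
    with path.open(encoding="utf-8") as fh:
        first = fh.readline()
    return first.lstrip().startswith("<?php") and "__halt_compiler()" in first


def effective_prompts(shipped: Path, custom: Path) -> dict:
    """Map filename -> file to read; a same-named custom file wins."""
    chosen = {p.name: p for p in sorted(shipped.glob("*.md.php"))}
    if custom.is_dir():
        chosen.update({p.name: p for p in sorted(custom.glob("*.md.php"))})
    return chosen


def load_markdown(path: Path) -> str:
    """Return the markdown body, i.e. everything after the wrapper line."""
    if not has_guard(path):
        raise ValueError(f"{path.name}: line 1 is not a __halt_compiler() guard")
    return path.read_text(encoding="utf-8").partition("\n")[2]


def demo():
    """Constructed tree: a shipped prompt, its override, an unguarded file."""
    wrapper = "<?php __halt_compiler(); ?>\n"  # constructed stand-in wrapper
    with tempfile.TemporaryDirectory() as tmp:
        shipped, custom = Path(tmp, "prompts"), Path(tmp, "custom_prompts")
        shipped.mkdir()
        custom.mkdir()
        (shipped / "permissions.md.php").write_text(wrapper + "# Shipped\n")
        (custom / "permissions.md.php").write_text(wrapper + "# Override\n")
        (custom / "conventions.md.php").write_text("# Wrapper forgotten\n")
        files = effective_prompts(shipped, custom)
        unguarded = sorted(n for n, p in files.items() if not has_guard(p))
        bodies = {n: load_markdown(p) for n, p in files.items()
                  if n not in unguarded}
        return unguarded, bodies


if __name__ == "__main__":
    print(demo())
```

A custom file that fails has_guard() is worth fixing before deploy: text outside PHP tags in a .php file is sent to the client as-is when the file is requested.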
Requirements
- UserSpice 6.0.9 or newer. Earlier versions may have different helper signatures than the prompts describe.
- An AI assistant (or human) that reads from usersc/plugins/ai_prompts/prompts/. The three companion Claude Code skills do this automatically.
- No PHP extensions, no Composer packages — it's markdown behind a PHP wrapper.
Where the source lives
Source: github.com/mudmin/usplugins/tree/master/src/ai_prompts.
The canonical install copy ships inside any UserSpice site at
usersc/plugins/ai_prompts/; the GitHub view is the same content, browsable
without installing anything.