@agentlee5/agent-skills 1.0.0

package/LeeWay-Standards/src/agents/security/policy-agent.js

@@ -0,0 +1,100 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: SECURITY.AGENT.POLICY
+TAG: SECURITY.POLICY.AGENT.MAIN
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=scroll
+
+5WH:
+WHAT = Policy agent — enforces LEEWAY policy bundles across the codebase
+WHY = Governance requires consistent enforcement of named policy sets
+WHO = Rapid Web Development
+WHERE = src/agents/security/policy-agent.js
+WHEN = 2026
+HOW = Loads policy bundles from .leeway/policies.json, evaluates against file metadata
+
+AGENTS:
+POLICY
+AUDIT
+PERMISSION
+
+LICENSE:
+MIT
+*/
+
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+
+const DEFAULT_POLICIES = {
+  NO_SECRETS_IN_CODE: { description: 'No hardcoded secrets or credentials', enforced: true },
+  HEADERS_REQUIRED: { description: 'All code files must have LEEWAY headers', enforced: true },
+  TAGS_REQUIRED: { description: 'All code files must have valid TAGs', enforced: true },
+  NO_CIRCULAR_DEPS: { description: 'No circular module dependencies', enforced: true },
+  NAMING_CONVENTIONS: { description: 'Files must follow naming conventions', enforced: false },
+  PLACEMENT_RULES: { description: 'Files must be in correct directories', enforced: false },
+};
+
+/**
+ * PolicyAgent enforces named LEEWAY policy bundles.
+ */
+export class PolicyAgent {
+  constructor(options = {}) {
+    this.rootDir = options.rootDir || process.cwd();
+    this.policies = { ...DEFAULT_POLICIES };
+  }
+
+  /**
+   * Load policies from .leeway/policies.json (merges with defaults).
+   */
+  async loadPolicies() {
+    const policyPath = join(this.rootDir, '.leeway', 'policies.json');
+    try {
+      const raw = await readFile(policyPath, 'utf8');
+      const loaded = JSON.parse(raw);
+      this.policies = { ...DEFAULT_POLICIES, ...loaded };
+    } catch {
+      // Use defaults
+    }
+    return this.policies;
+  }
+
+  /**
+   * Get all currently active (enforced) policies.
+   * @returns {string[]}
+   */
+  getActivePolicies() {
+    return Object.entries(this.policies)
+      .filter(([, p]) => p.enforced)
+      .map(([name]) => name);
+  }
+
+  /**
+   * Check if a specific policy is active.
+   *
+   * @param {string} policyName
+   * @returns {boolean}
+   */
+  isPolicyActive(policyName) {
+    return this.policies[policyName]?.enforced === true;
+  }
+
+  /**
+   * List all policies with their enforcement status.
+   * @returns {object}
+   */
+  listPolicies() {
+    return Object.entries(this.policies).map(([name, data]) => ({
+      name,
+      description: data.description,
+      enforced: data.enforced,
+    }));
+  }
+}

package/LeeWay-Standards/src/agents/security/privacy-agent.js

@@ -0,0 +1,83 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: SECURITY.AGENT.PRIVACY
+TAG: SECURITY.PRIVACY.AGENT.MAIN
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=user-x
+
+5WH:
+WHAT = Privacy agent — checks privacy and data handling declarations in code
+WHY = Systems handling personal data must declare their data handling intent
+WHO = Rapid Web Development
+WHERE = src/agents/security/privacy-agent.js
+WHEN = 2026
+HOW = Scans for PII patterns in logs and data structures, checks for privacy declarations
+
+AGENTS:
+PRIVACY
+POLICY
+SECRET
+
+LICENSE:
+MIT
+*/
+
+const PII_PATTERNS = [
+  { id: 'email_log', label: 'Email in log output', pattern: /(?:console\.|log\.|logger\.)[a-z]+\([^)]*[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-z]+/i },
+  { id: 'phone_inline', label: 'Phone number pattern', pattern: /\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b/ },
+  { id: 'ssn_pattern', label: 'SSN-like pattern', pattern: /\b\d{3}-\d{2}-\d{4}\b/ },
+  { id: 'pii_in_logs', label: 'PII field logged', pattern: /(?:log|print|console)\.[a-z]+\([^)]*(?:password|ssn|social_security|credit_card|dob|date_of_birth)/i },
+];
+
+/**
+ * PrivacyAgent checks for privacy violations and PII exposure risks.
+ */
+export class PrivacyAgent {
+  constructor(options = {}) {
+    this.patterns = options.patterns || PII_PATTERNS;
+  }
+
+  /**
+   * Scan content for privacy violations.
+   *
+   * @param {string} content
+   * @param {{ filePath?: string }} [options]
+   * @returns {{ compliant: boolean, findings: Finding[] }}
+   */
+  scanContent(content, options = {}) {
+    if (!content || typeof content !== 'string') {
+      return { compliant: true, findings: [] };
+    }
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+      if (/^\s*\/\//.test(line) || /^\s*#/.test(line)) continue;
+
+      for (const { id, label, pattern } of this.patterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: id,
+            label,
+            line: lineNum + 1,
+            preview: line.trim().slice(0, 80),
+            file: options.filePath,
+            severity: 'high',
+          });
+        }
+      }
+    }
+
+    return { compliant: findings.length === 0, findings };
+  }
+}

package/LeeWay-Standards/src/agents/security/prompt-security-agent.js

@@ -0,0 +1,103 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: SECURITY.AGENT.PROMPT
+TAG: SECURITY.SCANNER.PROMPT.MAIN
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=shield-alert
+
+5WH:
+WHAT = Prompt security agent — scans prompt files and agent instructions for unsafe patterns
+WHY = Malicious prompt injection can compromise AI agent behavior and expose sensitive operations
+WHO = Rapid Web Development
+WHERE = src/agents/security/prompt-security-agent.js
+WHEN = 2026
+HOW = Pattern matching against known prompt injection techniques and unsafe instruction patterns
+
+AGENTS:
+PROMPT
+POLICY
+SECRET
+
+LICENSE:
+MIT
+*/
+
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+
+const INJECTION_PATTERNS = [
+  { id: 'ignore_instructions', label: 'Ignore instructions injection', pattern: /ignore\s+(?:all\s+)?(?:previous|above)\s+instructions/i },
+  { id: 'jailbreak_attempt', label: 'Jailbreak attempt', pattern: /(?:pretend|act as if|you are now|new mode|developer mode)/i },
+  { id: 'data_exfil', label: 'Data exfiltration attempt', pattern: /(?:send|email|post|upload)\s+(?:all|the|your)\s+(?:data|files|secrets|passwords|keys)/i },
+  { id: 'role_override', label: 'Role override attempt', pattern: /you\s+(?:must|shall|will)\s+(?:now\s+)?(?:act|behave|respond)\s+as/i },
+  { id: 'system_override', label: 'System prompt override', pattern: /\[SYSTEM\]|\{\{system\}\}|<system>/i },
+  { id: 'base64_injection', label: 'Encoded injection', pattern: /eval\s*\(\s*atob\s*\(|base64_decode\s*\(/ },
+];
+
+/**
+ * PromptSecurityAgent scans prompt templates and agent instructions for injection risks.
+ */
+export class PromptSecurityAgent {
+  constructor(options = {}) {
+    this.rootDir = options.rootDir || process.cwd();
+    this.patterns = options.patterns || INJECTION_PATTERNS;
+  }
+
+  /**
+   * Scan content for prompt injection patterns.
+   *
+   * @param {string} content
+   * @param {{ filePath?: string }} [options]
+   * @returns {{ safe: boolean, findings: Finding[] }}
+   */
+  scanContent(content, options = {}) {
+    if (!content || typeof content !== 'string') {
+      return { safe: true, findings: [] };
+    }
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+      for (const { id, label, pattern } of this.patterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: id,
+            label,
+            line: lineNum + 1,
+            preview: line.trim().slice(0, 80),
+            file: options.filePath,
+            severity: 'critical',
+          });
+        }
+      }
+    }
+
+    return { safe: findings.length === 0, findings };
+  }
+
+  /**
+   * Scan a prompt file.
+   *
+   * @param {string} filePath
+   * @returns {Promise<{ safe: boolean, findings: Finding[] }>}
+   */
+  async scanFile(filePath) {
+    const fullPath = filePath.startsWith('/') ? filePath : join(this.rootDir, filePath);
+    try {
+      const content = await readFile(fullPath, 'utf8');
+      return this.scanContent(content, { filePath });
+    } catch {
+      return { safe: true, findings: [], error: 'Cannot read file' };
+    }
+  }
+}

package/LeeWay-Standards/src/agents/security/secret-scan-agent.js

@@ -0,0 +1,108 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: SECURITY.AGENT.SCANNER
+TAG: SECURITY.SCANNER.SECRET.MAIN
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=eye-off
+
+5WH:
+WHAT = Secret scan agent — looks for secrets and unsafe credential handling in source code
+WHY = Committed secrets are a critical security vulnerability; this agent prevents them
+WHO = Rapid Web Development
+WHERE = src/agents/security/secret-scan-agent.js
+WHEN = 2026
+HOW = Pattern matching against known secret formats, env var names, and credential patterns
+
+AGENTS:
+SECRET
+POLICY
+AUDIT
+
+LICENSE:
+MIT
+*/
+
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+
+const SECRET_PATTERNS = [
+  { id: 'api_key_inline', label: 'Inline API key', pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"`][a-zA-Z0-9\-_]{16,}['"`]/i },
+  { id: 'password_inline', label: 'Inline password', pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"`][^'"`\s]{8,}['"`]/i },
+  { id: 'secret_inline', label: 'Inline secret', pattern: /(?:secret|private[_-]?key)\s*[:=]\s*['"`][a-zA-Z0-9\-_+/]{16,}['"`]/i },
+  { id: 'token_inline', label: 'Inline token', pattern: /(?:token|auth[_-]?token)\s*[:=]\s*['"`][a-zA-Z0-9\-_.]{16,}['"`]/i },
+  { id: 'openai_key', label: 'OpenAI API key', pattern: /sk-[a-zA-Z0-9]{32,}/  },
+  { id: 'jwt_inline', label: 'Hardcoded JWT', pattern: /eyJ[a-zA-Z0-9\-_]+\.eyJ[a-zA-Z0-9\-_]+\.[a-zA-Z0-9\-_]+/ },
+  { id: 'aws_key', label: 'AWS access key', pattern: /AKIA[0-9A-Z]{16}/ },
+  { id: 'connection_string', label: 'Database connection string', pattern: /(?:mongodb|postgres|mysql|redis):\/\/[a-zA-Z0-9._%+\-]+:[a-zA-Z0-9._%+\-@]+\/[a-zA-Z0-9]+/ },
+];
+
+/**
+ * SecretScanAgent scans source files for hardcoded secrets.
+ */
+export class SecretScanAgent {
+  constructor(options = {}) {
+    this.rootDir = options.rootDir || process.cwd();
+    this.patterns = options.patterns || SECRET_PATTERNS;
+  }
+
+  /**
+   * Scan file content for secret patterns.
+   *
+   * @param {string} content
+   * @param {{ filePath?: string }} [options]
+   * @returns {{ clean: boolean, findings: Finding[] }}
+   */
+  scanContent(content, options = {}) {
+    if (!content || typeof content !== 'string') {
+      return { clean: true, findings: [] };
+    }
+
+    const findings = [];
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+
+      if (/^\s*\/\//.test(line) || /^\s*#/.test(line)) continue;
+      if (/process\.env\[/.test(line) || /process\.env\./.test(line)) continue;
+
+      for (const { id, label, pattern } of this.patterns) {
+        if (pattern.test(line)) {
+          findings.push({
+            rule: id,
+            label,
+            line: lineNum + 1,
+            preview: line.trim().slice(0, 80),
+            file: options.filePath,
+          });
+        }
+      }
+    }
+
+    return { clean: findings.length === 0, findings };
+  }
+
+  /**
+   * Scan a file for secrets.
+   *
+   * @param {string} filePath
+   * @returns {Promise<{ clean: boolean, findings: Finding[] }>}
+   */
+  async scanFile(filePath) {
+    const fullPath = filePath.startsWith('/') ? filePath : join(this.rootDir, filePath);
+    try {
+      const content = await readFile(fullPath, 'utf8');
+      return this.scanContent(content, { filePath });
+    } catch {
+      return { clean: true, findings: [], error: 'Cannot read file' };
+    }
+  }
+}

package/LeeWay-Standards/src/agents/security/tool-access-agent.js

@@ -0,0 +1,105 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: SECURITY.AGENT.ACCESS
+TAG: SECURITY.ACCESS.TOOL.MAIN
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=key
+
+5WH:
+WHAT = Tool access agent — ensures tools are called only through approved paths
+WHY = Unapproved tool invocation paths create unauditable side effects and security gaps
+WHO = Rapid Web Development
+WHERE = src/agents/security/tool-access-agent.js
+WHEN = 2026
+HOW = Validates tool call paths against an approved routes registry
+
+AGENTS:
+TOOL
+POLICY
+PERMISSION
+
+LICENSE:
+MIT
+*/
+
+/**
+ * ToolAccessAgent validates that tool invocations follow approved access paths.
+ */
+export class ToolAccessAgent {
+  constructor(options = {}) {
+    this.approvedRoutes = options.approvedRoutes || new Map();
+    this.deniedRoutes = options.deniedRoutes || new Set();
+  }
+
+  /**
+   * Register an approved tool invocation route.
+   *
+   * @param {string} toolName
+   * @param {string[]} allowedCallers - Agent names permitted to call this tool
+   */
+  registerApprovedRoute(toolName, allowedCallers) {
+    this.approvedRoutes.set(toolName.toUpperCase(), allowedCallers.map(c => c.toUpperCase()));
+  }
+
+  /**
+   * Register a denied tool invocation route.
+   *
+   * @param {string} toolName
+   */
+  denyTool(toolName) {
+    this.deniedRoutes.add(toolName.toUpperCase());
+  }
+
+  /**
+   * Check if a tool invocation is allowed.
+   *
+   * @param {string} toolName
+   * @param {string} callerAgent
+   * @returns {{ allowed: boolean, reason: string }}
+   */
+  checkAccess(toolName, callerAgent) {
+    const tool = toolName.toUpperCase();
+    const caller = callerAgent.toUpperCase();
+
+    if (this.deniedRoutes.has(tool)) {
+      return { allowed: false, reason: `Tool "${toolName}" is explicitly denied` };
+    }
+
+    const approvedCallers = this.approvedRoutes.get(tool);
+    if (!approvedCallers) {
+      return { allowed: true, reason: `Tool "${toolName}" has no access restrictions` };
+    }
+
+    if (approvedCallers.includes('*') || approvedCallers.includes(caller)) {
+      return { allowed: true, reason: `Caller "${callerAgent}" is approved for tool "${toolName}"` };
+    }
+
+    return {
+      allowed: false,
+      reason: `Caller "${callerAgent}" is not in approved list for tool "${toolName}": [${approvedCallers.join(', ')}]`,
+    };
+  }
+
+  /**
+   * Validate a batch of tool invocations.
+   *
+   * @param {{ tool: string, caller: string }[]} invocations
+   * @returns {{ valid: boolean, violations: object[] }}
+   */
+  validateBatch(invocations) {
+    const violations = [];
+    for (const { tool, caller } of invocations) {
+      const result = this.checkAccess(tool, caller);
+      if (!result.allowed) violations.push({ tool, caller, reason: result.reason });
+    }
+    return { valid: violations.length === 0, violations };
+  }
+}

package/LeeWay-Standards/src/agents/standards/authority-agent.js

@@ -0,0 +1,114 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: AI.AGENT.STANDARDS
+TAG: AI.AGENT.AUTHORITY.MAIN
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=shield
+
+5WH:
+WHAT = Authority agent — declares allowed actions, denied actions, and execution scope per file/module
+WHY = Governance requires explicit declaration of what each file is permitted to do
+WHO = Rapid Web Development
+WHERE = src/agents/standards/authority-agent.js
+WHEN = 2026
+HOW = Reads LEEWAY headers and .leeway/authority.json to validate action permissions
+
+AGENTS:
+AUTHORITY
+POLICY
+AUDIT
+
+LICENSE:
+MIT
+*/
+
+import { readFile } from 'node:fs/promises';
+import { join } from 'node:path';
+import { parseHeader } from '../../core/header-parser.js';
+
+const DEFAULT_AUTHORITY = {
+  allowedActions: ['read', 'write', 'transform', 'export'],
+  deniedActions: ['execute_shell', 'network_request', 'modify_secrets', 'delete_files'],
+  executionScope: 'module',
+};
+
+/**
+ * AuthorityAgent declares and validates what actions a file or module is permitted to perform.
+ */
+export class AuthorityAgent {
+  constructor(options = {}) {
+    this.rootDir = options.rootDir || process.cwd();
+    this.authorityConfig = null;
+  }
+
+  /**
+   * Load the project-level authority configuration.
+   */
+  async loadConfig() {
+    const configPath = join(this.rootDir, '.leeway', 'authority.json');
+    try {
+      const raw = await readFile(configPath, 'utf8');
+      this.authorityConfig = JSON.parse(raw);
+    } catch {
+      this.authorityConfig = { default: DEFAULT_AUTHORITY };
+    }
+    return this.authorityConfig;
+  }
+
+  /**
+   * Get the authority declaration for a file.
+   *
+   * @param {string} filePath
+   * @returns {Promise<AuthorityDeclaration>}
+   */
+  async getFileAuthority(filePath) {
+    if (!this.authorityConfig) await this.loadConfig();
+
+    const fullPath = filePath.startsWith('/') ? filePath : join(this.rootDir, filePath);
+    let content = '';
+    try {
+      content = await readFile(fullPath, 'utf8');
+    } catch {
+      return { file: filePath, status: 'error' };
+    }
+
+    const header = parseHeader(content);
+    const region = header?.region?.split('.')?.[0] || 'UNKNOWN';
+
+    const authority = this.authorityConfig[region]
+      || this.authorityConfig['default']
+      || DEFAULT_AUTHORITY;
+
+    return {
+      file: filePath,
+      region,
+      agents: header?.agents || [],
+      authority,
+      status: 'resolved',
+    };
+  }
+
+  /**
+   * Check if a specific action is allowed for a file.
+   *
+   * @param {string} filePath
+   * @param {string} action
+   * @returns {Promise<boolean>}
+   */
+  async isActionAllowed(filePath, action) {
+    const decl = await this.getFileAuthority(filePath);
+    if (decl.status !== 'resolved') return false;
+
+    const { allowedActions, deniedActions } = decl.authority;
+    if (deniedActions.includes(action)) return false;
+    return allowedActions.includes(action) || allowedActions.includes('*');
+  }
+}

package/LeeWay-Standards/src/agents/standards/discovery-pipeline-agent.js

@@ -0,0 +1,91 @@
+/*
+LEEWAY HEADER — DO NOT REMOVE
+
+REGION: AI.AGENT.STANDARDS
+TAG: AI.AGENT.DISCOVERY.PIPELINE
+
+COLOR_ONION_HEX:
+NEON=#39FF14
+FLUO=#0DFF94
+PASTEL=#C7FFD8
+
+ICON_ASCII:
+family=lucide
+glyph=git-merge
+
+5WH:
+WHAT = Discovery pipeline agent — ensures every artifact has the discovery chain metadata
+WHY = LEEWAY applications must be visible to search engines, AI tools, and voice assistants
+WHO = Rapid Web Development
+WHERE = src/agents/standards/discovery-pipeline-agent.js
+WHEN = 2026
+HOW = Checks for Schema.org JSON-LD, OpenGraph, sitemap, and FAQ structured data presence
+
+AGENTS:
+DISCOVERY
+SCHEMA
+SITEMAP
+
+LICENSE:
+MIT
+*/
+
+import { readFile } from 'node:fs/promises';
+import { join, extname } from 'node:path';
+
+const DISCOVERY_CHECKS = [
+  { id: 'jsonld', label: 'Schema.org JSON-LD', pattern: /<script[^>]+type="application\/ld\+json"/i },
+  { id: 'opengraph', label: 'OpenGraph meta tags', pattern: /<meta[^>]+property="og:/i },
+  { id: 'twitter_card', label: 'Twitter Card meta', pattern: /<meta[^>]+name="twitter:/i },
+  { id: 'canonical', label: 'Canonical URL', pattern: /<link[^>]+rel="canonical"/i },
+  { id: 'faq', label: 'FAQ structured data', pattern: /"@type"\s*:\s*"FAQPage"/i },
+];
+
+/**
+ * DiscoveryPipelineAgent checks that HTML/JSX files include required discovery metadata.
+ */
+export class DiscoveryPipelineAgent {
+  constructor(options = {}) {
+    this.rootDir = options.rootDir || process.cwd();
+  }
+
+  /**
+   * Check a file for discovery chain completeness.
+   *
+   * @param {string} filePath
+   * @returns {Promise<DiscoveryCheckResult>}
+   */
+  async checkFile(filePath) {
+    const ext = extname(filePath).toLowerCase();
+    const htmlLike = ['.html', '.htm', '.jsx', '.tsx', '.vue', '.svelte'];
+
+    if (!htmlLike.includes(ext)) {
+      return { file: filePath, applicable: false, reason: 'Not an HTML-like file' };
+    }
+
+    const fullPath = filePath.startsWith('/') ? filePath : join(this.rootDir, filePath);
+    let content = '';
+    try {
+      content = await readFile(fullPath, 'utf8');
+    } catch {
+      return { file: filePath, applicable: true, status: 'error' };
+    }
+
+    const checks = DISCOVERY_CHECKS.map(check => ({
+      ...check,
+      present: check.pattern.test(content),
+    }));
+
+    const presentCount = checks.filter(c => c.present).length;
+    const score = Math.round((presentCount / DISCOVERY_CHECKS.length) * 100);
+
+    return {
+      file: filePath,
+      applicable: true,
+      score,
+      checks,
+      missing: checks.filter(c => !c.present).map(c => c.label),
+      status: score === 100 ? 'complete' : score >= 60 ? 'partial' : 'incomplete',
+    };
+  }
+}