@appsforgood/next-supabase-kit 0.1.4 → 0.1.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (49)
  1. package/CHANGELOG.md +12 -0
  2. package/DOGFOOD.md +24 -0
  3. package/LOOP_CODING.md +107 -0
  4. package/MAINTAINER_RELEASE.md +100 -0
  5. package/README.md +40 -4
  6. package/REPOSITORY_SETTINGS.md +7 -3
  7. package/SUPPLY_CHAIN.md +5 -5
  8. package/UPGRADE.md +2 -1
  9. package/antigravity/commands/accessibility-pass.toml +16 -0
  10. package/antigravity/commands/browser-qa.toml +18 -0
  11. package/antigravity/commands/distinctiveness-pass.toml +16 -0
  12. package/antigravity/commands/frontend.toml +5 -4
  13. package/antigravity/commands/layout-cleanup.toml +16 -0
  14. package/antigravity/commands/responsive-cleanup.toml +16 -0
  15. package/antigravity/commands/screenshot-critique.toml +16 -0
  16. package/antigravity/commands/ui-audit.toml +17 -0
  17. package/antigravity/commands/ui-polish.toml +17 -0
  18. package/antigravity/plugin.json +9 -0
  19. package/checklists/ui-acceptance-rubric.md +58 -0
  20. package/checklists/ui-detectors.md +75 -0
  21. package/dist/index.js +1090 -411
  22. package/dist/index.js.map +1 -1
  23. package/dist/studio/office/assets/office.css +188 -29
  24. package/dist/studio/office/assets/office.js +72 -50
  25. package/dist/studio/wizard/assets/wizard.css +157 -26
  26. package/dist/studio/wizard/assets/wizard.js +78 -70
  27. package/examples/next-supabase-installed/.agent-kit/agent-roster.json +7 -3
  28. package/examples/next-supabase-installed/.agent-kit/manifest.json +13 -11
  29. package/examples/next-supabase-installed/audit-output.json +22 -2
  30. package/examples/next-supabase-installed/tree.txt +1 -0
  31. package/package.json +28 -7
  32. package/prompts/ui-command-index.md +124 -0
  33. package/research/summaries/agentic-engineering-maturity-levels.md +54 -0
  34. package/rosters/next-supabase-default-council.json +37 -12
  35. package/runtime-skills/ui-improvement-harness/SKILL.md +12 -0
  36. package/schemas/agentic-level.schema.json +47 -0
  37. package/schemas/onboarding-state.schema.json +4 -1
  38. package/skills/ui-improvement-harness.md +96 -0
  39. package/templates/next-supabase/AGENT_ROSTER.md +6 -3
  40. package/templates/next-supabase/ASSISTANT_ADAPTERS.md +3 -1
  41. package/templates/next-supabase/DECISIONS.md +14 -0
  42. package/templates/next-supabase/DESIGN.md +3 -0
  43. package/templates/next-supabase/DOCS.md +7 -1
  44. package/templates/next-supabase/LOOP_CODING.md +98 -0
  45. package/templates/next-supabase/QUALITY_GATES.md +4 -2
  46. package/templates/next-supabase/SKILLS.md +14 -0
  47. package/templates/next-supabase/SPEC.md +5 -1
  48. package/templates/next-supabase/STYLE_GUIDE.md +3 -1
  49. package/templates/next-supabase/TESTING.md +14 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,17 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.1.6
4
+
5
+ - Added a repo-native UI improvement harness with command-style prompts, deterministic detector checklist, acceptance rubric, portable runtime skill, and focused Antigravity UI commands.
6
+ - Wired UI audit, polish, layout cleanup, responsive cleanup, accessibility, distinctiveness, screenshot critique, and browser QA workflows into roster routing, docs, templates, package validation, and example snapshots.
7
+
8
+ ## 0.1.5
9
+
10
+ - Added computed **Agentic Engineering Level** (L3–L6) in Agent Office and setup wizard: iceberg strip, climb checklist, `/api/state` payload, and `POST /api/agentic-level/refresh`.
11
+ - Added [`src/studio/agentic-level.ts`](src/studio/agentic-level.ts), [`schemas/agentic-level.schema.json`](schemas/agentic-level.schema.json), and maintainer-profile L6 signals for kit source repos.
12
+ - Extended setup wizard with adapter validate chip on IDE activation, audit-readiness vs Agentic level copy, and `LOOP_CODING.md` eval-loop next steps on complete.
13
+ - Added [`research/summaries/agentic-engineering-maturity-levels.md`](research/summaries/agentic-engineering-maturity-levels.md) and cross-links from `DOCS.md`, `HANDOVER.md`, and `LOOP_CODING.md`.
14
+
3
15
  ## 0.1.4
4
16
 
5
17
  - Added true multi-agent IDE activation for **Cursor** (`.cursor/agents/*.md`, `.cursor/skills/*/SKILL.md`, scoped rules) and **Codex** (`.codex/agents/*.toml` with model routing effort) via `agent-kit init --activate cursor|codex`.
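Review bot: The 0.1.5 entry (new line 10) adds a state-changing route, `POST /api/agentic-level/refresh`, without saying what guards it. Note here or in the linked docs whether Agent Office listens on loopback only and whether the route checks request origin, so consumers can judge exposure. The entry on new line 11 also links `src/studio/agentic-level.ts`, which does not appear in the 49-file list for this package diff, so that link will not resolve for npm consumers.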
package/DOGFOOD.md CHANGED
@@ -34,6 +34,15 @@ Mode: read-only audit; no downstream files were modified.
34
34
  - Assistant adapters and upgrade lifecycle still need real activation/dogfood evidence after publication.
35
35
  - Reference-led design critique still needs a real UI change dogfood pass with screenshots or equivalent visual evidence.
36
36
 
37
+ ## 2026-07-02 Publish Verification And Self-Install Snapshot
38
+
39
+ Date: 2026-07-02
40
+ CLI source: public npm registry (`@appsforgood/next-supabase-kit`, published) plus local `src/` for the self-install.
41
+ Mode: post-publish verification against the live registry, and dogfooding the kit into this repo's own root.
42
+
43
+ - `node scripts/post-publish-verify.mjs` against the published package passed: registry visibility confirmed, `npx` doctor ok, clean temp `init` installed 23 files, and `audit --json --min-readiness baseline-setup` returned 0 failures (readiness `baseline-setup`).
44
+ - This repo now dogfoods its own kit at the root: `agent-kit init` installed the root docs, `.agent-kit/`, and Cursor rules; project context, council session, and overrides were filled with real evidence; `agent-kit audit --min-readiness best-practice-candidate` passes with 0 warnings and 0 failures.
45
+
37
46
  ## 2026-06-07 Agent Studio Dogfood Snapshot
38
47
 
39
48
  Date: 2026-06-07
@@ -119,3 +128,18 @@ Covered by `tests/update.test.ts`.
119
128
  - Activate at least one assistant adapter in a real project and record whether the chosen tool loads the canonical council instructions.
120
129
  - Apply the reference-led design critique gate to one real frontend change with desktop/mobile screenshot evidence.
121
130
  - After public publish, run `npm run publish:verify` to verify registry visibility, public `npx doctor`, clean temp `init`, and `audit --json` with zero failures.
131
+
132
+ ## BaseRepo Maintainer Dogfood Policy
133
+
134
+ Date: 2026-06-17
135
+ Policy: **gitignored local overlay + bootstrap script** (not committed to kit source)
136
+
137
+ | Item | Detail |
138
+ | --- | --- |
139
+ | Bootstrap | `npm run dogfood:init` runs `agent-kit init --stack next-supabase --activate cursor --activate codex` against the repo root |
140
+ | Gitignore | `.agent-kit/`, `.codex/`, init-generated council docs at repo root, and local pack tarballs — see `.gitignore` and [DOCS.md](DOCS.md#maintainer-dogfood) |
141
+ | Validation | `node dist/index.js adapter validate cursor\|codex` after bootstrap |
142
+ | Release evidence | [MAINTAINER_RELEASE.md](MAINTAINER_RELEASE.md) session checklist; loop patterns in [LOOP_CODING.md](LOOP_CODING.md) |
143
+ | Rationale | Kit source stays in `templates/` and tracked maintainer docs; overlay proves Tier B activation without polluting commit history |
144
+
145
+ This policy closes the gap where the kit shipped Level 5 IDE surfaces but BaseRepo maintainers operated at Level 4 day-to-day.
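Review bot: The Gitignore row (new line 140) lists `.agent-kit/` and `.codex/` but not `.cursor/`, although the Bootstrap row runs `--activate cursor` and MAINTAINER_RELEASE.md line 29 says `.cursor/` is gitignored too. Add `.cursor/` to the row, or state which Cursor files are meant to be tracked, so generated agent rules are not committed by accident.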
package/LOOP_CODING.md ADDED
@@ -0,0 +1,107 @@
1
+ # Loop Coding
2
+
3
+ Loop coding means the agent repeats **plan → act → check → fix** until a stop condition, instead of finishing in one chat turn. The Agent Kit is opinionated about **which loops are safe** and **which checkpoints must stay in place**.
4
+
5
+ This document describes loop types, kit-safe patterns, and limits. It is the canonical reference for eval-driven development with `@appsforgood/next-supabase-kit`.
6
+
7
+ ## Loop Types
8
+
9
+ | Loop type | What it means | Kit-safe version |
10
+ | --- | --- | --- |
11
+ | **Agent loop** | Same agent iterates on feedback until done | Use scoped prompts (for example `.agent-kit/prompts/implement-feature.md`); review each turn; do not remove Security Reviewer or QA gates |
12
+ | **Eval-driven loop** | Code changes until **tests, audit, or evals pass** | `npm test` + `agent-kit audit` + CI — BaseRepo uses `npm run release:check` as the maintainer merge gate |
13
+ | **Self-improving loop** | Agent critiques its own output and revises | Manual: delegate to `@qa-engineer` or run tests between passes; **avoid fully unsupervised self-critique on auth, RLS, or release tooling** |
14
+ | **Council / team loop** | Planner → specialist → Security → QA handoffs | `agent-kit session handoff` + IDE subagents — the kit's core operating model |
15
+ | **Background / overnight loop** | Runs without a human present | **Defer by default** — requires worktree policy, cost caps, kill switches, and stronger eval gates than agent freedom |
16
+
17
+ ## Practical Rule
18
+
19
+ Climb maturity by adding **checkpoints** (tests, audit, guards, human review), not by removing them. Unsupervised loops are only healthy when **eval gates are stronger than the agent's freedom**.
20
+
21
+ ## Eval-Driven PR Loop (recommended)
22
+
23
+ For feature work in a kit-consuming project:
24
+
25
+ 1. **Plan** — Planner classifies scope; Lead Architect maps affected layers when the change is core.
26
+ 2. **Implement** — Next.js / Supabase engineers (or general agent with council rules loaded).
27
+ 3. **Check** — run the smallest reliable gate set:
28
+ ```bash
29
+ npm test
30
+ agent-kit audit --min-readiness baseline-setup
31
+ agent-kit adapter validate all # when IDE surfaces change
32
+ ```
33
+ 4. **Fix** — repeat implement/check until green or blocked on a documented gap.
34
+ 5. **Record** — `agent-kit session render` and mirror summary in `COUNCIL.md` for meaningful multi-agent work.
35
+
36
+ BaseRepo maintainers use the same pattern at repo scale:
37
+
38
+ ```bash
39
+ npm run release:check # tests, build, package validate, smokes, adapter validate
40
+ npm run smoke:audit-gate
41
+ ```
42
+
43
+ ## Council Loop (multi-agent)
44
+
45
+ The default handoff order lives in `AGENTS.md` and `.agent-kit/agent-roster.json`:
46
+
47
+ 1. Planner — scope, workflow, council selection
48
+ 2. Lead Architect — core changes
49
+ 3. Domain engineers — data, UI, copy as needed
50
+ 4. Security Reviewer — auth, mutations, secrets, dependencies, release risk
51
+ 5. QA Engineer — behavior evidence
52
+ 6. Documentation Maintainer — living docs and council record
53
+
54
+ Use Agent Studio when the CLI is available:
55
+
56
+ ```bash
57
+ agent-kit session start --workflow core-change --request "Short title"
58
+ agent-kit session handoff --from planner --to lead-architect --decision "..." --risk "..." --next "..." --evidence "..."
59
+ agent-kit session verify --command "npm test" --result pass
60
+ agent-kit session output phased-checklist --status complete --evidence "..."
61
+ agent-kit session render
62
+ ```
63
+
64
+ When CLI tooling is unavailable, append the session template in `COUNCIL.md` (see `MAINTAINER_RELEASE.md` for kit release evidence).
65
+
66
+ ## Hooks And Local Automation (Level 6 enablers)
67
+
68
+ The kit does **not** ship unsupervised orchestration. It documents safe local enablers:
69
+
70
+ | Pattern | Purpose | Starting point |
71
+ | --- | --- | --- |
72
+ | Pre-commit test or audit | Catch drift before commit | `.agent-kit/prompts/audit-project-setup.md`, project `npm test` |
73
+ | Post-edit lint/typecheck | Fast feedback on save | Project ESLint / `tsc --noEmit` in editor or CI |
74
+ | PR CI audit gate | Block merge below readiness | `.github/workflows/agent-kit-audit.yml` template |
75
+ | Adapter validate on PR | Prove IDE templates stay shippable | `agent-kit adapter validate all` (BaseRepo: `npm run adapter:validate` in `release:check`) |
76
+
77
+ For Cursor-specific hook/automation patterns, see Cursor Automations docs and keep Planner-first triage **opt-in** — never as a replacement for Security Reviewer or human release approval.
78
+
79
+ ## MCP Routing (delegation hint)
80
+
81
+ Match MCP servers to council roles in consuming projects:
82
+
83
+ | Role | Typical MCP use |
84
+ | --- | --- |
85
+ | Supabase/Postgres Engineer | Schema, migrations, RLS, logs, advisors |
86
+ | Security Reviewer | Dependency/advisory checks; no broad production writes without review |
87
+ | Deployment/Observability Engineer | Hosting logs, release status, error tracking |
88
+ | QA Engineer | Test runners, visual diff tools where configured |
89
+
90
+ Record active MCP surfaces in `ASSISTANT_ADAPTERS.md` when they affect council behavior.
91
+
92
+ ## What Not To Default
93
+
94
+ - Overnight unsupervised agent runs on auth, RLS, or release tooling
95
+ - Agents managing agents without eval harness and kill switches
96
+ - Removing human review from publish, migration, or security-sensitive paths
97
+ - Duplicating runtime product agents inside the kit repo (wrong shape for agent-kit)
98
+
99
+ ## Related Docs
100
+
101
+ - `AGENTS.md` — council roles and default handoffs
102
+ - `QUALITY_GATES.md` — Baseline / Strong / Mature evidence tiers
103
+ - `COUNCIL.md` — session evidence template
104
+ - `MAINTAINER_RELEASE.md` — kit maintainer release session checklist
105
+ - `research/summaries/agentic-engineering-maturity-levels.md` — L3–L8 ladder and office integration
106
+ - `TESTING.md` — project test and CI gate expectations
107
+ - `PUBLISH.md` — npm publish runbook
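Review bot: In the Council Loop example (new line 59), `agent-kit session verify --command "npm test" --result pass` takes the outcome as a caller-supplied flag, so as documented an agent inside a loop can record a pass that no test run backs. Say whether the CLI executes the command itself; if it only records the claim, add a sentence that the PR CI audit gate (`.github/workflows/agent-kit-audit.yml`, line 74) is the authoritative check and that session evidence is advisory.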
@@ -0,0 +1,100 @@
1
+ # Maintainer Release Evidence
2
+
3
+ Use this checklist when shipping `@appsforgood/next-supabase-kit` releases. It aligns kit maintainer practice with the **Strong** tier in `QUALITY_GATES.md`: council sessions record workflow, decision, risk, next handoff, required outputs, and evidence.
4
+
5
+ For loop patterns and safe automation limits, see [LOOP_CODING.md](LOOP_CODING.md). For publish steps, see [PUBLISH.md](PUBLISH.md).
6
+
7
+ ## When To Open A Session
8
+
9
+ Start `agent-kit session` (or a `COUNCIL.md` entry) when the release includes any of:
10
+
11
+ - CLI or install behavior changes
12
+ - New or changed IDE adapter surfaces (Cursor, Codex, Claude, Copilot, Antigravity)
13
+ - Audit, roster, schema, or Agent Studio contract changes
14
+ - Security-sensitive dependency or publish pipeline changes
15
+ - Multi-agent work spanning Planner → Architect → QA
16
+
17
+ Skip a formal session only for typo-only doc fixes with no behavioral impact.
18
+
19
+ ## Bootstrap Maintainer Dogfood
20
+
21
+ Maintainers run the kit locally on BaseRepo without committing the overlay:
22
+
23
+ ```bash
24
+ npm run dogfood:init
25
+ node dist/index.js adapter validate cursor
26
+ node dist/index.js adapter validate codex
27
+ ```
28
+
29
+ Generated paths (`.agent-kit/`, `.cursor/`, `.codex/`, root council docs from init) are **gitignored**. Kit source stays in `templates/`, `assistant-adapters/`, and tracked root docs such as `DOCS.md` and `SPEC.md`.
30
+
31
+ ## Release Session Workflow
32
+
33
+ ```bash
34
+ agent-kit session start --workflow release --request "Release vX.Y.Z"
35
+ agent-kit session decision --agent planner --decision "..." --risk "..." --next "lead-architect" --evidence "..."
36
+ agent-kit session verify --command "npm run release:check" --result pass --notes "..."
37
+ agent-kit session verify --command "npm run smoke:audit-gate" --result pass
38
+ agent-kit session output changelog --status complete --evidence "CHANGELOG.md#X.Y.Z"
39
+ agent-kit session output test-evidence --status complete --evidence "vitest + smokes green"
40
+ agent-kit session output publish-evidence --status complete --evidence "npm run publish:verify or GitHub Release vX.Y.Z"
41
+ agent-kit session render
42
+ ```
43
+
44
+ After publish, append a short evidence block to [DOGFOOD.md](DOGFOOD.md) (public-safe, no local paths).
45
+
46
+ ## COUNCIL.md Mirror Template
47
+
48
+ When Agent Studio CLI is unavailable, paste this block into root `COUNCIL.md` (maintainer overlay, gitignored) or into the PR description:
49
+
50
+ ```md
51
+ ## YYYY-MM-DD - Release vX.Y.Z
52
+
53
+ - Workflow: release
54
+ - Status: complete
55
+ - Request: Ship @appsforgood/next-supabase-kit@X.Y.Z
56
+ - Affected layers: CLI, install, adapters, docs, CI, deployment
57
+
58
+ ### Required Outputs
59
+
60
+ | Output | Status | Evidence |
61
+ | --- | --- | --- |
62
+ | Phased checklist | Complete | ROADMAP / PR scope |
63
+ | Architecture decision | Complete/N/A | DECISIONS.md or PR note |
64
+ | Security review | Complete | Dependency audit in release:check; no secret in adapters |
65
+ | Test evidence | Complete | npm run release:check; npm run smoke:audit-gate |
66
+ | Adapter validation | Complete | npm run adapter:validate (all IDE templates) |
67
+ | Docs impact | Complete | CHANGELOG.md, DOCS.md, PUBLISH.md if process changed |
68
+ | Publish verification | Complete | npm run publish:verify or Release workflow green |
69
+
70
+ ### Handoffs
71
+
72
+ | Agent | Decision | Risk | Next Handoff | Evidence |
73
+ | --- | --- | --- | --- | --- |
74
+ | Planner | Release scope approved | Missed breaking change | Lead Architect / QA | PR + CHANGELOG |
75
+ | QA Engineer | release:check green | Residual flake | Documentation Maintainer | CI logs |
76
+ | Documentation Maintainer | CHANGELOG + DOGFOOD updated | Stale public evidence | Deployment/Observability | DOGFOOD.md entry |
77
+
78
+ ### Verification
79
+
80
+ | Command Or Review | Result | Notes |
81
+ | --- | --- | --- |
82
+ | npm run release:check | Pass | Includes adapter:validate |
83
+ | npm run smoke:audit-gate | Pass | baseline-setup, 0 failures |
84
+ | npm run publish:verify | Pass/Skipped | Required after registry publish |
85
+ ```
86
+
87
+ ## Pre-Merge Gate (BaseRepo)
88
+
89
+ Every release PR must pass:
90
+
91
+ 1. `npm run release:check` (tests, build, package validate, smokes, **adapter validate all**, audit, pack dry-run)
92
+ 2. `npm run smoke:audit-gate`
93
+ 3. CHANGELOG section for the target version
94
+ 4. Session render or COUNCIL mirror with verification table filled in
95
+
96
+ ## Post-Publish
97
+
98
+ 1. Run `npm run publish:verify` after registry propagation (or confirm Release workflow verification).
99
+ 2. Update `DOGFOOD.md` with publish verification snapshot (no machine paths).
100
+ 3. Mark release items in `ROADMAP.md`.
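Review bot: The Handoffs table in the COUNCIL.md mirror template (new lines 72-76) has no Security Reviewer row, even though "Security-sensitive dependency or publish pipeline changes" is a session trigger on line 14 and the Security review output on line 64 ships pre-filled as `Complete`. Add a Security Reviewer handoff row, and replace the pre-filled `Complete` and `Pass` cells with placeholders so that a pasted, unedited template cannot pass for evidence.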
package/README.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # Agent Skills Next/Supabase Kit
2
2
 
3
+ [![CI](https://github.com/lukey662/agentsandskills/actions/workflows/ci.yml/badge.svg)](https://github.com/lukey662/agentsandskills/actions/workflows/ci.yml)
4
+ [![npm version](https://img.shields.io/npm/v/%40appsforgood%2Fnext-supabase-kit)](https://www.npmjs.com/package/@appsforgood/next-supabase-kit)
5
+ [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/lukey662/agentsandskills/badge)](https://scorecard.dev/viewer/?uri=github.com/lukey662/agentsandskills)
6
+ [![CodeQL](https://github.com/lukey662/agentsandskills/actions/workflows/codeql.yml/badge.svg)](https://github.com/lukey662/agentsandskills/actions/workflows/codeql.yml)
7
+ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
8
+
3
9
  `@appsforgood/next-supabase-kit` installs an agent operating system for Next.js + Supabase projects.
4
10
 
5
11
  It gives agentic coders a default council roster, reusable skills, handoff rules, model-routing guidance, markdown docs, frontend design gates, Supabase/RLS security checks, upgrade workflows, and audit commands.
@@ -14,7 +20,7 @@ It also includes a local Agent Studio workflow: project context, durable human c
14
20
 
15
21
  ## Quick Start
16
22
 
17
- Use this in a Next.js + Supabase project after the public package is available on npm:
23
+ Use this in a Next.js + Supabase project:
18
24
 
19
25
  ```bash
20
26
  npx @appsforgood/next-supabase-kit init --stack next-supabase --setup --open
@@ -33,6 +39,34 @@ npx @appsforgood/next-supabase-kit adapter validate antigravity
33
39
 
34
40
  The installer preserves existing docs. If a file already exists and differs from the template, the new version is written to `.agent-kit/conflicts/` for review.
35
41
 
42
+ ### See It In Action
43
+
44
+ ```text
45
+ $ agent-kit init --stack next-supabase
46
+ agent-kit installed (stack: next-supabase)
47
+ Created (21)
48
+ AGENTS.md
49
+ AGENT_ROSTER.md
50
+ ASSISTANT_ADAPTERS.md
51
+ ...
52
+ .cursor/rules/cursor-agent-kit.mdc
53
+ .agent-kit/agent-roster.json
54
+ .agent-kit/model-routing.json
55
+
56
+ Manifest: .agent-kit/manifest.json
57
+ Next: run agent-kit audit to check readiness.
58
+
59
+ $ agent-kit audit
60
+ READINESS baseline-setup: Agent kit setup is valid, but project-specific
61
+ evidence still needs to replace starter placeholders.
62
+ SUMMARY pass=60 warn=3 fail=0
63
+ NEXT ACTIONS
64
+ - Run agent-kit onboard or agent-kit init --guided so agents can start
65
+ with project-specific context.
66
+ ```
67
+
68
+ Every command accepts `--json` for machine-readable output, and mutating commands (`init`, `update`, `add skill`) accept `--dry-run`. A `vhs` tape for regenerating the animated demo lives at `docs/demo.tape`.
69
+
36
70
  For local development of this repo:
37
71
 
38
72
  ```bash
@@ -63,7 +97,7 @@ Default routing:
63
97
  - Planner handles plans, roadmaps, scope, and ambiguous requests first.
64
98
  - Lead Architect reviews core changes before implementation.
65
99
  - Security Reviewer joins auth, RLS, data mutation, dependency, secret, external-call, and release-risk work.
66
- - Frontend Design Lead owns content-first design, reference-led critique, distinctiveness benchmarking, product-quality scoring, and visual QA.
100
+ - Frontend Design Lead owns content-first design, reference-led critique, distinctiveness benchmarking, product-quality scoring, UI detector severity review, command-based polish/audit loops, and visual QA.
67
101
  - Marketing Copy Lead owns public-facing and conversion-facing copy, positioning, proof, objections, voice, and CTA hierarchy.
68
102
  - QA Engineer verifies behavior changes before completion.
69
103
  - Documentation Maintainer keeps the living markdown current.
@@ -160,7 +194,7 @@ Agent Kit separates the mechanisms that make AI coding repeatable:
160
194
  - Instructions: `AGENTS.md`, assistant adapters, and IDE-specific rule files.
161
195
  - Roster: `.agent-kit/agent-roster.json` chooses agents, workflows, and handoffs.
162
196
  - Skills: `.agent-kit/skills/` keeps specialist workflows reusable.
163
- - Runtime commands: Antigravity `commands/*.toml` expose `/setup`, `/audit`, `/plan`, `/handoff`, `/frontend`, `/security`, `/copy`, `/ship`, and `/upgrade` as native adapter entrypoints.
197
+ - Runtime commands: Antigravity `commands/*.toml` expose `/setup`, `/audit`, `/plan`, `/handoff`, `/frontend`, focused UI improvement commands, `/security`, `/copy`, `/ship`, and `/upgrade` as native adapter entrypoints.
164
198
  - Portable skills: `runtime-skills/*/SKILL.md` wraps canonical `skills/*.md` files for runtimes that discover skill directories.
165
199
  - Model routing: `MODEL_ROUTING.md` and `.agent-kit/model-routing.json` map agents to model profiles.
166
200
  - Messaging: `MESSAGING.md` records audience, pain, outcome, proof, objections, voice, and conversion evidence for public-facing copy.
@@ -189,6 +223,8 @@ Significant UI work should prove:
189
223
 
190
224
  The Frontend Design Lead should reject work that would still look valid for another product after only changing the logo or headline.
191
225
 
226
+ Operational UI improvement workflows live in `.agent-kit/prompts/ui-command-index.md` and ship as Antigravity commands: `/ui-audit`, `/ui-polish`, `/layout-cleanup`, `/responsive-cleanup`, `/accessibility-pass`, `/distinctiveness-pass`, `/screenshot-critique`, and `/browser-qa`. Use `.agent-kit/checklists/ui-detectors.md` for deterministic blocker/major/minor findings and `.agent-kit/checklists/ui-acceptance-rubric.md` for pass/fail decisions. High-risk UI work requires desktop and mobile screenshots plus authenticated or permission-state evidence when the surface is not public.
227
+
192
228
  ## Security Bar
193
229
 
194
230
  The kit treats these as defaults, not optional polish:
@@ -255,7 +291,7 @@ Release expectations:
255
291
  - Dependency Review, CodeQL, OpenSSF Scorecard, Dependabot, SBOM validation, and SBOM attestation.
256
292
  - Post-publish verification with `npm run publish:verify`.
257
293
 
258
- Public release remains gated until the npm scope/package exists, Trusted Publishing is configured, and post-publish `npx` verification succeeds.
294
+ The package is published to public npm under `@appsforgood/next-supabase-kit`. Every release must pass `npm run release:check` before publish and `npm run publish:verify` after (registry visibility, clean `npx` doctor/init/audit). Post-publish verification was last run 2026-07-02 against the live registry: doctor, init, and `audit --min-readiness baseline-setup` all passed with zero failures.
259
295
 
260
296
  ## Repository Health
261
297
 
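Review bot: New line 294 records that post-publish verification "was last run 2026-07-02" but not which version it covered, and the CHANGELOG in this diff adds both 0.1.5 and 0.1.6. Name the verified version, or keep dated results in DOGFOOD.md and link to it from here, so the README does not carry an assurance that goes stale with the next release.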
@@ -31,9 +31,9 @@ Create environment `npm-publish` with:
31
31
  - Required reviewers enabled.
32
32
  - Prevent self-review enabled where available.
33
33
  - Deployment branches restricted to `main` and release events.
34
- - No npm publish token secret for the trusted-publishing flow.
35
- - Any legacy npm token secrets deleted after Trusted Publishing is confirmed.
36
- - Optional fallback: a maintainer npm publish token secret on the `npm-publish` environment when trusted publishing returns 404 on PUT.
34
+ - Preferred path: no npm publish token secret once Trusted Publishing is confirmed for this package.
35
+ - Current fallback: a maintainer npm publish token secret on the release workflow so manual publish dispatch can complete until npm Trusted Publishing is configured.
36
+ - Any fallback npm token secrets deleted after Trusted Publishing is confirmed.
37
37
 
38
38
  The npm trusted publisher must match:
39
39
 
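Review bot: New line 35 moves the fallback token from "on the `npm-publish` environment" (old line 36) to "on the release workflow", which drops the tie to the environment whose required reviewers and branch restrictions are listed just above. Keep the secret scoped to the `npm-publish` environment and say so explicitly, so the fallback publish path stays behind the same approval gate as the trusted-publishing path.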
@@ -66,6 +66,10 @@ Create labels from `.github/labels.yml`. Required label families:
66
66
  - Status: `needs-triage`, `blocked`, `good first issue`, `help wanted`
67
67
  - Risk: `risk: security`, `risk: breaking-change`
68
68
 
69
+ ## GitHub Pages
70
+
71
+ Enable GitHub Pages with source "Deploy from a branch", branch `main`, folder `/docs`. The minimal docs site lives at `docs/index.md` with the `jekyll-theme-minimal` theme configured in `docs/_config.yml`. Update `docs/index.md` when the CLI surface, readiness levels, or quick-start commands change.
72
+
69
73
  ## Review Cadence
70
74
 
71
75
  Review these settings before every public release and after any workflow, release, permission, package, or security-policy change.
package/SUPPLY_CHAIN.md CHANGED
@@ -5,12 +5,12 @@ This package is intended for public npm distribution and downstream project boot
5
5
  ## Publish Identity
6
6
 
7
7
  - Public package: `@appsforgood/next-supabase-kit`.
8
- - Publish path: GitHub Actions release workflow through npm Trusted Publishing.
9
- - Authentication: OIDC trusted publisher, not a long-lived npm automation token.
8
+ - Publish path: GitHub Actions release workflow through npm Trusted Publishing when configured, with a token-backed publish fallback for the current npm package setup.
9
+ - Authentication: prefer OIDC trusted publisher; the fallback uses a scoped npm automation token stored as a GitHub Actions secret.
10
10
  - Environment: `npm-publish`.
11
11
  - Trusted publisher must be scoped to repository `lukey662/agentsandskills`, workflow `release.yml`, and allowed action `npm publish`.
12
12
 
13
- When npm Trusted Publishing is used from a public GitHub repository for a public package, npm generates provenance attestations automatically. The release workflow keeps `id-token: write` for this reason and does not set `NODE_AUTH_TOKEN` for publishing.
13
+ When npm Trusted Publishing is used from a public GitHub repository for a public package, npm generates provenance attestations automatically. Until that package-level publisher is confirmed in npm, the release workflow publishes with the configured secret and `--provenance` so npm still receives GitHub Actions provenance.
14
14
 
15
15
  The release workflow also creates a deterministic package tarball, generates a CycloneDX SBOM from `package-lock.json`, uploads the tarball, SBOM, and pack metadata as release evidence, and attests the SBOM against the exact tarball path that is published to npm.
16
16
 
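Review bot: New line 9 describes the fallback as a "scoped npm automation token", while the Maintainer Rules in this file forbid "bypass-2FA npm publish tokens for automation"; npm's automation token type is the one that skips 2FA on publish, so the two statements conflict as worded. Name the exact token type and its scope and reconcile it with that rule. Since the sentence saying the workflow "does not set `NODE_AUTH_TOKEN`" was removed on line 13, also state how the secret now reaches `npm publish`.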
@@ -47,9 +47,9 @@ The release workflow and `npm run publish:verify` both use `scripts/post-publish
47
47
 
48
48
  ## Maintainer Rules
49
49
 
50
- - Do not use bypass-2FA npm publish tokens for automation.
50
+ - Do not use bypass-2FA npm publish tokens for automation; any fallback token must be scoped for package publishing and stored only as a GitHub Actions secret.
51
51
  - Do not publish from unreviewed branches or untrusted workflow changes.
52
52
  - Treat workflow edits as release-risk changes requiring security and maintainer review.
53
- - Rotate and delete legacy publish secrets after Trusted Publishing is confirmed.
53
+ - Rotate and delete fallback publish secrets after Trusted Publishing is confirmed.
54
54
  - Keep package contents free of secrets, private downstream data, and copied third-party source.
55
55
  - Keep SBOM generation and attestation in the shared release path; do not publish an unattested tarball when the workflow is available.
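Review bot: New lines 50 and 53 allow a fallback publish token and ask for it to be deleted "after Trusted Publishing is confirmed", but give no expiry, no owner, and no check that the removal happens. Add a maximum token lifetime and a named owner to these rules, and list the token's removal as an item in the settings review that precedes each public release.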
package/UPGRADE.md CHANGED
@@ -78,4 +78,5 @@ Keep rollback evidence next to the upgrade:
78
78
  | Date | From | To | Scope | Evidence | Owner |
79
79
  | --- | --- | --- | --- | --- | --- |
80
80
  | 2026-06-14 | TypeScript 5 / Node 22 types | TypeScript 6 / Node 25 types | Dev dependency update for package validation and CI parity | `npm run typecheck`, `npm test`, `npm audit --audit-level=moderate` | Maintainers |
81
- | TBD | TBD | TBD | TBD | TBD | TBD |
81
+ | 2026-06 | 0.1.0 | 0.1.1 | Package rename to `@appsforgood/next-supabase-kit`, harness readiness gates, adapter install on init, publish prep | `CHANGELOG.md` 0.1.1 entry, `npm run release:check` green, commit `37e1a0f` | lukey662 |
82
+ | 2026-07-02 | none | 0.1.1 (self-install) | Dogfooded the kit into this repo's own root: `agent-kit init` installed root docs, `.agent-kit/`, and confirmed the Cursor rules' referenced files exist | `.agent-kit/manifest.json`, `agent-kit audit` zero failures, `COUNCIL.md` 2026-07-02 session | lukey662 |
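Review bot: The self-install row (new line 82) cites `.agent-kit/manifest.json` and a `COUNCIL.md` session as evidence, but DOGFOOD.md and MAINTAINER_RELEASE.md in this same diff describe `.agent-kit/` and the root `COUNCIL.md` overlay as gitignored, so readers of the repo or the package cannot inspect either. Point the Evidence column at a tracked artifact such as the DOGFOOD.md 2026-07-02 entry, a CI run, or a commit, and give the 0.1.0 to 0.1.1 row (line 81) a full date like the other rows.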
@@ -0,0 +1,16 @@
1
+ name = "accessibility-pass"
2
+ description = "Run a WCAG 2.1 AA-oriented UI pass for semantics, keyboard flow, focus, labels, contrast, and motion."
3
+
4
+ prompt = """
5
+ Run the accessibility pass workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/skills/accessibility-wcag.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Check semantics, headings, landmarks, forms, labels, tables, buttons, and ARIA use.
11
+ 2. Check keyboard navigation, visible focus, tab order, escape/close behavior, and skip path when applicable.
12
+ 3. Check contrast, reduced motion, error association, touch targets, and status announcements.
13
+ 4. Keep accessibility checks separate from visual-only approval.
14
+
15
+ Required outputs: accessibility findings by severity, fixes made or proposed, skipped checks, test evidence, remaining risks.
16
+ """
@@ -0,0 +1,18 @@
1
+ name = "browser-qa"
2
+ description = "Run a live browser QA loop with desktop, mobile, state, and authenticated screen evidence."
3
+
4
+ prompt = """
5
+ Run the live browser QA workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, .agent-kit/prompts/screenshot-review.md, .agent-kit/prompts/visual-qa-plan.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Start or identify the dev/preview server and target routes.
11
+ 2. Open the target with required auth, role, tenant, and data state.
12
+ 3. Capture desktop and mobile screenshots.
13
+ 4. Run detector, screenshot critique, accessibility pass, and responsive cleanup.
14
+ 5. Apply scoped fixes and repeat until no blockers remain and major findings are fixed or documented.
15
+ 6. Record evidence with agent-kit session output when Agent Studio is in use.
16
+
17
+ Required outputs: route, auth state, commands run, screenshots, detector results, fixes, final verdict.
18
+ """
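Review bot: Steps 2, 3 and 6 have the agent open the target "with required auth, role, tenant, and data state", capture screenshots, and record them as session evidence, with no constraint on which environment or account is used or on what ends up in the captures. State that the loop runs against a local or preview server with test accounts and fixture data, that credentials and session tokens are never written into the "commands run" or "auth state" outputs, and that screenshots showing real user or tenant data are redacted or not recorded. Step 5's "repeat until no blockers remain" also has no iteration limit or stop condition for a fix that cannot be made in scope.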
@@ -0,0 +1,16 @@
1
+ name = "distinctiveness-pass"
2
+ description = "Check that UI is product-specific, source-safe, and not generic SaaS or AI-site styling."
3
+
4
+ prompt = """
5
+ Run the visual distinctiveness pass workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, MESSAGING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/skills/frontend-distinctiveness-benchmark.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Compare the first viewport to product category, audience, workflow, and content fingerprint.
11
+ 2. Confirm references were translated into lessons without copying source layouts, copy, assets, or brand marks.
12
+ 3. Identify fake metrics, vague claims, abstract filler, interchangeable card stacks, and generic visual tropes.
13
+ 4. Re-score distinctiveness and product quality where significant UI work is involved.
14
+
15
+ Required outputs: product-specific evidence, generic-risk findings, source-safety notes, required changes, final distinctiveness verdict.
16
+ """
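Review bot: Step 4 says "Re-score distinctiveness and product quality", which presupposes an earlier score, but no step records a baseline and the required outputs carry only a "final distinctiveness verdict". Either add a baseline score to step 1 and to the outputs, or change the wording to "Score". Step 2's source-safety check would also be easier to audit if the outputs listed the references consulted, not only "source-safety notes".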
@@ -4,14 +4,15 @@ description = "Route frontend work through content-first design, accessibility,
4
4
  prompt = """
5
5
  Run the frontend-change workflow.
6
6
 
7
- Canonical sources: DESIGN.md, STYLE_GUIDE.md, MESSAGING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/design-briefs/, .agent-kit/prompts/screenshot-review.md, and .agent-kit/skills/frontend-design-system.md.
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, MESSAGING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/design-briefs/, .agent-kit/prompts/screenshot-review.md, .agent-kit/prompts/ui-command-index.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, .agent-kit/skills/frontend-design-system.md, and .agent-kit/skills/ui-improvement-harness.md.
8
8
 
9
9
  Workflow:
10
10
  1. Start with Frontend Design Lead before implementation.
11
11
  2. Confirm brand/content intake, user needs, real content, creative direction, references, anti-references, and source-safety notes.
12
12
  3. Require distinctiveness benchmark and product-quality scorecard for significant UI.
13
- 4. Preserve WCAG 2.1 AA, keyboard flow, responsive states, and loading/error/empty/success states.
14
- 5. Record visual QA and accessibility evidence with `agent-kit session output`.
13
+ 4. Apply the UI improvement command index when auditing, polishing, cleaning layout, reviewing screenshots, or running browser QA.
14
+ 5. Preserve WCAG 2.1 AA, keyboard flow, responsive states, and loading/error/empty/success states.
15
+ 6. Record UI detector findings, visual QA, and accessibility evidence with `agent-kit session output`.
15
16
 
16
- Required outputs: design direction, reference evidence, product-specific UI rationale, state coverage, accessibility checks, desktop/mobile visual QA.
17
+ Required outputs: design direction, reference evidence, product-specific UI rationale, UI detector findings, state coverage, accessibility checks, desktop/mobile visual QA, authenticated screen evidence when applicable.
17
18
  """
@@ -0,0 +1,16 @@
1
+ name = "layout-cleanup"
2
+ description = "Clean crowded layouts, weak hierarchy, card nesting, overflow, and inconsistent spacing."
3
+
4
+ prompt = """
5
+ Run the layout cleanup workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Identify primary task, secondary tasks, content hierarchy, and target viewport range.
11
+ 2. Remove unnecessary nesting, repeated surfaces, card-within-card patterns, arbitrary dividers, and workflow-obscuring decoration.
12
+ 3. Normalize spacing, grouping, alignment, heading scale, and responsive containers.
13
+ 4. Verify text fit, truncation, overlap, and horizontal overflow on desktop and mobile.
14
+
15
+ Required outputs: layout findings, cleanup actions, preserved workflow, desktop/mobile evidence, remaining layout risks.
16
+ """
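Review bot: Step 2 removes nesting, surfaces and dividers, and the outputs promise a "preserved workflow", but no step tells the agent what must not change. The ui-polish command added in this same release has an explicit "Preserve product behavior, auth boundaries, copy claims, data contracts, and existing component patterns" step; add the same constraint here so that structural removals are held to the same limits as polish changes.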
@@ -0,0 +1,16 @@
1
+ name = "responsive-cleanup"
2
+ description = "Verify and repair mobile and responsive UI behavior with required desktop and mobile evidence."
3
+
4
+ prompt = """
5
+ Run the responsive cleanup workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Review mobile width, desktop width, and project-specific breakpoint assumptions.
11
+ 2. Verify tap targets, text fit, navigation, primary action visibility, sticky UI, scroll behavior, and viewport-safe spacing.
12
+ 3. Verify relevant loading, empty, error, disabled, success, permission, and focus states on mobile.
13
+ 4. Capture or request desktop and mobile screenshots before acceptance.
14
+
15
+ Required outputs: viewports checked, responsive findings, fixes made or proposed, screenshots, remaining risks.
16
+ """
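Review bot: Step 3 verifies loading, empty, error, disabled, success, permission and focus states on mobile, but `Required outputs` has no entry for state coverage, so a state that was skipped leaves no trace. Add "states checked and skipped" to the outputs. Step 4's "Capture or request" also lets the pass finish with screenshots only requested; say whether acceptance is blocked until they exist.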
@@ -0,0 +1,16 @@
1
+ name = "screenshot-critique"
2
+ description = "Critique desktop, mobile, state, and authenticated screenshots against design and detector rules."
3
+
4
+ prompt = """
5
+ Run the screenshot critique workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, .agent-kit/prompts/screenshot-review.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Name each screenshot, viewport, route, auth state, data state, and UI state.
11
+ 2. Run screenshot review, detector checklist, and accessibility risk scan.
12
+ 3. Compare against DESIGN.md, STYLE_GUIDE.md, and selected creative direction.
13
+ 4. Return concrete fixes and missing screenshot evidence.
14
+
15
+ Required outputs: screenshot inventory, blockers, high-value fixes, accepted areas, missing screenshots, release verdict.
16
+ """
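Review bot: The description covers authenticated screenshots and step 1 records auth state and data state for each one, yet the checks in step 2 (screenshot review, detector checklist, accessibility risk scan) include nothing about sensitive content in the image itself. Add a check that flags visible credentials, tokens, or real user data as a blocker before the screenshot is kept as release evidence.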
@@ -0,0 +1,17 @@
1
+ name = "ui-audit"
2
+ description = "Run a deterministic UI audit with severity-based detector findings and release evidence."
3
+
4
+ prompt = """
5
+ Run the UI audit workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Identify target route, component, workflow, auth state, data state, and risk tier.
11
+ 2. Load product/design context and relevant design brief.
12
+ 3. Review desktop and mobile evidence, or state which evidence must still be captured.
13
+ 4. Run the UI detector checklist and classify blockers, majors, minors, passes, and not-applicable items.
14
+ 5. Return required fixes, accepted exceptions, preserved capabilities, and pass/fail verdict.
15
+
16
+ Required outputs: target surface, risk tier, detector findings by severity, missing evidence, release verdict.
17
+ """
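Review bot: Step 3 allows the audit to proceed with evidence that "must still be captured", and step 5 still returns a "pass/fail verdict", so a pass can be issued on missing evidence. Require the verdict to be fail or incomplete while the "missing evidence" output is non-empty. The description also calls the audit "deterministic", but the steps are checklist judgments made by the agent; either drop the word or state in the prompt what makes two runs comparable.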
@@ -0,0 +1,17 @@
1
+ name = "ui-polish"
2
+ description = "Improve UI hierarchy, spacing, state feedback, and visual finish through detector-guided polish."
3
+
4
+ prompt = """
5
+ Run the UI polish workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Start from detector findings, screenshots, or a named target surface.
11
+ 2. Preserve product behavior, auth boundaries, copy claims, data contracts, and existing component patterns.
12
+ 3. Improve hierarchy, spacing, density, alignment, component states, and interaction feedback.
13
+ 4. Remove decorative clutter and generic SaaS or AI-site defaults.
14
+ 5. Re-run detector and screenshot critique after the scoped polish pass.
15
+
16
+ Required outputs: polish goals, changes made or proposed, detector deltas, screenshot evidence, residual risks.
17
+ """
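Review bot: Step 2 asks the agent to preserve "product behavior, auth boundaries, copy claims, data contracts", but no step verifies it and `Required outputs` has no entry for it, unlike ui-audit, whose step 5 returns "preserved capabilities". Add a step that runs the existing tests after the polish pass, and an output listing what was confirmed unchanged, with auth boundaries named explicitly.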
@@ -21,6 +21,14 @@
21
21
  { "name": "plan", "path": "commands/plan.toml" },
22
22
  { "name": "handoff", "path": "commands/handoff.toml" },
23
23
  { "name": "frontend", "path": "commands/frontend.toml" },
24
+ { "name": "ui-audit", "path": "commands/ui-audit.toml" },
25
+ { "name": "ui-polish", "path": "commands/ui-polish.toml" },
26
+ { "name": "layout-cleanup", "path": "commands/layout-cleanup.toml" },
27
+ { "name": "responsive-cleanup", "path": "commands/responsive-cleanup.toml" },
28
+ { "name": "accessibility-pass", "path": "commands/accessibility-pass.toml" },
29
+ { "name": "distinctiveness-pass", "path": "commands/distinctiveness-pass.toml" },
30
+ { "name": "screenshot-critique", "path": "commands/screenshot-critique.toml" },
31
+ { "name": "browser-qa", "path": "commands/browser-qa.toml" },
24
32
  { "name": "security", "path": "commands/security.toml" },
25
33
  { "name": "copy", "path": "commands/copy.toml" },
26
34
  { "name": "ship", "path": "commands/ship.toml" },
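Review bot: The eight new command entries are maintained by hand with relative `commands/*.toml` paths, and nothing in this hunk guards against a manifest `name` that differs from the `name` field inside the referenced file, or a `path` that does not ship in the package. Add a release check that resolves every `path` in this manifest and compares the names, so a typo is caught before publish.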
@@ -38,6 +46,7 @@
38
46
  { "name": "frontend-distinctiveness-benchmark", "path": "../runtime-skills/frontend-distinctiveness-benchmark/SKILL.md" },
39
47
  { "name": "frontend-product-quality-rubric", "path": "../runtime-skills/frontend-product-quality-rubric/SKILL.md" },
40
48
  { "name": "landing-page-copy", "path": "../runtime-skills/landing-page-copy/SKILL.md" },
49
+ { "name": "ui-improvement-harness", "path": "../runtime-skills/ui-improvement-harness/SKILL.md" },
41
50
  { "name": "nextjs-app-router", "path": "../runtime-skills/nextjs-app-router/SKILL.md" },
42
51
  { "name": "onboarding-empty-state-copy", "path": "../runtime-skills/onboarding-empty-state-copy/SKILL.md" },
43
52
  { "name": "owasp-security-review", "path": "../runtime-skills/owasp-security-review/SKILL.md" },
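Review bot: The `ui-improvement-harness` entry is inserted between `landing-page-copy` and `nextjs-app-router`, which breaks the alphabetical order the surrounding skill entries follow; move it to its sorted position. The manifest path is `../runtime-skills/ui-improvement-harness/SKILL.md`, while the new command prompts cite `.agent-kit/skills/ui-improvement-harness.md`; confirm that both locations are populated on install, or the prompts will point at a file the plugin does not provide.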