@appsforgood/next-supabase-kit 0.1.5 → 0.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (47) hide show
  1. package/CHANGELOG.md +12 -0
  2. package/DOGFOOD.md +40 -0
  3. package/README.md +246 -43
  4. package/REPOSITORY_SETTINGS.md +7 -3
  5. package/SUPPLY_CHAIN.md +5 -5
  6. package/UPGRADE.md +2 -1
  7. package/antigravity/commands/accessibility-pass.toml +16 -0
  8. package/antigravity/commands/browser-qa.toml +18 -0
  9. package/antigravity/commands/distinctiveness-pass.toml +16 -0
  10. package/antigravity/commands/frontend.toml +5 -4
  11. package/antigravity/commands/layout-cleanup.toml +16 -0
  12. package/antigravity/commands/responsive-cleanup.toml +16 -0
  13. package/antigravity/commands/review.toml +16 -0
  14. package/antigravity/commands/screenshot-critique.toml +16 -0
  15. package/antigravity/commands/spec.toml +17 -0
  16. package/antigravity/commands/test.toml +17 -0
  17. package/antigravity/commands/ui-audit.toml +17 -0
  18. package/antigravity/commands/ui-polish.toml +17 -0
  19. package/antigravity/plugin.json +13 -1
  20. package/assistant-adapters/antigravity.md +7 -0
  21. package/checklists/ui-acceptance-rubric.md +58 -0
  22. package/checklists/ui-detectors.md +75 -0
  23. package/dist/index.js +796 -458
  24. package/dist/index.js.map +1 -1
  25. package/dist/studio/office/assets/office.css +109 -28
  26. package/dist/studio/office/assets/office.js +14 -63
  27. package/dist/studio/wizard/assets/wizard.css +105 -26
  28. package/dist/studio/wizard/assets/wizard.js +22 -85
  29. package/examples/next-supabase-installed/.agent-kit/agent-roster.json +53 -14
  30. package/examples/next-supabase-installed/.agent-kit/manifest.json +12 -12
  31. package/examples/next-supabase-installed/audit-output.json +380 -375
  32. package/package.json +21 -5
  33. package/prompts/lifecycle-command-index.md +180 -0
  34. package/prompts/ui-command-index.md +124 -0
  35. package/rosters/next-supabase-default-council.json +53 -14
  36. package/runtime-skills/ui-improvement-harness/SKILL.md +12 -0
  37. package/skills/ui-improvement-harness.md +96 -0
  38. package/templates/next-supabase/AGENT_ROSTER.md +6 -3
  39. package/templates/next-supabase/ASSISTANT_ADAPTERS.md +3 -1
  40. package/templates/next-supabase/DECISIONS.md +14 -0
  41. package/templates/next-supabase/DESIGN.md +3 -0
  42. package/templates/next-supabase/DOCS.md +5 -1
  43. package/templates/next-supabase/QUALITY_GATES.md +4 -2
  44. package/templates/next-supabase/SKILLS.md +14 -0
  45. package/templates/next-supabase/SPEC.md +5 -1
  46. package/templates/next-supabase/STYLE_GUIDE.md +3 -1
  47. package/templates/next-supabase/TESTING.md +4 -0
package/CHANGELOG.md CHANGED
@@ -1,5 +1,17 @@
1
1
  # Changelog
2
2
 
3
+ ## 0.1.7
4
+
5
+ - Added **Workflow Commands** section to README and docs site: lifecycle diagram, 12 core + 8 UI slash commands, council table, skills-by-phase grouping, and explicit separation from package CLI commands.
6
+ - Added `prompts/lifecycle-command-index.md` as the canonical delivery lifecycle command index (parallel to `prompts/ui-command-index.md`).
7
+ - Added Antigravity native commands `/spec`, `/test`, and `/review` (20 total runtime commands) with roster `testing` and `code-review` workflows.
8
+ - Added "How skills work" guidance to `SKILLS.md` and updated assistant adapter docs for lifecycle command discoverability.
9
+
10
+ ## 0.1.6
11
+
12
+ - Added a repo-native UI improvement harness with command-style prompts, deterministic detector checklist, acceptance rubric, portable runtime skill, and focused Antigravity UI commands.
13
+ - Wired UI audit, polish, layout cleanup, responsive cleanup, accessibility, distinctiveness, screenshot critique, and browser QA workflows into roster routing, docs, templates, package validation, and example snapshots.
14
+
3
15
  ## 0.1.5
4
16
 
5
17
  - Added computed **Agentic Engineering Level** (L3–L6) in Agent Office and setup wizard: iceberg strip, climb checklist, `/api/state` payload, and `POST /api/agentic-level/refresh`.
package/DOGFOOD.md CHANGED
@@ -34,6 +34,32 @@ Mode: read-only audit; no downstream files were modified.
34
34
  - Assistant adapters and upgrade lifecycle still need real activation/dogfood evidence after publication.
35
35
  - Reference-led design critique still needs a real UI change dogfood pass with screenshots or equivalent visual evidence.
36
36
 
37
+ ## 2026-07-04 Publish @0.1.7 Snapshot
38
+
39
+ Date: 2026-07-04
40
+ CLI source: public npm registry `@appsforgood/next-supabase-kit@0.1.7`
41
+
42
+ - Published `@appsforgood/next-supabase-kit@0.1.7` with lifecycle README commands, `/spec`/`/test`/`/review` Antigravity adapters, and `prompts/lifecycle-command-index.md`.
43
+ - Post-publish: `npm run publish:verify` against live registry.
44
+
45
+ ## 2026-07-04 Publish @0.1.6 Snapshot
46
+
47
+ Date: 2026-07-04
48
+ CLI source: public npm registry `@appsforgood/next-supabase-kit@0.1.6`
49
+ Mode: local maintainer publish (token) after `npm run release:check`, then `npm run publish:verify`.
50
+
51
+ - Published `@appsforgood/next-supabase-kit@0.1.6` to public npm (local token publish with `--provenance=false`; CI releases continue to use OIDC + provenance).
52
+ - `npm run publish:verify` passed: registry visibility confirmed, `npx` doctor ok, clean temp `init` installed current baseline assets, and `audit --json --min-readiness baseline-setup` returned 0 failures (67 pass / 4 warn / readiness `baseline-setup`).
53
+
54
+ ## 2026-07-02 Publish Verification And Self-Install Snapshot
55
+
56
+ Date: 2026-07-02
57
+ CLI source: public npm registry (`@appsforgood/next-supabase-kit`, published) plus local `src/` for the self-install.
58
+ Mode: post-publish verification against the live registry, and dogfooding the kit into this repo's own root.
59
+
60
+ - `node scripts/post-publish-verify.mjs` against the published package passed: registry visibility confirmed, `npx` doctor ok, clean temp `init` installed 23 files, and `audit --json --min-readiness baseline-setup` returned 0 failures (readiness `baseline-setup`).
61
+ - This repo now dogfoods its own kit at the root: `agent-kit init` installed the root docs, `.agent-kit/`, and Cursor rules; project context, council session, and overrides were filled with real evidence; `agent-kit audit --min-readiness best-practice-candidate` passes with 0 warnings and 0 failures.
62
+
37
63
  ## 2026-06-07 Agent Studio Dogfood Snapshot
38
64
 
39
65
  Date: 2026-06-07
@@ -134,3 +160,17 @@ Policy: **gitignored local overlay + bootstrap script** (not committed to kit so
134
160
  | Rationale | Kit source stays in `templates/` and tracked maintainer docs; overlay proves Tier B activation without polluting commit history |
135
161
 
136
162
  This policy closes the gap where the kit shipped Level 5 IDE surfaces but BaseRepo maintainers operated at Level 4 day-to-day.
163
+
164
+ ## 2026-07-04 - Lifecycle Commands README Parity
165
+
166
+ Date: 2026-07-04
167
+ Scope: README/docs discoverability + three new Antigravity adapters
168
+
169
+ | Item | Detail |
170
+ | --- | --- |
171
+ | README | Added **Workflow Commands** section: lifecycle diagram, 12 core + 8 UI slash commands, council table, skills-by-phase, skill activation narrative |
172
+ | Canonical index | `prompts/lifecycle-command-index.md` for delivery commands (parallel to `prompts/ui-command-index.md`) |
173
+ | New adapters | `/spec`, `/test`, `/review` in `antigravity/commands/` (20 total native commands) |
174
+ | Roster | `testing` and `code-review` workflows; planning triggers for spec keywords |
175
+ | Out of scope | `/build`, `/webperf`, `/code-simplify`, `/build auto` — documented as future orchestration |
176
+ | Verification | `npm test`, `agent-kit adapter validate antigravity` after build |
package/README.md CHANGED
@@ -1,5 +1,11 @@
1
1
  # Agent Skills Next/Supabase Kit
2
2
 
3
+ [![CI](https://github.com/lukey662/agentsandskills/actions/workflows/ci.yml/badge.svg)](https://github.com/lukey662/agentsandskills/actions/workflows/ci.yml)
4
+ [![npm version](https://img.shields.io/npm/v/%40appsforgood%2Fnext-supabase-kit)](https://www.npmjs.com/package/@appsforgood/next-supabase-kit)
5
+ [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/lukey662/agentsandskills/badge)](https://scorecard.dev/viewer/?uri=github.com/lukey662/agentsandskills)
6
+ [![CodeQL](https://github.com/lukey662/agentsandskills/actions/workflows/codeql.yml/badge.svg)](https://github.com/lukey662/agentsandskills/actions/workflows/codeql.yml)
7
+ [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
8
+
3
9
  `@appsforgood/next-supabase-kit` installs an agent operating system for Next.js + Supabase projects.
4
10
 
5
11
  It gives agentic coders a default council roster, reusable skills, handoff rules, model-routing guidance, markdown docs, frontend design gates, Supabase/RLS security checks, upgrade workflows, and audit commands.
@@ -14,10 +20,10 @@ It also includes a local Agent Studio workflow: project context, durable human c
14
20
 
15
21
  ## Quick Start
16
22
 
17
- Use this in a Next.js + Supabase project after the public package is available on npm:
23
+ Use this in a Next.js + Supabase project (latest: **v0.1.7** on npm):
18
24
 
19
25
  ```bash
20
- npx @appsforgood/next-supabase-kit init --stack next-supabase --setup --open
26
+ npx @appsforgood/next-supabase-kit@0.1.7 init --stack next-supabase --setup --open
21
27
  npx @appsforgood/next-supabase-kit audit
22
28
  npx @appsforgood/next-supabase-kit audit --min-readiness baseline-setup
23
29
  ```
@@ -27,12 +33,45 @@ After install, the **Agent Office** setup view teaches agents about your project
27
33
  ```bash
28
34
  npx @appsforgood/next-supabase-kit setup --open
29
35
  npx @appsforgood/next-supabase-kit setup --status
30
- npx @appsforgood/next-supabase-kit init --activate antigravity
31
- npx @appsforgood/next-supabase-kit adapter validate antigravity
36
+ ```
37
+
38
+ Promote IDE/runtime adapters after install:
39
+
40
+ ```bash
41
+ npx @appsforgood/next-supabase-kit init --activate cursor --activate antigravity
42
+ npx @appsforgood/next-supabase-kit adapter validate all
32
43
  ```
33
44
 
34
45
  The installer preserves existing docs. If a file already exists and differs from the template, the new version is written to `.agent-kit/conflicts/` for review.
35
46
 
47
+ ### See It In Action
48
+
49
+ ```text
50
+ $ agent-kit init --stack next-supabase
51
+ agent-kit installed (stack: next-supabase)
52
+ Created (21)
53
+ AGENTS.md
54
+ AGENT_ROSTER.md
55
+ ASSISTANT_ADAPTERS.md
56
+ ...
57
+ .cursor/rules/cursor-agent-kit.mdc
58
+ .agent-kit/agent-roster.json
59
+ .agent-kit/model-routing.json
60
+
61
+ Manifest: .agent-kit/manifest.json
62
+ Next: run agent-kit audit to check readiness.
63
+
64
+ $ agent-kit audit
65
+ READINESS baseline-setup: Agent kit setup is valid, but project-specific
66
+ evidence still needs to replace starter placeholders.
67
+ SUMMARY pass=60 warn=3 fail=0
68
+ NEXT ACTIONS
69
+ - Run agent-kit onboard or agent-kit init --guided so agents can start
70
+ with project-specific context.
71
+ ```
72
+
73
+ Every command accepts `--json` for machine-readable output, and mutating commands (`init`, `update`, `add skill`) accept `--dry-run`. A `vhs` tape for regenerating the animated demo lives at `docs/demo.tape`.
74
+
36
75
  For local development of this repo:
37
76
 
38
77
  ```bash
@@ -44,6 +83,83 @@ npm run release:check
44
83
 
45
84
  `npm run release:check` is the main pre-release proof command. It typechecks, tests, builds, install-smokes the package, checks examples, runs dependency audit, validates SBOM generation, and dry-runs packaging.
46
85
 
86
+ ## Workflow Commands
87
+
88
+ Twenty slash commands map to the delivery lifecycle. Each one activates the right council agents and skills automatically. Use them in Antigravity after `init --activate antigravity`, or as prompt prefixes in any IDE. Canonical workflow steps live in `.agent-kit/prompts/lifecycle-command-index.md` (delivery) and `.agent-kit/prompts/ui-command-index.md` (UI polish).
89
+
90
+ ```text
91
+ SETUP → SPEC/PLAN → BUILD → VERIFY → REVIEW → SHIP
92
+ ```
93
+
94
+ **Workflow commands** (`/setup`, `/spec`, …) are runtime adapters. **Package CLI** commands (`agent-kit init`, `audit`, `session`, …) are documented under [CLI Reference](#cli-reference) below. Cursor loads rules and skills from `init`; Antigravity gets native slash commands from `init --activate antigravity`. See `ASSISTANT_ADAPTERS.md` for per-IDE setup.
95
+
96
+ ### Core lifecycle commands
97
+
98
+ | What you're doing | Command | Key principle | Skills / council |
99
+ | --- | --- | --- | --- |
100
+ | Onboard project context | `/setup` | Context before code | Agent Office, project-context |
101
+ | Define what to build | `/spec` | Spec before code | Planner, docs-maintainer |
102
+ | Plan how to build it | `/plan` | Council before implementation | planning-council, lead-architect |
103
+ | Route between agents | `/handoff` | Explicit handoffs | agent-handoff-tracing |
104
+ | Build frontend/UI | `/frontend` | Content-first design | frontend-design-lead skills |
105
+ | Check kit readiness | `/audit` | Evidence before claims | best-practice-maturity-review |
106
+ | Prove behavior | `/test` | Tests are proof | testing-qa, qa-engineer |
107
+ | Review before merge | `/review` | Improve code health | qa-engineer + security-reviewer |
108
+ | Security signoff | `/security` | RLS at the boundary | owasp-security-review, supabase-auth-rls |
109
+ | Public copy | `/copy` | Proof before publish | marketing-copy-lead |
110
+ | Ship release | `/ship` | Faster is safer | deployment-observability, release gates |
111
+ | Upgrade kit/deps | `/upgrade` | Diff before overwrite | upgrade-maintenance |
112
+
113
+ ### UI harness commands
114
+
115
+ Focused UI improvement commands. Full steps: `.agent-kit/prompts/ui-command-index.md`.
116
+
117
+ | What you're doing | Command | Key principle |
118
+ | --- | --- | --- |
119
+ | Audit UI before release | `/ui-audit` | Detect before ship |
120
+ | Improve visual quality | `/ui-polish` | Scope-safe polish |
121
+ | Repair layout structure | `/layout-cleanup` | Hierarchy over decoration |
122
+ | Fix responsive behavior | `/responsive-cleanup` | Mobile is not an afterthought |
123
+ | WCAG 2.1 AA pass | `/accessibility-pass` | Keyboard and contrast matter |
124
+ | Prove product distinctiveness | `/distinctiveness-pass` | Not interchangeable SaaS |
125
+ | Critique screenshots | `/screenshot-critique` | Evidence over opinion |
126
+ | Live browser QA loop | `/browser-qa` | Measure in the real UI |
127
+
128
+ Skills activate from task keywords and roster `defaultFor` tags—for example, schema/RLS work routes to **Supabase/Postgres Engineer** with `supabase-auth-rls` and `postgres-migrations`; App Router work routes to **Next.js Engineer** with `nextjs-app-router`. See `SKILLS.md` and `.agent-kit/agent-roster.json`.
129
+
130
+ ### Council
131
+
132
+ | Agent | Owns | Key skills |
133
+ | --- | --- | --- |
134
+ | Planner | Scope, roadmap, ambiguous requests | planning-council, agent-handoff-tracing |
135
+ | Lead Architect | Core and cross-layer changes | nextjs-app-router, supabase-auth-rls, owasp-security-review |
136
+ | Supabase/Postgres Engineer | Schema, migrations, RLS, auth | supabase-auth-rls, postgres-migrations |
137
+ | Next.js Engineer | App Router, Server Actions, UI state | nextjs-app-router, frontend-design-system |
138
+ | Frontend Design Lead | Design gates, visual QA, anti-generic UI | content-first-design, ui-improvement-harness |
139
+ | Marketing Copy Lead | Positioning, conversion copy, CTAs | positioning-messaging, conversion-copywriting |
140
+ | Security Reviewer | OWASP, auth boundaries, secrets | owasp-security-review, supabase-auth-rls |
141
+ | QA Engineer | Tests, regression, acceptance evidence | testing-qa, visual-regression-qa |
142
+ | Documentation Maintainer | Living docs, spec, decisions | docs-maintainer, planning-council |
143
+ | Deployment/Observability Engineer | Release, rollback, monitoring | deployment-observability |
144
+
145
+ ### Skills by lifecycle phase
146
+
147
+ Full skill list: `SKILLS.md`.
148
+
149
+ **Define:** planning-council, agent-handoff-tracing, best-practice-maturity-review, docs-maintainer
150
+
151
+ **Build:** nextjs-app-router, supabase-auth-rls, postgres-migrations, content-first-design, frontend-design-system, ui-improvement-harness, positioning-messaging
152
+
153
+ **Verify:** testing-qa, visual-regression-qa, owasp-security-review, accessibility-wcag, reference-led-design-critique, frontend-product-quality-rubric
154
+
155
+ **Ship:** deployment-observability, upgrade-maintenance
156
+
157
+ ### How skills work
158
+
159
+ - **Canonical skills** live in `.agent-kit/skills/` as markdown checklists agents load for a task type.
160
+ - **Runtime wrappers** in `runtime-skills/*/SKILL.md` expose the same content to Antigravity and other skill-directory runtimes.
161
+ - **Roster routing** in `.agent-kit/agent-roster.json` maps `defaultFor` keywords and workflows to agents and their default skill sets—slash commands and natural-language requests both use the same contract.
162
+
47
163
  ## How Agentic Coders Should Use It
48
164
 
49
165
  Start with the installed files:
@@ -63,29 +179,142 @@ Default routing:
63
179
  - Planner handles plans, roadmaps, scope, and ambiguous requests first.
64
180
  - Lead Architect reviews core changes before implementation.
65
181
  - Security Reviewer joins auth, RLS, data mutation, dependency, secret, external-call, and release-risk work.
66
- - Frontend Design Lead owns content-first design, reference-led critique, distinctiveness benchmarking, product-quality scoring, and visual QA.
182
+ - Frontend Design Lead owns content-first design, reference-led critique, distinctiveness benchmarking, product-quality scoring, UI detector severity review, command-based polish/audit loops, and visual QA.
67
183
  - Marketing Copy Lead owns public-facing and conversion-facing copy, positioning, proof, objections, voice, and CTA hierarchy.
68
184
  - QA Engineer verifies behavior changes before completion.
69
185
  - Documentation Maintainer keeps the living markdown current.
70
186
 
71
187
  For meaningful multi-agent work, record the decision, risk, next handoff, required outputs, and verification evidence in `COUNCIL.md` or `.agent-kit/council-sessions/*.json`.
72
188
 
73
- For local Agent Studio sessions, use:
189
+ ## CLI Reference
190
+
191
+ Every command accepts `--json` for machine-readable output. Mutating commands (`init`, `update`, `add skill`, `correction apply`) also accept `--dry-run`.
192
+
193
+ ### Install and upgrade
194
+
195
+ | Command | Purpose |
196
+ | --- | --- |
197
+ | `init` | Install docs, roster, skills, schemas, Cursor rules, and project context |
198
+ | `diff` | Compare local docs against bundled templates |
199
+ | `update` | Hash-aware upgrade: pristine docs refresh, local edits kept, conflicts for review |
200
+ | `add skill <name>` | Copy one skill into `.agent-kit/skills/` |
201
+ | `onboard` | Print the recommended first-run checklist |
74
202
 
75
203
  ```bash
76
- agent-kit setup
77
- agent-kit init --guided
204
+ agent-kit init --stack next-supabase --guided --dry-run
205
+ agent-kit init --activate cursor --activate codex --no-setup
206
+ agent-kit diff
207
+ agent-kit update --dry-run
208
+ agent-kit add skill ui-improvement-harness
209
+ ```
210
+
211
+ `init` flags: `--stack`, `--guided`, `--dry-run`, `--activate <targets...>`, `--setup`, `--no-setup`, `--open`, `--force`, `--json`.
212
+ `update` flags: `--dry-run`, `--force`, `--json`.
213
+
214
+ ### Setup and Agent Office
215
+
216
+ | Command | Purpose |
217
+ | --- | --- |
218
+ | `setup` | Serve local Agent Office (default) and form wizard at `http://127.0.0.1:9321` |
219
+ | `setup --status` | Print onboarding progress as JSON |
220
+
221
+ Routes: `/` or `/office` (pixel office, default), `/wizard` (form fallback).
222
+
223
+ ```bash
224
+ agent-kit setup --open
225
+ agent-kit setup --status
226
+ ```
227
+
228
+ ### Audit and validation
229
+
230
+ | Command | Purpose |
231
+ | --- | --- |
232
+ | `audit` | Readiness report with pass/warn/fail findings |
233
+ | `doctor` | Validate CLI runtime prerequisites |
234
+ | `adapter validate [target]` | Validate IDE/runtime adapter assets (`cursor`, `claude`, `codex`, `copilot`, `antigravity`, `all`) |
235
+ | `package validate` | Source-repo release asset validation (maintainers) |
236
+
237
+ ```bash
238
+ agent-kit audit --json --min-readiness baseline-setup
239
+ agent-kit adapter validate cursor
240
+ agent-kit doctor --json
241
+ ```
242
+
243
+ Readiness levels: `needs-setup`, `baseline-setup`, `needs-improvement`, `best-practice-candidate`. Use `--min-readiness <level>` in CI.
244
+
245
+ ### Project context
246
+
247
+ | Command | Purpose |
248
+ | --- | --- |
249
+ | `context init` | Create or refresh `.agent-kit/project-context.json` |
250
+ | `context scan` | Print inferred context without writing |
251
+ | `context ask` | List unanswered high-value context questions |
252
+ | `context render` | Render `.agent-kit/project-context.md` |
253
+ | `context validate` | Validate context against schema |
254
+ | `context show` | Print current context JSON |
255
+
256
+ ```bash
257
+ agent-kit context init
78
258
  agent-kit context validate
259
+ ```
260
+
261
+ ### Council sessions
262
+
263
+ | Command | Purpose |
264
+ | --- | --- |
265
+ | `session start` | Open a council session with workflow routing |
266
+ | `session list` / `session active` | Inspect sessions |
267
+ | `session note` / `decision` / `handoff` | Record collaboration events |
268
+ | `session correct` / `artifact` / `verify` / `output` | Record corrections, files, checks, required outputs |
269
+ | `session checkpoint` | Batch-apply events from a JSON file |
270
+ | `session render` / `session close` | Render Markdown and close the session |
271
+
272
+ ```bash
79
273
  agent-kit session start "Build checkout flow" --workflow frontend-change
80
- agent-kit session decision --agent planner --risk "Generic UI risk" "Use frontend-change workflow."
81
274
  agent-kit session handoff --from planner --to frontend-design-lead --decision "Start design intake." --risk "Generic UI risk."
82
- agent-kit session correct --agent frontend-design-lead --scope project "Keep UI dense and operational."
83
275
  agent-kit session verify --command "npm test" --result pass --notes "Tests passed."
84
276
  agent-kit session output "visual QA evidence" --status not-applicable --evidence "No UI change."
277
+ agent-kit session checkpoint --file .agent-kit/checkpoint.json
85
278
  agent-kit session render
86
- agent-kit correction list
279
+ agent-kit session close --status complete
280
+ ```
281
+
282
+ ### Corrections
283
+
284
+ | Command | Purpose |
285
+ | --- | --- |
286
+ | `correction list` | List durable project and agent correction rules |
287
+ | `correction add` | Add a correction (`--scope project\|agent\|session`) |
288
+ | `correction apply` | Promote a correction into active rules |
289
+ | `correction retire` | Retire a correction with reason |
290
+ | `correction propose-upstream` | Flag a correction for kit promotion |
291
+
292
+ ```bash
293
+ agent-kit correction add --scope project "Prefer operational density over hero-style marketing layout."
294
+ agent-kit correction apply --id project-ui-density
295
+ ```
296
+
297
+ ### Studio views
298
+
299
+ | Command | Purpose |
300
+ | --- | --- |
301
+ | `studio export` | Generate self-contained static HTML at `.agent-kit/studio/index.html` |
302
+ | `studio serve` | Live localhost Agent Office with SSE session events (default port `9331`) |
303
+
304
+ ```bash
87
305
  agent-kit studio export
88
- agent-kit audit --json
306
+ agent-kit studio serve --open
307
+ ```
308
+
309
+ ### Research (maintainers)
310
+
311
+ Requires `GITHUB_TOKEN` in the environment.
312
+
313
+ ```bash
314
+ agent-kit research discover --limit 100
315
+ agent-kit research scan
316
+ agent-kit research summarize
317
+ agent-kit research propose-updates
89
318
  ```
90
319
 
91
320
  ## What Gets Installed
@@ -124,35 +353,6 @@ The `.agent-kit/` folder includes:
124
353
  - `design-briefs/` for SaaS, admin, marketplace, content, tool, ecommerce, portfolio/venue, education, community/social, and AI workflow surfaces.
125
354
  - `profiles/` for product-type and adjacent-stack adaptation.
126
355
 
127
- ## Everyday Commands
128
-
129
- ```bash
130
- agent-kit audit
131
- agent-kit audit --json
132
- agent-kit audit --min-readiness baseline-setup
133
- agent-kit adapter validate antigravity
134
- agent-kit package validate
135
- agent-kit context init
136
- agent-kit session start "Short task name"
137
- agent-kit session output "verification evidence" --status complete --evidence "npm test"
138
- agent-kit session render
139
- agent-kit correction list
140
- agent-kit studio export
141
- agent-kit diff
142
- agent-kit update
143
- agent-kit add skill frontend-design-system
144
- agent-kit doctor
145
- ```
146
-
147
- Readiness levels from `agent-kit audit --json`:
148
-
149
- - `needs-setup`: required install or council contracts are failing.
150
- - `baseline-setup`: setup is valid, but starter evidence placeholders remain.
151
- - `needs-improvement`: no failures, but warnings remain.
152
- - `best-practice-candidate`: static audit found no failures or warnings.
153
-
154
- Use `agent-kit audit --min-readiness <level>` in CI when a project wants a merge or release threshold.
155
-
156
356
  ## AI Mechanisms
157
357
 
158
358
  Agent Kit separates the mechanisms that make AI coding repeatable:
@@ -160,7 +360,7 @@ Agent Kit separates the mechanisms that make AI coding repeatable:
160
360
  - Instructions: `AGENTS.md`, assistant adapters, and IDE-specific rule files.
161
361
  - Roster: `.agent-kit/agent-roster.json` chooses agents, workflows, and handoffs.
162
362
  - Skills: `.agent-kit/skills/` keeps specialist workflows reusable.
163
- - Runtime commands: Antigravity `commands/*.toml` expose `/setup`, `/audit`, `/plan`, `/handoff`, `/frontend`, `/security`, `/copy`, `/ship`, and `/upgrade` as native adapter entrypoints.
363
+ - Runtime commands: Antigravity `commands/*.toml` expose `/setup`, `/spec`, `/audit`, `/plan`, `/handoff`, `/frontend`, `/test`, `/review`, focused UI improvement commands, `/security`, `/copy`, `/ship`, and `/upgrade` as native adapter entrypoints.
164
364
  - Portable skills: `runtime-skills/*/SKILL.md` wraps canonical `skills/*.md` files for runtimes that discover skill directories.
165
365
  - Model routing: `MODEL_ROUTING.md` and `.agent-kit/model-routing.json` map agents to model profiles.
166
366
  - Messaging: `MESSAGING.md` records audience, pain, outcome, proof, objections, voice, and conversion evidence for public-facing copy.
@@ -189,6 +389,8 @@ Significant UI work should prove:
189
389
 
190
390
  The Frontend Design Lead should reject work that would still look valid for another product after only changing the logo or headline.
191
391
 
392
+ Operational UI improvement workflows live in `.agent-kit/prompts/ui-command-index.md` and ship as Antigravity commands: `/ui-audit`, `/ui-polish`, `/layout-cleanup`, `/responsive-cleanup`, `/accessibility-pass`, `/distinctiveness-pass`, `/screenshot-critique`, and `/browser-qa`. Use `.agent-kit/checklists/ui-detectors.md` for deterministic blocker/major/minor findings and `.agent-kit/checklists/ui-acceptance-rubric.md` for pass/fail decisions. High-risk UI work requires desktop and mobile screenshots plus authenticated or permission-state evidence when the surface is not public.
393
+
192
394
  ## Security Bar
193
395
 
194
396
  The kit treats these as defaults, not optional polish:
@@ -206,6 +408,7 @@ Use the upgrade flow instead of overwriting project-owned docs:
206
408
 
207
409
  ```bash
208
410
  agent-kit diff
411
+ agent-kit update --dry-run
209
412
  agent-kit update
210
413
  agent-kit audit --min-readiness baseline-setup
211
414
  ```
@@ -255,7 +458,7 @@ Release expectations:
255
458
  - Dependency Review, CodeQL, OpenSSF Scorecard, Dependabot, SBOM validation, and SBOM attestation.
256
459
  - Post-publish verification with `npm run publish:verify`.
257
460
 
258
- Public release remains gated until the npm scope/package exists, Trusted Publishing is configured, and post-publish `npx` verification succeeds.
461
+ The package is published to public npm under `@appsforgood/next-supabase-kit@0.1.7`. Every release must pass `npm run release:check` before publish and `npm run publish:verify` after (registry visibility, clean `npx` doctor/init/audit). Post-publish verification last passed **2026-07-04** against the live registry: `@0.1.7` doctor, clean init, and `audit --min-readiness baseline-setup` with zero failures.
259
462
 
260
463
  ## Repository Health
261
464
 
@@ -31,9 +31,9 @@ Create environment `npm-publish` with:
31
31
  - Required reviewers enabled.
32
32
  - Prevent self-review enabled where available.
33
33
  - Deployment branches restricted to `main` and release events.
34
- - No npm publish token secret for the trusted-publishing flow.
35
- - Any legacy npm token secrets deleted after Trusted Publishing is confirmed.
36
- - Optional fallback: a maintainer npm publish token secret on the `npm-publish` environment when trusted publishing returns 404 on PUT.
34
+ - Preferred path: no npm publish token secret once Trusted Publishing is confirmed for this package.
35
+ - Current fallback: a maintainer npm publish token secret on the release workflow so manual publish dispatch can complete until npm Trusted Publishing is configured.
36
+ - Any fallback npm token secrets deleted after Trusted Publishing is confirmed.
37
37
 
38
38
  The npm trusted publisher must match:
39
39
 
@@ -66,6 +66,10 @@ Create labels from `.github/labels.yml`. Required label families:
66
66
  - Status: `needs-triage`, `blocked`, `good first issue`, `help wanted`
67
67
  - Risk: `risk: security`, `risk: breaking-change`
68
68
 
69
+ ## GitHub Pages
70
+
71
+ Enable GitHub Pages with source "Deploy from a branch", branch `main`, folder `/docs`. The minimal docs site lives at `docs/index.md` with the `jekyll-theme-minimal` theme configured in `docs/_config.yml`. Update `docs/index.md` when the CLI surface, readiness levels, or quick-start commands change.
72
+
69
73
  ## Review Cadence
70
74
 
71
75
  Review these settings before every public release and after any workflow, release, permission, package, or security-policy change.
package/SUPPLY_CHAIN.md CHANGED
@@ -5,12 +5,12 @@ This package is intended for public npm distribution and downstream project boot
5
5
  ## Publish Identity
6
6
 
7
7
  - Public package: `@appsforgood/next-supabase-kit`.
8
- - Publish path: GitHub Actions release workflow through npm Trusted Publishing.
9
- - Authentication: OIDC trusted publisher, not a long-lived npm automation token.
8
+ - Publish path: GitHub Actions release workflow through npm Trusted Publishing when configured, with a token-backed publish fallback for the current npm package setup.
9
+ - Authentication: prefer OIDC trusted publisher; the fallback uses a scoped npm automation token stored as a GitHub Actions secret.
10
10
  - Environment: `npm-publish`.
11
11
  - Trusted publisher must be scoped to repository `lukey662/agentsandskills`, workflow `release.yml`, and allowed action `npm publish`.
12
12
 
13
- When npm Trusted Publishing is used from a public GitHub repository for a public package, npm generates provenance attestations automatically. The release workflow keeps `id-token: write` for this reason and does not set `NODE_AUTH_TOKEN` for publishing.
13
+ When npm Trusted Publishing is used from a public GitHub repository for a public package, npm generates provenance attestations automatically. Until that package-level publisher is confirmed in npm, the release workflow publishes with the configured secret and `--provenance` so npm still receives GitHub Actions provenance.
14
14
 
15
15
  The release workflow also creates a deterministic package tarball, generates a CycloneDX SBOM from `package-lock.json`, uploads the tarball, SBOM, and pack metadata as release evidence, and attests the SBOM against the exact tarball path that is published to npm.
16
16
 
@@ -47,9 +47,9 @@ The release workflow and `npm run publish:verify` both use `scripts/post-publish
47
47
 
48
48
  ## Maintainer Rules
49
49
 
50
- - Do not use bypass-2FA npm publish tokens for automation.
50
+ - Do not use bypass-2FA npm publish tokens for automation; any fallback token must be scoped for package publishing and stored only as a GitHub Actions secret.
51
51
  - Do not publish from unreviewed branches or untrusted workflow changes.
52
52
  - Treat workflow edits as release-risk changes requiring security and maintainer review.
53
- - Rotate and delete legacy publish secrets after Trusted Publishing is confirmed.
53
+ - Rotate and delete fallback publish secrets after Trusted Publishing is confirmed.
54
54
  - Keep package contents free of secrets, private downstream data, and copied third-party source.
55
55
  - Keep SBOM generation and attestation in the shared release path; do not publish an unattested tarball when the workflow is available.
package/UPGRADE.md CHANGED
@@ -78,4 +78,5 @@ Keep rollback evidence next to the upgrade:
78
78
  | Date | From | To | Scope | Evidence | Owner |
79
79
  | --- | --- | --- | --- | --- | --- |
80
80
  | 2026-06-14 | TypeScript 5 / Node 22 types | TypeScript 6 / Node 25 types | Dev dependency update for package validation and CI parity | `npm run typecheck`, `npm test`, `npm audit --audit-level=moderate` | Maintainers |
81
- | TBD | TBD | TBD | TBD | TBD | TBD |
81
+ | 2026-06 | 0.1.0 | 0.1.1 | Package rename to `@appsforgood/next-supabase-kit`, harness readiness gates, adapter install on init, publish prep | `CHANGELOG.md` 0.1.1 entry, `npm run release:check` green, commit `37e1a0f` | lukey662 |
82
+ | 2026-07-02 | none | 0.1.1 (self-install) | Dogfooded the kit into this repo's own root: `agent-kit init` installed root docs, `.agent-kit/`, and confirmed the Cursor rules' referenced files exist | `.agent-kit/manifest.json`, `agent-kit audit` zero failures, `COUNCIL.md` 2026-07-02 session | lukey662 |
@@ -0,0 +1,16 @@
1
+ name = "accessibility-pass"
2
+ description = "Run a WCAG 2.1 AA-oriented UI pass for semantics, keyboard flow, focus, labels, contrast, and motion."
3
+
4
+ prompt = """
5
+ Run the accessibility pass workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/skills/accessibility-wcag.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Check semantics, headings, landmarks, forms, labels, tables, buttons, and ARIA use.
11
+ 2. Check keyboard navigation, visible focus, tab order, escape/close behavior, and skip path when applicable.
12
+ 3. Check contrast, reduced motion, error association, touch targets, and status announcements.
13
+ 4. Keep accessibility checks separate from visual-only approval.
14
+
15
+ Required outputs: accessibility findings by severity, fixes made or proposed, skipped checks, test evidence, remaining risks.
16
+ """
@@ -0,0 +1,18 @@
1
+ name = "browser-qa"
2
+ description = "Run a live browser QA loop with desktop, mobile, state, and authenticated screen evidence."
3
+
4
+ prompt = """
5
+ Run the live browser QA workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, .agent-kit/prompts/screenshot-review.md, .agent-kit/prompts/visual-qa-plan.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Start or identify the dev/preview server and target routes.
11
+ 2. Open the target with required auth, role, tenant, and data state.
12
+ 3. Capture desktop and mobile screenshots.
13
+ 4. Run detector, screenshot critique, accessibility pass, and responsive cleanup.
14
+ 5. Apply scoped fixes and repeat until no blockers remain and major findings are fixed or documented.
15
+ 6. Record evidence with agent-kit session output when Agent Studio is in use.
16
+
17
+ Required outputs: route, auth state, commands run, screenshots, detector results, fixes, final verdict.
18
+ """
@@ -0,0 +1,16 @@
1
+ name = "distinctiveness-pass"
2
+ description = "Check that UI is product-specific, source-safe, and not generic SaaS or AI-site styling."
3
+
4
+ prompt = """
5
+ Run the visual distinctiveness pass workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, MESSAGING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/skills/frontend-distinctiveness-benchmark.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Compare the first viewport to product category, audience, workflow, and content fingerprint.
11
+ 2. Confirm references were translated into lessons without copying source layouts, copy, assets, or brand marks.
12
+ 3. Identify fake metrics, vague claims, abstract filler, interchangeable card stacks, and generic visual tropes.
13
+ 4. Re-score distinctiveness and product quality where significant UI work is involved.
14
+
15
+ Required outputs: product-specific evidence, generic-risk findings, source-safety notes, required changes, final distinctiveness verdict.
16
+ """
@@ -4,14 +4,15 @@ description = "Route frontend work through content-first design, accessibility,
4
4
  prompt = """
5
5
  Run the frontend-change workflow.
6
6
 
7
- Canonical sources: DESIGN.md, STYLE_GUIDE.md, MESSAGING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/design-briefs/, .agent-kit/prompts/screenshot-review.md, and .agent-kit/skills/frontend-design-system.md.
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, MESSAGING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/design-briefs/, .agent-kit/prompts/screenshot-review.md, .agent-kit/prompts/ui-command-index.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, .agent-kit/skills/frontend-design-system.md, and .agent-kit/skills/ui-improvement-harness.md.
8
8
 
9
9
  Workflow:
10
10
  1. Start with Frontend Design Lead before implementation.
11
11
  2. Confirm brand/content intake, user needs, real content, creative direction, references, anti-references, and source-safety notes.
12
12
  3. Require distinctiveness benchmark and product-quality scorecard for significant UI.
13
- 4. Preserve WCAG 2.1 AA, keyboard flow, responsive states, and loading/error/empty/success states.
14
- 5. Record visual QA and accessibility evidence with `agent-kit session output`.
13
+ 4. Apply the UI improvement command index when auditing, polishing, cleaning layout, reviewing screenshots, or running browser QA.
14
+ 5. Preserve WCAG 2.1 AA, keyboard flow, responsive states, and loading/error/empty/success states.
15
+ 6. Record UI detector findings, visual QA, and accessibility evidence with `agent-kit session output`.
15
16
 
16
- Required outputs: design direction, reference evidence, product-specific UI rationale, state coverage, accessibility checks, desktop/mobile visual QA.
17
+ Required outputs: design direction, reference evidence, product-specific UI rationale, UI detector findings, state coverage, accessibility checks, desktop/mobile visual QA, authenticated screen evidence when applicable.
17
18
  """
@@ -0,0 +1,16 @@
1
+ name = "layout-cleanup"
2
+ description = "Clean crowded layouts, weak hierarchy, card nesting, overflow, and inconsistent spacing."
3
+
4
+ prompt = """
5
+ Run the layout cleanup workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Identify primary task, secondary tasks, content hierarchy, and target viewport range.
11
+ 2. Remove unnecessary nesting, repeated surfaces, card-within-card patterns, arbitrary dividers, and workflow-obscuring decoration.
12
+ 3. Normalize spacing, grouping, alignment, heading scale, and responsive containers.
13
+ 4. Verify text fit, truncation, overlap, and horizontal overflow on desktop and mobile.
14
+
15
+ Required outputs: layout findings, cleanup actions, preserved workflow, desktop/mobile evidence, remaining layout risks.
16
+ """
@@ -0,0 +1,16 @@
1
+ name = "responsive-cleanup"
2
+ description = "Verify and repair mobile and responsive UI behavior with required desktop and mobile evidence."
3
+
4
+ prompt = """
5
+ Run the responsive cleanup workflow.
6
+
7
+ Canonical sources: DESIGN.md, STYLE_GUIDE.md, TESTING.md, QUALITY_GATES.md, .agent-kit/agent-roster.json, .agent-kit/skills/ui-improvement-harness.md, .agent-kit/checklists/ui-detectors.md, .agent-kit/checklists/ui-acceptance-rubric.md, and .agent-kit/prompts/ui-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Review mobile width, desktop width, and project-specific breakpoint assumptions.
11
+ 2. Verify tap targets, text fit, navigation, primary action visibility, sticky UI, scroll behavior, and viewport-safe spacing.
12
+ 3. Verify relevant loading, empty, error, disabled, success, permission, and focus states on mobile.
13
+ 4. Capture or request desktop and mobile screenshots before acceptance.
14
+
15
+ Required outputs: viewports checked, responsive findings, fixes made or proposed, screenshots, remaining risks.
16
+ """
@@ -0,0 +1,16 @@
1
+ name = "review"
2
+ description = "Run pre-merge code health review with QA and conditional Security Reviewer routing."
3
+
4
+ prompt = """
5
+ Run the code-review workflow.
6
+
7
+ Canonical sources: TESTING.md, SECURITY.md, QUALITY_GATES.md, AGENTS.md, .agent-kit/agent-roster.json, .agent-kit/skills/testing-qa.md, .agent-kit/skills/owasp-security-review.md, and .agent-kit/prompts/lifecycle-command-index.md.
8
+
9
+ Workflow:
10
+ 1. Route through QA Engineer for behavior, regression, and test evidence.
11
+ 2. Include Security Reviewer when auth, RLS, data mutation, dependency, secret, or external-call boundaries changed.
12
+ 3. Return findings by severity with concrete remediation.
13
+ 4. Distinguish this from release GO/NO-GO, which belongs to `/ship`.
14
+
15
+ Required outputs: reviewed scope, findings by severity, required fixes, security notes when applicable, merge recommendation.
16
+ """