@caoscompanybr/merlin 3.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/CLAUDE.md +216 -0
- package/.claude/hooks/README-license-gate.md +45 -0
- package/.claude/hooks/auto-summarize.js +47 -0
- package/.claude/hooks/context-monitor.js +60 -0
- package/.claude/hooks/doc-sync.js +111 -0
- package/.claude/hooks/license-gate.cjs +59 -0
- package/.claude/hooks/session-reset.js +27 -0
- package/.claude/hooks/thoughts-indexer.js +80 -0
- package/.claude/rules/merlin-constitution.md +27 -0
- package/.merlin-core/commands/README.md +19 -0
- package/.merlin-core/commands/founder-mode.md +51 -0
- package/.merlin-core/commands/git/commit.md +35 -0
- package/.merlin-core/commands/git/describe-pr.md +43 -0
- package/.merlin-core/commands/git/safe-commit.md +182 -0
- package/.merlin-core/commands/implementation/implement-plan.md +129 -0
- package/.merlin-core/commands/implementation/oneshot.md +63 -0
- package/.merlin-core/commands/implementation/tdd.md +152 -0
- package/.merlin-core/commands/planning/create-plan.md +184 -0
- package/.merlin-core/commands/planning/iterate-plan.md +45 -0
- package/.merlin-core/commands/planning/validate-plan.md +48 -0
- package/.merlin-core/commands/research/analyze-issue.md +155 -0
- package/.merlin-core/commands/research/research-codebase.md +157 -0
- package/.merlin-core/commands/review/adversarial-review.md +112 -0
- package/.merlin-core/commands/review/check.md +91 -0
- package/.merlin-core/commands/review/debug.md +135 -0
- package/.merlin-core/commands/review/doubts.md +178 -0
- package/.merlin-core/commands/review/engineering-audit.md +87 -0
- package/.merlin-core/commands/review/local-review.md +48 -0
- package/.merlin-core/commands/review/verify-goals.md +83 -0
- package/.merlin-core/commands/session/capture-feedback.md +74 -0
- package/.merlin-core/commands/session/capture-learning.md +155 -0
- package/.merlin-core/commands/session/check-objectives.md +85 -0
- package/.merlin-core/commands/session/conclude.md +125 -0
- package/.merlin-core/commands/session/create-handoff.md +88 -0
- package/.merlin-core/commands/session/create-objective.md +111 -0
- package/.merlin-core/commands/session/create-process.md +105 -0
- package/.merlin-core/commands/session/create-reminder.md +86 -0
- package/.merlin-core/commands/session/fast-start.md +261 -0
- package/.merlin-core/commands/session/recall-learnings.md +79 -0
- package/.merlin-core/commands/session/recall-processes.md +74 -0
- package/.merlin-core/commands/session/resume-handoff.md +51 -0
- package/.merlin-core/commands/session/run-process.md +53 -0
- package/.merlin-core/commands/special/beauty.md +89 -0
- package/.merlin-core/commands/special/common-ground.md +114 -0
- package/.merlin-core/commands/special/elicit.md +98 -0
- package/.merlin-core/commands/special/party.md +66 -0
- package/.merlin-core/commands/special/scrape.md +78 -0
- package/.merlin-core/commands/special/skill-audit.md +128 -0
- package/.merlin-core/commands/special/start-here.md +132 -0
- package/.merlin-core/constitution.md +442 -0
- package/.merlin-core/core/README.md +19 -0
- package/.merlin-core/core/alkimia/README.md +20 -0
- package/.merlin-core/core/alkimia/context/context-tracker.js +209 -0
- package/.merlin-core/core/alkimia/domain/domain-loader.js +215 -0
- package/.merlin-core/core/alkimia/engine.js +284 -0
- package/.merlin-core/core/alkimia/layers/l0-constitution.js +47 -0
- package/.merlin-core/core/alkimia/layers/l1-global.js +58 -0
- package/.merlin-core/core/alkimia/layers/l2-agent.js +58 -0
- package/.merlin-core/core/alkimia/layers/l3-workflow.js +54 -0
- package/.merlin-core/core/alkimia/layers/l4-task.js +45 -0
- package/.merlin-core/core/alkimia/layers/l5-squad.js +161 -0
- package/.merlin-core/core/alkimia/layers/l6-skill.js +520 -0
- package/.merlin-core/core/alkimia/layers/l7-star-command.js +87 -0
- package/.merlin-core/core/alkimia/layers/layer-processor.js +78 -0
- package/.merlin-core/core/alkimia/mandate.js +46 -0
- package/.merlin-core/core/alkimia/memory/doc-sync.js +201 -0
- package/.merlin-core/core/alkimia/memory/document-sharder.js +272 -0
- package/.merlin-core/core/alkimia/memory/git-history-retriever.js +225 -0
- package/.merlin-core/core/alkimia/memory/memory-bridge.js +97 -0
- package/.merlin-core/core/alkimia/memory/session-analyzer.js +400 -0
- package/.merlin-core/core/alkimia/memory/thoughts-indexer.js +477 -0
- package/.merlin-core/core/alkimia/memory/thoughts-provider.js +603 -0
- package/.merlin-core/core/alkimia/output/formatter.js +464 -0
- package/.merlin-core/core/alkimia/security/content-sanitizer.js +140 -0
- package/.merlin-core/core/alkimia/skill-importer.js +440 -0
- package/.merlin-core/core/alkimia/squads/default/.synapse/manifest +17 -0
- package/.merlin-core/core/alkimia/utils/frontmatter.js +321 -0
- package/.merlin-core/core/alkimia/utils/tokens.js +24 -0
- package/.merlin-core/core/approval/README.md +16 -0
- package/.merlin-core/core/approval/approval-engine.js +380 -0
- package/.merlin-core/core/approval/channels/cli-channel.js +50 -0
- package/.merlin-core/core/config/README.md +17 -0
- package/.merlin-core/core/config/config-cache.js +182 -0
- package/.merlin-core/core/config/config-loader.js +279 -0
- package/.merlin-core/core/config/config-resolver.js +411 -0
- package/.merlin-core/core/config/env-interpolator.js +123 -0
- package/.merlin-core/core/config/merge-utils.js +102 -0
- package/.merlin-core/core/config/schemas/core-config.schema.json +41 -0
- package/.merlin-core/core/config/schemas/framework-config.schema.json +24 -0
- package/.merlin-core/core/config/schemas/local-config.schema.json +23 -0
- package/.merlin-core/core/config/schemas/project-config.schema.json +189 -0
- package/.merlin-core/core/docs-consistency.js +140 -0
- package/.merlin-core/core/events/event-bus.js +344 -0
- package/.merlin-core/core/events/hook-handler.js +419 -0
- package/.merlin-core/core/execution/README.md +17 -0
- package/.merlin-core/core/execution/attempt-journal.js +380 -0
- package/.merlin-core/core/execution/autonomous-build-loop.js +637 -0
- package/.merlin-core/core/execution/build-orchestrator.js +296 -0
- package/.merlin-core/core/execution/build-state-manager.js +196 -0
- package/.merlin-core/core/execution/context-injector.js +204 -0
- package/.merlin-core/core/execution/cron-engine.js +247 -0
- package/.merlin-core/core/execution/cron-expression.js +148 -0
- package/.merlin-core/core/execution/env-preflight.js +423 -0
- package/.merlin-core/core/execution/guardrail-engine.js +745 -0
- package/.merlin-core/core/execution/heartbeat-engine.js +198 -0
- package/.merlin-core/core/execution/model-router.js +282 -0
- package/.merlin-core/core/execution/parallel-executor.js +378 -0
- package/.merlin-core/core/execution/parallel-monitor.js +201 -0
- package/.merlin-core/core/execution/party-session.js +311 -0
- package/.merlin-core/core/execution/rate-limit-manager.js +152 -0
- package/.merlin-core/core/execution/result-aggregator.js +215 -0
- package/.merlin-core/core/execution/semantic-merge-engine.js +320 -0
- package/.merlin-core/core/execution/subagent-dispatcher.js +721 -0
- package/.merlin-core/core/execution/success-verifier.js +227 -0
- package/.merlin-core/core/execution/task-metadata.js +105 -0
- package/.merlin-core/core/execution/team-executor.js +195 -0
- package/.merlin-core/core/execution/two-tier-editor.js +290 -0
- package/.merlin-core/core/execution/version-snapshot.js +294 -0
- package/.merlin-core/core/execution/wave-executor.js +224 -0
- package/.merlin-core/core/health-check/health-engine.js +415 -0
- package/.merlin-core/core/licensing/activation.js +281 -0
- package/.merlin-core/core/licensing/crc.js +103 -0
- package/.merlin-core/core/licensing/entitlement.js +99 -0
- package/.merlin-core/core/licensing/fingerprint.js +104 -0
- package/.merlin-core/core/licensing/gate.js +133 -0
- package/.merlin-core/core/licensing/hmac.js +42 -0
- package/.merlin-core/core/licensing/key.js +144 -0
- package/.merlin-core/core/licensing/license.js +212 -0
- package/.merlin-core/core/mcp/README.md +16 -0
- package/.merlin-core/core/mcp/browser-capability.js +191 -0
- package/.merlin-core/core/mcp/capability-mapper.js +92 -0
- package/.merlin-core/core/mcp/mcp-connector.js +278 -0
- package/.merlin-core/core/mcp/mcp-registry.js +101 -0
- package/.merlin-core/core/orchestration/README.md +17 -0
- package/.merlin-core/core/orchestration/agent-invoker.js +456 -0
- package/.merlin-core/core/orchestration/condition-evaluator.js +250 -0
- package/.merlin-core/core/orchestration/decision-tree.js +192 -0
- package/.merlin-core/core/orchestration/executor-assignment.js +372 -0
- package/.merlin-core/core/orchestration/gate-evaluator.js +653 -0
- package/.merlin-core/core/orchestration/intent-classifier.js +579 -0
- package/.merlin-core/core/orchestration/lock-manager.js +308 -0
- package/.merlin-core/core/orchestration/master-orchestrator.js +363 -0
- package/.merlin-core/core/orchestration/phase-tool-masks.js +194 -0
- package/.merlin-core/core/orchestration/recovery-handler.js +402 -0
- package/.merlin-core/core/orchestration/reflect-checkpoint.js +431 -0
- package/.merlin-core/core/orchestration/session-state.js +430 -0
- package/.merlin-core/core/orchestration/skill-dispatcher.js +255 -0
- package/.merlin-core/core/orchestration/step-loader.js +226 -0
- package/.merlin-core/core/orchestration/workflow-executor.js +864 -0
- package/.merlin-core/core/process/executor.js +231 -0
- package/.merlin-core/core/process/process-file.js +50 -0
- package/.merlin-core/core/process/secret-scan.js +86 -0
- package/.merlin-core/core/process/signature.js +77 -0
- package/.merlin-core/core/quality-gates/README.md +17 -0
- package/.merlin-core/core/quality-gates/layer1-precommit.js +110 -0
- package/.merlin-core/core/quality-gates/layer2-pr-automation.js +116 -0
- package/.merlin-core/core/quality-gates/layer3-human-review.js +133 -0
- package/.merlin-core/core/registry/service-registry.js +140 -0
- package/.merlin-core/core-config.yaml +159 -0
- package/.merlin-core/development/README.md +17 -0
- package/.merlin-core/development/agents/README.md +16 -0
- package/.merlin-core/development/agents/analyst.md +214 -0
- package/.merlin-core/development/agents/architect.md +166 -0
- package/.merlin-core/development/agents/data-engineer.md +154 -0
- package/.merlin-core/development/agents/dev.md +203 -0
- package/.merlin-core/development/agents/devops.md +236 -0
- package/.merlin-core/development/agents/grimorio.md +125 -0
- package/.merlin-core/development/agents/merlin-master.md +173 -0
- package/.merlin-core/development/agents/meta.md +190 -0
- package/.merlin-core/development/agents/pm.md +145 -0
- package/.merlin-core/development/agents/po.md +172 -0
- package/.merlin-core/development/agents/qa.md +275 -0
- package/.merlin-core/development/agents/researcher.md +218 -0
- package/.merlin-core/development/agents/scout.md +179 -0
- package/.merlin-core/development/agents/sm.md +148 -0
- package/.merlin-core/development/agents/ux.md +169 -0
- package/.merlin-core/development/agents/web-researcher.md +203 -0
- package/.merlin-core/development/checklists/adversarial-review-checklist.md +70 -0
- package/.merlin-core/development/checklists/operations-ci-checklist.md +40 -0
- package/.merlin-core/development/checklists/operations-deploy-checklist.md +54 -0
- package/.merlin-core/development/checklists/operations-publish-checklist.md +47 -0
- package/.merlin-core/development/checklists/source-verification-checklist.md +38 -0
- package/.merlin-core/development/templates/HEARTBEAT-template.md +46 -0
- package/.merlin-core/development/templates/ears-requirements-template.md +93 -0
- package/.merlin-core/development/templates/handoff-template.md +50 -0
- package/.merlin-core/development/templates/prd-template.md +62 -0
- package/.merlin-core/development/templates/research-template.md +53 -0
- package/.merlin-core/development/templates/spec-template.md +84 -0
- package/.merlin-core/development/workflows/brownfield-discovery.yaml +166 -0
- package/.merlin-core/development/workflows/brownfield-service.yaml +52 -0
- package/.merlin-core/development/workflows/development-cycle.yaml +57 -0
- package/.merlin-core/development/workflows/epic-orchestration.yaml +47 -0
- package/.merlin-core/development/workflows/folloni-funnel.yaml +177 -0
- package/.merlin-core/development/workflows/greenfield-fullstack.yaml +167 -0
- package/.merlin-core/development/workflows/greenfield-service.yaml +56 -0
- package/.merlin-core/development/workflows/qa-loop.yaml +115 -0
- package/.merlin-core/development/workflows/spec-pipeline.yaml +185 -0
- package/.merlin-core/development/workflows/steps/folloni-01-research.yaml +35 -0
- package/.merlin-core/development/workflows/steps/folloni-02-architecture.yaml +41 -0
- package/.merlin-core/development/workflows/steps/folloni-03-implementation.yaml +52 -0
- package/.merlin-core/development/workflows/story-development-cycle.yaml +67 -0
- package/.merlin-core/docs/GUIDE.md +413 -0
- package/.merlin-core/docs/merlin-commands-guide-pt.md +183 -0
- package/.merlin-core/framework-config.yaml +148 -0
- package/.merlin-core/hooks/README.md +16 -0
- package/.merlin-core/hooks/precompact-memory-flush.js +69 -0
- package/.merlin-core/hooks/pretooluse-remote-approve.js +113 -0
- package/.merlin-core/hooks/spikes/spike-b-hook.js +70 -0
- package/.merlin-core/hooks/spikes/spike-b-stub.js +70 -0
- package/.merlin-core/index.js +91 -0
- package/.merlin-core/local-config.yaml.template +31 -0
- package/.merlin-core/mcp-servers/lsp-bridge/index.js +397 -0
- package/.merlin-core/modules/scraping/module.json +23 -0
- package/.merlin-core/project-config.yaml +89 -0
- package/.merlin-core/schemas/README.md +18 -0
- package/.merlin-core/schemas/agent-hook-schema.json +152 -0
- package/.merlin-core/schemas/agent-schema.json +31 -0
- package/.merlin-core/schemas/command-schema.json +18 -0
- package/.merlin-core/schemas/feedback-schema.json +36 -0
- package/.merlin-core/schemas/handoff-schema.json +19 -0
- package/.merlin-core/schemas/learning-schema.json +51 -0
- package/.merlin-core/schemas/module.schema.json +124 -0
- package/.merlin-core/schemas/must-haves-schema.json +95 -0
- package/.merlin-core/schemas/objective-schema.json +23 -0
- package/.merlin-core/schemas/plan-schema.json +20 -0
- package/.merlin-core/schemas/process-schema.json +82 -0
- package/.merlin-core/schemas/reminder-schema.json +20 -0
- package/.merlin-core/schemas/skill-eval-schema.json +92 -0
- package/.merlin-core/schemas/skill-schema.json +77 -0
- package/.merlin-core/schemas/workflow-schema.json +38 -0
- package/.merlin-core/skills/README.md +16 -0
- package/.merlin-core/skills/domain/azure-cloud/SKILL.md +211 -0
- package/.merlin-core/skills/domain/azure-cloud/references/appinsights-instrumentation.md +63 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-compliance.md +99 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-cost-optimization.md +419 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-deploy.md +82 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-diagnostics.md +130 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-prepare.md +134 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-quotas.md +290 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-rbac.md +11 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-resource-lookup.md +97 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-resource-visualizer.md +178 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-storage.md +91 -0
- package/.merlin-core/skills/domain/azure-cloud/references/azure-validate.md +58 -0
- package/.merlin-core/skills/domain/azure-cloud/references/entra-app-registration.md +192 -0
- package/.merlin-core/skills/domain/browser-automation/SKILL.md +311 -0
- package/.merlin-core/skills/domain/browser-automation/references/agent-browser-skill.md +632 -0
- package/.merlin-core/skills/domain/browser-automation/references/authentication.md +308 -0
- package/.merlin-core/skills/domain/browser-automation/references/commands.md +266 -0
- package/.merlin-core/skills/domain/browser-automation/references/profiling.md +120 -0
- package/.merlin-core/skills/domain/browser-automation/references/proxy-support.md +194 -0
- package/.merlin-core/skills/domain/browser-automation/references/session-management.md +194 -0
- package/.merlin-core/skills/domain/browser-automation/references/snapshot-refs.md +196 -0
- package/.merlin-core/skills/domain/browser-automation/references/video-recording.md +173 -0
- package/.merlin-core/skills/domain/browser-automation/templates/authenticated-session.sh +105 -0
- package/.merlin-core/skills/domain/browser-automation/templates/capture-workflow.sh +69 -0
- package/.merlin-core/skills/domain/browser-automation/templates/form-automation.sh +62 -0
- package/.merlin-core/skills/domain/digital-marketing/SKILL.md +292 -0
- package/.merlin-core/skills/domain/digital-marketing/references/content-strategy.md +320 -0
- package/.merlin-core/skills/domain/digital-marketing/references/copy-formats.md +298 -0
- package/.merlin-core/skills/domain/digital-marketing/references/copy-methodology.md +180 -0
- package/.merlin-core/skills/domain/digital-marketing/references/email-sequences.md +135 -0
- package/.merlin-core/skills/domain/digital-marketing/references/launch-strategy.md +213 -0
- package/.merlin-core/skills/domain/digital-marketing/references/pricing-strategy.md +160 -0
- package/.merlin-core/skills/domain/digital-marketing/references/programmatic-seo.md +237 -0
- package/.merlin-core/skills/domain/digital-marketing/references/revops-lifecycle.md +170 -0
- package/.merlin-core/skills/domain/digital-marketing/references/revops-operations.md +167 -0
- package/.merlin-core/skills/domain/digital-marketing/references/schema-markup.md +190 -0
- package/.merlin-core/skills/domain/digital-marketing/references/strategy-frameworks.md +324 -0
- package/.merlin-core/skills/domain/digital-marketing/references/traffic-management.md +350 -0
- package/.merlin-core/skills/domain/expo-native-ui/SKILL.md +348 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/animations.md +220 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/api-routes.md +361 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/cicd-workflows.md +84 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/controls.md +266 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/data-fetching.md +553 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/deployment-stores.md +1353 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/deployment.md +183 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/dev-client.md +166 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/dom-components.md +410 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/form-sheet.md +253 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/gradients.md +117 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/icons.md +218 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/media.md +245 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/platform-native.md +75 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/route-structure.md +229 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/search.md +249 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/storage.md +121 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/tabs.md +433 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/tailwind-native.md +473 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/toolbar-and-headers.md +284 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/upgrading-guides.md +674 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/upgrading.md +127 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/visual-effects.md +199 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/webgpu-three.md +605 -0
- package/.merlin-core/skills/domain/expo-native-ui/references/zoom-transitions.md +161 -0
- package/.merlin-core/skills/domain/marketing-ops/SKILL.md +117 -0
- package/.merlin-core/skills/domain/marketing-ops/references/_index.md +78 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ad-creative/references/generative-tools.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ad-creative/references/platform-specs.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ad-creative.md +251 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/ad-copy-templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/audience-targeting.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/conversion-tracking.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/platform-setup-checklists.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads.md +322 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo/references/content-patterns.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo/references/content-types.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo/references/platform-ranking-factors.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo.md +388 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/apple-specs.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/benchmarks.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/google-play-specs.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/report-template.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/scoring-criteria.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso.md +316 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/co-marketing.md +305 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/community-marketing.md +169 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitor-profiling/references/templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitor-profiling/references/tool-reference.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitor-profiling.md +442 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitors/references/content-architecture.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitors/references/templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitors.md +281 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/content-strategy.md +16 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions/references/directory-list.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions/references/positioning-variations.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions/references/submission-tracker-template.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions.md +396 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/free-tools/references/tool-types.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/free-tools.md +196 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/image/references/ai-image-prompting.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/image.md +352 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/launch.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/lead-magnets/references/benchmarks.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/lead-magnets/references/format-guide.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/lead-magnets.md +333 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/programmatic-seo.md +16 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/schema.md +16 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/seo-audit/references/ai-writing-detection.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/seo-audit/references/international-seo.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/seo-audit.md +546 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture/references/mermaid-templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture/references/navigation-patterns.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture/references/site-type-templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture.md +371 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/platform-limits.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/platforms.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/post-templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/reverse-engineering.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/short-form-video.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/social.md +431 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/video/references/ai-video-prompting.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/acquire/video.md +353 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/ab-testing/references/sample-size-guide.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/ab-testing/references/test-templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/ab-testing.md +379 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics/references/event-library.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics/references/ga4-implementation.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics/references/gtm-implementation.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics.md +323 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/copy-editing.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/copywriting.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/cro/references/experiments.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/cro/references/form.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/cro.md +211 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/emails.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/paywalls/references/experiments.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/paywalls.md +255 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/popups.md +518 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/pricing.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/deck-frameworks.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/demo-scripts.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/objection-library.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/one-pager-templates.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement.md +371 -0
- package/.merlin-core/skills/domain/marketing-ops/references/activate/signup.md +406 -0
- package/.merlin-core/skills/domain/marketing-ops/references/expand/co-marketing.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/expand/community-marketing.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/expand/referrals/references/affiliate-programs.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/expand/referrals/references/program-examples.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/expand/referrals.md +278 -0
- package/.merlin-core/skills/domain/marketing-ops/references/foundation/customer-research/references/source-guides.md +425 -0
- package/.merlin-core/skills/domain/marketing-ops/references/foundation/customer-research.md +284 -0
- package/.merlin-core/skills/domain/marketing-ops/references/foundation/marketing-ideas/references/ideas-by-category.md +216 -0
- package/.merlin-core/skills/domain/marketing-ops/references/foundation/marketing-ideas.md +188 -0
- package/.merlin-core/skills/domain/marketing-ops/references/foundation/marketing-psychology.md +532 -0
- package/.merlin-core/skills/domain/marketing-ops/references/foundation/product-marketing.md +276 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/churn-prevention/references/cancel-flow-patterns.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/churn-prevention/references/dunning-playbook.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/churn-prevention.md +442 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/onboarding/references/experiments.md +19 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/onboarding.md +243 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/revops-lifecycle.md +18 -0
- package/.merlin-core/skills/domain/marketing-ops/references/retain/revops-operations.md +18 -0
- package/.merlin-core/skills/domain/n8n-automation/SKILL.md +149 -0
- package/.merlin-core/skills/domain/n8n-automation/references/code-javascript.md +3744 -0
- package/.merlin-core/skills/domain/n8n-automation/references/code-python.md +3293 -0
- package/.merlin-core/skills/domain/n8n-automation/references/expression-syntax.md +1662 -0
- package/.merlin-core/skills/domain/n8n-automation/references/mcp-tools-expert.md +2111 -0
- package/.merlin-core/skills/domain/n8n-automation/references/node-configuration.md +2523 -0
- package/.merlin-core/skills/domain/n8n-automation/references/validation-expert.md +2491 -0
- package/.merlin-core/skills/domain/n8n-automation/references/workflow-patterns.md +4624 -0
- package/.merlin-core/skills/domain/ops-manual/SKILL.md +225 -0
- package/.merlin-core/skills/domain/ops-manual/references/elicitation-questions.md +141 -0
- package/.merlin-core/skills/domain/ops-manual/references/external-skills-registry.md +63 -0
- package/.merlin-core/skills/domain/ops-manual/references/operations-template.yaml +132 -0
- package/.merlin-core/skills/domain/remotion-best-practices/SKILL.md +99 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/3d.md +86 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/animations.md +27 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +108 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/assets.md +78 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/audio.md +172 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/calculate-metadata.md +131 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/can-decode.md +75 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/charts.md +68 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/compositions.md +154 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/display-captions.md +126 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/extract-frames.md +229 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/fonts.md +152 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/get-audio-duration.md +58 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/get-video-dimensions.md +68 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/get-video-duration.md +58 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/gifs.md +144 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/images.md +134 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/import-srt-captions.md +67 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/lottie.md +70 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/maps.md +414 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/measuring-text.md +143 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/parameters.md +109 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/sequencing.md +118 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/tailwind.md +11 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/text-animations.md +20 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/timing.md +179 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/transcribe-captions.md +19 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/transitions.md +137 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/transparent-videos.md +106 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/trimming.md +51 -0
- package/.merlin-core/skills/domain/remotion-best-practices/rules/videos.md +171 -0
- package/.merlin-core/skills/domain/resend-email/SKILL.md +377 -0
- package/.merlin-core/skills/general/adversarial-review/SKILL.md +144 -0
- package/.merlin-core/skills/general/api-design/SKILL.md +513 -0
- package/.merlin-core/skills/general/apify-scrape/SKILL.md +137 -0
- package/.merlin-core/skills/general/apify-scrape/scripts/apify-scrape.sh +68 -0
- package/.merlin-core/skills/general/backup/SKILL.md +87 -0
- package/.merlin-core/skills/general/blkskrn/SKILL.md +392 -0
- package/.merlin-core/skills/general/blkskrn/references/animation-patterns.md +521 -0
- package/.merlin-core/skills/general/blkskrn/references/design-system.md +637 -0
- package/.merlin-core/skills/general/blkskrn/references/html-templates.md +440 -0
- package/.merlin-core/skills/general/blkskrn/references/presenter-template.md +45 -0
- package/.merlin-core/skills/general/blkskrn/references/slide-types.md +424 -0
- package/.merlin-core/skills/general/blkskrn/scripts/canvas-manager.js +502 -0
- package/.merlin-core/skills/general/blkskrn/scripts/presenter.js +90 -0
- package/.merlin-core/skills/general/blkskrn/templates/presenter.html +273 -0
- package/.merlin-core/skills/general/blkskrn/templates/slide-base.html +277 -0
- package/.merlin-core/skills/general/blkskrn/templates/viewer.html +165 -0
- package/.merlin-core/skills/general/browser-takeover/SKILL.md +53 -0
- package/.merlin-core/skills/general/claude-api/SKILL.md +90 -0
- package/.merlin-core/skills/general/code-javascript/SKILL.md +268 -0
- package/.merlin-core/skills/general/code-python/SKILL.md +424 -0
- package/.merlin-core/skills/general/code-style/SKILL.md +97 -0
- package/.merlin-core/skills/general/code-typescript/SKILL.md +361 -0
- package/.merlin-core/skills/general/cold-email/SKILL.md +164 -0
- package/.merlin-core/skills/general/cold-email/references/benchmarks.md +18 -0
- package/.merlin-core/skills/general/cold-email/references/follow-up-sequences.md +18 -0
- package/.merlin-core/skills/general/cold-email/references/frameworks.md +18 -0
- package/.merlin-core/skills/general/cold-email/references/personalization.md +18 -0
- package/.merlin-core/skills/general/cold-email/references/subject-lines.md +18 -0
- package/.merlin-core/skills/general/container-security/SKILL.md +462 -0
- package/.merlin-core/skills/general/context-management/SKILL.md +79 -0
- package/.merlin-core/skills/general/copy-editing/SKILL.md +501 -0
- package/.merlin-core/skills/general/copy-editing/references/checklist.md +18 -0
- package/.merlin-core/skills/general/copy-editing/references/content-refresh.md +18 -0
- package/.merlin-core/skills/general/copy-editing/references/plain-english-alternatives.md +18 -0
- package/.merlin-core/skills/general/copywriting/SKILL.md +294 -0
- package/.merlin-core/skills/general/copywriting/references/copy-frameworks.md +392 -0
- package/.merlin-core/skills/general/copywriting/references/natural-transitions.md +276 -0
- package/.merlin-core/skills/general/database/SKILL.md +561 -0
- package/.merlin-core/skills/general/database/references/postgres-concurrency.md +182 -0
- package/.merlin-core/skills/general/database/references/postgres-connections.md +97 -0
- package/.merlin-core/skills/general/database/references/postgres-data-patterns.md +159 -0
- package/.merlin-core/skills/general/database/references/postgres-monitoring.md +136 -0
- package/.merlin-core/skills/general/database/references/postgres-rls.md +140 -0
- package/.merlin-core/skills/general/database-provision/SKILL.md +56 -0
- package/.merlin-core/skills/general/deploy/SKILL.md +65 -0
- package/.merlin-core/skills/general/design-inspiration/SKILL.md +146 -0
- package/.merlin-core/skills/general/design-palette/SKILL.md +99 -0
- package/.merlin-core/skills/general/design-palette/references/full-palettes.md +144 -0
- package/.merlin-core/skills/general/design-system/SKILL.md +94 -0
- package/.merlin-core/skills/general/design-typography/SKILL.md +115 -0
- package/.merlin-core/skills/general/design-typography/references/full-pairings.md +144 -0
- package/.merlin-core/skills/general/design-ux-patterns/SKILL.md +155 -0
- package/.merlin-core/skills/general/design-ux-patterns/references/charts-data-guidelines.md +197 -0
- package/.merlin-core/skills/general/design-ux-patterns/references/landing-patterns.md +199 -0
- package/.merlin-core/skills/general/design-ux-patterns/references/professional-ui-checklist.md +56 -0
- package/.merlin-core/skills/general/design-ux-patterns/references/style-catalog.md +89 -0
- package/.merlin-core/skills/general/design-ux-patterns/references/ux-guidelines.md +837 -0
- package/.merlin-core/skills/general/discover-cloud/SKILL.md +108 -0
- package/.merlin-core/skills/general/doc-sync/SKILL.md +52 -0
- package/.merlin-core/skills/general/document-sharding/SKILL.md +53 -0
- package/.merlin-core/skills/general/docx/SKILL.md +418 -0
- package/.merlin-core/skills/general/docx/references/windows-setup.md +27 -0
- package/.merlin-core/skills/general/docx/scripts/__init__.py +1 -0
- package/.merlin-core/skills/general/docx/scripts/accept_changes.py +135 -0
- package/.merlin-core/skills/general/docx/scripts/comment.py +318 -0
- package/.merlin-core/skills/general/docx/scripts/office/__init__.py +0 -0
- package/.merlin-core/skills/general/docx/scripts/office/helpers/__init__.py +0 -0
- package/.merlin-core/skills/general/docx/scripts/office/helpers/merge_runs.py +199 -0
- package/.merlin-core/skills/general/docx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/.merlin-core/skills/general/docx/scripts/office/pack.py +159 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/.merlin-core/skills/general/docx/scripts/office/soffice.py +183 -0
- package/.merlin-core/skills/general/docx/scripts/office/unpack.py +132 -0
- package/.merlin-core/skills/general/docx/scripts/office/validate.py +111 -0
- package/.merlin-core/skills/general/docx/scripts/office/validators/__init__.py +15 -0
- package/.merlin-core/skills/general/docx/scripts/office/validators/base.py +847 -0
- package/.merlin-core/skills/general/docx/scripts/office/validators/docx.py +446 -0
- package/.merlin-core/skills/general/docx/scripts/office/validators/pptx.py +275 -0
- package/.merlin-core/skills/general/docx/scripts/office/validators/redlining.py +247 -0
- package/.merlin-core/skills/general/docx/scripts/templates/comments.xml +3 -0
- package/.merlin-core/skills/general/docx/scripts/templates/commentsExtended.xml +3 -0
- package/.merlin-core/skills/general/docx/scripts/templates/commentsExtensible.xml +3 -0
- package/.merlin-core/skills/general/docx/scripts/templates/commentsIds.xml +3 -0
- package/.merlin-core/skills/general/docx/scripts/templates/people.xml +3 -0
- package/.merlin-core/skills/general/elicitation/SKILL.md +188 -0
- package/.merlin-core/skills/general/engineering-audit/SKILL.md +122 -0
- package/.merlin-core/skills/general/find-and-edit/SKILL.md +102 -0
- package/.merlin-core/skills/general/first-party-docs/SKILL.md +51 -0
- package/.merlin-core/skills/general/frontend-design/SKILL.md +204 -0
- package/.merlin-core/skills/general/guardrails/SKILL.md +144 -0
- package/.merlin-core/skills/general/image-gen/SKILL.md +49 -0
- package/.merlin-core/skills/general/learning-capture/SKILL.md +192 -0
- package/.merlin-core/skills/general/lgpd-compliance-audit/SKILL.md +448 -0
- package/.merlin-core/skills/general/load-testing/SKILL.md +114 -0
- package/.merlin-core/skills/general/load-testing/docker/Dockerfile.dashboard +21 -0
- package/.merlin-core/skills/general/load-testing/docker/docker-compose.locust.yml +39 -0
- package/.merlin-core/skills/general/load-testing/requirements.txt +1 -0
- package/.merlin-core/skills/general/load-testing/scripts/compare_baseline.py +172 -0
- package/.merlin-core/skills/general/load-testing/scripts/run_local.py +245 -0
- package/.merlin-core/skills/general/load-testing/templates/load_shape_stepped.py +35 -0
- package/.merlin-core/skills/general/load-testing/templates/locustfile_dashboard.py +47 -0
- package/.merlin-core/skills/general/load-testing/templates/threshold_hook.py +36 -0
- package/.merlin-core/skills/general/mage-beauty/SKILL.md +89 -0
- package/.merlin-core/skills/general/mage-beauty/references/anti-patterns.md +148 -0
- package/.merlin-core/skills/general/mage-beauty/references/color-and-contrast.md +87 -0
- package/.merlin-core/skills/general/mage-beauty/references/interaction-design.md +99 -0
- package/.merlin-core/skills/general/mage-beauty/references/motion-design.md +90 -0
- package/.merlin-core/skills/general/mage-beauty/references/remotion-bridge.md +187 -0
- package/.merlin-core/skills/general/mage-beauty/references/responsive-and-multi-format.md +98 -0
- package/.merlin-core/skills/general/mage-beauty/references/spatial-design.md +88 -0
- package/.merlin-core/skills/general/mage-beauty/references/typography.md +60 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-adapt.md +102 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-animate.md +97 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-audit.md +99 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-bolder.md +94 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-cinematic.md +128 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-clarify.md +107 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-colorize.md +106 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-critique.md +88 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-delight.md +98 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-distill.md +97 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-harden.md +79 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-layout.md +104 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-onboard.md +98 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-optimize.md +124 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-overdrive.md +105 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-polish.md +91 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-quieter.md +95 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-rebrand.md +127 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-shape.md +160 -0
- package/.merlin-core/skills/general/mage-beauty/references/verb-typeset.md +109 -0
- package/.merlin-core/skills/general/mage-beauty/references/voice-and-microcopy.md +137 -0
- package/.merlin-core/skills/general/mcp-builder/SKILL.md +92 -0
- package/.merlin-core/skills/general/network-debug/SKILL.md +51 -0
- package/.merlin-core/skills/general/next-best-practices/SKILL.md +177 -0
- package/.merlin-core/skills/general/next-best-practices/references/async-patterns.md +87 -0
- package/.merlin-core/skills/general/next-best-practices/references/bundling.md +182 -0
- package/.merlin-core/skills/general/next-best-practices/references/data-patterns.md +306 -0
- package/.merlin-core/skills/general/next-best-practices/references/debug-tricks.md +125 -0
- package/.merlin-core/skills/general/next-best-practices/references/directives.md +74 -0
- package/.merlin-core/skills/general/next-best-practices/references/error-handling.md +232 -0
- package/.merlin-core/skills/general/next-best-practices/references/file-conventions.md +141 -0
- package/.merlin-core/skills/general/next-best-practices/references/font.md +257 -0
- package/.merlin-core/skills/general/next-best-practices/references/functions.md +108 -0
- package/.merlin-core/skills/general/next-best-practices/references/hydration-error.md +88 -0
- package/.merlin-core/skills/general/next-best-practices/references/image.md +179 -0
- package/.merlin-core/skills/general/next-best-practices/references/metadata.md +296 -0
- package/.merlin-core/skills/general/next-best-practices/references/parallel-routes.md +298 -0
- package/.merlin-core/skills/general/next-best-practices/references/route-handlers.md +146 -0
- package/.merlin-core/skills/general/next-best-practices/references/rsc-boundaries.md +164 -0
- package/.merlin-core/skills/general/next-best-practices/references/runtime-selection.md +40 -0
- package/.merlin-core/skills/general/next-best-practices/references/scripts.md +141 -0
- package/.merlin-core/skills/general/next-best-practices/references/self-hosting.md +384 -0
- package/.merlin-core/skills/general/next-best-practices/references/suspense-boundaries.md +67 -0
- package/.merlin-core/skills/general/next-steps/SKILL.md +43 -0
- package/.merlin-core/skills/general/party-mode/SKILL.md +57 -0
- package/.merlin-core/skills/general/pdf/SKILL.md +298 -0
- package/.merlin-core/skills/general/pdf/references/forms.md +312 -0
- package/.merlin-core/skills/general/pdf/references/reference.md +640 -0
- package/.merlin-core/skills/general/pdf/references/windows-setup.md +40 -0
- package/.merlin-core/skills/general/pdf/scripts/check_bounding_boxes.py +65 -0
- package/.merlin-core/skills/general/pdf/scripts/check_fillable_fields.py +11 -0
- package/.merlin-core/skills/general/pdf/scripts/convert_pdf_to_images.py +33 -0
- package/.merlin-core/skills/general/pdf/scripts/create_validation_image.py +37 -0
- package/.merlin-core/skills/general/pdf/scripts/extract_form_field_info.py +122 -0
- package/.merlin-core/skills/general/pdf/scripts/extract_form_structure.py +115 -0
- package/.merlin-core/skills/general/pdf/scripts/fill_fillable_fields.py +98 -0
- package/.merlin-core/skills/general/pdf/scripts/fill_pdf_form_with_annotations.py +107 -0
- package/.merlin-core/skills/general/pptx/SKILL.md +133 -0
- package/.merlin-core/skills/general/pptx/references/editing.md +213 -0
- package/.merlin-core/skills/general/pptx/references/pptxgenjs.md +581 -0
- package/.merlin-core/skills/general/pptx/references/windows-setup.md +27 -0
- package/.merlin-core/skills/general/pptx/scripts/__init__.py +0 -0
- package/.merlin-core/skills/general/pptx/scripts/add_slide.py +195 -0
- package/.merlin-core/skills/general/pptx/scripts/clean.py +286 -0
- package/.merlin-core/skills/general/pptx/scripts/thumbnail.py +289 -0
- package/.merlin-core/skills/general/property-testing/SKILL.md +214 -0
- package/.merlin-core/skills/general/purge-leaked-secret/SKILL.md +383 -0
- package/.merlin-core/skills/general/reflection/SKILL.md +100 -0
- package/.merlin-core/skills/general/secret-safe-commit/SKILL.md +246 -0
- package/.merlin-core/skills/general/secret-safe-commit/templates/.gitleaks.toml +91 -0
- package/.merlin-core/skills/general/secret-safe-commit/templates/.pre-commit-config.yaml +57 -0
- package/.merlin-core/skills/general/secret-safe-commit/templates/secret-scan.yml +48 -0
- package/.merlin-core/skills/general/semantic-search/SKILL.md +79 -0
- package/.merlin-core/skills/general/skill-creator/SKILL.md +342 -0
- package/.merlin-core/skills/general/skill-creator/agents/analyzer.md +283 -0
- package/.merlin-core/skills/general/skill-creator/agents/comparator.md +211 -0
- package/.merlin-core/skills/general/skill-creator/agents/grader.md +227 -0
- package/.merlin-core/skills/general/skill-creator/assets/eval_review.html +146 -0
- package/.merlin-core/skills/general/skill-creator/eval-viewer/generate_review.py +471 -0
- package/.merlin-core/skills/general/skill-creator/eval-viewer/viewer.html +1325 -0
- package/.merlin-core/skills/general/skill-creator/references/schemas.md +439 -0
- package/.merlin-core/skills/general/skill-creator/scripts/__init__.py +0 -0
- package/.merlin-core/skills/general/skill-creator/scripts/aggregate_benchmark.py +401 -0
- package/.merlin-core/skills/general/skill-creator/scripts/generate_report.py +326 -0
- package/.merlin-core/skills/general/skill-creator/scripts/improve_description.py +247 -0
- package/.merlin-core/skills/general/skill-creator/scripts/package_skill.py +136 -0
- package/.merlin-core/skills/general/skill-creator/scripts/quick_validate.py +103 -0
- package/.merlin-core/skills/general/skill-creator/scripts/run_eval.py +310 -0
- package/.merlin-core/skills/general/skill-creator/scripts/run_loop.py +328 -0
- package/.merlin-core/skills/general/skill-creator/scripts/utils.py +47 -0
- package/.merlin-core/skills/general/start-here/SKILL.md +63 -0
- package/.merlin-core/skills/general/start-here/recipes.json +758 -0
- package/.merlin-core/skills/general/start-here/recipes.schema.json +57 -0
- package/.merlin-core/skills/general/static-analysis/SKILL.md +151 -0
- package/.merlin-core/skills/general/tailwind-design-system/SKILL.md +201 -0
- package/.merlin-core/skills/general/tailwind-design-system/references/advanced-v4.md +152 -0
- package/.merlin-core/skills/general/tailwind-design-system/references/component-patterns.md +353 -0
- package/.merlin-core/skills/general/teach-method/SKILL.md +86 -0
- package/.merlin-core/skills/general/team-execution/SKILL.md +67 -0
- package/.merlin-core/skills/general/testing/SKILL.md +412 -0
- package/.merlin-core/skills/general/token-economy/SKILL.md +55 -0
- package/.merlin-core/skills/general/vps-security-hardening/SKILL.md +406 -0
- package/.merlin-core/skills/general/web-quality/SKILL.md +180 -0
- package/.merlin-core/skills/general/webapp-testing/SKILL.md +153 -0
- package/.merlin-core/skills/general/webapp-testing/scripts/screenshot_compare.py +72 -0
- package/.merlin-core/skills/general/webapp-testing/scripts/with_server.py +103 -0
- package/.merlin-core/skills/general/xlsx/SKILL.md +167 -0
- package/.merlin-core/skills/general/xlsx/references/nodejs-sheetjs-styled-reports.md +141 -0
- package/.merlin-core/skills/general/xlsx/references/windows-setup.md +17 -0
- package/.merlin-core/skills/general/xlsx/scripts/recalc.py +184 -0
- package/.merlin-core/skills/general/xlsx/scripts/styled-report.js +130 -0
- package/.merlin-core/skills/general/yolo-mode/SKILL.md +60 -0
- package/.merlin-core/skills/general/youtube-transcript/SKILL.md +177 -0
- package/.merlin-core/skills/general/youtube-transcript/scripts/fetch_transcript.py +188 -0
- package/.merlin-core/skills/general/youtube-transcript/scripts/gladia_transcribe.mjs +230 -0
- package/.merlin-core/tools/commands/activate.js +72 -0
- package/.merlin-core/tools/commands/archive-thoughts.js +181 -0
- package/.merlin-core/tools/commands/backup.js +156 -0
- package/.merlin-core/tools/commands/certify-process.js +196 -0
- package/.merlin-core/tools/commands/convert.js +87 -0
- package/.merlin-core/tools/commands/cron.js +147 -0
- package/.merlin-core/tools/commands/disable.js +73 -0
- package/.merlin-core/tools/commands/doc-sync.js +127 -0
- package/.merlin-core/tools/commands/eval-skill.js +193 -0
- package/.merlin-core/tools/commands/frontmatter.js +49 -0
- package/.merlin-core/tools/commands/heartbeat.js +43 -0
- package/.merlin-core/tools/commands/index-thoughts.js +35 -0
- package/.merlin-core/tools/commands/install-remote-approve.js +184 -0
- package/.merlin-core/tools/commands/install.js +81 -0
- package/.merlin-core/tools/commands/lib/__verify__/diff-reports.js +170 -0
- package/.merlin-core/tools/commands/lib/fs-safe.js +186 -0
- package/.merlin-core/tools/commands/lib/preflight.js +607 -0
- package/.merlin-core/tools/commands/lib/preserve.js +232 -0
- package/.merlin-core/tools/commands/lib/project-config.template.yaml +69 -0
- package/.merlin-core/tools/commands/lib/report.js +231 -0
- package/.merlin-core/tools/commands/lib/settings-merge.js +134 -0
- package/.merlin-core/tools/commands/license.js +52 -0
- package/.merlin-core/tools/commands/list.js +125 -0
- package/.merlin-core/tools/commands/migrate-alkimia.js +271 -0
- package/.merlin-core/tools/commands/modules.js +68 -0
- package/.merlin-core/tools/commands/provision.js +83 -0
- package/.merlin-core/tools/commands/prune-feedback.js +114 -0
- package/.merlin-core/tools/commands/run-process.js +28 -0
- package/.merlin-core/tools/commands/state.js +79 -0
- package/.merlin-core/tools/commands/sync-bridges.js +197 -0
- package/.merlin-core/tools/commands/upgrade.js +1135 -0
- package/.merlin-core/tools/commands/validate-recipes.js +218 -0
- package/.merlin-core/tools/commands/validate.js +159 -0
- package/.merlin-core/tools/commands/yolo.js +82 -0
- package/.merlin-core/tools/compose-rules.mjs +179 -0
- package/.merlin-core/tools/disable-module.mjs +150 -0
- package/.merlin-core/tools/lib/deployer.mjs +131 -0
- package/.merlin-core/tools/lib/modules-activation.mjs +225 -0
- package/.merlin-core/tools/merlin-tools.js +153 -0
- package/.merlin-core/tools/migrate-frontmatter-v3.js +192 -0
- package/.merlin-core/tools/modules-catalog.mjs +174 -0
- package/.merlin-core/tools/provision-module.mjs +191 -0
- package/.merlin-core/tools/verify-module.mjs +99 -0
- package/.merlin-core/tools/vps-security-audit.sh +234 -0
- package/INSTALL.md +312 -0
- package/LICENSE +118 -0
- package/PRIVACY-LICENSING.md +65 -0
- package/README.md +391 -0
- package/bin/README.md +15 -0
- package/bin/convert-to-merlin.sh +109 -0
- package/bin/fleet-patch-hooks.sh +144 -0
- package/bin/fleet-patch-v3-fixes.sh +127 -0
- package/bin/merlin-init.js +232 -0
- package/bin/merlin.js +321 -0
- package/package.json +127 -0
|
@@ -0,0 +1,383 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: purge-leaked-secret
|
|
3
|
+
description: Reactive runbook for when a credential is exposed (committed to git, pushed to GitHub, or visible in working tree). Rotate first, clean second, audit third. Companion to secret-safe-commit (which prevents the leak in the first place).
|
|
4
|
+
license: Apache-2.0
|
|
5
|
+
metadata:
|
|
6
|
+
author: merlin-framework
|
|
7
|
+
version: "3.0.0"
|
|
8
|
+
auto_activate:
|
|
9
|
+
[
|
|
10
|
+
purge-secret,
|
|
11
|
+
leaked-secret,
|
|
12
|
+
credential-rotation,
|
|
13
|
+
gitleaks-finding,
|
|
14
|
+
secret-incident,
|
|
15
|
+
git-history-clean,
|
|
16
|
+
]
|
|
17
|
+
tool_reminders:
|
|
18
|
+
[
|
|
19
|
+
Rotate the credential FIRST before doing any cleanup — every minute the old key works is a window of exposure,
|
|
20
|
+
Assume the secret is compromised even if exposure was brief — never skip rotation,
|
|
21
|
+
Git history rewrites (filter-repo) are usually overkill once the secret is rotated — focus effort on rotation + future prevention,
|
|
22
|
+
Document the incident in thoughts/shared/incidents/ even for self-caught leaks (pattern data informs prevention),
|
|
23
|
+
Never paste the leaked secret into agent logs / chat / commit messages — even after rotation it's a habit that breeds future leaks,
|
|
24
|
+
]
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
# Purge Leaked Secret Skill
|
|
28
|
+
|
|
29
|
+
**Mission:** When a secret leaks — whether caught by gitleaks before commit,
|
|
30
|
+
discovered post-commit by audit, or reported by an external party — execute a
|
|
31
|
+
deterministic 5-phase response that minimizes exposure window and prevents
|
|
32
|
+
recurrence.
|
|
33
|
+
|
|
34
|
+
This skill is the reactive twin of `secret-safe-commit` (preventive). The
|
|
35
|
+
preventive skill stops 99% of leaks from happening; this one handles the 1%
|
|
36
|
+
that get through (or were there before the preventive skill was installed —
|
|
37
|
+
e.g., the 3 credential files we found in a real project).
|
|
38
|
+
|
|
39
|
+
---
|
|
40
|
+
|
|
41
|
+
## When this skill activates
|
|
42
|
+
|
|
43
|
+
- Gitleaks detects a finding (during `/safe-commit` or CI)
|
|
44
|
+
- User mentions "leaked", "exposed credential", "rotate", "key compromised"
|
|
45
|
+
- Engineering audit flags hardcoded credentials in code review
|
|
46
|
+
- External party (security researcher, GitHub secret scanning) reports an exposed secret
|
|
47
|
+
- After running baseline `gitleaks detect --log-opts="--all"` on a project for the first time
|
|
48
|
+
|
|
49
|
+
---
|
|
50
|
+
|
|
51
|
+
## Core principle: Rotation > Cleanup
|
|
52
|
+
|
|
53
|
+
**Every minute the old credential is valid is a window of exposure.** A
|
|
54
|
+
rotated credential that exists in git history is harmless (the value no
|
|
55
|
+
longer authorizes anything). An unrotated credential that's been "scrubbed"
|
|
56
|
+
from git history with `filter-repo` is still active in attacker tooling that
|
|
57
|
+
cloned before the scrub.
|
|
58
|
+
|
|
59
|
+
Order of operations is non-negotiable:
|
|
60
|
+
|
|
61
|
+
1. **Rotate** (revokes the leaked value upstream)
|
|
62
|
+
2. **Remove from disk** (working tree + .gitignore)
|
|
63
|
+
3. **Optionally clean git history** (only if compliance requires it)
|
|
64
|
+
4. **Audit + document** (what leaked, when, blast radius)
|
|
65
|
+
5. **Prevent recurrence** (install secret-safe-commit if not already)
|
|
66
|
+
|
|
67
|
+
---
|
|
68
|
+
|
|
69
|
+
## The 5-phase protocol
|
|
70
|
+
|
|
71
|
+
### Phase 1 — IDENTIFY (60 seconds)
|
|
72
|
+
|
|
73
|
+
For each leaked credential, answer:
|
|
74
|
+
|
|
75
|
+
| Question | Where to look |
|
|
76
|
+
| ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
77
|
+
| What type of credential? | The secret prefix usually identifies it: `AKIA*`=AWS, `ghp_*`=GitHub PAT, `AIza*`=Google API key, `sk_*`=Stripe, `re_*`=Resend, `eyJ*`=JWT, `-----BEGIN*`=private key, `GOCSPX-*`=Google OAuth client secret, `APP_USR-*`=Mercado Pago |
|
|
78
|
+
| Which file? | gitleaks output reports `File:` and `Line:` |
|
|
79
|
+
| Is it in git history? | `git log --all --full-history -p -S "<partial_secret>" -- '*'` |
|
|
80
|
+
| When was it first committed? | `git log --all --full-history --diff-filter=A -- <filepath>` |
|
|
81
|
+
| Has it been pushed to remote? | `git log @{upstream}.. --oneline` shows unpushed; if missing, it's pushed |
|
|
82
|
+
| Public or private repo? | `gh repo view --json visibility -q .visibility` |
|
|
83
|
+
|
|
84
|
+
**Severity matrix:**
|
|
85
|
+
|
|
86
|
+
| Pushed to public repo | Pushed to private repo | Local commit only | Working tree only |
|
|
87
|
+
| ------------------------------------------------------------------------------- | -------------------------------------------------------------------- | --------------------------------------------- | ------------------------------------- |
|
|
88
|
+
| 🔴 CRITICAL — assume compromised within minutes (bots scrape GH within seconds) | 🟠 HIGH — assume compromised if anyone with repo access is untrusted | 🟡 MEDIUM — exposure to local OS/backup tools | 🟢 LOW — exposure to dev machine only |
|
|
89
|
+
|
|
90
|
+
### Phase 2 — ROTATE (5–30 minutes, depending on credential type)
|
|
91
|
+
|
|
92
|
+
This is the ONLY step that actually closes the exposure. Do it FIRST, before
|
|
93
|
+
any cleanup. Do NOT skip "because I'll clean it up quick" — assume the secret
|
|
94
|
+
is compromised.
|
|
95
|
+
|
|
96
|
+
**Rotation procedures by credential type:**
|
|
97
|
+
|
|
98
|
+
| Credential | Where to rotate | Approximate time |
|
|
99
|
+
| ---------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- |
|
|
100
|
+
| **Firebase Admin SDK key** | console.firebase.google.com → Project Settings → Service Accounts → "Generate new private key" → after testing new key works, click "Delete" on old | 5 min |
|
|
101
|
+
| **Google OAuth client secret** | console.cloud.google.com → APIs & Services → Credentials → click client → "Reset Secret" | 3 min |
|
|
102
|
+
| **Google API key** | console.cloud.google.com → APIs & Services → Credentials → "Regenerate key" | 2 min |
|
|
103
|
+
| **GitHub PAT (`ghp_*`)** | github.com/settings/tokens → revoke old, generate new with same scopes | 5 min |
|
|
104
|
+
| **GitHub fine-grained token (`github_pat_*`)** | github.com/settings/personal-access-tokens → revoke + regenerate | 5 min |
|
|
105
|
+
| **AWS access key (`AKIA*`)** | IAM console → Users → Security Credentials → Make active key Inactive → Create new → Test → Delete inactive | 10 min |
|
|
106
|
+
| **Stripe (`sk_live_*` / `sk_test_*`)** | dashboard.stripe.com → Developers → API keys → Roll | 3 min |
|
|
107
|
+
| **Mercado Pago access token (`APP_USR-*`)** | mercadopago.com.br → Aplicações → Credentials → Reset | 5 min |
|
|
108
|
+
| **OpenAI API key (`sk-*`)** | platform.openai.com → API keys → Revoke + Create new | 3 min |
|
|
109
|
+
| **Anthropic API key (`sk-ant-*`)** | console.anthropic.com → API Keys → Delete + Create | 3 min |
|
|
110
|
+
| **Resend API key (`re_*`)** | resend.com/api-keys → Delete + Create | 3 min |
|
|
111
|
+
| **Mailgun / Sendgrid** | Provider dashboard → API keys section | 5 min |
|
|
112
|
+
| **Database password** | Connect via root, `ALTER USER ... PASSWORD ...`, update env vars across all consumers atomically | 15 min |
|
|
113
|
+
| **SSH private key** | Generate new keypair (`ssh-keygen -t ed25519`), install on server, REMOVE OLD pubkey from authorized_keys | 10 min |
|
|
114
|
+
| **JWT signing secret** | Rotate the signing key in your auth service config — invalidates ALL outstanding tokens (users will need to re-login) | 15 min |
|
|
115
|
+
| **Webhook signing secret** | Provider dashboard → Webhooks → Roll secret → update consumer env var | 10 min |
|
|
116
|
+
|
|
117
|
+
**Universal rotation checklist (after generating new value):**
|
|
118
|
+
|
|
119
|
+
- [ ] Update env var / secret manager (Firebase Secrets, Infisical, GitHub Secrets, etc.)
|
|
120
|
+
- [ ] Test the new value works (smoke test the integration)
|
|
121
|
+
- [ ] Revoke / delete the old value upstream
|
|
122
|
+
- [ ] Update local `.env` (NOT committed) if used in development
|
|
123
|
+
- [ ] Notify any teammate who might have the old value cached
|
|
124
|
+
- [ ] If the secret is in CI: confirm CI now uses the new value before next deploy
|
|
125
|
+
|
|
126
|
+
### Phase 3 — REMOVE (5 minutes)
|
|
127
|
+
|
|
128
|
+
Now that the upstream is rotated, clean up the leaked file:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
# 1. Remove from working tree
|
|
132
|
+
rm <leaked-file>
|
|
133
|
+
|
|
134
|
+
# 2. Add to .gitignore by literal name (don't rely on patterns)
|
|
135
|
+
echo "<leaked-file>" >> .gitignore
|
|
136
|
+
|
|
137
|
+
# 3. Stage the .gitignore change + the deletion
|
|
138
|
+
git add .gitignore
|
|
139
|
+
git rm --cached <leaked-file> # if it was tracked
|
|
140
|
+
|
|
141
|
+
# 4. Commit (use /safe-commit which now has gitleaks pre-flight)
|
|
142
|
+
/safe-commit "security: remove rotated credential file <name>"
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
If the leaked credential was hardcoded INSIDE source code (not a separate
|
|
146
|
+
file), edit the code to use an env var / secret manager reference, then
|
|
147
|
+
commit normally.
|
|
148
|
+
|
|
149
|
+
### Phase 4 — DECIDE: clean git history or accept?
|
|
150
|
+
|
|
151
|
+
This is the hardest phase. Most teams over-rotate to git-filter-repo when
|
|
152
|
+
it's not necessary.
|
|
153
|
+
|
|
154
|
+
**When to leave history alone (common case):**
|
|
155
|
+
|
|
156
|
+
- Credential is rotated → old value is dead → presence in history is a
|
|
157
|
+
historical curiosity, not a vulnerability
|
|
158
|
+
- Repo is private → blast radius is limited to people who already have access
|
|
159
|
+
- Rewrite would require force-push + everyone re-cloning + breaks any open PRs
|
|
160
|
+
- Cost > benefit for already-invalid secrets
|
|
161
|
+
|
|
162
|
+
**When to actually clean history:**
|
|
163
|
+
|
|
164
|
+
- Compliance requires it (SOC 2 Type II, HIPAA, PCI-DSS audit explicit clause)
|
|
165
|
+
- The credential is a long-lived shared resource that can't be fully rotated
|
|
166
|
+
(e.g., a hardcoded customer's actual phone number that violates LGPD)
|
|
167
|
+
- Repo is public AND the secret is for an account that contains regulated data
|
|
168
|
+
|
|
169
|
+
**If you decide to clean (use git-filter-repo, NOT the deprecated git filter-branch):**
|
|
170
|
+
|
|
171
|
+
```bash
|
|
172
|
+
# Install
|
|
173
|
+
pip install git-filter-repo
|
|
174
|
+
|
|
175
|
+
# Backup the repo first (filter-repo is destructive)
|
|
176
|
+
git clone --mirror <repo> <repo>-backup
|
|
177
|
+
|
|
178
|
+
# Remove a specific file from all history
|
|
179
|
+
git filter-repo --path <leaked-file> --invert-paths
|
|
180
|
+
|
|
181
|
+
# OR remove a specific string from all history (more surgical, slower)
|
|
182
|
+
git filter-repo --replace-text <(echo "<leaked-string>==>REDACTED")
|
|
183
|
+
|
|
184
|
+
# Force-push to remote (this is destructive — coordinate with team)
|
|
185
|
+
git push --force-with-lease --all
|
|
186
|
+
git push --force-with-lease --tags
|
|
187
|
+
|
|
188
|
+
# Notify all collaborators to re-clone (their local refs will be diverged)
|
|
189
|
+
```
|
|
190
|
+
|
|
191
|
+
**After force-push:** GitHub may still cache the old commits via the API for
|
|
192
|
+
~24h. The data is no longer reachable but old SHAs may resolve briefly. Do
|
|
193
|
+
NOT count history rewrite as "the secret is now gone" — count rotation as
|
|
194
|
+
that.
|
|
195
|
+
|
|
196
|
+
### Phase 5 — DOCUMENT + PREVENT (15 minutes)
|
|
197
|
+
|
|
198
|
+
#### Incident document
|
|
199
|
+
|
|
200
|
+
Create `.merlin-core/thoughts/shared/incidents/YYYY-MM-DD-<short-name>.md`:
|
|
201
|
+
|
|
202
|
+
```markdown
|
|
203
|
+
---
|
|
204
|
+
date: 2026-04-27
|
|
205
|
+
incident_type: secret_leak
|
|
206
|
+
severity: HIGH # CRITICAL/HIGH/MEDIUM/LOW per matrix in Phase 1
|
|
207
|
+
status: resolved
|
|
208
|
+
---
|
|
209
|
+
|
|
210
|
+
# Incident: <Short name>
|
|
211
|
+
|
|
212
|
+
## What leaked
|
|
213
|
+
|
|
214
|
+
- Credential type: <e.g., Firebase Admin SDK private key>
|
|
215
|
+
- File: <path>
|
|
216
|
+
- First committed: <date or "working tree only">
|
|
217
|
+
- Pushed to remote: yes/no, when
|
|
218
|
+
- Repo visibility at time of leak: public/private
|
|
219
|
+
|
|
220
|
+
## How discovered
|
|
221
|
+
|
|
222
|
+
- Detection method: <gitleaks pre-commit / CI scan / external report / manual audit>
|
|
223
|
+
- Detected by: <person or system>
|
|
224
|
+
- Detection date: <ISO 8601>
|
|
225
|
+
|
|
226
|
+
## Blast radius
|
|
227
|
+
|
|
228
|
+
- Estimated exposure window: <minutes/hours/days>
|
|
229
|
+
- Systems accessible with leaked credential: <list>
|
|
230
|
+
- Evidence of unauthorized access in logs: <yes/no, summary>
|
|
231
|
+
|
|
232
|
+
## Response timeline
|
|
233
|
+
|
|
234
|
+
- HH:MM - leak detected
|
|
235
|
+
- HH:MM - rotation started for credential X
|
|
236
|
+
- HH:MM - rotation complete + tested
|
|
237
|
+
- HH:MM - file removed from working tree + .gitignore updated
|
|
238
|
+
- HH:MM - decision: <history rewrite yes/no, reasoning>
|
|
239
|
+
- HH:MM - incident closed
|
|
240
|
+
|
|
241
|
+
## Root cause
|
|
242
|
+
|
|
243
|
+
- <e.g., file was generated by `firebase init` and not auto-added to .gitignore>
|
|
244
|
+
- <e.g., developer pasted secret into code instead of env var because deadline pressure>
|
|
245
|
+
|
|
246
|
+
## Prevention actions
|
|
247
|
+
|
|
248
|
+
- [ ] Installed `secret-safe-commit` skill / verified gitleaks pre-commit active
|
|
249
|
+
- [ ] Added file pattern to project `.gitleaks.toml` if applicable
|
|
250
|
+
- [ ] Added file by literal name to `.gitignore`
|
|
251
|
+
- [ ] Documented in team runbook
|
|
252
|
+
```
|
|
253
|
+
|
|
254
|
+
#### Install secret-safe-commit if not already
|
|
255
|
+
|
|
256
|
+
If this leak happened because the project didn't have gitleaks pre-commit:
|
|
257
|
+
|
|
258
|
+
```bash
|
|
259
|
+
# In the affected project root:
|
|
260
|
+
pip install pre-commit
|
|
261
|
+
cp <merlin-skills>/secret-safe-commit/templates/.pre-commit-config.yaml .
|
|
262
|
+
cp <merlin-skills>/secret-safe-commit/templates/.gitleaks.toml .
|
|
263
|
+
mkdir -p .github/workflows
|
|
264
|
+
cp <merlin-skills>/secret-safe-commit/templates/secret-scan.yml .github/workflows/
|
|
265
|
+
pre-commit install
|
|
266
|
+
```
|
|
267
|
+
|
|
268
|
+
#### Pattern feedback
|
|
269
|
+
|
|
270
|
+
If the leaked credential type wasn't caught by default gitleaks rules
|
|
271
|
+
(unusual prefix, custom internal token), add a custom rule to the project's
|
|
272
|
+
`.gitleaks.toml` AND consider contributing the rule upstream to gitleaks.
|
|
273
|
+
|
|
274
|
+
---
|
|
275
|
+
|
|
276
|
+
## Common gotchas
|
|
277
|
+
|
|
278
|
+
### Gotcha #1 — "I'll just delete the file, no one will notice"
|
|
279
|
+
|
|
280
|
+
If the file was ever committed (even briefly), it's in git history. `rm` only
|
|
281
|
+
removes from working tree. The credential is still discoverable via
|
|
282
|
+
`git log -p`. Always rotate first; never assume "no one saw it".
|
|
283
|
+
|
|
284
|
+
### Gotcha #2 — Rotating in the wrong order leaves a downtime window
|
|
285
|
+
|
|
286
|
+
If you rotate a database password by:
|
|
287
|
+
|
|
288
|
+
1. Update DB to require new password
|
|
289
|
+
2. Update app env var to use new password
|
|
290
|
+
|
|
291
|
+
Step 1 will break the running app until step 2 completes. Reverse the order:
|
|
292
|
+
|
|
293
|
+
1. Add the new password as a SECONDARY accepted password (if your DB supports)
|
|
294
|
+
2. Update app env var
|
|
295
|
+
3. Verify app works with new password
|
|
296
|
+
4. Revoke old password
|
|
297
|
+
|
|
298
|
+
For databases without dual-password support, accept brief downtime and
|
|
299
|
+
schedule rotation during low-traffic window.
|
|
300
|
+
|
|
301
|
+
### Gotcha #3 — Rotating Firebase Admin key invalidates active sessions
|
|
302
|
+
|
|
303
|
+
Firebase Admin SDK service account keys, when rotated, invalidate any cached
|
|
304
|
+
auth state in running Cloud Functions instances. Functions will throw auth
|
|
305
|
+
errors briefly until they re-fetch the new key. Plan rotation during low
|
|
306
|
+
traffic.
|
|
307
|
+
|
|
308
|
+
### Gotcha #4 — `git filter-repo` requires fresh clone
|
|
309
|
+
|
|
310
|
+
`git filter-repo` refuses to operate on a regular working clone (it expects
|
|
311
|
+
a fresh clone or `--force` flag). The intent: prevent accidental rewriting
|
|
312
|
+
of work-in-progress branches. Always clone fresh into a temp dir for
|
|
313
|
+
filter-repo operations.
|
|
314
|
+
|
|
315
|
+
### Gotcha #5 — Force-push doesn't clear GitHub forks
|
|
316
|
+
|
|
317
|
+
If anyone forked the repo before the leak, the secret is in their fork. You
|
|
318
|
+
cannot force-push someone else's fork. Reach out to known forkers; otherwise
|
|
319
|
+
accept the residual exposure (rotation makes it irrelevant anyway).
|
|
320
|
+
|
|
321
|
+
### Gotcha #6 — Cached secrets in dev machines
|
|
322
|
+
|
|
323
|
+
Even after rotation, the OLD credential may still be cached in:
|
|
324
|
+
|
|
325
|
+
- Local `.env` files (update them)
|
|
326
|
+
- Shell history (`history -d <line>`)
|
|
327
|
+
- Editor session restore data
|
|
328
|
+
- Browser autofill (developer tools / API testers)
|
|
329
|
+
- Postman / Insomnia / Bruno collections (rotate stored secrets)
|
|
330
|
+
|
|
331
|
+
Notify all team members to update their local copies.
|
|
332
|
+
|
|
333
|
+
---
|
|
334
|
+
|
|
335
|
+
## Specific runbook: a real 3-credential-file incident
|
|
336
|
+
|
|
337
|
+
This skill was created in response to discovering 3 credential files in the
|
|
338
|
+
working tree:
|
|
339
|
+
|
|
340
|
+
| File | Credential type | Severity | Action |
|
|
341
|
+
| ------------------------------------------------------------------ | ------------------------------------ | --------------------------------------------- | --------------------------------------------------------------- |
|
|
342
|
+
| `client_secret_<PROJECT_NUMBER>-*.apps.googleusercontent.com.json` | Google OAuth client secret | HIGH (if pushed) / LOW (if working-tree only) | Rotate via console.cloud.google.com |
|
|
343
|
+
| `<project>-firebase-adminsdk-fbsvc-<hash>.json` | Firebase Admin SDK private key (RSA) | CRITICAL | Rotate via console.firebase.google.com |
|
|
344
|
+
| `youtube_token.json` | Google OAuth refresh + access tokens | MEDIUM | Revoke via myaccount.google.com → Security → Third-party access |
|
|
345
|
+
|
|
346
|
+
**Pre-flight investigation (CRITICAL — do before deciding severity):**
|
|
347
|
+
|
|
348
|
+
```bash
|
|
349
|
+
cd /path/to/project
|
|
350
|
+
|
|
351
|
+
# Check if any of these files are in git history (any branch, any commit)
|
|
352
|
+
git log --all --oneline -- \
|
|
353
|
+
'client_secret_*.json' \
|
|
354
|
+
'*-firebase-adminsdk-*.json' \
|
|
355
|
+
'youtube_token.json' 2>&1
|
|
356
|
+
|
|
357
|
+
# If output is EMPTY: working-tree only, severity = LOW for all 3
|
|
358
|
+
# If output has commits: pushed status determines CRITICAL vs HIGH
|
|
359
|
+
git log --remotes --oneline -- \
|
|
360
|
+
'client_secret_*.json' \
|
|
361
|
+
'*-firebase-adminsdk-*.json' \
|
|
362
|
+
'youtube_token.json' 2>&1
|
|
363
|
+
|
|
364
|
+
# If second command shows commits: pushed = CRITICAL severity
|
|
365
|
+
```
|
|
366
|
+
|
|
367
|
+
Then proceed through Phases 2-5 above.
|
|
368
|
+
|
|
369
|
+
---
|
|
370
|
+
|
|
371
|
+
## Related skills
|
|
372
|
+
|
|
373
|
+
- **`secret-safe-commit`** — preventive twin (stops the leak from happening)
|
|
374
|
+
- **`engineering-audit`** — security axis includes "leaked credentials in code"
|
|
375
|
+
- **`vps-security-hardening`** — recovery kit pattern (USB) referenced in Phase 2
|
|
376
|
+
- **`incident-response-runbook`** (Tier 3 roadmap) — broader template for any incident type
|
|
377
|
+
|
|
378
|
+
---
|
|
379
|
+
|
|
380
|
+
## References
|
|
381
|
+
|
|
382
|
+
- [GitHub: removing sensitive data from a repository](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)
|
|
383
|
+
- [git-filter-repo official docs](https://github.com/newren/git-filter-repo)
|
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: reflection
|
|
3
|
+
description: Structured metacognition checkpoints for deep reasoning. Forces agents to pause and examine their own thought process before making decisions.
|
|
4
|
+
license: Apache-2.0
|
|
5
|
+
metadata:
|
|
6
|
+
author: merlin-framework
|
|
7
|
+
version: "3.0.0"
|
|
8
|
+
auto_activate: [reflect, rethink, reconsider, reasoning, assumption-check]
|
|
9
|
+
tool_reminders:
|
|
10
|
+
[
|
|
11
|
+
Run the 4-Question Pause before finalizing any plan or architecture decision,
|
|
12
|
+
Use DEEP reflection (with Devil's Advocate) after test failures,
|
|
13
|
+
]
|
|
14
|
+
---
|
|
15
|
+
|
|
16
|
+
# Reflection — Think Tool
|
|
17
|
+
|
|
18
|
+
Structured metacognition protocol for agents to examine their reasoning before committing to decisions.
|
|
19
|
+
|
|
20
|
+
## When to Reflect
|
|
21
|
+
|
|
22
|
+
Trigger a reflection checkpoint at these moments:
|
|
23
|
+
|
|
24
|
+
- After completing research synthesis (before writing the document)
|
|
25
|
+
- Before finalizing an implementation plan
|
|
26
|
+
- When encountering unexpected or contradictory findings
|
|
27
|
+
- Before making architectural trade-offs
|
|
28
|
+
- When uncertain about a decision's implications
|
|
29
|
+
- When switching approaches mid-task
|
|
30
|
+
|
|
31
|
+
## Reflection Protocol
|
|
32
|
+
|
|
33
|
+
### The 4-Question Pause
|
|
34
|
+
|
|
35
|
+
1. **GOAL CHECK:** What am I trying to achieve? Has the original goal drifted? Am I solving the right problem?
|
|
36
|
+
|
|
37
|
+
2. **EVIDENCE CHECK:** What have I found so far? What is the strongest evidence supporting my current direction? What contradicts it? Are there findings I'm ignoring?
|
|
38
|
+
|
|
39
|
+
3. **UNCERTAINTY CHECK:** What am I uncertain about? What assumptions am I making that I haven't validated? What information would change my conclusion?
|
|
40
|
+
|
|
41
|
+
4. **NEXT STEP CHECK:** Given the above, what should I do next? Should I continue on this path, pivot to a different approach, or escalate to the user?
|
|
42
|
+
|
|
43
|
+
## Depth Levels
|
|
44
|
+
|
|
45
|
+
### QUICK Reflection
|
|
46
|
+
|
|
47
|
+
- **Use during:** implementation, debugging, simple decisions
|
|
48
|
+
- **Questions:** GOAL CHECK + NEXT STEP CHECK only
|
|
49
|
+
- **Format:** 2-3 sentences inline
|
|
50
|
+
|
|
51
|
+
### STANDARD Reflection
|
|
52
|
+
|
|
53
|
+
- **Use during:** research synthesis, plan drafting, code review
|
|
54
|
+
- **Questions:** All 4 questions
|
|
55
|
+
- **Format:** Structured block with `> [REFLECTION]` prefix
|
|
56
|
+
|
|
57
|
+
### DEEP Reflection
|
|
58
|
+
|
|
59
|
+
- **Use during:** major architectural decisions, strategy pivots, risk assessment, test failures
|
|
60
|
+
- **Questions:** All 4 questions + Devil's Advocate (argue against your own conclusion)
|
|
61
|
+
- **5th Question — DEVIL'S ADVOCATE:** What could go wrong? What am I missing? Argue against your own conclusion with the strongest counter-arguments you can find.
|
|
62
|
+
- **Format:** Full structured block with counter-argument section
|
|
63
|
+
|
|
64
|
+
## Output Format
|
|
65
|
+
|
|
66
|
+
```markdown
|
|
67
|
+
> [REFLECTION — STANDARD]
|
|
68
|
+
> **Goal:** Building the authentication middleware for the API gateway.
|
|
69
|
+
> **Evidence:** Found 3 existing auth patterns in the codebase. JWT is used everywhere.
|
|
70
|
+
> **Uncertainty:** Unclear if refresh token rotation is required — spec doesn't mention it.
|
|
71
|
+
> **Next:** Proceed with JWT but ask user about refresh token requirement before finalizing.
|
|
72
|
+
```
|
|
73
|
+
|
|
74
|
+
## Anti-Patterns
|
|
75
|
+
|
|
76
|
+
- **Not analysis paralysis.** Reflection is a brief, structured pause — not an excuse to delay.
|
|
77
|
+
- **Not second-guessing.** Don't re-question decisions already validated by evidence.
|
|
78
|
+
- **Not recursive.** One reflection per checkpoint. Don't reflect on your reflection.
|
|
79
|
+
- **Not a substitute for asking.** If you're truly blocked, escalate to the user instead of reflecting indefinitely.
|
|
80
|
+
|
|
81
|
+
## Mandatory Transitions (v2.6.0)
|
|
82
|
+
|
|
83
|
+
The following phase transitions trigger **automatic** reflection checkpoints enforced by `ReflectCheckpointEngine`. These are NOT optional — the gate evaluator will block advancement if reflection fails.
|
|
84
|
+
|
|
85
|
+
| Transition | Depth | Questions |
|
|
86
|
+
| -------------------------------- | -------- | ------------------------------------------------------- |
|
|
87
|
+
| `research_to_architecture` | STANDARD | GOAL, EVIDENCE, UNCERTAINTY, NEXT_STEP |
|
|
88
|
+
| `architecture_to_implementation` | STANDARD | GOAL, EVIDENCE, UNCERTAINTY, NEXT_STEP |
|
|
89
|
+
| `before_commit` | QUICK | GOAL, NEXT_STEP |
|
|
90
|
+
| `after_test_failure` | DEEP | GOAL, EVIDENCE, UNCERTAINTY, NEXT_STEP, DEVILS_ADVOCATE |
|
|
91
|
+
|
|
92
|
+
The reflection output is scored (0.0–1.0) and concerns are classified as NONE/LOW/MEDIUM/HIGH/CRITICAL. A CRITICAL or HIGH concern level causes the `reflection_passed` gate check to fail.
|
|
93
|
+
|
|
94
|
+
## Integration Points
|
|
95
|
+
|
|
96
|
+
- `/research` — STANDARD reflection after Step 4 (Synthesize Findings)
|
|
97
|
+
- `/plan` — STANDARD reflection after Step 2 (Draft the Plan)
|
|
98
|
+
- `/implement` — QUICK reflection at each phase boundary
|
|
99
|
+
- `/adversarial-review` — DEEP reflection before issuing final verdict
|
|
100
|
+
- **WorkflowExecutor** — automatic checkpoint at every phase transition (v2.6.0)
|