@caoscompanybr/merlin 3.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (762) hide show
  1. package/.claude/CLAUDE.md +216 -0
  2. package/.claude/hooks/README-license-gate.md +45 -0
  3. package/.claude/hooks/auto-summarize.js +47 -0
  4. package/.claude/hooks/context-monitor.js +60 -0
  5. package/.claude/hooks/doc-sync.js +111 -0
  6. package/.claude/hooks/license-gate.cjs +59 -0
  7. package/.claude/hooks/session-reset.js +27 -0
  8. package/.claude/hooks/thoughts-indexer.js +80 -0
  9. package/.claude/rules/merlin-constitution.md +27 -0
  10. package/.merlin-core/commands/README.md +19 -0
  11. package/.merlin-core/commands/founder-mode.md +51 -0
  12. package/.merlin-core/commands/git/commit.md +35 -0
  13. package/.merlin-core/commands/git/describe-pr.md +43 -0
  14. package/.merlin-core/commands/git/safe-commit.md +182 -0
  15. package/.merlin-core/commands/implementation/implement-plan.md +129 -0
  16. package/.merlin-core/commands/implementation/oneshot.md +63 -0
  17. package/.merlin-core/commands/implementation/tdd.md +152 -0
  18. package/.merlin-core/commands/planning/create-plan.md +184 -0
  19. package/.merlin-core/commands/planning/iterate-plan.md +45 -0
  20. package/.merlin-core/commands/planning/validate-plan.md +48 -0
  21. package/.merlin-core/commands/research/analyze-issue.md +155 -0
  22. package/.merlin-core/commands/research/research-codebase.md +157 -0
  23. package/.merlin-core/commands/review/adversarial-review.md +112 -0
  24. package/.merlin-core/commands/review/check.md +91 -0
  25. package/.merlin-core/commands/review/debug.md +135 -0
  26. package/.merlin-core/commands/review/doubts.md +178 -0
  27. package/.merlin-core/commands/review/engineering-audit.md +87 -0
  28. package/.merlin-core/commands/review/local-review.md +48 -0
  29. package/.merlin-core/commands/review/verify-goals.md +83 -0
  30. package/.merlin-core/commands/session/capture-feedback.md +74 -0
  31. package/.merlin-core/commands/session/capture-learning.md +155 -0
  32. package/.merlin-core/commands/session/check-objectives.md +85 -0
  33. package/.merlin-core/commands/session/conclude.md +125 -0
  34. package/.merlin-core/commands/session/create-handoff.md +88 -0
  35. package/.merlin-core/commands/session/create-objective.md +111 -0
  36. package/.merlin-core/commands/session/create-process.md +105 -0
  37. package/.merlin-core/commands/session/create-reminder.md +86 -0
  38. package/.merlin-core/commands/session/fast-start.md +261 -0
  39. package/.merlin-core/commands/session/recall-learnings.md +79 -0
  40. package/.merlin-core/commands/session/recall-processes.md +74 -0
  41. package/.merlin-core/commands/session/resume-handoff.md +51 -0
  42. package/.merlin-core/commands/session/run-process.md +53 -0
  43. package/.merlin-core/commands/special/beauty.md +89 -0
  44. package/.merlin-core/commands/special/common-ground.md +114 -0
  45. package/.merlin-core/commands/special/elicit.md +98 -0
  46. package/.merlin-core/commands/special/party.md +66 -0
  47. package/.merlin-core/commands/special/scrape.md +78 -0
  48. package/.merlin-core/commands/special/skill-audit.md +128 -0
  49. package/.merlin-core/commands/special/start-here.md +132 -0
  50. package/.merlin-core/constitution.md +442 -0
  51. package/.merlin-core/core/README.md +19 -0
  52. package/.merlin-core/core/alkimia/README.md +20 -0
  53. package/.merlin-core/core/alkimia/context/context-tracker.js +209 -0
  54. package/.merlin-core/core/alkimia/domain/domain-loader.js +215 -0
  55. package/.merlin-core/core/alkimia/engine.js +284 -0
  56. package/.merlin-core/core/alkimia/layers/l0-constitution.js +47 -0
  57. package/.merlin-core/core/alkimia/layers/l1-global.js +58 -0
  58. package/.merlin-core/core/alkimia/layers/l2-agent.js +58 -0
  59. package/.merlin-core/core/alkimia/layers/l3-workflow.js +54 -0
  60. package/.merlin-core/core/alkimia/layers/l4-task.js +45 -0
  61. package/.merlin-core/core/alkimia/layers/l5-squad.js +161 -0
  62. package/.merlin-core/core/alkimia/layers/l6-skill.js +520 -0
  63. package/.merlin-core/core/alkimia/layers/l7-star-command.js +87 -0
  64. package/.merlin-core/core/alkimia/layers/layer-processor.js +78 -0
  65. package/.merlin-core/core/alkimia/mandate.js +46 -0
  66. package/.merlin-core/core/alkimia/memory/doc-sync.js +201 -0
  67. package/.merlin-core/core/alkimia/memory/document-sharder.js +272 -0
  68. package/.merlin-core/core/alkimia/memory/git-history-retriever.js +225 -0
  69. package/.merlin-core/core/alkimia/memory/memory-bridge.js +97 -0
  70. package/.merlin-core/core/alkimia/memory/session-analyzer.js +400 -0
  71. package/.merlin-core/core/alkimia/memory/thoughts-indexer.js +477 -0
  72. package/.merlin-core/core/alkimia/memory/thoughts-provider.js +603 -0
  73. package/.merlin-core/core/alkimia/output/formatter.js +464 -0
  74. package/.merlin-core/core/alkimia/security/content-sanitizer.js +140 -0
  75. package/.merlin-core/core/alkimia/skill-importer.js +440 -0
  76. package/.merlin-core/core/alkimia/squads/default/.synapse/manifest +17 -0
  77. package/.merlin-core/core/alkimia/utils/frontmatter.js +321 -0
  78. package/.merlin-core/core/alkimia/utils/tokens.js +24 -0
  79. package/.merlin-core/core/approval/README.md +16 -0
  80. package/.merlin-core/core/approval/approval-engine.js +380 -0
  81. package/.merlin-core/core/approval/channels/cli-channel.js +50 -0
  82. package/.merlin-core/core/config/README.md +17 -0
  83. package/.merlin-core/core/config/config-cache.js +182 -0
  84. package/.merlin-core/core/config/config-loader.js +279 -0
  85. package/.merlin-core/core/config/config-resolver.js +411 -0
  86. package/.merlin-core/core/config/env-interpolator.js +123 -0
  87. package/.merlin-core/core/config/merge-utils.js +102 -0
  88. package/.merlin-core/core/config/schemas/core-config.schema.json +41 -0
  89. package/.merlin-core/core/config/schemas/framework-config.schema.json +24 -0
  90. package/.merlin-core/core/config/schemas/local-config.schema.json +23 -0
  91. package/.merlin-core/core/config/schemas/project-config.schema.json +189 -0
  92. package/.merlin-core/core/docs-consistency.js +140 -0
  93. package/.merlin-core/core/events/event-bus.js +344 -0
  94. package/.merlin-core/core/events/hook-handler.js +419 -0
  95. package/.merlin-core/core/execution/README.md +17 -0
  96. package/.merlin-core/core/execution/attempt-journal.js +380 -0
  97. package/.merlin-core/core/execution/autonomous-build-loop.js +637 -0
  98. package/.merlin-core/core/execution/build-orchestrator.js +296 -0
  99. package/.merlin-core/core/execution/build-state-manager.js +196 -0
  100. package/.merlin-core/core/execution/context-injector.js +204 -0
  101. package/.merlin-core/core/execution/cron-engine.js +247 -0
  102. package/.merlin-core/core/execution/cron-expression.js +148 -0
  103. package/.merlin-core/core/execution/env-preflight.js +423 -0
  104. package/.merlin-core/core/execution/guardrail-engine.js +745 -0
  105. package/.merlin-core/core/execution/heartbeat-engine.js +198 -0
  106. package/.merlin-core/core/execution/model-router.js +282 -0
  107. package/.merlin-core/core/execution/parallel-executor.js +378 -0
  108. package/.merlin-core/core/execution/parallel-monitor.js +201 -0
  109. package/.merlin-core/core/execution/party-session.js +311 -0
  110. package/.merlin-core/core/execution/rate-limit-manager.js +152 -0
  111. package/.merlin-core/core/execution/result-aggregator.js +215 -0
  112. package/.merlin-core/core/execution/semantic-merge-engine.js +320 -0
  113. package/.merlin-core/core/execution/subagent-dispatcher.js +721 -0
  114. package/.merlin-core/core/execution/success-verifier.js +227 -0
  115. package/.merlin-core/core/execution/task-metadata.js +105 -0
  116. package/.merlin-core/core/execution/team-executor.js +195 -0
  117. package/.merlin-core/core/execution/two-tier-editor.js +290 -0
  118. package/.merlin-core/core/execution/version-snapshot.js +294 -0
  119. package/.merlin-core/core/execution/wave-executor.js +224 -0
  120. package/.merlin-core/core/health-check/health-engine.js +415 -0
  121. package/.merlin-core/core/licensing/activation.js +281 -0
  122. package/.merlin-core/core/licensing/crc.js +103 -0
  123. package/.merlin-core/core/licensing/entitlement.js +99 -0
  124. package/.merlin-core/core/licensing/fingerprint.js +104 -0
  125. package/.merlin-core/core/licensing/gate.js +133 -0
  126. package/.merlin-core/core/licensing/hmac.js +42 -0
  127. package/.merlin-core/core/licensing/key.js +144 -0
  128. package/.merlin-core/core/licensing/license.js +212 -0
  129. package/.merlin-core/core/mcp/README.md +16 -0
  130. package/.merlin-core/core/mcp/browser-capability.js +191 -0
  131. package/.merlin-core/core/mcp/capability-mapper.js +92 -0
  132. package/.merlin-core/core/mcp/mcp-connector.js +278 -0
  133. package/.merlin-core/core/mcp/mcp-registry.js +101 -0
  134. package/.merlin-core/core/orchestration/README.md +17 -0
  135. package/.merlin-core/core/orchestration/agent-invoker.js +456 -0
  136. package/.merlin-core/core/orchestration/condition-evaluator.js +250 -0
  137. package/.merlin-core/core/orchestration/decision-tree.js +192 -0
  138. package/.merlin-core/core/orchestration/executor-assignment.js +372 -0
  139. package/.merlin-core/core/orchestration/gate-evaluator.js +653 -0
  140. package/.merlin-core/core/orchestration/intent-classifier.js +579 -0
  141. package/.merlin-core/core/orchestration/lock-manager.js +308 -0
  142. package/.merlin-core/core/orchestration/master-orchestrator.js +363 -0
  143. package/.merlin-core/core/orchestration/phase-tool-masks.js +194 -0
  144. package/.merlin-core/core/orchestration/recovery-handler.js +402 -0
  145. package/.merlin-core/core/orchestration/reflect-checkpoint.js +431 -0
  146. package/.merlin-core/core/orchestration/session-state.js +430 -0
  147. package/.merlin-core/core/orchestration/skill-dispatcher.js +255 -0
  148. package/.merlin-core/core/orchestration/step-loader.js +226 -0
  149. package/.merlin-core/core/orchestration/workflow-executor.js +864 -0
  150. package/.merlin-core/core/process/executor.js +231 -0
  151. package/.merlin-core/core/process/process-file.js +50 -0
  152. package/.merlin-core/core/process/secret-scan.js +86 -0
  153. package/.merlin-core/core/process/signature.js +77 -0
  154. package/.merlin-core/core/quality-gates/README.md +17 -0
  155. package/.merlin-core/core/quality-gates/layer1-precommit.js +110 -0
  156. package/.merlin-core/core/quality-gates/layer2-pr-automation.js +116 -0
  157. package/.merlin-core/core/quality-gates/layer3-human-review.js +133 -0
  158. package/.merlin-core/core/registry/service-registry.js +140 -0
  159. package/.merlin-core/core-config.yaml +159 -0
  160. package/.merlin-core/development/README.md +17 -0
  161. package/.merlin-core/development/agents/README.md +16 -0
  162. package/.merlin-core/development/agents/analyst.md +214 -0
  163. package/.merlin-core/development/agents/architect.md +166 -0
  164. package/.merlin-core/development/agents/data-engineer.md +154 -0
  165. package/.merlin-core/development/agents/dev.md +203 -0
  166. package/.merlin-core/development/agents/devops.md +236 -0
  167. package/.merlin-core/development/agents/grimorio.md +125 -0
  168. package/.merlin-core/development/agents/merlin-master.md +173 -0
  169. package/.merlin-core/development/agents/meta.md +190 -0
  170. package/.merlin-core/development/agents/pm.md +145 -0
  171. package/.merlin-core/development/agents/po.md +172 -0
  172. package/.merlin-core/development/agents/qa.md +275 -0
  173. package/.merlin-core/development/agents/researcher.md +218 -0
  174. package/.merlin-core/development/agents/scout.md +179 -0
  175. package/.merlin-core/development/agents/sm.md +148 -0
  176. package/.merlin-core/development/agents/ux.md +169 -0
  177. package/.merlin-core/development/agents/web-researcher.md +203 -0
  178. package/.merlin-core/development/checklists/adversarial-review-checklist.md +70 -0
  179. package/.merlin-core/development/checklists/operations-ci-checklist.md +40 -0
  180. package/.merlin-core/development/checklists/operations-deploy-checklist.md +54 -0
  181. package/.merlin-core/development/checklists/operations-publish-checklist.md +47 -0
  182. package/.merlin-core/development/checklists/source-verification-checklist.md +38 -0
  183. package/.merlin-core/development/templates/HEARTBEAT-template.md +46 -0
  184. package/.merlin-core/development/templates/ears-requirements-template.md +93 -0
  185. package/.merlin-core/development/templates/handoff-template.md +50 -0
  186. package/.merlin-core/development/templates/prd-template.md +62 -0
  187. package/.merlin-core/development/templates/research-template.md +53 -0
  188. package/.merlin-core/development/templates/spec-template.md +84 -0
  189. package/.merlin-core/development/workflows/brownfield-discovery.yaml +166 -0
  190. package/.merlin-core/development/workflows/brownfield-service.yaml +52 -0
  191. package/.merlin-core/development/workflows/development-cycle.yaml +57 -0
  192. package/.merlin-core/development/workflows/epic-orchestration.yaml +47 -0
  193. package/.merlin-core/development/workflows/folloni-funnel.yaml +177 -0
  194. package/.merlin-core/development/workflows/greenfield-fullstack.yaml +167 -0
  195. package/.merlin-core/development/workflows/greenfield-service.yaml +56 -0
  196. package/.merlin-core/development/workflows/qa-loop.yaml +115 -0
  197. package/.merlin-core/development/workflows/spec-pipeline.yaml +185 -0
  198. package/.merlin-core/development/workflows/steps/folloni-01-research.yaml +35 -0
  199. package/.merlin-core/development/workflows/steps/folloni-02-architecture.yaml +41 -0
  200. package/.merlin-core/development/workflows/steps/folloni-03-implementation.yaml +52 -0
  201. package/.merlin-core/development/workflows/story-development-cycle.yaml +67 -0
  202. package/.merlin-core/docs/GUIDE.md +413 -0
  203. package/.merlin-core/docs/merlin-commands-guide-pt.md +183 -0
  204. package/.merlin-core/framework-config.yaml +148 -0
  205. package/.merlin-core/hooks/README.md +16 -0
  206. package/.merlin-core/hooks/precompact-memory-flush.js +69 -0
  207. package/.merlin-core/hooks/pretooluse-remote-approve.js +113 -0
  208. package/.merlin-core/hooks/spikes/spike-b-hook.js +70 -0
  209. package/.merlin-core/hooks/spikes/spike-b-stub.js +70 -0
  210. package/.merlin-core/index.js +91 -0
  211. package/.merlin-core/local-config.yaml.template +31 -0
  212. package/.merlin-core/mcp-servers/lsp-bridge/index.js +397 -0
  213. package/.merlin-core/modules/scraping/module.json +23 -0
  214. package/.merlin-core/project-config.yaml +89 -0
  215. package/.merlin-core/schemas/README.md +18 -0
  216. package/.merlin-core/schemas/agent-hook-schema.json +152 -0
  217. package/.merlin-core/schemas/agent-schema.json +31 -0
  218. package/.merlin-core/schemas/command-schema.json +18 -0
  219. package/.merlin-core/schemas/feedback-schema.json +36 -0
  220. package/.merlin-core/schemas/handoff-schema.json +19 -0
  221. package/.merlin-core/schemas/learning-schema.json +51 -0
  222. package/.merlin-core/schemas/module.schema.json +124 -0
  223. package/.merlin-core/schemas/must-haves-schema.json +95 -0
  224. package/.merlin-core/schemas/objective-schema.json +23 -0
  225. package/.merlin-core/schemas/plan-schema.json +20 -0
  226. package/.merlin-core/schemas/process-schema.json +82 -0
  227. package/.merlin-core/schemas/reminder-schema.json +20 -0
  228. package/.merlin-core/schemas/skill-eval-schema.json +92 -0
  229. package/.merlin-core/schemas/skill-schema.json +77 -0
  230. package/.merlin-core/schemas/workflow-schema.json +38 -0
  231. package/.merlin-core/skills/README.md +16 -0
  232. package/.merlin-core/skills/domain/azure-cloud/SKILL.md +211 -0
  233. package/.merlin-core/skills/domain/azure-cloud/references/appinsights-instrumentation.md +63 -0
  234. package/.merlin-core/skills/domain/azure-cloud/references/azure-compliance.md +99 -0
  235. package/.merlin-core/skills/domain/azure-cloud/references/azure-cost-optimization.md +419 -0
  236. package/.merlin-core/skills/domain/azure-cloud/references/azure-deploy.md +82 -0
  237. package/.merlin-core/skills/domain/azure-cloud/references/azure-diagnostics.md +130 -0
  238. package/.merlin-core/skills/domain/azure-cloud/references/azure-prepare.md +134 -0
  239. package/.merlin-core/skills/domain/azure-cloud/references/azure-quotas.md +290 -0
  240. package/.merlin-core/skills/domain/azure-cloud/references/azure-rbac.md +11 -0
  241. package/.merlin-core/skills/domain/azure-cloud/references/azure-resource-lookup.md +97 -0
  242. package/.merlin-core/skills/domain/azure-cloud/references/azure-resource-visualizer.md +178 -0
  243. package/.merlin-core/skills/domain/azure-cloud/references/azure-storage.md +91 -0
  244. package/.merlin-core/skills/domain/azure-cloud/references/azure-validate.md +58 -0
  245. package/.merlin-core/skills/domain/azure-cloud/references/entra-app-registration.md +192 -0
  246. package/.merlin-core/skills/domain/browser-automation/SKILL.md +311 -0
  247. package/.merlin-core/skills/domain/browser-automation/references/agent-browser-skill.md +632 -0
  248. package/.merlin-core/skills/domain/browser-automation/references/authentication.md +308 -0
  249. package/.merlin-core/skills/domain/browser-automation/references/commands.md +266 -0
  250. package/.merlin-core/skills/domain/browser-automation/references/profiling.md +120 -0
  251. package/.merlin-core/skills/domain/browser-automation/references/proxy-support.md +194 -0
  252. package/.merlin-core/skills/domain/browser-automation/references/session-management.md +194 -0
  253. package/.merlin-core/skills/domain/browser-automation/references/snapshot-refs.md +196 -0
  254. package/.merlin-core/skills/domain/browser-automation/references/video-recording.md +173 -0
  255. package/.merlin-core/skills/domain/browser-automation/templates/authenticated-session.sh +105 -0
  256. package/.merlin-core/skills/domain/browser-automation/templates/capture-workflow.sh +69 -0
  257. package/.merlin-core/skills/domain/browser-automation/templates/form-automation.sh +62 -0
  258. package/.merlin-core/skills/domain/digital-marketing/SKILL.md +292 -0
  259. package/.merlin-core/skills/domain/digital-marketing/references/content-strategy.md +320 -0
  260. package/.merlin-core/skills/domain/digital-marketing/references/copy-formats.md +298 -0
  261. package/.merlin-core/skills/domain/digital-marketing/references/copy-methodology.md +180 -0
  262. package/.merlin-core/skills/domain/digital-marketing/references/email-sequences.md +135 -0
  263. package/.merlin-core/skills/domain/digital-marketing/references/launch-strategy.md +213 -0
  264. package/.merlin-core/skills/domain/digital-marketing/references/pricing-strategy.md +160 -0
  265. package/.merlin-core/skills/domain/digital-marketing/references/programmatic-seo.md +237 -0
  266. package/.merlin-core/skills/domain/digital-marketing/references/revops-lifecycle.md +170 -0
  267. package/.merlin-core/skills/domain/digital-marketing/references/revops-operations.md +167 -0
  268. package/.merlin-core/skills/domain/digital-marketing/references/schema-markup.md +190 -0
  269. package/.merlin-core/skills/domain/digital-marketing/references/strategy-frameworks.md +324 -0
  270. package/.merlin-core/skills/domain/digital-marketing/references/traffic-management.md +350 -0
  271. package/.merlin-core/skills/domain/expo-native-ui/SKILL.md +348 -0
  272. package/.merlin-core/skills/domain/expo-native-ui/references/animations.md +220 -0
  273. package/.merlin-core/skills/domain/expo-native-ui/references/api-routes.md +361 -0
  274. package/.merlin-core/skills/domain/expo-native-ui/references/cicd-workflows.md +84 -0
  275. package/.merlin-core/skills/domain/expo-native-ui/references/controls.md +266 -0
  276. package/.merlin-core/skills/domain/expo-native-ui/references/data-fetching.md +553 -0
  277. package/.merlin-core/skills/domain/expo-native-ui/references/deployment-stores.md +1353 -0
  278. package/.merlin-core/skills/domain/expo-native-ui/references/deployment.md +183 -0
  279. package/.merlin-core/skills/domain/expo-native-ui/references/dev-client.md +166 -0
  280. package/.merlin-core/skills/domain/expo-native-ui/references/dom-components.md +410 -0
  281. package/.merlin-core/skills/domain/expo-native-ui/references/form-sheet.md +253 -0
  282. package/.merlin-core/skills/domain/expo-native-ui/references/gradients.md +117 -0
  283. package/.merlin-core/skills/domain/expo-native-ui/references/icons.md +218 -0
  284. package/.merlin-core/skills/domain/expo-native-ui/references/media.md +245 -0
  285. package/.merlin-core/skills/domain/expo-native-ui/references/platform-native.md +75 -0
  286. package/.merlin-core/skills/domain/expo-native-ui/references/route-structure.md +229 -0
  287. package/.merlin-core/skills/domain/expo-native-ui/references/search.md +249 -0
  288. package/.merlin-core/skills/domain/expo-native-ui/references/storage.md +121 -0
  289. package/.merlin-core/skills/domain/expo-native-ui/references/tabs.md +433 -0
  290. package/.merlin-core/skills/domain/expo-native-ui/references/tailwind-native.md +473 -0
  291. package/.merlin-core/skills/domain/expo-native-ui/references/toolbar-and-headers.md +284 -0
  292. package/.merlin-core/skills/domain/expo-native-ui/references/upgrading-guides.md +674 -0
  293. package/.merlin-core/skills/domain/expo-native-ui/references/upgrading.md +127 -0
  294. package/.merlin-core/skills/domain/expo-native-ui/references/visual-effects.md +199 -0
  295. package/.merlin-core/skills/domain/expo-native-ui/references/webgpu-three.md +605 -0
  296. package/.merlin-core/skills/domain/expo-native-ui/references/zoom-transitions.md +161 -0
  297. package/.merlin-core/skills/domain/marketing-ops/SKILL.md +117 -0
  298. package/.merlin-core/skills/domain/marketing-ops/references/_index.md +78 -0
  299. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ad-creative/references/generative-tools.md +19 -0
  300. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ad-creative/references/platform-specs.md +19 -0
  301. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ad-creative.md +251 -0
  302. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/ad-copy-templates.md +19 -0
  303. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/audience-targeting.md +19 -0
  304. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/conversion-tracking.md +19 -0
  305. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads/references/platform-setup-checklists.md +19 -0
  306. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ads.md +322 -0
  307. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo/references/content-patterns.md +19 -0
  308. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo/references/content-types.md +19 -0
  309. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo/references/platform-ranking-factors.md +19 -0
  310. package/.merlin-core/skills/domain/marketing-ops/references/acquire/ai-seo.md +388 -0
  311. package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/apple-specs.md +19 -0
  312. package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/benchmarks.md +19 -0
  313. package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/google-play-specs.md +19 -0
  314. package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/report-template.md +19 -0
  315. package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso/references/scoring-criteria.md +19 -0
  316. package/.merlin-core/skills/domain/marketing-ops/references/acquire/aso.md +316 -0
  317. package/.merlin-core/skills/domain/marketing-ops/references/acquire/co-marketing.md +305 -0
  318. package/.merlin-core/skills/domain/marketing-ops/references/acquire/community-marketing.md +169 -0
  319. package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitor-profiling/references/templates.md +19 -0
  320. package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitor-profiling/references/tool-reference.md +19 -0
  321. package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitor-profiling.md +442 -0
  322. package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitors/references/content-architecture.md +19 -0
  323. package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitors/references/templates.md +19 -0
  324. package/.merlin-core/skills/domain/marketing-ops/references/acquire/competitors.md +281 -0
  325. package/.merlin-core/skills/domain/marketing-ops/references/acquire/content-strategy.md +16 -0
  326. package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions/references/directory-list.md +19 -0
  327. package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions/references/positioning-variations.md +19 -0
  328. package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions/references/submission-tracker-template.md +19 -0
  329. package/.merlin-core/skills/domain/marketing-ops/references/acquire/directory-submissions.md +396 -0
  330. package/.merlin-core/skills/domain/marketing-ops/references/acquire/free-tools/references/tool-types.md +19 -0
  331. package/.merlin-core/skills/domain/marketing-ops/references/acquire/free-tools.md +196 -0
  332. package/.merlin-core/skills/domain/marketing-ops/references/acquire/image/references/ai-image-prompting.md +19 -0
  333. package/.merlin-core/skills/domain/marketing-ops/references/acquire/image.md +352 -0
  334. package/.merlin-core/skills/domain/marketing-ops/references/acquire/launch.md +18 -0
  335. package/.merlin-core/skills/domain/marketing-ops/references/acquire/lead-magnets/references/benchmarks.md +19 -0
  336. package/.merlin-core/skills/domain/marketing-ops/references/acquire/lead-magnets/references/format-guide.md +19 -0
  337. package/.merlin-core/skills/domain/marketing-ops/references/acquire/lead-magnets.md +333 -0
  338. package/.merlin-core/skills/domain/marketing-ops/references/acquire/programmatic-seo.md +16 -0
  339. package/.merlin-core/skills/domain/marketing-ops/references/acquire/schema.md +16 -0
  340. package/.merlin-core/skills/domain/marketing-ops/references/acquire/seo-audit/references/ai-writing-detection.md +19 -0
  341. package/.merlin-core/skills/domain/marketing-ops/references/acquire/seo-audit/references/international-seo.md +19 -0
  342. package/.merlin-core/skills/domain/marketing-ops/references/acquire/seo-audit.md +546 -0
  343. package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture/references/mermaid-templates.md +19 -0
  344. package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture/references/navigation-patterns.md +19 -0
  345. package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture/references/site-type-templates.md +19 -0
  346. package/.merlin-core/skills/domain/marketing-ops/references/acquire/site-architecture.md +371 -0
  347. package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/platform-limits.md +19 -0
  348. package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/platforms.md +19 -0
  349. package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/post-templates.md +19 -0
  350. package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/reverse-engineering.md +19 -0
  351. package/.merlin-core/skills/domain/marketing-ops/references/acquire/social/references/short-form-video.md +19 -0
  352. package/.merlin-core/skills/domain/marketing-ops/references/acquire/social.md +431 -0
  353. package/.merlin-core/skills/domain/marketing-ops/references/acquire/video/references/ai-video-prompting.md +19 -0
  354. package/.merlin-core/skills/domain/marketing-ops/references/acquire/video.md +353 -0
  355. package/.merlin-core/skills/domain/marketing-ops/references/activate/ab-testing/references/sample-size-guide.md +19 -0
  356. package/.merlin-core/skills/domain/marketing-ops/references/activate/ab-testing/references/test-templates.md +19 -0
  357. package/.merlin-core/skills/domain/marketing-ops/references/activate/ab-testing.md +379 -0
  358. package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics/references/event-library.md +19 -0
  359. package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics/references/ga4-implementation.md +19 -0
  360. package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics/references/gtm-implementation.md +19 -0
  361. package/.merlin-core/skills/domain/marketing-ops/references/activate/analytics.md +323 -0
  362. package/.merlin-core/skills/domain/marketing-ops/references/activate/copy-editing.md +18 -0
  363. package/.merlin-core/skills/domain/marketing-ops/references/activate/copywriting.md +18 -0
  364. package/.merlin-core/skills/domain/marketing-ops/references/activate/cro/references/experiments.md +19 -0
  365. package/.merlin-core/skills/domain/marketing-ops/references/activate/cro/references/form.md +19 -0
  366. package/.merlin-core/skills/domain/marketing-ops/references/activate/cro.md +211 -0
  367. package/.merlin-core/skills/domain/marketing-ops/references/activate/emails.md +18 -0
  368. package/.merlin-core/skills/domain/marketing-ops/references/activate/paywalls/references/experiments.md +19 -0
  369. package/.merlin-core/skills/domain/marketing-ops/references/activate/paywalls.md +255 -0
  370. package/.merlin-core/skills/domain/marketing-ops/references/activate/popups.md +518 -0
  371. package/.merlin-core/skills/domain/marketing-ops/references/activate/pricing.md +18 -0
  372. package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/deck-frameworks.md +19 -0
  373. package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/demo-scripts.md +19 -0
  374. package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/objection-library.md +19 -0
  375. package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement/references/one-pager-templates.md +19 -0
  376. package/.merlin-core/skills/domain/marketing-ops/references/activate/sales-enablement.md +371 -0
  377. package/.merlin-core/skills/domain/marketing-ops/references/activate/signup.md +406 -0
  378. package/.merlin-core/skills/domain/marketing-ops/references/expand/co-marketing.md +18 -0
  379. package/.merlin-core/skills/domain/marketing-ops/references/expand/community-marketing.md +18 -0
  380. package/.merlin-core/skills/domain/marketing-ops/references/expand/referrals/references/affiliate-programs.md +19 -0
  381. package/.merlin-core/skills/domain/marketing-ops/references/expand/referrals/references/program-examples.md +19 -0
  382. package/.merlin-core/skills/domain/marketing-ops/references/expand/referrals.md +278 -0
  383. package/.merlin-core/skills/domain/marketing-ops/references/foundation/customer-research/references/source-guides.md +425 -0
  384. package/.merlin-core/skills/domain/marketing-ops/references/foundation/customer-research.md +284 -0
  385. package/.merlin-core/skills/domain/marketing-ops/references/foundation/marketing-ideas/references/ideas-by-category.md +216 -0
  386. package/.merlin-core/skills/domain/marketing-ops/references/foundation/marketing-ideas.md +188 -0
  387. package/.merlin-core/skills/domain/marketing-ops/references/foundation/marketing-psychology.md +532 -0
  388. package/.merlin-core/skills/domain/marketing-ops/references/foundation/product-marketing.md +276 -0
  389. package/.merlin-core/skills/domain/marketing-ops/references/retain/churn-prevention/references/cancel-flow-patterns.md +19 -0
  390. package/.merlin-core/skills/domain/marketing-ops/references/retain/churn-prevention/references/dunning-playbook.md +19 -0
  391. package/.merlin-core/skills/domain/marketing-ops/references/retain/churn-prevention.md +442 -0
  392. package/.merlin-core/skills/domain/marketing-ops/references/retain/onboarding/references/experiments.md +19 -0
  393. package/.merlin-core/skills/domain/marketing-ops/references/retain/onboarding.md +243 -0
  394. package/.merlin-core/skills/domain/marketing-ops/references/retain/revops-lifecycle.md +18 -0
  395. package/.merlin-core/skills/domain/marketing-ops/references/retain/revops-operations.md +18 -0
  396. package/.merlin-core/skills/domain/n8n-automation/SKILL.md +149 -0
  397. package/.merlin-core/skills/domain/n8n-automation/references/code-javascript.md +3744 -0
  398. package/.merlin-core/skills/domain/n8n-automation/references/code-python.md +3293 -0
  399. package/.merlin-core/skills/domain/n8n-automation/references/expression-syntax.md +1662 -0
  400. package/.merlin-core/skills/domain/n8n-automation/references/mcp-tools-expert.md +2111 -0
  401. package/.merlin-core/skills/domain/n8n-automation/references/node-configuration.md +2523 -0
  402. package/.merlin-core/skills/domain/n8n-automation/references/validation-expert.md +2491 -0
  403. package/.merlin-core/skills/domain/n8n-automation/references/workflow-patterns.md +4624 -0
  404. package/.merlin-core/skills/domain/ops-manual/SKILL.md +225 -0
  405. package/.merlin-core/skills/domain/ops-manual/references/elicitation-questions.md +141 -0
  406. package/.merlin-core/skills/domain/ops-manual/references/external-skills-registry.md +63 -0
  407. package/.merlin-core/skills/domain/ops-manual/references/operations-template.yaml +132 -0
  408. package/.merlin-core/skills/domain/remotion-best-practices/SKILL.md +99 -0
  409. package/.merlin-core/skills/domain/remotion-best-practices/rules/3d.md +86 -0
  410. package/.merlin-core/skills/domain/remotion-best-practices/rules/animations.md +27 -0
  411. package/.merlin-core/skills/domain/remotion-best-practices/rules/assets/charts-bar-chart.tsx +173 -0
  412. package/.merlin-core/skills/domain/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +100 -0
  413. package/.merlin-core/skills/domain/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +108 -0
  414. package/.merlin-core/skills/domain/remotion-best-practices/rules/assets.md +78 -0
  415. package/.merlin-core/skills/domain/remotion-best-practices/rules/audio.md +172 -0
  416. package/.merlin-core/skills/domain/remotion-best-practices/rules/calculate-metadata.md +131 -0
  417. package/.merlin-core/skills/domain/remotion-best-practices/rules/can-decode.md +75 -0
  418. package/.merlin-core/skills/domain/remotion-best-practices/rules/charts.md +68 -0
  419. package/.merlin-core/skills/domain/remotion-best-practices/rules/compositions.md +154 -0
  420. package/.merlin-core/skills/domain/remotion-best-practices/rules/display-captions.md +126 -0
  421. package/.merlin-core/skills/domain/remotion-best-practices/rules/extract-frames.md +229 -0
  422. package/.merlin-core/skills/domain/remotion-best-practices/rules/fonts.md +152 -0
  423. package/.merlin-core/skills/domain/remotion-best-practices/rules/get-audio-duration.md +58 -0
  424. package/.merlin-core/skills/domain/remotion-best-practices/rules/get-video-dimensions.md +68 -0
  425. package/.merlin-core/skills/domain/remotion-best-practices/rules/get-video-duration.md +58 -0
  426. package/.merlin-core/skills/domain/remotion-best-practices/rules/gifs.md +144 -0
  427. package/.merlin-core/skills/domain/remotion-best-practices/rules/images.md +134 -0
  428. package/.merlin-core/skills/domain/remotion-best-practices/rules/import-srt-captions.md +67 -0
  429. package/.merlin-core/skills/domain/remotion-best-practices/rules/lottie.md +70 -0
  430. package/.merlin-core/skills/domain/remotion-best-practices/rules/maps.md +414 -0
  431. package/.merlin-core/skills/domain/remotion-best-practices/rules/measuring-dom-nodes.md +34 -0
  432. package/.merlin-core/skills/domain/remotion-best-practices/rules/measuring-text.md +143 -0
  433. package/.merlin-core/skills/domain/remotion-best-practices/rules/parameters.md +109 -0
  434. package/.merlin-core/skills/domain/remotion-best-practices/rules/sequencing.md +118 -0
  435. package/.merlin-core/skills/domain/remotion-best-practices/rules/tailwind.md +11 -0
  436. package/.merlin-core/skills/domain/remotion-best-practices/rules/text-animations.md +20 -0
  437. package/.merlin-core/skills/domain/remotion-best-practices/rules/timing.md +179 -0
  438. package/.merlin-core/skills/domain/remotion-best-practices/rules/transcribe-captions.md +19 -0
  439. package/.merlin-core/skills/domain/remotion-best-practices/rules/transitions.md +137 -0
  440. package/.merlin-core/skills/domain/remotion-best-practices/rules/transparent-videos.md +106 -0
  441. package/.merlin-core/skills/domain/remotion-best-practices/rules/trimming.md +51 -0
  442. package/.merlin-core/skills/domain/remotion-best-practices/rules/videos.md +171 -0
  443. package/.merlin-core/skills/domain/resend-email/SKILL.md +377 -0
  444. package/.merlin-core/skills/general/adversarial-review/SKILL.md +144 -0
  445. package/.merlin-core/skills/general/api-design/SKILL.md +513 -0
  446. package/.merlin-core/skills/general/apify-scrape/SKILL.md +137 -0
  447. package/.merlin-core/skills/general/apify-scrape/scripts/apify-scrape.sh +68 -0
  448. package/.merlin-core/skills/general/backup/SKILL.md +87 -0
  449. package/.merlin-core/skills/general/blkskrn/SKILL.md +392 -0
  450. package/.merlin-core/skills/general/blkskrn/references/animation-patterns.md +521 -0
  451. package/.merlin-core/skills/general/blkskrn/references/design-system.md +637 -0
  452. package/.merlin-core/skills/general/blkskrn/references/html-templates.md +440 -0
  453. package/.merlin-core/skills/general/blkskrn/references/presenter-template.md +45 -0
  454. package/.merlin-core/skills/general/blkskrn/references/slide-types.md +424 -0
  455. package/.merlin-core/skills/general/blkskrn/scripts/canvas-manager.js +502 -0
  456. package/.merlin-core/skills/general/blkskrn/scripts/presenter.js +90 -0
  457. package/.merlin-core/skills/general/blkskrn/templates/presenter.html +273 -0
  458. package/.merlin-core/skills/general/blkskrn/templates/slide-base.html +277 -0
  459. package/.merlin-core/skills/general/blkskrn/templates/viewer.html +165 -0
  460. package/.merlin-core/skills/general/browser-takeover/SKILL.md +53 -0
  461. package/.merlin-core/skills/general/claude-api/SKILL.md +90 -0
  462. package/.merlin-core/skills/general/code-javascript/SKILL.md +268 -0
  463. package/.merlin-core/skills/general/code-python/SKILL.md +424 -0
  464. package/.merlin-core/skills/general/code-style/SKILL.md +97 -0
  465. package/.merlin-core/skills/general/code-typescript/SKILL.md +361 -0
  466. package/.merlin-core/skills/general/cold-email/SKILL.md +164 -0
  467. package/.merlin-core/skills/general/cold-email/references/benchmarks.md +18 -0
  468. package/.merlin-core/skills/general/cold-email/references/follow-up-sequences.md +18 -0
  469. package/.merlin-core/skills/general/cold-email/references/frameworks.md +18 -0
  470. package/.merlin-core/skills/general/cold-email/references/personalization.md +18 -0
  471. package/.merlin-core/skills/general/cold-email/references/subject-lines.md +18 -0
  472. package/.merlin-core/skills/general/container-security/SKILL.md +462 -0
  473. package/.merlin-core/skills/general/context-management/SKILL.md +79 -0
  474. package/.merlin-core/skills/general/copy-editing/SKILL.md +501 -0
  475. package/.merlin-core/skills/general/copy-editing/references/checklist.md +18 -0
  476. package/.merlin-core/skills/general/copy-editing/references/content-refresh.md +18 -0
  477. package/.merlin-core/skills/general/copy-editing/references/plain-english-alternatives.md +18 -0
  478. package/.merlin-core/skills/general/copywriting/SKILL.md +294 -0
  479. package/.merlin-core/skills/general/copywriting/references/copy-frameworks.md +392 -0
  480. package/.merlin-core/skills/general/copywriting/references/natural-transitions.md +276 -0
  481. package/.merlin-core/skills/general/database/SKILL.md +561 -0
  482. package/.merlin-core/skills/general/database/references/postgres-concurrency.md +182 -0
  483. package/.merlin-core/skills/general/database/references/postgres-connections.md +97 -0
  484. package/.merlin-core/skills/general/database/references/postgres-data-patterns.md +159 -0
  485. package/.merlin-core/skills/general/database/references/postgres-monitoring.md +136 -0
  486. package/.merlin-core/skills/general/database/references/postgres-rls.md +140 -0
  487. package/.merlin-core/skills/general/database-provision/SKILL.md +56 -0
  488. package/.merlin-core/skills/general/deploy/SKILL.md +65 -0
  489. package/.merlin-core/skills/general/design-inspiration/SKILL.md +146 -0
  490. package/.merlin-core/skills/general/design-palette/SKILL.md +99 -0
  491. package/.merlin-core/skills/general/design-palette/references/full-palettes.md +144 -0
  492. package/.merlin-core/skills/general/design-system/SKILL.md +94 -0
  493. package/.merlin-core/skills/general/design-typography/SKILL.md +115 -0
  494. package/.merlin-core/skills/general/design-typography/references/full-pairings.md +144 -0
  495. package/.merlin-core/skills/general/design-ux-patterns/SKILL.md +155 -0
  496. package/.merlin-core/skills/general/design-ux-patterns/references/charts-data-guidelines.md +197 -0
  497. package/.merlin-core/skills/general/design-ux-patterns/references/landing-patterns.md +199 -0
  498. package/.merlin-core/skills/general/design-ux-patterns/references/professional-ui-checklist.md +56 -0
  499. package/.merlin-core/skills/general/design-ux-patterns/references/style-catalog.md +89 -0
  500. package/.merlin-core/skills/general/design-ux-patterns/references/ux-guidelines.md +837 -0
  501. package/.merlin-core/skills/general/discover-cloud/SKILL.md +108 -0
  502. package/.merlin-core/skills/general/doc-sync/SKILL.md +52 -0
  503. package/.merlin-core/skills/general/document-sharding/SKILL.md +53 -0
  504. package/.merlin-core/skills/general/docx/SKILL.md +418 -0
  505. package/.merlin-core/skills/general/docx/references/windows-setup.md +27 -0
  506. package/.merlin-core/skills/general/docx/scripts/__init__.py +1 -0
  507. package/.merlin-core/skills/general/docx/scripts/accept_changes.py +135 -0
  508. package/.merlin-core/skills/general/docx/scripts/comment.py +318 -0
  509. package/.merlin-core/skills/general/docx/scripts/office/__init__.py +0 -0
  510. package/.merlin-core/skills/general/docx/scripts/office/helpers/__init__.py +0 -0
  511. package/.merlin-core/skills/general/docx/scripts/office/helpers/merge_runs.py +199 -0
  512. package/.merlin-core/skills/general/docx/scripts/office/helpers/simplify_redlines.py +197 -0
  513. package/.merlin-core/skills/general/docx/scripts/office/pack.py +159 -0
  514. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
  515. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
  516. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
  517. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
  518. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
  519. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
  520. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
  521. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
  522. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
  523. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
  524. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
  525. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
  526. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
  527. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
  528. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
  529. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
  530. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
  531. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
  532. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
  533. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
  534. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
  535. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
  536. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
  537. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
  538. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
  539. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
  540. package/.merlin-core/skills/general/docx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
  541. package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
  542. package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
  543. package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
  544. package/.merlin-core/skills/general/docx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
  545. package/.merlin-core/skills/general/docx/scripts/office/schemas/mce/mc.xsd +75 -0
  546. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
  547. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
  548. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
  549. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
  550. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
  551. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
  552. package/.merlin-core/skills/general/docx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
  553. package/.merlin-core/skills/general/docx/scripts/office/soffice.py +183 -0
  554. package/.merlin-core/skills/general/docx/scripts/office/unpack.py +132 -0
  555. package/.merlin-core/skills/general/docx/scripts/office/validate.py +111 -0
  556. package/.merlin-core/skills/general/docx/scripts/office/validators/__init__.py +15 -0
  557. package/.merlin-core/skills/general/docx/scripts/office/validators/base.py +847 -0
  558. package/.merlin-core/skills/general/docx/scripts/office/validators/docx.py +446 -0
  559. package/.merlin-core/skills/general/docx/scripts/office/validators/pptx.py +275 -0
  560. package/.merlin-core/skills/general/docx/scripts/office/validators/redlining.py +247 -0
  561. package/.merlin-core/skills/general/docx/scripts/templates/comments.xml +3 -0
  562. package/.merlin-core/skills/general/docx/scripts/templates/commentsExtended.xml +3 -0
  563. package/.merlin-core/skills/general/docx/scripts/templates/commentsExtensible.xml +3 -0
  564. package/.merlin-core/skills/general/docx/scripts/templates/commentsIds.xml +3 -0
  565. package/.merlin-core/skills/general/docx/scripts/templates/people.xml +3 -0
  566. package/.merlin-core/skills/general/elicitation/SKILL.md +188 -0
  567. package/.merlin-core/skills/general/engineering-audit/SKILL.md +122 -0
  568. package/.merlin-core/skills/general/find-and-edit/SKILL.md +102 -0
  569. package/.merlin-core/skills/general/first-party-docs/SKILL.md +51 -0
  570. package/.merlin-core/skills/general/frontend-design/SKILL.md +204 -0
  571. package/.merlin-core/skills/general/guardrails/SKILL.md +144 -0
  572. package/.merlin-core/skills/general/image-gen/SKILL.md +49 -0
  573. package/.merlin-core/skills/general/learning-capture/SKILL.md +192 -0
  574. package/.merlin-core/skills/general/lgpd-compliance-audit/SKILL.md +448 -0
  575. package/.merlin-core/skills/general/load-testing/SKILL.md +114 -0
  576. package/.merlin-core/skills/general/load-testing/docker/Dockerfile.dashboard +21 -0
  577. package/.merlin-core/skills/general/load-testing/docker/docker-compose.locust.yml +39 -0
  578. package/.merlin-core/skills/general/load-testing/requirements.txt +1 -0
  579. package/.merlin-core/skills/general/load-testing/scripts/compare_baseline.py +172 -0
  580. package/.merlin-core/skills/general/load-testing/scripts/run_local.py +245 -0
  581. package/.merlin-core/skills/general/load-testing/templates/load_shape_stepped.py +35 -0
  582. package/.merlin-core/skills/general/load-testing/templates/locustfile_dashboard.py +47 -0
  583. package/.merlin-core/skills/general/load-testing/templates/threshold_hook.py +36 -0
  584. package/.merlin-core/skills/general/mage-beauty/SKILL.md +89 -0
  585. package/.merlin-core/skills/general/mage-beauty/references/anti-patterns.md +148 -0
  586. package/.merlin-core/skills/general/mage-beauty/references/color-and-contrast.md +87 -0
  587. package/.merlin-core/skills/general/mage-beauty/references/interaction-design.md +99 -0
  588. package/.merlin-core/skills/general/mage-beauty/references/motion-design.md +90 -0
  589. package/.merlin-core/skills/general/mage-beauty/references/remotion-bridge.md +187 -0
  590. package/.merlin-core/skills/general/mage-beauty/references/responsive-and-multi-format.md +98 -0
  591. package/.merlin-core/skills/general/mage-beauty/references/spatial-design.md +88 -0
  592. package/.merlin-core/skills/general/mage-beauty/references/typography.md +60 -0
  593. package/.merlin-core/skills/general/mage-beauty/references/verb-adapt.md +102 -0
  594. package/.merlin-core/skills/general/mage-beauty/references/verb-animate.md +97 -0
  595. package/.merlin-core/skills/general/mage-beauty/references/verb-audit.md +99 -0
  596. package/.merlin-core/skills/general/mage-beauty/references/verb-bolder.md +94 -0
  597. package/.merlin-core/skills/general/mage-beauty/references/verb-cinematic.md +128 -0
  598. package/.merlin-core/skills/general/mage-beauty/references/verb-clarify.md +107 -0
  599. package/.merlin-core/skills/general/mage-beauty/references/verb-colorize.md +106 -0
  600. package/.merlin-core/skills/general/mage-beauty/references/verb-critique.md +88 -0
  601. package/.merlin-core/skills/general/mage-beauty/references/verb-delight.md +98 -0
  602. package/.merlin-core/skills/general/mage-beauty/references/verb-distill.md +97 -0
  603. package/.merlin-core/skills/general/mage-beauty/references/verb-harden.md +79 -0
  604. package/.merlin-core/skills/general/mage-beauty/references/verb-layout.md +104 -0
  605. package/.merlin-core/skills/general/mage-beauty/references/verb-onboard.md +98 -0
  606. package/.merlin-core/skills/general/mage-beauty/references/verb-optimize.md +124 -0
  607. package/.merlin-core/skills/general/mage-beauty/references/verb-overdrive.md +105 -0
  608. package/.merlin-core/skills/general/mage-beauty/references/verb-polish.md +91 -0
  609. package/.merlin-core/skills/general/mage-beauty/references/verb-quieter.md +95 -0
  610. package/.merlin-core/skills/general/mage-beauty/references/verb-rebrand.md +127 -0
  611. package/.merlin-core/skills/general/mage-beauty/references/verb-shape.md +160 -0
  612. package/.merlin-core/skills/general/mage-beauty/references/verb-typeset.md +109 -0
  613. package/.merlin-core/skills/general/mage-beauty/references/voice-and-microcopy.md +137 -0
  614. package/.merlin-core/skills/general/mcp-builder/SKILL.md +92 -0
  615. package/.merlin-core/skills/general/network-debug/SKILL.md +51 -0
  616. package/.merlin-core/skills/general/next-best-practices/SKILL.md +177 -0
  617. package/.merlin-core/skills/general/next-best-practices/references/async-patterns.md +87 -0
  618. package/.merlin-core/skills/general/next-best-practices/references/bundling.md +182 -0
  619. package/.merlin-core/skills/general/next-best-practices/references/data-patterns.md +306 -0
  620. package/.merlin-core/skills/general/next-best-practices/references/debug-tricks.md +125 -0
  621. package/.merlin-core/skills/general/next-best-practices/references/directives.md +74 -0
  622. package/.merlin-core/skills/general/next-best-practices/references/error-handling.md +232 -0
  623. package/.merlin-core/skills/general/next-best-practices/references/file-conventions.md +141 -0
  624. package/.merlin-core/skills/general/next-best-practices/references/font.md +257 -0
  625. package/.merlin-core/skills/general/next-best-practices/references/functions.md +108 -0
  626. package/.merlin-core/skills/general/next-best-practices/references/hydration-error.md +88 -0
  627. package/.merlin-core/skills/general/next-best-practices/references/image.md +179 -0
  628. package/.merlin-core/skills/general/next-best-practices/references/metadata.md +296 -0
  629. package/.merlin-core/skills/general/next-best-practices/references/parallel-routes.md +298 -0
  630. package/.merlin-core/skills/general/next-best-practices/references/route-handlers.md +146 -0
  631. package/.merlin-core/skills/general/next-best-practices/references/rsc-boundaries.md +164 -0
  632. package/.merlin-core/skills/general/next-best-practices/references/runtime-selection.md +40 -0
  633. package/.merlin-core/skills/general/next-best-practices/references/scripts.md +141 -0
  634. package/.merlin-core/skills/general/next-best-practices/references/self-hosting.md +384 -0
  635. package/.merlin-core/skills/general/next-best-practices/references/suspense-boundaries.md +67 -0
  636. package/.merlin-core/skills/general/next-steps/SKILL.md +43 -0
  637. package/.merlin-core/skills/general/party-mode/SKILL.md +57 -0
  638. package/.merlin-core/skills/general/pdf/SKILL.md +298 -0
  639. package/.merlin-core/skills/general/pdf/references/forms.md +312 -0
  640. package/.merlin-core/skills/general/pdf/references/reference.md +640 -0
  641. package/.merlin-core/skills/general/pdf/references/windows-setup.md +40 -0
  642. package/.merlin-core/skills/general/pdf/scripts/check_bounding_boxes.py +65 -0
  643. package/.merlin-core/skills/general/pdf/scripts/check_fillable_fields.py +11 -0
  644. package/.merlin-core/skills/general/pdf/scripts/convert_pdf_to_images.py +33 -0
  645. package/.merlin-core/skills/general/pdf/scripts/create_validation_image.py +37 -0
  646. package/.merlin-core/skills/general/pdf/scripts/extract_form_field_info.py +122 -0
  647. package/.merlin-core/skills/general/pdf/scripts/extract_form_structure.py +115 -0
  648. package/.merlin-core/skills/general/pdf/scripts/fill_fillable_fields.py +98 -0
  649. package/.merlin-core/skills/general/pdf/scripts/fill_pdf_form_with_annotations.py +107 -0
  650. package/.merlin-core/skills/general/pptx/SKILL.md +133 -0
  651. package/.merlin-core/skills/general/pptx/references/editing.md +213 -0
  652. package/.merlin-core/skills/general/pptx/references/pptxgenjs.md +581 -0
  653. package/.merlin-core/skills/general/pptx/references/windows-setup.md +27 -0
  654. package/.merlin-core/skills/general/pptx/scripts/__init__.py +0 -0
  655. package/.merlin-core/skills/general/pptx/scripts/add_slide.py +195 -0
  656. package/.merlin-core/skills/general/pptx/scripts/clean.py +286 -0
  657. package/.merlin-core/skills/general/pptx/scripts/thumbnail.py +289 -0
  658. package/.merlin-core/skills/general/property-testing/SKILL.md +214 -0
  659. package/.merlin-core/skills/general/purge-leaked-secret/SKILL.md +383 -0
  660. package/.merlin-core/skills/general/reflection/SKILL.md +100 -0
  661. package/.merlin-core/skills/general/secret-safe-commit/SKILL.md +246 -0
  662. package/.merlin-core/skills/general/secret-safe-commit/templates/.gitleaks.toml +91 -0
  663. package/.merlin-core/skills/general/secret-safe-commit/templates/.pre-commit-config.yaml +57 -0
  664. package/.merlin-core/skills/general/secret-safe-commit/templates/secret-scan.yml +48 -0
  665. package/.merlin-core/skills/general/semantic-search/SKILL.md +79 -0
  666. package/.merlin-core/skills/general/skill-creator/SKILL.md +342 -0
  667. package/.merlin-core/skills/general/skill-creator/agents/analyzer.md +283 -0
  668. package/.merlin-core/skills/general/skill-creator/agents/comparator.md +211 -0
  669. package/.merlin-core/skills/general/skill-creator/agents/grader.md +227 -0
  670. package/.merlin-core/skills/general/skill-creator/assets/eval_review.html +146 -0
  671. package/.merlin-core/skills/general/skill-creator/eval-viewer/generate_review.py +471 -0
  672. package/.merlin-core/skills/general/skill-creator/eval-viewer/viewer.html +1325 -0
  673. package/.merlin-core/skills/general/skill-creator/references/schemas.md +439 -0
  674. package/.merlin-core/skills/general/skill-creator/scripts/__init__.py +0 -0
  675. package/.merlin-core/skills/general/skill-creator/scripts/aggregate_benchmark.py +401 -0
  676. package/.merlin-core/skills/general/skill-creator/scripts/generate_report.py +326 -0
  677. package/.merlin-core/skills/general/skill-creator/scripts/improve_description.py +247 -0
  678. package/.merlin-core/skills/general/skill-creator/scripts/package_skill.py +136 -0
  679. package/.merlin-core/skills/general/skill-creator/scripts/quick_validate.py +103 -0
  680. package/.merlin-core/skills/general/skill-creator/scripts/run_eval.py +310 -0
  681. package/.merlin-core/skills/general/skill-creator/scripts/run_loop.py +328 -0
  682. package/.merlin-core/skills/general/skill-creator/scripts/utils.py +47 -0
  683. package/.merlin-core/skills/general/start-here/SKILL.md +63 -0
  684. package/.merlin-core/skills/general/start-here/recipes.json +758 -0
  685. package/.merlin-core/skills/general/start-here/recipes.schema.json +57 -0
  686. package/.merlin-core/skills/general/static-analysis/SKILL.md +151 -0
  687. package/.merlin-core/skills/general/tailwind-design-system/SKILL.md +201 -0
  688. package/.merlin-core/skills/general/tailwind-design-system/references/advanced-v4.md +152 -0
  689. package/.merlin-core/skills/general/tailwind-design-system/references/component-patterns.md +353 -0
  690. package/.merlin-core/skills/general/teach-method/SKILL.md +86 -0
  691. package/.merlin-core/skills/general/team-execution/SKILL.md +67 -0
  692. package/.merlin-core/skills/general/testing/SKILL.md +412 -0
  693. package/.merlin-core/skills/general/token-economy/SKILL.md +55 -0
  694. package/.merlin-core/skills/general/vps-security-hardening/SKILL.md +406 -0
  695. package/.merlin-core/skills/general/web-quality/SKILL.md +180 -0
  696. package/.merlin-core/skills/general/webapp-testing/SKILL.md +153 -0
  697. package/.merlin-core/skills/general/webapp-testing/scripts/screenshot_compare.py +72 -0
  698. package/.merlin-core/skills/general/webapp-testing/scripts/with_server.py +103 -0
  699. package/.merlin-core/skills/general/xlsx/SKILL.md +167 -0
  700. package/.merlin-core/skills/general/xlsx/references/nodejs-sheetjs-styled-reports.md +141 -0
  701. package/.merlin-core/skills/general/xlsx/references/windows-setup.md +17 -0
  702. package/.merlin-core/skills/general/xlsx/scripts/recalc.py +184 -0
  703. package/.merlin-core/skills/general/xlsx/scripts/styled-report.js +130 -0
  704. package/.merlin-core/skills/general/yolo-mode/SKILL.md +60 -0
  705. package/.merlin-core/skills/general/youtube-transcript/SKILL.md +177 -0
  706. package/.merlin-core/skills/general/youtube-transcript/scripts/fetch_transcript.py +188 -0
  707. package/.merlin-core/skills/general/youtube-transcript/scripts/gladia_transcribe.mjs +230 -0
  708. package/.merlin-core/tools/commands/activate.js +72 -0
  709. package/.merlin-core/tools/commands/archive-thoughts.js +181 -0
  710. package/.merlin-core/tools/commands/backup.js +156 -0
  711. package/.merlin-core/tools/commands/certify-process.js +196 -0
  712. package/.merlin-core/tools/commands/convert.js +87 -0
  713. package/.merlin-core/tools/commands/cron.js +147 -0
  714. package/.merlin-core/tools/commands/disable.js +73 -0
  715. package/.merlin-core/tools/commands/doc-sync.js +127 -0
  716. package/.merlin-core/tools/commands/eval-skill.js +193 -0
  717. package/.merlin-core/tools/commands/frontmatter.js +49 -0
  718. package/.merlin-core/tools/commands/heartbeat.js +43 -0
  719. package/.merlin-core/tools/commands/index-thoughts.js +35 -0
  720. package/.merlin-core/tools/commands/install-remote-approve.js +184 -0
  721. package/.merlin-core/tools/commands/install.js +81 -0
  722. package/.merlin-core/tools/commands/lib/__verify__/diff-reports.js +170 -0
  723. package/.merlin-core/tools/commands/lib/fs-safe.js +186 -0
  724. package/.merlin-core/tools/commands/lib/preflight.js +607 -0
  725. package/.merlin-core/tools/commands/lib/preserve.js +232 -0
  726. package/.merlin-core/tools/commands/lib/project-config.template.yaml +69 -0
  727. package/.merlin-core/tools/commands/lib/report.js +231 -0
  728. package/.merlin-core/tools/commands/lib/settings-merge.js +134 -0
  729. package/.merlin-core/tools/commands/license.js +52 -0
  730. package/.merlin-core/tools/commands/list.js +125 -0
  731. package/.merlin-core/tools/commands/migrate-alkimia.js +271 -0
  732. package/.merlin-core/tools/commands/modules.js +68 -0
  733. package/.merlin-core/tools/commands/provision.js +83 -0
  734. package/.merlin-core/tools/commands/prune-feedback.js +114 -0
  735. package/.merlin-core/tools/commands/run-process.js +28 -0
  736. package/.merlin-core/tools/commands/state.js +79 -0
  737. package/.merlin-core/tools/commands/sync-bridges.js +197 -0
  738. package/.merlin-core/tools/commands/upgrade.js +1135 -0
  739. package/.merlin-core/tools/commands/validate-recipes.js +218 -0
  740. package/.merlin-core/tools/commands/validate.js +159 -0
  741. package/.merlin-core/tools/commands/yolo.js +82 -0
  742. package/.merlin-core/tools/compose-rules.mjs +179 -0
  743. package/.merlin-core/tools/disable-module.mjs +150 -0
  744. package/.merlin-core/tools/lib/deployer.mjs +131 -0
  745. package/.merlin-core/tools/lib/modules-activation.mjs +225 -0
  746. package/.merlin-core/tools/merlin-tools.js +153 -0
  747. package/.merlin-core/tools/migrate-frontmatter-v3.js +192 -0
  748. package/.merlin-core/tools/modules-catalog.mjs +174 -0
  749. package/.merlin-core/tools/provision-module.mjs +191 -0
  750. package/.merlin-core/tools/verify-module.mjs +99 -0
  751. package/.merlin-core/tools/vps-security-audit.sh +234 -0
  752. package/INSTALL.md +312 -0
  753. package/LICENSE +118 -0
  754. package/PRIVACY-LICENSING.md +65 -0
  755. package/README.md +391 -0
  756. package/bin/README.md +15 -0
  757. package/bin/convert-to-merlin.sh +109 -0
  758. package/bin/fleet-patch-hooks.sh +144 -0
  759. package/bin/fleet-patch-v3-fixes.sh +127 -0
  760. package/bin/merlin-init.js +232 -0
  761. package/bin/merlin.js +321 -0
  762. package/package.json +127 -0
package/.merlin-core/skills/general/secret-safe-commit/SKILL.md ADDED
@@ -0,0 +1,246 @@
1
+ ---
2
+ name: secret-safe-commit
3
+ description: Pre-commit gitleaks scanning + project bootstrap. Refuses commits that expose secrets. Backed by .gitleaks.toml allowlist, .pre-commit-config.yaml, and CI workflow templates. Used by /commit and /safe-commit.
4
+ license: Apache-2.0
5
+ metadata:
6
+ author: merlin-framework
7
+ version: "3.0.0"
8
+ auto_activate:
9
+ [
10
+ safe-commit,
11
+ gitleaks,
12
+ secret-scan,
13
+ pre-commit-hook,
14
+ leak-prevention,
15
+ api-key-leak,
16
+ ]
17
+ tool_reminders:
18
+ [
19
+ Pre-commit hooks can be bypassed with --no-verify — always pair with CI scan,
20
+ On any gitleaks finding ABORT the commit and recommend purge-leaked-secret skill,
21
+ Never edit .gitleaks.toml allowlist without documenting why each entry exists,
22
+ gitleaks redact mode hides values in output — use it by default to avoid leaking secrets in agent logs,
23
+ Test fixtures with intentionally fake secrets need explicit allowlist or --skip-secret-scan flag with reason,
24
+ ]
25
+ ---
26
+
27
+ # Secret-Safe Commit Skill
28
+
29
+ **Mission:** Make it physically impossible for a Merlin-project commit to ship
30
+ a secret to git history without explicit human bypass + audit log. Every
31
+ project gets the same gitleaks setup; every commit goes through the same
32
+ pre-flight check.
33
+
34
+ The skill exists because we once discovered 3 credential files
35
+ sitting in a client project's working tree (Firebase Admin SDK private key, Google
36
+ OAuth client secret, YouTube tokens) that any `git add -A` would have
37
+ committed instantly. We cannot rely on humans noticing — we need the tooling
38
+ to refuse.
39
+
40
+ ---
41
+
42
+ ## When this skill activates
43
+
44
+ - User invokes `/safe-commit` or `/commit`
45
+ - User mentions: "gitleaks", "secret scan", "pre-commit", "leaked", "credential"
46
+ - A new project is being bootstrapped (initial commit not yet made)
47
+ - After `purge-leaked-secret` cleans up an incident — to prevent recurrence
48
+
49
+ ---
50
+
51
+ ## What this skill provides
52
+
53
+ ### A. Bootstrap command (one-time per project)
54
+
55
+ ```bash
56
+ # 1. Install pre-commit framework + gitleaks
57
+ pip install pre-commit
58
+ # OR via brew/apt: brew install gitleaks / apt install gitleaks
59
+
60
+ # 2. Drop in the templates (from this skill's templates/ directory)
61
+ cp <skill-dir>/templates/.pre-commit-config.yaml .
62
+ cp <skill-dir>/templates/.gitleaks.toml .
63
+ mkdir -p .github/workflows
64
+ cp <skill-dir>/templates/secret-scan.yml .github/workflows/
65
+
66
+ # 3. Activate pre-commit hooks
67
+ pre-commit install
68
+
69
+ # 4. Run baseline scan to detect existing secrets in working tree
70
+ gitleaks detect --source . --redact --verbose
71
+
72
+ # 5. Run baseline scan on git history (full repo)
73
+ gitleaks detect --source . --log-opts="--all" --redact --verbose
74
+ ```
75
+
76
+ The baseline scan in step 4-5 is critical — we need to know NOW if past
77
+ commits have secrets, not discover it later. If findings appear, immediately
78
+ invoke the **`purge-leaked-secret`** skill.
79
+
80
+ ### B. Per-commit pre-flight (every `/safe-commit`)
81
+
82
+ ```bash
83
+ gitleaks protect --source . --staged --redact --verbose
84
+ ```
85
+
86
+ `protect` mode (vs `detect`) only scans STAGED changes — fast (<2s typical).
87
+ `--redact` hides the actual secret value in output (so the agent log doesn't
88
+ leak the secret it just caught).
89
+
90
+ ### C. CI defense-in-depth
91
+
92
+ The included `.github/workflows/secret-scan.yml` runs on every push + PR with
93
+ `gitleaks detect`. This catches:
94
+
95
+ - Commits made with `--no-verify` (bypassing pre-commit)
96
+ - Commits made with `--skip-secret-scan` (legitimate edge cases that still need to be reviewed)
97
+ - Secrets that match patterns added to the gitleaks DB AFTER the local scan ran
98
+
99
+ ### D. Allowlist convention (`.gitleaks.toml`)
100
+
101
+ Allowlists are technical debt — every entry must be justified. Convention:
102
+
103
+ ```toml
104
+ [allowlist]
105
+ description = "<project> allowlist — every entry must be approved + documented"
106
+
107
+ # Each entry has 3 required fields: regex/path, reason, approver, date
108
+ [[allowlist.regexes]]
109
+ description = "Test fixture for AWS regex testing — fake key, never real"
110
+ regex = '''AKIAIOSFODNN7EXAMPLE'''
111
+ # approver: <name>, date: <YYYY-MM-DD>, see: tests/aws-mock.ts
112
+ ```
113
+
114
+ If an allowlist grows past 5 entries, run `engineering-audit` on it — most
115
+ entries are usually code smells (real secrets in tests, fake secrets in prod
116
+ code by mistake, etc.).
117
+
118
+ ---
119
+
120
+ ## The `--skip-secret-scan` flag (governance)
121
+
122
+ When a user invokes `/safe-commit --skip-secret-scan`:
123
+
124
+ 1. **Require a written reason** in the commit body: `secret-scan-skip: <why>`
125
+ 2. **Print the warning** to console (not just log):
126
+ ```
127
+ ⚠️ SECRET SCAN BYPASSED
128
+ Reason: <reason>
129
+ This bypass is logged to .merlin-core/thoughts/shared/incidents/secret-scan-bypass.log
130
+ The CI scan will still run on push.
131
+ ```
132
+ 3. **Log to** `.merlin-core/thoughts/shared/incidents/secret-scan-bypass.log` with:
133
+ - Timestamp (ISO 8601)
134
+ - Git user (from `git config user.email`)
135
+ - Commit SHA (after commit completes)
136
+ - Files staged (full list)
137
+ - Reason text
138
+
139
+ 4. **Periodic review** of the bypass log — recommend monthly audit during
140
+ `engineering-audit` on the project. Repeated bypasses for the same reason
141
+ indicate a process gap (e.g., test fixtures need permanent allowlist entries).
142
+
143
+ ---
144
+
145
+ ## Common gotchas
146
+
147
+ ### Gotcha #1 — `pre-commit install` not run after `pip install pre-commit`
148
+
149
+ `pip install pre-commit` only installs the binary. Each repo needs `pre-commit
150
+ install` to wire it into `.git/hooks/pre-commit`. Without that, the
151
+ `.pre-commit-config.yaml` is just a sitting file. Always verify with
152
+ `cat .git/hooks/pre-commit | head -5` after install.
153
+
154
+ ### Gotcha #2 — gitleaks runs from repo root, not subdirectory
155
+
156
+ If your project has a monorepo structure (e.g. `firebase/functions/`
157
+ and `firebase/hosting/`), gitleaks scans the entire tree by default. This is
158
+ usually what you want. To restrict, use `--source <subdir>` but be aware that
159
+ secrets can leak across subdirs (e.g., a `.env` at root affects both).
160
+
161
+ ### Gotcha #3 — Custom rules need `[[rules]]` not `[rules]`
162
+
163
+ TOML array-of-tables syntax is `[[double brackets]]`. `[single]` defines a
164
+ table, not a list. Easy to get wrong; gitleaks will silently load 0 custom
165
+ rules with the wrong syntax.
166
+
167
+ ### Gotcha #4 — `gitleaks detect` is slow on large repos
168
+
169
+ `detect` mode scans the entire git log. On a small repo it's <5s; on
170
+ larger repos (>10k commits) it can take minutes. For routine scans, use
171
+ `gitleaks protect --staged` (fast, only staged). Run `detect` on the full
172
+ history only at bootstrap and weekly via cron/GitHub Action.
173
+
174
+ ### Gotcha #5 — Agent log captures the redacted secret name
175
+
176
+ When the agent logs `gitleaks` output, even with `--redact`, the rule name
177
+
178
+ - file path is captured. This is fine usually, but if a rule is named
179
+ something sensitive (e.g., "<Company> Internal API Key"), the rule name
180
+ itself can be a leak. Use generic rule names or anonymize.
181
+
182
+ ---
183
+
184
+ ## Templates included in this skill
185
+
186
+ | File | Purpose | Drop-in path |
187
+ | ----------------------------------- | ------------------------------------------------------------------------------ | -------------------- |
188
+ | `templates/.pre-commit-config.yaml` | Hooks: gitleaks + lint-staged + commitlint + check-merge-conflict | Project root |
189
+ | `templates/.gitleaks.toml` | Custom rules + allowlist (start with allowlist empty + project-specific rules) | Project root |
190
+ | `templates/secret-scan.yml` | GitHub Action — runs on push + PR | `.github/workflows/` |
191
+
192
+ After dropping templates, edit the project-specific rules section of
193
+ `.gitleaks.toml` to add patterns unique to the project (e.g., custom JWT
194
+ prefixes, internal service tokens).
195
+
196
+ ---
197
+
198
+ ## How this composes with other skills
199
+
200
+ - **`/safe-commit` command** — invokes Step 0 of this skill (`gitleaks protect --staged`) before drafting commit message
201
+ - **`purge-leaked-secret`** skill — invoked when this skill DETECTS a leak (proactive → reactive)
202
+ - **`engineering-audit`** skill — its security axis includes verifying gitleaks is installed + active in the audited project
203
+ - **`ci-security-baseline`** skill (Tier 2 roadmap) — extends the GitHub Action with Trivy + npm audit + Semgrep
204
+ - **`vps-security-hardening`** skill — references this skill in its "operational hygiene" section
205
+
206
+ ---
207
+
208
+ ## Verification (after bootstrapping a project)
209
+
210
+ ```bash
211
+ # 1. Verify pre-commit installed
212
+ test -f .git/hooks/pre-commit && echo "✓ pre-commit hook installed" || echo "✗ MISSING"
213
+
214
+ # 2. Verify gitleaks runs
215
+ gitleaks version && echo "✓ gitleaks available" || echo "✗ MISSING"
216
+
217
+ # 3. Test with a fake secret (creates a fake AWS key, attempts commit, expects abort)
218
+ echo 'AWS_KEY="AKIAIOSFODNN7EXAMPLE"' > /tmp/test-leak.env
219
+ git add /tmp/test-leak.env 2>/dev/null
220
+ gitleaks protect --source . --staged --redact && echo "✗ FAIL: should have detected" || echo "✓ gitleaks correctly aborted"
221
+ git restore --staged /tmp/test-leak.env 2>/dev/null
222
+ rm -f /tmp/test-leak.env
223
+
224
+ # 4. Verify CI workflow file
225
+ test -f .github/workflows/secret-scan.yml && echo "✓ CI workflow installed" || echo "✗ MISSING"
226
+ ```
227
+
228
+ If any check fails, re-run the bootstrap. All four must pass before declaring
229
+ the project "secret-safe".
230
+
231
+ ---
232
+
233
+ ## Maintenance
234
+
235
+ - **Quarterly:** Review `.gitleaks.toml` allowlist — remove entries that no longer apply
236
+ - **Monthly:** Review `.merlin-core/thoughts/shared/incidents/secret-scan-bypass.log` — flag repeated bypass patterns
237
+ - **On gitleaks update:** Re-run `gitleaks detect --source . --log-opts="--all"` to catch newly-recognized secret patterns in old commits
238
+ - **On new project:** Run the bootstrap as part of `merlin-tools upgrade`
239
+
240
+ ---
241
+
242
+ ## References
243
+
244
+ - [Gitleaks official docs](https://gitleaks.org/)
245
+ - [pre-commit framework](https://pre-commit.com/)
246
+ - A fleet security audit (internal) — the origin incident that motivated this skill
package/.merlin-core/skills/general/secret-safe-commit/templates/.gitleaks.toml ADDED
@@ -0,0 +1,91 @@
1
+ # Merlin baseline gitleaks config — extends defaults with project-specific rules.
2
+ # Includes critical custom rules to catch markdown-table-formatted secrets that
3
+ # default gitleaks rules miss (the format that once exposed a vendor production
4
+ # secret in a real project — see purge-leaked-secret skill).
5
+ #
6
+ # Schema: gitleaks v8.x — `[allowlist]` uses simple list-of-strings, NOT
7
+ # `[[allowlist.paths]]` with sub-tables (deprecated in v8).
8
+ #
9
+ # Docs: https://github.com/gitleaks/gitleaks/blob/master/README.md#configuration
10
+
11
+ # Inherit all default rules (AWS, GitHub, Google, Stripe, OpenAI, etc.)
12
+ [extend]
13
+ useDefault = true
14
+
15
+ # ---------- CRITICAL: catch markdown-table formatted secrets ----------
16
+ # Default gitleaks rules require key=value or "key": "value" format.
17
+ # Markdown handoff docs frequently use: | key | `value` | which slips through.
18
+ [[rules]]
19
+ id = "markdown-table-secret"
20
+ description = "Secret embedded in a markdown table cell (| key | `value` |)"
21
+ regex = '''(?i)\|\s*[^|]*(?:secret|password|token|api[_-]?key|client[_-]?secret|access[_-]?token|refresh[_-]?token|auth[_-]?token|private[_-]?key|webhook[_-]?secret)[^|]*\|\s*`([A-Za-z0-9_+\/=\-]{30,})`'''
22
+ secretGroup = 1
23
+ entropy = 3.5
24
+ tags = ["markdown", "table", "high-priority"]
25
+
26
+ # Catches: **Client Secret:** `Bp07...` or "Webhook secret: `whsec_...`"
27
+ [[rules]]
28
+ id = "backtick-secret-near-keyword"
29
+ description = "High-entropy string in backticks near a secret keyword"
30
+ regex = '''(?i)(?:secret|password|token|api[_-]?key|client[_-]?secret|access[_-]?token|webhook[_-]?secret)["'\s:*]*`([A-Za-z0-9_+\/=\-]{30,})`'''
31
+ secretGroup = 1
32
+ entropy = 3.5
33
+ tags = ["markdown", "high-priority"]
34
+
35
+ # ---------- Common provider rules (uncomment + adapt per project) ----------
36
+
37
+ # Mercado Pago credentials
38
+ # [[rules]]
39
+ # id = "mercadopago-access-token"
40
+ # description = "Mercado Pago Access Token (production or test)"
41
+ # regex = '''(?i)(APP_USR|TEST)-[0-9]{8,}-[0-9]{6}-[a-f0-9]{32}-[0-9]{8,}'''
42
+ # tags = ["key", "mercadopago"]
43
+
44
+ # Resend API keys
45
+ # [[rules]]
46
+ # id = "resend-api-key"
47
+ # description = "Resend API Key"
48
+ # regex = '''re_[A-Za-z0-9_]{40,}'''
49
+ # tags = ["key", "resend"]
50
+
51
+ # Example vendor JWTs
52
+ # [[rules]]
53
+ # id = "vendor-jwt"
54
+ # description = "Example vendor production JWT (RS256, 30-day)"
55
+ # regex = '''eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIs[A-Za-z0-9_=\-]{100,}'''
56
+ # tags = ["jwt", "vendor"]
57
+
58
+ # Firebase service account private key block
59
+ # [[rules]]
60
+ # id = "firebase-private-key-block"
61
+ # description = "Firebase service account private_key field"
62
+ # regex = '''"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----'''
63
+ # tags = ["key", "firebase"]
64
+
65
+ # ---------- Allowlist — every entry MUST be documented in comments ----------
66
+ # gitleaks v8 uses simple list-of-strings format. Documentation goes in comments
67
+ # IMMEDIATELY ABOVE each entry (approver, date, reason).
68
+ [allowlist]
69
+ description = "Documented exceptions — review monthly"
70
+
71
+ paths = [
72
+ # Skill templates contain secret regex patterns AS DOCUMENTATION (not real leaks)
73
+ # approver: <name>, date: <YYYY-MM-DD>, reason: skill templates illustrate gitleaks rules
74
+ '''\.merlin-core/skills/.+/templates/.+''',
75
+
76
+ # Lock files (large auto-generated, no secrets)
77
+ '''package-lock\.json''',
78
+ '''yarn\.lock''',
79
+ ]
80
+
81
+ regexes = [
82
+ # Generic AWS example key from gitleaks docs (universally fake)
83
+ # approver: <name>, date: <YYYY-MM-DD>, reason: AWS official documentation example
84
+ '''AKIAIOSFODNN7EXAMPLE''',
85
+
86
+ # Redaction marker we use after purging real secrets (not an actual secret)
87
+ # approver: <name>, date: <YYYY-MM-DD>, reason: redaction placeholder
88
+ '''<REDACTED[^>]*>''',
89
+ ]
90
+
91
+ # Add project-specific exceptions above — keep documented in comments
package/.merlin-core/skills/general/secret-safe-commit/templates/.pre-commit-config.yaml ADDED
@@ -0,0 +1,57 @@
1
+ # Merlin baseline pre-commit config — secret scanning + lint + commit message format.
2
+ # Drop into project root, then run: pre-commit install
3
+ #
4
+ # Hooks run in order. Any failure aborts the commit.
5
+
6
+ repos:
7
+ # ---------- Secret scanning (THIS IS THE CRITICAL ONE) ----------
8
+ - repo: https://github.com/gitleaks/gitleaks
9
+ rev: v8.21.1
10
+ hooks:
11
+ - id: gitleaks
12
+ # Scan staged changes only — fast (<2s typical)
13
+ # --redact hides secret values in output (so logs don't leak)
14
+ args: ['protect', '--staged', '--redact', '--verbose']
15
+
16
+ # ---------- Generic safety hooks (small + universal) ----------
17
+ - repo: https://github.com/pre-commit/pre-commit-hooks
18
+ rev: v4.6.0
19
+ hooks:
20
+ - id: check-added-large-files
21
+ args: ['--maxkb=500'] # Block files >500KB (likely binaries or accidentally committed assets)
22
+ - id: check-merge-conflict # Refuses commits with <<<<<<< markers
23
+ - id: check-yaml # Validates YAML files (catches typos in CI configs early)
24
+ - id: check-json # Validates JSON files (catches typos in package.json early)
25
+ - id: detect-private-key # Refuses files containing -----BEGIN PRIVATE KEY----- markers
26
+ # Exclude our own config files that REFERENCE the BEGIN PRIVATE KEY pattern as documentation
27
+ exclude: '^(\.gitleaks\.toml|\.pre-commit-config\.yaml|\.merlin-core/skills/.+/templates/.+|\.merlin-core/thoughts/shared/(research|plans|handoffs)/.+\.md)$'
28
+ - id: detect-aws-credentials # Belt-and-suspenders with gitleaks for AWS
29
+ args: ['--allow-missing-credentials']
30
+ - id: end-of-file-fixer # Ensures files end with newline (poka-yoke)
31
+ - id: trailing-whitespace # Removes trailing whitespace on save
32
+
33
+ # ---------- Conventional commit message validation ----------
34
+ - repo: https://github.com/compilerla/conventional-pre-commit
35
+ rev: v3.4.0
36
+ hooks:
37
+ - id: conventional-pre-commit
38
+ stages: [commit-msg]
39
+ args: ['--strict', '--force-scope', 'feat', 'fix', 'docs', 'style', 'refactor', 'perf', 'test', 'chore', 'ci', 'build', 'security']
40
+
41
+ # ---------- Project-specific lint hooks (uncomment + adapt per project) ----------
42
+ # For Node projects:
43
+ # - repo: local
44
+ # hooks:
45
+ # - id: eslint
46
+ # name: eslint
47
+ # entry: npx eslint --fix
48
+ # language: system
49
+ # types_or: [javascript, ts, tsx]
50
+ # require_serial: false
51
+ #
52
+ # For Python projects:
53
+ # - repo: https://github.com/astral-sh/ruff-pre-commit
54
+ # rev: v0.6.9
55
+ # hooks:
56
+ # - id: ruff # Lint
57
+ # - id: ruff-format # Format
package/.merlin-core/skills/general/secret-safe-commit/templates/secret-scan.yml ADDED
@@ -0,0 +1,48 @@
1
+ # Defense-in-depth: scan all pushes + PRs for leaked secrets.
2
+ # Catches commits made with --no-verify or --skip-secret-scan that bypassed the local hook.
3
+ #
4
+ # Drop into .github/workflows/secret-scan.yml
5
+
6
+ name: Secret Scan (gitleaks)
7
+
8
+ on:
9
+ push:
10
+ branches: ['**']
11
+ pull_request:
12
+ branches: ['**']
13
+ schedule:
14
+ # Weekly full-history rescan — catches patterns added to gitleaks DB after the fact
15
+ - cron: '0 4 * * 1' # Monday 04:00 UTC
16
+ workflow_dispatch: # Allow manual trigger
17
+
18
+ permissions:
19
+ contents: read
20
+ security-events: write # For uploading SARIF results
21
+
22
+ jobs:
23
+ gitleaks:
24
+ name: gitleaks scan
25
+ runs-on: ubuntu-latest
26
+ steps:
27
+ - name: Checkout (full history for accurate scan)
28
+ uses: actions/checkout@v4
29
+ with:
30
+ fetch-depth: 0 # Required for full-history scan
31
+
32
+ - name: Run gitleaks
33
+ uses: gitleaks/gitleaks-action@v2
34
+ env:
35
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
36
+ # GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }} # Only needed for private orgs (free for public)
37
+ GITLEAKS_ENABLE_COMMENTS: true # Comment on PR with findings
38
+ GITLEAKS_ENABLE_UPLOAD_ARTIFACT: true # Upload SARIF for security tab
39
+ GITLEAKS_ENABLE_SUMMARY: true # Show summary in workflow log
40
+
41
+ - name: Notify on finding (Slack/Discord/etc — adapt per project)
42
+ if: failure()
43
+ run: |
44
+ echo "::error::Gitleaks detected leaked secrets. See findings above."
45
+ # Example: notify Slack
46
+ # curl -X POST -H 'Content-type: application/json' \
47
+ # --data '{"text":"🚨 Secret leak detected in ${{ github.repository }} — see ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"}' \
48
+ # ${{ secrets.SLACK_WEBHOOK_URL }}
package/.merlin-core/skills/general/semantic-search/SKILL.md ADDED
@@ -0,0 +1,79 @@
1
+ ---
2
+ name: semantic-search
3
+ description: Symbol-aware code search patterns that distinguish definitions from references, classes from instances, and imports from usages.
4
+ license: Apache-2.0
5
+ metadata:
6
+ author: merlin-framework
7
+ version: "3.0.0"
8
+ auto_activate: [find-definition, find-class, find-function, find-usage, go-to-symbol]
9
+ file_triggers: [*.js, *.ts, *.py, *.java, *.go]
10
+ tool_reminders: [For 'find definition': search for class/function/const DECLARATION patterns, not all mentions, For 'find usage': exclude import lines and the definition itself]
11
+ ---
12
+
13
+ ## Symbol-Aware Search Patterns
14
+
15
+ When searching for code symbols, use language-specific patterns to distinguish definitions from references. This prevents false positives and gives more precise results.
16
+
17
+ ## JavaScript / TypeScript
18
+
19
+ ### Find Definition
20
+
21
+ ```
22
+ class ClassName → /class\s+ClassName\b/
23
+ function funcName → /function\s+funcName\b/
24
+ const/let/var varName → /(const|let|var)\s+varName\b/
25
+ export default → /export\s+default\s+(class|function)\s+Name/
26
+ arrow function → /const\s+funcName\s*=/
27
+ interface/type → /(interface|type)\s+TypeName\b/
28
+ ```
29
+
30
+ ### Find Usage (exclude definition + imports)
31
+
32
+ ```
33
+ Exclude: /^import\s.*ClassName/
34
+ Exclude: /^(class|function|const|let|var|interface|type)\s+SymbolName/
35
+ Include: all other occurrences of SymbolName
36
+ ```
37
+
38
+ ### Find Exports
39
+
40
+ ```
41
+ Named export → /export\s+(const|function|class|type|interface)\s+Name/
42
+ Re-export → /export\s*\{[^}]*Name[^}]*\}\s*from/
43
+ Default export → /export\s+default\s+Name/
44
+ ```
45
+
46
+ ## Python
47
+
48
+ ### Find Definition
49
+
50
+ ```
51
+ class ClassName → /^class\s+ClassName[\s(:]/
52
+ def funcName → /^def\s+funcName\s*\(/
53
+ variable → /^ClassName\s*=/ (module-level assignment)
54
+ ```
55
+
56
+ ### Find Usage (exclude definition + imports)
57
+
58
+ ```
59
+ Exclude: /^(from\s.*import|import)\s.*ClassName/
60
+ Exclude: /^(class|def)\s+SymbolName/
61
+ ```
62
+
63
+ ## Go
64
+
65
+ ### Find Definition
66
+
67
+ ```
68
+ func funcName → /^func\s+funcName\b/
69
+ type TypeName → /^type\s+TypeName\s+(struct|interface)/
70
+ var/const → /^(var|const)\s+varName\b/
71
+ method → /^func\s*\([^)]+\)\s*funcName\b/
72
+ ```
73
+
74
+ ## Search Strategy
75
+
76
+ 1. **Definition search**: Use the language-specific declaration patterns above
77
+ 2. **Usage search**: Grep for the symbol, then EXCLUDE import lines and the definition itself
78
+ 3. **Reference search**: Find all occurrences including imports and definition (full picture)
79
+ 4. **When LSP MCP is available**: Prefer `go_to_definition` and `find_references` tools for precise resolution