@cubis/foundry 0.3.71 → 0.3.72

package/workflows/powers/vulnerability-scanner/POWER.md

@@ -2,23 +2,159 @@
 ---
 inclusion: manual
 name: vulnerability-scanner
-description: "Compatibility alias skill. Deprecated: use security-reviewer."
+description: Scan dependencies for CVEs, perform SAST/DAST analysis, manage security advisories, and implement automated vulnerability management workflows.
+license: Apache-2.0
 metadata:
-  deprecated: true
-  replaced_by: security-reviewer
-  removal_target: v0.6.0
+  author: cubis-foundry
+  version: "3.0"
+compatibility: Claude Code, Codex, GitHub Copilot, Gemini CLI
 ---
 
 # Vulnerability Scanner
 
-## Compatibility Alias
+## Purpose
 
-This skill is deprecated and kept for backward compatibility.
+Guide dependency scanning, static/dynamic application security testing, CVE management, and automated vulnerability remediation workflows.
 
-Use `security-reviewer` as the canonical skill.
+## When to Use
 
-## Migration
+- Auditing project dependencies for known vulnerabilities
+- Setting up automated security scanning in CI/CD
+- Triaging and remediating CVEs in dependencies
+- Implementing SAST (static) or DAST (dynamic) security testing
+- Managing security advisories and disclosure
+- Building a software bill of materials (SBOM)
 
-1. Replace direct references to `vulnerability-scanner` with `security-reviewer`.
-2. Apply the full workflow from `security-reviewer` for new work.
+## Instructions
+
+### Step 1 — Scan Dependencies
+
+**Tools by ecosystem**:
+| Ecosystem | Tool | Command |
+|-----------|------|---------|
+| npm | `npm audit` | `npm audit --production` |
+| Node.js | Socket.dev | GitHub App |
+| Python | pip-audit, Safety | `pip-audit` |
+| Go | govulncheck | `govulncheck ./...` |
+| Rust | cargo-audit | `cargo audit` |
+| Multi-lang | Snyk, Dependabot, Trivy | `snyk test`, `trivy fs .` |
+
+**Scan levels**:
+
+- **Direct dependencies**: what you explicitly installed
+- **Transitive dependencies**: dependencies of your dependencies (most vulnerabilities hide here)
+- **Dev dependencies**: lower risk but still scan (supply chain attacks)
+
+### Step 2 — Triage Vulnerabilities
+
+**Severity assessment** (CVSS + context):
+
+| CVSS     | Severity | Response Time                  |
+| -------- | -------- | ------------------------------ |
+| 9.0-10.0 | Critical | Fix within 24 hours            |
+| 7.0-8.9  | High     | Fix within 1 week              |
+| 4.0-6.9  | Medium   | Fix within 1 month             |
+| 0.1-3.9  | Low      | Fix at next maintenance window |
+
+**Context reduces severity**:
+
+- Dev-only dependency? Lower priority (unless it affects build output)
+- Vulnerability requires network access but the dep runs client-side only? Lower priority
+- Vulnerable function isn't used in your code? Document and monitor
+
+**Decision matrix**:
+| Can Update? | Is Exploitable? | Action |
+|-------------|-----------------|--------|
+| Yes | Yes | Update immediately |
+| Yes | No | Update at next opportunity |
+| No (breaking) | Yes | Fork/patch, or find alternative |
+| No | No | Document, monitor, revisit |
+
+### Step 3 — Remediate
+
+**Update strategies**:
+
+1. **Direct update**: bump the vulnerable package (preferred)
+2. **Override/resolution**: force transitive dependency version (npm overrides, yarn resolutions)
+3. **Fork and patch**: fork the dep, apply security fix, use your fork
+4. **Replace**: switch to an alternative package
+5. **Mitigate**: add application-level controls (input validation, WAF rules) while working on a fix
+
+**Testing after remediation**:
+
+- Run full test suite
+- Check for breaking changes in the updated dependency
+- Verify the vulnerability is actually fixed (`npm audit` should show resolved)
+- Deploy to staging before production
+
+### Step 4 — Automate in CI/CD
+
+**Pipeline integration**:
+
+```yaml
+# GitHub Actions example
+security-scan:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+    - run: npm ci
+    - run: npm audit --production --audit-level=high
+    - name: Run Trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: "fs"
+        severity: "HIGH,CRITICAL"
+```
+
+**Policy**:
+
+- Block PRs with critical/high vulnerabilities
+- Auto-create tickets for medium vulnerabilities
+- Dashboard for low-severity tracking
+- Weekly automated dependency update PRs (Dependabot, Renovate)
+
+### Step 5 — Generate SBOM
+
+**Software Bill of Materials** — inventory of all components:
+
+- Use CycloneDX or SPDX format
+- Generate on every release
+- Include in release artifacts
+- Required for many compliance frameworks
+
+**Command examples**:
+
+```bash
+# Node.js
+npx @cyclonedx/cyclonedx-npm --output-file sbom.json
+
+# Container
+trivy image --format cyclonedx myapp:latest > sbom.json
+```
+
+## Output Format
+
+```
+## Scan Results
+[vulnerability count by severity]
+
+## Critical/High Findings
+[CVE ID, package, severity, fix version, exploitability]
+
+## Remediation Plan
+[priority-ordered fixes with commands]
+
+## CI Configuration
+[automated scanning pipeline config]
+```
+
+## Examples
+
+**User**: "Audit our project dependencies for security vulnerabilities"
+
+**Response approach**: Run `npm audit` (or equivalent). List all vulnerabilities by severity. For each critical/high: explain the CVE, check if the vulnerable function is used, provide update command. Suggest adding to CI pipeline.
+
+**User**: "We have a critical CVE in a transitive dependency we can't update"
+
+**Response approach**: Check if the vulnerability is exploitable in context. Use npm overrides to force the patched version of the transitive dep. If not possible, check for alternative packages. Document the mitigation. Set up monitoring for a proper fix.
 ````

package/workflows/powers/vulnerability-scanner/SKILL.md

@@ -1,21 +1,157 @@
 ---
 name: vulnerability-scanner
-description: "Compatibility alias skill. Deprecated: use security-reviewer."
+description: Scan dependencies for CVEs, perform SAST/DAST analysis, manage security advisories, and implement automated vulnerability management workflows.
+license: Apache-2.0
 metadata:
-  deprecated: true
-  replaced_by: security-reviewer
-  removal_target: v0.6.0
+  author: cubis-foundry
+  version: "3.0"
+compatibility: Claude Code, Codex, GitHub Copilot, Gemini CLI
 ---
 
 # Vulnerability Scanner
 
-## Compatibility Alias
+## Purpose
 
-This skill is deprecated and kept for backward compatibility.
+Guide dependency scanning, static/dynamic application security testing, CVE management, and automated vulnerability remediation workflows.
 
-Use `security-reviewer` as the canonical skill.
+## When to Use
 
-## Migration
+- Auditing project dependencies for known vulnerabilities
+- Setting up automated security scanning in CI/CD
+- Triaging and remediating CVEs in dependencies
+- Implementing SAST (static) or DAST (dynamic) security testing
+- Managing security advisories and disclosure
+- Building a software bill of materials (SBOM)
 
-1. Replace direct references to `vulnerability-scanner` with `security-reviewer`.
-2. Apply the full workflow from `security-reviewer` for new work.
+## Instructions
+
+### Step 1 — Scan Dependencies
+
+**Tools by ecosystem**:
+| Ecosystem | Tool | Command |
+|-----------|------|---------|
+| npm | `npm audit` | `npm audit --production` |
+| Node.js | Socket.dev | GitHub App |
+| Python | pip-audit, Safety | `pip-audit` |
+| Go | govulncheck | `govulncheck ./...` |
+| Rust | cargo-audit | `cargo audit` |
+| Multi-lang | Snyk, Dependabot, Trivy | `snyk test`, `trivy fs .` |
+
+**Scan levels**:
+
+- **Direct dependencies**: what you explicitly installed
+- **Transitive dependencies**: dependencies of your dependencies (most vulnerabilities hide here)
+- **Dev dependencies**: lower risk but still scan (supply chain attacks)
+
+### Step 2 — Triage Vulnerabilities
+
+**Severity assessment** (CVSS + context):
+
+| CVSS     | Severity | Response Time                  |
+| -------- | -------- | ------------------------------ |
+| 9.0-10.0 | Critical | Fix within 24 hours            |
+| 7.0-8.9  | High     | Fix within 1 week              |
+| 4.0-6.9  | Medium   | Fix within 1 month             |
+| 0.1-3.9  | Low      | Fix at next maintenance window |
+
+**Context reduces severity**:
+
+- Dev-only dependency? Lower priority (unless it affects build output)
+- Vulnerability requires network access but the dep runs client-side only? Lower priority
+- Vulnerable function isn't used in your code? Document and monitor
+
+**Decision matrix**:
+| Can Update? | Is Exploitable? | Action |
+|-------------|-----------------|--------|
+| Yes | Yes | Update immediately |
+| Yes | No | Update at next opportunity |
+| No (breaking) | Yes | Fork/patch, or find alternative |
+| No | No | Document, monitor, revisit |
+
+### Step 3 — Remediate
+
+**Update strategies**:
+
+1. **Direct update**: bump the vulnerable package (preferred)
+2. **Override/resolution**: force transitive dependency version (npm overrides, yarn resolutions)
+3. **Fork and patch**: fork the dep, apply security fix, use your fork
+4. **Replace**: switch to an alternative package
+5. **Mitigate**: add application-level controls (input validation, WAF rules) while working on a fix
+
+**Testing after remediation**:
+
+- Run full test suite
+- Check for breaking changes in the updated dependency
+- Verify the vulnerability is actually fixed (`npm audit` should show resolved)
+- Deploy to staging before production
+
+### Step 4 — Automate in CI/CD
+
+**Pipeline integration**:
+
+```yaml
+# GitHub Actions example
+security-scan:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+    - run: npm ci
+    - run: npm audit --production --audit-level=high
+    - name: Run Trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: "fs"
+        severity: "HIGH,CRITICAL"
+```
+
+**Policy**:
+
+- Block PRs with critical/high vulnerabilities
+- Auto-create tickets for medium vulnerabilities
+- Dashboard for low-severity tracking
+- Weekly automated dependency update PRs (Dependabot, Renovate)
+
+### Step 5 — Generate SBOM
+
+**Software Bill of Materials** — inventory of all components:
+
+- Use CycloneDX or SPDX format
+- Generate on every release
+- Include in release artifacts
+- Required for many compliance frameworks
+
+**Command examples**:
+
+```bash
+# Node.js
+npx @cyclonedx/cyclonedx-npm --output-file sbom.json
+
+# Container
+trivy image --format cyclonedx myapp:latest > sbom.json
+```
+
+## Output Format
+
+```
+## Scan Results
+[vulnerability count by severity]
+
+## Critical/High Findings
+[CVE ID, package, severity, fix version, exploitability]
+
+## Remediation Plan
+[priority-ordered fixes with commands]
+
+## CI Configuration
+[automated scanning pipeline config]
+```
+
+## Examples
+
+**User**: "Audit our project dependencies for security vulnerabilities"
+
+**Response approach**: Run `npm audit` (or equivalent). List all vulnerabilities by severity. For each critical/high: explain the CVE, check if the vulnerable function is used, provide update command. Suggest adding to CI pipeline.
+
+**User**: "We have a critical CVE in a transitive dependency we can't update"
+
+**Response approach**: Check if the vulnerability is exploitable in context. Use npm overrides to force the patched version of the transitive dep. If not possible, check for alternative packages. Document the mitigation. Set up monitoring for a proper fix.

package/workflows/powers/web-perf/POWER.md

@@ -2,195 +2,68 @@
 ---
 inclusion: manual
 name: web-perf
-description: Analyzes web performance using Chrome DevTools MCP. Measures Core Web Vitals (FCP, LCP, TBT, CLS, Speed Index), identifies render-blocking resources, network dependency chains, layout shifts, caching issues, and accessibility gaps. Use when asked to audit, profile, debug, or optimize page load performance, Lighthouse scores, or site speed.
+description: "Use for measuring and improving web performance with Core Web Vitals, rendering-path analysis, bundle and network prioritization, and framework-aware delivery tradeoffs."
+license: MIT
+metadata:
+  author: cubis-foundry
+  version: "3.0"
+compatibility: Claude Code, Codex, GitHub Copilot
 ---
 
-# Web Performance Audit
+# Web Perf
 
-Audit web page performance using Chrome DevTools MCP tools. This skill focuses on Core Web Vitals, network optimization, and high-level accessibility gaps.
+## Purpose
 
-## FIRST: Verify MCP Tools Available
+Use for measuring and improving web performance with Core Web Vitals, rendering-path analysis, bundle and network prioritization, and framework-aware delivery tradeoffs.
 
-**Run this before starting.** Try calling `navigate_page` or `performance_start_trace`. If unavailable, STOP—the chrome-devtools MCP server isn't configured.
+## When to Use
 
-Ask the user to add this to their MCP config:
+- Auditing or improving Core Web Vitals and page-load behavior.
+- Investigating slow rendering, hydration cost, bundle growth, or network waterfalls.
+- Prioritizing frontend performance work by measured impact.
+- Reviewing whether framework choices are helping or hurting delivery performance.
 
-```json
-"chrome-devtools": {
-  "type": "local",
-  "command": ["npx", "-y", "chrome-devtools-mcp@latest"]
-}
-```
+## Instructions
 
-## Key Guidelines
+1. Measure first and identify the user-visible bottleneck.
+2. Separate document, network, bundle, render, and interaction causes.
+3. Fix the highest-impact path before touching low-value micro-optimizations.
+4. Verify the tradeoff does not regress accessibility, caching, or maintainability.
+5. Re-measure and report impact in concrete terms.
 
-- **Be assertive**: Verify claims by checking network requests, DOM, or codebase—then state findings definitively.
-- **Verify before recommending**: Confirm something is unused before suggesting removal.
-- **Quantify impact**: Use estimated savings from insights. Don't prioritize changes with 0ms impact.
-- **Skip non-issues**: If render-blocking resources have 0ms estimated impact, note but don't recommend action.
-- **Be specific**: Say "compress hero.png (450KB) to WebP" not "optimize images".
-- **Prioritize ruthlessly**: A site with 200ms LCP and 0 CLS is already excellent—say so.
+### Baseline standards
 
-## Quick Reference
+- Prioritize LCP, INP, and CLS with real bottleneck evidence.
+- Keep critical resources discoverable and cacheable.
+- Reduce hydration and JavaScript cost when server rendering can do the work.
+- Treat bundle size, network order, and rendering behavior as one system.
+- Prefer targeted fixes over generic “optimize everything” advice.
 
-| Task | Tool Call |
-|------|-----------|
-| Load page | `navigate_page(url: "...")` |
-| Start trace | `performance_start_trace(autoStop: true, reload: true)` |
-| Analyze insight | `performance_analyze_insight(insightSetId: "...", insightName: "...")` |
-| List requests | `list_network_requests(resourceTypes: ["Script", "Stylesheet", ...])` |
-| Request details | `get_network_request(reqid: <id>)` |
-| A11y snapshot | `take_snapshot(verbose: true)` |
+### Constraints
 
-## Workflow
+- Avoid recommending changes with no measured impact.
+- Avoid fixating on bundle size while ignoring render path or network ordering.
+- Avoid using performance tooling output without codebase context.
+- Avoid trading correctness or accessibility for tiny synthetic wins.
 
-Copy this checklist to track progress:
-
-```
-Audit Progress:
-- [ ] Phase 1: Performance trace (navigate + record)
-- [ ] Phase 2: Core Web Vitals analysis (includes CLS culprits)
-- [ ] Phase 3: Network analysis
-- [ ] Phase 4: Accessibility snapshot
-- [ ] Phase 5: Codebase analysis (skip if third-party site)
-```
-
-### Phase 1: Performance Trace
-
-1. Navigate to the target URL:
-   ```
-   navigate_page(url: "<target-url>")
-   ```
-
-2. Start a performance trace with reload to capture cold-load metrics:
-   ```
-   performance_start_trace(autoStop: true, reload: true)
-   ```
-
-3. Wait for trace completion, then retrieve results.
-
-**Troubleshooting:**
-- If trace returns empty or fails, verify the page loaded correctly with `navigate_page` first
-- If insight names don't match, inspect the trace response to list available insights
-
-### Phase 2: Core Web Vitals Analysis
-
-Use `performance_analyze_insight` to extract key metrics.
-
-**Note:** Insight names may vary across Chrome DevTools versions. If an insight name doesn't work, check the `insightSetId` from the trace response to discover available insights.
-
-Common insight names:
-
-| Metric | Insight Name | What to Look For |
-|--------|--------------|------------------|
-| LCP | `LCPBreakdown` | Time to largest contentful paint; breakdown of TTFB, resource load, render delay |
-| CLS | `CLSCulprits` | Elements causing layout shifts (images without dimensions, injected content, font swaps) |
-| Render Blocking | `RenderBlocking` | CSS/JS blocking first paint |
-| Document Latency | `DocumentLatency` | Server response time issues |
-| Network Dependencies | `NetworkRequestsDepGraph` | Request chains delaying critical resources |
-
-Example:
-```
-performance_analyze_insight(insightSetId: "<id-from-trace>", insightName: "LCPBreakdown")
-```
-
-**Key thresholds (good/needs-improvement/poor):**
-- TTFB: < 800ms / < 1.8s / > 1.8s
-- FCP: < 1.8s / < 3s / > 3s
-- LCP: < 2.5s / < 4s / > 4s
-- INP: < 200ms / < 500ms / > 500ms
-- TBT: < 200ms / < 600ms / > 600ms
-- CLS: < 0.1 / < 0.25 / > 0.25
-- Speed Index: < 3.4s / < 5.8s / > 5.8s
-
-### Phase 3: Network Analysis
-
-List all network requests to identify optimization opportunities:
-```
-list_network_requests(resourceTypes: ["Script", "Stylesheet", "Document", "Font", "Image"])
-```
-
-**Look for:**
-
-1. **Render-blocking resources**: JS/CSS in `<head>` without `async`/`defer`/`media` attributes
-2. **Network chains**: Resources discovered late because they depend on other resources loading first (e.g., CSS imports, JS-loaded fonts)
-3. **Missing preloads**: Critical resources (fonts, hero images, key scripts) not preloaded
-4. **Caching issues**: Missing or weak `Cache-Control`, `ETag`, or `Last-Modified` headers
-5. **Large payloads**: Uncompressed or oversized JS/CSS bundles
-6. **Unused preconnects**: If flagged, verify by checking if ANY requests went to that origin. If zero requests, it's definitively unused—recommend removal. If requests exist but loaded late, the preconnect may still be valuable.
-
-For detailed request info:
-```
-get_network_request(reqid: <id>)
-```
-
-### Phase 4: Accessibility Snapshot
-
-Take an accessibility tree snapshot:
-```
-take_snapshot(verbose: true)
-```
-
-**Flag high-level gaps:**
-- Missing or duplicate ARIA IDs
-- Elements with poor contrast ratios (check against WCAG AA: 4.5:1 for normal text, 3:1 for large text)
-- Focus traps or missing focus indicators
-- Interactive elements without accessible names
-
-## Phase 5: Codebase Analysis
-
-**Skip if auditing a third-party site without codebase access.**
-
-Analyze the codebase to understand where improvements can be made.
-
-### Detect Framework & Bundler
-
-Search for configuration files to identify the stack:
-
-| Tool | Config Files |
-|------|--------------|
-| Webpack | `webpack.config.js`, `webpack.*.js` |
-| Vite | `vite.config.js`, `vite.config.ts` |
-| Rollup | `rollup.config.js`, `rollup.config.mjs` |
-| esbuild | `esbuild.config.js`, build scripts with `esbuild` |
-| Parcel | `.parcelrc`, `package.json` (parcel field) |
-| Next.js | `next.config.js`, `next.config.mjs` |
-| Nuxt | `nuxt.config.js`, `nuxt.config.ts` |
-| SvelteKit | `svelte.config.js` |
-| Astro | `astro.config.mjs` |
-
-Also check `package.json` for framework dependencies and build scripts.
-
-### Tree-Shaking & Dead Code
-
-- **Webpack**: Check for `mode: 'production'`, `sideEffects` in package.json, `usedExports` optimization
-- **Vite/Rollup**: Tree-shaking enabled by default; check for `treeshake` options
-- **Look for**: Barrel files (`index.js` re-exports), large utility libraries imported wholesale (lodash, moment)
-
-### Unused JS/CSS
+## Output Format
 
-- Check for CSS-in-JS vs. static CSS extraction
-- Look for PurgeCSS/UnCSS configuration (Tailwind's `content` config)
-- Identify dynamic imports vs. eager loading
+Provide implementation guidance, code examples, and configuration as appropriate to the task.
 
-### Polyfills
+## References
 
-- Check for `@babel/preset-env` targets and `useBuiltIns` setting
-- Look for `core-js` imports (often oversized)
-- Check `browserslist` config for overly broad targeting
+Load on demand. Do not preload all reference files.
 
-### Compression & Minification
+| File | Load when |
+| --- | --- |
+| `references/core-web-vitals-triage.md` | You need a stronger playbook for CWV bottleneck isolation, bundle/network/render tradeoffs, and verification after a fix. |
 
-- Check for `terser`, `esbuild`, or `swc` minification
-- Look for gzip/brotli compression in build output or server config
-- Check for source maps in production builds (should be external or disabled)
+## Scripts
 
-## Output Format
+No helper scripts are required for this skill right now. Keep execution in `SKILL.md` and `references/` unless repeated automation becomes necessary.
 
-Present findings as:
+## Examples
 
-1. **Core Web Vitals Summary** - Table with metric, value, and rating (good/needs-improvement/poor)
-2. **Top Issues** - Prioritized list of problems with estimated impact (high/medium/low)
-3. **Recommendations** - Specific, actionable fixes with code snippets or config changes
-4. **Codebase Findings** - Framework/bundler detected, optimization opportunities (omit if no codebase access)
+- "Help me with web perf best practices in this project"
+- "Review my web perf implementation for issues"
 ````