@fenixforce/edition-pro 0.1.0

package/skills/builtin/eval-harness/SKILL.md

@@ -0,0 +1,197 @@
+# Eval Harness
+
+A formal evaluation framework for Claude Code sessions, implementing eval-driven development (EDD) principles.
+
+## When to Activate
+
+- Setting up eval-driven development (EDD) for AI-assisted workflows
+- Defining pass/fail criteria for Claude Code task completion
+- Measuring agent reliability with pass@k metrics
+- Creating regression test suites for prompt or agent changes
+- Benchmarking agent performance across model versions
+
+## Philosophy
+
+Eval-Driven Development treats evals as the "unit tests of AI development":
+- Define expected behavior BEFORE implementation
+- Run evals continuously during development
+- Track regressions with each change
+- Use pass@k metrics for reliability measurement
+
+## Eval Types
+
+### Capability Evals
+Test if Claude can do something it couldn't before:
+```markdown
+[CAPABILITY EVAL: feature-name]
+Task: Description of what Claude should accomplish
+Success Criteria:
+  - [ ] Criterion 1
+  - [ ] Criterion 2
+  - [ ] Criterion 3
+Expected Output: Description of expected result
+```
+
+### Regression Evals
+Ensure changes don't break existing functionality:
+```markdown
+[REGRESSION EVAL: feature-name]
+Baseline: SHA or checkpoint name
+Tests:
+  - existing-test-1: PASS/FAIL
+  - existing-test-2: PASS/FAIL
+  - existing-test-3: PASS/FAIL
+Result: X/Y passed (previously Y/Y)
+```
+
+## Grader Types
+
+### 1. Code-Based Grader
+Deterministic checks using code:
+```bash
+# Check if file contains expected pattern
+grep -q "export function handleAuth" src/auth.ts && echo "PASS" || echo "FAIL"
+
+# Check if tests pass
+npm test -- --testPathPattern="auth" && echo "PASS" || echo "FAIL"
+
+# Check if build succeeds
+npm run build && echo "PASS" || echo "FAIL"
+```
+
+### 2. Model-Based Grader
+Use Claude to evaluate open-ended outputs:
+```markdown
+[MODEL GRADER PROMPT]
+Evaluate the following code change:
+1. Does it solve the stated problem?
+2. Is it well-structured?
+3. Are edge cases handled?
+4. Is error handling appropriate?
+
+Score: 1-5 (1=poor, 5=excellent)
+Reasoning: [explanation]
+```
+
+### 3. Human Grader
+Flag for manual review:
+```markdown
+[HUMAN REVIEW REQUIRED]
+Change: Description of what changed
+Reason: Why human review is needed
+Risk Level: LOW/MEDIUM/HIGH
+```
+
+## Metrics
+
+### pass@k
+"At least one success in k attempts"
+- pass@1: First attempt success rate
+- pass@3: Success within 3 attempts
+- Typical target: pass@3 > 90%
+
+### pass^k
+"All k trials succeed"
+- Higher bar for reliability
+- pass^3: 3 consecutive successes
+- Use for critical paths
+
+## Eval Workflow
+
+### 1. Define (Before Coding)
+```markdown
+## EVAL DEFINITION: feature-xyz
+
+### Capability Evals
+1. Can create new user account
+2. Can validate email format
+3. Can hash password securely
+
+### Regression Evals
+1. Existing login still works
+2. Session management unchanged
+3. Logout flow intact
+
+### Success Metrics
+- pass@3 > 90% for capability evals
+- pass^3 = 100% for regression evals
+```
+
+### 2. Implement
+Write code to pass the defined evals.
+
+### 3. Evaluate
+```bash
+# Run capability evals
+[Run each capability eval, record PASS/FAIL]
+
+# Run regression evals
+npm test -- --testPathPattern="existing"
+
+# Generate report
+```
+
+### 4. Report
+```markdown
+EVAL REPORT: feature-xyz
+========================
+
+Capability Evals:
+  create-user:     PASS (pass@1)
+  validate-email:  PASS (pass@2)
+  hash-password:   PASS (pass@1)
+  Overall:         3/3 passed
+
+Regression Evals:
+  login-flow:      PASS
+  session-mgmt:    PASS
+  logout-flow:     PASS
+  Overall:         3/3 passed
+
+Metrics:
+  pass@1: 67% (2/3)
+  pass@3: 100% (3/3)
+
+Status: READY FOR REVIEW
+```
+
+## Integration Patterns
+
+### Pre-Implementation
+```
+/eval define feature-name
+```
+Creates eval definition file at `.claude/evals/feature-name.md`
+
+### During Implementation
+```
+/eval check feature-name
+```
+Runs current evals and reports status
+
+### Post-Implementation
+```
+/eval report feature-name
+```
+Generates full eval report
+
+## Eval Storage
+
+Store evals in project:
+```
+.claude/
+  evals/
+    feature-xyz.md      # Eval definition
+    feature-xyz.log     # Eval run history
+    baseline.json       # Regression baselines
+```
+
+## Best Practices
+
+1. **Define evals BEFORE coding** — Forces clear thinking about success criteria
+2. **Run evals frequently** — Catch regressions early
+3. **Track pass@k over time** — Monitor reliability trends
+4. **Use code graders when possible** — Deterministic > probabilistic
+5. **Human review for security** — Never fully automate security checks
+6. **Keep evals fast** — Slow evals don't get run
+7. **Version evals with code** — Evals are first-class artifacts

package/skills/builtin/evaluation-framework/SKILL.md

@@ -0,0 +1,51 @@
+---
+name: evaluation-framework
+description: "Use this skill when evaluating output quality, comparing approaches, scoring responses, or setting up quality benchmarks. Triggers: 'evaluate', 'assess', 'score', 'compare quality', 'judge', 'benchmark', 'quality check', or requests to measure how good an output is."
+license: MIT
+---
+
+# Evaluation Framework
+
+## What This Skill Does
+
+Evaluate LLM outputs and agent work products using structured rubrics. LLM-as-judge, pairwise comparison, and bias mitigation.
+
+## Rubric Dimensions
+
+| Dimension | 1 (Poor) | 3 (Adequate) | 5 (Excellent) |
+|-----------|----------|--------------|---------------|
+| Accuracy | Factual errors | Mostly correct | Completely correct |
+| Completeness | Missing major elements | Covers basics | Comprehensive |
+| Clarity | Confusing, unclear | Understandable | Clear and well-organized |
+| Relevance | Off-topic | Generally relevant | Precisely targeted |
+| Actionability | No clear next steps | Some guidance | Specific, implementable |
+
+## LLM-as-Judge Pattern
+
+```
+System: You are an expert evaluator. Score the following output on each dimension from 1-5.
+Provide your reasoning BEFORE your score to avoid anchoring.
+
+[Output to evaluate]
+
+Score each dimension:
+1. Accuracy: [reasoning] → [score]
+2. Completeness: [reasoning] → [score]
+3. Clarity: [reasoning] → [score]
+4. Relevance: [reasoning] → [score]
+5. Actionability: [reasoning] → [score]
+```
+
+## Bias Mitigation
+
+- **Position bias:** Randomize order when comparing options
+- **Length bias:** Longer responses aren't automatically better
+- **Self-enhancement:** Don't let the same model evaluate its own output
+- **Anchoring:** Generate reasoning before scores, not after
+
+## Rules
+
+- Define evaluation criteria BEFORE looking at outputs
+- Use blind comparison when comparing two approaches
+- Multiple evaluators are better than one (even if all are LLMs)
+- Document the evaluation methodology and reproduce it

package/skills/builtin/exploit-writer/SKILL.md

@@ -0,0 +1,63 @@
+# Exploit Writer
+
+## Purpose
+Transform confirmed primitives into reproducible proof-of-exploit artifacts and stepwise execution plans.
+
+## Inputs
+- `validated_primitive`
+- `target_context`
+- `environment_constraints`
+- `success_criteria`
+
+## Workflow
+### Phase 1: Objective and Boundaries
+1. Define exploit goal (data read, privilege gain, state change).
+2. Define explicit stop condition.
+3. Define prohibited actions and safety constraints.
+
+### Phase 2: Chain Design
+1. Break exploit into stages: setup, trigger, control gain, impact verification.
+2. Include fallback branches for unstable stages.
+
+### Phase 3: Procedure Authoring
+1. Write deterministic steps with required inputs.
+2. Include expected output per step.
+3. Include failure diagnostics per step.
+
+### Phase 4: Robustness Checks
+1. Re-run in fresh session/environment.
+2. Validate whether exploit is deterministic or probabilistic.
+3. Capture conditions that break reliability.
+
+### Phase 5: Reporting Package
+1. Provide concise replay instructions.
+2. Provide artifact index.
+3. Provide impact statement tied to observed behavior.
+
+## Exploit Procedure Template
+- Preconditions
+- Setup commands/actions
+- Trigger sequence
+- Verification checks
+- Cleanup and rollback
+- Failure troubleshooting
+
+## Output Contract
+```json
+{
+  "exploit_plan": [],
+  "stepwise_procedure": [],
+  "success_signals": [],
+  "failure_diagnostics": [],
+  "safety_notes": []
+}
+```
+
+## Constraints
+- Build only from validated primitives.
+- Do not fabricate impact or reliability.
+
+## Quality Checklist
+- [ ] Another tester can replay from instructions.
+- [ ] Preconditions are explicit.
+- [ ] Impact claim matches observed result.

package/skills/builtin/fact-checker/SKILL.md

@@ -0,0 +1,51 @@
+# Fact Checker
+
+## Rating Scale
+
+- **TRUE**: accurate, supported by reliable evidence
+- **MOSTLY TRUE**: accurate but missing important context
+- **MIXED**: contains both true and false elements
+- **MOSTLY FALSE**: misleading or largely inaccurate
+- **FALSE**: demonstrably wrong
+- **UNVERIFIABLE**: cannot be confirmed or denied
+
+## Verification Process
+
+1. **Extract the claim**: isolate the specific factual assertion, separate fact from opinion
+2. **Determine evidence needed**: what would prove/disprove this?
+3. **Evaluate evidence**: check authoritative sources, primary data, publication dates
+4. **Rate the claim**: assess accuracy, note confidence, explain reasoning
+5. **Provide context**: why it matters, common misconceptions, proper interpretation
+
+## Manipulation Patterns to Watch
+
+- **Cherry-picking**: selective data that supports a predetermined conclusion
+- **Context removal**: quotes taken out of context, missing qualifiers
+- **False equivalences**: treating unequal sources as equally valid
+- **Correlation as causation**: two things happen together therefore one caused the other
+- **Misleading scales**: graphs with truncated axes, inconsistent intervals
+
+## Output Format
+
+```markdown
+## Claim
+[Exact statement being verified]
+
+## Verdict: [RATING]
+
+## Analysis
+[Why this rating. Evidence for and against.]
+
+## Correct Information
+[If claim is false, what's actually true]
+
+## Sources
+[Numbered with credibility notes]
+```
+
+## Rules
+
+- Always search for counter-evidence, not just confirming evidence
+- Rate the claim, not the person making it
+- "UNVERIFIABLE" is a valid and honest answer
+- Never present absence of evidence as evidence of absence

package/skills/builtin/filesystem-context/SKILL.md

@@ -0,0 +1,47 @@
+---
+name: filesystem-context
+description: "Use this skill for long-running tasks, multi-session work, or any task where context might be lost. Triggers: 'long task', 'context limit', 'multi-session', 'persist', 'remember across sessions', 'pick up where I left off', or any task spanning multiple context windows."
+license: MIT
+---
+
+# Filesystem Context
+
+## What This Skill Does
+
+Use the filesystem as extended agent memory. Persist state, decisions, and progress across context windows and sessions.
+
+## Directory Convention
+
+```
+workspace/
+├── session-state.md    # Current task, progress, what to do next
+├── decisions.md        # Decisions made and their rationale
+├── open-questions.md   # Unresolved questions needing answers
+└── scratchpad.md       # Rough notes, temporary data
+```
+
+## Session Start (Orient)
+
+```
+1. Read session-state.md → understand current task and progress
+2. Read decisions.md → recall prior decisions (don't re-decide)
+3. Read open-questions.md → identify what needs resolution
+4. Resume work from where it left off
+```
+
+## Session End (Persist)
+
+```
+1. Update session-state.md with current progress
+2. Add any new decisions to decisions.md
+3. Update open-questions.md (add new, mark resolved)
+4. Clear scratchpad of obsolete notes
+```
+
+## Rules
+
+- Always read state files at session start before doing anything
+- Always update state files before session ends
+- Decisions are permanent. Once recorded, don't re-debate without new information.
+- Keep session-state.md under 50 lines (summary, not transcript)
+- Use scratchpad.md for temporary reasoning (can be deleted).

package/skills/builtin/financial-coach/SKILL.md

@@ -0,0 +1,18 @@
+# Financial Coach
+## Multi-Agent Pipeline
+1. **Data Analyzer**: parse financial documents (CSV, statements), compute metrics
+2. **Risk Assessor**: evaluate risk tolerance, current exposure, concentration
+3. **Recommendation Generator**: actionable advice grounded in analyzed data
+
+## Visualization Output
+Generate Plotly chart specifications for:
+- Income vs expenses over time (line chart)
+- Expense breakdown (donut chart)
+- Net worth trajectory (area chart)
+- Debt payoff projections (stacked bar)
+
+## Rules
+- Every recommendation must reference specific data from the analysis
+- Include both optimistic and conservative projections
+- Note: informational guidance, not professional financial advice
+- Never recommend specific securities or funds.

package/skills/builtin/finding-chain-correlator/SKILL.md

@@ -0,0 +1,70 @@
+# Finding Chain Correlator
+
+## Purpose
+Reveal compounding risk that isolated findings understate.
+
+## Inputs
+- `finding_set`
+- `application_context`
+- `auth_model`
+- `data_sensitivity_map`
+
+## Workflow
+### Phase 1: Normalization
+1. Standardize findings into capability statements.
+2. Extract prerequisites, required role, and affected assets.
+
+### Phase 2: Link Construction
+1. Connect findings where output of one enables next.
+2. Identify dependency order and branching options.
+3. Reject links lacking technical preconditions.
+
+### Phase 3: Chain Validation
+1. Validate each step is feasible in target context.
+2. Validate session and state transitions between steps.
+3. Validate operational reliability of full chain.
+
+### Phase 4: Impact Aggregation
+1. Evaluate confidentiality, integrity, and availability impact.
+2. Estimate blast radius and tenant crossover risk.
+3. Rank by attacker effort vs outcome.
+
+### Phase 5: Defensive Breakpoints
+1. Identify minimal controls that break the chain.
+2. Prioritize controls by implementation cost and risk reduction.
+
+## Chain Scoring Factors
+- prerequisite complexity
+- execution reliability
+- privilege needed
+- detectability
+- business impact
+
+## Output Contract
+```json
+{
+  "attack_chains": [],
+  "prerequisite_graph": [],
+  "aggregate_impact": [],
+  "defensive_breakpoints": [],
+  "priority_order": []
+}
+```
+
+## Constraints
+- No speculative chain links.
+- No additive severity without chain feasibility.
+
+## Quality Checklist
+- [ ] Every link has evidence.
+- [ ] Chain order is technically valid.
+- [ ] Defensive breakpoints are practical.
+
+## Conditional Decision Matrix
+| Condition | Action | Evidence Requirement |
+|---|---|---|
+| Finding signal unstable | downgrade confidence and add retest plan | repeated run variance log |
+| Chain link missing prerequisite | split chain and mark dependency blocker | prerequisite graph |
+| Impact appears low in isolation | evaluate chain amplification paths | chain-level impact narrative |
+| Mitigation claim is partial | verify alternate path and state variants | mitigation bypass check |
+| Environment blocker dominates | classify inconclusive with unblock requests | blocker evidence |

package/skills/builtin/finding-verifier/SKILL.md

@@ -0,0 +1,65 @@
+# Finding Verifier
+
+## Purpose
+Ensure reported findings are accurate, reproducible, and correctly classified.
+
+## Inputs
+- `finding_report`
+- `evidence_bundle`
+- `environment_notes`
+
+## Verification Workflow
+### Phase 1: Evidence Integrity
+1. Verify artifact completeness and timestamps.
+2. Verify request-response pairing and context consistency.
+
+### Phase 2: Independent Replay
+1. Reproduce with original method.
+2. Reproduce with alternate method when possible.
+3. Compare behavior consistency.
+
+### Phase 3: Confounder Analysis
+1. Caching and stale session effects.
+2. Timing and infrastructure noise.
+3. Seed-data drift and race artifacts.
+
+### Phase 4: Final Status
+1. `confirmed` if replayable with clear impact.
+2. `disputed` if strong counter-evidence exists.
+3. `inconclusive` if unresolved blockers remain.
+
+## Acceptance Criteria by Class
+| Class | Confirmed Requires |
+|---|---|
+| Injection | parser/engine effect + attacker control |
+| XSS | controlled script execution in target context |
+| Authz | unauthorized action/object access proven |
+| SSRF | outbound request influence or protected target reach |
+
+## Output Contract
+```json
+{
+  "verification_status": [],
+  "replay_results": [],
+  "confounder_notes": [],
+  "required_follow_up": []
+}
+```
+
+## Constraints
+- Do not confirm from single unstable run.
+- Do not dispute on intuition alone.
+
+## Quality Checklist
+- [ ] Independent replay attempted.
+- [ ] Confounders addressed.
+- [ ] Status rationale is explicit.
+
+## Conditional Decision Matrix
+| Condition | Action | Evidence Requirement |
+|---|---|---|
+| Finding signal unstable | downgrade confidence and add retest plan | repeated run variance log |
+| Chain link missing prerequisite | split chain and mark dependency blocker | prerequisite graph |
+| Impact appears low in isolation | evaluate chain amplification paths | chain-level impact narrative |
+| Mitigation claim is partial | verify alternate path and state variants | mitigation bypass check |
+| Environment blocker dominates | classify inconclusive with unblock requests | blocker evidence |

package/skills/builtin/frontend-design/SKILL.md

@@ -0,0 +1,104 @@
+---
+name: frontend-design
+description: "Use this skill when the user asks to build a website, web page, landing page, web UI, HTML/CSS/JS project, or any browser-based interface. Triggers: 'build me a website', 'create a landing page', 'make a web app', 'HTML page', 'frontend', 'web UI', 'responsive layout', 'CSS', styling tasks, accessibility fixes, or any request to create something that runs in a browser. Covers HTML, CSS, JavaScript, responsive design, accessibility, and modern web standards."
+license: MIT
+---
+
+# Frontend Design
+
+## What This Skill Does
+
+Build complete, production-quality web interfaces. HTML, CSS, JavaScript. Responsive layouts, accessibility, modern patterns. From single landing pages to multi-page sites.
+
+## Before You Start
+
+1. **Fetch current docs** via Context7 if using any CSS framework (Tailwind, Bootstrap) or JS library
+2. **Check DeepWiki** if integrating with an unfamiliar frontend framework or build tool
+3. **Ask the user** about target browsers, mobile requirements, and any existing design system
+
+## HTML Standards
+
+Write semantic HTML5. Every page needs:
+
+```html
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <meta name="description" content="Page description for SEO">
+  <title>Page Title</title>
+</head>
+<body>
+  <header>...</header>
+  <nav>...</nav>
+  <main>...</main>
+  <footer>...</footer>
+</body>
+</html>
+```
+
+Semantic elements over divs: `<header>`, `<nav>`, `<main>`, `<section>`, `<article>`, `<aside>`, `<footer>`. Use `<div>` only when no semantic element fits.
+
+## CSS Patterns
+
+### Layout (use modern CSS)
+- **Flexbox** for one-dimensional layouts (navbars, card rows, centering)
+- **CSS Grid** for two-dimensional layouts (page layouts, dashboards, galleries)
+- **Container queries** for component-level responsiveness
+- Never use floats for layout
+
+### Responsive Design
+```css
+/* Mobile-first breakpoints */
+/* Base styles = mobile */
+@media (min-width: 768px)  { /* Tablet */ }
+@media (min-width: 1024px) { /* Desktop */ }
+@media (min-width: 1440px) { /* Large desktop */ }
+```
+
+Use `clamp()` for fluid typography: `font-size: clamp(1rem, 2.5vw, 2rem);`
+
+### CSS Variables for Theming
+```css
+:root {
+  --color-primary: #2563eb;
+  --color-surface: #ffffff;
+  --color-text: #1a1a2e;
+  --radius: 8px;
+  --shadow: 0 2px 8px rgba(0,0,0,0.08);
+  --transition: 200ms ease;
+}
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    --color-surface: #0f0f1a;
+    --color-text: #e2e2e8;
+  }
+}
+```
+
+## Accessibility Checklist
+
+- All images have `alt` text (decorative images get `alt=""`)
+- All interactive elements are keyboard-accessible (Tab, Enter, Escape)
+- Color contrast ratio meets WCAG AA (4.5:1 for text, 3:1 for large text)
+- Form inputs have associated `<label>` elements
+- Page has a single `<h1>` and heading hierarchy doesn't skip levels
+- Focus states are visible (never `outline: none` without a replacement)
+- ARIA attributes used correctly: `aria-label`, `aria-expanded`, `aria-hidden`
+
+## Performance
+
+- Images: use `loading="lazy"`, provide `width` and `height`, use modern formats (WebP, AVIF)
+- Fonts: `font-display: swap`, preload critical fonts, limit to 2 families max
+- CSS: critical styles inline in `<head>`, rest loaded async
+- JS: `defer` attribute on scripts, avoid render-blocking
+
+## Rules
+
+- Design for the most common use case, accommodate edge cases
+- Every interactive element needs: default, hover, active, focus, disabled states
+- Error messages must tell the user what went wrong AND how to fix it
+- Test with real content, not lorem ipsum
+- Mobile-first: write base styles for mobile, enhance for larger screens