@fenixforce/edition-pro 0.1.0

package/skills/builtin/web-assessment-executor/SKILL.md

@@ -0,0 +1,66 @@
+# Web Assessment Executor
+
+## Purpose
+Run assigned web tests without scope drift while preserving strong proof quality.
+
+## Inputs
+- `target_url`
+- `test_cases`
+- `auth_context`
+- `scope_constraints`
+- `runtime_limits`
+
+## Execution Policy
+- Complete one test case end-to-end before moving on.
+- Use browser automation for stateful UX flows.
+- Use HTTP tooling for deterministic replay.
+- Keep payload variants bounded and logged.
+
+## Workflow
+### Phase 1: Session and Baseline
+1. Validate authentication and role.
+2. Capture normal behavior baseline for target action.
+3. Define success and failure signal for the case.
+
+### Phase 2: Case Execution
+1. Run base payload.
+2. Run controlled payload variants.
+3. Capture request context and response deltas.
+
+### Phase 3: Escalation
+1. If vulnerable signal appears, escalate toward measurable impact.
+2. If blocked by filter, pivot to bypass testing.
+3. If no signal after bounded variants, classify negative.
+
+### Phase 4: Evidence Packaging
+1. Include replay steps, payloads, and artifacts.
+2. Map evidence to case ID and vulnerability type.
+3. Store explicit rationale for verdict.
+
+## Minimum Variant Policy
+| Vulnerability Type | Minimum Variants |
+|---|---|
+| XSS | context-aware payloads across HTML/attr/JS contexts |
+| SQLi | boolean, error, and time-control checks |
+| IDOR | object ID and role/tenant permutations |
+| CSRF/workflow | token, sequence, and method variations |
+
+## Output Contract
+```json
+{
+  "executed_cases": [],
+  "confirmed_findings": [],
+  "negative_cases": [],
+  "blocked_cases": [],
+  "evidence_index": []
+}
+```
+
+## Constraints
+- Do not invent unrelated tests.
+- Do not claim exploitation without execution proof.
+
+## Quality Checklist
+- [ ] Every case has terminal status.
+- [ ] Variant set is sufficient and bounded.
+- [ ] Confirmed findings are replayable.

package/skills/builtin/web-exploit-prover/SKILL.md

@@ -0,0 +1,58 @@
+# Web Exploit Prover
+
+## Purpose
+Convert initial web vulnerability leads into high-confidence exploit outcomes.
+
+## Inputs
+- `initial_findings`
+- `target_context`
+- `auth_and_role_data`
+- `environment_constraints`
+
+## Evidence Levels
+- `L1`: suspicious behavior only
+- `L2`: exploit primitive observed
+- `L3`: code path executed in attacker-controlled way
+- `L4`: business impact demonstrated
+
+## Workflow
+### Phase 1: Independent Reproduction
+1. Reproduce lead with alternate technique.
+2. Validate preconditions and dependencies.
+3. Confirm baseline-control difference.
+
+### Phase 2: Impact Demonstration
+1. Move from primitive to measurable impact.
+2. Demonstrate confidentiality, integrity, or authorization breach.
+3. Capture minimal proof with clear stop condition.
+
+### Phase 3: Robustness Testing
+1. Re-test across fresh session and role context.
+2. Re-test with slight payload and transport changes.
+3. Downgrade confidence on instability.
+
+### Phase 4: Final Classification
+1. `confirmed` when L3+ is reproducible.
+2. `plausible` when primitive exists but impact blocked.
+3. `disputed` when mitigation is proven.
+4. `inconclusive` when environmental blockers remain.
+
+## Output Contract
+```json
+{
+  "confirmed_exploits": [],
+  "plausible_findings": [],
+  "disputed_findings": [],
+  "inconclusive_findings": [],
+  "impact_evidence": []
+}
+```
+
+## Constraints
+- No severity inflation from weak indicators.
+- Distinguish security mitigation from test-environment failure.
+
+## Quality Checklist
+- [ ] Impact, not just signal, is demonstrated.
+- [ ] Confirmation uses independent method.
+- [ ] Confidence aligns with stability.

package/skills/builtin/web-scraping/SKILL.md

@@ -0,0 +1,63 @@
+---
+name: web-scraping
+description: "Use this skill when the user asks to extract data from websites, scrape web pages, build content pipelines, or automate data collection from the web. Triggers: 'scrape', 'extract from website', 'web data', 'crawl', 'parse HTML', or requests to programmatically collect information from web pages."
+license: MIT
+---
+
+# Web Scraping
+
+## What This Skill Does
+
+Extract structured data from web pages. HTML parsing, content extraction, batch scraping, anti-detection, and data pipeline construction.
+
+## Approaches
+
+| Method | When to Use |
+|--------|-------------|
+| fetch + HTML parser | Simple pages, no JS rendering needed |
+| Playwright/Puppeteer | JS-rendered content, SPAs, interactive pages |
+| API first | Always check if the site has an API before scraping |
+| Scrapling MCP | Batch scraping with anti-bot bypass (Fenix integration) |
+
+## Basic Scraping
+
+```typescript
+import * as cheerio from "cheerio";
+
+const html = await fetch(url).then(r => r.text());
+const $ = cheerio.load(html);
+
+const items = $(".product-card").map((_, el) => ({
+  title: $(el).find("h2").text().trim(),
+  price: $(el).find(".price").text().trim(),
+  link: $(el).find("a").attr("href"),
+})).get();
+```
+
+## Rules
+
+- Check robots.txt and terms of service before scraping
+- Rate limit requests (1-2 seconds between requests minimum)
+- Set a proper User-Agent header
+- Handle pagination and infinite scroll
+- Store raw HTML alongside extracted data (for debugging)
+- Validate extracted data (check for empty fields, unexpected formats)
+- Build resilient selectors (prefer data attributes over CSS classes)
+
+## Structured Scraping with Typed Output
+
+Define the output schema before scraping:
+```typescript
+interface ScrapedProduct {
+  title: string;
+  price: number;
+  currency: string;
+  description: string;
+  imageUrl: string;
+  availability: "in_stock" | "out_of_stock" | "pre_order";
+}
+```
+
+Validate every scraped item against the schema. Log items that fail validation rather than silently dropping fields.
+
+Firecrawl integration: use Firecrawl MCP for sites that require JavaScript rendering and anti-bot bypass. Fall back to cheerio for simple HTML pages.

package/skills/builtin/webapp-testing/SKILL.md

@@ -0,0 +1,86 @@
+---
+name: webapp-testing
+description: "Use this skill when writing end-to-end tests, browser automation, visual regression tests, or accessibility tests for web applications. Triggers: 'E2E test', 'Playwright', 'end-to-end', 'browser test', 'visual regression', 'accessibility test', 'integration test', or requests to verify web application behavior from the user's perspective."
+license: MIT
+---
+
+# Web Application Testing
+
+## What This Skill Does
+
+End-to-end testing with Playwright. Browser automation, visual regression, accessibility testing, and cross-browser verification.
+
+## Before You Start
+
+**Context7:** Fetch Playwright docs before writing tests. The API evolves.
+
+## Test Structure
+
+```typescript
+import { test, expect } from "@playwright/test";
+
+test.describe("Authentication", () => {
+  test("user can register and login", async ({ page }) => {
+    await page.goto("/register");
+    await page.fill('[name="email"]', "test@example.com");
+    await page.fill('[name="password"]', "SecurePass123!");
+    await page.click('button[type="submit"]');
+
+    await expect(page).toHaveURL("/dashboard");
+    await expect(page.locator("h1")).toContainText("Welcome");
+  });
+
+  test("shows error for invalid credentials", async ({ page }) => {
+    await page.goto("/login");
+    await page.fill('[name="email"]', "wrong@example.com");
+    await page.fill('[name="password"]', "wrong");
+    await page.click('button[type="submit"]');
+
+    await expect(page.locator(".error")).toContainText("Invalid credentials");
+    await expect(page).toHaveURL("/login");
+  });
+});
+```
+
+## Playwright Config
+
+```typescript
+import { defineConfig } from "@playwright/test";
+
+export default defineConfig({
+  testDir: "./tests/e2e",
+  timeout: 30_000,
+  retries: 2,
+  use: {
+    baseURL: "http://localhost:3000",
+    screenshot: "only-on-failure",
+    trace: "on-first-retry",
+  },
+  webServer: {
+    command: "bun run dev",
+    port: 3000,
+    reuseExistingServer: !process.env.CI,
+  },
+});
+```
+
+## What to Test E2E
+
+- Critical user journeys (registration, login, core feature, payment)
+- Cross-browser (Chromium, Firefox, WebKit)
+- Mobile viewports
+- Error states and edge cases
+
+## What NOT to Test E2E
+
+- Unit-testable logic (calculations, transformations)
+- API responses (use API tests)
+- Every possible input combination (use unit tests)
+
+## Rules
+
+- Use data-testid attributes for selectors (stable across CSS changes)
+- Each test must be independent (own setup, own teardown)
+- Tests must run in CI and locally
+- Screenshot on failure for debugging
+- Keep E2E test count small (10-30 for most apps). Pyramid: many unit, some integration, few E2E.

package/skills/builtin/webhook-development/SKILL.md

@@ -0,0 +1,62 @@
+---
+name: webhook-development
+description: "Use this skill when building webhook endpoints, processing webhook events, implementing retry logic, or verifying webhook signatures. Triggers: 'webhook', 'callback URL', 'event notification', 'webhook handler', 'signature verification', or requests to receive events from external services."
+license: MIT
+---
+
+# Webhook Development
+
+## What This Skill Does
+
+Build reliable webhook endpoints. Receive events from external services, verify authenticity, process idempotently, and handle failures.
+
+## Webhook Handler Pattern
+
+```typescript
+app.post("/webhooks/:provider", async (c) => {
+  const provider = c.req.param("provider");
+  const signature = c.req.header("x-signature-256");
+  const body = await c.req.text();
+
+  // 1. Verify signature
+  if (!verifySignature(body, signature, secrets[provider])) {
+    return c.json({ error: "Invalid signature" }, 401);
+  }
+
+  // 2. Parse event
+  const event = JSON.parse(body);
+
+  // 3. Idempotency check
+  const eventId = event.id || c.req.header("x-event-id");
+  if (await isProcessed(eventId)) {
+    return c.json({ status: "already_processed" }, 200);
+  }
+
+  // 4. Queue for async processing
+  await queue.add("webhook", { provider, event, eventId });
+
+  // 5. Respond immediately (don't process inline)
+  return c.json({ status: "accepted" }, 202);
+});
+```
+
+## Signature Verification
+
+```typescript
+import { createHmac, timingSafeEqual } from "crypto";
+
+function verifySignature(body: string, signature: string, secret: string): boolean {
+  const expected = createHmac("sha256", secret).update(body).digest("hex");
+  const sig = signature.replace("sha256=", "");
+  return timingSafeEqual(Buffer.from(sig), Buffer.from(expected));
+}
+```
+
+## Rules
+
+- Always verify webhook signatures (never trust unverified events)
+- Always respond with 200/202 within 5 seconds (process async)
+- Always implement idempotency (webhooks can be delivered multiple times)
+- Use timing-safe comparison for signatures (prevent timing attacks)
+- Log every received webhook with event type and processing result
+- Store raw webhook payloads for debugging and replay

package/skills/builtin/writing-skills/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: writing-skills
+description: "Use this skill when creating new skills for the agent, evaluating skill quality, or improving existing skills. Triggers: 'create a skill', 'write a skill', 'new skill', 'skill template', 'improve this skill', or any meta-work on the skill system itself."
+license: MIT
+---
+
+# Writing Skills (Meta-Skill)
+
+## What This Skill Does
+
+Create, evaluate, and improve agent skills. TDD for skill authoring: test that the skill changes agent behavior before shipping.
+
+## Skill File Structure
+
+```
+skill-name/
+├── SKILL.md           # Primary skill document
+├── skill.yaml         # Optional: Fenix-native metadata (triggers, owns, handoffs)
+└── references/        # Optional: deep-dive docs loaded on demand
+    ├── patterns.md
+    └── examples.md
+```
+
+## SKILL.md Template
+
+```markdown
+---
+name: skill-name
+description: "Aggressive trigger description. Claude undertriggers skills, so write descriptions that activate on any related query. Include specific trigger words."
+license: MIT
+---
+
+# Skill Title
+
+## What This Skill Does
+One paragraph. What capability does the agent gain?
+
+## When to Activate
+Bullet list of trigger conditions.
+
+## [Core Content]
+The actual knowledge, patterns, and procedures.
+
+## Rules
+Non-negotiable constraints.
+
+## Verification
+How to confirm the skill worked correctly.
+
+## Integration with Other Skills
+Cross-references to complementary skills.
+```
+
+## Testing a Skill
+
+1. Write 5 test prompts that SHOULD trigger the skill
+2. Write 3 test prompts that should NOT trigger the skill
+3. Run each through the agent
+4. Verify: correct triggers fire, incorrect triggers don't, output quality improves
+
+## Rules
+
+- Description field is the most important part (it's the activation mechanism)
+- Write descriptions aggressively. Better to overtrigger than undertrigger.
+- Every skill must have a verification section
+- Skills should be self-contained (readable without loading other skills)
+- Test with real prompts before shipping

package/skills/builtin/xlsx-generation/SKILL.md

@@ -0,0 +1,116 @@
+---
+name: xlsx-generation
+description: "Use this skill when the user asks to create or edit Excel spreadsheets (.xlsx). Triggers: 'spreadsheet', 'Excel', '.xlsx', '.csv', 'data table', 'pivot table', 'chart', 'formulas', or requests for tabular data with calculations and formatting."
+license: MIT
+---
+
+# XLSX Generation
+
+## What This Skill Does
+
+Create and edit Excel spreadsheets using the `exceljs` npm package (MIT, pure JavaScript, runs on Bun).
+
+## Dependencies
+
+```bash
+bun add exceljs
+```
+
+## Creation
+
+```typescript
+import ExcelJS from "exceljs";
+
+const workbook = new ExcelJS.Workbook();
+workbook.creator = "Fenix Agent";
+workbook.created = new Date();
+
+const sheet = workbook.addWorksheet("Data");
+
+// Define columns
+sheet.columns = [
+  { header: "Name", key: "name", width: 25 },
+  { header: "Email", key: "email", width: 30 },
+  { header: "Amount", key: "amount", width: 15 },
+  { header: "Date", key: "date", width: 15 },
+];
+
+// Add rows
+sheet.addRows([
+  { name: "Alice", email: "alice@example.com", amount: 1500, date: new Date("2025-01-15") },
+  { name: "Bob", email: "bob@example.com", amount: 2300, date: new Date("2025-02-20") },
+  { name: "Carol", email: "carol@example.com", amount: 980, date: new Date("2025-03-10") },
+]);
+
+// Style header row
+const headerRow = sheet.getRow(1);
+headerRow.font = { bold: true, color: { argb: "FFFFFFFF" } };
+headerRow.fill = { type: "pattern", pattern: "solid", fgColor: { argb: "FF2563EB" } };
+headerRow.alignment = { vertical: "middle", horizontal: "center" };
+
+// Format amount column as currency
+sheet.getColumn("amount").numFmt = "$#,##0.00";
+
+// Format date column
+sheet.getColumn("date").numFmt = "yyyy-mm-dd";
+
+// Add formula for total
+const lastRow = sheet.rowCount;
+const totalRow = sheet.addRow({ name: "TOTAL" });
+totalRow.getCell("amount").value = { formula: `SUM(C2:C${lastRow})` };
+totalRow.font = { bold: true };
+
+// Freeze header row
+sheet.views = [{ state: "frozen", ySplit: 1 }];
+
+// Auto-filter
+sheet.autoFilter = { from: "A1", to: `D${lastRow}` };
+
+// Conditional formatting (highlight amounts over 2000)
+sheet.addConditionalFormatting({
+  ref: `C2:C${lastRow}`,
+  rules: [{
+    type: "cellIs",
+    operator: "greaterThan",
+    formulae: [2000],
+    style: { fill: { type: "pattern", pattern: "solid", bgColor: { argb: "FF22C55E" } } },
+  }],
+});
+
+// Write file
+await workbook.xlsx.writeFile("output.xlsx");
+// Or get buffer: const buffer = await workbook.xlsx.writeBuffer();
+```
+
+## Reading Existing .xlsx
+
+```typescript
+const workbook = new ExcelJS.Workbook();
+await workbook.xlsx.readFile("input.xlsx");
+
+const sheet = workbook.getWorksheet("Sheet1");
+sheet.eachRow((row, rowNumber) => {
+  console.log(`Row ${rowNumber}:`, row.values);
+});
+```
+
+## Reading CSV
+
+```typescript
+const workbook = new ExcelJS.Workbook();
+const sheet = await workbook.csv.readFile("input.csv");
+```
+
+## Charts
+
+ExcelJS has limited chart support. For charts, create the data in ExcelJS, then add charts by manipulating the underlying XML with `adm-zip`, or recommend the user opens in Excel/Sheets for chart creation.
+
+## Rules
+
+- Use `exceljs` for creation and editing (pure JS, Bun-compatible)
+- Always freeze the header row
+- Always format numbers with appropriate decimal places
+- Include totals/summaries for numeric columns
+- Use auto-filter on data tables
+- Test output opens in Excel or LibreOffice Calc
+- All packages are MIT licensed, no Python required