@funara/wevr 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (74) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +397 -0
  3. package/bin/wevr.js +4 -0
  4. package/package.json +48 -0
  5. package/src/cli/commands/doctor.js +137 -0
  6. package/src/cli/commands/init.js +156 -0
  7. package/src/cli/commands/launch.js +122 -0
  8. package/src/cli/commands/theme.js +67 -0
  9. package/src/cli/commands/theme.test.js +28 -0
  10. package/src/cli/commands/uninstall.js +103 -0
  11. package/src/cli/commands/update.js +9 -0
  12. package/src/cli/index.js +63 -0
  13. package/src/cli/wizard/selectModelTier.js +40 -0
  14. package/src/core/agentPromptWriter.js +45 -0
  15. package/src/core/agentPromptWriter.test.js +56 -0
  16. package/src/core/backup.js +46 -0
  17. package/src/core/backup.test.js +51 -0
  18. package/src/core/commandsWriter.js +26 -0
  19. package/src/core/commandsWriter.test.js +29 -0
  20. package/src/core/configBuilder.js +32 -0
  21. package/src/core/configBuilder.test.js +93 -0
  22. package/src/core/configWriter.js +10 -0
  23. package/src/core/configWriter.test.js +26 -0
  24. package/src/core/identityHeader.js +8 -0
  25. package/src/core/identityHeader.test.js +15 -0
  26. package/src/core/paths.js +13 -0
  27. package/src/core/paths.test.js +33 -0
  28. package/src/core/pluginWriter.js +29 -0
  29. package/src/core/pluginWriter.test.js +41 -0
  30. package/src/core/skillsWriter.js +13 -0
  31. package/src/core/skillsWriter.test.js +30 -0
  32. package/src/core/themeWriter.js +26 -0
  33. package/src/core/themeWriter.test.js +29 -0
  34. package/src/core/tuiConfigWriter.js +22 -0
  35. package/src/core/tuiConfigWriter.test.js +38 -0
  36. package/src/core/version.js +8 -0
  37. package/src/core/versionCheck.js +44 -0
  38. package/src/core/versionCheck.test.js +34 -0
  39. package/src/plugins/README.md +57 -0
  40. package/src/plugins/wevr-flow.js +137 -0
  41. package/src/plugins/wevr-squeeze.js +3630 -0
  42. package/src/templates/agent-prompts/analyze.txt +43 -0
  43. package/src/templates/agent-prompts/builder.txt +10 -0
  44. package/src/templates/agent-prompts/compose.txt +45 -0
  45. package/src/templates/agent-prompts/debug.txt +43 -0
  46. package/src/templates/agent-prompts/explorer.txt +10 -0
  47. package/src/templates/agent-prompts/hierarchy.txt +95 -0
  48. package/src/templates/agent-prompts/reporter.txt +10 -0
  49. package/src/templates/agent-prompts/verifier.txt +10 -0
  50. package/src/templates/commands/squeeze-dashboard.md +5 -0
  51. package/src/templates/commands/squeeze-health.md +10 -0
  52. package/src/templates/commands/squeeze-quick.md +10 -0
  53. package/src/templates/model-defaults.json +59 -0
  54. package/src/templates/opencode.config.json +243 -0
  55. package/src/templates/skills/brooks-lint-rca/SKILL.md +48 -0
  56. package/src/templates/skills/codebase-fact-finding/SKILL.md +39 -0
  57. package/src/templates/skills/diff-review/SKILL.md +42 -0
  58. package/src/templates/skills/general-coding/SKILL.md +43 -0
  59. package/src/templates/skills/minimal-fixing/SKILL.md +25 -0
  60. package/src/templates/skills/plan-checking/SKILL.md +33 -0
  61. package/src/templates/skills/ponytail-patching/SKILL.md +20 -0
  62. package/src/templates/skills/prd-formatting/SKILL.md +45 -0
  63. package/src/templates/skills/refactoring-patterns/SKILL.md +37 -0
  64. package/src/templates/skills/security-auditing/SKILL.md +35 -0
  65. package/src/templates/skills/security-remediation/SKILL.md +37 -0
  66. package/src/templates/skills/summary-reporting/SKILL.md +83 -0
  67. package/src/templates/skills/test-assurance/SKILL.md +44 -0
  68. package/src/templates/skills/test-mocking-strategy/SKILL.md +18 -0
  69. package/src/templates/skills/ui-design-audit/SKILL.md +23 -0
  70. package/src/templates/skills/ui-design-system/SKILL.md +37 -0
  71. package/src/templates/skills/wstg-recon/SKILL.md +33 -0
  72. package/src/templates/themes/wevr-colorful.json +241 -0
  73. package/src/templates/themes/wevr-dark.json +177 -0
  74. package/src/templates/themes/wevr-light.json +241 -0
@@ -0,0 +1,39 @@
1
+ ---
2
+ name: codebase-fact-finding
3
+ description: Perform initial codebase exploration, fact-finding, and precedent checks before designing requirements or writing code. Use when asked to research technical context or precedents.
4
+ ---
5
+
6
+ # Codebase Fact-Finding & Precedent Check
7
+
8
+ ## Core Principles
9
+
10
+ - **Fail Fast**: If a recommended library or API is not verified as available or compatible in the codebase, flag it immediately. Never assume availability.
11
+ - **Principle of Least Astonishment**: Prioritize patterns that already exist in the codebase over introducing new ones. Choose the most predictable solutions.
12
+ - **DRY (Don't Repeat Yourself)**: Before researching a solution, check if a precedent already exists in the codebase.
13
+ - **Source Verification**: Explicitly distinguish between "confirmed from codebase/docs" (with exact source citation) and "inferred/recommended" (with rationale).
14
+
15
+ ## Mandatory Output Schema
16
+ You must output exactly these four sections, even if a section is empty:
17
+
18
+ ```markdown
19
+ ## confirmed_facts
20
+ - <fact> — Source: <file:line | doc URL | command output>
21
+ (Only include what you directly observed/verified — read the file, ran the command, fetched the doc. No exceptions.)
22
+
23
+ ## inferred_facts
24
+ - <inference> — Basis: <what confirmed_fact(s) this is inferred from>
25
+ (Label clearly. This is your reasoning extrapolated from confirmed facts.)
26
+
27
+ ## unknowns
28
+ - <what you could not determine, and why>
29
+
30
+ ## risks
31
+ - <risk introduced by an unknown or inference, if acted upon as-is>
32
+ ```
33
+
34
+ ## Hard Rules
35
+ - Never put something in `confirmed_facts` unless you directly checked it.
36
+ - Never blend confirmed and inferred in the same bullet.
37
+ - If you didn't check something because it was out of scope, state it in `unknowns`.
38
+ - If the research request involves UI elements or layout design, include a detailed ASCII mockup in your output.
39
+ - Do not recommend a course of action. State facts/inferences/risks and hand back.
@@ -0,0 +1,42 @@
1
+ ---
2
+ name: diff-review
3
+ description: Compare code implementations and diffs against PRD requirements and definitions-of-done. Act as a strict PASS/FAIL review gate.
4
+ ---
5
+
6
+ # Diff Review & Implementation Verification
7
+
8
+ ## Core Principles
9
+
10
+ - **Definition-of-Done Grounding**: Compare changes strictly against the PRD's explicit definition-of-done (DoD) for each task. Do not evaluate style/completeness against unstated standards.
11
+ - **Binary Verdict per Task**: Each task receives PASS or FAIL individually. A partial pass is a FAIL.
12
+ - **Regression Awareness**: Verify that code changes did not break previously passed requirements.
13
+ - **Fail Fast**: If the implementation cannot be matched due to missing info or contradictions, flag it as a gap immediately. Do not guess.
14
+ - **No Scope Creep Judgment**: Flag code that exists but does not map to any DoD item as "extra scope" — but do not fail it unless it contradicts a requirement.
15
+
16
+ ## Over-Engineering Lens (BLOAT List)
17
+ Evaluate the implementation against the BLOAT list:
18
+ - **B**: Boilerplate that nobody asked for.
19
+ - **L**: Library or external dependencies added when stdlib/native features suffice.
20
+ - **O**: Over-abstraction (classes, interfaces, wrappers) not explicitly requested.
21
+ - **A**: Additional features or logic beyond the PRD definition-of-done.
22
+ - **T**: Too many files where a simpler, single-file implementation would work.
23
+
24
+ Report any found BLOAT as gaps.
25
+
26
+ ## Hard Rules
27
+ - Output *only* PASS/FAIL and the Gap List (with task_id, expected, actual, and gap).
28
+ - Do NOT suggest code, improvements, architectural re-designs, or decisions.
29
+ - Any sentence starting with "I suggest..." or "it would be better to..." is strictly out of scope.
30
+
31
+ ## Mandatory Output Schema
32
+
33
+ ```markdown
34
+ ## Verdict: PASS | FAIL
35
+
36
+ ## Mapping
37
+ | Requirement/Expectation | Found in artifact? | Note |
38
+ |---|---|---|
39
+
40
+ ## Gaps (if FAIL)
41
+ - <item>: <expected> vs <actual>
42
+ ```
@@ -0,0 +1,43 @@
1
+ ---
2
+ name: general-coding
3
+ description: Implementation guidelines for writing clean, defensive, and modular code during feature construction. Follows the Decision Ladder.
4
+ ---
5
+
6
+ # General Coding & Architecture (Decision Ladder)
7
+
8
+ ## Coding Principles
9
+
10
+ - **KISS (Keep It Simple, Stupid)**: Choose the simplest implementation that satisfies the requirement. If a complex approach is chosen, explain why in a comment.
11
+ - **DRY (Don't Repeat Yourself)**: Before writing new logic, check if equivalent logic already exists in the codebase.
12
+ - **Fail Fast / Defensive Programming**: Validate all inputs at function/API boundaries. Never assume upstream data is valid — raise explicit errors.
13
+ - **SOLID (Dependency Inversion)**: Depend on abstractions (interfaces, protocols) rather than concrete implementations, especially for external services (database, API clients).
14
+ - **Clean Code Naming**: Meaningful names — no abbreviations unless domain-standard (e.g., `id`, `db`).
15
+ - **Clean Code Structure**: Small functions (one function does one thing), no hidden side effects, and minimize comments (comment only "why", not "what").
16
+ - **Single Level of Abstraction**: A function should not mix high-level orchestration with low-level details (e.g., business logic + raw SQL in the same function).
17
+
18
+ ## Decision Ladder
19
+ Before writing any code, stop at the first rung that holds:
20
+ 1. Does this need to be built at all? (YAGNI)
21
+ 2. Does it already exist in this codebase? Reuse the helper, utility, or pattern that's already here, don't re-write it.
22
+ 3. Does the standard library already do this? Use it.
23
+ 4. Does a native platform feature cover it? Use it.
24
+ 5. Does an already-installed dependency solve it? Use it.
25
+ 6. Can this be one line? Make it one line.
26
+ 7. Only then: write the minimum code that works.
27
+
28
+ The ladder runs after you understand the problem: read the task and the code it touches, trace the real flow end to end, then climb.
29
+
30
+ ## Never-Simplify Rules
31
+ You must never cut corners on:
32
+ - Understanding the problem: Trace the real flow before coding.
33
+ - Input validation at trust boundaries.
34
+ - Error handling that prevents data loss.
35
+ - Security and accessibility.
36
+ - Anything explicitly requested.
37
+ - No abstractions that weren't explicitly requested.
38
+ - No new dependency if it can be avoided.
39
+ - No boilerplate nobody asked for.
40
+ - Deletion over addition. Boring over clever. Fewest files possible.
41
+
42
+ ## Simplification Comment Convention
43
+ Mark intentional simplifications with a `simplification:` comment. If the shortcut has a known ceiling (global lock, O(n²) scan, naive heuristic), the comment must name the ceiling and the upgrade path.
@@ -0,0 +1,25 @@
1
+ ---
2
+ name: minimal-fixing
3
+ description: Applying minimal, targeted bug fixes addressing the root cause identified in Brooks-Lint RCA findings.
4
+ ---
5
+
6
+ # Minimal Corrective Fixing
7
+
8
+ ## Core Principles
9
+
10
+ - **Minimal Change**: Apply only the change needed to fix the root cause. Do not refactor surrounding code, "improve" style, or fix unrelated issues in the same pass. If you see additional problems, flag them but do not fix them.
11
+ - **Root-Cause Targeting**: The fix must address the root cause identified in the RCA findings, not just the symptom.
12
+ - **Brooks-Lint Aligned**: The fix must address the *Source* of the bug, not just the *Symptom*. A fix that only addresses the symptom will not prevent recurrence.
13
+ - **SOLID-S (Single Responsibility)**: If a proper fix would require a function to take on more than its original responsibility, flag this rather than recommending an inline patch. The fix should not create new SRP violations.
14
+ - **Test-Aware**: Confirms the fix works and does not break existing behavior. If tests were missing for the buggy code, flag this.
15
+ - **Revertible**: Each fix should be structured as a discrete change that can be easily reverted or reviewed independently. Do not bundle multiple logical fixes in the same edit.
16
+
17
+ ## Efficiency Constraints
18
+ - **Smallest Diff**: Implement the most targeted fix possible.
19
+ - **Delete the Cause**: Prefer deleting buggy code or the root cause over adding conditional guard patches.
20
+ - **10-Line Limit**: If a fix requires more than 10 lines of changes, stop and surface this complexity to the primary agent before proceeding.
21
+
22
+ ## Output Format
23
+ - Code changes, with a brief note on what root cause was addressed.
24
+ - Test results confirming the fix.
25
+ - Any residual risks or related issues discovered during the fix.
@@ -0,0 +1,33 @@
1
+ ---
2
+ name: plan-checking
3
+ description: Validate draft requirement documents (PRDs) against original user requests. Act as a strict PASS/FAIL gate with a Gap List.
4
+ ---
5
+
6
+ # Plan Checking & PRD Validation
7
+
8
+ ## Core Principles
9
+
10
+ - **Complete Coverage**: Every element of the original user request must map to at least one requirement in the PRD. Any request element with no corresponding requirement is a FAIL gap.
11
+ - **Ambiguity Detection**: Flag any requirement that can be read in two or more materially different ways. The PRD must be unambiguous.
12
+ - **Contradiction Detection**: Flag any pair of requirements whose literal reading conflicts.
13
+ - **Principle of Least Astonishment**: Evaluate whether each requirement would be clear and unambiguous to the builder during implementation. Flag technically complete but surprising/misleading items.
14
+ - **Scope Containment**: Flag any requirement that adds scope not traceable to the original request (scope creep).
15
+
16
+ ## Hard Rules
17
+ - Output *only* the PASS/FAIL verdict, requirement-to-artifact mapping, and gap list.
18
+ - Do NOT propose new features, redesign architecture, suggest alternative approaches, or make decisions.
19
+ - Do NOT suggest improvements. Only report expectation vs. reality.
20
+ - If you lack enough information to render a verdict, count it as a gap ("cannot verify X -- insufficient input"). Do not treat silence as PASS.
21
+
22
+ ## Mandatory Output Schema
23
+
24
+ ```markdown
25
+ ## Verdict: PASS | FAIL
26
+
27
+ ## Mapping
28
+ | Requirement/Expectation | Found in artifact? | Note |
29
+ |---|---|---|
30
+
31
+ ## Gaps (if FAIL)
32
+ - <item>: <expected> vs <actual>
33
+ ```
@@ -0,0 +1,20 @@
1
+ ---
2
+ name: ponytail-patching
3
+ description: Implement minimal, security-targeted patches for vulnerabilities under severe constraints using the Ponytail developer mindset.
4
+ ---
5
+
6
+ # Ponytail Secure Patching
7
+
8
+ ## Ponytail Minimal Fix Constraints
9
+ You must strictly apply the lazy senior developer mindset:
10
+ - **Smallest Diff**: Implement the smallest possible correct change.
11
+ - **Delete the Cause**: Prefer deleting vulnerable or dead code entirely over wrapping it in complex validations.
12
+ - **Size Boundary**: If a patch requires changing or adding more than 10 lines of code, STOP and report this complexity to the primary agent instead of coding it.
13
+ - **Boilerplate**: Write no abstractions or unnecessary helper functions.
14
+ - **Safety**: Do not sacrifice input validation or error boundaries for brevity. Mark intentional simplifications with a `// ponytail:` comment.
15
+
16
+ ## Corrective Strategy
17
+ If you receive a Gap List and BLOAT List:
18
+ 1. Treat it as your primary corrective requirements.
19
+ 2. Focus on fixing the remaining security vulnerabilities highlighted in the Gap List.
20
+ 3. Refactor and simplify any code structures flagged in the BLOAT List.
@@ -0,0 +1,45 @@
1
+ ---
2
+ name: prd-formatting
3
+ description: Transform raw inputs, requirements, and codebase context into a formal Product Requirement Document (PRD).
4
+ ---
5
+
6
+ # PRD Formatting
7
+
8
+ ## Core Principles
9
+
10
+ - **Principle of Least Astonishment**: The PRD must follow a predictable structure. The implementer should not be surprised by the format, terminology, or requirements organization.
11
+ - **Self-documenting**: Each section of the PRD should be intelligible on its own without requiring cross-references or external context.
12
+ - **Separation of Concerns**: Each requirement must map to one concern. Do not bundle unrelated requirements.
13
+
14
+ ## Hard Rules
15
+ - Do NOT make inferences about what the user "probably means."
16
+ - Do NOT make decisions (e.g., which approach is better).
17
+ - Do NOT add analysis, recommendations, or opinions.
18
+ - If you lack enough information to fill a section, write `TBD` and move on. Never invent details or assume information.
19
+ - Write ONLY to the `docs/plans/` directory.
20
+
21
+ ## Mandatory Output Schema
22
+
23
+ ```markdown
24
+ # PRD: <title>
25
+
26
+ ## Goal
27
+ <one sentence, as given>
28
+
29
+ ## Requirements
30
+ - R1: <as given>
31
+ - R2: ...
32
+
33
+ ## Assumptions
34
+ - <as given, or "None">
35
+
36
+ ## Out of Scope
37
+ - <as given, or "Not specified — TBD">
38
+ ```
39
+
40
+ ## Handoff Note
41
+ When instructed to perform a handoff, append a **Handoff Note** section after Out of Scope containing:
42
+ - Unresolved questions / open items (if any)
43
+ - Key decisions made during planning (with rationale)
44
+ - Summary of researcher's findings that may be relevant to implementation
45
+ - Any assumptions that could affect implementation order or strategy
@@ -0,0 +1,37 @@
1
+ ---
2
+ name: refactoring-patterns
3
+ description: Guidelines and step-by-step checklists for safely performing code refactoring patterns (Fowler) without breaking existing interfaces.
4
+ ---
5
+
6
+ # Architectural Refactoring Patterns
7
+
8
+ ## Refactoring Best Practices
9
+
10
+ - **Zero-Regression Focus**: Run the test suite after every incremental modification. Do not make multiple unrelated refactoring edits at the same time.
11
+ - **Maintain Public Interfaces**: Do not change public function signatures or API endpoints unless explicitly requested. Use deprecation notices or adapters if structural changes are necessary.
12
+ - **Separate Refactoring from Features**: Do not mix refactoring with adding new features. Refactor first, commit, then implement the new feature on top of the clean design.
13
+
14
+ ## Standard Fowler Checklists
15
+
16
+ ### 1. Extract Function
17
+ 1. Create a new function and name it after its intent (what it does, not how it does it).
18
+ 2. Copy the extracted code block into the new function.
19
+ 3. Pass any variables that are read but not modified inside the extracted block as arguments.
20
+ 4. Pass any variables that are modified inside the extracted block as return values.
21
+ 5. Replace the original code block with a call to the new function.
22
+ 6. Run tests to verify correctness.
23
+
24
+ ### 2. Move Field / Method
25
+ 1. Ensure the source object and target object are accessible in both scopes.
26
+ 2. Implement the method or field on the target object.
27
+ 3. Update the source method/field to delegate calls to the target object.
28
+ 4. Replace direct references to the source method/field across the codebase with references to the target object.
29
+ 5. Remove the source implementation once no references remain.
30
+ 6. Run tests to verify correctness.
31
+
32
+ ### 3. Replace Conditional with Polymorphism
33
+ 1. Identify the class or interface that represents the conditional variations.
34
+ 2. Create sub-classes or polymorphic implementations for each branch of the conditional statement.
35
+ 3. Move the branch-specific execution code into overridden methods in each sub-class.
36
+ 4. Replace the original conditional check with a polymorphic method call on the object instance.
37
+ 5. Run tests to verify correctness.
@@ -0,0 +1,35 @@
1
+ ---
2
+ name: security-auditing
3
+ description: Act as a validation gate checking if security patches resolved vulnerabilities without introducing regressions or over-engineering (Bloat analysis).
4
+ ---
5
+
6
+ # Security Auditing & Quality Gate
7
+
8
+ ## Core Work
9
+ - Inspect modified codebase files and run test commands to verify vulnerability elimination.
10
+ - Perform a security regression review: ensure the applied patches did not introduce new vulnerability pathways (e.g., input bypasses or insecure error handling).
11
+ - Perform an over-engineering review (Ponytail audit lens).
12
+
13
+ ## Ponytail Audit Lens (Bloat Analysis)
14
+ Analyze changes for cognitive overload, accidental complexity, or redundant logic. Check for:
15
+ - Unrequested abstractions
16
+ - Boilerplate
17
+ - Excessive lines of code (more than necessary to resolve the vulnerability)
18
+ - Redundant logic
19
+
20
+ ## Hard Rules
21
+ - Output *only* the PASS/FAIL verdict, Gap List, and BLOAT List.
22
+ - Do NOT propose remedies, suggest code adjustments, or edit code.
23
+
24
+ ## Mandatory Output Schema
25
+ Your output must consist ONLY of:
26
+
27
+ ```markdown
28
+ ## Verdict: PASS | FAIL
29
+
30
+ ## Gap List
31
+ - List of specific files/lines where vulnerabilities are still active or regression was detected (FAIL cases only).
32
+
33
+ ## BLOAT List
34
+ - List of over-engineered constructs, abstractions, or boilerplate found in the patches.
35
+ ```
@@ -0,0 +1,37 @@
1
+ ---
2
+ name: security-remediation
3
+ description: Standard code patterns and recipes for safely fixing common OWASP Top 10 vulnerabilities (SQLi, XSS, CSRF, SSRF, broken auth) without introducing bloat.
4
+ ---
5
+
6
+ # Secure Remediation Patterns
7
+
8
+ ## Vulnerability Remediation Recipes
9
+
10
+ ### 1. SQL Injection (SQLi)
11
+ - **Remedy**: Always parameterize query bindings. Never concatenate or interpolate user input directly into query strings.
12
+ - **Example (Bad)**:
13
+ `db.execute("SELECT * FROM users WHERE name = '" + input + "'")`
14
+ - **Example (Good)**:
15
+ `db.execute("SELECT * FROM users WHERE name = ?", [input])`
16
+
17
+ ### 2. Cross-Site Scripting (XSS)
18
+ - **Remedy**: Contextually encode all dynamic data output to HTML. Prioritize framework default binding mechanisms (e.g. JSX expression, textContent) over direct DOM injection.
19
+ - **Example (Bad)**:
20
+ `element.innerHTML = userInput`
21
+ - **Example (Good)**:
22
+ `element.textContent = userInput`
23
+
24
+ ### 3. Server-Side Request Forgery (SSRF)
25
+ - **Remedy**: Implement a strict IP/Domain allow-list for external fetches. Block resolve paths pointing to internal private metadata or loopback addresses.
26
+ - **Forbidden Ranges**: `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.169.254`.
27
+
28
+ ### 4. Broken Object Level Authorization (BOLA / IDOR)
29
+ - **Remedy**: Check that the authenticated session user actually owns the resource identifier requested before executing read, update, or delete commands.
30
+ - **Example (Bad)**:
31
+ `db.getInvoice(req.params.id)`
32
+ - **Example (Good)**:
33
+ `invoice = db.getInvoice(req.params.id); if (invoice.userId !== req.session.userId) throw new UnauthorizedError();`
34
+
35
+ ## General Safety Checklist
36
+ - Never log raw passwords, access tokens, or sensitive API keys.
37
+ - Ensure all error messages returned to the API client are generic and do not expose internal stack traces or database configurations.
@@ -0,0 +1,83 @@
1
+ ---
2
+ name: summary-reporting
3
+ description: Format raw facts, outcomes, RCA findings, and validation results into formal execution and summary reports.
4
+ ---
5
+
6
+ # Summary & Execution Reporting
7
+
8
+ ## Core Principles
9
+
10
+ - **Fidelity to Sources**: Every claim in the report must trace back verbatim to a source output (e.g. Tracer findings, Patcher changes, Auditor verdict, Debugger diagnosis). No claim or interpretation may originate from the reporter.
11
+ - **Audience-First**: Tailor detail level and vocabulary for the target reader (technical lead, maintainer, end-user) if specified. Default to technical summary.
12
+ - **DRY for Docs**: Present findings exactly once; use cross-references instead of repeating data across sections.
13
+ - **Priority Ordering**: Order findings by severity (blocking failures/confirmed vulnerabilities first, then open risks/suspected vulnerabilities, then informational notes/bloat).
14
+ - **Stateless formatting**: Do not remember context across runs. Do not make inferences or assumptions.
15
+ - **Target Output Directory**: Write ONLY to the `docs/reports/` directory.
16
+
17
+ ## Hard Rules
18
+ - Do NOT make inferences or assume facts. If input is missing or incomplete, write `TBD` or `N/A`.
19
+ - Do NOT add analysis, recommendations, or opinions beyond what was provided.
20
+ - Do NOT run bash commands.
21
+
22
+ ## Standard Formats
23
+
24
+ ### Format A: Compose Completion Report
25
+ ```markdown
26
+ # Report: <subject>
27
+
28
+ ## For: <audience>
29
+
30
+ ## Outcome
31
+ <PASS/FAIL or completion status, as given>
32
+
33
+ ## Details
34
+ <compressed from input, no added interpretation>
35
+ ```
36
+
37
+ ### Format B: Brooks-Lint Diagnosis Report (Debugger)
38
+ ```markdown
39
+ # Diagnosis Report: <subject>
40
+
41
+ ## For: <audience>
42
+
43
+ ## Decay Risk Classification
44
+ <R1-R6 or T1-T6 risk(s) identified>
45
+
46
+ ## Findings
47
+ ### Finding 1: <decay risk> — <brief title>
48
+ **Symptom:** ...
49
+ **Source:** ...
50
+ **Consequence:** ...
51
+ **Remedy:** ...
52
+
53
+ ### Finding 2: ...
54
+ ```
55
+
56
+ ### Format C: Security & Quality Audit Report (Analyze)
57
+ ```markdown
58
+ # Security & Quality Audit Report: <Date/Subject>
59
+
60
+ ## Executive Summary
61
+ - **Auditor Verdict:** <PASS/FAIL>
62
+ - **Confirmed Vulnerabilities:** <count>
63
+ - **Suspected Vulnerabilities:** <count>
64
+ - **Patches Applied:** <summary of Patcher changes, or "None">
65
+
66
+ ## Vulnerability Findings
67
+ ### Confirmed Vulnerabilities
68
+ <verbatim from Tracer confirmed_vulns — OWASP category, location, data flow>
69
+
70
+ ### Suspected Vulnerabilities
71
+ <verbatim from Tracer suspected_vulns>
72
+
73
+ ### Quality & Decay Risks
74
+ <verbatim from Tracer quality & decay risks>
75
+
76
+ ## Patches Applied
77
+ <verbatim diff summary from Patcher, or "N/A — audit only mode">
78
+
79
+ ## Auditor Verdict Detail
80
+ - **Verdict:** <PASS/FAIL>
81
+ - **Gap List:** <verbatim from Auditor — files/lines still vulnerable, or "None">
82
+ - **BLOAT List:** <verbatim from Auditor — over-engineered constructs, or "None">
83
+ ```
@@ -0,0 +1,44 @@
1
+ ---
2
+ name: test-assurance
3
+ description: Write, run, and evaluate test suites to confirm correctness and identify regressions or coverage gaps.
4
+ ---
5
+
6
+ # Test Validation & Test Assurance
7
+
8
+ ## Core Principles
9
+
10
+ - **Regression Awareness**: Separate new failures (introduced by current changes) from pre-existing failures. Pre-existing failures are context, not a gap to close in this pass.
11
+ - **Coverage Gaps**: Any code written or modified that lacks a corresponding test is a reportable gap.
12
+ - **Test Independence**: If tests share mutable state or depend on execution order, flag it as a structural risk.
13
+ - **Blocked Status**: If you cannot run the test suite (missing dependencies, no framework), report it as BLOCKED. Do not attempt to install packages or configure settings.
14
+
15
+ ## Efficiency Constraints (Minimal Testing)
16
+ - **Minimal Testing**: Test only the smallest thing that fails if the logic breaks.
17
+ - **No Speculative Edge Cases**: Write tests for actual requirements, not imagined inputs.
18
+ - **One Assertion per Behavior**: Keep assertions focused on a single logical outcome.
19
+ - **No Complex Fixtures**: Write the simplest assertions or test files possible.
20
+ - **No Tests for Trivial Code**: Trivial one-liners need no tests.
21
+
22
+ ## Hard Rules
23
+ - Report the PASS/FAIL/BLOCKED status, results table, regressions, and coverage gaps.
24
+ - Do NOT fix failing tests, rewrite suites, or decide whether failures are blocking. Let the primary agent decide.
25
+ - Do NOT install dependencies or configure frameworks.
26
+
27
+ ## Mandatory Output Schema
28
+
29
+ ```markdown
30
+ ## Status: PASS | FAIL | BLOCKED
31
+
32
+ ## Test Results
33
+ | Test suite | Passed | Failed | New failure? |
34
+ |---|---|---|---|
35
+
36
+ ## New Failures (regressions from current changes)
37
+ - <test name>: <failure message>
38
+
39
+ ## Pre-existing Failures (not caused by current changes)
40
+ - <test name>: <note>
41
+
42
+ ## Coverage Gaps (code written/modified without tests)
43
+ - <file/function>: <note>
44
+ ```
@@ -0,0 +1,18 @@
1
+ ---
2
+ name: test-mocking-strategy
3
+ description: Guidelines on when and how to mock external services (databases, network requests, third-party APIs) during test creation.
4
+ ---
5
+
6
+ # Mocking & Test Double Strategy
7
+
8
+ ## Core Principles
9
+
10
+ - **No Over-Mocking**: Limit mocks to external trust boundaries (e.g., external HTTP endpoints, third-party API clients). Never mock internal domain models, database queries, helper utilities, or core business logic unless absolutely necessary.
11
+ - **Contract Verification**: Ensure mock payloads and responses strictly match the actual schema of the external API. Stale mocks that hide schema drift are a major regression risk.
12
+ - **Prefer Stubs over Mocks**: Use simple stubs (returning canned data) over complex mock objects with verified call counts and expectations, keeping test setup clean and readable.
13
+ - **Standardized Mock Tools**: Utilize standard community tools (e.g., `nock`, `msw`, `unittest.mock`) instead of writing custom, proprietary mock engines.
14
+
15
+ ## Decisions & Boundaries
16
+ - **Database Mocks**: Prefer using a lightweight in-memory database (e.g., SQLite in-memory) or database transactions that rollback after each test over mocking SQL connections or ORM calls.
17
+ - **HTTP Requests**: Mock network calls at the HTTP layer (using tools like `msw` or `nock`) rather than patching the application-level API client wrapper, ensuring client serialization logic is tested.
18
+ - **Time/Date Mocking**: Use deterministic clock wrapper utilities or standard mock timers (e.g., `sinon.useFakeTimers`, `freezegun`) when testing time-sensitive operations (e.g., token expiration, transaction limits).
@@ -0,0 +1,23 @@
1
+ ---
2
+ name: ui-design-audit
3
+ description: Quality assurance playbook for auditing user interfaces for accessibility (WCAG), layout defects, responsive scaling, and over-engineering.
4
+ ---
5
+
6
+ # UI Design Audit & QA Playbook
7
+
8
+ ## 1. Accessibility (WCAG 2.1 AA Compliance)
9
+ - **Contrast Check**: Verify hex color values for text and interactive indicators against backgrounds. Normal text must satisfy $\ge 4.5:1$ contrast ratio, and large text must satisfy $\ge 3:1$.
10
+ - **Focus Rings**: Verify that all interactive elements have visible `:focus` or `:focus-visible` outline rings to support keyboard-only navigation.
11
+ - **Semantic Structure**: Ensure proper HTML heading hierarchy (never skip heading levels like `h1` directly to `h3`). Ensure proper ARIA roles and labels on dynamic components (modals, dropdowns).
12
+
13
+ ## 2. Layout & Responsiveness
14
+ - **Breakpoint Overflows**: Check for hardcoded pixel widths (`width: 500px`) that cause horizontal scrolling on smaller viewports. Ensure flexible percentage or viewport-based units (`w-full`, `max-w-*`) are used.
15
+ - **Alignment Integrity**: Check that grids, flexboxes, and columns do not overlap or misalign at intermediate screen widths.
16
+ - **Empty States**: Ensure any dynamic layout accounts for loading or empty states with clean indicators.
17
+
18
+ ## 3. Performance & Asset Optimization
19
+ - **Static Assets**: Verify that images are loaded in modern formats (e.g. `.webp` instead of high-resolution `.png` / `.jpg`) and contain explicit width/height parameters to avoid cumulative layout shifts (CLS).
20
+ - **Fonts**: Ensure external web fonts are preloaded or styled with a proper fallback font stack (e.g., `font-family: 'Inter', sans-serif;`) to prevent layout flickering.
21
+
22
+ ## 4. Visual Over-Engineering Check
23
+ - Ensure that the CSS is clean and organized, avoiding excessive layers of unneeded nested rules, duplicate styling declarations, or unused CSS utility classes.
@@ -0,0 +1,37 @@
1
+ ---
2
+ name: ui-design-system
3
+ description: Playbook and guidelines for creating visually rich, innovative, and modern user interfaces (design system, spacing, typography, and micro-interactions).
4
+ ---
5
+
6
+ # UI Design System & Guidelines
7
+
8
+ ## 1. Typography & Hierarchy
9
+ - **Primary Font**: Use modern, clean typography (e.g., from Google Fonts like `Inter` for body/ui elements and `Outfit` or `Space Grotesk` for headings).
10
+ - **Scale**:
11
+ - Headings (`h1`, `h2`): Semibold/Bold, tighter line-height (`1.2`), tracking tight.
12
+ - Body: Regular, line-height `1.5` or `1.6`, tracking normal.
13
+ - Labels/Buttons: Medium, uppercase or medium weight, tracking wide.
14
+
15
+ ## 2. Spacing & Grid System
16
+ - **Spacing Scale**: Enforce a strict spacing scale based on multiples of 4px/8px (e.g., Tailwind's `p-2`, `p-4`, `p-6`, `p-8` scales). Never use random "magic numbers" for margins or padding.
17
+ - **Grids & Flexbox**: Always align elements using responsive flexbox or grid layouts. Center content cleanly, keep columns proportional, and ensure proper padding at container edges.
18
+
19
+ ## 3. Visual Depth & Aesthetics
20
+ - **Elevations & Depth**: Use subtle border strokes (e.g. `rgba(255,255,255,0.08)` in dark mode) paired with soft shadows to define elevation.
21
+ - **Gradients**: Utilize smooth, harmonious color gradients for key accent elements, headers, and call-to-action buttons.
22
+ - **Glassmorphism**: When creating modern panels or modals, prefer semi-transparent backgrounds with background blur (e.g., `backdrop-filter: blur(12px)`).
23
+ - **Color Accents**: Avoid primary saturated primaries (e.g., plain `#ff0000`, `#0000ff`). Use tailored palettes (e.g. HSL tailored neon/pastel gradients, sleek slate/charcoal backgrounds).
24
+
25
+ ## 4. Micro-Interactions & Transitions
26
+ - **Interactive States**: Every interactive element (buttons, cards, inputs) must have explicit `:hover`, `:focus-visible`, and `:active` styles.
27
+ - **Transitions**: Apply smooth transition effects (`transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1)`) to avoid sudden visual snapping on hover or state change.
28
+
29
+ ## 5. Mobile-First Responsiveness
30
+ - Start layouts mobile-first. Apply breakpoint prefixes (`sm:`, `md:`, `lg:`) to scale grids, font sizes, and container widths gracefully to desktop viewports.
31
+
32
+ ## 6. Mockup & Prototype Delivery Protocol
33
+ When tasked with generating a visual layout, mockup, or interface prototype:
34
+ - **No ASCII Drawing**: Do not output textual ASCII grids or drawings.
35
+ - **Self-Contained File**: Generate a complete, valid HTML5 file.
36
+ - **Embedded CSS**: Include a `<style>` block containing fonts (Inter/Outfit), layout variables, component styles, states (:hover, :focus), and smooth transition curves.
37
+ - **Embedded JS**: Include a `<script>` block implementing DOM interactions (tab switching, theme toggles, modal open/close) so it works as a fully responsive, interactive live prototype.
@@ -0,0 +1,33 @@
1
+ ---
2
+ name: wstg-recon
3
+ description: Scan project directory structure, map attack surfaces, and trace vulnerability data-flow paths using secure code review and WSTG principles.
4
+ ---
5
+
6
+ # WSTG Threat Model & Vulnerability Tracing
7
+
8
+ ## Scope of Work
9
+ - Scan the directory structure and codebase to identify potential entry points, routes, API endpoints, and security weaknesses.
10
+ - Perform a breadth-first assessment: map outer interfaces and entry points before analyzing deep business logic.
11
+ - Trace data flows from untrusted inputs to dangerous sinks (e.g., raw SQL query calls, shell execution points, eval functions).
12
+ - Guide your checks using WSTG (Web Security Testing Guide) methodologies and secure code review practices.
13
+
14
+ ## Hard Rules
15
+ - Focus on locating vulnerability paths. Do NOT propose remedies, write code fixes, or modify files.
16
+ - Do NOT decide remediation priorities.
17
+ - Classify findings strictly into the target output format.
18
+
19
+ ## Mandatory Output Schema
20
+ Your output must be structured exactly as follows:
21
+
22
+ ```markdown
23
+ ### Confirmed Vulnerabilities
24
+ 1. **[OWASP Category / WSTG ID]** Description of vulnerability path.
25
+ - **Location:** [file path & line numbers]
26
+ - **Data Flow:** [input -> path -> sink]
27
+
28
+ ### Suspected Vulnerabilities
29
+ - List potential issues requiring manual verification.
30
+
31
+ ### Quality & Decay Risks
32
+ - List security-adjacent decay risks (e.g., hardcoded secrets, missing input validation rules, lack of trust boundaries).
33
+ ```