@funara/wevr 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +397 -0
- package/bin/wevr.js +4 -0
- package/package.json +48 -0
- package/src/cli/commands/doctor.js +137 -0
- package/src/cli/commands/init.js +156 -0
- package/src/cli/commands/launch.js +122 -0
- package/src/cli/commands/theme.js +67 -0
- package/src/cli/commands/theme.test.js +28 -0
- package/src/cli/commands/uninstall.js +103 -0
- package/src/cli/commands/update.js +9 -0
- package/src/cli/index.js +63 -0
- package/src/cli/wizard/selectModelTier.js +40 -0
- package/src/core/agentPromptWriter.js +45 -0
- package/src/core/agentPromptWriter.test.js +56 -0
- package/src/core/backup.js +46 -0
- package/src/core/backup.test.js +51 -0
- package/src/core/commandsWriter.js +26 -0
- package/src/core/commandsWriter.test.js +29 -0
- package/src/core/configBuilder.js +32 -0
- package/src/core/configBuilder.test.js +93 -0
- package/src/core/configWriter.js +10 -0
- package/src/core/configWriter.test.js +26 -0
- package/src/core/identityHeader.js +8 -0
- package/src/core/identityHeader.test.js +15 -0
- package/src/core/paths.js +13 -0
- package/src/core/paths.test.js +33 -0
- package/src/core/pluginWriter.js +29 -0
- package/src/core/pluginWriter.test.js +41 -0
- package/src/core/skillsWriter.js +13 -0
- package/src/core/skillsWriter.test.js +30 -0
- package/src/core/themeWriter.js +26 -0
- package/src/core/themeWriter.test.js +29 -0
- package/src/core/tuiConfigWriter.js +22 -0
- package/src/core/tuiConfigWriter.test.js +38 -0
- package/src/core/version.js +8 -0
- package/src/core/versionCheck.js +44 -0
- package/src/core/versionCheck.test.js +34 -0
- package/src/plugins/README.md +57 -0
- package/src/plugins/wevr-flow.js +137 -0
- package/src/plugins/wevr-squeeze.js +3630 -0
- package/src/templates/agent-prompts/analyze.txt +43 -0
- package/src/templates/agent-prompts/builder.txt +10 -0
- package/src/templates/agent-prompts/compose.txt +45 -0
- package/src/templates/agent-prompts/debug.txt +43 -0
- package/src/templates/agent-prompts/explorer.txt +10 -0
- package/src/templates/agent-prompts/hierarchy.txt +95 -0
- package/src/templates/agent-prompts/reporter.txt +10 -0
- package/src/templates/agent-prompts/verifier.txt +10 -0
- package/src/templates/commands/squeeze-dashboard.md +5 -0
- package/src/templates/commands/squeeze-health.md +10 -0
- package/src/templates/commands/squeeze-quick.md +10 -0
- package/src/templates/model-defaults.json +59 -0
- package/src/templates/opencode.config.json +243 -0
- package/src/templates/skills/brooks-lint-rca/SKILL.md +48 -0
- package/src/templates/skills/codebase-fact-finding/SKILL.md +39 -0
- package/src/templates/skills/diff-review/SKILL.md +42 -0
- package/src/templates/skills/general-coding/SKILL.md +43 -0
- package/src/templates/skills/minimal-fixing/SKILL.md +25 -0
- package/src/templates/skills/plan-checking/SKILL.md +33 -0
- package/src/templates/skills/ponytail-patching/SKILL.md +20 -0
- package/src/templates/skills/prd-formatting/SKILL.md +45 -0
- package/src/templates/skills/refactoring-patterns/SKILL.md +37 -0
- package/src/templates/skills/security-auditing/SKILL.md +35 -0
- package/src/templates/skills/security-remediation/SKILL.md +37 -0
- package/src/templates/skills/summary-reporting/SKILL.md +83 -0
- package/src/templates/skills/test-assurance/SKILL.md +44 -0
- package/src/templates/skills/test-mocking-strategy/SKILL.md +18 -0
- package/src/templates/skills/ui-design-audit/SKILL.md +23 -0
- package/src/templates/skills/ui-design-system/SKILL.md +37 -0
- package/src/templates/skills/wstg-recon/SKILL.md +33 -0
- package/src/templates/themes/wevr-colorful.json +241 -0
- package/src/templates/themes/wevr-dark.json +177 -0
- package/src/templates/themes/wevr-light.json +241 -0
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: codebase-fact-finding
|
|
3
|
+
description: Perform initial codebase exploration, fact-finding, and precedent checks before designing requirements or writing code. Use when asked to research technical context or precedents.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Codebase Fact-Finding & Precedent Check
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Fail Fast**: If a recommended library or API is not verified as available or compatible in the codebase, flag it immediately. Never assume availability.
|
|
11
|
+
- **Principle of Least Astonishment**: Prioritize patterns that already exist in the codebase over introducing new ones. Choose the most predictable solutions.
|
|
12
|
+
- **DRY (Don't Repeat Yourself)**: Before researching a solution, check if a precedent already exists in the codebase.
|
|
13
|
+
- **Source Verification**: Explicitly distinguish between "confirmed from codebase/docs" (with exact source citation) and "inferred/recommended" (with rationale).
|
|
14
|
+
|
|
15
|
+
## Mandatory Output Schema
|
|
16
|
+
You must output exactly these four sections, even if a section is empty:
|
|
17
|
+
|
|
18
|
+
```markdown
|
|
19
|
+
## confirmed_facts
|
|
20
|
+
- <fact> — Source: <file:line | doc URL | command output>
|
|
21
|
+
(Only include what you directly observed/verified — read the file, ran the command, fetched the doc. No exceptions.)
|
|
22
|
+
|
|
23
|
+
## inferred_facts
|
|
24
|
+
- <inference> — Basis: <what confirmed_fact(s) this is inferred from>
|
|
25
|
+
(Label clearly. This is your reasoning extrapolated from confirmed facts.)
|
|
26
|
+
|
|
27
|
+
## unknowns
|
|
28
|
+
- <what you could not determine, and why>
|
|
29
|
+
|
|
30
|
+
## risks
|
|
31
|
+
- <risk introduced by an unknown or inference, if acted upon as-is>
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
## Hard Rules
|
|
35
|
+
- Never put something in `confirmed_facts` unless you directly checked it.
|
|
36
|
+
- Never blend confirmed and inferred in the same bullet.
|
|
37
|
+
- If you didn't check something because it was out of scope, state it in `unknowns`.
|
|
38
|
+
- If the research request involves UI elements or layout design, include a detailed ASCII mockup in your output.
|
|
39
|
+
- Do not recommend a course of action. State facts/inferences/risks and hand back.
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: diff-review
|
|
3
|
+
description: Compare code implementations and diffs against PRD requirements and definitions-of-done. Act as a strict PASS/FAIL review gate.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Diff Review & Implementation Verification
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Definition-of-Done Grounding**: Compare changes strictly against the PRD's explicit definition-of-done (DoD) for each task. Do not evaluate style/completeness against unstated standards.
|
|
11
|
+
- **Binary Verdict per Task**: Each task receives PASS or FAIL individually. A partial pass is a FAIL.
|
|
12
|
+
- **Regression Awareness**: Verify that code changes did not break previously passed requirements.
|
|
13
|
+
- **Fail Fast**: If the implementation cannot be matched due to missing info or contradictions, flag it as a gap immediately. Do not guess.
|
|
14
|
+
- **No Scope Creep Judgment**: Flag code that exists but does not map to any DoD item as "extra scope" — but do not fail it unless it contradicts a requirement.
|
|
15
|
+
|
|
16
|
+
## Over-Engineering Lens (BLOAT List)
|
|
17
|
+
Evaluate the implementation against the BLOAT list:
|
|
18
|
+
- **B**: Boilerplate that nobody asked for.
|
|
19
|
+
- **L**: Library or external dependencies added when stdlib/native features suffice.
|
|
20
|
+
- **O**: Over-abstraction (classes, interfaces, wrappers) not explicitly requested.
|
|
21
|
+
- **A**: Additional features or logic beyond the PRD definition-of-done.
|
|
22
|
+
- **T**: Too many files where a simpler, single-file implementation would work.
|
|
23
|
+
|
|
24
|
+
Report any found BLOAT as gaps.
|
|
25
|
+
|
|
26
|
+
## Hard Rules
|
|
27
|
+
- Output *only* PASS/FAIL and the Gap List (with task_id, expected, actual, and gap).
|
|
28
|
+
- Do NOT suggest code, improvements, architectural re-designs, or decisions.
|
|
29
|
+
- Any sentence starting with "I suggest..." or "it would be better to..." is strictly out of scope.
|
|
30
|
+
|
|
31
|
+
## Mandatory Output Schema
|
|
32
|
+
|
|
33
|
+
```markdown
|
|
34
|
+
## Verdict: PASS | FAIL
|
|
35
|
+
|
|
36
|
+
## Mapping
|
|
37
|
+
| Requirement/Expectation | Found in artifact? | Note |
|
|
38
|
+
|---|---|---|
|
|
39
|
+
|
|
40
|
+
## Gaps (if FAIL)
|
|
41
|
+
- <item>: <expected> vs <actual>
|
|
42
|
+
```
|
|
@@ -0,0 +1,43 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: general-coding
|
|
3
|
+
description: Implementation guidelines for writing clean, defensive, and modular code during feature construction. Follows the Decision Ladder.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# General Coding & Architecture (Decision Ladder)
|
|
7
|
+
|
|
8
|
+
## Coding Principles
|
|
9
|
+
|
|
10
|
+
- **KISS (Keep It Simple, Stupid)**: Choose the simplest implementation that satisfies the requirement. If a complex approach is chosen, explain why in a comment.
|
|
11
|
+
- **DRY (Don't Repeat Yourself)**: Before writing new logic, check if equivalent logic already exists in the codebase.
|
|
12
|
+
- **Fail Fast / Defensive Programming**: Validate all inputs at function/API boundaries. Never assume upstream data is valid — raise explicit errors.
|
|
13
|
+
- **SOLID (Dependency Inversion)**: Depend on abstractions (interfaces, protocols) rather than concrete implementations, especially for external services (database, API clients).
|
|
14
|
+
- **Clean Code Naming**: Meaningful names — no abbreviations unless domain-standard (e.g., `id`, `db`).
|
|
15
|
+
- **Clean Code Structure**: Small functions (one function does one thing), no hidden side effects, and minimize comments (comment only "why", not "what").
|
|
16
|
+
- **Single Level of Abstraction**: A function should not mix high-level orchestration with low-level details (e.g., business logic + raw SQL in the same function).
|
|
17
|
+
|
|
18
|
+
## Decision Ladder
|
|
19
|
+
Before writing any code, stop at the first rung that holds:
|
|
20
|
+
1. Does this need to be built at all? (YAGNI)
|
|
21
|
+
2. Does it already exist in this codebase? Reuse the helper, utility, or pattern that's already here, don't re-write it.
|
|
22
|
+
3. Does the standard library already do this? Use it.
|
|
23
|
+
4. Does a native platform feature cover it? Use it.
|
|
24
|
+
5. Does an already-installed dependency solve it? Use it.
|
|
25
|
+
6. Can this be one line? Make it one line.
|
|
26
|
+
7. Only then: write the minimum code that works.
|
|
27
|
+
|
|
28
|
+
The ladder runs after you understand the problem: read the task and the code it touches, trace the real flow end to end, then climb.
|
|
29
|
+
|
|
30
|
+
## Never-Simplify Rules
|
|
31
|
+
You must never cut corners on:
|
|
32
|
+
- Understanding the problem: Trace the real flow before coding.
|
|
33
|
+
- Input validation at trust boundaries.
|
|
34
|
+
- Error handling that prevents data loss.
|
|
35
|
+
- Security and accessibility.
|
|
36
|
+
- Anything explicitly requested.
|
|
37
|
+
- No abstractions that weren't explicitly requested.
|
|
38
|
+
- No new dependency if it can be avoided.
|
|
39
|
+
- No boilerplate nobody asked for.
|
|
40
|
+
- Deletion over addition. Boring over clever. Fewest files possible.
|
|
41
|
+
|
|
42
|
+
## Simplification Comment Convention
|
|
43
|
+
Mark intentional simplifications with a `simplification:` comment. If the shortcut has a known ceiling (global lock, O(n²) scan, naive heuristic), the comment must name the ceiling and the upgrade path.
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: minimal-fixing
|
|
3
|
+
description: Applying minimal, targeted bug fixes addressing the root cause identified in Brooks-Lint RCA findings.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Minimal Corrective Fixing
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Minimal Change**: Apply only the change needed to fix the root cause. Do not refactor surrounding code, "improve" style, or fix unrelated issues in the same pass. If you see additional problems, flag them but do not fix them.
|
|
11
|
+
- **Root-Cause Targeting**: The fix must address the root cause identified in the RCA findings, not just the symptom.
|
|
12
|
+
- **Brooks-Lint Aligned**: The fix must address the *Source* of the bug, not just the *Symptom*. A fix that only addresses the symptom will not prevent recurrence.
|
|
13
|
+
- **SOLID-S (Single Responsibility)**: If a proper fix would require a function to take on more than its original responsibility, flag this rather than recommending an inline patch. The fix should not create new SRP violations.
|
|
14
|
+
- **Test-Aware**: Confirms the fix works and does not break existing behavior. If tests were missing for the buggy code, flag this.
|
|
15
|
+
- **Revertible**: Each fix should be structured as a discrete change that can be easily reverted or reviewed independently. Do not bundle multiple logical fixes in the same edit.
|
|
16
|
+
|
|
17
|
+
## Efficiency Constraints
|
|
18
|
+
- **Smallest Diff**: Implement the most targeted fix possible.
|
|
19
|
+
- **Delete the Cause**: Prefer deleting buggy code or the root cause over adding conditional guard patches.
|
|
20
|
+
- **10-Line Limit**: If a fix requires more than 10 lines of changes, stop and surface this complexity to the primary agent before proceeding.
|
|
21
|
+
|
|
22
|
+
## Output Format
|
|
23
|
+
- Code changes, with a brief note on what root cause was addressed.
|
|
24
|
+
- Test results confirming the fix.
|
|
25
|
+
- Any residual risks or related issues discovered during the fix.
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: plan-checking
|
|
3
|
+
description: Validate draft requirement documents (PRDs) against original user requests. Act as a strict PASS/FAIL gate with a Gap List.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Plan Checking & PRD Validation
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Complete Coverage**: Every element of the original user request must map to at least one requirement in the PRD. Any request element with no corresponding requirement is a FAIL gap.
|
|
11
|
+
- **Ambiguity Detection**: Flag any requirement that can be read in two or more materially different ways. The PRD must be unambiguous.
|
|
12
|
+
- **Contradiction Detection**: Flag any pair of requirements whose literal reading conflicts.
|
|
13
|
+
- **Principle of Least Astonishment**: Evaluate whether each requirement would be clear and unambiguous to the builder during implementation. Flag technically complete but surprising/misleading items.
|
|
14
|
+
- **Scope Containment**: Flag any requirement that adds scope not traceable to the original request (scope creep).
|
|
15
|
+
|
|
16
|
+
## Hard Rules
|
|
17
|
+
- Output *only* the PASS/FAIL verdict, requirement-to-artifact mapping, and gap list.
|
|
18
|
+
- Do NOT propose new features, redesign architecture, suggest alternative approaches, or make decisions.
|
|
19
|
+
- Do NOT suggest improvements. Only report expectation vs. reality.
|
|
20
|
+
- If you lack enough information to render a verdict, count it as a gap ("cannot verify X -- insufficient input"). Do not treat silence as PASS.
|
|
21
|
+
|
|
22
|
+
## Mandatory Output Schema
|
|
23
|
+
|
|
24
|
+
```markdown
|
|
25
|
+
## Verdict: PASS | FAIL
|
|
26
|
+
|
|
27
|
+
## Mapping
|
|
28
|
+
| Requirement/Expectation | Found in artifact? | Note |
|
|
29
|
+
|---|---|---|
|
|
30
|
+
|
|
31
|
+
## Gaps (if FAIL)
|
|
32
|
+
- <item>: <expected> vs <actual>
|
|
33
|
+
```
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: ponytail-patching
|
|
3
|
+
description: Implement minimal, security-targeted patches for vulnerabilities under severe constraints using the Ponytail developer mindset.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Ponytail Secure Patching
|
|
7
|
+
|
|
8
|
+
## Ponytail Minimal Fix Constraints
|
|
9
|
+
You must strictly apply the lazy senior developer mindset:
|
|
10
|
+
- **Smallest Diff**: Implement the smallest possible correct change.
|
|
11
|
+
- **Delete the Cause**: Prefer deleting vulnerable or dead code entirely over wrapping it in complex validations.
|
|
12
|
+
- **Size Boundary**: If a patch requires changing or adding more than 10 lines of code, STOP and report this complexity to the primary agent instead of coding it.
|
|
13
|
+
- **Boilerplate**: Write no abstractions or unnecessary helper functions.
|
|
14
|
+
- **Safety**: Do not sacrifice input validation or error boundaries for brevity. Mark intentional simplifications with a `// ponytail:` comment.
|
|
15
|
+
|
|
16
|
+
## Corrective Strategy
|
|
17
|
+
If you receive a Gap List and BLOAT List:
|
|
18
|
+
1. Treat it as your primary corrective requirements.
|
|
19
|
+
2. Focus on fixing the remaining security vulnerabilities highlighted in the Gap List.
|
|
20
|
+
3. Refactor and simplify any code structures flagged in the BLOAT List.
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: prd-formatting
|
|
3
|
+
description: Transform raw inputs, requirements, and codebase context into a formal Product Requirement Document (PRD).
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# PRD Formatting
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Principle of Least Astonishment**: The PRD must follow a predictable structure. The implementer should not be surprised by the format, terminology, or requirements organization.
|
|
11
|
+
- **Self-documenting**: Each section of the PRD should be intelligible on its own without requiring cross-references or external context.
|
|
12
|
+
- **Separation of Concerns**: Each requirement must map to one concern. Do not bundle unrelated requirements.
|
|
13
|
+
|
|
14
|
+
## Hard Rules
|
|
15
|
+
- Do NOT make inferences about what the user "probably means."
|
|
16
|
+
- Do NOT make decisions (e.g., which approach is better).
|
|
17
|
+
- Do NOT add analysis, recommendations, or opinions.
|
|
18
|
+
- If you lack enough information to fill a section, write `TBD` and move on. Never invent details or assume information.
|
|
19
|
+
- Write ONLY to the `docs/plans/` directory.
|
|
20
|
+
|
|
21
|
+
## Mandatory Output Schema
|
|
22
|
+
|
|
23
|
+
```markdown
|
|
24
|
+
# PRD: <title>
|
|
25
|
+
|
|
26
|
+
## Goal
|
|
27
|
+
<one sentence, as given>
|
|
28
|
+
|
|
29
|
+
## Requirements
|
|
30
|
+
- R1: <as given>
|
|
31
|
+
- R2: ...
|
|
32
|
+
|
|
33
|
+
## Assumptions
|
|
34
|
+
- <as given, or "None">
|
|
35
|
+
|
|
36
|
+
## Out of Scope
|
|
37
|
+
- <as given, or "Not specified — TBD">
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
## Handoff Note
|
|
41
|
+
When instructed to perform a handoff, append a **Handoff Note** section after Out of Scope containing:
|
|
42
|
+
- Unresolved questions / open items (if any)
|
|
43
|
+
- Key decisions made during planning (with rationale)
|
|
44
|
+
- Summary of researcher's findings that may be relevant to implementation
|
|
45
|
+
- Any assumptions that could affect implementation order or strategy
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: refactoring-patterns
|
|
3
|
+
description: Guidelines and step-by-step checklists for safely performing code refactoring patterns (Fowler) without breaking existing interfaces.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Architectural Refactoring Patterns
|
|
7
|
+
|
|
8
|
+
## Refactoring Best Practices
|
|
9
|
+
|
|
10
|
+
- **Zero-Regression Focus**: Run the test suite after every incremental modification. Do not make multiple unrelated refactoring edits at the same time.
|
|
11
|
+
- **Maintain Public Interfaces**: Do not change public function signatures or API endpoints unless explicitly requested. Use deprecation notices or adapters if structural changes are necessary.
|
|
12
|
+
- **Separate Refactoring from Features**: Do not mix refactoring with adding new features. Refactor first, commit, then implement the new feature on top of the clean design.
|
|
13
|
+
|
|
14
|
+
## Standard Fowler Checklists
|
|
15
|
+
|
|
16
|
+
### 1. Extract Function
|
|
17
|
+
1. Create a new function and name it after its intent (what it does, not how it does it).
|
|
18
|
+
2. Copy the extracted code block into the new function.
|
|
19
|
+
3. Pass any variables that are read but not modified inside the extracted block as arguments.
|
|
20
|
+
4. Pass any variables that are modified inside the extracted block as return values.
|
|
21
|
+
5. Replace the original code block with a call to the new function.
|
|
22
|
+
6. Run tests to verify correctness.
|
|
23
|
+
|
|
24
|
+
### 2. Move Field / Method
|
|
25
|
+
1. Ensure the source object and target object are accessible in both scopes.
|
|
26
|
+
2. Implement the method or field on the target object.
|
|
27
|
+
3. Update the source method/field to delegate calls to the target object.
|
|
28
|
+
4. Replace direct references to the source method/field across the codebase with references to the target object.
|
|
29
|
+
5. Remove the source implementation once no references remain.
|
|
30
|
+
6. Run tests to verify correctness.
|
|
31
|
+
|
|
32
|
+
### 3. Replace Conditional with Polymorphism
|
|
33
|
+
1. Identify the class or interface that represents the conditional variations.
|
|
34
|
+
2. Create sub-classes or polymorphic implementations for each branch of the conditional statement.
|
|
35
|
+
3. Move the branch-specific execution code into overridden methods in each sub-class.
|
|
36
|
+
4. Replace the original conditional check with a polymorphic method call on the object instance.
|
|
37
|
+
5. Run tests to verify correctness.
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-auditing
|
|
3
|
+
description: Act as a validation gate checking if security patches resolved vulnerabilities without introducing regressions or over-engineering (Bloat analysis).
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Security Auditing & Quality Gate
|
|
7
|
+
|
|
8
|
+
## Core Work
|
|
9
|
+
- Inspect modified codebase files and run test commands to verify vulnerability elimination.
|
|
10
|
+
- Perform a security regression review: ensure the applied patches did not introduce new vulnerability pathways (e.g., input bypasses or insecure error handling).
|
|
11
|
+
- Perform an over-engineering review (Ponytail audit lens).
|
|
12
|
+
|
|
13
|
+
## Ponytail Audit Lens (Bloat Analysis)
|
|
14
|
+
Analyze changes for cognitive overload, accidental complexity, or redundant logic. Check for:
|
|
15
|
+
- Unrequested abstractions
|
|
16
|
+
- Boilerplate
|
|
17
|
+
- Excessive lines of code (more than necessary to resolve the vulnerability)
|
|
18
|
+
- Redundant logic
|
|
19
|
+
|
|
20
|
+
## Hard Rules
|
|
21
|
+
- Output *only* the PASS/FAIL verdict, Gap List, and BLOAT List.
|
|
22
|
+
- Do NOT propose remedies, suggest code adjustments, or edit code.
|
|
23
|
+
|
|
24
|
+
## Mandatory Output Schema
|
|
25
|
+
Your output must consist ONLY of:
|
|
26
|
+
|
|
27
|
+
```markdown
|
|
28
|
+
## Verdict: PASS | FAIL
|
|
29
|
+
|
|
30
|
+
## Gap List
|
|
31
|
+
- List of specific files/lines where vulnerabilities are still active or regression was detected (FAIL cases only).
|
|
32
|
+
|
|
33
|
+
## BLOAT List
|
|
34
|
+
- List of over-engineered constructs, abstractions, or boilerplate found in the patches.
|
|
35
|
+
```
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-remediation
|
|
3
|
+
description: Standard code patterns and recipes for safely fixing common OWASP Top 10 vulnerabilities (SQLi, XSS, CSRF, SSRF, broken auth) without introducing bloat.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Secure Remediation Patterns
|
|
7
|
+
|
|
8
|
+
## Vulnerability Remediation Recipes
|
|
9
|
+
|
|
10
|
+
### 1. SQL Injection (SQLi)
|
|
11
|
+
- **Remedy**: Always parameterize query bindings. Never concatenate or interpolate user input directly into query strings.
|
|
12
|
+
- **Example (Bad)**:
|
|
13
|
+
`db.execute("SELECT * FROM users WHERE name = '" + input + "'")`
|
|
14
|
+
- **Example (Good)**:
|
|
15
|
+
`db.execute("SELECT * FROM users WHERE name = ?", [input])`
|
|
16
|
+
|
|
17
|
+
### 2. Cross-Site Scripting (XSS)
|
|
18
|
+
- **Remedy**: Contextually encode all dynamic data output to HTML. Prioritize framework default binding mechanisms (e.g. JSX expression, textContent) over direct DOM injection.
|
|
19
|
+
- **Example (Bad)**:
|
|
20
|
+
`element.innerHTML = userInput`
|
|
21
|
+
- **Example (Good)**:
|
|
22
|
+
`element.textContent = userInput`
|
|
23
|
+
|
|
24
|
+
### 3. Server-Side Request Forgery (SSRF)
|
|
25
|
+
- **Remedy**: Implement a strict IP/Domain allow-list for external fetches. Block resolve paths pointing to internal private metadata or loopback addresses.
|
|
26
|
+
- **Forbidden Ranges**: `127.0.0.0/8`, `10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`, `169.254.169.254`.
|
|
27
|
+
|
|
28
|
+
### 4. Broken Object Level Authorization (BOLA / IDOR)
|
|
29
|
+
- **Remedy**: Check that the authenticated session user actually owns the resource identifier requested before executing read, update, or delete commands.
|
|
30
|
+
- **Example (Bad)**:
|
|
31
|
+
`db.getInvoice(req.params.id)`
|
|
32
|
+
- **Example (Good)**:
|
|
33
|
+
`invoice = db.getInvoice(req.params.id); if (invoice.userId !== req.session.userId) throw new UnauthorizedError();`
|
|
34
|
+
|
|
35
|
+
## General Safety Checklist
|
|
36
|
+
- Never log raw passwords, access tokens, or sensitive API keys.
|
|
37
|
+
- Ensure all error messages returned to the API client are generic and do not expose internal stack traces or database configurations.
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: summary-reporting
|
|
3
|
+
description: Format raw facts, outcomes, RCA findings, and validation results into formal execution and summary reports.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Summary & Execution Reporting
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Fidelity to Sources**: Every claim in the report must trace back verbatim to a source output (e.g. Tracer findings, Patcher changes, Auditor verdict, Debugger diagnosis). No claim or interpretation may originate from the reporter.
|
|
11
|
+
- **Audience-First**: Tailor detail level and vocabulary for the target reader (technical lead, maintainer, end-user) if specified. Default to technical summary.
|
|
12
|
+
- **DRY for Docs**: Present findings exactly once; use cross-references instead of repeating data across sections.
|
|
13
|
+
- **Priority Ordering**: Order findings by severity (blocking failures/confirmed vulnerabilities first, then open risks/suspected vulnerabilities, then informational notes/bloat).
|
|
14
|
+
- **Stateless formatting**: Do not remember context across runs. Do not make inferences or assumptions.
|
|
15
|
+
- **Target Output Directory**: Write ONLY to the `docs/reports/` directory.
|
|
16
|
+
|
|
17
|
+
## Hard Rules
|
|
18
|
+
- Do NOT make inferences or assume facts. If input is missing or incomplete, write `TBD` or `N/A`.
|
|
19
|
+
- Do NOT add analysis, recommendations, or opinions beyond what was provided.
|
|
20
|
+
- Do NOT run bash commands.
|
|
21
|
+
|
|
22
|
+
## Standard Formats
|
|
23
|
+
|
|
24
|
+
### Format A: Compose Completion Report
|
|
25
|
+
```markdown
|
|
26
|
+
# Report: <subject>
|
|
27
|
+
|
|
28
|
+
## For: <audience>
|
|
29
|
+
|
|
30
|
+
## Outcome
|
|
31
|
+
<PASS/FAIL or completion status, as given>
|
|
32
|
+
|
|
33
|
+
## Details
|
|
34
|
+
<compressed from input, no added interpretation>
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
### Format B: Brooks-Lint Diagnosis Report (Debugger)
|
|
38
|
+
```markdown
|
|
39
|
+
# Diagnosis Report: <subject>
|
|
40
|
+
|
|
41
|
+
## For: <audience>
|
|
42
|
+
|
|
43
|
+
## Decay Risk Classification
|
|
44
|
+
<R1-R6 or T1-T6 risk(s) identified>
|
|
45
|
+
|
|
46
|
+
## Findings
|
|
47
|
+
### Finding 1: <decay risk> — <brief title>
|
|
48
|
+
**Symptom:** ...
|
|
49
|
+
**Source:** ...
|
|
50
|
+
**Consequence:** ...
|
|
51
|
+
**Remedy:** ...
|
|
52
|
+
|
|
53
|
+
### Finding 2: ...
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
### Format C: Security & Quality Audit Report (Analyze)
|
|
57
|
+
```markdown
|
|
58
|
+
# Security & Quality Audit Report: <Date/Subject>
|
|
59
|
+
|
|
60
|
+
## Executive Summary
|
|
61
|
+
- **Auditor Verdict:** <PASS/FAIL>
|
|
62
|
+
- **Confirmed Vulnerabilities:** <count>
|
|
63
|
+
- **Suspected Vulnerabilities:** <count>
|
|
64
|
+
- **Patches Applied:** <summary of Patcher changes, or "None">
|
|
65
|
+
|
|
66
|
+
## Vulnerability Findings
|
|
67
|
+
### Confirmed Vulnerabilities
|
|
68
|
+
<verbatim from Tracer confirmed_vulns — OWASP category, location, data flow>
|
|
69
|
+
|
|
70
|
+
### Suspected Vulnerabilities
|
|
71
|
+
<verbatim from Tracer suspected_vulns>
|
|
72
|
+
|
|
73
|
+
### Quality & Decay Risks
|
|
74
|
+
<verbatim from Tracer quality & decay risks>
|
|
75
|
+
|
|
76
|
+
## Patches Applied
|
|
77
|
+
<verbatim diff summary from Patcher, or "N/A — audit only mode">
|
|
78
|
+
|
|
79
|
+
## Auditor Verdict Detail
|
|
80
|
+
- **Verdict:** <PASS/FAIL>
|
|
81
|
+
- **Gap List:** <verbatim from Auditor — files/lines still vulnerable, or "None">
|
|
82
|
+
- **BLOAT List:** <verbatim from Auditor — over-engineered constructs, or "None">
|
|
83
|
+
```
|
|
@@ -0,0 +1,44 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: test-assurance
|
|
3
|
+
description: Write, run, and evaluate test suites to confirm correctness and identify regressions or coverage gaps.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Test Validation & Test Assurance
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **Regression Awareness**: Separate new failures (introduced by current changes) from pre-existing failures. Pre-existing failures are context, not a gap to close in this pass.
|
|
11
|
+
- **Coverage Gaps**: Any code written or modified that lacks a corresponding test is a reportable gap.
|
|
12
|
+
- **Test Independence**: If tests share mutable state or depend on execution order, flag it as a structural risk.
|
|
13
|
+
- **Blocked Status**: If you cannot run the test suite (missing dependencies, no framework), report it as BLOCKED. Do not attempt to install packages or configure settings.
|
|
14
|
+
|
|
15
|
+
## Efficiency Constraints (Minimal Testing)
|
|
16
|
+
- **Minimal Testing**: Test only the smallest thing that fails if the logic breaks.
|
|
17
|
+
- **No Speculative Edge Cases**: Write tests for actual requirements, not imagined inputs.
|
|
18
|
+
- **One Assertion per Behavior**: Keep assertions focused on a single logical outcome.
|
|
19
|
+
- **No Complex Fixtures**: Write the simplest assertions or test files possible.
|
|
20
|
+
- **No Tests for Trivial Code**: Trivial one-liners need no tests.
|
|
21
|
+
|
|
22
|
+
## Hard Rules
|
|
23
|
+
- Report the PASS/FAIL/BLOCKED status, results table, regressions, and coverage gaps.
|
|
24
|
+
- Do NOT fix failing tests, rewrite suites, or decide whether failures are blocking. Let the primary agent decide.
|
|
25
|
+
- Do NOT install dependencies or configure frameworks.
|
|
26
|
+
|
|
27
|
+
## Mandatory Output Schema
|
|
28
|
+
|
|
29
|
+
```markdown
|
|
30
|
+
## Status: PASS | FAIL | BLOCKED
|
|
31
|
+
|
|
32
|
+
## Test Results
|
|
33
|
+
| Test suite | Passed | Failed | New failure? |
|
|
34
|
+
|---|---|---|---|
|
|
35
|
+
|
|
36
|
+
## New Failures (regressions from current changes)
|
|
37
|
+
- <test name>: <failure message>
|
|
38
|
+
|
|
39
|
+
## Pre-existing Failures (not caused by current changes)
|
|
40
|
+
- <test name>: <note>
|
|
41
|
+
|
|
42
|
+
## Coverage Gaps (code written/modified without tests)
|
|
43
|
+
- <file/function>: <note>
|
|
44
|
+
```
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: test-mocking-strategy
|
|
3
|
+
description: Guidelines on when and how to mock external services (databases, network requests, third-party APIs) during test creation.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# Mocking & Test Double Strategy
|
|
7
|
+
|
|
8
|
+
## Core Principles
|
|
9
|
+
|
|
10
|
+
- **No Over-Mocking**: Limit mocks to external trust boundaries (e.g., external HTTP endpoints, third-party API clients). Never mock internal domain models, database queries, helper utilities, or core business logic unless absolutely necessary.
|
|
11
|
+
- **Contract Verification**: Ensure mock payloads and responses strictly match the actual schema of the external API. Stale mocks that hide schema drift are a major regression risk.
|
|
12
|
+
- **Prefer Stubs over Mocks**: Use simple stubs (returning canned data) over complex mock objects with verified call counts and expectations, keeping test setup clean and readable.
|
|
13
|
+
- **Standardized Mock Tools**: Utilize standard community tools (e.g., `nock`, `msw`, `unittest.mock`) instead of writing custom, proprietary mock engines.
|
|
14
|
+
|
|
15
|
+
## Decisions & Boundaries
|
|
16
|
+
- **Database Mocks**: Prefer using a lightweight in-memory database (e.g., SQLite in-memory) or database transactions that rollback after each test over mocking SQL connections or ORM calls.
|
|
17
|
+
- **HTTP Requests**: Mock network calls at the HTTP layer (using tools like `msw` or `nock`) rather than patching the application-level API client wrapper, ensuring client serialization logic is tested.
|
|
18
|
+
- **Time/Date Mocking**: Use deterministic clock wrapper utilities or standard mock timers (e.g., `sinon.useFakeTimers`, `freezegun`) when testing time-sensitive operations (e.g., token expiration, transaction limits).
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: ui-design-audit
|
|
3
|
+
description: Quality assurance playbook for auditing user interfaces for accessibility (WCAG), layout defects, responsive scaling, and over-engineering.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# UI Design Audit & QA Playbook
|
|
7
|
+
|
|
8
|
+
## 1. Accessibility (WCAG 2.1 AA Compliance)
|
|
9
|
+
- **Contrast Check**: Verify hex color values for text and interactive indicators against backgrounds. Normal text must satisfy $\ge 4.5:1$ contrast ratio, and large text must satisfy $\ge 3:1$.
|
|
10
|
+
- **Focus Rings**: Verify that all interactive elements have visible `:focus` or `:focus-visible` outline rings to support keyboard-only navigation.
|
|
11
|
+
- **Semantic Structure**: Ensure proper HTML heading hierarchy (never skip heading levels like `h1` directly to `h3`). Ensure proper ARIA roles and labels on dynamic components (modals, dropdowns).
|
|
12
|
+
|
|
13
|
+
## 2. Layout & Responsiveness
|
|
14
|
+
- **Breakpoint Overflows**: Check for hardcoded pixel widths (`width: 500px`) that cause horizontal scrolling on smaller viewports. Ensure flexible percentage or viewport-based units (`w-full`, `max-w-*`) are used.
|
|
15
|
+
- **Alignment Integrity**: Check that grids, flexboxes, and columns do not overlap or misalign at intermediate screen widths.
|
|
16
|
+
- **Empty States**: Ensure any dynamic layout accounts for loading or empty states with clean indicators.
|
|
17
|
+
|
|
18
|
+
## 3. Performance & Asset Optimization
|
|
19
|
+
- **Static Assets**: Verify that images are loaded in modern formats (e.g. `.webp` instead of high-resolution `.png` / `.jpg`) and contain explicit width/height parameters to avoid cumulative layout shifts (CLS).
|
|
20
|
+
- **Fonts**: Ensure external web fonts are preloaded or styled with a proper fallback font stack (e.g., `font-family: 'Inter', sans-serif;`) to prevent layout flickering.
|
|
21
|
+
|
|
22
|
+
## 4. Visual Over-Engineering Check
|
|
23
|
+
- Ensure that the CSS is clean and organized, avoiding excessive layers of unneeded nested rules, duplicate styling declarations, or unused CSS utility classes.
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: ui-design-system
|
|
3
|
+
description: Playbook and guidelines for creating visually rich, innovative, and modern user interfaces (design system, spacing, typography, and micro-interactions).
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# UI Design System & Guidelines
|
|
7
|
+
|
|
8
|
+
## 1. Typography & Hierarchy
|
|
9
|
+
- **Primary Font**: Use modern, clean typography (e.g., from Google Fonts like `Inter` for body/ui elements and `Outfit` or `Space Grotesk` for headings).
|
|
10
|
+
- **Scale**:
|
|
11
|
+
- Headings (`h1`, `h2`): Semibold/Bold, tighter line-height (`1.2`), tracking tight.
|
|
12
|
+
- Body: Regular, line-height `1.5` or `1.6`, tracking normal.
|
|
13
|
+
- Labels/Buttons: Medium, uppercase or medium weight, tracking wide.
|
|
14
|
+
|
|
15
|
+
## 2. Spacing & Grid System
|
|
16
|
+
- **Spacing Scale**: Enforce a strict spacing scale based on multiples of 4px/8px (e.g., Tailwind's `p-2`, `p-4`, `p-6`, `p-8` scales). Never use random "magic numbers" for margins or padding.
|
|
17
|
+
- **Grids & Flexbox**: Always align elements using responsive flexbox or grid layouts. Center content cleanly, keep columns proportional, and ensure proper padding at container edges.
|
|
18
|
+
|
|
19
|
+
## 3. Visual Depth & Aesthetics
|
|
20
|
+
- **Elevations & Depth**: Use subtle border strokes (e.g. `rgba(255,255,255,0.08)` in dark mode) paired with soft shadows to define elevation.
|
|
21
|
+
- **Gradients**: Utilize smooth, harmonious color gradients for key accent elements, headers, and call-to-action buttons.
|
|
22
|
+
- **Glassmorphism**: When creating modern panels or modals, prefer semi-transparent backgrounds with background blur (e.g., `backdrop-filter: blur(12px)`).
|
|
23
|
+
- **Color Accents**: Avoid primary saturated primaries (e.g., plain `#ff0000`, `#0000ff`). Use tailored palettes (e.g. HSL tailored neon/pastel gradients, sleek slate/charcoal backgrounds).
|
|
24
|
+
|
|
25
|
+
## 4. Micro-Interactions & Transitions
|
|
26
|
+
- **Interactive States**: Every interactive element (buttons, cards, inputs) must have explicit `:hover`, `:focus-visible`, and `:active` styles.
|
|
27
|
+
- **Transitions**: Apply smooth transition effects (`transition: all 0.2s cubic-bezier(0.4, 0, 0.2, 1)`) to avoid sudden visual snapping on hover or state change.
|
|
28
|
+
|
|
29
|
+
## 5. Mobile-First Responsiveness
|
|
30
|
+
- Start layouts mobile-first. Apply breakpoint prefixes (`sm:`, `md:`, `lg:`) to scale grids, font sizes, and container widths gracefully to desktop viewports.
|
|
31
|
+
|
|
32
|
+
## 6. Mockup & Prototype Delivery Protocol
|
|
33
|
+
When tasked with generating a visual layout, mockup, or interface prototype:
|
|
34
|
+
- **No ASCII Drawing**: Do not output textual ASCII grids or drawings.
|
|
35
|
+
- **Self-Contained File**: Generate a complete, valid HTML5 file.
|
|
36
|
+
- **Embedded CSS**: Include a `<style>` block containing fonts (Inter/Outfit), layout variables, component styles, states (:hover, :focus), and smooth transition curves.
|
|
37
|
+
- **Embedded JS**: Include a `<script>` block implementing DOM interactions (tab switching, theme toggles, modal open/close) so it works as a fully responsive, interactive live prototype.
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: wstg-recon
|
|
3
|
+
description: Scan project directory structure, map attack surfaces, and trace vulnerability data-flow paths using secure code review and WSTG principles.
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
# WSTG Threat Model & Vulnerability Tracing
|
|
7
|
+
|
|
8
|
+
## Scope of Work
|
|
9
|
+
- Scan the directory structure and codebase to identify potential entry points, routes, API endpoints, and security weaknesses.
|
|
10
|
+
- Perform a breadth-first assessment: map outer interfaces and entry points before analyzing deep business logic.
|
|
11
|
+
- Trace data flows from untrusted inputs to dangerous sinks (e.g., raw SQL query calls, shell execution points, eval functions).
|
|
12
|
+
- Guide your checks using WSTG (Web Security Testing Guide) methodologies and secure code review practices.
|
|
13
|
+
|
|
14
|
+
## Hard Rules
|
|
15
|
+
- Focus on locating vulnerability paths. Do NOT propose remedies, write code fixes, or modify files.
|
|
16
|
+
- Do NOT decide remediation priorities.
|
|
17
|
+
- Classify findings strictly into the target output format.
|
|
18
|
+
|
|
19
|
+
## Mandatory Output Schema
|
|
20
|
+
Your output must be structured exactly as follows:
|
|
21
|
+
|
|
22
|
+
```markdown
|
|
23
|
+
### Confirmed Vulnerabilities
|
|
24
|
+
1. **[OWASP Category / WSTG ID]** Description of vulnerability path.
|
|
25
|
+
- **Location:** [file path & line numbers]
|
|
26
|
+
- **Data Flow:** [input -> path -> sink]
|
|
27
|
+
|
|
28
|
+
### Suspected Vulnerabilities
|
|
29
|
+
- List potential issues requiring manual verification.
|
|
30
|
+
|
|
31
|
+
### Quality & Decay Risks
|
|
32
|
+
- List security-adjacent decay risks (e.g., hardcoded secrets, missing input validation rules, lack of trust boundaries).
|
|
33
|
+
```
|