npm - @heyai-rules/pilo-masterkit - Versions diffs - 2.1.0 → 3.1.0 - Mend

@heyai-rules/pilo-masterkit 2.1.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (739) hide show

package/.agent/agents/PILO_MASTER.md +77 -77
package/.agent/agents/architect.md +211 -211
package/.agent/agents/backend-specialist.md +263 -263
package/.agent/agents/build-error-resolver.md +114 -114
package/.agent/agents/chief-of-staff.md +151 -151
package/.agent/agents/code-archaeologist.md +106 -106
package/.agent/agents/code-reviewer.md +237 -237
package/.agent/agents/cpp-build-resolver.md +90 -90
package/.agent/agents/cpp-reviewer.md +72 -72
package/.agent/agents/csharp-reviewer.md +101 -101
package/.agent/agents/dart-build-resolver.md +201 -201
package/.agent/agents/database-architect.md +226 -226
package/.agent/agents/database-reviewer.md +91 -91
package/.agent/agents/debugger.md +225 -225
package/.agent/agents/devops-engineer.md +242 -242
package/.agent/agents/doc-updater.md +107 -107
package/.agent/agents/docs-lookup.md +68 -68
package/.agent/agents/documentation-writer.md +104 -104
package/.agent/agents/e2e-runner.md +107 -107
package/.agent/agents/explorer-agent.md +73 -73
package/.agent/agents/flutter-reviewer.md +243 -243
package/.agent/agents/frontend-specialist.md +593 -593
package/.agent/agents/game-developer.md +162 -162
package/.agent/agents/gan-evaluator.md +209 -209
package/.agent/agents/gan-generator.md +131 -131
package/.agent/agents/gan-planner.md +99 -99
package/.agent/agents/go-build-resolver.md +94 -94
package/.agent/agents/go-reviewer.md +76 -76
package/.agent/agents/harness-optimizer.md +35 -35
package/.agent/agents/healthcare-reviewer.md +83 -83
package/.agent/agents/java-build-resolver.md +153 -153
package/.agent/agents/java-reviewer.md +92 -92
package/.agent/agents/kotlin-build-resolver.md +118 -118
package/.agent/agents/kotlin-reviewer.md +159 -159
package/.agent/agents/loop-operator.md +36 -36
package/.agent/agents/mobile-developer.md +377 -377
package/.agent/agents/opensource-forker.md +198 -198
package/.agent/agents/opensource-packager.md +249 -249
package/.agent/agents/opensource-sanitizer.md +188 -188
package/.agent/agents/orchestrator.md +416 -416
package/.agent/agents/penetration-tester.md +188 -188
package/.agent/agents/performance-optimizer.md +446 -446
package/.agent/agents/personas/athena-agent/agent.json +10 -10
package/.agent/agents/personas/athena-agent/athena-backend-logic-architecture-profile.md +3 -3
package/.agent/agents/personas/athena-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/athena-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/athena-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/athena-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/athena-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/athena-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/da-vinci-agent/agent.json +10 -10
package/.agent/agents/personas/da-vinci-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/da-vinci-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/da-vinci-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/da-vinci-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/da-vinci-agent/da-vinci-frontend-ui-ux-design-profile.md +3 -3
package/.agent/agents/personas/da-vinci-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/da-vinci-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/duong-tang-agent/agent.json +10 -10
package/.agent/agents/personas/duong-tang-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/duong-tang-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/duong-tang-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/duong-tang-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/duong-tang-agent/tang-monk-quality-testing-documentation-profile.md +3 -3
package/.agent/agents/personas/duong-tang-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/duong-tang-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/gia-cat-luong-agent/agent.json +10 -10
package/.agent/agents/personas/gia-cat-luong-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/gia-cat-luong-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/gia-cat-luong-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/gia-cat-luong-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/gia-cat-luong-agent/kongming-research-strategy-analysis-profile.md +3 -3
package/.agent/agents/personas/gia-cat-luong-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/gia-cat-luong-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/mihata-agent/agent.json +10 -10
package/.agent/agents/personas/mihata-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/mihata-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/mihata-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/mihata-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/mihata-agent/mihata-multi-agent-orchestration-profile.md +3 -3
package/.agent/agents/personas/mihata-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/mihata-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/tesla-agent/agent.json +10 -10
package/.agent/agents/personas/tesla-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/tesla-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/tesla-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/tesla-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/tesla-agent/tesla-fullstack-system-optimization-profile.md +3 -3
package/.agent/agents/personas/tesla-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/tesla-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/tu-ma-y-agent/agent.json +10 -10
package/.agent/agents/personas/tu-ma-y-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/tu-ma-y-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/tu-ma-y-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/tu-ma-y-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/tu-ma-y-agent/simayi-feasibility-risk-control-profile.md +3 -3
package/.agent/agents/personas/tu-ma-y-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/tu-ma-y-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/venti-agent/agent.json +10 -10
package/.agent/agents/personas/venti-agent/context-files/agents.md +1 -1
package/.agent/agents/personas/venti-agent/context-files/identity.md +1 -1
package/.agent/agents/personas/venti-agent/context-files/soul.md +1 -1
package/.agent/agents/personas/venti-agent/context-files/user-predefined.md +1 -1
package/.agent/agents/personas/venti-agent/user-context-files/system/bootstrap.md +1 -1
package/.agent/agents/personas/venti-agent/user-context-files/system/user.md +1 -1
package/.agent/agents/personas/venti-agent/venti-learning-communication-mentoring-profile.md +3 -3
package/.agent/agents/planner.md +212 -212
package/.agent/agents/product-manager.md +112 -112
package/.agent/agents/product-owner.md +95 -95
package/.agent/agents/project-planner.md +406 -406
package/.agent/agents/python-reviewer.md +98 -98
package/.agent/agents/pytorch-build-resolver.md +120 -120
package/.agent/agents/qa-automation-engineer.md +103 -103
package/.agent/agents/refactor-cleaner.md +85 -85
package/.agent/agents/rust-build-resolver.md +148 -148
package/.agent/agents/rust-reviewer.md +94 -94
package/.agent/agents/security-auditor.md +170 -170
package/.agent/agents/security-reviewer.md +108 -108
package/.agent/agents/seo-specialist.md +111 -111
package/.agent/agents/tdd-guide.md +91 -91
package/.agent/agents/test-engineer.md +158 -158
package/.agent/agents/typescript-reviewer.md +112 -112
package/.agent/contexts/dev.md +20 -20
package/.agent/contexts/research.md +26 -26
package/.agent/contexts/review.md +22 -22
package/.agent/hooks/hooks.json +395 -395
package/.agent/hooks/readme.md +222 -222
package/.agent/mcp-configs/mcp-servers.json +181 -181
package/.agent/rules/ARCHITECTURAL_BLUEPRINTS.md +62 -62
package/.agent/rules/CODE_CRAFTSMANSHIP.md +69 -69
package/.agent/rules/CORE_RULES.md +72 -72
package/.agent/rules/PROJECT_MAP.md +58 -58
package/.agent/rules/QUALITY_ASSURANCE.md +54 -54
package/.agent/rules/SECURITY_ARMOR.md +44 -44
package/.agent/rules/VERSION_ORCHESTRATION.md +64 -64
package/.agent/rules/WORKFLOW_ORCHESTRATION.md +55 -55
package/.agent/rules/common/agents.md +50 -50
package/.agent/rules/common/code-review.md +124 -124
package/.agent/rules/common/coding-style.md +48 -48
package/.agent/rules/common/development-workflow.md +44 -44
package/.agent/rules/common/git-workflow.md +24 -24
package/.agent/rules/common/hooks.md +30 -30
package/.agent/rules/common/patterns.md +31 -31
package/.agent/rules/common/performance.md +55 -55
package/.agent/rules/common/security.md +29 -29
package/.agent/rules/common/testing.md +29 -29
package/.agent/rules/cpp/coding-style.md +44 -44
package/.agent/rules/cpp/hooks.md +39 -39
package/.agent/rules/cpp/patterns.md +51 -51
package/.agent/rules/cpp/security.md +51 -51
package/.agent/rules/cpp/testing.md +44 -44
package/.agent/rules/csharp/coding-style.md +72 -72
package/.agent/rules/csharp/hooks.md +25 -25
package/.agent/rules/csharp/patterns.md +50 -50
package/.agent/rules/csharp/security.md +58 -58
package/.agent/rules/csharp/testing.md +46 -46
package/.agent/rules/dart/coding-style.md +159 -159
package/.agent/rules/dart/hooks.md +66 -66
package/.agent/rules/dart/patterns.md +261 -261
package/.agent/rules/dart/security.md +135 -135
package/.agent/rules/dart/testing.md +215 -215
package/.agent/rules/golang/coding-style.md +32 -32
package/.agent/rules/golang/hooks.md +17 -17
package/.agent/rules/golang/patterns.md +45 -45
package/.agent/rules/golang/security.md +34 -34
package/.agent/rules/golang/testing.md +31 -31
package/.agent/rules/java/coding-style.md +114 -114
package/.agent/rules/java/hooks.md +18 -18
package/.agent/rules/java/patterns.md +146 -146
package/.agent/rules/java/security.md +100 -100
package/.agent/rules/java/testing.md +131 -131
package/.agent/rules/kotlin/coding-style.md +86 -86
package/.agent/rules/kotlin/hooks.md +17 -17
package/.agent/rules/kotlin/patterns.md +146 -146
package/.agent/rules/kotlin/security.md +82 -82
package/.agent/rules/kotlin/testing.md +128 -128
package/.agent/rules/perl/coding-style.md +46 -46
package/.agent/rules/perl/hooks.md +22 -22
package/.agent/rules/perl/patterns.md +76 -76
package/.agent/rules/perl/security.md +69 -69
package/.agent/rules/perl/testing.md +54 -54
package/.agent/rules/php/coding-style.md +40 -40
package/.agent/rules/php/hooks.md +24 -24
package/.agent/rules/php/patterns.md +33 -33
package/.agent/rules/php/security.md +37 -37
package/.agent/rules/php/testing.md +39 -39
package/.agent/rules/python/coding-style.md +42 -42
package/.agent/rules/python/hooks.md +19 -19
package/.agent/rules/python/patterns.md +39 -39
package/.agent/rules/python/security.md +30 -30
package/.agent/rules/python/testing.md +38 -38
package/.agent/rules/readme.md +111 -111
package/.agent/rules/rust/coding-style.md +151 -151
package/.agent/rules/rust/hooks.md +16 -16
package/.agent/rules/rust/patterns.md +168 -168
package/.agent/rules/rust/security.md +141 -141
package/.agent/rules/rust/testing.md +154 -154
package/.agent/rules/swift/coding-style.md +47 -47
package/.agent/rules/swift/hooks.md +20 -20
package/.agent/rules/swift/patterns.md +66 -66
package/.agent/rules/swift/security.md +33 -33
package/.agent/rules/swift/testing.md +45 -45
package/.agent/rules/typescript/coding-style.md +199 -199
package/.agent/rules/typescript/hooks.md +22 -22
package/.agent/rules/typescript/patterns.md +52 -52
package/.agent/rules/typescript/security.md +28 -28
package/.agent/rules/typescript/testing.md +18 -18
package/.agent/rules/web/coding-style.md +96 -96
package/.agent/rules/web/design-quality.md +63 -63
package/.agent/rules/web/hooks.md +120 -120
package/.agent/rules/web/patterns.md +79 -79
package/.agent/rules/web/performance.md +64 -64
package/.agent/rules/web/security.md +57 -57
package/.agent/rules/web/testing.md +55 -55
package/.agent/rules/zh/agents.md +50 -50
package/.agent/rules/zh/code-review.md +124 -124
package/.agent/rules/zh/coding-style.md +48 -48
package/.agent/rules/zh/development-workflow.md +44 -44
package/.agent/rules/zh/git-workflow.md +24 -24
package/.agent/rules/zh/hooks.md +30 -30
package/.agent/rules/zh/patterns.md +31 -31
package/.agent/rules/zh/performance.md +55 -55
package/.agent/rules/zh/readme.md +108 -108
package/.agent/rules/zh/security.md +29 -29
package/.agent/rules/zh/testing.md +29 -29
package/.agent/scripts/auto_preview.py +148 -148
package/.agent/scripts/checklist.py +217 -217
package/.agent/scripts/session_manager.py +120 -120
package/.agent/scripts/verify_all.py +327 -327
package/.agent/skills/agent-eval/SKILL.md +145 -145
package/.agent/skills/agent-harness-construction/SKILL.md +73 -73
package/.agent/skills/agent-payment-x402/SKILL.md +178 -178
package/.agent/skills/agentic-engineering/SKILL.md +63 -63
package/.agent/skills/ai-first-engineering/SKILL.md +51 -51
package/.agent/skills/ai-regression-testing/SKILL.md +385 -385
package/.agent/skills/android-clean-architecture/SKILL.md +339 -339
package/.agent/skills/api-design/SKILL.md +523 -523
package/.agent/skills/api-patterns/SKILL.md +81 -81
package/.agent/skills/api-patterns/api-style.md +42 -42
package/.agent/skills/api-patterns/auth.md +24 -24
package/.agent/skills/api-patterns/documentation.md +26 -26
package/.agent/skills/api-patterns/graphql.md +41 -41
package/.agent/skills/api-patterns/rate-limiting.md +31 -31
package/.agent/skills/api-patterns/response.md +37 -37
package/.agent/skills/api-patterns/rest.md +40 -40
package/.agent/skills/api-patterns/scripts/api_validator.py +211 -211
package/.agent/skills/api-patterns/security-testing.md +122 -122
package/.agent/skills/api-patterns/trpc.md +41 -41
package/.agent/skills/api-patterns/versioning.md +22 -22
package/.agent/skills/app-builder/SKILL.md +75 -75
package/.agent/skills/app-builder/agent-coordination.md +71 -71
package/.agent/skills/app-builder/feature-building.md +53 -53
package/.agent/skills/app-builder/project-detection.md +34 -34
package/.agent/skills/app-builder/scaffolding.md +118 -118
package/.agent/skills/app-builder/tech-stack.md +41 -41
package/.agent/skills/app-builder/templates/SKILL.md +39 -39
package/.agent/skills/app-builder/templates/astro-static/TEMPLATE.md +76 -76
package/.agent/skills/app-builder/templates/chrome-extension/TEMPLATE.md +92 -92
package/.agent/skills/app-builder/templates/cli-tool/TEMPLATE.md +88 -88
package/.agent/skills/app-builder/templates/electron-desktop/TEMPLATE.md +88 -88
package/.agent/skills/app-builder/templates/express-api/TEMPLATE.md +83 -83
package/.agent/skills/app-builder/templates/flutter-app/TEMPLATE.md +90 -90
package/.agent/skills/app-builder/templates/monorepo-turborepo/TEMPLATE.md +90 -90
package/.agent/skills/app-builder/templates/nextjs-fullstack/TEMPLATE.md +122 -122
package/.agent/skills/app-builder/templates/nextjs-saas/TEMPLATE.md +122 -122
package/.agent/skills/app-builder/templates/nextjs-static/TEMPLATE.md +169 -169
package/.agent/skills/app-builder/templates/nuxt-app/TEMPLATE.md +134 -134
package/.agent/skills/app-builder/templates/python-fastapi/TEMPLATE.md +83 -83
package/.agent/skills/app-builder/templates/react-native-app/TEMPLATE.md +119 -119
package/.agent/skills/architecture/SKILL.md +55 -55
package/.agent/skills/architecture/context-discovery.md +43 -43
package/.agent/skills/architecture/examples.md +94 -94
package/.agent/skills/architecture/pattern-selection.md +68 -68
package/.agent/skills/architecture/patterns-reference.md +50 -50
package/.agent/skills/architecture/trade-off-analysis.md +77 -77
package/.agent/skills/architecture-decision-records/SKILL.md +179 -179
package/.agent/skills/article-writing/SKILL.md +79 -79
package/.agent/skills/autonomous-agent-harness/SKILL.md +267 -267
package/.agent/skills/autonomous-loops/SKILL.md +610 -610
package/.agent/skills/backend-patterns/SKILL.md +598 -598
package/.agent/skills/bash-linux/SKILL.md +199 -199
package/.agent/skills/behavioral-modes/SKILL.md +242 -242
package/.agent/skills/benchmark/SKILL.md +93 -93
package/.agent/skills/blueprint/SKILL.md +105 -105
package/.agent/skills/brainstorming/SKILL.md +163 -163
package/.agent/skills/brainstorming/dynamic-questioning.md +350 -350
package/.agent/skills/brand-voice/SKILL.md +97 -97
package/.agent/skills/brand-voice/references/voice-profile-schema.md +55 -55
package/.agent/skills/browser-qa/SKILL.md +87 -87
package/.agent/skills/bun-runtime/SKILL.md +84 -84
package/.agent/skills/canary-watch/SKILL.md +99 -99
package/.agent/skills/carrier-relationship-management/SKILL.md +212 -212
package/.agent/skills/ck/SKILL.md +147 -147
package/.agent/skills/ck/commands/forget.mjs +44 -44
package/.agent/skills/ck/commands/info.mjs +24 -24
package/.agent/skills/ck/commands/init.mjs +143 -143
package/.agent/skills/ck/commands/list.mjs +40 -40
package/.agent/skills/ck/commands/migrate.mjs +202 -202
package/.agent/skills/ck/commands/resume.mjs +36 -36
package/.agent/skills/ck/commands/save.mjs +210 -210
package/.agent/skills/ck/commands/shared.mjs +387 -387
package/.agent/skills/ck/hooks/session-start.mjs +224 -224
package/.agent/skills/claude-api/SKILL.md +337 -337
package/.agent/skills/claude-devfleet/SKILL.md +103 -103
package/.agent/skills/clean-code/SKILL.md +201 -201
package/.agent/skills/click-path-audit/SKILL.md +244 -244
package/.agent/skills/clickhouse-io/SKILL.md +439 -439
package/.agent/skills/code-review-checklist/SKILL.md +109 -109
package/.agent/skills/codebase-onboarding/SKILL.md +233 -233
package/.agent/skills/coding-standards/SKILL.md +530 -530
package/.agent/skills/compose-multiplatform-patterns/SKILL.md +299 -299
package/.agent/skills/configure-ecc/SKILL.md +367 -367
package/.agent/skills/connections-optimizer/SKILL.md +189 -189
package/.agent/skills/content-engine/SKILL.md +131 -131
package/.agent/skills/content-hash-cache-pattern/SKILL.md +161 -161
package/.agent/skills/context-budget/SKILL.md +135 -135
package/.agent/skills/continuous-agent-loop/SKILL.md +45 -45
package/.agent/skills/continuous-learning/SKILL.md +119 -119
package/.agent/skills/continuous-learning/config.json +18 -18
package/.agent/skills/continuous-learning/evaluate-session.sh +69 -69
package/.agent/skills/continuous-learning-v2/SKILL.md +365 -365
package/.agent/skills/continuous-learning-v2/agents/observer-loop.sh +271 -271
package/.agent/skills/continuous-learning-v2/agents/observer.md +198 -198
package/.agent/skills/continuous-learning-v2/agents/session-guardian.sh +150 -150
package/.agent/skills/continuous-learning-v2/agents/start-observer.sh +244 -244
package/.agent/skills/continuous-learning-v2/config.json +8 -8
package/.agent/skills/continuous-learning-v2/hooks/observe.sh +428 -428
package/.agent/skills/continuous-learning-v2/scripts/detect-project.sh +228 -228
package/.agent/skills/continuous-learning-v2/scripts/instinct-cli.py +1426 -1426
package/.agent/skills/continuous-learning-v2/scripts/test-parse-instinct.py +984 -984
package/.agent/skills/cost-aware-llm-pipeline/SKILL.md +183 -183
package/.agent/skills/cpp-coding-standards/SKILL.md +723 -723
package/.agent/skills/cpp-testing/SKILL.md +324 -324
package/.agent/skills/crosspost/SKILL.md +111 -111
package/.agent/skills/csharp-testing/SKILL.md +321 -321
package/.agent/skills/customer-billing-ops/SKILL.md +140 -140
package/.agent/skills/customs-trade-compliance/SKILL.md +263 -263
package/.agent/skills/dart-flutter-patterns/SKILL.md +563 -563
package/.agent/skills/data-scraper-agent/SKILL.md +764 -764
package/.agent/skills/database-design/SKILL.md +52 -52
package/.agent/skills/database-design/database-selection.md +43 -43
package/.agent/skills/database-design/indexing.md +39 -39
package/.agent/skills/database-design/migrations.md +48 -48
package/.agent/skills/database-design/optimization.md +36 -36
package/.agent/skills/database-design/orm-selection.md +30 -30
package/.agent/skills/database-design/schema-design.md +56 -56
package/.agent/skills/database-design/scripts/schema_validator.py +172 -172
package/.agent/skills/database-migrations/SKILL.md +429 -429
package/.agent/skills/deep-research/SKILL.md +155 -155
package/.agent/skills/deployment-patterns/SKILL.md +427 -427
package/.agent/skills/deployment-procedures/SKILL.md +241 -241
package/.agent/skills/design-system/SKILL.md +82 -82
package/.agent/skills/django-patterns/SKILL.md +734 -734
package/.agent/skills/django-security/SKILL.md +593 -593
package/.agent/skills/django-tdd/SKILL.md +729 -729
package/.agent/skills/django-verification/SKILL.md +469 -469
package/.agent/skills/dmux-workflows/SKILL.md +191 -191
package/.agent/skills/doc.md +177 -177
package/.agent/skills/docker-patterns/SKILL.md +364 -364
package/.agent/skills/documentation-lookup/SKILL.md +90 -90
package/.agent/skills/documentation-templates/SKILL.md +194 -194
package/.agent/skills/dotnet-patterns/SKILL.md +321 -321
package/.agent/skills/e2e-testing/SKILL.md +326 -326
package/.agent/skills/energy-procurement/SKILL.md +228 -228
package/.agent/skills/enterprise-agent-ops/SKILL.md +50 -50
package/.agent/skills/eval-harness/SKILL.md +270 -270
package/.agent/skills/exa-search/SKILL.md +103 -103
package/.agent/skills/fal-ai-media/SKILL.md +284 -284
package/.agent/skills/flutter-dart-code-review/SKILL.md +435 -435
package/.agent/skills/foundation-models-on-device/SKILL.md +243 -243
package/.agent/skills/frontend-design/SKILL.md +452 -452
package/.agent/skills/frontend-design/animation-guide.md +331 -331
package/.agent/skills/frontend-design/color-system.md +311 -311
package/.agent/skills/frontend-design/decision-trees.md +418 -418
package/.agent/skills/frontend-design/motion-graphics.md +306 -306
package/.agent/skills/frontend-design/scripts/accessibility_checker.py +183 -183
package/.agent/skills/frontend-design/scripts/ux_audit.py +722 -722
package/.agent/skills/frontend-design/typography-system.md +345 -345
package/.agent/skills/frontend-design/ux-psychology.md +1116 -1116
package/.agent/skills/frontend-design/visual-effects.md +383 -383
package/.agent/skills/frontend-patterns/SKILL.md +642 -642
package/.agent/skills/frontend-slides/SKILL.md +184 -184
package/.agent/skills/frontend-slides/style-presets.md +330 -330
package/.agent/skills/game-development/2d-games/SKILL.md +119 -119
package/.agent/skills/game-development/3d-games/SKILL.md +135 -135
package/.agent/skills/game-development/SKILL.md +167 -167
package/.agent/skills/game-development/game-art/SKILL.md +185 -185
package/.agent/skills/game-development/game-audio/SKILL.md +190 -190
package/.agent/skills/game-development/game-design/SKILL.md +129 -129
package/.agent/skills/game-development/mobile-games/SKILL.md +108 -108
package/.agent/skills/game-development/multiplayer/SKILL.md +132 -132
package/.agent/skills/game-development/pc-games/SKILL.md +144 -144
package/.agent/skills/game-development/vr-ar/SKILL.md +123 -123
package/.agent/skills/game-development/web-games/SKILL.md +150 -150
package/.agent/skills/gan-style-harness/SKILL.md +278 -278
package/.agent/skills/geo-fundamentals/SKILL.md +156 -156
package/.agent/skills/geo-fundamentals/scripts/geo_checker.py +289 -289
package/.agent/skills/git-workflow/SKILL.md +715 -715
package/.agent/skills/golang-patterns/SKILL.md +674 -674
package/.agent/skills/golang-testing/SKILL.md +720 -720
package/.agent/skills/google-workspace-ops/SKILL.md +95 -95
package/.agent/skills/healthcare-cdss-patterns/SKILL.md +245 -245
package/.agent/skills/healthcare-emr-patterns/SKILL.md +159 -159
package/.agent/skills/healthcare-eval-harness/SKILL.md +207 -207
package/.agent/skills/healthcare-phi-compliance/SKILL.md +145 -145
package/.agent/skills/hexagonal-architecture/SKILL.md +276 -276
package/.agent/skills/i18n-localization/SKILL.md +154 -154
package/.agent/skills/i18n-localization/scripts/i18n_checker.py +241 -241
package/.agent/skills/intelligent-routing/SKILL.md +335 -335
package/.agent/skills/inventory-demand-planning/SKILL.md +247 -247
package/.agent/skills/investor-materials/SKILL.md +96 -96
package/.agent/skills/investor-outreach/SKILL.md +91 -91
package/.agent/skills/iterative-retrieval/SKILL.md +211 -211
package/.agent/skills/java-coding-standards/SKILL.md +147 -147
package/.agent/skills/jira-integration/SKILL.md +293 -293
package/.agent/skills/jpa-patterns/SKILL.md +151 -151
package/.agent/skills/kotlin-coroutines-flows/SKILL.md +284 -284
package/.agent/skills/kotlin-exposed-patterns/SKILL.md +719 -719
package/.agent/skills/kotlin-ktor-patterns/SKILL.md +689 -689
package/.agent/skills/kotlin-patterns/SKILL.md +711 -711
package/.agent/skills/kotlin-testing/SKILL.md +824 -824
package/.agent/skills/laravel-patterns/SKILL.md +415 -415
package/.agent/skills/laravel-plugin-discovery/SKILL.md +229 -229
package/.agent/skills/laravel-security/SKILL.md +285 -285
package/.agent/skills/laravel-tdd/SKILL.md +283 -283
package/.agent/skills/laravel-verification/SKILL.md +179 -179
package/.agent/skills/lead-intelligence/SKILL.md +321 -321
package/.agent/skills/lead-intelligence/agents/enrichment-agent.md +85 -85
package/.agent/skills/lead-intelligence/agents/mutual-mapper.md +75 -75
package/.agent/skills/lead-intelligence/agents/outreach-drafter.md +98 -98
package/.agent/skills/lead-intelligence/agents/signal-scorer.md +60 -60
package/.agent/skills/lint-and-validate/SKILL.md +45 -45
package/.agent/skills/lint-and-validate/scripts/lint_runner.py +184 -184
package/.agent/skills/lint-and-validate/scripts/type_coverage.py +173 -173
package/.agent/skills/liquid-glass-design/SKILL.md +279 -279
package/.agent/skills/logistics-exception-management/SKILL.md +222 -222
package/.agent/skills/manim-video/SKILL.md +89 -89
package/.agent/skills/manim-video/assets/network-graph-scene.py +52 -52
package/.agent/skills/market-research/SKILL.md +75 -75
package/.agent/skills/mcp-server-patterns/SKILL.md +67 -67
package/.agent/skills/mobile-design/SKILL.md +394 -394
package/.agent/skills/mobile-design/decision-trees.md +516 -516
package/.agent/skills/mobile-design/mobile-backend.md +491 -491
package/.agent/skills/mobile-design/mobile-color-system.md +420 -420
package/.agent/skills/mobile-design/mobile-debugging.md +122 -122
package/.agent/skills/mobile-design/mobile-design-thinking.md +357 -357
package/.agent/skills/mobile-design/mobile-navigation.md +458 -458
package/.agent/skills/mobile-design/mobile-performance.md +767 -767
package/.agent/skills/mobile-design/mobile-testing.md +356 -356
package/.agent/skills/mobile-design/mobile-typography.md +433 -433
package/.agent/skills/mobile-design/platform-android.md +666 -666
package/.agent/skills/mobile-design/platform-ios.md +561 -561
package/.agent/skills/mobile-design/scripts/mobile_audit.py +670 -670
package/.agent/skills/mobile-design/touch-psychology.md +537 -537
package/.agent/skills/nanoclaw-repl/SKILL.md +33 -33
package/.agent/skills/nestjs-patterns/SKILL.md +230 -230
package/.agent/skills/nextjs-react-expert/1-async-eliminating-waterfalls.md +351 -351
package/.agent/skills/nextjs-react-expert/2-bundle-bundle-size-optimization.md +240 -240
package/.agent/skills/nextjs-react-expert/3-server-server-side-performance.md +490 -490
package/.agent/skills/nextjs-react-expert/4-client-client-side-data-fetching.md +264 -264
package/.agent/skills/nextjs-react-expert/5-rerender-re-render-optimization.md +581 -581
package/.agent/skills/nextjs-react-expert/6-rendering-rendering-performance.md +432 -432
package/.agent/skills/nextjs-react-expert/7-js-javascript-performance.md +684 -684
package/.agent/skills/nextjs-react-expert/8-advanced-advanced-patterns.md +150 -150
package/.agent/skills/nextjs-react-expert/9-cache-components.md +103 -103
package/.agent/skills/nextjs-react-expert/SKILL.md +293 -293
package/.agent/skills/nextjs-react-expert/scripts/convert_rules.py +222 -222
package/.agent/skills/nextjs-react-expert/scripts/react_performance_checker.py +252 -252
package/.agent/skills/nextjs-turbopack/SKILL.md +44 -44
package/.agent/skills/nodejs-best-practices/SKILL.md +333 -333
package/.agent/skills/nutrient-document-processing/SKILL.md +167 -167
package/.agent/skills/nuxt4-patterns/SKILL.md +100 -100
package/.agent/skills/openclaw-persona-forge/SKILL.md +296 -296
package/.agent/skills/openclaw-persona-forge/gacha.py +224 -224
package/.agent/skills/openclaw-persona-forge/gacha.sh +5 -5
package/.agent/skills/openclaw-persona-forge/references/avatar-style.md +124 -124
package/.agent/skills/openclaw-persona-forge/references/boundary-rules.md +53 -53
package/.agent/skills/openclaw-persona-forge/references/error-handling.md +53 -53
package/.agent/skills/openclaw-persona-forge/references/identity-tension.md +48 -48
package/.agent/skills/openclaw-persona-forge/references/naming-system.md +39 -39
package/.agent/skills/openclaw-persona-forge/references/output-template.md +166 -166
package/.agent/skills/opensource-pipeline/SKILL.md +255 -255
package/.agent/skills/parallel-agents/SKILL.md +175 -175
package/.agent/skills/performance-profiling/SKILL.md +143 -143
package/.agent/skills/performance-profiling/scripts/lighthouse_audit.py +76 -76
package/.agent/skills/perl-patterns/SKILL.md +504 -504
package/.agent/skills/perl-security/SKILL.md +503 -503
package/.agent/skills/perl-testing/SKILL.md +475 -475
package/.agent/skills/plan-writing/SKILL.md +152 -152
package/.agent/skills/plankton-code-quality/SKILL.md +236 -236
package/.agent/skills/postgres-patterns/SKILL.md +147 -147
package/.agent/skills/powershell-windows/SKILL.md +167 -167
package/.agent/skills/product-lens/SKILL.md +85 -85
package/.agent/skills/production-scheduling/SKILL.md +238 -238
package/.agent/skills/project-flow-ops/SKILL.md +111 -111
package/.agent/skills/project-guidelines-example/SKILL.md +349 -349
package/.agent/skills/prompt-optimizer/SKILL.md +397 -397
package/.agent/skills/python-patterns/SKILL.md +750 -750
package/.agent/skills/python-testing/SKILL.md +816 -816
package/.agent/skills/pytorch-patterns/SKILL.md +396 -396
package/.agent/skills/quality-nonconformance/SKILL.md +260 -260
package/.agent/skills/ralphinho-rfc-pipeline/SKILL.md +67 -67
package/.agent/skills/red-team-tactics/SKILL.md +199 -199
package/.agent/skills/regex-vs-llm-structured-text/SKILL.md +220 -220
package/.agent/skills/remotion-video-creation/SKILL.md +43 -43
package/.agent/skills/remotion-video-creation/rules/3d.md +86 -86
package/.agent/skills/remotion-video-creation/rules/animations.md +29 -29
package/.agent/skills/remotion-video-creation/rules/assets/charts-bar-chart.tsx +173 -173
package/.agent/skills/remotion-video-creation/rules/assets/text-animations-typewriter.tsx +100 -100
package/.agent/skills/remotion-video-creation/rules/assets/text-animations-word-highlight.tsx +108 -108
package/.agent/skills/remotion-video-creation/rules/assets.md +78 -78
package/.agent/skills/remotion-video-creation/rules/audio.md +172 -172
package/.agent/skills/remotion-video-creation/rules/calculate-metadata.md +104 -104
package/.agent/skills/remotion-video-creation/rules/can-decode.md +75 -75
package/.agent/skills/remotion-video-creation/rules/charts.md +58 -58
package/.agent/skills/remotion-video-creation/rules/compositions.md +146 -146
package/.agent/skills/remotion-video-creation/rules/display-captions.md +126 -126
package/.agent/skills/remotion-video-creation/rules/extract-frames.md +229 -229
package/.agent/skills/remotion-video-creation/rules/fonts.md +152 -152
package/.agent/skills/remotion-video-creation/rules/get-audio-duration.md +58 -58
package/.agent/skills/remotion-video-creation/rules/get-video-dimensions.md +68 -68
package/.agent/skills/remotion-video-creation/rules/get-video-duration.md +58 -58
package/.agent/skills/remotion-video-creation/rules/gifs.md +138 -138
package/.agent/skills/remotion-video-creation/rules/images.md +130 -130
package/.agent/skills/remotion-video-creation/rules/import-srt-captions.md +67 -67
package/.agent/skills/remotion-video-creation/rules/lottie.md +67 -67
package/.agent/skills/remotion-video-creation/rules/measuring-dom-nodes.md +34 -34
package/.agent/skills/remotion-video-creation/rules/measuring-text.md +143 -143
package/.agent/skills/remotion-video-creation/rules/sequencing.md +106 -106
package/.agent/skills/remotion-video-creation/rules/tailwind.md +11 -11
package/.agent/skills/remotion-video-creation/rules/text-animations.md +20 -20
package/.agent/skills/remotion-video-creation/rules/timing.md +179 -179
package/.agent/skills/remotion-video-creation/rules/transcribe-captions.md +19 -19
package/.agent/skills/remotion-video-creation/rules/transitions.md +122 -122
package/.agent/skills/remotion-video-creation/rules/trimming.md +52 -52
package/.agent/skills/remotion-video-creation/rules/videos.md +171 -171
package/.agent/skills/repo-scan/SKILL.md +63 -63
package/.agent/skills/returns-reverse-logistics/SKILL.md +240 -240
package/.agent/skills/rules-distill/SKILL.md +264 -264
package/.agent/skills/rules-distill/scripts/scan-rules.sh +58 -58
package/.agent/skills/rules-distill/scripts/scan-skills.sh +129 -129
package/.agent/skills/rust-patterns/SKILL.md +499 -499
package/.agent/skills/rust-pro/SKILL.md +175 -175
package/.agent/skills/rust-testing/SKILL.md +500 -500
package/.agent/skills/safety-guard/SKILL.md +75 -75
package/.agent/skills/santa-method/SKILL.md +306 -306
package/.agent/skills/search-first/SKILL.md +161 -161
package/.agent/skills/security-review/SKILL.md +495 -495
package/.agent/skills/security-review/cloud-infrastructure-security.md +361 -361
package/.agent/skills/security-scan/SKILL.md +165 -165
package/.agent/skills/seo-fundamentals/SKILL.md +129 -129
package/.agent/skills/seo-fundamentals/scripts/seo_checker.py +219 -219
package/.agent/skills/server-management/SKILL.md +161 -161
package/.agent/skills/skill-comply/SKILL.md +58 -58
package/.agent/skills/skill-comply/fixtures/compliant-trace.jsonl +5 -5
package/.agent/skills/skill-comply/fixtures/noncompliant-trace.jsonl +3 -3
package/.agent/skills/skill-comply/fixtures/tdd-spec.yaml +44 -44
package/.agent/skills/skill-comply/prompts/classifier.md +24 -24
package/.agent/skills/skill-comply/prompts/scenario-generator.md +62 -62
package/.agent/skills/skill-comply/prompts/spec-generator.md +42 -42
package/.agent/skills/skill-comply/pyproject.toml +15 -15
package/.agent/skills/skill-comply/scripts/classifier.py +85 -85
package/.agent/skills/skill-comply/scripts/grader.py +122 -122
package/.agent/skills/skill-comply/scripts/parser.py +107 -107
package/.agent/skills/skill-comply/scripts/report.py +170 -170
package/.agent/skills/skill-comply/scripts/run.py +127 -127
package/.agent/skills/skill-comply/scripts/runner.py +161 -161
package/.agent/skills/skill-comply/scripts/scenario-generator.py +70 -70
package/.agent/skills/skill-comply/scripts/spec-generator.py +72 -72
package/.agent/skills/skill-comply/scripts/utils.py +13 -13
package/.agent/skills/skill-comply/tests/test-grader.py +137 -137
package/.agent/skills/skill-comply/tests/test-parser.py +90 -90
package/.agent/skills/skill-stocktake/SKILL.md +193 -193
package/.agent/skills/skill-stocktake/scripts/quick-diff.sh +87 -87
package/.agent/skills/skill-stocktake/scripts/save-results.sh +56 -56
package/.agent/skills/skill-stocktake/scripts/scan.sh +170 -170
package/.agent/skills/social-graph-ranker/SKILL.md +154 -154
package/.agent/skills/springboot-patterns/SKILL.md +314 -314
package/.agent/skills/springboot-security/SKILL.md +272 -272
package/.agent/skills/springboot-tdd/SKILL.md +158 -158
package/.agent/skills/springboot-verification/SKILL.md +231 -231
package/.agent/skills/strategic-compact/SKILL.md +131 -131
package/.agent/skills/strategic-compact/suggest-compact.sh +54 -54
package/.agent/skills/swift-actor-persistence/SKILL.md +143 -143
package/.agent/skills/swift-concurrency-6-2/SKILL.md +216 -216
package/.agent/skills/swift-protocol-di-testing/SKILL.md +190 -190
package/.agent/skills/swiftui-patterns/SKILL.md +259 -259
package/.agent/skills/systematic-debugging/SKILL.md +109 -109
package/.agent/skills/tailwind-patterns/SKILL.md +269 -269
package/.agent/skills/tdd-workflow/SKILL.md +463 -463
package/.agent/skills/team-builder/SKILL.md +168 -168
package/.agent/skills/testing-patterns/SKILL.md +178 -178
package/.agent/skills/testing-patterns/scripts/test_runner.py +219 -219
package/.agent/skills/token-budget-advisor/SKILL.md +133 -133
package/.agent/skills/ui-demo/SKILL.md +465 -465
package/.agent/skills/ui-ux-pro-max/SKILL.md +292 -292
package/.agent/skills/ui-ux-pro-max/data/charts.csv +26 -26
package/.agent/skills/ui-ux-pro-max/data/colors.csv +97 -97
package/.agent/skills/ui-ux-pro-max/data/icons.csv +101 -101
package/.agent/skills/ui-ux-pro-max/data/landing.csv +31 -31
package/.agent/skills/ui-ux-pro-max/data/products.csv +96 -96
package/.agent/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
package/.agent/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
package/.agent/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
package/.agent/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
package/.agent/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
package/.agent/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
package/.agent/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
package/.agent/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
package/.agent/skills/ui-ux-pro-max/data/stacks/react-native.csv +52 -52
package/.agent/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
package/.agent/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
package/.agent/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
package/.agent/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
package/.agent/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
package/.agent/skills/ui-ux-pro-max/data/styles.csv +68 -68
package/.agent/skills/ui-ux-pro-max/data/typography.csv +57 -57
package/.agent/skills/ui-ux-pro-max/data/ui-reasoning.csv +101 -101
package/.agent/skills/ui-ux-pro-max/data/ux-guidelines.csv +99 -99
package/.agent/skills/ui-ux-pro-max/data/web-interface.csv +31 -31
package/.agent/skills/ui-ux-pro-max/scripts/core.py +253 -253
package/.agent/skills/ui-ux-pro-max/scripts/design_system.py +1067 -1067
package/.agent/skills/ui-ux-pro-max/scripts/search.py +114 -114
package/.agent/skills/verification-loop/SKILL.md +126 -126
package/.agent/skills/video-editing/SKILL.md +310 -310
package/.agent/skills/videodb/SKILL.md +374 -374
package/.agent/skills/videodb/reference/api-reference.md +550 -550
package/.agent/skills/videodb/reference/capture-reference.md +407 -407
package/.agent/skills/videodb/reference/capture.md +101 -101
package/.agent/skills/videodb/reference/editor.md +443 -443
package/.agent/skills/videodb/reference/generative.md +331 -331
package/.agent/skills/videodb/reference/rtstream-reference.md +564 -564
package/.agent/skills/videodb/reference/rtstream.md +65 -65
package/.agent/skills/videodb/reference/search.md +230 -230
package/.agent/skills/videodb/reference/streaming.md +406 -406
package/.agent/skills/videodb/reference/use-cases.md +118 -118
package/.agent/skills/videodb/scripts/ws-listener.py +282 -282
package/.agent/skills/visa-doc-translate/SKILL.md +117 -117
package/.agent/skills/visa-doc-translate/readme.md +86 -86
package/.agent/skills/vulnerability-scanner/SKILL.md +276 -276
package/.agent/skills/vulnerability-scanner/checklists.md +121 -121
package/.agent/skills/vulnerability-scanner/scripts/security_scan.py +458 -458
package/.agent/skills/web-design-guidelines/SKILL.md +57 -57
package/.agent/skills/webapp-testing/SKILL.md +187 -187
package/.agent/skills/webapp-testing/scripts/playwright_runner.py +173 -173
package/.agent/skills/workspace-surface-audit/SKILL.md +125 -125
package/.agent/skills/x-api/SKILL.md +230 -230
package/.agent/tasks/lessons.md +40 -40
package/.agent/tasks/todo.md +33 -33
package/.agent/tasks/two-track-merge-contract.md +1 -1
package/.agent/workflows/aside.md +164 -164
package/.agent/workflows/brainstorm.md +113 -113
package/.agent/workflows/build-fix.md +62 -62
package/.agent/workflows/checkpoint.md +74 -74
package/.agent/workflows/claw.md +23 -23
package/.agent/workflows/clean-memory.md +34 -34
package/.agent/workflows/code-review.md +289 -289
package/.agent/workflows/context-budget.md +23 -23
package/.agent/workflows/cpp-build.md +173 -173
package/.agent/workflows/cpp-review.md +132 -132
package/.agent/workflows/cpp-test.md +251 -251
package/.agent/workflows/create.md +59 -59
package/.agent/workflows/debug.md +103 -103
package/.agent/workflows/deploy.md +176 -176
package/.agent/workflows/devfleet.md +23 -23
package/.agent/workflows/docs.md +23 -23
package/.agent/workflows/e2e.md +268 -268
package/.agent/workflows/enhance.md +63 -63
package/.agent/workflows/eval.md +23 -23
package/.agent/workflows/evolve.md +178 -178
package/.agent/workflows/flutter-build.md +164 -164
package/.agent/workflows/flutter-review.md +116 -116
package/.agent/workflows/flutter-test.md +144 -144
package/.agent/workflows/gan-build.md +99 -99
package/.agent/workflows/gan-design.md +35 -35
package/.agent/workflows/go-build.md +183 -183
package/.agent/workflows/go-review.md +148 -148
package/.agent/workflows/go-test.md +268 -268
package/.agent/workflows/gradle-build.md +70 -70
package/.agent/workflows/harness-audit.md +73 -73
package/.agent/workflows/init-docs.md +46 -46
package/.agent/workflows/instinct-export.md +66 -66
package/.agent/workflows/instinct-import.md +114 -114
package/.agent/workflows/instinct-status.md +59 -59
package/.agent/workflows/jira.md +106 -106
package/.agent/workflows/kotlin-build.md +174 -174
package/.agent/workflows/kotlin-review.md +140 -140
package/.agent/workflows/kotlin-test.md +312 -312
package/.agent/workflows/learn-eval.md +116 -116
package/.agent/workflows/learn.md +70 -70
package/.agent/workflows/loop-start.md +32 -32
package/.agent/workflows/loop-status.md +24 -24
package/.agent/workflows/model-route.md +26 -26
package/.agent/workflows/multi-backend.md +158 -158
package/.agent/workflows/multi-execute.md +315 -315
package/.agent/workflows/multi-frontend.md +158 -158
package/.agent/workflows/multi-plan.md +268 -268
package/.agent/workflows/multi-workflow.md +191 -191
package/.agent/workflows/orchestrate.md +135 -135
package/.agent/workflows/plan.md +117 -117
package/.agent/workflows/pm2.md +272 -272
package/.agent/workflows/preview.md +81 -81
package/.agent/workflows/projects.md +39 -39
package/.agent/workflows/promote.md +41 -41
package/.agent/workflows/prompt-optimize.md +23 -23
package/.agent/workflows/prp-commit.md +112 -112
package/.agent/workflows/prp-implement.md +385 -385
package/.agent/workflows/prp-plan.md +502 -502
package/.agent/workflows/prp-pr.md +184 -184
package/.agent/workflows/prp-prd.md +447 -447
package/.agent/workflows/prune.md +31 -31
package/.agent/workflows/python-review.md +297 -297
package/.agent/workflows/quality-gate.md +29 -29
package/.agent/workflows/refactor-clean.md +80 -80
package/.agent/workflows/resume-session.md +156 -156
package/.agent/workflows/rules-distill.md +20 -20
package/.agent/workflows/rust-build.md +187 -187
package/.agent/workflows/rust-review.md +142 -142
package/.agent/workflows/rust-test.md +308 -308
package/.agent/workflows/santa-loop.md +175 -175
package/.agent/workflows/save-session.md +275 -275
package/.agent/workflows/sessions.md +333 -333
package/.agent/workflows/setup-pm.md +80 -80
package/.agent/workflows/skill-create.md +174 -174
package/.agent/workflows/skill-health.md +54 -54
package/.agent/workflows/status.md +86 -86
package/.agent/workflows/tdd.md +231 -231
package/.agent/workflows/test-coverage.md +69 -69
package/.agent/workflows/test.md +144 -144
package/.agent/workflows/ui-ux-pro-max.md +295 -295
package/.agent/workflows/update-codemaps.md +72 -72
package/.agent/workflows/update-docs.md +84 -84
package/.agent/workflows/verify.md +23 -23
package/LICENSE +176 -176
package/README.md +144 -144
package/package.json +1 -1
package/scripts/release-check.js +55 -55
package/src/bin/cli.js +424 -354
package/src/lib/installer.js +223 -11

package/.agent/skills/perl-security/SKILL.md CHANGED Viewed

@@ -1,503 +1,503 @@
----
-name: perl-security
-description: Comprehensive Perl security covering taint mode, input validation, safe process execution, DBI parameterized queries, web security (XSS/SQLi/CSRF), and perlcritic security policies.
-origin: ECC
----
-# Perl Security Patterns
-Comprehensive security guidelines for Perl applications covering input validation, injection prevention, and secure coding practices.
-## When to Activate
-- Handling user input in Perl applications
-- Building Perl web applications (CGI, Mojolicious, Dancer2, Catalyst)
-- Reviewing Perl code for security vulnerabilities
-- Performing file operations with user-supplied paths
-- Executing system commands from Perl
-- Writing DBI database queries
-## How It Works
-Start with taint-aware input boundaries, then move outward: validate and untaint inputs, keep filesystem and process execution constrained, and use parameterized DBI queries everywhere. The examples below show the safe defaults this skill expects you to apply before shipping Perl code that touches user input, the shell, or the network.
-## Taint Mode
-Perl's taint mode (`-T`) tracks data from external sources and prevents it from being used in unsafe operations without explicit validation.
-### Enabling Taint Mode
-```perl
-#!/usr/bin/perl -T
-use v5.36;
-# Tainted: anything from outside the program
-my $input    = $ARGV[0];        # Tainted
-my $env_path = $ENV{PATH};      # Tainted
-my $form     = <STDIN>;         # Tainted
-my $query    = $ENV{QUERY_STRING}; # Tainted
-# Sanitize PATH early (required in taint mode)
-$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
-delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
-```
-### Untainting Pattern
-```perl
-use v5.36;
-# Good: Validate and untaint with a specific regex
-sub untaint_username($input) {
-    if ($input =~ /^([a-zA-Z0-9_]{3,30})$/) {
-        return $1;  # $1 is untainted
-    }
-    die "Invalid username: must be 3-30 alphanumeric characters\n";
-}
-# Good: Validate and untaint a file path
-sub untaint_filename($input) {
-    if ($input =~ m{^([a-zA-Z0-9._-]+)$}) {
-        return $1;
-    }
-    die "Invalid filename: contains unsafe characters\n";
-}
-# Bad: Overly permissive untainting (defeats the purpose)
-sub bad_untaint($input) {
-    $input =~ /^(.*)$/s;
-    return $1;  # Accepts ANYTHING — pointless
-}
-```
-## Input Validation
-### Allowlist Over Blocklist
-```perl
-use v5.36;
-# Good: Allowlist — define exactly what's permitted
-sub validate_sort_field($field) {
-    my %allowed = map { $_ => 1 } qw(name email created_at updated_at);
-    die "Invalid sort field: $field\n" unless $allowed{$field};
-    return $field;
-}
-# Good: Validate with specific patterns
-sub validate_email($email) {
-    if ($email =~ /^([a-zA-Z0-9._%+-]+\@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$/) {
-        return $1;
-    }
-    die "Invalid email address\n";
-}
-sub validate_integer($input) {
-    if ($input =~ /^(-?\d{1,10})$/) {
-        return $1 + 0;  # Coerce to number
-    }
-    die "Invalid integer\n";
-}
-# Bad: Blocklist — always incomplete
-sub bad_validate($input) {
-    die "Invalid" if $input =~ /[<>"';&|]/;  # Misses encoded attacks
-    return $input;
-}
-```
-### Length Constraints
-```perl
-use v5.36;
-sub validate_comment($text) {
-    die "Comment is required\n"        unless length($text) > 0;
-    die "Comment exceeds 10000 chars\n" if length($text) > 10_000;
-    return $text;
-}
-```
-## Safe Regular Expressions
-### ReDoS Prevention
-Catastrophic backtracking occurs with nested quantifiers on overlapping patterns.
-```perl
-use v5.36;
-# Bad: Vulnerable to ReDoS (exponential backtracking)
-my $bad_re = qr/^(a+)+$/;           # Nested quantifiers
-my $bad_re2 = qr/^([a-zA-Z]+)*$/;   # Nested quantifiers on class
-my $bad_re3 = qr/^(.*?,){10,}$/;    # Repeated greedy/lazy combo
-# Good: Rewrite without nesting
-my $good_re = qr/^a+$/;             # Single quantifier
-my $good_re2 = qr/^[a-zA-Z]+$/;     # Single quantifier on class
-# Good: Use possessive quantifiers or atomic groups to prevent backtracking
-my $safe_re = qr/^[a-zA-Z]++$/;             # Possessive (5.10+)
-my $safe_re2 = qr/^(?>a+)$/;                # Atomic group
-# Good: Enforce timeout on untrusted patterns
-use POSIX qw(alarm);
-sub safe_match($string, $pattern, $timeout = 2) {
-    my $matched;
-    eval {
-        local $SIG{ALRM} = sub { die "Regex timeout\n" };
-        alarm($timeout);
-        $matched = $string =~ $pattern;
-        alarm(0);
-    };
-    alarm(0);
-    die $@ if $@;
-    return $matched;
-}
-```
-## Safe File Operations
-### Three-Argument Open
-```perl
-use v5.36;
-# Good: Three-arg open, lexical filehandle, check return
-sub read_file($path) {
-    open my $fh, '<:encoding(UTF-8)', $path
-        or die "Cannot open '$path': $!\n";
-    local $/;
-    my $content = <$fh>;
-    close $fh;
-    return $content;
-}
-# Bad: Two-arg open with user data (command injection)
-sub bad_read($path) {
-    open my $fh, $path;        # If $path = "|rm -rf /", runs command!
-    open my $fh, "< $path";   # Shell metacharacter injection
-}
-```
-### TOCTOU Prevention and Path Traversal
-```perl
-use v5.36;
-use Fcntl qw(:DEFAULT :flock);
-use File::Spec;
-use Cwd qw(realpath);
-# Atomic file creation
-sub create_file_safe($path) {
-    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
-        or die "Cannot create '$path': $!\n";
-    return $fh;
-}
-# Validate path stays within allowed directory
-sub safe_path($base_dir, $user_path) {
-    my $real = realpath(File::Spec->catfile($base_dir, $user_path))
-        // die "Path does not exist\n";
-    my $base_real = realpath($base_dir)
-        // die "Base dir does not exist\n";
-    die "Path traversal blocked\n" unless $real =~ /^\Q$base_real\E(?:\/|\z)/;
-    return $real;
-}
-```
-Use `File::Temp` for temporary files (`tempfile(UNLINK => 1)`) and `flock(LOCK_EX)` to prevent race conditions.
-## Safe Process Execution
-### List-Form system and exec
-```perl
-use v5.36;
-# Good: List form — no shell interpolation
-sub run_command(@cmd) {
-    system(@cmd) == 0
-        or die "Command failed: @cmd\n";
-}
-run_command('grep', '-r', $user_pattern, '/var/log/app/');
-# Good: Capture output safely with IPC::Run3
-use IPC::Run3;
-sub capture_output(@cmd) {
-    my ($stdout, $stderr);
-    run3(\@cmd, \undef, \$stdout, \$stderr);
-    if ($?) {
-        die "Command failed (exit $?): $stderr\n";
-    }
-    return $stdout;
-}
-# Bad: String form — shell injection!
-sub bad_search($pattern) {
-    system("grep -r '$pattern' /var/log/app/");  # If $pattern = "'; rm -rf / #"
-}
-# Bad: Backticks with interpolation
-my $output = `ls $user_dir`;   # Shell injection risk
-```
-Also use `Capture::Tiny` for capturing stdout/stderr from external commands safely.
-## SQL Injection Prevention
-### DBI Placeholders
-```perl
-use v5.36;
-use DBI;
-my $dbh = DBI->connect($dsn, $user, $pass, {
-    RaiseError => 1,
-    PrintError => 0,
-    AutoCommit => 1,
-});
-# Good: Parameterized queries — always use placeholders
-sub find_user($dbh, $email) {
-    my $sth = $dbh->prepare('SELECT * FROM users WHERE email = ?');
-    $sth->execute($email);
-    return $sth->fetchrow_hashref;
-}
-sub search_users($dbh, $name, $status) {
-    my $sth = $dbh->prepare(
-        'SELECT * FROM users WHERE name LIKE ? AND status = ? ORDER BY name'
-    );
-    $sth->execute("%$name%", $status);
-    return $sth->fetchall_arrayref({});
-}
-# Bad: String interpolation in SQL (SQLi vulnerability!)
-sub bad_find($dbh, $email) {
-    my $sth = $dbh->prepare("SELECT * FROM users WHERE email = '$email'");
-    # If $email = "' OR 1=1 --", returns all users
-    $sth->execute;
-    return $sth->fetchrow_hashref;
-}
-```
-### Dynamic Column Allowlists
-```perl
-use v5.36;
-# Good: Validate column names against an allowlist
-sub order_by($dbh, $column, $direction) {
-    my %allowed_cols = map { $_ => 1 } qw(name email created_at);
-    my %allowed_dirs = map { $_ => 1 } qw(ASC DESC);
-    die "Invalid column: $column\n"    unless $allowed_cols{$column};
-    die "Invalid direction: $direction\n" unless $allowed_dirs{uc $direction};
-    my $sth = $dbh->prepare("SELECT * FROM users ORDER BY $column $direction");
-    $sth->execute;
-    return $sth->fetchall_arrayref({});
-}
-# Bad: Directly interpolating user-chosen column
-sub bad_order($dbh, $column) {
-    $dbh->prepare("SELECT * FROM users ORDER BY $column");  # SQLi!
-}
-```
-### DBIx::Class (ORM Safety)
-```perl
-use v5.36;
-# DBIx::Class generates safe parameterized queries
-my @users = $schema->resultset('User')->search({
-    status => 'active',
-    email  => { -like => '%@example.com' },
-}, {
-    order_by => { -asc => 'name' },
-    rows     => 50,
-});
-```
-## Web Security
-### XSS Prevention
-```perl
-use v5.36;
-use HTML::Entities qw(encode_entities);
-use URI::Escape qw(uri_escape_utf8);
-# Good: Encode output for HTML context
-sub safe_html($user_input) {
-    return encode_entities($user_input);
-}
-# Good: Encode for URL context
-sub safe_url_param($value) {
-    return uri_escape_utf8($value);
-}
-# Good: Encode for JSON context
-use JSON::MaybeXS qw(encode_json);
-sub safe_json($data) {
-    return encode_json($data);  # Handles escaping
-}
-# Template auto-escaping (Mojolicious)
-# <%= $user_input %>   — auto-escaped (safe)
-# <%== $raw_html %>    — raw output (dangerous, use only for trusted content)
-# Template auto-escaping (Template Toolkit)
-# [% user_input | html %]  — explicit HTML encoding
-# Bad: Raw output in HTML
-sub bad_html($input) {
-    print "<div>$input</div>";  # XSS if $input contains <script>
-}
-```
-### CSRF Protection
-```perl
-use v5.36;
-use Crypt::URandom qw(urandom);
-use MIME::Base64 qw(encode_base64url);
-sub generate_csrf_token() {
-    return encode_base64url(urandom(32));
-}
-```
-Use constant-time comparison when verifying tokens. Most web frameworks (Mojolicious, Dancer2, Catalyst) provide built-in CSRF protection — prefer those over hand-rolled solutions.
-### Session and Header Security
-```perl
-use v5.36;
-# Mojolicious session + headers
-$app->secrets(['long-random-secret-rotated-regularly']);
-$app->sessions->secure(1);          # HTTPS only
-$app->sessions->samesite('Lax');
-$app->hook(after_dispatch => sub ($c) {
-    $c->res->headers->header('X-Content-Type-Options' => 'nosniff');
-    $c->res->headers->header('X-Frame-Options'        => 'DENY');
-    $c->res->headers->header('Content-Security-Policy' => "default-src 'self'");
-    $c->res->headers->header('Strict-Transport-Security' => 'max-age=31536000; includeSubDomains');
-});
-```
-## Output Encoding
-Always encode output for its context: `HTML::Entities::encode_entities()` for HTML, `URI::Escape::uri_escape_utf8()` for URLs, `JSON::MaybeXS::encode_json()` for JSON.
-## CPAN Module Security
-- **Pin versions** in cpanfile: `requires 'DBI', '== 1.643';`
-- **Prefer maintained modules**: Check MetaCPAN for recent releases
-- **Minimize dependencies**: Each dependency is an attack surface
-## Security Tooling
-### perlcritic Security Policies
-```ini
-# .perlcriticrc — security-focused configuration
-severity = 3
-theme = security + core
-# Require three-arg open
-[InputOutput::RequireThreeArgOpen]
-severity = 5
-# Require checked system calls
-[InputOutput::RequireCheckedSyscalls]
-functions = :builtins
-severity = 4
-# Prohibit string eval
-[BuiltinFunctions::ProhibitStringyEval]
-severity = 5
-# Prohibit backtick operators
-[InputOutput::ProhibitBacktickOperators]
-severity = 4
-# Require taint checking in CGI
-[Modules::RequireTaintChecking]
-severity = 5
-# Prohibit two-arg open
-[InputOutput::ProhibitTwoArgOpen]
-severity = 5
-# Prohibit bare-word filehandles
-[InputOutput::ProhibitBarewordFileHandles]
-severity = 5
-```
-### Running perlcritic
-```bash
-# Check a file
-perlcritic --severity 3 --theme security lib/MyApp/Handler.pm
-# Check entire project
-perlcritic --severity 3 --theme security lib/
-# CI integration
-perlcritic --severity 4 --theme security --quiet lib/ || exit 1
-```
-## Quick Security Checklist
-| Check | What to Verify |
-|---|---|
-| Taint mode | `-T` flag on CGI/web scripts |
-| Input validation | Allowlist patterns, length limits |
-| File operations | Three-arg open, path traversal checks |
-| Process execution | List-form system, no shell interpolation |
-| SQL queries | DBI placeholders, never interpolate |
-| HTML output | `encode_entities()`, template auto-escape |
-| CSRF tokens | Generated, verified on state-changing requests |
-| Session config | Secure, HttpOnly, SameSite cookies |
-| HTTP headers | CSP, X-Frame-Options, HSTS |
-| Dependencies | Pinned versions, audited modules |
-| Regex safety | No nested quantifiers, anchored patterns |
-| Error messages | No stack traces or paths leaked to users |
-## Anti-Patterns
-```perl
-# 1. Two-arg open with user data (command injection)
-open my $fh, $user_input;               # CRITICAL vulnerability
-# 2. String-form system (shell injection)
-system("convert $user_file output.png"); # CRITICAL vulnerability
-# 3. SQL string interpolation
-$dbh->do("DELETE FROM users WHERE id = $id");  # SQLi
-# 4. eval with user input (code injection)
-eval $user_code;                         # Remote code execution
-# 5. Trusting $ENV without sanitizing
-my $path = $ENV{UPLOAD_DIR};             # Could be manipulated
-system("ls $path");                      # Double vulnerability
-# 6. Disabling taint without validation
-($input) = $input =~ /(.*)/s;           # Lazy untaint — defeats purpose
-# 7. Raw user data in HTML
-print "<div>Welcome, $username!</div>";  # XSS
-# 8. Unvalidated redirects
-print $cgi->redirect($user_url);         # Open redirect
-```
-**Remember**: Perl's flexibility is powerful but requires discipline. Use taint mode for web-facing code, validate all input with allowlists, use DBI placeholders for every query, and encode all output for its context. Defense in depth — never rely on a single layer.
+---
+name: perl-security
+description: Comprehensive Perl security covering taint mode, input validation, safe process execution, DBI parameterized queries, web security (XSS/SQLi/CSRF), and perlcritic security policies.
+origin: ECC
+---
+# Perl Security Patterns
+Comprehensive security guidelines for Perl applications covering input validation, injection prevention, and secure coding practices.
+## When to Activate
+- Handling user input in Perl applications
+- Building Perl web applications (CGI, Mojolicious, Dancer2, Catalyst)
+- Reviewing Perl code for security vulnerabilities
+- Performing file operations with user-supplied paths
+- Executing system commands from Perl
+- Writing DBI database queries
+## How It Works
+Start with taint-aware input boundaries, then move outward: validate and untaint inputs, keep filesystem and process execution constrained, and use parameterized DBI queries everywhere. The examples below show the safe defaults this skill expects you to apply before shipping Perl code that touches user input, the shell, or the network.
+## Taint Mode
+Perl's taint mode (`-T`) tracks data from external sources and prevents it from being used in unsafe operations without explicit validation.
+### Enabling Taint Mode
+```perl
+#!/usr/bin/perl -T
+use v5.36;
+# Tainted: anything from outside the program
+my $input    = $ARGV[0];        # Tainted
+my $env_path = $ENV{PATH};      # Tainted
+my $form     = <STDIN>;         # Tainted
+my $query    = $ENV{QUERY_STRING}; # Tainted
+# Sanitize PATH early (required in taint mode)
+$ENV{PATH} = '/usr/local/bin:/usr/bin:/bin';
+delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
+```
+### Untainting Pattern
+```perl
+use v5.36;
+# Good: Validate and untaint with a specific regex
+sub untaint_username($input) {
+    if ($input =~ /^([a-zA-Z0-9_]{3,30})$/) {
+        return $1;  # $1 is untainted
+    }
+    die "Invalid username: must be 3-30 alphanumeric characters\n";
+}
+# Good: Validate and untaint a file path
+sub untaint_filename($input) {
+    if ($input =~ m{^([a-zA-Z0-9._-]+)$}) {
+        return $1;
+    }
+    die "Invalid filename: contains unsafe characters\n";
+}
+# Bad: Overly permissive untainting (defeats the purpose)
+sub bad_untaint($input) {
+    $input =~ /^(.*)$/s;
+    return $1;  # Accepts ANYTHING — pointless
+}
+```
+## Input Validation
+### Allowlist Over Blocklist
+```perl
+use v5.36;
+# Good: Allowlist — define exactly what's permitted
+sub validate_sort_field($field) {
+    my %allowed = map { $_ => 1 } qw(name email created_at updated_at);
+    die "Invalid sort field: $field\n" unless $allowed{$field};
+    return $field;
+}
+# Good: Validate with specific patterns
+sub validate_email($email) {
+    if ($email =~ /^([a-zA-Z0-9._%+-]+\@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$/) {
+        return $1;
+    }
+    die "Invalid email address\n";
+}
+sub validate_integer($input) {
+    if ($input =~ /^(-?\d{1,10})$/) {
+        return $1 + 0;  # Coerce to number
+    }
+    die "Invalid integer\n";
+}
+# Bad: Blocklist — always incomplete
+sub bad_validate($input) {
+    die "Invalid" if $input =~ /[<>"';&|]/;  # Misses encoded attacks
+    return $input;
+}
+```
+### Length Constraints
+```perl
+use v5.36;
+sub validate_comment($text) {
+    die "Comment is required\n"        unless length($text) > 0;
+    die "Comment exceeds 10000 chars\n" if length($text) > 10_000;
+    return $text;
+}
+```
+## Safe Regular Expressions
+### ReDoS Prevention
+Catastrophic backtracking occurs with nested quantifiers on overlapping patterns.
+```perl
+use v5.36;
+# Bad: Vulnerable to ReDoS (exponential backtracking)
+my $bad_re = qr/^(a+)+$/;           # Nested quantifiers
+my $bad_re2 = qr/^([a-zA-Z]+)*$/;   # Nested quantifiers on class
+my $bad_re3 = qr/^(.*?,){10,}$/;    # Repeated greedy/lazy combo
+# Good: Rewrite without nesting
+my $good_re = qr/^a+$/;             # Single quantifier
+my $good_re2 = qr/^[a-zA-Z]+$/;     # Single quantifier on class
+# Good: Use possessive quantifiers or atomic groups to prevent backtracking
+my $safe_re = qr/^[a-zA-Z]++$/;             # Possessive (5.10+)
+my $safe_re2 = qr/^(?>a+)$/;                # Atomic group
+# Good: Enforce timeout on untrusted patterns
+use POSIX qw(alarm);
+sub safe_match($string, $pattern, $timeout = 2) {
+    my $matched;
+    eval {
+        local $SIG{ALRM} = sub { die "Regex timeout\n" };
+        alarm($timeout);
+        $matched = $string =~ $pattern;
+        alarm(0);
+    };
+    alarm(0);
+    die $@ if $@;
+    return $matched;
+}
+```
+## Safe File Operations
+### Three-Argument Open
+```perl
+use v5.36;
+# Good: Three-arg open, lexical filehandle, check return
+sub read_file($path) {
+    open my $fh, '<:encoding(UTF-8)', $path
+        or die "Cannot open '$path': $!\n";
+    local $/;
+    my $content = <$fh>;
+    close $fh;
+    return $content;
+}
+# Bad: Two-arg open with user data (command injection)
+sub bad_read($path) {
+    open my $fh, $path;        # If $path = "|rm -rf /", runs command!
+    open my $fh, "< $path";   # Shell metacharacter injection
+}
+```
+### TOCTOU Prevention and Path Traversal
+```perl
+use v5.36;
+use Fcntl qw(:DEFAULT :flock);
+use File::Spec;
+use Cwd qw(realpath);
+# Atomic file creation
+sub create_file_safe($path) {
+    sysopen(my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600)
+        or die "Cannot create '$path': $!\n";
+    return $fh;
+}
+# Validate path stays within allowed directory
+sub safe_path($base_dir, $user_path) {
+    my $real = realpath(File::Spec->catfile($base_dir, $user_path))
+        // die "Path does not exist\n";
+    my $base_real = realpath($base_dir)
+        // die "Base dir does not exist\n";
+    die "Path traversal blocked\n" unless $real =~ /^\Q$base_real\E(?:\/|\z)/;
+    return $real;
+}
+```
+Use `File::Temp` for temporary files (`tempfile(UNLINK => 1)`) and `flock(LOCK_EX)` to prevent race conditions.
+## Safe Process Execution
+### List-Form system and exec
+```perl
+use v5.36;
+# Good: List form — no shell interpolation
+sub run_command(@cmd) {
+    system(@cmd) == 0
+        or die "Command failed: @cmd\n";
+}
+run_command('grep', '-r', $user_pattern, '/var/log/app/');
+# Good: Capture output safely with IPC::Run3
+use IPC::Run3;
+sub capture_output(@cmd) {
+    my ($stdout, $stderr);
+    run3(\@cmd, \undef, \$stdout, \$stderr);
+    if ($?) {
+        die "Command failed (exit $?): $stderr\n";
+    }
+    return $stdout;
+}
+# Bad: String form — shell injection!
+sub bad_search($pattern) {
+    system("grep -r '$pattern' /var/log/app/");  # If $pattern = "'; rm -rf / #"
+}
+# Bad: Backticks with interpolation
+my $output = `ls $user_dir`;   # Shell injection risk
+```
+Also use `Capture::Tiny` for capturing stdout/stderr from external commands safely.
+## SQL Injection Prevention
+### DBI Placeholders
+```perl
+use v5.36;
+use DBI;
+my $dbh = DBI->connect($dsn, $user, $pass, {
+    RaiseError => 1,
+    PrintError => 0,
+    AutoCommit => 1,
+});
+# Good: Parameterized queries — always use placeholders
+sub find_user($dbh, $email) {
+    my $sth = $dbh->prepare('SELECT * FROM users WHERE email = ?');
+    $sth->execute($email);
+    return $sth->fetchrow_hashref;
+}
+sub search_users($dbh, $name, $status) {
+    my $sth = $dbh->prepare(
+        'SELECT * FROM users WHERE name LIKE ? AND status = ? ORDER BY name'
+    );
+    $sth->execute("%$name%", $status);
+    return $sth->fetchall_arrayref({});
+}
+# Bad: String interpolation in SQL (SQLi vulnerability!)
+sub bad_find($dbh, $email) {
+    my $sth = $dbh->prepare("SELECT * FROM users WHERE email = '$email'");
+    # If $email = "' OR 1=1 --", returns all users
+    $sth->execute;
+    return $sth->fetchrow_hashref;
+}
+```
+### Dynamic Column Allowlists
+```perl
+use v5.36;
+# Good: Validate column names against an allowlist
+sub order_by($dbh, $column, $direction) {
+    my %allowed_cols = map { $_ => 1 } qw(name email created_at);
+    my %allowed_dirs = map { $_ => 1 } qw(ASC DESC);
+    die "Invalid column: $column\n"    unless $allowed_cols{$column};
+    die "Invalid direction: $direction\n" unless $allowed_dirs{uc $direction};
+    my $sth = $dbh->prepare("SELECT * FROM users ORDER BY $column $direction");
+    $sth->execute;
+    return $sth->fetchall_arrayref({});
+}
+# Bad: Directly interpolating user-chosen column
+sub bad_order($dbh, $column) {
+    $dbh->prepare("SELECT * FROM users ORDER BY $column");  # SQLi!
+}
+```
+### DBIx::Class (ORM Safety)
+```perl
+use v5.36;
+# DBIx::Class generates safe parameterized queries
+my @users = $schema->resultset('User')->search({
+    status => 'active',
+    email  => { -like => '%@example.com' },
+}, {
+    order_by => { -asc => 'name' },
+    rows     => 50,
+});
+```
+## Web Security
+### XSS Prevention
+```perl
+use v5.36;
+use HTML::Entities qw(encode_entities);
+use URI::Escape qw(uri_escape_utf8);
+# Good: Encode output for HTML context
+sub safe_html($user_input) {
+    return encode_entities($user_input);
+}
+# Good: Encode for URL context
+sub safe_url_param($value) {
+    return uri_escape_utf8($value);
+}
+# Good: Encode for JSON context
+use JSON::MaybeXS qw(encode_json);
+sub safe_json($data) {
+    return encode_json($data);  # Handles escaping
+}
+# Template auto-escaping (Mojolicious)
+# <%= $user_input %>   — auto-escaped (safe)
+# <%== $raw_html %>    — raw output (dangerous, use only for trusted content)
+# Template auto-escaping (Template Toolkit)
+# [% user_input | html %]  — explicit HTML encoding
+# Bad: Raw output in HTML
+sub bad_html($input) {
+    print "<div>$input</div>";  # XSS if $input contains <script>
+}
+```
+### CSRF Protection
+```perl
+use v5.36;
+use Crypt::URandom qw(urandom);
+use MIME::Base64 qw(encode_base64url);
+sub generate_csrf_token() {
+    return encode_base64url(urandom(32));
+}
+```
+Use constant-time comparison when verifying tokens. Most web frameworks (Mojolicious, Dancer2, Catalyst) provide built-in CSRF protection — prefer those over hand-rolled solutions.
+### Session and Header Security
+```perl
+use v5.36;
+# Mojolicious session + headers
+$app->secrets(['long-random-secret-rotated-regularly']);
+$app->sessions->secure(1);          # HTTPS only
+$app->sessions->samesite('Lax');
+$app->hook(after_dispatch => sub ($c) {
+    $c->res->headers->header('X-Content-Type-Options' => 'nosniff');
+    $c->res->headers->header('X-Frame-Options'        => 'DENY');
+    $c->res->headers->header('Content-Security-Policy' => "default-src 'self'");
+    $c->res->headers->header('Strict-Transport-Security' => 'max-age=31536000; includeSubDomains');
+});
+```
+## Output Encoding
+Always encode output for its context: `HTML::Entities::encode_entities()` for HTML, `URI::Escape::uri_escape_utf8()` for URLs, `JSON::MaybeXS::encode_json()` for JSON.
+## CPAN Module Security
+- **Pin versions** in cpanfile: `requires 'DBI', '== 1.643';`
+- **Prefer maintained modules**: Check MetaCPAN for recent releases
+- **Minimize dependencies**: Each dependency is an attack surface
+## Security Tooling
+### perlcritic Security Policies
+```ini
+# .perlcriticrc — security-focused configuration
+severity = 3
+theme = security + core
+# Require three-arg open
+[InputOutput::RequireThreeArgOpen]
+severity = 5
+# Require checked system calls
+[InputOutput::RequireCheckedSyscalls]
+functions = :builtins
+severity = 4
+# Prohibit string eval
+[BuiltinFunctions::ProhibitStringyEval]
+severity = 5
+# Prohibit backtick operators
+[InputOutput::ProhibitBacktickOperators]
+severity = 4
+# Require taint checking in CGI
+[Modules::RequireTaintChecking]
+severity = 5
+# Prohibit two-arg open
+[InputOutput::ProhibitTwoArgOpen]
+severity = 5
+# Prohibit bare-word filehandles
+[InputOutput::ProhibitBarewordFileHandles]
+severity = 5
+```
+### Running perlcritic
+```bash
+# Check a file
+perlcritic --severity 3 --theme security lib/MyApp/Handler.pm
+# Check entire project
+perlcritic --severity 3 --theme security lib/
+# CI integration
+perlcritic --severity 4 --theme security --quiet lib/ || exit 1
+```
+## Quick Security Checklist
+| Check | What to Verify |
+|---|---|
+| Taint mode | `-T` flag on CGI/web scripts |
+| Input validation | Allowlist patterns, length limits |
+| File operations | Three-arg open, path traversal checks |
+| Process execution | List-form system, no shell interpolation |
+| SQL queries | DBI placeholders, never interpolate |
+| HTML output | `encode_entities()`, template auto-escape |
+| CSRF tokens | Generated, verified on state-changing requests |
+| Session config | Secure, HttpOnly, SameSite cookies |
+| HTTP headers | CSP, X-Frame-Options, HSTS |
+| Dependencies | Pinned versions, audited modules |
+| Regex safety | No nested quantifiers, anchored patterns |
+| Error messages | No stack traces or paths leaked to users |
+## Anti-Patterns
+```perl
+# 1. Two-arg open with user data (command injection)
+open my $fh, $user_input;               # CRITICAL vulnerability
+# 2. String-form system (shell injection)
+system("convert $user_file output.png"); # CRITICAL vulnerability
+# 3. SQL string interpolation
+$dbh->do("DELETE FROM users WHERE id = $id");  # SQLi
+# 4. eval with user input (code injection)
+eval $user_code;                         # Remote code execution
+# 5. Trusting $ENV without sanitizing
+my $path = $ENV{UPLOAD_DIR};             # Could be manipulated
+system("ls $path");                      # Double vulnerability
+# 6. Disabling taint without validation
+($input) = $input =~ /(.*)/s;           # Lazy untaint — defeats purpose
+# 7. Raw user data in HTML
+print "<div>Welcome, $username!</div>";  # XSS
+# 8. Unvalidated redirects
+print $cgi->redirect($user_url);         # Open redirect
+```
+**Remember**: Perl's flexibility is powerful but requires discipline. Use taint mode for web-facing code, validate all input with allowlists, use DBI placeholders for every query, and encode all output for its context. Defense in depth — never rely on a single layer.