@luquimbo/bi-superpowers 4.1.2 → 4.1.3

package/skills/report-design/references/textbox.md

@@ -98,4 +98,4 @@ cat > "<reportPath>/definition/pages/<pageName>/visuals/<visualName>/visual.json
 EOF
 ```
 
-A reusable helper script (`scripts/write-textbox.sh`) is a v4.1 candidate; v4.0.0 ships with the heredoc pattern.
+Prefer `scripts/create-visual.js --type textbox` for new textboxes. Keep the heredoc pattern above only as a fallback when the helper script is unavailable.

package/skills/report-design/scripts/create-visual.js

@@ -679,6 +679,66 @@ function nextInt(existing, key) {
   return max + 1;
 }
 
+function validateVisualName(name) {
+  if (typeof name !== 'string' || name.trim() === '') {
+    fail('--name must be a non-empty visual folder name');
+  }
+
+  if (name !== name.trim()) {
+    fail(`--name must not have leading or trailing whitespace (got: ${JSON.stringify(name)})`);
+  }
+
+  if (
+    name === '.' ||
+    name === '..' ||
+    /[\\/]/.test(name) ||
+    path.basename(name) !== name ||
+    path.win32.basename(name) !== name ||
+    path.posix.basename(name) !== name
+  ) {
+    fail(`--name must be a single visual folder name, not a path (got: ${JSON.stringify(name)})`);
+  }
+
+  if (/[\u0000-\u001f<>:"|?*]/.test(name)) {
+    fail(`--name contains characters that are not valid in a Windows folder name (got: ${JSON.stringify(name)})`);
+  }
+}
+
+function validateNumericOptions(args) {
+  const numericOptions = [
+    ['x', '--x'],
+    ['y', '--y'],
+    ['z', '-z'],
+    ['width', '--width'],
+    ['height', '--height'],
+    ['tabOrder', '--tab-order'],
+  ];
+
+  for (const [key, flag] of numericOptions) {
+    if (args[key] != null && !Number.isFinite(args[key])) {
+      fail(`${flag} must be a finite number`);
+    }
+  }
+
+  for (const [key, flag] of [
+    ['width', '--width'],
+    ['height', '--height'],
+  ]) {
+    if (args[key] != null && args[key] <= 0) {
+      fail(`${flag} must be greater than 0`);
+    }
+  }
+}
+
+function assertPathInside(childPath, parentPath, label) {
+  const parent = path.resolve(parentPath);
+  const child = path.resolve(childPath);
+  const relative = path.relative(parent, child);
+  if (!relative || relative.startsWith('..') || path.isAbsolute(relative)) {
+    fail(`${label} resolved outside the expected directory: ${child}`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // main()
 // ---------------------------------------------------------------------------
@@ -698,6 +758,7 @@ function main() {
   if (!args.reportPath) fail('--report-path is required');
   if (!args.page) fail('--page is required');
   if (!args.type) fail('--type is required (use --list-types to see options)');
+  validateNumericOptions(args);
 
   // ---- type validation with friendly errors for known non-native aliases
   if (KNOWN_NON_NATIVE_TYPES[args.type]) {
@@ -727,8 +788,11 @@ function main() {
     } while (existing.some((v) => v.name === candidate));
     name = candidate;
   }
+  validateVisualName(name);
 
-  const visualDir = path.join(pageDir, 'visuals', name);
+  const visualsDir = path.join(pageDir, 'visuals');
+  const visualDir = path.join(visualsDir, name);
+  assertPathInside(visualDir, visualsDir, '--name');
   const visualJsonPath = path.join(visualDir, 'visual.json');
   if (fs.existsSync(visualJsonPath)) {
     fail(

package/skills/report-design/scripts/update-check.js

@@ -47,7 +47,7 @@ const HTTPS_TIMEOUT_MS = 5000;
 // Rewritten at generation time when this helper is copied into
 // `skills/<name>/scripts/update-check.js`. In the canonical source under
 // `bin/commands/`, it stays null and we fall back to package.json.
-const BUNDLED_INSTALLED_VERSION = "4.1.2";
+const BUNDLED_INSTALLED_VERSION = "4.1.3";
 
 // ---------------------------------------------------------------------------
 // Argument parsing

package/skills/report-design/scripts/validate-pbir.js

@@ -130,6 +130,33 @@ function boundRoles(visualData) {
   return bound;
 }
 
+function validatePosition(position) {
+  const errors = [];
+  const requiredFields = ['x', 'y', 'z', 'height', 'width', 'tabOrder'];
+
+  if (!position || typeof position !== 'object') {
+    return requiredFields.map((field) => ({
+      severity: 'error',
+      rule: 'position-number',
+      field,
+      message: `position.${field} must be a finite number`,
+    }));
+  }
+
+  for (const field of requiredFields) {
+    if (!Number.isFinite(position[field])) {
+      errors.push({
+        severity: 'error',
+        rule: 'position-number',
+        field,
+        message: `position.${field} must be a finite number`,
+      });
+    }
+  }
+
+  return errors;
+}
+
 function validateVisual(visual) {
   const errors = [];
   const { data, path: filePath } = visual;
@@ -148,6 +175,8 @@ function validateVisual(visual) {
     errors.push({ severity: 'error', rule: 'name', message: 'missing "name"' });
   }
 
+  errors.push(...validatePosition(data.position));
+
   const vt = data.visual && data.visual.visualType;
   if (!vt) {
     errors.push({ severity: 'error', rule: 'visual-type', message: 'missing visualType' });

package/src/content/skills/report-design/SKILL.md

@@ -266,7 +266,7 @@ Do NOT hand-author `report.json` theme metadata. The canonical PBIR shape (for r
 - `resourcePackages` includes a `{name: "RegisteredResources", type: "RegisteredResources"}` package whose `items[]` has `{name: "<file>.json", path: "<file>.json", type: "CustomTheme"}`
 - the theme file itself lives at `<reportPath>/StaticResources/RegisteredResources/<file>.json`
 
-**Conditional formatting (variance KPI green/red, diverging matrix gradients, signed-color bars) is DEFERRED to v4.1.** The layouts mention conditional color in design notes; in v4.0.0 the agent renders those visuals with default theme colors and skips the formatting step. Do not call `pbi format` from this skill in v4.0.0 — the `pbi format` syntax is not yet documented or tested for our use cases. Better a plain report that renders than a fancy one that breaks.
+**Conditional formatting note.** Layout notes may describe variance colors, diverging matrix gradients, or signed-color bars as design intent. The current `report-design` flow does not author those formatting rules. Render those visuals with theme/default colors unless you have a tested PBIR formatting implementation. Do not invent `pbi format` calls from this skill.
 
 ### 4.4 Validate (two layers)
 

package/src/content/skills/report-design/references/layouts/finance.md

@@ -28,7 +28,7 @@ Roles used below (to be resolved via the MCP):
 | Scenario slicer | slicer (manual JSON — see `references/slicer.md`) | 848, 312, 336, 80 | `Scenario[Scenario]` |
 
 **Design notes:**
-- Variance KPI: conditional formatting (green positive, red negative) is deferred to v4.1 — render as plain card for v4.0.0.
+- Variance KPI: green/red conditional coloring is design intent only. Render as a plain card with theme/default colors unless a tested PBIR formatting implementation is available.
 - Year slicer default: current year (single-select).
 
 ---
@@ -61,5 +61,5 @@ Roles used below (to be resolved via the MCP):
 | Account × Month matrix | matrix | 16, 512, 1168, 144 | rows: `account-dim-column`, cols: `'Date'[Month]`, values: `variance-measure` with diverging gradient |
 
 **Design notes:**
-- Variance-sign coloring (diverging palette) is deferred to v4.1 — render bars/matrix with default theme colors for v4.0.0.
+- Variance-sign coloring (diverging palette) is design intent only. Render bars/matrix with theme/default colors unless a tested PBIR formatting implementation is available.
 - The bottom matrix is short (144px) so it acts as a "heatmap strip" rather than a scrollable table.

package/src/content/skills/report-design/references/native-visuals.md

@@ -311,7 +311,7 @@ Si PBI Desktop introduce un visualType nuevo (o encontrás uno nativo que falta
 
 ## Features de `visual.json` que `create-visual.js` NO soporta todavía
 
-Descubiertos al regenerar la smoke-test "Galería de Visuales" end-to-end con el script (backlog item 2, cycle v4.1). No bloquean el authoring — la shape que emite el script pasa `pbi report validate` y `validate-pbir.js` — pero sí dejan regresiones visuales si el `visual.json` hand-written aprovechaba alguno de estos features:
+Descubiertos al regenerar la smoke-test "Galería de Visuales" end-to-end con el script. No bloquean el authoring — la shape que emite el script pasa `pbi report validate` y `validate-pbir.js` — pero sí dejan regresiones visuales si el `visual.json` hand-written aprovechaba alguno de estos features:
 
 1. **`query.sortDefinition`** — sort explícito por medida/columna con dirección. `create-visual.js` no lo emite, así que un visual "ranking" tipo barChart ordenado descendente por una medida pierde el orden en la regeneración. **Workaround**: ordenar en Desktop manualmente después del `.pbip` abrir, o hand-extender el `visual.json` con `sortDefinition` post-creación. **Fix futuro**: `--sort-by "Role:Field" --sort-dir descending` en `create-visual.js`.
 
@@ -319,7 +319,7 @@ Descubiertos al regenerar la smoke-test "Galería de Visuales" end-to-end con el
 
 3. **`queryState.<Role>.projections[].active`** — las columnas siempre salen con `active: true`, las medidas nunca. Si un visual hand-written tenía `active: true` en una medida (para indicar que la medida es la "default Y") o `active: false` en una columna (hidden projection), el script normaliza. Rara vez significativo para el render pero cambia el shape JSON.
 
-4. **Formato condicional**: colores signados (positivo verde / negativo rojo), gradientes en matriz, data bars en tabla. Ninguno de estos expresa shape via `create-visual.js`. Quedó deferido a v4.1+ en `SKILL.md` PHASE 4.3.
+4. **Formato condicional**: colores signados (positivo verde / negativo rojo), gradientes en matriz, data bars en tabla. Ninguno de estos expresa shape via `create-visual.js`; tratarlos como diseño previsto hasta que exista una implementación PBIR testeada.
 
 Cualquier cambio en el script que cubra estos gaps debe: (a) agregar el flag a `parseArgs`, (b) cubrirlo con tests en `create-visual.test.js`, (c) documentarlo en este archivo, (d) regenerar la Galería para que ejercite el feature.
 

package/src/content/skills/report-design/references/slicer.md

@@ -86,4 +86,4 @@ cat > "<reportPath>/definition/pages/<pageName>/visuals/<visualName>/visual.json
 EOF
 ```
 
-A reusable helper script (`scripts/write-slicer.sh`) is a v4.1 candidate; v4.0.0 ships with the heredoc pattern.
+Prefer `scripts/create-visual.js --type slicer` for new slicers. Keep the heredoc pattern above only as a fallback when the helper script is unavailable.

package/src/content/skills/report-design/references/textbox.md

@@ -98,4 +98,4 @@ cat > "<reportPath>/definition/pages/<pageName>/visuals/<visualName>/visual.json
 EOF
 ```
 
-A reusable helper script (`scripts/write-textbox.sh`) is a v4.1 candidate; v4.0.0 ships with the heredoc pattern.
+Prefer `scripts/create-visual.js --type textbox` for new textboxes. Keep the heredoc pattern above only as a fallback when the helper script is unavailable.

package/src/content/skills/report-design/scripts/create-visual.js

@@ -679,6 +679,66 @@ function nextInt(existing, key) {
   return max + 1;
 }
 
+function validateVisualName(name) {
+  if (typeof name !== 'string' || name.trim() === '') {
+    fail('--name must be a non-empty visual folder name');
+  }
+
+  if (name !== name.trim()) {
+    fail(`--name must not have leading or trailing whitespace (got: ${JSON.stringify(name)})`);
+  }
+
+  if (
+    name === '.' ||
+    name === '..' ||
+    /[\\/]/.test(name) ||
+    path.basename(name) !== name ||
+    path.win32.basename(name) !== name ||
+    path.posix.basename(name) !== name
+  ) {
+    fail(`--name must be a single visual folder name, not a path (got: ${JSON.stringify(name)})`);
+  }
+
+  if (/[\u0000-\u001f<>:"|?*]/.test(name)) {
+    fail(`--name contains characters that are not valid in a Windows folder name (got: ${JSON.stringify(name)})`);
+  }
+}
+
+function validateNumericOptions(args) {
+  const numericOptions = [
+    ['x', '--x'],
+    ['y', '--y'],
+    ['z', '-z'],
+    ['width', '--width'],
+    ['height', '--height'],
+    ['tabOrder', '--tab-order'],
+  ];
+
+  for (const [key, flag] of numericOptions) {
+    if (args[key] != null && !Number.isFinite(args[key])) {
+      fail(`${flag} must be a finite number`);
+    }
+  }
+
+  for (const [key, flag] of [
+    ['width', '--width'],
+    ['height', '--height'],
+  ]) {
+    if (args[key] != null && args[key] <= 0) {
+      fail(`${flag} must be greater than 0`);
+    }
+  }
+}
+
+function assertPathInside(childPath, parentPath, label) {
+  const parent = path.resolve(parentPath);
+  const child = path.resolve(childPath);
+  const relative = path.relative(parent, child);
+  if (!relative || relative.startsWith('..') || path.isAbsolute(relative)) {
+    fail(`${label} resolved outside the expected directory: ${child}`);
+  }
+}
+
 // ---------------------------------------------------------------------------
 // main()
 // ---------------------------------------------------------------------------
@@ -698,6 +758,7 @@ function main() {
   if (!args.reportPath) fail('--report-path is required');
   if (!args.page) fail('--page is required');
   if (!args.type) fail('--type is required (use --list-types to see options)');
+  validateNumericOptions(args);
 
   // ---- type validation with friendly errors for known non-native aliases
   if (KNOWN_NON_NATIVE_TYPES[args.type]) {
@@ -727,8 +788,11 @@ function main() {
     } while (existing.some((v) => v.name === candidate));
     name = candidate;
   }
+  validateVisualName(name);
 
-  const visualDir = path.join(pageDir, 'visuals', name);
+  const visualsDir = path.join(pageDir, 'visuals');
+  const visualDir = path.join(visualsDir, name);
+  assertPathInside(visualDir, visualsDir, '--name');
   const visualJsonPath = path.join(visualDir, 'visual.json');
   if (fs.existsSync(visualJsonPath)) {
     fail(

package/src/content/skills/report-design/scripts/validate-pbir.js

@@ -130,6 +130,33 @@ function boundRoles(visualData) {
   return bound;
 }
 
+function validatePosition(position) {
+  const errors = [];
+  const requiredFields = ['x', 'y', 'z', 'height', 'width', 'tabOrder'];
+
+  if (!position || typeof position !== 'object') {
+    return requiredFields.map((field) => ({
+      severity: 'error',
+      rule: 'position-number',
+      field,
+      message: `position.${field} must be a finite number`,
+    }));
+  }
+
+  for (const field of requiredFields) {
+    if (!Number.isFinite(position[field])) {
+      errors.push({
+        severity: 'error',
+        rule: 'position-number',
+        field,
+        message: `position.${field} must be a finite number`,
+      });
+    }
+  }
+
+  return errors;
+}
+
 function validateVisual(visual) {
   const errors = [];
   const { data, path: filePath } = visual;
@@ -148,6 +175,8 @@ function validateVisual(visual) {
     errors.push({ severity: 'error', rule: 'name', message: 'missing "name"' });
   }
 
+  errors.push(...validatePosition(data.position));
+
   const vt = data.visual && data.visual.visualType;
   if (!vt) {
     errors.push({ severity: 'error', rule: 'visual-type', message: 'missing visualType' });