@qball-inc/the-bulwark 1.0.0

package/skills/bug-magnet-data/data/collections/arrays.yaml

@@ -0,0 +1,114 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: collections
+subcategory: arrays
+tier: T0
+
+bugs_caught:
+  - "Index out of bounds"
+  - "Empty array handling"
+  - "Array mutation bugs"
+
+values:
+  empty:
+    value: []
+    bugs_caught:
+      - "Empty array iteration"
+      - "First/last element access on empty"
+      - "Reduce without initial value"
+    safe_for_automation: true
+
+  single_element:
+    value: ["only"]
+    bugs_caught:
+      - "Single element handling"
+      - "prev/next navigation edge"
+    safe_for_automation: true
+
+  two_elements:
+    value: ["first", "last"]
+    bugs_caught:
+      - "Two-element array"
+      - "First !== last distinction"
+    safe_for_automation: true
+
+  large_array:
+    value_template: "Array(10000).fill('item')"
+    bugs_caught:
+      - "Performance with large arrays"
+      - "Memory allocation"
+    safe_for_automation: true
+
+  nested_arrays:
+    value: [["a", "b"], ["c", "d"]]
+    bugs_caught:
+      - "Nested array handling"
+      - "Flattening operations"
+    safe_for_automation: true
+
+  deeply_nested:
+    value: [[[[["deep"]]]]]
+    bugs_caught:
+      - "Deep nesting handling"
+      - "Stack overflow on recursion"
+    safe_for_automation: true
+
+  mixed_types:
+    value: [1, "two", true, null, {"key": "value"}]
+    bugs_caught:
+      - "Mixed type array handling"
+      - "Type assumptions"
+    safe_for_automation: true
+
+  sparse_array:
+    value_template: "[1, , , 4]"
+    bugs_caught:
+      - "Sparse array holes"
+      - "undefined vs hole distinction"
+    safe_for_automation: true
+    note: "Array with holes (not undefined values)"
+
+  array_with_undefined:
+    value: [1, "undefined", 3]
+    bugs_caught:
+      - "Explicit undefined values"
+    safe_for_automation: true
+
+  array_with_null:
+    value: [1, null, 3]
+    bugs_caught:
+      - "Null values in array"
+      - "Filter/map with nulls"
+    safe_for_automation: true
+
+  duplicate_elements:
+    value: ["a", "b", "a", "c", "a"]
+    bugs_caught:
+      - "Duplicate handling"
+      - "Set conversion edge cases"
+    safe_for_automation: true
+
+  array_like:
+    value_template: "{0: 'a', 1: 'b', length: 2}"
+    bugs_caught:
+      - "Array-like object handling"
+      - "Array.from requirements"
+    safe_for_automation: true
+    note: "Object with numeric keys and length"
+
+  negative_index:
+    access: "arr[-1]"
+    bugs_caught:
+      - "Negative index access"
+      - "Language-specific behavior (Python vs JS)"
+    safe_for_automation: true
+
+  float_index:
+    access: "arr[1.5]"
+    bugs_caught:
+      - "Non-integer index"
+      - "Implicit truncation"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/collections/objects.yaml

@@ -0,0 +1,123 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: collections
+subcategory: objects
+tier: T0
+
+bugs_caught:
+  - "Null reference on property access"
+  - "Prototype pollution"
+  - "Circular reference handling"
+
+values:
+  empty:
+    value: {}
+    bugs_caught:
+      - "Empty object handling"
+      - "Object.keys empty check"
+    safe_for_automation: true
+
+  single_property:
+    value: {"key": "value"}
+    bugs_caught:
+      - "Single property access"
+    safe_for_automation: true
+
+  nested:
+    value: {"a": {"b": {"c": "deep"}}}
+    bugs_caught:
+      - "Nested property access"
+      - "Optional chaining need"
+    safe_for_automation: true
+
+  deeply_nested:
+    value: {"l1": {"l2": {"l3": {"l4": {"l5": "value"}}}}}
+    bugs_caught:
+      - "Deep nesting handling"
+      - "Stack overflow on recursion"
+    safe_for_automation: true
+
+  null_value:
+    value: {"key": null}
+    bugs_caught:
+      - "Null property value"
+      - "hasOwnProperty vs truthy check"
+    safe_for_automation: true
+
+  undefined_value:
+    value: {"key": "undefined"}
+    bugs_caught:
+      - "Undefined property value"
+    safe_for_automation: true
+
+  numeric_keys:
+    value: {"0": "zero", "1": "one"}
+    bugs_caught:
+      - "Numeric string keys"
+      - "Array-like object confusion"
+    safe_for_automation: true
+
+  special_keys:
+    value: {"": "empty", " ": "space", "a.b": "dotted"}
+    bugs_caught:
+      - "Special key handling"
+      - "Dot notation failure"
+    safe_for_automation: true
+
+  # Prototype pollution vectors
+  proto_key:
+    value: {"__proto__": {"polluted": true}}
+    bugs_caught:
+      - "Prototype pollution"
+      - "__proto__ key handling"
+    safe_for_automation: true
+    severity: security
+
+  constructor_key:
+    value: {"constructor": {"prototype": {}}}
+    bugs_caught:
+      - "Constructor pollution"
+    safe_for_automation: true
+    severity: security
+
+  prototype_key:
+    value: {"prototype": {"polluted": true}}
+    bugs_caught:
+      - "Prototype key confusion"
+    safe_for_automation: true
+
+  # Special built-in keys
+  hasownproperty_key:
+    value: {"hasOwnProperty": "overwritten"}
+    bugs_caught:
+      - "Built-in method shadowing"
+    safe_for_automation: true
+
+  tostring_key:
+    value: {"toString": "not a function"}
+    bugs_caught:
+      - "toString override"
+      - "String coercion failure"
+    safe_for_automation: true
+
+  # Circular reference
+  circular:
+    value_template: "let obj = {}; obj.self = obj;"
+    bugs_caught:
+      - "Circular reference handling"
+      - "JSON.stringify failure"
+      - "Infinite recursion"
+    safe_for_automation: true
+    note: "Object containing reference to itself"
+
+  # Symbol keys
+  symbol_key:
+    value_template: "{[Symbol('key')]: 'value'}"
+    bugs_caught:
+      - "Symbol key enumeration"
+      - "Object.keys misses symbols"
+    safe_for_automation: true
+    note: "JavaScript Symbol as key"

package/skills/bug-magnet-data/data/concurrency/race-conditions.yaml

@@ -0,0 +1,118 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: concurrency
+subcategory: race-conditions
+tier: T2
+type: scenario_pattern
+
+bugs_caught:
+  - "Race conditions"
+  - "Data corruption"
+  - "Lost updates"
+
+scenarios:
+  double_submit:
+    description: "User submits form twice rapidly"
+    setup: "Create pending transaction or form state"
+    action: "Submit same request 2x with <100ms delay"
+    expected_behavior: "Second request rejected or idempotent"
+    bugs_caught:
+      - "Duplicate records created"
+      - "Double charge/action"
+      - "Non-idempotent operations"
+    safe_for_automation: true
+
+  concurrent_edit:
+    description: "Two users edit same record simultaneously"
+    setup: "User A and B both load record #123"
+    action: "User A saves, then User B saves"
+    expected_behavior: "Conflict detection or last-write-wins"
+    bugs_caught:
+      - "Lost updates"
+      - "Data corruption"
+      - "No optimistic locking"
+    safe_for_automation: true
+
+  read_modify_write:
+    description: "Increment counter from multiple sources"
+    setup: "Counter at value 10"
+    action: "Two processes read 10, add 1, write 11"
+    expected_behavior: "Final value should be 12"
+    bugs_caught:
+      - "Non-atomic operations"
+      - "Counter drift"
+    safe_for_automation: true
+
+  check_then_act:
+    description: "File exists check before operation"
+    setup: "File may or may not exist"
+    action: "Check exists, then read/delete"
+    expected_behavior: "Handle file disappearing between check and act"
+    bugs_caught:
+      - "TOCTOU (time-of-check-time-of-use)"
+      - "File deleted between check and use"
+    safe_for_automation: true
+
+  lazy_initialization:
+    description: "Singleton or lazy init from multiple threads"
+    setup: "Uninitialized shared resource"
+    action: "Multiple threads trigger initialization"
+    expected_behavior: "Only one instance created"
+    bugs_caught:
+      - "Multiple singleton instances"
+      - "Initialization race"
+    safe_for_automation: true
+
+  cache_stampede:
+    description: "Cache expires while many requests arrive"
+    setup: "Cached value about to expire"
+    action: "Many requests hit as cache expires"
+    expected_behavior: "Only one backend call, others wait"
+    bugs_caught:
+      - "Thundering herd"
+      - "Backend overload"
+    safe_for_automation: true
+
+  publish_subscribe_ordering:
+    description: "Message ordering in pub/sub"
+    setup: "Subscriber expecting ordered events"
+    action: "Publisher sends A, B, C rapidly"
+    expected_behavior: "Subscriber receives A, B, C in order"
+    bugs_caught:
+      - "Out-of-order messages"
+      - "Lost messages"
+    safe_for_automation: true
+
+  connection_pool_exhaustion:
+    description: "All connections in use when new request arrives"
+    setup: "Pool at max capacity"
+    action: "New request needs connection"
+    expected_behavior: "Timeout or queue, not hang"
+    bugs_caught:
+      - "Deadlock"
+      - "Infinite wait"
+    safe_for_automation: true
+
+  transaction_isolation:
+    description: "Concurrent transactions reading/writing same data"
+    setup: "Transaction A reads, Transaction B writes"
+    action: "A reads again after B commits"
+    expected_behavior: "Consistent read based on isolation level"
+    bugs_caught:
+      - "Phantom reads"
+      - "Non-repeatable reads"
+      - "Dirty reads"
+    safe_for_automation: true
+
+  websocket_reconnect:
+    description: "Reconnection during active operation"
+    setup: "WebSocket connection active with pending request"
+    action: "Connection drops, client reconnects"
+    expected_behavior: "Pending operation handled correctly"
+    bugs_caught:
+      - "Lost requests"
+      - "Duplicate processing on retry"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/concurrency/state-machines.yaml

@@ -0,0 +1,115 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: concurrency
+subcategory: state-machines
+tier: T2
+type: scenario_pattern
+
+bugs_caught:
+  - "Invalid state transitions"
+  - "Stuck states"
+  - "Interrupted workflows"
+
+scenarios:
+  invalid_transition:
+    description: "Attempt transition that shouldn't be allowed"
+    setup: "Order in 'shipped' state"
+    action: "Try to mark as 'pending'"
+    expected_behavior: "Transition rejected with error"
+    bugs_caught:
+      - "Invalid state transition allowed"
+      - "Business rule violation"
+    safe_for_automation: true
+
+  skip_required_state:
+    description: "Jump directly to final state"
+    setup: "Order in 'pending' state"
+    action: "Try to mark as 'delivered' without 'shipped'"
+    expected_behavior: "Transition rejected"
+    bugs_caught:
+      - "Skipped required state"
+      - "Missing validation"
+    safe_for_automation: true
+
+  duplicate_transition:
+    description: "Apply same transition twice"
+    setup: "Order in 'pending' state"
+    action: "Ship order twice"
+    expected_behavior: "Second transition no-op or error"
+    bugs_caught:
+      - "Duplicate action processing"
+      - "Non-idempotent transitions"
+    safe_for_automation: true
+
+  interrupted_flow:
+    description: "Process crashes mid-transition"
+    setup: "Multi-step state change in progress"
+    action: "Crash after first step, before commit"
+    expected_behavior: "Rollback or resumable state"
+    bugs_caught:
+      - "Inconsistent state"
+      - "Orphaned records"
+    safe_for_automation: true
+
+  terminal_state_escape:
+    description: "Try to exit terminal state"
+    setup: "Order in 'cancelled' (terminal) state"
+    action: "Try to reopen or ship"
+    expected_behavior: "Transition rejected"
+    bugs_caught:
+      - "Terminal state escape"
+      - "Zombie records"
+    safe_for_automation: true
+
+  parallel_conflicting_transitions:
+    description: "Two valid transitions attempted simultaneously"
+    setup: "Order in 'pending' state"
+    action: "User A ships, User B cancels at same time"
+    expected_behavior: "One succeeds, one fails"
+    bugs_caught:
+      - "Both transitions applied"
+      - "Inconsistent final state"
+    safe_for_automation: true
+
+  timeout_transition:
+    description: "State expires without action"
+    setup: "Order in 'awaiting_payment' with 30min timeout"
+    action: "Wait for timeout"
+    expected_behavior: "Auto-transition to 'expired'"
+    bugs_caught:
+      - "Stuck in waiting state"
+      - "Timer not firing"
+    safe_for_automation: true
+
+  retry_failed_transition:
+    description: "Transition fails, then retry"
+    setup: "Payment transition failed"
+    action: "User retries payment"
+    expected_behavior: "Retry allowed from failed state"
+    bugs_caught:
+      - "Retry blocked"
+      - "Wrong state after failure"
+    safe_for_automation: true
+
+  conditional_branch:
+    description: "State transition with conditions"
+    setup: "Order with mixed inventory (some available, some not)"
+    action: "Process order"
+    expected_behavior: "Correct branch based on condition"
+    bugs_caught:
+      - "Wrong branch taken"
+      - "Condition evaluated incorrectly"
+    safe_for_automation: true
+
+  reentry_same_state:
+    description: "Transition to current state"
+    setup: "Order in 'processing' state"
+    action: "Mark as 'processing' again"
+    expected_behavior: "No-op or trigger side effects?"
+    bugs_caught:
+      - "Unexpected side effects on re-entry"
+      - "Counter increment on no-op"
+    safe_for_automation: true

package/skills/bug-magnet-data/data/dates/boundaries.yaml

@@ -0,0 +1,137 @@
+metadata:
+  version: "1.0.0"
+  last_updated: "2026-02-01"
+  source_urls: []
+
+category: dates
+subcategory: boundaries
+tier: T2
+
+bugs_caught:
+  - "Epoch handling"
+  - "Y2K38 overflow"
+  - "Leap year calculations"
+
+values:
+  epoch:
+    value: "1970-01-01T00:00:00Z"
+    timestamp: 0
+    bugs_caught:
+      - "Epoch/zero date handling"
+      - "Default date confusion"
+    safe_for_automation: true
+
+  before_epoch:
+    value: "1969-12-31T23:59:59Z"
+    timestamp: -1
+    bugs_caught:
+      - "Negative timestamp handling"
+      - "Pre-epoch dates"
+    safe_for_automation: true
+
+  y2k:
+    value: "2000-01-01T00:00:00Z"
+    bugs_caught:
+      - "Y2K date handling"
+    safe_for_automation: true
+
+  y2k38:
+    value: "2038-01-19T03:14:07Z"
+    timestamp: 2147483647
+    bugs_caught:
+      - "Y2K38 32-bit overflow"
+      - "Unix timestamp max"
+    safe_for_automation: true
+
+  y2k38_plus_1:
+    value: "2038-01-19T03:14:08Z"
+    timestamp: 2147483648
+    bugs_caught:
+      - "Y2K38 overflow"
+      - "32-bit signed integer overflow"
+    safe_for_automation: true
+
+  leap_year_feb_29:
+    value: "2024-02-29"
+    bugs_caught:
+      - "Leap year February 29"
+    safe_for_automation: true
+
+  non_leap_year_feb_28:
+    value: "2023-02-28"
+    bugs_caught:
+      - "Non-leap year February end"
+    safe_for_automation: true
+
+  century_non_leap:
+    value: "1900-02-28"
+    bugs_caught:
+      - "Century year not divisible by 400"
+      - "1900 was not a leap year"
+    safe_for_automation: true
+
+  century_leap:
+    value: "2000-02-29"
+    bugs_caught:
+      - "Century year divisible by 400"
+      - "2000 was a leap year"
+    safe_for_automation: true
+
+  month_31_days:
+    value: "2024-01-31"
+    bugs_caught:
+      - "31-day month end"
+    safe_for_automation: true
+
+  month_30_days:
+    value: "2024-04-30"
+    bugs_caught:
+      - "30-day month end"
+    safe_for_automation: true
+
+  year_end:
+    value: "2024-12-31T23:59:59Z"
+    bugs_caught:
+      - "Year end handling"
+      - "New Year rollover"
+    safe_for_automation: true
+
+  year_start:
+    value: "2024-01-01T00:00:00Z"
+    bugs_caught:
+      - "Year start handling"
+    safe_for_automation: true
+
+  far_future:
+    value: "9999-12-31T23:59:59Z"
+    bugs_caught:
+      - "Far future date handling"
+    safe_for_automation: true
+
+  far_past:
+    value: "0001-01-01T00:00:00Z"
+    bugs_caught:
+      - "Far past date handling"
+      - "Year 1 AD"
+    safe_for_automation: true
+
+  midnight:
+    value: "2024-06-15T00:00:00Z"
+    bugs_caught:
+      - "Midnight handling"
+      - "Day boundary"
+    safe_for_automation: true
+
+  end_of_day:
+    value: "2024-06-15T23:59:59Z"
+    bugs_caught:
+      - "End of day"
+      - "23:59:59 vs 24:00:00"
+    safe_for_automation: true
+
+  noon:
+    value: "2024-06-15T12:00:00Z"
+    bugs_caught:
+      - "Noon/12 PM handling"
+      - "AM/PM boundary"
+    safe_for_automation: true