@raishin/vanguard-frontier-agentic 3.0.1 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (873) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15389 -12589
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +3 -2
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/generate-docs-data.mjs +1 -0
  333. package/scripts/generate-kiro-powers.mjs +12 -0
  334. package/scripts/update-catalog-new-agents.py +6 -1
  335. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  336. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  340. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  341. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  342. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  344. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  345. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  346. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  348. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  353. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  354. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  355. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  356. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  357. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  358. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  359. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  360. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  361. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  362. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  363. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  368. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  374. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  375. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  376. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  377. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  378. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  379. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  380. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  381. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  382. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  383. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  384. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  385. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  386. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  387. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  390. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  391. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  392. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  393. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  394. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  395. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  396. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  399. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  404. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  405. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  406. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  407. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  408. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  409. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  410. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  411. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  413. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  414. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  415. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  418. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  419. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  420. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  422. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  423. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  424. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  425. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  426. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  427. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  434. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  439. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  443. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  444. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  445. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  446. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  447. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  448. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  449. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  454. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  459. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  460. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  461. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  463. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  464. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  465. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  469. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  470. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  471. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  472. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  473. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  474. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  475. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  476. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  479. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  484. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  485. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  486. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  489. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  494. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  495. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  496. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  498. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  499. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  500. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  503. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  507. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  512. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  513. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  514. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  515. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  516. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  517. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  523. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  524. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  525. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  528. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  529. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  530. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  534. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  535. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  536. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  539. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  540. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  541. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  542. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  543. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  548. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  549. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  550. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  551. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  552. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  553. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  554. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  555. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  556. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  557. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  558. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  559. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  564. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  569. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  570. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  571. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  572. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  573. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  574. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  579. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  583. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  584. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  585. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  587. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  592. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  593. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  594. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  595. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  596. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  597. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  598. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  599. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  602. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  607. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  608. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  609. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  613. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  614. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  615. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  616. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  617. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  618. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  619. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  620. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  621. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  622. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  623. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  624. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  629. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  671. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  713. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  714. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  725. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  736. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  764. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  775. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  786. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  797. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  808. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  819. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  830. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  841. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  861. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  872. package/tests/validate-catalog.py +1 -0
  873. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,116 @@
1
+ # Bundler Chunking APIs
2
+
3
+ Use this reference when prescribing or reviewing chunking configuration for Vite, webpack, or Rollup. Every claim below was confirmed against Context7-indexed official documentation as of this skill's `updated` date; re-verify against the installed bundler major before use — see the Context7 Documentation Protocol in `SKILL.md`.
4
+
5
+ > Version note: bundler chunking surfaces are actively evolving (Vite's Rolldown migration in particular). Verify the installed major version before applying any snippet in this file to a real project.
6
+
7
+ ## What people get wrong
8
+
9
+ The naive story is:
10
+
11
+ > "manualChunks is the Vite way to split vendor code, and that's stable."
12
+
13
+ Wrong, as of Vite 8. Confirmed via Context7 against `/vitejs/vite`'s migration guide: the **object form** of `build.rollupOptions.output.manualChunks` is removed entirely in Vite 8 (Rolldown-powered), and the **function form** is deprecated. Handing a Vite 8+ project the classic object-form snippet produces a config that silently does not apply the intended grouping.
14
+
15
+ ## Vite: manualChunks → codeSplitting
16
+
17
+ **Deprecated / removed (pre-Vite-8 object form — removed in Vite 8):**
18
+
19
+ ```javascript
20
+ // Vite <8, object form — REMOVED in Vite 8
21
+ build: {
22
+ rollupOptions: {
23
+ output: {
24
+ manualChunks: {
25
+ vendor: ['react', 'vue'],
26
+ },
27
+ },
28
+ },
29
+ },
30
+ ```
31
+
32
+ **Deprecated but still functional (function form, pre-Vite-8 and transitional):**
33
+
34
+ ```javascript
35
+ // Still works pre-Vite-8; deprecated, flag as a forward-migration item
36
+ manualChunks(id) {
37
+ if (id.includes('some-heavy-lib')) {
38
+ return 'heavy-lib-chunk'
39
+ }
40
+ },
41
+ ```
42
+
43
+ **Current documented replacement (Vite 8+, Rolldown):**
44
+
45
+ ```javascript
46
+ build: {
47
+ rolldownOptions: {
48
+ output: {
49
+ codeSplitting: {
50
+ groups: [
51
+ { name: 'vendor', test: /[\\/]node_modules[\\/]/ },
52
+ ],
53
+ },
54
+ },
55
+ },
56
+ }
57
+ ```
58
+
59
+ Decision rule: confirm the installed Vite major first.
60
+ - Vite 8+: use `rolldownOptions.output.codeSplitting.groups`. Do not offer the object-form `manualChunks` snippet — it does not apply.
61
+ - Vite <8: function-form `manualChunks(id) {...}` is valid today but is a deprecated pattern; note the future migration to `codeSplitting` as a forward-looking item rather than presenting it as the long-term answer.
62
+
63
+ ## webpack: splitChunks / cacheGroups
64
+
65
+ Confirmed via Context7 against `/websites/webpack_js` guides (caching, printable, code-splitting). This surface is comparatively stable across recent majors, but `chunks` defaults and `cacheGroups` shape still depend on the installed major — confirm before prescribing.
66
+
67
+ **Vendor chunk extraction:**
68
+
69
+ ```javascript
70
+ optimization: {
71
+ runtimeChunk: 'single',
72
+ splitChunks: {
73
+ cacheGroups: {
74
+ vendor: {
75
+ test: /[\\/]node_modules[\\/]/,
76
+ name: 'vendors',
77
+ chunks: 'all',
78
+ },
79
+ },
80
+ },
81
+ },
82
+ ```
83
+
84
+ Notes:
85
+ - `chunks: 'all'` makes both synchronously and dynamically imported modules eligible for the cache group; the webpack default for `optimization.splitChunks.chunks` (when not explicitly set) is `'async'`, which only splits dynamically imported modules. Confirm which behavior the review target actually wants — a review that recommends `cacheGroups` without checking the effective `chunks` mode can silently miss the synchronous-import case.
86
+ - Merging all of `node_modules` into a single `vendors` chunk (as shown) is explicitly called out in webpack's own guidance as not generally recommended for typical apps — it produces a single large chunk that invalidates entirely on any dependency bump. Prefer scoping `cacheGroups` to specific heavy dependencies over a single monolithic vendor bucket unless the project's caching strategy specifically wants long-term vendor-chunk stability at the cost of granularity.
87
+
88
+ **Dynamic import as a split point:**
89
+
90
+ ```javascript
91
+ function onClick() {
92
+ import("./module")
93
+ .then((module) => module.default)
94
+ .catch((err) => {
95
+ console.log("Chunk loading failed")
96
+ })
97
+ }
98
+ ```
99
+
100
+ **Named dynamic-import chunk (magic comment):**
101
+
102
+ ```javascript
103
+ import(
104
+ /* webpackChunkName: "app" */
105
+ "./app.jsx"
106
+ ).then((App) => {
107
+ // ...
108
+ })
109
+ ```
110
+
111
+ Use `webpackChunkName` when the review needs a stable, human-readable chunk name for budget tracking across builds — an unnamed dynamic-import chunk gets a content-hashed name that is harder to track budget deltas against over time.
112
+
113
+ ## Cross-bundler decision rule
114
+
115
+ - Do not present a Rollup, Vite, or webpack chunking snippet as bundler-agnostic; the option names and defaults are not interchangeable, and copying a webpack `cacheGroups` shape into a Vite config (or vice versa) will not work.
116
+ - Every chunking recommendation in a review must state which bundler and which major version it targets, resolved via Context7 for that specific project, not assumed from the most common current pattern in training data.
@@ -0,0 +1,53 @@
1
+ # CI Enforcement and Verification
2
+
3
+ Use this reference for every review to specify the CI-enforced budget mechanism, the verification command, and the adversarial checklist before a size finding can be closed.
4
+
5
+ ## Non-negotiable: no finding closes without a CI-enforced budget
6
+
7
+ A one-time manual fix — splitting a chunk, removing a dependency, adjusting `cacheGroups` — proves the bundle is smaller *today*. It proves nothing about tomorrow's dependency bump, an unreviewed import added six weeks from now, or a well-intentioned refactor that quietly reintroduces the same weight. Require one of the following, tied to the numeric budget established in [Budget methodology](budget-methodology.md), before marking any size finding resolved:
8
+
9
+ - A `bundlesize`-style check (or equivalent size-limit tool) wired into CI that fails the build/PR when a named entry or chunk exceeds its budget.
10
+ - A Lighthouse CI budget (`budgets.json` / `lighthouserc` budget assertions) that fails on `resource-summary` script/stylesheet byte-size thresholds.
11
+ - A bundler-plugin size check (e.g., a Rollup/Vite/webpack plugin that asserts output size at build time) that fails the build rather than just reporting.
12
+
13
+ If none of these exist in the project, state that as an explicit gap in the finding — do not let a review close as "fixed" when the only evidence is a single local `npm run build` byte count with no enforcement wired into CI.
14
+
15
+ ## Verification command
16
+
17
+ State the exact command used to produce the before/after comparison, matching the project's actual tooling rather than assuming a generic one:
18
+
19
+ - `npm run build -- --report` (or the project's equivalent analyzer-invoking build script) to regenerate the analyzer report.
20
+ - For Vite projects, confirm whether `rollup-plugin-visualizer` (or an equivalent) is wired into the build config; if not present, state that as a prerequisite gap before a byte-level review can be evidence-backed rather than estimated.
21
+ - For webpack projects, confirm `webpack-bundle-analyzer` (or the `--json` stats output piped into an equivalent tool) is available.
22
+ - Always compare gzipped (or brotli, matching production `Content-Encoding`) sizes, not raw/parsed sizes, unless the budget was explicitly defined in a different compression form — see [Budget methodology](budget-methodology.md).
23
+
24
+ ## Adversarial checklist
25
+
26
+ Before closing a bundle-size finding, answer these:
27
+
28
+ - Is the budget tied to a percentile and a device/network class, or is it vague ("keep it small")? If vague, it is not a budget yet — fix that first.
29
+ - Is the prescribed bundler chunking API confirmed against the installed major version via Context7, or is it a memorized snippet that might target a removed/deprecated API shape?
30
+ - Does the proposed split reduce byte weight without increasing request count enough to net-negative the change? Was that comparison actually made, or only the byte number?
31
+ - Is a CI-enforced budget check part of the deliverable, or only a one-time manual diff?
32
+ - Was the ranking done by byte size alone, or also by main-thread execution cost? A large but rarely-executed module and a small but hot-path module do not carry equal INP risk.
33
+ - If a dependency was flagged as "too heavy," was a lighter alternative actually identified with a size delta, or was "split it" offered as a substitute for that harder analysis?
34
+ - If a dynamic `import()` specifier is built from any user-controlled input (route param, query string, feature flag value sourced externally), was that flagged as a code-injection risk, not filed only as a performance note?
35
+
36
+ If any of these cannot be answered affirmatively, the finding is not ready to close — say so explicitly rather than presenting a partial analysis as complete.
37
+
38
+ ## When to push back
39
+
40
+ Push back if the user asks for:
41
+
42
+ - a one-time size fix with no request to add or verify a CI budget check — explain why that guarantees regression.
43
+ - inlining a third-party script "to save a request" without acknowledging the CSP/SRI trade-off.
44
+ - splitting every component in a route "to be safe," without a request-count comparison — that is not caution, it is trading one unverified assumption for another.
45
+ - a chunking config copied from a different bundler or an unconfirmed version, because "it's probably still the same API" — that is exactly the failure mode this skill's Context7 protocol exists to prevent.
46
+
47
+ Those are not shortcuts. They convert a measurable problem into an unmeasured one.
48
+
49
+ ## Handoff boundaries
50
+
51
+ - If the root cause is unused exports inside an otherwise-necessary, correctly-split dependency: hand off to `tree-shaking-dead-code-review`.
52
+ - If the user's starting complaint is a vague "it feels slow" with no analyzer report yet and JS weight has not been confirmed as the dominant contributor: hand off to `core-web-vitals-triage` first, then return here once bundle weight is confirmed as the cause.
53
+ - If the fix under discussion is caching strategy for repeat visits rather than first-load byte weight: hand off to `service-worker-cache-strategy-review` (or the closest equivalent asset in scope) rather than stretching this skill's budget framing to cover caching.
@@ -0,0 +1,46 @@
1
+ # Code-Splitting Boundaries
2
+
3
+ Use this reference when deciding where to add route- or component-level splitting, or when diagnosing a duplicated-dependency-across-chunks finding or an over-splitting regression.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "More `import()` calls always make the bundle better."
10
+
11
+ Wrong. Splitting trades parse/execute weight on one chunk for request-count and coordination overhead across chunks. Per web.dev's code-splitting guidance, the goal is to defer weight that is not needed for the current route/interaction — not to fragment the bundle for its own sake. Every additional chunk is an additional request the browser must schedule, and on a constrained connection or a cold cache, that overhead is real and can offset the byte savings the split was meant to deliver.
12
+
13
+ ## Classification per contributor
14
+
15
+ For each large module identified in the analyzer report, classify it into exactly one path:
16
+
17
+ 1. **Needed on the critical path (keep, minimize).** The module is required to render the current route's above-the-fold content or its primary interaction. Do not split it away; instead look for a lighter alternative or confirm it is already tree-shaken (hand off to `tree-shaking-dead-code-review` if unused exports are suspected within an otherwise-necessary dependency).
18
+ 2. **Needed but deferrable (route/component-split candidate).** The module is required somewhere in the app but not on the current route's critical render/interaction path — e.g., a charting library only used on a `/reports` route, a modal's rich-text editor only needed after a user action. Split via dynamic `import()` at the route or component boundary where it is actually invoked.
19
+ 3. **Duplicated across chunks.** The same dependency (or a near-duplicate version) appears in the byte weight of more than one chunk. This is a chunk-grouping configuration defect, not an application-code defect — fix it via the bundler's vendor-chunk / `cacheGroups` / `codeSplitting.groups` configuration (see [Bundler chunking APIs](bundler-chunking-apis.md)), not by rewriting application imports.
20
+ 4. **Heavier than necessary for its purpose.** The dependency itself is oversized relative to what the app uses from it (e.g., importing a full date-utility library for one format call). Recommend a lighter alternative and state the size delta; do not default to "just split it" when the real fix is not depending on the heavy library at all.
21
+
22
+ ## Route-level vs. component-level splitting
23
+
24
+ - **Route-level splitting** is the default first move: split at the router boundary so an entire route's code (including its route-specific dependencies) loads only when that route is navigated to. This is the highest-leverage split because it aligns with actual user navigation and typically yields one request per route transition, not per component.
25
+ - **Component-level splitting** is for a specific heavy component *within* an already-loaded route that is not needed immediately — e.g., a modal, a below-the-fold widget, a rarely-used settings panel. Reach for this only after route-level splitting is exhausted; splitting every individual component inside an already-necessary route multiplies request count without changing what must load before the route is usable.
26
+ - Do not recommend component-level splitting for something the user will interact with immediately on route entry — that just moves the same byte weight into a second network round trip with no benefit, and adds a loading-state flash that can itself become a CLS or perceived-jank complaint (hand off wording/attribution disagreements to `core-web-vitals-triage`).
27
+
28
+ ## Over-splitting: a real regression, not just a missed optimization
29
+
30
+ Before endorsing any new split point, require a request-count comparison alongside the byte comparison:
31
+
32
+ - If a split reduces the shared/critical-path bundle by N KB but adds M new chunks that are each fetched on the same route transition (e.g., several components all lazy-loaded on the same screen, each producing its own round trip), the net effect can be worse: more connection/scheduling overhead, more parse/compile invocations, and a longer time to fully interactive — even though the "critical path" number looks smaller in isolation.
33
+ - HTTP/2+ multiplexing reduces but does not eliminate this cost: each chunk still has its own parse, compile, and module-registration cost on the main thread, which is the more INP-relevant number per `core-web-vitals-triage`'s execution-cost framing.
34
+ - The correct test is: does total time-to-interactive (or the relevant INP-adjacent metric) improve, not just does the critical-path byte number shrink. State this comparison explicitly in the finding; do not accept a smaller entry-chunk number alone as proof of improvement.
35
+
36
+ ## Duplicated dependency across chunks — diagnosis path
37
+
38
+ 1. Confirm via the analyzer report (most bundle-analyzer tools flag this directly, e.g. webpack-bundle-analyzer's treemap showing the same module path under multiple chunk nodes) that the same module resolves into more than one output chunk.
39
+ 2. Check for version skew first — two different semver ranges of the same dependency resolving to two separate copies is an application-level (`package.json`/lockfile) defect, not a chunking-config defect; recommend a dependency dedupe/resolution fix, not a chunking change.
40
+ 3. If it is genuinely one version pulled into multiple chunks because multiple entry points or route chunks each import it, this is the textbook case for a shared vendor chunk (webpack `cacheGroups`) or an equivalent shared-group rule (Vite `codeSplitting.groups`) — see [Bundler chunking APIs](bundler-chunking-apis.md).
41
+
42
+ ## Non-negotiables
43
+
44
+ - Do not recommend a component-level split for anything visible immediately on route entry.
45
+ - Do not endorse a split without the request-count comparison alongside the byte comparison.
46
+ - Do not treat a duplicated-dependency finding as an application-code problem before checking for version skew.
@@ -0,0 +1,75 @@
1
+ ---
2
+ name: core-web-vitals-triage
3
+ description: Decomposes LCP, INP, and CLS regressions into their documented sub-phases using lab and field evidence, and refuses to declare a metric fixed without a field-data or CI-budget verification path.
4
+ allowed-tools: Read Grep Glob Bash(lighthouse:*) WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: operational
10
+ ---
11
+
12
+ # Core Web Vitals Triage
13
+
14
+ ## Purpose
15
+
16
+ Teams routinely shotgun-fix Core Web Vitals: compress an image, preload a font, and split a bundle in the same PR, then declare victory off one green Lighthouse run. That never isolates the actual cause, frequently doesn't move the field percentile Google's page-experience signal and real users actually experience, and burns engineering cycles on the wrong sub-phase. This skill decomposes an LCP, INP, or CLS regression into its documented sub-phases (per web.dev's LCP four-phase model, INP three-phase model, and the W3C Largest Contentful Paint / Event Timing specs), attributes each phase to a concrete verifiable cause, and refuses to close the loop without a field-data or CI-budget verification path — because a single lab run proves nothing about the field percentile that ranking and users actually see.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - diagnose a Core Web Vitals regression (LCP, INP, or CLS) reported by Lighthouse, PageSpeed Insights, CrUX, or Search Console's page-experience report,
23
+ - explain why a page "feels slow" or "feels janky" in terms of a specific, verifiable rendering or interaction sub-phase,
24
+ - reconcile a lab score change with (or without) a corresponding field percentile shift,
25
+ - decide which downstream skill should implement a Core Web Vitals fix (bundle/code-splitting vs. caching vs. server/CDN).
26
+
27
+ ## When NOT to use
28
+
29
+ - Pure server/infra latency tuning with no client-rendering component (TTFB-dominant LCP with no client-side contribution) — hand off to an infra/CDN-focused review; this skill identifies that TTFB is the dominant phase but does not own backend latency remediation.
30
+ - Native mobile app performance — different metric model, not Core Web Vitals.
31
+ - Implementing the fix. This skill diagnoses and specifies the fix, then hands off implementation-class changes to `bundle-budget-code-splitting-review` or `service-worker-cache-strategy-review` (or the closest equivalent asset in scope) — it does not write the fix code itself.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ Framework rendering internals that affect LCP/INP attribution (image loading priority hints, hydration/streaming boundaries, transition scheduling) change between major versions, and memorized behavior goes stale fast. Before attributing a delay to a specific framework mechanism:
36
+
37
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
38
+ 2. Call `mcp__Context7__resolve-library-id` for the framework in scope (e.g. Next.js, React, Vite) before making any claim about its current rendering/loading behavior.
39
+ 3. Call `mcp__Context7__query-docs` for the specific mechanism — e.g. "Image component priority/preload prop", "useTransition / startTransition scheduling", "manualChunks / codeSplitting build output" — before ruling on it. Do this per review; do not reuse a prior session's memory of framework internals.
40
+ 4. Known version-sensitive traps verified via Context7 as of this skill's `updated` date: Next.js deprecated the `<Image priority>` prop in Next.js 16 in favor of `preload` (same LCP-eager-load intent, new prop name — do not tell a Next.js 16+ user to add `priority` without checking their major version first). Vite deprecated the object form of `build.rollupOptions.output.manualChunks` in Vite 8+ in favor of `rolldownOptions.output.codeSplitting` — do not prescribe `manualChunks` config to a Vite 8+ project without verifying the installed version.
41
+ 5. web.dev is the primary source for Core Web Vitals *thresholds* and *phase definitions* and is not currently indexed in Context7; treat threshold/phase-boundary numbers pulled from `official_docs`/`WebFetch` as `documentation-based`, not `Context7-verified`, and say so explicitly.
42
+ 6. If Context7 is unavailable or returns no relevant match, fall back to `official_docs` / `references/*.md` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
43
+ 7. Never invent a framework prop, build-config option, or performance-entry field that no queried source confirms.
44
+
45
+ ## Lean operating rules
46
+
47
+ - Classify the evidence tier before decomposing anything: field RUM data present (CrUX API or `web-vitals` library export) vs. lab-only (Lighthouse/PSI JSON). Cap the verdict ceiling at `lab evidence only` when field data is absent — never phrase a lab-only finding as a field-validated user-experience claim.
48
+ - Decompose LCP into its four documented sub-phases (TTFB, resource-load delay, resource-load duration, render delay) per web.dev — never leave a finding at "LCP is high," always name the dominant phase.
49
+ - Decompose INP into its three documented sub-phases (input delay, processing time, presentation delay) per web.dev — never attribute INP to generic "JS is slow" without naming which phase and which task/handler.
50
+ - Decompose CLS by naming the specific shifting element and its trigger (late-loading web font, unsized image/embed, late-injected content, animation-triggered reflow) — a CLS score alone is not a diagnosis.
51
+ - Distinguish lab CLS (bounded to a single automated load, per Lighthouse) from field CLS (session-long, includes user-triggered layout shifts within 500ms of input, per the field CLS definition) — do not generalize one to the other.
52
+ - Attribute every phase to a concrete, verifiable artifact: a network-waterfall entry, a main-thread long-task entry, or a specific unsized DOM element. Never accept or emit "JS is slow" or "images are heavy" as a terminal diagnosis.
53
+ - State the correct owning skill for any implementation-class fix (bundle/code-splitting for JS-weight causes, service-worker caching for repeat-visit causes) rather than attempting to specify the implementation here.
54
+ - Never declare a metric "fixed" from a single lab run. State the CrUX 28-day rolling-window lag explicitly whenever recommending field-data confirmation.
55
+ - Never recommend removing accessible loading-state semantics (`aria-live`, `role="status"`, visible focus indicators) as a CLS or INP fix — that trades a compliance/usability regression for a metric number.
56
+ - Always account for device class: mobile field data (not desktop lab data) is what page-experience ranking and most real users actually see, per CrUX/web.dev methodology.
57
+
58
+ ## References
59
+
60
+ Load these only when needed:
61
+
62
+ - [LCP phase decomposition](references/lcp-phase-decomposition.md) — use when the regression or complaint is about page-load speed / the largest visible element painting late.
63
+ - [INP phase decomposition](references/inp-phase-decomposition.md) — use when the regression or complaint is about interaction responsiveness / a page "feeling janky."
64
+ - [CLS attribution](references/cls-attribution.md) — use when the regression or complaint is about visible layout jumping/shifting.
65
+ - [Evidence tiers, verification, and handoff](references/evidence-tiers-and-handoff.md) — use for every triage to classify evidence tier, specify the re-verification path, and route implementation-class fixes to the correct owning skill.
66
+
67
+ ## Response minimum
68
+
69
+ Return, at minimum:
70
+
71
+ - per-metric verdict (LCP/INP/CLS as applicable) with its evidence tier (`field evidence` vs. `lab evidence only` vs. `documentation-based` vs. `inference`),
72
+ - the sub-phase decomposition table for each metric in scope,
73
+ - the root-cause attribution per phase, tied to a concrete artifact (waterfall entry, long-task entry, DOM element),
74
+ - the minimal targeted fix per phase and which skill owns implementing it,
75
+ - the exact re-verification command/tool and the field-data confirmation window (CrUX's 28-day rolling window, stated explicitly) before the metric can be declared fixed.
@@ -0,0 +1,33 @@
1
+ {
2
+ "id": "core-web-vitals-triage",
3
+ "name": "Core Web Vitals Triage",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Decomposes LCP, INP, and CLS regressions into their documented web.dev/W3C sub-phases (TTFB/resource-load-delay/resource-load-duration/render-delay for LCP; input-delay/processing-time/presentation-delay for INP; element-level trigger attribution for CLS), grades findings by lab-vs-field evidence tier, and refuses to declare a metric fixed without a field-data or CI-budget verification path, loaded progressively.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://web.dev/articles/vitals",
18
+ "https://web.dev/articles/lcp",
19
+ "https://web.dev/articles/optimize-lcp",
20
+ "https://web.dev/articles/inp",
21
+ "https://web.dev/articles/optimize-inp",
22
+ "https://web.dev/articles/cls",
23
+ "https://web.dev/articles/optimize-cls",
24
+ "https://developer.chrome.com/docs/crux",
25
+ "https://www.w3.org/TR/largest-contentful-paint/",
26
+ "https://www.w3.org/TR/event-timing/"
27
+ ],
28
+ "security_notes": "Do not request production analytics credentials or raw customer session data; accept only sanitized/aggregated field exports (CrUX API responses, exported web-vitals RUM aggregates). Do not recommend removing accessible loading-state semantics (aria-live, role=status, visible focus indicators) as a CLS/INP fix. Do not accept or echo any credential-shaped string found in a pasted trace/config as if it were safe to keep in the transcript.",
29
+ "last_verified": "2026-07-02",
30
+ "path": "skills/frontend/core-web-vitals-triage",
31
+ "author": "github: Raishin",
32
+ "version": "0.1.0"
33
+ }
@@ -0,0 +1,45 @@
1
+ # CLS Attribution
2
+
3
+ Use this reference when the regression or complaint is about visible layout jumping/shifting, a CLS score drop, or a user report that "content jumps while loading."
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "CLS is 0.3, so something isn't sized — check the images."
10
+
11
+ Unsized images are one cause among several, and CLS is a session-level accumulation, not a single-event score. Two different pages can hit the same CLS number for entirely different reasons, and lab CLS (a single automated Lighthouse load) systematically under-reports field CLS (a real session including user-triggered scroll/interaction shifts), because field CLS per web.dev's methodology is a windowed sum across the full page lifetime, not just initial load.
12
+
13
+ ## Lab vs. field CLS — do not conflate them
14
+
15
+ - **Lab CLS** (Lighthouse/PSI): measured over one automated page load with no user interaction. It only captures load-time shifts.
16
+ - **Field CLS** (CrUX / `web-vitals` library): measured over the actual session, using the "maximum session window" methodology (windows of shifts gapped by <1s and spanning <5s, take the largest window) — per web.dev's CLS definition. It can and does include shifts triggered well after load, e.g. late-injected consent banners, lazy-loaded below-the-fold content, or shifts within 500ms of a user interaction (which the spec excludes from counting, but adjacent shifts outside that window still count).
17
+ - If lab CLS is low but field CLS (CrUX) is high, the cause is very likely something that only manifests during real sessions: late third-party script injection, ad-slot resize, or content that loads outside the automated tool's short observation window. Do not tell the user "Lighthouse says it's fine" as if that settles a field CLS complaint.
18
+
19
+ ## Attribution catalog — name the specific trigger
20
+
21
+ For every CLS finding, name the specific shifting element and its trigger category. Do not report a bare CLS number as a diagnosis. Common trigger categories, per web.dev's optimize-CLS guidance:
22
+
23
+ 1. **Unsized media** — images, videos, iframes, or embeds rendered without explicit `width`/`height` attributes or a reserved `aspect-ratio`, so the browser doesn't know the box size until the resource loads. Fix: explicit intrinsic dimensions or CSS `aspect-ratio` on the container.
24
+ 2. **Web-font swap/FOIT-to-FOUT shift** — a fallback font renders at a different metric than the loaded webfont, causing reflow when the real font swaps in. Fix: `font-display` strategy tuned for the situation, and where supported, `size-adjust`/`ascent-override`/`descent-override` font-face descriptors to metric-match the fallback — verify current browser support before prescribing these descriptors as a guaranteed fix.
25
+ 3. **Late-injected content above existing content** — a banner, ad slot, cookie-consent widget, or async-loaded element inserted above content the user is already viewing, pushing everything below it down. Fix: reserve space for the element up front (a placeholder with the known/estimated final size) rather than letting it inject with zero reserved height.
26
+ 4. **Animation-triggered reflow** — CSS animations/transitions that animate layout-affecting properties (`width`, `height`, `top`, `left`, `margin`) instead of compositor-only properties (`transform`, `opacity`). Fix: rewrite the animation to use `transform`/`opacity` so it doesn't trigger layout at all.
27
+ 5. **Dynamically injected/removed DOM nodes tied to loading states** — a skeleton/spinner removed and replaced with real content at a different size. This is the category most likely to overlap with an accessibility loading-state pattern — see the non-negotiable below before touching it.
28
+
29
+ ## Non-negotiable: do not sacrifice accessible loading semantics for a CLS number
30
+
31
+ A loading skeleton or spinner frequently carries `aria-live`, `role="status"`, or manages focus during a load transition. Do not recommend removing these attributes, collapsing the announcement, or eliminating visible focus indicators as a way to "simplify" the DOM and reduce shift count. If the loading-state element itself is the CLS trigger, fix it by reserving its layout space (matching the skeleton's box size to the final content's box size) — not by removing the accessibility semantics that make the loading state perceivable to assistive technology users. A metric win that produces a WCAG regression is not a fix; flag it as a conflict and specify the size-reserving fix instead.
32
+
33
+ ## Root-cause attribution — require an artifact, not an assertion
34
+
35
+ Require one of:
36
+
37
+ - A `LayoutShift` PerformanceObserver entry (per the W3C spec family CLS draws from) identifying the specific `sources` (nodes) and their `previousRect`/`currentRect`.
38
+ - A Lighthouse/PSI "Avoid large layout shifts" audit entry naming the specific DOM node.
39
+ - A DevTools Performance panel layout-shift region correlated to a specific paint frame and the element that moved.
40
+
41
+ If none of these are available, the finding is capped at `inference` and must say so.
42
+
43
+ ## Verification target
44
+
45
+ Re-run the trace and confirm the named element no longer appears in the layout-shift audit / `LayoutShift` entries. For field confirmation, see `references/evidence-tiers-and-handoff.md` — a lab-only CLS fix does not confirm the field CLS percentile improved, especially for triggers (late-injected content, session-long shifts) that lab tooling under-samples by design.
@@ -0,0 +1,57 @@
1
+ # Evidence Tiers, Verification, and Handoff
2
+
3
+ Use this reference for every triage, regardless of which metric (LCP/INP/CLS) is in scope, to classify evidence, specify the re-verification path, and route implementation-class fixes to the correct owning skill.
4
+
5
+ ## Evidence tiers — classify before decomposing anything
6
+
7
+ Label every claim in the output with one of these tiers. Do not let a lab-only trace produce a field-level verdict.
8
+
9
+ 1. **Field evidence** — CrUX API p75 data for the specific origin/URL/device-class, or an aggregated export from a `web-vitals`-library RUM collector covering real user sessions. This is the only tier that can support a "this is what real users experience" verdict.
10
+ 2. **Lab evidence only** — a single Lighthouse/PSI run, a synthetic CI trace, or a local DevTools trace. Useful for sub-phase decomposition and root-cause attribution, but caps the verdict at "reproduced in a synthetic environment" — never phrase it as a confirmed real-user-experience claim.
11
+ 3. **Documentation-based** — a threshold, phase definition, or mechanism claim sourced from web.dev/W3C docs or Context7-queried framework docs, not from a trace the user provided. Correct for grounding definitions; not a substitute for evidence about this specific page.
12
+ 4. **Inference** — a plausible attribution without a cited artifact (waterfall entry, long-task entry, `LayoutShift`/`PerformanceEventTiming` entry). Must be labeled explicitly and should prompt a request for the missing artifact before the finding is treated as actionable.
13
+
14
+ If field data is absent entirely, the ceiling for the whole triage is **lab evidence only** — recommend field instrumentation (the `web-vitals` JS library, or enabling/checking CrUX coverage for the origin) as a first-class next step, not an afterthought.
15
+
16
+ ## Device class matters — do not generalize desktop lab data to mobile field reality
17
+
18
+ CrUX and the page-experience ranking signal are dominated by mobile field data for most origins. A desktop Lighthouse run that looks clean does not confirm the mobile field experience is clean, and the two frequently diverge (different CPU/network throttling profiles, different viewport-driven CLS triggers, different bundle-parse cost on slower mobile CPUs). Always state which device class a lab trace was captured against, and prefer mobile-throttled traces when field data specifically flags mobile.
19
+
20
+ ## CrUX's rolling window — the confirmation lag that must be disclosed
21
+
22
+ CrUX reports a **28-day rolling window** of aggregated field data. This has two direct consequences for any "field-confirmed fixed" claim:
23
+
24
+ - A fix deployed today will not be visible in CrUX's public dataset as a clean, isolated before/after split for up to 28 days, and even then the reported window blends pre- and post-fix days until the older data ages out.
25
+ - Same-day or next-day CrUX checks after a deploy prove nothing about the field impact of that deploy. Do not let a user (or yourself) declare a metric "fixed" from a CrUX check taken within the rolling-window lag of the deploy.
26
+
27
+ If the user wants faster confirmation than CrUX's window allows, the correct answer is same-origin RUM instrumentation (a `web-vitals`-library collector reporting to the user's own analytics pipeline), which can show a near-real-time before/after split — but that requires the user to already have or add that instrumentation; do not assume it exists.
28
+
29
+ ## Handoff table — this skill diagnoses, it does not implement
30
+
31
+ | Dominant cause | Owning skill / next step |
32
+ |---|---|
33
+ | TTFB-dominant LCP | Server/CDN/infra latency review — out of this skill's cluster entirely |
34
+ | JS bundle weight causing resource-load-delay, resource-load-duration, or INP input-delay/processing-time | `bundle-budget-code-splitting-review` (or the closest equivalent asset in the catalog for this provider) |
35
+ | Repeat-visit caching / stale-resource causes | `service-worker-cache-strategy-review` (or the closest equivalent caching-strategy asset in the catalog) |
36
+ | Single-element resource-hint fix (a missed preload/eager-load on the actual LCP element) | Specify directly in this skill's output; it's a targeted attribute change, not a build-pipeline change |
37
+ | Framework-specific rendering/scheduling mechanism (transitions, image-loading props, hydration boundaries) | Verify via Context7 first (see SKILL.md protocol), then specify directly if it's a single-component change; hand off if it implies a broader architectural pattern change |
38
+ | Accessibility-vs-metric conflict (loading-state semantics implicated in a CLS/INP finding) | Do not resolve by stripping accessibility semantics; specify the size/scheduling fix that preserves them, and flag the conflict explicitly |
39
+
40
+ Do not reinvent bundle-splitting or caching-strategy guidance inside this skill — name the dominant cause, cite the artifact, and route to the owning skill so the fix is specified once, correctly, in the asset that owns it.
41
+
42
+ ## Adversarial checklist — answer before closing a triage
43
+
44
+ - Is every sub-phase attribution backed by a cited waterfall/long-task/`LayoutShift`/`PerformanceEventTiming` entry, or is it asserted?
45
+ - Is the evidence tier for the overall verdict correctly capped (lab-only claims never phrased as field-confirmed)?
46
+ - Is the device class of every lab trace stated, and does it match the device class the field complaint (if any) refers to?
47
+ - Is the CrUX 28-day lag disclosed if field re-confirmation is part of the recommended next step?
48
+ - Is the fix routed to the correct owning skill instead of being reinvented here?
49
+ - Does any proposed fix remove or weaken an accessible loading-state semantic? If so, it must be flagged as a conflict, not silently accepted.
50
+ - Would declaring this metric "fixed" right now be true, or just true-in-the-lab?
51
+
52
+ ## Common failure modes to actively guard against
53
+
54
+ - Shotgunning multiple simultaneous changes (image compression + font preload + code-splitting in one PR) so the actual causal phase is never isolated — insist on isolating the dominant phase before recommending a bundle of fixes, or at minimum flag that a bundled fix will make attribution of the eventual field-data improvement ambiguous.
55
+ - Treating a single lab run, in either direction, as proof of anything about the field percentile.
56
+ - Generalizing desktop lab data to a mobile field complaint, or vice versa.
57
+ - Declaring victory the day after deploy based on a CrUX check that is still inside the 28-day blended window.
@@ -0,0 +1,49 @@
1
+ # INP Phase Decomposition
2
+
3
+ Use this reference when the regression or complaint is about interaction responsiveness — a page "feels laggy," a PSI/CrUX INP score drop, or a Search Console page-experience INP warning.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "INP is high, so the JavaScript bundle is too big — code-split it."
10
+
11
+ Sometimes true, usually incomplete. INP measures the full latency of the interaction that produced the worst (or a high-percentile) responsiveness value in a session, per the W3C Event Timing spec. Bundle size affects one of three sub-phases; the other two are frequently the actual bottleneck and a bundle-size fix does nothing for them.
12
+
13
+ ## The three documented sub-phases
14
+
15
+ Per web.dev's INP guidance, decompose the flagged interaction into:
16
+
17
+ 1. **Input delay** — from the user's physical input (click/tap/keypress) to the start of the event handler(s) processing it. Grown by: the main thread being busy with an unrelated task (a long task from a timer, a fetch-then-render cycle, a third-party script) when the input arrives.
18
+ 2. **Processing time** — the actual execution time of the event handler(s) triggered by the input, including any synchronous work chained inside it (state updates, synchronous re-renders, layout-triggering DOM reads/writes).
19
+ 3. **Presentation delay** — from processing completion to the next frame actually being presented, including style/layout/paint work and any work the browser defers to the next task (e.g. `requestAnimationFrame` callbacks).
20
+
21
+ Every INP finding in this skill's output must name which of these three phases is dominant, tied to a specific long-task or event-handler entry — not just restate the total INP number.
22
+
23
+ ## Framework-specific attribution — verify via Context7, do not assume
24
+
25
+ Resolve the framework via Context7 (see SKILL.md's Context7 Documentation Protocol) before attributing processing-time cost to a specific rendering mechanism. Confirmed via Context7 against `/reactjs/react.dev`:
26
+
27
+ - React's `useTransition`/`startTransition` exists specifically to move non-urgent state updates off the synchronous, blocking render path so urgent updates (the actual click/keypress response) aren't queued behind them — per React's own framing, transitions "will be interrupted if more urgent updates like clicks or key presses come in." If processing-time is dominated by a large synchronous re-render triggered by an interaction, and part of that re-render is not required to satisfy the immediate visual feedback (e.g. re-rendering a large list after a filter change), that is the documented mechanism to reach for — verify the installed React major supports it (React 18+) before recommending it.
28
+ - Do not claim a synchronous `setState` inside an event handler is inherently the INP cause without a long-task/processing-time artifact — React batches many such updates, and the actual cost may be in downstream layout/paint work (presentation delay), not the state update itself.
29
+ - For any other framework in scope (Vue, Svelte, Angular), do not assume an analogous "transition" primitive exists or behaves the same way — query Context7 for that framework's current concurrency/scheduling primitives before recommending one.
30
+
31
+ ## Root-cause attribution — require an artifact, not an assertion
32
+
33
+ For each phase you name as dominant, require one of:
34
+
35
+ - A `PerformanceEventTiming` entry (per the W3C Event Timing spec: `processingStart`, `processingEnd`, `startTime`, `duration`) from field RUM instrumentation (the `web-vitals` library's INP attribution build, or equivalent).
36
+ - A long-task entry (`PerformanceLongTaskTiming`) overlapping the input-delay or presentation-delay window, showing what else the main thread was doing.
37
+ - A DevTools/Lighthouse trace showing the specific event handler's call stack and duration.
38
+
39
+ If none of these are available, the finding is capped at `inference` and must say so.
40
+
41
+ ## Minimal targeted fix per phase (and who owns it)
42
+
43
+ - **Input-delay-dominant** → identify and break up or defer the unrelated main-thread work that was running when input arrived (a competing long task, an eagerly-executing third-party script, an unbatched synchronous fetch handler). If the cause is JS parse/execution weight from the initial bundle, hand off to `bundle-budget-code-splitting-review`.
44
+ - **Processing-time-dominant** → reduce the synchronous work inside the handler itself: defer non-urgent state updates (verify current framework primitive via Context7), memoize expensive derived computation, move genuinely heavy computation off the main thread (a Web Worker) rather than accepting it as unavoidable.
45
+ - **Presentation-delay-dominant** → reduce layout/paint cost triggered by the update (avoid forced synchronous layout / layout thrashing, reduce the DOM subtree size affected by the update, check for expensive CSS selectors or filters/shadows recalculated on every frame).
46
+
47
+ ## Verification target
48
+
49
+ Re-run field-representative interaction traces (Lighthouse's user-flow / timespan mode against the specific interaction, or a `web-vitals` INP attribution build in a staging RUM collector) and diff the three-phase breakdown against the pre-regression trace, not just the top-line INP number. See `references/evidence-tiers-and-handoff.md` for the field-data confirmation window before declaring the metric fixed.
@@ -0,0 +1,51 @@
1
+ # LCP Phase Decomposition
2
+
3
+ Use this reference when the regression or complaint is about page-load speed, a Lighthouse/PSI LCP score drop, or a CrUX LCP p75 shift.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "LCP went from 2.3s to 3.8s, so the page got slower — compress the images."
10
+
11
+ Wrong, or at least unverified. LCP is not one number produced by one cause. web.dev decomposes it into four sequential sub-phases, and the correct fix depends entirely on which phase grew. Compressing an image only helps if resource-load-duration is the dominant phase; if the regression is actually render-delay because the image is being lazy-loaded instead of eager-loaded, compression does nothing.
12
+
13
+ ## The four documented sub-phases
14
+
15
+ Per web.dev's LCP guidance, decompose the LCP element's timeline into:
16
+
17
+ 1. **Time to First Byte (TTFB)** — from navigation start to the first byte of the document response. Server/CDN/redirect-chain territory, not a client-rendering fix.
18
+ 2. **Resource load delay** — from TTFB to when the browser starts loading the LCP resource (e.g. the hero image). Grown by: the resource being discovered late (not in the initial HTML, injected by JS, behind a render-blocking script), missing `fetchpriority="high"`/preload hints, or a redirect chain on the resource URL itself.
19
+ 3. **Resource load duration** — the time actually spent downloading the LCP resource. Grown by: resource size, missing compression/modern format, slow origin, lack of CDN, render-blocking requests competing for bandwidth/connections ahead of it.
20
+ 4. **Render delay** — from resource load complete to the element actually painting. Grown by: main-thread blocking (long tasks, large JS execution, web-font blocking text render), CSS/layout work queued ahead of the paint.
21
+
22
+ Every LCP finding in this skill's output must name which of these four phases is dominant, with a waterfall-entry citation, not just restate the total LCP number.
23
+
24
+ ## Framework-specific attribution — verify via Context7, do not assume
25
+
26
+ Do not attribute an LCP delay to a framework mechanism from memory. Resolve the framework via Context7 and query current docs first (see SKILL.md's Context7 Documentation Protocol). Known traps as of this skill's `updated` date, confirmed via Context7 against `/vercel/next.js`:
27
+
28
+ - **Next.js `<Image>` eager-load prop is version-sensitive.** As of Next.js 16, the `priority` prop is deprecated in favor of `preload` (same intent — insert a `<link>` preload and skip lazy-loading for the LCP candidate — new prop name). Telling a Next.js 16+ user to add `priority={true}` is stale guidance; verify the installed Next.js major first, then recommend `preload` (16+) or `priority` (pre-16) accordingly. Either way: the LCP image must not be lazy-loaded by default (`loading="lazy"` is the `next/image` default) — that alone is a common render-delay root cause when the hero image regresses after an unrelated refactor accidentally drops the eager-load prop.
29
+ - **Do not assume `fetchpriority="high"` alone fixes resource-load-delay** if the resource is still discovered late (e.g. only referenced inside a client-side-rendered component that itself waits on hydration). Preload hints only help resources the browser can discover early; a resource injected after JS execution still incurs discovery delay regardless of priority hints.
30
+ - For non-Next.js stacks (Vite-based React/Vue/Svelte apps), verify current `vite-imagetools` / native `<img fetchpriority>` support against the installed Vite major via Context7 (`/vitejs/vite`) rather than assuming a plugin API that may have moved between majors.
31
+
32
+ ## Root-cause attribution — require an artifact, not an assertion
33
+
34
+ For each phase you name as dominant, require one of:
35
+
36
+ - A network-waterfall entry (from the Lighthouse/PSI JSON `resourceSummary`/`network-requests` audit, or a browser DevTools export) showing the specific request's start/end offsets.
37
+ - A `LargestContentfulPaint` PerformanceObserver entry (`element`, `url`, `renderTime`, `loadTime`) per the W3C Largest Contentful Paint spec, if the user has instrumented field RUM.
38
+ - For render-delay specifically: a long-task entry (`PerformanceLongTaskTiming`) overlapping the window between resource-load-complete and `renderTime`.
39
+
40
+ If none of these are available, the finding is capped at `inference` and must say so — do not present a phase attribution as verified without a cited artifact.
41
+
42
+ ## Minimal targeted fix per phase (and who owns it)
43
+
44
+ - **TTFB-dominant** → out of this skill's scope; hand off to server/CDN/infra review (redirect-chain removal, CDN edge caching, server response-time reduction). Do not prescribe a client-side fix for a TTFB problem.
45
+ - **Resource-load-delay-dominant** → eager-load / preload the correct hint for the actual LCP element (verify current framework prop via Context7 first), remove render-blocking requests ahead of discovery, eliminate resource redirect chains. Implementation of a broader preload/resource-hint strategy across a route is `bundle-budget-code-splitting-review`'s territory if it touches build output; a single-element preload hint can be specified directly here.
46
+ - **Resource-load-duration-dominant** → image/video compression, modern format (AVIF/WebP), responsive `sizes`/`srcset`, CDN/origin latency — hand off bundle-weight-class changes to `bundle-budget-code-splitting-review`.
47
+ - **Render-delay-dominant** → identify and reduce the specific long task or web-font-blocking render ahead of the LCP paint; if the cause is JS bundle weight/parse time, hand off to `bundle-budget-code-splitting-review`.
48
+
49
+ ## Verification target
50
+
51
+ Re-run the trace (Lighthouse CI or PSI API) against the same route/device-class combination and diff the four-phase breakdown, not just the top-line LCP number, against the pre-regression trace. See `references/evidence-tiers-and-handoff.md` for the field-data confirmation window before declaring the metric fixed.