@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (873) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15389 -12589
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +3 -2
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/generate-docs-data.mjs +1 -0
  333. package/scripts/generate-kiro-powers.mjs +12 -0
  334. package/scripts/update-catalog-new-agents.py +6 -1
  335. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  336. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  340. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  341. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  342. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  344. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  345. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  346. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  348. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  353. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  354. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  355. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  356. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  357. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  358. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  359. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  360. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  361. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  362. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  363. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  368. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  374. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  375. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  376. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  377. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  378. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  379. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  380. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  381. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  382. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  383. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  384. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  385. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  386. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  387. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  390. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  391. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  392. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  393. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  394. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  395. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  396. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  399. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  404. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  405. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  406. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  407. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  408. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  409. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  410. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  411. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  413. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  414. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  415. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  418. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  419. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  420. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  422. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  423. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  424. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  425. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  426. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  427. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  434. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  439. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  443. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  444. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  445. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  446. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  447. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  448. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  449. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  454. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  459. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  460. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  461. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  463. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  464. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  465. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  469. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  470. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  471. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  472. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  473. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  474. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  475. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  476. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  479. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  484. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  485. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  486. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  489. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  494. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  495. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  496. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  498. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  499. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  500. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  503. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  507. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  512. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  513. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  514. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  515. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  516. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  517. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  523. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  524. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  525. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  528. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  529. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  530. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  534. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  535. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  536. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  539. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  540. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  541. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  542. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  543. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  548. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  549. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  550. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  551. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  552. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  553. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  554. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  555. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  556. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  557. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  558. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  559. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  564. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  569. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  570. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  571. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  572. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  573. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  574. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  579. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  583. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  584. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  585. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  587. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  592. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  593. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  594. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  595. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  596. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  597. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  598. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  599. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  602. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  607. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  608. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  609. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  613. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  614. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  615. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  616. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  617. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  618. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  619. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  620. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  621. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  622. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  623. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  624. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  629. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  671. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  713. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  714. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  725. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  736. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  764. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  775. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  786. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  797. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  808. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  819. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  830. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  841. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  861. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  872. package/tests/validate-catalog.py +1 -0
  873. package/tests/validate-frontend-security-detection.py +209 -0
@@ -1,4 +1,35 @@
1
1
  [
2
+ {
3
+ "id": "accessibility-wcag-agent",
4
+ "name": "Accessibility (WCAG 2.2) Agent",
5
+ "type": "agent",
6
+ "provider": "frontend",
7
+ "harnesses": [
8
+ "codex",
9
+ "copilot",
10
+ "claude-code",
11
+ "cursor",
12
+ "gemini",
13
+ "kiro"
14
+ ],
15
+ "summary": "Static-review agent auditing frontend markup, components, and design-system primitives against WCAG 2.2 A/AA success criteria and ARIA APG patterns, distinguishing automated-detectable failures from manual-judgment checks and quantifying legal/conversion risk.",
16
+ "source_type": "adapted",
17
+ "official_docs": [
18
+ "https://www.w3.org/TR/WCAG22/",
19
+ "https://www.w3.org/WAI/WCAG22/quickref/",
20
+ "https://www.w3.org/WAI/ARIA/apg/",
21
+ "https://www.w3.org/TR/wai-aria-1.2/",
22
+ "https://developer.mozilla.org/en-US/docs/Web/Accessibility",
23
+ "https://www.w3.org/WAI/standards-guidelines/act/rules/",
24
+ "https://www.ada.gov/resources/web-guidance/",
25
+ "https://www.section508.gov/"
26
+ ],
27
+ "security_notes": "Read-only static review only; never executes browser automation with write access or installs browser extensions. Redact any PII (names, emails, form data) surfaced in audited fixtures before including in reports. Automated tooling (axe-core-class rules) covers roughly 30-50% of WCAG failures per documented axe-core coverage claims; never represent automated-only results as full conformance.",
28
+ "last_verified": "2026-07-02",
29
+ "path": "agents/frontend/accessibility-wcag-agent",
30
+ "version": "0.1.0",
31
+ "companion_skills": []
32
+ },
2
33
  {
3
34
  "id": "accounting-business-combinations-advisor-agent",
4
35
  "name": "Accounting Business Combinations Advisor",
@@ -469,6 +500,36 @@
469
500
  "author": "github: Raishin",
470
501
  "version": "0.1.0"
471
502
  },
503
+ {
504
+ "id": "ai-assisted-frontend-review-agent",
505
+ "name": "AI-Assisted Frontend Code Review",
506
+ "type": "agent",
507
+ "provider": "frontend",
508
+ "harnesses": [
509
+ "codex",
510
+ "copilot",
511
+ "claude-code",
512
+ "cursor",
513
+ "gemini",
514
+ "kiro"
515
+ ],
516
+ "summary": "Applies an elevated, adversarial review bar specifically to AI/LLM-generated frontend code (components, hooks, API-calling glue, config) to catch the failure patterns unique to generated code: plausible-looking but insecure patterns, hallucinated APIs, missing accessibility semantics, and unverified framework-version claims.",
517
+ "source_type": "adapted",
518
+ "official_docs": [
519
+ "https://owasp.org/www-project-top-10-for-large-language-model-applications/",
520
+ "https://owasp.org/www-project-top-ten/",
521
+ "https://www.w3.org/WAI/ARIA/apg/",
522
+ "https://react.dev/reference/rules",
523
+ "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html"
524
+ ],
525
+ "security_notes": "Treat every AI-generated code suggestion as untrusted input until verified: check for hallucinated package names (typosquat/slopsquat risk), fabricated APIs that happen to compile against a permissive type, unsafe DOM sinks (innerHTML/dangerouslySetInnerHTML) introduced without sanitization, and hardcoded secrets the generator may have echoed from training data or context. This agent is static-review only — it flags risk, it does not auto-merge or auto-fix without human review of the diff.",
526
+ "last_verified": "2026-07-02",
527
+ "path": "agents/frontend/ai-assisted-frontend-review-agent",
528
+ "version": "0.1.0",
529
+ "companion_skills": [
530
+ "ai-generated-frontend-code-review"
531
+ ]
532
+ },
472
533
  {
473
534
  "id": "alibaba-ack-container-platform-operator-agent",
474
535
  "name": "Alibaba Cloud ACK Container Platform Operator",
@@ -1769,6 +1830,67 @@
1769
1830
  "author": "github: Raishin",
1770
1831
  "version": "0.1.0"
1771
1832
  },
1833
+ {
1834
+ "id": "angular-specialist-agent",
1835
+ "name": "Angular Specialist",
1836
+ "type": "agent",
1837
+ "provider": "frontend",
1838
+ "harnesses": [
1839
+ "codex",
1840
+ "copilot",
1841
+ "claude-code",
1842
+ "cursor",
1843
+ "gemini",
1844
+ "kiro"
1845
+ ],
1846
+ "summary": "Static-review agent for Angular Signals-based architecture, change-detection strategy, and SSR/hydration correctness.",
1847
+ "source_type": "adapted",
1848
+ "official_docs": [
1849
+ "https://angular.dev/guide/signals",
1850
+ "https://angular.dev/guide/hydration",
1851
+ "https://angular.dev/errors/NG0500",
1852
+ "https://angular.dev/api/platform-browser/provideClientHydration",
1853
+ "https://angular.dev/guide/components/change-detection",
1854
+ "https://www.w3.org/WAI/WCAG22/quickref/"
1855
+ ],
1856
+ "security_notes": "Flag direct DOM manipulation (nativeElement, document.createElement/insertBefore) inside components that also participate in SSR/hydration — this is both a hydration-correctness and an XSS-adjacent risk when combined with unsanitized string interpolation into innerHTML. Flag bypassSecurityTrust* usage without a documented, reviewed justification.",
1857
+ "last_verified": "2026-07-02",
1858
+ "path": "agents/frontend/angular-specialist-agent",
1859
+ "version": "0.1.0",
1860
+ "companion_skills": [
1861
+ "angular-architecture-signals-review",
1862
+ "angular-ssr-hydration-review"
1863
+ ]
1864
+ },
1865
+ {
1866
+ "id": "api-integration-bff-agent",
1867
+ "name": "API Integration & BFF Boundary",
1868
+ "type": "agent",
1869
+ "provider": "frontend",
1870
+ "harnesses": [
1871
+ "codex",
1872
+ "copilot",
1873
+ "claude-code",
1874
+ "cursor",
1875
+ "gemini",
1876
+ "kiro"
1877
+ ],
1878
+ "summary": "Designs and reviews the contract, ownership, and trust boundary between frontend clients and backend/BFF layers to prevent over-fetching, leaked backend implementation details, and unenforced authorization at the edge.",
1879
+ "source_type": "adapted",
1880
+ "official_docs": [
1881
+ "https://nextjs.org/docs/app/building-your-application/routing/route-handlers",
1882
+ "https://nextjs.org/docs/app/building-your-application/caching",
1883
+ "https://tanstack.com/query/latest/docs/framework/react/guides/query-keys",
1884
+ "https://owasp.org/www-project-api-security/",
1885
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS",
1886
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"
1887
+ ],
1888
+ "security_notes": "The BFF/route-handler layer is the trust boundary: it must re-validate authorization on every request (never trust a client-supplied role/claim without server-side session verification), must not forward raw upstream error bodies (which can leak stack traces/internal hostnames) to the client, and must enforce output shaping so the client only ever receives fields it is authorized to see (no 'fetch everything, filter in the UI'). CORS policy must be an explicit allowlist, never a wildcard combined with credentialed requests. Treat this boundary as the primary place to prevent OWASP API Security Top 10 issues (BOLA/broken object-level authorization, excessive data exposure) from reaching the client.",
1889
+ "last_verified": "2026-07-02",
1890
+ "path": "agents/frontend/api-integration-bff-agent",
1891
+ "version": "0.1.0",
1892
+ "companion_skills": []
1893
+ },
1772
1894
  {
1773
1895
  "id": "argo-rollouts-progressive-delivery-review-agent",
1774
1896
  "name": "Argo Rollouts Progressive Delivery Review",
@@ -4264,6 +4386,66 @@
4264
4386
  "version": "0.1.0",
4265
4387
  "companion_skills": null
4266
4388
  },
4389
+ {
4390
+ "id": "browser-compatibility-agent",
4391
+ "name": "Browser Compatibility",
4392
+ "type": "agent",
4393
+ "provider": "frontend",
4394
+ "harnesses": [
4395
+ "codex",
4396
+ "copilot",
4397
+ "claude-code",
4398
+ "cursor",
4399
+ "gemini",
4400
+ "kiro"
4401
+ ],
4402
+ "summary": "Static-review agent that checks used web-platform features against the org's actual supported-browser matrix using Baseline/caniuse data, flagging unguarded non-Baseline usage and verifying graceful-degradation/polyfill strategy.",
4403
+ "source_type": "adapted",
4404
+ "official_docs": [
4405
+ "https://web-platform-dx.github.io/web-features/",
4406
+ "https://web.dev/baseline",
4407
+ "https://caniuse.com/",
4408
+ "https://html.spec.whatwg.org/multipage/",
4409
+ "https://developer.mozilla.org/en-US/docs/Web/API",
4410
+ "https://www.w3.org/TR/CSS/",
4411
+ "https://github.com/browserslist/browserslist"
4412
+ ],
4413
+ "security_notes": "Static review only; does not execute code in real browsers/BrowserStack-class services with write access, and does not recommend disabling security-relevant browser defaults (e.g., mixed-content blocking, SameSite defaults) as a compatibility workaround.",
4414
+ "last_verified": "2026-07-02",
4415
+ "path": "agents/frontend/browser-compatibility-agent",
4416
+ "version": "0.1.0",
4417
+ "companion_skills": []
4418
+ },
4419
+ {
4420
+ "id": "build-tooling-bundling-agent",
4421
+ "name": "Build Tooling & Bundling",
4422
+ "type": "agent",
4423
+ "provider": "frontend",
4424
+ "harnesses": [
4425
+ "codex",
4426
+ "copilot",
4427
+ "claude-code",
4428
+ "cursor",
4429
+ "gemini",
4430
+ "kiro"
4431
+ ],
4432
+ "summary": "Reviews Vite/Webpack/Rollup build configuration, code-splitting strategy, and bundle-size budgets to stop duplicate dependencies, unsplit vendor chunks, and undetected bloat from degrading load performance.",
4433
+ "source_type": "adapted",
4434
+ "official_docs": [
4435
+ "https://vite.dev/guide/build.html",
4436
+ "https://vite.dev/guide/migration.html",
4437
+ "https://webpack.js.org/guides/code-splitting/",
4438
+ "https://webpack.js.org/plugins/split-chunks-plugin/",
4439
+ "https://web.dev/articles/reduce-javascript-payloads-with-code-splitting"
4440
+ ],
4441
+ "security_notes": "Bundle analysis must not exfiltrate source maps or environment-embedded secrets (e.g., accidentally inlined .env values via import.meta.env misuse) to third-party bundle-analyzer SaaS without review. Treat any dependency pulled in via a postinstall/prepare script as a supply-chain risk requiring extra scrutiny before it's allowed to affect the production bundle.",
4442
+ "last_verified": "2026-07-02",
4443
+ "path": "agents/frontend/build-tooling-bundling-agent",
4444
+ "version": "0.1.0",
4445
+ "companion_skills": [
4446
+ "build-tooling-vite-webpack-review"
4447
+ ]
4448
+ },
4267
4449
  {
4268
4450
  "id": "cert-manager-issuer-trust-review-agent",
4269
4451
  "name": "cert-manager Issuer Trust Review",
@@ -4633,6 +4815,37 @@
4633
4815
  "path": "agents/microsoft/copilot-studio-agent-governance-alm-agent",
4634
4816
  "version": "0.1.0"
4635
4817
  },
4818
+ {
4819
+ "id": "css-architecture-agent",
4820
+ "name": "CSS Architecture & Design Systems",
4821
+ "type": "agent",
4822
+ "provider": "frontend",
4823
+ "harnesses": [
4824
+ "codex",
4825
+ "copilot",
4826
+ "claude-code",
4827
+ "cursor",
4828
+ "gemini",
4829
+ "kiro"
4830
+ ],
4831
+ "summary": "Reviews CSS specificity, cascade-layer strategy, custom-property/design-token architecture, and responsive/container-query patterns for maintainability and design-system consistency, preventing specificity wars and token drift across large component libraries.",
4832
+ "source_type": "adapted",
4833
+ "official_docs": [
4834
+ "https://developer.mozilla.org/en-US/docs/Web/CSS",
4835
+ "https://www.w3.org/TR/css-cascade-5/",
4836
+ "https://www.w3.org/TR/css-variables-1/",
4837
+ "https://www.w3.org/TR/css-contain-3/",
4838
+ "https://web.dev/learn/css/",
4839
+ "https://www.w3.org/TR/WCAG22/#visual-presentation",
4840
+ "https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_cascade/Cascade_layers",
4841
+ "https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_containment/Container_queries"
4842
+ ],
4843
+ "security_notes": "Flag any CSS that exfiltrates data via attribute selectors against user-controlled values combined with background-image/url() network requests (a known CSS-based data-exfiltration and history-sniffing vector). Flag user-select: none or CSS-only patterns used to fake security controls (e.g., hiding a 'disabled' delete button with CSS instead of removing server-side authorization) — CSS is presentation-layer only and must never be treated as an access-control boundary. Do not approve @import of third-party stylesheets without SRI/CSP style-src consideration.",
4844
+ "last_verified": "2026-07-02",
4845
+ "path": "agents/frontend/css-architecture-agent",
4846
+ "version": "0.1.0",
4847
+ "companion_skills": []
4848
+ },
4636
4849
  {
4637
4850
  "id": "d365-commerce-agent",
4638
4851
  "name": "D365 Commerce",
@@ -5152,6 +5365,36 @@
5152
5365
  "path": "agents/databricks/databricks-unity-catalog-governance-at-azure-agent",
5153
5366
  "version": "0.1.0"
5154
5367
  },
5368
+ {
5369
+ "id": "design-systems-governance-agent",
5370
+ "name": "Design Systems Governance Agent",
5371
+ "type": "agent",
5372
+ "provider": "frontend",
5373
+ "harnesses": [
5374
+ "codex",
5375
+ "copilot",
5376
+ "claude-code",
5377
+ "cursor",
5378
+ "gemini",
5379
+ "kiro"
5380
+ ],
5381
+ "summary": "Reviews design-token pipelines and component-library governance (token source of truth, Style Dictionary/Tokens Studio transforms, contrast and theming guarantees) to stop hardcoded values and token drift from breaking theming, dark mode, and WCAG contrast compliance.",
5382
+ "source_type": "adapted",
5383
+ "official_docs": [
5384
+ "https://www.w3.org/community/design-tokens/",
5385
+ "https://www.w3.org/TR/WCAG21/#contrast-minimum",
5386
+ "https://www.w3.org/TR/WCAG21/#non-text-contrast",
5387
+ "https://storybook.js.org/docs/writing-tests/accessibility-testing",
5388
+ "https://amzn.github.io/style-dictionary/#/"
5389
+ ],
5390
+ "security_notes": "Design-token build pipelines that pull from an external CMS/Figma API must not embed long-lived personal access tokens in committed config; require scoped, rotatable tokens in CI secrets only. Treat any token pipeline that writes generated files back into source control unreviewed (no PR diff visibility) as a supply-chain integrity gap. Static/read-only review only; never runs the token build pipeline and never sends discovered credentials anywhere.",
5391
+ "last_verified": "2026-07-02",
5392
+ "path": "agents/frontend/design-systems-governance-agent",
5393
+ "version": "0.1.0",
5394
+ "companion_skills": [
5395
+ "design-token-governance-review"
5396
+ ]
5397
+ },
5155
5398
  {
5156
5399
  "id": "dotnet-aspire-cloud-native-review-agent",
5157
5400
  "name": ".NET Aspire Cloud-Native Review Agent",
@@ -5486,6 +5729,36 @@
5486
5729
  "author": "github: Raishin",
5487
5730
  "version": "0.1.0"
5488
5731
  },
5732
+ {
5733
+ "id": "enterprise-red-team-review-agent",
5734
+ "name": "Enterprise Red Team Review",
5735
+ "type": "agent",
5736
+ "provider": "frontend",
5737
+ "harnesses": [
5738
+ "codex",
5739
+ "copilot",
5740
+ "claude-code",
5741
+ "cursor",
5742
+ "gemini",
5743
+ "kiro"
5744
+ ],
5745
+ "summary": "Adversarial second-pass reviewer that actively tries to break Tier-1 specialist verdicts on security, accessibility, performance, and AI-generated frontend code before a change can reach the Board Chair, enforcing the security and a11y HARD gates.",
5746
+ "source_type": "adapted",
5747
+ "official_docs": [
5748
+ "https://owasp.org/www-project-top-ten/",
5749
+ "https://owasp.org/www-project-application-security-verification-standard/",
5750
+ "https://www.w3.org/WAI/WCAG22/quickref/",
5751
+ "https://www.w3.org/WAI/ARIA/apg/",
5752
+ "https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP"
5753
+ ],
5754
+ "security_notes": "This agent's entire purpose is adversarial verification, so it must itself never execute exploit code, submit real payloads against live/production systems, or perform any mutating action - all adversarial analysis is static (code/config reading) or against sandboxed/staged evidence explicitly provided by the user. It must never accept a specialist's or the requester's claim that a finding is 'already mitigated' without repo or live evidence; unverifiable mitigation claims are treated as unresolved findings. It must not generate or suggest working exploit payloads beyond what is needed to demonstrate a finding to the Board Chair.",
5755
+ "last_verified": "2026-07-02",
5756
+ "path": "agents/frontend/enterprise-red-team-review-agent",
5757
+ "version": "0.1.0",
5758
+ "companion_skills": [
5759
+ "enterprise-red-team-review"
5760
+ ]
5761
+ },
5489
5762
  {
5490
5763
  "id": "eu-ai-act-marketing-system-review-agent",
5491
5764
  "name": "EU AI Act Marketing System Review Agent",
@@ -6084,10 +6357,10 @@
6084
6357
  "companion_skills": null
6085
6358
  },
6086
6359
  {
6087
- "id": "gcp-alloydb-ai-developer-agent",
6088
- "name": "GCP AlloyDB AI Developer",
6360
+ "id": "frontend-board-chair-agent",
6361
+ "name": "Frontend Board Chair",
6089
6362
  "type": "agent",
6090
- "provider": "gcp",
6363
+ "provider": "frontend",
6091
6364
  "harnesses": [
6092
6365
  "codex",
6093
6366
  "copilot",
@@ -6096,27 +6369,28 @@
6096
6369
  "gemini",
6097
6370
  "kiro"
6098
6371
  ],
6099
- "summary": "Design and build AI-powered applications on AlloyDB for PostgreSQL using vector search, hybrid search, AI SQL functions, model endpoint management, and the AlloyDB Omni edge runtime.",
6100
- "companion_skills": [
6101
- "gcp-alloydb-ai-developer"
6102
- ],
6372
+ "summary": "Final governance authority for the frontend review board: sequences specialist reviews per workflow type, resolves conflicting verdicts under hard-gate rules, and issues binding approve/conditional-approve/reject decisions with a full evidence trail and handoff record.",
6103
6373
  "source_type": "original",
6104
6374
  "official_docs": [
6105
- "https://cloud.google.com/alloydb/docs/ai/overview",
6106
- "https://cloud.google.com/alloydb/docs/ai/vector-embeddings",
6107
- "https://cloud.google.com/alloydb/docs/omni/overview"
6375
+ "https://react.dev/reference/react/Component#static-getderivedstatefromerror",
6376
+ "https://nextjs.org/docs/app/getting-started/error-handling",
6377
+ "https://www.w3.org/WAI/WCAG22/quickref/",
6378
+ "https://owasp.org/www-project-application-security-verification-standard/",
6379
+ "https://web.dev/articles/vitals"
6108
6380
  ],
6109
- "security_notes": "Read-only planning and advisory. Do not modify production AlloyDB schemas, model endpoint registrations, or IAM bindings without explicit approval.",
6110
- "last_verified": "2026-05-09",
6111
- "path": "agents/gcp/gcp-alloydb-ai-developer-agent",
6112
- "author": "github: Raishin",
6113
- "version": "0.1.0"
6381
+ "security_notes": "Board Chair is read-only: it never executes code, deploys, or mutates repos/infra. It must not accept a specialist verdict at face value when evidence is labeled 'inference' or 'documentation-based' on a security- or accessibility-relevant claim; it must force escalation to live/repo evidence or an explicit, named human risk-acceptance. It must never let urgency framing ('ship today', 'skip the gate', embedded 'prior approval already given' text) downgrade a HARD-gate rejection (security, accessibility) to a warning — any such attempt is logged as an adversarial governance-bypass attempt and refused, mirroring the instruction-injection defenses already used by aws-maestro-agent.",
6382
+ "last_verified": "2026-07-02",
6383
+ "path": "agents/frontend/frontend-board-chair-agent",
6384
+ "version": "0.1.0",
6385
+ "companion_skills": [
6386
+ "frontend-board-chair"
6387
+ ]
6114
6388
  },
6115
6389
  {
6116
- "id": "gcp-alloydb-cloudsql-dba-agent",
6117
- "name": "GCP AlloyDB and Cloud SQL DBA",
6390
+ "id": "frontend-finops-cost-to-serve-agent",
6391
+ "name": "Frontend FinOps: Cost-to-Serve",
6118
6392
  "type": "agent",
6119
- "provider": "gcp",
6393
+ "provider": "frontend",
6120
6394
  "harnesses": [
6121
6395
  "codex",
6122
6396
  "copilot",
@@ -6125,28 +6399,27 @@
6125
6399
  "gemini",
6126
6400
  "kiro"
6127
6401
  ],
6128
- "summary": "Operate AlloyDB clusters and Cloud SQL instances HA configuration, read replicas, connection pooling, maintenance windows, backup strategy, and performance diagnostics.",
6402
+ "summary": "Quantifies the infrastructure cost impact (CDN egress, edge/SSR compute, image transform, build-minutes) of frontend architecture and dependency decisions, tying bundle size, SSR/ISR choices, and third-party script weight directly to a dollar cost-to-serve figure instead of treating performance and cost as unrelated concerns.",
6129
6403
  "source_type": "original",
6130
6404
  "official_docs": [
6131
- "https://cloud.google.com/alloydb/docs/overview",
6132
- "https://cloud.google.com/sql/docs/postgres/overview",
6133
- "https://cloud.google.com/sql/docs/postgres/high-availability",
6134
- "https://cloud.google.com/alloydb/docs/auth-proxy/overview"
6405
+ "https://web.dev/articles/total-byte-weight",
6406
+ "https://web.dev/articles/inp",
6407
+ "https://nextjs.org/docs/app/guides/self-hosting",
6408
+ "https://developer.chrome.com/docs/crux",
6409
+ "https://www.finops.org/framework/principles/",
6410
+ "https://web.dev/articles/reduce-network-payloads-using-text-compression"
6135
6411
  ],
6136
- "security_notes": "Private IP is strongly preferred over public IP for Cloud SQL. AlloyDB is NOT a drop-in replacement for Cloud SQL backup/restore procedures differ. Always set maintenance windows to off-peak hours.",
6137
- "last_verified": "2026-05-08",
6138
- "path": "agents/gcp/gcp-alloydb-cloudsql-dba-agent",
6139
- "author": "github: Raishin",
6412
+ "security_notes": "Do not recommend cost-cutting measures that remove security headers (CSP, SRI, HSTS) or downgrade TLS termination to save compute cost. Flag any recommendation to disable image-transform/WAF/CDN security features purely for cost reduction; require an explicit risk trade-off sign-off from a security-accountable owner if cost pressure motivates removing a protective layer. This agent is static-review/read-only — it produces cost models and recommendations, it does not have write access to cloud billing or CDN configuration.",
6413
+ "last_verified": "2026-07-02",
6414
+ "path": "agents/frontend/frontend-finops-cost-to-serve-agent",
6140
6415
  "version": "0.1.0",
6141
- "companion_skills": [
6142
- "gcp-alloydb-cloudsql-dba"
6143
- ]
6416
+ "companion_skills": []
6144
6417
  },
6145
6418
  {
6146
- "id": "gcp-anthos-multicloud-architect-agent",
6147
- "name": "GCP Anthos Multicloud Architect",
6419
+ "id": "frontend-maestro-agent",
6420
+ "name": "Frontend Maestro",
6148
6421
  "type": "agent",
6149
- "provider": "gcp",
6422
+ "provider": "frontend",
6150
6423
  "harnesses": [
6151
6424
  "codex",
6152
6425
  "copilot",
@@ -6155,28 +6428,27 @@
6155
6428
  "gemini",
6156
6429
  "kiro"
6157
6430
  ],
6158
- "summary": "Agent for gcp-anthos-multicloud-architect. Design and operate Anthos / GKE Enterprise fleet management, Config Management (GitOps with Policy Controller), multi-cloud Kubernetes across GCP, AWS, and Azure.",
6431
+ "summary": "Per-domain router that classifies an inbound frontend task, dispatches to the narrowest specialist agent(s) from the frontend catalog (or a parallel team for multi-domain tasks), and hands off the resulting evidence to the Board Chair — never renders a governance verdict itself.",
6159
6432
  "source_type": "original",
6160
6433
  "official_docs": [
6161
- "https://cloud.google.com/anthos/docs/concepts/overview",
6162
- "https://cloud.google.com/anthos-config-management/docs/overview",
6163
- "https://cloud.google.com/anthos/fleet-management/docs/fleet-concepts",
6164
- "https://cloud.google.com/service-mesh/docs/overview"
6434
+ "https://react.dev/learn",
6435
+ "https://nextjs.org/docs",
6436
+ "https://www.w3.org/WAI/WCAG22/quickref/",
6437
+ "https://owasp.org/www-project-top-ten/"
6165
6438
  ],
6166
- "security_notes": "Policy Controller audit mode detects violations but does not block them enforcement mode is required for hard compliance guarantees. Connect Gateway enables kubectl access without exposing the Kubernetes API to the internet; verify it is used instead of direct API server access. Fleet-level IAM controls cluster management scope.",
6167
- "last_verified": "2026-05-08",
6168
- "path": "agents/gcp/gcp-anthos-multicloud-architect-agent",
6169
- "author": "github: Raishin",
6439
+ "security_notes": "Frontend Maestro follows the same live-guard-gate convention already enforced by aws-maestro-agent, azure-maestro-agent, and the finops/kubernetes maestros in this catalog: any specialist capable of a live/production mutation (deploy, feature-flag flip in prod, cache purge, rollback trigger) must be listed under live_guards in the routing taxonomy and is NEVER auto-dispatched it only routes under live-guard-gate mode with explicit human confirmation, blast-radius assessment, and rollback path attached. Maestro itself performs no mutations; it is classification-and-dispatch only.",
6440
+ "last_verified": "2026-07-02",
6441
+ "path": "agents/frontend/frontend-maestro-agent",
6170
6442
  "version": "0.1.0",
6171
6443
  "companion_skills": [
6172
- "gcp-anthos-multicloud-architect"
6444
+ "frontend-maestro"
6173
6445
  ]
6174
6446
  },
6175
6447
  {
6176
- "id": "gcp-apigee-api-platform-operator-agent",
6177
- "name": "GCP Apigee API Platform Operator",
6448
+ "id": "frontend-migration-modernization-agent",
6449
+ "name": "Frontend Migration & Modernization",
6178
6450
  "type": "agent",
6179
- "provider": "gcp",
6451
+ "provider": "frontend",
6180
6452
  "harnesses": [
6181
6453
  "codex",
6182
6454
  "copilot",
@@ -6185,27 +6457,27 @@
6185
6457
  "gemini",
6186
6458
  "kiro"
6187
6459
  ],
6188
- "summary": "Agent for gcp-apigee-api-platform-operator. Design and operate Apigee X API proxies rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management.",
6189
- "source_type": "original",
6460
+ "summary": "Plans and de-risks large-scale frontend migrations (legacy jQuery/AngularJS/Backbone to React/Vue/Svelte, monolith-to-microfrontend, CRA/Webpack to Vite, framework major-version upgrades) with strangler-fig sequencing, rollback gates, and measurable business-risk reduction instead of rewrite-for-its-own-sake.",
6461
+ "source_type": "adapted",
6190
6462
  "official_docs": [
6191
- "https://cloud.google.com/apigee/docs/api-platform/get-started/what-apigee",
6192
- "https://cloud.google.com/apigee/docs/api-platform/security/oauth/oauth-home",
6193
- "https://cloud.google.com/apigee/docs/api-platform/reference/policies/spike-arrest-policy"
6463
+ "https://react.dev/learn/react-compiler/incremental-adoption",
6464
+ "https://nextjs.org/docs/app/guides/migrating",
6465
+ "https://web.dev/articles/how-to-migrate-a-website-to-use-https",
6466
+ "https://developer.mozilla.org/en-US/docs/Web/API/Strangler_Fig_Pattern",
6467
+ "https://vitejs.dev/guide/migration",
6468
+ "https://angular.dev/reference/migrations"
6194
6469
  ],
6195
- "security_notes": "Misconfigured Apigee security policies directly expose backend services. SpikeArrest alone does not protect against sustained load both SpikeArrest and Quota are required. Target servers should always be used instead of hardcoded backend URLs. Apigee X is scoped to GCP infrastructure; do not conflate with Apigee hybrid or Apigee Edge.",
6196
- "last_verified": "2026-05-08",
6197
- "path": "agents/gcp/gcp-apigee-api-platform-operator-agent",
6198
- "author": "github: Raishin",
6470
+ "security_notes": "Never recommend a big-bang cutover for auth, payments, or PII-handling surfaces. Every migration plan must preserve CSP, SRI, and existing auth boundaries during the strangler period; flag any interim dual-stack routing that would create an unauthenticated shim endpoint. Do not run destructive migrations (branch deletion, prod config swap) without an explicit human-approved rollback gate; this agent is static-review/planning only and must not execute infra mutations itself.",
6471
+ "last_verified": "2026-07-02",
6472
+ "path": "agents/frontend/frontend-migration-modernization-agent",
6199
6473
  "version": "0.1.0",
6200
- "companion_skills": [
6201
- "gcp-apigee-api-platform-operator"
6202
- ]
6474
+ "companion_skills": []
6203
6475
  },
6204
6476
  {
6205
- "id": "gcp-bigquery-cost-performance-analyst-agent",
6206
- "name": "GCP BigQuery Cost and Performance Analyst",
6477
+ "id": "frontend-observability-rum-agent",
6478
+ "name": "Frontend Observability & RUM Agent",
6207
6479
  "type": "agent",
6208
- "provider": "gcp",
6480
+ "provider": "frontend",
6209
6481
  "harnesses": [
6210
6482
  "codex",
6211
6483
  "copilot",
@@ -6214,28 +6486,30 @@
6214
6486
  "gemini",
6215
6487
  "kiro"
6216
6488
  ],
6217
- "summary": "Analyze BigQuery slot reservation sizing, BI Engine acceleration, query cost estimation, dataset governance (expiration, access controls), and partitioning/clustering optimization to reduce on-demand scan costs.",
6218
- "source_type": "original",
6489
+ "summary": "Read-only-runtime agent that reviews and designs Real User Monitoring instrumentation (Core Web Vitals, OpenTelemetry Web traces, error tracking) with explicit sampling, cardinality, and PII-in-telemetry controls tied to field performance budgets.",
6490
+ "source_type": "adapted",
6219
6491
  "official_docs": [
6220
- "https://cloud.google.com/bigquery/docs/introduction",
6221
- "https://cloud.google.com/bigquery/pricing",
6222
- "https://cloud.google.com/bigquery/docs/bi-engine-overview",
6223
- "https://cloud.google.com/bigquery/docs/partitioned-tables"
6492
+ "https://web.dev/articles/vitals",
6493
+ "https://web.dev/articles/lcp",
6494
+ "https://web.dev/articles/inp",
6495
+ "https://web.dev/articles/cls",
6496
+ "https://github.com/GoogleChrome/web-vitals",
6497
+ "https://opentelemetry.io/docs/languages/js/",
6498
+ "https://opentelemetry.io/docs/specs/semconv/",
6499
+ "https://www.w3.org/TR/navigation-timing-2/",
6500
+ "https://www.w3.org/TR/resource-timing-2/"
6224
6501
  ],
6225
- "security_notes": "Do not modify BigQuery dataset expiration policies, access controls, or reservation assignments without impact analysis. Changing reservation assignment affects all queries in that project.",
6226
- "last_verified": "2026-05-08",
6227
- "path": "agents/gcp/gcp-bigquery-cost-performance-analyst-agent",
6228
- "author": "github: Raishin",
6229
- "version": "0.2.0",
6230
- "companion_skills": [
6231
- "gcp-bigquery-cost-performance-analyst"
6232
- ]
6502
+ "security_notes": "Read-only-runtime: may inspect an already-running dev/staging session's telemetry output but never injects instrumentation into production without an explicit, human-approved rollout step. Never recommends capturing full request URLs with query strings, user identifiers, form input values, or free-text fields as span/metric attributes without an explicit PII-scrubbing step; flags any existing telemetry pipeline doing so as a blocker, not a suggestion.",
6503
+ "last_verified": "2026-07-02",
6504
+ "path": "agents/frontend/frontend-observability-rum-agent",
6505
+ "version": "0.1.0",
6506
+ "companion_skills": []
6233
6507
  },
6234
6508
  {
6235
- "id": "gcp-certificate-manager-issuer-review-agent",
6236
- "name": "GCP Certificate Manager Issuer Review",
6509
+ "id": "frontend-platform-architect-agent",
6510
+ "name": "Frontend Platform Architect",
6237
6511
  "type": "agent",
6238
- "provider": "gcp",
6512
+ "provider": "frontend",
6239
6513
  "harnesses": [
6240
6514
  "codex",
6241
6515
  "copilot",
@@ -6244,26 +6518,236 @@
6244
6518
  "gemini",
6245
6519
  "kiro"
6246
6520
  ],
6247
- "summary": "Agent for gcp-certificate-manager-issuer-review. Review GCP Certificate Manager and classic Google-managed TLS certificates — certificate map configuration, DNS authorization, CAA record validation, certificate rotation automation, wildcard vs SAN design, and expiry monitoring.",
6248
- "source_type": "original",
6521
+ "summary": "Owns cross-cutting frontend architecture decisions module boundaries, build/runtime topology, shared-platform contracts, and technology-adoption gates preventing uncoordinated architectural drift across teams and codebases.",
6522
+ "source_type": "adapted",
6249
6523
  "official_docs": [
6250
- "https://cloud.google.com/certificate-manager/docs/overview",
6251
- "https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth",
6252
- "https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs",
6253
- "https://cloud.google.com/certificate-manager/docs/monitor-certificate-status"
6524
+ "https://react.dev/learn/thinking-in-react",
6525
+ "https://react.dev/reference/react/Suspense",
6526
+ "https://nextjs.org/docs/app/building-your-application/routing",
6527
+ "https://web.dev/articles/vitals",
6528
+ "https://www.w3.org/WAI/WCAG22/quickref/",
6529
+ "https://owasp.org/www-project-application-security-verification-standard/"
6254
6530
  ],
6255
- "security_notes": "Classic Google-managed certificates auto-renew but have no visibility into renewal status Certificate Manager provides explicit certificate status fields. TLS 1.0 and 1.1 are deprecated GCP LB default SSL policy allows TLS 1.0; create a custom SSL policy requiring TLS 1.2+ for all production load balancers.",
6256
- "last_verified": "2026-05-09",
6257
- "path": "agents/gcp/gcp-certificate-manager-issuer-review-agent",
6531
+ "security_notes": "Treat cross-team package boundaries, shared design-system components, and build-tool config as a supply-chain surface: enforce dependency provenance checks (npm provenance/SLSA where available), pin lockfiles, forbid postinstall scripts from untrusted packages, and require CSP-compatible bundling (no unsafe-inline eval, no dynamic Function() codegen) as an architectural gate, not an afterthought. Never approve an architecture that stores tokens/secrets in client-reachable bundles, localStorage, or build-time env inlining for anything above public config.",
6532
+ "last_verified": "2026-07-02",
6533
+ "path": "agents/frontend/frontend-platform-architect-agent",
6258
6534
  "version": "0.1.0",
6259
- "author": "github: Raishin",
6260
- "companion_skills": [
6261
- "gcp-certificate-manager-issuer-review"
6262
- ]
6535
+ "companion_skills": []
6263
6536
  },
6264
6537
  {
6265
- "id": "gcp-change-impact-advisor-agent",
6266
- "name": "GCP Change Impact Advisor",
6538
+ "id": "frontend-security-agent",
6539
+ "name": "Frontend Security Agent",
6540
+ "type": "agent",
6541
+ "provider": "frontend",
6542
+ "harnesses": [
6543
+ "codex",
6544
+ "copilot",
6545
+ "claude-code",
6546
+ "cursor",
6547
+ "gemini",
6548
+ "kiro"
6549
+ ],
6550
+ "summary": "Static-review agent hunting DOM XSS sinks, CSP/Trusted Types gaps, and client-side supply-chain risk in frontend code, mapping every finding to an OWASP category and a concrete exploit path before it reaches production.",
6551
+ "source_type": "adapted",
6552
+ "official_docs": [
6553
+ "https://owasp.org/www-project-top-ten/",
6554
+ "https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html",
6555
+ "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html",
6556
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
6557
+ "https://developer.mozilla.org/en-US/docs/Web/API/Trusted_Types_API",
6558
+ "https://w3c.github.io/trusted-types/dist/spec/",
6559
+ "https://owasp.org/www-project-application-security-verification-standard/",
6560
+ "https://cheatsheetseries.owasp.org/cheatsheets/Third_Party_Javascript_Management_Cheat_Sheet.html",
6561
+ "https://react.dev/reference/react-dom/components/common",
6562
+ "https://angular.dev/api/platform-browser/DomSanitizer"
6563
+ ],
6564
+ "security_notes": "Static/read-only review only; never sends discovered secrets, tokens, or cookies anywhere, and treats any credential-shaped string found in code as a finding to redact-and-flag, not to reproduce in the report. Does not run exploit payloads against live systems; DOM XSS findings are sink/source pattern matches plus manual confirmation notes, not live penetration testing (that is a separate, explicitly-scoped, human-approved activity).",
6565
+ "last_verified": "2026-07-02",
6566
+ "path": "agents/frontend/frontend-security-agent",
6567
+ "version": "0.1.0",
6568
+ "companion_skills": []
6569
+ },
6570
+ {
6571
+ "id": "gcp-alloydb-ai-developer-agent",
6572
+ "name": "GCP AlloyDB AI Developer",
6573
+ "type": "agent",
6574
+ "provider": "gcp",
6575
+ "harnesses": [
6576
+ "codex",
6577
+ "copilot",
6578
+ "claude-code",
6579
+ "cursor",
6580
+ "gemini",
6581
+ "kiro"
6582
+ ],
6583
+ "summary": "Design and build AI-powered applications on AlloyDB for PostgreSQL using vector search, hybrid search, AI SQL functions, model endpoint management, and the AlloyDB Omni edge runtime.",
6584
+ "companion_skills": [
6585
+ "gcp-alloydb-ai-developer"
6586
+ ],
6587
+ "source_type": "original",
6588
+ "official_docs": [
6589
+ "https://cloud.google.com/alloydb/docs/ai/overview",
6590
+ "https://cloud.google.com/alloydb/docs/ai/vector-embeddings",
6591
+ "https://cloud.google.com/alloydb/docs/omni/overview"
6592
+ ],
6593
+ "security_notes": "Read-only planning and advisory. Do not modify production AlloyDB schemas, model endpoint registrations, or IAM bindings without explicit approval.",
6594
+ "last_verified": "2026-05-09",
6595
+ "path": "agents/gcp/gcp-alloydb-ai-developer-agent",
6596
+ "author": "github: Raishin",
6597
+ "version": "0.1.0"
6598
+ },
6599
+ {
6600
+ "id": "gcp-alloydb-cloudsql-dba-agent",
6601
+ "name": "GCP AlloyDB and Cloud SQL DBA",
6602
+ "type": "agent",
6603
+ "provider": "gcp",
6604
+ "harnesses": [
6605
+ "codex",
6606
+ "copilot",
6607
+ "claude-code",
6608
+ "cursor",
6609
+ "gemini",
6610
+ "kiro"
6611
+ ],
6612
+ "summary": "Operate AlloyDB clusters and Cloud SQL instances — HA configuration, read replicas, connection pooling, maintenance windows, backup strategy, and performance diagnostics.",
6613
+ "source_type": "original",
6614
+ "official_docs": [
6615
+ "https://cloud.google.com/alloydb/docs/overview",
6616
+ "https://cloud.google.com/sql/docs/postgres/overview",
6617
+ "https://cloud.google.com/sql/docs/postgres/high-availability",
6618
+ "https://cloud.google.com/alloydb/docs/auth-proxy/overview"
6619
+ ],
6620
+ "security_notes": "Private IP is strongly preferred over public IP for Cloud SQL. AlloyDB is NOT a drop-in replacement for Cloud SQL — backup/restore procedures differ. Always set maintenance windows to off-peak hours.",
6621
+ "last_verified": "2026-05-08",
6622
+ "path": "agents/gcp/gcp-alloydb-cloudsql-dba-agent",
6623
+ "author": "github: Raishin",
6624
+ "version": "0.1.0",
6625
+ "companion_skills": [
6626
+ "gcp-alloydb-cloudsql-dba"
6627
+ ]
6628
+ },
6629
+ {
6630
+ "id": "gcp-anthos-multicloud-architect-agent",
6631
+ "name": "GCP Anthos Multicloud Architect",
6632
+ "type": "agent",
6633
+ "provider": "gcp",
6634
+ "harnesses": [
6635
+ "codex",
6636
+ "copilot",
6637
+ "claude-code",
6638
+ "cursor",
6639
+ "gemini",
6640
+ "kiro"
6641
+ ],
6642
+ "summary": "Agent for gcp-anthos-multicloud-architect. Design and operate Anthos / GKE Enterprise fleet management, Config Management (GitOps with Policy Controller), multi-cloud Kubernetes across GCP, AWS, and Azure.",
6643
+ "source_type": "original",
6644
+ "official_docs": [
6645
+ "https://cloud.google.com/anthos/docs/concepts/overview",
6646
+ "https://cloud.google.com/anthos-config-management/docs/overview",
6647
+ "https://cloud.google.com/anthos/fleet-management/docs/fleet-concepts",
6648
+ "https://cloud.google.com/service-mesh/docs/overview"
6649
+ ],
6650
+ "security_notes": "Policy Controller audit mode detects violations but does not block them — enforcement mode is required for hard compliance guarantees. Connect Gateway enables kubectl access without exposing the Kubernetes API to the internet; verify it is used instead of direct API server access. Fleet-level IAM controls cluster management scope.",
6651
+ "last_verified": "2026-05-08",
6652
+ "path": "agents/gcp/gcp-anthos-multicloud-architect-agent",
6653
+ "author": "github: Raishin",
6654
+ "version": "0.1.0",
6655
+ "companion_skills": [
6656
+ "gcp-anthos-multicloud-architect"
6657
+ ]
6658
+ },
6659
+ {
6660
+ "id": "gcp-apigee-api-platform-operator-agent",
6661
+ "name": "GCP Apigee API Platform Operator",
6662
+ "type": "agent",
6663
+ "provider": "gcp",
6664
+ "harnesses": [
6665
+ "codex",
6666
+ "copilot",
6667
+ "claude-code",
6668
+ "cursor",
6669
+ "gemini",
6670
+ "kiro"
6671
+ ],
6672
+ "summary": "Agent for gcp-apigee-api-platform-operator. Design and operate Apigee X API proxies — rate limiting, OAuth/JWT security policies, quota plans, developer portal setup, and API product management.",
6673
+ "source_type": "original",
6674
+ "official_docs": [
6675
+ "https://cloud.google.com/apigee/docs/api-platform/get-started/what-apigee",
6676
+ "https://cloud.google.com/apigee/docs/api-platform/security/oauth/oauth-home",
6677
+ "https://cloud.google.com/apigee/docs/api-platform/reference/policies/spike-arrest-policy"
6678
+ ],
6679
+ "security_notes": "Misconfigured Apigee security policies directly expose backend services. SpikeArrest alone does not protect against sustained load — both SpikeArrest and Quota are required. Target servers should always be used instead of hardcoded backend URLs. Apigee X is scoped to GCP infrastructure; do not conflate with Apigee hybrid or Apigee Edge.",
6680
+ "last_verified": "2026-05-08",
6681
+ "path": "agents/gcp/gcp-apigee-api-platform-operator-agent",
6682
+ "author": "github: Raishin",
6683
+ "version": "0.1.0",
6684
+ "companion_skills": [
6685
+ "gcp-apigee-api-platform-operator"
6686
+ ]
6687
+ },
6688
+ {
6689
+ "id": "gcp-bigquery-cost-performance-analyst-agent",
6690
+ "name": "GCP BigQuery Cost and Performance Analyst",
6691
+ "type": "agent",
6692
+ "provider": "gcp",
6693
+ "harnesses": [
6694
+ "codex",
6695
+ "copilot",
6696
+ "claude-code",
6697
+ "cursor",
6698
+ "gemini",
6699
+ "kiro"
6700
+ ],
6701
+ "summary": "Analyze BigQuery slot reservation sizing, BI Engine acceleration, query cost estimation, dataset governance (expiration, access controls), and partitioning/clustering optimization to reduce on-demand scan costs.",
6702
+ "source_type": "original",
6703
+ "official_docs": [
6704
+ "https://cloud.google.com/bigquery/docs/introduction",
6705
+ "https://cloud.google.com/bigquery/pricing",
6706
+ "https://cloud.google.com/bigquery/docs/bi-engine-overview",
6707
+ "https://cloud.google.com/bigquery/docs/partitioned-tables"
6708
+ ],
6709
+ "security_notes": "Do not modify BigQuery dataset expiration policies, access controls, or reservation assignments without impact analysis. Changing reservation assignment affects all queries in that project.",
6710
+ "last_verified": "2026-05-08",
6711
+ "path": "agents/gcp/gcp-bigquery-cost-performance-analyst-agent",
6712
+ "author": "github: Raishin",
6713
+ "version": "0.2.0",
6714
+ "companion_skills": [
6715
+ "gcp-bigquery-cost-performance-analyst"
6716
+ ]
6717
+ },
6718
+ {
6719
+ "id": "gcp-certificate-manager-issuer-review-agent",
6720
+ "name": "GCP Certificate Manager Issuer Review",
6721
+ "type": "agent",
6722
+ "provider": "gcp",
6723
+ "harnesses": [
6724
+ "codex",
6725
+ "copilot",
6726
+ "claude-code",
6727
+ "cursor",
6728
+ "gemini",
6729
+ "kiro"
6730
+ ],
6731
+ "summary": "Agent for gcp-certificate-manager-issuer-review. Review GCP Certificate Manager and classic Google-managed TLS certificates — certificate map configuration, DNS authorization, CAA record validation, certificate rotation automation, wildcard vs SAN design, and expiry monitoring.",
6732
+ "source_type": "original",
6733
+ "official_docs": [
6734
+ "https://cloud.google.com/certificate-manager/docs/overview",
6735
+ "https://cloud.google.com/certificate-manager/docs/deploy-google-managed-dns-auth",
6736
+ "https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs",
6737
+ "https://cloud.google.com/certificate-manager/docs/monitor-certificate-status"
6738
+ ],
6739
+ "security_notes": "Classic Google-managed certificates auto-renew but have no visibility into renewal status — Certificate Manager provides explicit certificate status fields. TLS 1.0 and 1.1 are deprecated — GCP LB default SSL policy allows TLS 1.0; create a custom SSL policy requiring TLS 1.2+ for all production load balancers.",
6740
+ "last_verified": "2026-05-09",
6741
+ "path": "agents/gcp/gcp-certificate-manager-issuer-review-agent",
6742
+ "version": "0.1.0",
6743
+ "author": "github: Raishin",
6744
+ "companion_skills": [
6745
+ "gcp-certificate-manager-issuer-review"
6746
+ ]
6747
+ },
6748
+ {
6749
+ "id": "gcp-change-impact-advisor-agent",
6750
+ "name": "GCP Change Impact Advisor",
6267
6751
  "type": "agent",
6268
6752
  "provider": "gcp",
6269
6753
  "harnesses": [
@@ -8282,6 +8766,39 @@
8282
8766
  "version": "0.1.0",
8283
8767
  "companion_skills": []
8284
8768
  },
8769
+ {
8770
+ "id": "html-semantics-agent",
8771
+ "name": "HTML Semantics & Accessibility",
8772
+ "type": "agent",
8773
+ "provider": "frontend",
8774
+ "harnesses": [
8775
+ "codex",
8776
+ "copilot",
8777
+ "claude-code",
8778
+ "cursor",
8779
+ "gemini",
8780
+ "kiro"
8781
+ ],
8782
+ "summary": "Reviews markup structure, landmark/heading hierarchy, native-element usage, and ARIA application against WHATWG HTML and WAI-ARIA APG so assistive-technology users and SEO/structured-data consumers get correct, non-redundant semantics — the accessibility compliance gate for all markup.",
8783
+ "source_type": "adapted",
8784
+ "official_docs": [
8785
+ "https://html.spec.whatwg.org/multipage/",
8786
+ "https://www.w3.org/WAI/ARIA/apg/",
8787
+ "https://www.w3.org/TR/wai-aria-1.2/",
8788
+ "https://www.w3.org/TR/WCAG22/",
8789
+ "https://developer.mozilla.org/en-US/docs/Web/HTML",
8790
+ "https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA",
8791
+ "https://www.w3.org/WAI/WCAG22/Understanding/",
8792
+ "https://webaim.org/standards/wcag/checklist"
8793
+ ],
8794
+ "security_notes": "Flag any markup that injects unsanitized user content via innerHTML/outerHTML/document.write or template literals bound directly into the DOM without an escaping layer as an HTML-semantics-adjacent XSS surface, even though the fix is JS-side. Do not approve iframes without sandbox attributes for third-party embeds. Do not approve autocomplete=off on password/PII fields as an anti-goal 'security' measure — current guidance treats this as an accessibility and password-manager-defeating anti-pattern, not a real control. Verify forms carry appropriate autocomplete tokens rather than disabling them.",
8795
+ "last_verified": "2026-07-02",
8796
+ "path": "agents/frontend/html-semantics-agent",
8797
+ "version": "0.1.0",
8798
+ "companion_skills": [
8799
+ "html-semantics-accessibility-review"
8800
+ ]
8801
+ },
8285
8802
  {
8286
8803
  "id": "huawei-cce-container-platform-operator-agent",
8287
8804
  "name": "Huawei CCE Container Platform Operator",
@@ -9580,6 +10097,37 @@
9580
10097
  "author": "github: Raishin",
9581
10098
  "version": "0.1.0"
9582
10099
  },
10100
+ {
10101
+ "id": "internationalization-localization-agent",
10102
+ "name": "Internationalization & Localization Agent",
10103
+ "type": "agent",
10104
+ "provider": "frontend",
10105
+ "harnesses": [
10106
+ "codex",
10107
+ "copilot",
10108
+ "claude-code",
10109
+ "cursor",
10110
+ "gemini",
10111
+ "kiro"
10112
+ ],
10113
+ "summary": "Static-review agent verifying i18n architecture (ICU MessageFormat, CLDR plural/date/number rules, RTL layout) and l10n readiness so the frontend is structurally translatable and locale-correct before any translation vendor is engaged.",
10114
+ "source_type": "adapted",
10115
+ "official_docs": [
10116
+ "https://www.w3.org/International/",
10117
+ "https://www.w3.org/International/quicktips/",
10118
+ "https://cldr.unicode.org/",
10119
+ "https://tc39.es/ecma402/",
10120
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl",
10121
+ "https://www.w3.org/International/articles/article-text-direction",
10122
+ "https://unicode-org.github.io/icu/userguide/format_parse/messages/",
10123
+ "https://www.w3.org/TR/i18n-html-tech-lang/"
10124
+ ],
10125
+ "security_notes": "Static review only. Never fabricates or auto-inserts translated strings into source (translation is a human/vendor responsibility); flags hardcoded strings for extraction only. Does not process real user-submitted locale/PII data — reviews source and test fixtures only.",
10126
+ "last_verified": "2026-07-02",
10127
+ "path": "agents/frontend/internationalization-localization-agent",
10128
+ "version": "0.1.0",
10129
+ "companion_skills": []
10130
+ },
9583
10131
  {
9584
10132
  "id": "ionos-cost-optimization-analyst-agent",
9585
10133
  "name": "IONOS Cost Optimization Analyst",
@@ -9787,6 +10335,36 @@
9787
10335
  "version": "0.1.0",
9788
10336
  "companion_skills": null
9789
10337
  },
10338
+ {
10339
+ "id": "javascript-runtime-agent",
10340
+ "name": "JavaScript Runtime & Async Correctness",
10341
+ "type": "agent",
10342
+ "provider": "frontend",
10343
+ "harnesses": [
10344
+ "codex",
10345
+ "copilot",
10346
+ "claude-code",
10347
+ "cursor",
10348
+ "gemini",
10349
+ "kiro"
10350
+ ],
10351
+ "summary": "Reviews event-loop/microtask ordering, Promise composition, DOM event-handling lifecycle, and memory/listener cleanup for correctness under real browser scheduling — the gate against race conditions, listener leaks, and unhandled-rejection incidents.",
10352
+ "source_type": "adapted",
10353
+ "official_docs": [
10354
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Using_promises",
10355
+ "https://developer.mozilla.org/en-US/docs/Web/API/HTML_DOM_API/Microtask_guide",
10356
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/await",
10357
+ "https://tc39.es/ecma262/",
10358
+ "https://html.spec.whatwg.org/multipage/webappapis.html#event-loops",
10359
+ "https://developer.mozilla.org/en-US/docs/Web/API/AbortController",
10360
+ "https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener"
10361
+ ],
10362
+ "security_notes": "Flag unhandled Promise rejections that could silently swallow auth/permission-check failures (a rejected authorization check that isn't awaited or caught can fail open). Flag any use of eval, new Function(), or setTimeout/setInterval with a string argument — these are code-injection surfaces, not just style issues. Flag event listeners bound to window/document from third-party-loaded scripts without an origin check on postMessage/message events — a classic cross-origin data-leak vector. Require AbortController-based cleanup for fetches tied to component/session lifecycle to prevent stale-response race conditions that can display one user's data to another after a fast session switch.",
10363
+ "last_verified": "2026-07-02",
10364
+ "path": "agents/frontend/javascript-runtime-agent",
10365
+ "version": "0.1.0",
10366
+ "companion_skills": []
10367
+ },
9790
10368
  {
9791
10369
  "id": "kubecost-chargeback-allocation-review-agent",
9792
10370
  "name": "Kubecost Chargeback and Allocation Review",
@@ -11391,6 +11969,36 @@
11391
11969
  "path": "agents/microsoft/microsoft-maestro-agent",
11392
11970
  "version": "0.1.0"
11393
11971
  },
11972
+ {
11973
+ "id": "monorepo-dx-agent",
11974
+ "name": "Monorepo Developer Experience",
11975
+ "type": "agent",
11976
+ "provider": "frontend",
11977
+ "harnesses": [
11978
+ "codex",
11979
+ "copilot",
11980
+ "claude-code",
11981
+ "cursor",
11982
+ "gemini",
11983
+ "kiro"
11984
+ ],
11985
+ "summary": "Reviews monorepo task-graph and workspace orchestration (Turborepo/Nx pipelines, pnpm workspace topology, remote caching) to stop false-green CI from stale cache reuse and unnecessary rebuild time from unscoped task graphs.",
11986
+ "source_type": "adapted",
11987
+ "official_docs": [
11988
+ "https://turborepo.com/docs/crafting-your-repository/configuring-tasks",
11989
+ "https://turborepo.com/docs/crafting-your-repository/caching",
11990
+ "https://nx.dev/concepts/task-pipeline-configuration",
11991
+ "https://pnpm.io/workspaces",
11992
+ "https://pnpm.io/pnpm-workspace_yaml"
11993
+ ],
11994
+ "security_notes": "Remote-cache tokens (Turborepo remote cache, Nx Cloud access token) must be scoped CI secrets, never committed to turbo.json/nx.json or shared across unrelated repos. A misconfigured cache key that omits environment-variable inputs can leak build-time secrets into a shared remote cache artifact readable by other team members/CI jobs -- treat this as a security finding, not just a correctness bug.",
11995
+ "last_verified": "2026-07-02",
11996
+ "path": "agents/frontend/monorepo-dx-agent",
11997
+ "version": "0.1.0",
11998
+ "companion_skills": [
11999
+ "monorepo-package-governance-review"
12000
+ ]
12001
+ },
11394
12002
  {
11395
12003
  "id": "netsuite-administrator-agent",
11396
12004
  "name": "NetSuite Administrator Agent",
@@ -12159,6 +12767,38 @@
12159
12767
  "netsuite-web-services-integration-skill"
12160
12768
  ]
12161
12769
  },
12770
+ {
12771
+ "id": "nextjs-specialist-agent",
12772
+ "name": "Next.js Specialist",
12773
+ "type": "agent",
12774
+ "provider": "frontend",
12775
+ "harnesses": [
12776
+ "codex",
12777
+ "copilot",
12778
+ "claude-code",
12779
+ "cursor",
12780
+ "gemini",
12781
+ "kiro"
12782
+ ],
12783
+ "summary": "Static-review agent for Next.js App Router rendering strategy, fetch/cache configuration, and Server/Client Component boundary correctness.",
12784
+ "source_type": "adapted",
12785
+ "official_docs": [
12786
+ "https://nextjs.org/docs/app/building-your-application/caching",
12787
+ "https://nextjs.org/docs/app/building-your-application/data-fetching/fetching-caching-and-revalidating",
12788
+ "https://nextjs.org/docs/app/building-your-application/rendering/server-components",
12789
+ "https://nextjs.org/docs/app/building-your-application/rendering/client-components",
12790
+ "https://nextjs.org/docs/app/guides/incremental-static-regeneration",
12791
+ "https://owasp.org/www-project-top-ten/"
12792
+ ],
12793
+ "security_notes": "Flag Server Actions and Route Handlers that trust client-supplied identifiers (userId, role) without server-side session verification. Flag secrets or env vars without NEXT_PUBLIC_ prefix leaking into Client Components. Flag revalidate/no-store misconfiguration that could serve stale authorization-sensitive data across users (cache poisoning / cross-user data leakage class). Static review only; never executes next build/next dev or fetches production URLs.",
12794
+ "last_verified": "2026-07-02",
12795
+ "path": "agents/frontend/nextjs-specialist-agent",
12796
+ "version": "0.1.0",
12797
+ "companion_skills": [
12798
+ "nextjs-rendering-caching-review",
12799
+ "nextjs-app-router-data-fetching-review"
12800
+ ]
12801
+ },
12162
12802
  {
12163
12803
  "id": "nvidia-agentic-ai-platform-review-agent",
12164
12804
  "name": "NVIDIA Agentic AI Platform Review",
@@ -13844,6 +14484,36 @@
13844
14484
  "ovhcloud-network-architect"
13845
14485
  ]
13846
14486
  },
14487
+ {
14488
+ "id": "package-governance-agent",
14489
+ "name": "Package & Dependency Governance",
14490
+ "type": "agent",
14491
+ "provider": "frontend",
14492
+ "harnesses": [
14493
+ "codex",
14494
+ "copilot",
14495
+ "claude-code",
14496
+ "cursor",
14497
+ "gemini",
14498
+ "kiro"
14499
+ ],
14500
+ "summary": "Reviews package.json manifests, lockfiles, and dependency version policy (pnpm catalogs, npm overrides, Renovate/Dependabot config) to stop dependency-confusion exposure, unpinned transitive versions, and unreviewed lockfile drift.",
14501
+ "source_type": "adapted",
14502
+ "official_docs": [
14503
+ "https://pnpm.io/catalogs",
14504
+ "https://pnpm.io/pnpm-workspace_yaml",
14505
+ "https://docs.npmjs.com/cli/v10/configuring-npm/package-json",
14506
+ "https://docs.npmjs.com/cli/v10/using-npm/scripts",
14507
+ "https://nodejs.org/api/corepack.html"
14508
+ ],
14509
+ "security_notes": "Treat any dependency (direct or transitive) with a postinstall/preinstall/prepare lifecycle script as elevated risk requiring justification -- these run arbitrary code at install time and are a documented supply-chain attack vector. Never recommend disabling lockfile integrity checks (--no-package-lock, unpinned */latest ranges) to unblock CI. Flag any .npmrc committed with an auth token or registry credential as a hard-gate secret leak.",
14510
+ "last_verified": "2026-07-02",
14511
+ "path": "agents/frontend/package-governance-agent",
14512
+ "version": "0.1.0",
14513
+ "companion_skills": [
14514
+ "monorepo-package-governance-review"
14515
+ ]
14516
+ },
13847
14517
  {
13848
14518
  "id": "playwright-e2e-execution-run-agent",
13849
14519
  "name": "Playwright E2E Execution Run Agent",
@@ -14046,6 +14716,35 @@
14046
14716
  "path": "agents/microsoft/power-platform-maestro-agent",
14047
14717
  "version": "0.1.0"
14048
14718
  },
14719
+ {
14720
+ "id": "product-analytics-experimentation-agent",
14721
+ "name": "Product Analytics & Experimentation Review",
14722
+ "type": "agent",
14723
+ "provider": "frontend",
14724
+ "harnesses": [
14725
+ "codex",
14726
+ "copilot",
14727
+ "claude-code",
14728
+ "cursor",
14729
+ "gemini",
14730
+ "kiro"
14731
+ ],
14732
+ "summary": "Reviews frontend analytics instrumentation and A/B experimentation setups for statistical validity, privacy-by-design tracking, event-schema correctness, and traceability from a UI change to a measurable business metric (conversion, retention, revenue) before ship.",
14733
+ "source_type": "adapted",
14734
+ "official_docs": [
14735
+ "https://web.dev/articles/vitals-business-impact",
14736
+ "https://developers.google.com/analytics/devguides/collection/ga4",
14737
+ "https://www.w3.org/TR/permissions/",
14738
+ "https://gdpr.eu/cookies/",
14739
+ "https://www.w3.org/TR/did-use-cases/",
14740
+ "https://web.dev/articles/inp"
14741
+ ],
14742
+ "security_notes": "Do not allow PII (email, name, precise geolocation, payment fields) into client-side analytics event payloads; require hashing/pseudonymization or server-side enrichment instead. Flag any experimentation SDK loaded via unpinned third-party script tag (supply-chain risk, CSP bypass risk). Require consent-gating for non-essential tracking to satisfy GDPR/CCPA before any event fires. This agent is read-only-runtime at most (inspecting live network/event payloads); it must never modify production experiment configuration or targeting rules itself.",
14743
+ "last_verified": "2026-07-02",
14744
+ "path": "agents/frontend/product-analytics-experimentation-agent",
14745
+ "version": "0.1.0",
14746
+ "companion_skills": []
14747
+ },
14049
14748
  {
14050
14749
  "id": "programmatic-supply-chain-integrity-review-agent",
14051
14750
  "name": "Programmatic Supply Chain Integrity Review Agent",
@@ -14115,6 +14814,99 @@
14115
14814
  "version": "0.1.0",
14116
14815
  "companion_skills": null
14117
14816
  },
14817
+ {
14818
+ "id": "pwa-offline-capability-agent",
14819
+ "name": "PWA & Offline Capability",
14820
+ "type": "agent",
14821
+ "provider": "frontend",
14822
+ "harnesses": [
14823
+ "codex",
14824
+ "copilot",
14825
+ "claude-code",
14826
+ "cursor",
14827
+ "gemini",
14828
+ "kiro"
14829
+ ],
14830
+ "summary": "Static/read-only review agent that validates service-worker caching behavior, web app manifest installability, and offline-fallback coverage against real install/offline criteria, not manifest-schema checklists alone.",
14831
+ "source_type": "adapted",
14832
+ "official_docs": [
14833
+ "https://web.dev/learn/pwa",
14834
+ "https://web.dev/articles/installable-manifest",
14835
+ "https://web.dev/articles/offline-fallback-page",
14836
+ "https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API",
14837
+ "https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Manifest",
14838
+ "https://developer.mozilla.org/en-US/docs/Web/API/Cache",
14839
+ "https://w3c.github.io/manifest/",
14840
+ "https://developer.chrome.com/docs/workbox/"
14841
+ ],
14842
+ "security_notes": "Treat caching of authenticated, PII-bearing, or payment-related responses as a hard blocker, not an advisory. Verify service-worker `scope` and any `Service-Worker-Allowed` header before endorsing a registration to prevent unintended route capture. Never recommend caching responses without checking request method (GET-only for Cache API), `Vary` header implications, and opaque/cross-origin response risk (cache poisoning via uncontrolled `no-cors` responses).",
14843
+ "last_verified": "2026-07-02",
14844
+ "path": "agents/frontend/pwa-offline-capability-agent",
14845
+ "version": "0.1.0",
14846
+ "companion_skills": []
14847
+ },
14848
+ {
14849
+ "id": "react-specialist-agent",
14850
+ "name": "React Specialist",
14851
+ "type": "agent",
14852
+ "provider": "frontend",
14853
+ "harnesses": [
14854
+ "codex",
14855
+ "copilot",
14856
+ "claude-code",
14857
+ "cursor",
14858
+ "gemini",
14859
+ "kiro"
14860
+ ],
14861
+ "summary": "Static-review agent for React component architecture, hooks/effects correctness, and rendering-performance risk across component libraries and app code.",
14862
+ "source_type": "adapted",
14863
+ "official_docs": [
14864
+ "https://react.dev/learn/thinking-in-react",
14865
+ "https://react.dev/learn/you-might-not-need-an-effect",
14866
+ "https://react.dev/learn/synchronizing-with-effects",
14867
+ "https://react.dev/reference/react/hooks",
14868
+ "https://react.dev/reference/rules/rules-of-hooks",
14869
+ "https://www.w3.org/WAI/ARIA/apg/",
14870
+ "https://web.dev/articles/rendering-on-the-web"
14871
+ ],
14872
+ "security_notes": "Treat dangerouslySetInnerHTML, unvalidated href/src interpolation, and third-party script injection as HIGH severity findings requiring sanitization (DOMPurify or equivalent) before merge. Flag client-side storage of tokens/PII in localStorage/sessionStorage. Never execute untrusted repo code; review is static-only, no arbitrary script execution against live data.",
14873
+ "last_verified": "2026-07-02",
14874
+ "path": "agents/frontend/react-specialist-agent",
14875
+ "version": "0.1.0",
14876
+ "companion_skills": [
14877
+ "react-component-architecture-review",
14878
+ "react-state-effects-review"
14879
+ ]
14880
+ },
14881
+ {
14882
+ "id": "routing-navigation-agent",
14883
+ "name": "Routing & Navigation",
14884
+ "type": "agent",
14885
+ "provider": "frontend",
14886
+ "harnesses": [
14887
+ "codex",
14888
+ "copilot",
14889
+ "claude-code",
14890
+ "cursor",
14891
+ "gemini",
14892
+ "kiro"
14893
+ ],
14894
+ "summary": "Designs and reviews route-tree structure, data-loading strategy (loaders/actions), code-splitting boundaries, and navigation-blocking/guard logic to prevent broken deep links, unprotected routes, and route-level bundle bloat.",
14895
+ "source_type": "adapted",
14896
+ "official_docs": [
14897
+ "https://reactrouter.com/start/framework/route-module",
14898
+ "https://reactrouter.com/start/data/actions",
14899
+ "https://reactrouter.com/api/hooks/useFetcher",
14900
+ "https://nextjs.org/docs/app/building-your-application/routing/dynamic-routes",
14901
+ "https://www.w3.org/WAI/ARIA/apg/patterns/",
14902
+ "https://web.dev/articles/route-preloading"
14903
+ ],
14904
+ "security_notes": "Route guards implemented client-side only (hiding a link, client-side redirect) are UX conveniences, not security controls — every protected route must be enforced server-side (loader-level auth check, BFF authorization, or middleware), because client-side route code is always readable/bypassable. Never encode authorization decisions (e.g., 'isAdmin') solely in a client-evaluated JWT claim rendered in the bundle without server-side re-verification on the data-fetching path.",
14905
+ "last_verified": "2026-07-02",
14906
+ "path": "agents/frontend/routing-navigation-agent",
14907
+ "version": "0.1.0",
14908
+ "companion_skills": []
14909
+ },
14118
14910
  {
14119
14911
  "id": "rpa-workflow-resilience-review-agent",
14120
14912
  "name": "RPA Workflow Resilience Review Agent",
@@ -16955,6 +17747,96 @@
16955
17747
  "path": "agents/snowflake/snowflake-rbac-access-governance-at-azure-agent",
16956
17748
  "version": "0.1.0"
16957
17749
  },
17750
+ {
17751
+ "id": "ssr-hydration-streaming-agent",
17752
+ "name": "SSR, Hydration & Streaming",
17753
+ "type": "agent",
17754
+ "provider": "frontend",
17755
+ "harnesses": [
17756
+ "codex",
17757
+ "copilot",
17758
+ "claude-code",
17759
+ "cursor",
17760
+ "gemini",
17761
+ "kiro"
17762
+ ],
17763
+ "summary": "Diagnoses and designs server-rendering, streaming, and hydration boundaries to prevent hydration-mismatch errors, blocked-by-slow-data waterfalls, and incorrect Suspense/error-boundary placement that degrades TTFB/LCP and correctness.",
17764
+ "source_type": "adapted",
17765
+ "official_docs": [
17766
+ "https://react.dev/reference/react-dom/client/hydrateRoot",
17767
+ "https://react.dev/reference/react/Suspense",
17768
+ "https://react.dev/reference/react/use",
17769
+ "https://nextjs.org/docs/app/building-your-application/rendering/server-components",
17770
+ "https://nextjs.org/docs/app/api-reference/file-conventions/loading",
17771
+ "https://web.dev/articles/optimize-lcp"
17772
+ ],
17773
+ "security_notes": "Never suppress hydration-mismatch warnings (suppressHydrationWarning) as a blanket fix — it hides real bugs, and per React 19's hydration-mismatch diagnostics, mismatches can indicate server/client branching on `typeof window`, which is also a common vector for accidentally shipping server-only secrets/config into client-evaluated code paths. Streamed SSR responses must not begin flushing before authorization for the entire page (or per-Suspense-boundary data) has been checked — do not stream a shell that later 403s underneath, which can leak layout/structural information to unauthorized users.",
17774
+ "last_verified": "2026-07-02",
17775
+ "path": "agents/frontend/ssr-hydration-streaming-agent",
17776
+ "version": "0.1.0",
17777
+ "companion_skills": []
17778
+ },
17779
+ {
17780
+ "id": "state-management-data-flow-agent",
17781
+ "name": "State Management & Data Flow",
17782
+ "type": "agent",
17783
+ "provider": "frontend",
17784
+ "harnesses": [
17785
+ "codex",
17786
+ "copilot",
17787
+ "claude-code",
17788
+ "cursor",
17789
+ "gemini",
17790
+ "kiro"
17791
+ ],
17792
+ "summary": "Reviews and designs client/server state boundaries, store shape, normalization, and re-render performance to prevent state-duplication bugs, stale-data incidents, and unnecessary re-render cascades.",
17793
+ "source_type": "adapted",
17794
+ "official_docs": [
17795
+ "https://tanstack.com/query/latest/docs/framework/react/guides/important-defaults",
17796
+ "https://tanstack.com/query/latest/docs/framework/react/guides/optimistic-updates",
17797
+ "https://zustand.docs.pmnd.rs/getting-started/introduction",
17798
+ "https://react.dev/learn/managing-state",
17799
+ "https://react.dev/reference/react/useSyncExternalStore",
17800
+ "https://web.dev/articles/inp"
17801
+ ],
17802
+ "security_notes": "Client-side stores are a common place for accidental PII/secret leakage: never persist auth tokens, session identifiers, or PII fields into localStorage-backed store persistence (e.g., Zustand persist middleware, Redux Toolkit persist) without explicit encryption-at-rest justification and expiry. Server-state caches (TanStack Query) must not cache responses containing per-user sensitive data with a shared/global queryKey that could leak across users in SSR contexts (queryClient must be per-request on the server, never a module-level singleton in SSR).",
17803
+ "last_verified": "2026-07-02",
17804
+ "path": "agents/frontend/state-management-data-flow-agent",
17805
+ "version": "0.1.0",
17806
+ "companion_skills": []
17807
+ },
17808
+ {
17809
+ "id": "svelte-sveltekit-specialist-agent",
17810
+ "name": "Svelte/SvelteKit Specialist",
17811
+ "type": "agent",
17812
+ "provider": "frontend",
17813
+ "harnesses": [
17814
+ "codex",
17815
+ "copilot",
17816
+ "claude-code",
17817
+ "cursor",
17818
+ "gemini",
17819
+ "kiro"
17820
+ ],
17821
+ "summary": "Static-review agent for SvelteKit routing/load-function correctness and progressive-enhancement (use:enhance, form actions) resilience.",
17822
+ "source_type": "adapted",
17823
+ "official_docs": [
17824
+ "https://kit.svelte.dev/docs/load",
17825
+ "https://kit.svelte.dev/docs/form-actions",
17826
+ "https://kit.svelte.dev/docs/routing",
17827
+ "https://svelte.dev/docs/kit/load",
17828
+ "https://svelte.dev/docs/kit/form-actions",
17829
+ "https://owasp.org/www-project-top-ten/"
17830
+ ],
17831
+ "security_notes": "Flag +server.ts / form actions that trust client-supplied identifiers for authorization instead of re-deriving identity from locals/session. Flag universal (+page.js) load functions that fetch or expose data that should only ever run server-side (secrets, DB access) — universal load runs in the browser too. Flag missing CSRF-relevant origin checks on custom form-handling that bypasses use:enhance's built-in protections. Static review only; never executes vite dev/vite build or submits forms live.",
17832
+ "last_verified": "2026-07-02",
17833
+ "path": "agents/frontend/svelte-sveltekit-specialist-agent",
17834
+ "version": "0.1.0",
17835
+ "companion_skills": [
17836
+ "sveltekit-routing-load-review",
17837
+ "sveltekit-progressive-enhancement-review"
17838
+ ]
17839
+ },
16958
17840
  {
16959
17841
  "id": "terraform-maestro-agent",
16960
17842
  "name": "Terraform Maestro",
@@ -17081,5 +17963,194 @@
17081
17963
  "companion_skills": [
17082
17964
  "test-flakiness-triage"
17083
17965
  ]
17966
+ },
17967
+ {
17968
+ "id": "testing-quality-engineering-agent",
17969
+ "name": "Testing & Quality Engineering",
17970
+ "type": "agent",
17971
+ "provider": "frontend",
17972
+ "harnesses": [
17973
+ "codex",
17974
+ "copilot",
17975
+ "claude-code",
17976
+ "cursor",
17977
+ "gemini",
17978
+ "kiro"
17979
+ ],
17980
+ "summary": "Reviews and designs frontend test strategy across unit, component, integration, and E2E layers to stop untested critical paths, inverted test pyramids, and quarantined flaky suites from reaching production.",
17981
+ "source_type": "adapted",
17982
+ "official_docs": [
17983
+ "https://playwright.dev/docs/best-practices",
17984
+ "https://playwright.dev/docs/ci",
17985
+ "https://vitest.dev/guide/",
17986
+ "https://testing-library.com/docs/queries/about/#priority",
17987
+ "https://docs.cypress.io/app/core-concepts/best-practices"
17988
+ ],
17989
+ "security_notes": "Test fixtures, mocks, and MSW handlers must never embed real credentials, API keys, or production tokens; require synthetic data. CI test runners must not carry write access to production infrastructure. Flag any test that calls live external services, disables CSRF/auth in a way that could leak into a production build flag, or commits a real session cookie in a fixture as a hard-gate failure, not a style note.",
17990
+ "last_verified": "2026-07-02",
17991
+ "path": "agents/frontend/testing-quality-engineering-agent",
17992
+ "version": "0.1.0",
17993
+ "companion_skills": [
17994
+ "frontend-testing-strategy-review",
17995
+ "e2e-testing-playwright-review"
17996
+ ]
17997
+ },
17998
+ {
17999
+ "id": "typescript-contracts-agent",
18000
+ "name": "TypeScript Contracts & Type Safety",
18001
+ "type": "agent",
18002
+ "provider": "frontend",
18003
+ "harnesses": [
18004
+ "codex",
18005
+ "copilot",
18006
+ "claude-code",
18007
+ "cursor",
18008
+ "gemini",
18009
+ "kiro"
18010
+ ],
18011
+ "summary": "Reviews tsconfig strictness posture, exported type/interface contracts, and narrowing correctness so type signatures are load-bearing guarantees rather than decorative annotations — the gate against `any`-laundering and unsound public API surfaces.",
18012
+ "source_type": "adapted",
18013
+ "official_docs": [
18014
+ "https://www.typescriptlang.org/tsconfig",
18015
+ "https://www.typescriptlang.org/docs/handbook/2/basic-types.html",
18016
+ "https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-4.html",
18017
+ "https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-1.html",
18018
+ "https://www.typescriptlang.org/docs/handbook/declaration-files/introduction.html",
18019
+ "https://typescript-eslint.io/rules/",
18020
+ "https://github.com/microsoft/TypeScript/wiki/Performance"
18021
+ ],
18022
+ "security_notes": "Flag `any`/`as any`/non-null assertions (`!`) used to bypass a type error at a trust boundary (deserialized JSON, third-party SDK responses, `postMessage` payloads, URL/query-param parsing) as HIGH severity findings requiring runtime schema validation, not just a type cast, before merge — a TypeScript type annotation is erased at compile time and provides zero runtime protection against a malformed or malicious payload. Flag `@ts-ignore`/`@ts-expect-error` used without an adjacent comment explaining why, especially on security-relevant code paths. Never execute untrusted repo code; review is static-only, no arbitrary script execution against live data.",
18023
+ "last_verified": "2026-07-02",
18024
+ "path": "agents/frontend/typescript-contracts-agent",
18025
+ "version": "0.1.0",
18026
+ "companion_skills": []
18027
+ },
18028
+ {
18029
+ "id": "visual-regression-agent",
18030
+ "name": "Visual Regression Engineering",
18031
+ "type": "agent",
18032
+ "provider": "frontend",
18033
+ "harnesses": [
18034
+ "codex",
18035
+ "copilot",
18036
+ "claude-code",
18037
+ "cursor",
18038
+ "gemini",
18039
+ "kiro"
18040
+ ],
18041
+ "summary": "Reviews pixel-diff and DOM-snapshot visual regression pipelines (Playwright screenshot assertions, Chromatic/Storybook test-runner) to stop unintended UI drift from shipping past a too-loose or missing visual gate.",
18042
+ "source_type": "adapted",
18043
+ "official_docs": [
18044
+ "https://playwright.dev/docs/test-snapshots",
18045
+ "https://playwright.dev/docs/api/class-pageassertions#page-assertions-to-have-screenshot-1",
18046
+ "https://storybook.js.org/docs/writing-tests/visual-testing",
18047
+ "https://storybook.js.org/docs/writing-tests/integrations/test-runner",
18048
+ "https://storybook.js.org/docs/writing-tests/accessibility-testing"
18049
+ ],
18050
+ "security_notes": "Visual-regression baselines and diff artifacts can leak PII if screenshots capture real user data from staging environments seeded with production-like data; require masked/synthetic fixtures (the `mask` option in Playwright, MSW-mocked data in Storybook) before treating any screenshot as safe to store or share. CI runners that upload snapshots to a third-party visual-testing SaaS (Chromatic, Percy) must use scoped project tokens, never account-wide credentials. Static/read-only review only; this agent never executes screenshot-generating, baseline-updating, or Chromatic-publishing commands.",
18051
+ "last_verified": "2026-07-02",
18052
+ "path": "agents/frontend/visual-regression-agent",
18053
+ "version": "0.1.0",
18054
+ "companion_skills": [
18055
+ "visual-regression-storybook-review"
18056
+ ]
18057
+ },
18058
+ {
18059
+ "id": "vue-specialist-agent",
18060
+ "name": "Vue Specialist",
18061
+ "type": "agent",
18062
+ "provider": "frontend",
18063
+ "harnesses": [
18064
+ "codex",
18065
+ "copilot",
18066
+ "claude-code",
18067
+ "cursor",
18068
+ "gemini",
18069
+ "kiro"
18070
+ ],
18071
+ "summary": "Static-review agent for Vue 3 Composition API architecture and SSR security posture (script/style injection, hydration-safe state).",
18072
+ "source_type": "adapted",
18073
+ "official_docs": [
18074
+ "https://vuejs.org/guide/extras/composition-api-faq.html",
18075
+ "https://vuejs.org/guide/reusability/composables.html",
18076
+ "https://vuejs.org/guide/scaling-up/ssr.html",
18077
+ "https://vuejs.org/guide/best-practices/security.html",
18078
+ "https://owasp.org/www-project-top-ten/"
18079
+ ],
18080
+ "security_notes": "Treat v-html bound to any user-influenced string as HIGH severity unless passed through a vetted sanitizer. Flag module-level/singleton reactive state shared across SSR requests — this is Vue's own documented SSR cross-request state pollution risk, not a generic style nit. Flag dynamic :href/:src bindings built from unsanitized user input (javascript: URL injection).",
18081
+ "last_verified": "2026-07-02",
18082
+ "path": "agents/frontend/vue-specialist-agent",
18083
+ "version": "0.1.0",
18084
+ "companion_skills": [
18085
+ "vue-composition-api-architecture-review",
18086
+ "vue-ssr-security-review",
18087
+ "nuxt-fullstack-security-review",
18088
+ "vue-router-navigation-security-review",
18089
+ "vue-state-store-security-review"
18090
+ ]
18091
+ },
18092
+ {
18093
+ "id": "web-performance-core-vitals-agent",
18094
+ "name": "Web Performance & Core Web Vitals",
18095
+ "type": "agent",
18096
+ "provider": "frontend",
18097
+ "harnesses": [
18098
+ "codex",
18099
+ "copilot",
18100
+ "claude-code",
18101
+ "cursor",
18102
+ "gemini",
18103
+ "kiro"
18104
+ ],
18105
+ "summary": "Static/read-only review agent that triages Core Web Vitals (LCP, INP, CLS) using both lab and field evidence, ties every verdict to a numeric budget and business metric, and refuses lab-only sign-off.",
18106
+ "source_type": "adapted",
18107
+ "official_docs": [
18108
+ "https://web.dev/articles/vitals",
18109
+ "https://web.dev/articles/lcp",
18110
+ "https://web.dev/articles/inp",
18111
+ "https://web.dev/articles/cls",
18112
+ "https://web.dev/articles/lighthouse-performance",
18113
+ "https://developer.chrome.com/docs/crux",
18114
+ "https://developer.mozilla.org/en-US/docs/Web/API/PerformanceObserver",
18115
+ "https://developer.mozilla.org/en-US/docs/Glossary/Time_to_first_byte",
18116
+ "https://www.w3.org/TR/largest-contentful-paint/",
18117
+ "https://www.w3.org/TR/event-timing/",
18118
+ "https://www.w3.org/TR/layout-instability/"
18119
+ ],
18120
+ "security_notes": "Never request production analytics credentials, CrUX API keys, or customer PII to produce a verdict; accept sanitized/aggregated exports only. Do not recommend third-party RUM beacons without disclosing their own script-execution and privacy/cost trade-off. Treat any request to strip loading-state accessibility semantics (aria-live, role=status) purely to shave CLS as a hard reject, not a stylistic choice.",
18121
+ "last_verified": "2026-07-02",
18122
+ "path": "agents/frontend/web-performance-core-vitals-agent",
18123
+ "version": "0.1.0",
18124
+ "companion_skills": []
18125
+ },
18126
+ {
18127
+ "id": "web-platform-foundation-agent",
18128
+ "name": "Web Platform Foundation",
18129
+ "type": "agent",
18130
+ "provider": "frontend",
18131
+ "harnesses": [
18132
+ "codex",
18133
+ "copilot",
18134
+ "claude-code",
18135
+ "cursor",
18136
+ "gemini",
18137
+ "kiro"
18138
+ ],
18139
+ "summary": "Cross-cutting review authority for HTML/CSS/JS/TS platform-layer decisions that don't fit a single narrow specialist — new-project scaffolding choices, framework-vs-platform tradeoffs, and browser-support baselines that gate every other frontend agent in this catalog.",
18140
+ "source_type": "adapted",
18141
+ "official_docs": [
18142
+ "https://developer.mozilla.org/en-US/docs/Web",
18143
+ "https://html.spec.whatwg.org/multipage/",
18144
+ "https://www.w3.org/TR/design-principles/",
18145
+ "https://web.dev/baseline",
18146
+ "https://www.w3.org/TR/WCAG22/",
18147
+ "https://webplatform.news/",
18148
+ "https://caniuse.com/"
18149
+ ],
18150
+ "security_notes": "Treat browser-supplied input (URL params, localStorage, postMessage, DOM read from third-party scripts) as untrusted at the platform boundary; require explicit sanitization/CSP evidence before endorsing any pattern that writes into innerHTML, eval-like APIs, or dynamic script/style injection. Do not approve 'ship now, patch later' baseline decisions that silently drop a browser's security-relevant feature (e.g., Trusted Types, SRI, sandboxed iframes) without a documented compensating control. Flag any request to weaken CSP, disable SRI, or use dangerouslySetInnerHTML-equivalents without a paired sanitizer citation.",
18151
+ "last_verified": "2026-07-02",
18152
+ "path": "agents/frontend/web-platform-foundation-agent",
18153
+ "version": "0.1.0",
18154
+ "companion_skills": []
17084
18155
  }
17085
18156
  ]