@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (873) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15389 -12589
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +3 -2
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/generate-docs-data.mjs +1 -0
  333. package/scripts/generate-kiro-powers.mjs +12 -0
  334. package/scripts/update-catalog-new-agents.py +6 -1
  335. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  336. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  340. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  341. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  342. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  344. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  345. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  346. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  348. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  353. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  354. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  355. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  356. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  357. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  358. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  359. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  360. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  361. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  362. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  363. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  368. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  374. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  375. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  376. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  377. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  378. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  379. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  380. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  381. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  382. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  383. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  384. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  385. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  386. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  387. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  390. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  391. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  392. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  393. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  394. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  395. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  396. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  399. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  404. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  405. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  406. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  407. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  408. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  409. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  410. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  411. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  413. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  414. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  415. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  418. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  419. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  420. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  422. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  423. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  424. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  425. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  426. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  427. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  434. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  439. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  443. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  444. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  445. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  446. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  447. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  448. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  449. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  454. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  459. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  460. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  461. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  463. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  464. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  465. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  469. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  470. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  471. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  472. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  473. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  474. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  475. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  476. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  479. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  484. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  485. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  486. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  489. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  494. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  495. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  496. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  498. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  499. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  500. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  503. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  507. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  512. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  513. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  514. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  515. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  516. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  517. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  523. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  524. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  525. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  528. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  529. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  530. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  534. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  535. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  536. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  539. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  540. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  541. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  542. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  543. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  548. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  549. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  550. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  551. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  552. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  553. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  554. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  555. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  556. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  557. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  558. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  559. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  564. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  569. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  570. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  571. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  572. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  573. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  574. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  579. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  583. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  584. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  585. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  587. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  592. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  593. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  594. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  595. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  596. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  597. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  598. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  599. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  602. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  607. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  608. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  609. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  613. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  614. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  615. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  616. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  617. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  618. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  619. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  620. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  621. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  622. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  623. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  624. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  629. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  671. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  713. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  714. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  725. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  736. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  764. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  775. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  786. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  797. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  808. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  819. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  830. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  841. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  861. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  872. package/tests/validate-catalog.py +1 -0
  873. package/tests/validate-frontend-security-detection.py +209 -0
@@ -85,6 +85,33 @@
85
85
  "author": "github: Raishin",
86
86
  "version": "0.1.0"
87
87
  },
88
+ {
89
+ "id": "ai-generated-frontend-code-review",
90
+ "name": "AI-Generated Frontend Code Review",
91
+ "type": "skill",
92
+ "provider": "frontend",
93
+ "harnesses": [
94
+ "claude-code",
95
+ "cursor",
96
+ "codex",
97
+ "gemini",
98
+ "kiro",
99
+ "other"
100
+ ],
101
+ "summary": "Applies an elevated review pass specifically to AI/LLM-generated frontend diffs, checking for hallucinated framework APIs, slopsquatted dependency names, unsanitized dynamic-HTML sinks, and missing accessibility semantics — the failure patterns unique to generated-but-plausible-looking code — before merge.",
102
+ "source_type": "original",
103
+ "official_docs": [
104
+ "https://owasp.org/www-project-top-10-for-large-language-model-applications/",
105
+ "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html",
106
+ "https://www.w3.org/WAI/ARIA/apg/",
107
+ "https://react.dev/reference/rules"
108
+ ],
109
+ "security_notes": "Treat all AI-generated code as untrusted input requiring verification, not a lower-scrutiny fast path. Check every new dependency name against the real package registry before approving install (slopsquat defense). Check every dynamic-HTML sink for sanitization. Never execute exploit payloads against live/staging systems; static-review-only skill (Read/Grep/Glob/WebFetch/WebSearch, no mutation, no live target traffic). Never reproduce discovered secrets/tokens verbatim in findings output.",
110
+ "last_verified": "2026-07-02",
111
+ "path": "skills/frontend/ai-generated-frontend-code-review",
112
+ "version": "0.1.0",
113
+ "author": "github: Raishin"
114
+ },
88
115
  {
89
116
  "id": "alibaba-ack-container-platform-operator",
90
117
  "name": "Alibaba Cloud ACK Container Platform Operator",
@@ -1239,6 +1266,114 @@
1239
1266
  "version": "0.1.0",
1240
1267
  "lifecycle": "experimental"
1241
1268
  },
1269
+ {
1270
+ "id": "angular-architecture-signals-review",
1271
+ "name": "Angular Architecture & Signals Review",
1272
+ "type": "skill",
1273
+ "provider": "frontend",
1274
+ "harnesses": [
1275
+ "claude-code",
1276
+ "cursor",
1277
+ "codex",
1278
+ "gemini",
1279
+ "kiro",
1280
+ "other"
1281
+ ],
1282
+ "summary": "Reviews Angular component/service architecture for correct Signals usage, computed/effect semantics, and change-detection strategy, using Angular's own Signals, change-detection, and dependency-injection guidance loaded progressively and grounded via Context7 against the repo's confirmed Angular version.",
1283
+ "source_type": "original",
1284
+ "official_docs": [
1285
+ "https://angular.dev/guide/signals",
1286
+ "https://angular.dev/guide/signals/linked-signal",
1287
+ "https://angular.dev/guide/components/change-detection",
1288
+ "https://angular.dev/guide/di/dependency-injection"
1289
+ ],
1290
+ "security_notes": "No direct security-primitive concern in this skill's scope; escalate any bypassSecurityTrust* usage discovered incidentally to the angular-ssr-hydration-review skill or a security reviewer rather than handling it here. Static-review-only skill: it reads and greps component/service source but never executes, builds, or runs application code. Treat any API key or token found hardcoded in component/service state or default values as a HIGH-severity finding requiring immediate escalation, not a style note.",
1291
+ "last_verified": "2026-07-02",
1292
+ "path": "skills/frontend/angular-architecture-signals-review",
1293
+ "version": "0.1.0",
1294
+ "author": "github: Raishin"
1295
+ },
1296
+ {
1297
+ "id": "angular-ssr-hydration-review",
1298
+ "name": "Angular SSR & Hydration Review",
1299
+ "type": "skill",
1300
+ "provider": "frontend",
1301
+ "harnesses": [
1302
+ "claude-code",
1303
+ "cursor",
1304
+ "codex",
1305
+ "gemini",
1306
+ "kiro",
1307
+ "other"
1308
+ ],
1309
+ "summary": "Reviews Angular SSR bootstrap configuration and component templates for hydration-mismatch risk (NG0500-class errors), unjustified ngSkipHydration usage, and direct-DOM-manipulation patterns that bypass Angular's template-owned DOM model, using Angular's own hydration guide and error catalog loaded progressively and grounded via Context7 against the repo's confirmed Angular version.",
1310
+ "source_type": "original",
1311
+ "official_docs": [
1312
+ "https://angular.dev/guide/hydration",
1313
+ "https://angular.dev/errors/NG0500",
1314
+ "https://angular.dev/api/platform-browser/provideClientHydration",
1315
+ "https://www.w3.org/WAI/WCAG22/quickref/"
1316
+ ],
1317
+ "security_notes": "Direct DOM manipulation combined with dynamic string content (innerHTML-equivalent native calls) bypasses Angular's built-in sanitization pipeline -- treat any such pattern touching user-influenced data as an XSS-class finding, escalated to HIGH, in addition to the hydration-correctness finding. Static-review-only skill: it reads and greps bootstrap configuration and component source but never executes, builds, or runs application code.",
1318
+ "last_verified": "2026-07-02",
1319
+ "path": "skills/frontend/angular-ssr-hydration-review",
1320
+ "version": "0.1.0",
1321
+ "author": "github: Raishin"
1322
+ },
1323
+ {
1324
+ "id": "angular-template-sanitizer-security-review",
1325
+ "name": "Angular Template Sanitizer Security Review",
1326
+ "type": "skill",
1327
+ "provider": "frontend",
1328
+ "harnesses": [
1329
+ "claude-code",
1330
+ "cursor",
1331
+ "codex",
1332
+ "gemini",
1333
+ "kiro",
1334
+ "other"
1335
+ ],
1336
+ "summary": "Reviews Angular templates and components for injection via DomSanitizer bypass calls (bypassSecurityTrustHtml, bypassSecurityTrustUrl, bypassSecurityTrustResourceUrl), unsanitized [innerHTML] bindings, and dynamically bound iframe security attributes such as [attr.sandbox], grounding claims via Context7 and Angular's own sanitizer and NG0910 documentation.",
1337
+ "source_type": "original",
1338
+ "official_docs": [
1339
+ "https://angular.dev/best-practices/security",
1340
+ "https://angular.dev/errors/NG0910",
1341
+ "https://owasp.org/www-project-top-ten/",
1342
+ "https://owasp.org/www-community/attacks/xss/"
1343
+ ],
1344
+ "security_notes": "This skill's entire scope is security-critical: DomSanitizer bypass calls and unsanitized [innerHTML] bindings are XSS vectors, and dynamically bound iframe security attributes are a sandbox-escape vector Angular's own NG0910 check exists to reject. Every finding defaults to HIGH severity unless proven otherwise with concrete validation/sanitizer evidence on the traced path. Static-review-only skill: it reads and greps components and templates but never executes, builds, or runs application code, and never sends live requests.",
1345
+ "last_verified": "2026-07-03",
1346
+ "path": "skills/frontend/angular-template-sanitizer-security-review",
1347
+ "author": "github: Raishin",
1348
+ "version": "0.1.0"
1349
+ },
1350
+ {
1351
+ "id": "api-integration-contract-review",
1352
+ "name": "API Integration Contract Review",
1353
+ "type": "skill",
1354
+ "provider": "frontend",
1355
+ "harnesses": [
1356
+ "claude-code",
1357
+ "cursor",
1358
+ "codex",
1359
+ "gemini",
1360
+ "kiro",
1361
+ "other"
1362
+ ],
1363
+ "summary": "Reviews frontend-to-backend API contracts for data-minimization, authorization enforcement, versioning safety, and error-shape leakage before they ship, using OWASP API Security Top 10 grounding, server-side object-level authorization checks, and CORS/versioning gates loaded progressively and validated via Context7 against the repo's confirmed framework versions.",
1364
+ "source_type": "original",
1365
+ "official_docs": [
1366
+ "https://nextjs.org/docs/app/building-your-application/routing/route-handlers",
1367
+ "https://owasp.org/www-project-api-security/",
1368
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS",
1369
+ "https://tanstack.com/query/latest/docs/framework/react/guides/query-keys"
1370
+ ],
1371
+ "security_notes": "Static-review-only skill: it reads and greps route handler code, authorization middleware, and contract documentation but never executes, builds, or runs application code, and never issues live requests. Every finding of client-side-only authorization or excessive data exposure is treated as a security-severity finding, not a style note. Wildcard CORS combined with credentialed requests is an automatic blocking finding. Raw upstream error forwarding to the client is a blocking finding.",
1372
+ "last_verified": "2026-07-02",
1373
+ "path": "skills/frontend/api-integration-contract-review",
1374
+ "version": "0.1.0",
1375
+ "author": "github: Raishin"
1376
+ },
1242
1377
  {
1243
1378
  "id": "argo-rollouts-progressive-delivery-review",
1244
1379
  "name": "Argo Rollouts Progressive Delivery Review",
@@ -3778,6 +3913,89 @@
3778
3913
  "version": "0.1.0",
3779
3914
  "author": "github: Raishin"
3780
3915
  },
3916
+ {
3917
+ "id": "browser-compatibility-review",
3918
+ "name": "Browser Compatibility Review",
3919
+ "type": "skill",
3920
+ "provider": "frontend",
3921
+ "harnesses": [
3922
+ "claude-code",
3923
+ "cursor",
3924
+ "codex",
3925
+ "gemini",
3926
+ "kiro",
3927
+ "other"
3928
+ ],
3929
+ "summary": "Skill for auditing web-platform feature usage against the org's declared browser support matrix using Baseline/caniuse status, verifying graceful-degradation or polyfill coverage for any non-Baseline feature.",
3930
+ "source_type": "original",
3931
+ "official_docs": [
3932
+ "https://web-platform-dx.github.io/web-features/",
3933
+ "https://web.dev/baseline",
3934
+ "https://caniuse.com/",
3935
+ "https://github.com/browserslist/browserslist"
3936
+ ],
3937
+ "security_notes": "Static review only; never recommends disabling security-relevant browser defaults (mixed-content blocking, SameSite cookie defaults) as a compatibility workaround.",
3938
+ "last_verified": "2026-07-02",
3939
+ "path": "skills/frontend/browser-compatibility-review",
3940
+ "version": "0.1.0",
3941
+ "author": "github: Raishin"
3942
+ },
3943
+ {
3944
+ "id": "build-tooling-vite-webpack-review",
3945
+ "name": "Build Tooling (Vite/Webpack) Review",
3946
+ "type": "skill",
3947
+ "provider": "frontend",
3948
+ "harnesses": [
3949
+ "codex",
3950
+ "claude-code",
3951
+ "cursor",
3952
+ "gemini",
3953
+ "kiro",
3954
+ "other"
3955
+ ],
3956
+ "summary": "Reviews Vite and Webpack build configuration, code-splitting/chunking strategy, and bundle-size budgets, version-labeling every recommendation because Vite 8's Rolldown-based codeSplitting API replaced the Rollup-era manualChunks option.",
3957
+ "source_type": "original",
3958
+ "official_docs": [
3959
+ "https://vite.dev/guide/build.html",
3960
+ "https://vite.dev/guide/migration.html",
3961
+ "https://webpack.js.org/guides/code-splitting/",
3962
+ "https://webpack.js.org/plugins/split-chunks-plugin/"
3963
+ ],
3964
+ "security_notes": "Bundle-analyzer output shared outside the org must not include source maps that reveal internal API paths or accidentally-inlined environment values. Any dependency with an install-time script that runs during the build must be reviewed before it's allowed to affect the production bundle. Static-review-only skill: it reads and greps build config and source; it does not execute builds, install dependencies, or run bundler CLIs. Treat any credential-shaped string found in a pasted build config, CI job definition, or analyzer report as unsafe to echo in the transcript.",
3965
+ "last_verified": "2026-07-02",
3966
+ "path": "skills/frontend/build-tooling-vite-webpack-review",
3967
+ "version": "0.1.0",
3968
+ "author": "github: Raishin"
3969
+ },
3970
+ {
3971
+ "id": "bundle-budget-code-splitting-review",
3972
+ "name": "Bundle Budget & Code-Splitting Review",
3973
+ "type": "skill",
3974
+ "provider": "frontend",
3975
+ "harnesses": [
3976
+ "codex",
3977
+ "claude-code",
3978
+ "cursor",
3979
+ "gemini",
3980
+ "kiro",
3981
+ "other"
3982
+ ],
3983
+ "summary": "Reviews JavaScript/CSS bundle composition against explicit numeric budgets, ranks analyzer contributors by byte weight and main-thread execution cost, evaluates route- and component-level code-splitting boundaries against version-confirmed bundler chunking APIs, and requires a CI-enforced budget before endorsing any size fix as resolved, loaded progressively.",
3984
+ "source_type": "original",
3985
+ "official_docs": [
3986
+ "https://web.dev/articles/reduce-javascript-payloads-with-code-splitting",
3987
+ "https://web.dev/articles/your-first-performance-budget",
3988
+ "https://vite.dev/guide/build.html",
3989
+ "https://webpack.js.org/guides/code-splitting/",
3990
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules/Dynamic_module_loading",
3991
+ "https://webpack.js.org/plugins/split-chunks-plugin/"
3992
+ ],
3993
+ "security_notes": "Do not recommend inlining third-party scripts to save a request without disclosing the CSP/subresource-integrity trade-off of inlined vs. externally loaded, SRI-checkable code. Flag any dynamic import() of a module specifier built from unsanitized user input as a code-injection risk, not merely a performance concern. Do not accept or echo any credential-shaped string found in a pasted build config or analyzer report as if it were safe to keep in the transcript.",
3994
+ "last_verified": "2026-07-02",
3995
+ "path": "skills/frontend/bundle-budget-code-splitting-review",
3996
+ "version": "0.1.0",
3997
+ "author": "github: Raishin"
3998
+ },
3781
3999
  {
3782
4000
  "id": "business-combinations-advisor",
3783
4001
  "name": "Business Combinations Advisor",
@@ -4348,6 +4566,100 @@
4348
4566
  "version": "0.1.0",
4349
4567
  "author": "github: Raishin"
4350
4568
  },
4569
+ {
4570
+ "id": "core-web-vitals-triage",
4571
+ "name": "Core Web Vitals Triage",
4572
+ "type": "skill",
4573
+ "provider": "frontend",
4574
+ "harnesses": [
4575
+ "codex",
4576
+ "claude-code",
4577
+ "cursor",
4578
+ "gemini",
4579
+ "kiro",
4580
+ "other"
4581
+ ],
4582
+ "summary": "Decomposes LCP, INP, and CLS regressions into their documented web.dev/W3C sub-phases (TTFB/resource-load-delay/resource-load-duration/render-delay for LCP; input-delay/processing-time/presentation-delay for INP; element-level trigger attribution for CLS), grades findings by lab-vs-field evidence tier, and refuses to declare a metric fixed without a field-data or CI-budget verification path, loaded progressively.",
4583
+ "source_type": "original",
4584
+ "official_docs": [
4585
+ "https://web.dev/articles/vitals",
4586
+ "https://web.dev/articles/lcp",
4587
+ "https://web.dev/articles/optimize-lcp",
4588
+ "https://web.dev/articles/inp",
4589
+ "https://web.dev/articles/optimize-inp",
4590
+ "https://web.dev/articles/cls",
4591
+ "https://web.dev/articles/optimize-cls",
4592
+ "https://developer.chrome.com/docs/crux",
4593
+ "https://www.w3.org/TR/largest-contentful-paint/",
4594
+ "https://www.w3.org/TR/event-timing/"
4595
+ ],
4596
+ "security_notes": "Do not request production analytics credentials or raw customer session data; accept only sanitized/aggregated field exports (CrUX API responses, exported web-vitals RUM aggregates). Do not recommend removing accessible loading-state semantics (aria-live, role=status, visible focus indicators) as a CLS/INP fix. Do not accept or echo any credential-shaped string found in a pasted trace/config as if it were safe to keep in the transcript.",
4597
+ "last_verified": "2026-07-02",
4598
+ "path": "skills/frontend/core-web-vitals-triage",
4599
+ "version": "0.1.0",
4600
+ "author": "github: Raishin"
4601
+ },
4602
+ {
4603
+ "id": "critical-rendering-path-review",
4604
+ "name": "Critical Rendering Path Review",
4605
+ "type": "skill",
4606
+ "provider": "frontend",
4607
+ "harnesses": [
4608
+ "codex",
4609
+ "claude-code",
4610
+ "cursor",
4611
+ "gemini",
4612
+ "kiro",
4613
+ "other"
4614
+ ],
4615
+ "summary": "Reviews page load sequencing — resource loading order, render-blocking CSS/JS, layout-shift risk, and Core Web Vitals budget adherence — separating lab (Lighthouse/synthetic) data from field (CrUX/RUM) data so performance claims are evidence-graded rather than asserted.",
4616
+ "source_type": "original",
4617
+ "official_docs": [
4618
+ "https://web.dev/articles/critical-rendering-path",
4619
+ "https://web.dev/articles/optimize-lcp",
4620
+ "https://web.dev/articles/cls",
4621
+ "https://web.dev/articles/inp",
4622
+ "https://web.dev/vitals",
4623
+ "https://developer.mozilla.org/en-US/docs/Web/Performance/Guides/Critical_rendering_path",
4624
+ "https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/link",
4625
+ "https://developer.chrome.com/docs/lighthouse/overview"
4626
+ ],
4627
+ "security_notes": "Flag preload/prefetch/preconnect resource hints pointed at third-party origins without considering the information-leakage/timing implications of establishing early connections to those origins. Flag any performance 'optimization' that removes Subresource Integrity (SRI) from a script/style tag to save a round trip — integrity checks are not a discretionary performance cost. Do not recommend inlining third-party scripts to avoid a network request in a way that bypasses CSP script-src allow-listing.",
4628
+ "last_verified": "2026-07-02",
4629
+ "path": "skills/frontend/critical-rendering-path-review",
4630
+ "version": "0.1.0",
4631
+ "author": "github: Raishin"
4632
+ },
4633
+ {
4634
+ "id": "css-architecture-design-system-review",
4635
+ "name": "CSS Architecture & Design System Review",
4636
+ "type": "skill",
4637
+ "provider": "frontend",
4638
+ "harnesses": [
4639
+ "claude-code",
4640
+ "cursor",
4641
+ "codex",
4642
+ "gemini",
4643
+ "kiro",
4644
+ "other"
4645
+ ],
4646
+ "summary": "Reviews CSS for specificity/cascade-layer discipline, design-token conformance, and responsive strategy (container queries vs. media queries), catching specificity wars, token drift, and non-reflowing layouts before they compound into unmaintainable stylesheets.",
4647
+ "source_type": "original",
4648
+ "official_docs": [
4649
+ "https://developer.mozilla.org/en-US/docs/Web/CSS",
4650
+ "https://www.w3.org/TR/css-cascade-5/",
4651
+ "https://www.w3.org/TR/css-variables-1/",
4652
+ "https://www.w3.org/TR/css-contain-3/",
4653
+ "https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_cascade/Cascade_layers",
4654
+ "https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_containment/Container_queries",
4655
+ "https://www.w3.org/TR/WCAG22/#visual-presentation"
4656
+ ],
4657
+ "security_notes": "Do not treat CSS visibility/display properties as an access-control mechanism — hiding an element with CSS never substitutes for server-side authorization; flag any pattern that relies on it as a security control. Flag attribute-selector-plus-background-image patterns that could exfiltrate user-controlled attribute values via network requests (CSS-based data-exfiltration vector). Flag third-party @import without SRI/CSP style-src consideration.",
4658
+ "last_verified": "2026-07-02",
4659
+ "path": "skills/frontend/css-architecture-design-system-review",
4660
+ "version": "0.1.0",
4661
+ "author": "github: Raishin"
4662
+ },
4351
4663
  {
4352
4664
  "id": "d365-commerce",
4353
4665
  "name": "D365 Commerce",
@@ -4949,6 +5261,33 @@
4949
5261
  "author": "github: Raishin",
4950
5262
  "version": "0.1.0"
4951
5263
  },
5264
+ {
5265
+ "id": "design-token-governance-review",
5266
+ "name": "Design Token Governance Review",
5267
+ "type": "skill",
5268
+ "provider": "frontend",
5269
+ "harnesses": [
5270
+ "claude-code",
5271
+ "cursor",
5272
+ "codex",
5273
+ "gemini",
5274
+ "kiro",
5275
+ "other"
5276
+ ],
5277
+ "summary": "Reviews design-token source of truth, build/transform pipelines, and resolved contrast ratios against WCAG 1.4.3/1.4.11 to stop hardcoded values and inaccessible token pairings from shipping across themes.",
5278
+ "source_type": "original",
5279
+ "official_docs": [
5280
+ "https://www.w3.org/community/design-tokens/",
5281
+ "https://www.w3.org/TR/WCAG21/#contrast-minimum",
5282
+ "https://www.w3.org/TR/WCAG21/#non-text-contrast",
5283
+ "https://amzn.github.io/style-dictionary/#/"
5284
+ ],
5285
+ "security_notes": "Token-source pipelines pulling from Figma/Tokens Studio APIs must use scoped, rotatable personal access tokens stored only in CI secrets, never committed to token-source config files.",
5286
+ "last_verified": "2026-07-02",
5287
+ "path": "skills/frontend/design-token-governance-review",
5288
+ "version": "0.1.0",
5289
+ "author": "github: Raishin"
5290
+ },
4952
5291
  {
4953
5292
  "id": "dotnet-aspire-cloud-native-review",
4954
5293
  "name": ".NET Aspire Cloud-Native Review",
@@ -5223,6 +5562,62 @@
5223
5562
  "version": "0.1.0",
5224
5563
  "author": "github: Raishin"
5225
5564
  },
5565
+ {
5566
+ "id": "e2e-testing-playwright-review",
5567
+ "name": "E2E Testing (Playwright) Review",
5568
+ "type": "skill",
5569
+ "provider": "frontend",
5570
+ "harnesses": [
5571
+ "claude-code",
5572
+ "cursor",
5573
+ "codex",
5574
+ "gemini",
5575
+ "kiro",
5576
+ "other"
5577
+ ],
5578
+ "summary": "Reviews Playwright end-to-end test configuration, fixtures, sharding, and screenshot-assertion setup for reliability, CI parallelism, and accurate visual/behavioral gating, grounded in current Playwright API docs.",
5579
+ "source_type": "original",
5580
+ "official_docs": [
5581
+ "https://playwright.dev/docs/best-practices",
5582
+ "https://playwright.dev/docs/ci",
5583
+ "https://playwright.dev/docs/test-snapshots",
5584
+ "https://playwright.dev/docs/api/class-pageassertions#page-assertions-to-have-screenshot-1",
5585
+ "https://playwright.dev/docs/test-parallel"
5586
+ ],
5587
+ "security_notes": "Playwright storageState.json fixtures can capture real session cookies/auth tokens if generated against a live authenticated session; require these be generated against a dedicated test account and treated as sensitive (not committed to a public repo). HAR-file recordings used for network mocking can capture real API keys in request headers -- scrub before committing.",
5588
+ "last_verified": "2026-07-02",
5589
+ "path": "skills/frontend/e2e-testing-playwright-review",
5590
+ "version": "0.1.0",
5591
+ "author": "github: Raishin"
5592
+ },
5593
+ {
5594
+ "id": "edge-cache-data-bleed-review",
5595
+ "name": "Edge Cache Data-Bleed Review",
5596
+ "type": "skill",
5597
+ "provider": "frontend",
5598
+ "harnesses": [
5599
+ "claude-code",
5600
+ "cursor",
5601
+ "codex",
5602
+ "gemini",
5603
+ "kiro",
5604
+ "other"
5605
+ ],
5606
+ "summary": "Reviews Next.js App Router caching surfaces -- route-level revalidate exports, 'use cache: private' boundaries on cookies()-reading server functions, generateStaticParams on personalized routes, and Cache-Control/Vary response headers -- for defects that let one user's authenticated response be cached and replayed to a different user, grounding claims via Context7 and Next.js's own caching documentation.",
5607
+ "source_type": "original",
5608
+ "official_docs": [
5609
+ "https://nextjs.org/docs/app/api-reference/directives/use-cache-private",
5610
+ "https://nextjs.org/docs/app/guides/incremental-static-regeneration",
5611
+ "https://nextjs.org/docs/app/api-reference/file-conventions/route-segment-config",
5612
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Vary",
5613
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Cache-Control"
5614
+ ],
5615
+ "security_notes": "This skill's entire scope is security-critical: a shared cache entry (ISR revalidate window, an uncached-boundary server function, or a CDN/proxy edge cache) serving one user's session-derived response to a different user is a cross-user data-exposure defect, not a performance bug. Every finding in this skill defaults to HIGH severity unless proven otherwise with a concrete 'use cache: private' or Cache-Control: private boundary on the traced path. Static-review-only skill: it reads and greps route files, server functions, and response-header call sites but never executes, builds, or runs application code, and never sends live requests.",
5616
+ "last_verified": "2026-07-03",
5617
+ "path": "skills/frontend/edge-cache-data-bleed-review",
5618
+ "version": "0.1.0",
5619
+ "author": "github: Raishin"
5620
+ },
5226
5621
  {
5227
5622
  "id": "email-sender-authentication-review",
5228
5623
  "name": "Email Sender Authentication Review",
@@ -5252,6 +5647,33 @@
5252
5647
  "version": "0.1.0",
5253
5648
  "lifecycle": "experimental"
5254
5649
  },
5650
+ {
5651
+ "id": "enterprise-red-team-review",
5652
+ "name": "Enterprise Red Team Review",
5653
+ "type": "skill",
5654
+ "provider": "frontend",
5655
+ "harnesses": [
5656
+ "claude-code",
5657
+ "cursor",
5658
+ "codex",
5659
+ "gemini",
5660
+ "kiro",
5661
+ "other"
5662
+ ],
5663
+ "summary": "Adversarial second-pass review skill that hunts for what Tier-1 specialists missed on security, accessibility, and AI-generated frontend code before a change reaches the Board Chair for adjudication.",
5664
+ "source_type": "original",
5665
+ "official_docs": [
5666
+ "https://owasp.org/www-project-top-ten/",
5667
+ "https://owasp.org/www-project-application-security-verification-standard/",
5668
+ "https://www.w3.org/WAI/ARIA/apg/",
5669
+ "https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CSP"
5670
+ ],
5671
+ "security_notes": "Static/findings-only review - never execute exploit code or mutate the reviewed codebase; never accept an unverifiable 'already mitigated' claim as resolved; escalate secret/PII exposure paths and AI-code prompt-injection artifacts immediately as CONFIRMED findings.",
5672
+ "last_verified": "2026-07-02",
5673
+ "path": "skills/frontend/enterprise-red-team-review",
5674
+ "version": "0.1.0",
5675
+ "author": "github: Raishin"
5676
+ },
5255
5677
  {
5256
5678
  "id": "environment-to-production-release-protocol",
5257
5679
  "name": "Environment-to-Production Release Protocol",
@@ -5779,27 +6201,351 @@
5779
6201
  "security_notes": "Advisory only. Never accepts MNPI or confidential budget figures."
5780
6202
  },
5781
6203
  {
5782
- "id": "fx-translation-advisor",
5783
- "name": "FX Translation Advisor",
6204
+ "id": "framework-upgrade-risk-review",
6205
+ "name": "Framework Upgrade Risk Review",
5784
6206
  "type": "skill",
5785
- "provider": "accounting",
6207
+ "provider": "frontend",
5786
6208
  "harnesses": [
5787
6209
  "claude-code",
5788
- "codex",
5789
6210
  "cursor",
6211
+ "codex",
5790
6212
  "gemini",
5791
6213
  "kiro",
5792
6214
  "other"
5793
6215
  ],
5794
- "summary": "Multi-jurisdiction reference framework for foreign currency translation and remeasurement. Covers functional currency determination (ASC 830-10-45 / IAS 21.9–21.14), translation vs. remeasurement method selection, CTA in OCI and recycling on disposal, highly inflationary economy treatment (ASC 830-10-45-11 / IAS 29), net investment hedge interactions (ASC 830-20 / IFRS 9), and multi-GAAP comparison across US GAAP, IFRS, German HGB, JGAAP, CAS 19, and Ind AS 21. Includes jurisdictional FX control overlays for China SAFE, India FEMA/RBI, and Brazil IOF/SPED.",
6216
+ "summary": "Assesses the breaking-change and regression risk of a same-framework major-version upgrade (React, Angular, Vue, Next.js, build tooling) by grounding every claimed breaking change in the framework's official changelog/migration guide via Context7, and separates upgrade-blocking issues from cosmetic deprecation warnings.",
5795
6217
  "source_type": "original",
5796
- "category": "finance",
5797
- "execution_tier": "read-only-runtime",
5798
- "oauth_scopes": [],
5799
- "mcp_servers": [],
5800
- "run_as_permissions": {
5801
- "required": [],
5802
- "denied": []
6218
+ "official_docs": [
6219
+ "https://react.dev/blog",
6220
+ "https://nextjs.org/docs/app/guides/upgrading",
6221
+ "https://angular.dev/reference/releases",
6222
+ "https://vuejs.org/guide/introduction.html"
6223
+ ],
6224
+ "security_notes": "Prioritize any breaking change tied to a security advisory (e.g. a CVE fixed by the new major version) as a forced-upgrade driver, and flag if the current pinned version is past its security-support window regardless of migration effort. Never invent codemod names, CLI flags, or config keys.",
6225
+ "last_verified": "2026-07-02",
6226
+ "path": "skills/frontend/framework-upgrade-risk-review",
6227
+ "version": "0.1.0",
6228
+ "author": "github: Raishin"
6229
+ },
6230
+ {
6231
+ "id": "frontend-auth-session-security-review",
6232
+ "name": "Frontend Auth & Session Security Review",
6233
+ "type": "skill",
6234
+ "provider": "frontend",
6235
+ "harnesses": [
6236
+ "claude-code",
6237
+ "cursor",
6238
+ "codex",
6239
+ "gemini",
6240
+ "kiro",
6241
+ "other"
6242
+ ],
6243
+ "summary": "Reviews client-side authentication and session-management implementations for token-storage location, session-cookie-flag correctness, CSRF/open-redirect exposure, and OAuth/OIDC flow choice (PKCE authorization code vs deprecated implicit grant) for browser-based apps, grounding claims via Context7 against the OWASP Cheat Sheet Series and the OAuth 2.1 draft.",
6244
+ "source_type": "original",
6245
+ "official_docs": [
6246
+ "https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html",
6247
+ "https://owasp.org/www-project-application-security-verification-standard/",
6248
+ "https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps",
6249
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite",
6250
+ "https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
6251
+ ],
6252
+ "security_notes": "Never asks for or prints real session tokens, cookies, client secrets, or OAuth credentials during review; treats any such value found in fixtures/logs as a redaction target. Does not perform live session hijacking, token replay, or CSRF exploitation testing against real systems. Static-review-only skill: reads and greps auth/session code but never executes, builds, or runs application code, and never sends live requests.",
6253
+ "last_verified": "2026-07-02",
6254
+ "path": "skills/frontend/frontend-auth-session-security-review",
6255
+ "version": "0.1.0",
6256
+ "author": "github: Raishin"
6257
+ },
6258
+ {
6259
+ "id": "frontend-bff-boundary-review",
6260
+ "name": "Frontend BFF Boundary Review",
6261
+ "type": "skill",
6262
+ "provider": "frontend",
6263
+ "harnesses": [
6264
+ "claude-code",
6265
+ "cursor",
6266
+ "codex",
6267
+ "gemini",
6268
+ "kiro",
6269
+ "other"
6270
+ ],
6271
+ "summary": "Determines and reviews whether aggregation/shaping logic belongs in a Backend-for-Frontend layer versus client-side composition, and audits existing BFF boundaries for scope creep, duplicated aggregation logic, and leaked backend topology or pass-through authorization, grounded via Context7 against the repo's confirmed Next.js version when a Route Handler is the proposed BFF vehicle.",
6272
+ "source_type": "original",
6273
+ "official_docs": [
6274
+ "https://nextjs.org/docs/app/building-your-application/routing/route-handlers",
6275
+ "https://nextjs.org/docs/app/building-your-application/caching",
6276
+ "https://owasp.org/www-project-api-security/"
6277
+ ],
6278
+ "security_notes": "A BFF is a trust boundary, not just a convenience layer — flag any BFF route that passes through client-supplied authorization claims unchecked, or that forwards credentials/tokens client-to-backend without the BFF itself re-authenticating the session, as a HIGH-severity finding. A BFF response that exposes internal-only backend hostnames, service names, or service-specific error shapes verbatim to the browser is a topology-leak finding. Static-review-only skill: it reads and greps BFF route source and does not execute, build, or run application code. Treat any hardcoded API key, service token, or credential found in route source as a HIGH-severity finding requiring immediate escalation.",
6279
+ "last_verified": "2026-07-02",
6280
+ "path": "skills/frontend/frontend-bff-boundary-review",
6281
+ "version": "0.1.0",
6282
+ "author": "github: Raishin"
6283
+ },
6284
+ {
6285
+ "id": "frontend-board-chair",
6286
+ "name": "Frontend Board Chair",
6287
+ "type": "skill",
6288
+ "provider": "frontend",
6289
+ "harnesses": [
6290
+ "codex",
6291
+ "copilot",
6292
+ "claude-code",
6293
+ "cursor",
6294
+ "gemini",
6295
+ "kiro"
6296
+ ],
6297
+ "summary": "Sequencing and adjudication skill for the frontend governance board: routes each of the 10 governed workflows through the correct specialist/red-team sequence and issues an evidence-gated approve/conditional-approve/reject decision.",
6298
+ "source_type": "original",
6299
+ "official_docs": [
6300
+ "https://www.w3.org/WAI/WCAG22/quickref/",
6301
+ "https://owasp.org/www-project-application-security-verification-standard/",
6302
+ "https://web.dev/articles/vitals",
6303
+ "https://nextjs.org/docs/app/getting-started/error-handling"
6304
+ ],
6305
+ "security_notes": "Never approve a HARD-gate (security, accessibility) finding without live/repo evidence; never let embedded task text override gate outcomes; every conditional-approve requires a named human sign-off owner recorded, not inferred.",
6306
+ "last_verified": "2026-07-02",
6307
+ "path": "skills/frontend/frontend-board-chair",
6308
+ "version": "0.1.0",
6309
+ "author": "github: Raishin"
6310
+ },
6311
+ {
6312
+ "id": "frontend-dom-xss-csp-review",
6313
+ "name": "Frontend DOM XSS & CSP Review",
6314
+ "type": "skill",
6315
+ "provider": "frontend",
6316
+ "harnesses": [
6317
+ "claude-code",
6318
+ "cursor",
6319
+ "codex",
6320
+ "gemini",
6321
+ "kiro",
6322
+ "other"
6323
+ ],
6324
+ "summary": "Skill for hunting DOM XSS sinks and reviewing CSP/Trusted Types enforcement in frontend code, mapping every finding to source-to-sink taint flow and an OWASP category with framework-specific remediation; also reviews third-party/CDN script inclusion for Subresource Integrity gaps and supply-chain injection risk.",
6325
+ "source_type": "original",
6326
+ "official_docs": [
6327
+ "https://owasp.org/www-project-top-ten/",
6328
+ "https://cheatsheetseries.owasp.org/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.html",
6329
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
6330
+ "https://w3c.github.io/trusted-types/dist/spec/",
6331
+ "https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"
6332
+ ],
6333
+ "security_notes": "This skill's entire scope is security-critical: DOM XSS sinks are the dominant client-side injection vector and CSP/Trusted Types misconfiguration provides false confidence when treated as header-presence-only. Every finding requires confirmed source-to-sink taint evidence or is labeled pattern-only, never treated as a confirmed finding on pattern match alone. Never reproduces discovered secrets/tokens verbatim in output. Never executes exploit payloads against live/staging systems; source-to-sink findings are static taint analysis plus manual confirmation notes, not live penetration testing. Static-review-only skill: Read/Grep/Glob/local-only Bash, no network egress to any target.",
6334
+ "last_verified": "2026-07-02",
6335
+ "path": "skills/frontend/frontend-dom-xss-csp-review",
6336
+ "version": "0.1.0",
6337
+ "author": "github: Raishin"
6338
+ },
6339
+ {
6340
+ "id": "frontend-error-boundary-resilience-review",
6341
+ "name": "Frontend Error Boundary & Resilience Review",
6342
+ "type": "skill",
6343
+ "provider": "frontend",
6344
+ "harnesses": [
6345
+ "claude-code",
6346
+ "cursor",
6347
+ "codex",
6348
+ "gemini",
6349
+ "kiro",
6350
+ "other"
6351
+ ],
6352
+ "summary": "Reviews error-boundary placement, fallback UX, and failure-isolation strategy to prevent whole-page crashes from a single component's runtime error and ensure graceful, accessible degradation.",
6353
+ "source_type": "original",
6354
+ "official_docs": [
6355
+ "https://react.dev/reference/react/Component#catching-rendering-errors-with-an-error-boundary",
6356
+ "https://react.dev/reference/react/Suspense",
6357
+ "https://www.w3.org/WAI/ARIA/apg/patterns/alert/",
6358
+ "https://web.dev/articles/vitals"
6359
+ ],
6360
+ "security_notes": "Error-boundary fallback UI must never render raw error.message or error.stack from unexpected exceptions to end users in production - this can leak internal implementation detail; require a sanitized, generic fallback with detail only in server-side/observability logs. Static-review-only skill: it reads and greps component tree, boundary placement, and fallback UI source but never executes, builds, or runs application code.",
6361
+ "last_verified": "2026-07-02",
6362
+ "path": "skills/frontend/frontend-error-boundary-resilience-review",
6363
+ "version": "0.1.0",
6364
+ "author": "github: Raishin"
6365
+ },
6366
+ {
6367
+ "id": "frontend-finops-cost-to-serve-review",
6368
+ "name": "Frontend FinOps Cost-to-Serve Review",
6369
+ "type": "skill",
6370
+ "provider": "frontend",
6371
+ "harnesses": [
6372
+ "codex",
6373
+ "copilot",
6374
+ "claude-code",
6375
+ "cursor",
6376
+ "gemini",
6377
+ "kiro"
6378
+ ],
6379
+ "summary": "Builds a defensible cost-to-serve model (CDN egress, SSR/edge compute, image transform, build-minutes) for a frontend surface and ranks remediation options by dollar savings versus performance/security risk, keeping performance and cloud spend tied together instead of reviewed separately.",
6380
+ "source_type": "adapted",
6381
+ "official_docs": [
6382
+ "https://web.dev/articles/total-byte-weight",
6383
+ "https://nextjs.org/docs/app/guides/self-hosting",
6384
+ "https://www.finops.org/framework/principles/",
6385
+ "https://developer.chrome.com/docs/crux"
6386
+ ],
6387
+ "security_notes": "Never recommend disabling CSP, WAF, image-pipeline security scanning, or TLS termination purely to cut cost; any such trade-off requires explicit security-owner sign-off, not a default recommendation.",
6388
+ "last_verified": "2026-07-02",
6389
+ "path": "skills/frontend/frontend-finops-cost-to-serve-review",
6390
+ "version": "0.1.0",
6391
+ "author": "github: Raishin"
6392
+ },
6393
+ {
6394
+ "id": "frontend-maestro",
6395
+ "name": "Frontend Maestro",
6396
+ "type": "skill",
6397
+ "provider": "frontend",
6398
+ "harnesses": [
6399
+ "codex",
6400
+ "copilot",
6401
+ "claude-code",
6402
+ "cursor",
6403
+ "gemini",
6404
+ "kiro"
6405
+ ],
6406
+ "summary": "Routing skill that classifies an inbound frontend governance task against the frontend taxonomy and dispatches to the narrowest specialist(s), following the same live-guard-gate discipline as the existing per-provider maestro skills in this repo.",
6407
+ "source_type": "original",
6408
+ "official_docs": [
6409
+ "https://react.dev/learn",
6410
+ "https://nextjs.org/docs",
6411
+ "https://www.w3.org/WAI/WCAG22/quickref/"
6412
+ ],
6413
+ "security_notes": "Follows this repo's existing live-guard-gate convention: any specialist capable of a live/production mutation is listed under live_guards and never auto-dispatched; requires explicit human confirmation, blast-radius assessment, and rollback path before live-guard-gate dispatch. No live-guard-capable specialist currently exists in the frontend catalog; Maestro must say so rather than fabricate one until that changes. Never asks for secrets, credentials, tokens, or environment-specific identifiers.",
6414
+ "last_verified": "2026-07-02",
6415
+ "path": "skills/frontend/frontend-maestro",
6416
+ "version": "0.1.0",
6417
+ "author": "github: Raishin"
6418
+ },
6419
+ {
6420
+ "id": "frontend-migration-modernization-plan",
6421
+ "name": "Frontend Migration & Modernization Plan",
6422
+ "type": "skill",
6423
+ "provider": "frontend",
6424
+ "harnesses": [
6425
+ "claude-code",
6426
+ "cursor",
6427
+ "codex",
6428
+ "gemini",
6429
+ "kiro",
6430
+ "other"
6431
+ ],
6432
+ "summary": "Builds a phased strangler-fig migration/modernization plan for legacy frontend stacks (jQuery/Backbone/AngularJS, old bundlers, framework major versions) with rollback gates, exit criteria, and business-risk-first sequencing, loading legacy-pattern, risk, and rollback references progressively rather than dumping the whole migration playbook into every prompt.",
6433
+ "source_type": "original",
6434
+ "official_docs": [
6435
+ "https://react.dev/learn/react-compiler/incremental-adoption",
6436
+ "https://nextjs.org/docs/app/guides/migrating",
6437
+ "https://vitejs.dev/guide/migration",
6438
+ "https://angular.dev/reference/migrations"
6439
+ ],
6440
+ "security_notes": "Never propose a migration phase that merges auth/session state across old and new stacks without a named security review gate. Treat every phase's rollback path as a hard requirement, not optional documentation.",
6441
+ "last_verified": "2026-07-02",
6442
+ "path": "skills/frontend/frontend-migration-modernization-plan",
6443
+ "version": "0.1.0",
6444
+ "author": "github: Raishin"
6445
+ },
6446
+ {
6447
+ "id": "frontend-observability-rum-instrumentation",
6448
+ "name": "Frontend Observability RUM Instrumentation",
6449
+ "type": "skill",
6450
+ "provider": "frontend",
6451
+ "harnesses": [
6452
+ "claude-code",
6453
+ "cursor",
6454
+ "codex",
6455
+ "gemini",
6456
+ "kiro",
6457
+ "other"
6458
+ ],
6459
+ "summary": "Skill for designing and reviewing Real User Monitoring instrumentation using the web-vitals attribution build and OpenTelemetry Web, with explicit sampling, cardinality, and PII-in-telemetry controls and lab-vs-field evidence labeling.",
6460
+ "source_type": "adapted",
6461
+ "official_docs": [
6462
+ "https://web.dev/articles/vitals",
6463
+ "https://github.com/GoogleChrome/web-vitals",
6464
+ "https://opentelemetry.io/docs/languages/js/",
6465
+ "https://opentelemetry.io/docs/specs/semconv/"
6466
+ ],
6467
+ "security_notes": "Never recommends capturing full URLs with query strings, user identifiers, or free-text form values as span/metric attributes without explicit scrubbing. Read-only review of existing instrumentation; does not deploy telemetry config changes to production without explicit human sign-off logged outside this skill.",
6468
+ "last_verified": "2026-07-02",
6469
+ "path": "skills/frontend/frontend-observability-rum-instrumentation",
6470
+ "version": "0.1.0",
6471
+ "author": "github: Raishin"
6472
+ },
6473
+ {
6474
+ "id": "frontend-platform-architecture-review",
6475
+ "name": "Frontend Platform Architecture Review",
6476
+ "type": "skill",
6477
+ "provider": "frontend",
6478
+ "harnesses": [
6479
+ "claude-code",
6480
+ "cursor",
6481
+ "codex",
6482
+ "gemini",
6483
+ "kiro",
6484
+ "other"
6485
+ ],
6486
+ "summary": "Reviews cross-cutting frontend architecture decisions (module boundaries, rendering topology, technology adoption) against a rewrite-averse, evidence-grounded standard before they are approved, using duplication checks, incremental-migration requirements, and Core Web Vitals/a11y/security gates loaded progressively and grounded via Context7 against the repo's confirmed framework versions.",
6487
+ "source_type": "original",
6488
+ "official_docs": [
6489
+ "https://react.dev/learn/thinking-in-react",
6490
+ "https://nextjs.org/docs/app/building-your-application/routing",
6491
+ "https://web.dev/articles/vitals",
6492
+ "https://www.w3.org/WAI/WCAG22/quickref/"
6493
+ ],
6494
+ "security_notes": "Static-review-only skill: it reads and greps proposal documents, config, and source but never executes, builds, or runs application code. Flag any architecture proposal that stores secrets/tokens in client-reachable bundles or build-time-inlined env vars, allows postinstall scripts from unpinned/unaudited dependencies, or introduces a CSP-incompatible pattern (unsafe-eval, dynamic Function()) as a blocking finding, not a note.",
6495
+ "last_verified": "2026-07-02",
6496
+ "path": "skills/frontend/frontend-platform-architecture-review",
6497
+ "version": "0.1.0",
6498
+ "author": "github: Raishin"
6499
+ },
6500
+ {
6501
+ "id": "frontend-testing-strategy-review",
6502
+ "name": "Frontend Testing Strategy Review",
6503
+ "type": "skill",
6504
+ "provider": "frontend",
6505
+ "harnesses": [
6506
+ "claude-code",
6507
+ "cursor",
6508
+ "codex",
6509
+ "gemini",
6510
+ "kiro",
6511
+ "other"
6512
+ ],
6513
+ "summary": "Reviews unit/component/integration/E2E test-pyramid shape, coverage of critical user journeys, and flaky-test governance for a frontend codebase using Vitest/Jest, Testing Library, and Playwright/Cypress, loading framework-specific reference guidance only when needed.",
6514
+ "source_type": "original",
6515
+ "official_docs": [
6516
+ "https://playwright.dev/docs/best-practices",
6517
+ "https://vitest.dev/guide/",
6518
+ "https://testing-library.com/docs/queries/about/#priority",
6519
+ "https://docs.cypress.io/app/core-concepts/best-practices"
6520
+ ],
6521
+ "security_notes": "Never accept or request real credentials/session tokens for test fixtures; require synthetic data or mocked network layers (MSW, cy.intercept, Playwright route interception). Flag any test-only auth/CSRF bypass flag that could ship enabled in a production build as a hard-gate finding.",
6522
+ "last_verified": "2026-07-02",
6523
+ "path": "skills/frontend/frontend-testing-strategy-review",
6524
+ "version": "0.1.0",
6525
+ "author": "github: Raishin"
6526
+ },
6527
+ {
6528
+ "id": "fx-translation-advisor",
6529
+ "name": "FX Translation Advisor",
6530
+ "type": "skill",
6531
+ "provider": "accounting",
6532
+ "harnesses": [
6533
+ "claude-code",
6534
+ "codex",
6535
+ "cursor",
6536
+ "gemini",
6537
+ "kiro",
6538
+ "other"
6539
+ ],
6540
+ "summary": "Multi-jurisdiction reference framework for foreign currency translation and remeasurement. Covers functional currency determination (ASC 830-10-45 / IAS 21.9–21.14), translation vs. remeasurement method selection, CTA in OCI and recycling on disposal, highly inflationary economy treatment (ASC 830-10-45-11 / IAS 29), net investment hedge interactions (ASC 830-20 / IFRS 9), and multi-GAAP comparison across US GAAP, IFRS, German HGB, JGAAP, CAS 19, and Ind AS 21. Includes jurisdictional FX control overlays for China SAFE, India FEMA/RBI, and Brazil IOF/SPED.",
6541
+ "source_type": "original",
6542
+ "category": "finance",
6543
+ "execution_tier": "read-only-runtime",
6544
+ "oauth_scopes": [],
6545
+ "mcp_servers": [],
6546
+ "run_as_permissions": {
6547
+ "required": [],
6548
+ "denied": []
5803
6549
  },
5804
6550
  "official_docs": [
5805
6551
  "https://asc.fasb.org/830",
@@ -7194,6 +7940,35 @@
7194
7940
  "author": "github: Raishin",
7195
7941
  "version": "0.1.0"
7196
7942
  },
7943
+ {
7944
+ "id": "graphql-client-security-review",
7945
+ "name": "GraphQL Client Security Review",
7946
+ "type": "skill",
7947
+ "provider": "frontend",
7948
+ "harnesses": [
7949
+ "claude-code",
7950
+ "cursor",
7951
+ "codex",
7952
+ "gemini",
7953
+ "kiro",
7954
+ "other"
7955
+ ],
7956
+ "summary": "Statically reviews Apollo Client (and urql-equivalent) GraphQL client configuration for production devtools/introspection exposure, normalized cache not cleared across user sessions, missing persisted-query allowlisting against client-driven query abuse, auth headers attached without CSRF protection, and sensitive fields normalized into the cache unmasked -- grounded in Apollo Client's own configuration, authentication, and caching documentation.",
7957
+ "source_type": "original",
7958
+ "official_docs": [
7959
+ "https://www.apollographql.com/docs/react/development-testing/developer-tooling",
7960
+ "https://www.apollographql.com/docs/react/networking/authentication",
7961
+ "https://www.apollographql.com/docs/react/api/link/apollo-link-context",
7962
+ "https://www.apollographql.com/docs/react/caching/advanced-topics",
7963
+ "https://www.apollographql.com/docs/react/api/link/persisted-queries",
7964
+ "https://owasp.org/www-project-top-ten/"
7965
+ ],
7966
+ "security_notes": "This skill's entire scope is security-critical: production-enabled devtools expose full schema introspection and the normalized cache inspector, an uncleared cache after logout is a cross-user/cross-tenant data-exposure defect, unallowlisted client-driven queries are a denial-of-service/cost-abuse vector, an auth header with no CSRF token weakens mutation-endpoint protection, and unmasked sensitive fields in the normalized cache are exposed to the devtools inspector for the life of the cache entry. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete configuration evidence. Static-review-only skill: it reads and greps GraphQL client setup, link chains, and cache configuration but never executes, builds, or runs application code, and never sends live GraphQL requests.",
7967
+ "last_verified": "2026-07-03",
7968
+ "path": "skills/frontend/graphql-client-security-review",
7969
+ "version": "0.1.0",
7970
+ "author": "github: Raishin"
7971
+ },
7197
7972
  {
7198
7973
  "id": "hedge-accounting-advisor",
7199
7974
  "name": "Hedge Accounting Advisor",
@@ -7442,6 +8217,35 @@
7442
8217
  "author": "github: Raishin",
7443
8218
  "version": "0.1.0"
7444
8219
  },
8220
+ {
8221
+ "id": "html-semantics-accessibility-review",
8222
+ "name": "HTML Semantics & Accessibility Review",
8223
+ "type": "skill",
8224
+ "provider": "frontend",
8225
+ "harnesses": [
8226
+ "claude-code",
8227
+ "cursor",
8228
+ "codex",
8229
+ "gemini",
8230
+ "kiro",
8231
+ "other"
8232
+ ],
8233
+ "summary": "Reviews markup for correct native-element usage, valid heading/landmark structure, and WAI-ARIA APG-conformant custom-widget patterns, producing a WCAG-grounded verdict with APG citations for every custom interactive element and flags for anything needing live assistive-technology verification.",
8234
+ "source_type": "original",
8235
+ "official_docs": [
8236
+ "https://html.spec.whatwg.org/multipage/",
8237
+ "https://www.w3.org/WAI/ARIA/apg/",
8238
+ "https://www.w3.org/TR/wai-aria-1.2/",
8239
+ "https://www.w3.org/TR/WCAG22/",
8240
+ "https://developer.mozilla.org/en-US/docs/Web/HTML",
8241
+ "https://developer.mozilla.org/en-US/docs/Web/Accessibility/ARIA"
8242
+ ],
8243
+ "security_notes": "Do not hardcode or request user PII, real screen-reader session logs, or authenticated-app URLs in review examples. Flag markup that binds unsanitized user content directly into the DOM (innerHTML/outerHTML/document.write) as an XSS-adjacent finding even though the primary fix is JS-side. Treat WCAG conformance findings as compliance-relevant (ADA/Section 508/EN 301 549 exposure) and label them as such rather than 'style nitpicks'.",
8244
+ "last_verified": "2026-07-02",
8245
+ "path": "skills/frontend/html-semantics-accessibility-review",
8246
+ "version": "0.1.0",
8247
+ "author": "github: Raishin"
8248
+ },
7445
8249
  {
7446
8250
  "id": "huawei-cce-container-platform-operator",
7447
8251
  "name": "Huawei CCE Container Platform Operator",
@@ -8559,6 +9363,34 @@
8559
9363
  "author": "github: Raishin",
8560
9364
  "version": "0.1.0"
8561
9365
  },
9366
+ {
9367
+ "id": "i18n-l10n-readiness-review",
9368
+ "name": "i18n/l10n Readiness Review",
9369
+ "type": "skill",
9370
+ "provider": "frontend",
9371
+ "harnesses": [
9372
+ "codex",
9373
+ "claude-code",
9374
+ "cursor",
9375
+ "gemini",
9376
+ "kiro",
9377
+ "other"
9378
+ ],
9379
+ "summary": "Skill for auditing i18n architecture (ICU MessageFormat, Intl-based formatting, CLDR pluralization, RTL layout) so a frontend is structurally translation-ready before any translation vendor engagement.",
9380
+ "source_type": "adapted",
9381
+ "official_docs": [
9382
+ "https://www.w3.org/International/",
9383
+ "https://cldr.unicode.org/",
9384
+ "https://tc39.es/ecma402/",
9385
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Intl",
9386
+ "https://www.w3.org/International/articles/article-text-direction"
9387
+ ],
9388
+ "security_notes": "Static review only; never fabricates or inserts translated strings (that is a human/vendor task). Does not process real user-submitted locale/PII data.",
9389
+ "last_verified": "2026-07-02",
9390
+ "path": "skills/frontend/i18n-l10n-readiness-review",
9391
+ "version": "0.1.0",
9392
+ "author": "github: Raishin"
9393
+ },
8562
9394
  {
8563
9395
  "id": "identity-to-data-access-protocol",
8564
9396
  "name": "Identity to Data Access Protocol",
@@ -8868,6 +9700,35 @@
8868
9700
  "author": "github: Raishin",
8869
9701
  "version": "0.1.0"
8870
9702
  },
9703
+ {
9704
+ "id": "javascript-runtime-async-review",
9705
+ "name": "JavaScript Runtime & Async Correctness Review",
9706
+ "type": "skill",
9707
+ "provider": "frontend",
9708
+ "harnesses": [
9709
+ "claude-code",
9710
+ "cursor",
9711
+ "codex",
9712
+ "gemini",
9713
+ "kiro",
9714
+ "other"
9715
+ ],
9716
+ "summary": "Reviews JavaScript for event-loop/microtask ordering correctness, unhandled Promise rejections, DOM event-listener lifecycle, and race-condition risk in rapid-repeated-async UI patterns, tracing actual browser scheduling behavior rather than assumed synchronous-style reasoning.",
9717
+ "source_type": "original",
9718
+ "official_docs": [
9719
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Using_promises",
9720
+ "https://developer.mozilla.org/en-US/docs/Web/API/HTML_DOM_API/Microtask_guide",
9721
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/await",
9722
+ "https://html.spec.whatwg.org/multipage/webappapis.html#event-loops",
9723
+ "https://developer.mozilla.org/en-US/docs/Web/API/AbortController",
9724
+ "https://tc39.es/ecma262/"
9725
+ ],
9726
+ "security_notes": "Flag unhandled Promise rejections on authorization/permission-check code paths — a rejected check that isn't awaited/caught can fail open. Flag eval, new Function(), and string-argument setTimeout/setInterval as code-injection surfaces. Flag window/document message-event listeners without an origin check on postMessage payloads. Require AbortController-based cancellation for lifecycle-bound fetches to prevent stale-response race conditions that can leak one user's data into another user's view after a fast session switch.",
9727
+ "last_verified": "2026-07-02",
9728
+ "path": "skills/frontend/javascript-runtime-async-review",
9729
+ "version": "0.1.0",
9730
+ "author": "github: Raishin"
9731
+ },
8871
9732
  {
8872
9733
  "id": "kubecost-chargeback-allocation-review",
8873
9734
  "name": "Kubecost Chargeback and Allocation Review",
@@ -9278,6 +10139,33 @@
9278
10139
  "author": "github: Raishin",
9279
10140
  "version": "0.1.0"
9280
10141
  },
10142
+ {
10143
+ "id": "legacy-jquery-to-modern-framework-review",
10144
+ "name": "Legacy jQuery to Modern Framework Review",
10145
+ "type": "skill",
10146
+ "provider": "frontend",
10147
+ "harnesses": [
10148
+ "claude-code",
10149
+ "cursor",
10150
+ "codex",
10151
+ "gemini",
10152
+ "kiro",
10153
+ "other"
10154
+ ],
10155
+ "summary": "Reviews a legacy jQuery/Backbone-era codebase for the specific hidden behaviors (implicit global event delegation, direct DOM mutation outside any render cycle, undocumented plugin side effects, ad-hoc accessibility shims) that a mechanical framework port will silently drop, producing an inventory that a migration plan can actually rely on.",
10156
+ "source_type": "original",
10157
+ "official_docs": [
10158
+ "https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener",
10159
+ "https://api.jquery.com/category/events/event-handler-attachment/",
10160
+ "https://www.w3.org/WAI/ARIA/apg/",
10161
+ "https://react.dev/reference/rules"
10162
+ ],
10163
+ "security_notes": "Legacy jQuery plugins frequently construct HTML via string concatenation and .html(); flag every such call as a potential unsanitized-injection point that a naive port might carry forward unchanged, or worse, replace with dangerouslySetInnerHTML/v-html without adding sanitization. Static-review-only skill: Read/Grep/Glob, no Bash execution, no network egress, no code mutation.",
10164
+ "last_verified": "2026-07-02",
10165
+ "path": "skills/frontend/legacy-jquery-to-modern-framework-review",
10166
+ "version": "0.1.0",
10167
+ "author": "github: Raishin"
10168
+ },
9281
10169
  {
9282
10170
  "id": "legal-counsel-review",
9283
10171
  "name": "Legal Counsel Review",
@@ -10041,6 +10929,32 @@
10041
10929
  "author": "github: Raishin",
10042
10930
  "version": "0.1.0"
10043
10931
  },
10932
+ {
10933
+ "id": "microfrontend-boundary-review",
10934
+ "name": "Micro-Frontend Boundary Review",
10935
+ "type": "skill",
10936
+ "provider": "frontend",
10937
+ "harnesses": [
10938
+ "claude-code",
10939
+ "cursor",
10940
+ "codex",
10941
+ "gemini",
10942
+ "kiro",
10943
+ "other"
10944
+ ],
10945
+ "summary": "Reviews micro-frontend/module-federation boundary contracts for shared-dependency versioning safety, runtime isolation, and ownership clarity before adoption or extension, grounded via Context7 against official React docs for same-runtime multi-root composition.",
10946
+ "source_type": "original",
10947
+ "official_docs": [
10948
+ "https://react.dev/reference/react-dom/client/createRoot",
10949
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
10950
+ "https://web.dev/articles/vitals"
10951
+ ],
10952
+ "security_notes": "Micro-frontend boundaries that share a JavaScript runtime (module federation, build-time composition, or any non-iframe composition) collapse the CSP trust boundary between teams' code — a vulnerability, XSS, or broken bundle in one remote can affect the host and sibling remotes sharing that runtime. Require an explicit shared-dependency version-compatibility contract and a documented blast-radius statement (error-boundary isolation, independent deploy/rollback) for any non-iframe-isolated micro-frontend adoption, and require iframe isolation or an equivalent mitigation for any remote handling data that should not share a trust boundary with lower-trust remotes. Static-review-only skill: it reads and greps composition config and does not execute, build, or run application code, dev servers, or bundler configs. Treat any hardcoded credential, API key, or token found in a remote's config or example fixture as a HIGH-severity finding requiring immediate escalation.",
10953
+ "last_verified": "2026-07-02",
10954
+ "path": "skills/frontend/microfrontend-boundary-review",
10955
+ "version": "0.1.0",
10956
+ "author": "github: Raishin"
10957
+ },
10044
10958
  {
10045
10959
  "id": "microsoft-business-impact-value-realization",
10046
10960
  "name": "Microsoft Business Impact & Value Realization",
@@ -10097,6 +11011,38 @@
10097
11011
  "version": "0.1.0",
10098
11012
  "author": "github: Raishin"
10099
11013
  },
11014
+ {
11015
+ "id": "monorepo-package-governance-review",
11016
+ "name": "Monorepo & Package Governance Review",
11017
+ "type": "skill",
11018
+ "provider": "frontend",
11019
+ "harnesses": [
11020
+ "claude-code",
11021
+ "cursor",
11022
+ "codex",
11023
+ "gemini",
11024
+ "kiro",
11025
+ "other"
11026
+ ],
11027
+ "summary": "Reviews monorepo task-graph configuration (Turborepo/Nx) and dependency/version governance (pnpm catalogs, npm overrides, lockfile integrity) together to stop false-green CI cache reuse and unpinned supply-chain exposure, with config-key claims grounded in Context7-sourced docs and progressive reference loading. Also covers npm dependency-confusion review: .npmrc scope-to-registry mapping, package-lock.json commitment/frozen-install (npm ci) enforcement, and allowScripts lifecycle-script gating.",
11028
+ "source_type": "original",
11029
+ "official_docs": [
11030
+ "https://turborepo.com/docs/crafting-your-repository/configuring-tasks",
11031
+ "https://turborepo.com/docs/crafting-your-repository/caching",
11032
+ "https://nx.dev/concepts/task-pipeline-configuration",
11033
+ "https://pnpm.io/catalogs",
11034
+ "https://pnpm.io/pnpm-workspace_yaml",
11035
+ "https://github.com/npm/cli/blob/latest/docs/lib/content/using-npm/scope.md",
11036
+ "https://github.com/npm/cli/blob/latest/docs/lib/content/configuring-npm/npmrc.md",
11037
+ "https://github.com/npm/cli/blob/latest/docs/lib/content/commands/npm-ci.md",
11038
+ "https://github.com/npm/cli/blob/latest/docs/lib/content/commands/npm-approve-scripts.md"
11039
+ ],
11040
+ "security_notes": "Static-review-only skill: reads and greps turbo.json, nx.json, package.json, pnpm-workspace.yaml, .npmrc, and lockfiles but never runs install, build, or CI commands. Remote-cache and registry auth tokens must be CI-scoped secrets, never committed to turbo.json/nx.json/.npmrc; any token-shaped literal found in a config file is an automatic blocking finding, and any .npmrc credential key (_auth/_authToken/_password/etc.) not scoped to a specific registry host/path is a blocking finding regardless of the token's live validity. Any dependency lifecycle script (postinstall/preinstall/prepare) introduced in the same PR as a workspace-topology change warrants extra scrutiny and must be quoted verbatim in the finding, not summarized from the package name; cross-reference it against the root package.json's allowScripts field. A scoped package (@scope/name) referenced in package.json with no matching @scope:registry mapping in .npmrc is a dependency-confusion finding.",
11041
+ "last_verified": "2026-07-03",
11042
+ "path": "skills/frontend/monorepo-package-governance-review",
11043
+ "version": "0.2.0",
11044
+ "author": "github: Raishin"
11045
+ },
10100
11046
  {
10101
11047
  "id": "netsuite-administrator-skill",
10102
11048
  "name": "NetSuite Administrator Skill",
@@ -10815,6 +11761,121 @@
10815
11761
  "version": "0.1.0",
10816
11762
  "author": "github: Raishin"
10817
11763
  },
11764
+ {
11765
+ "id": "nextjs-app-router-data-fetching-review",
11766
+ "name": "Next.js App Router Data Fetching Review",
11767
+ "type": "skill",
11768
+ "provider": "frontend",
11769
+ "harnesses": [
11770
+ "claude-code",
11771
+ "cursor",
11772
+ "codex",
11773
+ "gemini",
11774
+ "kiro",
11775
+ "other"
11776
+ ],
11777
+ "summary": "Reviews Server/Client Component boundaries and Server Action authorization trust for data-fetching correctness and security, using Next.js's own Server Components/Server Actions documentation loaded progressively and grounded via Context7 against the repo's confirmed Next.js version.",
11778
+ "source_type": "original",
11779
+ "official_docs": [
11780
+ "https://nextjs.org/docs/app/building-your-application/rendering/server-components",
11781
+ "https://nextjs.org/docs/app/building-your-application/rendering/client-components",
11782
+ "https://nextjs.org/docs/app/building-your-application/data-fetching/server-actions-and-mutations",
11783
+ "https://owasp.org/www-project-top-ten/"
11784
+ ],
11785
+ "security_notes": "A Server Action that derives an authorization decision from client-supplied form data instead of the server-side session is a Broken Access Control finding (OWASP A01) and must be escalated as HIGH, not filed as a style note. A Client Component whose import graph reaches a server-only module (DB client, non-NEXT_PUBLIC_ env access, server-only-guarded module) is a HIGH-severity bundle-leak finding. Static-review-only skill: it reads and greps component/action source but never executes, builds, or runs application code. Treat any hardcoded API key, token, or credential found in a Server Action or Client Component as a HIGH-severity finding requiring immediate escalation.",
11786
+ "last_verified": "2026-07-02",
11787
+ "path": "skills/frontend/nextjs-app-router-data-fetching-review",
11788
+ "version": "0.1.0",
11789
+ "author": "github: Raishin"
11790
+ },
11791
+ {
11792
+ "id": "nextjs-rendering-caching-review",
11793
+ "name": "Next.js Rendering & Caching Review",
11794
+ "type": "skill",
11795
+ "provider": "frontend",
11796
+ "harnesses": [
11797
+ "claude-code",
11798
+ "cursor",
11799
+ "codex",
11800
+ "gemini",
11801
+ "kiro",
11802
+ "other"
11803
+ ],
11804
+ "summary": "Reviews Next.js App Router rendering-mode selection and fetch()/Data-Cache configuration for staleness and cross-user data-leakage risk, using Next.js's own caching documentation loaded progressively and grounded via Context7 against the repo's confirmed Next.js version.",
11805
+ "source_type": "original",
11806
+ "official_docs": [
11807
+ "https://nextjs.org/docs/app/building-your-application/caching",
11808
+ "https://nextjs.org/docs/app/building-your-application/data-fetching/fetching-caching-and-revalidating",
11809
+ "https://nextjs.org/docs/app/guides/incremental-static-regeneration",
11810
+ "https://nextjs.org/docs/app/api-reference/functions/revalidateTag"
11811
+ ],
11812
+ "security_notes": "Cross-user Data Cache leakage (caching a per-user response as if it were shared/public) is a data-exposure defect, not merely a performance nit — this skill escalates such findings to HIGH severity and requires a security-review sign-off, not just a caching-strategy note. Static-review-only skill: it reads and greps route/fetch source but never executes, builds, or runs application code. Treat any hardcoded API key, token, or credential found in a fetch() call or header as a HIGH-severity finding requiring immediate escalation.",
11813
+ "last_verified": "2026-07-02",
11814
+ "path": "skills/frontend/nextjs-rendering-caching-review",
11815
+ "version": "0.1.0",
11816
+ "author": "github: Raishin"
11817
+ },
11818
+ {
11819
+ "id": "nextjs-server-security-review",
11820
+ "name": "Next.js Server Security Review",
11821
+ "type": "skill",
11822
+ "provider": "frontend",
11823
+ "harnesses": [
11824
+ "claude-code",
11825
+ "cursor",
11826
+ "codex",
11827
+ "gemini",
11828
+ "kiro",
11829
+ "other"
11830
+ ],
11831
+ "summary": "Reviews Next.js middleware, Server Actions, next.config.js, and environment-variable files for middleware matcher exclusions that silently skip auth on Server Functions, Server Actions missing allowedOrigins CSRF protection, secrets leaked via NEXT_PUBLIC_ prefixes, and SSRF/open-redirect via dangerouslyAllowLocalIP or unvalidated rewrite destinations, grounding claims via Context7 and Next.js's own documentation.",
11832
+ "source_type": "original",
11833
+ "official_docs": [
11834
+ "https://nextjs.org/docs/app/building-your-application/authentication",
11835
+ "https://nextjs.org/docs/app/guides/data-security",
11836
+ "https://nextjs.org/docs/app/guides/environment-variables",
11837
+ "https://nextjs.org/docs/app/api-reference/file-conventions/proxy",
11838
+ "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery",
11839
+ "https://owasp.org/www-community/attacks/xss/"
11840
+ ],
11841
+ "security_notes": "This skill's entire scope is security-critical: a middleware matcher exclusion is a zero-trust boundary defect (authorization silently skipped on excluded paths), a missing serverActions.allowedOrigins is a CSRF gap, a NEXT_PUBLIC_-prefixed secret is a build-time data exposure with no runtime remediation once shipped, and dangerouslyAllowLocalIP or an unvalidated rewrite destination is a server-side request forgery / open-redirect vector. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete repo evidence. Static-review-only skill: it reads and greps middleware, Server Action, config, and environment files but never executes, builds, or runs application code, and never sends live requests.",
11842
+ "last_verified": "2026-07-03",
11843
+ "path": "skills/frontend/nextjs-server-security-review",
11844
+ "version": "0.1.0",
11845
+ "author": "github: Raishin"
11846
+ },
11847
+ {
11848
+ "id": "nuxt-fullstack-security-review",
11849
+ "name": "Nuxt Fullstack Security Review",
11850
+ "type": "skill",
11851
+ "provider": "frontend",
11852
+ "harnesses": [
11853
+ "claude-code",
11854
+ "cursor",
11855
+ "codex",
11856
+ "gemini",
11857
+ "kiro",
11858
+ "other"
11859
+ ],
11860
+ "summary": "Reviews Nuxt 3/4 full-stack code for private secrets exposed via runtimeConfig.public/NUXT_PUBLIC_* env vars, useState/module-scope cross-request state pollution in Nitro, server-route SSRF via $fetch/ofetch with blind useRequestHeaders/credential forwarding, NuxtPayload/useState serialization reaching an XSS sink, and missing security response headers (routeRules headers, the nuxt-security module), grounding claims via Context7 and Nuxt's own documentation.",
11861
+ "source_type": "original",
11862
+ "official_docs": [
11863
+ "https://nuxt.com/docs/guide/going-further/runtime-config",
11864
+ "https://nuxt.com/docs/getting-started/state-management",
11865
+ "https://nuxt.com/docs/guide/directory-structure/server",
11866
+ "https://nuxt.com/docs/getting-started/data-fetching",
11867
+ "https://nuxt.com/docs/api/composables/use-request-headers",
11868
+ "https://nuxt.com/docs/api/composables/use-response-header",
11869
+ "https://nuxt.com/docs/guide/concepts/rendering",
11870
+ "https://owasp.org/www-community/attacks/Server_Side_Request_Forgery",
11871
+ "https://owasp.org/www-community/attacks/xss/"
11872
+ ],
11873
+ "security_notes": "This skill's entire scope is security-critical: a runtimeConfig.public/NUXT_PUBLIC_* secret is a client-bundle credential leak, useState/module-scope pollution in Nitro is a cross-tenant/cross-user data-exposure defect, server-route SSRF and blind header forwarding can leak credentials or reach internal network targets, payload/useState reaching an unsanitized sink is XSS, and missing security response headers weakens the app's baseline browser-side defenses. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete evidence (a private key correctly scoped, an allowlisted outbound host, a sanitizer visibly on the traced path, or documented header coverage of the routes in scope). Static-review-only skill: it reads and greps nuxt.config.ts, composables/plugins/server code, and templates but never executes, builds, or runs application code, and never sends live requests.",
11874
+ "last_verified": "2026-07-03",
11875
+ "path": "skills/frontend/nuxt-fullstack-security-review",
11876
+ "version": "0.1.0",
11877
+ "author": "github: Raishin"
11878
+ },
10818
11879
  {
10819
11880
  "id": "nvidia-agentic-ai-platform-review",
10820
11881
  "name": "NVIDIA Agentic AI Platform Review",
@@ -12518,6 +13579,33 @@
12518
13579
  "author": "github: Raishin",
12519
13580
  "version": "0.1.0"
12520
13581
  },
13582
+ {
13583
+ "id": "pci-payment-ui-security-review",
13584
+ "name": "PCI Payment UI Security Review",
13585
+ "type": "skill",
13586
+ "provider": "frontend",
13587
+ "harnesses": [
13588
+ "claude-code",
13589
+ "cursor",
13590
+ "codex",
13591
+ "gemini",
13592
+ "kiro",
13593
+ "other"
13594
+ ],
13595
+ "summary": "Reviews payment-collection frontend code for the PCI-DSS-relevant frontend defect classes: raw PAN/CVV collection in self-controlled inputs instead of Stripe hosted fields, card data persisted client-side or to analytics, raw card data POSTed to a first-party endpoint before tokenization, and third-party scripts loaded without Subresource Integrity — grounded via Context7 Stripe documentation and PCI-DSS v4 script-security requirements (standard-based).",
13596
+ "source_type": "original",
13597
+ "official_docs": [
13598
+ "https://docs.stripe.com/js/elements_object/create",
13599
+ "https://docs.stripe.com/security/guide#validating-pci-compliance",
13600
+ "https://www.pcisecuritystandards.org/document_library/",
13601
+ "https://www.pcisecuritystandards.org/documents/SAQ-A-r2-v4_0.pdf"
13602
+ ],
13603
+ "security_notes": "This skill's entire scope is security-critical: raw PAN/CVV collection outside a Stripe-controlled iframe, client-side persistence of cardholder data, and unsigned third-party scripts on payment pages are all cardholder-data-exposure or code-tampering vectors. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete evidence of iframe isolation, tokenization-before-POST, or a visible integrity attribute. This is the FRONTEND slice of PCI-DSS only — it is NOT a full PCI-DSS audit; server-side cardholder-data-environment segmentation, network controls, and key management are explicitly out of scope. Static-review-only skill: it reads and greps payment-page source but never executes, builds, or runs application code, and never sends live requests.",
13604
+ "last_verified": "2026-07-03",
13605
+ "path": "skills/frontend/pci-payment-ui-security-review",
13606
+ "version": "0.1.0",
13607
+ "author": "github: Raishin"
13608
+ },
12521
13609
  {
12522
13610
  "id": "playwright-e2e-execution-run",
12523
13611
  "name": "Playwright E2E Execution Run",
@@ -12777,6 +13865,35 @@
12777
13865
  "version": "0.1.0",
12778
13866
  "author": "github: Raishin"
12779
13867
  },
13868
+ {
13869
+ "id": "product-analytics-experimentation-review",
13870
+ "name": "Product Analytics & Experimentation Review",
13871
+ "type": "skill",
13872
+ "provider": "frontend",
13873
+ "harnesses": [
13874
+ "claude-code",
13875
+ "cursor",
13876
+ "codex",
13877
+ "gemini",
13878
+ "kiro",
13879
+ "other"
13880
+ ],
13881
+ "summary": "Reviews frontend analytics instrumentation and A/B/multivariate experiment setups for event-schema correctness, sample-ratio-mismatch risk, valid statistical stopping rules, and consent-gated privacy compliance before an experiment or tracking change ships.",
13882
+ "source_type": "adapted",
13883
+ "official_docs": [
13884
+ "https://web.dev/articles/vitals-business-impact",
13885
+ "https://developers.google.com/analytics/devguides/collection/ga4",
13886
+ "https://gdpr.eu/cookies/",
13887
+ "https://www.w3.org/TR/permissions/",
13888
+ "https://developers.google.com/tag-platform/security/guides/consent",
13889
+ "https://iabeurope.eu/iab-europe-transparency-consent-framework/"
13890
+ ],
13891
+ "security_notes": "Require consent-gate verification before any non-essential tracking call is approved; require PII scrubbing/hashing review on every new event schema field before it is marked shippable. Also check IAB TCF v2.2 purpose/vendor-granular consent, Google Consent Mode v2 synchronous default-denied timing, GPC/Do-Not-Track honoring, cookie categorization/expiry, and analytics-endpoint data residency. Read-only static review; does not execute experiment code, query a live analytics backend, or change a live feature-flag/experiment configuration.",
13892
+ "last_verified": "2026-07-03",
13893
+ "path": "skills/frontend/product-analytics-experimentation-review",
13894
+ "version": "0.1.0",
13895
+ "author": "github: Raishin"
13896
+ },
12780
13897
  {
12781
13898
  "id": "programmatic-supply-chain-integrity-review",
12782
13899
  "name": "Programmatic Supply Chain Integrity Review",
@@ -12810,28 +13927,138 @@
12810
13927
  "id": "prometheus-alerting-cardinality-review",
12811
13928
  "name": "Prometheus Alerting and Cardinality Review",
12812
13929
  "type": "skill",
12813
- "provider": "prometheus",
13930
+ "provider": "prometheus",
13931
+ "harnesses": [
13932
+ "codex",
13933
+ "claude-code",
13934
+ "cursor",
13935
+ "gemini",
13936
+ "kiro",
13937
+ "other"
13938
+ ],
13939
+ "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
13940
+ "source_type": "original",
13941
+ "official_docs": [
13942
+ "https://prometheus.io/docs/prometheus/latest/querying/basics/",
13943
+ "https://prometheus.io/docs/practices/naming/",
13944
+ "https://prometheus.io/docs/practices/alerting/",
13945
+ "https://prometheus.io/docs/alerting/latest/alertmanager/",
13946
+ "https://prometheus.io/docs/prometheus/latest/storage/",
13947
+ "https://prometheus.io/docs/practices/remote_write/"
13948
+ ],
13949
+ "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
13950
+ "last_verified": "2026-05-02",
13951
+ "path": "skills/prometheus/prometheus-alerting-cardinality-review",
13952
+ "version": "0.1.0",
13953
+ "author": "github: Raishin"
13954
+ },
13955
+ {
13956
+ "id": "pwa-offline-readiness-review",
13957
+ "name": "PWA Offline Readiness Review",
13958
+ "type": "skill",
13959
+ "provider": "frontend",
13960
+ "harnesses": [
13961
+ "claude-code",
13962
+ "cursor",
13963
+ "codex",
13964
+ "gemini",
13965
+ "kiro",
13966
+ "other"
13967
+ ],
13968
+ "summary": "Validates installability against W3C manifest criteria and tests real offline navigation behavior end to end, rejecting a manifest-schema-valid but practically non-installable or non-functional-offline PWA.",
13969
+ "source_type": "original",
13970
+ "official_docs": [
13971
+ "https://w3c.github.io/manifest/",
13972
+ "https://web.dev/articles/installable-manifest",
13973
+ "https://web.dev/articles/offline-fallback-page",
13974
+ "https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Manifest",
13975
+ "https://developer.mozilla.org/en-US/docs/Web/API/BeforeInstallPromptEvent",
13976
+ "https://web.dev/articles/lighthouse-pwa"
13977
+ ],
13978
+ "security_notes": "Manifest and service-worker files must be served over HTTPS (a hard W3C/browser installability requirement, not a preference); flag any start_url or icon reference pointing to an HTTP origin or third-party CDN without integrity guarantees. Do not recommend caching the offline-fallback page's embedded data if it contains anything user-specific/authenticated -- the fallback route must be static/public content only.",
13979
+ "last_verified": "2026-07-02",
13980
+ "path": "skills/frontend/pwa-offline-readiness-review",
13981
+ "version": "0.1.0",
13982
+ "author": "github: Raishin"
13983
+ },
13984
+ {
13985
+ "id": "react-component-architecture-review",
13986
+ "name": "React Component Architecture Review",
13987
+ "type": "skill",
13988
+ "provider": "frontend",
13989
+ "harnesses": [
13990
+ "claude-code",
13991
+ "cursor",
13992
+ "codex",
13993
+ "gemini",
13994
+ "kiro",
13995
+ "other"
13996
+ ],
13997
+ "summary": "Reviews React component trees for composition, prop-interface, and separation-of-concerns defects that erode testability and maintainability, using React's own composition guidance (component decomposition, lifting state, context) loaded progressively and grounded via Context7 against the repo's confirmed React version.",
13998
+ "source_type": "original",
13999
+ "official_docs": [
14000
+ "https://react.dev/learn/thinking-in-react",
14001
+ "https://react.dev/learn/passing-props-to-a-component",
14002
+ "https://react.dev/learn/sharing-state-between-components",
14003
+ "https://react.dev/reference/rules/rules-of-hooks"
14004
+ ],
14005
+ "security_notes": "Static-review-only skill: it reads and greps component source but never executes, builds, or runs application code. Do not review or execute application secrets; treat any API key or token found hardcoded in component props or default values as a HIGH-severity finding requiring immediate escalation, not a style note.",
14006
+ "last_verified": "2026-07-02",
14007
+ "path": "skills/frontend/react-component-architecture-review",
14008
+ "version": "0.1.0",
14009
+ "author": "github: Raishin"
14010
+ },
14011
+ {
14012
+ "id": "react-rsc-data-boundary-review",
14013
+ "name": "React RSC Data Boundary Review",
14014
+ "type": "skill",
14015
+ "provider": "frontend",
14016
+ "harnesses": [
14017
+ "claude-code",
14018
+ "cursor",
14019
+ "codex",
14020
+ "gemini",
14021
+ "kiro",
14022
+ "other"
14023
+ ],
14024
+ "summary": "Reviews React Server Components code for data leaks across the server-to-client serialization boundary: secrets passed as props to Client Components, server-only modules missing the server-only guard, use server actions with no authorization check, non-public environment variables read in use client modules, and tainted values crossing the boundary unnarrowed, grounding claims via Context7 and React's and Next.js's own documentation.",
14025
+ "source_type": "original",
14026
+ "official_docs": [
14027
+ "https://react.dev/reference/rsc/server-components",
14028
+ "https://react.dev/reference/react/experimental_taintUniqueValue",
14029
+ "https://nextjs.org/docs/app/getting-started/server-and-client-components",
14030
+ "https://nextjs.org/docs/app/guides/data-security"
14031
+ ],
14032
+ "security_notes": "This skill's entire scope is security-critical: a secret crossing the server-to-client serialization boundary is a data-exposure defect (potential credential/token leakage to every browser rendering the page), a missing server-only guard risks accidental client-bundle inclusion of secret-reading code, an unauthorized use server action is a mutation/IDOR vector, and non-public env exposure in a use client module signals a broken trust boundary. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete guard/narrowing evidence. Static-review-only skill: it reads and greps Server/Client Component source and server actions but never executes, builds, or runs application code, and never sends live requests.",
14033
+ "last_verified": "2026-07-03",
14034
+ "path": "skills/frontend/react-rsc-data-boundary-review",
14035
+ "version": "0.1.0",
14036
+ "author": "github: Raishin"
14037
+ },
14038
+ {
14039
+ "id": "react-state-effects-review",
14040
+ "name": "React State & Effects Review",
14041
+ "type": "skill",
14042
+ "provider": "frontend",
12814
14043
  "harnesses": [
12815
- "codex",
12816
14044
  "claude-code",
12817
14045
  "cursor",
14046
+ "codex",
12818
14047
  "gemini",
12819
14048
  "kiro",
12820
14049
  "other"
12821
14050
  ],
12822
- "summary": "Review Prometheus and AlertManager configuration for cardinality explosion, recording rules, alert expression correctness, routing, scrape security, and retention.",
14051
+ "summary": "Reviews useState/useEffect/useReducer usage for the documented anti-patterns (unneeded effects, missing cleanup, race conditions, stale closures), classifying each effect against React's own 'You Might Not Need an Effect' catalog and grounding every claim via Context7 against the repo's confirmed React version.",
12823
14052
  "source_type": "original",
12824
14053
  "official_docs": [
12825
- "https://prometheus.io/docs/prometheus/latest/querying/basics/",
12826
- "https://prometheus.io/docs/practices/naming/",
12827
- "https://prometheus.io/docs/practices/alerting/",
12828
- "https://prometheus.io/docs/alerting/latest/alertmanager/",
12829
- "https://prometheus.io/docs/prometheus/latest/storage/",
12830
- "https://prometheus.io/docs/practices/remote_write/"
14054
+ "https://react.dev/learn/you-might-not-need-an-effect",
14055
+ "https://react.dev/learn/synchronizing-with-effects",
14056
+ "https://react.dev/reference/react/useEffect",
14057
+ "https://react.dev/learn/removing-effect-dependencies"
12831
14058
  ],
12832
- "security_notes": "honor_labels: true on untrusted scrape targets allows the scraped workload to override job/instance labels, enabling metric spoofing. Scrape configs pointing to external HTTP endpoints are SSRF candidates.",
12833
- "last_verified": "2026-05-02",
12834
- "path": "skills/prometheus/prometheus-alerting-cardinality-review",
14059
+ "security_notes": "Static-review-only skill: it reads and greps component source but never executes, builds, or runs application code. Flag effects that perform authenticated writes (mutations) without idempotency/cancellation guards — a race condition here can cause duplicate financial or state-changing operations, not just a UI bug as a HIGH-severity finding requiring immediate escalation, not a style note.",
14060
+ "last_verified": "2026-07-02",
14061
+ "path": "skills/frontend/react-state-effects-review",
12835
14062
  "version": "0.1.0",
12836
14063
  "author": "github: Raishin"
12837
14064
  },
@@ -12899,6 +14126,33 @@
12899
14126
  "version": "0.1.2",
12900
14127
  "lifecycle": "experimental"
12901
14128
  },
14129
+ {
14130
+ "id": "routing-navigation-review",
14131
+ "name": "Routing & Navigation Review",
14132
+ "type": "skill",
14133
+ "provider": "frontend",
14134
+ "harnesses": [
14135
+ "claude-code",
14136
+ "cursor",
14137
+ "codex",
14138
+ "gemini",
14139
+ "kiro",
14140
+ "other"
14141
+ ],
14142
+ "summary": "Reviews route-tree structure, loader/action placement, code-splitting, and navigation-blocking/focus-management for correctness, security enforcement, and accessibility conformance.",
14143
+ "source_type": "original",
14144
+ "official_docs": [
14145
+ "https://reactrouter.com/start/framework/route-module",
14146
+ "https://reactrouter.com/start/data/actions",
14147
+ "https://nextjs.org/docs/app/building-your-application/routing/dynamic-routes",
14148
+ "https://www.w3.org/WAI/ARIA/apg/patterns/"
14149
+ ],
14150
+ "security_notes": "Client-side-only route guards (hiding a nav link, redirecting in a component) are UX only; treat any route lacking a paired server-side enforcement point (loader auth check, middleware, or BFF authorization) as a blocking security finding. Static-review-only skill: it reads and greps route source but never executes, builds, or runs application code.",
14151
+ "last_verified": "2026-07-02",
14152
+ "path": "skills/frontend/routing-navigation-review",
14153
+ "version": "0.1.0",
14154
+ "author": "github: Raishin"
14155
+ },
12902
14156
  {
12903
14157
  "id": "rpa-workflow-resilience-review",
12904
14158
  "name": "RPA Workflow Resilience Review",
@@ -15981,6 +17235,35 @@
15981
17235
  "author": "github: Raishin",
15982
17236
  "version": "0.1.0"
15983
17237
  },
17238
+ {
17239
+ "id": "service-worker-cache-strategy-review",
17240
+ "name": "Service Worker Cache Strategy Review",
17241
+ "type": "skill",
17242
+ "provider": "frontend",
17243
+ "harnesses": [
17244
+ "claude-code",
17245
+ "cursor",
17246
+ "codex",
17247
+ "gemini",
17248
+ "kiro",
17249
+ "other"
17250
+ ],
17251
+ "summary": "Reviews service-worker route-matching and caching-strategy choices (precache vs. cache-first vs. network-first vs. stale-while-revalidate) against request type and security sensitivity, rejecting uniform blanket strategies and flagging authenticated/PII responses cached in the Cache API.",
17252
+ "source_type": "original",
17253
+ "official_docs": [
17254
+ "https://developer.chrome.com/docs/workbox/",
17255
+ "https://developer.mozilla.org/en-US/docs/Web/API/Service_Worker_API",
17256
+ "https://developer.mozilla.org/en-US/docs/Web/API/Cache",
17257
+ "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Vary",
17258
+ "https://web.dev/articles/service-worker-caching-and-http-caching",
17259
+ "https://owasp.org/www-community/attacks/Cache_Poisoning"
17260
+ ],
17261
+ "security_notes": "Hard-block caching of any response carrying Set-Cookie, an echoed Authorization value, or clearly PII/payment-bearing JSON without explicit, reviewed justification. Hard-block a service-worker scope broader than the routes it is meant to control unless justified. Flag cache.put() calls on opaque (no-cors) cross-origin responses as an unreviewable-content risk per OWASP cache-poisoning concerns. Do not paste real user session data, cookies, or authenticated response bodies into review examples.",
17262
+ "last_verified": "2026-07-02",
17263
+ "path": "skills/frontend/service-worker-cache-strategy-review",
17264
+ "version": "0.1.0",
17265
+ "author": "github: Raishin"
17266
+ },
15984
17267
  {
15985
17268
  "id": "sigstore-cosign-supply-chain-review",
15986
17269
  "name": "Sigstore Cosign Supply Chain Review",
@@ -16094,6 +17377,146 @@
16094
17377
  "version": "0.1.0",
16095
17378
  "author": "github: Raishin"
16096
17379
  },
17380
+ {
17381
+ "id": "ssr-hydration-streaming-diagnosis",
17382
+ "name": "SSR Hydration & Streaming Diagnosis",
17383
+ "type": "skill",
17384
+ "provider": "frontend",
17385
+ "harnesses": [
17386
+ "claude-code",
17387
+ "cursor",
17388
+ "codex",
17389
+ "gemini",
17390
+ "kiro",
17391
+ "other"
17392
+ ],
17393
+ "summary": "Diagnoses hydration-mismatch errors and streaming/Suspense-boundary placement issues to their root cause, using framework-version-specific evidence rather than guesswork, with root-cause-before-fix and auth-before-stream as hard gates.",
17394
+ "source_type": "original",
17395
+ "official_docs": [
17396
+ "https://react.dev/reference/react-dom/client/hydrateRoot",
17397
+ "https://react.dev/reference/react/Suspense",
17398
+ "https://react.dev/reference/react/use",
17399
+ "https://nextjs.org/docs/app/building-your-application/rendering/server-components",
17400
+ "https://web.dev/articles/optimize-lcp"
17401
+ ],
17402
+ "security_notes": "Never accept suppressHydrationWarning as the fix without a documented, unavoidable non-determinism justification; treat it as a rejected finding when used without an identified root cause. Treat streaming that flushes page structure or content before an authorization check resolves as a potential information-disclosure finding requiring escalation, not a performance note. Static-review-only skill: it reads and greps component/boundary source and reported error text but never executes, builds, or runs application code.",
17403
+ "last_verified": "2026-07-02",
17404
+ "path": "skills/frontend/ssr-hydration-streaming-diagnosis",
17405
+ "version": "0.1.0",
17406
+ "author": "github: Raishin"
17407
+ },
17408
+ {
17409
+ "id": "state-management-decision-review",
17410
+ "name": "State Management Decision Review",
17411
+ "type": "skill",
17412
+ "provider": "frontend",
17413
+ "harnesses": [
17414
+ "claude-code",
17415
+ "cursor",
17416
+ "codex",
17417
+ "gemini",
17418
+ "kiro",
17419
+ "other"
17420
+ ],
17421
+ "summary": "Reviews whether data is correctly classified as server state vs. client state vs. derived state, and whether the resulting store/cache design (query keys, invalidation triggers, optimistic-update rollback, SSR instantiation, selector shape) avoids duplication, stale-data bugs, and unnecessary re-render cascades, grounding every TanStack Query and Zustand claim via Context7 against the repo's confirmed installed version.",
17422
+ "source_type": "original",
17423
+ "official_docs": [
17424
+ "https://tanstack.com/query/latest/docs/framework/react/guides/important-defaults",
17425
+ "https://tanstack.com/query/latest/docs/framework/react/guides/optimistic-updates",
17426
+ "https://tanstack.com/query/latest/docs/framework/react/guides/ssr",
17427
+ "https://zustand.docs.pmnd.rs/getting-started/introduction",
17428
+ "https://zustand.docs.pmnd.rs/hooks/use-shallow",
17429
+ "https://zustand.docs.pmnd.rs/middlewares/persist",
17430
+ "https://react.dev/learn/managing-state"
17431
+ ],
17432
+ "security_notes": "Static-review-only skill: it reads and greps source but never executes, builds, or runs application code. Reject any store design that persists auth tokens, session identifiers, or PII to localStorage/sessionStorage without an explicit encryption/expiry justification or a documented partialize exclusion, and reject any SSR queryClient/store pattern that instantiates as a module-level singleton, which risks cross-request/cross-user data leakage. Missing optimistic-update rollback and SSR singleton instantiation are treated as HARD STOP findings, not style notes.",
17433
+ "last_verified": "2026-07-02",
17434
+ "path": "skills/frontend/state-management-decision-review",
17435
+ "version": "0.1.0",
17436
+ "author": "github: Raishin"
17437
+ },
17438
+ {
17439
+ "id": "sveltekit-actions-load-security-review",
17440
+ "name": "SvelteKit Actions & Load Security Review",
17441
+ "type": "skill",
17442
+ "provider": "frontend",
17443
+ "harnesses": [
17444
+ "claude-code",
17445
+ "cursor",
17446
+ "codex",
17447
+ "gemini",
17448
+ "kiro",
17449
+ "other"
17450
+ ],
17451
+ "summary": "Reviews SvelteKit form actions, load functions, and cookie/HTML bindings for CSRF origin-check bypass, unauthenticated data exposure through load(), auth guards that live only in +layout.server.js without a parent() call in child pages, insecure cookies.set() options, and unsanitized {@html} bindings, grounding claims via Context7 and SvelteKit's own CSRF, cookies, load, and authentication documentation.",
17452
+ "source_type": "original",
17453
+ "official_docs": [
17454
+ "https://svelte.dev/docs/kit/configuration#csrf",
17455
+ "https://svelte.dev/docs/kit/load#Cookies",
17456
+ "https://svelte.dev/docs/kit/load#Implications-for-authentication",
17457
+ "https://svelte.dev/docs/kit/@sveltejs-kit#Cookies",
17458
+ "https://svelte.dev/docs/svelte/@html"
17459
+ ],
17460
+ "security_notes": "This skill's entire scope is security-critical: a disabled/bypassed CSRF check enables cross-site form submission, an unguarded load() or action leaking data via a raw cookie value is an authentication-bypass/data-exposure defect, an auth guard living only in +layout.server.js is a structural auth-boundary gap when a child page's load skips await parent() or hooks.server.js does not enforce the check first, an insecure cookies.set() call (missing/false httpOnly, secure, or sameSite, or a missing path) is a session-hijacking-adjacent cookie-policy defect, and unsanitized {@html} on user-reachable input is a stored/reflected XSS vector. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete guard/sanitizer evidence on the exact traced path. Static-review-only skill: it reads and greps svelte.config.js, +page.server.js/+layout.server.js/+server.js, form action code, and .svelte templates but never executes, builds, or runs application code, and never sends live requests.",
17461
+ "last_verified": "2026-07-03",
17462
+ "path": "skills/frontend/sveltekit-actions-load-security-review",
17463
+ "version": "0.1.0",
17464
+ "author": "github: Raishin"
17465
+ },
17466
+ {
17467
+ "id": "sveltekit-progressive-enhancement-review",
17468
+ "name": "SvelteKit Progressive Enhancement Review",
17469
+ "type": "skill",
17470
+ "provider": "frontend",
17471
+ "harnesses": [
17472
+ "claude-code",
17473
+ "cursor",
17474
+ "codex",
17475
+ "gemini",
17476
+ "kiro",
17477
+ "other"
17478
+ ],
17479
+ "summary": "Reviews SvelteKit forms and actions for functional resilience without JavaScript and for use:enhance error-handling correctness.",
17480
+ "source_type": "original",
17481
+ "official_docs": [
17482
+ "https://kit.svelte.dev/docs/form-actions",
17483
+ "https://svelte.dev/docs/kit/form-actions",
17484
+ "https://www.w3.org/WAI/WCAG22/quickref/",
17485
+ "https://owasp.org/www-project-top-ten/"
17486
+ ],
17487
+ "security_notes": "A custom use:enhance SubmitFunction that bypasses the form's native action/method to call a hand-rolled fetch() may skip SvelteKit's built-in CSRF-relevant origin checks applied to form actions — flag any such bypass for security review rather than treating it as a pure UX nit. Static-review-only skill: it reads and greps form/action source but never executes, builds, or runs application code.",
17488
+ "last_verified": "2026-07-02",
17489
+ "path": "skills/frontend/sveltekit-progressive-enhancement-review",
17490
+ "version": "0.1.0",
17491
+ "author": "github: Raishin"
17492
+ },
17493
+ {
17494
+ "id": "sveltekit-routing-load-review",
17495
+ "name": "SvelteKit Routing & Load Function Review",
17496
+ "type": "skill",
17497
+ "provider": "frontend",
17498
+ "harnesses": [
17499
+ "claude-code",
17500
+ "cursor",
17501
+ "codex",
17502
+ "gemini",
17503
+ "kiro",
17504
+ "other"
17505
+ ],
17506
+ "summary": "Reviews SvelteKit route files for correct universal-vs-server load placement, preventing server-only logic from executing in the browser.",
17507
+ "source_type": "original",
17508
+ "official_docs": [
17509
+ "https://kit.svelte.dev/docs/load",
17510
+ "https://kit.svelte.dev/docs/routing",
17511
+ "https://svelte.dev/docs/kit/load",
17512
+ "https://svelte.dev/docs/kit/routing"
17513
+ ],
17514
+ "security_notes": "Server-only secrets, database clients, or privileged third-party API keys reachable from a +page.js/+layout.js (universal load, which runs in the browser too) is a credential-exposure defect — escalate as HIGH, not a style preference. Static-review-only skill: it reads and greps route source but never executes, builds, or runs application code.",
17515
+ "last_verified": "2026-07-02",
17516
+ "path": "skills/frontend/sveltekit-routing-load-review",
17517
+ "version": "0.1.0",
17518
+ "author": "github: Raishin"
17519
+ },
16097
17520
  {
16098
17521
  "id": "tax-provision-advisor",
16099
17522
  "name": "Tax Provision Advisor",
@@ -16284,6 +17707,63 @@
16284
17707
  "author": "github: Raishin",
16285
17708
  "version": "0.1.0"
16286
17709
  },
17710
+ {
17711
+ "id": "tree-shaking-dead-code-review",
17712
+ "name": "Tree-Shaking & Dead-Code Review",
17713
+ "type": "skill",
17714
+ "provider": "frontend",
17715
+ "harnesses": [
17716
+ "codex",
17717
+ "claude-code",
17718
+ "cursor",
17719
+ "gemini",
17720
+ "kiro",
17721
+ "other"
17722
+ ],
17723
+ "summary": "Verifies that a bundler's tree-shaking actually eliminated dead code by inspecting output bytes, module format, and sideEffects/treeshake configuration against a production-mode before/after diff, rather than trusting a clean build as proof of elimination, loaded progressively.",
17724
+ "source_type": "original",
17725
+ "official_docs": [
17726
+ "https://webpack.js.org/guides/tree-shaking/",
17727
+ "https://developer.mozilla.org/en-US/docs/Glossary/Tree_shaking",
17728
+ "https://rollupjs.org/configuration-options/#treeshake",
17729
+ "https://nodejs.org/api/packages.html#packagejson-and-file-extensions",
17730
+ "https://web.dev/articles/reduce-javascript-payloads-with-tree-shaking"
17731
+ ],
17732
+ "security_notes": "Do not recommend blanket sideEffects: false on a package the reviewer has not verified is actually side-effect-free (e.g., polyfills, CSS imports, analytics auto-init) -- this silently drops required initialization code, which is a correctness bug, not just a size issue, and can remove security-relevant setup such as CSP nonce injection or sanitizer initialization. Require a runtime smoke test, not just a rebuild, after any sideEffects: false change. Do not accept or echo any credential-shaped string found in a pasted build config, package.json, or analyzer report as if it were safe to keep in the transcript.",
17733
+ "last_verified": "2026-07-02",
17734
+ "path": "skills/frontend/tree-shaking-dead-code-review",
17735
+ "version": "0.1.0",
17736
+ "author": "github: Raishin"
17737
+ },
17738
+ {
17739
+ "id": "typescript-contracts-review",
17740
+ "name": "TypeScript Contracts Review",
17741
+ "type": "skill",
17742
+ "provider": "frontend",
17743
+ "harnesses": [
17744
+ "claude-code",
17745
+ "cursor",
17746
+ "codex",
17747
+ "gemini",
17748
+ "kiro",
17749
+ "other"
17750
+ ],
17751
+ "summary": "Reviews tsconfig strictness posture, any/assertion usage at trust boundaries, and exported public-API type surfaces so type signatures are enforced runtime-shape guarantees rather than decorative annotations, requiring paired runtime validation wherever external data enters the type system.",
17752
+ "source_type": "original",
17753
+ "official_docs": [
17754
+ "https://www.typescriptlang.org/tsconfig",
17755
+ "https://www.typescriptlang.org/docs/handbook/2/basic-types.html",
17756
+ "https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-4.html",
17757
+ "https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-1.html",
17758
+ "https://www.typescriptlang.org/docs/handbook/declaration-files/introduction.html",
17759
+ "https://typescript-eslint.io/rules/"
17760
+ ],
17761
+ "security_notes": "Flag any, as, and non-null assertions (!) at trust boundaries (parsed JSON, third-party SDK responses, postMessage payloads, URL/query-param parsing) without paired runtime validation — a type annotation is erased at compile time and enforces nothing against a malformed or malicious payload. Flag @ts-ignore/@ts-expect-error without an adjacent justification comment, especially on security-relevant code. Flag any proposal to loosen tsconfig strictness (removing strict, disabling strictNullChecks) without an explicit, separately-reviewed migration plan.",
17762
+ "last_verified": "2026-07-02",
17763
+ "path": "skills/frontend/typescript-contracts-review",
17764
+ "version": "0.1.0",
17765
+ "author": "github: Raishin"
17766
+ },
16287
17767
  {
16288
17768
  "id": "variance-analysis-advisor",
16289
17769
  "name": "Variance Analysis Advisor",
@@ -16348,6 +17828,174 @@
16348
17828
  "version": "0.1.0",
16349
17829
  "author": "github: Raishin"
16350
17830
  },
17831
+ {
17832
+ "id": "visual-regression-storybook-review",
17833
+ "name": "Visual Regression (Storybook) Review",
17834
+ "type": "skill",
17835
+ "provider": "frontend",
17836
+ "harnesses": [
17837
+ "claude-code",
17838
+ "cursor",
17839
+ "codex",
17840
+ "gemini",
17841
+ "kiro",
17842
+ "other"
17843
+ ],
17844
+ "summary": "Reviews Storybook-based visual regression and accessibility gating (test-runner, a11y addon, Chromatic integration) to ensure visually-critical components have deterministic pixel-diff and axe-core coverage before merge.",
17845
+ "source_type": "original",
17846
+ "official_docs": [
17847
+ "https://storybook.js.org/docs/writing-tests/visual-testing",
17848
+ "https://storybook.js.org/docs/writing-tests/integrations/test-runner",
17849
+ "https://storybook.js.org/docs/writing-tests/accessibility-testing",
17850
+ "https://www.w3.org/TR/WCAG21/#contrast-minimum"
17851
+ ],
17852
+ "security_notes": "Chromatic/Percy project tokens used in CI must be scoped per-project secrets, not account-wide credentials, and never committed to `chromatic.config.json` or `.storybook/main.js`. Screenshot baselines must not capture real user PII from a staging environment seeded with production-like data.",
17853
+ "last_verified": "2026-07-02",
17854
+ "path": "skills/frontend/visual-regression-storybook-review",
17855
+ "version": "0.1.0",
17856
+ "author": "github: Raishin"
17857
+ },
17858
+ {
17859
+ "id": "vue-composition-api-architecture-review",
17860
+ "name": "Vue Composition API Architecture Review",
17861
+ "type": "skill",
17862
+ "provider": "frontend",
17863
+ "harnesses": [
17864
+ "claude-code",
17865
+ "cursor",
17866
+ "codex",
17867
+ "gemini",
17868
+ "kiro",
17869
+ "other"
17870
+ ],
17871
+ "summary": "Reviews Vue 3 composables and script-setup components for reactivity-boundary correctness (ref/reactive/computed usage, destructuring-loses-reactivity pitfalls, toRef/toRefs/unref interop, lifecycle-hook synchronous-registration timing) and composable extraction quality, grounding claims via Context7 against Vue's own composables and reactivity documentation.",
17872
+ "source_type": "original",
17873
+ "official_docs": [
17874
+ "https://vuejs.org/guide/extras/composition-api-faq.html",
17875
+ "https://vuejs.org/guide/reusability/composables.html",
17876
+ "https://vuejs.org/api/reactivity-core.html",
17877
+ "https://vuejs.org/guide/essentials/reactivity-fundamentals.html"
17878
+ ],
17879
+ "security_notes": "Static-review-only skill: it reads and greps composable/component source but never executes, builds, or runs application code. No direct security-primitive concern; if a composable is found managing auth tokens, session state, or other credential material, flag it out of scope and recommend the vue-ssr-security-review skill instead of performing credential-handling review here.",
17880
+ "last_verified": "2026-07-02",
17881
+ "path": "skills/frontend/vue-composition-api-architecture-review",
17882
+ "version": "0.1.0",
17883
+ "author": "github: Raishin"
17884
+ },
17885
+ {
17886
+ "id": "vue-router-navigation-security-review",
17887
+ "name": "Vue Router Navigation Security Review",
17888
+ "type": "skill",
17889
+ "provider": "frontend",
17890
+ "harnesses": [
17891
+ "claude-code",
17892
+ "cursor",
17893
+ "codex",
17894
+ "gemini",
17895
+ "kiro",
17896
+ "other"
17897
+ ],
17898
+ "summary": "Statically reviews Vue Router navigation guards, redirect flows, dynamic link bindings, and route configuration for client-side guards used as the sole authorization boundary, open redirects via route.query.redirect/returnUrl, javascript:/data: scheme injection through dynamic :to/:href bindings, reflected XSS from route params/query reaching v-html/innerHTML, guard-induced redirect loops, and catch-all/history-mode misconfiguration, grounding claims via Context7 against Vue Router's own documentation.",
17899
+ "source_type": "original",
17900
+ "official_docs": [
17901
+ "https://router.vuejs.org/guide/advanced/navigation-guards.html",
17902
+ "https://router.vuejs.org/guide/essentials/redirect-and-alias.html",
17903
+ "https://router.vuejs.org/guide/essentials/dynamic-matching.html",
17904
+ "https://router.vuejs.org/guide/essentials/history-mode.html",
17905
+ "https://vuejs.org/guide/best-practices/security.html",
17906
+ "https://owasp.org/www-community/attacks/xss/",
17907
+ "https://cheatsheetseries.owasp.org/cheatsheets/Unvalidated_Redirects_and_Forwards_Cheat_Sheet.html"
17908
+ ],
17909
+ "security_notes": "This skill's entire scope is security-critical: a client-side-only navigation guard treated as an authorization boundary is a broken access control defect, an unvalidated route.query.redirect/returnUrl is an open-redirect vector, an unvalidated dynamic :to/:href is a javascript:/data:-scheme injection vector, and route params/query reaching v-html/innerHTML is reflected XSS. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete evidence (a confirmed server-side check, a same-origin allowlist, a protocol allowlist, or a sanitizer call on the exact traced path). Static-review-only skill: it reads and greps router configuration, guards, and template bindings but never executes, builds, or runs application code, and never sends live requests.",
17910
+ "last_verified": "2026-07-03",
17911
+ "path": "skills/frontend/vue-router-navigation-security-review",
17912
+ "version": "0.1.0",
17913
+ "author": "github: Raishin"
17914
+ },
17915
+ {
17916
+ "id": "vue-ssr-security-review",
17917
+ "name": "Vue SSR Security Review",
17918
+ "type": "skill",
17919
+ "provider": "frontend",
17920
+ "harnesses": [
17921
+ "claude-code",
17922
+ "cursor",
17923
+ "codex",
17924
+ "gemini",
17925
+ "kiro",
17926
+ "other"
17927
+ ],
17928
+ "summary": "Reviews Vue 3 SSR entry points and templates for cross-request state pollution (module-scope reactive state, non-per-request app/store/router creation) and injection via unsanitized v-html or unvalidated dynamic href/src bindings, grounding claims via Context7 and Vue's own SSR and security best-practices documentation.",
17929
+ "source_type": "original",
17930
+ "official_docs": [
17931
+ "https://vuejs.org/guide/scaling-up/ssr.html",
17932
+ "https://vuejs.org/guide/best-practices/security.html",
17933
+ "https://owasp.org/www-project-top-ten/",
17934
+ "https://owasp.org/www-community/attacks/xss/"
17935
+ ],
17936
+ "security_notes": "This skill's entire scope is security-critical: cross-request state pollution is a data-exposure defect (potential cross-tenant/cross-user leakage) and unsanitized v-html is a stored/reflected XSS vector. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete sanitizer evidence. Static-review-only skill: it reads and greps SSR entry points and template source but never executes, builds, or runs application code, and never sends live requests.",
17937
+ "last_verified": "2026-07-02",
17938
+ "path": "skills/frontend/vue-ssr-security-review",
17939
+ "version": "0.1.0",
17940
+ "author": "github: Raishin"
17941
+ },
17942
+ {
17943
+ "id": "vue-state-store-security-review",
17944
+ "name": "Vue State Store Security Review",
17945
+ "type": "skill",
17946
+ "provider": "frontend",
17947
+ "harnesses": [
17948
+ "claude-code",
17949
+ "cursor",
17950
+ "codex",
17951
+ "gemini",
17952
+ "kiro",
17953
+ "other"
17954
+ ],
17955
+ "summary": "Reviews Pinia and legacy Vuex state stores for sensitive data persisted to localStorage/sessionStorage without scoping, untrusted server-payload hydration (window.__pinia/__INITIAL_STATE__) with un-escaped state serialization, SSR store-singleton cross-request pollution, store plugins/$subscribe/$onAction acting on untrusted payloads, client-held role flags used as an authorization source of truth, and devtools state exposure in production builds, grounding claims via Context7 and each library's own documentation.",
17956
+ "source_type": "original",
17957
+ "official_docs": [
17958
+ "https://pinia.vuejs.org/ssr/",
17959
+ "https://pinia.vuejs.org/core-concepts/plugins.html",
17960
+ "https://github.com/prazdevs/pinia-plugin-persistedstate/blob/main/docs/guide/config.md",
17961
+ "https://vuex.vuejs.org/guide/modules.html",
17962
+ "https://vuex.vuejs.org/api/",
17963
+ "https://owasp.org/www-project-top-ten/",
17964
+ "https://owasp.org/www-community/attacks/xss/"
17965
+ ],
17966
+ "security_notes": "This skill's entire scope is security-critical: unscoped client-side persistence of tokens/PII is an XSS-exfiltratable data-exposure vector, untrusted/un-escaped state hydration is an XSS and data-integrity vector, SSR store-singleton pollution is a cross-tenant/cross-user data-exposure defect, untrusted payload handling in store plugins/hooks can drive unsanitized writes or calls, client-held role flags used as an authorization source of truth is a broken-access-control defect, and production devtools exposure leaks the full state tree to any user with browser devtools open. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete evidence (a pick/paths scope, an escaping call, a per-request creation trace, a server-side re-check). Static-review-only skill: it reads and greps store definitions, persistence config, SSR entry points, and plugin/hook code but never executes, builds, or runs application code, and never sends live requests.",
17967
+ "last_verified": "2026-07-03",
17968
+ "path": "skills/frontend/vue-state-store-security-review",
17969
+ "version": "0.1.0",
17970
+ "author": "github: Raishin"
17971
+ },
17972
+ {
17973
+ "id": "wcag-22-accessibility-audit",
17974
+ "name": "WCAG 2.2 Accessibility Audit",
17975
+ "type": "skill",
17976
+ "provider": "frontend",
17977
+ "harnesses": [
17978
+ "claude-code",
17979
+ "cursor",
17980
+ "codex",
17981
+ "gemini",
17982
+ "kiro",
17983
+ "other"
17984
+ ],
17985
+ "summary": "Progressive-disclosure skill for auditing frontend markup/components against WCAG 2.2 A/AA success criteria and ARIA APG patterns, separating automated-detectable failures from manual-verification items with legal-exposure flags.",
17986
+ "source_type": "original",
17987
+ "official_docs": [
17988
+ "https://www.w3.org/TR/WCAG22/",
17989
+ "https://www.w3.org/WAI/WCAG22/quickref/",
17990
+ "https://www.w3.org/WAI/ARIA/apg/",
17991
+ "https://www.w3.org/WAI/standards-guidelines/act/rules/"
17992
+ ],
17993
+ "security_notes": "Redact PII found in audited fixtures before including in reports. Never represent automated-only scan results as full WCAG conformance; axe-core-class tooling documents ~30-50% detection coverage. Do not treat this skill's static-review output as a substitute for a legal accessibility conformance opinion.",
17994
+ "last_verified": "2026-07-02",
17995
+ "path": "skills/frontend/wcag-22-accessibility-audit",
17996
+ "version": "0.1.0",
17997
+ "author": "github: Raishin"
17998
+ },
16351
17999
  {
16352
18000
  "id": "working-capital-advisor",
16353
18001
  "name": "Finance Working Capital Advisor",