@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (873) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15389 -12589
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +3 -2
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/generate-docs-data.mjs +1 -0
  333. package/scripts/generate-kiro-powers.mjs +12 -0
  334. package/scripts/update-catalog-new-agents.py +6 -1
  335. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  336. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  340. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  341. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  342. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  344. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  345. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  346. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  348. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  353. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  354. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  355. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  356. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  357. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  358. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  359. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  360. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  361. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  362. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  363. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  368. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  374. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  375. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  376. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  377. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  378. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  379. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  380. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  381. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  382. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  383. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  384. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  385. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  386. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  387. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  390. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  391. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  392. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  393. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  394. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  395. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  396. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  399. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  404. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  405. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  406. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  407. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  408. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  409. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  410. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  411. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  413. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  414. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  415. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  418. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  419. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  420. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  422. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  423. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  424. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  425. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  426. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  427. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  434. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  439. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  443. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  444. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  445. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  446. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  447. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  448. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  449. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  454. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  459. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  460. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  461. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  463. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  464. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  465. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  469. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  470. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  471. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  472. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  473. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  474. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  475. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  476. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  479. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  484. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  485. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  486. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  489. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  494. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  495. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  496. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  498. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  499. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  500. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  503. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  507. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  512. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  513. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  514. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  515. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  516. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  517. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  523. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  524. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  525. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  528. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  529. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  530. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  534. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  535. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  536. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  539. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  540. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  541. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  542. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  543. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  548. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  549. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  550. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  551. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  552. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  553. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  554. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  555. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  556. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  557. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  558. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  559. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  564. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  569. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  570. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  571. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  572. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  573. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  574. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  579. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  583. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  584. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  585. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  587. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  592. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  593. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  594. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  595. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  596. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  597. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  598. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  599. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  602. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  607. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  608. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  609. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  613. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  614. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  615. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  616. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  617. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  618. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  619. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  620. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  621. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  622. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  623. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  624. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  629. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  671. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  713. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  714. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  725. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  736. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  764. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  775. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  786. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  797. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  808. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  819. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  830. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  841. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  861. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  872. package/tests/validate-catalog.py +1 -0
  873. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,46 @@
1
+ # linkedSignal and DI-boundary patterns
2
+
3
+ > Load this reference only when `linkedSignal` appears in the diff under review, or when the review scope includes service/DI ownership review.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > `linkedSignal` is just `computed` with a different name; if it appears in a diff, check it the same way you'd check `computed` for purity.
10
+
11
+ Wrong. `linkedSignal` exists for a distinct problem `computed` cannot solve: **dependent state that must stay valid when its source changes, but can also be manually overridden**. Angular's own guidance frames this as ensuring "the `linkedSignal` always maintains a valid value, even when its underlying dependencies change" — while still allowing `.set()` calls that a plain `computed()` (read-only) would reject. Flagging a `linkedSignal` as "should be a `computed`" without checking whether manual override is a real requirement produces a false-positive finding.
12
+
13
+ The second naive story, on the DI side:
14
+
15
+ > A service exists, so as long as it's `providedIn: 'root'`, the DI design is fine.
16
+
17
+ Wrong. `providedIn: 'root'` is Angular's documented default for singleton services (per Angular's own style guide: "Design services around a single responsibility. Use the `providedIn: 'root'` option for singleton services"), but blast-radius and ownership are separate questions from injection scope. A root-provided service holding cross-cutting mutable state with no documented ownership model (who writes, who reads, what the lifetime and reset story is) is a design gap regardless of whether the DI scope itself is "correct."
18
+
19
+ ## `linkedSignal` review rules
20
+
21
+ - **Confirm the source relationship.** `linkedSignal(() => source())` (shorthand form) or `linkedSignal({ source: ..., computation: ... })` (object form, which also grants access to the previous value) should have a clear, traceable source signal. Flag a `linkedSignal` with no discernible source dependency as unclear intent.
22
+ - **Check for a genuine override requirement.** If nothing in the component ever calls `.set()` on the `linkedSignal`, it is not using the "dependent but overridable" capability and should likely be a plain `computed()` instead — recommend the simpler primitive.
23
+ - **Object form for prior-value access.** The object form (`{ source, computation: (sourceValue, previous) => ... }`) exists specifically for cases that need the prior computed/linked value (e.g. preserving a chat history while new content streams in, or converting a domain model to a form model only once a resource loads, per Angular's own AI/forms design-pattern guidance). Do not flag this as unnecessary complexity without checking whether prior-value access is actually used.
24
+ - **Do not conflate with `effect`-based derivation.** A `linkedSignal` reset-on-source-change pattern is the documented, correct tool for "resettable derived state" — it is not a workaround for avoiding `effect()`; do not suggest replacing it with an `effect()` that writes to a `signal()`, which reintroduces the state-propagation-via-effect anti-pattern this skill flags elsewhere.
25
+
26
+ ## DI/service-boundary review rules
27
+
28
+ - **Single responsibility per service.** Per Angular's own style guide, a service should be designed around a single responsibility. A service accumulating multiple unrelated concerns (e.g. auth state + feature-flag cache + analytics buffer in one class) is a boundary finding — recommend splitting along responsibility lines, not along "make it smaller" alone.
29
+ - **`inject()` over constructor injection for new/modified code.** Per the official Angular `angular-developer` skill and Angular's current style guidance, new code should prefer the `inject()` function over constructor-parameter injection — note this as a MEDIUM style finding when reviewing new service code that still uses constructor injection, not as a blocking defect for existing code that hasn't been touched.
30
+ - **Ownership model for mutable state.** For any injectable service exposing mutable `signal()` state, confirm the review can answer: who is allowed to call `.set()`/`.update()` on it, what triggers a reset, and what the lifetime is (root-singleton for app-lifetime state vs. component-provided for a narrower scope). If the code gives no evidence of an ownership model — e.g. the mutable signal is exposed as a public writable `Signal` rather than behind a method that encapsulates the mutation — flag it as a LOW/MEDIUM boundary gap and request either encapsulation (expose a read-only `Signal` via `.asReadonly()` and a controlled setter method) or explicit documentation, rather than prescribing a specific DI scope.
31
+ - **Do not prescribe DI scope changes speculatively.** Do not recommend moving a service from `providedIn: 'root'` to a component-level provider (or vice versa) unless the code in scope shows evidence of the actual lifetime/sharing requirement (e.g. multiple independent component instances each needing isolated state currently share one root singleton). A DI-scope change is a behavioral change, not a style preference.
32
+
33
+ ## When to still flag regardless of `linkedSignal`/DI context
34
+
35
+ - Any `computed()` purity violation, missing injection-context on an `effect()`, or untracked post-await signal read found incidentally while reviewing `linkedSignal`/DI code — those checks always apply per the main workflow.
36
+ - A hardcoded API key, token, or secret found in service state or a `linkedSignal` default/computation — HIGH severity, immediate escalation, regardless of scope.
37
+
38
+ ## When to push back
39
+
40
+ Push back if the user asks to:
41
+
42
+ - replace a `linkedSignal` that has a real manual-override requirement with a plain `computed()` "to simplify" — that removes a capability the component actually needs, it doesn't simplify anything,
43
+ - move a service to `providedIn: 'root'` or split it into a component-provided instance without evidence of the actual lifetime/sharing requirement — that is a behavioral change being requested as if it were a style fix,
44
+ - expose a service's internal mutable signal directly (without `.asReadonly()` or an encapsulating method) "to save a line" — that removes the ownership boundary the review is meant to protect.
45
+
46
+ That is not simplification. It is removing the guardrail the finding exists to establish.
@@ -0,0 +1,99 @@
1
+ # Review workflow and findings contract
2
+
3
+ Use this reference for the full Signals-architecture review procedure and the required output shape.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > `effect()` is the reactive hook, so use it whenever a value should update when something else changes. `computed()` is just a lighter-weight version of the same idea.
10
+
11
+ Wrong. Angular's own guidance draws a hard line: `computed()` is for **derived state** — it is lazily evaluated, memoized, and must be pure. `effect()` is for **syncing signal state to non-reactive, imperative APIs** (logging, `window.localStorage`, custom DOM behavior, third-party UI library integration) — not for propagating state changes between signals. Angular's docs are explicit that using effects to propagate state changes "can lead to `ExpressionChangedAfterItHasBeenChecked` errors, infinite circular updates, or unnecessary change detection cycles." Treating `effect()` as a generic "run this when that changes" tool, rather than checking whether the callback is actually a side effect on a non-reactive API, is the single most common Signals-architecture defect.
12
+
13
+ The second most common mistake: assuming every component that hasn't adopted `ChangeDetectionStrategy.OnPush` is behind on best practice. Signals do not require OnPush to function correctly — they improve the precision of change detection either way. Recommending OnPush without checking whether the component relies on implicit mutation-based update paths (rather than signal reads, `async` pipe, or explicit `markForCheck()`) produces broken advice, not an optimization.
14
+
15
+ ## Source priority reminder
16
+
17
+ Per the official Angular `angular-developer` skill (github.com/angular/skills), idiomatic modern Angular is Signals-first: prefer `signal`/`computed`/`linkedSignal`/`resource` for state, modern control flow (`@if`/`@for`/`@switch`), standalone components by default, and `inject()` + `providedIn: 'root'` for DI. The official skill also notes that Angular best practices vary significantly by version, so it analyzes the Angular version first — the same version-first discipline this workflow enforces in step 1. Treat that official skill (confirmed against the repo's pinned `angular_dev` major) as the authority on which primitive is idiomatic; use the rules below only to decide what to FLAG when code deviates.
18
+
19
+ ## Workflow
20
+
21
+ 1. **Confirm the Angular major version**
22
+ - Read `package.json` for the installed `@angular/core` version before evaluating any Signals-API claim (`linkedSignal`, `afterRenderEffect`, `@Service` decorator, `provideZonelessChangeDetection`) — these landed at different points across v16–v22.
23
+
24
+ 2. **Classify each reactive primitive in scope**
25
+ - `signal(...)` — mutable state.
26
+ - `computed(...)` — derived, read-only, must be pure, lazily evaluated and memoized per Angular's docs.
27
+ - `effect(...)` — side effect on a non-reactive API; requires an injection context.
28
+ - `linkedSignal(...)` — dependent, resettable derived state that can also be manually `.set()` (see `references/linked-signal-and-di-boundaries.md`).
29
+
30
+ 3. **Check `computed()` purity**
31
+ - Read every `computed()` callback. Flag any signal write, DOM mutation, HTTP call, or logging call inside it as a HIGH-severity purity violation — computed callbacks may re-run any number of times (or not at all, if never read) and must not have observable side effects.
32
+
33
+ 4. **Check whether each `effect()` is a genuine side effect**
34
+ - Ask: does this callback interact with a non-reactive, imperative API (DOM, storage, third-party library, logging)? If yes, it's a legitimate use.
35
+ - If the callback only computes a value and writes it into another signal with no other side effect, it is state propagation through an effect — recommend `computed()` (pure derivation) or `linkedSignal()` (derived-but-resettable state) instead, citing the specific Angular guidance against using effects for state propagation.
36
+ - Confirm the `effect()` call site has an injection context (component/directive/service constructor, or an explicit `Injector` in options). Flag a missing injection context as a correctness bug.
37
+ - Check for signal reads after an `await` inside the effect callback — the reactive context does not survive an async boundary, so those reads are untracked and the effect will not re-run when they change. Flag this as a correctness bug, not a style note.
38
+
39
+ 5. **Check change-detection strategy**
40
+ - Note whether each component in scope declares `changeDetection: ChangeDetectionStrategy.OnPush`.
41
+ - If a Signals-adopting component is still on the default strategy, check whether it relies on implicit mutation-based updates (direct property mutation observed via Zone.js, not signal reads or `async` pipe) that OnPush would silently break.
42
+ - If no such reliance is found, flag as a MEDIUM missed-performance-opportunity finding — not a defect.
43
+
44
+ 6. **Check service/DI boundaries**
45
+ - For services holding cross-cutting mutable state, confirm there is a documented (or at least inferable-from-code) ownership model: who writes, who reads, what the lifetime is.
46
+ - Do not prescribe a specific DI scope (`providedIn: 'root'` vs component-provided) without evidence of the actual sharing/lifetime requirement — see `references/linked-signal-and-di-boundaries.md` when this is in scope.
47
+
48
+ 7. **Produce ranked findings**
49
+ - Order by blast radius: correctness bugs (purity violations, missing injection context, untracked post-await reads, leaked secrets) first, then reactive-graph design defects (effect-as-computed misuse), then lower-severity notes (missed OnPush opportunity, DI-ownership documentation gaps).
50
+
51
+ ## Decision tree
52
+
53
+ - `computed()` callback has **any side effect** (signal write, DOM mutation, HTTP call) → HIGH finding: purity-contract violation. Fix: move the side effect into an `effect()`, keep `computed()` pure.
54
+ - `effect()` callback **only derives and stores** a value with no genuine side effect (no DOM/logging/storage/third-party sync) → MEDIUM finding: recommend `computed()` (if the value doesn't need manual override) or `linkedSignal()` (if it does).
55
+ - `effect()` **reads a signal after an `await`** → HIGH finding: untracked dependency, effect will not re-run correctly.
56
+ - `effect()` call site has **no resolvable injection context** → HIGH finding: correctness bug (Angular requires an injection context or explicit `Injector`).
57
+ - Component uses **signal-based state but Default change-detection strategy**, and does **not** rely on implicit mutation-based updates → MEDIUM finding: missed OnPush opportunity, not a block.
58
+ - Component uses **signal-based state but Default strategy**, and **does** rely on implicit mutation-based updates that OnPush would break → do not recommend OnPush without also flagging the mutation-based update paths that must be migrated first; treat as a scoped follow-up, not an inline fix.
59
+ - Service holds cross-cutting mutable state with **no ownership model evident from the code** → LOW/MEDIUM finding: request explicit ownership documentation; do not prescribe a DI scope change without more evidence.
60
+
61
+ ## Output contract
62
+
63
+ Return:
64
+
65
+ 1. Component(s)/service(s)/files in scope
66
+ 2. Ranked findings, each with:
67
+ - file:line evidence
68
+ - primitive-misuse category (purity violation / derivation-via-effect / injection-context error / untracked-post-await read / missed-OnPush-opportunity / DI-ownership gap)
69
+ - concrete fix sketch (e.g. "move to `computed()`", "add `Injector` option", "confirm no implicit-mutation reliance before adding OnPush")
70
+ - severity (HIGH / MEDIUM / LOW)
71
+ - evidence level (`repo evidence`, `documentation-based`, `inference`)
72
+ 3. Verdict: approve / approve-with-notes / block
73
+ 4. Open questions or explicitly out-of-scope items (e.g. zoneless migration recommendation excluded by design, unconfirmed Angular major version, SSR/hydration concerns deferred to `angular-ssr-hydration-review`)
74
+
75
+ ## Validation gates
76
+
77
+ - Every Signals-semantics claim cites the version-matched Angular docs (via Context7 `query-docs` against the confirmed major, or `metadata.json` `official_docs` with an "unverified against current release" label if Context7 is unavailable).
78
+ - Every "`computed()` must be pure" finding shows the specific side effect present in the callback — no bare assertion.
79
+ - No finding recommends a blanket OnPush migration across the whole app in one review — scope findings to the files actually under review.
80
+ - No finding recommends removing Zone.js or adopting `provideZonelessChangeDetection` — that is out of scope by design.
81
+
82
+ ## Common failure modes
83
+
84
+ - Treating every `effect()` as wrong. `effect()` is correct for genuine side effects (logging, DOM sync, `localStorage` writes, third-party UI library integration) — Angular's docs list these as the intended use cases.
85
+ - Missing that `linkedSignal` is intentionally different from `computed` — it exists specifically for resettable derived state that can also be manually overridden (e.g. a selected shipping option that resets when the options list changes but can also be user-set); do not flag `linkedSignal` usage as "should be `computed`" without checking whether manual override is a real requirement.
86
+ - Assuming OnPush is always strictly better without checking for other change-detection triggers the component relies on — `async` pipe subscriptions and signal reads still work under OnPush, but manual property mutation observed only via Zone.js does not trigger a check under OnPush.
87
+ - Recommending a DI-scope change (root vs component-provided) as a drive-by note without evidence of the actual lifetime/sharing requirement.
88
+
89
+ ## Adversarial checklist
90
+
91
+ Before finalizing a finding, answer these:
92
+
93
+ - Does any `computed()` callback perform a side effect (write, log, HTTP call, DOM mutation)?
94
+ - Is an `effect()` actually necessary, or does it just compute-and-store a value that `computed()` (or `linkedSignal()`) should own?
95
+ - Is the Signals-API claim (e.g. `linkedSignal` availability, `@Service` decorator) checked against this repo's actual Angular version, not assumed from the latest docs?
96
+ - Would switching this component to OnPush break any implicit mutation-based update path it currently relies on?
97
+ - Does the `effect()` read any signal after an `await`, silently breaking its reactive tracking?
98
+
99
+ If any answer is "not sure," lower the finding's confidence and label the evidence level accordingly — do not present it as a confirmed defect.
@@ -0,0 +1,77 @@
1
+ ---
2
+ name: angular-ssr-hydration-review
3
+ description: Statically review Angular SSR bootstrap configuration and component templates for hydration-mismatch risk (NG0500-class errors), unjustified ngSkipHydration usage, and direct-DOM-manipulation patterns that bypass Angular's template-owned DOM model, grounded in Angular's own hydration guide and error catalog.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: architecture
10
+ ---
11
+
12
+ # Angular SSR & Hydration Review
13
+
14
+ ## Purpose
15
+
16
+ Review Angular server-side-rendered bootstrap configuration and component templates for hydration-mismatch risk without re-litigating Signals/change-detection architecture, RxJS-only legacy code, or a full zoneless-migration plan in every response. This skill exists so hydration correctness — whether the DOM Angular produces on the client actually matches the DOM the server sent, per Angular's own reconciliation model — stays a focused, verifiable review instead of a vague "SSR looks fine" pass.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review an SSR-enabled Angular app before or after enabling `provideClientHydration()`,
23
+ - diagnose a reported flash-of-unstyled-content / re-render-on-load symptom consistent with a hydration mismatch,
24
+ - assess whether a component's direct DOM manipulation is hydration-safe,
25
+ - review existing `ngSkipHydration` usage for justification and tech-debt tracking,
26
+ - confirm i18n-block hydration is correctly configured (`withI18nSupport()`).
27
+
28
+ Do not use this skill for:
29
+
30
+ - a purely client-rendered (non-SSR) Angular app with no SSR bootstrap/`provideClientHydration()` configuration — hydration concerns do not apply,
31
+ - general Signals/change-detection/DI architecture review with no SSR dimension — use `angular-architecture-signals-review` instead.
32
+
33
+ ## Source priority (official Angular skills first)
34
+
35
+ Consult sources in this fixed order, and label findings by which layer they draw from:
36
+
37
+ 1. **The official Angular team's `angular-developer` skill** ([github.com/angular/skills](https://github.com/angular/skills/tree/main/angular-developer)) is the AUTHORITATIVE primary source for idiomatic Angular SSR/hydration — `provideClientHydration()`, `withI18nSupport()`, `withEventReplay()`, incremental hydration, and template-driven (Angular-owned) DOM. Prefer its idioms over memory.
38
+ 2. **Context7 `angular_dev` docs** (`/websites/angular_dev`, or the version-pinned `/websites/v20_angular_dev`) confirm hydration-feature availability and the NG0500 mechanism against the repo's pinned `@angular/core` major (read `package.json` first) — hydration support landed and matured incrementally, so the official skill states the modern shape and the versioned docs confirm it applies to THIS repo's major.
39
+ 3. **This skill's static-review judgment** (hydration-mismatch detection, SSR-path-vs-browser-guarded classification, `ngSkipHydration` tech-debt rules, sanitization-bypass detection, pre-hydration accessibility checks) is the review layer applied ON TOP of 1 and 2.
40
+
41
+ Where guidance conflicts: the official Angular `angular-developer` skill + version-matched `angular_dev` docs WIN on "what is idiomatic Angular" (correct hydration setup and the recommended fix shape). THIS skill governs "what to flag in review" (which DOM-mutation, `ngSkipHydration`, i18n, or sanitization patterns rise to a HIGH/MEDIUM finding and why). Never let this skill's flagging override an idiom the official skill and pinned docs endorse; conversely, an idiom being official does not exempt a concrete hydration-mismatch or sanitization-bypass defect from being flagged.
42
+
43
+ ## Context7 Documentation Protocol
44
+
45
+ - Resolve the Angular library ID with `resolve-library-id` (matched result: `/websites/angular_dev` or the version-pinned `/websites/v20_angular_dev` when the repo's confirmed major is known) before citing any hydration-mechanism or error-code claim.
46
+ - Before classifying a DOM-manipulation pattern as hydration-breaking, call `query-docs` against the repo's confirmed Angular major (read `package.json` — `@angular/core` — first) for `hydration`, `NG0500`, and `provideClientHydration`, and cite the doc section. The set of hydration-incompatible patterns is documented precisely by Angular (native `insertBefore`/`createElement`/`innerHTML`/`outerHTML` inside the reconciled tree) and is not safely inferable from general React/Vue hydration knowledge — the mechanisms differ.
47
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
48
+ - Do not assume a hydration feature (`withI18nSupport`, `withEventReplay`, incremental hydration) is available or behaves identically across Angular majors without confirming the version — hydration support landed and matured incrementally.
49
+
50
+ ## Lean operating rules
51
+
52
+ - First confirm SSR/hydration is actually configured: find `provideClientHydration(...)` in the bootstrap providers (`app.config.ts` / `main.server.ts` or equivalent). If it is absent, do not review the app as a hydration-mismatch problem — flag the larger finding that the app is not hydrating at all (full client remount on load), which is a different and more consequential issue than a mismatch.
53
+ - Classify every native DOM API call found (`document.createElement`, `.insertBefore`, `.appendChild`, `.removeChild`, `innerHTML`, `outerHTML`, direct `ElementRef.nativeElement` mutation) by whether it executes inside an SSR-rendered code path or is guarded to browser-only execution. A call guarded by `isPlatformBrowser(...)` (or an equivalent browser-only lifecycle boundary) that only runs after hydration completes is not a hydration-mismatch risk — do not flag it as one.
54
+ - Any native DOM mutation of a node inside the component's own reconciled template tree that runs during the SSR-rendered path is a hydration-mismatch risk matching Angular's documented NG0500 mechanism: Angular loses track of what the server actually rendered at that position and looks for the wrong node during reconciliation. Cite the specific call site and the specific NG0500 mechanism it matches — never assert "this may cause a mismatch" without naming the mechanism.
55
+ - Never recommend `ngSkipHydration` as the fix for a hydration-mismatch finding. Angular's own guidance frames it as a last-resort/temporary workaround (e.g. for third-party DOM-manipulating libraries), not a solution — it causes the component and its children to skip reconciliation and re-render from scratch, which is exactly the SSR-defeating behavior the review exists to catch. The default fix recommendation is refactoring the mutation to be template-driven (Angular-owned DOM creation) or, when the mutation is genuinely display-only DOM Angular does not need to reconcile, isolating it behind a browser-only guard.
56
+ - Treat every existing `ngSkipHydration` usage found in scope as a finding requiring a linked justification (comment or tracked issue reference). An unjustified `ngSkipHydration` is a MEDIUM tech-debt finding, not automatically a blocker — it silently disables hydration reconciliation for that component and its children with no record of why.
57
+ - If the app renders i18n blocks (`i18n` template attributes, `$localize`) and hydration is enabled, confirm `withI18nSupport()` is present in the `provideClientHydration(...)` call per Angular's documented default (Angular skips hydration for i18n-block components without it, causing an unrecorded re-render-from-scratch). Flag its absence as a MEDIUM hydration finding.
58
+ - SSR-rendered, pre-hydration content must remain accessible on its own — do not treat WCAG conformance as a post-hydration-only concern. If pre-hydration markup (what the server actually sends) drops accessible names, landmark structure, or focus order that the post-hydration DOM restores, flag it: users on slow connections or with assistive tech querying the DOM before hydration completes are affected by the pre-hydration state, not just the final one.
59
+ - Treat any native DOM insertion of dynamic, user-influenced string content (`innerHTML`, `outerHTML`, or an equivalent native-API string-injection call) as a HIGH-severity finding on two independent axes simultaneously: the hydration-mismatch risk described above, and a bypass of Angular's built-in sanitization pipeline (Angular's template bindings sanitize `[innerHTML]`; direct native DOM API calls do not) — an XSS-class finding. Report both; do not fold one into the other or drop either.
60
+ - Never execute, build, or run application code as part of this review; this is a static-review skill (Read/Grep/Glob only).
61
+
62
+ ## References
63
+
64
+ Load these only when needed:
65
+
66
+ - [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the SSR-rendered-vs-browser-guarded decision tree, and the required output shape.
67
+ - [i18n, event replay, and third-party DOM libraries](references/i18n-event-replay-and-third-party-libs.md) — load only when the diff includes i18n blocks, `withEventReplay()` configuration, or a third-party library known to perform direct DOM manipulation (e.g. D3, chart libraries, non-Angular widget wrappers).
68
+
69
+ ## Response minimum
70
+
71
+ Return, at minimum:
72
+
73
+ - the component(s)/bootstrap file(s) in scope, and whether `provideClientHydration()` is confirmed present,
74
+ - ranked findings with file:line evidence, hydration-mechanism category (SSR-path native DOM mutation / unjustified ngSkipHydration / missing i18n hydration support / pre-hydration accessibility gap / sanitization-bypass-plus-hydration-risk), and a concrete fix sketch defaulting to template-driven DOM per finding,
75
+ - evidence level per finding (`repo evidence`, `documentation-based`, or `inference`),
76
+ - verdict (approve / approve-with-notes / block),
77
+ - open questions or explicitly out-of-scope items (e.g. Signals/change-detection concerns deferred to `angular-architecture-signals-review`, hydration not configured at all so mismatch review does not apply).
@@ -0,0 +1,28 @@
1
+ {
2
+ "id": "angular-ssr-hydration-review",
3
+ "name": "Angular SSR & Hydration Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews Angular SSR bootstrap configuration and component templates for hydration-mismatch risk (NG0500-class errors), unjustified ngSkipHydration usage, and direct-DOM-manipulation patterns that bypass Angular's template-owned DOM model, using Angular's own hydration guide and error catalog loaded progressively and grounded via Context7 against the repo's confirmed Angular version.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://github.com/angular/skills/tree/main/angular-developer",
18
+ "https://angular.dev/guide/hydration",
19
+ "https://angular.dev/errors/NG0500",
20
+ "https://angular.dev/api/platform-browser/provideClientHydration",
21
+ "https://www.w3.org/WAI/WCAG22/quickref/"
22
+ ],
23
+ "security_notes": "Direct DOM manipulation combined with dynamic string content (innerHTML-equivalent native calls) bypasses Angular's built-in sanitization pipeline -- treat any such pattern touching user-influenced data as an XSS-class finding, escalated to HIGH, in addition to the hydration-correctness finding. Static-review-only skill: it reads and greps bootstrap configuration and component source but never executes, builds, or runs application code.",
24
+ "last_verified": "2026-07-02",
25
+ "path": "skills/frontend/angular-ssr-hydration-review",
26
+ "author": "github: Raishin",
27
+ "version": "0.1.0"
28
+ }
@@ -0,0 +1,50 @@
1
+ # i18n, event replay, and third-party DOM libraries
2
+
3
+ > Load this reference only when the diff under review includes i18n blocks, `withEventReplay()` configuration, or a third-party library known to perform direct DOM manipulation (e.g. D3, chart libraries, non-Angular widget wrappers).
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story on i18n:
8
+
9
+ > Hydration is hydration — if `provideClientHydration()` is configured, every component hydrates, including ones using i18n blocks.
10
+
11
+ Wrong. Angular's own hydration guide states its default plainly: "By default, Angular skips hydration for components using i18n blocks, causing them to re-render from scratch." `provideClientHydration()` alone does not cover i18n content — it requires the explicit `withI18nSupport()` feature. A review that confirms `provideClientHydration()` is present and stops there, without checking i18n-block components specifically, will miss that those components are silently falling back to full client re-render even though hydration "looks" enabled.
12
+
13
+ The naive story on third-party libraries:
14
+
15
+ > If a third-party library breaks hydration, that's a library bug — nothing to do at the integration layer except wait for a fix.
16
+
17
+ Incomplete. Angular's own guidance names this exact class of problem and gives the sanctioned mitigation: "Third-party libraries that rely on direct DOM manipulation, such as D3 charts, might cause DOM mismatch errors with hydration enabled. If you encounter such issues, applying the `ngSkipHydration` attribute to the component rendering the library can serve as a workaround." This is the one context where `ngSkipHydration` is Angular's own documented recommendation — but it is still scoped as a workaround for a specific, named class of problem (uncontrolled third-party DOM manipulation), not a general-purpose fix for any hydration mismatch, including ones caused by the application's own code.
18
+
19
+ ## Source priority reminder
20
+
21
+ Per the official Angular `angular-developer` skill (github.com/angular/skills), the idiomatic SSR/hydration setup is `provideClientHydration()` with the opt-in features (`withI18nSupport()`, `withEventReplay()`, incremental hydration) added as the app requires them, and DOM ownership kept template-driven. Treat that official skill (confirmed against the repo's pinned `angular_dev` major) as the authority on the correct hydration configuration and the recommended fix shape; use the rules below only to decide what to FLAG when code deviates.
22
+
23
+ ## i18n hydration review rules
24
+
25
+ - Confirm `withI18nSupport()` is present in the `provideClientHydration(...)` call whenever the codebase uses `i18n` template attributes or `$localize` anywhere in scope. Its absence is a MEDIUM finding: those components silently re-render from scratch, which is a real (if less severe) SSR-benefit loss, not a hard error.
26
+ - Do not assume `withI18nSupport()` is a no-op addition — confirm the Angular major version supports it (check `package.json` for `@angular/core`, then verify against Context7 `query-docs` for the confirmed version) before recommending it as a one-line fix.
27
+ - If `withI18nSupport()` is present, do not separately flag i18n-block components as hydration-risky purely for using i18n — the feature exists specifically to make that safe.
28
+
29
+ ## Third-party DOM library review rules
30
+
31
+ - When a component wraps a library known to perform direct DOM manipulation outside Angular's control (charting libraries, D3-based visualizations, non-Angular widget wrappers, map libraries), and that component shows an `ngSkipHydration` usage, treat the usage as the Angular-sanctioned workaround for this specific case — do not flag it with the same severity as an unjustified `ngSkipHydration` elsewhere in the app. Still require the justification comment/issue link (per the main workflow's tech-debt rule) so the workaround is tracked and revisited if the library adds hydration-safe integration later.
32
+ - Do not recommend removing `ngSkipHydration` from a genuine third-party-DOM-manipulation component without first confirming the library itself no longer performs uncontrolled native DOM mutation in the version pinned in the repo — removing the guard prematurely reintroduces the exact NG0500-class mismatch it exists to prevent.
33
+ - If a component wraps a third-party library but the library's DOM manipulation is confined to a container element genuinely outside Angular's reconciled tree (e.g. the library owns a `<div>` marked with `ngSkipHydration` and Angular does not attempt to reconcile anything inside it), do not also flag the library's internal DOM calls as separate hydration-mismatch findings — the `ngSkipHydration` boundary already scopes that correctly, per Angular's own guidance.
34
+ - Distinguish a third-party library's DOM manipulation from the *hosting component's own* unguarded native DOM calls. `ngSkipHydration` on the wrapper does not excuse unrelated unguarded DOM manipulation the application's own code performs elsewhere in the same component outside the library-owned region — evaluate those against the main workflow's SSR-path rules independently.
35
+
36
+ ## Event replay review rules
37
+
38
+ - `withEventReplay()` captures user interactions (clicks, and other supported native events) that occur before hydration completes and replays them once hydration finishes, per Angular's documented behavior. Its presence does not change hydration-mismatch risk — it changes interaction responsiveness during the hydration window. Do not conflate a missing `withEventReplay()` with a hydration-mismatch finding; it is a UX/responsiveness consideration, not a correctness one.
39
+ - If incremental hydration is configured, note that event replay is automatically active per Angular's documented behavior — do not flag `withEventReplay()` as separately required in that configuration.
40
+ - If the review scope includes a reported "clicks are lost/ignored right after page load" symptom (as opposed to a visual mismatch/flash symptom), treat that as a `withEventReplay()` gap, not an NG0500-class hydration-mismatch finding — the two symptom classes map to different mechanisms and different fixes.
41
+
42
+ ## When to push back
43
+
44
+ Push back if the user asks to:
45
+
46
+ - add `ngSkipHydration` to a component whose native DOM manipulation is the **application's own** unguarded code (not a third-party library boundary) "to make the error go away" — that suppresses the mismatch symptom while leaving the app fully re-rendering that component on every load, which is the outcome the review exists to prevent,
47
+ - skip confirming `withI18nSupport()` because "hydration is already enabled" — the i18n feature is opt-in and separate from the base `provideClientHydration()` call, per Angular's own documented default,
48
+ - treat every third-party-library `ngSkipHydration` usage as pre-approved without a justification link — the mitigation being Angular-sanctioned for this class of problem does not exempt it from the tracking requirement the main workflow applies to all `ngSkipHydration` usage.
49
+
50
+ That is not a workaround. It is silently disabling the SSR benefit the review exists to protect.
@@ -0,0 +1,101 @@
1
+ # Review workflow and findings contract
2
+
3
+ Use this reference for the full SSR/hydration review procedure and the required output shape.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > Angular SSR just server-renders the HTML and then "boots up" on the client. Any DOM manipulation is fine as long as the app works.
10
+
11
+ Wrong. Once `provideClientHydration()` is configured, Angular does not throw away and re-render the server-sent DOM — it **reconciles** against it, walking the existing DOM tree and matching it node-for-node against what the client-side render would have produced, then attaching event listeners and internal state to the existing nodes instead of replacing them. Angular's own error documentation is explicit about the failure mode: when a native DOM API creates or moves a node inside that reconciled tree, "Angular has no information about" the new node, so it looks for the wrong node at that position and throws a hydration mismatch (NG0500). Treating "the app still renders correctly in the end" as proof hydration is safe misses that Angular may have already thrown, logged an error, or silently fallen back to a client-side re-render of the affected subtree — defeating the SSR investment even when the visible symptom is subtle (a flash, a layout shift, a slower Largest Contentful Paint).
12
+
13
+ The second common mistake: assuming a hydration review applies to any Angular app with server-rendering. It does not — SSR without `provideClientHydration()` configured still full-remounts on the client (Angular's pre-hydration behavior), so there is no reconciliation to break. Reviewing DOM-manipulation patterns as "hydration risks" in that context produces findings that don't apply; the actual finding is that the app isn't hydrating and is losing the SSR performance benefit entirely.
14
+
15
+ ## Workflow
16
+
17
+ 1. **Confirm hydration is actually configured**
18
+ - Search the bootstrap entry point (`app.config.ts`, `main.server.ts`, or equivalent `bootstrapApplication` call) for `provideClientHydration(...)` in the providers array.
19
+ - If absent, do not proceed with a mismatch-pattern review. Report the larger finding: SSR is configured but hydration is not, so the app fully re-renders client-side on every load. Stop the hydration-mismatch-specific checks; this is a different, higher-severity finding than any individual mismatch would be.
20
+ - Note the Angular major version from `package.json` (`@angular/core`) — hydration feature availability (`withI18nSupport`, `withEventReplay`, incremental hydration) differs by version.
21
+
22
+ 2. **Inventory native DOM API usage**
23
+ - Grep for `document.createElement`, `document.querySelector` combined with mutation, `.insertBefore`, `.appendChild`, `.removeChild`, `.replaceChild`, `innerHTML =`, `outerHTML =`, and direct `ElementRef.nativeElement` property/method access that mutates the DOM, across components, directives, and any structural (not purely cosmetic-class-toggle) DOM work.
24
+ - For each hit, capture the enclosing lifecycle hook or method (`ngOnInit`, `ngAfterViewInit`, a directive host binding, an event handler) — the lifecycle context determines whether the call can execute during the SSR-reconciled render path.
25
+
26
+ 3. **Classify each hit: SSR-path vs browser-guarded**
27
+ - If the call is wrapped in (or its containing method is only invoked from) an `isPlatformBrowser(...)` check, or is registered via `afterNextRender`/`afterRender` (Angular's documented browser-only render callbacks), and there is no reachable path for it to run during the reconciled initial render, classify it as **safe / post-hydration**. Do not flag it as a mismatch risk.
28
+ - If the call has no such guard and executes in a lifecycle hook that runs during SSR (e.g. unguarded `ngOnInit`, unguarded constructor logic), classify it as **SSR-path**. Continue to step 4.
29
+
30
+ 4. **Confirm the SSR-path hit actually touches the reconciled tree**
31
+ - Determine whether the mutated node is inside the component's own template-rendered subtree (the tree Angular reconciles) versus a node genuinely outside Angular's knowledge (e.g. a detached, never-inserted-into-the-DOM canvas element used purely as an offscreen buffer). Angular's own NG0500 example shows the failure mode precisely: inserting a native node as a sibling/child within the host element Angular is walking during reconciliation.
32
+ - If the mutated node is inside the reconciled tree → HIGH finding, cite the NG0500 mechanism, and check whether the mutation also injects dynamic/user-influenced string content (see the sanitization-bypass rule below).
33
+ - If the node is genuinely outside Angular's reconciled tree → not a hydration finding; note it only if relevant to a different concern (e.g. memory-leak risk from an unmanaged node).
34
+
35
+ 5. **Check for dynamic-content-plus-hydration double risk**
36
+ - If the flagged SSR-path native DOM mutation also sets `innerHTML`/`outerHTML` (or an equivalent native string-injection call) with data that is user-influenced (query params, form input, API response echoing user data, route params), report it as two findings: the hydration-mismatch finding from step 4, and a separate HIGH-severity sanitization-bypass finding — Angular's template bindings (`[innerHTML]`) sanitize by default, but direct native DOM API calls do not pass through that pipeline.
37
+
38
+ 6. **Audit existing `ngSkipHydration` usage**
39
+ - Grep for `ngSkipHydration` (as a host binding, template attribute, or `[ngSkipHydration]`/`host: {ngSkipHydration: 'true'}`).
40
+ - For each usage, look for an adjacent comment or a referenced tracked issue explaining why hydration is being skipped for that component. No justification → MEDIUM tech-debt finding. A justification tied to a known limitation (e.g. a third-party DOM-manipulating library — see `references/i18n-event-replay-and-third-party-libs.md`) → note it as acceptable but still worth a tracked-removal follow-up if the underlying library constraint might be resolved.
41
+
42
+ 7. **Check i18n hydration configuration**
43
+ - If the app uses `i18n` template attributes or `$localize`, confirm `withI18nSupport()` is present in the `provideClientHydration(...)` call. Its absence means i18n-block components silently skip hydration and re-render from scratch by Angular's documented default — flag as MEDIUM.
44
+
45
+ 8. **Check pre-hydration accessibility**
46
+ - Compare what the server actually sends (the pre-hydration markup) against what the fully-hydrated DOM exposes, for accessible names, landmark roles, and focus order on interactive elements in scope. If pre-hydration markup is missing accessibility structure that only appears after a client-side patch, flag it — assistive technology and slow-network users interact with the pre-hydration state, not just the final one.
47
+
48
+ 9. **Produce ranked findings**
49
+ - Order by blast radius: SSR-not-configured-at-all (if found in step 1, report this alone and stop), then SSR-path native DOM mutations touching the reconciled tree (HIGH, split into hydration + sanitization findings when both apply), then missing i18n hydration support and pre-hydration accessibility gaps (MEDIUM), then unjustified `ngSkipHydration` usage (MEDIUM tech-debt).
50
+
51
+ ## Decision tree
52
+
53
+ - `provideClientHydration()` **absent** from bootstrap providers → single overriding finding: app is not hydrating, full client remount on every load. Stop mismatch-specific review.
54
+ - Native DOM mutation **guarded to browser-only execution** (`isPlatformBrowser`, `afterNextRender`/`afterRender`) with no reachable SSR-path call → not a finding.
55
+ - Native DOM mutation **runs during the SSR-rendered path** and **mutates a node inside the component's reconciled template tree** → HIGH finding: hydration-mismatch risk matching the NG0500 mechanism. Fix: refactor to template-driven DOM creation (bind the content through the template instead of imperative node insertion); do not recommend `ngSkipHydration` as the fix.
56
+ - Same as above, **and** the mutation injects dynamic/user-influenced string content via `innerHTML`/`outerHTML` or equivalent → report both the HIGH hydration finding and a separate HIGH sanitization-bypass (XSS-class) finding.
57
+ - `ngSkipHydration` present with **no linked justification** → MEDIUM finding: request a comment or tracked issue; do not treat presence alone as disqualifying.
58
+ - i18n blocks present, hydration enabled, **`withI18nSupport()` absent** → MEDIUM finding per Angular's documented default behavior.
59
+ - Pre-hydration markup **missing accessible structure** present only post-hydration → finding at a severity proportional to the affected interaction (focus-order or landmark loss on a primary interactive flow → HIGH; a secondary/decorative region → MEDIUM).
60
+
61
+ ## Output contract
62
+
63
+ Return:
64
+
65
+ 1. Component(s)/bootstrap file(s) in scope, and whether `provideClientHydration()` is confirmed present (with file:line)
66
+ 2. Ranked findings, each with:
67
+ - file:line evidence
68
+ - hydration-mechanism category (SSR-path native DOM mutation / unjustified ngSkipHydration / missing i18n hydration support / pre-hydration accessibility gap / sanitization-bypass-plus-hydration-risk)
69
+ - concrete fix sketch defaulting to template-driven DOM (never `ngSkipHydration` as the fix)
70
+ - severity (HIGH / MEDIUM / LOW)
71
+ - evidence level (`repo evidence`, `documentation-based`, `inference`)
72
+ 3. Verdict: approve / approve-with-notes / block
73
+ 4. Open questions or explicitly out-of-scope items (e.g. Signals/change-detection concerns deferred to `angular-architecture-signals-review`, hydration not configured so mismatch review does not apply, unconfirmed Angular major version)
74
+
75
+ ## Validation gates
76
+
77
+ - Every hydration-mismatch claim names the specific native DOM call and the specific NG0500 mechanism it matches, version-matched to the repo's confirmed Angular major — no bare "this may cause a mismatch."
78
+ - Every `ngSkipHydration` finding states explicitly whether a justification (comment or tracked issue) is present.
79
+ - No finding recommends `ngSkipHydration` as the resolution to a hydration-mismatch finding — the fix recommendation defaults to template-driven DOM refactoring.
80
+ - No finding claims a mismatch "will happen" without confirming the mutation executes on the SSR-rendered path (not behind an `isPlatformBrowser`/`afterNextRender` guard).
81
+
82
+ ## Common failure modes
83
+
84
+ - Flagging DOM manipulation that only executes inside an `isPlatformBrowser(...)` guard or an `afterNextRender`/`afterRender` callback as a hydration risk — those are Angular's documented browser-only execution points and do not participate in SSR reconciliation.
85
+ - Missing that `provideClientHydration()` itself is entirely absent, and reviewing the app for mismatch patterns anyway — when hydration isn't configured, there's nothing to reconcile, and the real finding (full client remount, no SSR benefit realized) is larger and different from any individual mismatch.
86
+ - Recommending `ngSkipHydration` as a fix rather than a last-resort workaround — it silently disables reconciliation for the component and its children, which is the SSR-defeating outcome the review exists to prevent.
87
+ - Assuming WCAG/accessibility requirements apply only to the final, fully-hydrated DOM — the server-rendered, pre-hydration markup is what users on slow connections or assistive technology querying early actually receive.
88
+ - Treating a hydration-mismatch finding and a sanitization-bypass finding as the same finding when both apply to one `innerHTML`-equivalent native call — they are independent risks (DOM-reconciliation correctness vs. XSS) and both must be reported.
89
+
90
+ ## Adversarial checklist
91
+
92
+ Before finalizing a finding, answer these:
93
+
94
+ - Is `provideClientHydration()` actually present in the bootstrap providers, or is "hydration" being reviewed on an app that never configured it?
95
+ - Does the flagged native DOM manipulation occur inside an SSR-rendered code path, or is it guarded to browser-only execution (`isPlatformBrowser`, `afterNextRender`/`afterRender`)?
96
+ - Does every `ngSkipHydration` usage in scope have a linked justification (comment or tracked issue)?
97
+ - Is dynamic content ever inserted via a native `innerHTML`/`outerHTML`-equivalent call on user-influenced data — and if so, has both the hydration risk and the XSS risk been reported as separate findings?
98
+ - Is the NG0500 mechanism claim matched to this repo's actual confirmed Angular version, not assumed from the latest docs?
99
+ - Does the pre-hydration (server-sent) markup, not just the final hydrated DOM, retain the accessibility structure being evaluated?
100
+
101
+ If any answer is "not sure," lower the finding's confidence and label the evidence level accordingly — do not present it as a confirmed defect.
@@ -0,0 +1,69 @@
1
+ ---
2
+ name: angular-template-sanitizer-security-review
3
+ description: Statically review Angular templates and components for injection via DomSanitizer bypass calls (bypassSecurityTrustHtml, bypassSecurityTrustUrl, bypassSecurityTrustResourceUrl), unsanitized [innerHTML] bindings, and dynamically bound iframe security attributes such as [attr.sandbox], grounded in Angular's own sanitizer and NG0910 documentation.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-03"
9
+ category: security
10
+ ---
11
+
12
+ # Angular Template Sanitizer Security Review
13
+
14
+ ## Purpose
15
+
16
+ Review Angular templates, components, and their data-flow for the documented injection classes Angular's own sanitizer architecture is built to catch, and that are only unsafe when application code deliberately or accidentally routes around it: `DomSanitizer` bypass calls (`bypassSecurityTrustHtml`, `bypassSecurityTrustUrl`, `bypassSecurityTrustResourceUrl`) fed by user-reachable input, unsanitized `[innerHTML]` bindings, and dynamically bound iframe security attributes such as `[attr.sandbox]` that Angular's own NG0910 check exists to reject. This skill exists so the review stays anchored to these documented, concrete sinks instead of drifting into a general "Angular code review" — it does not re-litigate change detection, signals architecture, or component design in every response.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review whether a `bypassSecurityTrustHtml`, `bypassSecurityTrustUrl`, or `bypassSecurityTrustResourceUrl` call is safe,
23
+ - assess whether an `[innerHTML]` binding is safe,
24
+ - review an `<iframe>` embed for a dynamically bound security attribute (`[attr.sandbox]`, `[sandbox]`, `[attr.allow]`, `[attr.credentialless]`) or an NG0910 error,
25
+ - perform a pre-launch security review of Angular templates that render user- or third-party-supplied content.
26
+
27
+ Do not use this skill for:
28
+
29
+ - Angular architecture review with no security angle (signals usage, change-detection strategy, component decomposition quality) — use `angular-architecture-signals-review` instead,
30
+ - SSR/hydration-specific defects (`TransferState` leakage, hydration mismatches) — use `angular-ssr-hydration-review` instead,
31
+ - a bug that requires live traffic reproduction (a captured XSS payload in a running app, a browser-based exploit proof) to confirm exploitation — static analysis proves the structural risk, not that it has already been exploited in production.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ - Resolve the Angular library ID with `resolve-library-id` (matched result: `/angular/angular`) before citing any sanitizer-mechanism or NG0910 claim.
36
+ - `/angular/angular` is Angular's own source-and-docs repository (high reputation, corroborated against `packages/platform-browser/src/security/dom_sanitization_service.ts`, `packages/core/src/sanitization/html_sanitizer.ts`, `packages/core/src/render3/instructions/shared.ts`, and `adev/src/content/reference/errors/NG0910.md`). Use `query-docs` against it to confirm low-level sanitizer mechanics directly from source: that `bypassSecurityTrustHtml` (and its URL/resource-URL siblings) mark a value trusted so `sanitize()` skips the HTML/URL sanitizer and returns the value unchanged, that property bindings like `[innerHTML]` accept a compiler-added sanitizer function that only risky properties receive, and that text interpolation instead calls `renderer.setValue()` on a text node — a path that never parses HTML and needs no sanitizer.
37
+ - Before flagging a `[attr.sandbox]`/`[sandbox]`/`[attr.allow]`/`[attr.credentialless]` binding, confirm Angular's own NG0910 check: these attributes are documented as required to be static (fixed at element-creation time) because they configure the iframe's security model before `src`/`srcdoc` load — a dynamic binding either throws NG0910 in dev or, if that check is suppressed, lets a runtime value weaken the sandbox.
38
+ - Read the component's imports first to confirm `DomSanitizer` (from `@angular/platform-browser`) is actually in use before assuming a bypass call exists — do not assume a project uses the bypass APIs without confirming the import and call site.
39
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
40
+
41
+ ## Lean operating rules
42
+
43
+ - Injection findings default to HIGH severity. This is a security-scoped skill: do not downgrade an untraced `bypassSecurityTrustHtml`/`bypassSecurityTrustUrl`/`bypassSecurityTrustResourceUrl` call or an unsanitized `[innerHTML]` binding to MEDIUM just because it has not been observed exploited yet — the risk is in the structure, not in whether someone has already hit it.
44
+ - Trace every finding to a concrete file:line and a concrete data-flow path. A finding that says "this bypass call might be unsafe" or "this innerHTML might be risky" without showing the specific origin (route param, query string, request body, or a third-party API response that itself echoes user input) and the specific sink is not a valid finding — it is a guess.
45
+ - Do not approve any `bypassSecurityTrustHtml`, `bypassSecurityTrustUrl`, or `bypassSecurityTrustResourceUrl` call whose input includes user-reachable data unless the trace shows the value was validated or sanitized on that exact path before the bypass call — the bypass APIs are intentional escape hatches from Angular's compiler-driven sanitization, not accidental gaps, so their mere presence is not evidence of prior review.
46
+ - Do not approve an `[innerHTML]` binding fed by user-reachable input unless a named sanitizer call (e.g., `DomSanitizer.sanitize(SecurityContext.HTML, ...)`, or a project-specific equivalent) is visibly present on that exact data-flow path. A sanitizer import existing elsewhere in the codebase does not clear this bar — trace the specific path under review.
47
+ - Flag any `[attr.sandbox]`, `[sandbox]`, `[attr.allow]`, or `[attr.credentialless]` binding on an `<iframe>` as a finding regardless of whether NG0910 is currently thrown in the reviewed environment — a suppressed or bypassed dev-mode check does not make the underlying dynamic-security-attribute pattern safe in production.
48
+ - Check dynamic `[href]`/`[src]` bindings fed through `bypassSecurityTrustUrl`/`bypassSecurityTrustResourceUrl` for scheme validation (an allowlist rejecting `javascript:` and other non-`http(s)` schemes) on the traced path before the bypass call — the bypass call itself performs no validation.
49
+ - Never execute, build, or run application code, and never send live requests, as part of this review; this is a static-review skill (Read/Grep/Glob only).
50
+ - Load only the reference needed for the concern in scope.
51
+
52
+ ## References
53
+
54
+ Load these only when needed:
55
+
56
+ - [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the sanitizer-bypass/innerHTML/iframe decision tree, and the required output shape.
57
+ - [DomSanitizer bypass calls and innerHTML](references/sanitizer-bypass-and-innerhtml.md) — load only when the review scope includes a `bypassSecurityTrustHtml`/`bypassSecurityTrustUrl`/`bypassSecurityTrustResourceUrl` call or an `[innerHTML]` binding. Includes the OWASP XSS grounding reference; load that citation only when a finding is actually present.
58
+ - [Dynamic iframe security attributes](references/iframe-security-attributes.md) — load only when the review scope includes an `<iframe>` element with a bound `sandbox`, `allow`, or `credentialless` attribute, or a reported NG0910 error.
59
+
60
+ ## Response minimum
61
+
62
+ Return, at minimum:
63
+
64
+ - the component(s), template binding(s), and/or `DomSanitizer` call site(s) in scope,
65
+ - ranked findings with file:line evidence, defect category (`xss`, `url-injection`, or `iframe-sandbox-escape`), the concrete data-flow trace (origin-to-sink path naming every hop), and a fix sketch matching Angular's documented pattern,
66
+ - for every bypass call or `[innerHTML]` finding, an explicit statement of whether validation or sanitization is present on the traced path — never approve on the assumption one exists elsewhere,
67
+ - evidence level per finding (`repo evidence`, `documentation-based`, or `inference`), with structural risk findings explicitly labeled as structural risk, not as confirmed-exploited,
68
+ - verdict (approve / approve-with-notes / block),
69
+ - open questions or scope the review could not cover (e.g., "confirming actual exploitation requires a live payload test in a running browser session, not static review").
@@ -0,0 +1,27 @@
1
+ {
2
+ "id": "angular-template-sanitizer-security-review",
3
+ "name": "Angular Template Sanitizer Security Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews Angular templates and components for injection via DomSanitizer bypass calls (bypassSecurityTrustHtml, bypassSecurityTrustUrl, bypassSecurityTrustResourceUrl), unsanitized [innerHTML] bindings, and dynamically bound iframe security attributes such as [attr.sandbox], grounding claims via Context7 and Angular's own sanitizer and NG0910 documentation.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://angular.dev/best-practices/security",
18
+ "https://angular.dev/errors/NG0910",
19
+ "https://owasp.org/www-project-top-ten/",
20
+ "https://owasp.org/www-community/attacks/xss/"
21
+ ],
22
+ "security_notes": "This skill's entire scope is security-critical: DomSanitizer bypass calls and unsanitized [innerHTML] bindings are XSS vectors, and dynamically bound iframe security attributes are a sandbox-escape vector Angular's own NG0910 check exists to reject. Every finding defaults to HIGH severity unless proven otherwise with concrete validation/sanitizer evidence on the traced path. Static-review-only skill: it reads and greps components and templates but never executes, builds, or runs application code, and never sends live requests.",
23
+ "last_verified": "2026-07-03",
24
+ "path": "skills/frontend/angular-template-sanitizer-security-review",
25
+ "author": "github: Raishin",
26
+ "version": "0.1.0"
27
+ }
@@ -0,0 +1,63 @@
1
+ # Dynamic Iframe Security Attributes
2
+
3
+ Use this reference only when the review scope includes an `<iframe>` element with a bound `sandbox`, `allow`, `credentialless`, `csp`, `referrerPolicy`, or `fetchPriority` attribute, or a reported NG0910 error.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive assumption is:
8
+
9
+ > "Angular throws NG0910 if I bind these attributes dynamically, so if my app runs without that error, my iframe binding must be fine."
10
+
11
+ Wrong in two ways. First, the check can be suppressed or not exercised in the exact code path under review (a conditional branch not hit during development, or an older Angular version without the check). Second, even when the error is correctly thrown and "fixed" by refactoring around it, the underlying intent — a *dynamic*, potentially user-influenced sandbox/allow value — is still the actual security concern, independent of whether the specific Angular version enforces it at compile/runtime.
12
+
13
+ ## Officially grounded rules
14
+
15
+ Angular's own documentation (`documentation-based`, `adev/src/content/reference/errors/NG0910.md`, confirmed via Context7 `/angular/angular`) states directly:
16
+
17
+ - **Angular throws NG0910 when it detects a binding on specific security-related `<iframe>` attributes**: `sandbox`, `allow`, `allowFullscreen`, `referrerPolicy`, `csp`, `fetchPriority`, or `credentialless`. These attributes configure the iframe's security model and must be applied before the `src`/`srcdoc` attributes load content, so Angular requires them to be static — their values fixed at element-creation time and never bound as a property (`[sandbox]="..."`) or attribute (`[attr.sandbox]="..."`) binding, including via a directive's host bindings.
18
+ - **The recommended fix is a static attribute**, e.g. `sandbox="allow-scripts"`, or Angular's `@if`/`@switch` control-flow blocks to conditionally render entire `<iframe>` elements with different static attribute values, rather than binding the attribute's value dynamically on one persistent element.
19
+
20
+ ## Non-negotiable design rules
21
+
22
+ ### 1. Flag the pattern regardless of whether NG0910 currently fires
23
+
24
+ A dynamically bound security-sensitive iframe attribute is the finding — not the NG0910 error message itself. If the error is suppressed (an older Angular version, a downgraded compiler check, or code that technically avoids triggering the exact check Angular implements) but the underlying dynamic-binding pattern is present, it is still a finding: the sandbox's actual value can still be influenced by whatever expression it is bound to.
25
+
26
+ ### 2. Check reachability of the bound expression
27
+
28
+ A `[attr.sandbox]` bound to a hardcoded, non-configurable constant expression evaluated once at compile time is a lower-severity finding (still worth fixing for forward-compatibility with future Angular checks) than one bound to a value that traces back to user-reachable input (a query parameter, a per-tenant config value editable by end users, or similar) — the latter is a HIGH finding because an attacker-influenced value can directly weaken the iframe sandbox.
29
+
30
+ ### 3. Use static attributes or conditional rendering, not dynamic binding
31
+
32
+ The correct fix is either a static attribute value or Angular's `@if`/`@switch` blocks rendering distinct `<iframe>` elements per case — not attempting to bind the attribute dynamically through a workaround (e.g., manual DOM manipulation via `ElementRef` to set the attribute outside Angular's binding system), which reintroduces the same risk outside Angular's own safety check.
33
+
34
+ ## Minimal safe implementation pattern
35
+
36
+ ```html
37
+ <!-- Static attribute, fixed at element-creation time. -->
38
+ <iframe sandbox="allow-scripts" [src]="trustedEmbedUrl"></iframe>
39
+ ```
40
+
41
+ ```html
42
+ <!-- Conditional rendering of distinct static configurations. -->
43
+ @if (isTrustedPartner) {
44
+ <iframe sandbox="allow-scripts allow-same-origin" [src]="trustedEmbedUrl"></iframe>
45
+ } @else {
46
+ <iframe sandbox="allow-scripts" [src]="trustedEmbedUrl"></iframe>
47
+ }
48
+ ```
49
+
50
+ Anti-pattern (dynamic binding — do not approve):
51
+
52
+ ```html
53
+ <!-- userSandbox may originate from a per-tenant config value; even if
54
+ NG0910 is not currently thrown in this environment, the sandbox's
55
+ effective value can be influenced by that input at runtime. -->
56
+ <iframe [attr.sandbox]="userSandbox" [src]="trustedEmbedUrl"></iframe>
57
+ ```
58
+
59
+ ## Verification targets
60
+
61
+ - Grep `<iframe>` elements for `[sandbox]`, `[attr.sandbox]`, `[allow]`, `[attr.allow]`, `[credentialless]`, `[attr.credentialless]`, `[csp]`, `[attr.csp]`, `[referrerPolicy]`, `[attr.referrerPolicy]`, `[fetchPriority]`, and `[attr.fetchPriority]`.
62
+ - For each match, trace the bound expression backward to determine whether it is a fixed compile-time constant or reachable from user-influenced input (query params, tenant config editable by end users, form state).
63
+ - Grep for `ElementRef`-based manual attribute manipulation on iframe elements, which can reintroduce the same dynamic-binding risk outside Angular's compiler-enforced static-attribute check.