@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15389 -12589
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +3 -2
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
# Browserslist Matrix Interpretation
|
|
2
|
+
|
|
3
|
+
Use this reference when reading, interpreting, or proposing a change to the project's `.browserslistrc` / `package.json` `browserslist` config, or reconciling it with build-tool targets (Autoprefixer, Babel `preset-env`, `postcss-preset-env`, esbuild `target`).
|
|
4
|
+
|
|
5
|
+
> Version note (uncertainty flag): Context7 did not resolve a dedicated `browserslist` library at the time this skill was authored (only adjacent tooling like `es-check`, which integrates with Browserslist, was found). Treat Browserslist query-syntax details below as `documentation-based (Context7 unavailable for this library)`, and always confirm exact current syntax against the project's own resolved config output and the official `browserslist/browserslist` GitHub README before relying on it for a production recommendation.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The common bad assumption is:
|
|
10
|
+
|
|
11
|
+
> There's no `.browserslistrc` file, so this project doesn't have a declared matrix — I'll just eyeball it.
|
|
12
|
+
|
|
13
|
+
Wrong. Browserslist resolves configuration from multiple possible locations, in a defined precedence, and most frontend build tools (Autoprefixer, Babel, ESLint's `eslint-plugin-compat`, PostCSS presets) read it implicitly. Before declaring "no matrix exists," check all of the standard resolution points:
|
|
14
|
+
|
|
15
|
+
- a `browserslist` key in the project's `package.json`,
|
|
16
|
+
- a `.browserslistrc` file at the project root or a parent directory,
|
|
17
|
+
- a `BROWSERSLIST` environment variable (rare, but overrides file-based config when set),
|
|
18
|
+
- a shared/extended config referenced via `extends` in either of the above.
|
|
19
|
+
|
|
20
|
+
If genuinely none exist, Browserslist falls back to its own defaults (`> 0.5%, last 2 versions, Firefox ESR, not dead`) — that fallback *is* the effective matrix, and should be reported as such rather than treated as "no matrix."
|
|
21
|
+
|
|
22
|
+
## Reading the matrix correctly
|
|
23
|
+
|
|
24
|
+
- Browserslist queries combine like `> 0.5%, last 2 versions, not dead` — each comma-separated clause is a query, and by default clauses are combined with logical OR (a browser matching *any* clause is included), unless explicitly joined with `and`. Do not assume AND semantics for comma-separated queries without confirming against the project's resolved output.
|
|
25
|
+
- `not dead` excludes browsers without official support or security updates for the past 24 months (per Browserslist's documented `dead` query) — a matrix without `not dead` may be implicitly including officially unsupported browsers, which is itself worth flagging.
|
|
26
|
+
- Percentage-based queries (`> 0.5%`) are usage-share-relative and will silently shift over time as global usage shifts — a matrix expressed this way is not a fixed, auditable list; if the review needs a fixed matrix (e.g. for a compliance/procurement commitment), recommend resolving the query to a concrete browser list and pinning that, or flag the drift risk explicitly.
|
|
27
|
+
- To see the *actual resolved list* of browsers/versions a config expands to (not just the raw query string), the standard approach is running the project's own Browserslist resolution tooling (commonly exposed via the `browserslist` CLI or a project script) rather than manually reasoning about what a query string expands to — verify the exact command locally instead of assuming a specific CLI invocation, since this detail was not confirmed via Context7 for this skill.
|
|
28
|
+
|
|
29
|
+
## Non-negotiable rules
|
|
30
|
+
|
|
31
|
+
1. **Never approve or reject a feature's compatibility using an assumed matrix.** Always resolve the project's actual config (file-based, `package.json`-based, or the documented Browserslist default) before making a claim.
|
|
32
|
+
2. **Distinguish the declared query from the resolved browser list.** "last 2 versions" is not itself a browser list; it must be resolved against current release data to know which concrete versions are in scope, and that resolution changes over time as new versions ship.
|
|
33
|
+
3. **Reconcile the Browserslist matrix with the build tool's actual behavior separately per tool.** Babel `preset-env`, Autoprefixer, and `postcss-preset-env` each consume the same Browserslist config but apply it differently (transpilation targets vs CSS prefixing vs CSS feature polyfilling) — do not assume that because Babel is configured correctly, CSS-level compatibility is automatically covered, or vice versa.
|
|
34
|
+
4. **A percentage- or "last N versions"-based query is a moving target.** Flag this explicitly when a stakeholder wants a fixed compliance commitment; recommend either pinning explicit browser/version pairs or re-verifying the resolved list on a defined cadence.
|
|
35
|
+
5. **Proposing a matrix change is a data-backed recommendation, not a unilateral edit.** Base any proposed change on real usage/analytics data for the org's actual audience, and route the recommendation to the product/analytics owner rather than silently narrowing or widening support.
|
|
36
|
+
|
|
37
|
+
## Verification targets
|
|
38
|
+
|
|
39
|
+
- The actual `browserslist` key / `.browserslistrc` content in the project (read directly).
|
|
40
|
+
- The resolved concrete browser/version list the query expands to, obtained via the project's own tooling — verify the exact invocation locally rather than assuming one.
|
|
41
|
+
- Whether Babel, Autoprefixer, and any CSS preset-env-style tool in the build pipeline are all wired to the same Browserslist config (shared root config) rather than divergent per-tool overrides.
|
|
42
|
+
|
|
43
|
+
## When to push back
|
|
44
|
+
|
|
45
|
+
Push back if the user asks to:
|
|
46
|
+
|
|
47
|
+
- widen or narrow the supported-browser matrix without any usage/analytics justification,
|
|
48
|
+
- treat a percentage-based query as a fixed, auditable list for a compliance statement without resolving and pinning it,
|
|
49
|
+
- add a browser-compatibility "fix" that actually just silences a linter (`eslint-plugin-compat` disable comment) rather than resolving the underlying gap.
|
package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md
ADDED
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
# Fallback Verification Patterns
|
|
2
|
+
|
|
3
|
+
Use this reference when a finding requires checking whether an actual feature-detection gate or polyfill exists and correctly covers the risky code path — across JS, CSS, and HTML — rather than accepting an assertion that "there's a fallback."
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> The PR description says there's a fallback, so the fallback question is closed.
|
|
10
|
+
|
|
11
|
+
That is not evidence. A description, a comment, or a variable name (`hasPolyfillFallback`) is not proof that a gate exists, that it is correctly scoped to the risky code path, or that it fails safe. Always read the actual gating code before closing a fallback finding.
|
|
12
|
+
|
|
13
|
+
## Three fallback mechanisms, not one
|
|
14
|
+
|
|
15
|
+
Do not treat "fallback" as a single undifferentiated concept. There are three distinct mechanisms, each with its own failure modes:
|
|
16
|
+
|
|
17
|
+
1. **CSS `@supports` (feature queries)** — gates a CSS declaration block on whether the engine supports a given property/value pair.
|
|
18
|
+
- Failure mode: `@supports` itself has near-universal support, but the *query* can be written incorrectly (testing the wrong property, or a value that is always true/false), silently making the gate a no-op.
|
|
19
|
+
- Verification: confirm the `@supports` condition actually names the property/value being used in the gated block, and that a real non-supporting fallback declaration exists *before* the `@supports` block (CSS cascade order — the fallback must be overridable, not overridden).
|
|
20
|
+
|
|
21
|
+
2. **JS runtime feature detection** (`if ('IntersectionObserver' in window)`, `typeof`, `in` checks, capability probing) — gates a code path on whether an API exists before calling it.
|
|
22
|
+
- Failure mode: detecting the *existence* of an API is not the same as detecting *correct/complete* behavior — some browsers ship a partial or buggy implementation that passes an existence check but fails at runtime. For any feature with known partial-implementation history, verify the detection checks the specific method/behavior actually used, not just the top-level constructor.
|
|
23
|
+
- Verification: confirm the detected branch and the fallback branch are both reachable in the code (not dead code), and that the fallback branch has been exercised — read it, do not assume it degrades gracefully.
|
|
24
|
+
|
|
25
|
+
3. **Polyfills** (loaded unconditionally or conditionally) — ship an implementation of the missing capability.
|
|
26
|
+
- Failure mode: an unconditionally-loaded polyfill ships bytes to every user, including the ~95%+ who already have native support, with zero runtime code-splitting; a conditionally-loaded polyfill (dynamic `import()` behind a feature-detection check) avoids that cost but must be verified to not create a race condition where the gated code runs before the polyfill import resolves.
|
|
27
|
+
- Verification: confirm whether the polyfill load is conditional or unconditional (check the bundler output / import site), and if conditional, confirm the code that depends on the polyfilled API awaits the import before use.
|
|
28
|
+
|
|
29
|
+
## HTML-level fallback pattern
|
|
30
|
+
|
|
31
|
+
For new HTML elements/attributes, the platform's own graceful-degradation model (unknown elements render as inline/anonymous boxes, unknown attributes are ignored) is sometimes sufficient — but only when the fallback behavior of "ignore it" is actually an acceptable UX, not a broken one. Do not accept "the browser will just ignore it" as a verified fallback without checking whether ignoring the attribute leaves the feature in a broken or misleading state (e.g. a `<dialog>` element with no polyfill on a browser that doesn't support it does not just degrade — it fails to open at all).
|
|
32
|
+
|
|
33
|
+
## Non-negotiable rules
|
|
34
|
+
|
|
35
|
+
1. **A fallback finding is not closed until the actual gating code has been read.** Comments, descriptions, and test names are not evidence.
|
|
36
|
+
2. **The fallback path must be reachable and non-dead.** If the "supported" branch always evaluates true in every test/CI browser, the fallback branch may be unexercised dead code — flag this explicitly.
|
|
37
|
+
3. **Existence checks are not behavior checks.** For features with a documented history of partial/buggy implementations, verify the detection matches the actual method/behavior used.
|
|
38
|
+
4. **Unconditional polyfill loading is a performance finding, not just a compatibility non-issue.** Note the bundle-size cost even when the fallback itself is technically correct.
|
|
39
|
+
5. **CSS cascade order matters.** A fallback declaration placed *after* the `@supports`-gated declaration will win regardless of support, silently defeating the gate — always check declaration order, not just presence of the `@supports` block.
|
|
40
|
+
|
|
41
|
+
## Verification targets
|
|
42
|
+
|
|
43
|
+
- The literal `@supports`, `if`/`in`/`typeof` check, or dynamic-`import()` gate in the diff or file, read directly — not paraphrased from a PR description.
|
|
44
|
+
- CSS declaration order around any `@supports` block.
|
|
45
|
+
- Whether the polyfill import is conditional (behind a feature check) or unconditional, and whether dependent code awaits it.
|
|
46
|
+
- Whether the fallback branch is exercised by any existing test, or is unexercised dead code.
|
|
47
|
+
|
|
48
|
+
## When to push back
|
|
49
|
+
|
|
50
|
+
Push back if the user says:
|
|
51
|
+
|
|
52
|
+
- "there's a fallback, trust me" without pointing at code,
|
|
53
|
+
- "the browser will just ignore the unsupported part" for a feature whose absence actually breaks core functionality (not genuinely inert),
|
|
54
|
+
- "we'll add the polyfill later" while shipping the unguarded feature now to a matrix that doesn't yet support it.
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: build-tooling-vite-webpack-review
|
|
3
|
+
description: Reviews Vite and Webpack build/chunking configuration and bundle-size composition for duplicate dependencies, unsplit vendor chunks, and tree-shaking failures, always version-labeling config since Vite 8 replaced Rollup-era manualChunks with Rolldown-based codeSplitting.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: compute
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Build Tooling (Vite/Webpack) Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Bundler config advice that doesn't match the installed major version is worse than no advice — it produces a config diff that silently no-ops, throws at build time, or (worst case) applies to the wrong bundler engine entirely. Vite ships two build engines depending on version and config shape (Rollup-backed `rollupOptions`, or Rolldown-backed `rolldownOptions`), and Vite 8 removed the object form of `manualChunks` outright. This skill reviews Vite/Webpack build and chunking *configuration itself* — the config file, not the resulting bundle bytes — and treats the target bundler's exact major version as a required input, not an assumption, before proposing any config diff.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- review or tune Vite `build.rollupOptions`/`build.rolldownOptions` or Webpack `optimization.splitChunks` chunking configuration,
|
|
23
|
+
- diagnose a duplicate-dependency-across-chunks defect or an unsplit vendor chunk caused by chunking config (not by application-level import boundaries),
|
|
24
|
+
- evaluate a proposed bundler migration (Webpack to Vite, Rollup-backed Vite to Rolldown-backed Vite, or a Vite major-version upgrade) for build-time and config-compatibility impact,
|
|
25
|
+
- diagnose a tree-shaking failure that traces back to bundler/build config (module format, `sideEffects` field interaction with the bundler, barrel-file re-exports defeating static analysis) rather than to source-code side effects,
|
|
26
|
+
- set up or review a CI bundle-size budget gate at the build-tool level (build script, CI job config).
|
|
27
|
+
|
|
28
|
+
## When NOT to use
|
|
29
|
+
|
|
30
|
+
- Setting or auditing the *numeric* size budget itself, ranking analyzer contributors by byte weight vs. execution cost, or deciding route/component-level code-splitting boundaries — hand off to `bundle-budget-code-splitting-review` for that; this skill reviews the bundler config mechanism, not the budget methodology or split-boundary decision.
|
|
31
|
+
- Verifying that tree-shaking actually eliminated dead code via a before/after byte diff, or auditing `sideEffects: false` correctness on a specific package — hand off to `tree-shaking-dead-code-review` for that; this skill only flags build-config patterns (barrel imports, module-format mismatches) that are *known to defeat* tree-shaking, it does not verify the outcome.
|
|
32
|
+
- Non-bundler build tooling (Babel-only transpilation pipelines with no bundling step, TypeScript `tsc`-only builds, esbuild/Rolldown used as a library outside Vite/Webpack) — different config surface, not in scope here.
|
|
33
|
+
|
|
34
|
+
## Context7 Documentation Protocol
|
|
35
|
+
|
|
36
|
+
Vite's build-engine and chunking API surface changed between major versions — do not prescribe a config from memorized training data.
|
|
37
|
+
|
|
38
|
+
1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
|
|
39
|
+
2. Call `mcp__Context7__resolve-library-id` for each bundler in scope (`/vitejs/vite`, Webpack, `/rollup/rollup`, and `/rolldown/rolldown` if the project's Vite build is Rolldown-backed) before prescribing any chunking configuration.
|
|
40
|
+
3. Call `mcp__Context7__query-docs` for the specific mechanism — e.g. "rollupOptions.output.manualChunks vs rolldownOptions.output.codeSplitting", "splitChunks cacheGroups defaults", "manualChunks object form vs function form" — before ruling on it. Do this per review; do not reuse a prior session's memory of bundler internals.
|
|
41
|
+
4. Known version-sensitive facts verified via Context7 as of this skill's `updated` date:
|
|
42
|
+
- Vite's migration guide documents that the **object form** of `build.rollupOptions.output.manualChunks` was **removed**, and the **function form** was **deprecated**; the replacement is `build.rolldownOptions.output.codeSplitting`, which takes a `groups` array of `{ name, test }` entries (Rolldown's declarative chunk-grouping API). Do not hand a project on that config path a `manualChunks: { vendor: [...] }` object-form snippet — it will not apply.
|
|
43
|
+
- Rollup itself (used directly, or via Vite versions/configs that still route through `rollupOptions`) continues to support both the object form and function form of `output.manualChunks` per Rollup's own configuration docs — the removal is specific to Vite's option surface and its migration path toward Rolldown, not a Rollup-wide deprecation. Confirm which bundler engine actually processes the config (`rollupOptions` vs `rolldownOptions` key) before applying either party's rules.
|
|
44
|
+
- Vite ships a built-in `splitVendorChunkPlugin` that composes with function-form `manualChunks` but explicitly logs a warning and no-ops when combined with the object form — treat "vendor chunk isn't splitting and there's a console warning about `splitVendorChunk`" as a symptom of this specific interaction, not a generic bug report.
|
|
45
|
+
5. Webpack's `optimization.splitChunks` surface (`cacheGroups`, `chunks: 'all' | 'async' | 'initial'`, `minSize`, `maxInitialRequests`) is comparatively stable across recent majors per Context7-grounded docs, including its documented defaults (`minSize: 20000`, `defaultVendors`/`default` cache groups with `priority: -10`/`-20`) — still confirm the installed Webpack major before asserting a specific default, since defaults have shifted across major versions historically.
|
|
46
|
+
6. If Context7 is unavailable or returns no relevant match for the installed bundler, fall back to `official_docs` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
|
|
47
|
+
7. Never invent a bundler config key, CLI flag, or plugin option that no queried source confirms.
|
|
48
|
+
|
|
49
|
+
## Lean operating rules
|
|
50
|
+
|
|
51
|
+
- Confirm the installed Vite major version and which output-options key (`rollupOptions` vs `rolldownOptions`) the project's own config already uses before proposing a diff — these are two different bundler engines with two different chunking APIs, and giving the wrong era's config is a concrete, verified failure, not a style choice.
|
|
52
|
+
- Distinguish Vite's dev-server behavior (native ESM, no bundling, chunking config irrelevant) from its production build behavior (bundled via Rollup or Rolldown depending on version/config); every recommendation in this skill applies only to the production build path.
|
|
53
|
+
- Flag barrel-file (`index.ts` re-export) imports and wildcard imports of large libraries (icon sets, date libraries, utility libraries) as build-config-relevant tree-shaking risks when the project's module format or bundler settings can't statically resolve them — name the specific named/subpath-import fix, and hand off to `tree-shaking-dead-code-review` to verify the byte-level outcome.
|
|
54
|
+
- Treat a duplicate-dependency-across-chunks finding as a chunk-grouping *config* defect (fix `manualChunks`/`codeSplitting`/`cacheGroups`), not an application-code defect — do not propose restructuring import statements to solve what a config change solves more directly.
|
|
55
|
+
- Require a stated measured baseline (current bundle output, build time) before endorsing any bundler or bundler-major migration, plus a rollback path (pinned lockfile entry, ability to revert the config key).
|
|
56
|
+
- Recommend a CI bundle-size budget gate at the build-tool/CI-job level for any budget-critical route that lacks one, rather than treating build-config review as a one-time audit — but define the numeric budget itself only via `bundle-budget-code-splitting-review`.
|
|
57
|
+
- Do not evaluate bundle-size numbers as if they were field/RUM Core Web Vitals data; a build's stats output is lab data from a CI build unless explicitly stated otherwise.
|
|
58
|
+
- Never accept "it built without errors" as evidence a chunking config change is correct — a removed or renamed option key can silently no-op (see the Vite 8 `manualChunks` object-form removal) rather than error.
|
|
59
|
+
|
|
60
|
+
## References
|
|
61
|
+
|
|
62
|
+
Load these only when needed:
|
|
63
|
+
|
|
64
|
+
- [Vite chunking config reference](references/vite-chunking-config.md) — use when reviewing or writing `rollupOptions.output.manualChunks` or `rolldownOptions.output.codeSplitting`, or diagnosing which bundler engine a Vite config actually invokes.
|
|
65
|
+
- [Webpack splitChunks reference](references/webpack-splitchunks-config.md) — use when reviewing or writing `optimization.splitChunks`, `cacheGroups`, or `runtimeChunk` configuration.
|
|
66
|
+
- [Migration and config-diff safety](references/migration-and-config-diff-safety.md) — use before endorsing a bundler migration or a chunking-config change, to confirm baseline capture, rollback path, and the verification steps that must precede calling a config change complete.
|
|
67
|
+
|
|
68
|
+
## Response minimum
|
|
69
|
+
|
|
70
|
+
Return, at minimum:
|
|
71
|
+
|
|
72
|
+
- the bundler and confirmed major version (and, for Vite, the confirmed output-options key: `rollupOptions` or `rolldownOptions`) the guidance targets,
|
|
73
|
+
- build-config findings (duplicate-dependency chunk-grouping defects, config keys that no longer apply for the confirmed version, barrel-file/module-format patterns defeating tree-shaking) with file/line evidence,
|
|
74
|
+
- proposed chunking/config diff (not applied), labeled lab vs field for any performance number cited,
|
|
75
|
+
- evidence level (`live evidence`, `user-provided sanitized evidence`, `documentation-based`, or `inference`),
|
|
76
|
+
- migration caveat (baseline + rollback) if a bundler or bundler-major change is recommended, and a handoff note to `bundle-budget-code-splitting-review` or `tree-shaking-dead-code-review` if the user's actual question is budget-setting or tree-shaking verification rather than config review.
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "build-tooling-vite-webpack-review",
|
|
3
|
+
"name": "Build Tooling (Vite/Webpack) Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"codex",
|
|
8
|
+
"claude-code",
|
|
9
|
+
"cursor",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews Vite and Webpack build configuration, code-splitting/chunking strategy, and bundle-size budgets, version-labeling every recommendation because Vite 8's Rolldown-based codeSplitting API replaced the Rollup-era manualChunks option.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://vite.dev/guide/build.html",
|
|
18
|
+
"https://vite.dev/guide/migration.html",
|
|
19
|
+
"https://webpack.js.org/guides/code-splitting/",
|
|
20
|
+
"https://webpack.js.org/plugins/split-chunks-plugin/"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "Bundle-analyzer output shared outside the org must not include source maps that reveal internal API paths or accidentally-inlined environment values. Any dependency with an install-time script that runs during the build must be reviewed before it's allowed to affect the production bundle. Static-review-only skill: it reads and greps build config and source; it does not execute builds, install dependencies, or run bundler CLIs. Treat any credential-shaped string found in a pasted build config, CI job definition, or analyzer report as unsafe to echo in the transcript.",
|
|
23
|
+
"last_verified": "2026-07-02",
|
|
24
|
+
"path": "skills/frontend/build-tooling-vite-webpack-review",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# Migration and Config-Diff Safety
|
|
2
|
+
|
|
3
|
+
Use this reference before endorsing any bundler migration (Webpack to Vite, Rollup-backed Vite to Rolldown-backed Vite, or a Vite/Webpack major-version bump) or before calling any chunking-config change complete.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive assumption is:
|
|
8
|
+
|
|
9
|
+
> The build succeeded with the new config, so the migration/change is done.
|
|
10
|
+
|
|
11
|
+
Wrong on two counts. First, a removed-but-not-erroring option (see `references/vite-chunking-config.md` on the Vite `manualChunks` object-form removal) means a "successful" build can silently be running a different chunking strategy than the team believes — success is not evidence of equivalence. Second, "the build succeeded" says nothing about whether the resulting bundle composition, chunk count, or build time actually moved in the intended direction, or whether a rollback path exists if it didn't.
|
|
12
|
+
|
|
13
|
+
## Non-negotiable rules
|
|
14
|
+
|
|
15
|
+
1. **Capture a measured baseline before any config or bundler change is applied.** At minimum: current chunk list with sizes (from the existing build's stats/manifest output), current total build time, and current bundler/major version. Without this, "did the migration help" is unanswerable after the fact.
|
|
16
|
+
2. **State the rollback path explicitly before endorsing the change.** For a config-only change, this is typically "revert this diff, config keys are additive/isolated." For a bundler-major or engine-swap migration (e.g., adopting Rolldown-backed Vite), confirm whether the change is a single reversible config-key swap or whether it also touches lockfile-pinned plugin versions that may not be compatible with the prior engine — a plugin written against Rollup's plugin API is not guaranteed compatible with Rolldown's plugin API even where the two claim general compatibility; confirm via Context7 rather than assuming.
|
|
17
|
+
3. **Never treat "build succeeded, no errors" as proof a chunking-config change took effect.** Require a chunk-list diff (names, count, sizes) between before and after. An unchanged chunk list after an intentional config edit means the edit likely didn't apply — check for the specific silent-no-op patterns named in the Vite and Webpack references before assuming the config is simply already optimal.
|
|
18
|
+
4. **Do not endorse a bundler migration on build-time or DX grounds alone without also stating the bundle-composition impact**, or explicitly noting that composition impact is unverified. A faster build with an unreviewed change in chunk boundaries can trade build-time wins for runtime request-count or duplicate-dependency regressions — that trade-off must be named, not silently accepted.
|
|
19
|
+
5. **Flag any migration proposal that lacks a stated baseline or rollback path as incomplete**, regardless of how confident the proposal otherwise sounds — this is the same discipline this skill applies to config-key claims: unverified confidence is not evidence.
|
|
20
|
+
6. **When the user's actual goal is a numeric bundle-size budget or code-splitting boundary decision** (not a config-mechanism review), hand off to `bundle-budget-code-splitting-review` rather than expanding this skill's scope to cover budget methodology.
|
|
21
|
+
7. **When the user's actual goal is verifying that a config change eliminated dead code** (byte-level tree-shaking outcome, `sideEffects` correctness), hand off to `tree-shaking-dead-code-review` rather than asserting a tree-shaking outcome from config inspection alone — this skill can flag config patterns *known to defeat* tree-shaking (barrel imports, module-format mismatches) but does not verify the resulting byte-level outcome itself.
|
|
22
|
+
|
|
23
|
+
## Minimal safe review flow
|
|
24
|
+
|
|
25
|
+
1. Confirm the current bundler, major version, and (for Vite) the active output-options key (`rollupOptions` vs `rolldownOptions`).
|
|
26
|
+
2. Capture the baseline: current chunk list/sizes and current build time, from user-provided build output or stats file — do not fabricate baseline numbers.
|
|
27
|
+
3. Ground every config-key claim via Context7 for the confirmed version before proposing a diff (see the Context7 Documentation Protocol in `SKILL.md`).
|
|
28
|
+
4. Propose the config diff, not an applied change — this is a static-review skill; it does not run builds.
|
|
29
|
+
5. State the verification command the user (or their CI) must run to confirm the diff took effect (e.g., `npm run build -- --report` or the project's equivalent stats-output invocation) and what a successful before/after diff looks like.
|
|
30
|
+
6. State the rollback path explicitly, even if it is as simple as "revert this config diff."
|
|
31
|
+
|
|
32
|
+
## When to push back
|
|
33
|
+
|
|
34
|
+
Push back if the user asks for:
|
|
35
|
+
|
|
36
|
+
- a bundler-major or engine (Rollup-to-Rolldown) migration with no stated baseline and "we'll measure it after,"
|
|
37
|
+
- a chunking-config change accepted as complete purely because the build didn't error,
|
|
38
|
+
- merging all of `node_modules` into a single vendor chunk (Webpack) or an equivalent broad grouping (Vite) presented as a universal best practice rather than a named caching/parallelism trade-off,
|
|
39
|
+
- a `manualChunks` config change on a Vite project without first confirming which output-options key and Vite major are actually in play.
|
|
40
|
+
|
|
41
|
+
Those are not shortcuts. They are a config diff without evidence it does what it claims.
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
# Vite Chunking Configuration
|
|
2
|
+
|
|
3
|
+
Use this reference when reviewing or writing Vite's production-build chunking configuration, or when a project reports a chunking config that "used to work" and no longer applies.
|
|
4
|
+
|
|
5
|
+
> Version note: this reference reflects Context7-grounded Vite documentation as of this skill's `updated` date. Vite's build-engine option surface has changed across major versions — re-verify against `mcp__Context7__query-docs` for `/vitejs/vite` before applying any snippet below to a specific installed version, and confirm the version with the project's own lockfile or `vite --version` output rather than assuming it from `package.json` ranges.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The naive assumption is:
|
|
10
|
+
|
|
11
|
+
> "Vite chunking config" is one API — `manualChunks` — and it works the same across every Vite version.
|
|
12
|
+
|
|
13
|
+
Wrong. Vite's production build is not one bundler; it is a build-engine seam. Depending on the Vite major version and which output-options key the config uses, the actual bundling engine is either:
|
|
14
|
+
|
|
15
|
+
- **Rollup**, addressed via `build.rollupOptions.output.manualChunks`, or
|
|
16
|
+
- **Rolldown** (a Rust-based bundler with a Rollup-compatible API surface, but its own option shapes for some features), addressed via `build.rolldownOptions.output.codeSplitting`.
|
|
17
|
+
|
|
18
|
+
A config snippet that is correct for one engine can silently no-op under the other. This is not a deprecation warning you can ignore — Vite's own migration guide documents the object form of `manualChunks` as **removed**, not merely discouraged.
|
|
19
|
+
|
|
20
|
+
## Officially grounded shape (what Vite/Rollup/Rolldown docs actually say)
|
|
21
|
+
|
|
22
|
+
Per Context7-grounded Vite build/migration docs and Rollup's own configuration docs:
|
|
23
|
+
|
|
24
|
+
- **Rollup's `output.manualChunks`** (used when the config's build path routes through `rollupOptions`) supports two forms:
|
|
25
|
+
- **Object form**: `manualChunks: { 'vendor-react': ['react', 'react-dom'] }` — maps a chunk name to an explicit array of module specifiers. Rollup's own docs describe this as the simpler, safer form.
|
|
26
|
+
- **Function form**: `manualChunks(id) { if (id.includes('node_modules')) return 'vendor'; }` — receives the module ID (and `{ getModuleInfo, getModuleIds }`) and returns a chunk name string or `null`/`undefined` to leave the module unassigned. Rollup's docs note `output.onlyExplicitManualChunks` is itself a separate, deprecated option slated to become Rollup 5's default behavior — confirm this hasn't shifted before relying on implicit fallback chunking.
|
|
27
|
+
- Rollup itself has **not** removed either form; the removal described below is specific to Vite's own option surface on its migration path toward Rolldown.
|
|
28
|
+
|
|
29
|
+
- **Vite's `build.rollupOptions.output.manualChunks`** — per Vite's migration guide (grounded via Context7): the **object form is removed** and the **function form is deprecated**. A project still passing `manualChunks: { vendor: [...] }` to `rollupOptions.output` on a Vite version past this removal will see the option ignored, not an error — this is the single most common false-negative in this review.
|
|
30
|
+
|
|
31
|
+
- **Vite's `build.rolldownOptions.output.codeSplitting`** — the documented replacement. Per Vite's build guide and Rolldown's own `manualCodeSplitting` reference, this takes a declarative shape:
|
|
32
|
+
|
|
33
|
+
```javascript
|
|
34
|
+
export default defineConfig({
|
|
35
|
+
build: {
|
|
36
|
+
rolldownOptions: {
|
|
37
|
+
output: {
|
|
38
|
+
codeSplitting: {
|
|
39
|
+
groups: [
|
|
40
|
+
{ name: 'vendor-react', test: /node_modules\/(react|react-dom)/ },
|
|
41
|
+
{ name: 'chunk', test: 'chunk.css' },
|
|
42
|
+
],
|
|
43
|
+
},
|
|
44
|
+
},
|
|
45
|
+
},
|
|
46
|
+
},
|
|
47
|
+
})
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
Each entry in `groups` is a `{ name, test }` pair; `test` can match on module ID pattern. This is a declarative alternative to `manualChunks`'s imperative function form, intended to avoid circular-dependency footguns that hand-written `manualChunks` functions can introduce.
|
|
51
|
+
|
|
52
|
+
- **`splitVendorChunkPlugin`** — Vite ships a built-in plugin implementing a `vendor` chunk heuristic (any `node_modules` module, not CSS, statically imported by an entry point) as a `manualChunks` function. Per its own source (grounded via Context7): when composed with a user-supplied **function-form** `manualChunks`, it wraps and chains the two; when composed with an **object-form** `manualChunks`, it detects the object form and **logs a console warning that it has no effect**, then does nothing. A project reporting "the vendor-splitting plugin isn't working, no error, just a console warning" is very likely hitting exactly this interaction.
|
|
53
|
+
|
|
54
|
+
## Non-negotiable review rules
|
|
55
|
+
|
|
56
|
+
1. **Confirm the output-options key before applying either ruleset.** Grep the Vite config for `rollupOptions` vs `rolldownOptions` under `build`. These are not interchangeable, and a chunking snippet written for one silently does nothing under the other.
|
|
57
|
+
2. **Confirm the installed Vite major.** Do not infer it from a `^7.0.0`-style semver range in `package.json` alone — a caret range can resolve to a version past a documented removal. Prefer lockfile-resolved version or a reported `vite --version` if available as user-provided evidence.
|
|
58
|
+
3. **If the config uses `rollupOptions.output.manualChunks` as an object**, and the confirmed Vite major is on/after the version where Vite's migration guide documents the removal, flag this as a silent no-op, not a style nit — the chunking strategy the team believes is active is not running.
|
|
59
|
+
4. **If the config uses `rollupOptions.output.manualChunks` as a function**, treat it as valid but flag it as a forward-migration item toward `rolldownOptions.output.codeSplitting`, per Vite's own deprecation notice — do not present the function form as the long-term recommended pattern.
|
|
60
|
+
5. **When migrating a `manualChunks` function to `codeSplitting` groups**, do not assume a 1:1 mechanical translation. A `manualChunks` function can express arbitrary conditional logic (e.g., branching on `getModuleInfo(id).importers`); `codeSplitting`'s `groups` array is pattern-match-based (`test` against module ID). Confirm each branch of the original function has an equivalent `test` pattern before calling the migration complete — untranslatable branches are a real migration risk, not a formality.
|
|
61
|
+
6. **Do not conflate Vite's dev-server module graph with its build chunking.** Chunking config has zero effect on `vite dev`; it applies only to `vite build`. A user reporting a "chunking problem" during local dev is describing something this config cannot cause.
|
|
62
|
+
|
|
63
|
+
## Verification targets
|
|
64
|
+
|
|
65
|
+
- The confirmed Vite major (from lockfile or reported CLI version) and the output-options key actually present in `vite.config.*`.
|
|
66
|
+
- For a `manualChunks` object-form finding: the exact Vite version threshold from `mcp__Context7__query-docs` against `/vitejs/vite`'s migration guide, quoted, not paraphrased from memory.
|
|
67
|
+
- For a proposed `codeSplitting` groups migration: each `groups[].test` pattern mapped explicitly back to the branch of the prior `manualChunks` function it replaces.
|
|
68
|
+
- A build output diff (chunk list, sizes) confirming the new config actually changed the chunk boundaries — an unchanged chunk list after a config edit is evidence the edit didn't take effect, not evidence the config was already optimal.
|
package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md
ADDED
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
# Webpack SplitChunksPlugin Configuration
|
|
2
|
+
|
|
3
|
+
Use this reference when reviewing or writing Webpack's `optimization.splitChunks` configuration, `cacheGroups`, or `runtimeChunk` settings.
|
|
4
|
+
|
|
5
|
+
> Version note: confirm the installed Webpack major via `mcp__Context7__query-docs` against Webpack's own docs before asserting a specific default value below applies — `SplitChunksPlugin` defaults have shifted across major versions historically, and this reference documents the currently Context7-grounded defaults, not a version-pinned guarantee.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The naive assumption is:
|
|
10
|
+
|
|
11
|
+
> `optimization.splitChunks: { chunks: 'all' }` is "the vendor-splitting setting" and turning it on is the whole job.
|
|
12
|
+
|
|
13
|
+
Incomplete. `chunks: 'all'` only changes *which* chunks (`async`, `initial`, or both) are eligible for splitting — it does not by itself define a vendor group, a size threshold, or a request-count ceiling. Webpack's actual chunk-splitting behavior is the product of several settings interacting: `chunks`, `minSize`, `minChunks`, `maxAsyncRequests`, `maxInitialRequests`, `enforceSizeThreshold`, and the `cacheGroups` map. Reviewing only `chunks` and ignoring the rest of the object produces a config that "does something" without the reviewer knowing what.
|
|
14
|
+
|
|
15
|
+
## Officially grounded shape (what Webpack docs actually say)
|
|
16
|
+
|
|
17
|
+
Per Context7-grounded Webpack docs (`SplitChunksPlugin` reference and code-splitting/caching guides):
|
|
18
|
+
|
|
19
|
+
- **Default `optimization.splitChunks` shape**, documented explicitly:
|
|
20
|
+
|
|
21
|
+
```javascript
|
|
22
|
+
optimization: {
|
|
23
|
+
splitChunks: {
|
|
24
|
+
chunks: "async",
|
|
25
|
+
minSize: 20000,
|
|
26
|
+
minRemainingSize: 0,
|
|
27
|
+
minChunks: 1,
|
|
28
|
+
maxAsyncRequests: 30,
|
|
29
|
+
maxInitialRequests: 30,
|
|
30
|
+
enforceSizeThreshold: 50000,
|
|
31
|
+
cacheGroups: {
|
|
32
|
+
defaultVendors: {
|
|
33
|
+
test: /[\\/]node_modules[\\/]/,
|
|
34
|
+
priority: -10,
|
|
35
|
+
reuseExistingChunk: true,
|
|
36
|
+
},
|
|
37
|
+
default: {
|
|
38
|
+
minChunks: 2,
|
|
39
|
+
priority: -20,
|
|
40
|
+
reuseExistingChunk: true,
|
|
41
|
+
},
|
|
42
|
+
},
|
|
43
|
+
},
|
|
44
|
+
}
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
The default `chunks: "async"` means only dynamically-imported (`import()`) chunks are eligible for splitting out of the box — a project relying on defaults and expecting *initial* (entry-point) chunks to also get vendor-split needs to explicitly set `chunks: "all"`, either globally or per cache group.
|
|
48
|
+
|
|
49
|
+
- **Explicit vendor cache group** — the documented pattern for pulling all `node_modules` code into a named `vendors` chunk:
|
|
50
|
+
|
|
51
|
+
```javascript
|
|
52
|
+
optimization: {
|
|
53
|
+
runtimeChunk: 'single',
|
|
54
|
+
splitChunks: {
|
|
55
|
+
cacheGroups: {
|
|
56
|
+
vendor: {
|
|
57
|
+
test: /[\\/]node_modules[\\/]/,
|
|
58
|
+
name: 'vendors',
|
|
59
|
+
chunks: 'all',
|
|
60
|
+
},
|
|
61
|
+
},
|
|
62
|
+
},
|
|
63
|
+
},
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
Webpack's own caching guide pairs this with `runtimeChunk: 'single'` specifically for long-term-caching correctness — extracting the webpack runtime/manifest into its own chunk so that changes to application code don't invalidate the vendor chunk's content hash. A `vendor` cache group added without `runtimeChunk: 'single'` is a common half-fix: the vendor chunk hash still churns on unrelated app changes because the runtime is bundled with it.
|
|
67
|
+
|
|
68
|
+
- **Custom cache-group merging** — Webpack's docs note that merging all of `node_modules` into a single `vendors` chunk via a broad `test: /node_modules/` cache group "is not generally recommended" as a default strategy, but can be a deliberate trade-off for long-term caching in specific deployment setups. Treat a broad single-vendor-chunk config as an explicit trade-off to confirm with the team, not a default best practice to apply unprompted.
|
|
69
|
+
|
|
70
|
+
## Non-negotiable review rules
|
|
71
|
+
|
|
72
|
+
1. **Read the whole `splitChunks` object, not just `chunks`.** `minSize`, `maxInitialRequests`, and `enforceSizeThreshold` jointly determine whether a module that "should" be split actually gets split. A module below `minSize` (default 20000 bytes) will not become its own chunk regardless of `cacheGroups` targeting, unless a cache group's own `enforce: true` overrides that.
|
|
73
|
+
2. **Confirm `chunks` scope per cache group, not just globally.** A global `chunks: 'async'` with a `vendor` cache group that doesn't override `chunks: 'all'` will not split vendor code out of the initial/entry bundle — only out of dynamically-imported chunks. This is the most common "I added a vendor cache group and nothing changed in the initial bundle" defect.
|
|
74
|
+
3. **Pair any named vendor cache group with `runtimeChunk: 'single'` when the goal is long-term-caching stability**, and say so explicitly if the config is missing it — otherwise the vendor chunk's cache-busting behavior won't match what the team expects.
|
|
75
|
+
4. **Do not propose a broad `test: /node_modules/` single-vendor-chunk config as a default recommendation.** Per Webpack's own docs, this is an explicit trade-off (fewer, larger, more cache-stable chunks vs. finer-grained, more parallel-loadable chunks), not a universal best practice — surface it as a choice with a named trade-off, not a fix.
|
|
76
|
+
5. **Confirm the installed Webpack major before asserting any specific default value** (e.g., `minSize: 20000`) — quote the value from `mcp__Context7__query-docs` against the confirmed major rather than this reference's cached snapshot, since defaults have changed across majors historically.
|
|
77
|
+
6. **Distinguish `optimization.splitChunks` (automatic, heuristic-driven) from explicit multi-entry configuration** (`entry: { index: ..., another: ... }`) — a duplicate-dependency finding across two *entry points* (not two dynamically-split chunks) is a `splitChunks` cache-group problem, not an entry-config problem; do not propose merging entries as the fix when the actual defect is a missing/misconfigured cache group.
|
|
78
|
+
|
|
79
|
+
## Verification targets
|
|
80
|
+
|
|
81
|
+
- The confirmed Webpack major and the full resolved `optimization.splitChunks` object (defaults plus overrides), not just the cache-group diff.
|
|
82
|
+
- The `chunks` scope value effective for the specific cache group in question (group-level override, if present, wins over the global setting).
|
|
83
|
+
- A build stats output (`webpack --json` or `webpack-bundle-analyzer` treemap) confirming the proposed cache-group change actually produced the intended chunk split, with a before/after chunk-name and chunk-size comparison.
|
|
84
|
+
- Whether `runtimeChunk` is configured, when reviewing a named vendor cache group intended for long-term-caching stability.
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: bundle-budget-code-splitting-review
|
|
3
|
+
description: Reviews JavaScript/CSS bundle composition against explicit numeric budgets, evaluates route- and component-level code-splitting boundaries, and requires a CI-enforced budget before endorsing any size fix as resolved.
|
|
4
|
+
allowed-tools: Read Grep Glob Bash(npm run build:*) Bash(du:*)
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: operational
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Bundle Budget & Code-Splitting Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Teams routinely respond to "the bundle feels big" with an ad hoc `React.lazy()` here and a dynamic `import()` there, ship it, and call the finding closed once the build succeeds. That proves nothing: it does not show whether the total byte weight moved, whether the change reduced or inflated the request count, or whether the win survives the next dependency bump. This skill turns "bundle feels big" into a numeric, device/network-scoped budget tied to INP/TTI, ranks analyzer output by both byte weight and main-thread execution cost, classifies each contributor into a specific remediation path, and refuses to mark a size finding resolved without a CI-enforced budget check — a one-time manual fix without an enforced budget is a regression waiting to happen.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- reduce JavaScript or CSS bundle size,
|
|
23
|
+
- review a bundle-analyzer report (webpack-bundle-analyzer, rollup-plugin-visualizer, or equivalent stats output),
|
|
24
|
+
- set or enforce a performance budget for a route or shared entry,
|
|
25
|
+
- decide where to add route-level or component-level code splitting,
|
|
26
|
+
- assess the size impact of adding a new dependency before it merges.
|
|
27
|
+
|
|
28
|
+
## When NOT to use
|
|
29
|
+
|
|
30
|
+
- Pure image/media asset optimization — different budget class (bytes-per-image, format/compression), different tooling; not this skill's concern.
|
|
31
|
+
- Server-side bundle or cold-start size for a serverless/edge function — different runtime, not the client-bundle budget this skill enforces.
|
|
32
|
+
- Deciding whether a chunk's *contents* are dead code once it is correctly split — hand off to `tree-shaking-dead-code-review` for that specific question; a chunk can be correctly split and still be full of unused exports, which is a distinct defect from a splitting-boundary defect.
|
|
33
|
+
- Diagnosing which Core Web Vitals sub-phase is regressing before a cause is known — hand off to `core-web-vitals-triage` first if the user only has a vague "it feels slow" complaint with no analyzer report yet; return here once JS weight is confirmed as the dominant contributor.
|
|
34
|
+
|
|
35
|
+
## Context7 Documentation Protocol
|
|
36
|
+
|
|
37
|
+
Bundler chunking APIs are version-sensitive and have changed shape recently — do not prescribe a config from memorized training data.
|
|
38
|
+
|
|
39
|
+
1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
|
|
40
|
+
2. Call `mcp__Context7__resolve-library-id` for the bundler in scope (Vite, webpack, Rollup, esbuild, Rolldown) before prescribing any chunking configuration.
|
|
41
|
+
3. Call `mcp__Context7__query-docs` for the specific mechanism — e.g. "manualChunks vs codeSplitting", "splitChunks cacheGroups", "dynamic import chunk naming" — before ruling on it. Do this per review; do not reuse a prior session's memory of bundler internals.
|
|
42
|
+
4. Known version-sensitive trap verified via Context7 as of this skill's `updated` date: Vite 8 (Rolldown-powered) removes the object form of `build.rollupOptions.output.manualChunks` entirely and deprecates the function form; the documented replacement is `build.rolldownOptions.output.codeSplitting` with a `groups` array (`{ name, test }` entries). Do not hand a Vite 8+ project a `manualChunks: { vendor: [...] }` object-form snippet — it will not apply. For Vite <8, function-form `manualChunks(id) { ... }` is still valid but is itself deprecated and should be flagged as a forward-migration item, not endorsed as the long-term pattern.
|
|
43
|
+
5. webpack's chunking surface (`optimization.splitChunks.cacheGroups`, dynamic `import()` with `webpackChunkName` magic comments) is comparatively stable across recent majors per Context7-grounded docs, but still confirm the installed webpack major before prescribing a specific `cacheGroups` shape, since defaults (`chunks: 'async'` vs `'all'`) affect which imports are eligible for splitting.
|
|
44
|
+
6. If Context7 is unavailable or returns no relevant match for the installed bundler, fall back to `official_docs` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
|
|
45
|
+
7. Never invent a bundler config key, CLI flag, or plugin option that no queried source confirms.
|
|
46
|
+
|
|
47
|
+
## Lean operating rules
|
|
48
|
+
|
|
49
|
+
- Establish the numeric budget before ranking anything. A budget with no device/network class and no percentile is not a budget — it is a guess. Refuse to close a finding against an undefined budget.
|
|
50
|
+
- Rank analyzer contributors by both parsed/gzipped byte size and main-thread execution cost; these produce different orderings, and execution cost correlates more directly with INP than raw byte size does. Report both, do not collapse them into one number.
|
|
51
|
+
- Classify every large module into exactly one path: needed on the critical path (keep, minimize), needed but deferrable (route/component-split candidate), duplicated across chunks (fix chunk-grouping config, not application code), or a heavier-than-necessary dependency (replace, or hand off to `tree-shaking-dead-code-review` if the issue is unused exports rather than the dependency itself).
|
|
52
|
+
- Treat over-splitting as a real regression, not just under-splitting. Every new chunk is a new request; if the aggregate request-overhead cost (connection reuse aside, still parse/eval/scheduling cost) offsets the byte savings, the split is net-negative. Require the byte-vs-request-count comparison before endorsing a split.
|
|
53
|
+
- Confirm the installed bundler major version via Context7 before prescribing `manualChunks`, `rolldownOptions.codeSplitting`, or `splitChunks` syntax — see Context7 Documentation Protocol. Do not assume a memorized API is still current.
|
|
54
|
+
- Never accept "it built without errors" as evidence a split is beneficial. Require a before/after byte comparison from the analyzer output, gzipped or brotli as configured for production.
|
|
55
|
+
- Flag any dynamic `import()` whose module specifier is built from unsanitized user input as a code-injection risk, not merely a performance nit — this is a security-relevant finding, not a style note.
|
|
56
|
+
- Do not recommend inlining third-party scripts to "save a request" without naming the CSP/subresource-integrity trade-off of inlined vs. externally loaded, SRI-checkable code.
|
|
57
|
+
- Require a CI-enforced budget (bundlesize, Lighthouse CI budget, or bundler-plugin size-limit check) as a condition of marking any size finding resolved. A manual one-time fix with no enforcement is not a fix, it is a snapshot.
|
|
58
|
+
|
|
59
|
+
## References
|
|
60
|
+
|
|
61
|
+
Load these only when needed:
|
|
62
|
+
|
|
63
|
+
- [Budget methodology](references/budget-methodology.md) — use when the user has no existing budget, or an existing budget lacks a device/network class or percentile, and one must be established or corrected.
|
|
64
|
+
- [Bundler chunking APIs](references/bundler-chunking-apis.md) — use when prescribing or reviewing Vite, webpack, or Rollup chunking configuration; contains the version-sensitive API grounding.
|
|
65
|
+
- [Code-splitting boundaries](references/code-splitting-boundaries.md) — use when deciding where to add route- or component-level splitting, or when diagnosing duplicated-dependency-across-chunks and over-splitting.
|
|
66
|
+
- [CI enforcement and verification](references/ci-enforcement-and-verification.md) — use for every review to specify the CI-enforced budget mechanism, the verification command, and the adversarial checklist before closing the finding.
|
|
67
|
+
|
|
68
|
+
## Response minimum
|
|
69
|
+
|
|
70
|
+
Return, at minimum:
|
|
71
|
+
|
|
72
|
+
- the numeric budget in scope (bytes, compression form, device/network class, percentile), stated explicitly or flagged as missing,
|
|
73
|
+
- the ranked contributor list with both byte size and main-thread execution-cost figures,
|
|
74
|
+
- per-item classification (keep / split / replace / dead-code-handoff / chunk-grouping-fix) with the concrete config diff, version-confirmed against the installed bundler major,
|
|
75
|
+
- the CI-enforced budget definition to add, not just a one-time manual fix,
|
|
76
|
+
- the verification command (`npm run build -- --report` or the project's equivalent analyzer invocation) and the request-count check confirming the split did not net-negative the change.
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "bundle-budget-code-splitting-review",
|
|
3
|
+
"name": "Bundle Budget & Code-Splitting Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"codex",
|
|
8
|
+
"claude-code",
|
|
9
|
+
"cursor",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews JavaScript/CSS bundle composition against explicit numeric budgets, ranks analyzer contributors by byte weight and main-thread execution cost, evaluates route- and component-level code-splitting boundaries against version-confirmed bundler chunking APIs, and requires a CI-enforced budget before endorsing any size fix as resolved, loaded progressively.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://web.dev/articles/reduce-javascript-payloads-with-code-splitting",
|
|
18
|
+
"https://web.dev/articles/your-first-performance-budget",
|
|
19
|
+
"https://vite.dev/guide/build.html",
|
|
20
|
+
"https://webpack.js.org/guides/code-splitting/",
|
|
21
|
+
"https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules/Dynamic_module_loading",
|
|
22
|
+
"https://webpack.js.org/plugins/split-chunks-plugin/"
|
|
23
|
+
],
|
|
24
|
+
"security_notes": "Do not recommend inlining third-party scripts to save a request without disclosing the CSP/subresource-integrity trade-off of inlined vs. externally loaded, SRI-checkable code. Flag any dynamic import() of a module specifier built from unsanitized user input as a code-injection risk, not merely a performance concern. Do not accept or echo any credential-shaped string found in a pasted build config or analyzer report as if it were safe to keep in the transcript.",
|
|
25
|
+
"last_verified": "2026-07-02",
|
|
26
|
+
"path": "skills/frontend/bundle-budget-code-splitting-review",
|
|
27
|
+
"author": "github: Raishin",
|
|
28
|
+
"version": "0.1.0"
|
|
29
|
+
}
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
# Budget Methodology
|
|
2
|
+
|
|
3
|
+
Use this reference when the user has no existing performance budget, or an existing budget is missing a device/network class, a compression form, or a percentile — establish or correct it before ranking anything against it.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "Keep the bundle small" is a budget.
|
|
10
|
+
|
|
11
|
+
It is not. A budget with no number is a slogan. A number with no device/network class and no percentile is a coin flip about whose experience it describes. Per web.dev's performance-budget guidance, a usable budget names:
|
|
12
|
+
|
|
13
|
+
1. **the metric being bounded** — total JS/CSS transfer bytes, per-route transfer bytes, or a timing metric (TTI/INP) the byte budget is a proxy for,
|
|
14
|
+
2. **the compression form** — gzip or brotli, matching what production actually serves; raw/uncompressed bytes overstate the number users pay for, and mixing forms across comparisons invalidates the comparison,
|
|
15
|
+
3. **the device/network class** — a mid-tier mobile CPU on a throttled "good 4G" profile is a meaningfully different budget than an unthrottled desktop; web.dev's budget guidance frames budgets in terms of a target device class precisely because bundle-parse/execution cost scales with CPU, not just network time,
|
|
16
|
+
4. **the percentile** — p75 is the conventional anchor (it is also the percentile Core Web Vitals field assessment uses), not the best-case or median session.
|
|
17
|
+
|
|
18
|
+
## Establishing a budget when none exists
|
|
19
|
+
|
|
20
|
+
1. Ask (or infer from existing CI config, `lighthouserc`, `bundlesize.config.json`, or a `size-limit` entry) whether a budget already exists in any form. Do not assume none exists just because this review wasn't asked to check.
|
|
21
|
+
2. Anchor the budget to a route classification, not a single global number:
|
|
22
|
+
- **critical path / shared entry** — loaded on every route; tightest budget, since it blocks first render everywhere.
|
|
23
|
+
- **secondary route** — route-specific bundle loaded via code splitting; budget can be looser since it does not block other routes.
|
|
24
|
+
- **vendor chunk** — third-party dependency weight; budget separately from application code so a dependency bump is caught distinctly from an application-code regression.
|
|
25
|
+
3. State the number in gzipped (or brotli, matching production) bytes, tied to p75 on the project's target device/network class. If the project has no stated target device/network class, default to a mid-tier mobile device on a throttled "good 4G" profile per web.dev's stated default budget context, and say explicitly that this default was assumed, not confirmed with the user.
|
|
26
|
+
4. Tie the byte budget back to a timing outcome (TTI or INP) where possible — a byte number with no timing justification is arbitrary. State the reasoning explicitly (e.g., "X KB of parse/execute cost on the target device class corresponds to roughly Y ms of main-thread blocking, which risks the INP budget").
|
|
27
|
+
|
|
28
|
+
## Correcting an existing but underspecified budget
|
|
29
|
+
|
|
30
|
+
If a budget exists but is missing a device/network class or a percentile, do not silently adopt it as sufficient. State the gap explicitly as a finding, propose the missing dimension using the defaults above, and note that the corrected budget needs sign-off before being treated as CI-enforceable — see [CI enforcement and verification](ci-enforcement-and-verification.md).
|
|
31
|
+
|
|
32
|
+
## Non-negotiables
|
|
33
|
+
|
|
34
|
+
- Do not rank an analyzer report against a budget that has no stated compression form — a byte number with unstated compression is not comparable to anything.
|
|
35
|
+
- Do not accept "under 250 KB" with no percentile or device class as a complete budget; treat it as a starting number that needs the missing dimensions filled in before enforcement.
|
|
36
|
+
- Do not invent a budget number without grounding it in either the project's existing target (stated by the user, present in CI config) or web.dev's documented default budget context — state which one was used.
|