@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (873) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15389 -12589
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +3 -2
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/generate-docs-data.mjs +1 -0
  333. package/scripts/generate-kiro-powers.mjs +12 -0
  334. package/scripts/update-catalog-new-agents.py +6 -1
  335. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  336. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  340. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  341. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  342. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  344. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  345. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  346. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  348. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  353. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  354. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  355. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  356. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  357. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  358. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  359. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  360. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  361. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  362. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  363. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  368. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  374. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  375. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  376. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  377. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  378. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  379. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  380. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  381. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  382. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  383. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  384. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  385. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  386. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  387. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  390. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  391. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  392. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  393. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  394. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  395. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  396. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  399. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  404. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  405. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  406. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  407. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  408. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  409. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  410. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  411. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  413. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  414. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  415. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  418. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  419. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  420. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  422. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  423. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  424. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  425. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  426. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  427. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  434. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  439. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  443. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  444. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  445. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  446. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  447. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  448. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  449. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  454. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  459. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  460. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  461. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  463. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  464. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  465. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  469. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  470. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  471. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  472. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  473. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  474. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  475. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  476. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  479. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  484. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  485. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  486. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  489. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  494. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  495. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  496. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  498. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  499. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  500. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  503. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  507. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  512. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  513. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  514. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  515. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  516. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  517. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  523. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  524. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  525. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  528. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  529. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  530. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  534. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  535. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  536. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  539. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  540. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  541. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  542. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  543. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  548. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  549. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  550. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  551. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  552. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  553. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  554. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  555. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  556. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  557. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  558. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  559. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  564. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  569. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  570. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  571. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  572. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  573. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  574. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  579. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  583. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  584. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  585. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  587. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  592. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  593. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  594. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  595. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  596. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  597. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  598. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  599. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  602. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  607. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  608. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  609. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  613. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  614. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  615. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  616. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  617. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  618. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  619. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  620. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  621. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  622. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  623. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  624. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  629. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  671. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  713. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  714. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  725. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  736. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  764. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  775. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  786. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  797. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  808. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  819. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  830. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  841. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  861. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  872. package/tests/validate-catalog.py +1 -0
  873. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,67 @@
1
+ ---
2
+ name: critical-rendering-path-review
3
+ description: Review page-load resource sequencing, render-blocking CSS/JS, layout-shift sources, and Core Web Vitals (LCP/CLS/INP) budget adherence against the critical rendering path model, explicitly separating lab/synthetic measurement (Lighthouse) from field/real-user measurement (CrUX/RUM) so performance claims are evidence-graded rather than asserted from a single synthetic run.
4
+ allowed-tools: Read Grep Glob Bash(git diff:*) WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: operational
10
+ ---
11
+
12
+ # Critical Rendering Path Review
13
+
14
+ ## Purpose
15
+
16
+ Performance regressions in the critical rendering path (render-blocking resources, layout-shift-inducing patterns, oversized LCP candidates) are cheap to introduce and expensive to diagnose after the fact, and lab data (a single Lighthouse run) frequently disagrees with field data (real users on real networks/devices) in ways that matter — a change that looks fine in a fast CI-runner Lighthouse run can regress Core Web Vitals for the actual user population. This skill reviews resource-loading order and layout-shift risk against the browser's actual parse/style/layout/paint pipeline, and enforces the lab-vs-field evidence distinction so performance verdicts aren't overclaimed.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review a diff for render-blocking CSS/JS, resource-loading order, or `<link>` resource-hint (preload/prefetch/preconnect) usage,
23
+ - diagnose or prevent Cumulative Layout Shift (CLS) sources (unsized images/embeds, late-injected content above existing content, web-font swap),
24
+ - assess Largest Contentful Paint (LCP) or Interaction to Next Paint (INP) budget adherence for a page or component,
25
+ - reconcile conflicting lab (Lighthouse) vs. field (CrUX/RUM) performance data,
26
+ - set or enforce a performance budget for a page/route.
27
+
28
+ ## Context7 Documentation Protocol
29
+
30
+ Render-blocking semantics, `<link>` resource-hint behavior, and Core Web Vitals thresholds/definitions change as browser implementations and measurement methodology evolve (e.g. INP replaced FID as a Core Web Vital in May 2024) — never assert them from memory.
31
+
32
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if they are not already loaded in this session.
33
+ 2. Call `mcp__Context7__resolve-library-id` for the relevant documentation set — for this skill that is almost always MDN (`/mdn/content`, or `/websites/developer_mozilla_en-us` if the former lacks coverage for the query).
34
+ 3. Call `mcp__Context7__query-docs` for the specific mechanism in question — e.g. "render-blocking `<link>` and `<script>` behavior", "`rel=preload` `as` and `crossorigin` requirements", "LargestContentfulPaint / layout-shift performance entry semantics" — before ruling on it. Do this per review, not once from memory of a prior session.
35
+ 4. web.dev is the primary source for Core Web Vitals *thresholds* (good/needs-improvement/poor cutoffs) and is not currently indexed in Context7; treat threshold numbers pulled from `official_docs`/`WebFetch` as `documentation-based` rather than `Context7-verified`, and say so explicitly. Use Context7/MDN to verify the underlying *mechanism* (what LCP/CLS/INP actually measure, what a `PerformanceObserver` reports) wherever possible.
36
+ 5. Prefer the official spec/MDN wording over this skill's own paraphrase when the two could be read to disagree; cite the resolved doc URL in the finding.
37
+ 6. If Context7 is unavailable or returns no relevant match, fall back to the URLs in `official_docs` / `references/*.md`, and explicitly mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
38
+ 7. Never invent a `<link>` attribute, performance-entry field, or Core Web Vitals threshold that no queried source confirms.
39
+
40
+ ## Lean operating rules
41
+
42
+ - Always separate lab data (synthetic, single-run, deterministic-ish, from Lighthouse/CI) from field data (real-user, aggregated, from CrUX or RUM tooling) explicitly in every finding — never present a Lighthouse score as if it were a field-validated user-experience claim.
43
+ - Trace resource-loading order against the actual critical rendering path (HTML parse → DOM/CSSOM construction → render tree → layout → paint → composite) rather than asserting 'this is render-blocking' without identifying which pipeline stage it blocks.
44
+ - Every image, video, or embed must have explicit width/height or `aspect-ratio` reserved space to prevent CLS; flag any that don't.
45
+ - Flag web-font loading without a `font-display` strategy or preload for the LCP-critical font, since font-swap/flash is a common unaddressed CLS and LCP-delay source.
46
+ - Query current web.dev/MDN Core Web Vitals thresholds before asserting a pass/fail budget verdict — LCP/CLS/INP thresholds and measurement methodology have changed (INP replaced FID as a Core Web Vital in May 2024); never assert current thresholds from memory.
47
+ - Do not recommend `preload`/`prefetch`/`preconnect` for third-party origins without weighing the connection-establishment cost against the information-leakage/timing tradeoff.
48
+ - Treat a single synthetic Lighthouse run as insufficient evidence for a production performance claim; flag the need for field data (CrUX/RUM) before asserting a real-user-experience verdict.
49
+ - Never suggest dropping Subresource Integrity (SRI) or bypassing CSP `script-src` allow-listing as a performance optimization.
50
+
51
+ ## References
52
+
53
+ Load these only when needed:
54
+
55
+ - [Resource-loading order and render-blocking audit](references/resource-loading-order.md) — use when tracing which resources block first paint/LCP and how to reorder or hint them (preload/defer/async/module).
56
+ - [Layout-shift source catalog](references/layout-shift-sources.md) — use when auditing a page/component for CLS sources beyond unsized media (late web-font swap, injected banners/ads, animation-triggered reflow).
57
+ - [Lab vs. field evidence reconciliation](references/lab-vs-field-evidence.md) — use when Lighthouse (lab) and CrUX/RUM (field) data disagree, or when a performance claim needs to be evidence-graded for a stakeholder deliverable.
58
+
59
+ ## Response minimum
60
+
61
+ Return, at minimum:
62
+
63
+ - the critical-rendering-path stage(s) affected by the change in scope (parse/style/layout/paint/composite),
64
+ - the render-blocking resource audit for any new/modified `<link>`, `<script>`, or `@import`,
65
+ - the CLS-source audit (unsized media, font-swap, late-injected content) for the page/component in scope,
66
+ - the LCP/CLS/INP budget verdict, explicitly labeled as lab evidence, field evidence, or inference,
67
+ - residual risk notes for anything requiring live Lighthouse/CrUX/RUM data beyond this static review.
@@ -0,0 +1,31 @@
1
+ {
2
+ "id": "critical-rendering-path-review",
3
+ "name": "Critical Rendering Path Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews page load sequencing — resource loading order, render-blocking CSS/JS, layout-shift risk, and Core Web Vitals budget adherence — separating lab (Lighthouse/synthetic) data from field (CrUX/RUM) data so performance claims are evidence-graded rather than asserted.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://web.dev/articles/critical-rendering-path",
18
+ "https://web.dev/articles/optimize-lcp",
19
+ "https://web.dev/articles/cls",
20
+ "https://web.dev/articles/inp",
21
+ "https://web.dev/vitals",
22
+ "https://developer.mozilla.org/en-US/docs/Web/Performance/Guides/Critical_rendering_path",
23
+ "https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/link",
24
+ "https://developer.chrome.com/docs/lighthouse/overview"
25
+ ],
26
+ "security_notes": "Flag preload/prefetch/preconnect resource hints pointed at third-party origins without considering the information-leakage/timing implications of establishing early connections to those origins. Flag any performance 'optimization' that removes Subresource Integrity (SRI) from a script/style tag to save a round trip — integrity checks are not a discretionary performance cost. Do not recommend inlining third-party scripts to avoid a network request in a way that bypasses CSP script-src allow-listing.",
27
+ "last_verified": "2026-07-02",
28
+ "path": "skills/frontend/critical-rendering-path-review",
29
+ "author": "github: Raishin",
30
+ "version": "0.1.0"
31
+ }
@@ -0,0 +1,60 @@
1
+ # Lab vs. Field Evidence Reconciliation
2
+
3
+ > Core Web Vitals thresholds (the good/needs-improvement/poor cutoffs for LCP/CLS/INP) live in web.dev, which is not currently indexed in Context7. Treat specific threshold numbers as `documentation-based` and re-verify against `https://web.dev/vitals` and the metric-specific web.dev articles before asserting a pass/fail budget verdict — do not assert them from memory or from this file, which does not restate them for that reason.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "I ran Lighthouse, the score is green, performance is fine."
10
+
11
+ Wrong, and it is wrong in a specific, well-documented way: Lighthouse is a **lab** tool — a single synthetic run, on a simulated or fixed device/network profile, usually with a cold cache, on whatever machine ran it (a fast CI runner or an engineer's laptop are both faster and more consistent than most real user devices/networks). It cannot see what real users on real hardware and real networks actually experience. A change can score green in a CI Lighthouse run and simultaneously regress Core Web Vitals in the Chrome UX Report (CrUX) for the real user population, and the reverse is equally possible — a lab regression that never shows up in field data because it falls below the threshold real users' devices are sensitive to.
12
+
13
+ ## Officially grounded distinction
14
+
15
+ - **Lab data** (Lighthouse, WebPageTest, a local Chrome DevTools trace): synthetic, reproducible, deterministic-ish (modulo system noise), useful for **diagnosing** *why* something is slow because it gives you a full trace/waterfall — but it reflects one simulated environment, not your actual user population's device mix, network conditions, cache state, or extensions/interference.
16
+ - **Field data** (Chrome UX Report / CrUX, or a first-party Real User Monitoring / RUM setup using the `web-vitals` JS library or the underlying Performance APIs directly): aggregated measurements from real page loads by real users, on their actual devices and networks — this is what Core Web Vitals thresholds are actually evaluated against for things like Google Search's page-experience signal, and it is the only data source that can tell you what users actually experienced.
17
+
18
+ Neither one is a substitute for the other:
19
+
20
+ - Lab data without field data → you don't know if your synthetic environment represents your real users at all (e.g. testing on fast fiber when 40% of your traffic is mobile on 4G).
21
+ - Field data without lab data → you know something regressed, but you have no trace/waterfall to diagnose *why*, and CrUX is aggregated over a rolling 28-day window, so it lags a deploy by design and can't attribute a regression to a specific commit.
22
+
23
+ ## Non-negotiable review rules
24
+
25
+ ### 1. Never present a Lighthouse score as a user-experience claim
26
+
27
+ A sentence like "LCP is 1.8s, this is fast for users" is not supportable from a Lighthouse run alone — the correct claim is "LCP is 1.8s in this lab run under [specified throttling profile]; field verification via CrUX/RUM is needed to confirm real-user experience." Say which one you have.
28
+
29
+ ### 2. Label every performance number by its evidence source
30
+
31
+ Use one of: `lab (Lighthouse/CI)`, `lab (local DevTools trace)`, `field (CrUX)`, `field (RUM)`, `inference (not measured, reasoned from code review)`. Do not present an inferred estimate ("this should improve LCP by roughly X") as if it were measured.
32
+
33
+ ### 3. CrUX has structural limitations — know them before citing it
34
+
35
+ CrUX data: is a rolling aggregate (commonly a 28-day window) so it cannot attribute a regression to a specific deploy without waiting; only reports origins/URLs with sufficient real-world traffic (low-traffic pages may have no CrUX data at all); reports field percentiles (commonly the 75th percentile) rather than a single number, so "the field LCP" is actually a distribution, not a point value — always specify which percentile a cited number represents. Flag a claim that treats CrUX as instantly reflecting today's deploy, or as covering a low-traffic page it may not have data for.
36
+
37
+ ### 4. A single Lighthouse run is not enough even as lab evidence
38
+
39
+ Lab measurement variance (system load, thermal throttling, background processes) means a single run of Lighthouse is not reliable evidence on its own — multiple runs (or a controlled tool that already runs multiple iterations and reports median/percentile) are needed before treating a lab number as stable evidence, not just a single sample.
40
+
41
+ ### 5. Reconciling disagreement between lab and field
42
+
43
+ When lab says "fine" and field says "regressed" (or vice versa), the disagreement itself is the finding — investigate rather than picking whichever number supports the desired conclusion. Common causes: the lab throttling profile doesn't represent the real device/network mix (e.g. desktop-only lab testing for a mostly-mobile audience); the lab run has a warm cache the CI step didn't clear, but real first-time visitors don't; the regression is specific to a code path/interaction that the lab script's test URL/flow doesn't exercise (e.g. INP on a specific interactive element the Lighthouse run never clicks, since Lighthouse's synthetic run cannot fully simulate INP the way field RUM data — which requires observed real interactions — can).
44
+
45
+ ## Minimal safe review flow
46
+
47
+ 1. Identify what evidence is actually available for the claim being reviewed (lab-only, field-only, both, or neither/inference).
48
+ 2. If only lab data exists for a production-impacting claim, state that field verification is outstanding as a residual risk rather than asserting a final verdict.
49
+ 3. If lab and field data disagree, investigate the throttling-profile/cache-state/traffic-mix explanations above before concluding either number is "wrong."
50
+ 4. Cite the specific percentile (e.g. p75) and time window for any field number, and the specific throttling/device profile for any lab number.
51
+ 5. Re-verify current LCP/CLS/INP threshold cutoffs against `https://web.dev/vitals` before stating a pass/fail budget verdict — do not reuse a remembered threshold from a prior review.
52
+
53
+ ## When to push back
54
+
55
+ Push back if the user says:
56
+
57
+ - "the Lighthouse score is green, ship it" — for anything with real production traffic, ask whether field data (CrUX or RUM) exists or is planned to confirm it,
58
+ - "CrUX shows we're fine" for a page/route that just shipped a change days ago — CrUX's rolling window means it may not yet reflect that change,
59
+ - "just average the field numbers" — Core Web Vitals are evaluated at specific percentiles (commonly p75), not the mean; averaging hides the tail experience that the metric is specifically designed to surface,
60
+ - "we don't need RUM, Lighthouse in CI is enough" for a production application with a real, diverse user base — lab-only measurement cannot see device/network heterogeneity that field data is specifically designed to capture.
@@ -0,0 +1,68 @@
1
+ # Layout-Shift Source Catalog
2
+
3
+ > Verify `LayoutShift`/`LayoutShiftAttribution` performance-entry semantics against current MDN docs via Context7 before citing exact scoring behavior — the CLS scoring window/session-gap algorithm has changed since CLS's introduction. Treat any specific numeric session-window value as `documentation-based` and re-verify rather than asserted from memory.
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > "CLS is about images without `width`/`height` — I checked, they're all fine."
10
+
11
+ Incomplete. Unsized media is the textbook example, but it is one of at least five distinct source categories, and a page can pass a naive "all images have dimensions" check while still shipping a significant CLS regression.
12
+
13
+ ## Officially grounded definition
14
+
15
+ Per MDN's CLS glossary entry and the Layout Instability API (`LayoutShift`/`LayoutShiftAttribution`), a layout shift is scored when a visible element's start position changes between two rendered frames, without that change being the direct result of a user interaction. `LayoutShiftAttribution` reports the specific DOM node(s) responsible along with `previousRect`/`currentRect`, which is the ground-truth way to attribute a shift to a specific element rather than guessing from a diff.
16
+
17
+ ## Source categories to audit
18
+
19
+ ### 1. Unsized media (the well-known one)
20
+
21
+ Any `<img>`, `<video>`, `<iframe>`, or `<embed>` without explicit `width`/`height` attributes (or a CSS `aspect-ratio`/explicit sized container) reserves no space before the resource loads, so its arrival pushes surrounding content. This applies equally to background images used as layout-affecting content and to responsive images (`srcset`) — the reserved box must match the *intrinsic* aspect ratio, not just have some placeholder height that doesn't match the eventual rendered size.
22
+
23
+ ### 2. Web-font swap (FOIT/FOUT)
24
+
25
+ A font that loads after initial text paint and has different metrics (x-height, glyph width) than the fallback font shifts every line it affects when it swaps in. This is invisible to an "images have dimensions" check entirely. Mitigations to look for:
26
+
27
+ - `font-display: swap` (or `optional`) on `@font-face`, chosen deliberately rather than defaulted to `auto`/`block`.
28
+ - A `<link rel="preload" as="font" crossorigin>` for the LCP-critical font so it's fetched earlier and the swap window is shorter.
29
+ - Font-metric-matching fallback stacks (e.g. via `size-adjust`/`ascent-override`/`descent-override` in a matching `@font-face` fallback declaration, or a generated fallback via a tool that computes these) to minimize the visual delta when the swap happens, when the swap itself can't be eliminated.
30
+
31
+ Flag any new `@font-face` with neither a `font-display` strategy nor a metric-matched fallback as an unaddressed CLS/LCP risk.
32
+
33
+ ### 3. Content injected above existing content
34
+
35
+ Any DOM insertion above the current viewport's visible content — a banner, cookie-consent bar, ad slot, or async-loaded promo — that doesn't have space reserved for it shifts everything below. This is a frequent CLS source that has nothing to do with media sizing at all. Audit: does the container reserve a fixed or `min-height` slot before the async content resolves, or does content just get prepended/inserted into flow?
36
+
37
+ ### 4. Animations that trigger layout instead of compositing
38
+
39
+ CSS animations/transitions on `top`/`left`/`width`/`height`/`margin` (layout-triggering properties) rather than `transform`/`opacity` (compositor-only properties) can register as layout shifts if they affect other elements' positions, and are also a distinct main-thread-cost problem independent of CLS. Flag any newly added animation on a layout-affecting property and ask whether a `transform`-based equivalent achieves the same visual effect.
40
+
41
+ ### 5. FOUC/late-applied CSS affecting already-painted content
42
+
43
+ If content paints before a stylesheet (or a `<style>` block inserted by JS) fully applies, and the styles change box dimensions, that is a layout-shift source distinct from font swap — e.g. a CSS-in-JS solution that injects styles after first paint, or a critical-CSS strategy that inlines an incomplete subset and loads the rest async without accounting for elements that need the deferred rules for correct sizing.
44
+
45
+ ## Non-negotiable review rules
46
+
47
+ - Do not accept "images have width/height" as a complete CLS review — walk all five categories above.
48
+ - Any element inserted above existing viewport content without a reserved slot is a blocking finding, not a nice-to-have fix, if it's likely to occur after first paint (ads, consent banners, personalization banners, notification bars).
49
+ - New `@font-face` rules must specify a deliberate `font-display` value; flag `auto`/default (browser-dependent, commonly behaves like `block`) as unreviewed.
50
+ - New layout-triggering animations (`top`/`left`/`width`/`height`/`margin` in `@keyframes` or `transition`) should be flagged with a suggested `transform`/`opacity` alternative when the visual intent allows it.
51
+ - Distinguish shifts caused by user interaction (which are explicitly excluded from CLS scoring, e.g. an accordion the user clicked to expand) from unexpected shifts — don't flag legitimate, user-triggered layout changes as CLS problems.
52
+
53
+ ## Minimal safe review flow
54
+
55
+ 1. Identify every element that renders asynchronously or after a network/font/JS dependency resolves (images, fonts, injected banners, lazy content, animated elements).
56
+ 2. For each, check whether visual space is reserved before it resolves (`width`/`height`, `aspect-ratio`, `min-height` container, skeleton placeholder).
57
+ 3. For fonts specifically, confirm a `font-display` strategy and, for LCP-critical fonts, a preload.
58
+ 4. For animations, confirm they animate compositor-only properties where visually equivalent.
59
+ 5. State whether the verdict is markup/CSS-inferred (`inference`) or confirmed via a live `LayoutShift`/`LayoutShiftAttribution` observer trace (`live evidence`) — attribution data is the only way to confirm which specific element actually caused a measured shift versus which one merely looks suspicious in markup.
60
+
61
+ ## When to push back
62
+
63
+ Push back if the user says:
64
+
65
+ - "it's just one image, CLS won't notice" — a single large above-the-fold image is often the single biggest CLS contributor on a page,
66
+ - "we'll add the font-display later" — that is deferring a known, cheap-to-fix CLS/LCP source indefinitely,
67
+ - "the banner only shows sometimes, so it doesn't count" — intermittent injection is still a real-user-experience regression for the users who see it, and CrUX aggregates across all real loads including that one,
68
+ - "let's just wrap it in `overflow: hidden` so the shift isn't visible" — that hides the symptom from a visual check without preventing the actual layout recalculation, and does not necessarily improve the measured CLS score.
@@ -0,0 +1,79 @@
1
+ # Resource-Loading Order and Render-Blocking Audit
2
+
3
+ > Verify exact `<link>`/`<script>` attribute behavior against current MDN docs via Context7 before ruling — browser render-blocking rules and resource-hint attributes are implementation-defined and have changed (e.g. `blocking="render"`, `fetchpriority`). Do not assert them from memory.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "Put scripts at the bottom of `<body>` and it's fixed."
10
+
11
+ Incomplete. That mitigates one failure mode (parser-blocking synchronous `<script>` in `<head>`) but says nothing about CSS blocking, resource priority, third-party origin cost, or whether the thing you deferred was actually needed for first paint.
12
+
13
+ ## Officially grounded pipeline
14
+
15
+ Per MDN's critical rendering path reference: the browser builds the DOM as HTML is parsed, builds the CSSOM from requested/inline styles, combines DOM + CSSOM into the render tree, computes layout, then paints and composites pixels. Two consequences follow directly from that pipeline:
16
+
17
+ - **CSS is render-blocking by default.** The browser withholds first paint until it has the CSSOM, specifically to avoid a flash of unstyled content. A `<link rel="stylesheet">` in `<head>` blocks rendering unless explicitly marked otherwise (e.g. via a non-render-blocking media query that doesn't match the current viewport, or `blocking` control on supporting elements).
18
+ - **A synchronous `<script>` (no `async`/`defer`/`type="module"`) blocks HTML parsing at the point it appears,** because the parser must assume the script could call `document.write` or otherwise mutate the DOM before parsing continues. It does not block CSSOM construction, but it can be blocked *by* an earlier stylesheet (browsers commonly delay script execution until preceding CSS has loaded, since the script might query computed style).
19
+
20
+ So "render-blocking" is not one failure mode — audit each resource against which stage it blocks:
21
+
22
+ | Resource | Blocks HTML parse? | Blocks first paint? |
23
+ |---|---|---|
24
+ | `<link rel="stylesheet">` (no disabling media) | No | Yes |
25
+ | `<script src="...">` (no async/defer/module) | Yes, at that point | Indirectly (delays DOM/paint readiness) |
26
+ | `<script defer>` | No | No (executes after parse, before `DOMContentLoaded`) |
27
+ | `<script async>` | No | No, but executes whenever it finishes downloading — order not guaranteed relative to other scripts |
28
+ | `<script type="module">` | No (deferred by default) | No |
29
+ | `@import` inside CSS | N/A | Yes, and serializes — it blocks until fetched, adding a network round trip the browser couldn't discover from the HTML in parallel |
30
+
31
+ Live evidence for a given page: `PerformanceObserver({type: "resource", buffered: true})` and check `entry.renderBlockingStatus === "blocking"` (per `PerformanceResourceTiming.renderBlockingStatus`), or `performance.getEntriesByType("resource")` filtered the same way. This is the only way to get a ground-truth render-blocking verdict for a *live* page rather than an inferred one from reading markup.
32
+
33
+ ## Non-negotiable review rules
34
+
35
+ ### 1. Classify every new/modified `<link>` and `<script>` by blocking behavior, not by intent
36
+
37
+ Do not accept "it's deferred" as true because the author says so — check the actual attribute (`defer`, `async`, `type="module"`, `blocking`) and its placement.
38
+
39
+ ### 2. `@import` in CSS is a hidden render-blocking network round trip
40
+
41
+ Flag any new `@import` in a stylesheet that's itself render-blocking. The browser cannot discover and start fetching an `@import`-ed stylesheet until it has already parsed the CSS that contains it — it cannot be discovered by the HTML preload scanner the way a `<link>` can. Prefer a second `<link rel="stylesheet">` in the HTML.
42
+
43
+ ### 3. Resource hints are not interchangeable
44
+
45
+ Per MDN's `<link>` reference and the `dns-prefetch`/`preconnect`/`preload` guides:
46
+
47
+ - `dns-prefetch` — resolve DNS only. Cheapest hint; useful for many possible-but-uncertain origins.
48
+ - `preconnect` — DNS + TCP + TLS handshake. More expensive per origin; browsers cap how many they'll act on, so do not `preconnect` to more than a handful of origins.
49
+ - `preload` — fetch a *specific, known-needed* resource at high priority, before the parser would otherwise discover it. Requires the correct `as` value (`script`, `style`, `font`, `image`, etc.) or the browser may apply the wrong priority/type-check and silently double-fetch. Cross-origin font preloads require `crossorigin` even for same-site font hosting, because fonts are fetched in "anonymous" CORS mode regardless of same-origin-ness.
50
+ - `modulepreload` — the module-script-specific equivalent of `preload`, which also allows the browser to parse and cache the module graph ahead of execution.
51
+ - `prefetch` — low-priority fetch for a resource likely needed for a *future* navigation, not the current render. Do not use it for anything on the current page's critical path — it competes for bandwidth at low priority and is the wrong tool if the goal is to affect *this* page's LCP.
52
+
53
+ A `preload` misused for a resource that turns out unused within a few seconds of load produces a Chrome DevTools/Lighthouse warning and wastes bandwidth — flag speculative preloads with no confirmed use.
54
+
55
+ ### 4. Third-party resource hints have a cost, not just a benefit
56
+
57
+ `preconnect`/`dns-prefetch` to a third-party origin (analytics, font CDN, ad tech, social widget) opens a connection or resolves DNS to that origin earlier than the page would otherwise need to — which also means that origin observes the visit earlier and independent of whether the resource is ever actually used. Weigh this against the latency win; do not recommend blanket `preconnect` to every third-party origin referenced anywhere on the page.
58
+
59
+ ### 5. LCP-candidate resource should be the highest-priority fetch on the page
60
+
61
+ If the LCP element is a background `<img>`, hero image, or web font, confirm it is discoverable by the HTML preload scanner (i.e. present as a real `<img src>`/`<link>` in markup, not injected by a blocking JS bundle) and, where warranted, has an explicit `fetchpriority="high"` or `<link rel="preload">`. An LCP image that only becomes discoverable after a render-blocking JS bundle executes is a common, easily fixed regression.
62
+
63
+ ## Minimal safe review flow
64
+
65
+ 1. List every `<link>`, `<script>`, and `@import` added or modified in the diff.
66
+ 2. Classify each by blocking behavior per the table above (parse-blocking / paint-blocking / neither).
67
+ 3. For each resource hint (`preload`/`prefetch`/`preconnect`/`dns-prefetch`/`modulepreload`), confirm it targets a resource actually needed for *this* page's first render, has correct `as`/`type`/`crossorigin`, and isn't redundant with browser-default discovery.
68
+ 4. Identify the LCP candidate and confirm it is discoverable without executing render-blocking JS first.
69
+ 5. Flag any `@import`, unbounded `preconnect` list, or speculative preload as findings, not silent passes.
70
+ 6. State whether the verdict is markup-inferred (`inference`) or confirmed via a live `PerformanceObserver`/DevTools trace (`live evidence`).
71
+
72
+ ## When to push back
73
+
74
+ Push back if the user asks for:
75
+
76
+ - `preconnect` to every third-party domain referenced anywhere in the codebase "just in case,"
77
+ - moving all `<script>` tags to `async` without checking execution-order dependencies between them,
78
+ - a blanket `preload` for every image on the page instead of just the LCP candidate,
79
+ - removing a render-blocking stylesheet without confirming what visual state exists before it loads (flash of unstyled content is a real regression, not just a metric).
@@ -0,0 +1,71 @@
1
+ ---
2
+ name: css-architecture-design-system-review
3
+ description: Review CSS for specificity and cascade-layer discipline, design-token (custom-property) conformance, and responsive strategy correctness (container queries vs. media queries), catching specificity wars, hardcoded-value token drift, and non-reflowing layouts that fail WCAG 1.4.10/1.4.4 before they compound into unmaintainable stylesheets.
4
+ allowed-tools: Read Grep Glob Bash(git diff:*) WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: architecture
10
+ ---
11
+
12
+ # CSS Architecture & Design System Review
13
+
14
+ ## Purpose
15
+
16
+ CSS at scale degrades through two silent mechanisms: specificity creep (engineers reaching for `!important` or ID selectors to win cascade fights instead of fixing the underlying layer structure) and design-token drift (hardcoded values reappearing next to a token system, diverging visual output over time). Neither shows up as a compile error or a failing test — they show up eighteen months later as an unmaintainable stylesheet nobody wants to touch. This skill catches both at review time, plus the responsive-strategy and WCAG visual-presentation failures that are CSS's specific accessibility responsibility.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review a CSS/component-styling diff for specificity, cascade, or maintainability issues,
23
+ - audit a codebase's design-token (CSS custom-property) conformance,
24
+ - decide between container queries and media queries for a responsive pattern,
25
+ - establish or enforce a cascade-layer strategy (`@layer reset, base, tokens, components, utilities, overrides`),
26
+ - check layout resilience against WCAG 2.2 reflow (1.4.10) and resize-text (1.4.4) criteria.
27
+
28
+ Do not use this skill for:
29
+
30
+ - JavaScript/framework component architecture — use the matching framework-specific review skill instead,
31
+ - live visual-regression testing or contrast-ratio measurement — that requires a runtime tool, not static review,
32
+ - choosing a CSS methodology from scratch with no existing code — that is a greenfield design conversation, not a review.
33
+
34
+ ## Context7 Documentation Protocol
35
+
36
+ - Resolve the MDN Web Docs library ID with `resolve-library-id` (matched result: `/mdn/content`) before citing any cascade-layer, container-query, or custom-property specificity claim.
37
+ - Before asserting cascade-layer precedence, `!important` interaction, or container-query browser-support behavior, call `query-docs` against `/mdn/content` and cite the section — do not assert from memory. Cascade-layer `!important` precedence is inverted relative to normal-declaration precedence and is easy to misstate without checking.
38
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
39
+ - Never assume a browser-support baseline (e.g., "container queries are safe everywhere now") without checking current docs; treat support claims as version/date-sensitive, not fixed facts.
40
+
41
+ ## Lean operating rules
42
+
43
+ - Never approve new `!important` without a documented cascade-layer justification — it is a symptom that the layer/selector structure should be fixed, not a valid quick fix. Note: `!important` precedence is inverted across layers (earlier-declared layers win for important declarations), so verify actual winning behavior against the declared `@layer` order rather than assuming a simple override.
44
+ - Never approve new ID-selector styling for components; treat it as a specificity-escalation risk that will require `!important` or worse to override later.
45
+ - In any codebase with an established design-token system, flag hardcoded color/spacing/typography values and name the nearest token substitute — do not silently allow token drift. Distinguish token tiers (primitive → semantic → component) when recommending a substitute; do not point a component-level override at a raw primitive if a semantic token exists.
46
+ - Do not bikeshed methodology (BEM vs. utility-first vs. CSS Modules vs. cascade layers) when a convention is already established; enforce consistency with what exists over personal preference.
47
+ - Query current MDN/W3C docs for `@layer`/`@container` support and semantics before ruling — container queries only reached broad Baseline status in 2023 and cascade-layer support nuances (especially `!important` interaction) vary; never assert current support from memory.
48
+ - Distinguish container queries (component depends on its container's size) from media queries (component depends on the viewport) — recommending the wrong one for the actual dependency is a correctness bug, not a style preference. A component intended for reuse across differently-sized containers (sidebar, main content, modal) needs a container query; a page-level layout shift needs a media query.
49
+ - Never treat CSS as an access-control boundary; `display:none`/`visibility:hidden` hiding an affordance is not a substitute for server-side authorization. Flag this as a HIGH-severity finding, not a style note, whenever hidden-but-present markup carries privileged data or actions.
50
+ - Flag anything needing live visual-regression or contrast-ratio measurement as a residual risk requiring live-runtime verification, not asserted from static analysis alone.
51
+ - Flag attribute-selector-plus-background-image patterns (e.g. `input[value^="a"] { background: url(...) }`) as a potential CSS-based data-exfiltration vector — they can leak user-controlled attribute values via network requests.
52
+ - Flag third-party `@import` rules with no accompanying Subresource Integrity or CSP `style-src` consideration as a supply-chain risk, not a performance nitpick.
53
+ - Never execute, build, or run application code, and never fetch live pages to "see how it renders" without the user's explicit ask; this is a static-review skill augmented only by documentation lookups (Read/Grep/Glob plus scoped `git diff` and `WebFetch` for docs/spec grounding).
54
+
55
+ ## References
56
+
57
+ Load these only when needed:
58
+
59
+ - [Cascade layer strategy](references/cascade-layer-strategy.md) — use when establishing or auditing a `@layer` order for a codebase, or resolving a specificity conflict between two legitimate rules.
60
+ - [Design token conformance patterns](references/token-conformance.md) — use when auditing hardcoded-value drift against an existing custom-property token system, including token-tier (primitive vs. semantic vs. component) conventions.
61
+ - [Responsive strategy decision guide](references/responsive-strategy.md) — use when deciding container query vs. media query, or auditing reflow/resize-text compliance at 400%/200% zoom.
62
+
63
+ ## Response minimum
64
+
65
+ Return, at minimum:
66
+
67
+ - the specificity/cascade verdict per flagged selector, with its computed specificity value when relevant,
68
+ - a token-conformance report distinguishing token-referenced values from hardcoded ones,
69
+ - the responsive-strategy verdict (container query vs. media query appropriateness) for any new responsive rule,
70
+ - the recommended cascade-layer placement for new rules,
71
+ - residual risk notes for anything requiring live visual-regression or contrast-checker verification beyond this static review.
@@ -0,0 +1,30 @@
1
+ {
2
+ "id": "css-architecture-design-system-review",
3
+ "name": "CSS Architecture & Design System Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews CSS for specificity/cascade-layer discipline, design-token conformance, and responsive strategy (container queries vs. media queries), catching specificity wars, token drift, and non-reflowing layouts before they compound into unmaintainable stylesheets.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://developer.mozilla.org/en-US/docs/Web/CSS",
18
+ "https://www.w3.org/TR/css-cascade-5/",
19
+ "https://www.w3.org/TR/css-variables-1/",
20
+ "https://www.w3.org/TR/css-contain-3/",
21
+ "https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_cascade/Cascade_layers",
22
+ "https://developer.mozilla.org/en-US/docs/Web/CSS/CSS_containment/Container_queries",
23
+ "https://www.w3.org/TR/WCAG22/#visual-presentation"
24
+ ],
25
+ "security_notes": "Do not treat CSS visibility/display properties as an access-control mechanism — hiding an element with CSS never substitutes for server-side authorization; flag any pattern that relies on it as a security control. Flag attribute-selector-plus-background-image patterns that could exfiltrate user-controlled attribute values via network requests (CSS-based data-exfiltration vector). Flag third-party @import without SRI/CSP style-src consideration.",
26
+ "last_verified": "2026-07-02",
27
+ "path": "skills/frontend/css-architecture-design-system-review",
28
+ "author": "github: Raishin",
29
+ "version": "0.1.0"
30
+ }
@@ -0,0 +1,64 @@
1
+ # Cascade layer strategy
2
+
3
+ Use this reference when establishing or auditing a `@layer` order for a codebase, or resolving a specificity conflict between two legitimate rules.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > Cascade layers are just a naming convention — put rules in a `@layer` block and specificity stops mattering.
10
+
11
+ Half right, and the half that's wrong is dangerous. Layers change *which layer wins*, but specificity still decides the winner *within* a layer, and — critically — the precedence order **inverts** for `!important` declarations. Per MDN's cascade-layers guidance: earlier-declared layers win over later-declared layers for normal declarations, but for `!important` declarations, earlier-declared layers win over later ones too — meaning an `!important` in an early "reset" layer can beat an `!important` in a later "overrides" layer, which is the opposite of what most engineers assume ("overrides should always win"). Unlayered styles sit in an implicit final layer for normal declarations, but unlayered `!important` styles have *lower* precedence than any layered `!important` declaration. Get this backwards and you'll "fix" a cascade bug by adding `!important` to the wrong layer and watch it silently lose anyway.
12
+
13
+ ## Officially grounded shape (MDN / W3C Cascade 5)
14
+
15
+ - `@layer name1, name2, name3;` declares layer order upfront, independent of where each layer's rules are later defined in the file.
16
+ - Layer order determines precedence **regardless of selector specificity** for normal (non-important) declarations — a low-specificity selector in a later layer beats a high-specificity selector in an earlier layer.
17
+ - Unlayered styles form an implicit layer that comes **last** (highest precedence) for normal declarations.
18
+ - For `!important` declarations, the precedence order is **inverted**: earlier-declared layers' important styles win over later layers' important styles, and layered important styles always beat unlayered important styles.
19
+ - Inline `style=""` importance still beats all author-layer `!important` declarations, regardless of layer order.
20
+ - `@import url(...) layer(name);` can assign an entire imported stylesheet to a layer, which is useful for third-party CSS you don't control (framework resets, component libraries) — put it in an early layer so your own rules can override it without `!important`.
21
+
22
+ ## Non-negotiable design rules
23
+
24
+ ### 1. Declare the full layer order in one place, upfront
25
+
26
+ Do not let layer order emerge implicitly from file-load order. A single `@layer reset, base, tokens, components, utilities, overrides;` statement (naming may vary per codebase convention) at the top of the entry stylesheet is the source of truth. If layer order is scattered or redeclared inconsistently across files, the *effective* order becomes whatever browser resolves first-seen — audit for this as a HIGH-severity finding.
27
+
28
+ ### 2. `!important` inside a layer is not a free pass — verify the inversion
29
+
30
+ Before approving `!important` anywhere, confirm which layer it lives in and whether the intended "win" actually happens under the inverted precedence rule. An `!important` added to `overrides` (a late layer) to "make sure it wins" will **lose** to an `!important` already present in an earlier layer like `reset`. This is the single most common cascade-layer mistake — check it explicitly, don't assume.
31
+
32
+ ### 3. Third-party/vendor CSS goes in the earliest layer
33
+
34
+ Wrap vendor resets, component-library base styles, or any CSS the team doesn't control in its own early layer (or `@import ... layer(vendor);`). This guarantees your own component/utility layers can override it with normal specificity, with no `!important` needed at all — that's the actual payoff of adopting layers.
35
+
36
+ ### 4. Utilities still need to out-rank components, by layer not specificity
37
+
38
+ If the codebase uses utility classes (e.g. Tailwind-style) alongside component styles, utilities must live in a layer declared *after* the components layer. Do not rely on utility classes having higher specificity than component selectors — that's fragile and exactly the pattern layers exist to replace.
39
+
40
+ ### 5. New ID-selector or `!important` usage outside an established layer is a regression, not a quick fix
41
+
42
+ Once a codebase has adopted cascade layers, any new unlayered `!important` or ID-selector styling should be treated as bypassing the system the team already invested in. Flag it and point to the correct layer.
43
+
44
+ ## Specificity primer (for the parts layers don't cover)
45
+
46
+ Within a single layer (or in a codebase with no layers), specificity still resolves conflicts using the standard weight: inline style > ID selectors > class/attribute/pseudo-class selectors > type/pseudo-element selectors, with `!important` overriding all of the above except a later `!important` of equal-or-higher-weight origin. Report specificity as a 4-part tuple (inline, IDs, classes/attrs/pseudo-classes, types/pseudo-elements) when it materially matters to a finding — do not just say "too specific" without the number.
47
+
48
+ ## Minimal safe implementation flow
49
+
50
+ 1. Confirm whether the codebase already declares a layer order. If yes, audit new rules against it. If no, do not retrofit an entire stylesheet into layers as a side effect of a routine review — recommend it as a separate, scoped initiative and note the current specificity-conflict risk in the meantime.
51
+ 2. For any flagged `!important` or ID selector, identify the specific rule it's fighting and the minimal layer-based fix (move to correct layer, or remove the escalation entirely because the real fix is layer placement).
52
+ 3. Verify inverted `!important` precedence explicitly for any layer-crossing `!important` conflict before declaring a winner — do not eyeball it.
53
+ 4. Note any third-party CSS that isn't isolated into its own layer as a maintainability risk.
54
+
55
+ ## Adversarial checklist
56
+
57
+ Before finalizing a cascade-layer finding, answer these:
58
+
59
+ - Is the full layer order declared in exactly one place, and does every file agree with it?
60
+ - If this conflict involves `!important` on both sides, did I apply the inverted precedence rule, or did I default to "later wins" (which is wrong for important declarations)?
61
+ - Is this `!important` compensating for a missing/incorrect layer assignment, rather than a legitimate necessity (e.g., overriding inline styles from a CMS)?
62
+ - Is the specificity claim backed by an actual computed tuple, or asserted qualitatively ("too specific")?
63
+
64
+ If any answer is "not sure," lower the finding's confidence and label it `documentation-based, needs live cascade-order verification` rather than presenting it as a confirmed defect.
@@ -0,0 +1,63 @@
1
+ # Responsive strategy decision guide
2
+
3
+ Use this reference when deciding container query vs. media query, or auditing reflow/resize-text compliance at 400%/200% zoom.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > Container queries are the new best practice — replace media queries with them wherever possible.
10
+
11
+ Wrong. Container queries and media queries answer different questions and are not interchangeable. A media query answers "how big is the viewport (or does the user prefer reduced motion / dark mode / etc.)?" A container query answers "how big is *this specific containing element*, regardless of viewport?" A component meant to be reusable inside a narrow sidebar *and* a wide main-content area needs a container query — a media query cannot express that, because the viewport is the same in both placements. Conversely, a page-level layout shift (e.g. switching a top-nav to a hamburger menu) is inherently viewport-driven and belongs in a media query — wrapping the whole page in a container just to query it is unnecessary indirection.
12
+
13
+ ## Officially grounded shape (MDN CSS Containment / Container Queries)
14
+
15
+ - `container-type: inline-size;` (or `size`) on an ancestor establishes a **query container**; `container-name` optionally scopes which `@container` rules target it.
16
+ - `@container (width >= 400px) { ... }` and named variants `@container excerpt (width >= 400px) { ... }` share the same comparison syntax and logical operators (`and`, `or`, `not`) as media queries.
17
+ - Container **style** queries (`@container style(--flag: value)`) also exist for querying a custom-property value on the container, distinct from size queries — verify which variant (`size` vs `style` vs both) the codebase/browser target actually needs before recommending one.
18
+ - A container query cannot query the size of the element it's applied to relative to itself (no self-referential sizing loop) — the `container-type` must be set on an **ancestor**, and the query targets descendants of that ancestor.
19
+ - Setting `container-type: size` or `inline-size` on an element applies layout/size containment to it, which affects how that element's children are sized (e.g. percentage heights) — this is a real layout side effect, not a no-op flag, and must be accounted for, not just bolted on to "enable container queries."
20
+
21
+ ## Non-negotiable design rules
22
+
23
+ ### 1. Ask "does this depend on its container, or on the viewport?" before choosing
24
+
25
+ If the same component needs different styling depending on *where it's placed* (sidebar vs. full-width), that's a container-size dependency → container query. If the same component always needs the same styling regardless of placement, but that styling should change based on *screen size*, that's a viewport dependency → media query. Do not default to container queries just because they are newer; recommending one when the actual dependency is viewport-based is a correctness bug, not a stylistic choice.
26
+
27
+ ### 2. Verify the containment side effect before approving `container-type`
28
+
29
+ Applying `container-type: size` or `inline-size` establishes containment that can change how a container's children resolve percentage-based dimensions and can affect the container's own intrinsic sizing behavior. Flag any new `container-type` addition to an element whose children rely on percentage heights or intrinsic sizing without a check that behavior is still correct.
30
+
31
+ ### 3. Do not recommend "just add both" as a hedge
32
+
33
+ Applying both a media query and a container query to the same rule for the "same" breakpoint without a distinct rationale for each is a maintainability trap — two systems now need to be kept in sync for one visual outcome. If both are genuinely needed (e.g., viewport-level layout change *and* the component independently needs to adapt to a narrower container within that layout), state the distinct rationale for each explicitly.
34
+
35
+ ### 4. Media queries remain correct — and required — for preference-based and non-size media features
36
+
37
+ `prefers-reduced-motion`, `prefers-color-scheme`, `prefers-contrast`, `forced-colors`, and print media all have no container-query equivalent; container queries only address size/style-of-container, not user/device preference signals. Never suggest replacing a preference-based media query with a container query.
38
+
39
+ ## WCAG 2.2 reflow and resize-text audit
40
+
41
+ - **1.4.10 Reflow**: content must be usable without horizontal scrolling (except content requiring 2D layout, like data tables or images) at a 320 CSS-px equivalent viewport width (i.e., 400% zoom on a 1280px-wide viewport). Flag any fixed-width container, fixed `min-width` wider than ~320px on primary content, or `overflow-x` forced on the body/main content region as a reflow-failure risk.
42
+ - **1.4.4 Resize text**: text must remain readable and functional when resized up to 200% without loss of content or functionality, without requiring assistive technology. Flag any font-size defined in `px` on root/body text without a corresponding relative-unit (`rem`/`em`/`%`) sizing strategy, and flag any fixed-height text container that would clip text at 200% zoom.
43
+ - Fixed viewport units (`vh`/`vw`) used for text container height, combined with fixed-size text, is a common reflow+resize-text double failure — flag it as one finding with both WCAG criteria cited, not two separate notes.
44
+ - These are static-review flags based on markup/CSS inspection, not a substitute for live zoom/reflow testing in a real browser — always label the finding `documentation-based risk, requires live verification at 400%/200% zoom`.
45
+
46
+ ## Minimal safe implementation flow
47
+
48
+ 1. For each new/changed responsive rule, identify what the styling actually depends on: container size, viewport size, or a user/device preference.
49
+ 2. Match the dependency to the correct query type per the rules above.
50
+ 3. If `container-type` is newly applied, check descendant elements for percentage-based sizing that containment could affect.
51
+ 4. Scan for fixed-width primary-content containers, fixed-px text sizing, and fixed-height text containers as reflow/resize-text risk flags.
52
+ 5. Report all size-based container-query/media-query findings and all WCAG 1.4.10/1.4.4 flags as `documentation-based risk` pending live-browser verification — never assert a WCAG pass/fail from static review alone.
53
+
54
+ ## Adversarial checklist
55
+
56
+ Before finalizing a responsive-strategy finding, answer these:
57
+
58
+ - Is the actual styling dependency container-size, viewport-size, or a user/device preference — confirmed, not assumed?
59
+ - If recommending `container-type`, did I check whether it changes containment behavior for existing percentage-sized children?
60
+ - Am I recommending both a media query and a container query for the same visual outcome without a distinct rationale for each?
61
+ - Have I mislabeled a static-review flag as a confirmed WCAG pass/fail instead of a risk pending live verification?
62
+
63
+ If any answer is "not sure," lower the finding's confidence and label it `documentation-based, requires live verification` rather than presenting it as a confirmed defect.