@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15389 -12589
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +3 -2
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "framework-upgrade-risk-review",
|
|
3
|
+
"name": "Framework Upgrade Risk Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Assesses the breaking-change and regression risk of a same-framework major-version upgrade (React, Angular, Vue, Next.js, build tooling) by grounding every claimed breaking change in the framework's official changelog/migration guide via Context7, and separates upgrade-blocking issues from cosmetic deprecation warnings.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://react.dev/blog",
|
|
18
|
+
"https://nextjs.org/docs/app/guides/upgrading",
|
|
19
|
+
"https://angular.dev/reference/releases",
|
|
20
|
+
"https://vuejs.org/guide/introduction.html"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "Prioritize any breaking change tied to a security advisory (e.g. a CVE fixed by the new major version) as a forced-upgrade driver, and flag if the current pinned version is past its security-support window regardless of migration effort. Never invent codemod names, CLI flags, or config keys.",
|
|
23
|
+
"last_verified": "2026-07-02",
|
|
24
|
+
"path": "skills/frontend/framework-upgrade-risk-review",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
# Breaking-Change Triage
|
|
2
|
+
|
|
3
|
+
Use this reference when classifying specific breaking changes from an official migration guide into blocking vs. cosmetic buckets, and when mapping each change to the code paths it actually touches.
|
|
4
|
+
|
|
5
|
+
> Version note: breaking-change lists are per-release and change across minor/patch versions within a major too (e.g. deprecation warnings added in a `.1` release ahead of removal in the next major). Re-pull the current official migration guide for the exact source and target versions before triaging — do not reuse a prior session's list without re-verifying it still matches.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The naive assumption is:
|
|
10
|
+
|
|
11
|
+
> "The migration guide lists N breaking changes, so there are N things to fix, roughly equal effort each."
|
|
12
|
+
|
|
13
|
+
Wrong. Migration guides mix at least three fundamentally different categories of severity, and treating them as equivalent produces either false alarm (blocking a low-risk upgrade over a warning) or false confidence (shipping an upgrade that silently changes runtime behavior).
|
|
14
|
+
|
|
15
|
+
## The three-tier classification
|
|
16
|
+
|
|
17
|
+
### 1. Build-blocking
|
|
18
|
+
|
|
19
|
+
The code will not compile or the build will fail outright. These are the safest category paradoxically — the build tells you immediately, and CI catches them before merge.
|
|
20
|
+
|
|
21
|
+
Examples grounded in official docs:
|
|
22
|
+
- React 19 removing `propTypes`/`defaultProps` on function components — this is a type/lint-level break in TypeScript codebases, not always a hard compile failure in plain JS, so verify whether the project uses TypeScript strict mode or just runtime PropTypes checks before calling it "build-blocking" vs. "silently degraded."
|
|
23
|
+
- Any removed export, removed CLI flag, or removed config key — grep the repo for the literal symbol/flag name to confirm actual usage before flagging it as in-scope; do not flag "this symbol was removed" as risk if the repo never imports it.
|
|
24
|
+
|
|
25
|
+
### 2. Runtime-blocking (behavioral break, not compile break)
|
|
26
|
+
|
|
27
|
+
The code compiles and builds fine, but behaves differently or throws at runtime. These are more dangerous than build-blocking changes because CI without adequate integration/e2e coverage will not catch them before production.
|
|
28
|
+
|
|
29
|
+
Grounded example: Next.js 15 making `cookies()`, `headers()`, `draftMode()`, and `params`/`searchParams` asynchronous. Old synchronous call sites do not necessarily fail to build in JS (they may still "work" until the returned Promise is used incorrectly) — they fail or misbehave at runtime, and the failure mode may only surface on paths exercised by real traffic, not by every test.
|
|
30
|
+
|
|
31
|
+
Grounded example: Next.js 15 changing `fetch` to be uncached by default. This produces no build error and no runtime crash — it produces a silent regression in data freshness or, more dangerously, in cache-hit-dependent performance/cost assumptions. This class of change is the one triage must not under-weight, because there is no error to signal it happened.
|
|
32
|
+
|
|
33
|
+
For every runtime-blocking change, identify:
|
|
34
|
+
- the specific API/behavior that changed (cite the migration guide section),
|
|
35
|
+
- whether an automated codemod exists and is officially named for it (do not assume — check `references/dependency-compatibility-matrix.md`-adjacent codemod listings in the framework's own upgrade docs),
|
|
36
|
+
- what test coverage (if any) would actually exercise the changed code path — if none, say so explicitly as a residual risk, not a solved problem.
|
|
37
|
+
|
|
38
|
+
### 3. Cosmetic deprecation
|
|
39
|
+
|
|
40
|
+
The code still works exactly as before; the framework emits a warning (console warning, lint warning, or doc note) that the API is scheduled for removal in a *future* major, not this one.
|
|
41
|
+
|
|
42
|
+
Do not present these as this-upgrade risk. List them separately as "deprecation debt to schedule before the *next* major," since conflating them with real blockers dilutes attention from what actually needs fixing before merge.
|
|
43
|
+
|
|
44
|
+
## Mapping to blast radius
|
|
45
|
+
|
|
46
|
+
For every build-blocking and runtime-blocking item (never cosmetic-only items, to keep the list actionable):
|
|
47
|
+
|
|
48
|
+
1. Identify the literal API/symbol/config key changed.
|
|
49
|
+
2. Search the repo (`Grep`) for actual usage of that symbol — imports, JSX usage, config keys, CLI invocations in `package.json` scripts.
|
|
50
|
+
3. Count distinct files/modules touched; do not estimate — enumerate.
|
|
51
|
+
4. Flag any usage inside test fixtures or mocks separately from production source, since test-only usage changes the risk profile (breaks CI, not production).
|
|
52
|
+
5. If the symbol is re-exported or wrapped by an internal abstraction layer, note that fixing the wrapper once may resolve many call sites — do not multiply file count by naive per-callsite fix cost.
|
|
53
|
+
|
|
54
|
+
## When to push back
|
|
55
|
+
|
|
56
|
+
Push back if the user asks you to://"just estimate the risk without checking the actual official migration guide for this version" — a risk assessment built from memory of a different major version (or a different framework entirely) is not a risk assessment, it is a guess wearing a risk assessment's clothes.
|
|
57
|
+
Push back if the user wants to skip the blast-radius search step because "it's probably fine" — "probably fine" is exactly the failure mode this skill exists to replace with an enumerated count.
|
|
58
|
+
Push back if the user wants to bundle a same-framework major upgrade together with unrelated dependency upgrades in one PR — that makes the blast radius of a failure ambiguous (which upgrade caused the regression?) and should be flagged as a review/rollback risk, not silently accepted.
|
package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md
ADDED
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
# Dependency Compatibility Matrix
|
|
2
|
+
|
|
3
|
+
Use this reference when the actual upgrade blocker is a third-party dependency's peer-dependency constraint, not a breaking change in the core framework itself.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive assumption is:
|
|
8
|
+
|
|
9
|
+
> "The framework's own migration guide says the upgrade is straightforward, so the upgrade is straightforward."
|
|
10
|
+
|
|
11
|
+
Wrong. The framework's own breaking-change list only covers the framework. It says nothing about whether the state-management library, UI component library, testing library, or build plugin the project actually depends on has published a compatible release yet. A framework-major upgrade is frequently blocked not by the framework's own breaking changes but by an ecosystem library that has not shipped peer-dependency support for the new major, sometimes for months after the framework's release.
|
|
12
|
+
|
|
13
|
+
## The actual compatibility surface
|
|
14
|
+
|
|
15
|
+
For a same-framework major upgrade, the dependencies most likely to gate the upgrade are:
|
|
16
|
+
|
|
17
|
+
- **UI component libraries** built directly against the framework's internals (not just its public API) — these are the most common blockers because internal API changes (e.g. React's internal fiber/reconciler changes, Angular's internal change-detection changes) can break a component library even when the library's *usage* of the public API looks unchanged.
|
|
18
|
+
- **State-management libraries** with framework-version-pinned peer dependencies.
|
|
19
|
+
- **Testing-library integrations** (React Testing Library, Angular TestBed harnesses, Vue Test Utils) — these often require a matching major version to support new rendering/hydration internals, and a stale version can produce misleading green tests that do not reflect real runtime behavior.
|
|
20
|
+
- **Build-tool plugins/loaders** that wrap the framework's compiler (e.g. a bundler plugin implementing framework-specific fast-refresh or SSR transforms) — these must track framework-internal changes closely and are a common source of "works with `next dev` but breaks under the plugin" issues.
|
|
21
|
+
- **Meta-framework version coupling** — e.g. Next.js major versions are coupled to a specific React major/minor floor; do not assess a Next.js upgrade's React compatibility from memory, check the specific Next.js major's stated React peer-dependency range in its own official docs for that release.
|
|
22
|
+
|
|
23
|
+
## Procedure
|
|
24
|
+
|
|
25
|
+
1. Enumerate the project's direct dependencies with the framework's own package as a peer dependency (read `package.json` `peerDependencies` fields of the top N most framework-coupled packages actually installed, not a generic list).
|
|
26
|
+
2. For each, check whether a release compatible with the target framework major has shipped. Prefer checking the dependency's own official changelog/release notes over inferring from its semver range, since a library may have shipped a compatible peer-dependency range before actually fixing all the runtime breakage that range implies is safe.
|
|
27
|
+
3. If a dependency has *not* shipped compatible support, this is a hard blocker independent of how clean the framework's own breaking-change list is — say so explicitly and do not let a clean framework migration guide imply a clean overall upgrade.
|
|
28
|
+
4. If a dependency requires a beta/RC release to get compatibility, flag that as an elevated-risk path (pinning to a pre-release for a production dependency) rather than presenting it as equivalent to a stable compatible release.
|
|
29
|
+
5. Distinguish "peer-dependency range technically allows the new major" from "the maintainer has stated they tested against the new major" — a permissive semver range is not evidence of compatibility, it is often just an unmaintained range that was never tightened.
|
|
30
|
+
|
|
31
|
+
## When to push back
|
|
32
|
+
|
|
33
|
+
Push back if the user wants to force-install (`--legacy-peer-deps` / `--force`) past a peer-dependency conflict as the resolution rather than as a temporary unblock — that suppresses the signal that a real incompatibility may exist and should be logged as residual risk, not treated as "resolved."
|
|
34
|
+
|
|
35
|
+
Push back if the user assumes a component library "probably still works" because it hasn't announced incompatibility — the absence of an announcement is not evidence of compatibility, especially for internal-API-coupled libraries; recommend an actual smoke test of the specific components in use.
|
|
36
|
+
|
|
37
|
+
Push back if the plan is to upgrade the framework and defer checking ecosystem-dependency compatibility until after merge — for framework-internal-coupled dependencies (UI kits, test harnesses, build plugins) this ordering inverts the actual risk: the framework's own official migration guide is usually the well-tested, well-documented part, while third-party catch-up compatibility is the least-documented and most likely source of surprise regressions.
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: frontend-auth-session-security-review
|
|
3
|
+
description: Review client-side authentication and session-management code for token-storage location, cookie-flag correctness, CSRF/open-redirect exposure, and OAuth/OIDC flow choice for browser-based apps against OWASP ASVS and Session Management Cheat Sheet guidance, with the OAuth-for-browsers reference loaded only when an OAuth/OIDC flow is in scope.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: security
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Frontend Auth & Session Security Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Most client-side account-takeover incidents come from session-management shortcuts, not cryptographic flaws: tokens in `localStorage` exposed to any XSS, missing `HttpOnly`/`Secure`/`SameSite` cookie flags, client-only redirect validation enabling open redirects, or implicit-grant OAuth flows that current guidance has superseded. This skill reviews against OWASP ASVS session-management requirements and the current browser-based-app OAuth best practice, not outdated tutorial patterns. It exists so the review stays anchored to these four documented defect classes — token storage, cookie flags, CSRF/open-redirect, OAuth flow choice — instead of drifting into a general "auth code review."
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- review where and how auth tokens/session identifiers are stored client-side,
|
|
23
|
+
- audit cookie attributes (`HttpOnly`, `Secure`, `SameSite`, `Domain`, `Path`) on session cookies,
|
|
24
|
+
- review a login/logout/session-refresh/redirect flow for CSRF or open-redirect exposure,
|
|
25
|
+
- review or design an OAuth 2.0/OIDC flow for a single-page or browser-based app,
|
|
26
|
+
- triage a session-fixation or account-takeover bug report.
|
|
27
|
+
|
|
28
|
+
Do not use this skill for:
|
|
29
|
+
|
|
30
|
+
- server-side authorization/access-control logic review (role checks, object-level permission enforcement) with no client-side session-handling angle — that is a backend authorization review, not a frontend session-security review,
|
|
31
|
+
- a DOM XSS or injection root-cause review with no session/auth angle — use a dedicated XSS/injection review skill; this skill treats "is there an XSS sink reachable from this token" only insofar as it changes the token-storage risk verdict, it does not hunt XSS sinks exhaustively,
|
|
32
|
+
- cryptographic algorithm or JWT signature-implementation review (choosing HS256 vs RS256, key-rotation mechanics) — that is a token-issuance/backend concern, not a client-side session-management concern,
|
|
33
|
+
- confirming that a session-fixation or CSRF bug has already been exploited in production — static review proves the structural risk, not confirmed exploitation; that requires live traffic analysis or a penetration test.
|
|
34
|
+
|
|
35
|
+
## Context7 Documentation Protocol
|
|
36
|
+
|
|
37
|
+
- Resolve the OWASP Cheat Sheet Series library ID with `resolve-library-id` (matched result: `/owasp/cheatsheetseries`) before citing any session-cookie-flag, CSRF-defense, or open-redirect-prevention claim; use `query-docs` against it to ground the exact flag/pattern being recommended (e.g., `__Host-` prefix requirements, `SameSite=Strict` vs `Lax` tradeoffs, synchronizer-token vs double-submit-cookie pattern).
|
|
38
|
+
- For OAuth/OIDC flow-choice claims (PKCE requirement for public clients, implicit-grant removal), resolve and query `/websites/datatracker_ietf_doc_draft-ietf-oauth-v2-1` (OAuth 2.1, which formalizes the browser-based-app guidance: implicit and hybrid flows removed, PKCE required for public clients). This is an IETF draft and its exact section numbers/text shift between draft revisions — label version-specific text as `documentation-based, verify against current draft revision`, not as ratified RFC text.
|
|
39
|
+
- Do not conflate the OAuth 2.1 draft's PKCE-for-public-clients requirement with a guarantee that a specific SDK or framework already implements it correctly — verify the actual library/SDK in use (via its own docs or Context7 entry, if one exists) before asserting the app's flow is compliant.
|
|
40
|
+
- If Context7 is unavailable for either library, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
|
|
41
|
+
- Read `package.json` (and any auth-library config) first to confirm which auth pattern is actually wired up (cookie-session middleware, an OAuth/OIDC client SDK, a hand-rolled fetch-based token flow) before recommending a fix — do not prescribe a pattern the app's architecture cannot support without a larger refactor being made explicit.
|
|
42
|
+
|
|
43
|
+
## Lean operating rules
|
|
44
|
+
|
|
45
|
+
- First classify the app architecture: traditional server-rendered app using cookies for session state, vs. SPA/browser-based app calling an API with bearer tokens. The correct token-storage and CSRF-defense pattern differs by architecture — a cookie-flag finding does not apply to a pure bearer-token SPA, and vice versa. State this classification explicitly before any other finding.
|
|
46
|
+
- Never bless `localStorage`/`sessionStorage` for session or access tokens as a default recommendation. If the codebase already uses it, treat it as a finding (XSS-exposure risk: any injected script can read it) and only accept it as a deliberate, justified tradeoff if the user explicitly argues the tradeoff and no unresolved XSS-sink concern exists in the reviewed scope — this skill does not itself clear that bar, it flags it.
|
|
47
|
+
- Verify every session cookie has `HttpOnly`, `Secure`, and an explicit `SameSite` value appropriate to the flow. `SameSite=None` is only acceptable paired with `Secure` and a documented cross-site necessity (e.g., a third-party embed); never accept `SameSite=None` without `Secure`, and never accept an unset `SameSite` (browser defaults vary and should not be relied on).
|
|
48
|
+
- For OAuth/OIDC in browser-based apps, flag the implicit grant (`response_type=token`) as a finding — current guidance requires the authorization code flow with PKCE for public clients. Do not recommend implicit grant for new work under any circumstance.
|
|
49
|
+
- Verify redirect/return-URL parameters (post-login redirect, OAuth `redirect_uri`, logout redirect) are validated against a server-side allow-list, not merely checked client-side. A client-only check (e.g., a JS regex before `window.location.assign`) is bypassable by directly hitting the server endpoint with the malicious parameter and is not a valid control on its own.
|
|
50
|
+
- Never ask for or print real tokens, cookies, session IDs, or OAuth client secrets during review; use placeholder or redacted values in every example and finding.
|
|
51
|
+
- Check that logout actually invalidates the session/token server-side (revocation call, server-side session-store deletion), not just clears client-side storage — a client-only logout leaves the token valid for replay until natural expiry.
|
|
52
|
+
- Load only the reference needed for the concern in scope; never load the OAuth reference when no OAuth/OIDC flow is present in the reviewed code.
|
|
53
|
+
|
|
54
|
+
## References
|
|
55
|
+
|
|
56
|
+
Load these only when needed:
|
|
57
|
+
|
|
58
|
+
- [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the architecture-classification decision tree, and the required output shape.
|
|
59
|
+
- [Token storage and cookie-flag review](references/token-storage-and-cookies.md) — load when the review scope includes where tokens/session IDs are stored or how session cookies are configured.
|
|
60
|
+
- [CSRF, open-redirect, and OAuth/OIDC flow review](references/csrf-redirect-and-oauth.md) — load when the review scope includes a state-changing request's CSRF defenses, a redirect/return-URL parameter, or an OAuth/OIDC authorization flow. Its OAuth/OIDC subsection applies only when an OAuth/OIDC flow is actually present in scope.
|
|
61
|
+
|
|
62
|
+
## Response minimum
|
|
63
|
+
|
|
64
|
+
Return, at minimum:
|
|
65
|
+
|
|
66
|
+
- the app architecture classification (cookie-based vs SPA/bearer-token) driving the recommendation,
|
|
67
|
+
- token-storage location finding and its XSS-exposure implication,
|
|
68
|
+
- cookie-flag compliance table (`HttpOnly`/`Secure`/`SameSite`) if cookies are in scope,
|
|
69
|
+
- CSRF-defense assessment (token pattern present/absent, `SameSite` reliance) for state-changing requests in scope,
|
|
70
|
+
- redirect/return-URL validation finding (server-side allow-list present or absent) if a redirect parameter is in scope,
|
|
71
|
+
- OAuth/OIDC flow assessment (PKCE-based authorization code vs deprecated implicit) only if an OAuth/OIDC flow is in scope,
|
|
72
|
+
- evidence level per finding (`repo evidence`, `documentation-based`, or `inference`),
|
|
73
|
+
- explicit statement that no live session hijacking, token replay, or CSRF exploitation was performed — this is a static review,
|
|
74
|
+
- verdict (approve / approve-with-notes / block) and open questions the review could not resolve statically.
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "frontend-auth-session-security-review",
|
|
3
|
+
"name": "Frontend Auth & Session Security Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews client-side authentication and session-management implementations for token-storage location, session-cookie-flag correctness, CSRF/open-redirect exposure, and OAuth/OIDC flow choice (PKCE authorization code vs deprecated implicit grant) for browser-based apps, grounding claims via Context7 against the OWASP Cheat Sheet Series and the OAuth 2.1 draft.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html",
|
|
18
|
+
"https://owasp.org/www-project-application-security-verification-standard/",
|
|
19
|
+
"https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps",
|
|
20
|
+
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite",
|
|
21
|
+
"https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html"
|
|
22
|
+
],
|
|
23
|
+
"security_notes": "Never asks for or prints real session tokens, cookies, client secrets, or OAuth credentials during review; treats any such value found in fixtures/logs as a redaction target. Does not perform live session hijacking, token replay, or CSRF exploitation testing against real systems. Static-review-only skill: reads and greps auth/session code but never executes, builds, or runs application code, and never sends live requests.",
|
|
24
|
+
"last_verified": "2026-07-02",
|
|
25
|
+
"path": "skills/frontend/frontend-auth-session-security-review",
|
|
26
|
+
"author": "github: Raishin",
|
|
27
|
+
"version": "0.1.0"
|
|
28
|
+
}
|
package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md
ADDED
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
# CSRF, Open-Redirect, and OAuth/OIDC Flow Review
|
|
2
|
+
|
|
3
|
+
Use this reference when the review scope includes a state-changing request's CSRF defenses, a redirect/return-URL parameter, or an OAuth/OIDC authorization flow. The OAuth/OIDC subsection applies only when an OAuth/OIDC flow is actually present in scope — do not load or apply it otherwise.
|
|
4
|
+
|
|
5
|
+
## CSRF defenses
|
|
6
|
+
|
|
7
|
+
### What people get wrong
|
|
8
|
+
|
|
9
|
+
The common bad assumption is:
|
|
10
|
+
|
|
11
|
+
> "We use cookies for sessions, so CSRF isn't really our problem — that's an old attack."
|
|
12
|
+
|
|
13
|
+
CSRF is specifically an attack against cookie-based (or any auto-attached-credential) session mechanisms: the browser automatically attaches the session cookie to a request the attacker's site triggers, without the user's knowledge. It remains directly relevant to any cookie-based session architecture, and is *not* automatically neutralized just because `SameSite` exists — `SameSite` is one layer, not a complete substitute for a token-based defense when the target action is sensitive.
|
|
14
|
+
|
|
15
|
+
### Grounded defense patterns (per OWASP CSRF Prevention Cheat Sheet)
|
|
16
|
+
|
|
17
|
+
- **Synchronizer token pattern** — server generates a unique, unpredictable, session-bound token; the client includes it in every state-changing request (hidden form field or custom header for AJAX/fetch); server validates it matches the session before processing. Requires server-side state. Preferred for traditional stateful (cookie-session) applications.
|
|
18
|
+
- **Double-submit cookie pattern** — a stateless alternative: the token is set as a cookie and also sent in the request body/header; the server compares the two. The *signed* double-submit variant, which cryptographically binds the token to the session, is the recommended variation — an unsigned token without session binding offers minimal protection and is vulnerable to cookie-injection attacks. Do not accept an unsigned double-submit implementation as adequate.
|
|
19
|
+
- **`SameSite` cookie attribute** — `Strict` or `Lax` prevents the browser from attaching the session cookie to most cross-site requests, providing meaningful CSRF mitigation as a primary layer per current OWASP guidance, but treat it as defense-in-depth alongside a token-based pattern for sensitive state-changing operations (password change, payment, account-deletion, permission grants), not as the sole control for those.
|
|
20
|
+
- **Custom request headers for API-only surfaces** — for a pure JSON API with no HTML forms, requiring a custom header (e.g., `X-Requested-With`) that only same-origin JS can set (browsers block cross-origin scripts from setting arbitrary headers without a permissive CORS policy) is an accepted lightweight defense, contingent on the API's CORS configuration not being permissive (`Access-Control-Allow-Origin: *` with credentials defeats this).
|
|
21
|
+
|
|
22
|
+
### Non-negotiables
|
|
23
|
+
|
|
24
|
+
- Never use `GET` requests for state-changing operations — GET requests are trivially triggerable cross-site (an `<img>` tag, a bare link) with no token protection possible in the same way, and are logged/cached/exposed via browser history and Referer headers.
|
|
25
|
+
- Do not transmit CSRF tokens inside cookies for the synchronizer token pattern — tokens for that pattern belong in the response payload (hidden form field, JSON body) and are returned via form submission or a custom header, not round-tripped through a cookie (that would defeat the pattern's separation from the auto-attached credential it is meant to validate).
|
|
26
|
+
- Do not accept "we validate the Origin/Referer header" as a complete substitute for a token or `SameSite` defense unless you have confirmed the app also has a documented fallback for the (rare but real) cases where those headers are stripped by proxies or privacy tools — treat header-checking as defense-in-depth, not sole control, unless the app explicitly documents this as its chosen primary defense with that tradeoff acknowledged.
|
|
27
|
+
- XSS bypasses CSRF protections entirely (a script running in-origin can read a CSRF token and submit it). If a known, unremediated XSS finding exists in the same review scope, state explicitly that the CSRF defenses reviewed here are undermined by it — do not present the CSRF findings as if they stand alone.
|
|
28
|
+
|
|
29
|
+
## Open-redirect prevention
|
|
30
|
+
|
|
31
|
+
### Grounded pattern (per OWASP Unvalidated Redirects and Forwards Cheat Sheet)
|
|
32
|
+
|
|
33
|
+
- Best: avoid using user input to determine the destination URL at all. Use a short name, ID, or token that the server maps to a full target URL server-side (with care to avoid enumeration issues if the mapping itself is guessable).
|
|
34
|
+
- If user input for the destination is unavoidable, validate it server-side against an allow-list of trusted hosts/paths before redirecting. A relative-path-only allow-list (rejecting any input containing a scheme or `//` prefix that would make it absolute/protocol-relative) is a common safe pattern for "return to this page after login" flows.
|
|
35
|
+
- If using a regex or string-prefix check for validation, it must be anchored and must account for scheme and protocol-relative URLs (`//evil.example.com` is parsed by browsers as `https://evil.example.com` when used as a redirect target) — an unanchored or naive `startsWith`/`includes` check is bypassable.
|
|
36
|
+
- Ideally, force a user-confirmation interstitial ("You are leaving [app] and going to [external site]") for any redirect to a genuinely external destination, even an allow-listed one, for sensitive flows.
|
|
37
|
+
|
|
38
|
+
### Non-negotiables
|
|
39
|
+
|
|
40
|
+
- A client-side-only check (JavaScript validation before calling `window.location.assign`/`.href =`) is not a control — an attacker can hit the server-side redirect endpoint directly with the malicious parameter, bypassing any client-side JS entirely. The validation must exist server-side to count as a mitigation.
|
|
41
|
+
- Do not accept "we only redirect within our own app" as verified without checking what "within our own app" means in the actual validation code — a check for a substring match (e.g., `url.includes('myapp.com')`) is bypassable by an attacker-controlled URL like `https://myapp.com.evil.example.com` or `https://evil.example.com/?x=myapp.com`.
|
|
42
|
+
|
|
43
|
+
## OAuth/OIDC flow review (load only when an OAuth/OIDC flow is in scope)
|
|
44
|
+
|
|
45
|
+
### What people get wrong
|
|
46
|
+
|
|
47
|
+
The common bad assumption is:
|
|
48
|
+
|
|
49
|
+
> "OAuth is OAuth — any grant type is fine as long as we're using a real identity provider."
|
|
50
|
+
|
|
51
|
+
Grant-type choice materially changes the app's attack surface. The implicit grant returns the access token directly in the URL fragment, exposing it to browser history, Referer leakage (in older browsers/misconfigurations), and any script with access to the URL — with no refresh-token issuance. OAuth 2.1 (the current consolidated guidance, an IETF draft at the time of writing — verify against the current draft revision via Context7 before citing exact section numbers) removes the implicit grant and hybrid flows entirely, and requires PKCE for public clients using the authorization code flow.
|
|
52
|
+
|
|
53
|
+
### Non-negotiable design rules
|
|
54
|
+
|
|
55
|
+
1. **Public clients (SPA, mobile app — anything that cannot hold a client secret) must use the authorization code flow with PKCE.** Verify both `code_challenge`/`code_challenge_method` on the authorization request and `code_verifier` on the token exchange are present. A code flow without PKCE for a public client is a finding.
|
|
56
|
+
2. **Never recommend or approve `response_type=token` (implicit grant) for new work.** If found in an existing app, flag as HIGH and recommend migration to authorization code + PKCE — do not treat it as merely legacy-acceptable.
|
|
57
|
+
3. **The `redirect_uri` must be an exact match against a pre-registered value at the authorization server**, not a pattern/wildcard match validated only client-side. Confirm this is enforced server-side (at the identity provider / authorization server config), not assumed.
|
|
58
|
+
4. **`state` parameter must be present, unique per authorization request, and validated on callback** to prevent CSRF against the OAuth flow itself (an attacker tricking a victim into completing an auth flow bound to the attacker's session).
|
|
59
|
+
5. **Tokens received from the authorization server must be stored per the token-storage guidance** in `references/token-storage-and-cookies.md` — an otherwise-correct PKCE flow that then stores the resulting access/refresh token in `localStorage` still carries the storage-location finding.
|
|
60
|
+
|
|
61
|
+
### Verification targets
|
|
62
|
+
|
|
63
|
+
- The actual authorization-request URL construction (grep for `response_type=`, `code_challenge`) to confirm PKCE is wired, not merely available in the SDK but unused.
|
|
64
|
+
- The token-exchange (token endpoint) call to confirm `code_verifier` is sent and matches what generated the `code_challenge`.
|
|
65
|
+
- The `state`-parameter generation and validation code path.
|
|
66
|
+
|
|
67
|
+
## When to push back
|
|
68
|
+
|
|
69
|
+
Push back if the user asks to:
|
|
70
|
+
|
|
71
|
+
- skip CSRF token implementation because "`SameSite=Lax` covers it" for a sensitive operation (payment, password change, account deletion, permission/role grant) — recommend defense-in-depth for those specifically, per the non-negotiables above,
|
|
72
|
+
- add a redirect allow-list check only in client-side JavaScript "to keep it simple" — restate that this is not a control and must exist server-side,
|
|
73
|
+
- keep an implicit-grant OAuth flow because "migrating is a bigger lift than this review's scope" — flag it at HIGH regardless of migration-effort framing; effort is a planning input, not a reason to downgrade a structural finding,
|
|
74
|
+
- treat Origin/Referer header validation as a complete CSRF defense with no documented fallback for header-stripping scenarios.
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
# Token Storage and Cookie-Flag Review
|
|
2
|
+
|
|
3
|
+
Use this reference when the review scope includes where tokens or session IDs are stored client-side, or how session cookies are configured. Grounded in the OWASP Session Management Cheat Sheet (`/owasp/cheatsheetseries` via Context7, or `official_docs` fallback).
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "We use HTTPS, so cookies/tokens are safe."
|
|
10
|
+
|
|
11
|
+
TLS protects data in transit between the browser and server. It does nothing about:
|
|
12
|
+
|
|
13
|
+
- a script running in the page's own origin reading `document.cookie` (no `HttpOnly`) or `localStorage`,
|
|
14
|
+
- a cookie being sent to the wrong origin or subdomain (`SameSite`/`Domain` misconfiguration),
|
|
15
|
+
- a token being replayed after logout because nothing invalidated it server-side.
|
|
16
|
+
|
|
17
|
+
Storage location and cookie attributes are a separate control surface from transport security. Both must be correct.
|
|
18
|
+
|
|
19
|
+
## Storage location: the tradeoffs, stated plainly
|
|
20
|
+
|
|
21
|
+
- **`HttpOnly` cookie** — not readable by JavaScript. The strongest default for a session identifier or refresh token. Cannot be attached manually to cross-origin API calls (the browser does that automatically only for same-origin/configured-domain requests), which is why bearer-token SPAs calling a separate API origin often cannot use this alone.
|
|
22
|
+
- **`localStorage`/`sessionStorage`** — readable by any JavaScript running in the page's origin, including any successfully injected script (stored or reflected XSS, a compromised third-party script/CDN dependency, a malicious browser extension with page access). No same-origin isolation between "your code" and "any script that got a foothold." Never the default recommendation for a session token or refresh token.
|
|
23
|
+
- **In-memory (JS variable/closure, not persisted)** — not readable via `document.cookie` or storage APIs, and does not survive a page reload without a re-fetch (typically via an `HttpOnly` refresh-token cookie). This is the pattern OAuth 2.1 / current SPA guidance converges on: short-lived access token in memory, refresh mechanism anchored in an `HttpOnly` cookie.
|
|
24
|
+
|
|
25
|
+
## Cookie-flag compliance table (build this for every session cookie in scope)
|
|
26
|
+
|
|
27
|
+
| Attribute | Required value | Why |
|
|
28
|
+
|---|---|---|
|
|
29
|
+
| `HttpOnly` | present | Blocks `document.cookie` read access from JS; the primary XSS-exfiltration mitigation for the cookie. Does not stop the cookie being *sent* during a combined XSS+CSRF attack — pair with CSRF defenses. |
|
|
30
|
+
| `Secure` | present | Cookie is only sent over HTTPS; without it, a network attacker on an insecure network segment can observe or (on `SameSite=None` without `Secure`, which browsers reject) inject it. |
|
|
31
|
+
| `SameSite` | `Strict` (preferred) or `Lax`; never unset, never `None` without `Secure` | Prevents the browser from attaching the cookie to cross-site requests, mitigating CSRF and cross-origin leakage. Do not rely on an unset value — browser default behavior has changed across versions and should not be the enforcement mechanism. |
|
|
32
|
+
| `Domain` | omitted, or scoped to the narrowest subdomain that needs it | An overly broad `Domain` (e.g., a session cookie set on the parent domain when only one subdomain needs it) widens the blast radius if any sibling subdomain is compromised. |
|
|
33
|
+
| `Path` | `/` or the narrowest path needed | Broad by convention for session cookies; flag only if a narrower path was clearly intended and not applied. |
|
|
34
|
+
| `__Host-` prefix | recommended when `Domain` is omitted and `Path=/` | Browser-enforced: only accepted if `Secure`, no `Domain` attribute, and `Path=/`. Prevents subdomain-forgery and downgrade attacks on the cookie name itself. |
|
|
35
|
+
|
|
36
|
+
Extract this table from the actual `Set-Cookie` header construction in code (session-middleware config, a manual `res.cookie(...)`/`Set-Cookie` call) — do not infer flags from framework defaults without checking the actual configured options, since defaults vary by framework and version.
|
|
37
|
+
|
|
38
|
+
## Non-negotiables
|
|
39
|
+
|
|
40
|
+
- Do not accept "the session cookie is `HttpOnly`" as sufficient on its own without also checking `Secure` and `SameSite` — all three are independent controls addressing different attack vectors (XSS-read, network interception, cross-site request attachment).
|
|
41
|
+
- Do not accept a refresh token or long-lived credential in `localStorage`/`sessionStorage` under any framing ("just for this internal tool," "we'll migrate later") without flagging it as a finding — a refresh token grants renewable access and is a higher-value target than a short-lived access token.
|
|
42
|
+
- Treat an access token held only in memory (a JS variable, not persisted storage) as acceptable for that token alone, but check separately how the app re-obtains a new access token after a page reload — if that mechanism reads a token from `localStorage` instead of an `HttpOnly` refresh-cookie flow, the finding moves to that mechanism.
|
|
43
|
+
- Session ID/token entropy and length are a server-side generation concern (cryptographically secure random generation, sufficient bit length per OWASP Session Management guidance) — verify it if the generation code is in scope, but do not assume insufficient entropy without reading the actual generation call; do not guess.
|
|
44
|
+
|
|
45
|
+
## Verification targets
|
|
46
|
+
|
|
47
|
+
- Actual `Set-Cookie` header value (from server code, middleware config, or a captured response header if the user provides sanitized evidence) — not the framework's documented default.
|
|
48
|
+
- The token re-acquisition path after page reload/tab reopen, to catch a `localStorage` fallback hiding behind an otherwise-correct in-memory primary storage.
|
|
49
|
+
- The logout code path, to confirm it triggers server-side invalidation (see `references/workflow-and-output.md` decision tree) rather than only clearing client-side state.
|
package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md
ADDED
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
# Review Workflow and Findings Contract
|
|
2
|
+
|
|
3
|
+
Use this reference for the step-by-step review procedure, the architecture-classification decision tree, and the required output shape. Load the other two references only for the specific defect class the auth/session code under review actually raises.
|
|
4
|
+
|
|
5
|
+
## Prerequisites
|
|
6
|
+
|
|
7
|
+
- Classify the app architecture before anything else:
|
|
8
|
+
- **Cookie-based** — the server sets a session cookie on login and the browser sends it automatically on subsequent requests; no bearer token is manually attached to API calls.
|
|
9
|
+
- **SPA/bearer-token** — the client receives a token (access token, ID token) after authentication and manually attaches it to API requests (typically an `Authorization: Bearer` header), whether via `fetch`/`axios` interceptor or a client SDK.
|
|
10
|
+
- **Hybrid** — a bearer token is used for API calls but a refresh token or session anchor lives in an `HttpOnly` cookie (the current recommended pattern for browser-based apps per OAuth 2.1 guidance).
|
|
11
|
+
- State this classification explicitly in the output before any other finding — cookie-flag findings do not apply to a pure bearer-token flow with no cookies, and token-storage findings about `localStorage` do not apply to a pure cookie-based flow with no client-readable token.
|
|
12
|
+
- Read `package.json` and any auth-config files first to confirm the actual auth library/pattern wired up (session middleware, an OAuth/OIDC SDK, a hand-rolled fetch-based flow) before recommending a fix.
|
|
13
|
+
|
|
14
|
+
## Workflow
|
|
15
|
+
|
|
16
|
+
1. **Classify the architecture** per the Prerequisites above and state it first.
|
|
17
|
+
2. **Locate every token/session-ID storage site.** Grep for `localStorage`, `sessionStorage`, `document.cookie`, cookie-library calls (`Set-Cookie`, `cookie.set`, session-middleware config), and in-memory storage (a JS variable/closure/module-scope singleton). For each, identify what is stored (session ID, access token, refresh token, ID token) and where. See `references/token-storage-and-cookies.md`.
|
|
18
|
+
3. **For every session cookie found, extract its attribute set** (`HttpOnly`, `Secure`, `SameSite`, `Domain`, `Path`, and whether a `__Host-`/`__Secure-` prefix is used). Compare against the compliance table in `references/token-storage-and-cookies.md`.
|
|
19
|
+
4. **Enumerate every state-changing request path** (form POST, fetch/axios mutation call) reachable from an authenticated session. For each, determine whether a CSRF defense is present (synchronizer token, double-submit cookie, `SameSite=Strict`/`Lax` reliance, or a custom-header-based defense for API-only surfaces). See `references/csrf-redirect-and-oauth.md`.
|
|
20
|
+
5. **Enumerate every redirect/return-URL parameter** (post-login redirect, OAuth `redirect_uri` handling, logout redirect, "return to" deep links). For each, trace whether validation happens server-side against an allow-list, client-side only, or not at all.
|
|
21
|
+
6. **If an OAuth/OIDC flow is present**, identify the `response_type` and grant type in use. Flag implicit grant (`response_type=token`) as a finding. Confirm PKCE (`code_challenge`/`code_verifier`) is present for the authorization code flow. Load the OAuth/OIDC subsection of `references/csrf-redirect-and-oauth.md` only in this case.
|
|
22
|
+
7. **Check logout behavior.** Confirm logout triggers a server-side session/token invalidation (session-store deletion, token-revocation endpoint call), not only a client-side storage clear.
|
|
23
|
+
8. **Produce ranked findings** using the output contract below.
|
|
24
|
+
|
|
25
|
+
## Decision tree
|
|
26
|
+
|
|
27
|
+
- Session ID or access/refresh token stored in `localStorage`/`sessionStorage` → **HIGH** finding (XSS-exposure risk: any injected script reads it via `document`/`window` APIs with no mitigation). Note whether a known XSS sink exists in the same codebase (raises severity further) or whether none was found in the scope reviewed (still HIGH — absence-of-observed-XSS is not evidence of safety).
|
|
28
|
+
- Session cookie missing `HttpOnly` → **HIGH** finding (defeats the cookie's primary XSS-mitigation purpose).
|
|
29
|
+
- Session cookie missing `Secure` → **HIGH** finding (cookie can be sent over plaintext HTTP; also blocks safe use of `__Host-`/`__Secure-` prefixes).
|
|
30
|
+
- Session cookie with `SameSite=None` and no `Secure` → **HIGH** finding (browsers increasingly reject this combination outright, but code relying on it is broken-by-design regardless).
|
|
31
|
+
- Session cookie with `SameSite` unset (relying on browser default) → **MEDIUM** finding — do not rely on browser defaults, which vary by browser and version; require an explicit value.
|
|
32
|
+
- State-changing request with no CSRF token, no `SameSite=Strict`/`Lax` cookie reliance, and no custom-header-based defense → **HIGH** finding.
|
|
33
|
+
- State-changing request relying solely on `SameSite=Lax`/`Strict` with no token-based defense-in-depth → **MEDIUM** finding — acceptable as a primary defense per current OWASP guidance, but flag the absence of defense-in-depth for sensitive operations (e.g., password change, payment).
|
|
34
|
+
- Redirect/return-URL parameter validated only client-side (a JS check before navigation, with no equivalent server-side check) → **HIGH** finding — bypassable by calling the server endpoint directly.
|
|
35
|
+
- Redirect/return-URL parameter with no validation at all → **HIGH** finding, open redirect.
|
|
36
|
+
- Redirect/return-URL parameter validated server-side against an allow-list of trusted hosts/paths → not a finding.
|
|
37
|
+
- OAuth/OIDC flow using `response_type=token` (implicit grant) → **HIGH** finding — current guidance requires authorization code flow with PKCE for public clients.
|
|
38
|
+
- OAuth/OIDC authorization code flow present but missing `code_challenge`/`code_verifier` (no PKCE) for a public client (SPA, mobile app with no client secret) → **HIGH** finding.
|
|
39
|
+
- OAuth/OIDC authorization code flow with PKCE correctly present → not a finding on flow choice (still check `redirect_uri` validation and token-storage location separately).
|
|
40
|
+
- Logout clears client-side storage only, with no server-side session/token invalidation call → **MEDIUM-to-HIGH** finding depending on token lifetime (a short-lived access token narrows the window; a long-lived or non-expiring token makes this HIGH).
|
|
41
|
+
|
|
42
|
+
## Output contract
|
|
43
|
+
|
|
44
|
+
Every response from this skill must return:
|
|
45
|
+
|
|
46
|
+
1. **Architecture classification** — cookie-based, SPA/bearer-token, or hybrid, stated first and driving which finding categories apply.
|
|
47
|
+
2. **Ranked findings** — each with file:line, defect category (`token-storage` / `cookie-flags` / `csrf` / `open-redirect` / `oauth-flow` / `logout-invalidation`), and a fix sketch grounded in the cited OWASP/OAuth guidance.
|
|
48
|
+
3. **Cookie-flag compliance table** — if session cookies are in scope, a table of cookie name → `HttpOnly`/`Secure`/`SameSite`/prefix status.
|
|
49
|
+
4. **Sanitized examples only** — every finding illustrated with placeholder/redacted values, never a real token, cookie, or secret observed in the reviewed code.
|
|
50
|
+
5. **Evidence level per finding** — `repo evidence`, `documentation-based`, or `inference`.
|
|
51
|
+
6. **Explicit no-live-testing statement** — this skill performs static review only; it never attempts session hijacking, token replay, or CSRF exploitation against a live system.
|
|
52
|
+
7. **Verdict** — approve / approve-with-notes / block.
|
|
53
|
+
8. **Open questions or out-of-scope items** — e.g., "confirming this CSRF gap is exploitable end-to-end requires a live request against a running instance, not static review," or "JWT signature/algorithm choice is out of scope for this skill — recommend a token-issuance/backend review."
|
|
54
|
+
|
|
55
|
+
## When to push back
|
|
56
|
+
|
|
57
|
+
Push back if the user asks to:
|
|
58
|
+
|
|
59
|
+
- accept `localStorage` token storage because "we don't have any XSS right now" — absence of a known XSS finding in this review's scope is not proof none exists; the storage choice itself is the risk being flagged,
|
|
60
|
+
- skip cookie-flag validation because "the framework sets sane defaults" — verify the actual `Set-Cookie` header or session-middleware config; frameworks vary and defaults change across versions,
|
|
61
|
+
- treat a client-side-only redirect check as sufficient because "the server also has auth on that route" — authentication on the target route does not validate that the redirect *destination* itself was vetted; these are separate controls,
|
|
62
|
+
- approve an implicit-grant OAuth flow because "it's simpler to implement" — current guidance has removed implicit grant from OAuth 2.1 specifically because of its token-leakage-via-URL-fragment and no-refresh-token exposure; simplicity does not offset this,
|
|
63
|
+
- treat "we cleared localStorage on logout" as equivalent to server-side session invalidation — a still-valid token can be replayed from a captured request or a second device/tab until it naturally expires.
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: frontend-bff-boundary-review
|
|
3
|
+
description: Determines and reviews whether aggregation/shaping logic belongs in a Backend-for-Frontend layer versus client-side composition, and audits existing BFF boundaries for scope creep, duplicated aggregation logic, and leaked backend topology or pass-through authorization.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: architecture
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Frontend BFF Boundary Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Decide whether a multi-backend data need belongs in a Backend-for-Frontend (BFF) route or in client-side composition, and audit an existing BFF layer for the two failure modes that matter most: organic scope creep (duplicated or one-off aggregation logic scattered across routes) and trust-boundary erosion (a BFF that forwards client-supplied authorization claims or credentials without re-verifying them, or that leaks internal backend topology into its responses). This skill exists so the boundary decision and the trust-boundary audit stay the focus, and so field-level contract review of an already-scoped endpoint, or client-side cache/store design once data has landed in the browser, stay out of scope.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- decide whether a feature needing data from multiple backend services should aggregate server-side (a BFF route) or client-side (parallel query-library calls),
|
|
23
|
+
- audit an existing BFF layer, or a specific BFF route, that has grown organically over time,
|
|
24
|
+
- review whether a proposed new BFF route or service duplicates an existing one's aggregation logic,
|
|
25
|
+
- check whether a BFF route re-authenticates/re-authorizes the caller or merely passes through client-supplied claims/tokens to backend services.
|
|
26
|
+
|
|
27
|
+
Do not use this skill for:
|
|
28
|
+
|
|
29
|
+
- reviewing the field-level shape, versioning, or authorization contract of a single already-scoped API endpoint — that is `api-integration-contract-review`,
|
|
30
|
+
- client-side cache/store design (query-library cache keys, state colocation) once data has already been fetched — that is `state-management-decision-review`,
|
|
31
|
+
- rendering-mode or `fetch()` cache-directive selection for a Next.js route with no cross-service aggregation involved — that is `nextjs-rendering-caching-review`,
|
|
32
|
+
- Server Action authorization or `'use client'`/`'use server'` boundary review with no BFF-scope question involved — that is `nextjs-app-router-data-fetching-review`.
|
|
33
|
+
|
|
34
|
+
## Context7 Documentation Protocol
|
|
35
|
+
|
|
36
|
+
- Resolve `/vercel/next.js` with `resolve-library-id` before citing any Route Handler capability, caching directive, or runtime behavior as grounds for a BFF-vs-client-composition recommendation.
|
|
37
|
+
- Before recommending a Next.js Route Handler as the BFF implementation vehicle, read the repo's `package.json` to confirm the installed Next.js major version, then call `query-docs` scoped to that version for "Route Handler caching" and "route segment config revalidate fetchCache." Caching semantics changed materially across major versions — Route Handler `GET` methods are cached by default through Next.js 14 but are **not** cached by default starting in Next.js 15, requiring an explicit `export const dynamic = 'force-static'` to opt back in. A BFF route assumed to cache aggregated responses on an unverified version can silently hit every backend on every request instead of reducing round-trips as intended.
|
|
38
|
+
- If the version cannot be confirmed, or Context7 is unavailable, state the caching claim as `documentation-based, version-unconfirmed` and recommend the user verify `export const dynamic` / `export const revalidate` / `export const fetchCache` behavior against their installed version before relying on it for load-reduction claims.
|
|
39
|
+
- Do not assume a Route Handler behaves like a `fetch()` call inside a Server Component; segment-level config (`dynamic`, `revalidate`, `fetchCache`) governs the Route Handler's own caching, and it is set independently of caching used for calls the handler itself makes.
|
|
40
|
+
|
|
41
|
+
## Lean operating rules
|
|
42
|
+
|
|
43
|
+
- A BFF is a trust boundary, not a convenience layer for reshaping JSON. The default posture for any BFF route is that it terminates the client's authentication context and establishes its own — it does not relay whatever the client sent forward.
|
|
44
|
+
- Default toward BFF aggregation when a feature needs data from two or more backend services with different authorization models or error shapes. Default toward client-side composition only when the backends involved are already safe to call directly from the browser (same trust level as the client, already CORS-exposed, no internal-only topology).
|
|
45
|
+
- Before proposing a new BFF route, search for an existing route already serving an overlapping need. A second BFF route re-implementing the same aggregation is a maintenance and drift risk, not a fresh feature.
|
|
46
|
+
- Treat any BFF route that reads a client-supplied authorization claim (a role, user ID, or permission flag taken from a request body, query string, or an unverified header) and uses it directly to gate a backend call as a HIGH-severity finding — this is pass-through authorization, not delegation.
|
|
47
|
+
- Treat any BFF route that forwards a client-supplied bearer token or credential straight to a downstream backend, in place of the BFF re-authenticating the session and minting its own downstream credential, as a HIGH-severity finding, unless the system is an explicit, documented token-exchange/delegation design (e.g. OAuth token exchange) with its own re-verification step.
|
|
48
|
+
- Treat any BFF response that exposes internal-only backend hostnames, service names, stack traces, or service-specific error codes/shapes verbatim to the browser as a MEDIUM-to-HIGH finding depending on sensitivity — the BFF exists in part to prevent this leak, and a thin pass-through response defeats that purpose.
|
|
49
|
+
- Do not recommend client-side composition when it would require the browser to hold credentials for, or make direct network calls to, a backend that is not already intended to be internet-reachable — that is a bigger security regression than the aggregation-placement question being asked.
|
|
50
|
+
- Do not flag every multi-call client-side data-fetching pattern as a problem. Client-side composition of two or three already-public, already-authorized endpoints is a legitimate, lower-latency choice; only escalate when trust boundaries or topology are actually crossed.
|
|
51
|
+
- Never execute, build, or run application code as part of this review; this is a static-review skill (Read/Grep/Glob only).
|
|
52
|
+
- Treat any hardcoded API key, service token, or credential found in BFF route source, environment file references, or example data as a HIGH-severity finding requiring immediate escalation, separate from the boundary-scope verdict.
|
|
53
|
+
|
|
54
|
+
## References
|
|
55
|
+
|
|
56
|
+
Load these only when needed:
|
|
57
|
+
|
|
58
|
+
- [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step boundary-decision procedure, the existing-BFF audit method, and the required output shape.
|
|
59
|
+
- [OWASP API Security — trust-boundary risks](references/owasp-api-trust-boundary.md) — load only when a pass-through-authorization or topology-leak finding is present, to ground the finding's OWASP API Security Top 10 classification and severity framing.
|
|
60
|
+
|
|
61
|
+
## Response minimum
|
|
62
|
+
|
|
63
|
+
Return, at minimum:
|
|
64
|
+
|
|
65
|
+
- the boundary decision (BFF aggregation vs. client-side composition) with justification tied to the number of backends, their auth models, and their reachability from the browser,
|
|
66
|
+
- for any new/extended BFF route: an explicit scope statement and a check for an existing overlapping route,
|
|
67
|
+
- a trust-boundary audit result (pass-through-authorization check, credential-forwarding check, topology-leak check) for any BFF route in scope,
|
|
68
|
+
- ranked findings with file:line evidence, risk class, and fix,
|
|
69
|
+
- the Next.js major version the caching claims were verified against, if a Route Handler is the proposed implementation,
|
|
70
|
+
- verdict: approve / approve-with-notes / block,
|
|
71
|
+
- evidence level and open questions.
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "frontend-bff-boundary-review",
|
|
3
|
+
"name": "Frontend BFF Boundary Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Determines and reviews whether aggregation/shaping logic belongs in a Backend-for-Frontend layer versus client-side composition, and audits existing BFF boundaries for scope creep, duplicated aggregation logic, and leaked backend topology or pass-through authorization, grounded via Context7 against the repo's confirmed Next.js version when a Route Handler is the proposed BFF vehicle.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://nextjs.org/docs/app/building-your-application/routing/route-handlers",
|
|
18
|
+
"https://nextjs.org/docs/app/building-your-application/caching",
|
|
19
|
+
"https://owasp.org/www-project-api-security/"
|
|
20
|
+
],
|
|
21
|
+
"security_notes": "A BFF is a trust boundary, not just a convenience layer — flag any BFF route that passes through client-supplied authorization claims unchecked, or that forwards credentials/tokens client-to-backend without the BFF itself re-authenticating the session, as a HIGH-severity finding. A BFF response that exposes internal-only backend hostnames, service names, or service-specific error shapes verbatim to the browser is a topology-leak finding. Static-review-only skill: it reads and greps BFF route source and does not execute, build, or run application code. Treat any hardcoded API key, service token, or credential found in route source as a HIGH-severity finding requiring immediate escalation.",
|
|
22
|
+
"last_verified": "2026-07-02",
|
|
23
|
+
"path": "skills/frontend/frontend-bff-boundary-review",
|
|
24
|
+
"author": "github: Raishin",
|
|
25
|
+
"version": "0.1.0"
|
|
26
|
+
}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
# OWASP API Security — trust-boundary risks
|
|
2
|
+
|
|
3
|
+
Use this reference only when a BFF pass-through-authorization, credential-forwarding, or topology-leak finding is present, to ground the finding's OWASP API Security Top 10 classification and severity framing. Do not load this for placement-decision-only or duplication-only findings.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive story is:
|
|
8
|
+
|
|
9
|
+
> The BFF sits on the server, so anything it does is "backend" and therefore trusted. If the client already sent a valid-looking token or role claim, the BFF can just pass it along to keep things simple.
|
|
10
|
+
|
|
11
|
+
That confuses **where the BFF runs** with **what it verifies**. A BFF's value as a trust boundary comes entirely from the fact that it terminates the client's untrusted request and re-establishes a verified identity before talking to backends that may extend it a higher level of implicit trust (network-level trust, service credentials, mTLS). A BFF that relays a client-supplied claim or token unmodified has not added a trust boundary — it has added a network hop that carries the exact same unverified trust forward, while looking, to anyone reading the architecture diagram, like a security control exists there.
|
|
12
|
+
|
|
13
|
+
## Why this maps to the OWASP API Security Top 10, not a generic bug
|
|
14
|
+
|
|
15
|
+
The OWASP API Security Top 10 exists because API-shaped systems fail differently from traditional web apps — trust decisions happen at machine-to-machine boundaries with no UI to visually obscure the shortcut. The BFF failure modes in this skill's scope map onto specific categories:
|
|
16
|
+
|
|
17
|
+
- **Pass-through authorization** — the BFF reads a role, permission flag, or user identifier directly from client-supplied input (a header, body field, or query parameter) and uses it to gate a backend call, instead of re-deriving that identity from its own verified session. This is a **Broken Object Property Level Authorization / Broken Function Level Authorization** failure: the client dictates its own privilege level, and the BFF enforces nothing.
|
|
18
|
+
- **Credential forwarding** — the BFF forwards a client-supplied bearer token, API key, or session artifact straight to a downstream backend instead of re-authenticating and minting its own downstream credential scoped to the verified identity. This is a **Broken Authentication** failure at the BFF layer: the BFF has no authentication step of its own, it is a transparent relay wearing an authentication-shaped label.
|
|
19
|
+
- **Topology leakage** — the BFF's responses or error handling expose internal-only backend hostnames, service names, or backend-specific error codes/shapes verbatim to the client. This is a **Security Misconfiguration / excessive data exposure** failure: the BFF's shaping responsibility — the entire reason to interpose a server-side layer instead of letting the client call backends directly — has been skipped, and the client now has a map of internal architecture it should never see.
|
|
20
|
+
|
|
21
|
+
All three are trust-boundary defects, not merely "missing error handling" or "verbose logging" — the defect is that a boundary presented as a security control performs none of the verification or shaping that justifies calling it one.
|
|
22
|
+
|
|
23
|
+
## Non-negotiable framing rules
|
|
24
|
+
|
|
25
|
+
- **Severity floor**: pass-through authorization and credential forwarding are HIGH severity, regardless of how the client-supplied value was obtained (even if it originated from a legitimate prior login) — the defect is that the BFF trusts it without independent verification. Topology leakage is MEDIUM-to-HIGH depending on the sensitivity of what leaked (an internal hostname is lower severity than a leaked service-account error revealing valid credentials or query structure).
|
|
26
|
+
- **Evidence requirement**: cite the exact client-controlled value (header name, body field, query param) the BFF trusts in place of its own verification, or the exact response/error path that exposes internal topology.
|
|
27
|
+
- **Do not conflate with input validation**: a BFF route that fails to validate the *shape* of a request body is a data-integrity note, not a trust-boundary finding by itself. These categories apply specifically to authorization/authentication *decisions* and *response shaping*, not to whether input is well-formed.
|
|
28
|
+
- **Token-exchange is not automatically a defect**: a BFF that receives a client token and performs an explicit, documented token-exchange step (validating the client token, then requesting a new downstream-scoped token from an authorization server) is re-verifying, not passing through. The distinguishing question is always: did the BFF perform its own verification step, or did it just relay the value forward unchanged?
|
|
29
|
+
|
|
30
|
+
## Minimal safe fix pattern
|
|
31
|
+
|
|
32
|
+
Every HIGH finding from this reference should point toward the same shape of fix: the BFF independently verifies the caller (session validation, token introspection, or a documented token-exchange call) and derives the identity/role used for backend authorization from that verification step — never from a value the client attached to the request. For topology leakage, the fix is a response-shaping layer that maps backend-specific errors to a generic, client-safe error taxonomy before the response leaves the BFF.
|
|
33
|
+
|
|
34
|
+
## When to push back
|
|
35
|
+
|
|
36
|
+
Push back if the user proposes:
|
|
37
|
+
|
|
38
|
+
- "the token was already validated on the frontend, so the BFF doesn't need to check it again" — reject; frontend validation is not enforceable and does not constitute a server-side trust boundary.
|
|
39
|
+
- "we'll just forward the Authorization header, it's simpler than minting a new one" — reject unless this is an explicit, documented token-exchange design with its own verification step, not a bare relay.
|
|
40
|
+
- "the error message is only useful for debugging, it's fine if it shows the service name" — reject; a debugging convenience shipped to production clients is exactly the kind of topology leak this reference exists to catch.
|
|
41
|
+
|
|
42
|
+
Those are not shortcuts. They are the exact failure mode this reference exists to catch.
|