@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15389 -12589
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +3 -2
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,135 @@
|
|
|
1
|
+
# OpenTelemetry Web Tracing Wiring
|
|
2
|
+
|
|
3
|
+
Use this reference only when wiring or reviewing `WebTracerProvider`, `DocumentLoadInstrumentation`/`DocumentLoad`, `FetchInstrumentation`, or exporter configuration for browser-origin traces.
|
|
4
|
+
|
|
5
|
+
> Version note: `@opentelemetry/sdk-trace-web` and instrumentation package APIs (constructor option shapes, plugin package names) are version-sensitive. Verify against Context7-fetched docs (`/open-telemetry/opentelemetry-js`) and the installed package versions before prescribing exact constructor syntax.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The naive story is:
|
|
10
|
+
|
|
11
|
+
> "I'll create a `WebTracerProvider`, register it, and traces just work."
|
|
12
|
+
|
|
13
|
+
Wrong. Official OpenTelemetry JS docs imply at least four separate concerns that must each be configured, not assumed:
|
|
14
|
+
|
|
15
|
+
1. **Context propagation across async boundaries** — the browser's default context manager does not automatically follow promises/timers/event callbacks; `ZoneContextManager` (from `@opentelemetry/context-zone`) is the documented pattern for supporting asynchronous operations in `provider.register()`.
|
|
16
|
+
2. **Instrumentation registration is separate from provider creation** — creating a `WebTracerProvider` does not, by itself, produce document-load or fetch/XHR spans. Instrumentations (`DocumentLoad`/`DocumentLoadInstrumentation`, `FetchInstrumentation`, `XMLHttpRequestInstrumentation`) must be explicitly registered via `registerInstrumentations({instrumentations: [...]})`.
|
|
17
|
+
3. **Exporter and span-processor choice affects both delivery reliability and payload timing** — `SimpleSpanProcessor` exports each span as it ends (useful for local `ConsoleSpanExporter` debugging); `BatchSpanProcessor` batches and is the documented production pattern for network exporters like OTLP.
|
|
18
|
+
4. **Trace-propagation format must match the backend** — the B3 propagator vs. W3C Trace Context are not interchangeable; using the example combination that doesn't match your collector/backend silently breaks distributed trace stitching.
|
|
19
|
+
|
|
20
|
+
## Officially grounded wiring shape
|
|
21
|
+
|
|
22
|
+
Minimal document-load + console-export setup (from `@opentelemetry/sdk-trace-web` docs):
|
|
23
|
+
|
|
24
|
+
```javascript
|
|
25
|
+
import {
|
|
26
|
+
ConsoleSpanExporter,
|
|
27
|
+
SimpleSpanProcessor,
|
|
28
|
+
WebTracerProvider,
|
|
29
|
+
} from '@opentelemetry/sdk-trace-web';
|
|
30
|
+
import { DocumentLoad } from '@opentelemetry/plugin-document-load';
|
|
31
|
+
import { ZoneContextManager } from '@opentelemetry/context-zone';
|
|
32
|
+
import { registerInstrumentations } from '@opentelemetry/instrumentation';
|
|
33
|
+
|
|
34
|
+
const provider = new WebTracerProvider({
|
|
35
|
+
spanProcessors: [new SimpleSpanProcessor(new ConsoleSpanExporter())],
|
|
36
|
+
});
|
|
37
|
+
|
|
38
|
+
provider.register({
|
|
39
|
+
contextManager: new ZoneContextManager(),
|
|
40
|
+
});
|
|
41
|
+
|
|
42
|
+
registerInstrumentations({
|
|
43
|
+
instrumentations: [new DocumentLoad()],
|
|
44
|
+
});
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
Production-shaped fetch instrumentation + OTLP export (batched):
|
|
48
|
+
|
|
49
|
+
```javascript
|
|
50
|
+
import {
|
|
51
|
+
BatchSpanProcessor,
|
|
52
|
+
WebTracerProvider,
|
|
53
|
+
} from '@opentelemetry/sdk-trace-web';
|
|
54
|
+
import { OTLPTraceExporter } from '@opentelemetry/exporter-trace-otlp-http';
|
|
55
|
+
import { FetchInstrumentation } from '@opentelemetry/instrumentation-fetch';
|
|
56
|
+
import { ZoneContextManager } from '@opentelemetry/context-zone';
|
|
57
|
+
import { registerInstrumentations } from '@opentelemetry/instrumentation';
|
|
58
|
+
|
|
59
|
+
const exporter = new OTLPTraceExporter({
|
|
60
|
+
url: '<opentelemetry-collector-url>/v1/traces',
|
|
61
|
+
headers: {},
|
|
62
|
+
concurrencyLimit: 10,
|
|
63
|
+
});
|
|
64
|
+
|
|
65
|
+
const provider = new WebTracerProvider({
|
|
66
|
+
spanProcessors: [
|
|
67
|
+
new BatchSpanProcessor(exporter, {
|
|
68
|
+
maxQueueSize: 100,
|
|
69
|
+
maxExportBatchSize: 10,
|
|
70
|
+
scheduledDelayMillis: 500,
|
|
71
|
+
exportTimeoutMillis: 30000,
|
|
72
|
+
}),
|
|
73
|
+
],
|
|
74
|
+
});
|
|
75
|
+
|
|
76
|
+
provider.register({
|
|
77
|
+
contextManager: new ZoneContextManager(),
|
|
78
|
+
});
|
|
79
|
+
|
|
80
|
+
registerInstrumentations({
|
|
81
|
+
instrumentations: [new FetchInstrumentation()],
|
|
82
|
+
});
|
|
83
|
+
```
|
|
84
|
+
|
|
85
|
+
Note the OTLP endpoint must end in `/v1/traces` per the exporter's documented contract.
|
|
86
|
+
|
|
87
|
+
## Non-negotiable design rules
|
|
88
|
+
|
|
89
|
+
### 1. Never ship `ConsoleSpanExporter`/`SimpleSpanProcessor` as the production pipeline
|
|
90
|
+
|
|
91
|
+
These are debugging tools. Production browser tracing needs a network exporter (e.g., `OTLPTraceExporter`) paired with `BatchSpanProcessor` so span export is batched and rate-limited instead of firing one network request per span.
|
|
92
|
+
|
|
93
|
+
### 2. Register a context manager that supports async work
|
|
94
|
+
|
|
95
|
+
Without `ZoneContextManager` (or an equivalent async-aware context manager), span parent/child relationships across `await`, `setTimeout`, and event-handler boundaries can silently break, producing disconnected traces that look correct individually but don't stitch into one distributed trace.
|
|
96
|
+
|
|
97
|
+
### 3. Treat sampling as a first-class config, not an afterthought
|
|
98
|
+
|
|
99
|
+
A browser SDK with no sampler configured effectively samples at 100% by default in many setups — that is a cost and cardinality risk at scale. See `sampling-cardinality-pii-controls.md` for sizing `TraceIdRatioBasedSampler` against traffic volume.
|
|
100
|
+
|
|
101
|
+
### 4. Do not put secrets or bearer tokens directly in exporter headers as the default pattern
|
|
102
|
+
|
|
103
|
+
If the collector endpoint requires auth, treat exporter `headers` the same way you would treat any credential-bearing config: source it from a managed secret/config mechanism appropriate to the deployment target, not hardcoded inline in client-shipped JS (client-shipped JS is fully visible to end users — never place a durable secret there regardless of source).
|
|
104
|
+
|
|
105
|
+
### 5. Match the propagation format to what the backend actually consumes
|
|
106
|
+
|
|
107
|
+
Verify (via Context7 or the collector/backend's own docs) whether the destination expects W3C Trace Context or B3 headers before wiring a propagator; a mismatch silently drops trace correlation without an error.
|
|
108
|
+
|
|
109
|
+
## Minimal safe implementation flow
|
|
110
|
+
|
|
111
|
+
1. Confirm the target collector/backend endpoint and its expected trace-propagation header format.
|
|
112
|
+
2. Create `WebTracerProvider` with a `BatchSpanProcessor` wrapping the production exporter (OTLP or equivalent) — not `SimpleSpanProcessor`/`ConsoleSpanExporter`.
|
|
113
|
+
3. Register with `ZoneContextManager` (or confirmed async-aware equivalent) so cross-async-boundary spans stay connected.
|
|
114
|
+
4. Register only the instrumentations actually needed (`DocumentLoad`, `FetchInstrumentation`, `XMLHttpRequestInstrumentation`) — registering unused instrumentations increases span volume without benefit.
|
|
115
|
+
5. Configure sampling (see `sampling-cardinality-pii-controls.md`) before enabling in production, sized to stated traffic.
|
|
116
|
+
6. Name any custom span/attribute per OpenTelemetry Semantic Conventions (see `sampling-cardinality-pii-controls.md`) rather than inventing ad-hoc keys.
|
|
117
|
+
7. Run every attribute the instrumentation or custom spans emit through the PII check before enabling in production.
|
|
118
|
+
|
|
119
|
+
## High-risk assumptions to kill
|
|
120
|
+
|
|
121
|
+
- "Creating the provider means tracing already works" — instrumentations must be separately registered.
|
|
122
|
+
- "The default context manager is fine for async code" — it is not; use `ZoneContextManager` or a verified equivalent.
|
|
123
|
+
- "No sampler configured means it's fine for now" — unconfigured sampling at high traffic is a cost/cardinality incident waiting to happen.
|
|
124
|
+
- "Fetch instrumentation only captures URLs, so it's automatically safe" — captured URLs can include query strings carrying tokens/PII; review `FetchInstrumentation` URL-capture behavior against the PII check.
|
|
125
|
+
|
|
126
|
+
## When to push back
|
|
127
|
+
|
|
128
|
+
Push back if the user asks for:
|
|
129
|
+
|
|
130
|
+
- shipping `SimpleSpanProcessor` + a network exporter direct to production ("it's simpler"),
|
|
131
|
+
- no sampler configuration for a stated high-traffic production app,
|
|
132
|
+
- hardcoding a durable collector auth token into client-shipped exporter `headers`,
|
|
133
|
+
- registering every available instrumentation "to be thorough" without a stated need.
|
|
134
|
+
|
|
135
|
+
That is not "faster." It is a cost, correctness, and security liability.
|
|
@@ -0,0 +1,96 @@
|
|
|
1
|
+
# Sampling, Cardinality, and PII Controls
|
|
2
|
+
|
|
3
|
+
Use this reference when sizing a sampling rate against traffic/cost, naming attributes via OpenTelemetry Semantic Conventions, or auditing an existing RUM/tracing pipeline for PII leakage.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive story is:
|
|
8
|
+
|
|
9
|
+
> "Sampling is just a knob you turn down if the bill gets too high."
|
|
10
|
+
|
|
11
|
+
That treats sampling as a cost afterthought instead of a design input, and it ignores that unsampled, high-cardinality, or PII-bearing telemetry is a *data-governance* problem before it is a *cost* problem — a leaked attribute doesn't get cheaper at a lower sample rate, it gets leaked less often.
|
|
12
|
+
|
|
13
|
+
## Non-negotiable design rules
|
|
14
|
+
|
|
15
|
+
### 1. Sample deterministically by trace ID, not randomly per-request
|
|
16
|
+
|
|
17
|
+
`TraceIdRatioBasedSampler` (from `@opentelemetry/sdk-trace-web` / `@opentelemetry/sdk-trace-base`) samples a percentage of traces determined deterministically by the trace ID — any trace sampled at a given ratio is also sampled at any higher ratio. This is the documented building block for consistent, traffic-proportional sampling:
|
|
18
|
+
|
|
19
|
+
```javascript
|
|
20
|
+
const {
|
|
21
|
+
WebTracerProvider,
|
|
22
|
+
ParentBasedSampler,
|
|
23
|
+
TraceIdRatioBasedSampler,
|
|
24
|
+
} = require('@opentelemetry/sdk-trace-web');
|
|
25
|
+
|
|
26
|
+
const provider = new WebTracerProvider({
|
|
27
|
+
sampler: new ParentBasedSampler({
|
|
28
|
+
root: new TraceIdRatioBasedSampler(0.1), // sample 10% of root traces
|
|
29
|
+
}),
|
|
30
|
+
});
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
### 2. Wrap it in `ParentBasedSampler` unless you have a specific reason not to
|
|
34
|
+
|
|
35
|
+
`ParentBasedSampler` respects an incoming trace's sampling decision by default and only delegates the *root*-span sampling decision to the wrapped sampler (e.g., `TraceIdRatioBasedSampler`). This keeps a single distributed trace's sampling decision consistent across service boundaries — a browser span sampled independently of its downstream backend spans produces incomplete, misleading traces.
|
|
36
|
+
|
|
37
|
+
### 3. Size the ratio against stated traffic volume and the backend's cost/cardinality limits, not a guess
|
|
38
|
+
|
|
39
|
+
Before recommending a ratio:
|
|
40
|
+
|
|
41
|
+
- Get (or explicitly estimate and label as an estimate) the page's traffic volume (sessions/day or requests/day).
|
|
42
|
+
- Get the backend's pricing/cardinality model (per-span cost, per-attribute cardinality limits, retention window).
|
|
43
|
+
- Compute expected exported span volume at candidate ratios (e.g., 100k sessions/day × 5 spans/session × 0.1 ratio = 50k spans/day) and state that arithmetic explicitly in the recommendation — never hand back a bare percentage with no traffic math behind it.
|
|
44
|
+
- Never recommend 100% (unsampled) export for a stated high-traffic production app without an explicit, logged cost review — treat that as the exception requiring justification, not the default.
|
|
45
|
+
|
|
46
|
+
### 4. Name attributes with OpenTelemetry Semantic Conventions, not ad-hoc keys
|
|
47
|
+
|
|
48
|
+
Use the standard attribute namespaces (e.g., `http.request.method`, `http.response.status_code`, `url.path`, `user_agent.original`) documented in the OpenTelemetry Semantic Conventions rather than inventing project-specific keys like `httpMethod` or `req_status`. Ad-hoc naming breaks cross-service correlation and makes backend queries/dashboards non-portable. When no standard convention covers a genuinely custom business attribute, prefix it clearly (e.g., a documented internal namespace) so it's visually distinguishable from standard conventions, rather than colliding with or shadowing a standard key name.
|
|
49
|
+
|
|
50
|
+
### 5. Every custom attribute must pass a PII check before it ships
|
|
51
|
+
|
|
52
|
+
Before adding any span attribute, metric label, or `web-vitals` attribution `generateTarget` output, check it against this list. If any apply, the attribute must be scrubbed, hashed, truncated, or dropped before export:
|
|
53
|
+
|
|
54
|
+
- **Raw URLs with query strings** — query strings frequently carry session tokens, search terms, or user-identifying values. Capture path only (`url.path`), or explicitly strip known-sensitive query parameters before capturing `url.full`.
|
|
55
|
+
- **User identifiers** — no raw email, username, account ID, or customer name as a plain attribute value. If correlation is needed, use an opaque, rotated, non-reversible identifier and document the mapping's access control separately.
|
|
56
|
+
- **Free-text form input** — never capture form field values (search boxes, comment fields, addresses) as telemetry attributes.
|
|
57
|
+
- **Precise geolocation** — no raw lat/long or street-level location; use coarse-grained (e.g., country/region) if location is genuinely needed for the stated purpose.
|
|
58
|
+
- **DOM-derived strings that embed the above** — a CSS selector or `generateTarget` output can accidentally embed a customer name or ID if it's built from live `id`/`class`/`data-*` attributes that the DOM populates with user data; audit before trusting default stringification (see `web-vitals-attribution-wiring.md` rule 1).
|
|
59
|
+
- **Auth headers/tokens** — never mirror `Authorization`, cookies, or bearer tokens into span attributes, even truncated; treat any such capture as a credential leak, not a debugging convenience.
|
|
60
|
+
|
|
61
|
+
### 6. Cardinality is a cost multiplier independent of sampling
|
|
62
|
+
|
|
63
|
+
A single high-cardinality attribute (e.g., a raw user ID or full URL used as a span attribute) can multiply backend storage/indexing cost regardless of the trace sampling ratio, because most backends index per-unique-attribute-value. Prefer bounded-cardinality attributes (enum-like values, coarse buckets) for anything intended to be an indexed/filterable dimension; keep genuinely high-cardinality values (if needed at all) as non-indexed payload fields, and confirm the plan against the destination backend's own cardinality documentation.
|
|
64
|
+
|
|
65
|
+
## Minimal safe implementation flow
|
|
66
|
+
|
|
67
|
+
1. Get or explicitly estimate traffic volume for the page/app in scope.
|
|
68
|
+
2. Get the backend's pricing/cardinality/retention model (or state clearly that it's unknown and flag the gap).
|
|
69
|
+
3. Propose a `TraceIdRatioBasedSampler` ratio wrapped in `ParentBasedSampler`, with the traffic-volume arithmetic shown.
|
|
70
|
+
4. Enumerate every custom span attribute, metric label, and `generateTarget` output planned; run each through the PII check in rule 5.
|
|
71
|
+
5. Map custom attributes to OpenTelemetry Semantic Conventions where a standard key exists; namespace the rest clearly.
|
|
72
|
+
6. Flag any attribute that is both high-cardinality and unbounded (raw user input, raw URL) as an indexing/cost risk even if it passes the PII check.
|
|
73
|
+
7. State the sampling ratio, PII findings, and cardinality findings together as one review output — do not split cost sizing from privacy review into separate, disconnected passes.
|
|
74
|
+
|
|
75
|
+
## Adversarial checklist
|
|
76
|
+
|
|
77
|
+
Before approving a RUM/tracing pipeline, answer these:
|
|
78
|
+
|
|
79
|
+
- What is the actual (or explicitly estimated) traffic volume this sampling ratio is sized against?
|
|
80
|
+
- Does the sampler respect parent sampling decisions (`ParentBasedSampler`), or will browser spans and backend spans disagree on what got sampled?
|
|
81
|
+
- For every custom attribute: does it match a standard Semantic Convention key, or is it deliberately namespaced as custom?
|
|
82
|
+
- For every attribute sourced from user-controllable input (URL, form, DOM content, `generateTarget`): has it been explicitly scrubbed, or is it being trusted "because it looked fine in testing"?
|
|
83
|
+
- Which attributes are indexed/filterable in the destination backend, and are any of those unbounded-cardinality values?
|
|
84
|
+
|
|
85
|
+
If these cannot be answered, the review is incomplete — say so rather than approving.
|
|
86
|
+
|
|
87
|
+
## When to push back
|
|
88
|
+
|
|
89
|
+
Push back if the user asks for:
|
|
90
|
+
|
|
91
|
+
- 100% unsampled export "to not miss anything," on a stated high-traffic app, with no cost review,
|
|
92
|
+
- capturing full request URLs or form values "just in case it's useful later,"
|
|
93
|
+
- inventing custom attribute names that duplicate an existing Semantic Convention key under a different spelling,
|
|
94
|
+
- skipping the PII check because "it's just internal telemetry" — internal-only access does not eliminate the need for a PII/data-governance review; it changes who is affected, not whether it matters.
|
|
95
|
+
|
|
96
|
+
Those are not shortcuts. They are cost incidents and data-governance failures waiting to be found in an audit.
|
|
@@ -0,0 +1,87 @@
|
|
|
1
|
+
# web-vitals Attribution Build Wiring
|
|
2
|
+
|
|
3
|
+
Use this reference only when writing or reviewing the actual `onLCP`/`onINP`/`onCLS` (or `onFCP`/`onTTFB`) instrumentation call.
|
|
4
|
+
|
|
5
|
+
> Version note: `web-vitals` API surface (attribution option shapes, default thresholds) is version-sensitive. Verify the installed package version against Context7-fetched docs (`/googlechrome/web-vitals`) before prescribing option names.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The naive story is:
|
|
10
|
+
|
|
11
|
+
> "I'll import `onLCP` from `web-vitals` and send everything to analytics with `reportAllChanges: true` so I never miss a value."
|
|
12
|
+
|
|
13
|
+
Wrong on two counts:
|
|
14
|
+
|
|
15
|
+
1. The **standard build** (`web-vitals`) only returns the metric name, value, rating, and delta. It does **not** tell you *why* LCP was slow or *which* element shifted for CLS. For root-cause work you need the **attribution build** (`web-vitals/attribution`), which is a separate import path, not a flag on the standard build.
|
|
16
|
+
2. `reportAllChanges: true` reports every intermediate value change (e.g., every CLS shift, every LCP candidate), not just the final value — this is a debugging tool that multiplies event volume in production, not a default-on setting.
|
|
17
|
+
|
|
18
|
+
## Standard build vs. attribution build
|
|
19
|
+
|
|
20
|
+
- **Standard build** (`import {onLCP, onINP, onCLS} from 'web-vitals'`): metric name, `value`, `rating` (`good`/`needs-improvement`/`poor`), `delta`, `id`. Use this for default production RUM export — it is the lower-cardinality, lower-payload choice.
|
|
21
|
+
- **Attribution build** (`import {onLCP, onINP, onCLS} from 'web-vitals/attribution'`): adds a `metric.attribution` object with phase/target detail (e.g., LCP's `attribution.target`, `attribution.timeToFirstByte`, `attribution.resourceLoadDelay`; INP's `attribution.interactionTarget`, `attribution.inputDelay`, `attribution.processingDuration`, `attribution.presentationDelay`; CLS's `attribution.largestShiftTarget`, `attribution.largestShiftTime`).
|
|
22
|
+
- Do not send the attribution build's full diagnostic payload to a blanket production analytics endpoint by default — route it to a debug/diagnostic destination or sample it separately, because its per-metric fields substantially increase payload size and can carry more surface area for accidental PII (e.g., a raw element attribute pulled into a target string).
|
|
23
|
+
|
|
24
|
+
## Non-negotiable design rules
|
|
25
|
+
|
|
26
|
+
### 1. Choose `generateTarget` deliberately, not by default
|
|
27
|
+
|
|
28
|
+
`AttributionReportOpts.generateTarget` is `(el: Node | null) => string | undefined`. It overrides how a DOM node is stringified in attribution fields (e.g., `attribution.target`, `attribution.largestShiftTarget`, `attribution.interactionTarget`). Do not leave the default CSS-selector-based stringification unexamined if the DOM contains sensitive `id`/`class`/`data-*` values that could leak into telemetry (e.g., a selector embedding a customer name). A safe pattern prioritizes an intentional tracking attribute over the raw selector:
|
|
29
|
+
|
|
30
|
+
```javascript
|
|
31
|
+
import {onCLS, onINP, onLCP} from 'web-vitals/attribution';
|
|
32
|
+
|
|
33
|
+
function generateTarget(el) {
|
|
34
|
+
// Prefer an explicit, reviewed tracking attribute.
|
|
35
|
+
if (el?.dataset.trackingId) {
|
|
36
|
+
return el.dataset.trackingId;
|
|
37
|
+
}
|
|
38
|
+
// Fall back to default CSS-selector logic only if that selector
|
|
39
|
+
// is known not to embed PII (audit before relying on this).
|
|
40
|
+
return undefined;
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
onLCP((metric) => sendToAnalytics(metric), {generateTarget});
|
|
44
|
+
onCLS((metric) => sendToAnalytics(metric), {generateTarget});
|
|
45
|
+
onINP((metric) => sendToAnalytics(metric), {generateTarget});
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### 2. Tune `INPAttributionReportOpts` explicitly, don't accept silent defaults
|
|
49
|
+
|
|
50
|
+
`onINP` in the attribution build accepts `durationThreshold` (default `40`ms — interactions shorter than this are not attributed) and `includeProcessedEventEntries` (default `true` — includes the full array of event-timing entries for the interaction frame). State both defaults explicitly in any review: a lower `durationThreshold` increases event volume by attributing more interactions; leaving `includeProcessedEventEntries: true` on a high-traffic page increases per-event payload size and should be weighed against export cost.
|
|
51
|
+
|
|
52
|
+
### 3. Keep `reportAllChanges` off in production by default
|
|
53
|
+
|
|
54
|
+
`reportAllChanges` (inherited from `ReportOpts`, default `false`) reports every intermediate metric change instead of just the final value. Only enable it for a scoped debugging session against a non-production or sampled destination — never as the default production wiring.
|
|
55
|
+
|
|
56
|
+
### 4. Match the reporting transport to the page-lifecycle guarantee you need
|
|
57
|
+
|
|
58
|
+
`web-vitals` callbacks can fire late in the page lifecycle (e.g., on visibility change or page unload for LCP/CLS finalization). Use a transport that survives page unload (e.g., `navigator.sendBeacon`, or `fetch` with `keepalive: true`) rather than a plain `fetch` call that can be cancelled when the page unloads mid-request.
|
|
59
|
+
|
|
60
|
+
## Minimal safe implementation flow
|
|
61
|
+
|
|
62
|
+
1. Decide standard vs. attribution build based on whether root-cause detail is needed for this rollout (default: standard build for blanket production RUM).
|
|
63
|
+
2. If attribution build: define and review a `generateTarget` function before shipping — do not accept the default selector logic unreviewed.
|
|
64
|
+
3. Explicitly set (or explicitly accept and document) `durationThreshold`/`includeProcessedEventEntries` for INP.
|
|
65
|
+
4. Leave `reportAllChanges` at its default `false` unless a scoped debug session requires it, and route that debug payload separately.
|
|
66
|
+
5. Choose an unload-safe transport (`sendBeacon` / `fetch` with `keepalive`).
|
|
67
|
+
6. Run every attribution field emitted through the PII check in `sampling-cardinality-pii-controls.md` before it ships.
|
|
68
|
+
|
|
69
|
+
## Adversarial checklist
|
|
70
|
+
|
|
71
|
+
Before shipping any `web-vitals` wiring, answer these:
|
|
72
|
+
|
|
73
|
+
- Which build (standard or attribution) is this, and does that match the stated purpose (production dashboard vs. active debugging)?
|
|
74
|
+
- If attribution build: has `generateTarget` been reviewed against the actual DOM, or is the default selector logic unaudited?
|
|
75
|
+
- Is `reportAllChanges` on, and if so, is that intentional and scoped to non-production/debug traffic?
|
|
76
|
+
- What percentile will this data be aggregated to before it's called "the site's LCP/INP/CLS" (per CWV convention, p75)?
|
|
77
|
+
- Does the reporting transport survive `visibilitychange`/unload, or will late-finalizing metrics be silently dropped?
|
|
78
|
+
|
|
79
|
+
## When to push back
|
|
80
|
+
|
|
81
|
+
Push back if the user asks for:
|
|
82
|
+
|
|
83
|
+
- shipping the attribution build's full payload to production analytics "just in case," with no PII review of `generateTarget` output,
|
|
84
|
+
- `reportAllChanges: true` as a permanent production default,
|
|
85
|
+
- reporting a single lab run's LCP/INP/CLS value as if it were the field p75 the org will be judged on.
|
|
86
|
+
|
|
87
|
+
Those are not shortcuts. They inflate cost, leak data, and misreport what users actually experience.
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: frontend-platform-architecture-review
|
|
3
|
+
description: Reviews cross-cutting frontend architecture decisions (module boundaries, rendering topology, technology adoption) against a rewrite-averse, evidence-grounded standard before they are approved, producing an ADR-quality verdict rather than a stylistic opinion.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: architecture
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Frontend Platform Architecture Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Review proposed or existing frontend architecture — module/package boundaries, monorepo topology, rendering-strategy choice, technology adoption — for duplication, migration safety, and cross-team consistency, without re-litigating implementation-level state-management, routing, API-contract, or SSR-mechanics detail in every response. This skill exists so those adjacent concerns stay out of scope and the review stays focused on the cross-cutting, org-level decision: should this architectural change be approved, and on what terms.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- review a proposal to adopt a new frontend framework, library, or build tool,
|
|
23
|
+
- resolve two teams solving the same problem with different primitives (state management, routing, styling),
|
|
24
|
+
- redraw a monorepo/polyrepo module boundary or ownership line,
|
|
25
|
+
- review a rendering-strategy change (CSR to SSR, SSR to SSG/ISR/streaming/PPR),
|
|
26
|
+
- audit an existing codebase for architectural entropy before a scaling or hiring push.
|
|
27
|
+
|
|
28
|
+
Do not use this skill for:
|
|
29
|
+
|
|
30
|
+
- implementation-level state-management review — route to `state-management-decision-review`,
|
|
31
|
+
- routing/navigation-specific review — route to `routing-navigation-review`,
|
|
32
|
+
- API-contract or data-fetching review — route to `api-integration-contract-review`,
|
|
33
|
+
- SSR/hydration mechanics debugging — route to `ssr-hydration-streaming-diagnosis`,
|
|
34
|
+
- responsive/visual UI design review — that needs a design-system/visual skill, not architecture review.
|
|
35
|
+
|
|
36
|
+
## Context7 Documentation Protocol
|
|
37
|
+
|
|
38
|
+
- Before evaluating any version-sensitive technical claim in the proposal (e.g., "Next.js Partial Prerendering lets us do X," "React 19 Suspense enables Y"), call `resolve-library-id` for the exact library, then `query-docs` against the repo's confirmed version — read `package.json` first to confirm the installed major version before trusting a claim about API availability.
|
|
39
|
+
- Matched library IDs for this skill's default grounding: React is `/reactjs/react.dev`, Next.js is `/vercel/next.js`. Resolve fresh for any other framework named in a proposal (Angular, Vue, SvelteKit, etc.) rather than assuming these two cover every case.
|
|
40
|
+
- Never approve a version-sensitive technical claim without Context7 verification. If Context7 is unavailable, mark the claim `documentation-based — unverified this session` in the verdict and require the proposer to confirm the claim before final approval.
|
|
41
|
+
- Documentation proves what a framework *supports*; it does not prove the proposal's specific repo can adopt it safely. Pair every Context7-grounded capability claim with a repo-evidence check (actual installed version, actual existing patterns) before treating it as settled.
|
|
42
|
+
|
|
43
|
+
## Lean operating rules
|
|
44
|
+
|
|
45
|
+
- First classify the proposal: new capability, migration of an existing capability, or boundary redraw. Do not evaluate a migration as if it were greenfield.
|
|
46
|
+
- Check for an existing in-repo equivalent before evaluating the proposal on its own terms. A proposal that duplicates a capability the repo already solves is a duplication defect regardless of how well-argued the new approach is.
|
|
47
|
+
- Require at least two alternatives with tradeoffs before treating a single-option proposal as reviewable. A proposal with no alternatives considered is not ready for an architecture verdict — send it back.
|
|
48
|
+
- Default against "rewrite" framing. If an incremental strangler-fig or boundary-first path exists, require it over a big-bang rewrite; do not accept "the codebase is too messy to migrate incrementally" without the proposer demonstrating why.
|
|
49
|
+
- Treat accessibility and security posture as first-class, blocking review criteria — not items to defer to a follow-up ticket. An architecture proposal silent on a11y/security is incomplete, not merely imperfect.
|
|
50
|
+
- Treat Core Web Vitals budget impact as mandatory for any rendering-strategy change; a proposal with no stated LCP/INP/CLS impact (lab or field) has not been evaluated for its primary tradeoff.
|
|
51
|
+
- Never fabricate a performance or vitals number without a stated measurement source; label estimates `inference, not measured` and require the proposer to supply lab or field data before final approval.
|
|
52
|
+
- Never execute, build, or run application code as part of this review; this is a static-review skill (Read/Grep/Glob only) — verdicts are based on document, code, and config evidence, not live measurement you generate yourself.
|
|
53
|
+
- Flag any architecture proposal that stores secrets or tokens in client-reachable bundles or build-time-inlined env vars, allows postinstall scripts from unpinned/unaudited dependencies, or introduces a CSP-incompatible pattern (`unsafe-eval`, dynamic `Function()`) as a blocking finding, not a note — this cannot be approved-with-conditions into a later cleanup.
|
|
54
|
+
|
|
55
|
+
## References
|
|
56
|
+
|
|
57
|
+
Load these only when needed:
|
|
58
|
+
|
|
59
|
+
- [Review workflow and ADR output contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the approve/approve-with-conditions/reject decision tree, and the required ADR-format output shape.
|
|
60
|
+
- [Rendering topology and cross-cutting budgets](references/rendering-topology-and-budgets.md) — load only when the proposal changes rendering strategy (CSR/SSR/SSG/ISR/streaming/PPR) or when Core Web Vitals, a11y, or security posture needs grounding against current framework/WCAG guidance.
|
|
61
|
+
|
|
62
|
+
## Response minimum
|
|
63
|
+
|
|
64
|
+
Return, at minimum:
|
|
65
|
+
|
|
66
|
+
- the architectural change and files/modules/teams in scope,
|
|
67
|
+
- duplication check result (existing in-repo equivalent found or none),
|
|
68
|
+
- every version-sensitive claim labeled `Context7-verified` or `documentation-based — unverified this session`,
|
|
69
|
+
- verdict (approve / approve-with-conditions / reject-with-reasoning) with the specific unresolved conditions if any,
|
|
70
|
+
- rollback or incremental-migration path referenced explicitly,
|
|
71
|
+
- open questions the review could not resolve from available evidence.
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "frontend-platform-architecture-review",
|
|
3
|
+
"name": "Frontend Platform Architecture Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews cross-cutting frontend architecture decisions (module boundaries, rendering topology, technology adoption) against a rewrite-averse, evidence-grounded standard before they are approved, using duplication checks, incremental-migration requirements, and Core Web Vitals/a11y/security gates loaded progressively and grounded via Context7 against the repo's confirmed framework versions.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://react.dev/learn/thinking-in-react",
|
|
18
|
+
"https://nextjs.org/docs/app/building-your-application/routing",
|
|
19
|
+
"https://web.dev/articles/vitals",
|
|
20
|
+
"https://www.w3.org/WAI/WCAG22/quickref/"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "Static-review-only skill: it reads and greps proposal documents, config, and source but never executes, builds, or runs application code. Flag any architecture proposal that stores secrets/tokens in client-reachable bundles or build-time-inlined env vars, allows postinstall scripts from unpinned/unaudited dependencies, or introduces a CSP-incompatible pattern (unsafe-eval, dynamic Function()) as a blocking finding, not a note.",
|
|
23
|
+
"last_verified": "2026-07-02",
|
|
24
|
+
"path": "skills/frontend/frontend-platform-architecture-review",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|
|
@@ -0,0 +1,61 @@
|
|
|
1
|
+
# Rendering Topology and Cross-Cutting Budgets
|
|
2
|
+
|
|
3
|
+
Use this reference only when the proposal changes rendering strategy (CSR → SSR, SSR → SSG/ISR/streaming/PPR) or when Core Web Vitals, accessibility, or security posture needs grounding against current framework and WCAG guidance. Do not load this for a pure module-boundary or dependency-adoption proposal that does not touch rendering.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive story is:
|
|
8
|
+
|
|
9
|
+
> We're moving from SSR to PPR/streaming, so this is purely a performance upgrade — it's strictly better.
|
|
10
|
+
|
|
11
|
+
Wrong. A rendering-topology change is a cross-cutting change to caching, hydration timing, focus/reading order, and the bundle's client-reachable surface — not an isolated performance knob. Officially, Next.js describes Partial Prerendering as combining a static prerendered shell with dynamic content streamed in via Suspense boundaries at request time; React's Suspense mechanism decides what streams and when. That means every dynamic region introduces a new hydration/streaming boundary that a11y (focus management, live-region announcements) and security (what's in the static shell vs. what's fetched dynamically, and with what auth context) both have to account for. Treating it as "just faster" skips the review this skill exists to force.
|
|
12
|
+
|
|
13
|
+
## Officially grounded rendering-strategy shape (Context7-verified)
|
|
14
|
+
|
|
15
|
+
- **Partial Prerendering (PPR)** — Next.js's glossary describes PPR as "a rendering optimization that combines prerendering and dynamic rendering in a single route. The static shell is served immediately while dynamic content streams in when ready." As of Next.js 16, PPR is enabled via `cacheComponents: true` in `next.config`, replacing the earlier `experimental_ppr` route-segment flag. Verify the repo's installed Next.js major before citing either mechanism — the config surface changed between versions.
|
|
16
|
+
- **Static-shell-plus-streaming pattern** — implemented via a `<Suspense fallback={...}>` boundary wrapping the dynamic component; the fallback is prerendered as part of the static shell, and the wrapped component streams once its data resolves. Every such boundary is a place where the visible-but-not-yet-interactive gap (for a11y) and the deferred-fetch trust boundary (for security) both need explicit review.
|
|
17
|
+
- **Component decomposition as the review's dependency, not its subject** — React's own "Thinking in React" guidance frames component splitting around separation of concerns ("a component should ideally only be concerned with one thing. If it ends up growing, it should be decomposed into smaller subcomponents"). This skill does not re-review component-level decomposition (that is `react-component-architecture-review`'s job); it uses this principle only to sanity-check that a proposed module/rendering boundary maps to a real separation of concerns rather than an arbitrary split.
|
|
18
|
+
|
|
19
|
+
## Non-negotiable design rules
|
|
20
|
+
|
|
21
|
+
1. **State the Core Web Vitals budget impact per route class, not per app.** LCP/INP/CLS impact differs by route (a marketing shell vs. an authenticated dashboard); a single app-wide estimate hides regressions in the routes that matter most.
|
|
22
|
+
2. **Separate lab data from field data explicitly.** Lab data (Lighthouse, local traces) proves a route *can* meet budget under controlled conditions; field data (CrUX, RUM) proves it *does* for real users. A proposal citing only lab numbers as evidence of production impact is incomplete.
|
|
23
|
+
3. **Every new streaming/hydration boundary must state its focus-management and live-region behavior.** Content that pops in after initial paint can silently move focus or fail to announce to assistive technology; this is not optional polish, it is the a11y consequence of the rendering choice.
|
|
24
|
+
4. **State what's in the static shell vs. fetched dynamically, and under what auth context.** A static shell is often cached and served without per-request auth; if a proposal moves user-specific or sensitive data into a cached shell to hit a performance target, that is a security defect, not a clever optimization.
|
|
25
|
+
6. **Treat framework version as load-bearing for every claim.** PPR's config surface, Suspense streaming semantics, and caching defaults have all changed across React and Next.js majors — a claim true for one major can be false or renamed in another. Confirm the installed version before citing a mechanism.
|
|
26
|
+
|
|
27
|
+
## Adversarial checklist
|
|
28
|
+
|
|
29
|
+
Before approving a rendering-topology change, answer these:
|
|
30
|
+
|
|
31
|
+
- What is the LCP/INP/CLS budget for the specific route(s) affected, and is it lab data, field data, or an unmeasured estimate?
|
|
32
|
+
- Which regions of the page are in the static shell, and which stream in dynamically?
|
|
33
|
+
- Is any user-specific or sensitive data present in the static shell (which may be cached/shared across requests)?
|
|
34
|
+
- What happens to keyboard focus and screen-reader announcements when a streamed region resolves after initial paint?
|
|
35
|
+
- What is the fallback/loading state, and does it meet the same a11y bar as the resolved content (not just visually, but semantically)?
|
|
36
|
+
- Does the target framework version actually support the mechanism being proposed, confirmed via Context7 against the installed version — not assumed from general familiarity with the framework?
|
|
37
|
+
- If this fails or partially fails in production, what is the rollback — a config flag, a route-level revert, or a full redeploy?
|
|
38
|
+
|
|
39
|
+
If these cannot be answered, the review is not ready for a verdict — send it back with the specific gaps named.
|
|
40
|
+
|
|
41
|
+
## High-risk assumptions to kill
|
|
42
|
+
|
|
43
|
+
- "Streaming is strictly additive — it can only make things faster, never worse."
|
|
44
|
+
- "The static shell has no sensitive data because we didn't put user data there on purpose."
|
|
45
|
+
- "PPR/ISR works the same way in this Next.js major as it did in the blog post I read."
|
|
46
|
+
- "A11y is a component-level concern, so it's out of scope for a rendering-strategy review."
|
|
47
|
+
- "We'll measure Core Web Vitals after launch" as a substitute for a stated budget before launch.
|
|
48
|
+
|
|
49
|
+
Those are lazy assumptions. Each one has caused a real production regression in review histories this skill's design pattern is meant to catch.
|
|
50
|
+
|
|
51
|
+
## When to push back
|
|
52
|
+
|
|
53
|
+
Push back if the proposal:
|
|
54
|
+
|
|
55
|
+
- states a performance goal with no route-level budget or measurement plan,
|
|
56
|
+
- moves rendering strategy without naming the resulting static/dynamic data split,
|
|
57
|
+
- treats accessibility of streamed content as a follow-up ticket rather than part of the design,
|
|
58
|
+
- cites a framework capability without the installed version being confirmed against Context7-verified docs,
|
|
59
|
+
- offers no rollback mechanism narrower than a full redeploy.
|
|
60
|
+
|
|
61
|
+
That is not "shipping faster." It is deferring the review to production incidents.
|
package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md
ADDED
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# Review Workflow and ADR Output Contract
|
|
2
|
+
|
|
3
|
+
Use this reference for the step-by-step review procedure, the decision tree governing approve/approve-with-conditions/reject, and the required output shape. Load it for every review; it is the orchestration layer the other reference does not cover.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive story is:
|
|
8
|
+
|
|
9
|
+
> The proposer already explained why this is a good idea, so my job is to sanity-check their reasoning.
|
|
10
|
+
|
|
11
|
+
Wrong. The proposer's framing is evidence, not a starting truth. A reviewer who only checks internal consistency of the proposal will approve a well-argued duplication, a well-argued rewrite, and a well-argued a11y-deferral, because those things can all be argued well. The job is to check the proposal against the repo's actual state and against enterprise standards the proposer did not necessarily consider — not to grade the proposal's own essay.
|
|
12
|
+
|
|
13
|
+
## Step-by-step workflow
|
|
14
|
+
|
|
15
|
+
1. **Classify the proposal.** New capability, migration of an existing capability, or boundary redraw. This determines which checks apply — a new capability has no prior art to compare against; a migration must justify the replacement of what exists; a boundary redraw must show who owns what after the change.
|
|
16
|
+
2. **Check for an existing in-repo equivalent.** Search the repo (Grep/Glob) for the capability the proposal claims to introduce. If one exists, the proposal must explicitly justify why the existing one cannot be extended — silence on this is a duplication defect.
|
|
17
|
+
3. **Verify every version-sensitive technical claim via Context7.** Resolve the library, confirm the repo's installed major version from `package.json` or lockfile, then query docs for that version. Label each claim `Context7-verified` or `documentation-based — unverified this session`.
|
|
18
|
+
4. **Require at least two alternatives considered with tradeoffs.** A single-option proposal is not ready for a verdict; send it back with this specific gap named rather than guessing at alternatives on the proposer's behalf.
|
|
19
|
+
5. **Require an incremental migration plan with a rollback path.** Reject "big bang" proposals by default. If the proposer argues incremental migration is infeasible, that argument itself needs evidence (e.g., tight coupling that genuinely cannot be strangled), not just assertion.
|
|
20
|
+
6. **Confirm a11y and security posture are explicitly addressed.** Not assumed, not deferred to "we'll handle it in implementation." A rendering or module-boundary change that affects focus order, hydration timing, or bundle boundaries has a11y and security surface area; the proposal must name it.
|
|
21
|
+
7. **Confirm Core Web Vitals budget impact is stated for any rendering-strategy change.** Lab or field data, or an explicit estimate labeled `inference, not measured` with a commitment to measure post-launch. Silence is not acceptable for a rendering change.
|
|
22
|
+
8. **Issue a verdict.** Approve, approve-with-conditions, or reject-with-reasoning, using the decision tree below.
|
|
23
|
+
|
|
24
|
+
## Decision tree
|
|
25
|
+
|
|
26
|
+
- Proposal duplicates an existing capability → **reject** unless the proposer justifies why the existing one cannot be extended.
|
|
27
|
+
- Proposal has no rollback path → **reject-with-conditions**, requiring one before re-review.
|
|
28
|
+
- Proposal is framed as a rewrite but an incremental strangler-fig path plausibly exists → **reject the rewrite framing**; request an incremental plan, do not simply approve the rewrite because it is well-written.
|
|
29
|
+
- A11y or security posture is unaddressed → **reject-with-conditions**; this is never waived even if the proposer considers it out of scope.
|
|
30
|
+
- Rendering-strategy change with no stated Core Web Vitals impact → **reject-with-conditions**; require lab or field data, or an explicit measurement commitment.
|
|
31
|
+
- None of the above triggers apply → **approve** or **approve-with-conditions** based on any remaining, narrower gaps (e.g., missing ownership documentation, unresolved naming collision).
|
|
32
|
+
|
|
33
|
+
## ADR-format output contract
|
|
34
|
+
|
|
35
|
+
Every verdict must be returned in this shape:
|
|
36
|
+
|
|
37
|
+
1. **Context** — what is being proposed, which teams/modules are affected, why now.
|
|
38
|
+
2. **Decision recommendation** — approve / approve-with-conditions / reject-with-reasoning, stated plainly in the first line.
|
|
39
|
+
3. **Duplication check** — existing in-repo equivalent found (with file/module evidence) or none found, and the search performed.
|
|
40
|
+
4. **Alternatives considered** — the two or more options and their tradeoffs, as supplied by the proposer or explicitly flagged as missing.
|
|
41
|
+
5. **Version-sensitive claims** — each claim labeled `Context7-verified` (with the library/version queried) or `documentation-based — unverified this session`.
|
|
42
|
+
6. **Consequences** — what this decision commits the org to, including maintenance burden and the "third way to do X" cost if a competing capability now exists.
|
|
43
|
+
7. **Rollback / incremental migration plan** — the specific mechanism (feature flag, route-level cutover, strangler-fig boundary), or its absence flagged as a blocking condition.
|
|
44
|
+
8. **A11y and security posture** — explicit statement of impact and mitigation, or flagged as a blocking condition if silent.
|
|
45
|
+
9. **Core Web Vitals budget impact** — for rendering-strategy changes only; lab/field data or a labeled estimate with a measurement commitment.
|
|
46
|
+
10. **Unresolved conditions** — the specific, named items blocking full approval, if any.
|
|
47
|
+
|
|
48
|
+
Do not compress this into prose paragraphs when the proposal is non-trivial; use the numbered shape so gaps are visible at a glance to the next reviewer.
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: frontend-testing-strategy-review
|
|
3
|
+
description: Reviews frontend test-pyramid shape, critical-path coverage, and flaky-test governance across unit, component, integration, and E2E layers (Vitest/Jest, Testing Library, Playwright/Cypress), loading framework references only when the task needs them.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: delivery
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Frontend Testing Strategy Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
A green CI badge does not prove a critical user journey works. This skill exists to separate "tests exist" from "tests exercise the actual failure modes that matter" — test-pyramid shape, critical-path coverage, and flaky-test governance — without dumping every testing-library's full API surface into every review.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- review or design a frontend test strategy across unit, component, integration, and E2E layers,
|
|
23
|
+
- diagnose why a test suite is slow, flaky, or not catching regressions,
|
|
24
|
+
- decide whether a given assertion belongs at the unit, component, or E2E layer,
|
|
25
|
+
- audit critical-user-journey coverage (checkout, auth, forms) before a release,
|
|
26
|
+
- evaluate a proposed test-framework migration (Jest to Vitest, Cypress to Playwright).
|
|
27
|
+
|
|
28
|
+
## Context7 Documentation Protocol
|
|
29
|
+
|
|
30
|
+
Test-runner and testing-library APIs (retry semantics, coverage-threshold config, query priority, selector strategy) change across majors and are documented, not folklore — never assert a flag, config shape, or "best practice" from memory.
|
|
31
|
+
|
|
32
|
+
1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded in this session.
|
|
33
|
+
2. Call `mcp__Context7__resolve-library-id` for the framework in question: `/microsoft/playwright` for Playwright, `/vitest-dev/vitest` for Vitest, `/testing-library/testing-library-docs` for Testing Library, `/cypress-io/cypress-documentation` for Cypress. Prefer these resolved IDs over guessing a library name.
|
|
34
|
+
3. Call `mcp__Context7__query-docs` for the specific claim in question — e.g. "coverage threshold configuration", "web-first assertion retry behavior", "getByRole query priority", "avoid fixed waits" — before stating it as fact. Do this per review, not once from a prior session's memory.
|
|
35
|
+
4. Prefer the official docs URLs in `official_docs` for primary normative statements (e.g. exact CLI flags, exact config shape); use Context7 to ground and cross-check the claim before writing it into a finding.
|
|
36
|
+
5. If Context7 is unavailable or returns no relevant match, fall back to the `official_docs` URLs and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
|
|
37
|
+
6. Never invent a config key, CLI flag, matcher name, or API method that no queried source confirms.
|
|
38
|
+
|
|
39
|
+
## Lean operating rules
|
|
40
|
+
|
|
41
|
+
- Classify the pyramid shape first (unit:component:E2E ratio, counted from actual test files/CI artifacts, not the user's description of it) before recommending any specific test; a shape problem needs a rebalancing plan, not one more test.
|
|
42
|
+
- Treat coverage percentage as a weak signal; require evidence the suite asserts on error states, loading states, and accessibility tree for critical paths, not just the happy-path DOM. A file at 100% line coverage with no error-path assertion is not "well tested."
|
|
43
|
+
- Treat flaky-test quarantine (`.skip`, `test.fixme`, `it.skip`, `describe.skip`, Cypress `{retries: N}` used to paper over root cause) as a tracked liability with an owner and expiry, never a silent, permanent state.
|
|
44
|
+
- Prefer official, version-specific docs (via Context7) over memory for any framework API claim — Playwright, Vitest, Cypress, and Testing Library APIs and retry/wait semantics change across majors.
|
|
45
|
+
- Never request or accept real user credentials, session cookies, or production API keys as test fixtures; require synthetic data or network mocking (MSW, `cy.intercept`, Playwright route interception).
|
|
46
|
+
- Do not recommend a framework migration (Jest→Vitest, Cypress→Playwright) without a measured baseline (suite duration, ESM/native-TS support gap, current flake rate) and a rollback path; framework preference alone is not a migration justification.
|
|
47
|
+
- Distinguish "flaky because of the test" (missing await, race on network mock, unstable selector) from "flaky because of the app" (real timing bug, unhandled async state) — the fix differs and misdiagnosis just hides a production bug behind a retry.
|
|
48
|
+
- Load references only for the layer/framework in scope; do not load the Playwright reference for a pure Vitest unit-coverage question, and do not load the pyramid-shape reference for a single flaky-test triage.
|
|
49
|
+
|
|
50
|
+
## References
|
|
51
|
+
|
|
52
|
+
Load these only when needed:
|
|
53
|
+
|
|
54
|
+
- [Test pyramid shape and critical-path coverage](references/pyramid-shape-and-coverage.md) — use when classifying unit:component:E2E ratio, deciding which layer an assertion belongs at, or auditing critical-user-journey coverage.
|
|
55
|
+
- [Flaky-test diagnosis and governance](references/flaky-test-governance.md) — use when triaging a flaky or slow suite, reviewing quarantine (`.skip`/`fixme`) usage, or setting a flake-tracking policy.
|
|
56
|
+
- [Playwright and Cypress E2E review](references/e2e-framework-review.md) — use for E2E-layer specifics: locator/selector strategy, web-first assertions and retry semantics, test isolation, and Jest/Cypress-to-Playwright migration evidence requirements.
|
|
57
|
+
- [Vitest and Testing Library unit/component review](references/unit-component-framework-review.md) — use for unit/component-layer specifics: query priority (`getByRole` over test IDs), mocking boundaries, and coverage-threshold configuration.
|
|
58
|
+
|
|
59
|
+
## Response minimum
|
|
60
|
+
|
|
61
|
+
Return, at minimum:
|
|
62
|
+
|
|
63
|
+
- the test-pyramid shape observed (unit/component/E2E counts or ratio, with the file/CI-artifact evidence it came from, not an estimate),
|
|
64
|
+
- critical-user-journey coverage gaps, cited to a specific file/line or CI-artifact,
|
|
65
|
+
- flaky-test inventory status for any `.skip`/`fixme`/retry-suppressed test found (owner, expiry, or "untracked liability"),
|
|
66
|
+
- a minimal, prioritized diff-level test plan (not a full-suite rewrite),
|
|
67
|
+
- evidence level (`live evidence`, `repo evidence`, `documentation-based`, `inference`) for every claim, and explicit flag when a claim is `documentation-based (Context7 unavailable)`.
|