@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15389 -12589
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +3 -2
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
# DOM Mutation and Plugin Side Effects
|
|
2
|
+
|
|
3
|
+
Use this reference when auditing third-party jQuery plugins and ad-hoc DOM-manipulation code for behavior that happens outside any framework render cycle — direct DOM mutation, global state writes, timers, and unsanitized HTML construction.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "The plugin has a small public API (`$(el).fancyPlugin({ options })`), so its footprint is small too."
|
|
10
|
+
|
|
11
|
+
That is false for the overwhelming majority of jQuery-era UI plugins. A plugin's public API surface tells you nothing about:
|
|
12
|
+
|
|
13
|
+
- how many DOM nodes it creates and where it puts them (often *outside* the element it was called on — appended to `body`, injected as siblings, or moved elsewhere in the tree),
|
|
14
|
+
- whether it registers global listeners (`$(window).resize(...)`, `$(document).on('keydown', ...)`) that persist for the lifetime of the page regardless of whether the "widget" is still visible,
|
|
15
|
+
- whether it holds module-level or `$.fancyPlugin.instances`-style singleton state shared across every instantiation on the page,
|
|
16
|
+
- whether it starts timers (`setInterval` for polling/auto-rotation, `setTimeout` for debounce/animation) that are never cleaned up on the jQuery side either, but happen to not matter in a page-reload-based app the way they will matter in a long-lived SPA.
|
|
17
|
+
|
|
18
|
+
A framework component's render cycle (mount → update → unmount) has no way to automatically clean up any of this. If the plugin's real behavior is not inventoried, the "equivalent" component will leak listeners, leak timers, or silently stop working the first time the framework unmounts and remounts the component (which jQuery-era pages never did — they reloaded instead).
|
|
19
|
+
|
|
20
|
+
## Non-negotiable design rules
|
|
21
|
+
|
|
22
|
+
### 1. Read the plugin's source, not just its call sites
|
|
23
|
+
|
|
24
|
+
A call site like `$('.carousel').slick({ autoplay: true })` gives zero information about side effects. Locate the actual plugin source (vendored file, node_modules, or inlined script) and grep it directly for:
|
|
25
|
+
|
|
26
|
+
- `document.body.append`/`appendChild`, `$('body').append(`, or any DOM insertion target that is not `this`/the plugin's own root element,
|
|
27
|
+
- `setInterval`, `setTimeout` with no matching `clearInterval`/`clearTimeout` in a documented teardown/`destroy` method,
|
|
28
|
+
- `$(window)`, `$(document)` listener registration,
|
|
29
|
+
- module-level `var`/`let` outside any function scope, or properties attached to the jQuery plugin namespace itself (`$.fn.pluginName.defaults`, a shared cache object) — these persist across every instance and every page-lifecycle event.
|
|
30
|
+
|
|
31
|
+
### 2. Distinguish "has a destroy/teardown method" from "is actually called"
|
|
32
|
+
|
|
33
|
+
Many plugins document a `.pluginName('destroy')` API. Grep the *call sites*, not just the plugin source, for whether teardown is ever invoked. A legacy app that never unmounts widgets (because it never removes DOM nodes without a full page reload) commonly never calls teardown — meaning the migration is the first time this code path's absence becomes an observable bug (memory growth, duplicate global listeners after client-side navigation).
|
|
34
|
+
|
|
35
|
+
### 3. Treat every `.html()`, `.append()`, `.prepend()`, `.after()`, `.before()`, `.replaceWith()`, or raw `.innerHTML =` assignment fed by non-literal data as a security finding
|
|
36
|
+
|
|
37
|
+
"Non-literal" means anything built from a variable, template string, concatenation, `.val()`/`.text()` of another element, a server response, or a URL/query-string value — not a fixed string literal written by the developer. For each match:
|
|
38
|
+
|
|
39
|
+
- record whether the source is attacker-influenceable (see the taint sources in this skill's sibling security-review skills: URL params, API responses rendering third-party/user content, `postMessage`, storage written by another origin),
|
|
40
|
+
- flag explicitly if the *proposed* replacement is `dangerouslySetInnerHTML` (React) or `v-html` (Vue) — per the Context7-grounded React docs, `dangerouslySetInnerHTML` is a documented "Security Hole" when fed untrusted input directly; a framework migration must not be the moment an existing (bad) pattern becomes a *worse* one by skipping the sanitizer entirely,
|
|
41
|
+
- never assume the plugin already sanitizes its input; verify by reading the plugin's actual string-construction code if the finding is high-severity enough to matter (public-facing, user-generated-content-adjacent).
|
|
42
|
+
|
|
43
|
+
### 4. Global state and timers are migration blockers, not migration details
|
|
44
|
+
|
|
45
|
+
If a plugin's side effects are genuinely global (a single page-wide autoplay ticker, a shared modal-stack z-index counter), the target architecture needs an explicit decision about where that state lives (a store, a context, a singleton service) — it cannot be silently absorbed into "just render the component and it'll work," because the framework component model assumes state is either component-local or explicitly lifted, not implicitly global via a shared jQuery-plugin-namespace object.
|
|
46
|
+
|
|
47
|
+
## Minimal safe inventory progression
|
|
48
|
+
|
|
49
|
+
1. Identify every `$(el).pluginName(...)` call site across the codebase and group by plugin.
|
|
50
|
+
2. For each distinct plugin, locate its actual source (not just its call sites) and grep it for the side-effect categories in rule 1.
|
|
51
|
+
3. For each plugin, check whether a teardown/destroy path exists in the source and whether it is ever invoked at any call site.
|
|
52
|
+
4. Separately, grep the whole codebase (not just plugin source) for `.html(`, `.append(`, `.prepend(`, `.after(`, `.before(`, `.replaceWith(`, and `.innerHTML =` and classify each by literal vs. non-literal input.
|
|
53
|
+
5. Cross-reference: does any plugin call site feed plugin options built from non-literal, potentially-attacker-influenceable data (e.g., a plugin's `content` option populated from an API response)? This is a compound finding — flag it distinctly from a plain `.html()` call, since the plugin's internal handling of that option is opaque without reading its source.
|
|
54
|
+
|
|
55
|
+
## Verification targets
|
|
56
|
+
|
|
57
|
+
- For any plugin flagged as holding global/singleton state, confirm by checking whether multiple instantiations on the same page actually interfere with each other in the current app (evidence: a bug report, a workaround comment in the code, or a code path that explicitly guards against double-initialization) versus being a theoretical risk only.
|
|
58
|
+
- For any `.html()`/`.append()` finding proposed for replacement with `dangerouslySetInnerHTML`/`v-html`, confirm whether a sanitizer (DOMPurify or equivalent) is already present anywhere in the dependency tree before assuming one must be added from scratch.
|
|
59
|
+
|
|
60
|
+
## When to push back
|
|
61
|
+
|
|
62
|
+
Push back if the user asks to:
|
|
63
|
+
|
|
64
|
+
- port a plugin's call site 1:1 into a `useEffect`/lifecycle-hook wrapper without first reading the plugin's own source for global listeners, timers, or singleton state — this reproduces every leak the plugin had, now inside a component that mounts/unmounts far more often than the legacy page ever did,
|
|
65
|
+
- replace `.html()` with `dangerouslySetInnerHTML`/`v-html` as a mechanical find-and-replace with no sanitizer discussion — that is a downgrade, not a port, whenever the source data is non-literal,
|
|
66
|
+
- mark a plugin "no side effects, safe to wrap" based on reading only its options API or its README, without having actually grepped its source.
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
# Event Delegation Inventory
|
|
2
|
+
|
|
3
|
+
Use this reference when cataloguing jQuery/Backbone-era event-binding patterns before a framework migration — specifically `$(document).on(...)`-style global delegation, `$.fn` plugin custom events, and Backbone view `events` maps.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "Events are just `addEventListener` with extra syntax. I'll find every `.on(` call, rewrite it as an `onClick` prop, and move on."
|
|
10
|
+
|
|
11
|
+
That is incomplete, and it is the single most common source of silent regressions in jQuery-to-framework ports. jQuery delegation and framework event handlers solve different problems:
|
|
12
|
+
|
|
13
|
+
- **Delegation exists because elements come and go.** `$(document).on('click', '.tab', handler)` was written that way *because* `.tab` elements are added/removed dynamically (AJAX-loaded content, plugin-rendered markup) and a direct binding would miss elements that did not exist at bind time. A framework component only needs this pattern if it renders variable, dynamically-appearing children with no stable parent to attach the handler to — which is rare inside a component tree where the framework already re-renders and re-attaches handlers on every update.
|
|
14
|
+
- **The delegation selector is not the same as ownership.** `$(document).on('click', '.modal-close', ...)` is bound once, globally, but the handler's *logic* may belong to a specific feature. Naively porting this to a single global `document.addEventListener` in the new app (instead of scoping it to the owning component) reproduces the original code smell instead of fixing it.
|
|
15
|
+
- **Custom/synthetic events are easy to miss.** jQuery plugins frequently `.trigger('customEventName')` and other code listens with `.on('customEventName', ...)`. Grepping only for DOM event names (`click`, `submit`, `change`) misses this entire category of implicit coupling between unrelated-looking modules.
|
|
16
|
+
- **Backbone view `events` maps use a different delegation model** (`{'click .save': 'onSave'}`), scoped to `this.el`, and typically calling `this.render()` internally — the "component" boundary is the Backbone view, not the DOM node the handler is nominally attached to.
|
|
17
|
+
|
|
18
|
+
## Non-negotiable design rules
|
|
19
|
+
|
|
20
|
+
### 1. Classify every handler by binding scope, not by event name
|
|
21
|
+
|
|
22
|
+
For each match, record:
|
|
23
|
+
|
|
24
|
+
- **Global** (`$(document).on(...)`, `$(window).on(...)`, `$('body').on(...)`) — highest risk; likely couples unrelated features.
|
|
25
|
+
- **Container-scoped** (`$('#widget-container').on(...)`) — bound once to a stable ancestor; probably maps to a single component boundary.
|
|
26
|
+
- **Element-direct** (`$('.button').click(...)` or `.on()` with no delegate selector) — bound at render time; will break silently if the plugin re-renders the DOM node without rebinding (a classic jQuery bug this inventory should surface, not silently port forward).
|
|
27
|
+
- **Backbone view `events` map** — scoped to `this.el`; note the view class name and whether `render()` is called inside the handler.
|
|
28
|
+
|
|
29
|
+
### 2. Do not assume the delegated selector's specificity survives the port
|
|
30
|
+
|
|
31
|
+
A delegated selector like `.on('click', '.item.active', ...)` depends on class-toggling logic living somewhere else in the codebase. Trace where `.active` is added/removed before assuming the target framework's conditional rendering (`className` binding, `:class`, `[class.active]`) is an equivalent replacement — confirm the toggle logic itself is inventoried, not just the handler.
|
|
32
|
+
|
|
33
|
+
### 3. Treat custom/synthesized events as first-class inventory items
|
|
34
|
+
|
|
35
|
+
Grep for `.trigger(`, `.triggerHandler(`, and Backbone's `.trigger(` (models/collections/views all mix in Backbone.Events) alongside the corresponding `.on('eventName', ...)` listeners. Record the event name, the emitting module, and every listening module — this is often the only documentation of a cross-module dependency that exists.
|
|
36
|
+
|
|
37
|
+
### 4. Distinguish "will the target framework's re-render make this delegation unnecessary" from "must this delegation pattern be explicitly reproduced"
|
|
38
|
+
|
|
39
|
+
Framework component trees re-attach handlers on every re-render by design (React re-runs the component function; Vue/Angular re-bind via their own reactivity), which naturally replaces *element-direct* handlers that needed delegation only to survive jQuery's manual DOM churn. But a *genuinely* dynamic, framework-external DOM region (e.g., markup injected by a third-party widget the framework does not control) still needs an explicit delegation strategy — do not assume the framework's reactivity makes all delegation moot.
|
|
40
|
+
|
|
41
|
+
## Minimal safe inventory progression
|
|
42
|
+
|
|
43
|
+
1. Grep for `.on(`, `.bind(`, `.delegate(`, `.live(` (legacy jQuery <1.9 API — flag its presence as an age/version signal), `.click(`, `.trigger(`, `.triggerHandler(`, and Backbone `events:` object literals.
|
|
44
|
+
2. For each match, classify by binding scope (see rule 1) and record the file, the selector/event name, and the handler body's actual side effect (state mutation, network call, DOM mutation, navigation).
|
|
45
|
+
3. Group matches by the DOM region or feature they affect, not by file — a single feature's delegation logic is often split across an initializer file and a separate handler file.
|
|
46
|
+
4. For every custom/triggered event, find both the emitter and every listener before marking the entry complete; an event with only an emitter found (no listener located) is an open item, not a non-issue.
|
|
47
|
+
5. Produce the ownership mapping: each inventoried handler maps to a proposed owning component in the target architecture, or is marked "unresolved — requires product/design input" if no natural owner exists.
|
|
48
|
+
|
|
49
|
+
## Verification targets
|
|
50
|
+
|
|
51
|
+
- Confirm handler classification against actual runtime behavior where feasible (e.g., does the container the handler is bound to ever get replaced/re-rendered by innerHTML replacement elsewhere in the codebase — that would mean an element-direct binding silently stops firing, a bug worth flagging even before migration).
|
|
52
|
+
- Cross-check every `.trigger('name', ...)` call against every `.on('name', ...)` listener; an emitter with zero listeners found in-repo may indicate a listener registered dynamically (e.g., via a plugin option callback) — mark as `inference, needs runtime confirmation` rather than silently dropping it.
|
|
53
|
+
|
|
54
|
+
## When to push back
|
|
55
|
+
|
|
56
|
+
Push back if the user asks to:
|
|
57
|
+
|
|
58
|
+
- port event handlers file-by-file without first producing the ownership/ scope classification — this guarantees global delegation gets flattened into ad hoc per-component listeners that reintroduce the same "who owns this click" ambiguity the review exists to resolve,
|
|
59
|
+
- skip the custom/triggered-event grep because "we only care about DOM events" — cross-module `.trigger()`/`.on()` coupling is frequently the least-visible and highest-risk-to-drop behavior in the entire codebase,
|
|
60
|
+
- treat "the new framework re-renders automatically, so delegation is a non-issue" as true everywhere, without checking whether any DOM region is still externally/plugin-controlled.
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
# Legacy Accessibility Shim Audit
|
|
2
|
+
|
|
3
|
+
Use this reference when checking whether a legacy jQuery/Backbone-era widget provides accessibility behavior that the replacement component must explicitly reproduce before being declared equivalent.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "The markup for this widget has no `role`, no `aria-*` attributes, and no `tabindex` in the HTML template — so it must have no accessibility behavior, and the replacement doesn't need any either."
|
|
10
|
+
|
|
11
|
+
That is frequently false, and it is the single most common way a framework migration silently regresses keyboard and screen-reader support. Many jQuery UI-era plugins (jQuery UI's own dialog/tabs/autocomplete/datepicker widgets, and third-party clones of them) inject ARIA attributes, manage `tabindex`, and bind keyboard handlers **at runtime**, via JavaScript, into the DOM the plugin controls — none of it visible in the static HTML template or component markup a reviewer would normally read. Auditing only the markup and concluding "no accessibility behavior found" is a false negative, not a confirmed gap.
|
|
12
|
+
|
|
13
|
+
Conversely, the opposite mistake also happens: assuming a plugin "must" handle accessibility because it is a mature, popular widget — some plugins (and especially most custom/homegrown ones) genuinely do nothing beyond visual behavior, and the accessibility gap being ported forward is real and already present, not a migration regression.
|
|
14
|
+
|
|
15
|
+
Both mistakes are resolved the same way: verify, do not assume, in either direction.
|
|
16
|
+
|
|
17
|
+
## Officially grounded shape (what the ARIA APG actually specifies)
|
|
18
|
+
|
|
19
|
+
The W3C ARIA Authoring Practices Guide (APG) documents, per widget pattern (dialog, tabs, combobox/autocomplete, disclosure, menu, slider, etc.), the specific roles, states, properties, and keyboard interactions an accessible implementation of that pattern requires — e.g., a tabs widget needs `role="tablist"`/`role="tab"`/`role="tabpanel"`, `aria-selected`, and arrow-key navigation between tabs with roving `tabindex`; a modal dialog needs `role="dialog"`, `aria-modal="true"`, focus moved into the dialog on open, focus trapped within it, and focus returned to the triggering element on close. Use the APG pattern for the specific widget type as the checklist for what the *replacement* component must implement — regardless of what the legacy plugin did or did not do.
|
|
20
|
+
|
|
21
|
+
## Non-negotiable design rules
|
|
22
|
+
|
|
23
|
+
### 1. Check the plugin's actual runtime output, not the call-site markup
|
|
24
|
+
|
|
25
|
+
For jQuery UI and comparable plugins, the accessibility-relevant code lives in the plugin source, in functions that run on initialization and on state change (e.g., open/close, select/deselect). Grep the plugin source for `.attr('role'`, `.attr('aria-`, `.attr('tabindex'`, `setAttribute('aria-`, and keydown/keyup handlers that check `event.which`/`event.key` against arrow keys, `Escape`, `Enter`, `Space`, `Tab`. Their presence means the plugin manages this at runtime; their absence (confirmed by actually reading the source, not by absence in the call-site HTML) means it does not.
|
|
26
|
+
|
|
27
|
+
### 2. Separately verify focus management, which is easy to miss even when ARIA attributes are present
|
|
28
|
+
|
|
29
|
+
A widget can have textbook-correct `role`/`aria-*` attributes and still fail if focus is never moved: a modal that sets `role="dialog"` but never calls `.focus()` on an element inside it when opened, or never restores focus to the trigger on close, is not accessible despite "having ARIA." Grep specifically for `.focus()` calls (or their absence) at the widget's open/close or activate/deactivate transitions, independent of the ARIA-attribute check in rule 1.
|
|
30
|
+
|
|
31
|
+
### 3. Map each finding to the specific APG pattern for that widget type, not a generic "is it accessible" judgment
|
|
32
|
+
|
|
33
|
+
"Accessible" is not a yes/no property; it is per-interaction-pattern. A datepicker's requirements (grid navigation, `aria-live` announcement of the selected date) are different from a dropdown menu's (`aria-expanded`, `aria-haspopup`, arrow-key/Escape handling) or a tooltip's (`aria-describedby`, hover *and* focus triggering, Escape dismissal). Identify which APG pattern the widget corresponds to before building the parity checklist — do not reuse one pattern's checklist for a structurally different widget.
|
|
34
|
+
|
|
35
|
+
### 4. Treat "no accessibility behavior found after reading the source" as a real, reportable gap — not a reason to skip the checklist
|
|
36
|
+
|
|
37
|
+
If the plugin genuinely implements nothing (common for homegrown carousels, custom tooltips, and simple show/hide toggles built directly on top of jQuery with no ARIA/keyboard code at all), report this explicitly as a pre-existing gap the migration inherits, and still produce the APG-pattern-based parity checklist so the replacement component can *close* the gap rather than silently reproduce it. Do not conflate "the legacy version was already inaccessible" with "so the new version doesn't need to be."
|
|
38
|
+
|
|
39
|
+
## Minimal safe audit progression
|
|
40
|
+
|
|
41
|
+
1. Identify each interactive widget being migrated and classify it against the closest W3C ARIA APG pattern (dialog, tabs, tablist, menu, menubar, combobox, listbox, slider, tooltip, disclosure, accordion, carousel, etc.).
|
|
42
|
+
2. For each widget, locate the actual plugin/implementation source and grep for ARIA attribute writes, `tabindex` management, and keyboard event handlers (rule 1).
|
|
43
|
+
3. Separately check focus-management calls at the widget's key state transitions (rule 2).
|
|
44
|
+
4. Build a per-widget parity checklist directly from the matched APG pattern's required roles/states/properties/keyboard interactions (rule 3), marking each item as "present in legacy (verified)", "absent in legacy (confirmed gap)", or "inference — plugin source not fully readable, needs runtime confirmation".
|
|
45
|
+
5. Flag any widget where the legacy implementation provides real accessibility behavior that the currently-planned replacement component does not yet account for — this is the actual migration risk this reference exists to catch.
|
|
46
|
+
|
|
47
|
+
## Verification targets
|
|
48
|
+
|
|
49
|
+
- Where feasible, confirm the plugin's runtime-injected ARIA/keyboard behavior against the plugin's own official documentation or changelog (version-specific — accessibility support has been added/changed across major versions of common plugins) rather than relying solely on reading one version of vendored source.
|
|
50
|
+
- For focus-trap claims, confirm whether the trap covers `Tab` cycling in both directions (forward from the last focusable element wraps to the first, `Shift+Tab` from the first wraps to the last) — a common incomplete implementation traps only one direction.
|
|
51
|
+
|
|
52
|
+
## When to push back
|
|
53
|
+
|
|
54
|
+
Push back if the user asks to:
|
|
55
|
+
|
|
56
|
+
- skip the accessibility audit for a widget because "the markup has no ARIA attributes so there's nothing to check" — this is exactly the false-negative pattern this reference exists to prevent for runtime-injected behavior,
|
|
57
|
+
- declare a replacement component "equivalent" based on visual/behavioral parity alone, with no APG-pattern-based keyboard/focus/ARIA checklist,
|
|
58
|
+
- treat a confirmed pre-existing accessibility gap in the legacy widget as acceptable to carry forward silently without at least flagging it as a known, inherited gap in the migration output.
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: microfrontend-boundary-review
|
|
3
|
+
description: Reviews micro-frontend/module-federation boundary contracts for shared-dependency versioning safety, runtime isolation, and ownership clarity before adoption or extension of a distributed frontend architecture.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: architecture
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Micro-Frontend Boundary Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Gate the adoption or extension of a micro-frontend / module-federation architecture on three things that determine whether it actually reduces coupling or merely relocates it: an explicit shared-dependency version-compatibility contract, a runtime-isolation level matched to each remote's data sensitivity, and unambiguous per-remote ownership with a bounded blast radius. Micro-frontends are frequently adopted to solve an organizational coupling problem (multiple teams shipping one deployable) but, done carelessly, they trade that problem for a worse one: distributed runtime coupling where one team's broken bundle or dependency bump breaks a sibling team's remote in production. This skill exists to make that trade-off explicit before it ships, not to rubber-stamp micro-frontends as a default architecture.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- adopt micro-frontends or module federation for the first time in a project that is currently a single deployable,
|
|
23
|
+
- add a new remote to an existing micro-frontend host (including a third-party-built or externally-owned remote),
|
|
24
|
+
- audit shared-dependency version drift across existing remotes that is causing or risks causing runtime breakage,
|
|
25
|
+
- review the isolation level (iframe vs. same-runtime composition) chosen for a remote against the sensitivity of the data it handles.
|
|
26
|
+
|
|
27
|
+
Do not use this skill for:
|
|
28
|
+
|
|
29
|
+
- module/package boundary review within a single deployable application — that is `frontend-platform-architecture-review`,
|
|
30
|
+
- reviewing whether server-side aggregation belongs in a BFF versus client-side composition — that is `frontend-bff-boundary-review`,
|
|
31
|
+
- component-level React architecture (props, composition, state placement) inside one remote or host — that is `react-component-architecture-review`,
|
|
32
|
+
- approving micro-frontends as a default architectural choice; this skill's default posture is to make the team justify the distributed-coupling trade-off, not to assume it is warranted.
|
|
33
|
+
|
|
34
|
+
## Context7 Documentation Protocol
|
|
35
|
+
|
|
36
|
+
- Resolve `/reactjs/react.dev` with `resolve-library-id` before evaluating any same-runtime composition pattern (module federation without iframes, build-time composition, or any design where a host and one or more remotes mount into the same page) that puts multiple React roots on one page or that requires the host and a remote to interoperate at runtime.
|
|
37
|
+
- Query the resolved docs for `createRoot` and `useId` behavior before approving that pattern. Official React docs confirm `createRoot` is designed to be called multiple times on one page — "a page that uses 'sprinkles' of React for parts of the page may have as many separate roots as needed" — so multiple independently-mounted roots is a supported pattern, not a hack. Docs also confirm that independent React applications sharing a page must pass a distinct `identifierPrefix` to `createRoot` (or `hydrateRoot`) to prevent `useId`-generated identifier collisions between them; a same-runtime composition with two or more `createRoot` calls and no distinct `identifierPrefix` per root is a concrete, checkable defect, not a style preference.
|
|
38
|
+
- React's official docs do not state a cross-major-version compatibility guarantee for multiple React copies coexisting in one page (e.g., a host on React 18 and a remote on React 19 sharing a runtime). Treat any claim that "different React versions across remotes is safe because each root is independent" as `documentation-based, unconfirmed` — flag it as a required verification item rather than asserting it is safe or unsafe from memory.
|
|
39
|
+
- Where a claim depends on module-federation-tooling behavior specifically (Webpack Module Federation shared-scope negotiation, Vite plugin federation's `shared` config, singleton flags, `strictVersion` behavior), require the proposer to cite that tool's own current documentation. That tooling is outside React/Next.js core and is not assumed covered by the React docs grounding above — do not extend React-docs-grounded claims to cover federation-tool-specific version-negotiation behavior.
|
|
40
|
+
- If Context7 is unavailable, state every runtime-isolation and shared-dependency claim as `documentation-based, unconfirmed` rather than asserting it from memory, and require the user to verify against the installed React version and the federation tool's current docs before treating the boundary as approved.
|
|
41
|
+
|
|
42
|
+
## Lean operating rules
|
|
43
|
+
|
|
44
|
+
- First establish the composition mechanism in scope (module federation, iframes, or build-time/server-side composition) — the isolation and versioning risks differ by mechanism, and advice given for one mistakenly applied to another is unreliable.
|
|
45
|
+
- Determine the isolation level required from each remote's data sensitivity before reviewing anything else. A remote that renders or handles data that should not share a CSP/JavaScript-runtime trust boundary with sibling remotes needs iframe isolation or an equivalent mitigation; same-runtime composition is not a neutral default for that remote regardless of how convenient it is.
|
|
46
|
+
- Do not treat "it uses module federation" as evidence of isolation. Module federation and other non-iframe composition share the same JavaScript runtime and the same CSP context across host and remotes — a vulnerability or a broken bundle in one remote can affect the host and every sibling remote sharing that runtime.
|
|
47
|
+
- Require an explicit, documented shared-dependency version-compatibility policy (pinned versions, a defined compatible range, or singleton/strictVersion enforcement in the federation config) before approving adoption or a new remote. Unmanaged, unmonitored version drift across remotes is the most common cause of micro-frontend production incidents and is not acceptable as "we'll handle it if it breaks."
|
|
48
|
+
- Require a bounded blast radius for every remote: an error boundary or equivalent isolation around the remote's mount point so an uncaught error or broken bundle in that remote does not take down the host or sibling remotes, and an independent deployment/rollback path so one remote's release cannot force a host-wide rollback.
|
|
49
|
+
- Require unambiguous, single-team ownership per remote. A remote with shared or unclear ownership has no clear on-call responsibility when it breaks in production, which defeats the organizational-coupling benefit micro-frontends were adopted for in the first place.
|
|
50
|
+
- Do not accept "micro-frontends reduce coupling" as self-evidently true. Ask what coupling moved from build-time (a monorepo/shared-deploy dependency graph, which is visible and tooling-enforced) to runtime (a shared-dependency and shared-CSP-context graph, which is often invisible until it breaks in production).
|
|
51
|
+
- Never execute, build, or run application code, module-federation dev servers, or bundler configs as part of this review; this is a static-review skill (Read/Grep/Glob only) — review the composition config, shared-dependency manifest, and ownership documentation as given.
|
|
52
|
+
- Treat any hardcoded credential, API key, or token found in a remote's config, shared module, or example fixture as a HIGH-severity finding requiring immediate escalation, separate from the boundary-contract verdict.
|
|
53
|
+
|
|
54
|
+
## References
|
|
55
|
+
|
|
56
|
+
Load these only when needed:
|
|
57
|
+
|
|
58
|
+
- [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step boundary-review procedure (isolation, versioning, ownership, blast radius) and the required output shape.
|
|
59
|
+
- [Shared-runtime security and CSP boundary](references/shared-runtime-security.md) — use only when a remote handles sensitive data and same-runtime (non-iframe) composition is proposed or in place, to ground the CSP trust-boundary collapse risk and isolation mitigations.
|
|
60
|
+
|
|
61
|
+
## Response minimum
|
|
62
|
+
|
|
63
|
+
Return, at minimum:
|
|
64
|
+
|
|
65
|
+
- the composition mechanism in scope (module federation, iframes, build-time/server-side composition) and whether it was confirmed from config or asserted by the user,
|
|
66
|
+
- the isolation-level verdict for each remote in scope, matched against its data sensitivity,
|
|
67
|
+
- the shared-dependency version-compatibility policy status (present/absent, and its mechanism if present),
|
|
68
|
+
- the blast-radius and ownership status per remote (error-boundary/isolation mitigation present, independent deploy path present, owning team named),
|
|
69
|
+
- ranked findings with file:line or config-key evidence where applicable, risk class, and fix,
|
|
70
|
+
- verdict: approve / approve-with-notes / block,
|
|
71
|
+
- evidence level (including whether React-version or federation-tool-version claims were confirmed or left `documentation-based, unconfirmed`) and open questions.
|
|
@@ -0,0 +1,26 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "microfrontend-boundary-review",
|
|
3
|
+
"name": "Micro-Frontend Boundary Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews micro-frontend/module-federation boundary contracts for shared-dependency versioning safety, runtime isolation, and ownership clarity before adoption or extension, grounded via Context7 against official React docs for same-runtime multi-root composition.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://react.dev/reference/react-dom/client/createRoot",
|
|
18
|
+
"https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy",
|
|
19
|
+
"https://web.dev/articles/vitals"
|
|
20
|
+
],
|
|
21
|
+
"security_notes": "Micro-frontend boundaries that share a JavaScript runtime (module federation, build-time composition, or any non-iframe composition) collapse the CSP trust boundary between teams' code — a vulnerability, XSS, or broken bundle in one remote can affect the host and sibling remotes sharing that runtime. Require an explicit shared-dependency version-compatibility contract and a documented blast-radius statement (error-boundary isolation, independent deploy/rollback) for any non-iframe-isolated micro-frontend adoption, and require iframe isolation or an equivalent mitigation for any remote handling data that should not share a trust boundary with lower-trust remotes. Static-review-only skill: it reads and greps composition config and does not execute, build, or run application code, dev servers, or bundler configs. Treat any hardcoded credential, API key, or token found in a remote's config or example fixture as a HIGH-severity finding requiring immediate escalation.",
|
|
22
|
+
"last_verified": "2026-07-02",
|
|
23
|
+
"path": "skills/frontend/microfrontend-boundary-review",
|
|
24
|
+
"author": "github: Raishin",
|
|
25
|
+
"version": "0.1.0"
|
|
26
|
+
}
|
|
@@ -0,0 +1,50 @@
|
|
|
1
|
+
# Shared-runtime security and CSP boundary
|
|
2
|
+
|
|
3
|
+
Use this reference only when a remote in scope handles sensitive data and same-runtime (non-iframe) composition is proposed or already in place. It grounds the CSP trust-boundary collapse risk that makes "we used module federation" an insufficient answer to "is this isolated."
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive story is:
|
|
8
|
+
|
|
9
|
+
> Module federation loads remote code into my app via a script tag, same as any other bundle-splitting technique. That's just how modern frontend works — it's not a security boundary question.
|
|
10
|
+
|
|
11
|
+
Wrong. A `<script>`-loaded remote, whether fetched via module federation, dynamic `import()`, or any other non-iframe mechanism, executes in the same JavaScript realm as the host: same `window`, same DOM, same Content-Security-Policy context, same cookies and storage the host can reach. There is no process boundary and no origin boundary unless one is deliberately introduced. "It's just code splitting" is true from a bundler's perspective and false from a trust-boundary perspective — those are different questions with different answers.
|
|
12
|
+
|
|
13
|
+
## Officially grounded shape
|
|
14
|
+
|
|
15
|
+
- CSP (per MDN) is enforced per browsing context / document, not per script origin within that document. A single CSP header applies to the entire page — host and every same-runtime remote share it. A remote that needs a looser policy (e.g., to run its own inline styles or connect to its own API) cannot get one without loosening the policy for the host and every sibling remote, unless that remote is isolated into its own document (an iframe with its own CSP).
|
|
16
|
+
- An iframe, by contrast, is a separate browsing context with its own document and can carry its own CSP (via the iframe's own response headers, or constrained further by the host's `Content-Security-Policy: frame-src`/`child-src` and the iframe's `sandbox` attribute). This is the mechanism that actually creates an enforceable boundary between host and remote, not module federation's build-time module resolution.
|
|
17
|
+
- React's official docs confirm `createRoot` supports mounting multiple independent applications into one page (see `references/../SKILL.md` Context7 Documentation Protocol), which is the mechanism most same-runtime micro-frontend compositions use — this confirms the *mounting* pattern is supported, but says nothing about *security isolation* between those roots, because there is none by default: all roots share one JS realm.
|
|
18
|
+
|
|
19
|
+
## Non-negotiable design rules
|
|
20
|
+
|
|
21
|
+
1. **Isolation level is a data-sensitivity decision, not a tooling decision.** Do not let the choice of module federation vs. iframes be driven by developer convenience or performance preference alone when a remote handles data (payment details, PII, credentials, admin actions) that should not be reachable by a compromised or buggy sibling remote. Convenience does not override trust-boundary requirements.
|
|
22
|
+
|
|
23
|
+
2. **A compromised or buggy same-runtime remote can read/write anything the host can.** This includes DOM access to sibling remotes' rendered output, cookies and localStorage/sessionStorage the host has access to, and any global state or event bus shared across the composition. Treat a same-runtime remote as having the same privilege as the host itself, not a scoped subset of it.
|
|
24
|
+
|
|
25
|
+
3. **Third-party-owned or externally-built remotes are a stronger case for iframe isolation**, independent of data sensitivity, because the supply-chain trust level of the remote's build pipeline is not controlled by the host team. A remote built and deployed by a team outside the organization's own release process should default to iframe isolation unless there is a specific, documented reason and compensating control (e.g., contractual code-review gate, pinned immutable artifact, subresource integrity) to trust it in the shared runtime.
|
|
26
|
+
|
|
27
|
+
4. **Shared-dependency version drift is itself a security surface**, not just a stability one. An outdated shared dependency pulled in by version-range negotiation (rather than pinning) can reintroduce a patched vulnerability across the entire composition, and the host team may have no visibility into which remote's dependency requirement caused the downgrade.
|
|
28
|
+
|
|
29
|
+
## High-risk assumptions to kill
|
|
30
|
+
|
|
31
|
+
- "Module federation isolates the remote because it's a separate bundle." — False; bundle separation is a build-time concept, not a runtime trust boundary.
|
|
32
|
+
- "The remote only touches its own DOM subtree, so it can't affect the rest of the page." — False by default; nothing prevents a same-runtime remote's script from reaching outside its mount point unless the host specifically constrains it (and few do).
|
|
33
|
+
- "We trust the other team, so isolation doesn't matter." — Trust in a team does not substitute for isolation against a supply-chain compromise of that team's dependencies or build pipeline.
|
|
34
|
+
- "CSP is already strict, so we're covered." — A strict host-level CSP still applies uniformly to every same-runtime remote; it does not give any one remote a tighter or differently-scoped policy than the rest of the page.
|
|
35
|
+
|
|
36
|
+
## Safe verification targets
|
|
37
|
+
|
|
38
|
+
- The response headers actually served for the host document — confirm the CSP header text, not a policy described in a design doc.
|
|
39
|
+
- Whether any remote requiring isolation is served inside an `<iframe>` with its own `sandbox` attribute and (where relevant) its own CSP header, versus mounted via same-runtime `createRoot`/module federation.
|
|
40
|
+
- The federation config's `shared` block or equivalent, to confirm whether shared dependencies are pinned/singleton-enforced or resolved via an unpinned version range.
|
|
41
|
+
|
|
42
|
+
## When to push back
|
|
43
|
+
|
|
44
|
+
Push back if the user asks for:
|
|
45
|
+
|
|
46
|
+
- same-runtime composition for a remote handling payment, auth, or other sensitive data with no isolation mitigation and no documented compensating control,
|
|
47
|
+
- trusting a third-party-owned remote in the shared runtime solely because "we trust that vendor," with no supply-chain control (pinning, integrity checks, review gate) backing that trust,
|
|
48
|
+
- treating an unpinned shared-dependency version range as acceptable because "it hasn't broken yet."
|
|
49
|
+
|
|
50
|
+
Those are not pragmatic trade-offs. They are unreviewed risk acceptance dressed up as an architecture decision.
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Review workflow and findings contract
|
|
2
|
+
|
|
3
|
+
Use this reference for the step-by-step boundary-review procedure and the required output shape for any micro-frontend adoption review, new-remote addition, or existing-composition audit.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "We're using module federation, so the frontend is already decoupled — this review is a formality."
|
|
10
|
+
|
|
11
|
+
That is backwards. Module federation (and most non-iframe composition mechanisms) decouple the *build*, not the *runtime*. Host and remotes still share one JavaScript execution context, one CSP context, and — unless explicitly pinned or negotiated — a dependency graph that can silently drift out of compatibility. The review exists precisely because "we already use the right tooling" is not the same claim as "the boundary is safe."
|
|
12
|
+
|
|
13
|
+
## Step-by-step workflow
|
|
14
|
+
|
|
15
|
+
1. **Classify the composition mechanism.** Determine whether the architecture uses module federation (Webpack Module Federation, Vite plugin federation, or similar), iframe-based composition, or build-time/server-side composition (e.g., server-side includes, build-time module stitching). Do not proceed with mechanism-specific advice until this is confirmed from config, not assumed from the user's description alone.
|
|
16
|
+
|
|
17
|
+
2. **Determine the isolation level required per remote.** For each remote in scope, ask: does it render or handle data that should not be visible to, or influenced by, a bug or compromise in a sibling remote? If yes, same-runtime composition is disqualified unless a documented, specific mitigation is in place (e.g., a dedicated CSP frame-ancestors/sandboxed iframe for that one remote, or a Trusted Types policy scoped to it).
|
|
18
|
+
|
|
19
|
+
3. **Review the shared-dependency contract.** Locate the federation config's `shared` block (or equivalent for build-time composition) and check for: pinned or ranged version requirements, `singleton`/`strictVersion`-style enforcement (tool-specific — verify against that tool's current docs, not assumed from React docs), and whether version mismatches fail the build/fail loudly at runtime or fail silently (multiple copies of a library loaded, or an incompatible version silently used).
|
|
20
|
+
|
|
21
|
+
4. **Confirm ownership is unambiguous.** Every remote must map to exactly one owning team with clear on-call responsibility. A remote with co-ownership, no documented owner, or an owner that is "whoever last touched it" is a blocking finding, not a note.
|
|
22
|
+
|
|
23
|
+
5. **Assess blast radius.** For each remote, determine what happens to the host and sibling remotes if this remote throws an uncaught error, fails to load, or ships a broken bundle. Look for an error boundary (or equivalent isolation mechanism) around each remote's mount point, and confirm each remote has an independent deployment and rollback path that does not require a host-wide release.
|
|
24
|
+
|
|
25
|
+
6. **Check same-runtime multi-root hygiene, if applicable.** If the composition mounts multiple independent applications into one page (e.g., multiple `createRoot` calls, one per remote), confirm each root passes a distinct `identifierPrefix` to prevent `useId`-generated identifier collisions across independently-owned code — this is a concrete, checkable defect per official React docs, not a stylistic nit.
|
|
26
|
+
|
|
27
|
+
7. **Issue a verdict** using the response-minimum contract below.
|
|
28
|
+
|
|
29
|
+
## Required output shape
|
|
30
|
+
|
|
31
|
+
Every response to a micro-frontend boundary review must include:
|
|
32
|
+
|
|
33
|
+
- **Composition mechanism** — module federation / iframes / build-time-server-side, and whether this was confirmed from config or asserted by the user.
|
|
34
|
+
- **Isolation verdict per remote** — matched explicitly against that remote's data sensitivity; state which remotes require iframe-or-equivalent isolation and whether that mitigation exists.
|
|
35
|
+
- **Shared-dependency policy status** — present or absent; if present, its mechanism (pinned versions, `singleton`, `strictVersion`, or equivalent) and whether mismatches fail loudly or silently.
|
|
36
|
+
- **Blast-radius and ownership status per remote** — error-boundary/isolation mitigation present, independent deploy/rollback path present, owning team named.
|
|
37
|
+
- **Ranked findings** — file:line or config-key evidence where applicable, risk class (isolation gap, versioning gap, ownership gap, blast-radius gap), and a concrete fix.
|
|
38
|
+
- **Verdict** — approve / approve-with-notes / block.
|
|
39
|
+
- **Evidence level** — `live evidence` (read from actual config/source), `user-provided evidence` (asserted by the user without config to confirm), `documentation-based` (React/CSP/tooling docs grounding a claim), or `documentation-based, unconfirmed` (a claim the official docs do not explicitly confirm, e.g. cross-major-version React compatibility across remotes) — plus open questions the proposer must answer before the boundary can be considered fully reviewed.
|
|
40
|
+
|
|
41
|
+
## Verification targets
|
|
42
|
+
|
|
43
|
+
- The federation config's `shared` block (or build-time composition manifest) — the source of truth for the version-compatibility policy, not the proposer's verbal description of it.
|
|
44
|
+
- The mount-point code for each remote — to confirm an error boundary or equivalent isolation wraps it, not just that one exists "somewhere."
|
|
45
|
+
- The deployment pipeline configuration — to confirm each remote's independent deploy/rollback path actually exists as a distinct pipeline stage or repository, not merely as an intention.
|
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: monorepo-package-governance-review
|
|
3
|
+
description: Reviews monorepo task-graph configuration (Turborepo tasks/caching, Nx task pipelines) alongside dependency and lockfile governance (pnpm catalogs, npm overrides, lifecycle-script risk) to prevent false-green CI from stale cache reuse and unpinned supply-chain exposure.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.2.0"
|
|
8
|
+
updated: "2026-07-03"
|
|
9
|
+
category: platform
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Monorepo & Package Governance Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Monorepo tooling and dependency governance fail together more often than separately: a missing task-graph edge lets a stale build pass CI, and an unpinned dependency range lets that same task silently resolve a different, possibly compromised, package version next time. This skill reviews both the task graph (Turborepo/Nx) and the dependency/lockfile layer (pnpm catalogs, npm overrides, lifecycle scripts) as one governance surface, without stuffing bundler internals, framework-specific build guidance, or CI-vendor setup into every prompt.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- review `turbo.json` (`tasks`, `dependsOn`, `inputs`, `outputs`, `env`) or `nx.json` (`targetDefaults`, `namedInputs`) task-graph configuration,
|
|
23
|
+
- diagnose a false-green CI result where a task passed despite a real upstream code change (stale cache reuse),
|
|
24
|
+
- review `package.json`/lockfile version-pin policy, pnpm `catalog`/`catalogs`, or npm `overrides`/`resolutions`,
|
|
25
|
+
- audit lifecycle scripts (`postinstall`/`preinstall`/`prepare`) introduced by a new or bumped dependency,
|
|
26
|
+
- consolidate duplicate/drifted dependency versions across monorepo packages,
|
|
27
|
+
- review remote-cache (Turborepo Remote Cache / Nx Cloud) token handling in CI config,
|
|
28
|
+
- audit `.npmrc` scope-to-registry mappings for scoped internal packages (dependency-confusion exposure), verify `package-lock.json` is committed and CI enforces a frozen install (`npm ci`, not `npm install`), or review lifecycle-script (`postinstall`/`preinstall`/`prepare`) allowlisting for a new dependency.
|
|
29
|
+
|
|
30
|
+
## Lean operating rules
|
|
31
|
+
|
|
32
|
+
- Classify the monorepo tool in scope first (Turborepo vs Nx vs plain npm/pnpm workspaces) from actual config files present (`turbo.json`, `nx.json`, `pnpm-workspace.yaml`) — do not assume tooling from the user's phrasing alone.
|
|
33
|
+
- Trace every cross-package build/test task dependency to its actual `dependsOn` (Turborepo) or `targetDefaults`/`dependsOn` (Nx) edge; a task that consumes another package's build output without a graph edge is a false-green risk, not a style nit.
|
|
34
|
+
- Check that cache `inputs` (Nx `namedInputs`) and `env`/`globalEnv` (Turborepo) include every file and environment variable that actually affects a task's output; an incomplete cache key is a correctness bug that manifests as a stale pass, not merely a performance issue.
|
|
35
|
+
- Note that Turborepo's legacy `pipeline` key was renamed to `tasks`; flag `pipeline` usage as needing a version check, not silent modernization, since the correct key depends on the installed Turborepo major version.
|
|
36
|
+
- Treat any lockfile change unaccompanied by a matching `package.json`/`pnpm-workspace.yaml` change (or vice versa) as suspicious and requiring explanation before approval.
|
|
37
|
+
- Require pinning or `catalog:`/npm `overrides` consolidation for security-sensitive or high-blast-radius dependencies; do not blanket-require exact pins if the team runs a working Renovate/Dependabot auto-merge policy with CI gating — ask before assuming the policy is absent.
|
|
38
|
+
- Flag any new dependency's `postinstall`/`preinstall`/`prepare` script by quoting its actual script content from `package.json`, not by assuming intent from the package name alone.
|
|
39
|
+
- Verify current pnpm `catalog:`/`catalogs:` syntax and Turborepo/Nx task-config key names against Context7-sourced docs before recommending a diff, since these keys and defaults have changed across major versions (see Context7 Documentation Protocol below).
|
|
40
|
+
- Load only the reference needed for the component in scope; do not dump both the task-graph and dependency-governance reference into a single-focus review.
|
|
41
|
+
|
|
42
|
+
## Context7 Documentation Protocol
|
|
43
|
+
|
|
44
|
+
Before making any version-specific claim about Turborepo (`tasks` vs legacy `pipeline`, `dependsOn` semantics, `inputs`/`outputs`/`env`/`globalEnv` behavior, Remote Cache auth), Nx (`targetDefaults`, `namedInputs`, `dependsOn`, `nx.json` vs per-project `project.json`/`package.json` `nx` block), pnpm (`catalog`/`catalogs` syntax in `pnpm-workspace.yaml`, the `catalog:` protocol in `overrides`), or npm registry/supply-chain behavior (`.npmrc` scope-to-registry mapping, `npm ci` vs `npm install` frozen-install semantics, `allowScripts`/`npm approve-scripts` lifecycle-script gating):
|
|
45
|
+
|
|
46
|
+
1. Call `mcp__Context7__resolve-library-id` for the library in scope (`Turborepo`, `Nx`, `pnpm`, or `npm`) if not already resolved in this session.
|
|
47
|
+
2. Call `mcp__Context7__query-docs` with a specific query naming the exact config key or behavior in question (for example: "turbo.json tasks dependsOn env cache hash", "nx.json targetDefaults namedInputs", "pnpm-workspace.yaml catalog catalogs syntax", "npmrc scope registry mapping allowScripts npm ci").
|
|
48
|
+
3. Prefer the result over training-data recall — config key names and defaults have changed across major versions of all three tools.
|
|
49
|
+
4. If Context7 is unavailable or returns no relevant result, state the claim as `documentation-based (unverified this session)` and recommend the user confirm against the installed tool version's own docs before applying any diff.
|
|
50
|
+
5. Never invent a config key, CLI flag, or default value that Context7 did not return or that is not directly visible in the repo's own config file.
|
|
51
|
+
|
|
52
|
+
## References
|
|
53
|
+
|
|
54
|
+
Load these only when needed:
|
|
55
|
+
|
|
56
|
+
- [Task-graph review](references/task-graph-review.md) — use for `turbo.json`/`nx.json` false-green diagnosis: missing `dependsOn` edges, incomplete cache `inputs`/`env`, and legacy `pipeline` vs `tasks` drift.
|
|
57
|
+
- [Dependency and lockfile governance](references/dependency-lockfile-governance.md) — use for pnpm `catalog`/`catalogs`, npm `overrides`, lockfile/package.json mismatch, and lifecycle-script (`postinstall`) risk review.
|
|
58
|
+
- [npm supply-chain governance](references/npm-supply-chain-governance.md) — use for dependency-confusion review of `.npmrc` scope-to-registry mappings, unscoped registry auth tokens, `package-lock.json` commitment/frozen-install (`npm ci`) enforcement, and `allowScripts` lifecycle-script gating for new/bumped dependencies.
|
|
59
|
+
|
|
60
|
+
## Response minimum
|
|
61
|
+
|
|
62
|
+
Return, at minimum:
|
|
63
|
+
|
|
64
|
+
- whether the finding is task-graph (false-green risk), dependency-version (supply-chain/reproducibility risk), or both,
|
|
65
|
+
- exact missing edge / cache-key gap / unpinned range with file and line citation,
|
|
66
|
+
- evidence level (`live repo evidence`, `documentation-based`, or `inference`) and the Turborepo/Nx/pnpm version the guidance targets,
|
|
67
|
+
- proposed config diff (not applied — this skill is static-review-only),
|
|
68
|
+
- security caveat on any lifecycle script or committed token found, and a rollback/verification note (for example, which command to run locally to confirm the cache-key fix produces a miss on the affected change).
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "monorepo-package-governance-review",
|
|
3
|
+
"name": "Monorepo & Package Governance Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews monorepo task-graph configuration (Turborepo/Nx) and dependency/version governance (pnpm catalogs, npm overrides, lockfile integrity) together to stop false-green CI cache reuse and unpinned supply-chain exposure, with config-key claims grounded in Context7-sourced docs and progressive reference loading. Also covers npm dependency-confusion review: .npmrc scope-to-registry mapping, package-lock.json commitment/frozen-install (npm ci) enforcement, and allowScripts lifecycle-script gating.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://turborepo.com/docs/crafting-your-repository/configuring-tasks",
|
|
18
|
+
"https://turborepo.com/docs/crafting-your-repository/caching",
|
|
19
|
+
"https://nx.dev/concepts/task-pipeline-configuration",
|
|
20
|
+
"https://pnpm.io/catalogs",
|
|
21
|
+
"https://pnpm.io/pnpm-workspace_yaml",
|
|
22
|
+
"https://github.com/npm/cli/blob/latest/docs/lib/content/using-npm/scope.md",
|
|
23
|
+
"https://github.com/npm/cli/blob/latest/docs/lib/content/configuring-npm/npmrc.md",
|
|
24
|
+
"https://github.com/npm/cli/blob/latest/docs/lib/content/commands/npm-ci.md",
|
|
25
|
+
"https://github.com/npm/cli/blob/latest/docs/lib/content/commands/npm-approve-scripts.md"
|
|
26
|
+
],
|
|
27
|
+
"security_notes": "Static-review-only skill: reads and greps turbo.json, nx.json, package.json, pnpm-workspace.yaml, .npmrc, and lockfiles but never runs install, build, or CI commands. Remote-cache and registry auth tokens must be CI-scoped secrets, never committed to turbo.json/nx.json/.npmrc; any token-shaped literal found in a config file is an automatic blocking finding, and any .npmrc credential key (_auth/_authToken/_password/etc.) not scoped to a specific registry host/path is a blocking finding regardless of the token's live validity. Any dependency lifecycle script (postinstall/preinstall/prepare) introduced in the same PR as a workspace-topology change warrants extra scrutiny and must be quoted verbatim in the finding, not summarized from the package name; cross-reference it against the root package.json's allowScripts field. A scoped package (@scope/name) referenced in package.json with no matching @scope:registry mapping in .npmrc is a dependency-confusion finding.",
|
|
28
|
+
"last_verified": "2026-07-03",
|
|
29
|
+
"path": "skills/frontend/monorepo-package-governance-review",
|
|
30
|
+
"author": "github: Raishin",
|
|
31
|
+
"version": "0.2.0"
|
|
32
|
+
}
|
|
@@ -0,0 +1,82 @@
|
|
|
1
|
+
# Dependency and Lockfile Governance
|
|
2
|
+
|
|
3
|
+
Use this reference for reviewing dependency version policy, pnpm catalogs, npm overrides, lockfile/manifest consistency, and lifecycle-script risk in a monorepo workspace.
|
|
4
|
+
|
|
5
|
+
> Version note: pnpm `catalog`/`catalogs` syntax and the `catalog:` protocol are documented at `pnpm.io/catalogs` and `pnpm.io/pnpm-workspace_yaml`. Confirm the installed pnpm major version supports catalogs (a relatively recent feature) via Context7 before recommending a migration to it.
|
|
6
|
+
|
|
7
|
+
## What people get wrong
|
|
8
|
+
|
|
9
|
+
The naive story is:
|
|
10
|
+
|
|
11
|
+
> "The lockfile is just an implementation detail; reviewing `package.json` is enough."
|
|
12
|
+
|
|
13
|
+
Wrong. A `package.json` range like `^4.2.0` and a lockfile pinned to `4.2.0` can silently diverge from what actually gets installed the next time `install` runs without `--frozen-lockfile` (or the pnpm/npm equivalent). Dependency governance review has at least three separate concerns, and collapsing them into "check package.json" misses two of the three:
|
|
14
|
+
|
|
15
|
+
1. **declared range** — what `package.json` (or a pnpm catalog entry) says is acceptable,
|
|
16
|
+
2. **resolved version** — what the lockfile actually pins right now,
|
|
17
|
+
3. **install-time behavior** — whether CI enforces the lockfile (frozen install) or silently re-resolves and drifts.
|
|
18
|
+
|
|
19
|
+
## Officially grounded shape
|
|
20
|
+
|
|
21
|
+
From pnpm docs (`catalogs`, `pnpm-workspace_yaml`, `settings`):
|
|
22
|
+
|
|
23
|
+
- `pnpm-workspace.yaml` top-level `catalog:` defines a default catalog of shared dependency versions, referenced in any package's `package.json` via the `catalog:` protocol (or `catalog:default` explicitly).
|
|
24
|
+
- `catalogs:` (plural) defines named catalogs (e.g., `react17`, `react18`) for cases where different packages in the workspace intentionally need different major versions of the same dependency during a migration.
|
|
25
|
+
- The `catalog:` protocol can also be used inside `pnpm-workspace.yaml`'s own `overrides` block (`overrides: { foo: "catalog:" }`) to force a single resolved version workspace-wide while keeping the source of truth in one catalog entry.
|
|
26
|
+
- Catalogs solve version **drift** (same dependency, different ranges in different packages) but do not by themselves solve version **pinning** (exact vs range) — those are separate governance questions.
|
|
27
|
+
|
|
28
|
+
npm's dependency-governance primitives (`overrides` in `package.json`, `resolutions` in Yarn) serve a similar drift-consolidation role but operate differently: `overrides` forces a resolved version across the entire tree regardless of what nested dependencies request, which can mask a legitimate need for two different major versions if applied too broadly.
|
|
29
|
+
|
|
30
|
+
## Non-negotiable design rules
|
|
31
|
+
|
|
32
|
+
### 1. Lockfile changes must be explainable by a manifest change
|
|
33
|
+
|
|
34
|
+
If a lockfile diff shows resolved-version changes with no corresponding `package.json`/`pnpm-workspace.yaml` diff, treat that as suspicious until explained (could be a legitimate transitive-dependency update from a fresh `install`, or could indicate an out-of-band lockfile edit or a compromised registry response). Ask for the `install` command/log that produced the diff before approving.
|
|
35
|
+
|
|
36
|
+
### 2. Catalog/override consolidation is a security control, not just tidiness
|
|
37
|
+
|
|
38
|
+
Multiple packages independently specifying loose ranges (`^4.0.0`) for the same security-sensitive dependency means each package can independently resolve to a different patch/minor version over time, widening the set of versions that must be trusted. Consolidating via a pnpm catalog entry or npm `overrides` forces one resolved version, shrinking the audit surface — recommend this specifically for auth, crypto, or serialization libraries, not indiscriminately for every dependency.
|
|
39
|
+
|
|
40
|
+
### 3. Pinning policy depends on the team's automation, not a blanket rule
|
|
41
|
+
|
|
42
|
+
Do not require exact-version pins (`4.2.0` instead of `^4.2.0`) unless asked, unless the dependency is security-sensitive, or unless there is no automated update+CI-gate pipeline (Renovate/Dependabot with required status checks) in place. A team with working automated updates and a frozen-lockfile CI gate already has reproducibility; blanket exact-pinning there adds churn without adding safety. Ask about the update-automation setup before recommending a pinning policy change.
|
|
43
|
+
|
|
44
|
+
### 4. Lifecycle scripts are quoted, not summarized
|
|
45
|
+
|
|
46
|
+
When a new or bumped dependency introduces a `postinstall`, `preinstall`, or `prepare` script, quote the script's actual content from the dependency's `package.json` (or lockfile-recorded script) in the finding. Do not infer safety or danger from the package name or its stated purpose — a script literally reading `node scripts/postinstall.js` requires opening that file, not accepting the name as self-explanatory.
|
|
47
|
+
|
|
48
|
+
### 5. Frozen installs are the enforcement mechanism — verify CI actually uses one
|
|
49
|
+
|
|
50
|
+
A correct lockfile is meaningless if CI runs a non-frozen install (allowing silent re-resolution). Check the CI workflow for the frozen-install flag appropriate to the package manager (e.g., pnpm's `--frozen-lockfile`, npm's `ci` command) before concluding that lockfile governance is actually enforced end-to-end.
|
|
51
|
+
|
|
52
|
+
## Minimal safe review flow
|
|
53
|
+
|
|
54
|
+
1. Identify the package manager and workspace layout (`pnpm-workspace.yaml`, npm/yarn `workspaces` field in root `package.json`).
|
|
55
|
+
2. For the dependency/package in scope, compare the declared range(s) across every package that references it — flag drift (same dependency, different ranges, no catalog/override tying them together).
|
|
56
|
+
3. Cross-check the lockfile's resolved version(s) against declared ranges; flag any resolved version outside a declared range (should not normally happen, but indicates a manifest/lockfile edit order-of-operations problem) and any case with multiple distinct resolved versions for what should be one consolidated dependency.
|
|
57
|
+
4. For any new/bumped dependency in the diff, check its `package.json` for `postinstall`/`preinstall`/`prepare` and quote the script content verbatim if present.
|
|
58
|
+
5. Check the CI workflow for a frozen/`ci`-style install command; flag if absent.
|
|
59
|
+
6. Report findings with exact file:line citations; propose the catalog/override/pin diff without applying it.
|
|
60
|
+
|
|
61
|
+
## Adversarial checklist
|
|
62
|
+
|
|
63
|
+
Before recommending a dependency-governance change, answer these:
|
|
64
|
+
|
|
65
|
+
- Does the lockfile diff have a corresponding manifest diff, or is it unexplained?
|
|
66
|
+
- For the dependency being consolidated, is there a legitimate reason two packages need different major versions (active migration), or is the split accidental drift?
|
|
67
|
+
- Does CI actually enforce the lockfile with a frozen-install flag, or can a fresh `install` silently re-resolve?
|
|
68
|
+
- If a lifecycle script is present, have I read its actual content, not just its filename?
|
|
69
|
+
- Is the pinning policy I'm recommending consistent with whether this team already runs automated dependency updates with CI gating?
|
|
70
|
+
|
|
71
|
+
If you cannot answer these from repo evidence, say so rather than issuing a blanket pinning recommendation.
|
|
72
|
+
|
|
73
|
+
## When to push back
|
|
74
|
+
|
|
75
|
+
Push back if the user asks to:
|
|
76
|
+
|
|
77
|
+
- "just pin everything to exact versions" without checking whether an update-automation + CI-gate pipeline already provides reproducibility — this trades update velocity for a pinning policy that may not add real safety,
|
|
78
|
+
- consolidate every dependency into one catalog entry regardless of legitimate multi-version migration needs (e.g., forcibly unifying `react17`/`react18` catalogs mid-migration),
|
|
79
|
+
- accept a lockfile diff with no explainable manifest change "because CI passed" — a passing CI run does not prove the lockfile change was legitimate, only that the resolved versions installed successfully,
|
|
80
|
+
- ignore a `postinstall` script because "it's a well-known package" — package reputation does not substitute for reading the actual script content in the version being introduced.
|
|
81
|
+
|
|
82
|
+
Those are not shortcuts. They trade a diagnosable supply-chain question for an assumption that will not hold under a compromised-dependency scenario.
|