@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (875) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15393 -12593
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +5 -4
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/export-marketplace-agents.mjs +48 -15
  333. package/scripts/generate-docs-data.mjs +1 -0
  334. package/scripts/generate-kiro-powers.mjs +12 -0
  335. package/scripts/update-catalog-new-agents.py +6 -1
  336. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  340. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  341. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  342. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  344. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  345. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  346. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  348. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  353. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  354. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  355. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  356. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  357. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  358. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  359. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  360. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  361. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  362. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  363. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  368. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  374. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  375. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  376. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  377. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  378. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  379. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  380. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  381. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  382. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  383. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  384. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  385. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  386. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  387. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  390. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  391. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  392. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  393. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  394. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  395. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  396. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  399. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  404. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  405. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  406. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  407. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  408. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  409. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  410. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  411. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  413. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  414. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  415. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  418. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  419. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  420. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  422. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  423. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  424. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  425. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  426. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  427. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  434. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  439. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  443. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  444. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  445. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  446. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  447. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  448. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  449. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  454. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  459. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  460. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  461. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  463. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  464. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  465. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  469. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  470. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  471. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  472. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  473. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  474. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  475. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  476. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  479. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  484. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  485. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  486. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  489. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  494. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  495. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  496. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  498. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  499. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  500. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  503. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  507. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  512. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  513. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  514. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  515. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  516. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  517. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  523. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  524. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  525. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  528. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  529. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  530. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  534. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  535. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  536. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  539. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  540. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  541. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  542. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  543. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  548. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  549. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  550. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  551. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  552. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  553. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  554. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  555. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  556. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  557. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  558. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  559. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  564. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  569. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  570. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  571. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  572. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  573. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  574. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  579. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  583. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  584. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  585. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  587. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  592. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  593. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  594. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  595. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  596. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  597. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  598. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  599. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  602. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  607. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  608. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  609. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  613. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  614. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  615. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  616. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  617. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  618. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  619. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  620. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  621. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  622. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  623. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  624. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  629. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  671. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  713. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  714. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  725. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  736. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  764. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  775. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  786. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  797. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  808. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  819. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  830. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  841. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  861. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  872. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  873. package/tests/test-vfa-export-coverage.test.mjs +30 -0
  874. package/tests/validate-catalog.py +1 -0
  875. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,76 @@
1
+ ---
2
+ name: bundle-budget-code-splitting-review
3
+ description: Reviews JavaScript/CSS bundle composition against explicit numeric budgets, evaluates route- and component-level code-splitting boundaries, and requires a CI-enforced budget before endorsing any size fix as resolved.
4
+ allowed-tools: Read Grep Glob Bash(npm run build:*) Bash(du:*)
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: operational
10
+ ---
11
+
12
+ # Bundle Budget & Code-Splitting Review
13
+
14
+ ## Purpose
15
+
16
+ Teams routinely respond to "the bundle feels big" with an ad hoc `React.lazy()` here and a dynamic `import()` there, ship it, and call the finding closed once the build succeeds. That proves nothing: it does not show whether the total byte weight moved, whether the change reduced or inflated the request count, or whether the win survives the next dependency bump. This skill turns "bundle feels big" into a numeric, device/network-scoped budget tied to INP/TTI, ranks analyzer output by both byte weight and main-thread execution cost, classifies each contributor into a specific remediation path, and refuses to mark a size finding resolved without a CI-enforced budget check — a one-time manual fix without an enforced budget is a regression waiting to happen.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - reduce JavaScript or CSS bundle size,
23
+ - review a bundle-analyzer report (webpack-bundle-analyzer, rollup-plugin-visualizer, or equivalent stats output),
24
+ - set or enforce a performance budget for a route or shared entry,
25
+ - decide where to add route-level or component-level code splitting,
26
+ - assess the size impact of adding a new dependency before it merges.
27
+
28
+ ## When NOT to use
29
+
30
+ - Pure image/media asset optimization — different budget class (bytes-per-image, format/compression), different tooling; not this skill's concern.
31
+ - Server-side bundle or cold-start size for a serverless/edge function — different runtime, not the client-bundle budget this skill enforces.
32
+ - Deciding whether a chunk's *contents* are dead code once it is correctly split — hand off to `tree-shaking-dead-code-review` for that specific question; a chunk can be correctly split and still be full of unused exports, which is a distinct defect from a splitting-boundary defect.
33
+ - Diagnosing which Core Web Vitals sub-phase is regressing before a cause is known — hand off to `core-web-vitals-triage` first if the user only has a vague "it feels slow" complaint with no analyzer report yet; return here once JS weight is confirmed as the dominant contributor.
34
+
35
+ ## Context7 Documentation Protocol
36
+
37
+ Bundler chunking APIs are version-sensitive and have changed shape recently — do not prescribe a config from memorized training data.
38
+
39
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
40
+ 2. Call `mcp__Context7__resolve-library-id` for the bundler in scope (Vite, webpack, Rollup, esbuild, Rolldown) before prescribing any chunking configuration.
41
+ 3. Call `mcp__Context7__query-docs` for the specific mechanism — e.g. "manualChunks vs codeSplitting", "splitChunks cacheGroups", "dynamic import chunk naming" — before ruling on it. Do this per review; do not reuse a prior session's memory of bundler internals.
42
+ 4. Known version-sensitive trap verified via Context7 as of this skill's `updated` date: Vite 8 (Rolldown-powered) removes the object form of `build.rollupOptions.output.manualChunks` entirely and deprecates the function form; the documented replacement is `build.rolldownOptions.output.codeSplitting` with a `groups` array (`{ name, test }` entries). Do not hand a Vite 8+ project a `manualChunks: { vendor: [...] }` object-form snippet — it will not apply. For Vite <8, function-form `manualChunks(id) { ... }` is still valid but is itself deprecated and should be flagged as a forward-migration item, not endorsed as the long-term pattern.
43
+ 5. webpack's chunking surface (`optimization.splitChunks.cacheGroups`, dynamic `import()` with `webpackChunkName` magic comments) is comparatively stable across recent majors per Context7-grounded docs, but still confirm the installed webpack major before prescribing a specific `cacheGroups` shape, since defaults (`chunks: 'async'` vs `'all'`) affect which imports are eligible for splitting.
44
+ 6. If Context7 is unavailable or returns no relevant match for the installed bundler, fall back to `official_docs` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
45
+ 7. Never invent a bundler config key, CLI flag, or plugin option that no queried source confirms.
46
+
47
+ ## Lean operating rules
48
+
49
+ - Establish the numeric budget before ranking anything. A budget with no device/network class and no percentile is not a budget — it is a guess. Refuse to close a finding against an undefined budget.
50
+ - Rank analyzer contributors by both parsed/gzipped byte size and main-thread execution cost; these produce different orderings, and execution cost correlates more directly with INP than raw byte size does. Report both, do not collapse them into one number.
51
+ - Classify every large module into exactly one path: needed on the critical path (keep, minimize), needed but deferrable (route/component-split candidate), duplicated across chunks (fix chunk-grouping config, not application code), or a heavier-than-necessary dependency (replace, or hand off to `tree-shaking-dead-code-review` if the issue is unused exports rather than the dependency itself).
52
+ - Treat over-splitting as a real regression, not just under-splitting. Every new chunk is a new request; if the aggregate request-overhead cost (connection reuse aside, still parse/eval/scheduling cost) offsets the byte savings, the split is net-negative. Require the byte-vs-request-count comparison before endorsing a split.
53
+ - Confirm the installed bundler major version via Context7 before prescribing `manualChunks`, `rolldownOptions.codeSplitting`, or `splitChunks` syntax — see Context7 Documentation Protocol. Do not assume a memorized API is still current.
54
+ - Never accept "it built without errors" as evidence a split is beneficial. Require a before/after byte comparison from the analyzer output, gzipped or brotli as configured for production.
55
+ - Flag any dynamic `import()` whose module specifier is built from unsanitized user input as a code-injection risk, not merely a performance nit — this is a security-relevant finding, not a style note.
56
+ - Do not recommend inlining third-party scripts to "save a request" without naming the CSP/subresource-integrity trade-off of inlined vs. externally loaded, SRI-checkable code.
57
+ - Require a CI-enforced budget (bundlesize, Lighthouse CI budget, or bundler-plugin size-limit check) as a condition of marking any size finding resolved. A manual one-time fix with no enforcement is not a fix, it is a snapshot.
58
+
59
+ ## References
60
+
61
+ Load these only when needed:
62
+
63
+ - [Budget methodology](references/budget-methodology.md) — use when the user has no existing budget, or an existing budget lacks a device/network class or percentile, and one must be established or corrected.
64
+ - [Bundler chunking APIs](references/bundler-chunking-apis.md) — use when prescribing or reviewing Vite, webpack, or Rollup chunking configuration; contains the version-sensitive API grounding.
65
+ - [Code-splitting boundaries](references/code-splitting-boundaries.md) — use when deciding where to add route- or component-level splitting, or when diagnosing duplicated-dependency-across-chunks and over-splitting.
66
+ - [CI enforcement and verification](references/ci-enforcement-and-verification.md) — use for every review to specify the CI-enforced budget mechanism, the verification command, and the adversarial checklist before closing the finding.
67
+
68
+ ## Response minimum
69
+
70
+ Return, at minimum:
71
+
72
+ - the numeric budget in scope (bytes, compression form, device/network class, percentile), stated explicitly or flagged as missing,
73
+ - the ranked contributor list with both byte size and main-thread execution-cost figures,
74
+ - per-item classification (keep / split / replace / dead-code-handoff / chunk-grouping-fix) with the concrete config diff, version-confirmed against the installed bundler major,
75
+ - the CI-enforced budget definition to add, not just a one-time manual fix,
76
+ - the verification command (`npm run build -- --report` or the project's equivalent analyzer invocation) and the request-count check confirming the split did not net-negative the change.
@@ -0,0 +1,29 @@
1
+ {
2
+ "id": "bundle-budget-code-splitting-review",
3
+ "name": "Bundle Budget & Code-Splitting Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews JavaScript/CSS bundle composition against explicit numeric budgets, ranks analyzer contributors by byte weight and main-thread execution cost, evaluates route- and component-level code-splitting boundaries against version-confirmed bundler chunking APIs, and requires a CI-enforced budget before endorsing any size fix as resolved, loaded progressively.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://web.dev/articles/reduce-javascript-payloads-with-code-splitting",
18
+ "https://web.dev/articles/your-first-performance-budget",
19
+ "https://vite.dev/guide/build.html",
20
+ "https://webpack.js.org/guides/code-splitting/",
21
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules/Dynamic_module_loading",
22
+ "https://webpack.js.org/plugins/split-chunks-plugin/"
23
+ ],
24
+ "security_notes": "Do not recommend inlining third-party scripts to save a request without disclosing the CSP/subresource-integrity trade-off of inlined vs. externally loaded, SRI-checkable code. Flag any dynamic import() of a module specifier built from unsanitized user input as a code-injection risk, not merely a performance concern. Do not accept or echo any credential-shaped string found in a pasted build config or analyzer report as if it were safe to keep in the transcript.",
25
+ "last_verified": "2026-07-02",
26
+ "path": "skills/frontend/bundle-budget-code-splitting-review",
27
+ "author": "github: Raishin",
28
+ "version": "0.1.0"
29
+ }
@@ -0,0 +1,36 @@
1
+ # Budget Methodology
2
+
3
+ Use this reference when the user has no existing performance budget, or an existing budget is missing a device/network class, a compression form, or a percentile — establish or correct it before ranking anything against it.
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > "Keep the bundle small" is a budget.
10
+
11
+ It is not. A budget with no number is a slogan. A number with no device/network class and no percentile is a coin flip about whose experience it describes. Per web.dev's performance-budget guidance, a usable budget names:
12
+
13
+ 1. **the metric being bounded** — total JS/CSS transfer bytes, per-route transfer bytes, or a timing metric (TTI/INP) the byte budget is a proxy for,
14
+ 2. **the compression form** — gzip or brotli, matching what production actually serves; raw/uncompressed bytes overstate the number users pay for, and mixing forms across comparisons invalidates the comparison,
15
+ 3. **the device/network class** — a mid-tier mobile CPU on a throttled "good 4G" profile is a meaningfully different budget than an unthrottled desktop; web.dev's budget guidance frames budgets in terms of a target device class precisely because bundle-parse/execution cost scales with CPU, not just network time,
16
+ 4. **the percentile** — p75 is the conventional anchor (it is also the percentile Core Web Vitals field assessment uses), not the best-case or median session.
17
+
18
+ ## Establishing a budget when none exists
19
+
20
+ 1. Ask (or infer from existing CI config, `lighthouserc`, `bundlesize.config.json`, or a `size-limit` entry) whether a budget already exists in any form. Do not assume none exists just because this review wasn't asked to check.
21
+ 2. Anchor the budget to a route classification, not a single global number:
22
+ - **critical path / shared entry** — loaded on every route; tightest budget, since it blocks first render everywhere.
23
+ - **secondary route** — route-specific bundle loaded via code splitting; budget can be looser since it does not block other routes.
24
+ - **vendor chunk** — third-party dependency weight; budget separately from application code so a dependency bump is caught distinctly from an application-code regression.
25
+ 3. State the number in gzipped (or brotli, matching production) bytes, tied to p75 on the project's target device/network class. If the project has no stated target device/network class, default to a mid-tier mobile device on a throttled "good 4G" profile per web.dev's stated default budget context, and say explicitly that this default was assumed, not confirmed with the user.
26
+ 4. Tie the byte budget back to a timing outcome (TTI or INP) where possible — a byte number with no timing justification is arbitrary. State the reasoning explicitly (e.g., "X KB of parse/execute cost on the target device class corresponds to roughly Y ms of main-thread blocking, which risks the INP budget").
27
+
28
+ ## Correcting an existing but underspecified budget
29
+
30
+ If a budget exists but is missing a device/network class or a percentile, do not silently adopt it as sufficient. State the gap explicitly as a finding, propose the missing dimension using the defaults above, and note that the corrected budget needs sign-off before being treated as CI-enforceable — see [CI enforcement and verification](ci-enforcement-and-verification.md).
31
+
32
+ ## Non-negotiables
33
+
34
+ - Do not rank an analyzer report against a budget that has no stated compression form — a byte number with unstated compression is not comparable to anything.
35
+ - Do not accept "under 250 KB" with no percentile or device class as a complete budget; treat it as a starting number that needs the missing dimensions filled in before enforcement.
36
+ - Do not invent a budget number without grounding it in either the project's existing target (stated by the user, present in CI config) or web.dev's documented default budget context — state which one was used.
@@ -0,0 +1,116 @@
1
+ # Bundler Chunking APIs
2
+
3
+ Use this reference when prescribing or reviewing chunking configuration for Vite, webpack, or Rollup. Every claim below was confirmed against Context7-indexed official documentation as of this skill's `updated` date; re-verify against the installed bundler major before use — see the Context7 Documentation Protocol in `SKILL.md`.
4
+
5
+ > Version note: bundler chunking surfaces are actively evolving (Vite's Rolldown migration in particular). Verify the installed major version before applying any snippet in this file to a real project.
6
+
7
+ ## What people get wrong
8
+
9
+ The naive story is:
10
+
11
+ > "manualChunks is the Vite way to split vendor code, and that's stable."
12
+
13
+ Wrong, as of Vite 8. Confirmed via Context7 against `/vitejs/vite`'s migration guide: the **object form** of `build.rollupOptions.output.manualChunks` is removed entirely in Vite 8 (Rolldown-powered), and the **function form** is deprecated. Handing a Vite 8+ project the classic object-form snippet produces a config that silently does not apply the intended grouping.
14
+
15
+ ## Vite: manualChunks → codeSplitting
16
+
17
+ **Deprecated / removed (pre-Vite-8 object form — removed in Vite 8):**
18
+
19
+ ```javascript
20
+ // Vite <8, object form — REMOVED in Vite 8
21
+ build: {
22
+ rollupOptions: {
23
+ output: {
24
+ manualChunks: {
25
+ vendor: ['react', 'vue'],
26
+ },
27
+ },
28
+ },
29
+ },
30
+ ```
31
+
32
+ **Deprecated but still functional (function form, pre-Vite-8 and transitional):**
33
+
34
+ ```javascript
35
+ // Still works pre-Vite-8; deprecated, flag as a forward-migration item
36
+ manualChunks(id) {
37
+ if (id.includes('some-heavy-lib')) {
38
+ return 'heavy-lib-chunk'
39
+ }
40
+ },
41
+ ```
42
+
43
+ **Current documented replacement (Vite 8+, Rolldown):**
44
+
45
+ ```javascript
46
+ build: {
47
+ rolldownOptions: {
48
+ output: {
49
+ codeSplitting: {
50
+ groups: [
51
+ { name: 'vendor', test: /[\\/]node_modules[\\/]/ },
52
+ ],
53
+ },
54
+ },
55
+ },
56
+ }
57
+ ```
58
+
59
+ Decision rule: confirm the installed Vite major first.
60
+ - Vite 8+: use `rolldownOptions.output.codeSplitting.groups`. Do not offer the object-form `manualChunks` snippet — it does not apply.
61
+ - Vite <8: function-form `manualChunks(id) {...}` is valid today but is a deprecated pattern; note the future migration to `codeSplitting` as a forward-looking item rather than presenting it as the long-term answer.
62
+
63
+ ## webpack: splitChunks / cacheGroups
64
+
65
+ Confirmed via Context7 against `/websites/webpack_js` guides (caching, printable, code-splitting). This surface is comparatively stable across recent majors, but `chunks` defaults and `cacheGroups` shape still depend on the installed major — confirm before prescribing.
66
+
67
+ **Vendor chunk extraction:**
68
+
69
+ ```javascript
70
+ optimization: {
71
+ runtimeChunk: 'single',
72
+ splitChunks: {
73
+ cacheGroups: {
74
+ vendor: {
75
+ test: /[\\/]node_modules[\\/]/,
76
+ name: 'vendors',
77
+ chunks: 'all',
78
+ },
79
+ },
80
+ },
81
+ },
82
+ ```
83
+
84
+ Notes:
85
+ - `chunks: 'all'` makes both synchronously and dynamically imported modules eligible for the cache group; the webpack default for `optimization.splitChunks.chunks` (when not explicitly set) is `'async'`, which only splits dynamically imported modules. Confirm which behavior the review target actually wants — a review that recommends `cacheGroups` without checking the effective `chunks` mode can silently miss the synchronous-import case.
86
+ - Merging all of `node_modules` into a single `vendors` chunk (as shown) is explicitly called out in webpack's own guidance as not generally recommended for typical apps — it produces a single large chunk that invalidates entirely on any dependency bump. Prefer scoping `cacheGroups` to specific heavy dependencies over a single monolithic vendor bucket unless the project's caching strategy specifically wants long-term vendor-chunk stability at the cost of granularity.
87
+
88
+ **Dynamic import as a split point:**
89
+
90
+ ```javascript
91
+ function onClick() {
92
+ import("./module")
93
+ .then((module) => module.default)
94
+ .catch((err) => {
95
+ console.log("Chunk loading failed")
96
+ })
97
+ }
98
+ ```
99
+
100
+ **Named dynamic-import chunk (magic comment):**
101
+
102
+ ```javascript
103
+ import(
104
+ /* webpackChunkName: "app" */
105
+ "./app.jsx"
106
+ ).then((App) => {
107
+ // ...
108
+ })
109
+ ```
110
+
111
+ Use `webpackChunkName` when the review needs a stable, human-readable chunk name for budget tracking across builds — an unnamed dynamic-import chunk gets a content-hashed name that is harder to track budget deltas against over time.
112
+
113
+ ## Cross-bundler decision rule
114
+
115
+ - Do not present a Rollup, Vite, or webpack chunking snippet as bundler-agnostic; the option names and defaults are not interchangeable, and copying a webpack `cacheGroups` shape into a Vite config (or vice versa) will not work.
116
+ - Every chunking recommendation in a review must state which bundler and which major version it targets, resolved via Context7 for that specific project, not assumed from the most common current pattern in training data.
@@ -0,0 +1,53 @@
1
+ # CI Enforcement and Verification
2
+
3
+ Use this reference for every review to specify the CI-enforced budget mechanism, the verification command, and the adversarial checklist before a size finding can be closed.
4
+
5
+ ## Non-negotiable: no finding closes without a CI-enforced budget
6
+
7
+ A one-time manual fix — splitting a chunk, removing a dependency, adjusting `cacheGroups` — proves the bundle is smaller *today*. It proves nothing about tomorrow's dependency bump, an unreviewed import added six weeks from now, or a well-intentioned refactor that quietly reintroduces the same weight. Require one of the following, tied to the numeric budget established in [Budget methodology](budget-methodology.md), before marking any size finding resolved:
8
+
9
+ - A `bundlesize`-style check (or equivalent size-limit tool) wired into CI that fails the build/PR when a named entry or chunk exceeds its budget.
10
+ - A Lighthouse CI budget (`budgets.json` / `lighthouserc` budget assertions) that fails on `resource-summary` script/stylesheet byte-size thresholds.
11
+ - A bundler-plugin size check (e.g., a Rollup/Vite/webpack plugin that asserts output size at build time) that fails the build rather than just reporting.
12
+
13
+ If none of these exist in the project, state that as an explicit gap in the finding — do not let a review close as "fixed" when the only evidence is a single local `npm run build` byte count with no enforcement wired into CI.
14
+
15
+ ## Verification command
16
+
17
+ State the exact command used to produce the before/after comparison, matching the project's actual tooling rather than assuming a generic one:
18
+
19
+ - `npm run build -- --report` (or the project's equivalent analyzer-invoking build script) to regenerate the analyzer report.
20
+ - For Vite projects, confirm whether `rollup-plugin-visualizer` (or an equivalent) is wired into the build config; if not present, state that as a prerequisite gap before a byte-level review can be evidence-backed rather than estimated.
21
+ - For webpack projects, confirm `webpack-bundle-analyzer` (or the `--json` stats output piped into an equivalent tool) is available.
22
+ - Always compare gzipped (or brotli, matching production `Content-Encoding`) sizes, not raw/parsed sizes, unless the budget was explicitly defined in a different compression form — see [Budget methodology](budget-methodology.md).
23
+
24
+ ## Adversarial checklist
25
+
26
+ Before closing a bundle-size finding, answer these:
27
+
28
+ - Is the budget tied to a percentile and a device/network class, or is it vague ("keep it small")? If vague, it is not a budget yet — fix that first.
29
+ - Is the prescribed bundler chunking API confirmed against the installed major version via Context7, or is it a memorized snippet that might target a removed/deprecated API shape?
30
+ - Does the proposed split reduce byte weight without increasing request count enough to net-negative the change? Was that comparison actually made, or only the byte number?
31
+ - Is a CI-enforced budget check part of the deliverable, or only a one-time manual diff?
32
+ - Was the ranking done by byte size alone, or also by main-thread execution cost? A large but rarely-executed module and a small but hot-path module do not carry equal INP risk.
33
+ - If a dependency was flagged as "too heavy," was a lighter alternative actually identified with a size delta, or was "split it" offered as a substitute for that harder analysis?
34
+ - If a dynamic `import()` specifier is built from any user-controlled input (route param, query string, feature flag value sourced externally), was that flagged as a code-injection risk, not filed only as a performance note?
35
+
36
+ If any of these cannot be answered affirmatively, the finding is not ready to close — say so explicitly rather than presenting a partial analysis as complete.
37
+
38
+ ## When to push back
39
+
40
+ Push back if the user asks for:
41
+
42
+ - a one-time size fix with no request to add or verify a CI budget check — explain why that guarantees regression.
43
+ - inlining a third-party script "to save a request" without acknowledging the CSP/SRI trade-off.
44
+ - splitting every component in a route "to be safe," without a request-count comparison — that is not caution, it is trading one unverified assumption for another.
45
+ - a chunking config copied from a different bundler or an unconfirmed version, because "it's probably still the same API" — that is exactly the failure mode this skill's Context7 protocol exists to prevent.
46
+
47
+ Those are not shortcuts. They convert a measurable problem into an unmeasured one.
48
+
49
+ ## Handoff boundaries
50
+
51
+ - If the root cause is unused exports inside an otherwise-necessary, correctly-split dependency: hand off to `tree-shaking-dead-code-review`.
52
+ - If the user's starting complaint is a vague "it feels slow" with no analyzer report yet and JS weight has not been confirmed as the dominant contributor: hand off to `core-web-vitals-triage` first, then return here once bundle weight is confirmed as the cause.
53
+ - If the fix under discussion is caching strategy for repeat visits rather than first-load byte weight: hand off to `service-worker-cache-strategy-review` (or the closest equivalent asset in scope) rather than stretching this skill's budget framing to cover caching.
@@ -0,0 +1,46 @@
1
+ # Code-Splitting Boundaries
2
+
3
+ Use this reference when deciding where to add route- or component-level splitting, or when diagnosing a duplicated-dependency-across-chunks finding or an over-splitting regression.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "More `import()` calls always make the bundle better."
10
+
11
+ Wrong. Splitting trades parse/execute weight on one chunk for request-count and coordination overhead across chunks. Per web.dev's code-splitting guidance, the goal is to defer weight that is not needed for the current route/interaction — not to fragment the bundle for its own sake. Every additional chunk is an additional request the browser must schedule, and on a constrained connection or a cold cache, that overhead is real and can offset the byte savings the split was meant to deliver.
12
+
13
+ ## Classification per contributor
14
+
15
+ For each large module identified in the analyzer report, classify it into exactly one path:
16
+
17
+ 1. **Needed on the critical path (keep, minimize).** The module is required to render the current route's above-the-fold content or its primary interaction. Do not split it away; instead look for a lighter alternative or confirm it is already tree-shaken (hand off to `tree-shaking-dead-code-review` if unused exports are suspected within an otherwise-necessary dependency).
18
+ 2. **Needed but deferrable (route/component-split candidate).** The module is required somewhere in the app but not on the current route's critical render/interaction path — e.g., a charting library only used on a `/reports` route, a modal's rich-text editor only needed after a user action. Split via dynamic `import()` at the route or component boundary where it is actually invoked.
19
+ 3. **Duplicated across chunks.** The same dependency (or a near-duplicate version) appears in the byte weight of more than one chunk. This is a chunk-grouping configuration defect, not an application-code defect — fix it via the bundler's vendor-chunk / `cacheGroups` / `codeSplitting.groups` configuration (see [Bundler chunking APIs](bundler-chunking-apis.md)), not by rewriting application imports.
20
+ 4. **Heavier than necessary for its purpose.** The dependency itself is oversized relative to what the app uses from it (e.g., importing a full date-utility library for one format call). Recommend a lighter alternative and state the size delta; do not default to "just split it" when the real fix is not depending on the heavy library at all.
21
+
22
+ ## Route-level vs. component-level splitting
23
+
24
+ - **Route-level splitting** is the default first move: split at the router boundary so an entire route's code (including its route-specific dependencies) loads only when that route is navigated to. This is the highest-leverage split because it aligns with actual user navigation and typically yields one request per route transition, not per component.
25
+ - **Component-level splitting** is for a specific heavy component *within* an already-loaded route that is not needed immediately — e.g., a modal, a below-the-fold widget, a rarely-used settings panel. Reach for this only after route-level splitting is exhausted; splitting every individual component inside an already-necessary route multiplies request count without changing what must load before the route is usable.
26
+ - Do not recommend component-level splitting for something the user will interact with immediately on route entry — that just moves the same byte weight into a second network round trip with no benefit, and adds a loading-state flash that can itself become a CLS or perceived-jank complaint (hand off wording/attribution disagreements to `core-web-vitals-triage`).
27
+
28
+ ## Over-splitting: a real regression, not just a missed optimization
29
+
30
+ Before endorsing any new split point, require a request-count comparison alongside the byte comparison:
31
+
32
+ - If a split reduces the shared/critical-path bundle by N KB but adds M new chunks that are each fetched on the same route transition (e.g., several components all lazy-loaded on the same screen, each producing its own round trip), the net effect can be worse: more connection/scheduling overhead, more parse/compile invocations, and a longer time to fully interactive — even though the "critical path" number looks smaller in isolation.
33
+ - HTTP/2+ multiplexing reduces but does not eliminate this cost: each chunk still has its own parse, compile, and module-registration cost on the main thread, which is the more INP-relevant number per `core-web-vitals-triage`'s execution-cost framing.
34
+ - The correct test is: does total time-to-interactive (or the relevant INP-adjacent metric) improve, not just does the critical-path byte number shrink. State this comparison explicitly in the finding; do not accept a smaller entry-chunk number alone as proof of improvement.
35
+
36
+ ## Duplicated dependency across chunks — diagnosis path
37
+
38
+ 1. Confirm via the analyzer report (most bundle-analyzer tools flag this directly, e.g. webpack-bundle-analyzer's treemap showing the same module path under multiple chunk nodes) that the same module resolves into more than one output chunk.
39
+ 2. Check for version skew first — two different semver ranges of the same dependency resolving to two separate copies is an application-level (`package.json`/lockfile) defect, not a chunking-config defect; recommend a dependency dedupe/resolution fix, not a chunking change.
40
+ 3. If it is genuinely one version pulled into multiple chunks because multiple entry points or route chunks each import it, this is the textbook case for a shared vendor chunk (webpack `cacheGroups`) or an equivalent shared-group rule (Vite `codeSplitting.groups`) — see [Bundler chunking APIs](bundler-chunking-apis.md).
41
+
42
+ ## Non-negotiables
43
+
44
+ - Do not recommend a component-level split for anything visible immediately on route entry.
45
+ - Do not endorse a split without the request-count comparison alongside the byte comparison.
46
+ - Do not treat a duplicated-dependency finding as an application-code problem before checking for version skew.
@@ -0,0 +1,75 @@
1
+ ---
2
+ name: core-web-vitals-triage
3
+ description: Decomposes LCP, INP, and CLS regressions into their documented sub-phases using lab and field evidence, and refuses to declare a metric fixed without a field-data or CI-budget verification path.
4
+ allowed-tools: Read Grep Glob Bash(lighthouse:*) WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: operational
10
+ ---
11
+
12
+ # Core Web Vitals Triage
13
+
14
+ ## Purpose
15
+
16
+ Teams routinely shotgun-fix Core Web Vitals: compress an image, preload a font, and split a bundle in the same PR, then declare victory off one green Lighthouse run. That never isolates the actual cause, frequently doesn't move the field percentile Google's page-experience signal and real users actually experience, and burns engineering cycles on the wrong sub-phase. This skill decomposes an LCP, INP, or CLS regression into its documented sub-phases (per web.dev's LCP four-phase model, INP three-phase model, and the W3C Largest Contentful Paint / Event Timing specs), attributes each phase to a concrete verifiable cause, and refuses to close the loop without a field-data or CI-budget verification path — because a single lab run proves nothing about the field percentile that ranking and users actually see.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - diagnose a Core Web Vitals regression (LCP, INP, or CLS) reported by Lighthouse, PageSpeed Insights, CrUX, or Search Console's page-experience report,
23
+ - explain why a page "feels slow" or "feels janky" in terms of a specific, verifiable rendering or interaction sub-phase,
24
+ - reconcile a lab score change with (or without) a corresponding field percentile shift,
25
+ - decide which downstream skill should implement a Core Web Vitals fix (bundle/code-splitting vs. caching vs. server/CDN).
26
+
27
+ ## When NOT to use
28
+
29
+ - Pure server/infra latency tuning with no client-rendering component (TTFB-dominant LCP with no client-side contribution) — hand off to an infra/CDN-focused review; this skill identifies that TTFB is the dominant phase but does not own backend latency remediation.
30
+ - Native mobile app performance — different metric model, not Core Web Vitals.
31
+ - Implementing the fix. This skill diagnoses and specifies the fix, then hands off implementation-class changes to `bundle-budget-code-splitting-review` or `service-worker-cache-strategy-review` (or the closest equivalent asset in scope) — it does not write the fix code itself.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ Framework rendering internals that affect LCP/INP attribution (image loading priority hints, hydration/streaming boundaries, transition scheduling) change between major versions, and memorized behavior goes stale fast. Before attributing a delay to a specific framework mechanism:
36
+
37
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
38
+ 2. Call `mcp__Context7__resolve-library-id` for the framework in scope (e.g. Next.js, React, Vite) before making any claim about its current rendering/loading behavior.
39
+ 3. Call `mcp__Context7__query-docs` for the specific mechanism — e.g. "Image component priority/preload prop", "useTransition / startTransition scheduling", "manualChunks / codeSplitting build output" — before ruling on it. Do this per review; do not reuse a prior session's memory of framework internals.
40
+ 4. Known version-sensitive traps verified via Context7 as of this skill's `updated` date: Next.js deprecated the `<Image priority>` prop in Next.js 16 in favor of `preload` (same LCP-eager-load intent, new prop name — do not tell a Next.js 16+ user to add `priority` without checking their major version first). Vite deprecated the object form of `build.rollupOptions.output.manualChunks` in Vite 8+ in favor of `rolldownOptions.output.codeSplitting` — do not prescribe `manualChunks` config to a Vite 8+ project without verifying the installed version.
41
+ 5. web.dev is the primary source for Core Web Vitals *thresholds* and *phase definitions* and is not currently indexed in Context7; treat threshold/phase-boundary numbers pulled from `official_docs`/`WebFetch` as `documentation-based`, not `Context7-verified`, and say so explicitly.
42
+ 6. If Context7 is unavailable or returns no relevant match, fall back to `official_docs` / `references/*.md` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
43
+ 7. Never invent a framework prop, build-config option, or performance-entry field that no queried source confirms.
44
+
45
+ ## Lean operating rules
46
+
47
+ - Classify the evidence tier before decomposing anything: field RUM data present (CrUX API or `web-vitals` library export) vs. lab-only (Lighthouse/PSI JSON). Cap the verdict ceiling at `lab evidence only` when field data is absent — never phrase a lab-only finding as a field-validated user-experience claim.
48
+ - Decompose LCP into its four documented sub-phases (TTFB, resource-load delay, resource-load duration, render delay) per web.dev — never leave a finding at "LCP is high," always name the dominant phase.
49
+ - Decompose INP into its three documented sub-phases (input delay, processing time, presentation delay) per web.dev — never attribute INP to generic "JS is slow" without naming which phase and which task/handler.
50
+ - Decompose CLS by naming the specific shifting element and its trigger (late-loading web font, unsized image/embed, late-injected content, animation-triggered reflow) — a CLS score alone is not a diagnosis.
51
+ - Distinguish lab CLS (bounded to a single automated load, per Lighthouse) from field CLS (session-long, includes user-triggered layout shifts within 500ms of input, per the field CLS definition) — do not generalize one to the other.
52
+ - Attribute every phase to a concrete, verifiable artifact: a network-waterfall entry, a main-thread long-task entry, or a specific unsized DOM element. Never accept or emit "JS is slow" or "images are heavy" as a terminal diagnosis.
53
+ - State the correct owning skill for any implementation-class fix (bundle/code-splitting for JS-weight causes, service-worker caching for repeat-visit causes) rather than attempting to specify the implementation here.
54
+ - Never declare a metric "fixed" from a single lab run. State the CrUX 28-day rolling-window lag explicitly whenever recommending field-data confirmation.
55
+ - Never recommend removing accessible loading-state semantics (`aria-live`, `role="status"`, visible focus indicators) as a CLS or INP fix — that trades a compliance/usability regression for a metric number.
56
+ - Always account for device class: mobile field data (not desktop lab data) is what page-experience ranking and most real users actually see, per CrUX/web.dev methodology.
57
+
58
+ ## References
59
+
60
+ Load these only when needed:
61
+
62
+ - [LCP phase decomposition](references/lcp-phase-decomposition.md) — use when the regression or complaint is about page-load speed / the largest visible element painting late.
63
+ - [INP phase decomposition](references/inp-phase-decomposition.md) — use when the regression or complaint is about interaction responsiveness / a page "feeling janky."
64
+ - [CLS attribution](references/cls-attribution.md) — use when the regression or complaint is about visible layout jumping/shifting.
65
+ - [Evidence tiers, verification, and handoff](references/evidence-tiers-and-handoff.md) — use for every triage to classify evidence tier, specify the re-verification path, and route implementation-class fixes to the correct owning skill.
66
+
67
+ ## Response minimum
68
+
69
+ Return, at minimum:
70
+
71
+ - per-metric verdict (LCP/INP/CLS as applicable) with its evidence tier (`field evidence` vs. `lab evidence only` vs. `documentation-based` vs. `inference`),
72
+ - the sub-phase decomposition table for each metric in scope,
73
+ - the root-cause attribution per phase, tied to a concrete artifact (waterfall entry, long-task entry, DOM element),
74
+ - the minimal targeted fix per phase and which skill owns implementing it,
75
+ - the exact re-verification command/tool and the field-data confirmation window (CrUX's 28-day rolling window, stated explicitly) before the metric can be declared fixed.
@@ -0,0 +1,33 @@
1
+ {
2
+ "id": "core-web-vitals-triage",
3
+ "name": "Core Web Vitals Triage",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Decomposes LCP, INP, and CLS regressions into their documented web.dev/W3C sub-phases (TTFB/resource-load-delay/resource-load-duration/render-delay for LCP; input-delay/processing-time/presentation-delay for INP; element-level trigger attribution for CLS), grades findings by lab-vs-field evidence tier, and refuses to declare a metric fixed without a field-data or CI-budget verification path, loaded progressively.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://web.dev/articles/vitals",
18
+ "https://web.dev/articles/lcp",
19
+ "https://web.dev/articles/optimize-lcp",
20
+ "https://web.dev/articles/inp",
21
+ "https://web.dev/articles/optimize-inp",
22
+ "https://web.dev/articles/cls",
23
+ "https://web.dev/articles/optimize-cls",
24
+ "https://developer.chrome.com/docs/crux",
25
+ "https://www.w3.org/TR/largest-contentful-paint/",
26
+ "https://www.w3.org/TR/event-timing/"
27
+ ],
28
+ "security_notes": "Do not request production analytics credentials or raw customer session data; accept only sanitized/aggregated field exports (CrUX API responses, exported web-vitals RUM aggregates). Do not recommend removing accessible loading-state semantics (aria-live, role=status, visible focus indicators) as a CLS/INP fix. Do not accept or echo any credential-shaped string found in a pasted trace/config as if it were safe to keep in the transcript.",
29
+ "last_verified": "2026-07-02",
30
+ "path": "skills/frontend/core-web-vitals-triage",
31
+ "author": "github: Raishin",
32
+ "version": "0.1.0"
33
+ }
@@ -0,0 +1,45 @@
1
+ # CLS Attribution
2
+
3
+ Use this reference when the regression or complaint is about visible layout jumping/shifting, a CLS score drop, or a user report that "content jumps while loading."
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "CLS is 0.3, so something isn't sized — check the images."
10
+
11
+ Unsized images are one cause among several, and CLS is a session-level accumulation, not a single-event score. Two different pages can hit the same CLS number for entirely different reasons, and lab CLS (a single automated Lighthouse load) systematically under-reports field CLS (a real session including user-triggered scroll/interaction shifts), because field CLS per web.dev's methodology is a windowed sum across the full page lifetime, not just initial load.
12
+
13
+ ## Lab vs. field CLS — do not conflate them
14
+
15
+ - **Lab CLS** (Lighthouse/PSI): measured over one automated page load with no user interaction. It only captures load-time shifts.
16
+ - **Field CLS** (CrUX / `web-vitals` library): measured over the actual session, using the "maximum session window" methodology (windows of shifts gapped by <1s and spanning <5s, take the largest window) — per web.dev's CLS definition. It can and does include shifts triggered well after load, e.g. late-injected consent banners, lazy-loaded below-the-fold content, or shifts within 500ms of a user interaction (which the spec excludes from counting, but adjacent shifts outside that window still count).
17
+ - If lab CLS is low but field CLS (CrUX) is high, the cause is very likely something that only manifests during real sessions: late third-party script injection, ad-slot resize, or content that loads outside the automated tool's short observation window. Do not tell the user "Lighthouse says it's fine" as if that settles a field CLS complaint.
18
+
19
+ ## Attribution catalog — name the specific trigger
20
+
21
+ For every CLS finding, name the specific shifting element and its trigger category. Do not report a bare CLS number as a diagnosis. Common trigger categories, per web.dev's optimize-CLS guidance:
22
+
23
+ 1. **Unsized media** — images, videos, iframes, or embeds rendered without explicit `width`/`height` attributes or a reserved `aspect-ratio`, so the browser doesn't know the box size until the resource loads. Fix: explicit intrinsic dimensions or CSS `aspect-ratio` on the container.
24
+ 2. **Web-font swap/FOIT-to-FOUT shift** — a fallback font renders at a different metric than the loaded webfont, causing reflow when the real font swaps in. Fix: `font-display` strategy tuned for the situation, and where supported, `size-adjust`/`ascent-override`/`descent-override` font-face descriptors to metric-match the fallback — verify current browser support before prescribing these descriptors as a guaranteed fix.
25
+ 3. **Late-injected content above existing content** — a banner, ad slot, cookie-consent widget, or async-loaded element inserted above content the user is already viewing, pushing everything below it down. Fix: reserve space for the element up front (a placeholder with the known/estimated final size) rather than letting it inject with zero reserved height.
26
+ 4. **Animation-triggered reflow** — CSS animations/transitions that animate layout-affecting properties (`width`, `height`, `top`, `left`, `margin`) instead of compositor-only properties (`transform`, `opacity`). Fix: rewrite the animation to use `transform`/`opacity` so it doesn't trigger layout at all.
27
+ 5. **Dynamically injected/removed DOM nodes tied to loading states** — a skeleton/spinner removed and replaced with real content at a different size. This is the category most likely to overlap with an accessibility loading-state pattern — see the non-negotiable below before touching it.
28
+
29
+ ## Non-negotiable: do not sacrifice accessible loading semantics for a CLS number
30
+
31
+ A loading skeleton or spinner frequently carries `aria-live`, `role="status"`, or manages focus during a load transition. Do not recommend removing these attributes, collapsing the announcement, or eliminating visible focus indicators as a way to "simplify" the DOM and reduce shift count. If the loading-state element itself is the CLS trigger, fix it by reserving its layout space (matching the skeleton's box size to the final content's box size) — not by removing the accessibility semantics that make the loading state perceivable to assistive technology users. A metric win that produces a WCAG regression is not a fix; flag it as a conflict and specify the size-reserving fix instead.
32
+
33
+ ## Root-cause attribution — require an artifact, not an assertion
34
+
35
+ Require one of:
36
+
37
+ - A `LayoutShift` PerformanceObserver entry (per the W3C spec family CLS draws from) identifying the specific `sources` (nodes) and their `previousRect`/`currentRect`.
38
+ - A Lighthouse/PSI "Avoid large layout shifts" audit entry naming the specific DOM node.
39
+ - A DevTools Performance panel layout-shift region correlated to a specific paint frame and the element that moved.
40
+
41
+ If none of these are available, the finding is capped at `inference` and must say so.
42
+
43
+ ## Verification target
44
+
45
+ Re-run the trace and confirm the named element no longer appears in the layout-shift audit / `LayoutShift` entries. For field confirmation, see `references/evidence-tiers-and-handoff.md` — a lab-only CLS fix does not confirm the field CLS percentile improved, especially for triggers (late-injected content, session-long shifts) that lab tooling under-samples by design.
@@ -0,0 +1,57 @@
1
+ # Evidence Tiers, Verification, and Handoff
2
+
3
+ Use this reference for every triage, regardless of which metric (LCP/INP/CLS) is in scope, to classify evidence, specify the re-verification path, and route implementation-class fixes to the correct owning skill.
4
+
5
+ ## Evidence tiers — classify before decomposing anything
6
+
7
+ Label every claim in the output with one of these tiers. Do not let a lab-only trace produce a field-level verdict.
8
+
9
+ 1. **Field evidence** — CrUX API p75 data for the specific origin/URL/device-class, or an aggregated export from a `web-vitals`-library RUM collector covering real user sessions. This is the only tier that can support a "this is what real users experience" verdict.
10
+ 2. **Lab evidence only** — a single Lighthouse/PSI run, a synthetic CI trace, or a local DevTools trace. Useful for sub-phase decomposition and root-cause attribution, but caps the verdict at "reproduced in a synthetic environment" — never phrase it as a confirmed real-user-experience claim.
11
+ 3. **Documentation-based** — a threshold, phase definition, or mechanism claim sourced from web.dev/W3C docs or Context7-queried framework docs, not from a trace the user provided. Correct for grounding definitions; not a substitute for evidence about this specific page.
12
+ 4. **Inference** — a plausible attribution without a cited artifact (waterfall entry, long-task entry, `LayoutShift`/`PerformanceEventTiming` entry). Must be labeled explicitly and should prompt a request for the missing artifact before the finding is treated as actionable.
13
+
14
+ If field data is absent entirely, the ceiling for the whole triage is **lab evidence only** — recommend field instrumentation (the `web-vitals` JS library, or enabling/checking CrUX coverage for the origin) as a first-class next step, not an afterthought.
15
+
16
+ ## Device class matters — do not generalize desktop lab data to mobile field reality
17
+
18
+ CrUX and the page-experience ranking signal are dominated by mobile field data for most origins. A desktop Lighthouse run that looks clean does not confirm the mobile field experience is clean, and the two frequently diverge (different CPU/network throttling profiles, different viewport-driven CLS triggers, different bundle-parse cost on slower mobile CPUs). Always state which device class a lab trace was captured against, and prefer mobile-throttled traces when field data specifically flags mobile.
19
+
20
+ ## CrUX's rolling window — the confirmation lag that must be disclosed
21
+
22
+ CrUX reports a **28-day rolling window** of aggregated field data. This has two direct consequences for any "field-confirmed fixed" claim:
23
+
24
+ - A fix deployed today will not be visible in CrUX's public dataset as a clean, isolated before/after split for up to 28 days, and even then the reported window blends pre- and post-fix days until the older data ages out.
25
+ - Same-day or next-day CrUX checks after a deploy prove nothing about the field impact of that deploy. Do not let a user (or yourself) declare a metric "fixed" from a CrUX check taken within the rolling-window lag of the deploy.
26
+
27
+ If the user wants faster confirmation than CrUX's window allows, the correct answer is same-origin RUM instrumentation (a `web-vitals`-library collector reporting to the user's own analytics pipeline), which can show a near-real-time before/after split — but that requires the user to already have or add that instrumentation; do not assume it exists.
28
+
29
+ ## Handoff table — this skill diagnoses, it does not implement
30
+
31
+ | Dominant cause | Owning skill / next step |
32
+ |---|---|
33
+ | TTFB-dominant LCP | Server/CDN/infra latency review — out of this skill's cluster entirely |
34
+ | JS bundle weight causing resource-load-delay, resource-load-duration, or INP input-delay/processing-time | `bundle-budget-code-splitting-review` (or the closest equivalent asset in the catalog for this provider) |
35
+ | Repeat-visit caching / stale-resource causes | `service-worker-cache-strategy-review` (or the closest equivalent caching-strategy asset in the catalog) |
36
+ | Single-element resource-hint fix (a missed preload/eager-load on the actual LCP element) | Specify directly in this skill's output; it's a targeted attribute change, not a build-pipeline change |
37
+ | Framework-specific rendering/scheduling mechanism (transitions, image-loading props, hydration boundaries) | Verify via Context7 first (see SKILL.md protocol), then specify directly if it's a single-component change; hand off if it implies a broader architectural pattern change |
38
+ | Accessibility-vs-metric conflict (loading-state semantics implicated in a CLS/INP finding) | Do not resolve by stripping accessibility semantics; specify the size/scheduling fix that preserves them, and flag the conflict explicitly |
39
+
40
+ Do not reinvent bundle-splitting or caching-strategy guidance inside this skill — name the dominant cause, cite the artifact, and route to the owning skill so the fix is specified once, correctly, in the asset that owns it.
41
+
42
+ ## Adversarial checklist — answer before closing a triage
43
+
44
+ - Is every sub-phase attribution backed by a cited waterfall/long-task/`LayoutShift`/`PerformanceEventTiming` entry, or is it asserted?
45
+ - Is the evidence tier for the overall verdict correctly capped (lab-only claims never phrased as field-confirmed)?
46
+ - Is the device class of every lab trace stated, and does it match the device class the field complaint (if any) refers to?
47
+ - Is the CrUX 28-day lag disclosed if field re-confirmation is part of the recommended next step?
48
+ - Is the fix routed to the correct owning skill instead of being reinvented here?
49
+ - Does any proposed fix remove or weaken an accessible loading-state semantic? If so, it must be flagged as a conflict, not silently accepted.
50
+ - Would declaring this metric "fixed" right now be true, or just true-in-the-lab?
51
+
52
+ ## Common failure modes to actively guard against
53
+
54
+ - Shotgunning multiple simultaneous changes (image compression + font preload + code-splitting in one PR) so the actual causal phase is never isolated — insist on isolating the dominant phase before recommending a bundle of fixes, or at minimum flag that a bundled fix will make attribution of the eventual field-data improvement ambiguous.
55
+ - Treating a single lab run, in either direction, as proof of anything about the field percentile.
56
+ - Generalizing desktop lab data to a mobile field complaint, or vice versa.
57
+ - Declaring victory the day after deploy based on a CrUX check that is still inside the 28-day blended window.