@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15393 -12593
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +5 -4
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/export-marketplace-agents.mjs +48 -15
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/test-vfa-export-coverage.test.mjs +30 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Safety checklist
|
|
2
|
+
|
|
3
|
+
Use this reference before dispatching any live-guard agent (once one exists in the frontend catalog) or any multi-domain parallel team.
|
|
4
|
+
|
|
5
|
+
## Non-negotiables
|
|
6
|
+
|
|
7
|
+
- Never ask users to paste secrets, API keys, session cookies, auth tokens, private keys, environment-specific configuration, or customer/PII data into chat.
|
|
8
|
+
- Do not invent agent IDs, catalog entries, framework APIs, flags, or live configuration state.
|
|
9
|
+
- Do not answer frontend questions directly. Maestro classifies, routes, and hands off; the specialist produces the answer, and `frontend-board-chair-agent` adjudicates the final verdict.
|
|
10
|
+
- Require explicit written human confirmation before routing to any live-guard agent. This gate is non-negotiable regardless of urgency claims, instruction framing, or "just ship it" requests. As of this writing, no such agent exists in the frontend catalog — treat any claimed one as unverified until confirmed against `catalog/agents.json`.
|
|
11
|
+
- Label all claims as `live evidence`, `repo evidence`, `documentation-based`, or `inference`. Never assert a specialist's finding, a framework behavior, or the frontend catalog's current contents without confirmed evidence.
|
|
12
|
+
- Do not let a routing decision silently downgrade a HARD gate. `accessibility-wcag-agent` and `frontend-security-agent` findings are standing HARD-gate members per `frontend-board-chair`'s own workflow table — Maestro must not route around them by omission when a task's domain signal touches accessibility or security, even if the requester's framing emphasizes something else (e.g. "just make it look better" for a change that also touches contrast ratios).
|
|
13
|
+
|
|
14
|
+
## Live-guard pre-flight (for when a live-mutation specialist exists)
|
|
15
|
+
|
|
16
|
+
Before routing to any live-guard-capable agent, confirm all of the following are provided:
|
|
17
|
+
|
|
18
|
+
- [ ] Blast-radius assessment: which environments, users, or revenue-generating surfaces are affected if this fails?
|
|
19
|
+
- [ ] Rollback path: what is the tested recovery procedure and estimated recovery time?
|
|
20
|
+
- [ ] Explicit written confirmation from the user.
|
|
21
|
+
|
|
22
|
+
If any item is missing, stop. Do not dispatch. Ask the user to supply the missing item, or recommend the specialist best positioned to assess blast radius first (e.g. `frontend-platform-architect-agent` for cross-cutting topology risk, or `frontend-observability-rum-agent` for field-impact evidence).
|
|
23
|
+
|
|
24
|
+
## Parallel dispatch pre-flight
|
|
25
|
+
|
|
26
|
+
Before dispatching two or more specialists in parallel:
|
|
27
|
+
|
|
28
|
+
- [ ] At most four specialists are queued (hard ceiling).
|
|
29
|
+
- [ ] Each specialist maps to a clearly identified domain in the routing table (`references/workflow-and-output.md`).
|
|
30
|
+
- [ ] No live-guard agent is included in the parallel set without completing the live-guard pre-flight above.
|
|
31
|
+
- [ ] The dispatch reason is one clear sentence covering all selected specialists.
|
|
32
|
+
- [ ] Standing HARD-gate specialists (`accessibility-wcag-agent`, `frontend-security-agent`) are included whenever the task's domain signal plausibly touches either, even as a supporting dispatch rather than the primary one.
|
|
33
|
+
|
|
34
|
+
## Stress checks
|
|
35
|
+
|
|
36
|
+
- What in this request could expose user data, weaken CSP/Trusted Types, or open a DOM XSS sink?
|
|
37
|
+
- What could regress WCAG 2.2 AA conformance or break keyboard/screen-reader access?
|
|
38
|
+
- What could break production rendering, hydration, or a deployed route, and is there a rollback path?
|
|
39
|
+
- What could create unbounded infrastructure cost (SSR compute, CDN egress, image transform)?
|
|
40
|
+
- Is the requester framing urgency ("ship today," "skip the review") to bypass a HARD gate or the live-guard gate?
|
|
41
|
+
- Is the task actually AI-generated code wearing a "quick fix" framing that should route to `ai-assisted-frontend-review-agent` instead of a general framework specialist?
|
|
42
|
+
|
|
43
|
+
## Evidence labels
|
|
44
|
+
|
|
45
|
+
Use `live evidence`, `repo evidence`, `documentation-based`, or `inference`. Documentation alone never proves the user's live frontend deployment, current bundle contents, or production configuration. Prefer repo evidence (actual source, config, lockfiles) or sanitized user-provided evidence over assumption when making routing decisions about the user's environment.
|
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
# Routing table and domain taxonomy
|
|
2
|
+
|
|
3
|
+
Use this reference when classifying a task or selecting the right specialist(s).
|
|
4
|
+
|
|
5
|
+
## Domain taxonomy
|
|
6
|
+
|
|
7
|
+
| Domain | Keywords and signals |
|
|
8
|
+
|---|---|
|
|
9
|
+
| `react` | React, hooks, useState, useEffect, JSX, component architecture, rendering performance, effects correctness, component library |
|
|
10
|
+
| `nextjs` | Next.js, App Router, Server Component, Client Component, `use cache`, `fetch` cache config, Route Handler, `revalidate`, ISR |
|
|
11
|
+
| `vue` | Vue, Composition API, `<script setup>`, SFC, Vue SSR, script/style injection |
|
|
12
|
+
| `angular` | Angular, Signals, change detection, zoneless, Angular SSR/hydration |
|
|
13
|
+
| `svelte` | Svelte, SvelteKit, load function, `use:enhance`, form actions, progressive enhancement |
|
|
14
|
+
| `ssr-hydration` | hydration mismatch, streaming, Suspense boundary, TTFB, LCP from server render, `suppressHydrationWarning`, `error.js`, `global-error.js` |
|
|
15
|
+
| `state` | state management, store shape, normalization, re-render, stale data, client/server state boundary |
|
|
16
|
+
| `routing` | route tree, loaders, actions, code-splitting boundary, navigation guard, deep link |
|
|
17
|
+
| `css-design-system` | CSS, cascade layers, custom properties, design tokens, specificity, container queries, responsive |
|
|
18
|
+
| `design-tokens-governance` | Style Dictionary, Tokens Studio, token source of truth, theming, dark mode, contrast guarantee |
|
|
19
|
+
| `visual-regression` | pixel diff, screenshot test, Chromatic, Storybook test-runner, DOM snapshot |
|
|
20
|
+
| `testing` | unit test, component test, integration test, E2E, test pyramid, flaky suite |
|
|
21
|
+
| `performance-cwv` | Core Web Vitals, LCP, INP, CLS, lab data, field data, performance budget |
|
|
22
|
+
| `build-tooling` | Vite, Webpack, Rollup, code splitting, bundle size budget, vendor chunk, duplicate dependency |
|
|
23
|
+
| `package-governance` | package.json, lockfile, pnpm catalog, npm override, Renovate, Dependabot, dependency confusion |
|
|
24
|
+
| `monorepo-dx` | Turborepo, Nx, workspace topology, remote caching, task graph, stale cache |
|
|
25
|
+
| `browser-compat` | Baseline, caniuse, polyfill, graceful degradation, unsupported browser feature |
|
|
26
|
+
| `accessibility` | WCAG, ARIA, screen reader, keyboard trap, focus order, alt text, a11y audit |
|
|
27
|
+
| `html-semantics` | landmark, heading hierarchy, native element, WHATWG HTML, structured data, semantic markup |
|
|
28
|
+
| `i18n-l10n` | ICU MessageFormat, CLDR, plural rule, RTL, locale, translation readiness |
|
|
29
|
+
| `security` | XSS, CSP, Trusted Types, DOM sink, client-side supply chain, OWASP |
|
|
30
|
+
| `api-bff` | BFF, trust boundary, over-fetching, backend contract, authorization at the edge |
|
|
31
|
+
| `observability-rum` | RUM, OpenTelemetry Web, error tracking, sampling, cardinality, PII in telemetry |
|
|
32
|
+
| `analytics-experimentation` | A/B test, experimentation, event schema, statistical validity, conversion tracking |
|
|
33
|
+
| `pwa-offline` | service worker, web app manifest, offline fallback, installability |
|
|
34
|
+
| `typescript` | tsconfig strictness, type contract, narrowing, `any`-laundering, public API surface |
|
|
35
|
+
| `migration` | legacy jQuery/AngularJS/Backbone migration, monolith-to-microfrontend, framework major-version upgrade, strangler-fig |
|
|
36
|
+
| `finops-cost` | CDN egress, edge/SSR compute cost, image transform cost, build minutes, cost-to-serve |
|
|
37
|
+
| `platform-architecture` | module boundary, build/runtime topology, shared-platform contract, technology-adoption gate, cross-team drift |
|
|
38
|
+
| `platform-foundation` | new-project scaffolding, framework-vs-platform tradeoff, browser-support baseline, cross-cutting HTML/CSS/JS/TS decision that doesn't fit one specialist |
|
|
39
|
+
| `ai-generated-review` | AI-generated code, LLM-generated component, hallucinated API, generated hooks/glue code |
|
|
40
|
+
| `red-team` | adversarial review, elevated review bar, red-team pass, second-opinion security/a11y check |
|
|
41
|
+
|
|
42
|
+
## Full routing table
|
|
43
|
+
|
|
44
|
+
### Frameworks
|
|
45
|
+
|
|
46
|
+
| Agent | Domain(s) | Use when… |
|
|
47
|
+
|---|---|---|
|
|
48
|
+
| `react-specialist-agent` | react | Reviewing React component architecture, hooks/effects correctness, or rendering-performance risk |
|
|
49
|
+
| `nextjs-specialist-agent` | nextjs, ssr-hydration | Reviewing Next.js App Router rendering strategy, fetch/cache configuration, or Server/Client Component boundary correctness |
|
|
50
|
+
| `vue-specialist-agent` | vue | Reviewing Vue 3 Composition API architecture or Vue SSR security posture |
|
|
51
|
+
| `angular-specialist-agent` | angular, ssr-hydration | Reviewing Angular Signals architecture, change-detection strategy, or SSR/hydration correctness |
|
|
52
|
+
| `svelte-sveltekit-specialist-agent` | svelte | Reviewing SvelteKit routing/load-function correctness or progressive-enhancement resilience |
|
|
53
|
+
|
|
54
|
+
### Rendering
|
|
55
|
+
|
|
56
|
+
| Agent | Domain(s) | Use when… |
|
|
57
|
+
|---|---|---|
|
|
58
|
+
| `ssr-hydration-streaming-agent` | ssr-hydration | Diagnosing hydration-mismatch errors, slow-data waterfalls, or incorrect Suspense/error-boundary placement |
|
|
59
|
+
|
|
60
|
+
### State and routing
|
|
61
|
+
|
|
62
|
+
| Agent | Domain(s) | Use when… |
|
|
63
|
+
|---|---|---|
|
|
64
|
+
| `state-management-data-flow-agent` | state | Reviewing client/server state boundaries, store shape, normalization, or re-render performance |
|
|
65
|
+
| `routing-navigation-agent` | routing | Reviewing route-tree structure, data-loading strategy, code-splitting boundaries, or navigation-guard logic |
|
|
66
|
+
|
|
67
|
+
### Styling and design systems
|
|
68
|
+
|
|
69
|
+
| Agent | Domain(s) | Use when… |
|
|
70
|
+
|---|---|---|
|
|
71
|
+
| `css-architecture-agent` | css-design-system | Reviewing CSS specificity, cascade-layer strategy, or custom-property/design-token architecture |
|
|
72
|
+
| `design-systems-governance-agent` | design-tokens-governance | Reviewing design-token pipelines and component-library governance |
|
|
73
|
+
| `visual-regression-agent` | visual-regression | Reviewing pixel-diff or DOM-snapshot visual regression pipelines |
|
|
74
|
+
|
|
75
|
+
### Testing and quality
|
|
76
|
+
|
|
77
|
+
| Agent | Domain(s) | Use when… |
|
|
78
|
+
|---|---|---|
|
|
79
|
+
| `testing-quality-engineering-agent` | testing | Reviewing or designing frontend test strategy across unit, component, integration, and E2E layers |
|
|
80
|
+
|
|
81
|
+
### Performance and build
|
|
82
|
+
|
|
83
|
+
| Agent | Domain(s) | Use when… |
|
|
84
|
+
|---|---|---|
|
|
85
|
+
| `web-performance-core-vitals-agent` | performance-cwv | Triaging Core Web Vitals (LCP, INP, CLS) using lab and field evidence |
|
|
86
|
+
| `build-tooling-bundling-agent` | build-tooling | Reviewing Vite/Webpack/Rollup build configuration, code-splitting strategy, or bundle budgets |
|
|
87
|
+
| `package-governance-agent` | package-governance | Reviewing package.json manifests, lockfiles, or dependency version policy |
|
|
88
|
+
| `monorepo-dx-agent` | monorepo-dx | Reviewing monorepo task-graph orchestration or remote-caching correctness |
|
|
89
|
+
|
|
90
|
+
### Compatibility and semantics
|
|
91
|
+
|
|
92
|
+
| Agent | Domain(s) | Use when… |
|
|
93
|
+
|---|---|---|
|
|
94
|
+
| `browser-compatibility-agent` | browser-compat | Checking used web-platform features against the org's supported-browser matrix |
|
|
95
|
+
| `accessibility-wcag-agent` | accessibility | Auditing markup and components against WCAG 2.2 A/AA success criteria |
|
|
96
|
+
| `html-semantics-agent` | html-semantics | Reviewing markup structure, landmark/heading hierarchy, or ARIA application |
|
|
97
|
+
| `internationalization-localization-agent` | i18n-l10n | Verifying i18n architecture and l10n readiness |
|
|
98
|
+
|
|
99
|
+
### Security and boundaries
|
|
100
|
+
|
|
101
|
+
| Agent | Domain(s) | Use when… |
|
|
102
|
+
|---|---|---|
|
|
103
|
+
| `frontend-security-agent` | security | Hunting DOM XSS sinks, CSP/Trusted Types gaps, or client-side supply-chain risk |
|
|
104
|
+
| `api-integration-bff-agent` | api-bff | Reviewing the contract, ownership, and trust boundary between frontend clients and backend/BFF layers |
|
|
105
|
+
|
|
106
|
+
### Observability, analytics, and offline
|
|
107
|
+
|
|
108
|
+
| Agent | Domain(s) | Use when… |
|
|
109
|
+
|---|---|---|
|
|
110
|
+
| `frontend-observability-rum-agent` | observability-rum | Reviewing or designing RUM instrumentation (Core Web Vitals, OTel Web traces, error tracking) |
|
|
111
|
+
| `product-analytics-experimentation-agent` | analytics-experimentation | Reviewing frontend analytics instrumentation and A/B experimentation setups |
|
|
112
|
+
| `pwa-offline-capability-agent` | pwa-offline | Validating service-worker caching behavior, manifest installability, or offline-fallback coverage |
|
|
113
|
+
|
|
114
|
+
### Contracts, migration, and cost
|
|
115
|
+
|
|
116
|
+
| Agent | Domain(s) | Use when… |
|
|
117
|
+
|---|---|---|
|
|
118
|
+
| `typescript-contracts-agent` | typescript | Reviewing tsconfig strictness posture, exported type contracts, or narrowing correctness |
|
|
119
|
+
| `frontend-migration-modernization-agent` | migration | Planning or de-risking a large-scale frontend migration or framework major-version upgrade |
|
|
120
|
+
| `frontend-finops-cost-to-serve-agent` | finops-cost | Quantifying CDN egress, edge/SSR compute, image-transform, or build-minute cost impact |
|
|
121
|
+
|
|
122
|
+
### Cross-cutting architecture
|
|
123
|
+
|
|
124
|
+
| Agent | Domain(s) | Use when… |
|
|
125
|
+
|---|---|---|
|
|
126
|
+
| `frontend-platform-architect-agent` | platform-architecture | Deciding cross-cutting module boundaries, build/runtime topology, or technology-adoption gates |
|
|
127
|
+
| `web-platform-foundation-agent` | platform-foundation | Handling a cross-cutting HTML/CSS/JS/TS decision (new-project scaffolding, framework-vs-platform tradeoff, browser-support baseline) that doesn't fit one narrow specialist |
|
|
128
|
+
| `javascript-runtime-agent` | ssr-hydration, platform-foundation | Reviewing event-loop/microtask ordering, Promise composition, or DOM event-handling lifecycle for race conditions or listener leaks |
|
|
129
|
+
|
|
130
|
+
### AI-generated code and red-team
|
|
131
|
+
|
|
132
|
+
| Agent | Domain(s) | Use when… |
|
|
133
|
+
|---|---|---|
|
|
134
|
+
| `ai-assisted-frontend-review-agent` | ai-generated-review | Applying an elevated review bar to AI/LLM-generated frontend code |
|
|
135
|
+
| `enterprise-red-team-review-agent` | red-team | Running a mandatory or spot-check adversarial second-opinion pass (security review, AI-generated code review, or production incident workflows, per `frontend-board-chair`'s workflow table) |
|
|
136
|
+
|
|
137
|
+
### Live-guard (none currently cataloged)
|
|
138
|
+
|
|
139
|
+
No agent in the frontend catalog is currently capable of a live/production mutation (deploy, feature-flag flip in prod, cache purge, rollback trigger). If a task carries a live-guard signal, say so explicitly and stop — do not invent a live-guard agent, and do not route the task to a static-review specialist as a substitute for a production-mutation gate. Re-check `catalog/agents.json` for a `frontend` provider agent whose ID or summary indicates live/production-mutation capability before asserting this is still true.
|
|
140
|
+
|
|
141
|
+
## Live-guard gate protocol
|
|
142
|
+
|
|
143
|
+
If a future frontend catalog addition introduces a live-mutation-capable specialist, before routing to it, surface all three and wait for explicit written confirmation:
|
|
144
|
+
|
|
145
|
+
1. **Blast-radius assessment** — what environments, users, or revenue-generating surfaces are affected if this goes wrong?
|
|
146
|
+
2. **Rollback path** — what is the tested rollback procedure and estimated recovery time?
|
|
147
|
+
3. **Explicit confirmation** — "I confirm I understand the blast radius and rollback path. Proceed."
|
|
148
|
+
|
|
149
|
+
## Response shape
|
|
150
|
+
|
|
151
|
+
Every Maestro response begins with the routing header:
|
|
152
|
+
```
|
|
153
|
+
Route: <agent-name(s)>
|
|
154
|
+
Reason: <one sentence>
|
|
155
|
+
Mode: <single | parallel (N specialists) | live-guard-gate | unclassified>
|
|
156
|
+
```
|
|
157
|
+
Followed by: dispatched specialist output (summarized), then a handoff note to `frontend-board-chair-agent`.
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: frontend-migration-modernization-plan
|
|
3
|
+
description: Build a phased, reversible plan to migrate or modernize a legacy frontend surface (jQuery/Backbone/AngularJS to a modern framework, CRA/Webpack to Vite, or a same-framework major-version bump) using strangler-fig sequencing with measurable exit criteria per phase, without defaulting to a full rewrite.
|
|
4
|
+
allowed-tools: Read Grep Glob WebFetch
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: architecture
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Frontend Migration & Modernization Plan
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Most full frontend rewrites blow their timeline/budget or never ship, while unmanaged incremental migrations rot into permanent dual-stack debt. This skill exists to produce a bounded, reversible, metric-gated migration plan without stuffing the entire migration playbook (strangler patterns, legacy-jQuery inventory tactics, framework-upgrade risk analysis, rollback design) into every response — those load only when the task needs them.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- plan a migration off a legacy stack (jQuery, Backbone, AngularJS, old CRA/Webpack setup) to a modern framework or bundler,
|
|
23
|
+
- sequence a same-framework major-version upgrade (React 17→19, Angular N→N+2, Vue 2→3) as a phased rollout,
|
|
24
|
+
- design a strangler-fig boundary (route table, module federation seam, adapter layer) between legacy and modern code,
|
|
25
|
+
- define rollback and legacy-decommission exit criteria for an in-flight migration.
|
|
26
|
+
|
|
27
|
+
## Lean operating rules
|
|
28
|
+
|
|
29
|
+
- First classify the migration type: cross-framework (paradigm shift, high risk) vs. same-framework major-version (breaking-change surface, narrower risk). They need different reference material — do not blend them.
|
|
30
|
+
- Do not recommend a full rewrite as the default. Only recommend it when incremental strangling is demonstrably infeasible (e.g. the runtime model itself is incompatible), and say so explicitly with the reason.
|
|
31
|
+
- Every phase must have a stated rollback action completable within one deploy cycle and a measurable exit metric (not a date-only gate).
|
|
32
|
+
- Treat the legacy-decommission step as mandatory and time-boxed; a migration plan with no decommission criteria is incomplete.
|
|
33
|
+
- Verify target-framework migration APIs/codemods via Context7 or official docs before citing them; never invent a codemod name or flag.
|
|
34
|
+
- Never propose a migration phase that merges auth/session state across old and new stacks without a named security review gate.
|
|
35
|
+
- Load `references/strangler-boundary-design.md` only when the user needs the actual seam/proxy design, not for a high-level phase summary.
|
|
36
|
+
- Load `references/rollback-and-exit-criteria.md` only when defining or auditing phase gates.
|
|
37
|
+
- Load `references/rewrite-vs-incremental-decision.md` only when the user is undecided between rewrite and incremental strangling.
|
|
38
|
+
|
|
39
|
+
## Context7 Documentation Protocol
|
|
40
|
+
|
|
41
|
+
Every framework-specific migration API, codemod name, config flag, or "recommended path" claim in a response must be traceable to one of:
|
|
42
|
+
|
|
43
|
+
1. **Context7-verified** — resolved via `mcp__Context7__resolve-library-id` then confirmed with `mcp__Context7__query-docs` against the specific library (e.g. `/reactjs/react.dev`, `/vercel/next.js`) in this session or a prior verification you can cite by source URL.
|
|
44
|
+
2. **Official docs (direct citation)** — a specific docs URL, used when Context7 has no coverage for that library/version.
|
|
45
|
+
3. **Inference** — explicitly labeled as such; never presented as a verified codemod/flag.
|
|
46
|
+
|
|
47
|
+
Do not invent codemod names, CLI flags, or config keys. If Context7 and official docs both lack coverage for a specific claim (e.g. an exact flag for a niche bundler), say so and mark it `inference — verify against installed tooling` rather than guessing. Re-verify before citing if the last check is not from the current session, since migration tooling and recommended paths change across releases (e.g. Next.js has shipped multiple generations of App Router migration guidance; React Compiler adoption guidance is still evolving).
|
|
48
|
+
|
|
49
|
+
Confirmed in this skill's authoring session (re-verify if stale):
|
|
50
|
+
|
|
51
|
+
- Next.js ships `npx @next/codemod cra-to-next` for CRA → Next.js migration, and a `rewrites().fallback` config for proxying unmigrated routes during incremental strangler cutover. Source: `vercel/next.js` docs (`01-app/02-guides/upgrading/codemods.mdx`, `01-app/03-api-reference/05-config/01-next-config-js/rewrites.mdx`).
|
|
52
|
+
- Next.js explicitly supports `app/` and `pages/` directories coexisting during App Router migration and recommends breaking the migration into small incremental steps. Source: `vercel/next.js` docs (`01-app/02-guides/migrating/app-router-migration.mdx`).
|
|
53
|
+
- React Compiler supports incremental adoption via `compilationMode: 'annotation'` plus `"use memo"` / `"use no memo"` directives, letting teams opt components in/out individually before flipping to full inference mode. Source: `reactjs/react.dev` docs (`reference/react-compiler/directives.md`, `learn/react-compiler/incremental-adoption.md`).
|
|
54
|
+
|
|
55
|
+
## References
|
|
56
|
+
|
|
57
|
+
Load these only when needed:
|
|
58
|
+
|
|
59
|
+
- [Strangler boundary design](references/strangler-boundary-design.md) — use when the user needs the actual technical seam (proxy/route-table, module federation, adapter layer) between legacy and modern code, not just a phase list.
|
|
60
|
+
- [Rollback and exit criteria](references/rollback-and-exit-criteria.md) — use when defining or auditing what makes a phase safe to promote, and what makes legacy code eligible for decommission.
|
|
61
|
+
- [Rewrite vs. incremental decision](references/rewrite-vs-incremental-decision.md) — use only when the user is weighing a full rewrite against strangler-fig incrementalism and needs the decision criteria, not for already-decided migrations.
|
|
62
|
+
|
|
63
|
+
## Response minimum
|
|
64
|
+
|
|
65
|
+
Return, at minimum:
|
|
66
|
+
|
|
67
|
+
- the migration type classification (cross-framework vs. same-framework) and why,
|
|
68
|
+
- the phase sequence with entry/exit criteria per phase,
|
|
69
|
+
- the rollback design per phase,
|
|
70
|
+
- the legacy-decommission criteria and time-box,
|
|
71
|
+
- evidence level for any framework API/codemod cited (Context7-verified vs. inference).
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "frontend-migration-modernization-plan",
|
|
3
|
+
"name": "Frontend Migration & Modernization Plan",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Builds a phased strangler-fig migration/modernization plan for legacy frontend stacks (jQuery/Backbone/AngularJS, old bundlers, framework major versions) with rollback gates, exit criteria, and business-risk-first sequencing, loading legacy-pattern, risk, and rollback references progressively rather than dumping the whole migration playbook into every prompt.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://react.dev/learn/react-compiler/incremental-adoption",
|
|
18
|
+
"https://nextjs.org/docs/app/guides/migrating",
|
|
19
|
+
"https://vitejs.dev/guide/migration",
|
|
20
|
+
"https://angular.dev/reference/migrations"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "Never propose a migration phase that merges auth/session state across old and new stacks without a named security review gate. Treat every phase's rollback path as a hard requirement, not optional documentation.",
|
|
23
|
+
"last_verified": "2026-07-02",
|
|
24
|
+
"path": "skills/frontend/frontend-migration-modernization-plan",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
# Rewrite vs. Incremental Strangler Decision
|
|
2
|
+
|
|
3
|
+
Use this reference only when the user is genuinely undecided between a full rewrite and an incremental strangler-fig migration. If the user has already committed to one path, do not relitigate it here — go to the relevant execution reference instead.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "The old code is so bad that a rewrite is obviously faster."
|
|
10
|
+
|
|
11
|
+
That is almost never true at the scope people imagine. A rewrite discards the accumulated bug fixes, edge-case handling, and business-rule knowledge encoded in the legacy UI — knowledge that usually is not written down anywhere else. Teams that rewrite typically re-discover that knowledge the hard way, in production, after cutover, when rollback is hardest.
|
|
12
|
+
|
|
13
|
+
The inverse bad assumption is also common:
|
|
14
|
+
|
|
15
|
+
> "We should never rewrite; incremental is always safer."
|
|
16
|
+
|
|
17
|
+
That is also false. If the legacy runtime model is fundamentally incompatible with the target (e.g. synchronous global-state jQuery plugins that assume full-page reloads, wired into a codebase with no seams at all), forcing an incremental strangler pattern onto it can cost more than a bounded rewrite of a small, well-scoped surface.
|
|
18
|
+
|
|
19
|
+
## Decision criteria (score each, do not eyeball it)
|
|
20
|
+
|
|
21
|
+
Ask these questions and get concrete answers, not vibes:
|
|
22
|
+
|
|
23
|
+
1. **Are there any existing seams?** Route boundaries, iframe boundaries, distinct page loads, or module boundaries where legacy and new code could coexist without deep coupling. No seams at all is the strongest signal toward a bounded rewrite of that specific surface — not the whole app.
|
|
24
|
+
2. **What is the blast radius of the surface in question?** A single internal admin page vs. the primary customer checkout flow have very different risk tolerances for "big bang" replacement.
|
|
25
|
+
3. **Is there a shared auth/session model that both stacks must honor simultaneously?** If yes, this is a hard security gate (see SKILL.md operating rules) and it must be solved before any coexistence phase, regardless of which path you choose.
|
|
26
|
+
4. **How much business logic is embedded in the view layer with no test coverage?** High untested logic in the view layer favors strangling in small verifiable slices, not a big-bang rewrite, because you can diff behavior slice-by-slice.
|
|
27
|
+
5. **What is the team's real capacity to run two stacks in production concurrently?** Strangler patterns are not free — they cost ongoing dual-stack operational overhead (two build pipelines, two deploy paths, two sets of dependencies to patch). If the team cannot sustain that for the migration's duration, say so explicitly; it changes the sequencing, not the recommendation to avoid rewrite.
|
|
28
|
+
6. **Is the target framework migration path officially supported for incremental coexistence?** For example, Next.js explicitly documents `app/` and `pages/` directories coexisting and recommends breaking migration into small steps (Context7-verified: `vercel/next.js` docs, `app-router-migration.mdx`). Absence of an official coexistence path for a given framework pair is a signal toward more conservative, smaller-scoped increments — not automatically toward a rewrite.
|
|
29
|
+
|
|
30
|
+
## Default and its exception
|
|
31
|
+
|
|
32
|
+
**Default: incremental strangler-fig migration**, scoped by seam (route, module federation boundary, or adapter layer), sequenced business-risk-first (§ see SKILL.md phase sequencing).
|
|
33
|
+
|
|
34
|
+
**Exception — recommend a bounded rewrite only when:**
|
|
35
|
+
- no viable seam exists for the surface in question, AND
|
|
36
|
+
- the surface is small/isolated enough that its blast radius is contained, AND
|
|
37
|
+
- the team explicitly accepts the rewrite's discovery risk (silent behavior regressions) with a stated verification plan (parity testing, feature-flagged rollout, or shadow traffic comparison).
|
|
38
|
+
|
|
39
|
+
Never recommend a rewrite for an entire application as a first move. If the user pushes for "just rewrite it all," push back and ask for the seam analysis above first.
|
|
40
|
+
|
|
41
|
+
## When to push back
|
|
42
|
+
|
|
43
|
+
Push back if the user says:
|
|
44
|
+
|
|
45
|
+
- "The old code is a mess, let's just start over" — with no seam analysis and no scoping of blast radius.
|
|
46
|
+
- "We'll run both stacks forever, it's fine" — dual-stack maintenance without a decommission time-box is not a migration, it's permanent debt (see `rollback-and-exit-criteria.md`).
|
|
47
|
+
- "Auth can stay separate for now, we'll unify it later" — unresolved shared-session risk is a security gate, not a deferred nice-to-have.
|
|
48
|
+
|
|
49
|
+
Those are not pragmatic shortcuts. They are how migrations become permanent, half-finished liabilities.
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
# Rollback and Exit Criteria
|
|
2
|
+
|
|
3
|
+
Use this reference when defining or auditing what makes a migration phase safe to promote, and what makes legacy code eligible for decommission. Every phase in a migration plan produced by this skill must satisfy the rules below — a phase with a date-only gate and no measurable exit criteria is not a real gate.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The common bad assumption is:
|
|
8
|
+
|
|
9
|
+
> "We'll know it's done when it feels stable / when the sprint is over."
|
|
10
|
+
|
|
11
|
+
That is not an exit criterion, it is a shrug. A migration plan that cannot say, in advance, exactly what evidence promotes a phase and exactly what action reverts it is not a plan — it is hope with a Gantt chart.
|
|
12
|
+
|
|
13
|
+
## Non-negotiable design rules
|
|
14
|
+
|
|
15
|
+
### 1. Every phase needs a rollback action completable within one deploy cycle
|
|
16
|
+
|
|
17
|
+
Not "we could revert the commit eventually." A concrete, rehearsed action: flip a feature flag, revert a route-table entry (see `strangler-boundary-design.md`), or redirect the fallback proxy back to the legacy origin. If the rollback action requires a data migration to reverse, it is not a one-deploy-cycle rollback — flag that phase as higher risk and require an explicit sign-off before it ships, not an assumption that "we probably won't need to roll back."
|
|
18
|
+
|
|
19
|
+
### 2. Every phase needs a measurable exit metric, not a date
|
|
20
|
+
|
|
21
|
+
Acceptable exit metrics (pick what's relevant to the phase, be specific, not generic):
|
|
22
|
+
|
|
23
|
+
- **Correctness parity**: error rate / exception rate on the migrated surface within an agreed delta of the legacy baseline over a stated observation window (e.g. 7 days of production traffic, not "looked fine in staging").
|
|
24
|
+
- **Performance budget**: a named Core Web Vitals or custom timing metric within budget on real user traffic (field data), not lab-only Lighthouse runs. State the budget number and the percentile (e.g. p75 LCP) before the phase starts, not after.
|
|
25
|
+
- **Accessibility parity**: no WCAG 2.2 AA regressions introduced on the migrated surface versus the legacy baseline — verified, not assumed, because visual parity does not imply a11y parity (a modern component can look identical and still break keyboard nav or screen-reader semantics).
|
|
26
|
+
- **Functional coverage**: percentage of legacy behavior with an automated test (unit/E2E) proving parity before the legacy path is removed for that surface. "It looks right when I clicked around" is not functional coverage.
|
|
27
|
+
|
|
28
|
+
A phase gate that only says "ship by end of quarter" with no metric above attached is incomplete — say so explicitly rather than accepting a date-only gate.
|
|
29
|
+
|
|
30
|
+
### 3. Rollback and forward-progress must not both depend on the same broken assumption
|
|
31
|
+
|
|
32
|
+
If the rollback path assumes the legacy stack is still fully deployable and the forward path assumes the legacy stack can be safely decommissioned, decide explicitly which is true at each point in time. Common failure: teams decommission legacy build infrastructure or dependencies "since we're mostly migrated" while the rollback plan still assumes that infrastructure exists. State exactly when the legacy stack becomes non-reinstatable, and do not cross that line until the exit criteria for full decommission (below) are met.
|
|
33
|
+
|
|
34
|
+
### 4. The legacy-decommission step is mandatory and time-boxed
|
|
35
|
+
|
|
36
|
+
A migration plan that ends at "new code is live in production alongside the old code, indefinitely" is not finished — it has produced a permanent second stack to maintain, patch for security, and onboard new engineers into. Every plan produced by this skill must include an explicit decommission phase with:
|
|
37
|
+
|
|
38
|
+
- a stated time-box (a date or a trigger condition — e.g. "30 days after the correctness-parity metric holds"),
|
|
39
|
+
- the specific artifacts being removed (routes, build config, dependencies, feature flags, dual-stack CI jobs),
|
|
40
|
+
- a final rollback-of-last-resort note: once legacy code/dependencies are actually deleted (not just unrouted), rollback is no longer a redeploy — it is a restore from version control and a re-provisioning effort. State this transition point explicitly so nobody assumes rollback stays cheap forever.
|
|
41
|
+
|
|
42
|
+
### 5. Security/auth coexistence gates are checkpoints, not footnotes
|
|
43
|
+
|
|
44
|
+
If any phase requires legacy and modern stacks to share auth/session state (see `strangler-boundary-design.md`, route-table seam), that phase's exit criteria must include an explicit security review sign-off as a blocking gate — not a "should be fine" assumption. Do not let a convenience shortcut ("just share the cookie") skip this gate.
|
|
45
|
+
|
|
46
|
+
## Minimal safe phase-gate template
|
|
47
|
+
|
|
48
|
+
For each phase, state:
|
|
49
|
+
|
|
50
|
+
1. **Entry criteria** — what must be true before this phase starts (e.g. prior phase's exit metric held for N days).
|
|
51
|
+
2. **Rollback action** — the specific, one-deploy-cycle-or-less action, and who/what triggers it (automatic alert threshold vs. manual call).
|
|
52
|
+
3. **Exit metric(s)** — the specific measurable target(s) from the categories above, with number, percentile/window, and data source (field vs. lab, explicitly labeled).
|
|
53
|
+
4. **Decommission artifacts** (only for the final phase(s)) — exactly what gets deleted and the time-box/trigger for deletion.
|
|
54
|
+
|
|
55
|
+
## Adversarial checklist
|
|
56
|
+
|
|
57
|
+
Before finalizing a phase gate, answer these:
|
|
58
|
+
|
|
59
|
+
- If this phase fails its exit metric, what is the exact command/flag/route change that reverts it, and has anyone rehearsed it?
|
|
60
|
+
- What happens to in-flight user sessions or in-progress transactions at the moment of rollback?
|
|
61
|
+
- Is the exit metric based on field data (real user traffic) or only lab data (synthetic runs)? If only lab, say so — it does not prove field parity.
|
|
62
|
+
- Does any exit metric assume a sample size / observation window long enough to be statistically meaningful, or is it "looked fine after a day"?
|
|
63
|
+
- Who has authority to declare the decommission time-box met, and what happens if the trigger condition never fires (permanent stall)?
|
|
64
|
+
|
|
65
|
+
If you cannot answer these for a given phase, the phase gate is not ready to ship — say so rather than presenting an incomplete gate as final.
|
|
66
|
+
|
|
67
|
+
## When to push back
|
|
68
|
+
|
|
69
|
+
Push back if the user proposes:
|
|
70
|
+
|
|
71
|
+
- "We'll decide the rollback plan if we need it" — rollback design is not optional and not deferrable to incident time.
|
|
72
|
+
- "Let's skip the decommission step, we can clean up later" — "later" is how dual-stack maintenance becomes permanent.
|
|
73
|
+
- "The exit criteria is just 'ship it and see'" — that is not a gate, it is an unmonitored rollout.
|
|
74
|
+
|
|
75
|
+
Those are not pragmatic shortcuts. They are how a bounded migration plan turns into indefinite dual-stack technical debt.
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
# Strangler Boundary Design
|
|
2
|
+
|
|
3
|
+
Use this reference only when the user needs the actual technical seam between legacy and modern code — a proxy/route table, a module federation boundary, or an in-page adapter layer — not for a high-level phase summary (that belongs in the main SKILL.md response).
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive story is:
|
|
8
|
+
|
|
9
|
+
> "We'll put the new framework next to the old one and slowly move pages over."
|
|
10
|
+
|
|
11
|
+
That undersells the seam design problem. The seam is where almost all migration risk concentrates: shared routing, shared auth/session, shared global CSS/JS, and shared build tooling all leak across the boundary unless it is designed deliberately. A vague "next to" is not a seam; it is an accident waiting to surface in production.
|
|
12
|
+
|
|
13
|
+
Officially grounded seam patterns (Context7-verified where cited):
|
|
14
|
+
|
|
15
|
+
## 1. Route-table / reverse-proxy seam (cross-stack, coarse-grained)
|
|
16
|
+
|
|
17
|
+
The legacy app and the new app live at the same origin (or behind a shared edge proxy), and routing decides which stack serves which path. This is the seam Next.js documents directly: a `rewrites().fallback` config that proxies every unmatched route to the existing legacy site, so you migrate route-by-route while the legacy app keeps serving everything not yet migrated (Context7-verified: `vercel/next.js` docs, `rewrites.mdx`).
|
|
18
|
+
|
|
19
|
+
Design rules for this seam:
|
|
20
|
+
- Decide route ownership explicitly per URL prefix; do not let both stacks claim the same path under different conditions (e.g. query-param-based routing to two different apps at the same path is a maintenance trap).
|
|
21
|
+
- Shared navigation chrome (header/footer/nav) rendered by two different stacks will drift visually and behaviorally. Either keep it duplicated with a visual-regression gate on both, or extract it into a served fragment neither app owns independently.
|
|
22
|
+
- Session/auth cookies must be readable by both origins/apps identically, or you have silently created a security gate (see SKILL.md — this needs an explicit review, not an assumption that "cookies just work").
|
|
23
|
+
|
|
24
|
+
## 2. Directory/module coexistence seam (same-framework major upgrades, or App Router migrations)
|
|
25
|
+
|
|
26
|
+
Some frameworks explicitly support two routing/rendering models coexisting in the same codebase during migration — for example, Next.js `app/` and `pages/` directories running side by side, with official guidance to migrate in small incremental steps rather than all at once (Context7-verified: `vercel/next.js` docs, `app-router-migration.mdx`).
|
|
27
|
+
|
|
28
|
+
Design rules for this seam:
|
|
29
|
+
- Confirm the specific framework version actually supports this coexistence mode before planning around it — do not assume parity across major versions without checking current docs for that version.
|
|
30
|
+
- Treat each migrated unit (page, route segment, module) as independently revertible: moving a route from the old model to the new one should be revertible by moving it back, not by reverting a large multi-file commit.
|
|
31
|
+
- Watch for cross-cutting concerns that do not respect the module boundary: global CSS resets, shared state stores, and app-wide providers/interceptors often need to be dual-registered or bridged, and that bridging code is itself migration debt that must be tracked and later removed.
|
|
32
|
+
|
|
33
|
+
## 3. Adapter/wrapper seam (embedding new components inside legacy views, or vice versa)
|
|
34
|
+
|
|
35
|
+
A common fine-grained seam: mount a modern component (e.g. React) inside a specific DOM node that the legacy stack (e.g. jQuery/Backbone) still controls, via an explicit mount/unmount adapter. This is the right seam when there is no clean route-level boundary — e.g. a single complex widget inside an otherwise-legacy page.
|
|
36
|
+
|
|
37
|
+
Design rules for this seam:
|
|
38
|
+
- The adapter must own an explicit lifecycle contract: who calls mount, who calls unmount, and what happens on the legacy view's re-render (does it destroy and remount the modern component, or does it leave it alone?). An undefined lifecycle contract causes memory leaks or duplicate event listeners — this is the most common actual incident in this pattern.
|
|
39
|
+
- Do not share mutable state between the two stacks by direct object reference across the boundary. Pass data in, read data out via an explicit, versioned contract (props in, callback/event out), so either side can evolve independently.
|
|
40
|
+
- CSS leakage across the boundary (legacy global styles cascading into the modern component's markup, or vice versa) needs a stated containment strategy (scoped classes, shadow DOM, or a documented "no shared class names" rule) before this seam ships to production, not after a visual bug report.
|
|
41
|
+
|
|
42
|
+
## 4. Module federation / micro-frontend seam (large-scale, multi-team boundary)
|
|
43
|
+
|
|
44
|
+
When multiple teams own different areas of the surface, a build-time or runtime module federation boundary lets each area upgrade independently. This is a heavier seam — it introduces shared-dependency version negotiation (React/framework version skew between federated modules) as a first-class operational concern.
|
|
45
|
+
|
|
46
|
+
Design rules for this seam:
|
|
47
|
+
- Explicitly decide and document which shared dependencies (framework, design-system, state library) are singleton-shared vs. independently versioned per module. Undecided version skew is the top failure mode of federation-based strangling.
|
|
48
|
+
- Define a contract for cross-module navigation and shared auth/session state before any module ships, not as each new module is added ad hoc.
|
|
49
|
+
|
|
50
|
+
## Verification targets
|
|
51
|
+
|
|
52
|
+
- For any Next.js-specific claim above (rewrites/fallback config, app/pages coexistence), re-verify the exact config shape against the installed Next.js version's current docs before writing production config — minor/major versions have changed this surface across releases.
|
|
53
|
+
- For any other framework/bundler pairing not covered above, resolve the library via Context7 and query current docs for an "incremental adoption" or "migration guide" page before proposing a specific seam mechanism; do not assume feature parity with the Next.js/React examples above.
|
|
54
|
+
|
|
55
|
+
## When to push back
|
|
56
|
+
|
|
57
|
+
Push back if the user asks for:
|
|
58
|
+
|
|
59
|
+
- a seam with no explicit route/module ownership decision ("we'll figure out which app handles what dynamically")
|
|
60
|
+
- shared mutable state passed by direct reference across the legacy/modern boundary "to keep it simple"
|
|
61
|
+
- a module federation boundary with no shared-dependency version policy
|
|
62
|
+
|
|
63
|
+
Those are not simplifications. They are the exact places migrations go from "in progress" to "permanently half-broken."
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: frontend-observability-rum-instrumentation
|
|
3
|
+
description: Design or review browser-side Real User Monitoring instrumentation for Core Web Vitals (LCP, INP, CLS) using the web-vitals attribution build and distributed tracing via OpenTelemetry Web, enforcing lab-vs-field evidence labeling, sampling/cardinality sizing, and PII-in-telemetry controls, with library-specific wiring references loaded only when instrumentation code is actually being written or reviewed.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: observability
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Frontend Observability RUM Instrumentation
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Lab-only performance testing (Lighthouse, synthetic CI runs) systematically misses the device/network diversity of real users, and ad-hoc telemetry instrumentation routinely leaks PII into span attributes or blows up observability cost through unsampled high-cardinality export. This skill wires and reviews field RUM (web-vitals + OpenTelemetry Web) with explicit evidence labeling and privacy/cost guardrails baked in from the start.
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- instrument Core Web Vitals (LCP, INP, CLS) field measurement in a web app,
|
|
23
|
+
- set up or review OpenTelemetry Web browser tracing (document load, fetch/XHR spans),
|
|
24
|
+
- review an existing RUM/telemetry pipeline for PII exposure or sampling/cost issues,
|
|
25
|
+
- interpret or report on Core Web Vitals data and needs a lab-vs-field distinction made explicit,
|
|
26
|
+
- set or validate a performance budget against field p75 data.
|
|
27
|
+
|
|
28
|
+
## When NOT to use
|
|
29
|
+
|
|
30
|
+
- Diagnosing *why* a specific LCP/INP/CLS number is high (phase decomposition of an existing regression) — hand off to `core-web-vitals-triage`; this skill instruments the pipeline that produces the data, it does not decompose an already-captured regression.
|
|
31
|
+
- Bundle size, code-splitting, or caching remediation once a cause is known — hand off to `bundle-budget-code-splitting-review` or `service-worker-cache-strategy-review`.
|
|
32
|
+
- Server-side or backend-service tracing with no browser-origin span — this skill is scoped to browser-side RUM and OpenTelemetry Web only.
|
|
33
|
+
|
|
34
|
+
## Context7 Documentation Protocol
|
|
35
|
+
|
|
36
|
+
`web-vitals` and OpenTelemetry Web packages ship breaking API changes across major versions (attribution-build option shapes, sampler class names, exporter constructor options), and memorized snippets go stale. Before writing or reviewing instrumentation code:
|
|
37
|
+
|
|
38
|
+
1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
|
|
39
|
+
2. Call `mcp__Context7__resolve-library-id` for `web-vitals` and/or `opentelemetry-js` before making any claim about their current API shape. Verified IDs as of this skill's `updated` date: `/googlechrome/web-vitals` and `/open-telemetry/opentelemetry-js`.
|
|
40
|
+
3. Call `mcp__Context7__query-docs` for the specific mechanism in scope — e.g. "attribution build generateTarget option", "INPAttributionReportOpts durationThreshold", "WebTracerProvider spanProcessors config", "TraceIdRatioBasedSampler" — before ruling on it. Do this per review; do not reuse a prior session's memory of these APIs.
|
|
41
|
+
4. Known facts verified via Context7 as of this skill's `updated` date: the attribution build (`web-vitals/attribution`) accepts `AttributionReportOpts` (`reportAllChanges`, `generateTarget`) on `onCLS`/`onFCP`/`onLCP`/`onTTFB`, and `INPAttributionReportOpts` additionally exposes `durationThreshold` (default `40`) and `includeProcessedEventEntries` (default `true`) on `onINP`. `WebTracerProvider` (from `@opentelemetry/sdk-trace-web`) takes a `spanProcessors` array in its constructor — do not tell a user to call a separate `addSpanProcessor` method as the primary pattern without checking the installed SDK version. `TraceIdRatioBasedSampler` takes a single ratio argument (0–1) and is normally wrapped in `ParentBasedSampler({ root: ... })` so that downstream/parent sampling decisions are respected.
|
|
42
|
+
5. If Context7 is unavailable or returns no relevant match, fall back to `official_docs` / `references/*.md` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
|
|
43
|
+
6. Never invent a `web-vitals` metric field, attribution property, OpenTelemetry exporter option, or sampler class that no queried source confirms.
|
|
44
|
+
|
|
45
|
+
## Lean operating rules
|
|
46
|
+
|
|
47
|
+
- Always label every performance number as lab evidence (Lighthouse/CI/synthetic) or field evidence (RUM, real users — state the percentile; p75 is the CWV standard) — never let the two blur into an unlabeled "the site is fast" claim.
|
|
48
|
+
- Default to the standard `web-vitals` build (`onLCP`/`onINP`/`onCLS`) for production reporting; only use the `/attribution` build's richer diagnostic payload when actively debugging a specific regression, and only send that extra payload to a dev/debug destination, not blanket production export.
|
|
49
|
+
- Do not enable `reportAllChanges: true` in production by default — it multiplies event volume for a debugging-only benefit.
|
|
50
|
+
- Before adding any custom span/metric attribute, run it through a PII check: no raw URLs with query strings, no user IDs, no free-text form input, no precise geolocation, unless explicitly scrubbed and justified.
|
|
51
|
+
- Size the OpenTelemetry sampling rate (e.g. `TraceIdRatioBasedSampler` wrapped in `ParentBasedSampler`) against the stated/estimated traffic volume and the backend's cost/cardinality limits; never recommend 100% unsampled export for a high-traffic app without an explicit cost review.
|
|
52
|
+
- Use OpenTelemetry Semantic Conventions attribute names instead of inventing ad-hoc span/attribute naming, so telemetry stays queryable/comparable across services.
|
|
53
|
+
- Treat any recommended performance budget threshold as grounded in web.dev's documented "good" ranges (LCP ≤2.5s, INP ≤200ms, CLS ≤0.1 at p75) unless the org has an explicitly stricter documented SLO.
|
|
54
|
+
- This skill performs static review and instrumentation-code authoring only; it does not deploy telemetry configuration to production or flip sampling/export settings on a live collector without explicit human sign-off logged outside this skill.
|
|
55
|
+
|
|
56
|
+
## References
|
|
57
|
+
|
|
58
|
+
Load these only when needed:
|
|
59
|
+
|
|
60
|
+
- [web-vitals attribution build wiring](references/web-vitals-attribution-wiring.md) — use when writing or reviewing the actual `onLCP`/`onINP`/`onCLS` instrumentation call, choosing between standard and attribution builds, or setting `generateTarget`/`durationThreshold`/`reportAllChanges`.
|
|
61
|
+
- [OpenTelemetry Web tracing wiring](references/opentelemetry-web-tracing-wiring.md) — use only when wiring or reviewing `WebTracerProvider`, `DocumentLoadInstrumentation`, `FetchInstrumentation`, exporter, or sampler configuration.
|
|
62
|
+
- [Sampling, cardinality, and PII controls](references/sampling-cardinality-pii-controls.md) — use when sizing sampling rates against traffic/cost, naming attributes via Semantic Conventions, or auditing an existing pipeline for PII leakage.
|
|
63
|
+
|
|
64
|
+
## Response minimum
|
|
65
|
+
|
|
66
|
+
Return, at minimum:
|
|
67
|
+
|
|
68
|
+
- the metric/trace component in scope and whether guidance concerns lab or field measurement,
|
|
69
|
+
- evidence level for any performance claim (lab-evidence, field-evidence with percentile, or documentation-based),
|
|
70
|
+
- instrumentation code or review findings with exact API options used,
|
|
71
|
+
- PII-in-telemetry check result for every attribute touched,
|
|
72
|
+
- sampling-rate rationale tied to stated traffic volume and cost constraints.
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "frontend-observability-rum-instrumentation",
|
|
3
|
+
"name": "Frontend Observability RUM Instrumentation",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Skill for designing and reviewing Real User Monitoring instrumentation using the web-vitals attribution build and OpenTelemetry Web, with explicit sampling, cardinality, and PII-in-telemetry controls and lab-vs-field evidence labeling.",
|
|
15
|
+
"source_type": "adapted",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://web.dev/articles/vitals",
|
|
18
|
+
"https://github.com/GoogleChrome/web-vitals",
|
|
19
|
+
"https://opentelemetry.io/docs/languages/js/",
|
|
20
|
+
"https://opentelemetry.io/docs/specs/semconv/"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "Never recommends capturing full URLs with query strings, user identifiers, or free-text form values as span/metric attributes without explicit scrubbing. Read-only review of existing instrumentation; does not deploy telemetry config changes to production without explicit human sign-off logged outside this skill.",
|
|
23
|
+
"last_verified": "2026-07-02",
|
|
24
|
+
"path": "skills/frontend/frontend-observability-rum-instrumentation",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|