@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (875) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15393 -12593
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +5 -4
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/export-marketplace-agents.mjs +48 -15
  333. package/scripts/generate-docs-data.mjs +1 -0
  334. package/scripts/generate-kiro-powers.mjs +12 -0
  335. package/scripts/update-catalog-new-agents.py +6 -1
  336. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  340. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  341. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  342. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  344. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  345. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  346. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  348. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  353. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  354. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  355. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  356. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  357. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  358. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  359. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  360. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  361. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  362. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  363. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  368. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  374. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  375. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  376. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  377. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  378. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  379. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  380. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  381. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  382. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  383. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  384. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  385. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  386. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  387. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  390. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  391. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  392. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  393. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  394. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  395. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  396. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  399. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  404. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  405. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  406. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  407. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  408. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  409. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  410. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  411. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  413. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  414. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  415. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  418. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  419. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  420. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  422. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  423. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  424. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  425. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  426. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  427. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  434. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  439. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  443. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  444. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  445. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  446. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  447. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  448. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  449. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  454. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  459. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  460. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  461. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  463. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  464. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  465. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  469. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  470. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  471. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  472. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  473. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  474. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  475. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  476. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  479. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  484. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  485. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  486. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  489. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  494. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  495. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  496. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  498. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  499. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  500. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  503. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  507. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  512. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  513. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  514. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  515. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  516. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  517. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  523. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  524. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  525. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  528. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  529. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  530. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  534. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  535. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  536. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  539. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  540. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  541. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  542. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  543. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  548. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  549. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  550. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  551. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  552. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  553. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  554. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  555. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  556. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  557. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  558. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  559. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  564. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  569. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  570. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  571. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  572. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  573. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  574. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  579. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  583. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  584. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  585. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  587. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  592. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  593. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  594. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  595. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  596. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  597. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  598. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  599. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  602. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  607. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  608. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  609. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  613. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  614. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  615. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  616. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  617. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  618. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  619. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  620. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  621. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  622. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  623. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  624. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  629. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  671. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  713. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  714. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  725. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  736. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  764. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  775. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  786. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  797. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  808. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  819. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  830. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  841. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  861. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  872. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  873. package/tests/test-vfa-export-coverage.test.mjs +30 -0
  874. package/tests/validate-catalog.py +1 -0
  875. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,125 @@
1
+ # RTL and Logical-Property Layout Audit
2
+
3
+ Use this reference only when reviewing `lang`/`dir` attribute propagation, CSS logical
4
+ properties, or directional-iconography readiness for RTL markets.
5
+
6
+ > Version note: CSS logical-property support and the exact `dir="auto"` / `unicode-bidi`
7
+ > interaction are spec/browser-support-sensitive. Verify current support and behavior
8
+ > against the W3C Internationalization Techniques guidance and current MDN CSS logical
9
+ > properties documentation before asserting a given property is safe to rely on.
10
+
11
+ ## What people get wrong
12
+
13
+ The common bad assumption is:
14
+
15
+ > "RTL support means flipping the whole page with `dir="rtl"` on `<html>`, and CSS
16
+ > `transform: scaleX(-1)` or a mirrored stylesheet handles the rest."
17
+
18
+ That is incomplete in two directions:
19
+
20
+ 1. **Physical CSS properties don't flip automatically.** `margin-left`,
21
+ `padding-right`, `left`, `text-align: left` are all physical — they do not
22
+ reverse when `dir` changes. A layout built entirely from physical properties will
23
+ have `dir="rtl"` applied but visually remain LTR-positioned (padding stays on the
24
+ same physical side), which is often worse than doing nothing, because it looks
25
+ half-implemented.
26
+ 2. **Not everything should mirror.** Numerals, code snippets, logos, and some icon
27
+ families (e.g., a play button) are directionally invariant and should *not* flip;
28
+ only directionally-meaningful content (arrows indicating navigation direction,
29
+ "next/back" chevrons, progress bars implying forward motion) should mirror. A
30
+ blanket `scaleX(-1)` on the whole page over-mirrors and under-mirrors
31
+ simultaneously (it flips text glyphs and logos it shouldn't, while CSS engines
32
+ already handle text shaping/bidi separately from that transform).
33
+
34
+ ## Officially grounded shape (W3C Internationalization guidance)
35
+
36
+ - The `dir` attribute belongs on `<html>` at minimum, and should be set from the
37
+ active locale's script directionality, not hardcoded — the W3C guidance on the
38
+ `dir` attribute and the CSS `direction` property covers this split: `dir` is the
39
+ HTML-level semantic direction; `direction`/logical properties are the CSS-level
40
+ mechanism that responds to it.
41
+ - CSS logical properties (`margin-inline-start`, `margin-inline-end`,
42
+ `padding-block-start`, `inset-inline-start`, `border-inline-end`, `text-align:
43
+ start`/`end`) are defined relative to the *flow direction*, so a single stylesheet
44
+ written in logical properties adapts to `dir="ltr"` or `dir="rtl"` without a mirrored
45
+ stylesheet or a JS-driven layout flip.
46
+ - Bidi (bidirectional text) isolation matters even in an LTR-primary UI that embeds
47
+ RTL user content (e.g., a name or comment in Arabic inside an English UI) —
48
+ unisolated bidi runs can visually corrupt adjacent punctuation/numbers. Use `dir`
49
+ scoping or Unicode bidi-isolation characters/CSS `unicode-bidi: isolate` around
50
+ user-generated content of unknown directionality, not just at the page root.
51
+
52
+ ## Non-negotiable review rules
53
+
54
+ 1. **Verify `dir` is set dynamically from the active locale's script, and actually
55
+ reaches the rendered `<html>` element** — not just passed as a prop to a component
56
+ that never forwards it to the DOM root. A `dir` value trapped in application state
57
+ without reaching `<html dir>` does nothing for native browser bidi/text-alignment
58
+ behavior.
59
+ 2. **Grep for physical CSS properties in layout-critical rules** (`margin-left`,
60
+ `margin-right`, `padding-left`, `padding-right`, `left`, `right`, `text-align: left`,
61
+ `text-align: right`, `float: left`, `float: right`, `border-left`, `border-right`) —
62
+ each is a candidate defect if RTL is in scope or roadmapped. Flag with file:line;
63
+ do not silently "fix" — this skill reviews, it doesn't rewrite the codebase.
64
+ 3. **Distinguish directionally-meaningful icons from directionally-invariant ones.**
65
+ Flag navigation/progression icons (back/forward chevrons, "next step" arrows) that
66
+ lack any RTL-mirroring mechanism (a `dir`-aware icon variant, CSS `transform:
67
+ scaleX(-1)` scoped narrowly to that icon under `[dir="rtl"]`, or an icon library
68
+ with built-in bidi awareness). Do not flag logos, brand marks, or numerals as
69
+ needing mirroring.
70
+ 4. **Check bidi isolation for embedded user-generated or mixed-direction content**
71
+ (usernames, free-text fields, search queries) rendered inside a primarily
72
+ single-direction UI — flag missing isolation (`unicode-bidi: isolate`, `dir="auto"`
73
+ on the specific element, or equivalent) as a defect distinct from the page-level
74
+ `dir` question.
75
+ 5. **Do not accept a single manually-mirrored RTL stylesheet as a substitute for
76
+ logical properties** if the codebase is under active development — a parallel
77
+ mirrored stylesheet requires ongoing double-maintenance and drifts; flag it as a
78
+ maintainability/regression risk even if it currently renders correctly, and
79
+ recommend migration to logical properties as the structural fix.
80
+
81
+ ## Minimal safe audit flow
82
+
83
+ 1. Confirm where `dir` is set (locale config, i18n library, manual state) and trace
84
+ whether it reaches `<html dir>` in the actual rendered output (grep component tree /
85
+ root layout, not just the i18n config).
86
+ 2. Grep CSS/CSS-in-JS/Tailwind classes for physical directional properties in
87
+ layout-critical files; note density (a handful of instances vs. pervasive use)
88
+ since that changes remediation scope and urgency.
89
+ 3. Grep for directional icon usage (chevron/arrow component names, icon library
90
+ imports for "next"/"back"/"forward"/"previous") and check for any `dir`-aware
91
+ handling.
92
+ 4. Grep for free-text/user-generated-content rendering sites and check for bidi
93
+ isolation handling.
94
+ 5. Record findings as file:line, the specific physical-property or missing-isolation
95
+ instance, and whether RTL is currently shipped, roadmapped, or out of scope (which
96
+ changes finding severity but not whether it's recorded).
97
+
98
+ ## Adversarial checklist
99
+
100
+ Before clearing layout as "RTL-ready," answer these:
101
+
102
+ - Does `dir` actually reach `<html>`, or only live in component props/i18n state?
103
+ - What fraction of layout-critical CSS uses physical vs. logical properties?
104
+ - Which icons are directionally meaningful, and do any of them lack a mirroring
105
+ mechanism?
106
+ - Is there any user-generated or mixed-direction text rendered without bidi isolation?
107
+ - Is RTL support implemented via a parallel mirrored stylesheet (maintenance/drift
108
+ risk) or via logical properties (structural fix)?
109
+
110
+ If you cannot answer these, the RTL audit is incomplete — say so rather than declaring
111
+ readiness.
112
+
113
+ ## When to push back
114
+
115
+ Push back if the user asks to:
116
+
117
+ - "just flip the whole page with `transform: scaleX(-1)` and call it RTL support" —
118
+ that over-mirrors text/logos and under-addresses logical layout flow; it is not a
119
+ substitute for `dir` + logical properties.
120
+ - defer `dir`/logical-property work indefinitely because "we're not launching RTL
121
+ markets yet" while simultaneously claiming full i18n/l10n readiness — readiness
122
+ claims should state RTL scope explicitly (in scope, roadmapped, or explicitly out of
123
+ scope) rather than being silently omitted.
124
+ - treat a manually-mirrored RTL stylesheet as a permanent solution rather than a
125
+ stopgap, when the codebase is under active development and will keep drifting.
@@ -0,0 +1,70 @@
1
+ ---
2
+ name: javascript-runtime-async-review
3
+ description: Review JavaScript/TypeScript for event-loop and microtask/macrotask ordering correctness, unhandled Promise rejection paths, DOM event-listener and timer cleanup, and race-condition risk in rapid-repeated-async UI patterns, tracing actual browser scheduling semantics rather than assumed synchronous-style reasoning about async code.
4
+ allowed-tools: Read Grep Glob Bash(git diff:*) WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: delivery
10
+ ---
11
+
12
+ # JavaScript Runtime & Async Correctness Review
13
+
14
+ ## Purpose
15
+
16
+ `async`/`await` reads like synchronous code, which leads developers to reason about it as if it were synchronous — but the underlying microtask/macrotask scheduling model still governs actual execution order, and getting it wrong produces exactly the class of bug that's hardest to catch in normal testing: intermittent, timing-dependent, "works on my machine" race conditions. This skill traces real event-loop ordering, audits every async chain for unhandled-rejection paths, and verifies every listener/timer has a reachable cleanup path, so timing correctness is verified rather than assumed.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review JavaScript/TypeScript async code (Promises, async/await, timers) for correctness,
23
+ - audit event-listener, timer, or observer cleanup to prevent memory leaks,
24
+ - diagnose or prevent race conditions in UI patterns with rapid repeated async calls (search-as-you-type, polling, infinite scroll),
25
+ - check for unhandled Promise rejections, especially on security-relevant code paths,
26
+ - verify actual microtask/macrotask execution order for a specific code sequence.
27
+
28
+ Do not use this skill for:
29
+
30
+ - framework-specific effect/hook lifecycle review (React `useEffect` dependency arrays, Vue watchers) — use the matching framework-specific review skill; this skill covers the underlying runtime/scheduling layer those skills build on,
31
+ - bundler/build-tool configuration or transpilation-target correctness — out of scope,
32
+ - a claim that requires live production traffic or load-test evidence to confirm timing under real network jitter — this is static-review-only; label those findings as needing live verification, do not assert them as proven.
33
+
34
+ ## Context7 Documentation Protocol
35
+
36
+ - Resolve the docs source with `resolve-library-id` against `/mdn/content` (or the closest current MDN Context7 ID) before asserting any ordering, scheduling, or API-behavior claim.
37
+ - Before ruling on a specific ordering question (e.g., "does this `setTimeout(fn, 0)` run before or after this `.then()`"), call `query-docs` for that exact scenario — do not answer from memory or from a synchronous mental model, since ordering intuitions are a frequent source of subtly-wrong review comments.
38
+ - Trace microtask-vs-task distinctions explicitly: microtasks (Promise callbacks, `queueMicrotask`, `async`/`await` continuations) drain completely — including microtasks they themselves enqueue — before the next macrotask (`setTimeout`, `setInterval`, I/O, UI rendering) runs. Cite this distinction rather than assuming the reader already applies it correctly.
39
+ - For cancellation/lifecycle patterns (`AbortController`, `removeEventListener`), verify current API shape and browser support notes via `query-docs` before recommending a specific signature — do not invent options or assume universal support without checking.
40
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
41
+
42
+ ## Lean operating rules
43
+
44
+ - Do not assume `async`/`await` makes code race-condition-safe by default — it only guarantees ordering within a single linear await chain, not between independently-triggered async operations.
45
+ - Trace the actual microtask/macrotask interleaving for any ordering claim rather than asserting it from a synchronous mental model; query current MDN event-loop/microtask docs before ruling, since this is a frequent source of subtly-wrong assumptions.
46
+ - Every Promise chain must terminate in a `.catch` or sit inside a try/catch around every `await` — flag any chain that doesn't as an unhandled-rejection risk, with extra weight if it touches an authorization/permission check.
47
+ - Every `addEventListener`/`setInterval`/non-one-shot `setTimeout`/`Observer` must be matched to a traced, reachable `removeEventListener`/`clearInterval`/`clearTimeout`/`disconnect` call, including on early-return and error paths.
48
+ - Any UI pattern with rapid repeated async calls (search-as-you-type, polling) must use `AbortController`, a request-generation counter, or equivalent sequencing — flag its absence as a race-condition risk, not a style preference.
49
+ - Do not accept "passed manual testing" as sufficient evidence for timing-sensitive code — manual testing rarely hits the interleavings that matter; flag as needing live/load-tested verification instead.
50
+ - Flag `eval`, `new Function()`, and string-argument timers as code-injection risks requiring explicit justification, not routine patterns.
51
+ - Label every ordering/timing claim as `spec-traced`, `documentation-based`, or `needs live-runtime verification` so reviewers know what's actually been verified.
52
+ - Never execute, build, or run application code as part of this review; this is a static-review skill (Read/Grep/Glob only, plus `git diff` for scoping and `WebFetch` for spec/docs grounding).
53
+
54
+ ## References
55
+
56
+ Load these only when needed:
57
+
58
+ - [Event-loop ordering trace patterns](references/event-loop-tracing.md) — use when tracing the actual execution order of a specific microtask/macrotask/await sequence in review.
59
+ - [Unhandled-rejection audit checklist](references/rejection-audit.md) — use when systematically auditing a file/module's Promise chains for missing `.catch`/try-catch coverage.
60
+ - [Race-condition and cancellation patterns](references/race-condition-patterns.md) — use when reviewing rapid-repeated-async UI code for AbortController, generation-counter, or equivalent sequencing needs.
61
+
62
+ ## Response minimum
63
+
64
+ Return, at minimum:
65
+
66
+ - the event-loop/ordering verdict for each async chain reviewed, with the traced resolution order (not assumed),
67
+ - the unhandled-rejection audit result for every Promise chain in scope,
68
+ - the listener/timer/observer cleanup audit result, matching every registration to its cleanup call,
69
+ - race-condition risk flags for any rapid-repeated-call pattern lacking sequencing or cancellation,
70
+ - residual risk notes for anything requiring live or load-tested verification beyond this static trace.
@@ -0,0 +1,29 @@
1
+ {
2
+ "id": "javascript-runtime-async-review",
3
+ "name": "JavaScript Runtime & Async Correctness Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews JavaScript for event-loop/microtask ordering correctness, unhandled Promise rejections, DOM event-listener lifecycle, and race-condition risk in rapid-repeated-async UI patterns, tracing actual browser scheduling behavior rather than assumed synchronous-style reasoning.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Using_promises",
18
+ "https://developer.mozilla.org/en-US/docs/Web/API/HTML_DOM_API/Microtask_guide",
19
+ "https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/await",
20
+ "https://html.spec.whatwg.org/multipage/webappapis.html#event-loops",
21
+ "https://developer.mozilla.org/en-US/docs/Web/API/AbortController",
22
+ "https://tc39.es/ecma262/"
23
+ ],
24
+ "security_notes": "Flag unhandled Promise rejections on authorization/permission-check code paths — a rejected check that isn't awaited/caught can fail open. Flag eval, new Function(), and string-argument setTimeout/setInterval as code-injection surfaces. Flag window/document message-event listeners without an origin check on postMessage payloads. Require AbortController-based cancellation for lifecycle-bound fetches to prevent stale-response race conditions that can leak one user's data into another user's view after a fast session switch.",
25
+ "last_verified": "2026-07-02",
26
+ "path": "skills/frontend/javascript-runtime-async-review",
27
+ "author": "github: Raishin",
28
+ "version": "0.1.0"
29
+ }
@@ -0,0 +1,95 @@
1
+ # Event-Loop Ordering Trace Patterns
2
+
3
+ Use this reference only when a review requires tracing the actual resolution order of a specific microtask/macrotask/`await` sequence — not for general async-code review; use `rejection-audit.md` or `race-condition-patterns.md` for those.
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > "`async`/`await` reads top-to-bottom, so it executes top-to-bottom relative to everything else."
10
+
11
+ That is wrong. `async`/`await` is sugar over Promises. Every `await` suspends the async function and schedules its continuation as a **microtask**; it does not pause the rest of the program. Code after the async function call keeps running synchronously until the call stack empties, and only then does the microtask queue drain — completely, including any new microtasks enqueued during that drain — before the next macrotask (`setTimeout`, `setInterval`, I/O callback, UI paint) runs.
12
+
13
+ ## Officially grounded ordering rules (MDN)
14
+
15
+ Two queue classes, not one:
16
+
17
+ - **Task queue (macrotasks):** initial script execution, `setTimeout`/`setInterval` callbacks, event dispatch, I/O. When a new event-loop iteration begins, the runtime executes exactly the next task from the task queue. Tasks queued during that iteration wait for the *next* iteration.
18
+ - **Microtask queue:** Promise `.then`/`.catch`/`.finally` callbacks, `async`/`await` continuations, `queueMicrotask()`. Whenever a task exits and the call stack is empty, **all** microtasks run in turn — including ones newly enqueued by currently-running microtasks — until the microtask queue is fully empty. Only then does the next macrotask run.
19
+
20
+ Canonical worked example (MDN, `Guide/Using_promises`):
21
+
22
+ ```js
23
+ const wait = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
24
+
25
+ wait(0).then(() => console.log(4));
26
+ Promise.resolve()
27
+ .then(() => console.log(2))
28
+ .then(() => console.log(3));
29
+ console.log(1);
30
+ // Output: 1, 2, 3, 4
31
+ ```
32
+
33
+ `wait(0)` still goes through `setTimeout`, so its `.then` callback is a macrotask-queued continuation — it runs *after* all currently-queryable microtasks, even though its delay is `0` and even though it was scheduled first in source order. Do not accept "it's `setTimeout(fn, 0)` so it's basically synchronous" as a review claim; it is not.
34
+
35
+ Second canonical example, showing microtasks interleaving with `await` continuations (MDN, `Reference/Operators/await`):
36
+
37
+ ```js
38
+ let i = 0;
39
+ queueMicrotask(function test() {
40
+ i++;
41
+ console.log("microtask", i);
42
+ if (i < 3) queueMicrotask(test);
43
+ });
44
+
45
+ (async () => {
46
+ console.log("async function start");
47
+ for (let i = 1; i < 3; i++) {
48
+ await null;
49
+ console.log("async function resume", i);
50
+ }
51
+ await null;
52
+ console.log("async function end");
53
+ })();
54
+
55
+ queueMicrotask(() => console.log("queueMicrotask() after calling async function"));
56
+ console.log("script sync part end");
57
+
58
+ // Logs, in order:
59
+ // async function start
60
+ // script sync part end
61
+ // microtask 1
62
+ // async function resume 1
63
+ // queueMicrotask() after calling async function
64
+ // microtask 2
65
+ // async function resume 2
66
+ // microtask 3
67
+ // async function end
68
+ ```
69
+
70
+ The load-bearing detail: each `await null` inside the async function re-enters the *back* of the microtask queue on resume, so it interleaves with other pending microtasks rather than running immediately after the previous line. A review claim that "the loop finishes before the other microtasks run" is wrong given this trace — verify against the actual queue order, don't assert it.
71
+
72
+ ## Non-negotiable design rules
73
+
74
+ 1. **Never assert an ordering claim without naming which queue each operation lands on.** "This runs first" is not a finding; "this is a microtask (Promise `.then`) so it runs before that macrotask (`setTimeout`), regardless of the `setTimeout` delay value" is.
75
+ 2. **`setTimeout(fn, 0)` (or any small delay) is not "basically synchronous" and is not "basically a microtask."** It is a macrotask. All pending microtasks — including ones enqueued while draining the current batch — run before it, no matter how small the delay.
76
+ 3. **A `for`/`while` loop containing multiple `await` points interleaves with other queued microtasks on every resume**, not just at the start and end of the loop. Do not assume the loop runs to completion "in one go" once started.
77
+ 4. **`Promise.resolve().then(...)` chains queue one microtask per `.then` link.** A five-link `.then` chain takes five microtask-queue drains to fully resolve, and other pending microtasks interleave between each link if they were already queued.
78
+ 5. **Rendering/painting is a macrotask-adjacent checkpoint, not a microtask checkpoint.** Layout/paint work happens after the microtask queue drains and before the next macrotask in browsers implementing the HTML spec's rendering opportunity model — do not assume a DOM mutation made inside a microtask is guaranteed visible to the user before the *next* microtask runs; it is not guaranteed until a rendering opportunity occurs.
79
+
80
+ ## Verification targets
81
+
82
+ When repo evidence is available, verify a disputed ordering claim by:
83
+
84
+ - identifying every `Promise`-returning call, `.then`/`.catch`/`.finally`, `await`, and `queueMicrotask` in the sequence and labeling each a microtask source,
85
+ - identifying every `setTimeout`/`setInterval`/event-dispatch/I-O callback and labeling each a macrotask source,
86
+ - walking the sequence in source order, applying "drain all microtasks (including newly enqueued ones) before the next macrotask" at each synchronous-execution boundary,
87
+ - if the trace is non-obvious or contested, recommend the reviewer actually run the snippet (`node` REPL or browser console) rather than settle the dispute by further reasoning alone — label the resulting claim `needs live-runtime verification` until that's done.
88
+
89
+ ## When to push back
90
+
91
+ Push back if the user asks you to:
92
+
93
+ - assert an ordering claim "because `async`/`await` looks synchronous" without tracing the actual queue mechanics — that is exactly the intuition that produces production race conditions,
94
+ - treat `setTimeout(fn, 0)` as a synchronization primitive to "make sure the DOM update happened" — it is not deterministic relative to other macrotasks/microtasks queued by other code and is not a documented ordering guarantee,
95
+ - skip tracing a "probably fine" reordering in a diff without walking the actual microtask/macrotask sequence — "probably fine" is not evidence for a scheduling claim.
@@ -0,0 +1,96 @@
1
+ # Race-Condition and Cancellation Patterns
2
+
3
+ Use this reference only when reviewing a UI pattern with rapid repeated async calls (search-as-you-type, polling, infinite scroll, tab-switch-triggered refetch, debounced/throttled handlers) for `AbortController`, generation-counter, or equivalent sequencing needs — not for general rejection-handling audit (`rejection-audit.md`) or pure ordering questions with no repeated-call risk (`event-loop-tracing.md`).
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > "The requests are sent in order, so the responses will arrive and get applied in order too."
10
+
11
+ That is false, and it is the single most common source of "stale data flashes onto the screen" bug reports. Nothing about the network or the event loop guarantees that responses resolve in request order — a slower request issued first can resolve *after* a faster request issued second, and if both unconditionally call the same `setState`/DOM-write on resolution, the stale (first-issued, slower) response can overwrite the fresh (second-issued, faster) one. This is not a rare edge case; it is a predictable consequence of variable network latency and is trivially reproducible by throttling one request in DevTools.
12
+
13
+ ## Officially grounded cancellation pattern (MDN)
14
+
15
+ `AbortController`/`AbortSignal` is the documented mechanism for cancelling `fetch()` and for auto-removing event listeners, and it is the primary tool for closing this class of race condition — it actually cancels the in-flight request/listener rather than merely ignoring its eventual result.
16
+
17
+ Cancelling `fetch()`:
18
+
19
+ ```js
20
+ const controller = new AbortController();
21
+
22
+ async function search(query) {
23
+ controller.abort(); // cancel any prior in-flight search
24
+ const signal = controller.signal;
25
+ try {
26
+ const response = await fetch(`/api/search?q=${encodeURIComponent(query)}`, { signal });
27
+ const results = await response.json();
28
+ renderResults(results);
29
+ } catch (err) {
30
+ if (err.name === "AbortError") return; // expected: a newer request superseded this one
31
+ renderError(err);
32
+ }
33
+ }
34
+ ```
35
+
36
+ Note the bug in the naive version of this pattern: reusing a single `controller` across calls means `controller.abort()` must create a **new** controller for the next request (an already-aborted controller's signal cannot be un-aborted). The corrected shape keeps the controller reference in an outer/module/component-instance scope and reassigns it on every new call:
37
+
38
+ ```js
39
+ let currentController = null;
40
+
41
+ async function search(query) {
42
+ currentController?.abort();
43
+ currentController = new AbortController();
44
+ const { signal } = currentController;
45
+ try {
46
+ const response = await fetch(`/api/search?q=${encodeURIComponent(query)}`, { signal });
47
+ renderResults(await response.json());
48
+ } catch (err) {
49
+ if (err.name === "AbortError") return;
50
+ renderError(err);
51
+ }
52
+ }
53
+ ```
54
+
55
+ Auto-removing an event listener with the same signal, instead of a manual `removeEventListener` call (MDN, `EventTarget/addEventListener`):
56
+
57
+ ```js
58
+ const controller = new AbortController();
59
+ el.addEventListener("click", handler, { signal: controller.signal });
60
+ // Later, one call removes this (and any other listener sharing the signal):
61
+ controller.abort();
62
+ ```
63
+
64
+ ## Non-negotiable design rules
65
+
66
+ 1. **Every rapid-repeated-call site needs one of: `AbortController` cancellation, a request-generation counter, or a documented equivalent (e.g., a library-level cancellation/dedup mechanism like a query library's built-in request deduplication).** Absence of any of these on a search-as-you-type, poll, or tab-switch-refetch pattern is a race-condition finding, not a style note — regardless of how unlikely the reviewer judges the specific timing to be in practice.
67
+ 2. **A generation-counter guard must increment *before* issuing the new request and must be checked *immediately before* the state-mutating call on resolution**, comparing against the value captured at issue-time — not the current value read again at resolution-time (that comparison is always true and guards nothing):
68
+ ```js
69
+ let latestRequestId = 0;
70
+ async function search(query) {
71
+ const requestId = ++latestRequestId;
72
+ const results = await fetchResults(query);
73
+ if (requestId !== latestRequestId) return; // a newer request superseded this one
74
+ renderResults(results);
75
+ }
76
+ ```
77
+ 3. **`AbortController.abort()` rejects the pending `fetch()` Promise with an `AbortError`** — the catch/rejection path must explicitly distinguish `AbortError` (expected, safe to silently return) from every other error (must still surface to the user or logging). Treat a catch block that swallows *all* errors identically, including genuine network/server failures, as a separate finding from the missing-cancellation finding — silencing real errors alongside expected aborts hides genuine outages.
78
+ 4. **Debounce/throttle alone does not fix this class of race.** Debouncing reduces how many requests are *issued*; it does not guarantee the *responses* resolve in issue order. A debounced search-as-you-type handler still needs cancellation or a generation guard on the requests it does issue.
79
+ 5. **Polling intervals need the same cancellation discipline as one-shot requests**, plus `clearInterval`/`clearTimeout` on unmount/teardown — an in-flight poll response arriving after teardown that still writes to now-stale UI state or a detached DOM node is the same defect class as the search-as-you-type case, compounded by the interval continuing to fire if not cleared.
80
+ 6. **Session/identity switches (logout, account switch, tab becomes a different user's session) are the highest-severity variant of this pattern.** A stale in-flight request for the previous session resolving after the switch and writing its response into the new session's view is a data-exposure defect (one user's data rendered into another user's session), not merely a UI glitch — treat this specific trigger sequence as HIGH severity by default.
81
+
82
+ ## Verification targets
83
+
84
+ When repo evidence is available, verify a race-condition finding by:
85
+
86
+ - confirming the actual trigger sequence with concrete inputs (e.g., "type 'a', then quickly type 'ab' — if the `/search?q=a` response is slower than `/search?q=ab`, it can overwrite the correct results" ) rather than asserting a race "could" happen without describing how,
87
+ - checking whether the underlying HTTP client actually supports `signal` (native `fetch` does; some wrapped/legacy clients require an adapter or don't support cancellation at all — verify before recommending `AbortController` as the fix, and recommend a generation-counter guard instead when the client can't cancel),
88
+ - checking whether a `try`/`catch` around an aborted request correctly special-cases `AbortError` (rule 3 above) — a fix that adds cancellation but treats the resulting `AbortError` as a real failure introduces a new (spurious error UI) bug.
89
+
90
+ ## When to push back
91
+
92
+ Push back if the user asks you to:
93
+
94
+ - "just debounce it more" as the fix for a reported stale-data race — longer debounce reduces frequency, not the underlying unordered-resolution risk, and adds latency without closing the bug,
95
+ - skip cancellation because "the backend is fast, this basically never happens" — network latency variance (not backend speed alone) drives this bug, and it is exactly the kind of intermittent, hard-to-reproduce defect that's expensive once it reaches production; treat "basically never happens" as unverified until shown otherwise,
96
+ - add a generation counter or `AbortController` but continue writing state before checking the guard — the guard must be the last check *before* the state-mutating call, not merely present somewhere earlier in the function.
@@ -0,0 +1,77 @@
1
+ # Unhandled-Rejection Audit Checklist
2
+
3
+ Use this reference only when systematically auditing a file/module's Promise chains and `async` functions for missing `.catch`/try-catch coverage — not for tracing execution order (`event-loop-tracing.md`) or for cancellation/sequencing patterns (`race-condition-patterns.md`).
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > "The function is `async`, so any error inside it becomes a normal thrown error the caller will see."
10
+
11
+ That is incomplete. An `async` function that throws or whose `await`ed Promise rejects returns a **rejected Promise**, not a synchronous throw. If nothing consumes that rejection — no `.catch`, no surrounding `try`/`catch` at an `await` call site, no `await` at all on a fire-and-forget call — the rejection surfaces only as an "Unhandled promise rejection" warning (or, in older/misconfigured environments, silently), and any logic gated on that path (an authorization check, a save confirmation, a UI state update) simply never runs. A rejected permission check that isn't awaited/caught can fail open: the calling code proceeds past the check as if nothing happened, because nothing ever observed the rejection.
12
+
13
+ ## Officially grounded pattern
14
+
15
+ MDN's Promise/`await` docs converge on one rule: every Promise-producing expression needs exactly one of these along every path that can reject:
16
+
17
+ - a `.catch(...)` (or `.then(onFulfilled, onRejected)`) attached to the chain, or
18
+ - an enclosing `try { await ... } catch (e) { ... }` around the `await`.
19
+
20
+ ```js
21
+ // Unhandled: no .catch, and the caller does not await it.
22
+ function saveDraft(draft) {
23
+ api.save(draft).then((res) => showSavedToast(res));
24
+ }
25
+
26
+ // Handled: explicit .catch covers the whole chain.
27
+ function saveDraft(draft) {
28
+ api
29
+ .save(draft)
30
+ .then((res) => showSavedToast(res))
31
+ .catch((err) => showErrorToast(err));
32
+ }
33
+
34
+ // Handled: try/catch around the await.
35
+ async function saveDraft(draft) {
36
+ try {
37
+ const res = await api.save(draft);
38
+ showSavedToast(res);
39
+ } catch (err) {
40
+ showErrorToast(err);
41
+ }
42
+ }
43
+ ```
44
+
45
+ ## Non-negotiable design rules
46
+
47
+ 1. **Every Promise chain must terminate in exactly one rejection-handling construct along every branch.** A `.then(...).then(...)` chain with no trailing `.catch` is a finding even if an earlier link in the chain "usually" succeeds — "usually" is not "always," and the whole point of the audit is the failure path.
48
+ 2. **A `try` block around a call that does *not* `await` its Promise-returning expression does not catch that Promise's rejection.** `try { somePromiseFn(); } catch (e) {}` only catches a *synchronous* throw during the call setup, not an asynchronous rejection from the returned Promise. Flag this exact pattern by name — it is a common false sense of coverage.
49
+ 3. **A "fire-and-forget" call (`doSomethingAsync()` with no `await`, no `.then`, no `.catch`) is an unhandled-rejection risk by default.** It is only acceptable when the function is documented/verified to never reject (rare) or when the codebase has a deliberate, reviewed pattern for intentionally-detached tasks (e.g., a wrapper that logs-and-swallows). Do not accept "it's just a fire-and-forget analytics call" as an exemption without checking whether the underlying call can actually reject (network calls almost always can).
50
+ 4. **`Promise.all`/`Promise.allSettled`/`Promise.race`/`Promise.any` each have different rejection semantics — verify which one is in use before asserting the rejection is handled.** `Promise.all` rejects as soon as any input rejects (and the other results are dropped, not just delayed); `Promise.allSettled` never rejects and instead requires the caller to inspect each `status: "rejected"` result individually — a `.catch` on an `.allSettled` chain never fires for individual-item failures, so per-item error handling must happen inside the mapping/consuming code, not assumed to exist because a `.catch` is present elsewhere in the chain.
51
+ 5. **Authorization/permission-check code paths get elevated severity, not routine severity, for a missing rejection handler.** If a rejected check silently fails to block the gated action (because nothing awaited/caught it and the surrounding code proceeds unconditionally), that is a fail-open security defect, not a UX polish item.
52
+
53
+ ## Severity escalation
54
+
55
+ Treat a missing rejection handler as **HIGH severity** when:
56
+
57
+ - the Promise chain gates an authorization, permission, or entitlement check — a rejection that isn't observed means the gate is bypassed by default (fail-open),
58
+ - the Promise chain performs an authenticated write/mutation and the caller has no way to know it failed — silent data loss or an inconsistent state the user believes succeeded,
59
+ - the rejection would otherwise crash a Node.js process (unhandled rejections terminate the process by default in modern Node major versions) — verify the target runtime's current behavior via `query-docs` rather than assuming a specific Node version's default.
60
+
61
+ Otherwise (a rejection that only affects a non-critical UI affordance, like a tooltip's optional prefetch), MEDIUM or LOW is appropriate depending on user-visible impact — but still a finding, not a non-issue.
62
+
63
+ ## Verification targets
64
+
65
+ When repo evidence is available, verify each finding against:
66
+
67
+ - whether a global handler exists (`window.addEventListener("unhandledrejection", ...)` in browsers, `process.on("unhandledRejection", ...)` in Node) — a global handler changes the blast radius (it prevents a silent failure) but does **not** fix the underlying logic gap (the gated action still ran unguarded); note both facts, do not treat the global handler as sufficient remediation for a specific chain,
68
+ - whether the function is exported/public API — an unhandled rejection inside a shared utility has a larger blast radius than one confined to a single component's internal helper,
69
+ - the actual runtime target (browser vs. Node, and which Node major) before asserting process-crash consequences, since default unhandled-rejection behavior has changed across Node versions.
70
+
71
+ ## When to push back
72
+
73
+ Push back if the user asks you to:
74
+
75
+ - add a blanket top-level `unhandledrejection`/`unhandledRejection` listener as the fix instead of adding scoped `.catch`/`try-catch` at the actual call sites — a global listener can suppress the crash/warning without fixing the fail-open logic gap underneath it,
76
+ - treat `.catch(() => {})` (swallow-and-ignore) as equivalent to proper error handling for an authorization or mutation path — silently swallowing the error is a different (and often worse) defect than the original unhandled rejection, because it removes the warning signal without adding a safe fallback,
77
+ - skip the audit on a chain because "it basically never fails in practice" — that is exactly the assumption this audit exists to challenge; require either evidence the operation cannot reject, or a rejection handler.
@@ -0,0 +1,68 @@
1
+ ---
2
+ name: legacy-jquery-to-modern-framework-review
3
+ description: Inventory the hidden behaviors in a legacy jQuery/Backbone-era codebase — implicit global event delegation, direct DOM mutation outside any render cycle, plugin side effects, ad-hoc accessibility shims, and unsanitized HTML string building — that a mechanical framework port would silently drop or need to explicitly reproduce.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: architecture
10
+ ---
11
+
12
+ # Legacy jQuery to Modern Framework Review
13
+
14
+ ## Purpose
15
+
16
+ A mechanical 1:1 port of jQuery code into a modern component framework routinely loses behavior that was never written down: event delegation bound at `document` level, DOM mutations performed by third-party plugins outside any framework render cycle, and accessibility behavior (focus trapping, ARIA attribute toggling) implemented ad hoc in a plugin nobody remembers the internals of. A migration plan that skips this inventory ships a component tree that *looks* equivalent and silently regresses on events, side effects, or accessibility the day it reaches production. This skill exists to make that inventory explicit — component by component, handler by handler — before a migration plan commits to a strangler boundary.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - inventory jQuery/Backbone-era DOM manipulation and event-binding patterns before a framework migration,
23
+ - identify which jQuery plugins have undocumented side effects (DOM mutation, global state, timers) that must be explicitly reproduced in the replacement,
24
+ - find unsanitized HTML string-building (`.html()`, string concatenation into `innerHTML`) that a port must not carry forward unchanged — or worse, upgrade into an unguarded `dangerouslySetInnerHTML`/`v-html`,
25
+ - check whether legacy widgets provide accessibility behavior (keyboard support, focus management, ARIA toggling) that the replacement component must match before being declared equivalent.
26
+
27
+ Do not use this skill for:
28
+
29
+ - authoring the replacement framework's component code itself — this skill produces the inventory a migration plan consumes, it does not design the target architecture (pair with `frontend-migration-modernization-plan` or the target framework's architecture-review skill for that),
30
+ - general DOM XSS/CSP review with no legacy-migration angle — use `frontend-dom-xss-csp-review` for that,
31
+ - reviewing a codebase that has no jQuery/Backbone-era code at all.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ - Resolve the target framework's Context7 library ID (`resolve-library-id`) before citing any claim about how the replacement component's API is expected to behave — e.g. React: `/reactjs/react.dev`; Vue: `/websites/vuejs_guide`; Angular: `/websites/angular_dev`. Read `package.json` first to confirm the actual target framework and version; do not assume one from the ticket title.
36
+ - For every `dangerouslySetInnerHTML`/`v-html`-shaped replacement candidate, ground the security claim in Context7 React docs before writing it: `dangerouslySetInnerHTML` accepts an untrusted string only if the caller has already sanitized it — passing raw legacy `.html()` input straight through creates the same "Security Hole with dangerouslySetInnerHTML" pattern the official React docs warn about explicitly (a `post.content` string with an `onerror` payload rendered unsanitized). Label this claim `documentation-based (Context7: /reactjs/react.dev)`.
37
+ - For claims about refs, `useEffect`, and "escape hatch" DOM access as the sanctioned place to reproduce legacy imperative DOM code, ground them in the official React docs' "Manipulating the DOM with Refs" material (refs are an escape hatch for stepping outside React; manually manipulating DOM nodes React also renders causes conflicts, e.g. calling `ref.current.remove()` outside of `setState` crashes on the next render). Do not invent a different "sanctioned" location for imperative code.
38
+ - This skill does not by itself certify the new implementation is correct — it inventories legacy behavior and flags what the target implementation must account for. Do not recommend a specific target-framework API as the finished solution without verifying the claim against Context7/official docs first.
39
+ - If Context7 is unavailable for the target framework, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
40
+
41
+ ## Lean operating rules
42
+
43
+ - Treat every `$(document).on('click', '.selector', ...)`-style delegated handler as a routing/ownership question, not just an inventory line: in the ported code, which component owns this event, does the DOM structure still exist for delegation to make sense, and is event delegation still needed once the framework's synthetic/native event system replaces manual `$(document)` binding?
44
+ - Treat every `.html()`, `.append()`, `.prepend()`, or `.after()` call fed by non-literal data (template strings, concatenation, server response, `.val()`/`.text()` of another element) as a security finding, not just a style note. Flag it as an unsanitized-injection candidate for the migration plan's risk register, and flag doubly if the proposed replacement is `dangerouslySetInnerHTML`/`v-html` with no sanitizer in between.
45
+ - Do not assume a jQuery UI/plugin widget (datepicker, autocomplete, modal, tabs, slider, tooltip) has zero accessibility behavior just because the markup around it looks bare. Check the plugin's own documentation or bundled source for ARIA attribute toggling, `role` assignment, and keyboard handlers before declaring an accessibility gap — a missing declaration in the call-site markup does not mean the plugin injects nothing at runtime.
46
+ - Do not classify a jQuery plugin as side-effect-free because its public API looks simple. Grep the plugin source itself (not just call sites) for global variable writes, `setInterval`/`setTimeout` registration, direct `document`/`window` event binding, and DOM nodes created outside the element the plugin was called on — these are exactly the behaviors a component-scoped framework render cycle will not reproduce automatically.
47
+ - Do not recommend a specific target-framework API as "the" replacement without first grounding the claim via the Context7 Documentation Protocol above.
48
+ - Load `references/event-delegation-inventory.md` only when cataloguing event-binding patterns.
49
+ - Load `references/dom-mutation-and-plugin-side-effects.md` only when auditing third-party plugin behavior.
50
+ - Load `references/legacy-a11y-shim-audit.md` only when checking accessibility parity requirements.
51
+
52
+ ## References
53
+
54
+ Load these only when needed:
55
+
56
+ - [Event delegation inventory](references/event-delegation-inventory.md) — use to catalogue `$(document).on(...)`-style global delegation, `$.fn` custom-event patterns, and Backbone view event maps, and map each handler to an owning component in the target architecture.
57
+ - [DOM mutation and plugin side effects](references/dom-mutation-and-plugin-side-effects.md) — use to find third-party jQuery plugins performing direct DOM mutation, timers, global namespace writes, or singleton state outside any render cycle, and to flag unsanitized HTML string-building sites.
58
+ - [Legacy accessibility shim audit](references/legacy-a11y-shim-audit.md) — use to verify what keyboard/focus/ARIA behavior existing widgets provide before their replacement is declared equivalent.
59
+
60
+ ## Response minimum
61
+
62
+ Return, at minimum:
63
+
64
+ - the inventory of delegated event handlers with proposed component ownership in the target framework,
65
+ - the list of plugins/handlers with undocumented side effects requiring explicit reproduction,
66
+ - unsanitized HTML-construction sites flagged as security findings, with an explicit call-out if the proposed replacement is `dangerouslySetInnerHTML`/`v-html` without a sanitizer,
67
+ - an accessibility-parity checklist per replaced widget (keyboard support, focus management, ARIA attributes/roles),
68
+ - evidence level per finding (source-code-verified vs. plugin-docs-based vs. inference), and Context7/official-docs grounding for any target-framework API claim.
@@ -0,0 +1,27 @@
1
+ {
2
+ "id": "legacy-jquery-to-modern-framework-review",
3
+ "name": "Legacy jQuery to Modern Framework Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews a legacy jQuery/Backbone-era codebase for the specific hidden behaviors (implicit global event delegation, direct DOM mutation outside any render cycle, undocumented plugin side effects, ad-hoc accessibility shims) that a mechanical framework port will silently drop, producing an inventory that a migration plan can actually rely on.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener",
18
+ "https://api.jquery.com/category/events/event-handler-attachment/",
19
+ "https://www.w3.org/WAI/ARIA/apg/",
20
+ "https://react.dev/reference/rules"
21
+ ],
22
+ "security_notes": "Legacy jQuery plugins frequently construct HTML via string concatenation and .html(); flag every such call as a potential unsanitized-injection point that a naive port might carry forward unchanged, or worse, replace with dangerouslySetInnerHTML/v-html without adding sanitization. Static-review-only skill: Read/Grep/Glob, no Bash execution, no network egress, no code mutation.",
23
+ "last_verified": "2026-07-02",
24
+ "path": "skills/frontend/legacy-jquery-to-modern-framework-review",
25
+ "author": "github: Raishin",
26
+ "version": "0.1.0"
27
+ }