@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (875) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15393 -12593
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +5 -4
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/export-marketplace-agents.mjs +48 -15
  333. package/scripts/generate-docs-data.mjs +1 -0
  334. package/scripts/generate-kiro-powers.mjs +12 -0
  335. package/scripts/update-catalog-new-agents.py +6 -1
  336. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  340. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  341. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  342. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  344. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  345. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  346. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  348. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  353. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  354. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  355. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  356. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  357. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  358. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  359. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  360. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  361. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  362. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  363. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  368. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  374. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  375. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  376. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  377. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  378. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  379. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  380. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  381. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  382. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  383. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  384. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  385. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  386. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  387. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  390. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  391. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  392. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  393. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  394. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  395. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  396. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  399. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  404. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  405. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  406. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  407. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  408. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  409. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  410. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  411. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  413. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  414. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  415. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  418. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  419. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  420. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  422. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  423. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  424. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  425. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  426. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  427. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  434. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  439. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  443. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  444. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  445. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  446. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  447. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  448. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  449. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  454. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  459. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  460. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  461. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  463. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  464. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  465. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  469. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  470. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  471. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  472. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  473. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  474. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  475. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  476. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  479. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  484. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  485. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  486. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  489. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  494. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  495. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  496. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  498. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  499. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  500. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  503. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  507. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  512. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  513. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  514. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  515. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  516. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  517. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  523. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  524. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  525. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  528. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  529. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  530. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  534. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  535. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  536. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  539. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  540. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  541. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  542. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  543. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  548. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  549. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  550. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  551. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  552. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  553. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  554. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  555. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  556. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  557. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  558. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  559. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  564. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  569. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  570. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  571. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  572. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  573. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  574. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  579. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  583. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  584. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  585. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  587. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  592. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  593. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  594. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  595. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  596. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  597. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  598. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  599. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  602. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  607. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  608. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  609. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  613. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  614. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  615. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  616. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  617. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  618. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  619. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  620. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  621. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  622. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  623. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  624. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  629. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  671. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  713. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  714. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  725. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  736. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  764. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  775. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  786. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  797. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  808. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  819. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  830. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  841. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  861. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  872. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  873. package/tests/test-vfa-export-coverage.test.mjs +30 -0
  874. package/tests/validate-catalog.py +1 -0
  875. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,57 @@
1
+ # Consent and PII in Events
2
+
3
+ Use this reference when reviewing whether tracking calls are properly consent-gated and whether event payloads leak personally identifiable information (PII).
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "We have a cookie consent banner, so our tracking is compliant."
10
+
11
+ Wrong. A consent banner existing somewhere on the page proves nothing about whether any *specific* tracking call actually respects the user's choice. Compliance is a property of the call site, not the page.
12
+
13
+ ## Officially grounded shape
14
+
15
+ Per web.dev's Permissions API guidance (`permissions-best-practices`), browser permission state is queried per capability via `navigator.permissions.query({name: ...})`, returns a `state` of `granted` / `denied` / `prompt`, and — critically — **permission grants are scoped per-origin**: a grant on one origin does not transfer to a different origin or subdomain. This same non-transferability logic applies to consent state in analytics/marketing tooling: a consent decision recorded for one property/origin should not be silently assumed to apply to another origin or a cross-subdomain deployment without an explicit, documented consent-propagation mechanism (e.g. a shared consent cookie deliberately scoped for that purpose).
16
+
17
+ Google's Consent Mode (referenced by GA4 tooling) works by adjusting or blocking specific measurement signals based on granted/denied consent state, rather than by a single all-or-nothing toggle — treat "consent" as a set of distinct signals (e.g. analytics storage, ad storage, ad personalization) each with independent gating, not one binary flag, unless the reviewed implementation is verified via Context7/current docs to behave otherwise.
18
+
19
+ ## Non-negotiable design rules
20
+
21
+ 1. **Consent must be checked at the call site of the tracking function**, immediately before or as a guard condition on the SDK call itself — not only at page load in a separate initialization block that the actual event-firing code doesn't reference. If the tracking call does not read live consent state (or a consent-derived flag) at the point it fires, treat the call as unverified for compliance regardless of banner presence.
22
+ 2. **Default state before consent is granted must be "no non-essential tracking"**, not "track now and revoke later" — later revocation does not undo data already collected and transmitted.
23
+ 3. **Consent scope is per-origin/per-property by default.** Any claim that a consent decision on one domain covers a subdomain, related property, or downstream data-sharing partner must point to an explicit propagation mechanism (documented shared cookie, server-side consent state sync) — never assume it transfers implicitly.
24
+ 4. **Every event-schema field must be classified**: essential/functional (may be exempt from consent gating under most frameworks), or analytics/marketing (must be consent-gated). Do not let a field's classification be assumed from its name alone — check what it actually contains.
25
+ 5. **PII must never appear in event payloads in plaintext** — this includes free-text search/input fields, full email addresses, exact geolocation (lat/long or address-level), payment instrument details, and raw URLs containing query-string parameters that carry any of the above. Hash, truncate, bucket (e.g. city-level geo instead of lat/long), or drop these fields before the event is considered shippable.
26
+ 6. **A schema field added for a new feature is not "safe by default."** Every new or changed field must be re-evaluated against rules 4 and 5, not grandfathered in because prior fields passed review.
27
+
28
+ ## Minimal safe review flow
29
+
30
+ 1. Enumerate every distinct tracking/event-firing call site touched by the change (not just the SDK initialization).
31
+ 2. For each call site, trace backwards to the actual conditional (if any) gating that call on consent state — confirm it reads a live consent value, not a stale/default-true flag.
32
+ 3. For each event's payload fields, classify each field as essential, analytics, or marketing, and flag any field whose content could plausibly contain PII regardless of its name.
33
+ 4. For any field flagged as potential PII, confirm it is hashed, truncated, generalized (e.g. geo bucketed to region), or removed before the event ships — do not accept "we'll filter it downstream" as sufficient, since the payload has already left the client by then.
34
+ 5. If the deployment spans multiple origins/subdomains, confirm the consent-propagation mechanism explicitly, rather than assuming a shared consent state.
35
+
36
+ ## Adversarial checklist
37
+
38
+ Before approving an instrumentation change as consent/PII compliant, answer these:
39
+
40
+ - Does the exact line of code that fires this tracking call check a live consent value, or does it fire unconditionally and rely on something else (a tag-manager rule, a server-side filter) to suppress it later?
41
+ - What is the default consent state before the user makes any choice — is non-essential tracking off by default?
42
+ - If this property has multiple subdomains or related origins, is there an explicit, documented mechanism sharing consent state, or is that being assumed?
43
+ - For every new field in this event's payload, what raw value does it actually carry at runtime — has anyone printed a sample payload, or is the field's safety being assumed from its name?
44
+ - If a field carries free text (search box, comment, form input), is there any scrubbing before it reaches the event payload, or does it pass through verbatim?
45
+
46
+ If any of these cannot be answered, the compliance posture is unverified, not confirmed.
47
+
48
+ ## When to push back
49
+
50
+ Push back if the user asks to:
51
+
52
+ - fire analytics/marketing events before consent is granted "just to see the data, we'll filter it later,"
53
+ - treat a consent banner's presence on the page as sufficient evidence that a specific new tracking call is compliant,
54
+ - add a free-text or geolocation field to an event schema without a scrubbing/generalization step,
55
+ - assume a consent decision made on the main domain automatically applies to a newly added subdomain or partner property.
56
+
57
+ Those are not shortcuts. They are compliance and privacy exposure shipped as a schema change.
@@ -0,0 +1,83 @@
1
+ # Privacy & Consent Depth for Analytics
2
+
3
+ Use this reference when the review needs standard-specific depth beyond the general consent/PII posture covered in `consent-and-pii-in-events.md` — specifically IAB TCF v2.2 purpose-granular consent, Google Consent Mode v2's default-denied timing requirement, Global Privacy Control / Do-Not-Track honoring, cookie categorization/expiry, and analytics-endpoint data residency. This is static-review guidance only; there is no detection corpus behind it (this skill is not a security-category skill).
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "We call `gtag('consent', 'update', ...)` when the CMP loads, so we're Consent Mode compliant."
10
+
11
+ Wrong. Consent Mode v2 distinguishes **defaults** from **updates**. The *default* consent state — set before the CMP has rendered or the user has answered anything — must itself be `denied` for the relevant signals, and it must be set **synchronously**, before any `gtag`/GTM tag fragment can fire. An `update` call arriving later is the correct mechanism for what happens *after* the user answers; it does nothing to undo tags that already fired under a missing or async-set default.
12
+
13
+ A second naive story:
14
+
15
+ > "We have a TCF consent string cookie (`euconsent-v2`), so every downstream vendor call is covered."
16
+
17
+ Wrong. TCF v2.2 consent is granular **per purpose ID**, not a single yes/no. A vendor may be consented for "measurement" (Purpose 1/analytics-adjacent purposes) but not for "personalized ads" (Purpose 4) or cross-context targeting. A tracking call that fires because *a* TC string cookie exists, without checking whether *that specific vendor and purpose combination* is granted, is not actually gated — it is gated by presence, not by scope.
18
+
19
+ ## Officially grounded shape
20
+
21
+ **Google Consent Mode v2 (doc-based, via Context7 `/websites/developers_google_tag-platform_security_guides`):**
22
+
23
+ - The default consent call must set at minimum all four parameters — `ad_storage`, `analytics_storage`, `ad_user_data`, `ad_personalization` — and per the consent-debugging guide, **"Ensure that the default consent statuses are not set asynchronously"** and the default block "should be placed at the top of your page, before any tag fragments or other code that might use consent settings."
24
+ - The documented pattern is: `gtag('consent', 'default', {ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied', analytics_storage: 'denied'})` executed synchronously, before the gtag.js/GTM snippet loads — then `gtag('consent', 'update', {...})` later once the user answers the CMP.
25
+ - An optional `wait_for_update` parameter (e.g. `500` ms) exists specifically to give an asynchronous CMP banner time to call `update` before tags evaluate the default state — its presence in an implementation is a signal the team is aware of the timing requirement, not a substitute for a synchronous default block.
26
+ - Treat any implementation that sets defaults inside an async-loaded script, inside a CMP callback, or after the main gtag/GTM snippet as **non-compliant with the documented requirement**, regardless of whether an `update` call exists later.
27
+
28
+ **IAB TCF v2.2 (standard-based — no TCF library resolved in Context7 at time of review; treat as standard-based inference, not Context7-verified):**
29
+
30
+ - Consent and legitimate-interest signals are structured **per purpose ID and per vendor**, encoded into a single TC string. A compliant integration checks a specific `(vendorId, purposeId)` pair — commonly via a decoded consent object exposing something equivalent to `vendorConsents.has(purposeId)` — not merely "does a TC string exist."
31
+ - The TC string is the standard mechanism for **communicating** consent state to downstream vendors/partners. A server-side or third-party tracking call that omits the TC string (or an equivalent consent signal) gives the receiving party no way to honor purpose-specific restriction, even if the client-side call itself was gated correctly.
32
+ - Purpose-level gating and vendor-level gating are independent: a vendor consented for one purpose is not automatically consented for another. Do not treat "CMP shows a green banner" as equivalent to "this specific vendor/purpose pair is granted."
33
+
34
+ ## Non-negotiable design rules
35
+
36
+ 1. **Consent Mode defaults must be synchronous and denied-by-default**, set in the page `<head>` before the gtag.js/GTM snippet and before any `gtag('event', ...)` call — not inside a CMP callback, not behind a `DOMContentLoaded`/async script boundary.
37
+ 2. **No tracking call — pixel, `gtag`, `sendBeacon`, `fetch`, image-tag — fires before a consent signal exists**, whether that signal is a Consent Mode default/update pair or a decoded TCF TC string. "We'll gate it with CSS/display:none" or "we'll filter server-side" does not prevent the HTTP request from having already left the client with its payload.
38
+ 3. **PII must never ride in event properties**, regardless of consent state: raw email address, full legal name, unhashed user ID, phone number, precise address. Consent governs *whether tracking may happen*, not *what may be sent once it does* — a consented-but-PII-laden event is still a data-minimization violation.
39
+ 4. **Every cookie set by analytics/marketing code must be categorized (essential / functional / analytics / marketing) and carry an explicit, bounded expiry.** An uncategorized cookie cannot be selectively cleared by a CMP, and an unbounded/session-spanning expiry on a cookie that should be short-lived is itself a flag.
40
+ 5. **Global Privacy Control (`navigator.globalPrivacyControl === true`) and Do-Not-Track (`navigator.doNotTrack === "1"`) must be checked and honored as an opt-out signal** for non-essential tracking, alongside — not instead of — explicit CMP consent state. Treat code that reads a TC string or Consent Mode flag but never checks `navigator.globalPrivacyControl`/`doNotTrack` as an incomplete opt-out surface.
41
+ 6. **Data residency of the analytics endpoint must be identified, not assumed.** Note whether the destination (vendor domain, region-specific ingestion endpoint, self-hosted collector) is documented against any residency commitment made to users (e.g. "EU data stays in the EU"); flag payloads sent to a default/global endpoint when a residency-scoped endpoint is available and expected.
42
+
43
+ ## Minimal safe review flow
44
+
45
+ 1. Find the Consent Mode default-consent call (if Google tooling is in use). Confirm it (a) sets all relevant parameters to `denied`, (b) executes synchronously in `<head>`, before the gtag.js/GTM snippet — not inside a CMP callback or async script.
46
+ 2. Find every tracking call site (pixel `<img>`/`new Image()`, `gtag('event', ...)`, `sendBeacon`, `fetch` to an analytics/marketing endpoint). For each, confirm it is temporally *after* a consent signal is available — not merely after the page has "loaded."
47
+ 3. If TCF is in use, confirm the guarding logic checks a specific vendor/purpose pair from the decoded TC string, not just TC-string presence.
48
+ 4. For each event's payload, scan for PII fields regardless of consent state (see `consent-and-pii-in-events.md` rule 5 for the field list).
49
+ 5. List every cookie set by the code under review; confirm each has a declared category and an explicit `Max-Age`/`Expires` — flag any cookie set without either.
50
+ 6. Confirm the code checks `navigator.globalPrivacyControl` and/or `navigator.doNotTrack` and suppresses non-essential tracking when either signals opt-out, independent of CMP state.
51
+ 7. Identify the destination host/endpoint of each analytics call and note whether it matches any stated data-residency commitment; flag mismatches as unverified, not assumed-fine.
52
+
53
+ ## Concrete sinks to grep for
54
+
55
+ - **Unguarded pixel/image tracking**: `<img src="https://` or `new Image().src =` pointed at a tracking/analytics domain, with no preceding consent/TC-string/Consent-Mode check in the same code path. Risk: the HTTP GET — and any query-string PII on it — is unrecoverable once sent, unlike a suppressed JS event.
56
+ - **`gtag('event', ...)` before `gtag('consent', 'default', ...)`**: search for `gtag('event'` occurrences and confirm a `gtag('consent', 'default'` call precedes them in load order (ideally same `<head>` block, before the gtag.js `src` script tag). Risk: Consent Mode has no default state yet, so Google's tags apply undefined/permissive behavior.
57
+ - **PII literals in event payload construction**: `email`, `user.email`, `fullName`, `userId` (raw, unhashed) passed directly into an analytics `track()`/`gtag('event', ...)`/`sendBeacon()` call's properties object. Risk: PII leaves the client in plaintext regardless of consent state.
58
+ - **Cookie set without `Max-Age`/`Expires` and without a category comment/constant**: `document.cookie = "<name>=<value>"` with no `Max-Age=`/`Expires=` attribute, or a cookie name with no mapping in a consent-category config. Risk: cannot be selectively honored, cleared, or excluded by a CMP.
59
+
60
+ ## Adversarial checklist
61
+
62
+ - Is the Consent Mode (or equivalent) default set synchronously in `<head>`, or does it live behind an async script/CMP callback where tags could fire first?
63
+ - Does the code check a *specific* vendor/purpose grant from the TC string, or only "a TC string cookie is present"?
64
+ - Does any tracking call — pixel, beacon, fetch — execute before any consent signal (default, TCF string, or otherwise) is available at all?
65
+ - Does any event payload carry a raw email, name, phone number, or unhashed user ID, independent of whether consent was granted?
66
+ - Does every cookie set by this code have both a declared category and an explicit expiry, or are any "just set and never revisited"?
67
+ - Does the code check `navigator.globalPrivacyControl` / `navigator.doNotTrack` and suppress non-essential tracking on either signal, or does it only look at CMP-recorded consent?
68
+ - Is the destination endpoint for this analytics call known and checked against any data-residency commitment, or is "it's probably fine" being assumed?
69
+
70
+ If any of these cannot be answered from the code itself, treat the privacy/consent posture as **unverified**, not compliant.
71
+
72
+ ## When to push back
73
+
74
+ Push back if the user asks to:
75
+
76
+ - ship a Consent Mode default that is set asynchronously or after the gtag.js/GTM snippet, "since we'll call update quickly anyway,"
77
+ - gate a tracking call on "a TC string cookie exists" rather than the specific vendor/purpose grant it needs,
78
+ - add a raw email/name/unhashed user ID to an event's properties because "it's useful for support lookups,"
79
+ - set a new analytics/marketing cookie without an expiry or category because "we'll clean it up later,"
80
+ - skip checking Global Privacy Control/Do-Not-Track because "the CMP already covers consent,"
81
+ - send analytics payloads to a default global endpoint when a region-scoped endpoint exists and residency commitments apply.
82
+
83
+ Those are not shortcuts. They are unrecoverable data exposure and standards non-compliance shipped as an analytics change.
@@ -0,0 +1,64 @@
1
+ # SRM and Bucketing Integrity
2
+
3
+ Use this reference when auditing user-assignment/bucketing logic for an A/B or multivariate experiment, or when diagnosing a suspected sample-ratio mismatch (SRM).
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "We split traffic 50/50 in the config, so the experiment is randomized correctly."
10
+
11
+ Wrong. A correct config value does not guarantee correct *realized* assignment. SRM — where the observed split between variants diverges from the configured split by more than chance — is one of the most common silent killers of experiment validity, and it is caused by implementation bugs, not by the experimentation platform's randomization algorithm.
12
+
13
+ ## Common root causes of SRM
14
+
15
+ - **Non-deterministic bucketing**: assignment computed from `Math.random()` or an unseeded RNG on each page load/render instead of a stable hash of a persistent identifier (user ID, device ID, or a consistently-stored anonymous ID). This causes the same user to bounce between variants across requests, corrupting both the split and the per-user experience.
16
+ - **Redirect/loading-time asymmetry**: one variant triggers a client-side redirect or has a slower paint path, so users on slow connections/devices disproportionately bounce before the exposure event fires, undercounting that variant.
17
+ - **Bot/crawler contamination**: bot traffic is not filtered before assignment and is unevenly distributed across variants (e.g. one variant's URL gets crawled more).
18
+ - **Caching bypass**: a CDN or browser cache serves a cached response for one variant to users who should have been freshly assigned, without going through the bucketing code path at all.
19
+ - **Post-assignment filtering that isn't symmetric**: an error-handling or feature-guard path silently excludes users from one variant's exposure logging but not the other's (e.g. a try/catch around only the treatment code path).
20
+ - **Multiple exposure events per user**: a user is bucketed once but the exposure/"experiment viewed" event fires multiple times (e.g. once per re-render), inflating one variant's logged count without inflating actual unique users.
21
+
22
+ ## Non-negotiable design rules
23
+
24
+ 1. **Assignment must be deterministic per stable identifier.** Given the same user identifier and experiment ID, the bucketing function must return the same variant every time, computed via a consistent hash (not re-rolled per request). If the review cannot point to the exact hash/seed input, treat this as a blocking finding.
25
+ 2. **The identifier used for bucketing must survive the user's session.** An identifier that resets on page reload, tab close, or unauthenticated-to-authenticated transition will fragment the same real user across variants — verify what the identifier actually is (cookie, local storage, logged-in user ID) and its persistence.
26
+ 3. **The exposure/assignment log event must fire exactly once per unique assigned user**, at the point the user is committed to see the variant-specific experience — not on every render, not before the variant is actually applied, and not skipped on an error path.
27
+ 4. **Bot and internal-traffic filtering must run before or as part of assignment**, and must be applied identically to all variants — an asymmetric filter is itself an SRM source.
28
+ 5. **The chi-squared goodness-of-fit test is the standard tool for detecting SRM** on the ratio between logged variant counts and the configured allocation ratio; a low p-value (commonly p < 0.001 is used as a conservative SRM-alert threshold given how much SRM checks are run) on that test at meaningful sample volume is a signal to halt and debug before trusting any of the experiment's results, not something to explain away as "probably fine."
29
+
30
+ ## Minimal safe review flow
31
+
32
+ 1. Identify the exact code path that computes variant assignment. Confirm it is a pure function of `(stable_user_id, experiment_id)` via a documented hash — not `Math.random()`, not time-based, not re-evaluated per render.
33
+ 2. Confirm the identifier's lifetime matches or exceeds the experiment's intended duration and survives the user journeys the experiment covers (e.g. anonymous → logged-in transition, cross-device if applicable).
34
+ 3. Trace the exposure-logging call site: confirm it fires once per assigned user, only after the variant is actually rendered/applied (not merely "assigned" in memory before an early return/error).
35
+ 4. Check for asymmetric guards: any `try/catch`, feature flag, cache rule, or redirect that could apply to one variant's code path but not the equivalent point in the other variant's path.
36
+ 5. If actual counts are available, compute the chi-squared statistic against the configured ratio; treat a materially significant deviation as a blocking finding requiring root-cause before results are trusted.
37
+
38
+ ## Adversarial checklist
39
+
40
+ Before approving an experiment's bucketing as sound, answer these:
41
+
42
+ - What exact value is hashed to produce the variant assignment, and where is it read from?
43
+ - Does that value exist and stay stable before the user has logged in, accepted cookies, or completed onboarding?
44
+ - Is there any code path (error handler, feature gate, redirect, cache rule) that can prevent the exposure event from firing for one variant but not the other?
45
+ - If a user's assignment identifier changes mid-experiment (e.g. anon ID merges into logged-in ID), what happens to their variant — do they get reassigned, and if so, does that reassignment apply identically across variants?
46
+ - Has anyone actually looked at the realized split of exposure-event counts, or is "50/50" only ever been checked in the config file?
47
+
48
+ If any of these cannot be answered, the SRM risk is unverified, not absent.
49
+
50
+ ## High-risk assumptions to kill
51
+
52
+ - "The experimentation platform's randomization is trustworthy, so the split will be fine" — the platform's RNG is rarely the source of real-world SRM; the surrounding application code is.
53
+ - "We looked at the config and it says 50/50" — config intent is not realized assignment; only logged exposure counts prove realized assignment.
54
+ - "A small split deviation doesn't matter" — at low absolute counts a deviation may be noise, but the correct response is to run the chi-squared test at the actual observed volume, not to eyeball it.
55
+
56
+ ## When to push back
57
+
58
+ Push back if the user asks to:
59
+
60
+ - launch an experiment where bucketing logic cannot be traced to a deterministic, persistent-identifier hash,
61
+ - treat an experiment's result as valid without ever having checked the realized split against the configured ratio,
62
+ - ship an experiment where the exposure-logging event fires before the variant is actually applied (this inflates "assigned" counts independent of any real exposure).
63
+
64
+ Those are not shortcuts; they are how invalid experiment results ship as product decisions.
@@ -0,0 +1,61 @@
1
+ # Stopping Rules and Peeking
2
+
3
+ Use this reference when evaluating whether an experiment's statistical significance claim or stop/continue decision is actually valid, given how it was monitored.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "The dashboard shows p < 0.05, so the result is significant — let's ship it."
10
+
11
+ Wrong. A p-value computed under a fixed-sample-size assumption is only valid if the experiment was actually analyzed that way — once, at a pre-determined sample size or duration. Checking the dashboard daily and stopping the moment it crosses a significance threshold ("peeking") inflates the true false-positive rate far above the nominal 5%, often dramatically, because each look is an additional opportunity for noise to cross the threshold by chance.
12
+
13
+ ## Officially grounded shape
14
+
15
+ There is no single universally-mandated statistical framework across experimentation platforms — some use fixed-horizon frequentist testing, some use sequential testing frameworks (e.g. always-valid p-values, mSPRT-based methods) or Bayesian frameworks specifically designed to tolerate continuous monitoring. The review's job is not to mandate one specific framework, but to verify that **the stopping behavior actually used matches the statistical framework the experiment claims to be using.** A fixed-horizon test monitored continuously and stopped early on a significant read is invalid regardless of which platform produced the number.
16
+
17
+ ## Non-negotiable design rules
18
+
19
+ 1. **A primary metric and a minimum detectable effect (MDE) must be pre-registered before the experiment starts.** If the "significant" result was found by scanning a dashboard of many metrics after the fact and picking whichever moved, that is not a valid experiment result — it is multiple-comparisons-inflated noise. Treat the absence of a pre-registered primary metric as a blocking finding.
20
+ 2. **The required sample size/duration must be computed from the pre-registered MDE, baseline rate, and desired power *before* the experiment launches**, not decided retroactively based on how the data looks partway through.
21
+ 3. **If the experiment uses a fixed-horizon test, it must not be stopped early based on an interim significant read** — continuous or frequent peeking with a fixed-horizon test invalidates the significance claim. Verify the actual monitoring cadence against the analysis method actually used.
22
+ 4. **If continuous monitoring genuinely is required (e.g. to catch a severe regression fast), the experiment must use a sequential-testing-aware method** built for that purpose — confirm the platform/analysis actually implements one rather than assuming a standard p-value naturally tolerates repeated looks.
23
+ 5. **A minimum runtime should be enforced even for a positive early read** to cover known cyclical effects (day-of-week traffic mix, novelty effects that fade, weekly business cycles) — a result significant after two days is not the same evidence as the same result sustained across a full business cycle.
24
+ 6. **Secondary/guardrail metrics must be declared in advance too**, distinct from the primary metric, so that a regression on a guardrail metric (e.g. latency, error rate, unsubscribe rate) is caught by design rather than discovered only if someone happens to check.
25
+
26
+ ## Minimal safe review flow
27
+
28
+ 1. Confirm a primary metric and MDE were declared before the experiment launched — ask for the pre-registration artifact (ticket, doc, experiment-platform config) rather than accepting a post-hoc description.
29
+ 2. Identify which statistical framework is actually in use (fixed-horizon frequentist, sequential/always-valid, Bayesian) from the platform's documented behavior — verify via Context7/current docs rather than assuming.
30
+ 3. Check the actual monitoring/stop history: was the experiment checked once at the planned endpoint, or repeatedly with a stop-on-significance pattern? If the platform's dashboard was checked daily and the experiment stopped as soon as it crossed significance, and the underlying method is fixed-horizon, flag this as invalid regardless of the reported p-value.
31
+ 4. Confirm a minimum runtime (commonly at least one to two full business cycles, e.g. two weeks, adjusted for the app's actual traffic pattern) was respected even if an early read looked positive.
32
+ 5. Confirm guardrail/secondary metrics were declared and checked, not just the metric that happened to move favorably.
33
+
34
+ ## Adversarial checklist
35
+
36
+ Before accepting a "statistically significant" result as ship-worthy, answer these:
37
+
38
+ - What was the pre-registered primary metric, and does the "significant" result match that metric — or is it a different metric that happened to move?
39
+ - What analysis method is this platform's significance number actually based on (fixed-horizon, sequential, Bayesian), and was the monitoring behavior (single look vs. continuous dashboard checking) consistent with that method's assumptions?
40
+ - Was there a pre-declared minimum sample size or runtime, and was the experiment stopped before, at, or after that point?
41
+ - Were guardrail metrics (latency, errors, revenue-adjacent metrics not directly targeted) checked, or only the primary metric that moved favorably?
42
+ - If the same experiment had been stopped a few days earlier or later, is there reason to believe the result would look materially different (day-of-week effects, novelty effects)?
43
+
44
+ If any of these cannot be answered, the significance claim is unverified, not confirmed.
45
+
46
+ ## High-risk assumptions to kill
47
+
48
+ - "It says p < 0.05 so it's real" — without knowing the analysis method and monitoring history, a p-value alone proves nothing.
49
+ - "We checked it every day and stopped as soon as it looked good" — this is the textbook peeking failure mode, not diligence.
50
+ - "We'll just ship whichever metric moved" — post-hoc metric selection without pre-registration is multiple-comparisons noise, not a finding.
51
+
52
+ ## When to push back
53
+
54
+ Push back if the user asks to:
55
+
56
+ - ship a result based on a metric that was not the pre-registered primary metric,
57
+ - stop a fixed-horizon experiment early because an interim dashboard check crossed a significance threshold,
58
+ - skip a minimum-runtime requirement because an early read "already looks clearly positive,"
59
+ - run an experiment with no declared guardrail metrics on latency, errors, or adjacent business metrics.
60
+
61
+ Those are not efficiency gains. They are how false positives become shipped product decisions.
@@ -0,0 +1,73 @@
1
+ ---
2
+ name: pwa-offline-readiness-review
3
+ description: Validates installability against W3C manifest criteria and tests real offline navigation behavior end to end, rejecting a manifest-schema-valid but practically non-installable or non-functional-offline PWA.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: operational
10
+ ---
11
+
12
+ # PWA Offline Readiness Review
13
+
14
+ ## Purpose
15
+
16
+ A `manifest.json` that passes JSON-schema validation, and a Lighthouse PWA badge that reads 100, both prove far less than they appear to. The W3C manifest spec, `beforeinstallprompt` behavior, and offline-fallback rendering are three separate systems that must each work — a pass on one says nothing about the other two. The common failure mode is "checklist theater": a team ships a schema-valid manifest and a registered service worker, calls the app a PWA, and only discovers in production that the install banner never fires (`display: browser` left at a framework default) or that a network drop shows the browser's stock offline error page instead of a designed fallback. This skill performs the end-to-end verification — install criteria against the live origin, service-worker activation state, and an actual offline-throttle navigation test — that a static manifest read cannot substitute for.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - audit whether an app is a "real" installable PWA, not just manifest-schema-valid,
23
+ - debug why the install prompt / `beforeinstallprompt` never fires despite a Lighthouse PWA pass,
24
+ - review offline-fallback behavior, or debug a network drop showing the browser's default error page instead of a designed offline page,
25
+ - validate manifest fields (`name`, icons, `start_url`, `scope`, `display`) against W3C installability criteria before a release.
26
+
27
+ ## When not to use
28
+
29
+ - Caching-strategy correctness for an already-installable app (route classification, `CacheFirst` vs. `NetworkFirst`, authenticated-response caching risk) — hand off to `service-worker-cache-strategy-review`; that skill owns caching-strategy depth and this one does not duplicate it.
30
+ - General HTTP `Cache-Control`/CDN caching review with no manifest or service-worker installability question involved.
31
+
32
+ ## Context7 Documentation Protocol
33
+
34
+ Manifest-injection defaults, precache-manifest generation, and offline-fallback wiring differ by framework PWA plugin and by version — never assert a gap is "the app's fault" without checking the plugin's current documented default first.
35
+
36
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded in this session.
37
+ 2. Always ground manifest-field and installability-criteria claims against the W3C manifest spec directly (`official_docs`), not a vendor summary of it — vendor blog posts routinely lag or simplify the spec's `display`/`purpose`/icon-size language.
38
+ 3. If the project uses `vite-plugin-pwa`, resolve `/websites/vite-pwa-org_netlify_app` and query its manifest-generation, `generateSW`/`injectManifest`, and precache `globPatterns`/`maximumFileSizeToCacheInBytes` behavior before asserting an asset or route is missing from precache "because the app didn't configure it" — the plugin has documented defaults and size ceilings that silently exclude assets.
39
+ 4. If the project uses `next-pwa` (`@ducanh2912/next-pwa`), resolve `/ducanhgh/next-pwa` and query its `fallbacks` config (`document`/`data`/`image`/`audio`/`video`/`font`) and default-offline-page conventions (`pages/_offline.tsx` / `app/~offline/page.tsx`) before concluding a fallback route is absent — the plugin auto-wires a default path if the file exists at the conventional location.
40
+ 5. If the underlying precaching/fallback mechanism is hand-rolled Workbox (not a framework plugin), resolve `/googlechrome/workbox` and query `offlineFallback`/`setCatchHandler`/`precacheAndRoute` semantics — confirm whether the fallback handler checks the precache before an `offline-fallbacks` cache, since a bug in that check order is a common cause of the fallback silently failing.
41
+ 6. Query for the exact behavior in question per review, not from memory of a prior session — plugin defaults and Workbox recipe internals change across major versions.
42
+ 7. If Context7 is unavailable or has no relevant match, fall back to `official_docs` / the bundled references, and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
43
+ 8. Never invent a manifest field, plugin config key, or Workbox API that no queried source confirms.
44
+
45
+ ## Lean operating rules
46
+
47
+ - Verify HTTPS on the actual target origin first — the W3C-implementing browsers refuse installability outright without it (localhost is the only common documented exception); if HTTPS is not confirmed, stop there, because every downstream installability check is moot until it is fixed.
48
+ - Treat `display: browser` as a deliberate product choice to surface and confirm with the user, not a silent bug to "fix" — it is valid per spec, but it disqualifies the install-prompt flow by design, and teams frequently leave it at a framework default without realizing the consequence.
49
+ - Do not declare an app "installable" from manifest JSON validity alone — confirm HTTPS, a service worker that reaches the `activate` state, and a qualifying `display` value together; each is independently necessary and none is sufficient alone.
50
+ - Do not declare an app "offline-ready" from precache-manifest file lists or service-worker registration code alone — perform an actual DevTools offline-throttle navigation to a previously unvisited route and observe what renders; precaching and route-matching are separate concerns, and a precached fallback page with an unmatched route still fails offline.
51
+ - Confirm the offline-fallback page is itself guaranteed precached, including its own dependencies (fonts, inline API calls, images) — a fallback page that depends on an uncached asset fails to render exactly when it is needed.
52
+ - Treat the Lighthouse PWA category score as a secondary, corroborating signal only — it can pass on stale audit state and does not reproduce the live `beforeinstallprompt` browser signal; require the manual browser-session listener test as the primary proof of installability.
53
+ - Flag any `start_url`, icon, or fallback-asset reference pointing to an HTTP origin or an unpinned third-party CDN — a mixed-content or unverifiable icon source undermines both installability and the fallback page's guarantee of availability.
54
+ - Never recommend caching user-specific or authenticated content inside the offline-fallback route — it must render identically and safely for any unauthenticated network-offline visitor; if the app's fallback design leaks account state, that is a blocker, not a caching-strategy nuance for the sibling skill to solve.
55
+ - Label every claim as `live evidence`, `spec-cited`, `documentation-based`, or `inference` so the reviewer knows what was actually tested versus reasoned about from file contents.
56
+
57
+ ## References
58
+
59
+ Load these only when needed:
60
+
61
+ - [W3C manifest installability checklist](references/manifest-installability-checklist.md) — use when validating manifest field-by-field against W3C installability criteria (`name`/`short_name`, icons, `start_url`/`scope`, `display`) and when diagnosing a missing install prompt.
62
+ - [Offline fallback precache patterns](references/offline-fallback-precache-pattern.md) — use when reviewing how the offline-fallback route is registered and precached, across hand-rolled Workbox, `vite-plugin-pwa`, and `next-pwa` conventions.
63
+ - [Live installability and offline verification protocol](references/live-verification-protocol.md) — use for the step-by-step manual test procedure (HTTPS check, service-worker activation, `beforeinstallprompt` listener, DevTools offline-throttle navigation) and for interpreting Lighthouse-vs-live divergence.
64
+
65
+ ## Response minimum
66
+
67
+ Return, at minimum:
68
+
69
+ - pass/fail verdict per W3C installability field (HTTPS, `name`/`short_name`, icons, `start_url`/`scope`, `display`), each labeled with its evidence level,
70
+ - service-worker registration and activation status (not just "registered" — confirm `activate` was reached),
71
+ - the actual (not inferred) offline-navigation test result for at least one previously unvisited route, and the offline-fallback page's precache/dependency-precache status,
72
+ - explicit note on whether `display` disqualifies install prompts by design and whether that was confirmed as intentional with the user,
73
+ - a handoff note to `service-worker-cache-strategy-review` if the gap identified is a caching-strategy implementation detail rather than an installability/offline-navigation gap.
@@ -0,0 +1,29 @@
1
+ {
2
+ "id": "pwa-offline-readiness-review",
3
+ "name": "PWA Offline Readiness Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Validates installability against W3C manifest criteria and tests real offline navigation behavior end to end, rejecting a manifest-schema-valid but practically non-installable or non-functional-offline PWA.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://w3c.github.io/manifest/",
18
+ "https://web.dev/articles/installable-manifest",
19
+ "https://web.dev/articles/offline-fallback-page",
20
+ "https://developer.mozilla.org/en-US/docs/Web/Progressive_web_apps/Manifest",
21
+ "https://developer.mozilla.org/en-US/docs/Web/API/BeforeInstallPromptEvent",
22
+ "https://web.dev/articles/lighthouse-pwa"
23
+ ],
24
+ "security_notes": "Manifest and service-worker files must be served over HTTPS (a hard W3C/browser installability requirement, not a preference); flag any start_url or icon reference pointing to an HTTP origin or third-party CDN without integrity guarantees. Do not recommend caching the offline-fallback page's embedded data if it contains anything user-specific/authenticated -- the fallback route must be static/public content only.",
25
+ "last_verified": "2026-07-02",
26
+ "path": "skills/frontend/pwa-offline-readiness-review",
27
+ "author": "github: Raishin",
28
+ "version": "0.1.0"
29
+ }
@@ -0,0 +1,67 @@
1
+ # Live Installability and Offline Verification Protocol
2
+
3
+ Use this reference for the step-by-step manual test procedure that turns a static-file read into an evidence-backed verdict, and for interpreting divergence between the Lighthouse PWA category score and live browser behavior.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "Lighthouse gave the PWA category a 100, so it's installable and offline-ready."
10
+
11
+ Wrong, or at least insufficient. Lighthouse's PWA audit historically diverges from live installability criteria for several documented reasons: it can run against a cached or stale service-worker state, it evaluates a fixed audit checklist that has changed across Lighthouse versions (some historical PWA-specific badge criteria were deprecated/removed from newer Lighthouse releases entirely), and — critically — it does not reproduce the actual `beforeinstallprompt` event firing in a live user session, which is the real signal a browser uses to decide whether to show an install affordance. A high Lighthouse score is a corroborating signal, not proof.
12
+
13
+ ## Step-by-step protocol
14
+
15
+ ### 1. Confirm HTTPS on the actual deployed origin
16
+
17
+ Check the origin Lighthouse (or any static review) was run against versus the actual production/target origin. It is a common gap for a review to validate a staging or preview URL that differs in TLS configuration from the real deployment target. Record this as `live evidence` only if checked against the real target origin; otherwise label `documentation-based` / `inference`.
18
+
19
+ ### 2. Confirm service-worker registration reaches `activate`
20
+
21
+ In a real browser session (DevTools > Application > Service Workers), confirm:
22
+ - a service worker is listed for the correct scope,
23
+ - its status is `activated and is running` (not merely `installed` or stuck in `waiting`),
24
+ - there are no registration errors in the console (common causes of registration failure: scope mismatch between the registering script's location and the intended `scope`, a JavaScript error thrown during script evaluation, or an incorrect MIME type served for the service-worker script causing the browser to refuse it).
25
+
26
+ A service worker that never reaches `activate` cannot serve precached content or a fallback route, regardless of what the source code says it should do.
27
+
28
+ ### 3. Listen for `beforeinstallprompt` directly
29
+
30
+ In a real browser session on the target origin, add a listener before any other interaction:
31
+
32
+ ```js
33
+ window.addEventListener('beforeinstallprompt', (e) => {
34
+ console.log('beforeinstallprompt fired', e);
35
+ });
36
+ ```
37
+
38
+ If this event never fires despite all manifest and service-worker criteria appearing correct on paper, treat that as the authoritative negative signal and re-check (in order): `display` value, HTTPS on the exact origin under test, service-worker `activate` state, and whether the browser under test has already recorded a prior install/dismissal for this origin (some browsers suppress repeat prompts for a cooldown period after a user dismisses one — check for a documented per-browser dismissal-cooldown behavior before concluding the app itself is broken).
39
+
40
+ ### 4. Offline-throttle navigation test (the non-negotiable step)
41
+
42
+ This is the step most reviews skip, and skipping it is the single most common cause of a false "offline-ready" verdict.
43
+
44
+ 1. Load the app normally first (to allow the service worker to install/activate and precache assets).
45
+ 2. In DevTools > Network, set throttling to **Offline** (not just slow 3G — must be a hard offline state to exercise the fallback path, not a slow-network path).
46
+ 3. Navigate to a route the user has **not** previously visited in this session (revisiting an already-cached page proves only that specific page's cache entry works, not the fallback mechanism).
47
+ 4. Observe what renders:
48
+ - **The browser's default offline error page (e.g., the dinosaur game / "No internet" interstitial)** — the fallback route/catch-handler is missing, misconfigured, or the fallback document itself was not precached. This is a hard fail; report per `references/offline-fallback-precache-pattern.md`.
49
+ - **The app's designed offline page** — record as `live evidence` pass. Additionally confirm the page rendered with its full intended styling/images (a fallback page that renders as unstyled HTML because its CSS was not precached is a partial fail, not a full pass).
50
+ 5. While still offline, attempt navigation to a second previously-unvisited route to confirm the fallback is not a one-off fluke tied to a specific route's cache warm state.
51
+
52
+ ### 5. Confirm the fallback page's own dependencies
53
+
54
+ With DevTools still offline, inspect the rendered fallback page's network panel for any failed sub-resource requests (fonts, inline API calls, tracking scripts). A fallback page that fails to render its intended appearance because of an uncached font or a blocking synchronous API call is a partial failure — report it distinctly from a fully missing fallback.
55
+
56
+ ## Interpreting Lighthouse-vs-live divergence
57
+
58
+ | Lighthouse PWA signal | Live signal | Verdict |
59
+ |---|---|---|
60
+ | High score | `beforeinstallprompt` fires, offline test passes | Corroborated pass — cite both. |
61
+ | High score | `beforeinstallprompt` never fires | Live signal wins. Report the divergence explicitly and investigate `display`, origin mismatch, or per-browser dismissal-cooldown before concluding a manifest defect. |
62
+ | High score | Offline navigation shows default browser error page | Live signal wins. This is the checklist-theater failure mode this skill exists to catch — report as a blocker regardless of the Lighthouse score. |
63
+ | Low/missing score | Live signals pass | Investigate why Lighthouse diverges (stale audit run, outdated Lighthouse version, audit run against wrong origin) before treating the live pass as unreliable — a passing live test is still the stronger evidence. |
64
+
65
+ ## Verdict discipline
66
+
67
+ Never present a Lighthouse score alone as proof of either installability or offline readiness in the final response. Every "offline-ready" or "installable" verdict in the response must cite the specific live test performed (service-worker activation check, `beforeinstallprompt` listener result, offline-throttle navigation outcome) as the primary evidence, with Lighthouse noted only as a secondary, corroborating data point.
@@ -0,0 +1,41 @@
1
+ # W3C Manifest Installability Checklist
2
+
3
+ Use this reference when validating a `manifest.json` field-by-field against W3C installability criteria, or when diagnosing why an install prompt never appears.
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > "My `manifest.json` validates against the schema, so my app is installable."
10
+
11
+ That is incomplete. Schema validity (correct JSON shape, valid enum values) and installability (the specific subset of fields and runtime conditions a browser actually requires before it will fire `beforeinstallprompt`) are different bars. A manifest can be perfectly schema-valid and still never trigger an install prompt, because installability additionally depends on:
12
+
13
+ 1. **transport** — the manifest and its origin must be served over HTTPS,
14
+ 2. **service-worker presence** — most implementing browsers additionally require an active, fetch-handling service worker before treating the app as installable, not the manifest alone,
15
+ 3. **specific field values**, not just field presence — a `display` value of `browser` is schema-valid but disqualifies the install flow by design.
16
+
17
+ ## Field-by-field checklist (W3C manifest spec)
18
+
19
+ Work through each field and record a pass/fail with evidence label (`spec-cited`, `live evidence`, `documentation-based`, or `inference`):
20
+
21
+ - **`name` / `short_name`** — at least one must be present and non-empty; `short_name` is used where display space is constrained (home-screen label). Missing both is an outright installability blocker.
22
+ - **`icons`** — at least one icon meeting the browser's minimum size requirement (commonly a 192×192 and/or 512×512 PNG/SVG/WebP entry is expected by major implementations, though the spec itself does not hardcode a single universal minimum — cite the specific browser's documented threshold, do not assume one number applies everywhere). Check `purpose` values (`any`, `maskable`, `monochrome`) are correctly set — a maskable-only icon set with no `any` fallback can render badly on platforms that do not support maskable icons.
23
+ - **`start_url`** — must resolve to a same-origin (or explicitly permitted scope-relative) URL. Verify it is not a URL that 404s or redirects to a different origin.
24
+ - **`scope`** — must contain `start_url`. If `scope` is narrower than the app's actual navigable routes, navigations outside `scope` will open in a regular browser tab/window even from an installed app, breaking the installed-app experience.
25
+ - **`display`** — must be one of `standalone`, `fullscreen`, or `minimal-ui` for the app to be eligible for the install-prompt flow at all. `display: browser` is spec-valid but is explicitly the "opt out of app-like display" value; if found, treat it as a deliberate choice to confirm with the user, not a bug to silently patch.
26
+ - **`theme_color` / `background_color`** — not installability-blocking per spec, but their absence produces a visibly broken splash-screen/status-bar experience during install and first launch; flag as a quality issue, not a hard blocker.
27
+ - **`id`** (where supported) — used to distinguish app identity across updates to `start_url`; note if absent on a manifest that has changed `start_url` historically, since that can cause duplicate installs.
28
+
29
+ ## HTTPS is not optional
30
+
31
+ The W3C manifest spec and every major implementing browser refuse to treat an app as installable over plain HTTP (the common documented exception is `localhost` for local development). This is a transport-layer precondition, not a manifest field — check it first, separately from the field-by-field pass, because no amount of manifest correctness compensates for a missing HTTPS origin.
32
+
33
+ ## Service worker as a co-requirement
34
+
35
+ A manifest satisfying every field above does not by itself make most browsers fire `beforeinstallprompt`. The commonly documented additional requirement is a registered service worker that reaches the `activate` lifecycle state and handles at least the `fetch` event for the page. Confirm activation state directly (see `references/live-verification-protocol.md`) rather than assuming registration code in the source implies a running, activated worker in the deployed environment.
36
+
37
+ ## Common false negatives to rule out before blaming the manifest
38
+
39
+ - The manifest `<link rel="manifest">` tag is present in HTML but points to a 404 or a path blocked by CSP/robots rules.
40
+ - The manifest is served with an incorrect `Content-Type` that the browser refuses to parse as a manifest.
41
+ - A framework PWA plugin (see `references/offline-fallback-precache-pattern.md`) generated a manifest with `display: browser` as its own default, unrelated to any explicit app configuration — verify the plugin's current documented default via Context7 before concluding the app team made this choice deliberately.
@@ -0,0 +1,65 @@
1
+ # Offline Fallback Precache Patterns
2
+
3
+ Use this reference when reviewing how an app's offline-fallback route is registered and guaranteed-precached, across hand-rolled Workbox, `vite-plugin-pwa`, and `next-pwa` conventions. Query Context7 for the specific plugin/version in scope before asserting a default (see the Context7 Documentation Protocol in `SKILL.md`) — the exact config keys and default file paths below are current as queried, but plugin defaults change across major versions.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > "I have a service worker and it precaches my app shell, so offline works."
10
+
11
+ Wrong. Precaching an asset and having a route match a failed navigation to a fallback are two independent mechanisms. An app can precache a hundred files and still show the browser's default offline error page on every dropped-network navigation, because nothing registered a catch handler that serves a specific fallback document for failed `document`-destination requests. Conversely, an app can have a beautifully designed `/offline.html` page that is never precached, so the one time it is needed — when the network is down — the browser cannot fetch it either.
12
+
13
+ Both halves — a precached fallback document, and a route/catch-handler that serves it on navigation failure — must be verified independently.
14
+
15
+ ## Officially grounded shape (per queried sources)
16
+
17
+ ### Hand-rolled Workbox (`workbox-recipes` `offlineFallback` / `workbox-routing` `setCatchHandler`)
18
+
19
+ The documented pattern (`workbox-recipes/src/offlineFallback.ts`) sets a global catch handler keyed on `request.destination`:
20
+
21
+ - for `document` (navigation) requests, it looks up the fallback page first via `matchPrecache(pageFallback)`, then falls back to a secondary `workbox-offline-fallbacks` cache,
22
+ - optionally does the same for `image` and `font` destinations,
23
+ - returns `Response.error()` if neither matches — meaning if the fallback page itself was never precached and never separately cached, the catch handler produces a network error rather than a rendered page.
24
+
25
+ Review checklist for a hand-rolled implementation:
26
+ - Confirm the fallback page path passed to `offlineFallback()` (or an equivalent hand-written `setCatchHandler`) is one of the entries in the `precacheAndRoute()` manifest, not just a same-looking path.
27
+ - Confirm `precacheAndRoute()` was actually called (not just `precache()` alone) — `precache()` without `addRoute()`/`precacheAndRoute()` populates the cache but does not register the intercepting route, meaning normal navigations to precached pages would fall through to network first (relevant to caching-strategy review, but also affects whether the fallback lookup via `matchPrecache` finds a served entry).
28
+ - Confirm the catch handler is registered globally (`setCatchHandler`), not only on a subset of routes, or navigations outside those routes will surface the raw browser error page.
29
+
30
+ ### `vite-plugin-pwa` (Vite / `generateSW` or `injectManifest`)
31
+
32
+ `vite-plugin-pwa` does not auto-designate an offline-fallback page by default — precache coverage is controlled by `workbox.globPatterns` (which files get swept into the precache manifest) and `workbox.maximumFileSizeToCacheInBytes` (default documented ceiling around 2 MiB; assets above it are silently excluded from precache even if `globPatterns` would otherwise match them). Review checklist:
33
+ - Confirm the offline-fallback HTML file's glob pattern is actually included in `globPatterns` (a common gap: `globPatterns: ['**/*.{js,css,html}']` looks like it covers an `offline.html`, but if the file lives outside the configured `public`/build output directory scanned by the plugin, it will not appear in the manifest).
34
+ - Confirm the fallback file is under the size ceiling, or that `maximumFileSizeToCacheInBytes` was explicitly raised for it.
35
+ - Because `vite-plugin-pwa` does not wire the catch-handler/fallback-routing logic for you by default under `generateSW`, confirm the project either uses `injectManifest` with a custom service-worker source implementing `offlineFallback`/`setCatchHandler`, or has added equivalent `runtimeCaching` navigation-fallback configuration. Do not assume "precached" implies "served as a navigation fallback" — verify the routing half separately, per the "what people get wrong" framing above.
36
+
37
+ ### `next-pwa` (`@ducanh2912/next-pwa`)
38
+
39
+ This plugin's documented `fallbacks` option explicitly separates fallback routes by destination (`document`, `data`, `image`, `audio`, `video`, `font`), each pointing to a precached path, e.g.:
40
+
41
+ ```js
42
+ fallbacks: {
43
+ document: "/~offline",
44
+ data: "/fallback.json",
45
+ image: "/fallback.webp",
46
+ }
47
+ ```
48
+
49
+ Its internal fallback handler (`self.fallback`) branches on `request.destination` and matches against those precached paths via `caches.match(fallbackResponse, { ignoreSearch: true })`, returning `Response.error()` if no destination-specific fallback is configured. Review checklist:
50
+ - If no explicit `fallbacks.document` is configured, confirm whether the project instead relies on the plugin's documented convention path (`pages/_offline.tsx` or `app/~offline/page.tsx`) — the plugin auto-wires a default at that conventional location if the file exists; absence of explicit config is not automatically a gap if the convention file is present.
51
+ - If neither explicit `fallbacks.document` nor the convention file exists, the app has no navigation fallback at all — this is the direct cause of a raw browser offline error page and should be reported as a blocker, not a style nit.
52
+ - Confirm the fallback path itself is excluded from any auth-gating middleware — a fallback route that requires authentication to render defeats its own purpose during an offline navigation.
53
+
54
+ ## Minimal safe verification flow
55
+
56
+ 1. Identify which of the three patterns above (hand-rolled Workbox, `vite-plugin-pwa`, `next-pwa`) the project uses; do not assume, check the dependency and config file.
57
+ 2. Confirm the specific fallback document path is present in the generated/inspectable precache manifest (build output, or DevTools Application > Cache Storage after first load).
58
+ 3. Confirm a catch-handler/fallback route actually exists and targets that exact path — not merely that the path is precached.
59
+ 4. Run the live offline-throttle navigation test from `references/live-verification-protocol.md` to confirm the fallback actually renders end to end; steps 1–3 alone are necessary but not sufficient proof.
60
+
61
+ ## High-risk assumptions to kill
62
+
63
+ - "It's in the precache manifest, so offline works." — precache and fallback-routing are separate mechanisms; both must be verified.
64
+ - "The plugin handles this by default." — only true for the specific documented convention path/config key for that plugin and version; verify via Context7, do not assume parity across `vite-plugin-pwa` and `next-pwa` defaults.
65
+ - "The fallback page has no external dependencies, so it's safe offline." — verify this; a fallback page pulling a web font from a CDN, or making an inline API call for personalization, fails exactly when offline.