@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (875) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15393 -12593
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +5 -4
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/export-marketplace-agents.mjs +48 -15
  333. package/scripts/generate-docs-data.mjs +1 -0
  334. package/scripts/generate-kiro-powers.mjs +12 -0
  335. package/scripts/update-catalog-new-agents.py +6 -1
  336. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  340. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  341. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  342. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  344. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  345. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  346. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  348. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  353. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  354. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  355. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  356. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  357. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  358. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  359. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  360. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  361. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  362. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  363. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  368. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  374. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  375. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  376. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  377. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  378. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  379. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  380. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  381. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  382. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  383. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  384. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  385. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  386. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  387. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  390. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  391. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  392. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  393. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  394. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  395. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  396. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  399. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  404. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  405. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  406. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  407. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  408. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  409. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  410. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  411. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  413. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  414. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  415. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  418. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  419. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  420. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  422. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  423. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  424. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  425. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  426. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  427. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  434. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  439. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  443. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  444. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  445. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  446. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  447. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  448. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  449. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  454. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  459. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  460. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  461. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  463. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  464. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  465. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  469. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  470. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  471. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  472. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  473. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  474. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  475. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  476. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  479. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  484. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  485. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  486. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  489. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  494. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  495. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  496. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  498. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  499. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  500. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  503. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  507. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  512. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  513. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  514. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  515. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  516. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  517. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  523. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  524. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  525. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  528. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  529. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  530. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  534. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  535. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  536. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  539. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  540. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  541. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  542. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  543. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  548. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  549. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  550. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  551. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  552. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  553. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  554. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  555. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  556. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  557. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  558. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  559. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  564. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  569. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  570. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  571. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  572. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  573. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  574. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  579. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  583. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  584. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  585. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  587. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  592. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  593. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  594. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  595. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  596. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  597. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  598. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  599. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  602. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  607. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  608. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  609. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  613. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  614. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  615. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  616. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  617. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  618. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  619. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  620. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  621. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  622. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  623. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  624. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  629. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  671. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  713. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  714. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  725. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  736. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  764. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  775. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  786. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  797. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  808. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  819. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  830. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  841. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  861. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  872. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  873. package/tests/test-vfa-export-coverage.test.mjs +30 -0
  874. package/tests/validate-catalog.py +1 -0
  875. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,67 @@
1
+ ---
2
+ name: sveltekit-routing-load-review
3
+ description: Statically review SvelteKit route files (+page.js, +page.server.js, +layout.js, +layout.server.js, +server.ts) to verify universal-vs-server load placement, catching server-only secrets, database clients, or privileged API access that would leak into or execute inside the browser.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: architecture
10
+ ---
11
+
12
+ # SvelteKit Routing & Load Function Review
13
+
14
+ ## Purpose
15
+
16
+ Review SvelteKit route files for correct universal-vs-server `load` function placement without re-litigating progressive-enhancement UX, form-action design, or component styling in every response. This skill exists because SvelteKit's universal `load` functions (`+page.js` / `+layout.js`) run on the server for the initial SSR render **and again in the browser** on every subsequent client-side navigation — a fact that is routinely missed and turns a misplaced database call or secret reference into a client-side credential exposure, not just a style defect.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review a new or changed SvelteKit route's `load` functions before merge,
23
+ - investigate a secret, database error, or unexpected network call surfacing in the browser console or network tab for a SvelteKit route,
24
+ - determine whether data-fetching for a given route is placed in the correct file (`+page.js` vs `+page.server.js`, `+layout.js` vs `+layout.server.js`),
25
+ - audit `+layout`/`+page`/`+server` file precedence for a route tree.
26
+
27
+ Do not use this skill for:
28
+
29
+ - progressive-enhancement or `<form>` action / `use:enhance` UX review — use `sveltekit-progressive-enhancement-review` instead,
30
+ - pure component-internal state with no `load` function involved,
31
+ - live performance profiling of load waterfalls — that needs runtime tracing, not static review.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ - Resolve the library ID with `resolve-library-id` (matched result: `/sveltejs/kit`) before citing any SvelteKit-specific claim.
36
+ - Before asserting the universal-vs-server execution model, call `query-docs` against `/sveltejs/kit` for "load functions" and quote the precise rule: a universal `load` (`+page.js`/`+layout.js`) runs on the server during SSR and hydration, then runs **again in the browser** on every subsequent client-side navigation (or always in the browser if SSR is disabled / the route is a SPA); a server `load` (`+page.server.js`/`+layout.server.js`) always runs only on the server. If both exist for a route, the server `load` runs first and its return value becomes the `data` property passed into the universal `load`.
37
+ - Verify the SvelteKit major version installed in the repo (`package.json`) before asserting version-specific behavior of `$env/static/private` / `$env/dynamic/private` enforcement or server-only module protection — this has evolved across releases (private `$env/*` client-side imports were blocked starting in a 1.0-pre release).
38
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
39
+ - Never assume a repo's SvelteKit config (`kit.env.privatePrefix`, adapter, `ssr`/`csr` page options) matches defaults without reading `svelte.config.js` and any per-route page-option exports — page options change when/whether a universal `load` ever runs on the server at all.
40
+
41
+ ## Lean operating rules
42
+
43
+ - First classify every load-bearing route file as universal (`+page.js`, `+layout.js`) or server (`+page.server.js`, `+layout.server.js`) by filename suffix alone — never by guessing from content or route name.
44
+ - Treat every universal `load` function as browser-reachable code, full stop. It is not "mostly server-side" or "server-side on first load" — SvelteKit re-runs it client-side on every subsequent navigation by default.
45
+ - Do not assume SvelteKit's build-time `$env/static/private` / `$env/dynamic/private` import guard catches every leak. It blocks direct imports of those modules from client-reachable files, but it does not catch manual `process.env` reads, a `$lib/server`-protected module re-exporting a secret through a non-`.server` module, or a secret being copied into the plain object a server `load` returns.
46
+ - Trace secrets and DB clients through the full import graph, including transitive `$lib` imports — a universal `load` that imports an innocuous-looking `$lib/utils.js` which itself imports `$lib/server/db.js` is still a leak path (and SvelteKit's server-only module protection should catch that specific case at build time; verify it does, do not assume).
47
+ - Treat any private value present in the plain object a server `load` (or `+layout.server.js`) returns as a candidate leak the moment a universal `load`, a client component, or `page.data`/`$page.data` can read it — server `load` output crosses the server/client boundary via devalue serialization, it is not automatically safe just because it originated server-side.
48
+ - Never mark a `+page.server.js` or `+layout.server.js` file itself as a browser-exposure risk for containing secrets or DB calls — those files are always server-only by SvelteKit's routing contract; the risk is in what they choose to *return*, not that they execute.
49
+ - Do not flag deep or repeated `+layout.server.js` logic as a leak; flag it as a MEDIUM duplication/maintainability finding only, distinct from HIGH-severity leak findings.
50
+ - Never execute, build, or run application code as part of this review; this is a static-review skill (Read/Grep/Glob only).
51
+
52
+ ## References
53
+
54
+ Load these only when needed:
55
+
56
+ - [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the leak-tracing decision tree, and the required output shape.
57
+ - [Routing conventions](references/routing-conventions.md) — load only when `+layout`/`+page`/`+server` file precedence or route-tree structure (not just load placement) is in question.
58
+
59
+ ## Response minimum
60
+
61
+ Return, at minimum:
62
+
63
+ - the route(s) and file(s) in scope, each labeled universal or server load,
64
+ - ranked findings with file:line evidence and the full import/data-flow trace for any leak finding,
65
+ - evidence level per finding (`repo evidence`, `documentation-based`, or `inference`),
66
+ - verdict (approve / approve-with-notes / block),
67
+ - open questions or scope the review could not cover (e.g., unverified `svelte.config.js` env prefix, unread transitive `$lib` module).
@@ -0,0 +1,27 @@
1
+ {
2
+ "id": "sveltekit-routing-load-review",
3
+ "name": "SvelteKit Routing & Load Function Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews SvelteKit route files for correct universal-vs-server load placement, preventing server-only logic from executing in the browser.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://kit.svelte.dev/docs/load",
18
+ "https://kit.svelte.dev/docs/routing",
19
+ "https://svelte.dev/docs/kit/load",
20
+ "https://svelte.dev/docs/kit/routing"
21
+ ],
22
+ "security_notes": "Server-only secrets, database clients, or privileged third-party API keys reachable from a +page.js/+layout.js (universal load, which runs in the browser too) is a credential-exposure defect — escalate as HIGH, not a style preference. Static-review-only skill: it reads and greps route source but never executes, builds, or runs application code.",
23
+ "last_verified": "2026-07-02",
24
+ "path": "skills/frontend/sveltekit-routing-load-review",
25
+ "author": "github: Raishin",
26
+ "version": "0.1.0"
27
+ }
@@ -0,0 +1,35 @@
1
+ # Routing Conventions: File Roles and Precedence
2
+
3
+ Use this reference only when a review also needs to assess `+layout`/`+page`/`+server` file precedence or route-tree structure — not for a load-placement-only review (see `workflow-and-output.md` for that).
4
+
5
+ ## Officially grounded file roles
6
+
7
+ Per SvelteKit's routing documentation:
8
+
9
+ - **`+page.svelte`** — the component rendered for a route.
10
+ - **`+page.js`** — exports a universal `load` (typed `PageLoad`). Runs on the server during SSR/hydration, then again in the browser on subsequent client-side navigations (subject to page options).
11
+ - **`+page.server.js`** — exports a server `load` (typed `PageServerLoad`), always server-only. Renaming `+page.js` to `+page.server.js` is the documented mechanism for moving a load function that needs a database or private env var out of universal-execution scope. Can also export form `actions`.
12
+ - **`+layout.svelte`** — wraps child routes; layouts nest by directory structure.
13
+ - **`+layout.js` / `+layout.server.js`** — same universal/server split as page equivalents, but the returned data is available to the layout's own component and to every child route via `await parent()`.
14
+ - **`+server.js`/`+server.ts`** — exports HTTP method handlers (`GET`, `POST`, etc.) for a route, making it an API endpoint rather than a page. Always server-only.
15
+
16
+ ## Precedence and data flow
17
+
18
+ - If a route has both a server `load` and a universal `load` (e.g., `+page.server.js` and `+page.js` in the same directory), **the server `load` runs first**. Its return value becomes the `data` property on the `LoadEvent` passed into the universal `load`. Do not describe these as running "in parallel" or "independently" — they are sequential and dependent.
19
+ - A server `load`'s return value must be serializable via devalue (JSON-representable types plus `BigInt`, `Date`, `Map`, `Set`, `RegExp`, and repeated/cyclical references). A universal `load` has no such restriction and may return non-serializable values (component constructors, class instances, functions) — this asymmetry is a useful signal during review: if a "server load" is returning something devalue cannot serialize, either the classification is wrong or the code will fail at runtime, not just leak.
20
+ - A `+layout.server.js`'s data is available to every nested route's `load` via the `parent()` function — trace `parent()` calls when checking whether a leak in a layout's server `load` return value actually reaches a specific deeply nested universal `load`.
21
+ - Prerendered routes invoke `load` at build time, not per-request — flag this distinction only if the review scope includes prerendering/page-option correctness; it does not change the leak-tracing rules above.
22
+
23
+ ## Review-relevant precedence pitfalls
24
+
25
+ - Do not assume a `+page.server.js` with no corresponding `+page.js` implies the route has no client-reachable data flow — the server `load`'s return value still reaches the client as `data`/`$page.data` for the page component itself, even with no universal `load` present. Apply the same leak-tracing rules from `workflow-and-output.md` regardless of whether a sibling universal `load` exists.
26
+ - Do not assume `+layout.js`/`+layout.server.js` data is scoped narrowly — it is available to the entire subtree beneath that layout, which widens the blast radius of any leak found there compared to a single `+page.js`.
27
+ - A `+server.ts` in the same directory as a `+page.js`/`+page.server.js` is a separate concern from page load functions; do not conflate an API endpoint's own request-handling logic with the page's load-function review unless the page's universal `load` calls that endpoint via `fetch()`, in which case trace the endpoint's response shape for any leaked field the same way you would trace a server `load`'s return value.
28
+
29
+ ## When to push back
30
+
31
+ Push back if the user asks you to:
32
+
33
+ - "just put it in `+page.js` so it fetches faster" when the data source requires a private credential or database access — that is not faster, it is a credential-exposure defect.
34
+ - treat a `+layout.server.js` leak as low-severity because "it's just the layout" — layout-scoped leaks reach a wider client-visible subtree than a single page's leak, not a narrower one.
35
+ - skip verifying the installed SvelteKit version's `$env`/server-only-module enforcement because "the docs say it's blocked" — documentation describes the current release's behavior; it does not prove the repo's pinned version enforces it the same way.
@@ -0,0 +1,60 @@
1
+ # Review Workflow and Findings Contract
2
+
3
+ Use this reference for the step-by-step review procedure, the leak-tracing decision tree, and the required output shape for a SvelteKit routing/load review.
4
+
5
+ > Version note: `$env/*` client-import enforcement and server-only module protection are Vite-plugin-driven and have evolved across SvelteKit releases. Verify the installed `@sveltejs/kit` version in `package.json` before asserting exact enforcement behavior; do not assume the latest documented behavior applies to an older installed version.
6
+
7
+ ## What people get wrong
8
+
9
+ The naive assumption is:
10
+
11
+ > "`+page.js` is the client file and `+page.server.js` is the server file — as long as I don't put a DB call directly in `+page.js`, I'm safe."
12
+
13
+ That is incomplete in two ways:
14
+
15
+ 1. `+page.js` (and `+layout.js`) are **universal** — SvelteKit runs them on the server for the first SSR render, then re-runs them **in the browser** for every subsequent client-side navigation. It is not "the client file"; it is "the file that runs in both places," and the browser-execution half is where secrets leak.
16
+ 2. A secret can leak without ever being imported into a universal `load` file directly — it leaks the moment it appears anywhere inside the plain object a server `load` *returns*, because that object is serialized (via devalue) and shipped to the browser as `data`/`$page.data` regardless of whether anything downstream "needed" it.
17
+
18
+ ## Step-by-step workflow
19
+
20
+ 1. **Inventory route files.** For every route directory in scope, list `+page.js`, `+page.server.js`, `+layout.js`, `+layout.server.js`, and `+server.ts`/`+server.js` present. Classify each by filename suffix alone: `.server.` → server load, otherwise → universal load. Do not infer classification from file content or route name.
21
+ 2. **Confirm page options.** Read any `export const ssr` / `export const csr` in `+page.js`/`+layout.js` for the route. If `ssr = false`, the "universal load runs server-first" assumption is void — the universal load runs client-only, in a SPA-style mount, from the start. If `csr = false`, the universal load never re-runs client-side on navigation (full-page reloads instead) — note this because it changes (lowers) the leak surface but should still be verified rather than assumed.
22
+ 3. **Trace each universal load's imports.** For every `+page.js`/`+layout.js` in scope, follow its import graph, including transitive `$lib` imports, looking for:
23
+ - direct imports from `$env/static/private` or `$env/dynamic/private` (SvelteKit's Vite plugin should block this at build time for client-reachable files — verify the repo's SvelteKit version actually enforces this, do not assume),
24
+ - imports of a module under `$lib/server/` or named `*.server.js`/`*.server.ts` (SvelteKit's server-only module protection should block this too — same verification caveat),
25
+ - manual `process.env.<SECRET>` reads that bypass both of the above guards,
26
+ - a database client (Prisma, Drizzle, raw driver, etc.) instantiated or imported directly.
27
+ 4. **Trace server-`load` return values.** For every `+page.server.js`/`+layout.server.js` in scope, inspect the object literal(s) returned by `load`. Flag any field that is a raw secret, API key, session token, or full DB-record dump not intended for client consumption — that object becomes `data` in the child universal `load` and `$page.data` in every component, i.e. it is client-visible the instant it is returned, independent of whether the universal `load` "does" anything with it.
28
+ 5. **Check route-tree precedence** only if `+layout`/`+page`/`+server` structural correctness is also in question — load `references/routing-conventions.md` for that sub-review.
29
+ 6. **Rank and report findings** per the output shape below.
30
+
31
+ ## Leak-tracing decision tree
32
+
33
+ - Universal `load` (or a module it transitively imports) directly imports `$env/static/private`, `$env/dynamic/private`, or reads `process.env.<SECRET>` → **HIGH**. State whether the repo's SvelteKit version's build-time guard would catch this import path or whether it is a bypass (e.g., `process.env` read, or a non-`.server`-suffixed module outside `$lib/server/` that re-exports a value originally sourced from a private env var).
34
+ - Universal `load` imports a `$lib/server/*` or `*.server.js` module directly → **HIGH** unless the repo's verified SvelteKit version enforces server-only module protection for that exact import path, in which case this is a build-time-blocked case; still flag it as a MEDIUM code-smell (the import should never have been attempted) rather than close the finding silently.
35
+ - Server `load` (`+page.server.js`/`+layout.server.js`) returns an object containing a raw secret, token, or credential intended only for server-to-service calls → **HIGH**, regardless of whether any universal `load` or component currently reads that field. The leak is the serialization to the client, not the eventual consumption.
36
+ - Server `load` output is consumed unchanged by a child universal `load` that then spreads or forwards it further (e.g., into a client-side third-party SDK init call) → **HIGH**, trace and cite both hops.
37
+ - `+page.server.js`/`+layout.server.js` contains a DB call or secret access with no client-visible leak in its return value → **not a finding for this skill**; this is expected, correct placement.
38
+ - Duplicate near-identical server `load` logic repeated across sibling `+page.server.js` files that could be consolidated into a shared `+layout.server.js` → **MEDIUM**, maintainability/duplication, not a security finding.
39
+ - `+server.ts` (API route) referenced by a universal `load`'s `fetch()` call, where the `+server.ts` handler itself correctly guards secrets server-side → **not a finding**; note it as an alternative-pattern observation only if the review scope includes route-tree precedence.
40
+
41
+ ## Adversarial checklist
42
+
43
+ Before closing a review with no HIGH findings, confirm:
44
+
45
+ - Did you classify every file by filename suffix, not by assumption?
46
+ - For every universal `load`, did you check `ssr`/`csr` page options before asserting when/whether it runs server-side vs. client-side?
47
+ - Did you follow *transitive* `$lib` imports, not just the direct imports in the load file itself?
48
+ - Did you inspect the actual object returned by every server `load`, not just whether it "looks like" it fetches sensitive data?
49
+ - Did you verify the installed SvelteKit version's enforcement behavior for `$env/*/private` and server-only modules rather than assuming current docs apply unconditionally?
50
+ - If you found zero leaks, is that because none exist, or because you didn't trace far enough?
51
+
52
+ ## Output shape
53
+
54
+ Every review response must include:
55
+
56
+ 1. **Scope** — routes and files reviewed, each labeled universal-load or server-load (or both, if the route has paired files).
57
+ 2. **Findings** — ranked HIGH → MEDIUM → LOW, each with `file:line`, the classification (misplacement vs. leak vs. duplication), the full import/data-flow trace for any leak finding, and a concrete fix sketch (e.g., "move to `+page.server.js`" or "strip `apiKey` field from the returned object before it reaches `data`").
58
+ 3. **Evidence level** per finding: `repo evidence` (read the actual file/import), `documentation-based` (asserting SvelteKit's enforcement behavior from docs without confirming the installed version), or `inference` (plausible but unverified, e.g., a dynamic import you could not statically resolve).
59
+ 4. **Verdict** — approve / approve-with-notes / block. A single HIGH leak finding is a block.
60
+ 5. **Open questions** — anything the review could not verify (unread `svelte.config.js`, unresolved dynamic import, unconfirmed SvelteKit version).
@@ -0,0 +1,74 @@
1
+ ---
2
+ name: tree-shaking-dead-code-review
3
+ description: Verifies that a bundler's tree-shaking actually eliminated dead code by inspecting output bytes and sideEffects/module-format configuration, rather than trusting a clean build as proof of elimination.
4
+ allowed-tools: Read Grep Glob Bash(npm run build:*)
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: operational
10
+ ---
11
+
12
+ # Tree-Shaking & Dead-Code Review
13
+
14
+ ## Purpose
15
+
16
+ "The build succeeded" and "the code was tree-shaken" are unrelated claims. A production build with zero errors can still ship a fully dead, unreferenced module byte-for-byte, because tree-shaking is not a guaranteed pass — it is a conditional static-analysis optimization that silently no-ops the moment it hits a CJS `require`, a missing or wrong `sideEffects` field, a barrel-file re-export, or a development-mode build. This skill treats "eliminated" as a claim that must be proven from bundle-analyzer output bytes and module lists, before and after, in a production build — never inferred from build success, and never inferred from a `sideEffects: false` change applied without reading the target module for real side effects first, since that specific mistake causes silent runtime breakage (dropped polyfills, dropped CSS injection, dropped security-relevant initialization), not just a size regression.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - verify why a supposedly-unused import is still present in bundle-analyzer output,
23
+ - evaluate whether a new dependency is tree-shakeable before it is added,
24
+ - configure or review a `sideEffects` field in package.json for an app or a library the user is authoring,
25
+ - explain why a `sideEffects: false` change either had no effect or broke something at runtime.
26
+
27
+ ## When NOT to use
28
+
29
+ - General bundle-size triage with no specific dead-code suspicion yet — use `bundle-budget-code-splitting-review` first to establish the numeric budget and rank contributors; hand off here once a specific module is suspected of being fully unused rather than merely heavy.
30
+ - Deciding route- or component-level code-splitting boundaries — that is a splitting-boundary decision, not an elimination-verification decision; `bundle-budget-code-splitting-review` owns it.
31
+ - Diagnosing which Core Web Vitals sub-phase is regressing with no analyzer report yet — hand off to `core-web-vitals-triage` first, return here once dead code is the named suspect.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ Tree-shaking configuration surface differs by bundler and has shifted across majors (Rolldown replacing Rollup inside Vite 7+, webpack's `sideEffects`/`usedExports` interaction, Rollup's `treeshake` preset system). Do not prescribe a fix from memorized training data.
36
+
37
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded this session.
38
+ 2. Call `mcp__Context7__resolve-library-id` for the bundler actually installed in the project (webpack, Rollup, or Vite/Rolldown) before prescribing any `sideEffects` or `treeshake` configuration — do not assume the bundler from the framework name alone.
39
+ 3. Call `mcp__Context7__query-docs` for the specific mechanism in question — e.g. "sideEffects array vs boolean", "treeshake.moduleSideEffects options", "production mode requirement for usedExports" — before ruling on it. Do this per review; do not reuse a prior session's memory of bundler internals.
40
+ 4. Context7-grounded facts to confirm, not assume:
41
+ - webpack: tree-shaking requires `mode: 'production'` (or `optimization.usedExports` explicitly enabled) to take visible effect; `sideEffects: false` in package.json additionally requires `optimization.providedExports` (on by default in production mode) to let webpack drop unused-export modules; a module with real side effects (e.g. CSS imports) must be listed explicitly, e.g. `"sideEffects": ["**/*.css"]`, or that side effect is silently dropped.
42
+ - Rollup: `treeshake` accepts `false`, a preset (`'smallest' | 'safest' | 'recommended'`), or a fine-grained object — `moduleSideEffects` (boolean, `'no-external'`, a string array, or a predicate function) and `propertyReadSideEffects` are the two options most often responsible for either under- or over-aggressive elimination.
43
+ - Vite 7+ ships Rolldown as its production bundler; `build.rollupOptions` is now an alias for `build.rolldownOptions` and is deprecated in favor of it — verify which option surface the installed Vite major actually documents before prescribing config keys.
44
+ 5. If Context7 is unavailable or returns no relevant match for the installed bundler, fall back to `official_docs` and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
45
+ 6. Never invent a bundler config key, CLI flag, or `package.json` field that no queried source confirms.
46
+
47
+ ## Lean operating rules
48
+
49
+ - Require confirmation the build ran in production mode before evaluating any tree-shaking claim. A development-mode build routinely skips or partially applies elimination by design; "it's still there in dev" proves nothing.
50
+ - Determine the suspect dependency's actual module format from its package.json (`exports`/`module` with an `import` condition vs. a `main`/`require`-only CJS entry) — do not infer format from the package's popularity or age. CJS defeats static tree-shaking analysis regardless of bundler, and is the most common silent cause of "unused code that won't go away."
51
+ - Check `sideEffects` in both the app's own package.json and the suspect dependency's package.json. A missing field or `sideEffects: true` tells the bundler to assume every import has a side effect and keep it — this is often correct behavior being mistaken for a bug.
52
+ - Before proposing or accepting `sideEffects: false` on any module, read that module for top-level side-effecting code — global polyfills, CSS-in-JS injection, prototype patching, analytics auto-init, CSP nonce injection, sanitizer initialization. A false `sideEffects: false` claim is a correctness bug that ships silently; it will not show up as a build error.
53
+ - Rule out a barrel-file re-export pattern (`import * as utils from './utils'`, or a package `index.js` that re-exports everything) in the app's own code before blaming the dependency — this is a common tree-shaking blocker that has nothing to do with the dependency's configuration.
54
+ - Never accept "no build errors" or "the build completed" as proof of elimination. Require a bundle-analyzer or output-file diff showing the specific module or byte range is actually absent, taken from a production build, before and after the change.
55
+ - After any `sideEffects: false` change, require a runtime smoke test of the affected surface, not just a rebuild — dropped initialization code fails at runtime, not at build time.
56
+ - Confirm the installed bundler and its major version via Context7 before prescribing exact config syntax — see Context7 Documentation Protocol. Do not assume a memorized API is still current.
57
+
58
+ ## References
59
+
60
+ Load these only when needed:
61
+
62
+ - [Module format and sideEffects field](references/module-format-and-sideeffects.md) — use when determining whether a dependency is ESM or CJS, and when reading or writing the `sideEffects` field in package.json (webpack's flag semantics and the production-mode requirement).
63
+ - [Rollup and Vite treeshake options](references/rollup-vite-treeshake-options.md) — use when the project is Rollup- or Vite/Rolldown-based and the review needs `treeshake.moduleSideEffects`, `propertyReadSideEffects`, or preset-level configuration.
64
+ - [ESM/CJS interop and verification](references/esm-cjs-interop-and-verification.md) — use when the suspect module's format is ambiguous, when CJS interop is suspected as the blocker, and for the before/after diff and runtime-smoke-test verification workflow that closes out every review.
65
+
66
+ ## Response minimum
67
+
68
+ Return, at minimum:
69
+
70
+ - the module format (ESM/CJS) and `sideEffects` field state for both the app and the suspect dependency, cited from the actual package.json content read,
71
+ - confirmation the evidence came from a production-mode build, not development mode,
72
+ - the exact package.json or bundler-config change proposed, with syntax version-confirmed via Context7 against the installed bundler major,
73
+ - the before/after bundle-analyzer byte and module-count diff proving elimination, not just build success,
74
+ - a correctness caveat and runtime-smoke-test requirement whenever `sideEffects: false` is newly applied.
@@ -0,0 +1,28 @@
1
+ {
2
+ "id": "tree-shaking-dead-code-review",
3
+ "name": "Tree-Shaking & Dead-Code Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "codex",
8
+ "claude-code",
9
+ "cursor",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Verifies that a bundler's tree-shaking actually eliminated dead code by inspecting output bytes, module format, and sideEffects/treeshake configuration against a production-mode before/after diff, rather than trusting a clean build as proof of elimination, loaded progressively.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://webpack.js.org/guides/tree-shaking/",
18
+ "https://developer.mozilla.org/en-US/docs/Glossary/Tree_shaking",
19
+ "https://rollupjs.org/configuration-options/#treeshake",
20
+ "https://nodejs.org/api/packages.html#packagejson-and-file-extensions",
21
+ "https://web.dev/articles/reduce-javascript-payloads-with-tree-shaking"
22
+ ],
23
+ "security_notes": "Do not recommend blanket sideEffects: false on a package the reviewer has not verified is actually side-effect-free (e.g., polyfills, CSS imports, analytics auto-init) -- this silently drops required initialization code, which is a correctness bug, not just a size issue, and can remove security-relevant setup such as CSP nonce injection or sanitizer initialization. Require a runtime smoke test, not just a rebuild, after any sideEffects: false change. Do not accept or echo any credential-shaped string found in a pasted build config, package.json, or analyzer report as if it were safe to keep in the transcript.",
24
+ "last_verified": "2026-07-02",
25
+ "path": "skills/frontend/tree-shaking-dead-code-review",
26
+ "author": "github: Raishin",
27
+ "version": "0.1.0"
28
+ }
@@ -0,0 +1,57 @@
1
+ # ESM/CJS Interop and the Verification Workflow
2
+
3
+ Use this reference when the suspect module's format is ambiguous, when CJS interop is suspected as the actual blocker, and for the before/after diff and runtime-smoke-test steps that close out every review in this skill.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > I imported it with `import`, so it's an ES module now.
10
+
11
+ Wrong. Writing `import x from 'pkg'` in your own source does not change what `pkg` itself is. Per Node.js's package.json documentation, a package's actual module system is determined by its own `"type"` field, its `"exports"` map conditions, and file extensions (`.mjs`/`.cjs` override `"type"`) — not by the syntax the *importer* happens to use. Bundlers perform CJS/ESM interop specifically so that `import`-syntax consumers can still consume CJS packages, and that interop is exactly what defeats static tree-shaking: the bundler cannot statically prove which of a CJS module's dynamically-assigned `module.exports` properties are unused, so it must keep the whole thing.
12
+
13
+ ## Diagnosing interop as the cause
14
+
15
+ Before concluding a bundler configuration is wrong, rule out CJS interop as the actual and unfixable-by-config cause:
16
+
17
+ 1. Check the dependency's `package.json` `"exports"` map for an `"import"` condition pointing at a real ESM build. If the only entry is `"require"` or a bare `"main"` pointing at a `.js` file with no `"type": "module"`, the package is CJS-only at that entry point — no bundler `sideEffects` or `treeshake` setting will make it statically analyzable.
18
+ 2. Check whether the package ships *both* CJS and ESM builds but exposes only a barrel-style default export from the ESM entry (e.g. `lodash-es`'s top-level `index.js` re-exporting every function) versus a per-function subpath (`lodash-es/debounce`). Importing the barrel entry can still pull in far more than needed even when the package is technically ESM, because the bundler must still resolve and analyze the whole re-export graph; importing the specific subpath sidesteps that entirely and is usually the more reliable fix regardless of `sideEffects` configuration.
19
+ 3. Check the app's *own* code for a barrel-file pattern before blaming the dependency at all: `import * as utils from './utils'` where `./utils/index.js` re-exports every internal module, or a component library's internal `index.ts` that re-exports every component. This is one of the most common tree-shaking blockers and has nothing to do with any external dependency's configuration — the fix is importing the specific submodule directly, or restructuring the barrel to preserve per-export side-effect metadata the bundler can act on.
20
+
21
+ ## Example: the "why is lodash still in my bundle" case
22
+
23
+ A report of "lodash is in the bundle even though we only use `lodash-es`'s `debounce`" is almost always one of:
24
+
25
+ - The app actually imports from the CJS `lodash` package somewhere (a transitive dependency, or a stray import), not `lodash-es` — confirm via the analyzer's module-resolution path, not the package name alone.
26
+ - The app imports the `lodash-es` barrel default (`import _ from 'lodash-es'` or `import { debounce } from 'lodash-es'`) rather than the subpath (`import debounce from 'lodash-es/debounce'`). Named imports from a barrel *can* still tree-shake correctly under a fully ESM, side-effect-clean barrel, but many barrels re-export in ways that retain more than expected — subpath import is the more reliable fix and should be verified by diff, not assumed to work either way.
27
+
28
+ Recommend the narrowest import path the package actually exposes, then confirm via analyzer diff that only the intended submodule remains — do not close the finding on the recommendation alone.
29
+
30
+ ## The verification workflow
31
+
32
+ Every finding in this skill closes only with evidence, not a config change alone:
33
+
34
+ 1. **Confirm production mode.** Re-run (or ask for) the project's production build command. A development-mode analyzer run is not admissible evidence either for "it's broken" or "it's fixed."
35
+ 2. **Capture the before state.** Record the suspect module's presence and byte size (parsed and gzipped/brotli, matching how the project already measures) from the analyzer output.
36
+ 3. **Apply the narrowest fix.** Prefer, in order: correcting an app-side barrel import → correcting a `sideEffects` field with side-effecting files explicitly listed → switching to a bundler-level `moduleSideEffects`/`treeshake` override only when the first two do not apply → replacing a CJS-only dependency with an ESM-native alternative or its narrowest subpath.
37
+ 4. **Capture the after state.** Re-run the identical production build and analyzer command. Diff module list and byte counts against the before state.
38
+ 5. **Runtime smoke test, mandatory whenever `sideEffects: false` changed.** Load the affected page or component in the built (not dev-server) output and confirm styling, polyfilled behavior, and any global registration the module was responsible for still function. A passing build after `sideEffects: false` proves nothing about runtime correctness — that field's entire failure mode is silent at build time.
39
+
40
+ ## Hard stops
41
+
42
+ - Do not apply `sideEffects: false` without having read the target module for top-level side effects.
43
+ - Do not claim tree-shaking success, or failure, from a development-mode build.
44
+ - Do not treat "no build errors" as proof of elimination in either direction.
45
+ - Do not close a finding without a before/after analyzer diff attached.
46
+
47
+ ## Adversarial checklist
48
+
49
+ Before closing any review under this skill, confirm:
50
+
51
+ - Was the diff taken from a production build, not development mode?
52
+ - Is the dependency's actual module format verified from its own `package.json`, not assumed from its name or popularity?
53
+ - If `sideEffects: false` was applied or proposed, was the target module's source actually read for side effects first?
54
+ - Is a barrel-file import pattern in the app's *own* code ruled out as the real blocker, separately from the dependency's configuration?
55
+ - Was a runtime smoke test performed after any `sideEffects: false` change, not just a rebuild?
56
+
57
+ If any answer is no, the review is not done.
@@ -0,0 +1,61 @@
1
+ # Module Format and the sideEffects Field
2
+
3
+ Use this reference when determining whether a dependency is structurally tree-shakeable, and when reading or writing the `sideEffects` field for webpack-family bundlers.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > The bundler is smart enough to figure out what's unused. If it doesn't, the bundler is broken.
10
+
11
+ Wrong. Tree-shaking is a conditional optimization built on two independent prerequisites, and if either is missing the bundler is not broken — it is behaving exactly as documented:
12
+
13
+ 1. The module must be statically analyzable ES modules (`import`/`export`), not `require`/`module.exports`.
14
+ 2. The bundler must be told, explicitly or by default assumption, which modules have no side effects, so it is safe to drop unreferenced exports.
15
+
16
+ Neither prerequisite is automatic. Both must be verified, not assumed.
17
+
18
+ ## Module format: the first gate
19
+
20
+ Static analysis of `import`/`export` bindings is what lets a bundler know, at build time, exactly which exports are used and which are not. `require()` calls are dynamic and CommonJS's `module.exports` object can be mutated at runtime in ways a static analyzer cannot fully prove safe — so a CJS module is generally not tree-shakeable, regardless of which bundler processes it.
21
+
22
+ Check module format from the dependency's own `package.json`, not from assumption:
23
+
24
+ - An `"exports"` field with an `"import"` condition, or a top-level `"module"` field pointing at an ESM build, signals the package ships (or can ship) ES modules.
25
+ - A `"main"` field with no ESM entry point, or a package that only exposes `require()`-compatible output, is CJS-only. Static tree-shaking of that package's internals is not achievable through configuration; the fix is choosing a narrower import path the package exposes, or an ESM-native alternative.
26
+
27
+ Do not assume format from the package's popularity, age, or name. Long-lived, widely used packages are exactly the ones most likely to still ship a CJS-only default entry for backward compatibility while also shipping an ESM build the app is failing to resolve.
28
+
29
+ ## The sideEffects field: the second gate
30
+
31
+ Per webpack's own guidance, tree-shaking of unused *exports* within an otherwise-imported ESM module is a separate mechanism (`usedExports`) from tree-shaking of unused *whole modules* (`sideEffects`). The `sideEffects` field governs the latter: it tells webpack whether a module can be dropped entirely if none of its exports are referenced.
32
+
33
+ - `"sideEffects": false` at the package level tells the bundler: assume nothing in this package has an import-time side effect; safe to drop any file whose exports are unused.
34
+ - Omitting the field, or `"sideEffects": true`, tells the bundler to assume every file might have a side effect and to keep every imported file regardless of whether its exports are used.
35
+ - A module that genuinely does have import-time side effects — CSS imports, global polyfills, prototype patching, analytics auto-registration — must be listed explicitly if the rest of the package is marked side-effect-free, e.g.:
36
+
37
+ ```json
38
+ {
39
+ "name": "awesome-ui",
40
+ "sideEffects": ["**/*.css"]
41
+ }
42
+ ```
43
+
44
+ Marking the whole package `sideEffects: false` while a CSS import exists uninstrumented inside it will silently drop the CSS from the production bundle. This does not produce a build error. It produces broken styling in production that only shows up after deploy.
45
+
46
+ ## The production-mode requirement
47
+
48
+ Per webpack's documented guidance, tree-shaking's user-visible effect (actual removal of dead code from output) requires `mode: 'production'`, or `optimization.usedExports` explicitly enabled in a non-production config. In development mode, webpack intentionally may keep `usedExports` analysis observable in the module graph without physically removing the code from the bundle, specifically so developers can inspect what *would* be removed. A development-mode bundle showing a module present is not evidence tree-shaking is broken — it may be evidence tree-shaking was never active for that build.
49
+
50
+ `"sideEffects": false` additionally depends on `optimization.providedExports` to identify which exports are actually used before webpack can drop unused ones; this is enabled by default under `mode: 'production'`, but if a project runs a custom production-like config outside the `mode` shorthand, confirm the option is not disabled.
51
+
52
+ ## What to check, in order
53
+
54
+ 1. Confirm the analyzer output being reviewed came from a production-mode build. If not, stop and get one — nothing below is meaningful otherwise.
55
+ 2. Read the suspect dependency's `package.json` `exports`/`module`/`main` fields to determine module format.
56
+ 3. Read `sideEffects` on both the app's own `package.json` and the dependency's `package.json`.
57
+ 4. If proposing `sideEffects: false` (or adding a package to an existing `sideEffects` array as an exception), read the module's source for top-level side-effecting statements before proposing it — do not propose it from the field being merely absent.
58
+
59
+ ## Verification target
60
+
61
+ A `package.json` diff and a bundle-analyzer module-list diff, both taken from a production build, one before and one after the change. "The build still succeeds" is not verification of either format or side-effect claims.
@@ -0,0 +1,79 @@
1
+ # Rollup and Vite Tree-Shaking Options
2
+
3
+ Use this reference when the project bundles with Rollup directly, or with Vite (which bundles production builds through Rollup on Vite 5/6, and through Rolldown — a Rust reimplementation with a Rollup-compatible option surface — on Vite 7+). Confirm the installed major via Context7 before applying any snippet below; the option surface has moved.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > Rollup's ESM-first design means everything just gets tree-shaken automatically; there's nothing to configure.
10
+
11
+ Incomplete. Rollup's `treeshake` option is not a single on/off switch — it accepts `false` (fully disabled), a named preset, or a fine-grained options object, and the two settings most responsible for either under-elimination or unsafe over-elimination are `moduleSideEffects` and `propertyReadSideEffects`, both of which default to conservative (safe but less aggressive) behavior unless explicitly overridden.
12
+
13
+ ## The treeshake option surface
14
+
15
+ ```javascript
16
+ export default {
17
+ input: 'src/index.js',
18
+ output: { format: 'es', dir: 'dist' },
19
+ treeshake: {
20
+ moduleSideEffects: false, // assume modules have no side effects
21
+ propertyReadSideEffects: false, // property reads are side-effect-free
22
+ tryCatchDeoptimization: false, // don't pessimistically include try-catch bodies
23
+ unknownGlobalSideEffects: false, // accessing unknown globals is safe
24
+ preset: 'smallest', // or 'safest' / 'recommended'
25
+ },
26
+ };
27
+ ```
28
+
29
+ `treeshake` also accepts the boolean `true` (default behavior) or one of the preset strings directly (`'smallest' | 'safest' | 'recommended'`) without a full options object.
30
+
31
+ ### moduleSideEffects
32
+
33
+ `moduleSideEffects` controls whether an entire imported module is retained even when none of its exports are used, mirroring in spirit what webpack's `sideEffects` package.json field does, but configured at the bundler level rather than (or in addition to) the package level. It accepts:
34
+
35
+ - `boolean` — blanket true/false for all modules.
36
+ - `'no-external'` — treat only external (`node_modules`) modules as side-effect-free; local project code keeps its analyzed side effects.
37
+ - a string array — explicit module ID patterns to treat as side-effect-free.
38
+ - a predicate function `(id, external) => boolean` for per-module logic.
39
+
40
+ Setting this to `false` globally without auditing what actually lives in `node_modules` is the Rollup-side equivalent of the webpack `sideEffects: false` correctness trap: any dependency that performs import-time registration (polyfills, global CSS, `window` patches) will be silently dropped.
41
+
42
+ ### propertyReadSideEffects
43
+
44
+ This governs whether Rollup assumes a property read (including getter invocation) can safely be removed if its result is unused:
45
+
46
+ ```javascript
47
+ // Removed if treeshake.propertyReadSideEffects === false
48
+ const foo = {
49
+ get bar() {
50
+ console.log('effect');
51
+ return 'bar';
52
+ },
53
+ };
54
+ const result = foo.bar;
55
+ const illegalAccess = foo.quux.tooDeep; // would also throw at runtime if kept
56
+ ```
57
+
58
+ Setting this `false` can eliminate code whose only purpose was a getter side effect (logging, lazy initialization, a Proxy trap). This is a narrower and less commonly needed lever than `moduleSideEffects` — do not reach for it as a first attempt to eliminate a stubborn module; confirm the actual blocker is a property read, not module-level retention, before touching this option.
59
+
60
+ ### External module elimination example
61
+
62
+ ```javascript
63
+ // input
64
+ import { unused } from 'external-a';
65
+ import 'external-b';
66
+ console.log(42);
67
+ ```
68
+
69
+ With `treeshake.moduleSideEffects === true` (default-safe), both imports are retained even though `unused` is never referenced, because `moduleSideEffects: true` means Rollup assumes importing `external-a` and `external-b` might do something even without using their exports. With `moduleSideEffects: false`, both are dropped — which is correct only if neither package performs import-time work.
70
+
71
+ ## Vite / Rolldown specifics
72
+
73
+ Vite's production build has historically gone through Rollup, exposed via `build.rollupOptions`. Starting with Vite 7.3.1, the production bundler is Rolldown, and `build.rollupOptions` is now documented as a deprecated alias for `build.rolldownOptions` — if both are set, `rollupOptions` is ignored and Vite emits a warning. Verify the installed Vite major via Context7 before choosing which option key to write into a config; a `rollupOptions.output.manualChunks` object-form snippet, or a Rollup-specific `treeshake` shape, is not guaranteed to carry over unchanged into `rolldownOptions`.
74
+
75
+ `import.meta.env.DEV` and `import.meta.hot` guards are statically replaceable constants in Vite's build pipeline — code inside an `if (import.meta.env.DEV)` block is tree-shaken out of production builds by design. If a user reports dev-only code appearing in a production bundle, check whether the guard condition is actually one of these statically-analyzable forms rather than a runtime environment-variable read that the bundler cannot constant-fold.
76
+
77
+ ## Verification target
78
+
79
+ A Rollup/Rolldown build with `--sourcemap` or the project's configured `rollup-plugin-visualizer`/equivalent output, diffed before and after any `treeshake` option change, on a production-mode build. Confirm via Context7 that the exact option key exists on the installed bundler version before writing it into config — `rollupOptions` vs `rolldownOptions` is the most likely place this silently drifts.
@@ -0,0 +1,70 @@
1
+ ---
2
+ name: typescript-contracts-review
3
+ description: Review TypeScript diffs and tsconfig strictness posture for sound type contracts — auditing any/assertion usage at trust boundaries, unsound narrowing, and exported public-API type-surface breakage — so that a passing compile is meaningful evidence rather than a decorative pass, and requiring paired runtime validation wherever external data enters the type system.
4
+ allowed-tools: Read Grep Glob Bash(git diff:*) Bash(tsc --noEmit:*) WebFetch
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: compliance
10
+ ---
11
+
12
+ # TypeScript Contracts Review
13
+
14
+ ## Purpose
15
+
16
+ "The build passes" is only meaningful evidence of type safety if the active tsconfig is actually strict and the code doesn't defeat it with `any`, unchecked assertions, or broad suppression comments — and TypeScript types are fully erased at compile time, so a type annotation on external data (a parsed JSON response, a third-party SDK payload, a URL parameter) provides zero runtime protection unless paired with an actual runtime validator. This skill exists so those two failure modes — a loose or silently-weakened tsconfig, and type annotations that assert safety no runtime check backs up — get audited explicitly instead of being assumed away by a green checkmark. It also checks exported public-API type surfaces so a "just an internal refactor" diff doesn't silently break every downstream consumer of a published package.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review a TypeScript/TSX diff for type-safety soundness before merge,
23
+ - audit a codebase's tsconfig strictness posture against current TypeScript-recommended defaults,
24
+ - check `any`/type-assertion/non-null-assertion usage, especially at external-data boundaries,
25
+ - verify a discriminated union or type-guard function actually narrows correctly,
26
+ - assess whether a change to an exported/published package breaks its public API type surface.
27
+
28
+ Do not use this skill for:
29
+
30
+ - pure runtime/logic bug hunting that has nothing to do with type contracts — that is a general code-review task,
31
+ - JavaScript files with no type annotations or JSDoc types — there is no type contract to audit,
32
+ - live `tsc --noEmit`/type-coverage execution results interpretation beyond what this static review can determine from the diff — report that a live run is needed rather than fabricating its result.
33
+
34
+ ## Context7 Documentation Protocol
35
+
36
+ - Resolve the TypeScript library ID with `resolve-library-id` before ruling on any compiler-flag or strict-family question; do not answer from memory, because recommended defaults change across releases (confirmed via Context7: TypeScript 5.9's `tsc --init` now emits `noUncheckedIndexedAccess: true` and `exactOptionalPropertyTypes: true` as a separate "Stricter Typechecking Options" block alongside `strict: true`, where earlier `tsc --init` output only set `strict: true`).
37
+ - Before asserting which individual flags `strict: true` bundles (`strictNullChecks`, `noImplicitAny`, `noImplicitThis`, `alwaysStrict`, `strictFunctionTypes`, `strictBindCallApply`, `strictPropertyInitialization`, `useUnknownInCatchVariables`), call `query-docs` against the current TypeScript docs rather than reciting a memorized list — the bundle is described as open-ended ("future versions of TypeScript may introduce additional stricter checking under this flag"), so a stale list under-reports what a repo's `strict: true` actually enables on its installed compiler version.
38
+ - Before flagging or endorsing a `typescript-eslint` rule (e.g. `no-explicit-any`, `no-unsafe-assignment`, `no-non-null-assertion`), verify via `query-docs` whether that rule is in the repo's active shared config (`recommended`, `recommended-type-checked`, `strict-type-checked`) — rule membership across those tiers has changed between major versions (confirmed via Context7: the v7→v8 `recommended-type-checked` diff added/removed multiple rules), so do not assume a rule is enabled just because the repo extends a config by name without checking the installed version.
39
+ - Read `package.json`/lockfile first to confirm the installed `typescript` and `typescript-eslint`/`@typescript-eslint/*` major versions before citing version-gated behavior (e.g. `exactOptionalPropertyTypes` semantics, `satisfies` operator availability, `const` type parameters) — do not assume a feature is available because it appears in current docs if the installed major predates it.
40
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label every version-sensitive claim `documentation-based, unverified against installed compiler version`.
41
+
42
+ ## Lean operating rules
43
+
44
+ - Never accept "the build passes" as sufficient evidence of type safety without checking the actual tsconfig strict-family flags in effect — a loose config proves far less than developers assume, and `strict: true` alone (pre-5.9 `tsc --init` default) does not imply `noUncheckedIndexedAccess` or `exactOptionalPropertyTypes` are on.
45
+ - Every new `any` must carry an adjacent justification comment; flag unjustified `any` as blocking, especially inside application logic that later consumers trust as validated.
46
+ - Every trust-boundary type (parsed JSON, third-party SDK response, `postMessage` payload, URL/query-param, form input, environment variable) must be paired with an actual runtime validator — a type annotation alone is erased at compile time and enforces nothing at runtime.
47
+ - Treat any proposal to loosen existing tsconfig strictness (removing `strict`, disabling `strictNullChecks`) as requiring an explicit, separately-reviewed migration plan, not a routine PR change.
48
+ - Flag broad `@ts-nocheck`/file-level suppression as blocking by default; require `@ts-ignore`/`@ts-expect-error` to carry an adjacent comment explaining why, weighted higher severity if the suppressed code is security- or trust-boundary-relevant.
49
+ - Do not let generic-type complexity become unreadable; a type requiring a comment to explain what it constrains is a design smell worth simplifying, not a badge of sophistication.
50
+ - Do not run or assert `tsc --noEmit` success from memory — invoke it or explicitly flag that CI must, rather than fabricating a compile-success claim.
51
+ - When a diff touches an exported/published package's public surface, check for a breaking type change (removed export, narrowed parameter type, widened return type becoming a narrower consumer-facing type, added required property) before approving; a type-only change can still be a semver-breaking change even with zero runtime behavior difference.
52
+
53
+ ## References
54
+
55
+ Load these only when needed:
56
+
57
+ - [Strict-flag posture reference](references/strict-flag-posture.md) — use when auditing or recommending a tsconfig strict-family flag set, including which flags are bundled under `strict` vs. separately opt-in (`noUncheckedIndexedAccess`, `exactOptionalPropertyTypes`), and how to read a repo's actual effective config (including `extends` chains).
58
+ - [Trust-boundary validation patterns](references/trust-boundary-validation.md) — use when auditing external-data ingestion points (API responses, `JSON.parse`, `postMessage`, URL parsing, form/env input) for paired runtime validation against their declared types.
59
+ - [Public API surface diffing](references/public-api-surface-diff.md) — use when a diff touches an exported/published package and a breaking-change check against the previous public `.d.ts`/export surface is needed.
60
+
61
+ ## Response minimum
62
+
63
+ Return, at minimum:
64
+
65
+ - the tsconfig strictness posture summary (which strict-family flags are on/off vs. current TypeScript-recommended defaults, and the compiler version that posture was checked against),
66
+ - the `any`/assertion audit for every new `any`, `as`, and `!` in the diff, each flagged with its justification or lack thereof and file:line evidence,
67
+ - the trust-boundary validation audit for every external-data ingestion point touched, naming the missing or present runtime validator,
68
+ - the public-API surface diff and any breaking-change flags, when the diff touches an exported package,
69
+ - verdict (approve / approve-with-notes / block),
70
+ - residual risk notes for anything requiring a live `tsc --noEmit`/type-coverage run beyond this static diff review.