@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (875) hide show
  1. package/.claude-plugin/marketplace.json +2 -2
  2. package/.claude-plugin/plugin.json +36 -1
  3. package/.cursor-plugin/plugin.json +36 -1
  4. package/.github/plugin/marketplace.json +1 -1
  5. package/README.md +12 -11
  6. package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
  7. package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
  8. package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
  9. package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
  10. package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
  11. package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
  12. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
  13. package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
  14. package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
  15. package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
  16. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
  17. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
  18. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
  19. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
  20. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
  21. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
  22. package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
  23. package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
  24. package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
  25. package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
  26. package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
  27. package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
  28. package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
  29. package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
  30. package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  31. package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
  32. package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
  33. package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
  34. package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
  35. package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
  36. package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
  37. package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
  38. package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
  39. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
  40. package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
  41. package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
  42. package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
  43. package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
  44. package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
  45. package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
  46. package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
  47. package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
  48. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
  49. package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
  50. package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
  51. package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
  52. package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
  53. package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
  54. package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
  55. package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
  56. package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
  57. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
  58. package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
  59. package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
  60. package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
  61. package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
  62. package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
  63. package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
  64. package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
  65. package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
  66. package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
  67. package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
  68. package/agents/frontend/css-architecture-agent/metadata.json +42 -0
  69. package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
  70. package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
  71. package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
  72. package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
  73. package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
  74. package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
  75. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  76. package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
  77. package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
  78. package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
  79. package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
  80. package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
  81. package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
  82. package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
  83. package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
  84. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
  85. package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
  86. package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
  87. package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
  88. package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
  89. package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
  90. package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
  91. package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
  92. package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
  93. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
  94. package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
  95. package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
  96. package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
  97. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
  98. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
  99. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
  100. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
  101. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
  102. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
  103. package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
  104. package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
  105. package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
  106. package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
  107. package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
  108. package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
  109. package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
  110. package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
  111. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
  112. package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
  113. package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
  114. package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
  115. package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
  116. package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
  117. package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
  118. package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
  119. package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
  120. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
  121. package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
  122. package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
  123. package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
  124. package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
  125. package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
  126. package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
  127. package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
  128. package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
  129. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
  130. package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
  131. package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
  132. package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
  133. package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
  134. package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
  135. package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
  136. package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
  137. package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
  138. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
  139. package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
  140. package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
  141. package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
  142. package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
  143. package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
  144. package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
  145. package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
  146. package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
  147. package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
  148. package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
  149. package/agents/frontend/frontend-security-agent/metadata.json +44 -0
  150. package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
  151. package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
  152. package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
  153. package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
  154. package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
  155. package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
  156. package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
  157. package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
  158. package/agents/frontend/html-semantics-agent/metadata.json +44 -0
  159. package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
  160. package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
  161. package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
  162. package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
  163. package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
  164. package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
  165. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
  166. package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
  167. package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
  168. package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
  169. package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
  170. package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
  171. package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
  172. package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
  173. package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
  174. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
  175. package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
  176. package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
  177. package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
  178. package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
  179. package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
  180. package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
  181. package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
  182. package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
  183. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
  184. package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
  185. package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
  186. package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
  187. package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
  188. package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
  189. package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
  190. package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
  191. package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
  192. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  193. package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
  194. package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
  195. package/agents/frontend/package-governance-agent/AGENT.md +116 -0
  196. package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
  197. package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
  198. package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
  199. package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
  200. package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
  201. package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
  202. package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
  203. package/agents/frontend/package-governance-agent/metadata.json +41 -0
  204. package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
  205. package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
  206. package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
  207. package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
  208. package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
  209. package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
  210. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
  211. package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
  212. package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
  213. package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
  214. package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
  215. package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
  216. package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
  217. package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
  218. package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
  219. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
  220. package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
  221. package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
  222. package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
  223. package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
  224. package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
  225. package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
  226. package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
  227. package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
  228. package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  229. package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
  230. package/agents/frontend/react-specialist-agent/metadata.json +44 -0
  231. package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
  232. package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
  233. package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
  234. package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
  235. package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
  236. package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
  237. package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
  238. package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
  239. package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
  240. package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
  241. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
  242. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
  243. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
  244. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
  245. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
  246. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
  247. package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
  248. package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
  249. package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
  250. package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
  251. package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
  252. package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
  253. package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
  254. package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
  255. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
  256. package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
  257. package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
  258. package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
  259. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
  260. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
  261. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
  262. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
  263. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
  264. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
  265. package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
  266. package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
  267. package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
  268. package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
  269. package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
  270. package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
  271. package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
  272. package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
  273. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
  274. package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
  275. package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
  276. package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
  277. package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
  278. package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
  279. package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
  280. package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
  281. package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
  282. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
  283. package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
  284. package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
  285. package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
  286. package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
  287. package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
  288. package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
  289. package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
  290. package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
  291. package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
  292. package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
  293. package/agents/frontend/visual-regression-agent/metadata.json +41 -0
  294. package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
  295. package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
  296. package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
  297. package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
  298. package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
  299. package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
  300. package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
  301. package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
  302. package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
  303. package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
  304. package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
  305. package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
  306. package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
  307. package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
  308. package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
  309. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
  310. package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
  311. package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
  312. package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
  313. package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
  314. package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
  315. package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
  316. package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
  317. package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
  318. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
  319. package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
  320. package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
  321. package/catalog/agents.json +1164 -93
  322. package/catalog/asset-integrity.json +15393 -12593
  323. package/catalog/install-roles.json +103 -1
  324. package/catalog/skill-manifest.json +1909 -26
  325. package/catalog/skills.json +1672 -24
  326. package/package.json +5 -4
  327. package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
  328. package/powers/README.md +3 -2
  329. package/powers/vanguard-frontend/POWER.md +42 -0
  330. package/schemas/agent.schema.json +1 -0
  331. package/schemas/skill.schema.json +1 -0
  332. package/scripts/export-marketplace-agents.mjs +48 -15
  333. package/scripts/generate-docs-data.mjs +1 -0
  334. package/scripts/generate-kiro-powers.mjs +12 -0
  335. package/scripts/update-catalog-new-agents.py +6 -1
  336. package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
  337. package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
  338. package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
  339. package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
  340. package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
  341. package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
  342. package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
  343. package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
  344. package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
  345. package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
  346. package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
  347. package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
  348. package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
  349. package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
  350. package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
  351. package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
  352. package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
  353. package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
  354. package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
  355. package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
  356. package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
  357. package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
  358. package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
  359. package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
  360. package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
  361. package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
  362. package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
  363. package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
  364. package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
  365. package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
  366. package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
  367. package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
  368. package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
  369. package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
  370. package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
  371. package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
  372. package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
  373. package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
  374. package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
  375. package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
  376. package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
  377. package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
  378. package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
  379. package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
  380. package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
  381. package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
  382. package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
  383. package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
  384. package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
  385. package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
  386. package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
  387. package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
  388. package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
  389. package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
  390. package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
  391. package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
  392. package/skills/frontend/design-token-governance-review/metadata.json +27 -0
  393. package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
  394. package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
  395. package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
  396. package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
  397. package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
  398. package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
  399. package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
  400. package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
  401. package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
  402. package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
  403. package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
  404. package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
  405. package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
  406. package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
  407. package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
  408. package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
  409. package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
  410. package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
  411. package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
  412. package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
  413. package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
  414. package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
  415. package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
  416. package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
  417. package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
  418. package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
  419. package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
  420. package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
  421. package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
  422. package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
  423. package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
  424. package/skills/frontend/frontend-board-chair/metadata.json +27 -0
  425. package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
  426. package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
  427. package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
  428. package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
  429. package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
  430. package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
  431. package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
  432. package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
  433. package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
  434. package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
  435. package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
  436. package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
  437. package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
  438. package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
  439. package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
  440. package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
  441. package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
  442. package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
  443. package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
  444. package/skills/frontend/frontend-maestro/SKILL.md +63 -0
  445. package/skills/frontend/frontend-maestro/metadata.json +26 -0
  446. package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
  447. package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
  448. package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
  449. package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
  450. package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
  451. package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
  452. package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
  453. package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
  454. package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
  455. package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
  456. package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
  457. package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
  458. package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
  459. package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
  460. package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
  461. package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
  462. package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
  463. package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
  464. package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
  465. package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
  466. package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
  467. package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
  468. package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
  469. package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
  470. package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
  471. package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
  472. package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
  473. package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
  474. package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
  475. package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
  476. package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
  477. package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
  478. package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
  479. package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
  480. package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
  481. package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
  482. package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
  483. package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
  484. package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
  485. package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
  486. package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
  487. package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
  488. package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
  489. package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
  490. package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
  491. package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
  492. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
  493. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
  494. package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
  495. package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
  496. package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
  497. package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
  498. package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
  499. package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
  500. package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
  501. package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
  502. package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
  503. package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
  504. package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
  505. package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
  506. package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
  507. package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
  508. package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
  509. package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
  510. package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
  511. package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
  512. package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
  513. package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
  514. package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
  515. package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
  516. package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
  517. package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
  518. package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
  519. package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
  520. package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
  521. package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
  522. package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
  523. package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
  524. package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
  525. package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
  526. package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
  527. package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
  528. package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
  529. package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
  530. package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
  531. package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
  532. package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
  533. package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
  534. package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
  535. package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
  536. package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
  537. package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
  538. package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
  539. package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
  540. package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
  541. package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
  542. package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
  543. package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
  544. package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
  545. package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
  546. package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
  547. package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
  548. package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
  549. package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
  550. package/skills/frontend/react-state-effects-review/metadata.json +27 -0
  551. package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
  552. package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
  553. package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
  554. package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
  555. package/skills/frontend/routing-navigation-review/metadata.json +27 -0
  556. package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
  557. package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
  558. package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
  559. package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
  560. package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
  561. package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
  562. package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
  563. package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
  564. package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
  565. package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
  566. package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
  567. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
  568. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
  569. package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
  570. package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
  571. package/skills/frontend/state-management-decision-review/metadata.json +30 -0
  572. package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
  573. package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
  574. package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
  575. package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
  576. package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
  577. package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
  578. package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
  579. package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
  580. package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
  581. package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
  582. package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
  583. package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
  584. package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
  585. package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
  586. package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
  587. package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
  588. package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
  589. package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
  590. package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
  591. package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
  592. package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
  593. package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
  594. package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
  595. package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
  596. package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
  597. package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
  598. package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
  599. package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
  600. package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
  601. package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
  602. package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
  603. package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
  604. package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
  605. package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
  606. package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
  607. package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
  608. package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
  609. package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
  610. package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
  611. package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
  612. package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
  613. package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
  614. package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
  615. package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
  616. package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
  617. package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
  618. package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
  619. package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
  620. package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
  621. package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
  622. package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
  623. package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
  624. package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
  625. package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
  626. package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
  627. package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
  628. package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
  629. package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
  630. package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
  631. package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
  632. package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
  633. package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
  634. package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
  635. package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
  636. package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
  637. package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
  638. package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
  639. package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
  640. package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
  641. package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
  642. package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
  643. package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
  644. package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
  645. package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
  646. package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
  647. package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
  648. package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
  649. package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
  650. package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
  651. package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
  652. package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
  653. package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
  654. package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
  655. package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
  656. package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
  657. package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
  658. package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
  659. package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
  660. package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
  661. package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
  662. package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
  663. package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
  664. package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
  665. package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
  666. package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
  667. package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
  668. package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
  669. package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
  670. package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
  671. package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
  672. package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
  673. package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
  674. package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
  675. package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
  676. package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
  677. package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
  678. package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
  679. package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
  680. package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
  681. package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
  682. package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
  683. package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
  684. package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
  685. package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
  686. package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
  687. package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
  688. package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
  689. package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
  690. package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
  691. package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
  692. package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
  693. package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
  694. package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
  695. package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
  696. package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
  697. package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
  698. package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
  699. package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
  700. package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
  701. package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
  702. package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
  703. package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
  704. package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
  705. package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
  706. package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
  707. package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
  708. package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
  709. package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
  710. package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
  711. package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
  712. package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
  713. package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
  714. package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
  715. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
  716. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
  717. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
  718. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
  719. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
  720. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
  721. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
  722. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
  723. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
  724. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
  725. package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
  726. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
  727. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
  728. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
  729. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
  730. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
  731. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
  732. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
  733. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
  734. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
  735. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
  736. package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
  737. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
  738. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
  739. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
  740. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
  741. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
  742. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
  743. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
  744. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
  745. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
  746. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
  747. package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
  748. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
  749. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
  750. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
  751. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
  752. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
  753. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
  754. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
  755. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
  756. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
  757. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
  758. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
  759. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
  760. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
  761. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
  762. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
  763. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
  764. package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
  765. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
  766. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
  767. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
  768. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
  769. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
  770. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
  771. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
  772. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
  773. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
  774. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
  775. package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
  776. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
  777. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
  778. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
  779. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
  780. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
  781. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
  782. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
  783. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
  784. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
  785. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
  786. package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
  787. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
  788. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
  789. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
  790. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
  791. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
  792. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
  793. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
  794. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
  795. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
  796. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
  797. package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
  798. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
  799. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
  800. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
  801. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
  802. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
  803. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
  804. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
  805. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
  806. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
  807. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
  808. package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
  809. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
  810. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
  811. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
  812. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
  813. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
  814. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
  815. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
  816. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
  817. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
  818. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
  819. package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
  820. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
  821. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
  822. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
  823. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
  824. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
  825. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
  826. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
  827. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
  828. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
  829. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
  830. package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
  831. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
  832. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
  833. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
  834. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
  835. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
  836. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
  837. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
  838. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
  839. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
  840. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
  841. package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
  842. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
  843. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
  844. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
  845. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
  846. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
  847. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
  848. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
  849. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
  850. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
  851. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
  852. package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
  853. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
  854. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
  855. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
  856. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
  857. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
  858. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
  859. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
  860. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
  861. package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
  862. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
  863. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
  864. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
  865. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
  866. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
  867. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
  868. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
  869. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
  870. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
  871. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
  872. package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
  873. package/tests/test-vfa-export-coverage.test.mjs +30 -0
  874. package/tests/validate-catalog.py +1 -0
  875. package/tests/validate-frontend-security-detection.py +209 -0
@@ -0,0 +1,29 @@
1
+ {
2
+ "id": "typescript-contracts-review",
3
+ "name": "TypeScript Contracts Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews tsconfig strictness posture, any/assertion usage at trust boundaries, and exported public-API type surfaces so type signatures are enforced runtime-shape guarantees rather than decorative annotations, requiring paired runtime validation wherever external data enters the type system.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://www.typescriptlang.org/tsconfig",
18
+ "https://www.typescriptlang.org/docs/handbook/2/basic-types.html",
19
+ "https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-4.html",
20
+ "https://www.typescriptlang.org/docs/handbook/release-notes/typescript-4-1.html",
21
+ "https://www.typescriptlang.org/docs/handbook/declaration-files/introduction.html",
22
+ "https://typescript-eslint.io/rules/"
23
+ ],
24
+ "security_notes": "Flag any, as, and non-null assertions (!) at trust boundaries (parsed JSON, third-party SDK responses, postMessage payloads, URL/query-param parsing) without paired runtime validation — a type annotation is erased at compile time and enforces nothing against a malformed or malicious payload. Flag @ts-ignore/@ts-expect-error without an adjacent justification comment, especially on security-relevant code. Flag any proposal to loosen tsconfig strictness (removing strict, disabling strictNullChecks) without an explicit, separately-reviewed migration plan.",
25
+ "last_verified": "2026-07-02",
26
+ "path": "skills/frontend/typescript-contracts-review",
27
+ "author": "github: Raishin",
28
+ "version": "0.1.0"
29
+ }
@@ -0,0 +1,59 @@
1
+ # Public API Surface Diffing
2
+
3
+ Use this reference when a diff touches an exported/published package (a library consumed by other packages or external users via its declared entry points and generated `.d.ts` files) and a breaking-change check against the previous public type surface is needed.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > No runtime logic changed, only type signatures — so this can't be a breaking change.
10
+
11
+ Wrong. TypeScript's declaration-file contract (`.d.ts`) *is* the public API surface for a published package's consumers. A change with zero runtime behavior difference can still be a semver-breaking change for anyone whose code type-checks against this package, because their build breaks even though the JavaScript that ships would have behaved identically.
12
+
13
+ ## Officially grounded shape
14
+
15
+ Per the TypeScript declaration-files handbook, `.d.ts` files describe the shape of a library to consumers — they are the contract a downstream `tsc` run checks against, independent of the actual runtime implementation. Consequences that matter for a breaking-change review:
16
+
17
+ - **Removing an export** (a function, type, interface, class, or re-export) breaks every consumer importing it, even if nothing else changed.
18
+ - **Narrowing a parameter type** (accepting fewer input shapes than before, e.g. `string` → `'a' | 'b'`) breaks consumers who were legitimately passing a now-disallowed value, even if that value never caused a runtime error.
19
+ - **Widening a publicly-returned type in a way that removes previously-guaranteed members** (e.g. a return type that used to always include `id: string` now types it as `id?: string`, or a return type widens from a specific union to a broader one) breaks consumers whose downstream code relied on the narrower guarantee, even though the runtime object may not have changed at all.
20
+ - **Adding a required property to an exported interface/type** that consumers are expected to construct (not just consume) breaks every call site constructing that type without the new property.
21
+ - **Changing a type from an interface to a type alias (or vice versa)** is usually safe for consumption but can break consumers who were declaration-merging against the interface — a real but narrower risk to check when the package is designed for extension.
22
+ - **Generic parameter changes** (adding a required type parameter, changing a default, changing variance-relevant usage) can break consumers who don't explicitly specify type arguments and were relying on inference.
23
+
24
+ ## Non-negotiable design rules
25
+
26
+ 1. **Diff the emitted public surface, not just the source diff.** The source diff shows what changed in the implementation file; the question that matters is what changed in what the package actually exports from its declared entry point(s) (per `package.json` `exports`/`types`/`main` fields). An internal type change that never reaches an exported symbol is not a public API break.
27
+ 2. **Type-only changes are real changes.** Do not wave through a diff as "just types, no behavior change" — for a published package, a type-only change to an exported symbol is exactly the kind of change semver-breaking-change review exists for.
28
+ 3. **Distinguish parameter-position from return-position changes** — narrowing accepted input is breaking; narrowing *offered* output guarantees is also breaking, but for a different reason (consumers relying on the wider prior contract). Both directions matter; do not only check one.
29
+ 4. **Check re-exports, not just direct declarations.** A type re-exported from a barrel file (`export * from './internal'`) is part of the public surface exactly as much as a type declared at the entry point — a change to the underlying `./internal` type is a public break even if the entry-point file itself has no diff.
30
+ 5. **A change behind an internal-only export or a `@internal`/unexported symbol is not a public break** — confirm the changed symbol is actually reachable from the package's declared public entry point(s) before flagging it as breaking; do not over-flag purely-internal refactors.
31
+
32
+ ## Minimal safe audit flow
33
+
34
+ 1. Identify the package's declared public entry point(s) from `package.json` (`main`, `module`, `types`/`typings`, or the `exports` map's `types` conditions for each subpath).
35
+ 2. From the diff, list every exported symbol (function, class, interface, type alias, enum, const) whose declaration changed, was added, or was removed — including via re-export chains reachable from the entry point(s).
36
+ 3. For each changed exported symbol, classify the change: added (usually safe), removed (breaking), parameter narrowed (breaking for callers), parameter widened (usually safe), return narrowed/property-removed-or-optionalized (breaking for consumers), return widened purely additively (usually safe).
37
+ 4. For anything classified breaking, state the concrete failure mode for a consumer: what specific call pattern that currently type-checks against the published types would fail to type-check against the new ones.
38
+ 5. If the repo has no automated API-surface-diff tooling in place (e.g. no `api-extractor`, no `.d.ts`-snapshot test), note that as a process gap rather than silently accepting the manual audit as a full substitute for automated coverage on every future change.
39
+
40
+ ## High-risk assumptions to kill
41
+
42
+ - "No runtime behavior changed, so it's not breaking" — irrelevant for a published package's type contract.
43
+ - "This is just a refactor, the public API is the same" — verify against the actual entry-point re-export chain; an internal rename can accidentally change what a barrel file re-exports.
44
+ - "Adding a property to an interface is always additive/safe" — true for consumption (reading), false for construction (a consumer building an object literal to satisfy that interface now needs the new property too, unless it was added as optional).
45
+ - "TypeScript would catch this for us automatically" — it catches it for *this repo's own* compile, not for downstream consumers' separate compiles against the published `.d.ts`; the break only surfaces in their build, after the package is published.
46
+
47
+ ## Verification targets
48
+
49
+ - `package.json` `exports`/`types`/`main` fields, to establish the actual public entry point(s).
50
+ - `git diff` scoped to files reachable from those entry points (direct declarations and re-export chains).
51
+ - If available, a generated `.d.ts` diff (build output before/after) or an `api-extractor`-style report — prefer this over manual source-diff reasoning when the tooling exists, since re-export chains and inferred types are easy to miscount by hand.
52
+
53
+ ## When to push back
54
+
55
+ Push back if the user asks to:
56
+
57
+ - ship a narrowed parameter type or removed export as a patch/minor version bump without flagging it as a breaking (major) change,
58
+ - describe a type-only breaking change as "not a real change" because runtime behavior is unaffected,
59
+ - skip the public-surface check because "it's just an internal refactor" without first confirming the changed symbol isn't reachable from a declared entry point.
@@ -0,0 +1,61 @@
1
+ # Strict-Flag Posture
2
+
3
+ Use this reference when auditing or recommending a tsconfig strict-family flag set, or when a reviewer needs to determine what a repo's `strict: true` actually enables on its installed compiler.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > The repo sets `"strict": true`, so it's using TypeScript's strictest checking.
10
+
11
+ Incomplete, for two separate reasons:
12
+
13
+ 1. `strict` is a bundle, and the bundle's membership is **open-ended by design**. Per the TypeScript docs: turning `strict` on "is equivalent to enabling all of the strict mode family options... Future versions of TypeScript may introduce additional stricter checking under this flag." A repo pinned to an older `typescript` version gets a smaller bundle than the same `strict: true` on a newer one.
14
+ 2. Two of the most consequential type-soundness flags — `noUncheckedIndexedAccess` and `exactOptionalPropertyTypes` — are **not** part of the `strict` bundle at all. They are separate opt-in flags. A repo can be maximally "strict" by the `strict: true` definition and still have neither enabled.
15
+
16
+ ## Officially grounded shape (what the docs say)
17
+
18
+ - `strict: true` is the master flag; it currently bundles at minimum `strictNullChecks`, `noImplicitAny`, `noImplicitThis`, `alwaysStrict`, `strictFunctionTypes`, `strictBindCallApply`, `strictPropertyInitialization`, and (since TypeScript 4.4) `useUnknownInCatchVariables`. Verify the current exact bundle via `query-docs` against the installed version — do not treat this list as closed or version-independent.
19
+ - `useUnknownInCatchVariables` (TS 4.4+) changes the default type of a `catch` variable from `any` to `unknown`. It is auto-enabled under `strict`. Its presence means catch-block property access (`err.message`) requires narrowing first (e.g. `instanceof Error`) — code that skips narrowing under an older compiler target may newly fail, or may be silently unsound if the repo is still pre-4.4.
20
+ - `noUncheckedIndexedAccess` — **not** in the `strict` bundle — makes indexed access (`arr[i]`, `record[key]`) include `undefined` in the result type. Without it, index signatures and array access lie: `arr[i]` types as `T`, not `T | undefined`, even though out-of-bounds access returns `undefined` at runtime.
21
+ - `exactOptionalPropertyTypes` — **not** in the `strict` bundle — makes `{ prop?: string }` distinguish "prop is absent" from "prop is present and set to `undefined`". Without it, `obj.prop = undefined` is accepted as satisfying an optional property even where the author's intent required the key to be entirely absent (relevant for APIs that branch on `'prop' in obj` or `Object.keys`).
22
+ - As of TypeScript 5.9, `tsc --init` generates both of these under a separate "Stricter Typechecking Options" block alongside `strict: true` — this is a **default-generation change**, not a retroactive change to what `strict` means. Repos scaffolded before 5.9 will not have picked these up automatically, and repos on TypeScript versions predating their introduction cannot have them regardless of `tsc --init` vintage.
23
+
24
+ > Version note: exact strict-family bundle membership and default `tsc --init` output are version-sensitive. Confirm both via `query-docs` against the specific `typescript` version in the repo's lockfile before making a definitive claim — do not rely on a memorized flag list.
25
+
26
+ ## Non-negotiable design rules
27
+
28
+ 1. **Read the effective config, not just the top-level file.** `tsconfig.json` can `extends` a base config (monorepo shared config, `@tsconfig/*` package). A flag absent from the leaf file may be inherited, or a permissive leaf-level override may silently defeat a strict base. Resolve the full `extends` chain before concluding a flag is off.
29
+ 2. **Distinguish "not in `strict`" from "not needed."** `noUncheckedIndexedAccess` and `exactOptionalPropertyTypes` are the two flags most commonly mistaken for redundant with `strict`. Treat their absence as a real gap to call out, not a non-finding, whenever the diff under review does array/record indexing or optional-property assignment that would behave differently under them.
30
+ 3. **Version-gate every strict-bundle claim.** Do not assert "this repo has `useUnknownInCatchVariables`" from `strict: true` alone — confirm the installed `typescript` version is 4.4+ first.
31
+ 4. **Treat strictness removal as a migration, not a diff line.** A one-line change disabling `strictNullChecks` or removing `strict` can silently make thousands of previously-checked call sites unchecked. Require an explicit, separately-reviewed migration plan (with a scoped rollout, e.g. per-directory `strict` via TypeScript project references, or documented follow-up) rather than approving it inline in an unrelated feature PR.
32
+ 5. **Do not conflate ESLint strictness with compiler strictness.** `typescript-eslint`'s `strict-type-checked` config and the compiler's `strict` flag are independent axes — a repo can have one without the other. Check both when the review scope includes lint config.
33
+
34
+ ## Minimal safe audit flow
35
+
36
+ 1. Read `package.json`/lockfile to get the exact `typescript` version.
37
+ 2. Read `tsconfig.json` and resolve its full `extends` chain to the effective merged config.
38
+ 3. List which strict-family flags (per the version-confirmed bundle) are on, and separately whether `noUncheckedIndexedAccess` and `exactOptionalPropertyTypes` are on.
39
+ 4. Compare against current TypeScript-recommended defaults (via `query-docs`) for that version, and note the gap explicitly rather than treating "has `strict: true`" as sufficient.
40
+ 5. If the diff under review does indexed access or optional-property assignment and the relevant flag is off, name the specific unsound pattern this enables (e.g. "line 42 assumes `config[key]` is never `undefined`; with `noUncheckedIndexedAccess` off, the compiler will not catch this if `key` is absent from `config`").
41
+
42
+ ## High-risk assumptions to kill
43
+
44
+ - "`strict: true` means fully strict" — it does not include `noUncheckedIndexedAccess` or `exactOptionalPropertyTypes`.
45
+ - "The build passes, so the types are sound" — passes only prove soundness relative to whatever flags are actually active, which may be a materially weaker set than the reviewer assumes.
46
+ - "Newer TypeScript version means newer defaults apply automatically" — `tsc --init` default generation only affects newly scaffolded configs; upgrading the compiler does not retroactively add opt-in flags to an existing `tsconfig.json`.
47
+ - "This monorepo's shared base config is strict, so every package is strict" — a leaf `tsconfig.json` can override or narrow it; always resolve the effective chain.
48
+
49
+ ## Verification targets
50
+
51
+ - `cat tsconfig.json` and every file in its `extends` chain.
52
+ - `npm ls typescript` / lockfile entry for the resolved `typescript` version.
53
+ - `tsc --showConfig` (if available in the environment) to print the fully resolved effective compiler options — prefer this over manually merging `extends` chains by hand when the tool is available.
54
+
55
+ ## When to push back
56
+
57
+ Push back if the user asks to:
58
+
59
+ - disable `strict` (or any of its family) as a quick fix to unblock a build, without a scoped migration plan,
60
+ - treat a passing `tsc --noEmit` as proof of runtime safety for external-data handling — it is not; that is the trust-boundary concern in a separate reference,
61
+ - skip checking `noUncheckedIndexedAccess`/`exactOptionalPropertyTypes` because "the repo has `strict: true`" — that claim alone does not cover those flags.
@@ -0,0 +1,68 @@
1
+ # Trust-Boundary Validation Patterns
2
+
3
+ Use this reference when auditing external-data ingestion points — API responses, `JSON.parse`, `postMessage`, URL/query-param parsing, form input, environment variables — for whether a declared TypeScript type is actually backed by a runtime check.
4
+
5
+ ## What people get wrong
6
+
7
+ The naive story is:
8
+
9
+ > I typed the response as `User`, so `response.data` is a `User`.
10
+
11
+ Wrong, and dangerously so. TypeScript types are fully erased at compile time — the emitted JavaScript contains no trace of the type annotation. A cast like `const user = response.data as User` or a generic call like `fetch<User>(url)` where the generic only annotates the return type performs **zero runtime work**. If the actual payload is malformed, missing a field, or actively malicious (an attacker-controlled API, a compromised third-party SDK, a crafted `postMessage`), the code proceeds as if it received a valid `User` and every downstream consumer inherits that false confidence.
12
+
13
+ This is not a hypothetical edge case — it is the default behavior of `JSON.parse`, which is typed to return `any` specifically because the compiler cannot know the shape of arbitrary parsed JSON. Any annotation applied after that point (`JSON.parse(raw) as Shape`, or assigning the `any` result to a `Shape`-typed variable) is the developer asserting a guarantee the compiler cannot verify and runtime does not enforce.
14
+
15
+ ## Officially grounded shape
16
+
17
+ - `JSON.parse` returns `any`. Assigning that `any` to a typed variable, or asserting it with `as`, produces no runtime check — `typescript-eslint`'s `no-unsafe-assignment`, `no-unsafe-member-access`, and `no-unsafe-return` rules specifically exist to flag this exact pattern (an `any` from `JSON.parse` flowing into a typed context) because it is common enough to warrant dedicated tooling.
18
+ - `no-explicit-any` and the `no-unsafe-*` family are part of `recommended-type-checked` / `strict-type-checked` shared configs — if the diff introduces this pattern in a repo that has those configs active, it should already surface as a lint failure; if it does not surface, either the config isn't active on that file or the pattern is disguised (e.g. via an intermediate `unknown` cast chained through `as`).
19
+ - A type assertion (`as T`) does not perform a structural check; it only suppresses the compiler's own inference. `T!` (non-null assertion) similarly performs no runtime check — it only silences the compiler's null/undefined narrowing.
20
+ - The compiler-sound way to narrow an `unknown` or `any` value to a specific type is a **type guard function** (`function isUser(x: unknown): x is User`) that performs actual runtime property/shape checks, or a schema-validation library (e.g. Zod, io-ts, ArkType — verify current API via `query-docs`/official docs for whichever the repo already uses; do not introduce a new one without the user's decision) whose `.parse()`/`.safeParse()` throws or returns a discriminated result on shape mismatch.
21
+
22
+ ## Non-negotiable design rules
23
+
24
+ 1. **Every trust boundary needs a paired runtime check, not just a type annotation.** Trust boundaries include: HTTP/fetch response bodies, WebSocket messages, `postMessage` payloads, URL/query-string parsing, `localStorage`/`sessionStorage` reads, environment variables consumed at runtime, file uploads, and any third-party SDK callback whose payload originates outside this codebase's own type-checked code.
25
+ 2. **A cast is not a check.** `as T`, `<T>value`, and `!` all compile away. None of them are acceptable as the sole guarantee for external data. Flag them at trust boundaries even if the code "usually works" — the point is what happens on the malformed/adversarial input, not the happy path.
26
+ 3. **`unknown` is the correct type for genuinely-unvalidated external input**, not `any`. `unknown` forces every consumer to narrow before use; `any` opts the value (and everything derived from it) out of type checking entirely, often silently propagating far beyond the original ingestion point.
27
+ 4. **Validation must match the type it claims to back.** A partial validator (checks `id` and `name` exist but the type declares five required fields) is a false sense of security — flag a type/validator shape mismatch as a defect, not just validator absence.
28
+ 5. **Distinguish internal-boundary types from trust-boundary types.** Not every `any`/assertion in a codebase needs a schema validator — internal function calls between already-typechecked code do not cross a trust boundary. Scope the audit to data that originates outside this codebase's own compiled/typechecked surface.
29
+
30
+ ## Minimal safe audit flow
31
+
32
+ 1. Identify every point in the diff where external data enters: fetch/axios/SDK response handling, `JSON.parse` calls, `postMessage` listeners, `URLSearchParams`/`location.search` reads, `process.env`/`import.meta.env` reads used in logic (not just build-time constants), form-field extraction.
33
+ 2. For each, trace whether the value passes through a runtime validator (schema library, hand-written type guard with actual property checks) before being treated as its declared type, or whether a bare assertion/cast/generic-only-annotation is the only "check."
34
+ 3. Where a validator exists, confirm its declared shape matches the TypeScript type it's meant to back — a validator checking fewer fields than the type declares is a gap, not full coverage.
35
+ 4. Where no validator exists, name the concrete blast radius: what downstream code trusts this value's shape, and what happens if a field is missing/wrong-typed/malicious (e.g. `undefined.toUpperCase()` throwing, or a numeric field actually being an attacker-supplied string flowing into a template literal or SQL-adjacent context).
36
+
37
+ ## Adversarial checklist
38
+
39
+ Before approving a trust-boundary type as sound, answer:
40
+
41
+ - What is the actual runtime function/library call that validates this data, by name — not "it's typed as `User`"?
42
+ - What happens if a required field is absent? Does the validator reject it, or does the type only claim it's required while runtime silently proceeds with `undefined`?
43
+ - What happens if a field has the wrong primitive type (a string where a number is declared)? Coercion, rejection, or silent pass-through?
44
+ - Is the validator's schema kept in sync with the TypeScript type by construction (e.g. `z.infer<typeof schema>` generates the type from the validator) or are they two independently hand-maintained declarations that can drift?
45
+ - If this is a third-party SDK response, does the SDK's own published types (if any) constitute a runtime guarantee, or are they — like all TypeScript types — compile-time only and equally unenforced by the SDK itself?
46
+
47
+ If these cannot be answered concretely, the trust-boundary claim is unverified — report it as a finding, not a pass.
48
+
49
+ ## High-risk assumptions to kill
50
+
51
+ - "It's typed, so it's validated" — types are erased; only executed code validates.
52
+ - "The SDK's TypeScript types mean the SDK enforces the shape" — a third-party SDK's `.d.ts` file is exactly as unenforced at runtime as first-party code's types.
53
+ - "We control the API, so the response is always well-formed" — deploy skew (client ahead of/behind the API), a compromised or misconfigured upstream, or a partial outage returning an error body with a 200 status all violate this assumption in practice.
54
+ - "`as unknown as T` is safer than `as T`" — it silences the double-assertion protection the compiler otherwise gives when the two types are structurally too different to be a plausible mistake; it typically appears specifically to bypass that protection, which is a stronger signal something is being forced through.
55
+
56
+ ## Verification targets
57
+
58
+ - `git diff` or `Grep` for `JSON.parse(`, ` as `, and `!` immediately following a value derived from `fetch`, `axios`, `postMessage`, `URLSearchParams`, `process.env`, or a named SDK client.
59
+ - Presence and shape of a schema-validation library call (`.parse(`, `.safeParse(`, or a hand-written `is`-suffixed type-guard function) between the raw external value and its first typed use.
60
+ - If a schema library generates the TypeScript type (e.g. `z.infer<...>`), confirm the type in the diff is actually derived that way rather than hand-declared separately, which would let the two drift.
61
+
62
+ ## When to push back
63
+
64
+ Push back if the user asks to:
65
+
66
+ - add a type annotation to an external-data-handling function as the fix for a bug, without adding a runtime check — the type change alone does not prevent the bug's root cause,
67
+ - suppress a `no-unsafe-assignment`/`no-explicit-any` lint finding at a trust boundary with an inline disable comment instead of adding validation,
68
+ - treat "the SDK is typed" as sufficient justification to skip validating that SDK's response shape.
@@ -0,0 +1,64 @@
1
+ ---
2
+ name: visual-regression-storybook-review
3
+ description: Reviews Storybook visual-testing setup -- test-runner wiring, Chromatic integration, and the a11y addon's axe-core gating -- to ensure visually-critical components have deterministic pixel-diff and accessibility coverage before merge, grounded in current Storybook docs.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: delivery
10
+ ---
11
+
12
+ # Visual Regression (Storybook) Review
13
+
14
+ ## Purpose
15
+
16
+ Storybook can run three different kinds of automated checks -- the generic `test-runner`, hosted Chromatic visual/interaction diffing, and the `a11y` addon's axe-core accessibility checks -- and teams frequently conflate them or wire only one when they need two. This skill reviews which checks are actually wired, whether they gate merge or are advisory-only, and whether visually-critical components and all theme variants are in scope, grounded in current, version-specific Storybook API behavior rather than remembered config shapes that may be stale across majors.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review or configure Storybook's `test-runner`, Chromatic, or `a11y` addon setup,
23
+ - diagnose why a visual or accessibility regression shipped despite Storybook tests passing,
24
+ - decide whether a check should run locally, in the test-runner, or via Chromatic,
25
+ - audit whether dark mode/RTL/reduced-motion story variants have visual and a11y coverage.
26
+
27
+ ## Context7 Documentation Protocol
28
+
29
+ Storybook's addon config shape (`preVisit`/`postVisit` hooks, `parameters.a11y.*`, `chromatic.config.json` fields) has changed across Storybook 8/9/10 and is documented, not folklore -- never assert a hook signature, parameter name, or default value from memory.
30
+
31
+ 1. Call `ToolSearch` with query `"context7"` (or `"select:mcp__Context7__resolve-library-id,mcp__Context7__query-docs"`) to load the Context7 tools if not already loaded in this session.
32
+ 2. Call `mcp__Context7__resolve-library-id` with library name `Storybook` to obtain the current Context7-compatible ID (`/storybookjs/storybook`); prefer the resolved ID over guessing.
33
+ 3. Call `mcp__Context7__query-docs` for the specific claim in question -- e.g. "test-runner preVisit postVisit hooks configuration", "a11y addon parameters.a11y.test values", "Chromatic config.json fields and CI wiring" -- before stating it as fact. Do this per review, not once from a prior session's memory.
34
+ 4. Prefer the official docs URLs in `official_docs` for primary normative statements (exact parameter names, exact config shape); use Context7 to ground and cross-check the claim before writing it into a finding.
35
+ 5. If Context7 is unavailable or returns no relevant match, fall back to the `official_docs` URLs and mark the claim `documentation-based (Context7 unavailable)` rather than presenting it as freshly verified.
36
+ 6. Never invent a config key, addon parameter, hook name, or axe-core rule ID that no queried source confirms.
37
+
38
+ ## Lean operating rules
39
+
40
+ - Distinguish the three tools explicitly: `test-runner` (generic CI test harness, runs locally or in CI via Playwright-driven `preVisit`/`postVisit` hooks), Chromatic (hosted visual + interaction diffing with a reviewer UI and git-provider sync), and the `a11y` addon (axe-core checks configured through `parameters.a11y.*`) -- do not treat them as interchangeable or assume one subsumes the others.
41
+ - Confirm whether `parameters.a11y.test` is set to `'error'` (fails the build on violations) rather than left unset or at `'todo'` (warns only) before crediting a project with enforced accessibility gating; `'off'` disables the check entirely except for manual panel review.
42
+ - Require that visually-critical stories include dark mode, RTL, and `prefers-reduced-motion` variants in the checked set, not just the default light theme -- a diff/a11y suite that only ever renders the default theme systematically misses regressions in every other supported mode.
43
+ - Verify the exact addon/config API shape (e.g., `preVisit`/`postVisit` hook signatures, `injectAxe`/`configureAxe`/`checkA11y` from `axe-playwright`, or `parameters.a11y.context`/`config`/`options`) against the installed Storybook major version before recommending a `.storybook/test-runner.ts` or `preview.ts` diff, since these shapes have changed across Storybook 8/9/10.
44
+ - Recommend masking or mocking non-deterministic content (timestamps, animations, randomized data, live network responses) before recommending a looser pixel-diff tolerance -- widening tolerance first hides the actual source of visual noise rather than fixing it.
45
+ - Treat the test-runner and Chromatic as complementary, not redundant: the test-runner can run custom assertions locally and in any CI, while Chromatic adds hosted visual/interaction diffing with reviewer approval and git sync; a project that has only one may still have a real coverage gap depending on what it needs.
46
+ - Load the design-token-governance skill instead of this one when the root cause is a token/contrast issue rather than a Storybook wiring gap; load `wcag-22-accessibility-audit` when the question is about accessibility compliance strategy broader than what the `a11y` addon checks.
47
+
48
+ ## References
49
+
50
+ Load these only when needed:
51
+
52
+ - [Test-runner and Chromatic wiring](references/test-runner-and-chromatic-wiring.md) -- use when reviewing or configuring the `test-runner`'s `preVisit`/`postVisit` hooks, CI invocation, or Chromatic project setup and the distinction between the two.
53
+ - [Accessibility addon gating](references/accessibility-addon-gating.md) -- use when reviewing or configuring the `a11y` addon's `parameters.a11y.test` gating behavior, axe-core rule configuration, or diagnosing why violations aren't failing CI.
54
+ - [Theme and variant coverage](references/theme-and-variant-coverage.md) -- use when auditing whether dark mode, RTL, and reduced-motion story variants have visual/a11y coverage, or when non-deterministic content needs masking before diffing.
55
+
56
+ ## Response minimum
57
+
58
+ Return, at minimum:
59
+
60
+ - which of the three tools (test-runner/Chromatic/a11y addon) is in scope and whether it currently gates merge,
61
+ - theme/variant coverage gap (dark mode, RTL, reduced-motion) if any,
62
+ - evidence level and the Storybook major version the guidance targets,
63
+ - proposed config diff (not applied),
64
+ - security caveat on any Chromatic/Percy token or PII-bearing baseline reviewed.
@@ -0,0 +1,27 @@
1
+ {
2
+ "id": "visual-regression-storybook-review",
3
+ "name": "Visual Regression (Storybook) Review",
4
+ "type": "skill",
5
+ "provider": "frontend",
6
+ "harnesses": [
7
+ "claude-code",
8
+ "cursor",
9
+ "codex",
10
+ "gemini",
11
+ "kiro",
12
+ "other"
13
+ ],
14
+ "summary": "Reviews Storybook-based visual regression and accessibility gating (test-runner, a11y addon, Chromatic integration) to ensure visually-critical components have deterministic pixel-diff and axe-core coverage before merge.",
15
+ "source_type": "original",
16
+ "official_docs": [
17
+ "https://storybook.js.org/docs/writing-tests/visual-testing",
18
+ "https://storybook.js.org/docs/writing-tests/integrations/test-runner",
19
+ "https://storybook.js.org/docs/writing-tests/accessibility-testing",
20
+ "https://www.w3.org/TR/WCAG21/#contrast-minimum"
21
+ ],
22
+ "security_notes": "Chromatic/Percy project tokens used in CI must be scoped per-project secrets, not account-wide credentials, and never committed to `chromatic.config.json` or `.storybook/main.js`. Screenshot baselines must not capture real user PII from a staging environment seeded with production-like data.",
23
+ "last_verified": "2026-07-02",
24
+ "path": "skills/frontend/visual-regression-storybook-review",
25
+ "author": "github: Raishin",
26
+ "version": "0.1.0"
27
+ }
@@ -0,0 +1,86 @@
1
+ # Accessibility Addon (a11y) Gating
2
+
3
+ Use this reference when reviewing or configuring the `a11y` addon's `parameters.a11y.test` gating behavior, axe-core rule configuration, or diagnosing why accessibility violations aren't failing CI despite the addon being installed. For test-runner/Chromatic wiring, see `test-runner-and-chromatic-wiring.md`. For dark mode/RTL/reduced-motion coverage of the stories being checked, see `theme-and-variant-coverage.md`.
4
+
5
+ > Version note: `parameters.a11y.test` and the `initialGlobals`/`globals.a11y.manual` flag are current documented shapes; the addon's config surface has changed across Storybook majors (notably the move to `parameters.a11y.test` gating via the Vitest addon or test-runner). Verify the exact parameter names against the installed Storybook version via Context7 (`/storybookjs/storybook`) or the official docs before writing a config diff.
6
+
7
+ ## What people get wrong
8
+
9
+ The common bad assumption is:
10
+
11
+ > The `a11y` addon is installed, so accessibility violations block merge.
12
+
13
+ That is false by default. The addon being installed only means violations are visible in the Storybook UI's a11y panel during manual browsing. Whether a violation actually fails a build depends entirely on the `parameters.a11y.test` value, which is `undefined` (no enforced test behavior) unless explicitly set.
14
+
15
+ ## Officially grounded shape
16
+
17
+ The accessibility addon is built on `axe-core`; its configuration options largely map to axe-core's own API surface:
18
+
19
+ | Property | Default | Description |
20
+ |---|---|---|
21
+ | `parameters.a11y.context` | `'body'` | Context passed to `axe.run` -- which elements checks run against. |
22
+ | `parameters.a11y.config` | (empty) | Configuration passed to `axe.configure()` -- most commonly used to enable/disable individual rules. |
23
+ | `parameters.a11y.options` | `{}` | Options passed to `axe.run` -- can adjust which rulesets are checked. |
24
+ | `parameters.a11y.test` | `undefined` | Determines test behavior when run with the Vitest addon or the test-runner. |
25
+ | `globals.a11y.manual` | `undefined` | Set `true` to prevent a story from being automatically analyzed when visited. |
26
+
27
+ `parameters.a11y.test` accepts exactly three documented values:
28
+
29
+ - `'off'` -- do not run accessibility tests automatically (manual panel review is still possible).
30
+ - `'todo'` -- run accessibility tests; violations surface as a **warning** in the Storybook UI, not a failing test.
31
+ - `'error'` -- run accessibility tests; violations surface as a **failing test** in the Storybook UI and CLI/CI.
32
+
33
+ This parameter can be set at the project level (`.storybook/preview.ts`), the component level (a story file's meta/default export), or an individual story level -- so a project can have global `'error'` gating with a deliberate `'todo'` or `'off'` override on a specific known-noisy story, or the reverse (global `'todo'` with `'error'` only on a few critical components). Either shape is valid; the review's job is to confirm which shape actually exists and whether it matches intent.
34
+
35
+ For test-runner-based enforcement (as opposed to the Vitest addon), the documented pattern injects and configures axe via the `axe-playwright` package inside the `preVisit`/`postVisit` hooks:
36
+
37
+ ```typescript
38
+ import type { TestRunnerConfig } from '@storybook/test-runner';
39
+ import { getStoryContext } from '@storybook/test-runner';
40
+ import { injectAxe, checkA11y, configureAxe } from 'axe-playwright';
41
+
42
+ const config: TestRunnerConfig = {
43
+ async preVisit(page) {
44
+ await injectAxe(page);
45
+ },
46
+ async postVisit(page, context) {
47
+ const storyContext = await getStoryContext(page, context);
48
+ await configureAxe(page, {
49
+ rules: storyContext.parameters?.a11y?.config?.rules,
50
+ });
51
+ const element = storyContext.parameters?.a11y?.element ?? 'body';
52
+ await checkA11y(page, element, {
53
+ detailedReport: true,
54
+ detailedReportOptions: { html: true },
55
+ });
56
+ },
57
+ };
58
+ export default config;
59
+ ```
60
+
61
+ Note this is a distinct enforcement path from `parameters.a11y.test` (which governs the addon's own Vitest-addon/test-runner-integrated behavior) -- a project wiring axe manually through `axe-playwright` in `preVisit`/`postVisit` is not automatically respecting `parameters.a11y.test`, and the two should not be assumed to be reading the same configuration unless the `postVisit` hook explicitly reads `storyContext.parameters?.a11y?.config`.
62
+
63
+ ## Non-negotiable design rules
64
+
65
+ 1. **Never credit "a11y addon is installed" as accessibility gating without confirming `parameters.a11y.test` is `'error'`** (or that a manual `axe-playwright` wiring in `postVisit` calls `checkA11y` in a way that actually fails the test runner process, not just logs a report). `'todo'` and the addon's default unset state are advisory only.
66
+ 2. **Confirm which enforcement path is in use** -- `parameters.a11y.test` via the Vitest addon/test-runner integration, or a manually wired `axe-playwright` `preVisit`/`postVisit` pair -- before writing a config diff; they are configured differently and a fix aimed at the wrong path silently does nothing.
67
+ 3. **Do not recommend disabling a rule globally via `parameters.a11y.config.rules` to silence a violation** without first confirming the violation is a false positive for the actual DOM/ARIA semantics in question, not a real defect the team wants to suppress.
68
+ 4. **Respect `globals.a11y.manual: true` as an intentional opt-out signal**, not dead config -- confirm with the team whether a story marked `manual` is deliberately excluded (e.g., because it renders non-deterministic third-party content) before treating its absence from automated coverage as a gap to fix by removing the flag.
69
+ 5. **Scope `parameters.a11y.context` deliberately** when a story wraps content the team doesn't own (e.g., a third-party embed) -- running the full-page `axe.run` against unowned markup produces violations the team cannot fix and trains reviewers to ignore the panel.
70
+
71
+ ## Safe verification targets
72
+
73
+ - `.storybook/preview.ts` -- confirm the project-level `parameters.a11y.test` value and any `initialGlobals.a11y.manual` default.
74
+ - Individual story files -- confirm component/story-level `parameters.a11y` overrides match documented intent (not accidental inheritance).
75
+ - `.storybook/test-runner.ts` -- if `axe-playwright` is used, confirm `preVisit` calls `injectAxe` and `postVisit` calls `checkA11y` with a real failure path (not a report-only call whose result is discarded).
76
+ - CI logs from a Storybook build with a known-injected violation -- the most reliable evidence that gating is real is a CI run that actually failed on a deliberate violation, not just config inspection.
77
+
78
+ ## When to push back
79
+
80
+ Push back if the user asks for:
81
+
82
+ - treating `'todo'` as sufficient gating because "it shows up in the UI,"
83
+ - disabling a specific axe rule project-wide to unblock a single component's merge, as a permanent fix rather than a scoped, justified exception,
84
+ - adding the `a11y` addon without setting `parameters.a11y.test` anywhere, and calling that "accessibility testing is now covered."
85
+
86
+ Visibility in a panel is not the same as a merge-blocking test.
@@ -0,0 +1,56 @@
1
+ # Test-Runner and Chromatic Wiring
2
+
3
+ Use this reference when reviewing or configuring the Storybook `test-runner`'s `preVisit`/`postVisit` hooks, its CI invocation, Chromatic project setup, or when a user is unclear on the difference between the two. For axe-core/a11y gating specifics, see `accessibility-addon-gating.md`. For theme/variant coverage, see `theme-and-variant-coverage.md`.
4
+
5
+ > Version note: hook signatures and helper exports (`getStoryContext`, `waitForPageReady`) live in `@storybook/test-runner` and have evolved across Storybook majors. Verify exact exports and signatures against the installed version via Context7 (`/storybookjs/storybook`) or the official docs before citing one as available.
6
+
7
+ ## What people get wrong
8
+
9
+ The common bad assumption is:
10
+
11
+ > "We have Storybook tests" means visual regressions are covered.
12
+
13
+ That is not necessarily true. A project can have:
14
+
15
+ - a `test-runner` that only asserts `expect(canvas).toBeInTheDocument()`-style smoke checks, with no image snapshot step at all,
16
+ - Chromatic connected but running in "notify only" mode with no branch protection requiring the check,
17
+ - both tools installed, but neither one covering the components the team actually considers visually critical.
18
+
19
+ "Storybook tests exist" and "visual regressions are gated" are different claims. Confirm which one is actually true before crediting a project with coverage.
20
+
21
+ ## Officially grounded shape
22
+
23
+ Per Storybook's own documentation, the `test-runner` and Chromatic are described as complementary, not redundant:
24
+
25
+ - **The `test-runner`** is a generic testing tool, built on Playwright, that can run locally or in CI and be configured or extended to run "all kinds of tests." It exposes a `preVisit`/`postVisit` hook API in `.storybook/test-runner.ts`:
26
+ - `setup()` runs once before the test runner starts.
27
+ - `preVisit(page, context)` runs before a story is rendered; `page` is Playwright's page object, `context` carries the story's id/title/name.
28
+ - `postVisit(page, context)` runs after a story is fully rendered; this is where image-snapshot assertions and `getStoryContext(page, context)` (to read the story's full parameters/args/argTypes) typically go.
29
+ - `waitForPageReady(page)` is a documented helper for image-snapshot testing that waits for the page -- including async items like images and fonts -- to finish loading before a screenshot is taken; skipping it is a common source of flaky screenshot diffs on slow-loading assets.
30
+ - **Chromatic** is a cloud-based service that runs visual and interaction tests without the team having to set up the test-runner itself. It syncs with the git provider and manages access control for private projects. Storybook's own docs describe using the test-runner locally and Chromatic in CI as a valid pairing: use Chromatic for visual and component tests, and the test-runner for other custom tests.
31
+ - Chromatic project configuration lives in `chromatic.config.json` (fields such as `projectId`, `buildScriptName`, `zip`, `debug`) rather than being hardcoded into CI invocation flags.
32
+
33
+ ## Non-negotiable design rules
34
+
35
+ 1. **Do not credit "Storybook tests pass" as visual coverage without confirming a diffing step exists.** A `test-runner` config with no image-snapshot assertion in `postVisit`, and no Chromatic connection, has zero visual-regression coverage regardless of how many stories exist.
36
+ 2. **Confirm the check is required, not advisory.** A connected Chromatic project that is not set as a required status check on the default branch's protection rules can be bypassed by any merge; "connected" and "gating" are different claims and must be verified separately (repo evidence: branch protection config, not just Chromatic dashboard presence).
37
+ 3. **Use `waitForPageReady` (or an equivalent explicit wait) before any screenshot assertion in `postVisit`.** Taking a screenshot before fonts/images finish loading produces non-deterministic diffs that erode trust in the whole suite and lead teams to loosen thresholds instead of fixing the real timing bug.
38
+ 4. **Do not run the test-runner without `preVisit`/`postVisit` review when adding a11y or visual checks.** These hooks are the only place axe injection and screenshot assertions can run per-story with access to `getStoryContext`; bolting checks on outside this API produces inconsistent coverage across stories.
39
+ 5. **When both the test-runner and Chromatic exist, confirm they aren't duplicating the same check with different tolerances.** Two visual-diff mechanisms with different pixel-diff thresholds on the same components is a maintenance and false-confidence problem, not defense in depth.
40
+
41
+ ## Safe verification targets
42
+
43
+ - `.storybook/test-runner.ts` (or `.js`) -- confirm `preVisit`/`postVisit` hooks exist and what they assert.
44
+ - `chromatic.config.json` and the CI workflow step invoking `chromatic` -- confirm `projectId` is present and the step is wired into a required CI job, not an optional/manual trigger.
45
+ - Branch protection rules (repo settings, not just CI YAML) -- confirm the Chromatic and/or test-runner CI check is marked required before merge.
46
+ - `package.json` `test-storybook` script and its CI invocation flags (e.g. `--ci`, coverage flags) -- confirm it's actually called in CI, not just defined locally.
47
+
48
+ ## When to push back
49
+
50
+ Push back if the user asks for:
51
+
52
+ - widening a `test-runner` image-snapshot diff threshold as the first response to flaky screenshots, before confirming `waitForPageReady` or explicit content masking is in place,
53
+ - connecting Chromatic without also making it a required CI check, calling that "visual regression coverage,"
54
+ - removing the test-runner because "Chromatic covers it," without confirming Chromatic's scope actually includes the custom assertions the test-runner was running.
55
+
56
+ Those are shortcuts that produce the appearance of coverage without the substance.
@@ -0,0 +1,51 @@
1
+ # Theme and Variant Coverage
2
+
3
+ Use this reference when auditing whether dark mode, RTL, and `prefers-reduced-motion` story variants have visual and accessibility coverage, or when non-deterministic content needs masking/mocking before a pixel diff is trustworthy. For the mechanics of the test-runner and Chromatic themselves, see `test-runner-and-chromatic-wiring.md`. For axe-core gating specifics, see `accessibility-addon-gating.md`.
4
+
5
+ ## What people get wrong
6
+
7
+ The common bad assumption is:
8
+
9
+ > If the default-theme story passes visual and a11y checks, the component is covered.
10
+
11
+ That is incomplete. A component's rendered DOM, computed contrast ratios, and layout can all differ meaningfully across:
12
+
13
+ - **color scheme** (light vs. dark, or any custom theme the design system supports) -- contrast ratios computed by axe-core in a light-theme snapshot say nothing about the dark-theme token pairing, which is a distinct set of color values,
14
+ - **text direction** (LTR vs. RTL) -- logical layout bugs (icon placement, padding asymmetry, text truncation direction) frequently only appear in RTL and are invisible in an LTR-only snapshot,
15
+ - **motion preference** (`prefers-reduced-motion: reduce`) -- a component that only has an animated entrance story has no coverage confirming the reduced-motion fallback renders correctly, not just "does not animate."
16
+
17
+ A visual-regression suite that only ever renders the default light/LTR/motion-enabled variant of each component has verified one of potentially four-plus meaningfully different rendered states, and will not catch a regression introduced in any of the others.
18
+
19
+ ## Officially grounded shape
20
+
21
+ Storybook does not automatically render every theme/direction/motion-preference permutation of a story -- coverage of these dimensions is a function of how many story variants exist and whether decorators or globals feed them into each render. Confirm, as repo evidence rather than assumption, whether:
22
+
23
+ - a dark-mode (or multi-theme) decorator/global exists and is exercised by dedicated stories, not just toggle-able in the manual Storybook UI,
24
+ - RTL stories exist using the project's actual RTL mechanism (e.g. a `dir="rtl"` wrapper decorator), not just documented as "supported" in a design doc,
25
+ - a `prefers-reduced-motion` variant exists, typically via a decorator that sets the media feature for the story's iframe, or via a dedicated reduced-motion story.
26
+
27
+ `parameters.a11y.context` (see `accessibility-addon-gating.md`) determines what markup axe-core inspects per story -- confirm it is not silently scoped in a way that excludes the very wrapper (e.g. an RTL `dir` wrapper) whose correctness is under test.
28
+
29
+ ## Non-negotiable design rules
30
+
31
+ 1. **Do not count a single default-theme story as coverage for "the component supports dark mode."** Supporting a capability in code and having a regression-tested story for it are different claims; only the latter catches a regression.
32
+ 2. **Mask or mock non-deterministic content before adding any new theme/variant story to a visual diff, rather than after a flaky failure appears.** Timestamps, live avatars, randomized placeholder data, and animated content are common sources of false-positive diffs; the fix is explicit masking (e.g. a `mask` option, disabled animations, or seeded fixture data) applied at story-authoring time, not a loosened global threshold applied later.
33
+ 3. **Treat RTL coverage as a layout-logic concern, not a translation concern.** An RTL story does not need translated text to be useful -- it needs the same content rendered with `dir="rtl"` to catch physical-vs-logical CSS property bugs (e.g. `margin-left` instead of `margin-inline-start`).
34
+ 4. **Treat `prefers-reduced-motion` coverage as a distinct assertion from "does it animate," not a subset of it.** A story confirming the *entrance* animation looks right says nothing about whether the reduced-motion fallback (often a hard cut or fade) is also correct; test both if the component is animated.
35
+ 5. **Prioritize theme/variant coverage by actual usage risk, not exhaustive permutation.** A component used only in an admin-only, LTR-only internal tool does not need RTL coverage; a design-system primitive used across public, internationalized surfaces does. Recommend coverage proportional to blast radius, not maximal coverage for its own sake.
36
+
37
+ ## Safe verification targets
38
+
39
+ - Story files for visually-critical components -- confirm the presence (or absence) of theme/direction/motion story variants, not just the default export.
40
+ - `.storybook/preview.ts` decorators and globals -- confirm a theme-switching or `dir`-setting decorator exists and is actually wired into the stories claimed to cover it.
41
+ - The test-runner's `postVisit` hook or Chromatic's captured snapshot list -- confirm the theme/variant stories are actually included in the set of stories being diffed, not excluded by a `tags` filter or story-level skip.
42
+
43
+ ## When to push back
44
+
45
+ Push back if the user asks for:
46
+
47
+ - claiming "dark mode is covered" based on a single manually-toggled preview in local dev, with no corresponding story or CI snapshot,
48
+ - adding an RTL story with translated placeholder text but no `dir="rtl"` wrapper, which tests translation rendering but not the actual logical-CSS layout bug class RTL coverage exists to catch,
49
+ - deferring reduced-motion coverage indefinitely on an animation-heavy component while treating it as low priority, without characterizing the actual user population affected (motion-sensitivity accommodations are an accessibility requirement, not a nice-to-have).
50
+
51
+ Partial coverage presented as complete coverage is worse than an honestly documented gap.
@@ -0,0 +1,68 @@
1
+ ---
2
+ name: vue-composition-api-architecture-review
3
+ description: Statically review Vue 3 Composition API code — composable extraction quality, reactivity-boundary correctness (ref/reactive/computed usage, destructuring-loses-reactivity pitfalls), and script-setup component organization — against Vue's own documented composable conventions and reactivity fundamentals.
4
+ allowed-tools: Read Grep Glob
5
+ metadata:
6
+ author: "github: Raishin"
7
+ version: "0.1.0"
8
+ updated: "2026-07-02"
9
+ category: architecture
10
+ ---
11
+
12
+ # Vue Composition API Architecture Review
13
+
14
+ ## Purpose
15
+
16
+ Review Vue 3 composables and `<script setup>` components for the specific defect classes Vue's own documentation calls out — reactivity lost through destructuring, lifecycle hooks registered outside the synchronous setup window, impure `computed()` getters, and script-setup components that mix data-fetching, business logic, and presentation with no composable extraction — without re-litigating component prop design, template markup, styling, or SSR/hydration concerns in every response. This skill exists so those adjacent concerns stay out of scope and the review stays focused on the documented reactivity-boundary and composable-extraction catalog.
17
+
18
+ ## When to use
19
+
20
+ Use this skill when the user asks to:
21
+
22
+ - review a new or refactored composable (a `use*`-prefixed function) before merge,
23
+ - diagnose a report that "reactive state doesn't update in the UI" after destructuring a composable's return value,
24
+ - review a `<script setup>` component for organization and whether logic should be extracted into a composable,
25
+ - decide whether a given `computed()` or lifecycle-hook usage is correct.
26
+
27
+ Do not use this skill for:
28
+
29
+ - Options API-only codebases with no Composition API usage and no stated migration plan — there is no reactivity-boundary or composable-extraction surface to review,
30
+ - SSR-specific security concerns (session/auth-token handling inside composables, hydration mismatches) — hand off to `vue-ssr-security-review`,
31
+ - a bug that requires live reproduction (Vue Devtools reactivity inspection, browser profiling) to confirm — static analysis can identify the missing `toRefs()`/guard, not prove which specific runtime instance broke.
32
+
33
+ ## Context7 Documentation Protocol
34
+
35
+ - Resolve the Vue library ID with `resolve-library-id` (matched result: `/vuejs/vue`) before labeling any specific pattern as a reactivity-loss bug or a composable-convention violation.
36
+ - `/vuejs/vue` is Vue's core source-and-test repository, not the prose docs site. Use `query-docs` against it to corroborate exact runtime behavior (e.g., the `computed({ get, set })` writable-computed shape, `reactive()`/`ref()` tracking mechanics) from source and unit tests. It does not reliably surface the narrative guidance in the Composables and Reactivity Fundamentals guides — for that guidance, use the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based`.
37
+ - Before asserting a specific destructuring pattern loses reactivity, confirm which construct is being destructured: destructuring a `reactive()`-returned proxy loses reactivity on primitive-valued properties; destructuring a `ref()` or a `toRefs()`-wrapped object does not, because each extracted value is itself a ref. Do not apply a blanket "destructuring is unsafe" rule — check the return type first.
38
+ - Read `package.json` first to confirm Vue 3.x is in use; Composition API and its documented composable conventions (including `<script setup>`) are Vue 3 features, not Vue 2.
39
+ - If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
40
+
41
+ ## Lean operating rules
42
+
43
+ - For every composable in scope, first determine whether its return value is intended to be destructured by consumers. If yes, verify it returns individual refs or a `toRefs()`-wrapped reactive object — a plain `reactive()` object returned for destructuring is the documented reactivity-loss pitfall, not a style preference.
44
+ - For every composable, verify the `use*` naming convention and verify that lifecycle hooks (`onMounted`, `onUnmounted`, `watch`, etc.) and other composables are called synchronously during the composable's/component's initial `setup()`/`<script setup>` execution — not inside an async callback, `await`-continuation, conditional, loop, or event handler registered after setup has returned. Vue's synchronous-registration requirement is a hard rule, not a lint nicety: a hook registered after an `await` silently fails to attach to the correct component instance.
45
+ - For every `computed()` in scope, verify the getter is a pure read with no side effects (no state mutation, no async calls, no logging with side effects). A writable computed (`computed({ get, set })`) is the documented pattern for two-way-bindable derived state — do not flag its `set` function as an impurity; that is its intended role.
46
+ - Review `<script setup>` components for responsibility mixing: data-fetching, validation/business logic, and presentation-only state all inline with no composable extraction. Flag extraction candidates only when the mixed logic is non-trivial and would reduce duplication or improve testability if extracted — do not flag a component for using one or two local `ref()`s that have no reuse potential.
47
+ - Do not fabricate a reactivity-loss finding without showing the exact destructuring line and the specific property that would stop updating. A finding that only says "this might lose reactivity" without the concrete assignment is not a valid finding.
48
+ - Never execute, build, or run application code as part of this review; this is a static-review skill (Read/Grep/Glob only).
49
+ - Load only the reference needed for the concern in scope.
50
+
51
+ ## References
52
+
53
+ Load these only when needed:
54
+
55
+ - [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the reactivity/composable decision tree, and the required output shape.
56
+ - [Reactivity boundaries](references/reactivity-boundaries.md) — load only when reviewing `ref()`/`reactive()`/`computed()` usage, a suspected destructuring-loses-reactivity bug, or `toRef()`/`toRefs()`/`unref()` interop code.
57
+ - [Composable and script-setup conventions](references/composable-and-script-setup-conventions.md) — load only when reviewing composable naming/structure, lifecycle-hook registration timing, or `<script setup>` responsibility mixing and extraction candidates.
58
+
59
+ ## Response minimum
60
+
61
+ Return, at minimum:
62
+
63
+ - the composable(s) and/or component(s), files, and specific call sites in scope,
64
+ - ranked findings with file:line evidence, defect category (reactivity-loss, lifecycle-timing, computed-impurity, or extraction candidate), and a concrete fix sketch matching the docs' recommended pattern,
65
+ - for every reactivity-loss finding, the exact destructuring line and the property that would stop updating,
66
+ - evidence level per finding (`repo evidence`, `documentation-based`, or `inference`),
67
+ - verdict (approve / approve-with-notes / block),
68
+ - open questions or scope the review could not cover (e.g., "requires Vue Devtools reactivity inspection to confirm at runtime").