@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15393 -12593
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +5 -4
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/export-marketplace-agents.mjs +48 -15
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/test-vfa-export-coverage.test.mjs +30 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,188 @@
|
|
|
1
|
+
# Client-Side Guards as an Authorization Boundary, and Navigation Control-Flow Risks
|
|
2
|
+
|
|
3
|
+
Use this reference when the review scope includes a `router.beforeEach`/`beforeEnter` (or a
|
|
4
|
+
meta-framework's route-middleware equivalent), any redirect returned from a guard, a catch-all
|
|
5
|
+
route, or the app's `history` mode configuration. Covers rubric items 1, 5, 6, 7 (and their
|
|
6
|
+
"not a finding" counterparts 8, 13, 14, 15).
|
|
7
|
+
|
|
8
|
+
## What people get wrong
|
|
9
|
+
|
|
10
|
+
The naive assumption:
|
|
11
|
+
|
|
12
|
+
> "This route checks `isAuthenticated` in `beforeEach` and redirects to `/login` if it's false,
|
|
13
|
+
> so the route is protected."
|
|
14
|
+
|
|
15
|
+
Wrong in isolation. Vue Router's own guard mechanics confirm exactly what a guard is: a
|
|
16
|
+
JavaScript callback that runs *in the browser*, before a navigation is allowed to resolve. It
|
|
17
|
+
can return `false` to cancel the navigation, a route location to redirect, or (with the legacy
|
|
18
|
+
third argument) call `next()` — all of this is client-side control flow (`repo evidence`,
|
|
19
|
+
`/vuejs/router`, navigation-guards guide). None of it executes on a server the attacker doesn't
|
|
20
|
+
control. A guard is the correct place for *UX* gating — don't render a protected page's shell
|
|
21
|
+
to a user who hasn't logged in — but it is not, and cannot be, the mechanism that stops a
|
|
22
|
+
request from reaching protected data, because:
|
|
23
|
+
|
|
24
|
+
- the bundled JavaScript (and therefore the guard's logic) is fully visible and can be read,
|
|
25
|
+
patched via devtools, or skipped by calling the underlying API/data-fetch directly;
|
|
26
|
+
- `isAuthenticated` itself is usually just client-held state (a token's presence, a decoded JWT
|
|
27
|
+
claim, a Pinia/Vuex flag) that the guard reads — it is not an independent judgment the server
|
|
28
|
+
makes on the attacker's actual request.
|
|
29
|
+
|
|
30
|
+
## Officially grounded requirement
|
|
31
|
+
|
|
32
|
+
Vue Router's documented guard pattern for authentication redirects is:
|
|
33
|
+
|
|
34
|
+
```js
|
|
35
|
+
router.beforeEach(async (to, from) => {
|
|
36
|
+
if (
|
|
37
|
+
!isAuthenticated &&
|
|
38
|
+
// Avoid an infinite redirect
|
|
39
|
+
to.name !== 'Login'
|
|
40
|
+
) {
|
|
41
|
+
return { name: 'Login' }
|
|
42
|
+
}
|
|
43
|
+
})
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
(`repo evidence`, `/vuejs/router`, navigation-guards guide — including the documented
|
|
47
|
+
`to.name !== 'Login'` self-exclusion check, which is the framework's own prescribed loop-avoidance
|
|
48
|
+
pattern, not an optional hardening step.) The docs also show the same pattern via `meta` fields:
|
|
49
|
+
|
|
50
|
+
```js
|
|
51
|
+
router.beforeEach((to, from) => {
|
|
52
|
+
if (to.meta.requiresAuth && !auth.isLoggedIn()) {
|
|
53
|
+
return { path: '/login', query: { redirect: to.fullPath } }
|
|
54
|
+
}
|
|
55
|
+
})
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
(`repo evidence`, `/vuejs/router`, meta guide.) Nowhere in Vue Router's own documentation is a
|
|
59
|
+
guard described as an authorization mechanism that replaces server-side access control — the
|
|
60
|
+
docs frame it strictly as navigation control flow (cancel / redirect / proceed). The conclusion
|
|
61
|
+
that a guard must not be the *sole* boundary is standard web-security practice (client-side
|
|
62
|
+
controls are trivially bypassable; the server must independently authorize every request) rather
|
|
63
|
+
than a Vue-Router-specific API claim — treat this specific conclusion as `inference` grounded in
|
|
64
|
+
`documentation-based` general security guidance (OWASP: never rely on client-side enforcement
|
|
65
|
+
alone), layered on top of the `repo evidence` fact that guards are browser-executed callbacks.
|
|
66
|
+
|
|
67
|
+
Guards can also programmatically extend the route table and redirect in one motion:
|
|
68
|
+
|
|
69
|
+
```js
|
|
70
|
+
router.beforeEach(to => {
|
|
71
|
+
if (!hasNecessaryRoute(to)) {
|
|
72
|
+
router.addRoute(generateRoute(to))
|
|
73
|
+
return to.fullPath
|
|
74
|
+
}
|
|
75
|
+
})
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
(`repo evidence`, `/vuejs/router`, dynamic-routing guide.) If `generateRoute()` builds a route
|
|
79
|
+
pattern from untrusted input, the pattern itself becomes an injection surface — treat this the
|
|
80
|
+
same as any other user-controlled routing input.
|
|
81
|
+
|
|
82
|
+
## Non-negotiable design rules
|
|
83
|
+
|
|
84
|
+
### 1. A guard finding requires evidence of an ABSENT server-side check, not just a present client check
|
|
85
|
+
|
|
86
|
+
Do not flag "there is a client-side guard" as the defect. The finding is: this route's guard
|
|
87
|
+
exists, **and** the review found no evidence that the API/data endpoint the route depends on
|
|
88
|
+
independently checks authorization on the server. Look for: a 401/403 test or comment, a BFF
|
|
89
|
+
layer, server middleware, or an API contract doc showing enforcement. If such evidence exists,
|
|
90
|
+
the guard is correctly UX-only and this is not a finding (rubric item 8).
|
|
91
|
+
|
|
92
|
+
### 2. Distinguish "guard exists with server enforcement" from "guard is believed to be enough"
|
|
93
|
+
|
|
94
|
+
Ask explicitly, in the finding write-up, whether the codebase (or the user) asserts the guard
|
|
95
|
+
*is* the security boundary ("the API trusts anyone who reached this route") versus treats it as
|
|
96
|
+
UX convenience layered over real server checks. The former is the HIGH finding; the latter,
|
|
97
|
+
with visible server-side evidence, is not.
|
|
98
|
+
|
|
99
|
+
### 3. Redirect self-exclusion prevents the documented loop failure mode
|
|
100
|
+
|
|
101
|
+
Every unconditional-redirect guard (`if (!isAuthenticated) return { name: 'Login' }` with no
|
|
102
|
+
exclusion for the login route itself) is a HIGH finding: it produces an infinite redirect loop
|
|
103
|
+
the moment the guard runs on the login route's own navigation. The fix is the framework's own
|
|
104
|
+
documented pattern (`to.name !== 'Login'` or equivalent). A guard that already includes this
|
|
105
|
+
check is correctly implemented (rubric item 13) — do not invent a residual risk without a
|
|
106
|
+
concrete counter-path.
|
|
107
|
+
|
|
108
|
+
### 4. A guard-returned or `next()`-passed redirect target must itself be traced
|
|
109
|
+
|
|
110
|
+
If the redirect location returned by a guard (or passed to `next(...)`) is built from
|
|
111
|
+
`to.query`/`to.params` rather than a hardcoded route, trace that value the same way you would
|
|
112
|
+
trace an open-redirect target (see `open-redirect-and-injection.md`) — a guard can reintroduce
|
|
113
|
+
the exact same open-redirect defect class it was written to prevent.
|
|
114
|
+
|
|
115
|
+
### 5. Catch-all routes need their actual render path checked, not just their existence
|
|
116
|
+
|
|
117
|
+
Vue Router's documented catch-all pattern is `{ path: '/:pathMatch(.*)*', name: 'NotFound',
|
|
118
|
+
component: NotFound }` (`repo evidence`, `/vuejs/router`, dynamic-matching guide). This pattern
|
|
119
|
+
alone is correct and not a finding. It becomes a finding only when: (a) the matched component
|
|
120
|
+
renders `route.params.pathMatch` through an unsanitized sink, or (b) route table ordering
|
|
121
|
+
causes the catch-all to shadow a route that should require authentication (read the full routes
|
|
122
|
+
array in declaration order — Vue Router matches in the order routes are registered).
|
|
123
|
+
|
|
124
|
+
### 6. History-mode server configuration is out of the router's control but in scope for the review
|
|
125
|
+
|
|
126
|
+
`createWebHistory()` (`repo evidence`, `/vuejs/router`, history-mode guide) produces
|
|
127
|
+
clean URLs but requires the server to serve the app's `index.html` for any path the SPA should
|
|
128
|
+
handle client-side. This is not itself a router-code defect, but the review must check for
|
|
129
|
+
evidence of the corresponding server/proxy fallback rule (nginx `try_files`, a framework's SPA
|
|
130
|
+
middleware, a static-host rewrite rule) — its *absence* breaks direct links/refreshes, and an
|
|
131
|
+
*overly broad* fallback (matching `/api/*` or asset paths that should 404 or route elsewhere)
|
|
132
|
+
can leak information or serve the app shell where a different, more restrictive handler was
|
|
133
|
+
intended.
|
|
134
|
+
|
|
135
|
+
## Minimal safe pattern
|
|
136
|
+
|
|
137
|
+
```js
|
|
138
|
+
// Guard: UX-only redirect, with the documented loop-avoidance check.
|
|
139
|
+
router.beforeEach((to, from) => {
|
|
140
|
+
if (to.meta.requiresAuth && !authStore.isAuthenticated && to.name !== 'Login') {
|
|
141
|
+
return { name: 'Login', query: { redirect: to.fullPath } }
|
|
142
|
+
}
|
|
143
|
+
})
|
|
144
|
+
|
|
145
|
+
// Server / BFF: the actual authorization boundary (illustrative — lives outside router code).
|
|
146
|
+
// GET /api/account -> 401 if session invalid, regardless of any client-side navigation state.
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Anti-pattern (guard as the only boundary — do not approve without server-side evidence):
|
|
150
|
+
|
|
151
|
+
```js
|
|
152
|
+
router.beforeEach((to, from) => {
|
|
153
|
+
if (to.meta.requiresAuth && !authStore.isAuthenticated) {
|
|
154
|
+
return { name: 'Login' } // no `to.name !== 'Login'` check -> loop risk
|
|
155
|
+
}
|
|
156
|
+
// No evidence anywhere in the reviewed diff/API that /api/account (or whatever
|
|
157
|
+
// this route fetches) independently checks the session server-side.
|
|
158
|
+
})
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
## Adversarial checklist
|
|
162
|
+
|
|
163
|
+
- If a user disables JavaScript, or calls the route's underlying API directly with curl/devtools,
|
|
164
|
+
does the server independently reject the unauthorized request? If unknown, ask — do not assume
|
|
165
|
+
yes.
|
|
166
|
+
- Does every unconditional redirect-on-guard have a self-exclusion for its own target route?
|
|
167
|
+
- Is any guard's redirect destination built from `to.query`/`to.params` rather than a hardcoded
|
|
168
|
+
name/path? If so, cross-reference `open-redirect-and-injection.md`.
|
|
169
|
+
- Does `router.addRoute()` (if called from within a guard) build its route definition from any
|
|
170
|
+
user-reachable input?
|
|
171
|
+
- Read the full `routes` array in registration order — does a catch-all or broad pattern appear
|
|
172
|
+
before a route that should take precedence and require auth?
|
|
173
|
+
- Does `createWebHistory()` appear with no server config file in the reviewed diff/repo showing
|
|
174
|
+
the SPA-fallback rule? Flag this as an open question if the server config is out of scope
|
|
175
|
+
rather than assuming it is either correct or missing.
|
|
176
|
+
|
|
177
|
+
## Verification targets
|
|
178
|
+
|
|
179
|
+
- Grep for `router.beforeEach(`, `beforeEnter:`, and meta-framework middleware files
|
|
180
|
+
(`middleware/`, `definePageMeta`) and read each guard's full body.
|
|
181
|
+
- Grep for `to.name !==`, `from.name !==`, or equivalent self-exclusion checks near a redirect
|
|
182
|
+
return/`next(...)` call inside each guard found above.
|
|
183
|
+
- Grep for `router.addRoute(` calls inside guard bodies and trace the argument's construction.
|
|
184
|
+
- Grep for `pathMatch(.*)` / `path: '*'` and read the matched component's template for any
|
|
185
|
+
`route.params.pathMatch` usage.
|
|
186
|
+
- Grep for `createWebHistory(` and check the repo for a corresponding server config file
|
|
187
|
+
(`nginx.conf`, `vercel.json`, `netlify.toml`, a framework's server entry) with a fallback rule;
|
|
188
|
+
note explicitly if that file is outside the review's scope.
|
|
@@ -0,0 +1,190 @@
|
|
|
1
|
+
# Open Redirect, Scheme Injection, and Reflected XSS Through the Router
|
|
2
|
+
|
|
3
|
+
Use this reference when the review scope includes a post-login redirect flow reading
|
|
4
|
+
`route.query`, a dynamic `:to`/`:href` binding, or a `v-html`/`innerHTML` sink fed by
|
|
5
|
+
`route.params`/`route.query`. Covers rubric items 2, 3, 4 (and their "not a finding"
|
|
6
|
+
counterparts 9, 10, 11, 12).
|
|
7
|
+
|
|
8
|
+
## What people get wrong
|
|
9
|
+
|
|
10
|
+
The naive assumption, said three different ways depending on which defect it excuses:
|
|
11
|
+
|
|
12
|
+
> "It's just redirecting back to where the user came from — that's a UX feature, not a
|
|
13
|
+
> security decision."
|
|
14
|
+
|
|
15
|
+
> "It's a router-link, Vue Router handles the URL, so it must be safe."
|
|
16
|
+
|
|
17
|
+
> "It's just the search query showing what the user typed — of course it should render as-is."
|
|
18
|
+
|
|
19
|
+
All three treat *router-adjacent* data (a `redirect` query param, a `:to` binding, a
|
|
20
|
+
`route.params`/`route.query` value) as inherently trusted because it arrived through routing
|
|
21
|
+
machinery rather than a form POST. Vue Router's own docs confirm the opposite: dynamic segments
|
|
22
|
+
are "exposed... as `route.params`" with no escaping step described anywhere in the dynamic-
|
|
23
|
+
matching guide (`repo evidence`, `/vuejs/router`) — they are raw strings lifted from the URL,
|
|
24
|
+
exactly as attacker-controllable as any query-string or form value.
|
|
25
|
+
|
|
26
|
+
## Officially grounded facts
|
|
27
|
+
|
|
28
|
+
- **Redirect functions receive the live route object and can echo it verbatim.** Vue Router's
|
|
29
|
+
documented redirect patterns include function-based redirects that read `to.params`/`to.query`
|
|
30
|
+
directly: `redirect: to => ({ path: '/search', query: { q: to.params.searchText } })` and
|
|
31
|
+
`redirect: to => \`/redirected-path/${to.params.id}\`` (`repo evidence`, `/vuejs/router`,
|
|
32
|
+
redirect-and-alias / extending-routes guides). The mechanism for building a redirect target
|
|
33
|
+
from live route data is a first-class, documented feature — which is exactly why an
|
|
34
|
+
*unvalidated* version of the same mechanism (echoing a full attacker-supplied URL instead of a
|
|
35
|
+
path segment) is dangerous: the framework will not stop you.
|
|
36
|
+
- **`router.push` accepts a bare string path with no origin/scheme validation of its own** —
|
|
37
|
+
`router.push('/users/eduardo')`, `router.push(\`/user/${username}\`)` (`repo evidence`,
|
|
38
|
+
`/vuejs/router`, navigation guide). If `username` (or any interpolated value) is instead a
|
|
39
|
+
full external URL or a `javascript:` string, `router.push` does not reject it — it is the
|
|
40
|
+
calling code's responsibility to validate before calling.
|
|
41
|
+
- **`RouterLink`'s `:to` prop is commonly extended to bind directly to `:href` for external
|
|
42
|
+
links, gated only by an `isExternalLink` string check** — Vue Router's own
|
|
43
|
+
extending-router-link guide shows `:href="to"` used directly for values where
|
|
44
|
+
`typeof props.to === 'string' && props.to.startsWith('http')` (`repo evidence`,
|
|
45
|
+
`/vuejs/router`, extending-router-link guide). This is the documented pattern for handling
|
|
46
|
+
external links alongside internal ones — but note precisely what it does *not* include: any
|
|
47
|
+
scheme allowlist beyond the `http` prefix check. A value like `javascript:...` or
|
|
48
|
+
`httpjavascript:` crafted to defeat a naive `startsWith('http')` check is not excluded by this
|
|
49
|
+
documented example alone; production code needs an explicit protocol allowlist (see pattern
|
|
50
|
+
below), not just an `http`-prefix string check.
|
|
51
|
+
- **`route.params`/`route.query` carry no built-in HTML-escaping** — confirmed by the dynamic-
|
|
52
|
+
matching guide's description of params as directly exposed URL segments (`repo evidence`,
|
|
53
|
+
`/vuejs/router`). Vue's *template* interpolation (`{{ }}`) auto-escapes when you render these
|
|
54
|
+
values normally; the risk is exclusively when a `route.params`/`route.query` value reaches a
|
|
55
|
+
`v-html` binding or a manual `.innerHTML` assignment, which bypass that auto-escaping by
|
|
56
|
+
design (`documentation-based`, Vue security guide — this specific `v-html`-is-unescaped claim
|
|
57
|
+
is general Vue template-compiler behavior, not a Vue-Router API, so it is grounded in the
|
|
58
|
+
`official_docs` Vue security guide rather than the `/vuejs/router` library).
|
|
59
|
+
|
|
60
|
+
## Non-negotiable design rules
|
|
61
|
+
|
|
62
|
+
### 1. Open redirect: validate against a same-origin/relative-path allowlist, not a blocklist
|
|
63
|
+
|
|
64
|
+
The only acceptable fix for a `redirect`/`returnUrl` query value used in a post-auth redirect is
|
|
65
|
+
allowlisting: confirm the value is a relative path starting with a single `/` (reject
|
|
66
|
+
protocol-relative `//` and any value containing `://`), or resolve it with
|
|
67
|
+
`new URL(value, window.location.origin)` and compare the resolved `origin` to the app's own
|
|
68
|
+
origin. A denylist of "known bad" values (blocking `http://`/`https://` substrings, for example)
|
|
69
|
+
is not sufficient — treat a blocklist-only approach as still a finding, since it is trivially
|
|
70
|
+
bypassed by encoding or alternate schemes.
|
|
71
|
+
|
|
72
|
+
### 2. Scheme injection: allowlist protocols explicitly, don't rely on prefix checks alone
|
|
73
|
+
|
|
74
|
+
For any dynamic `:to`/`:href` fed by user-reachable input, require a visible allowlist check
|
|
75
|
+
(e.g., `['http:', 'https:', 'mailto:'].includes(new URL(value, base).protocol)`) on the exact
|
|
76
|
+
data-flow path. A `startsWith('http')` check (as shown in Vue Router's own external-link
|
|
77
|
+
extension example) is a routing-decision heuristic (is this internal or external), not a
|
|
78
|
+
security control — do not accept it as clearing a scheme-injection finding.
|
|
79
|
+
|
|
80
|
+
### 3. Trace `v-html`/`innerHTML` sinks fed by route data back to the URL, not just to a variable name
|
|
81
|
+
|
|
82
|
+
If a component does `<div v-html="route.query.bio">` or
|
|
83
|
+
`el.innerHTML = route.params.description`, the origin is the URL itself — the most directly
|
|
84
|
+
user-controlled input there is, requiring no stored/second-order step. Do not treat this as
|
|
85
|
+
lower-severity than a stored-XSS path; a reflected payload via a shared link is exploitable
|
|
86
|
+
immediately.
|
|
87
|
+
|
|
88
|
+
### 4. Text interpolation and non-rendering uses of route data are not the defect
|
|
89
|
+
|
|
90
|
+
`{{ route.query.q }}`, `:aria-label="route.params.id"`, passing `route.params.id` into an API
|
|
91
|
+
call, or using it as a `v-if` condition are all safe — Vue's default interpolation escapes, and
|
|
92
|
+
non-DOM-rendering uses have no injection sink at all. Only flag the specific `v-html`/`innerHTML`
|
|
93
|
+
sink, not every place a component touches `route.params`/`route.query`.
|
|
94
|
+
|
|
95
|
+
## Minimal safe implementation patterns
|
|
96
|
+
|
|
97
|
+
Open redirect, validated:
|
|
98
|
+
|
|
99
|
+
```js
|
|
100
|
+
const SAFE_REDIRECT = /^\/(?!\/)/ // single leading slash, not protocol-relative
|
|
101
|
+
|
|
102
|
+
function safeRedirectTarget(raw) {
|
|
103
|
+
return typeof raw === 'string' && SAFE_REDIRECT.test(raw) ? raw : '/'
|
|
104
|
+
}
|
|
105
|
+
|
|
106
|
+
router.push(safeRedirectTarget(route.query.redirect))
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
Scheme-validated dynamic link:
|
|
110
|
+
|
|
111
|
+
```vue
|
|
112
|
+
<script setup>
|
|
113
|
+
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:']
|
|
114
|
+
|
|
115
|
+
function safeHref(url) {
|
|
116
|
+
try {
|
|
117
|
+
const parsed = new URL(url, window.location.origin)
|
|
118
|
+
return ALLOWED_SCHEMES.includes(parsed.protocol) ? parsed.href : '#'
|
|
119
|
+
} catch {
|
|
120
|
+
return '#'
|
|
121
|
+
}
|
|
122
|
+
}
|
|
123
|
+
</script>
|
|
124
|
+
|
|
125
|
+
<template>
|
|
126
|
+
<a :href="safeHref(profile.websiteUrl)">Website</a>
|
|
127
|
+
</template>
|
|
128
|
+
```
|
|
129
|
+
|
|
130
|
+
Route data into `v-html`, sanitized:
|
|
131
|
+
|
|
132
|
+
```vue
|
|
133
|
+
<script setup>
|
|
134
|
+
import DOMPurify from 'dompurify'
|
|
135
|
+
import { computed } from 'vue'
|
|
136
|
+
import { useRoute } from 'vue-router'
|
|
137
|
+
|
|
138
|
+
const route = useRoute()
|
|
139
|
+
const safeQueryPreview = computed(() => DOMPurify.sanitize(String(route.query.q ?? '')))
|
|
140
|
+
</script>
|
|
141
|
+
|
|
142
|
+
<template>
|
|
143
|
+
<div v-html="safeQueryPreview"></div>
|
|
144
|
+
</template>
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
Anti-patterns (do not approve):
|
|
148
|
+
|
|
149
|
+
```js
|
|
150
|
+
// Open redirect: unvalidated query value passed straight to router/window.
|
|
151
|
+
router.push(route.query.redirect) // or: window.location.href = route.query.returnUrl
|
|
152
|
+
```
|
|
153
|
+
|
|
154
|
+
```vue
|
|
155
|
+
<!-- Scheme injection: no protocol allowlist. -->
|
|
156
|
+
<router-link :to="userProvidedProfileLink">Visit</router-link>
|
|
157
|
+
```
|
|
158
|
+
|
|
159
|
+
```vue
|
|
160
|
+
<!-- Reflected XSS: route.query rendered via v-html with no sanitizer on the path. -->
|
|
161
|
+
<div v-html="route.query.q"></div>
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
## Adversarial checklist
|
|
165
|
+
|
|
166
|
+
- Does any code read `route.query.redirect`/`returnUrl` (or similarly named params) and pass it
|
|
167
|
+
to `router.push`, `router.replace`, or `window.location` without an allowlist check?
|
|
168
|
+
- Is the allowlist check a same-origin/relative-path confirmation, or only a substring blocklist
|
|
169
|
+
(which does not count as a fix)?
|
|
170
|
+
- Does any `:to`/`:href` binding's traced source include user-reachable input with no protocol
|
|
171
|
+
allowlist visible on that exact path?
|
|
172
|
+
- Would `javascript:`, `data:`, or `vbscript:` reach any such binding unmodified?
|
|
173
|
+
- Does any `v-html` or manual `.innerHTML` assignment's traced source include
|
|
174
|
+
`route.params`/`route.query` with no named sanitizer call on that exact path?
|
|
175
|
+
- Is a redirect-loop or bypass reachable by feeding a guard's own redirect target from
|
|
176
|
+
unvalidated `to.query`/`to.params` (cross-reference `client-guards-and-control-flow.md`)?
|
|
177
|
+
|
|
178
|
+
## Verification targets
|
|
179
|
+
|
|
180
|
+
- Grep for `route.query.redirect`, `route.query.returnUrl`, `to.query.redirect`, and similar
|
|
181
|
+
names; trace each into `router.push(`, `router.replace(`, or `window.location`.
|
|
182
|
+
- Grep for `:to="` and `:href="` bound to a non-literal expression; trace each backward through
|
|
183
|
+
props/computed/store to its origin.
|
|
184
|
+
- Grep for `v-html` and `.innerHTML =` and trace each backward for any `route.params`/
|
|
185
|
+
`route.query` origin.
|
|
186
|
+
- Grep for a scheme/protocol allowlist (`ALLOWED_SCHEMES`, `new URL(`, `.protocol ===`) near
|
|
187
|
+
each dynamic link binding found above, and confirm it sits on the traced path rather than
|
|
188
|
+
merely existing elsewhere in the file.
|
|
189
|
+
- Grep for a sanitizer import (`dompurify` or an equivalent project utility) and confirm its
|
|
190
|
+
call site is on the traced `v-html`/`innerHTML` path.
|
package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md
ADDED
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
# Review Workflow and Findings Contract
|
|
2
|
+
|
|
3
|
+
Use this reference for the step-by-step review procedure and the required output shape. Load
|
|
4
|
+
the two domain references only for the specific defect class the routing code under review
|
|
5
|
+
actually raises.
|
|
6
|
+
|
|
7
|
+
## Prerequisites
|
|
8
|
+
|
|
9
|
+
- Confirm Vue Router is actually in use (`package.json` — `vue-router`) and identify the major
|
|
10
|
+
version. Guard signatures (`next` third argument vs. return-value guards), redirect object
|
|
11
|
+
shape, and catch-all syntax (`/:pathMatch(.*)*` vs. legacy `*`) differ across Vue Router 3 vs.
|
|
12
|
+
4 — do not apply v4 syntax expectations to a v3 codebase or vice versa.
|
|
13
|
+
- Identify whether the app runs in `history` mode (`createWebHistory`) or hash mode
|
|
14
|
+
(`createWebHistory` vs. `createWebHashHistory`) — the server-fallback concern
|
|
15
|
+
(`client-guards-and-control-flow.md`, rule 6) only applies to `history` mode.
|
|
16
|
+
- Identify whether this is a meta-framework (Nuxt) rather than raw Vue Router — Nuxt's
|
|
17
|
+
`definePageMeta`/route middleware wraps the same underlying guard concepts but with different
|
|
18
|
+
file-based conventions; note this explicitly rather than assuming `router.beforeEach` exists
|
|
19
|
+
verbatim in a Nuxt app.
|
|
20
|
+
|
|
21
|
+
## Workflow
|
|
22
|
+
|
|
23
|
+
1. **Locate every navigation guard.** Grep for `router.beforeEach(`, `beforeEnter:` on route
|
|
24
|
+
definitions, and (for Nuxt) `middleware/` files or `definePageMeta({ middleware: ... })`.
|
|
25
|
+
Read each guard's full body.
|
|
26
|
+
2. **For each guard that gates a protected route, look for the server-side counterpart.**
|
|
27
|
+
Identify what API/data endpoint the protected route depends on and search for evidence
|
|
28
|
+
(tests, comments, a BFF layer, an API contract doc) that the endpoint independently enforces
|
|
29
|
+
authorization server-side. Absence of such evidence is the finding — see
|
|
30
|
+
`client-guards-and-control-flow.md`.
|
|
31
|
+
3. **Trace every redirect.** For guard-returned redirects, `next(...)` calls, and any
|
|
32
|
+
post-login redirect flow, determine: is the target hardcoded/same-origin, or built from
|
|
33
|
+
`to.query`/`to.params`/`route.query`? If the latter, trace whether it is validated against a
|
|
34
|
+
same-origin/relative-path allowlist before use. See `open-redirect-and-injection.md`.
|
|
35
|
+
4. **Enumerate every dynamic `:to`/`:href` binding in scope.** Trace each backward through
|
|
36
|
+
props, computed values, and store state to its origin. Check for a visible protocol
|
|
37
|
+
allowlist on the exact traced path when the origin includes user-reachable input.
|
|
38
|
+
5. **Enumerate every `v-html`/`innerHTML` sink in scope that touches `route.params`/
|
|
39
|
+
`route.query`.** Trace backward the same way; check for a named sanitizer call on the exact
|
|
40
|
+
path.
|
|
41
|
+
6. **Check guard self-exclusion and route-table ordering.** For every unconditional
|
|
42
|
+
redirect-on-guard, confirm a self-exclusion check exists for the guard's own redirect target.
|
|
43
|
+
Read the full `routes` array in declaration order and check whether a catch-all or broad
|
|
44
|
+
pattern could shadow a route that should require authentication.
|
|
45
|
+
7. **Check `history`-mode server configuration when in scope.** If `createWebHistory()` is used,
|
|
46
|
+
look for a server/proxy config file with an SPA-fallback rule; note explicitly if that file
|
|
47
|
+
is outside the review's scope rather than assuming correctness.
|
|
48
|
+
8. **Produce ranked findings** using the output contract below.
|
|
49
|
+
|
|
50
|
+
## Decision tree
|
|
51
|
+
|
|
52
|
+
- A guard redirects unauthenticated users away from a protected route, and no evidence exists
|
|
53
|
+
that the route's underlying API/data endpoint independently enforces authorization
|
|
54
|
+
server-side → **HIGH** finding, `client-guard-as-sole-authz`. Cite Vue Router's own framing of
|
|
55
|
+
guards as client-side navigation control flow (`repo evidence`) plus general server-side-
|
|
56
|
+
enforcement practice (`inference`/`documentation-based`).
|
|
57
|
+
- A guard redirects unauthenticated users away from a protected route, **and** the route's
|
|
58
|
+
server endpoint is confirmed to independently reject unauthorized requests → not a finding;
|
|
59
|
+
state explicitly that the guard is correctly UX-only.
|
|
60
|
+
- A post-auth redirect flow passes `route.query.redirect`/`returnUrl` (or equivalent) into
|
|
61
|
+
`router.push`/`window.location` with no same-origin/relative-path validation → **HIGH**
|
|
62
|
+
finding, `open-redirect`.
|
|
63
|
+
- The same flow validates the value against a same-origin/relative-path allowlist before use →
|
|
64
|
+
not a finding.
|
|
65
|
+
- A dynamic `:to`/`:href` binding's traced source includes user-reachable input with no
|
|
66
|
+
protocol allowlist on the exact path → **HIGH** finding, `scheme-injection` (reachable via a
|
|
67
|
+
crafted profile/link field triggering `javascript:`/`data:` execution on click).
|
|
68
|
+
- The same binding's source is a literal, a named-route object, or already passes a protocol
|
|
69
|
+
allowlist on the traced path → not a finding.
|
|
70
|
+
- `route.params`/`route.query` reaches a `v-html` binding or manual `.innerHTML` assignment
|
|
71
|
+
with no named sanitizer call on the exact traced path → **HIGH** finding, `reflected-xss`.
|
|
72
|
+
- `route.params`/`route.query` is used only via text interpolation, non-rendering logic, or
|
|
73
|
+
passes through a sanitizer call on the traced path → not a finding.
|
|
74
|
+
- An unconditional redirect-on-guard has no self-exclusion check for its own redirect target →
|
|
75
|
+
**HIGH** finding, `redirect-loop` (Vue Router's own docs prescribe the `to.name !== 'Login'`
|
|
76
|
+
self-exclusion pattern as required, not optional).
|
|
77
|
+
- The guard already includes a self-exclusion check → not a finding.
|
|
78
|
+
- A guard's redirect target (or a `next(...)` argument) is itself built from unvalidated
|
|
79
|
+
`to.query`/`to.params` → **HIGH** finding, `open-redirect` (the guard reintroduces the same
|
|
80
|
+
defect class it exists to prevent) — cross-reference the open-redirect rule above.
|
|
81
|
+
- A catch-all route (`/:pathMatch(.*)*`) renders `route.params.pathMatch` through an
|
|
82
|
+
unsanitized sink, or route-table ordering lets it shadow a route that should require auth →
|
|
83
|
+
**MEDIUM-to-HIGH** finding, `catch-all-misconfig`, depending on what is actually exposed.
|
|
84
|
+
- A catch-all route renders only a static not-found component with no broader-than-intended
|
|
85
|
+
matching (confirmed via route-table order) → not a finding.
|
|
86
|
+
- `createWebHistory()` is used with no evidence of a corresponding server-side SPA-fallback
|
|
87
|
+
rule in scope → note as an **open question**, not a confirmed finding, unless the server
|
|
88
|
+
config is actually in the reviewed diff/repo and shown to be missing or overly broad, in
|
|
89
|
+
which case it is a **MEDIUM** finding, `history-mode-server-misconfig`.
|
|
90
|
+
- `createWebHistory()` is paired with a reviewed, correctly scoped server-fallback rule → not a
|
|
91
|
+
finding; state it as reviewed-and-safe.
|
|
92
|
+
|
|
93
|
+
## Output contract
|
|
94
|
+
|
|
95
|
+
Every response from this skill must return:
|
|
96
|
+
|
|
97
|
+
1. **Scope** — the guard(s), redirect flow(s), dynamic link binding(s), route table, and/or
|
|
98
|
+
`v-html`/`innerHTML` sink(s) reviewed.
|
|
99
|
+
2. **Ranked findings** — each with file:line, defect category (`client-guard-as-sole-authz` /
|
|
100
|
+
`open-redirect` / `scheme-injection` / `reflected-xss` / `redirect-loop` /
|
|
101
|
+
`catch-all-misconfig` / `history-mode-server-misconfig`), the concrete data-flow trace (every
|
|
102
|
+
hop from origin to sink, or the guard-to-endpoint gap for the authz-boundary category), and
|
|
103
|
+
a fix sketch matching Vue Router's documented pattern.
|
|
104
|
+
3. **Server-side enforcement status for every guard finding** — an explicit statement of
|
|
105
|
+
whether evidence of independent server-side authorization was found, and where; never infer
|
|
106
|
+
server enforcement exists without evidence on the traced path.
|
|
107
|
+
4. **Evidence level per finding** — `repo evidence`, `documentation-based`, or `inference`.
|
|
108
|
+
Label structural-risk findings (e.g., "no evidence of server enforcement") as structural
|
|
109
|
+
risk, not confirmed exploitation — proving actual bypass requires a live request against the
|
|
110
|
+
real API, which this skill does not perform.
|
|
111
|
+
5. **Verdict** — approve / approve-with-notes / block.
|
|
112
|
+
6. **Open questions or out-of-scope items** — e.g., "confirming the API layer actually rejects
|
|
113
|
+
unauthorized requests requires a live request or reading server-side code outside this
|
|
114
|
+
diff's scope," or "server SPA-fallback configuration is outside the reviewed files; flag for
|
|
115
|
+
a separate infra review."
|
|
116
|
+
|
|
117
|
+
## When to push back
|
|
118
|
+
|
|
119
|
+
Push back if the user asks to:
|
|
120
|
+
|
|
121
|
+
- approve a route as "protected" solely because a `beforeEach`/`beforeEnter` guard redirects
|
|
122
|
+
unauthenticated users, with no evidence the underlying API/data endpoint independently
|
|
123
|
+
enforces authorization — a client-side redirect is not access control,
|
|
124
|
+
- treat a redirect-target validation as done because "we checked it's a string" or "we blocked
|
|
125
|
+
`http://`" — a type check or substring blocklist is not an allowlist and does not clear an
|
|
126
|
+
open-redirect finding,
|
|
127
|
+
- approve a dynamic link binding because "Vue Router handles URLs safely" — Vue Router does not
|
|
128
|
+
validate URL schemes; that is application-code responsibility,
|
|
129
|
+
- skip tracing a `route.params`/`route.query` value into `v-html` because "it's just the search
|
|
130
|
+
box echoing what the user typed" — a reflected payload via a shared URL is exploitable
|
|
131
|
+
immediately, with no stored/second-order step required,
|
|
132
|
+
- downgrade a missing self-exclusion check in a redirect guard to informational because "it
|
|
133
|
+
hasn't looped in testing" — Vue Router's own docs treat this check as required, not optional,
|
|
134
|
+
and the loop condition depends on navigation order that testing may not have exercised.
|
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: vue-ssr-security-review
|
|
3
|
+
description: Statically review Vue 3 SSR entry points and templates for cross-request state pollution (module-scope reactive state, non-per-request app/store creation) and injection via unsanitized v-html or unvalidated dynamic href/src bindings, grounded in Vue's own SSR and security-best-practices guidance.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-02"
|
|
9
|
+
category: security
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Vue SSR Security Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Review Vue 3 server-side-rendered entry points, module-scope state, and template bindings for the two SSR-specific defect classes Vue's own documentation calls out directly: cross-request state pollution from state that is not created fresh per request, and injection through unsanitized `v-html` or unvalidated dynamic `:href`/`:src` bindings — without re-litigating composable/reactivity architecture, hydration-mismatch mechanics, or general component design in every response. This skill exists so the review stays anchored to the two documented, security-critical defect classes instead of drifting into a general "SSR code review."
|
|
17
|
+
|
|
18
|
+
## When to use
|
|
19
|
+
|
|
20
|
+
Use this skill when the user asks to:
|
|
21
|
+
|
|
22
|
+
- review an SSR entry point (`entry-server.js`/`.ts`, or equivalent request-handling code that creates the Vue app for rendering),
|
|
23
|
+
- assess whether a `v-html` usage is safe,
|
|
24
|
+
- investigate a report of users seeing another user's data on first load or on a subsequent request — the classic cross-request state pollution symptom,
|
|
25
|
+
- perform a pre-launch security review of an SSR Vue application.
|
|
26
|
+
|
|
27
|
+
Do not use this skill for:
|
|
28
|
+
|
|
29
|
+
- a purely client-rendered (non-SSR) Vue app with no server-rendering entry point — cross-request state pollution does not apply, because each browser tab has its own isolated JS realm and there is no shared server process handling concurrent requests,
|
|
30
|
+
- Options API/Composition API architecture review with no security angle (composable extraction quality, reactivity-boundary correctness) — use `vue-composition-api-architecture-review` instead,
|
|
31
|
+
- a bug that requires live traffic reproduction (concurrent-request load testing, session-replay capture) to confirm exploitation — static analysis proves the structural risk, not that it has already been exploited in production.
|
|
32
|
+
|
|
33
|
+
## Context7 Documentation Protocol
|
|
34
|
+
|
|
35
|
+
- Resolve the Vue library ID with `resolve-library-id` (matched result: `/vuejs/vue`) before citing any SSR-mechanism or `v-html`-behavior claim.
|
|
36
|
+
- `/vuejs/vue` is Vue's core source-and-test repository (its SSR test fixtures and `server-renderer` package source cover Vue 2's `vue-server-renderer`), not the Vue 3 prose docs site. Use `query-docs` against it only to corroborate low-level rendering mechanics (e.g., that `v-html` compiles directly to setting the `innerHTML` DOM property with no sanitization step). It does not reliably surface the Vue 3 SSR guide's per-request-instance narrative or the Security guide's `v-html`/dynamic-binding rules — for that guidance, use the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based`.
|
|
37
|
+
- Before flagging a specific pattern as cross-request state pollution, confirm the app is actually SSR (a request-handling entry point exists that renders on the server) — the pollution risk is specific to SSR's single, long-lived Node.js process handling many requests; it does not apply to a client-only SPA.
|
|
38
|
+
- Read `package.json` first to confirm which Vue major and SSR toolchain are in use (`vue-server-renderer` for Vue 2, `@vue/server-renderer` / a meta-framework like Nuxt for Vue 3) — the per-request app/store creation requirement and the exact API names differ by major version and toolchain; do not apply Vue 3 API names to a Vue 2 codebase or vice versa.
|
|
39
|
+
- If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's `metadata.json` and label the claim `documentation-based, unverified against current release`.
|
|
40
|
+
|
|
41
|
+
## Lean operating rules
|
|
42
|
+
|
|
43
|
+
- Cross-request state pollution and injection findings default to HIGH severity. This is a security-scoped skill: do not downgrade a structural cross-request-pollution risk or an untraced `v-html` sanitizer gap to MEDIUM just because it has not been observed exploited yet — the risk is in the structure, not in whether someone has already hit it.
|
|
44
|
+
- Trace every finding to a concrete file:line and a concrete data-flow path. A finding that says "this might leak state" or "this v-html might be unsafe" without showing the specific module-scope declaration, the specific reachability path, or the specific unsanitized data-flow trace is not a valid finding — it is a guess.
|
|
45
|
+
- Do not treat every module-scope declaration as a pollution risk. An immutable, non-reactive constant (a route table, a static config object, a compiled template) declared at module scope is safe. Only *mutable or reactive* state reachable from an SSR-rendered component's render path is the risk — check both properties (mutability/reactivity, and reachability) before flagging.
|
|
46
|
+
- Do not approve a `v-html` binding whose data source includes any user-reachable input (route params, query strings, request bodies, third-party API responses that themselves echo user input) unless a named sanitizer call (e.g., DOMPurify) is visibly present on that exact data-flow path. A sanitizer import existing elsewhere in the codebase does not clear this bar — trace the specific path under review.
|
|
47
|
+
- Check dynamic `:href`/`:src` bindings for scheme validation (an allowlist rejecting `javascript:` and other non-`http(s)` schemes) whenever the bound value's source includes user-reachable input. An unvalidated dynamic URL binding fed by user input is a MEDIUM-to-HIGH finding depending on reachability from an authenticated or public surface.
|
|
48
|
+
- Watch for per-request factory functions that appear correct (a fresh `createApp()`/`createSSRApp()` call per request) but still close over a shared module-level cache, singleton, or default parameter passed in from outer scope — the factory pattern alone does not guarantee isolation if it references mutable shared state from its enclosing scope.
|
|
49
|
+
- Never execute, build, or run application code, and never send live requests, as part of this review; this is a static-review skill (Read/Grep/Glob only).
|
|
50
|
+
- Load only the reference needed for the concern in scope.
|
|
51
|
+
|
|
52
|
+
## References
|
|
53
|
+
|
|
54
|
+
Load these only when needed:
|
|
55
|
+
|
|
56
|
+
- [Review workflow and findings contract](references/workflow-and-output.md) — use for the step-by-step review procedure, the state-pollution/injection decision tree, and the required output shape.
|
|
57
|
+
- [Cross-request state pollution](references/cross-request-state-pollution.md) — load only when reviewing an SSR entry point, tracing app/store/router creation, or investigating a suspected cross-request data-leak symptom.
|
|
58
|
+
- [Injection: v-html and dynamic URL bindings](references/injection-and-dynamic-urls.md) — load only when the review scope includes a `v-html` usage or a dynamic `:href`/`:src` binding. Includes the OWASP XSS grounding reference; load that citation only when a `v-html` finding is actually present.
|
|
59
|
+
|
|
60
|
+
## Response minimum
|
|
61
|
+
|
|
62
|
+
Return, at minimum:
|
|
63
|
+
|
|
64
|
+
- the SSR entry point(s), module-scope declarations, and/or template bindings in scope,
|
|
65
|
+
- ranked findings with file:line evidence, defect category (`state-pollution`, `xss`, or `url-injection`), the concrete data-flow trace (module-scope declaration and its reachability, or the origin-to-sink path for the injection), and a fix sketch matching Vue's documented pattern,
|
|
66
|
+
- for every `v-html` finding, an explicit statement of whether a sanitizer call is present on the traced path — never approve on the assumption one exists elsewhere,
|
|
67
|
+
- evidence level per finding (`repo evidence`, `documentation-based`, or `inference`), with structural risk findings explicitly labeled as structural risk, not as confirmed-exploited,
|
|
68
|
+
- verdict (approve / approve-with-notes / block),
|
|
69
|
+
- open questions or scope the review could not cover (e.g., "confirming actual cross-request leakage requires concurrent-request load testing, not static review").
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "vue-ssr-security-review",
|
|
3
|
+
"name": "Vue SSR Security Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews Vue 3 SSR entry points and templates for cross-request state pollution (module-scope reactive state, non-per-request app/store/router creation) and injection via unsanitized v-html or unvalidated dynamic href/src bindings, grounding claims via Context7 and Vue's own SSR and security best-practices documentation.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://vuejs.org/guide/scaling-up/ssr.html",
|
|
18
|
+
"https://vuejs.org/guide/best-practices/security.html",
|
|
19
|
+
"https://owasp.org/www-project-top-ten/",
|
|
20
|
+
"https://owasp.org/www-community/attacks/xss/"
|
|
21
|
+
],
|
|
22
|
+
"security_notes": "This skill's entire scope is security-critical: cross-request state pollution is a data-exposure defect (potential cross-tenant/cross-user leakage) and unsanitized v-html is a stored/reflected XSS vector. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete sanitizer evidence. Static-review-only skill: it reads and greps SSR entry points and template source but never executes, builds, or runs application code, and never sends live requests.",
|
|
23
|
+
"last_verified": "2026-07-02",
|
|
24
|
+
"path": "skills/frontend/vue-ssr-security-review",
|
|
25
|
+
"author": "github: Raishin",
|
|
26
|
+
"version": "0.1.0"
|
|
27
|
+
}
|