@raishin/vanguard-frontier-agentic 3.0.2 → 3.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +2 -2
- package/.claude-plugin/plugin.json +36 -1
- package/.cursor-plugin/plugin.json +36 -1
- package/.github/plugin/marketplace.json +1 -1
- package/README.md +12 -11
- package/agents/frontend/accessibility-wcag-agent/AGENT.md +137 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/claude-code.agent.md +119 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/codex.toml +42 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/copilot.agent.md +129 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/cursor.agent.md +122 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/gemini.agent.md +121 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/accessibility-wcag-agent/harnesses/kiro-ide.agent.md +120 -0
- package/agents/frontend/accessibility-wcag-agent/metadata.json +42 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/AGENT.md +121 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/ai-assisted-frontend-review-agent/metadata.json +39 -0
- package/agents/frontend/angular-specialist-agent/AGENT.md +128 -0
- package/agents/frontend/angular-specialist-agent/harnesses/claude-code.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/angular-specialist-agent/harnesses/copilot.agent.md +110 -0
- package/agents/frontend/angular-specialist-agent/harnesses/cursor.agent.md +103 -0
- package/agents/frontend/angular-specialist-agent/harnesses/gemini.agent.md +102 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/angular-specialist-agent/harnesses/kiro-ide.agent.md +101 -0
- package/agents/frontend/angular-specialist-agent/metadata.json +44 -0
- package/agents/frontend/api-integration-bff-agent/AGENT.md +124 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/api-integration-bff-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/api-integration-bff-agent/metadata.json +40 -0
- package/agents/frontend/browser-compatibility-agent/AGENT.md +133 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/copilot.agent.md +125 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/cursor.agent.md +118 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/gemini.agent.md +117 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/browser-compatibility-agent/harnesses/kiro-ide.agent.md +116 -0
- package/agents/frontend/browser-compatibility-agent/metadata.json +42 -0
- package/agents/frontend/build-tooling-bundling-agent/AGENT.md +121 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/build-tooling-bundling-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/build-tooling-bundling-agent/metadata.json +39 -0
- package/agents/frontend/css-architecture-agent/AGENT.md +123 -0
- package/agents/frontend/css-architecture-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/css-architecture-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/css-architecture-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/css-architecture-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/css-architecture-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/css-architecture-agent/metadata.json +42 -0
- package/agents/frontend/design-systems-governance-agent/AGENT.md +124 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/design-systems-governance-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/design-systems-governance-agent/metadata.json +41 -0
- package/agents/frontend/enterprise-red-team-review-agent/AGENT.md +140 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/claude-code.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/codex.toml +48 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/copilot.agent.md +100 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/cursor.agent.md +93 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/gemini.agent.md +92 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/enterprise-red-team-review-agent/harnesses/kiro-ide.agent.md +91 -0
- package/agents/frontend/enterprise-red-team-review-agent/metadata.json +39 -0
- package/agents/frontend/frontend-board-chair-agent/AGENT.md +94 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/claude-code.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/codex.toml +33 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/copilot.agent.md +34 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/cursor.agent.md +57 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/gemini.agent.md +56 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/frontend-board-chair-agent/harnesses/kiro-ide.agent.md +55 -0
- package/agents/frontend/frontend-board-chair-agent/metadata.json +41 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-finops-cost-to-serve-agent/metadata.json +40 -0
- package/agents/frontend/frontend-maestro-agent/AGENT.md +91 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/claude-code.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/codex.toml +34 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/copilot.agent.md +51 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/cursor.agent.md +40 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/gemini.agent.md +39 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-maestro-agent/harnesses/kiro-ide.agent.md +38 -0
- package/agents/frontend/frontend-maestro-agent/metadata.json +40 -0
- package/agents/frontend/frontend-migration-modernization-agent/AGENT.md +140 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/claude-code.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/codex.toml +46 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-migration-modernization-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/frontend-migration-modernization-agent/metadata.json +40 -0
- package/agents/frontend/frontend-observability-rum-agent/AGENT.md +131 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/claude-code.agent.md +114 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/copilot.agent.md +124 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/cursor.agent.md +117 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/gemini.agent.md +116 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-observability-rum-agent/harnesses/kiro-ide.agent.md +115 -0
- package/agents/frontend/frontend-observability-rum-agent/metadata.json +43 -0
- package/agents/frontend/frontend-platform-architect-agent/AGENT.md +139 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/copilot.agent.md +133 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/cursor.agent.md +124 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/gemini.agent.md +123 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-platform-architect-agent/harnesses/kiro-ide.agent.md +122 -0
- package/agents/frontend/frontend-platform-architect-agent/metadata.json +40 -0
- package/agents/frontend/frontend-security-agent/AGENT.md +123 -0
- package/agents/frontend/frontend-security-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/frontend-security-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/frontend-security-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/frontend-security-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/frontend-security-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/frontend-security-agent/metadata.json +44 -0
- package/agents/frontend/html-semantics-agent/AGENT.md +139 -0
- package/agents/frontend/html-semantics-agent/harnesses/claude-code.agent.md +122 -0
- package/agents/frontend/html-semantics-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/html-semantics-agent/harnesses/copilot.agent.md +132 -0
- package/agents/frontend/html-semantics-agent/harnesses/cursor.agent.md +125 -0
- package/agents/frontend/html-semantics-agent/harnesses/gemini.agent.md +124 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/html-semantics-agent/harnesses/kiro-ide.agent.md +123 -0
- package/agents/frontend/html-semantics-agent/metadata.json +44 -0
- package/agents/frontend/internationalization-localization-agent/AGENT.md +115 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/claude-code.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/copilot.agent.md +107 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/cursor.agent.md +100 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/gemini.agent.md +99 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/internationalization-localization-agent/harnesses/kiro-ide.agent.md +98 -0
- package/agents/frontend/internationalization-localization-agent/metadata.json +42 -0
- package/agents/frontend/javascript-runtime-agent/AGENT.md +121 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/javascript-runtime-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/javascript-runtime-agent/metadata.json +41 -0
- package/agents/frontend/monorepo-dx-agent/AGENT.md +111 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/claude-code.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/codex.toml +38 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/copilot.agent.md +103 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/cursor.agent.md +96 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/gemini.agent.md +95 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/monorepo-dx-agent/harnesses/kiro-ide.agent.md +94 -0
- package/agents/frontend/monorepo-dx-agent/metadata.json +41 -0
- package/agents/frontend/nextjs-specialist-agent/AGENT.md +122 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/nextjs-specialist-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/nextjs-specialist-agent/metadata.json +43 -0
- package/agents/frontend/package-governance-agent/AGENT.md +116 -0
- package/agents/frontend/package-governance-agent/harnesses/claude-code.agent.md +99 -0
- package/agents/frontend/package-governance-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/package-governance-agent/harnesses/copilot.agent.md +108 -0
- package/agents/frontend/package-governance-agent/harnesses/cursor.agent.md +101 -0
- package/agents/frontend/package-governance-agent/harnesses/gemini.agent.md +100 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/package-governance-agent/harnesses/kiro-ide.agent.md +99 -0
- package/agents/frontend/package-governance-agent/metadata.json +41 -0
- package/agents/frontend/product-analytics-experimentation-agent/AGENT.md +133 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/claude-code.agent.md +116 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/codex.toml +45 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/copilot.agent.md +126 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/cursor.agent.md +119 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/gemini.agent.md +118 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/product-analytics-experimentation-agent/harnesses/kiro-ide.agent.md +117 -0
- package/agents/frontend/product-analytics-experimentation-agent/metadata.json +40 -0
- package/agents/frontend/pwa-offline-capability-agent/AGENT.md +117 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/pwa-offline-capability-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/pwa-offline-capability-agent/metadata.json +42 -0
- package/agents/frontend/react-specialist-agent/AGENT.md +124 -0
- package/agents/frontend/react-specialist-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/harnesses/codex.toml +47 -0
- package/agents/frontend/react-specialist-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/react-specialist-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/react-specialist-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/react-specialist-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/react-specialist-agent/metadata.json +44 -0
- package/agents/frontend/routing-navigation-agent/AGENT.md +123 -0
- package/agents/frontend/routing-navigation-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/routing-navigation-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/routing-navigation-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/routing-navigation-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/routing-navigation-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/routing-navigation-agent/metadata.json +40 -0
- package/agents/frontend/ssr-hydration-streaming-agent/AGENT.md +123 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/copilot.agent.md +116 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/cursor.agent.md +109 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/gemini.agent.md +108 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/ssr-hydration-streaming-agent/harnesses/kiro-ide.agent.md +107 -0
- package/agents/frontend/ssr-hydration-streaming-agent/metadata.json +40 -0
- package/agents/frontend/state-management-data-flow-agent/AGENT.md +126 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/state-management-data-flow-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/state-management-data-flow-agent/metadata.json +40 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/AGENT.md +121 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/claude-code.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/codex.toml +44 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/copilot.agent.md +113 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/cursor.agent.md +106 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/gemini.agent.md +105 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-cli.agent.json +1 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/harnesses/kiro-ide.agent.md +104 -0
- package/agents/frontend/svelte-sveltekit-specialist-agent/metadata.json +43 -0
- package/agents/frontend/testing-quality-engineering-agent/AGENT.md +120 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/claude-code.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/copilot.agent.md +112 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/cursor.agent.md +105 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/gemini.agent.md +104 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/testing-quality-engineering-agent/harnesses/kiro-ide.agent.md +103 -0
- package/agents/frontend/testing-quality-engineering-agent/metadata.json +42 -0
- package/agents/frontend/typescript-contracts-agent/AGENT.md +122 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/claude-code.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/codex.toml +39 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/copilot.agent.md +114 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/cursor.agent.md +107 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/gemini.agent.md +106 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/typescript-contracts-agent/harnesses/kiro-ide.agent.md +105 -0
- package/agents/frontend/typescript-contracts-agent/metadata.json +41 -0
- package/agents/frontend/visual-regression-agent/AGENT.md +123 -0
- package/agents/frontend/visual-regression-agent/harnesses/claude-code.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/visual-regression-agent/harnesses/copilot.agent.md +115 -0
- package/agents/frontend/visual-regression-agent/harnesses/cursor.agent.md +108 -0
- package/agents/frontend/visual-regression-agent/harnesses/gemini.agent.md +107 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/visual-regression-agent/harnesses/kiro-ide.agent.md +106 -0
- package/agents/frontend/visual-regression-agent/metadata.json +41 -0
- package/agents/frontend/vue-specialist-agent/AGENT.md +126 -0
- package/agents/frontend/vue-specialist-agent/harnesses/claude-code.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/harnesses/codex.toml +61 -0
- package/agents/frontend/vue-specialist-agent/harnesses/copilot.agent.md +118 -0
- package/agents/frontend/vue-specialist-agent/harnesses/cursor.agent.md +111 -0
- package/agents/frontend/vue-specialist-agent/harnesses/gemini.agent.md +110 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/vue-specialist-agent/harnesses/kiro-ide.agent.md +109 -0
- package/agents/frontend/vue-specialist-agent/metadata.json +45 -0
- package/agents/frontend/web-performance-core-vitals-agent/AGENT.md +124 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/claude-code.agent.md +107 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/codex.toml +41 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/copilot.agent.md +117 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/cursor.agent.md +110 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/gemini.agent.md +109 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-performance-core-vitals-agent/harnesses/kiro-ide.agent.md +108 -0
- package/agents/frontend/web-performance-core-vitals-agent/metadata.json +45 -0
- package/agents/frontend/web-platform-foundation-agent/AGENT.md +117 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/claude-code.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/codex.toml +40 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/copilot.agent.md +109 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/cursor.agent.md +102 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/gemini.agent.md +101 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-cli.agent.json +5 -0
- package/agents/frontend/web-platform-foundation-agent/harnesses/kiro-ide.agent.md +100 -0
- package/agents/frontend/web-platform-foundation-agent/metadata.json +41 -0
- package/catalog/agents.json +1164 -93
- package/catalog/asset-integrity.json +15393 -12593
- package/catalog/install-roles.json +103 -1
- package/catalog/skill-manifest.json +1909 -26
- package/catalog/skills.json +1672 -24
- package/package.json +5 -4
- package/plugins/vanguard-frontier-agentic/.codex-plugin/plugin.json +1 -1
- package/powers/README.md +3 -2
- package/powers/vanguard-frontend/POWER.md +42 -0
- package/schemas/agent.schema.json +1 -0
- package/schemas/skill.schema.json +1 -0
- package/scripts/export-marketplace-agents.mjs +48 -15
- package/scripts/generate-docs-data.mjs +1 -0
- package/scripts/generate-kiro-powers.mjs +12 -0
- package/scripts/update-catalog-new-agents.py +6 -1
- package/skills/frontend/ai-generated-frontend-code-review/SKILL.md +68 -0
- package/skills/frontend/ai-generated-frontend-code-review/metadata.json +27 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/generated-a11y-gap-audit.md +55 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/hallucinated-api-verification.md +56 -0
- package/skills/frontend/ai-generated-frontend-code-review/references/slopsquat-dependency-check.md +49 -0
- package/skills/frontend/angular-architecture-signals-review/SKILL.md +80 -0
- package/skills/frontend/angular-architecture-signals-review/metadata.json +28 -0
- package/skills/frontend/angular-architecture-signals-review/references/linked-signal-and-di-boundaries.md +46 -0
- package/skills/frontend/angular-architecture-signals-review/references/workflow-and-output.md +99 -0
- package/skills/frontend/angular-ssr-hydration-review/SKILL.md +77 -0
- package/skills/frontend/angular-ssr-hydration-review/metadata.json +28 -0
- package/skills/frontend/angular-ssr-hydration-review/references/i18n-event-replay-and-third-party-libs.md +50 -0
- package/skills/frontend/angular-ssr-hydration-review/references/workflow-and-output.md +101 -0
- package/skills/frontend/angular-template-sanitizer-security-review/SKILL.md +69 -0
- package/skills/frontend/angular-template-sanitizer-security-review/metadata.json +27 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/iframe-security-attributes.md +63 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/sanitizer-bypass-and-innerhtml.md +93 -0
- package/skills/frontend/angular-template-sanitizer-security-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/api-integration-contract-review/SKILL.md +72 -0
- package/skills/frontend/api-integration-contract-review/metadata.json +27 -0
- package/skills/frontend/api-integration-contract-review/references/authorization-and-data-minimization.md +73 -0
- package/skills/frontend/api-integration-contract-review/references/error-shape-cors-versioning.md +65 -0
- package/skills/frontend/api-integration-contract-review/references/workflow-and-output.md +38 -0
- package/skills/frontend/browser-compatibility-review/SKILL.md +68 -0
- package/skills/frontend/browser-compatibility-review/metadata.json +27 -0
- package/skills/frontend/browser-compatibility-review/references/baseline-status-model.md +45 -0
- package/skills/frontend/browser-compatibility-review/references/browserslist-matrix-interpretation.md +49 -0
- package/skills/frontend/browser-compatibility-review/references/fallback-verification-patterns.md +54 -0
- package/skills/frontend/build-tooling-vite-webpack-review/SKILL.md +76 -0
- package/skills/frontend/build-tooling-vite-webpack-review/metadata.json +27 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/migration-and-config-diff-safety.md +41 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/vite-chunking-config.md +68 -0
- package/skills/frontend/build-tooling-vite-webpack-review/references/webpack-splitchunks-config.md +84 -0
- package/skills/frontend/bundle-budget-code-splitting-review/SKILL.md +76 -0
- package/skills/frontend/bundle-budget-code-splitting-review/metadata.json +29 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/budget-methodology.md +36 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/bundler-chunking-apis.md +116 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/ci-enforcement-and-verification.md +53 -0
- package/skills/frontend/bundle-budget-code-splitting-review/references/code-splitting-boundaries.md +46 -0
- package/skills/frontend/core-web-vitals-triage/SKILL.md +75 -0
- package/skills/frontend/core-web-vitals-triage/metadata.json +33 -0
- package/skills/frontend/core-web-vitals-triage/references/cls-attribution.md +45 -0
- package/skills/frontend/core-web-vitals-triage/references/evidence-tiers-and-handoff.md +57 -0
- package/skills/frontend/core-web-vitals-triage/references/inp-phase-decomposition.md +49 -0
- package/skills/frontend/core-web-vitals-triage/references/lcp-phase-decomposition.md +51 -0
- package/skills/frontend/critical-rendering-path-review/SKILL.md +67 -0
- package/skills/frontend/critical-rendering-path-review/metadata.json +31 -0
- package/skills/frontend/critical-rendering-path-review/references/lab-vs-field-evidence.md +60 -0
- package/skills/frontend/critical-rendering-path-review/references/layout-shift-sources.md +68 -0
- package/skills/frontend/critical-rendering-path-review/references/resource-loading-order.md +79 -0
- package/skills/frontend/css-architecture-design-system-review/SKILL.md +71 -0
- package/skills/frontend/css-architecture-design-system-review/metadata.json +30 -0
- package/skills/frontend/css-architecture-design-system-review/references/cascade-layer-strategy.md +64 -0
- package/skills/frontend/css-architecture-design-system-review/references/responsive-strategy.md +63 -0
- package/skills/frontend/css-architecture-design-system-review/references/token-conformance.md +58 -0
- package/skills/frontend/design-token-governance-review/SKILL.md +64 -0
- package/skills/frontend/design-token-governance-review/metadata.json +27 -0
- package/skills/frontend/design-token-governance-review/references/contrast-compliance-review.md +90 -0
- package/skills/frontend/design-token-governance-review/references/token-source-and-pipeline-review.md +97 -0
- package/skills/frontend/e2e-testing-playwright-review/SKILL.md +65 -0
- package/skills/frontend/e2e-testing-playwright-review/metadata.json +28 -0
- package/skills/frontend/e2e-testing-playwright-review/references/ci-sharding-and-parallelism.md +24 -0
- package/skills/frontend/e2e-testing-playwright-review/references/fixtures-and-auth-setup.md +26 -0
- package/skills/frontend/e2e-testing-playwright-review/references/visual-assertion-tuning.md +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/SKILL.md +71 -0
- package/skills/frontend/edge-cache-data-bleed-review/metadata.json +28 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/cache-control-and-vary-headers.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/caching-directives-and-route-config.md +59 -0
- package/skills/frontend/edge-cache-data-bleed-review/references/workflow-and-output.md +47 -0
- package/skills/frontend/enterprise-red-team-review/SKILL.md +69 -0
- package/skills/frontend/enterprise-red-team-review/metadata.json +27 -0
- package/skills/frontend/enterprise-red-team-review/references/a11y-checklist.md +36 -0
- package/skills/frontend/enterprise-red-team-review/references/ai-code-review.md +44 -0
- package/skills/frontend/enterprise-red-team-review/references/security-checklist.md +43 -0
- package/skills/frontend/framework-upgrade-risk-review/SKILL.md +69 -0
- package/skills/frontend/framework-upgrade-risk-review/metadata.json +27 -0
- package/skills/frontend/framework-upgrade-risk-review/references/breaking-change-triage.md +58 -0
- package/skills/frontend/framework-upgrade-risk-review/references/dependency-compatibility-matrix.md +37 -0
- package/skills/frontend/frontend-auth-session-security-review/SKILL.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/metadata.json +28 -0
- package/skills/frontend/frontend-auth-session-security-review/references/csrf-redirect-and-oauth.md +74 -0
- package/skills/frontend/frontend-auth-session-security-review/references/token-storage-and-cookies.md +49 -0
- package/skills/frontend/frontend-auth-session-security-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/frontend-bff-boundary-review/SKILL.md +71 -0
- package/skills/frontend/frontend-bff-boundary-review/metadata.json +26 -0
- package/skills/frontend/frontend-bff-boundary-review/references/owasp-api-trust-boundary.md +42 -0
- package/skills/frontend/frontend-bff-boundary-review/references/workflow-and-output.md +107 -0
- package/skills/frontend/frontend-board-chair/SKILL.md +67 -0
- package/skills/frontend/frontend-board-chair/metadata.json +27 -0
- package/skills/frontend/frontend-board-chair/references/conflict-resolution.md +67 -0
- package/skills/frontend/frontend-board-chair/references/evidence-and-handoff.md +63 -0
- package/skills/frontend/frontend-board-chair/references/workflow-routing.md +86 -0
- package/skills/frontend/frontend-dom-xss-csp-review/SKILL.md +74 -0
- package/skills/frontend/frontend-dom-xss-csp-review/metadata.json +28 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/csp-directive-review.md +80 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/dom-xss-sink-source-taxonomy.md +73 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/third-party-script-governance.md +103 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/trusted-types-enforcement.md +100 -0
- package/skills/frontend/frontend-dom-xss-csp-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/SKILL.md +64 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/metadata.json +27 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/boundary-placement-and-granularity.md +63 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/fallback-ux-and-accessibility.md +61 -0
- package/skills/frontend/frontend-error-boundary-resilience-review/references/observability-and-recovery.md +62 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/SKILL.md +58 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/metadata.json +27 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/ssr-isr-invocation-cost-modeling.md +83 -0
- package/skills/frontend/frontend-finops-cost-to-serve-review/references/third-party-script-cost-attribution.md +70 -0
- package/skills/frontend/frontend-maestro/SKILL.md +63 -0
- package/skills/frontend/frontend-maestro/metadata.json +26 -0
- package/skills/frontend/frontend-maestro/references/official-sources.md +28 -0
- package/skills/frontend/frontend-maestro/references/routing-quality-and-safety.md +67 -0
- package/skills/frontend/frontend-maestro/references/safety-checklist.md +45 -0
- package/skills/frontend/frontend-maestro/references/workflow-and-output.md +157 -0
- package/skills/frontend/frontend-migration-modernization-plan/SKILL.md +71 -0
- package/skills/frontend/frontend-migration-modernization-plan/metadata.json +27 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rewrite-vs-incremental-decision.md +49 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/rollback-and-exit-criteria.md +75 -0
- package/skills/frontend/frontend-migration-modernization-plan/references/strangler-boundary-design.md +63 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/SKILL.md +72 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/metadata.json +27 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/opentelemetry-web-tracing-wiring.md +135 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/sampling-cardinality-pii-controls.md +96 -0
- package/skills/frontend/frontend-observability-rum-instrumentation/references/web-vitals-attribution-wiring.md +87 -0
- package/skills/frontend/frontend-platform-architecture-review/SKILL.md +71 -0
- package/skills/frontend/frontend-platform-architecture-review/metadata.json +27 -0
- package/skills/frontend/frontend-platform-architecture-review/references/rendering-topology-and-budgets.md +61 -0
- package/skills/frontend/frontend-platform-architecture-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/frontend-testing-strategy-review/SKILL.md +67 -0
- package/skills/frontend/frontend-testing-strategy-review/metadata.json +27 -0
- package/skills/frontend/frontend-testing-strategy-review/references/e2e-framework-review.md +39 -0
- package/skills/frontend/frontend-testing-strategy-review/references/flaky-test-governance.md +55 -0
- package/skills/frontend/frontend-testing-strategy-review/references/pyramid-shape-and-coverage.md +62 -0
- package/skills/frontend/frontend-testing-strategy-review/references/unit-component-framework-review.md +35 -0
- package/skills/frontend/graphql-client-security-review/SKILL.md +73 -0
- package/skills/frontend/graphql-client-security-review/metadata.json +29 -0
- package/skills/frontend/graphql-client-security-review/references/cache-lifecycle-and-query-surface.md +107 -0
- package/skills/frontend/graphql-client-security-review/references/devtools-and-auth-header-risk.md +83 -0
- package/skills/frontend/graphql-client-security-review/references/workflow-and-output.md +53 -0
- package/skills/frontend/html-semantics-accessibility-review/SKILL.md +66 -0
- package/skills/frontend/html-semantics-accessibility-review/metadata.json +29 -0
- package/skills/frontend/html-semantics-accessibility-review/references/apg-pattern-index.md +55 -0
- package/skills/frontend/html-semantics-accessibility-review/references/heading-landmark-rules.md +54 -0
- package/skills/frontend/html-semantics-accessibility-review/references/wcag-criterion-mapping.md +40 -0
- package/skills/frontend/i18n-l10n-readiness-review/SKILL.md +122 -0
- package/skills/frontend/i18n-l10n-readiness-review/metadata.json +28 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/intl-formatting-audit.md +101 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/pluralization-icu-messageformat.md +132 -0
- package/skills/frontend/i18n-l10n-readiness-review/references/rtl-logical-properties-audit.md +125 -0
- package/skills/frontend/javascript-runtime-async-review/SKILL.md +70 -0
- package/skills/frontend/javascript-runtime-async-review/metadata.json +29 -0
- package/skills/frontend/javascript-runtime-async-review/references/event-loop-tracing.md +95 -0
- package/skills/frontend/javascript-runtime-async-review/references/race-condition-patterns.md +96 -0
- package/skills/frontend/javascript-runtime-async-review/references/rejection-audit.md +77 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/SKILL.md +68 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/metadata.json +27 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/dom-mutation-and-plugin-side-effects.md +66 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/event-delegation-inventory.md +60 -0
- package/skills/frontend/legacy-jquery-to-modern-framework-review/references/legacy-a11y-shim-audit.md +58 -0
- package/skills/frontend/microfrontend-boundary-review/SKILL.md +71 -0
- package/skills/frontend/microfrontend-boundary-review/metadata.json +26 -0
- package/skills/frontend/microfrontend-boundary-review/references/shared-runtime-security.md +50 -0
- package/skills/frontend/microfrontend-boundary-review/references/workflow-and-output.md +45 -0
- package/skills/frontend/monorepo-package-governance-review/SKILL.md +68 -0
- package/skills/frontend/monorepo-package-governance-review/metadata.json +32 -0
- package/skills/frontend/monorepo-package-governance-review/references/dependency-lockfile-governance.md +82 -0
- package/skills/frontend/monorepo-package-governance-review/references/npm-supply-chain-governance.md +95 -0
- package/skills/frontend/monorepo-package-governance-review/references/task-graph-review.md +82 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/SKILL.md +66 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/owasp-a01-broken-access-control.md +42 -0
- package/skills/frontend/nextjs-app-router-data-fetching-review/references/workflow-and-output.md +94 -0
- package/skills/frontend/nextjs-rendering-caching-review/SKILL.md +68 -0
- package/skills/frontend/nextjs-rendering-caching-review/metadata.json +27 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/cache-tag-invalidation.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/isr-reference.md +45 -0
- package/skills/frontend/nextjs-rendering-caching-review/references/workflow-and-output.md +85 -0
- package/skills/frontend/nextjs-server-security-review/SKILL.md +70 -0
- package/skills/frontend/nextjs-server-security-review/metadata.json +29 -0
- package/skills/frontend/nextjs-server-security-review/references/env-and-ssrf-surfaces.md +73 -0
- package/skills/frontend/nextjs-server-security-review/references/middleware-and-server-actions.md +67 -0
- package/skills/frontend/nextjs-server-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/nuxt-fullstack-security-review/SKILL.md +161 -0
- package/skills/frontend/nuxt-fullstack-security-review/metadata.json +32 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/acceptance-rubric.md +96 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/runtime-config-and-cross-request-state.md +193 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/ssrf-payload-and-response-headers.md +264 -0
- package/skills/frontend/nuxt-fullstack-security-review/references/workflow-and-output.md +127 -0
- package/skills/frontend/pci-payment-ui-security-review/SKILL.md +72 -0
- package/skills/frontend/pci-payment-ui-security-review/metadata.json +27 -0
- package/skills/frontend/pci-payment-ui-security-review/references/hosted-fields-and-tokenization.md +107 -0
- package/skills/frontend/pci-payment-ui-security-review/references/script-integrity-and-scope.md +66 -0
- package/skills/frontend/pci-payment-ui-security-review/references/workflow-and-output.md +52 -0
- package/skills/frontend/product-analytics-experimentation-review/SKILL.md +87 -0
- package/skills/frontend/product-analytics-experimentation-review/metadata.json +29 -0
- package/skills/frontend/product-analytics-experimentation-review/references/consent-and-pii-in-events.md +57 -0
- package/skills/frontend/product-analytics-experimentation-review/references/privacy-consent-depth-for-analytics.md +83 -0
- package/skills/frontend/product-analytics-experimentation-review/references/srm-and-bucketing-integrity.md +64 -0
- package/skills/frontend/product-analytics-experimentation-review/references/stopping-rules-and-peeking.md +61 -0
- package/skills/frontend/pwa-offline-readiness-review/SKILL.md +73 -0
- package/skills/frontend/pwa-offline-readiness-review/metadata.json +29 -0
- package/skills/frontend/pwa-offline-readiness-review/references/live-verification-protocol.md +67 -0
- package/skills/frontend/pwa-offline-readiness-review/references/manifest-installability-checklist.md +41 -0
- package/skills/frontend/pwa-offline-readiness-review/references/offline-fallback-precache-pattern.md +65 -0
- package/skills/frontend/react-component-architecture-review/SKILL.md +67 -0
- package/skills/frontend/react-component-architecture-review/metadata.json +27 -0
- package/skills/frontend/react-component-architecture-review/references/composite-widget-patterns.md +41 -0
- package/skills/frontend/react-component-architecture-review/references/workflow-and-output.md +84 -0
- package/skills/frontend/react-rsc-data-boundary-review/SKILL.md +70 -0
- package/skills/frontend/react-rsc-data-boundary-review/metadata.json +27 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/boundary-data-leaks-and-taint.md +115 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/server-actions-and-env-exposure.md +136 -0
- package/skills/frontend/react-rsc-data-boundary-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/react-state-effects-review/SKILL.md +69 -0
- package/skills/frontend/react-state-effects-review/metadata.json +27 -0
- package/skills/frontend/react-state-effects-review/references/effect-cleanup-and-race-conditions.md +89 -0
- package/skills/frontend/react-state-effects-review/references/stale-closures-and-dependency-arrays.md +74 -0
- package/skills/frontend/react-state-effects-review/references/workflow-and-output.md +46 -0
- package/skills/frontend/routing-navigation-review/SKILL.md +72 -0
- package/skills/frontend/routing-navigation-review/metadata.json +27 -0
- package/skills/frontend/routing-navigation-review/references/code-splitting-and-url-state.md +72 -0
- package/skills/frontend/routing-navigation-review/references/focus-and-navigation-blocking.md +65 -0
- package/skills/frontend/routing-navigation-review/references/server-enforcement-patterns.md +90 -0
- package/skills/frontend/routing-navigation-review/references/workflow-and-output.md +68 -0
- package/skills/frontend/service-worker-cache-strategy-review/SKILL.md +73 -0
- package/skills/frontend/service-worker-cache-strategy-review/metadata.json +29 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/cache-security-and-scope-audit.md +48 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/route-classification-matrix.md +47 -0
- package/skills/frontend/service-worker-cache-strategy-review/references/workbox-strategy-semantics.md +44 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/SKILL.md +69 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/metadata.json +28 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/fetch-waterfall-and-auth-timing.md +64 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/hydration-mismatch-diagnosis.md +66 -0
- package/skills/frontend/ssr-hydration-streaming-diagnosis/references/suspense-streaming-structure.md +63 -0
- package/skills/frontend/state-management-decision-review/SKILL.md +74 -0
- package/skills/frontend/state-management-decision-review/metadata.json +30 -0
- package/skills/frontend/state-management-decision-review/references/client-store-topology-and-rerenders.md +81 -0
- package/skills/frontend/state-management-decision-review/references/server-state-caching-and-invalidation.md +82 -0
- package/skills/frontend/state-management-decision-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-actions-load-security-review/SKILL.md +72 -0
- package/skills/frontend/sveltekit-actions-load-security-review/metadata.json +28 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/cookies-and-html-bindings.md +78 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/csrf-and-auth-boundaries.md +91 -0
- package/skills/frontend/sveltekit-actions-load-security-review/references/workflow-and-output.md +51 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/SKILL.md +68 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/failure-state-and-accessibility.md +48 -0
- package/skills/frontend/sveltekit-progressive-enhancement-review/references/workflow-and-output.md +63 -0
- package/skills/frontend/sveltekit-routing-load-review/SKILL.md +67 -0
- package/skills/frontend/sveltekit-routing-load-review/metadata.json +27 -0
- package/skills/frontend/sveltekit-routing-load-review/references/routing-conventions.md +35 -0
- package/skills/frontend/sveltekit-routing-load-review/references/workflow-and-output.md +60 -0
- package/skills/frontend/tree-shaking-dead-code-review/SKILL.md +74 -0
- package/skills/frontend/tree-shaking-dead-code-review/metadata.json +28 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/esm-cjs-interop-and-verification.md +57 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/module-format-and-sideeffects.md +61 -0
- package/skills/frontend/tree-shaking-dead-code-review/references/rollup-vite-treeshake-options.md +79 -0
- package/skills/frontend/typescript-contracts-review/SKILL.md +70 -0
- package/skills/frontend/typescript-contracts-review/metadata.json +29 -0
- package/skills/frontend/typescript-contracts-review/references/public-api-surface-diff.md +59 -0
- package/skills/frontend/typescript-contracts-review/references/strict-flag-posture.md +61 -0
- package/skills/frontend/typescript-contracts-review/references/trust-boundary-validation.md +68 -0
- package/skills/frontend/visual-regression-storybook-review/SKILL.md +64 -0
- package/skills/frontend/visual-regression-storybook-review/metadata.json +27 -0
- package/skills/frontend/visual-regression-storybook-review/references/accessibility-addon-gating.md +86 -0
- package/skills/frontend/visual-regression-storybook-review/references/test-runner-and-chromatic-wiring.md +56 -0
- package/skills/frontend/visual-regression-storybook-review/references/theme-and-variant-coverage.md +51 -0
- package/skills/frontend/vue-composition-api-architecture-review/SKILL.md +68 -0
- package/skills/frontend/vue-composition-api-architecture-review/metadata.json +27 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/composable-and-script-setup-conventions.md +50 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/reactivity-boundaries.md +44 -0
- package/skills/frontend/vue-composition-api-architecture-review/references/workflow-and-output.md +49 -0
- package/skills/frontend/vue-router-navigation-security-review/SKILL.md +155 -0
- package/skills/frontend/vue-router-navigation-security-review/metadata.json +30 -0
- package/skills/frontend/vue-router-navigation-security-review/references/acceptance-rubric.md +110 -0
- package/skills/frontend/vue-router-navigation-security-review/references/client-guards-and-control-flow.md +188 -0
- package/skills/frontend/vue-router-navigation-security-review/references/open-redirect-and-injection.md +190 -0
- package/skills/frontend/vue-router-navigation-security-review/references/workflow-and-output.md +134 -0
- package/skills/frontend/vue-ssr-security-review/SKILL.md +69 -0
- package/skills/frontend/vue-ssr-security-review/metadata.json +27 -0
- package/skills/frontend/vue-ssr-security-review/references/cross-request-state-pollution.md +98 -0
- package/skills/frontend/vue-ssr-security-review/references/injection-and-dynamic-urls.md +120 -0
- package/skills/frontend/vue-ssr-security-review/references/workflow-and-output.md +48 -0
- package/skills/frontend/vue-state-store-security-review/SKILL.md +168 -0
- package/skills/frontend/vue-state-store-security-review/metadata.json +30 -0
- package/skills/frontend/vue-state-store-security-review/references/acceptance-rubric.md +101 -0
- package/skills/frontend/vue-state-store-security-review/references/persistence-and-hydration.md +234 -0
- package/skills/frontend/vue-state-store-security-review/references/untrusted-payloads-and-authorization.md +200 -0
- package/skills/frontend/vue-state-store-security-review/references/workflow-and-output.md +142 -0
- package/skills/frontend/wcag-22-accessibility-audit/SKILL.md +67 -0
- package/skills/frontend/wcag-22-accessibility-audit/metadata.json +27 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/act-rules-detection-boundary.md +64 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/legal-exposure-severity.md +59 -0
- package/skills/frontend/wcag-22-accessibility-audit/references/wcag22-sc-index.md +114 -0
- package/tests/fixtures/frontend-maestro-routing/expected/001-happy-accessibility-wcag.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/002-happy-ai-assisted-frontend-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/003-happy-angular.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/004-happy-api-integration-bff.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/005-happy-browser-compatibility.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/006-happy-build-tooling-bundling.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/007-happy-css-architecture.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/008-happy-design-systems-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/009-happy-enterprise-red-team-review.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/010-happy-frontend-finops-cost-to-serve.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/011-happy-frontend-migration-modernization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/012-happy-frontend-observability-rum.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/013-happy-frontend-platform-architect.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/014-happy-frontend-security.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/015-happy-html-semantics.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/016-happy-internationalization-localization.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/017-happy-javascript-runtime.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/018-happy-monorepo-dx.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/019-happy-nextjs.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/020-happy-package-governance.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/021-happy-product-analytics-experimentation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/022-happy-pwa-offline-capability.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/023-happy-react.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/024-happy-routing-navigation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/025-happy-ssr-hydration-streaming.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/026-happy-state-management-data-flow.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/027-happy-svelte-sveltekit.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/028-happy-testing-quality-engineering.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/029-happy-typescript-contracts.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/030-happy-visual-regression.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/031-happy-vue.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/032-happy-web-performance-core-vitals.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/033-happy-web-platform-foundation.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/expected/036-ambiguous-vague-request.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/037-adv-instruction-injection.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/038-adv-persona-replacement.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/039-adv-liveguard-deploy-prod.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/040-adv-liveguard-flag-flip.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/expected/041-adv-secrets-bait.json +6 -0
- package/tests/fixtures/frontend-maestro-routing/expected/042-adv-liveguard-production-deploy.json +4 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/001-happy-accessibility-wcag.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/002-happy-ai-assisted-frontend-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/003-happy-angular.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/004-happy-api-integration-bff.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/005-happy-browser-compatibility.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/006-happy-build-tooling-bundling.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/007-happy-css-architecture.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/008-happy-design-systems-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/009-happy-enterprise-red-team-review.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/010-happy-frontend-finops-cost-to-serve.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/011-happy-frontend-migration-modernization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/012-happy-frontend-observability-rum.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/013-happy-frontend-platform-architect.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/014-happy-frontend-security.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/015-happy-html-semantics.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/016-happy-internationalization-localization.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/017-happy-javascript-runtime.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/018-happy-monorepo-dx.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/019-happy-nextjs.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/020-happy-package-governance.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/021-happy-product-analytics-experimentation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/022-happy-pwa-offline-capability.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/023-happy-react.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/024-happy-routing-navigation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/025-happy-ssr-hydration-streaming.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/026-happy-state-management-data-flow.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/027-happy-svelte-sveltekit.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/028-happy-testing-quality-engineering.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/029-happy-typescript-contracts.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/030-happy-visual-regression.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/031-happy-vue.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/032-happy-web-performance-core-vitals.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/033-happy-web-platform-foundation.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/034-parallel-react-performance-a11y.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/035-parallel-security-and-typescript.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/036-ambiguous-vague-request.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/037-adv-instruction-injection.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/038-adv-persona-replacement.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/039-adv-liveguard-deploy-prod.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/040-adv-liveguard-flag-flip.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/041-adv-secrets-bait.json +7 -0
- package/tests/fixtures/frontend-maestro-routing/inputs/042-adv-liveguard-production-deploy.json +3 -0
- package/tests/fixtures/frontend-maestro-routing/taxonomy.json +377 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/comment.component.ts +12 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/embed.component.html +3 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/green/profile.component.html +4 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/avatar.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/comment.component.ts +19 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/embed.component.html +5 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile-link.component.ts +20 -0
- package/tests/fixtures/frontend-security-detection/angular-template-sanitizer-security-review/red/profile.component.html +6 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-route.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/api-user-profile-vary.ts +15 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/dashboard-revalidate-cookies.tsx +32 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/green/product-static-params.tsx +19 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-route.ts +17 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/api-user-profile-vary.ts +16 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/dashboard-revalidate-cookies.tsx +18 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/get-user-data.ts +13 -0
- package/tests/fixtures/frontend-security-detection/edge-cache-data-bleed-review/red/product-static-params.tsx +25 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/oauth-flow.js +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/pkce-authorize-url.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/redirect-validation.js +12 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/green/token-storage.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/oauth-flow.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/pkce-authorize-url.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/redirect-validation.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/session-cookie.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-auth-session-security-review/red/token-storage.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/detectors.json +77 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/csp-broad-script-src.txt +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-function.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/dynamic-script-untrusted-src.js +24 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/eval-config.js +8 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/legacy-write.js +9 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/green/third-party-script-no-sri.html +14 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/csp-broad-script-src.txt +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dangerously-set-html.jsx +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-function.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/dynamic-script-untrusted-src.js +11 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/eval-config.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/innerhtml-sink.js +7 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/legacy-write.js +6 -0
- package/tests/fixtures/frontend-security-detection/frontend-dom-xss-csp-review/red/third-party-script-no-sri.html +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/apollo-client-setup.js +11 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/auth-context-link.js +15 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/logout-handler.js +10 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/payment-cache-policy.js +33 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/green/persisted-query-link.js +18 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/apollo-client-setup.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/auth-context-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/logout-handler.js +12 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/payment-cache-policy.js +21 -0
- package/tests/fixtures/frontend-security-detection/graphql-client-security-review/red/persisted-query-link.js +13 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/env.server-only-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-matcher-explicit-allowlist.ts +14 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/middleware-rewrite-allowlisted.ts +19 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.local-ip-disabled.js +9 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/green/next.config.server-actions-with-origins.js +12 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/env.next-public-secret.txt +6 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-matcher-excludes-api.ts +16 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/middleware-rewrite-ssrf.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.dangerously-allow-local-ip.js +11 -0
- package/tests/fixtures/frontend-security-detection/nextjs-server-security-review/red/next.config.server-actions-no-origins.js +14 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/CommentBody.vue +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/external-call.ts +6 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/nuxt.config.ts +8 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/proxy.ts +11 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/green/session.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/CommentBody.vue +9 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/external-call.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/nuxt.config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/proxy.ts +5 -0
- package/tests/fixtures/frontend-security-detection/nuxt-fullstack-security-review/red/session.ts +8 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/card-data-persistence.js +9 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/missing-iframe-isolation.jsx +26 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/raw-pan-input.vue +29 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/self-posted-card-data.ts +14 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/green/unsigned-third-party-script.html +17 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/card-data-persistence.js +11 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/missing-iframe-isolation.jsx +35 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/raw-pan-input.vue +27 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/self-posted-card-data.ts +15 -0
- package/tests/fixtures/frontend-security-detection/pci-payment-ui-security-review/red/unsigned-third-party-script.html +14 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientDashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/ClientWidget.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/Dashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/actions.ts +20 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/green/config.ts +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientDashboard.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/ClientWidget.tsx +9 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/Dashboard.tsx +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/actions.ts +8 -0
- package/tests/fixtures/frontend-security-detection/react-rsc-data-boundary-review/red/config.ts +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/auth-network-only.js +20 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/cors-checked-put.js +14 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/login-network-only.js +6 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/nav-stale-while-revalidate.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/green/registerroute-get-only.js +15 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/auth-echo-cached.js +18 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/login-cache-first.js +7 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/nav-cache-first.js +10 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/opaque-nocors-put.js +13 -0
- package/tests/fixtures/frontend-security-detection/service-worker-cache-strategy-review/red/put-non-get.js +19 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-disabled.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/csrf-wildcard-origins.config.js +14 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/green/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/CommentBody.svelte +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-disabled.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/csrf-wildcard-origins.config.js +16 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/load-session-leak.server.js +12 -0
- package/tests/fixtures/frontend-security-detection/sveltekit-actions-load-security-review/red/set-cookie-insecure.server.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/guard-sole-authz.js +11 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/open-redirect.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/reflected-xss.vue +14 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/green/scheme-injection.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/guard-sole-authz.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/open-redirect.js +7 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/redirect-loop.js +8 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/reflected-xss.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-router-navigation-security-review/red/scheme-injection.vue +10 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/detectors.json +41 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/AvatarImage.vue +18 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/ProfileLink.vue +19 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/green/entry-server.js +21 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/AvatarImage.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/ProfileLink.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/UserBio.vue +9 -0
- package/tests/fixtures/frontend-security-detection/vue-ssr-security-review/red/entry-server.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/detectors.json +50 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/auth-flag-ui-only.js +18 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydrate-validated.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/hydration-devalue.js +15 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/persist-scoped.js +22 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/green/ssr-per-request.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/auth-flag-gate.js +14 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydrate-unvalidated.js +10 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/hydration-serialize.js +13 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/persist-unscoped.js +19 -0
- package/tests/fixtures/frontend-security-detection/vue-state-store-security-review/red/ssr-singleton.js +15 -0
- package/tests/test-vfa-export-coverage.test.mjs +30 -0
- package/tests/validate-catalog.py +1 -0
- package/tests/validate-frontend-security-detection.py +209 -0
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
# Cross-Request State Pollution
|
|
2
|
+
|
|
3
|
+
Use this reference only when reviewing an SSR entry point, tracing app/store/router creation, or investigating a suspected cross-request data-leak symptom (a user reporting they saw another user's data on load).
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive assumption is:
|
|
8
|
+
|
|
9
|
+
> "The server renders each request separately, so state can't leak between users."
|
|
10
|
+
|
|
11
|
+
Wrong. A Node.js SSR server is a single long-lived process handling many concurrent requests on shared module-level memory. If the Vue app instance, its store, or any reactive state it reads is created once at module load time — rather than freshly for each request — every request after the first reads and mutates the *same* in-memory objects. One user's session data, cart contents, or auth state can render into another user's response. This is not a rare edge case; it is the default failure mode of naively porting client-only Vue code to an SSR entry point.
|
|
12
|
+
|
|
13
|
+
## Officially grounded requirement
|
|
14
|
+
|
|
15
|
+
Vue's own server-side-rendering guidance is explicit and non-negotiable on this point: **each incoming request must get a fresh, isolated instance of the root Vue app** (and, by extension, any store or router it depends on) rather than sharing one instance across requests. This is the single most important structural rule for SSR safety and is documented as a requirement, not a recommendation (`documentation-based`, Vue SSR guide).
|
|
16
|
+
|
|
17
|
+
The practical shape of the rule:
|
|
18
|
+
|
|
19
|
+
- The SSR entry point exports (or defines inline) a per-request factory function.
|
|
20
|
+
- That factory function is invoked once per incoming request.
|
|
21
|
+
- Inside that factory, `createSSRApp()` (or the toolchain-equivalent app-creation call) runs fresh — along with any Pinia/Vuex store instance and router instance the app needs — and only *that* freshly created instance is used to render the current request's response.
|
|
22
|
+
- Nothing about the freshly created instance is retained, cached, or reused for a subsequent request.
|
|
23
|
+
|
|
24
|
+
## Non-negotiable design rules
|
|
25
|
+
|
|
26
|
+
### 1. Trace app creation to its actual call site, not its apparent location
|
|
27
|
+
|
|
28
|
+
Do not accept "there's a `createSSRApp()` call in this file" as sufficient. Confirm it executes *inside* the function that runs per request, not at module top level where it would execute once when the server process starts.
|
|
29
|
+
|
|
30
|
+
### 2. Store and router instances follow the same rule as the app instance
|
|
31
|
+
|
|
32
|
+
A correctly per-request `createSSRApp()` call does not fix a module-scope Pinia store or a module-scope router instance created once and imported into every request's app tree. Check store/router creation with the same rigor as the app instance itself — these are frequently overlooked because the app-creation call "looks right" while the store creation nearby does not.
|
|
33
|
+
|
|
34
|
+
### 3. Closures over shared mutable state defeat an otherwise-correct factory
|
|
35
|
+
|
|
36
|
+
A per-request factory function that itself creates a fresh app can still leak if it closes over a module-level cache, singleton, or a mutable default parameter supplied from outer scope. Read the full body of the factory function, not just its `createSSRApp()` line — check every variable it references from enclosing scope, and classify each as immutable/safe or mutable/reactive/shared.
|
|
37
|
+
|
|
38
|
+
### 4. Immutable constants are not the risk; mutable and reactive state is
|
|
39
|
+
|
|
40
|
+
A module-scope `const ROUTES = [...]` frozen route table, a static config object with no runtime mutation path, or a compiled template string is safe to share across requests — it never changes after module load. The risk is specifically state that is either declared with `ref()`/`reactive()` (Vue's reactivity primitives, which are designed to be mutated and observed) or is a plain mutable object/array that request-handling code writes to. Classify every module-scope declaration on this axis before flagging it.
|
|
41
|
+
|
|
42
|
+
### 5. Reachability from the SSR-rendered tree is required for a finding
|
|
43
|
+
|
|
44
|
+
A mutable module-scope object that no SSR-rendered component or composable ever imports, reads, or writes is not a reachable risk in this review's scope (it may still be dead code or a different kind of bug, but it is not a cross-request pollution finding). Trace the import graph from the flagged declaration to at least one component or composable actually rendered during SSR before calling it a finding.
|
|
45
|
+
|
|
46
|
+
## Minimal safe implementation pattern
|
|
47
|
+
|
|
48
|
+
The safe shape, matching Vue's documented guidance:
|
|
49
|
+
|
|
50
|
+
```js
|
|
51
|
+
// entry-server.js
|
|
52
|
+
export async function render(url, context) {
|
|
53
|
+
// Fresh, per-request instances — nothing here is created at module scope.
|
|
54
|
+
const { app, router, store } = createApp()
|
|
55
|
+
|
|
56
|
+
router.push(url)
|
|
57
|
+
await router.isReady()
|
|
58
|
+
|
|
59
|
+
// Populate store state for this request only; store was just created above.
|
|
60
|
+
const html = await renderToString(app, context)
|
|
61
|
+
|
|
62
|
+
// app, router, store all go out of scope when this function returns.
|
|
63
|
+
return html
|
|
64
|
+
}
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
Anti-pattern (module-scope creation — do not approve):
|
|
68
|
+
|
|
69
|
+
```js
|
|
70
|
+
// entry-server.js — WRONG: created once at module load, shared across all requests
|
|
71
|
+
const app = createApp()
|
|
72
|
+
const store = createStore()
|
|
73
|
+
|
|
74
|
+
export async function render(url, context) {
|
|
75
|
+
router.push(url)
|
|
76
|
+
await router.isReady()
|
|
77
|
+
return renderToString(app, context) // every request renders the SAME app/store instance
|
|
78
|
+
}
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
## Adversarial checklist
|
|
82
|
+
|
|
83
|
+
Before clearing an SSR entry point as safe from cross-request pollution, answer these:
|
|
84
|
+
|
|
85
|
+
- Does the app-creation call execute inside the per-request handler, or at module scope?
|
|
86
|
+
- Does the store (if any) get created fresh inside that same per-request scope, or is it a module-level singleton imported into the app?
|
|
87
|
+
- Does the router get created fresh inside that same per-request scope?
|
|
88
|
+
- Does the per-request factory function close over any variable from its enclosing module scope that is mutable or reactive?
|
|
89
|
+
- Is there any module-scope cache (e.g., a component-render cache, a computed-property memoization keyed loosely, a "last user" convenience variable) that a developer might have added for performance and forgotten carries cross-request state?
|
|
90
|
+
- If two requests from different users hit this entry point concurrently, is there any shared object either request's handling code could write to that the other request's handling code could read?
|
|
91
|
+
|
|
92
|
+
If any answer reveals a "yes" to shared mutable reachable state, or the app/store/router creation cannot be confirmed as per-request, the finding is HIGH and structural — report it even without a reproduced incident.
|
|
93
|
+
|
|
94
|
+
## Verification targets
|
|
95
|
+
|
|
96
|
+
- Grep the SSR entry file for `createApp(` / `createSSRApp(` / `createStore(` / `createRouter(` and confirm each call site's enclosing scope (module-level `import`/top-level statement vs. inside an exported/invoked function).
|
|
97
|
+
- Grep for `let `/`var `/mutable `const` object or array literals at module scope in files imported by the SSR entry point or any SSR-rendered component.
|
|
98
|
+
- Grep for `ref(`/`reactive(` calls outside of a component's `setup()` or a composable function body — a `ref()`/`reactive()` call at true module scope (not inside any function) is the clearest structural signal of this defect class.
|
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
# Injection: v-html and Dynamic URL Bindings
|
|
2
|
+
|
|
3
|
+
Use this reference only when the review scope includes a `v-html` usage or a dynamic `:href`/`:src` binding. The OWASP XSS citation below is loaded only when a `v-html` finding is actually present in the review — do not cite it preemptively in a review that has no `v-html` usage.
|
|
4
|
+
|
|
5
|
+
## What people get wrong
|
|
6
|
+
|
|
7
|
+
The naive assumption is:
|
|
8
|
+
|
|
9
|
+
> "Vue escapes everything by default, so if I'm using `v-html` I must already know it's a special case and I've handled it."
|
|
10
|
+
|
|
11
|
+
Partially wrong. Vue's default text interpolation (`{{ }}`) does auto-escape, and that is precisely why `v-html` exists as an explicit escape hatch — but "I chose `v-html` on purpose" is not the same as "I sanitized the content that flows into it." The recurring real-world failure is not developers being unaware `v-html` is dangerous; it is developers sanitizing at one layer (e.g., a markdown renderer) while a *different* unsanitized value reaches the same `v-html` binding through a later code change, or trusting a third-party API response as "safe" because it isn't literally user-typed input even though it echoes user-submitted content back.
|
|
12
|
+
|
|
13
|
+
## Officially grounded rules
|
|
14
|
+
|
|
15
|
+
Vue's own security best-practices guidance states directly:
|
|
16
|
+
|
|
17
|
+
- **`v-html` on untrusted content is unsafe.** Dynamically rendering arbitrary HTML on your site via `v-html` can be dangerous because it can easily lead to XSS vulnerabilities. Only use `v-html` on content you can trust to be safe, or content sanitized by a dedicated library before it reaches the binding (`documentation-based`, Vue security guide).
|
|
18
|
+
- **Dynamic attribute/URL bindings need scheme validation.** Vue's docs specifically call out `:href`/`:src`-style dynamic bindings as an injection surface distinct from `v-html`: unvalidated user-provided URLs bound dynamically can carry a `javascript:` (or similarly dangerous non-`http(s)`) scheme, executing script when the element is interacted with, even though no HTML markup or `v-html` was involved.
|
|
19
|
+
- **Template injection is a separate, related risk** for any code path that compiles user-supplied strings as Vue templates at runtime — out of scope for a typical SSR entry/template review unless the app does this explicitly (e.g., a CMS that lets users author raw Vue template syntax); flag its presence if found, but it is not the default pattern to hunt for.
|
|
20
|
+
|
|
21
|
+
The low-level mechanism, confirmed by Vue's own compiler source (`repo evidence` via Context7 `/vuejs/vue`): `v-html` compiles directly to setting the element's `innerHTML` DOM property with the bound value stringified — there is no implicit sanitization step anywhere in that compilation path. Sanitization, if it happens at all, must be applied by application code before the value reaches the binding.
|
|
22
|
+
|
|
23
|
+
## Non-negotiable design rules
|
|
24
|
+
|
|
25
|
+
### 1. Trace the full origin-to-sink path before judging a v-html binding
|
|
26
|
+
|
|
27
|
+
Do not evaluate `v-html="someVar"` in isolation. Follow `someVar` backward: is it a literal string in the template file? A prop? A computed value derived from store state? Store state populated from an API response? An API response that itself echoes a value the current user (or any user) submitted at some point? The finding depends on where that trace terminates, not on the binding syntax alone.
|
|
28
|
+
|
|
29
|
+
### 2. A sanitizer import elsewhere in the codebase does not clear a specific finding
|
|
30
|
+
|
|
31
|
+
If the trace reveals user-reachable input reaching a `v-html` binding, the only thing that clears the finding is a *named sanitizer call* (e.g., `DOMPurify.sanitize(...)`) visibly present *on that exact path* — between the untrusted origin and the binding. "This codebase has a `sanitizeHtml` utility used elsewhere" is not evidence the specific path under review calls it.
|
|
32
|
+
|
|
33
|
+
### 3. Third-party API responses are not automatically trusted
|
|
34
|
+
|
|
35
|
+
An API response is not "safe by default" just because it did not come directly from the current request's form input. If the API itself stores and echoes content that any user (not necessarily the current one) previously submitted — a comment system, a CMS with contributor accounts, a product-review feed — that response is user-reachable input for this review's purposes and needs the same sanitizer-on-path check.
|
|
36
|
+
|
|
37
|
+
### 4. Dynamic URL bindings need scheme validation, not HTML sanitization
|
|
38
|
+
|
|
39
|
+
`:href`/`:src` bindings are a distinct injection surface from `v-html` — do not conflate the two fixes. The correct control for a dynamic URL binding fed by user-reachable input is scheme validation (an allowlist accepting only `http:`/`https:`/`mailto:` as appropriate, rejecting `javascript:` and other schemes), not HTML sanitization. A `v-html`-appropriate sanitizer call does not clear a URL-injection finding and vice versa.
|
|
40
|
+
|
|
41
|
+
### 5. Origin-controlled content is not automatically a false positive to skip silently
|
|
42
|
+
|
|
43
|
+
If a `v-html` trace terminates at fully origin-controlled content (static marketing copy authored only through the app's own trusted CMS with no user-submission path anywhere upstream), it is correctly not a finding — but state this explicitly in the output rather than omitting the binding from the review entirely. A future code change could introduce a user-reachable path into the same binding, and an explicit "reviewed, not a finding, because X" record is more useful than silence.
|
|
44
|
+
|
|
45
|
+
## Minimal safe implementation pattern
|
|
46
|
+
|
|
47
|
+
```vue
|
|
48
|
+
<script setup>
|
|
49
|
+
import DOMPurify from 'dompurify'
|
|
50
|
+
import { computed } from 'vue'
|
|
51
|
+
|
|
52
|
+
const props = defineProps<{ rawComment: string }>()
|
|
53
|
+
|
|
54
|
+
// Sanitizer call sits directly on the path between the untrusted prop and the binding.
|
|
55
|
+
const safeComment = computed(() => DOMPurify.sanitize(props.rawComment))
|
|
56
|
+
</script>
|
|
57
|
+
|
|
58
|
+
<template>
|
|
59
|
+
<div v-html="safeComment"></div>
|
|
60
|
+
</template>
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
Anti-pattern (untraced or missing sanitizer — do not approve):
|
|
64
|
+
|
|
65
|
+
```vue
|
|
66
|
+
<template>
|
|
67
|
+
<!-- userBio comes from a profile API that echoes user-submitted text.
|
|
68
|
+
No sanitizer call anywhere between the API response and this binding. -->
|
|
69
|
+
<div v-html="userBio"></div>
|
|
70
|
+
</template>
|
|
71
|
+
```
|
|
72
|
+
|
|
73
|
+
Dynamic URL scheme validation:
|
|
74
|
+
|
|
75
|
+
```vue
|
|
76
|
+
<script setup>
|
|
77
|
+
const ALLOWED_SCHEMES = ['http:', 'https:', 'mailto:']
|
|
78
|
+
|
|
79
|
+
function safeHref(url) {
|
|
80
|
+
try {
|
|
81
|
+
const parsed = new URL(url, window.location.origin)
|
|
82
|
+
return ALLOWED_SCHEMES.includes(parsed.protocol) ? url : '#'
|
|
83
|
+
} catch {
|
|
84
|
+
return '#'
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
</script>
|
|
88
|
+
|
|
89
|
+
<template>
|
|
90
|
+
<a :href="safeHref(userProvidedUrl)">Link</a>
|
|
91
|
+
</template>
|
|
92
|
+
```
|
|
93
|
+
|
|
94
|
+
## Adversarial checklist
|
|
95
|
+
|
|
96
|
+
Before clearing a `v-html` binding, answer these:
|
|
97
|
+
|
|
98
|
+
- What is the literal origin of the bound value — a template literal, a prop, computed state, store state, or an API response?
|
|
99
|
+
- Does any point along that trace involve content any user (current or otherwise) previously submitted?
|
|
100
|
+
- Is there a named sanitizer call visible on the exact path traced, or only "a sanitizer exists somewhere in this codebase"?
|
|
101
|
+
- Could a later code change (a refactor that swaps the data source, or a new field added to an existing API response) reach this same binding without re-triggering a security review?
|
|
102
|
+
|
|
103
|
+
Before clearing a dynamic `:href`/`:src` binding, answer these:
|
|
104
|
+
|
|
105
|
+
- Does the bound value's origin include user-reachable input?
|
|
106
|
+
- Is there scheme validation (allowlist) on the path, or only implicit trust that "URLs are just links"?
|
|
107
|
+
- Would a crafted `javascript:` (or `data:`, `vbscript:`) value reach this binding unmodified?
|
|
108
|
+
|
|
109
|
+
If any answer is unclear or reveals a gap, the finding is HIGH (for `v-html`) or MEDIUM-to-HIGH (for URL bindings, per reachability) — do not soften it to "worth double-checking."
|
|
110
|
+
|
|
111
|
+
## OWASP grounding (load only when a v-html finding is present)
|
|
112
|
+
|
|
113
|
+
Cross-Site Scripting (XSS) is the general vulnerability class that unsanitized `v-html` produces: an attacker-controlled or attacker-influenced string is rendered as live HTML/script in another user's browser session. The OWASP XSS reference and OWASP Top Ten (both listed in this skill's `official_docs`) provide the vendor-neutral grounding for why this defect class is treated as HIGH severity by default — it typically enables session/token theft, credential harvesting via injected forms, or full account takeover in the victim's authenticated context, not merely a cosmetic rendering issue. Cite these only in the specific finding write-up for a confirmed or suspected `v-html`/XSS defect, not as boilerplate in every review.
|
|
114
|
+
|
|
115
|
+
## Verification targets
|
|
116
|
+
|
|
117
|
+
- Grep the template scope (`.vue` files, render functions) for `v-html` and enumerate every match.
|
|
118
|
+
- Grep for `:href=` and `:src=` bindings (and their shorthand `v-bind:href=`/`v-bind:src=`) bound to a non-literal expression.
|
|
119
|
+
- For each match, grep backward through the component's props, computed properties, and any imported store/composable for the value's origin.
|
|
120
|
+
- Grep for a sanitizer import (`dompurify`, or an equivalent project-specific sanitizer utility) and confirm its call site is on the traced path, not merely present in the file or module.
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
# Review Workflow and Findings Contract
|
|
2
|
+
|
|
3
|
+
Use this reference for the step-by-step review procedure and the required output shape. Load the other two references only for the specific defect class the SSR code or template under review actually raises.
|
|
4
|
+
|
|
5
|
+
## Prerequisites
|
|
6
|
+
|
|
7
|
+
- Confirm the app is actually SSR: a request-handling entry point exists (`entry-server.js`/`.ts`, a Nuxt/framework server route, or equivalent) that renders Vue output on the server per incoming request. If no such entry point exists, cross-request state pollution is out of scope — flag this explicitly and move directly to the injection-only concerns (`v-html`, dynamic URL bindings), which apply to any Vue app regardless of rendering mode.
|
|
8
|
+
- Identify the Vue major and SSR toolchain in use (`package.json` — `vue`, `vue-server-renderer` for Vue 2, `@vue/server-renderer` or a meta-framework for Vue 3). Per-request creation APIs and exact guidance differ by major.
|
|
9
|
+
|
|
10
|
+
## Workflow
|
|
11
|
+
|
|
12
|
+
1. **Locate every SSR entry point.** For each, read the full request-handling function from the top.
|
|
13
|
+
2. **Trace app/store/router creation.** For each entry point, determine whether `createSSRApp()` (or the toolchain's equivalent app-factory call) — and any store (Pinia/Vuex) or router instance the app depends on — is created *inside* the per-request handler function, freshly, for every request. See `references/cross-request-state-pollution.md` for the decision tree.
|
|
14
|
+
3. **Enumerate module-scope declarations reachable from SSR-rendered components.** Grep for `ref()`, `reactive()`, plain mutable object/array literals, and module-level caches or singletons declared outside any per-request factory function. For each, check reachability: is it imported, read, or written by any component or composable in the SSR-rendered component tree?
|
|
15
|
+
4. **Enumerate every `v-html` binding in scope.** For each, trace its data source backward through props, computed values, store state, and API responses to the origin. Determine whether the origin includes user-reachable input (route params, query strings, request bodies, or a third-party API response that itself echoes user input) and whether a named sanitizer call sits on that exact path. See `references/injection-and-dynamic-urls.md`.
|
|
16
|
+
5. **Enumerate every dynamic `:href`/`:src` binding in scope.** For each, trace its data source the same way. Check for scheme validation (an allowlist rejecting `javascript:` and other non-`http(s)` schemes) when the source includes user-reachable input.
|
|
17
|
+
6. **Produce ranked findings** using the output contract below.
|
|
18
|
+
|
|
19
|
+
## Decision tree
|
|
20
|
+
|
|
21
|
+
- SSR entry point creates the app/store/router at module scope (outside the per-request handler) → **HIGH** finding, cross-request state pollution risk. Cite the Vue SSR guide's per-request-instance requirement directly (`documentation-based`).
|
|
22
|
+
- SSR entry point's per-request factory function closes over a shared module-level mutable cache, singleton, or default parameter from outer scope → **HIGH** finding — the factory pattern alone does not guarantee isolation; name the specific closed-over reference.
|
|
23
|
+
- A mutable or reactive module-scope declaration (not an immutable constant) is reachable — read or written — from any SSR-rendered component's render path → **HIGH** finding regardless of whether pollution has been observed yet; the risk is structural, not conditional on an incident report.
|
|
24
|
+
- Module-scope declaration is an immutable, non-reactive constant (static config, compiled route table, frozen lookup object) with no runtime mutation path → not a finding.
|
|
25
|
+
- `v-html` binding's traced data source includes user-reachable input and no sanitizer call is present on that exact path → **HIGH** finding, XSS. Do not accept "a sanitizer exists elsewhere in this codebase" as clearing this — the trace must show the sanitizer on the specific path reviewed.
|
|
26
|
+
- `v-html` binding's traced data source is fully origin-controlled with no user-reachable input anywhere in the trace (e.g., static marketing copy authored by the app's own CMS with no user-submission path) → not a finding, but state this explicitly in the output rather than silently omitting it.
|
|
27
|
+
- Dynamic `:href`/`:src` binding's traced source includes user-reachable input with no scheme allowlist/validation → **MEDIUM-to-HIGH** finding depending on reachability (public unauthenticated surface vs. requiring an authenticated session to trigger).
|
|
28
|
+
- Dynamic `:href`/`:src` binding's source is either fully origin-controlled or already passes through scheme validation → not a finding.
|
|
29
|
+
|
|
30
|
+
## Output contract
|
|
31
|
+
|
|
32
|
+
Every response from this skill must return:
|
|
33
|
+
|
|
34
|
+
1. **Scope** — the SSR entry point(s), module-scope declarations, and/or template bindings reviewed.
|
|
35
|
+
2. **Ranked findings** — each with file:line, defect category (`state-pollution` / `xss` / `url-injection`), the concrete data-flow trace (the module-scope declaration and its reachability path, or the full origin-to-sink path for the injection finding, naming every hop), and a fix sketch matching Vue's documented pattern.
|
|
36
|
+
3. **Sanitizer status per `v-html` finding** — an explicit statement of whether a sanitizer call is present on the traced path; never infer one exists.
|
|
37
|
+
4. **Evidence level per finding** — `repo evidence`, `documentation-based`, or `inference`. Label structural risk findings as structural risk explicitly — do not imply confirmed exploitation without live evidence (e.g., a captured cross-user response, a load-test reproduction).
|
|
38
|
+
5. **Verdict** — approve / approve-with-notes / block.
|
|
39
|
+
6. **Open questions or out-of-scope items** — e.g., "confirming actual cross-request leakage requires concurrent-request load testing, not static review," or "hydration-mismatch risk in this same file is out of scope — recommend a hydration-focused review if the framework is Angular-equivalent, otherwise out of scope for this Vue-focused skill."
|
|
40
|
+
|
|
41
|
+
## When to push back
|
|
42
|
+
|
|
43
|
+
Push back if the user asks to:
|
|
44
|
+
|
|
45
|
+
- approve a `v-html` usage because "we sanitize elsewhere in the app" without a sanitizer call visible on the specific traced path — that is not evidence, it is an assumption,
|
|
46
|
+
- treat a per-request `createSSRApp()` call as sufficient in isolation without checking what it closes over — the factory call passing a surface-level check is not the same as proving isolation,
|
|
47
|
+
- skip the cross-request-pollution check because "we haven't seen it happen in production" — this defect class is structural and often invisible until concurrent load or a specific request-timing race exposes it; absence of a reported incident is not evidence of absence of the risk,
|
|
48
|
+
- downgrade an untraced `v-html` finding to informational because "it's probably fine" — this skill's default is HIGH for exactly this class of unproven claim.
|
|
@@ -0,0 +1,168 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: vue-state-store-security-review
|
|
3
|
+
description: Statically review Pinia and legacy Vuex state stores for sensitive data persisted to localStorage/sessionStorage without scoping, untrusted server-payload hydration (window.__pinia/__INITIAL_STATE__) with un-escaped state serialization, SSR store-singleton cross-request pollution, store plugins/$subscribe/$onAction acting on untrusted payloads, client-held role flags used as an authorization source of truth, and devtools state exposure in production builds.
|
|
4
|
+
allowed-tools: Read Grep Glob
|
|
5
|
+
metadata:
|
|
6
|
+
author: "github: Raishin"
|
|
7
|
+
version: "0.1.0"
|
|
8
|
+
updated: "2026-07-03"
|
|
9
|
+
category: security
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
# Vue State Store Security Review
|
|
13
|
+
|
|
14
|
+
## Purpose
|
|
15
|
+
|
|
16
|
+
Review Pinia and legacy Vuex state-store code for the security-critical defect classes that
|
|
17
|
+
are specific to *state stores* as a component — not general Vue architecture, not composable
|
|
18
|
+
design, and not SSR hydration/injection issues that belong to `vue-ssr-security-review`. This
|
|
19
|
+
skill exists to keep the review anchored to five documented defect classes: (a) sensitive data
|
|
20
|
+
persisted client-side without scoping, (b) store hydration from an untrusted server payload
|
|
21
|
+
with un-escaped serialization, (c) SSR store-singleton cross-request pollution, (d) store
|
|
22
|
+
plugins/hooks acting on untrusted payloads and client-held flags used as an authorization
|
|
23
|
+
source of truth, and (e) devtools state exposure in production. It does not re-litigate
|
|
24
|
+
general reactivity/composable architecture, v-html/URL-injection review (covered by
|
|
25
|
+
`vue-ssr-security-review`), or Composition API design quality (covered by
|
|
26
|
+
`vue-composition-api-architecture-review`) in every response.
|
|
27
|
+
|
|
28
|
+
## When to use
|
|
29
|
+
|
|
30
|
+
Use this skill when the user asks to:
|
|
31
|
+
|
|
32
|
+
- review a Pinia store definition (`defineStore`) or a legacy Vuex module/store for security
|
|
33
|
+
issues,
|
|
34
|
+
- assess whether `pinia-plugin-persistedstate` / `vuex-persistedstate` configuration is safe
|
|
35
|
+
(what gets persisted, and where),
|
|
36
|
+
- review SSR store creation/hydration code (`entry-server.js`, a Nuxt server plugin, an
|
|
37
|
+
Express/Node handler that constructs `createPinia()`/`createStore()`) for cross-request
|
|
38
|
+
pollution risk,
|
|
39
|
+
- review a store plugin, `$subscribe`/`$onAction` hook, or Vuex plugin that consumes
|
|
40
|
+
mutation/action payloads,
|
|
41
|
+
- investigate whether a client-side role/permission flag (`isAdmin`, `role`) is being trusted
|
|
42
|
+
as an authorization boundary,
|
|
43
|
+
- perform a pre-launch security review of a Pinia/Vuex-based application's state layer.
|
|
44
|
+
|
|
45
|
+
Do not use this skill for:
|
|
46
|
+
|
|
47
|
+
- `v-html`/dynamic-URL injection review or SSR entry-point app/router creation — use
|
|
48
|
+
`vue-ssr-security-review` for those; this skill covers the *store* specifically, not the
|
|
49
|
+
broader SSR rendering surface (load both skills together if the review spans both),
|
|
50
|
+
- Composition API/composable architecture quality with no security angle — use
|
|
51
|
+
`vue-composition-api-architecture-review` instead,
|
|
52
|
+
- a general "which state-management library should we pick" architecture decision with no
|
|
53
|
+
security defect in scope — use `state-management-decision-review` instead,
|
|
54
|
+
- a bug that requires live traffic reproduction (concurrent-request capture, a devtools
|
|
55
|
+
screen-recording of production, live token exfiltration) to confirm exploitation — static
|
|
56
|
+
analysis proves the structural risk, not that it has already been exploited.
|
|
57
|
+
|
|
58
|
+
## Context7 Documentation Protocol
|
|
59
|
+
|
|
60
|
+
- Resolve library IDs with `resolve-library-id` before citing any store-behavior claim. This
|
|
61
|
+
skill's three grounding libraries: `/vuejs/pinia` (Pinia core — SSR hydration, plugins,
|
|
62
|
+
`$subscribe`/`$onAction`), `/prazdevs/pinia-plugin-persistedstate` (persistence defaults and
|
|
63
|
+
`pick`/`storage` config), `/vuejs/vuex` (legacy Vuex — `state` as function, `devtools`
|
|
64
|
+
option, plugin/module API).
|
|
65
|
+
- Use `query-docs` against `/prazdevs/pinia-plugin-persistedstate` to confirm persistence
|
|
66
|
+
defaults before flagging a persistence config: `storage` defaults to `localStorage` when
|
|
67
|
+
unset; `pick` (an array of dotted state-path strings) restricts persistence to named paths;
|
|
68
|
+
with no `pick`, the entire state is persisted. Cite these as `documentation-based`.
|
|
69
|
+
- Use `query-docs` against `/vuejs/pinia` to confirm SSR hydration mechanics before flagging a
|
|
70
|
+
hydration finding: the documented client-side pattern is
|
|
71
|
+
`pinia.state.value = JSON.parse(window.__pinia)`, and Pinia's own SSR guide states escaping
|
|
72
|
+
the serialized state is "**VERY important** if the content of the state can be changed by
|
|
73
|
+
the user, which is almost always the case," recommending `devalue` (or equivalent) over naive
|
|
74
|
+
`JSON.stringify`. Cite as `documentation-based`.
|
|
75
|
+
- Use `query-docs` against `/vuejs/pinia` to confirm `$subscribe`/`$onAction` hook signatures
|
|
76
|
+
(mutation object with `type`/`storeId`/`payload`; action object with `name`/`store`/`args`/
|
|
77
|
+
`after`/`onError`) before describing a plugin-hook finding — do not invent a hook name or
|
|
78
|
+
argument Context7 does not confirm.
|
|
79
|
+
- Use `query-docs` against `/vuejs/vuex` to confirm the `state: () => ({...})` factory pattern
|
|
80
|
+
(module reusability without shared state) and the `devtools: boolean` store option before
|
|
81
|
+
citing either — do not assume Pinia has an equivalent `devtools` boolean on `defineStore`/
|
|
82
|
+
`createPinia`; Context7 does not confirm that API surface for Pinia, so any Pinia-devtools
|
|
83
|
+
concern must be scoped to "a build-time devtools plugin explicitly force-enabled in
|
|
84
|
+
production," not a Pinia store option, and labeled `inference` unless a repo-specific config
|
|
85
|
+
is found.
|
|
86
|
+
- Read `package.json` first to confirm which store library is in play (`pinia`,
|
|
87
|
+
`pinia-plugin-persistedstate`, `vuex`, `vuex-persistedstate`) and its major version — API
|
|
88
|
+
names and defaults differ between Pinia and Vuex and across Vuex 3/4; do not apply one
|
|
89
|
+
library's API names to the other.
|
|
90
|
+
- If Context7 is unavailable, fall back to the `official_docs` URLs in this skill's
|
|
91
|
+
`metadata.json` and label the claim `documentation-based, unverified against current
|
|
92
|
+
release`.
|
|
93
|
+
|
|
94
|
+
## Lean operating rules
|
|
95
|
+
|
|
96
|
+
- Findings in every defect class below default to HIGH severity: unscoped sensitive-data
|
|
97
|
+
persistence, untrusted/un-escaped state hydration, SSR store-singleton pollution, untrusted
|
|
98
|
+
payload handling in store plugins/hooks, client-side-flag-as-authorization, and production
|
|
99
|
+
devtools exposure. Do not downgrade a structural finding to MEDIUM because it has not been
|
|
100
|
+
observed exploited — the risk is in the structure.
|
|
101
|
+
- Trace every finding to a concrete file:line and a concrete data-flow path. "This store might
|
|
102
|
+
leak sensitive data" or "this hydration looks risky" without naming the specific
|
|
103
|
+
`persist`/`pick`/`storage` config, the specific module-scope `createPinia()`/`createStore()`
|
|
104
|
+
declaration, or the specific untraced payload sink is not a valid finding — it is a guess.
|
|
105
|
+
- Before flagging a persistence config, read the full `state()` shape and the full `persist`
|
|
106
|
+
config together. A `persist: true` (or `persist: {}`) with no `pick`/`paths` array persists
|
|
107
|
+
the entire state — treat every sensitive field in that state as persisted unless a `pick`
|
|
108
|
+
list demonstrably excludes it. A `pick` list that omits the sensitive field(s) clears the
|
|
109
|
+
finding for those fields specifically (not for the whole store, if other sensitive fields
|
|
110
|
+
remain unscoped).
|
|
111
|
+
- Before flagging SSR store creation as cross-request pollution, confirm mutability/reachability
|
|
112
|
+
the same way `vue-ssr-security-review` requires for app instances: is the `createPinia()`/
|
|
113
|
+
`createStore()` call inside the per-request handler, and does that handler close over any
|
|
114
|
+
module-scope mutable/reactive reference? An immutable module-scope constant (a frozen config
|
|
115
|
+
object, a static route table) is not the risk; a store instance or mutable cache is.
|
|
116
|
+
- Do not approve a client-side role/permission flag (`isAdmin`, `role`, `permissions`) as an
|
|
117
|
+
authorization boundary for a mutating action unless the review also confirms (via visible
|
|
118
|
+
server-side code, or an explicit statement that server-side authorization is out of scope for
|
|
119
|
+
this static review) that the actual mutation is re-checked server-side. A store flag gating
|
|
120
|
+
only UI visibility (hiding a button) is not itself a finding; a store flag gating whether a
|
|
121
|
+
mutating network call is *made* is a finding regardless of UI-layer intent, because the flag
|
|
122
|
+
is client-writable.
|
|
123
|
+
- Do not treat every `$subscribe`/`$onAction`/Vuex-plugin hook as risky. Only hooks that act on
|
|
124
|
+
the payload with a side effect (write, external call, log of sensitive data, mutate another
|
|
125
|
+
store) and lack payload validation are findings; read-only observation (e.g., analytics event
|
|
126
|
+
naming) is not.
|
|
127
|
+
- Never execute, build, or run application code, and never send live requests, as part of this
|
|
128
|
+
review; this is a static-review skill (Read/Grep/Glob only).
|
|
129
|
+
- Load only the reference needed for the concern in scope.
|
|
130
|
+
|
|
131
|
+
## References
|
|
132
|
+
|
|
133
|
+
Load these only when needed:
|
|
134
|
+
|
|
135
|
+
- [Review workflow and findings contract](references/workflow-and-output.md) — use for the
|
|
136
|
+
step-by-step review procedure, the decision tree across all five defect classes, and the
|
|
137
|
+
required output shape.
|
|
138
|
+
- [Client-side persistence and hydration](references/persistence-and-hydration.md) — load when
|
|
139
|
+
reviewing `pinia-plugin-persistedstate`/`vuex-persistedstate` configuration, SSR store
|
|
140
|
+
creation/singleton risk, or server-payload hydration (`window.__pinia`/`__INITIAL_STATE__`).
|
|
141
|
+
- [Untrusted payloads and authorization](references/untrusted-payloads-and-authorization.md) —
|
|
142
|
+
load when reviewing `$subscribe`/`$onAction`/Vuex-plugin hooks, client-held role/permission
|
|
143
|
+
flags used for access control, or devtools production exposure.
|
|
144
|
+
- [Acceptance rubric](references/acceptance-rubric.md) — the enumerated defect/false-positive
|
|
145
|
+
list this skill's rules were authored against; load if you need the underlying catch list
|
|
146
|
+
rather than the operating rules derived from it.
|
|
147
|
+
|
|
148
|
+
## Response minimum
|
|
149
|
+
|
|
150
|
+
Return, at minimum:
|
|
151
|
+
|
|
152
|
+
- the store definition(s), persistence config, SSR entry point(s), and/or plugin/hook code in
|
|
153
|
+
scope,
|
|
154
|
+
- ranked findings with file:line evidence, defect category (`persistence`, `hydration`,
|
|
155
|
+
`ssr-pollution`, `untrusted-payload`, `client-auth-flag`, or `devtools-exposure`), the
|
|
156
|
+
concrete data-flow trace (state field → persist config, or server payload → hydration call,
|
|
157
|
+
or module-scope declaration → per-request reachability, or payload → sink), and a fix sketch
|
|
158
|
+
matching the grounding library's documented pattern,
|
|
159
|
+
- for every persistence finding, an explicit statement of which state fields are covered by
|
|
160
|
+
`pick`/`paths` (if any) and which are not,
|
|
161
|
+
- for every client-side-flag finding, an explicit statement of whether a server-side
|
|
162
|
+
authorization re-check was found, not found, or is out of scope for this static review,
|
|
163
|
+
- evidence level per finding (`repo evidence`, `documentation-based`, or `inference`), with
|
|
164
|
+
structural risk findings explicitly labeled as structural risk, not as confirmed-exploited,
|
|
165
|
+
- verdict (approve / approve-with-notes / block),
|
|
166
|
+
- open questions or scope the review could not cover (e.g., "confirming actual cross-request
|
|
167
|
+
leakage requires concurrent-request load testing," or "v-html/URL-injection review of this
|
|
168
|
+
same app is out of scope for this skill — see `vue-ssr-security-review`").
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
{
|
|
2
|
+
"id": "vue-state-store-security-review",
|
|
3
|
+
"name": "Vue State Store Security Review",
|
|
4
|
+
"type": "skill",
|
|
5
|
+
"provider": "frontend",
|
|
6
|
+
"harnesses": [
|
|
7
|
+
"claude-code",
|
|
8
|
+
"cursor",
|
|
9
|
+
"codex",
|
|
10
|
+
"gemini",
|
|
11
|
+
"kiro",
|
|
12
|
+
"other"
|
|
13
|
+
],
|
|
14
|
+
"summary": "Reviews Pinia and legacy Vuex state stores for sensitive data persisted to localStorage/sessionStorage without scoping, untrusted server-payload hydration (window.__pinia/__INITIAL_STATE__) with un-escaped state serialization, SSR store-singleton cross-request pollution, store plugins/$subscribe/$onAction acting on untrusted payloads, client-held role flags used as an authorization source of truth, and devtools state exposure in production builds, grounding claims via Context7 and each library's own documentation.",
|
|
15
|
+
"source_type": "original",
|
|
16
|
+
"official_docs": [
|
|
17
|
+
"https://pinia.vuejs.org/ssr/",
|
|
18
|
+
"https://pinia.vuejs.org/core-concepts/plugins.html",
|
|
19
|
+
"https://github.com/prazdevs/pinia-plugin-persistedstate/blob/main/docs/guide/config.md",
|
|
20
|
+
"https://vuex.vuejs.org/guide/modules.html",
|
|
21
|
+
"https://vuex.vuejs.org/api/",
|
|
22
|
+
"https://owasp.org/www-project-top-ten/",
|
|
23
|
+
"https://owasp.org/www-community/attacks/xss/"
|
|
24
|
+
],
|
|
25
|
+
"security_notes": "This skill's entire scope is security-critical: unscoped client-side persistence of tokens/PII is an XSS-exfiltratable data-exposure vector, untrusted/un-escaped state hydration is an XSS and data-integrity vector, SSR store-singleton pollution is a cross-tenant/cross-user data-exposure defect, untrusted payload handling in store plugins/hooks can drive unsanitized writes or calls, client-held role flags used as an authorization source of truth is a broken-access-control defect, and production devtools exposure leaks the full state tree to any user with browser devtools open. Every finding in this skill defaults to HIGH severity unless proven otherwise with concrete evidence (a pick/paths scope, an escaping call, a per-request creation trace, a server-side re-check). Static-review-only skill: it reads and greps store definitions, persistence config, SSR entry points, and plugin/hook code but never executes, builds, or runs application code, and never sends live requests.",
|
|
26
|
+
"last_verified": "2026-07-03",
|
|
27
|
+
"path": "skills/frontend/vue-state-store-security-review",
|
|
28
|
+
"author": "github: Raishin",
|
|
29
|
+
"version": "0.1.0"
|
|
30
|
+
}
|
|
@@ -0,0 +1,101 @@
|
|
|
1
|
+
# Acceptance Rubric (write before the rest of the skill — this is the failing test)
|
|
2
|
+
|
|
3
|
+
This rubric enumerates every defect a correct Vue state-store (Pinia / legacy Vuex) security
|
|
4
|
+
review MUST catch, and the benign patterns it MUST NOT flag. `SKILL.md` and the other
|
|
5
|
+
references are only "done" once every numbered item below is covered by an explicit operating
|
|
6
|
+
rule, decision-tree branch, or reference section. `selfCheck` in the final structured output
|
|
7
|
+
must map each item to the rule/reference that satisfies it.
|
|
8
|
+
|
|
9
|
+
## MUST CATCH
|
|
10
|
+
|
|
11
|
+
1. **Sensitive data persisted via `pinia-plugin-persistedstate` / `vuex-persistedstate` with no
|
|
12
|
+
`pick`/`paths` restriction.** A store whose `state` includes an auth token, refresh token,
|
|
13
|
+
session identifier, or PII field, and whose `persist: true` (or `persist: {}` with no
|
|
14
|
+
`pick`/`paths` array) config persists the *entire* state object — the sensitive field rides
|
|
15
|
+
along by default. `storage` defaults to `localStorage`, which is readable by any script in
|
|
16
|
+
the page's origin (XSS-exfiltratable, no `HttpOnly`-equivalent protection).
|
|
17
|
+
|
|
18
|
+
2. **Sensitive data persisted to `localStorage` explicitly (not just by default) when
|
|
19
|
+
`sessionStorage` or a narrower `pick` would suffice.** E.g. `storage: localStorage` combined
|
|
20
|
+
with a `pick` list that still includes `token`/`accessToken`/`user.ssn`/etc.
|
|
21
|
+
|
|
22
|
+
3. **Store hydration from an untrusted/unvalidated server payload.** Client code that reads
|
|
23
|
+
`window.__pinia`, `window.__INITIAL_STATE__`, or an equivalent global and feeds it directly
|
|
24
|
+
into `pinia.state.value = JSON.parse(...)` (or assigns into a Vuex store's state) with no
|
|
25
|
+
schema/shape validation and no evidence the server-side serialization step escaped the value
|
|
26
|
+
before embedding it in the HTML response.
|
|
27
|
+
|
|
28
|
+
4. **Un-escaped state serialization into the HTML response on the server side.** Server entry
|
|
29
|
+
code that builds the embedded state string via naive `JSON.stringify(state)` interpolated
|
|
30
|
+
directly into a `<script>` block (e.g. a template literal like
|
|
31
|
+
`` `<script>window.__pinia=${JSON.stringify(state)}</script>` ``) with no escaping of
|
|
32
|
+
`<`, `>`, `/`, or use of a safe-serialization library (`devalue` or equivalent) — a stored
|
|
33
|
+
value containing `</script><script>alert(1)</script>` breaks out of the tag and executes.
|
|
34
|
+
|
|
35
|
+
5. **SSR store singleton created once at module scope instead of freshly per request.** A
|
|
36
|
+
`const pinia = createPinia()` (or `const store = new Vuex.Store({...})` /
|
|
37
|
+
`createStore({...})` assigned to a module-level `const`/`let`) declared at the top level of
|
|
38
|
+
an SSR entry file (`entry-server.js`/`.ts`, a Nuxt server plugin, an Express/Node request
|
|
39
|
+
handler module) and reused/imported across requests instead of being constructed inside the
|
|
40
|
+
per-request handler function. This leaks one user's cart/auth/session state into another
|
|
41
|
+
concurrent user's response.
|
|
42
|
+
|
|
43
|
+
6. **A per-request store factory that still closes over module-scope mutable/reactive state.**
|
|
44
|
+
The factory function itself calls `createPinia()`/`createStore()` fresh each invocation, but
|
|
45
|
+
also reads or writes a module-level cache, singleton, or mutable default parameter from
|
|
46
|
+
enclosing scope — the factory call looking correct does not prove isolation.
|
|
47
|
+
|
|
48
|
+
7. **`$subscribe` / `$onAction` plugin hooks (or a Vuex plugin) that consume `mutation`/`args`
|
|
49
|
+
payloads and act on them (write to a DB, call an external API, log, mutate other stores)
|
|
50
|
+
without validating/sanitizing the payload shape or origin** — especially when the
|
|
51
|
+
store/action is reachable from a component that accepts route params, query strings, or
|
|
52
|
+
other user-controlled input as the action's argument.
|
|
53
|
+
|
|
54
|
+
8. **Client-side store flags (`isAdmin`, `role`, `isPremium`, `permissions`) used as an
|
|
55
|
+
authorization source of truth for gating a sensitive action or UI-triggered mutation**,
|
|
56
|
+
with no corresponding server-side authorization check on the actual mutating request. A
|
|
57
|
+
client can set/patch its own store state (via devtools, `$patch`, or direct console access),
|
|
58
|
+
so `if (store.isAdmin) { await deleteUser(id) }` with no server-side re-check is a broken
|
|
59
|
+
access-control finding, not merely a UX nicety.
|
|
60
|
+
|
|
61
|
+
9. **Devtools integration left enabled in a production build.** Vuex's `devtools: true`
|
|
62
|
+
(or an unset/default-true devtools option) shipped in a production store configuration
|
|
63
|
+
exposes full state-tree contents, mutation/action history, and time-travel debugging to
|
|
64
|
+
anyone with browser devtools open — a state/PII exposure risk if the store holds sensitive
|
|
65
|
+
data. (Pinia's devtools integration is dev-only-by-default at build time via the Vue
|
|
66
|
+
devtools plugin; flag only if a codebase explicitly force-enables it in a production
|
|
67
|
+
config — do not invent a `devtools` option on Pinia's `defineStore`/`createPinia` APIs,
|
|
68
|
+
which Context7 does not confirm exists.)
|
|
69
|
+
|
|
70
|
+
## MUST NOT FLAG (explicit false-positive guards)
|
|
71
|
+
|
|
72
|
+
10. **An immutable, non-sensitive constant persisted intentionally.** A `pick`-scoped
|
|
73
|
+
persistence of a UI preference (`theme`, `locale`, `sidebarCollapsed`) with no
|
|
74
|
+
auth/session/PII content is not a finding, even though it uses `localStorage` — state this
|
|
75
|
+
explicitly as reviewed-and-cleared rather than omitting it silently.
|
|
76
|
+
|
|
77
|
+
11. **A store correctly re-created per request.** An SSR entry point whose `createPinia()` (or
|
|
78
|
+
`createStore()`) call sits inside the exported per-request handler function, with no
|
|
79
|
+
closed-over mutable module-scope state, is not a finding — do not flag the mere presence of
|
|
80
|
+
`createPinia()` in an SSR file without checking its enclosing scope.
|
|
81
|
+
|
|
82
|
+
12. **Server-sent state that is properly escaped/serialized (`devalue` or equivalent) before
|
|
83
|
+
embedding, and validated/schema-checked on the client before hydration.** Not a finding —
|
|
84
|
+
state this explicitly as reviewed.
|
|
85
|
+
|
|
86
|
+
13. **`$subscribe`/`$onAction` hooks used for read-only observation** (e.g. analytics logging
|
|
87
|
+
of a mutation type, a devtools-only debug logger) with no write/mutating side effect and no
|
|
88
|
+
unsanitized use of the payload in a sink — not a finding, but note it was reviewed.
|
|
89
|
+
|
|
90
|
+
14. **A client-side role/flag used only for non-authoritative UI purposes** (e.g. hiding a menu
|
|
91
|
+
item) where the actual protected action is independently re-authorized server-side — not a
|
|
92
|
+
finding for that specific action, though the review should still confirm the server check
|
|
93
|
+
exists rather than assuming it.
|
|
94
|
+
|
|
95
|
+
## Traceability requirement
|
|
96
|
+
|
|
97
|
+
Every finding above must cite a concrete file:line and the exact data-flow path (store
|
|
98
|
+
declaration → persistence config / hydration call / SSR entry scope / action-payload sink /
|
|
99
|
+
authorization check) — a finding that says "this store might leak" without naming the specific
|
|
100
|
+
`persist`/`pick`/`storage` config, the specific module-scope declaration, or the specific
|
|
101
|
+
untraced sink is not valid per this skill's traceability rule.
|