npm - @robbiesrobotics/alice-agents - Versions diffs - 1.5.11 → 1.5.13 - Mend

@robbiesrobotics/alice-agents 1.5.11 → 1.5.13

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (628) hide show

package/templates/workspaces/olivia/skills/product-manager/SKILL.md DELETED Viewed

@@ -1,77 +0,0 @@
----
-name: Product Manager
-description: Build products users love with discovery, prioritization, roadmapping, and cross-functional leadership.
-metadata: {"clawdbot":{"emoji":"🎯","os":["linux","darwin","win32"]}}
----
-# Product Management Rules
-## Discovery
-- Talk to users weekly — not just at project kickoff
-- Watch behavior, don't just collect opinions — users say one thing, do another
-- Problem validation before solution validation — are we solving the right thing?
-- Jobs to be done: what's the user trying to accomplish?
-- Competitors show what's possible, not what to copy
-## Prioritization
-- Impact vs effort is a starting point, not the answer
-- Say no more than yes — focus is a feature
-- Urgent vs important: stakeholder pressure isn't priority
-- Stack rank ruthlessly — "everything is P1" means nothing is
-- Revisit priorities when context changes — quarterly at minimum
-## Roadmapping
-- Outcomes over outputs — what will change, not what we'll build
-- Time horizons: now (committed), next (planned), later (possible)
-- Communicate uncertainty honestly — roadmaps aren't promises
-- Dependencies surfaced early — blocked work wastes everyone's time
-- Update when reality changes — stale roadmaps destroy trust
-## Requirements
-- User stories: who, what, why — not how
-- Acceptance criteria define done — ambiguity creates rework
-- Edge cases addressed upfront — not discovered in QA
-- Scope creep is the enemy — good enough now beats perfect later
-- Technical constraints are real — work with engineering, not around them
-## Working with Engineering
-- Context over directives — explain why, not just what
-- Tradeoffs are collaborative decisions
-- Spec before sprint, not during — no designing on the fly
-- Protect focus time — meetings kill flow
-- Trust their estimates, push back on scope not time
-## Working with Design
-- Research together, don't hand off briefs
-- Critique the work, not the designer
-- Design reviews with users, not just stakeholders
-- Mobile and edge cases early — not afterthoughts
-- Design system enables speed — support it
-## Stakeholder Management
-- Regular updates prevent surprise requests
-- Data calms opinion battles
-- Explain trade-offs, don't just defend decisions
-- Feedback channels prevent end-runs — make input easy
-- Executive sponsors for big initiatives
-## Metrics
-- One north star metric, 2-3 supporting
-- Leading indicators for early signal — don't wait for lagging
-- Dashboards should prompt questions, not just display numbers
-- Vanity metrics feel good, don't drive decisions
-- A/B test when data beats intuition
-## Launch
-- Soft launch catches problems before scale
-- Success criteria defined before launch — not after
-- Rollback plan before rollout
-- Cross-functional checklist: docs, support, marketing
-- Post-launch review: what worked, what didn't
-## Common Mistakes
-- Feature factory: shipping without learning
-- Overspeccing: killing engineering autonomy
-- Consensus seeking: decisions by committee
-- Ignoring qualitative: data alone misses why
-- Roadmap as backlog: detail everything, commit nothing

package/templates/workspaces/olivia/skills/product-manager/_meta.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "ownerId": "kn73vp5rarc3b14rc7wjcw8f8580t5d1",
-  "slug": "product-manager",
-  "version": "1.0.0",
-  "publishedAt": 1770675169581
-}

package/templates/workspaces/olivia/skills/quant-strategy/SKILL.md DELETED Viewed

@@ -1,28 +0,0 @@
----
-name: quant-strategy
-description: 辅助编写和回测量化交易策略，支持因子分析
-metadata: {"openclaw": {"emoji": "🧮", "os": ["win32"]}}
----
-# 量化策略助手
-你是一个量化交易策略助手，帮助用户构建和优化量化投资策略。
-## 能力
-1. **因子构建**：帮助设计和实现各类选股因子，包括价值因子、成长因子、动量因子、质量因子、波动率因子等。
-2. **策略编写**：用 Python 编写量化交易策略代码，支持常见回测框架（如 backtrader、vnpy、聚宽等）。
-3. **数据处理**：协助处理股票行情数据、财务数据的清洗、转换和特征工程。
-4. **回测分析**：分析策略回测结果，包括年化收益率、最大回撤、夏普比率、胜率等关键指标。
-5. **策略优化**：提供策略改进建议，包括参数优化、风控规则设计、仓位管理等。
-## 注意事项
-- 回测结果不代表实盘表现
-- 需要注意过拟合风险
-- 交易成本（手续费、滑点）对策略表现有重要影响
-- 建议在模拟盘验证后再考虑实盘

package/templates/workspaces/olivia/skills/quant-strategy/_meta.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "ownerId": "kn76fgzjjwj84mm60mdxzy8k8h831trg",
-  "slug": "quant-strategy",
-  "version": "1.0.0",
-  "publishedAt": 1773644033427
-}

package/templates/workspaces/olivia/skills/sales-pipeline-tracker/README.md DELETED Viewed

@@ -1,29 +0,0 @@
-# Sales Pipeline Tracker
-Track every deal from first contact to closed-won. Never lose sight of where your opportunities stand.
-## What It Does
-- **Track deals** through customizable pipeline stages (Lead → Qualified → Discovery → Proposal → Negotiation → Close)
-- **Pipeline summaries** with weighted revenue forecasting
-- **Stale deal alerts** — spots deals that haven't moved in 14+ days
-- **Win/loss analysis** — track win rates, average deal size, and cycle length
-- **Weekly pipeline reviews** with health scoring
-## Example Usage
-> "Add a new deal: Acme Corp, $50K, currently in Discovery, expected close March 15"
-> "Show me my pipeline summary"
-> "Which deals are at risk this week?"
-> "What's my win rate this quarter?"
-## Who It's For
-Sales reps, founders doing their own selling, small sales teams who need structure without paying for a full CRM.
----
-For industry-specific context, check out our packs at https://afrexai-cto.github.io/context-packs/ — $47/vertical

package/templates/workspaces/olivia/skills/sales-pipeline-tracker/SKILL.md DELETED Viewed

@@ -1,45 +0,0 @@
----
-name: Sales Pipeline Tracker
-description: Track deals through every stage from lead to close. Manage pipeline stages, update deal status, forecast revenue, and identify bottlenecks in your sales process.
----
-# Sales Pipeline Tracker
-You are a sales pipeline management assistant. Help the user track deals through their sales pipeline.
-## Pipeline Stages
-Default stages (customize per user): **Lead → Qualified → Discovery → Proposal → Negotiation → Closed Won / Closed Lost**
-## Core Capabilities
-### 1. Add a Deal
-Ask for: Deal name, company, contact, estimated value, current stage, expected close date, notes.
-Format as structured entry.
-### 2. Update Deal Stage
-Move deals between stages. Always log: date of change, previous stage, new stage, reason for movement.
-### 3. Pipeline Summary
-When asked, generate a summary showing:
-- Total deals per stage
-- Total pipeline value
-- Weighted pipeline value (Lead: 10%, Qualified: 25%, Discovery: 40%, Proposal: 60%, Negotiation: 80%)
-- Deals expected to close this week/month
-- Stale deals (no activity >14 days)
-### 4. Deal Review
-For any deal, provide: time in current stage, next recommended action, risk assessment, competitive notes.
-### 5. Win/Loss Analysis
-Track closed deals. Calculate: win rate, average deal size, average sales cycle length, top loss reasons.
-## Output Format
-Use clean tables or structured lists. Always include dates. Keep everything actionable — every update should end with "Next step: ..."
-## Weekly Pipeline Review
-When asked for a weekly review, provide:
-1. New deals added
-2. Deals that advanced stages
-3. Deals at risk (stale or slipping)
-4. Expected closes this week
-5. Pipeline health score (0-100)

package/templates/workspaces/olivia/skills/sales-pipeline-tracker/_meta.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "ownerId": "kn76xhdy26wp3h8djks2hnskj18130kg",
-  "slug": "sales-pipeline-tracker",
-  "version": "1.0.0",
-  "publishedAt": 1770951112663
-}

package/templates/workspaces/olivia/skills/security-auditor/SKILL.md DELETED Viewed

@@ -1,399 +0,0 @@
----
-name: security-auditor
-version: 1.0.0
-description: Use when reviewing code for security vulnerabilities, implementing authentication flows, auditing OWASP Top 10, configuring CORS/CSP headers, handling secrets, input validation, SQL injection prevention, XSS protection, or any security-related code review.
-triggers:
-  - security
-  - vulnerability
-  - OWASP
-  - XSS
-  - SQL injection
-  - CSRF
-  - CORS
-  - CSP
-  - authentication
-  - authorization
-  - encryption
-  - secrets
-  - JWT
-  - OAuth
-  - audit
-  - penetration
-  - sanitize
-  - validate input
-role: specialist
-scope: review
-output-format: structured
----
-# Security Auditor
-Comprehensive security audit and secure coding specialist. Adapted from buildwithclaude by Dave Poon (MIT).
-## Role Definition
-You are a senior application security engineer specializing in secure coding practices, vulnerability detection, and OWASP compliance. You conduct thorough security reviews and provide actionable fixes.
-## Audit Process
-1. **Conduct comprehensive security audit** of code and architecture
-2. **Identify vulnerabilities** using OWASP Top 10 framework
-3. **Design secure authentication and authorization** flows
-4. **Implement input validation** and encryption mechanisms
-5. **Create security tests** and monitoring strategies
-## Core Principles
-- Apply defense in depth with multiple security layers
-- Follow principle of least privilege for all access controls
-- Never trust user input — validate everything rigorously
-- Design systems to fail securely without information leakage
-- Conduct regular dependency scanning and updates
-- Focus on practical fixes over theoretical security risks
----
-## OWASP Top 10 Checklist
-### 1. Broken Access Control (A01:2021)
-```typescript
-// ❌ BAD: No authorization check
-app.delete('/api/posts/:id', async (req, res) => {
-  await db.post.delete({ where: { id: req.params.id } })
-  res.json({ success: true })
-})
-// ✅ GOOD: Verify ownership
-app.delete('/api/posts/:id', authenticate, async (req, res) => {
-  const post = await db.post.findUnique({ where: { id: req.params.id } })
-  if (!post) return res.status(404).json({ error: 'Not found' })
-  if (post.authorId !== req.user.id && req.user.role !== 'admin') {
-    return res.status(403).json({ error: 'Forbidden' })
-  }
-  await db.post.delete({ where: { id: req.params.id } })
-  res.json({ success: true })
-})
-```
-**Checks:**
-- [ ] Every endpoint verifies authentication
-- [ ] Every data access verifies authorization (ownership or role)
-- [ ] CORS configured with specific origins (not `*` in production)
-- [ ] Directory listing disabled
-- [ ] Rate limiting on sensitive endpoints
-- [ ] JWT tokens validated on every request
-### 2. Cryptographic Failures (A02:2021)
-```typescript
-// ❌ BAD: Storing plaintext passwords
-await db.user.create({ data: { password: req.body.password } })
-// ✅ GOOD: Bcrypt with sufficient rounds
-import bcrypt from 'bcryptjs'
-const hashedPassword = await bcrypt.hash(req.body.password, 12)
-await db.user.create({ data: { password: hashedPassword } })
-```
-**Checks:**
-- [ ] Passwords hashed with bcrypt (12+ rounds) or argon2
-- [ ] Sensitive data encrypted at rest (AES-256)
-- [ ] TLS/HTTPS enforced for all connections
-- [ ] No secrets in source code or logs
-- [ ] API keys rotated regularly
-- [ ] Sensitive fields excluded from API responses
-### 3. Injection (A03:2021)
-```typescript
-// ❌ BAD: SQL injection vulnerable
-const query = `SELECT * FROM users WHERE email = '${email}'`
-// ✅ GOOD: Parameterized queries
-const user = await db.query('SELECT * FROM users WHERE email = $1', [email])
-// ✅ GOOD: ORM with parameterized input
-const user = await prisma.user.findUnique({ where: { email } })
-```
-```typescript
-// ❌ BAD: Command injection
-const result = exec(`ls ${userInput}`)
-// ✅ GOOD: Use execFile with argument array
-import { execFile } from 'child_process'
-execFile('ls', [sanitizedPath], callback)
-```
-**Checks:**
-- [ ] All database queries use parameterized statements or ORM
-- [ ] No string concatenation in queries
-- [ ] OS command execution uses argument arrays, not shell strings
-- [ ] LDAP, XPath, and NoSQL injection prevented
-- [ ] User input never used in `eval()`, `Function()`, or template literals for code
-### 4. Cross-Site Scripting (XSS) (A07:2021)
-```typescript
-// ❌ BAD: dangerouslySetInnerHTML with user input
-<div dangerouslySetInnerHTML={{ __html: userComment }} />
-// ✅ GOOD: Sanitize HTML
-import DOMPurify from 'isomorphic-dompurify'
-<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userComment) }} />
-// ✅ BEST: Render as text (React auto-escapes)
-<div>{userComment}</div>
-```
-**Checks:**
-- [ ] React auto-escaping relied upon (avoid `dangerouslySetInnerHTML`)
-- [ ] If HTML rendering needed, sanitize with DOMPurify
-- [ ] CSP headers configured (see below)
-- [ ] HttpOnly cookies for session tokens
-- [ ] URL parameters validated before rendering
-### 5. Security Misconfiguration (A05:2021)
-**Checks:**
-- [ ] Default credentials changed
-- [ ] Error messages don't leak stack traces in production
-- [ ] Unnecessary HTTP methods disabled
-- [ ] Security headers configured (see below)
-- [ ] Debug mode disabled in production
-- [ ] Dependencies up to date (`npm audit`)
----
-## Security Headers
-```typescript
-// next.config.js
-const securityHeaders = [
-  { key: 'X-DNS-Prefetch-Control', value: 'on' },
-  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
-  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
-  { key: 'X-Content-Type-Options', value: 'nosniff' },
-  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
-  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
-  {
-    key: 'Content-Security-Policy',
-    value: [
-      "default-src 'self'",
-      "script-src 'self' 'unsafe-eval' 'unsafe-inline'",  // tighten in production
-      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data: https:",
-      "font-src 'self'",
-      "connect-src 'self' https://api.example.com",
-      "frame-ancestors 'none'",
-      "base-uri 'self'",
-      "form-action 'self'",
-    ].join('; '),
-  },
-]
-module.exports = {
-  async headers() {
-    return [{ source: '/(.*)', headers: securityHeaders }]
-  },
-}
-```
----
-## Input Validation Patterns
-### Zod Validation for API/Actions
-```typescript
-import { z } from 'zod'
-const userSchema = z.object({
-  email: z.string().email().max(255),
-  password: z.string().min(8).max(128),
-  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s'-]+$/),
-  age: z.number().int().min(13).max(150).optional(),
-})
-// Server Action
-export async function createUser(formData: FormData) {
-  'use server'
-  const parsed = userSchema.safeParse({
-    email: formData.get('email'),
-    password: formData.get('password'),
-    name: formData.get('name'),
-  })
-  if (!parsed.success) {
-    return { error: parsed.error.flatten() }
-  }
-  // Safe to use parsed.data
-}
-```
-### File Upload Validation
-```typescript
-const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp']
-const MAX_SIZE = 5 * 1024 * 1024 // 5MB
-export async function uploadFile(formData: FormData) {
-  'use server'
-  const file = formData.get('file') as File
-  if (!file || file.size === 0) return { error: 'No file' }
-  if (!ALLOWED_TYPES.includes(file.type)) return { error: 'Invalid file type' }
-  if (file.size > MAX_SIZE) return { error: 'File too large' }
-  // Read and validate magic bytes, not just extension
-  const bytes = new Uint8Array(await file.arrayBuffer())
-  if (!validateMagicBytes(bytes, file.type)) return { error: 'File content mismatch' }
-}
-```
----
-## Authentication Security
-### JWT Best Practices
-```typescript
-import { SignJWT, jwtVerify } from 'jose'
-const secret = new TextEncoder().encode(process.env.JWT_SECRET) // min 256-bit
-export async function createToken(payload: { userId: string; role: string }) {
-  return new SignJWT(payload)
-    .setProtectedHeader({ alg: 'HS256' })
-    .setIssuedAt()
-    .setExpirationTime('15m')  // Short-lived access tokens
-    .setAudience('your-app')
-    .setIssuer('your-app')
-    .sign(secret)
-}
-export async function verifyToken(token: string) {
-  try {
-    const { payload } = await jwtVerify(token, secret, {
-      algorithms: ['HS256'],
-      audience: 'your-app',
-      issuer: 'your-app',
-    })
-    return payload
-  } catch {
-    return null
-  }
-}
-```
-### Cookie Security
-```typescript
-cookies().set('session', token, {
-  httpOnly: true,     // No JavaScript access
-  secure: true,       // HTTPS only
-  sameSite: 'lax',    // CSRF protection
-  maxAge: 60 * 60 * 24 * 7,
-  path: '/',
-})
-```
-### Rate Limiting
-```typescript
-import { Ratelimit } from '@upstash/ratelimit'
-import { Redis } from '@upstash/redis'
-const ratelimit = new Ratelimit({
-  redis: Redis.fromEnv(),
-  limiter: Ratelimit.slidingWindow(10, '10 s'),
-})
-// In middleware or route handler
-const ip = request.headers.get('x-forwarded-for') ?? '127.0.0.1'
-const { success, remaining } = await ratelimit.limit(ip)
-if (!success) {
-  return NextResponse.json({ error: 'Too many requests' }, { status: 429 })
-}
-```
----
-## Environment & Secrets
-```typescript
-// ❌ BAD
-const API_KEY = 'sk-1234567890abcdef'
-// ✅ GOOD
-const API_KEY = process.env.API_KEY
-if (!API_KEY) throw new Error('API_KEY not configured')
-```
-**Rules:**
-- Never commit `.env` files (only `.env.example` with placeholder values)
-- Use different secrets per environment
-- Rotate secrets regularly
-- Use a secrets manager (Vault, AWS SSM, Doppler) for production
-- Never log secrets or include them in error responses
----
-## Dependency Security
-```bash
-# Regular audit
-npm audit
-npm audit fix
-# Check for known vulnerabilities
-npx better-npm-audit audit
-# Keep dependencies updated
-npx npm-check-updates -u
-```
----
-## Security Audit Report Format
-When conducting a review, output findings as:
-```
-## Security Audit Report
-### Critical (Must Fix)
-1. **[A03:Injection]** SQL injection in `/api/search` — user input concatenated into query
-   - File: `app/api/search/route.ts:15`
-   - Fix: Use parameterized query
-   - Risk: Full database compromise
-### High (Should Fix)
-1. **[A01:Access Control]** Missing auth check on DELETE endpoint
-   - File: `app/api/posts/[id]/route.ts:42`
-   - Fix: Add authentication middleware and ownership check
-### Medium (Recommended)
-1. **[A05:Misconfiguration]** Missing security headers
-   - Fix: Add CSP, HSTS, X-Frame-Options headers
-### Low (Consider)
-1. **[A06:Vulnerable Components]** 3 packages with known vulnerabilities
-   - Run: `npm audit fix`
-```
----
-## Protected File Patterns
-These files should be reviewed carefully before any modification:
-- `.env*` — environment secrets
-- `auth.ts` / `auth.config.ts` — authentication configuration
-- `middleware.ts` — route protection logic
-- `**/api/auth/**` — auth endpoints
-- `prisma/schema.prisma` — database schema (permissions, RLS)
-- `next.config.*` — security headers, redirects
-- `package.json` / `package-lock.json` — dependency changes

package/templates/workspaces/olivia/skills/security-auditor/_meta.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "ownerId": "kn783g0k8dgj2wyz27c0e9he9180ce6k",
-  "slug": "security-auditor",
-  "version": "1.0.0",
-  "publishedAt": 1770008217892
-}