@skilly-hand/skilly-hand 0.11.1 → 0.13.0

package/CHANGELOG.md

@@ -5,11 +5,32 @@ All notable changes to this project are documented in this file.
 ## [Unreleased]
 
 ### Added
-- _None._
+- Figma plugin detection support
+- New test fixtures for figma-plugin projects
 
 ### Changed
+- Improved project detection logic with configExists helper function
+- Updated skill recommendations for React, Next.js, Angular, Vite, and other technologies
+- Changed figma-mcp-0to1 skill detectors from "always" to "figma"
+
+### Fixed
+- _None._
+
+### Removed
 - _None._
 
+## [0.12.0] - 2026-04-05
+[View on npm](https://www.npmjs.com/package/@skilly-hand/skilly-hand/v/0.12.0)
+
+### Added
+- Added `SECURITY.md` policy for vulnerability reporting and response procedures.
+- Added `security-check` script to scan source code for exposed secrets and API keys.
+- Integrated security scanning into the `verify:publish` pipeline to catch credential leaks before release.
+
+### Changed
+- Updated `.gitignore` to include `.env*` pattern for environment variable files.
+- Updated `verify-packlist.mjs` to whitelist `SECURITY.md` in npm package.
+
 ### Fixed
 - _None._
 

package/SECURITY.md

@@ -0,0 +1,37 @@
+# Security Policy
+
+## Supported Versions
+
+Only the latest version published on npm is supported with security fixes. No backport patches are issued for older versions.
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability, please **do not open a public GitHub issue**. Instead, use [GitHub Security Advisories](https://github.com/Davecelot/skilly-hand/security/advisories/new) to report it privately.
+
+Include as much detail as possible:
+
+- A description of the vulnerability and its potential impact
+- Steps to reproduce or a minimal proof-of-concept
+- The version of `@skilly-hand/skilly-hand` you are using
+- Your environment (OS, Node.js version)
+
+## Response Timeline
+
+This is a solo-maintained project. I will do my best to:
+
+- Acknowledge the report within a few days
+- Triage and provide an estimated fix timeline once reviewed
+- Publish a patch and disclose the issue publicly after the fix ships
+
+## Out of Scope
+
+The following are not considered security vulnerabilities in this project:
+
+- Content inside skill `.md` files — these are prose instructions for AI agents, not executable code
+- Vulnerabilities in third-party dependencies — please report those directly to the upstream package maintainers
+- Issues that require physical access to the machine running the CLI
+
+## Please Do Not
+
+- Disclose the vulnerability publicly before a fix has been released
+- Open a public GitHub issue to report security concerns

package/catalog/skills/figma-mcp-0to1/manifest.json

@@ -4,7 +4,7 @@
   "description": "Guide users from Figma MCP installation and authentication through first canvas creation, with function-level tool coverage and operational recovery patterns.",
   "portable": true,
   "tags": ["figma", "mcp", "workflow", "design"],
-  "detectors": ["always"],
+  "detectors": ["figma"],
   "detectionTriggers": ["manual"],
   "installsFor": ["all"],
   "agentSupport": ["codex", "claude", "cursor", "gemini", "copilot", "antigravity", "windsurf", "trae"],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@skilly-hand/skilly-hand",
-  "version": "0.11.1",
+  "version": "0.13.0",
   "license": "CC-BY-NC-4.0",
   "type": "module",
   "publishConfig": {
@@ -14,7 +14,8 @@
     "packages",
     "README.md",
     "CHANGELOG.md",
-    "LICENSE"
+    "LICENSE",
+    "SECURITY.md"
   ],
   "workspaces": [
     "packages/*"
@@ -28,8 +29,9 @@
     "catalog:sync": "node ./scripts/sync-catalog-readme.mjs",
     "agentic:self:sync": "node ./scripts/sync-self-agentic.mjs",
     "test": "node --test tests/*.test.js",
+    "security:check": "node ./scripts/security-check.mjs",
     "verify:packlist": "node ./scripts/verify-packlist.mjs",
-    "verify:publish": "npm run catalog:check && npm test && npm run verify:packlist",
+    "verify:publish": "npm run security:check && npm run catalog:check && npm test && npm run verify:packlist",
     "publish:prepare": "npm run verify:publish && npm pack --dry-run --json",
     "publish:otp": "node ./scripts/publish-with-otp.mjs",
     "publish:next": "node ./scripts/publish-with-otp.mjs --tag next",

package/packages/detectors/src/index.js

@@ -10,6 +10,13 @@ async function pathExists(filePath) {
   }
 }
 
+async function configExists(cwd, base, extensions = ["js", "ts"]) {
+  for (const ext of extensions) {
+    if (await pathExists(path.join(cwd, `${base}.${ext}`))) return true;
+  }
+  return false;
+}
+
 async function readJson(filePath) {
   if (!(await pathExists(filePath))) {
     return null;
@@ -41,14 +48,10 @@ export async function detectProject(cwd) {
   const packageJson = await readJson(path.join(cwd, "package.json"));
   const tsconfigExists = await pathExists(path.join(cwd, "tsconfig.json"));
   const angularJsonExists = await pathExists(path.join(cwd, "angular.json"));
-  const viteConfigExists =
-    (await pathExists(path.join(cwd, "vite.config.js"))) ||
-    (await pathExists(path.join(cwd, "vite.config.ts")));
-  const nextConfigExists =
-    (await pathExists(path.join(cwd, "next.config.js"))) ||
-    (await pathExists(path.join(cwd, "next.config.mjs"))) ||
-    (await pathExists(path.join(cwd, "next.config.ts")));
+  const viteConfigExists = await configExists(cwd, "vite.config");
+  const nextConfigExists = await configExists(cwd, "next.config", ["js", "mjs", "ts"]);
   const storybookDirExists = await pathExists(path.join(cwd, ".storybook"));
+  const figmaConfigExists = await configExists(cwd, "figma.config");
   const results = [];
 
   if (packageJson) {
@@ -56,27 +59,34 @@ export async function detectProject(cwd) {
       technology: "nodejs",
       confidence: 1,
       reasons: ["Found package.json"],
-      recommendedSkillIds: ["token-optimizer", "commit-writer", "pr-writer", "spec-driven-development"]
+      recommendedSkillIds: [
+        "token-optimizer",
+        "spec-driven-development",
+        "review-rangers",
+        "project-teacher"
+      ]
     });
   }
 
-  if (packageJson || tsconfigExists) {
+  const deps = packageJson ? { ...packageJson.dependencies, ...packageJson.devDependencies } : {};
+
+  if (tsconfigExists || "typescript" in deps) {
     addDetection(results, {
       technology: "typescript",
-      confidence: tsconfigExists ? 0.95 : 0.7,
-      reasons: tsconfigExists ? ["Found tsconfig.json"] : ["TypeScript inferred from project layout"],
+      confidence: tsconfigExists ? 0.95 : 0.9,
+      reasons: tsconfigExists
+        ? ["Found tsconfig.json"]
+        : ['Dependency "typescript" found in package.json'],
       recommendedSkillIds: ["token-optimizer"]
     });
   }
 
-  const deps = packageJson ? { ...packageJson.dependencies, ...packageJson.devDependencies } : {};
-
   if ("react" in deps) {
     addDetection(results, {
       technology: "react",
       confidence: 0.95,
       reasons: ['Dependency "react" found in package.json'],
-      recommendedSkillIds: ["accessibility-audit", "storybook-component-stories", "playwright-ui-testing"]
+      recommendedSkillIds: ["accessibility-audit", "react-guidelines", "frontend-design"]
     });
   }
 
@@ -84,8 +94,15 @@ export async function detectProject(cwd) {
     addDetection(results, {
       technology: "nextjs",
       confidence: nextConfigExists ? 1 : 0.9,
-      reasons: nextConfigExists ? ["Found next.config.*"] : ['Dependency "next" found in package.json'],
-      recommendedSkillIds: ["accessibility-audit", "playwright-ui-testing", "spec-driven-development"]
+      reasons: nextConfigExists
+        ? ["Found next.config.*"]
+        : ['Dependency "next" found in package.json'],
+      recommendedSkillIds: [
+        "accessibility-audit",
+        "spec-driven-development",
+        "react-guidelines",
+        "frontend-design"
+      ]
     });
   }
 
@@ -93,12 +110,14 @@ export async function detectProject(cwd) {
     addDetection(results, {
       technology: "angular",
       confidence: angularJsonExists ? 1 : 0.95,
-      reasons: angularJsonExists ? ["Found angular.json"] : ['Dependency "@angular/core" found in package.json'],
+      reasons: angularJsonExists
+        ? ["Found angular.json"]
+        : ['Dependency "@angular/core" found in package.json'],
       recommendedSkillIds: [
         "angular-guidelines",
-        "vitest-component-testing",
-        "storybook-component-stories",
-        "accessibility-audit"
+        "accessibility-audit",
+        "frontend-design",
+        "test-driven-development"
       ]
     });
   }
@@ -107,8 +126,10 @@ export async function detectProject(cwd) {
     addDetection(results, {
       technology: "vite",
       confidence: viteConfigExists ? 1 : 0.9,
-      reasons: viteConfigExists ? ["Found vite.config.*"] : ['Dependency "vite" found in package.json'],
-      recommendedSkillIds: ["storybook-component-stories", "playwright-ui-testing"]
+      reasons: viteConfigExists
+        ? ["Found vite.config.*"]
+        : ['Dependency "vite" found in package.json'],
+      recommendedSkillIds: ["frontend-design"]
     });
   }
 
@@ -117,7 +138,7 @@ export async function detectProject(cwd) {
       technology: "playwright",
       confidence: 0.95,
       reasons: ['Dependency "@playwright/test" found in package.json'],
-      recommendedSkillIds: ["playwright-ui-testing"]
+      recommendedSkillIds: ["test-driven-development"]
     });
   }
 
@@ -126,16 +147,19 @@ export async function detectProject(cwd) {
       technology: "vitest",
       confidence: 0.95,
       reasons: ['Dependency "vitest" found in package.json'],
-      recommendedSkillIds: ["vitest-component-testing"]
+      recommendedSkillIds: ["test-driven-development"]
     });
   }
 
-  if ("tailwindcss" in deps || (await pathExists(path.join(cwd, "tailwind.config.js"))) || (await pathExists(path.join(cwd, "tailwind.config.ts")))) {
+  const tailwindConfigExists = await configExists(cwd, "tailwind.config");
+  if ("tailwindcss" in deps || tailwindConfigExists) {
     addDetection(results, {
       technology: "tailwindcss",
-      confidence: 0.9,
-      reasons: ['Dependency "tailwindcss" or config file found'],
-      recommendedSkillIds: ["accessibility-audit", "css-modules"]
+      confidence: tailwindConfigExists ? 1 : 0.9,
+      reasons: tailwindConfigExists
+        ? ["Found tailwind.config.*"]
+        : ['Dependency "tailwindcss" found in package.json'],
+      recommendedSkillIds: ["accessibility-audit", "frontend-design"]
     });
   }
 
@@ -143,8 +167,23 @@ export async function detectProject(cwd) {
     addDetection(results, {
       technology: "storybook",
       confidence: storybookDirExists ? 1 : 0.9,
-      reasons: storybookDirExists ? ["Found .storybook directory"] : ["Storybook dependency found"],
-      recommendedSkillIds: ["storybook-component-stories", "playwright-ui-testing"]
+      reasons: storybookDirExists
+        ? ["Found .storybook directory"]
+        : ["Storybook dependency found in package.json"],
+      recommendedSkillIds: ["frontend-design"]
+    });
+  }
+
+  const figmaDeps = ["@figma/plugin-typings", "@figma/widget-typings", "figma-api"];
+  const figmaDepFound = figmaDeps.find((dep) => dep in deps);
+  if (figmaConfigExists || figmaDepFound) {
+    addDetection(results, {
+      technology: "figma",
+      confidence: figmaConfigExists ? 1 : 0.95,
+      reasons: figmaConfigExists
+        ? ["Found figma.config.*"]
+        : [`Dependency "${figmaDepFound}" found in package.json`],
+      recommendedSkillIds: ["figma-mcp-0to1"]
     });
   }
 
@@ -152,7 +191,20 @@ export async function detectProject(cwd) {
 }
 
 export async function inspectProjectFiles(cwd) {
-  const probes = ["package.json", "tsconfig.json", "angular.json", ".storybook"];
+  const probes = [
+    "package.json",
+    "tsconfig.json",
+    "angular.json",
+    ".storybook",
+    "vite.config.js",
+    "vite.config.ts",
+    "next.config.js",
+    "next.config.mjs",
+    "tailwind.config.js",
+    "tailwind.config.ts",
+    "figma.config.js",
+    "figma.config.ts"
+  ];
   const statuses = [];
 
   for (const probe of probes) {