@wrongstack/core 0.1.8 → 0.1.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wrongstack/core",
-  "version": "0.1.8",
+  "version": "0.1.9",
   "license": "MIT",
   "description": "WrongStack core: kernel, types, defaults, and shared utilities for the WrongStack CLI agent.",
   "repository": {
@@ -43,7 +43,7 @@
     "dist",
     "skills"
   ],
-  "wrongstackApiVersion": "0.1.8",
+  "wrongstackApiVersion": "0.1.9",
   "devDependencies": {
     "@types/node": "^22.19.19",
     "tsup": "^8.5.1",

package/skills/audit-log/SKILL.md

@@ -0,0 +1,67 @@
+---
+name: audit-log
+description: |
+  System-wide audit log analysis. Covers log parsing, anomaly detection,
+  pattern recognition across sessions, and structured reporting.
+  Use for post-mortems, trend analysis, and operational insights.
+version: 1.0.0
+---
+
+# Audit Log Agent
+
+Analyzes session logs, event streams, and system traces to surface patterns,
+anomalies, and actionable insights.
+
+## Capabilities
+
+- Parse structured JSONL session logs
+- Detect repeated failure patterns across runs
+- Identify tool usage anomalies (over-use, misuse, failures)
+- Track token consumption trends per agent/session
+- Generate markdown audit reports
+
+## Workflow
+
+1. **Collect** — Read session logs from `sessionRoot` or provided path
+2. **Parse** — Extract events: tool calls, iterations, errors, usage
+3. **Analyze** — Group by category, detect anomalies
+4. **Report** — Output structured markdown summary
+
+## Input
+
+```json
+{
+  "task": "analyze | report | trends",
+  "sessionPath": "<path to session JSONL>",
+  "focus": "errors | tools | usage | all"
+}
+```
+
+## Output Format
+
+```
+## Audit Report — <date>
+
+### Summary
+- Total sessions: N
+- Total tool calls: N
+- Error rate: X%
+
+### Top Errors
+1. <error-type>: <count>x — <context>
+2. ...
+
+### Tool Usage
+| Tool | Calls | Failures | Avg Duration |
+|------|-------|----------|--------------|
+| read | 142   | 3        | 45ms         |
+
+### Anomalies
+- `<pattern-detected>` — <severity: low/medium/high>
+```
+
+## Anti-patterns
+
+- Don't summarize what you didn't parse — be precise
+- Don't mix session paths — analyze one at a time or aggregate clearly
+- Don't skip error context — the user's log is the source of truth

package/skills/bug-hunter/SKILL.md

@@ -0,0 +1,87 @@
+---
+name: bug-hunter
+description: |
+  Systematic bug and code smell detection. Covers static analysis patterns,
+  anti-pattern recognition, error-prone construct detection, and severity ranking.
+  Use before refactoring or as a standalone health check.
+version: 1.0.0
+---
+
+# Bug Hunter Agent
+
+Scans source code for bugs, anti-patterns, and code smells using pattern matching
+and heuristics. Outputs a prioritized hit list with file:line references.
+
+## Capabilities
+
+- Detect common bug patterns (uncaught errors, resource leaks, race conditions)
+- Identify anti-patterns (callback hell, God objects, circular deps)
+- Find TypeScript-specific issues (unsafe any, missing null checks)
+- Flag security-sensitive constructs (eval, innerHTML, hardcoded secrets)
+- Rank findings by severity: critical > high > medium > low
+
+## Workflow
+
+1. **Scope** — Accept file/dir globs or explicit paths
+2. **Scan** — Run grep/read across target files
+3. **Classify** — Categorize findings by type and severity
+4. **Rank** — Sort by severity, then frequency
+5. **Report** — Markdown output with fix suggestions
+
+## Input
+
+```json
+{
+  "task": "scan | hunt | check",
+  "paths": ["src/**/*.ts", "lib/*.js"],
+  "focus": "bugs | patterns | security | all",
+  "severityThreshold": "medium"
+}
+```
+
+## Output Format
+
+```
+## Bug Hunt Report — <scope>
+
+### Critical (must fix)
+1. **[RACE]** `src/auth.ts:47` — setTimeout without clearTimeout in loop
+2. **[SECRET]** `lib/config.ts:12` — hardcoded API key detected
+
+### High (should fix)
+3. **[MEMORY]** `tools/pool.ts:89` — event listener never removed
+4. **[TYPE]** `core/agent.ts:103` — unsafe `any` cast loses type safety
+
+### Medium
+...
+
+### Low (consider)
+...
+
+## Summary
+| Severity | Count |
+|----------|-------|
+| Critical | 2     |
+| High     | 4     |
+| Medium   | 7     |
+| Low      | 3     |
+
+Total: 16 findings in 12 files
+```
+
+## Bug Pattern Reference
+
+| Pattern | Regex Hint | Severity |
+|---------|------------|----------|
+| Uncaught promise | `\.then\(` without `catch` | high |
+| Event leak | `on\(` without `off`/`removeListener` | high |
+| Hardcoded secret | `[a-zA-Z0-9/_-]{20,}` in config | critical |
+| unsafe any | `: any\b` or `<any>` | medium |
+| innerHTML | `innerHTML\s*=` | high |
+| TODO without FIXME | `TODO(?!.*FIXME)` | low |
+
+## Anti-patterns
+
+- Don't scan node_modules — waste of time and false positives
+- Don't report without file:line — useless for fixing
+- Don't ignore false positive rates — if >30% of findings are noise, lower confidence

package/skills/refactor-planner/SKILL.md

@@ -0,0 +1,94 @@
+---
+name: refactor-planner
+description: |
+  Structured refactoring planning from code analysis. Covers dependency mapping,
+  risk assessment, phased planning, and migration strategy.
+  Use before large rewrites or when technical debt is blocking progress.
+version: 1.0.0
+---
+
+# Refactor Planner Agent
+
+Analyzes code structure and produces a concrete, phased refactoring plan with
+risk assessment, dependency ordering, and rollback considerations.
+
+## Capabilities
+
+- Map module-level dependencies (import graph)
+- Identify coupling hotspots (high fan-in/out modules)
+- Assess refactoring risk by cyclomatic complexity and test coverage
+- Generate phased plans with checkpoint milestones
+- Produce diff-friendly task lists (one task = one concern)
+
+## Workflow
+
+1. **Analyze** — Build dependency graph, count coupling
+2. **Score** — Rate each module by: size, complexity, test coverage, change frequency
+3. **Plan** — Order tasks by risk, dependency, and payoff
+4. **Document** — Output phased markdown plan
+
+## Input
+
+```json
+{
+  "task": "plan | assess | roadmap",
+  "target": "src/core | packages/tools | .",
+  "constraint": "no-breaking-changes | minimal-downtime | full-rewrite",
+  "focus": "architecture | performance | maintainability"
+}
+```
+
+## Output Format
+
+```
+## Refactor Plan — <target>
+
+### Phase 1: Low Risk / High Payoff (do first)
+| # | Task | Module | Risk | Est. Time |
+|---|------|--------|------|-----------|
+| 1 | Extract `ToolExecutor` interface | core/tool-executor.ts | low | 2h |
+| 2 | Decouple `SessionStore` from Agent | core/session-store.ts | low | 4h |
+
+### Phase 2: Medium Risk (test heavily)
+| # | Task | Module | Risk | Est. Time |
+|---|------|--------|------|-----------|
+| 3 | Break circular dep: Config ↔ Logger | core/config.ts | medium | 6h |
+| 4 | Split `Context` into read/write slices | core/context.ts | medium | 8h |
+
+### Phase 3: High Risk (requires full regression)
+...
+
+### Dependency Graph (abbreviated)
+```
+config.ts → logger.ts → path-resolver.ts
+     ↓           ↓
+  secret-vault.ts    session-store.ts
+     ↓                    ↓
+     └────────→  agent.ts  ←←←
+```
+
+### Rollback Strategy
+Each phase commits independently. On failure: `git checkout phase<N>`.
+Run `pnpm test` before advancing.
+
+### Exit Criteria
+- [ ] All Phase 1 tasks pass `pnpm test`
+- [ ] No circular deps in `src/core`
+- [ ] `Context` interface < 20 methods
+```
+
+## Risk Criteria
+
+| Factor | Low Risk | Medium Risk | High Risk |
+|--------|----------|-------------|-----------|
+| Cyclomatic complexity | <10 | 10-20 | >20 |
+| Test coverage | >80% | 50-80% | <50% |
+| Fan-out (imports) | <5 | 5-15 | >15 |
+| Change frequency | low | medium | high |
+
+## Anti-patterns
+
+- Don't plan without analyzing — assumptions cause wasted work
+- Don't skip rollback strategy — every refactor can fail
+- Don't over-phase — if a task takes <1h, merge it
+- Don't ignore team constraints — parallelization only works if reviewers exist

package/skills/security-scanner/SKILL.md

@@ -0,0 +1,117 @@
+---
+name: security-scanner
+description: |
+  Security vulnerability scanning for code and configuration. Covers secret detection,
+  injection vectors, dependency vulnerabilities, and supply chain risks.
+  Use during CI, before releases, or as a standalone audit.
+version: 1.0.0
+---
+
+# Security Scanner Agent
+
+Scans code, configs, and dependencies for security issues ranging from
+hardcoded secrets to injection vulnerabilities and supply chain risks.
+
+## Capabilities
+
+- Detect hardcoded secrets: API keys, tokens, passwords, private keys
+- Find injection vectors: eval, innerHTML, SQL concatenation, shell injection
+- Identify insecure patterns: weak crypto, hardcoded IVs, disabled TLS verification
+- Scan dependencies for known CVEs (via package audit)
+- Flag supply chain risks: unverified scripts, postinstall hooks, .npmrc issues
+
+## Workflow
+
+1. **Scope** — Accept paths or use sensible defaults
+2. **Secrets Scan** — Regex scan for credential patterns
+3. **Injection Scan** — Pattern match dangerous constructs
+4. **Config Scan** — Check TLS, crypto, auth configurations
+5. **Dependency Scan** — Run audit on package.json
+6. **Report** — Prioritized markdown with remediation
+
+## Input
+
+```json
+{
+  "task": "scan | audit | secrets | dependencies",
+  "paths": ["src", "config"],
+  "depth": "quick | normal | deep",
+  "excludePaths": ["node_modules", "dist"]
+}
+```
+
+## Output Format
+
+```
+## Security Scan Report — <timestamp>
+
+### CRITICAL: Secrets Found
+1. **[CRITICAL]** `config/keys.ts:8` — AWS Access Key ID exposed
+   ```
+   const awsKey = "AKIAIOSFODNN7EXAMPLE"; // ← remove this
+   ```
+2. **[CRITICAL]** `.env:3` — Private key committed to repo
+   ```
+   PEM_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
+   ```
+
+### HIGH: Injection Vectors
+3. **[HIGH]** `lib/renderer.ts:42` — innerHTML assignment
+   ```ts
+   element.innerHTML = userInput; // ← sanitize or use textContent
+   ```
+4. **[HIGH]** `tools/shell.ts:15` — shell injection via template literal
+   ```ts
+   exec(`echo ${userInput}`); // ← escape or use array form
+   ```
+
+### MEDIUM: Insecure Patterns
+5. **[MEDIUM]** `lib/crypto.ts:9` — MD5 used for hashing (not for passwords)
+6. **[MEDIUM]** `server.ts:22` — TLS certificate verification disabled
+
+### Dependency Issues
+7. **[HIGH]** `lodash < 4.17.21` — CVE-2021-23337
+8. **[MEDIUM]** `minimist < 1.2.6` — CVE-2021-44906
+
+## Summary
+| Severity | Count |
+|----------|-------|
+| Critical | 2     |
+| High     | 4     |
+| Medium   | 3     |
+| Low      | 1     |
+
+## Remediation Checklist
+- [ ] Remove hardcoded secrets from `config/keys.ts`
+- [ ] Sanitize user input before innerHTML assignment
+- [ ] Update lodash to >= 4.17.21
+- [ ] Enable TLS verification in production
+```
+
+## Secret Pattern Reference
+
+| Pattern | Example | Severity |
+|---------|---------|----------|
+| AWS Access Key | `AKIAIOSFODNN7EXAMPLE` | critical |
+| AWS Secret Key | `[a-zA-Z0-9/+=]{40}` base64 | critical |
+| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | critical |
+| Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | critical |
+| JWT | `eyJ[a-zA-Z0-9_-]+` | high |
+| Generic API Key | `[a-zA-Z0-9]{32,}` | medium |
+
+## Injection Patterns
+
+| Construct | Safe Alternative |
+|-----------|-----------------|
+| `eval(str)` | `new Function()` or parse |
+| `innerHTML = x` | `textContent` or sanitize |
+| `exec(\`cmd ${input}\`)` | `execFile` with args array |
+| `SQL = "SELECT * FROM " + table` | parameterized query |
+| `fs.readFile(path + userInput)` | `path.resolve` + allowlist |
+
+## Anti-patterns
+
+- Don't scan node_modules — noise, use `npm audit` instead
+- Don't report without remediation — "found X" is useless without "do Y"
+- Don't ignore false positives — verify before flagging (especially regex-based secrets)
+- Don't skip dependency scanning — supply chain is a real attack vector