@wrongstack/core 0.264.0 → 0.265.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-bridge-D8sa1vtv.d.ts → agent-bridge-DrkBxszZ.d.ts} +1 -1
- package/dist/{agent-subagent-runner-c9DLkaas.d.ts → agent-subagent-runner-DM2pP-B6.d.ts} +113 -11
- package/dist/{brain-O1IdKPaK.d.ts → brain-BXd_61kQ.d.ts} +31 -2
- package/dist/{compactor-BBy0rCtB.d.ts → compactor-B8pOf45Y.d.ts} +1 -1
- package/dist/{config-Dz2F3H2K.d.ts → config-BMCj_XDs.d.ts} +80 -12
- package/dist/{context-BGSpZNSE.d.ts → context-MRk5PhNv.d.ts} +26 -12
- package/dist/coordination/index.d.ts +77 -21
- package/dist/coordination/index.js +557 -159
- package/dist/coordination/index.js.map +1 -1
- package/dist/{default-config-CXsDvOmP.d.ts → default-config-B0cj-Hry.d.ts} +11 -1
- package/dist/defaults/index.d.ts +28 -28
- package/dist/defaults/index.js +609 -195
- package/dist/defaults/index.js.map +1 -1
- package/dist/execution/index.d.ts +16 -16
- package/dist/execution/index.js +394 -155
- package/dist/execution/index.js.map +1 -1
- package/dist/execution/prompt-enhancer.d.ts +2 -2
- package/dist/execution/prompt-enhancer.js +1 -1
- package/dist/execution/prompt-enhancer.js.map +1 -1
- package/dist/extension/index.d.ts +6 -6
- package/dist/{goal-preamble-DzjFuN3p.d.ts → goal-preamble-DvHDSKSe.d.ts} +14 -10
- package/dist/{goal-store-CxWmCGbH.d.ts → goal-store-DtLMySNb.d.ts} +1 -1
- package/dist/{index-CYIQrXVF.d.ts → index-B-ch8K9C.d.ts} +8 -8
- package/dist/{index-CbLSI66_.d.ts → index-CEDeNodM.d.ts} +5 -5
- package/dist/index.d.ts +183 -52
- package/dist/index.js +1779 -673
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +6 -6
- package/dist/infrastructure/index.js +12 -8
- package/dist/infrastructure/index.js.map +1 -1
- package/dist/kernel/index.d.ts +9 -9
- package/dist/kernel/index.js +1 -1
- package/dist/kernel/index.js.map +1 -1
- package/dist/{llm-selector-DzxuZnNz.d.ts → llm-selector-C0tfTCUe.d.ts} +14 -2
- package/dist/{mcp-servers-DC4QRPUI.d.ts → mcp-servers-2x4w6Jn9.d.ts} +3 -3
- package/dist/models/index.d.ts +5 -5
- package/dist/models/index.js +74 -30
- package/dist/models/index.js.map +1 -1
- package/dist/{models-registry-B_siPxqN.d.ts → models-registry-DmJlKuNp.d.ts} +1 -1
- package/dist/{multi-agent-coordinator-CK5Jdj9K.d.ts → multi-agent-coordinator-DyCkCZnU.d.ts} +1 -1
- package/dist/{null-fleet-bus-DgvD4SCO.d.ts → null-fleet-bus-CG9QY2aP.d.ts} +6 -6
- package/dist/observability/index.d.ts +2 -2
- package/dist/{parallel-eternal-engine-bK0JQBR_.d.ts → parallel-eternal-engine-Jw9uhEoT.d.ts} +9 -9
- package/dist/{path-resolver-BPEDlN38.d.ts → path-resolver-Dy2ej-gE.d.ts} +3 -3
- package/dist/{permission-4yvGmMRB.d.ts → permission-B9SB45lp.d.ts} +1 -1
- package/dist/{permission-policy-C6XpsBOy.d.ts → permission-policy-CkjSXabK.d.ts} +2 -2
- package/dist/{pipeline-CXCeMz8J.d.ts → pipeline-DPDxH_7m.d.ts} +3 -3
- package/dist/{plan-templates-BvzRBkJc.d.ts → plan-templates-CzD9GnAU.d.ts} +32 -8
- package/dist/{provider-runner-C5aQpDWE.d.ts → provider-runner-DMa70ODu.d.ts} +3 -3
- package/dist/{retry-policy-CFhdtRzz.d.ts → retry-policy-CN0khdlj.d.ts} +1 -1
- package/dist/sdd/index.d.ts +8 -8
- package/dist/sdd/index.js +274 -93
- package/dist/sdd/index.js.map +1 -1
- package/dist/{secret-vault-CxiVLbt1.d.ts → secret-vault-B2yw84VT.d.ts} +43 -4
- package/dist/secret-vault-BAKpgFw_.d.ts +57 -0
- package/dist/security/index.d.ts +5 -5
- package/dist/security/index.js +204 -23
- package/dist/security/index.js.map +1 -1
- package/dist/{selector-gIuhRTkN.d.ts → selector-CzHh_igB.d.ts} +1 -1
- package/dist/{session-event-bridge-DkvvrpDt.d.ts → session-event-bridge-BUI6Jf-4.d.ts} +1 -1
- package/dist/{session-reader-KdfVwkKP.d.ts → session-reader-CMgdMSRP.d.ts} +1 -1
- package/dist/storage/index.d.ts +112 -15
- package/dist/storage/index.js +419 -81
- package/dist/storage/index.js.map +1 -1
- package/dist/tools/index.d.ts +2 -2
- package/dist/types/index.d.ts +21 -21
- package/dist/types/index.js +261 -53
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +3 -3
- package/dist/utils/index.js +3 -5
- package/dist/utils/index.js.map +1 -1
- package/dist/{wstack-paths-CJjEwPXn.d.ts → wstack-paths-hOpNLmvf.d.ts} +2 -0
- package/package.json +1 -1
- package/skills/api-design/SKILL.md +1 -1
- package/skills/audit-log/SKILL.md +6 -6
- package/skills/bug-hunter/SKILL.md +5 -5
- package/skills/chimera/SKILL.md +4 -4
- package/skills/docker-deploy/SKILL.md +1 -1
- package/skills/git-flow/SKILL.md +3 -3
- package/skills/multi-agent/SKILL.md +3 -3
- package/skills/node-modern/SKILL.md +1 -0
- package/skills/observability/SKILL.md +2 -2
- package/skills/output-standards/SKILL.md +51 -28
- package/skills/refactor-planner/SKILL.md +3 -3
- package/skills/security-scanner/SKILL.md +4 -3
- package/skills/tech-stack/SKILL.md +1 -2
- package/dist/secret-vault-BJDY28ev.d.ts +0 -25
|
@@ -81,6 +81,8 @@ interface WstackPaths {
|
|
|
81
81
|
projectAutophase: string;
|
|
82
82
|
/** ~/.wrongstack/sync.json — CloudSync configuration */
|
|
83
83
|
syncConfig: string;
|
|
84
|
+
/** Function to get the status.json path for a project given its hash. */
|
|
85
|
+
projectStatus: (projectHash: string) => string;
|
|
84
86
|
}
|
|
85
87
|
declare function projectHash(absRoot: string): string;
|
|
86
88
|
/**
|
package/package.json
CHANGED
|
@@ -74,7 +74,7 @@ Response.json({ error: '...' }, { status: 200 }); // lies about outcome
|
|
|
74
74
|
|
|
75
75
|
```
|
|
76
76
|
POST /sessions
|
|
77
|
-
Body: { "provider": "anthropic", "model": "
|
|
77
|
+
Body: { "provider": "anthropic", "model": "<model-id>" }
|
|
78
78
|
201: { "id": "sess_abc", "provider": "anthropic", ... }
|
|
79
79
|
400: { "error": { "code": "VALIDATION_ERROR", "message": "model is required" } }
|
|
80
80
|
```
|
|
@@ -20,7 +20,7 @@ Parses WrongStack session JSONL files to extract tool usage patterns, error dist
|
|
|
20
20
|
1. Always parse from the source JSONL — never summarize what you didn't read.
|
|
21
21
|
2. Analyze one session at a time, or aggregate with clear labeling per session.
|
|
22
22
|
3. Cite specific data in reports: iteration numbers, tool names, error messages.
|
|
23
|
-
4. Flag repeated failures (same tool,5+ times) as a real issue, not noise.
|
|
23
|
+
4. Flag repeated failures (same tool, 5+ times) as a real issue, not noise.
|
|
24
24
|
5. Report cost trends in context of iteration count — a spike means context growth.
|
|
25
25
|
|
|
26
26
|
## Patterns
|
|
@@ -77,7 +77,7 @@ const errorsByType = events
|
|
|
77
77
|
- **Tool entropy**: too many different tools in one iteration = unfocused task
|
|
78
78
|
|
|
79
79
|
### Error patterns
|
|
80
|
-
- **Same error repeating**: `ToolExecutionError`47x across iterations = systemic issue
|
|
80
|
+
- **Same error repeating**: `ToolExecutionError` 47x across iterations = systemic issue
|
|
81
81
|
- **Error clustering**: all errors in `bash` tool = command timeout pattern
|
|
82
82
|
- **Error rate by type**: which error type is most common?
|
|
83
83
|
- **Error distribution**: are errors clustered in specific packages or tools?
|
|
@@ -85,7 +85,7 @@ const errorsByType = events
|
|
|
85
85
|
### Cost patterns
|
|
86
86
|
- **Token growth**: tokens/iteration trending up = context bloat
|
|
87
87
|
- **Provider cost**: which model is most expensive per call?
|
|
88
|
-
- **Cost spikes**:
|
|
88
|
+
- **Cost spikes**: sudden 3x increase = large file reads or excessive tool calls
|
|
89
89
|
- **Iteration cost variance**: avg $0.04/iter → $0.11/iter = context growing
|
|
90
90
|
|
|
91
91
|
### Context management
|
|
@@ -154,10 +154,10 @@ When reading a session file:
|
|
|
154
154
|
- Iteration 11-20: avg $0.11/iteration (context growth)
|
|
155
155
|
|
|
156
156
|
<next_steps>
|
|
157
|
-
1.
|
|
158
|
-
2. Review tool call count in iteration 14 — 50+ tool calls suggests loop
|
|
159
|
-
3. Run `pnpm test` to verify fixes for identified issues
|
|
157
|
+
1. Run the session tests and the type checker
|
|
160
158
|
</next_steps>
|
|
159
|
+
|
|
160
|
+
Investigate iterations 14–20 in the session log for the bash command timeout pattern. Review iteration 14's tool call count for loop behavior.
|
|
161
161
|
```
|
|
162
162
|
|
|
163
163
|
## Anti-patterns
|
|
@@ -17,7 +17,7 @@ Grep/read across target files to surface bugs, anti-patterns, and quality issues
|
|
|
17
17
|
|
|
18
18
|
## Rules
|
|
19
19
|
|
|
20
|
-
1. Always include `file:line`
|
|
20
|
+
1. Always include a `file:line` you have actually read — verify the line exists; never invent, guess, or extrapolate a reference. No line reference = can't be fixed.
|
|
21
21
|
2. Never scan `node_modules` — waste of time, false positives.
|
|
22
22
|
3. Don't report style issues as bugs — those are lint findings.
|
|
23
23
|
4. If >30% of findings are noise, note the false positive rate in the report.
|
|
@@ -127,10 +127,10 @@ const data: any = response.json();
|
|
|
127
127
|
Total: 16 findings in 12 files
|
|
128
128
|
|
|
129
129
|
<next_steps>
|
|
130
|
-
1.
|
|
131
|
-
2.
|
|
132
|
-
3.
|
|
133
|
-
4.
|
|
130
|
+
1. Fix the shell injection in tools/shell.ts:42
|
|
131
|
+
2. Fix the hardcoded API key in lib/config.ts:8
|
|
132
|
+
3. Fix the memory leak in tools/pool.ts:89
|
|
133
|
+
4. Fix the unsafe any cast in core/agent.ts:103
|
|
134
134
|
</next_steps>
|
|
135
135
|
```
|
|
136
136
|
|
package/skills/chimera/SKILL.md
CHANGED
|
@@ -22,7 +22,7 @@ issues the session agent may have missed.
|
|
|
22
22
|
|
|
23
23
|
1. **Only review changed files.** The list of files is provided to you — do not
|
|
24
24
|
expand scope.
|
|
25
|
-
2. **Read before judging.**
|
|
25
|
+
2. **Read before judging.** Read the file and confirm the exact line before flagging — never cite a `file:line` you haven't read.
|
|
26
26
|
3. **Be surgical.** Flag real bugs, not style preferences. If it compiles and
|
|
27
27
|
the logic is sound, it's fine.
|
|
28
28
|
4. **No re-litigation.** Do not re-raise issues already discussed in the session
|
|
@@ -57,9 +57,9 @@ Write your report as a single message appended to the chat. Use this structure:
|
|
|
57
57
|
- Clean files: N
|
|
58
58
|
|
|
59
59
|
<next_steps>
|
|
60
|
-
1.
|
|
61
|
-
2.
|
|
62
|
-
3.
|
|
60
|
+
1. Fix null deref in path/file.ts:42
|
|
61
|
+
2. Fix plaintext API key in path/config.ts:8
|
|
62
|
+
3. Fix unsafe any cast in path/helper.ts:15
|
|
63
63
|
</next_steps>
|
|
64
64
|
```
|
|
65
65
|
|
package/skills/git-flow/SKILL.md
CHANGED
|
@@ -146,10 +146,10 @@ git rebase main && git merge --ff-only feature
|
|
|
146
146
|
3. Open PR with description linking to issue
|
|
147
147
|
|
|
148
148
|
<next_steps>
|
|
149
|
-
1.
|
|
150
|
-
2. Commit with: `fix: correct race condition in token refresh`
|
|
151
|
-
3. Open PR with description linking to issue #123
|
|
149
|
+
1. Create a branch fix/session-leak, commit the token refresh fix, and push it
|
|
152
150
|
</next_steps>
|
|
151
|
+
|
|
152
|
+
Open a PR at GitHub linking to issue #123 with the commit message describing the fix.
|
|
153
153
|
```
|
|
154
154
|
|
|
155
155
|
## Skills in scope
|
|
@@ -127,9 +127,9 @@ When a leader synthesizes results from subagents:
|
|
|
127
127
|
[Deduplicated and prioritized action items]
|
|
128
128
|
|
|
129
129
|
<next_steps>
|
|
130
|
-
1.
|
|
131
|
-
2.
|
|
132
|
-
3.
|
|
130
|
+
1. Fix critical issue in <file:line>
|
|
131
|
+
2. Fix high-priority issue in <file:line>
|
|
132
|
+
3. Fix remaining issue in <file:line>
|
|
133
133
|
</next_steps>
|
|
134
134
|
```
|
|
135
135
|
|
|
@@ -113,6 +113,7 @@ setTimeout(handler, 1000, { signal: userSignal });
|
|
|
113
113
|
```ts
|
|
114
114
|
// ✅ Atomic write pattern
|
|
115
115
|
import { rename, writeFile } from 'node:fs/promises';
|
|
116
|
+
import { randomBytes } from 'node:crypto';
|
|
116
117
|
const tmp = `${target}.${randomBytes(4).toString('hex')}.tmp`;
|
|
117
118
|
await writeFile(tmp, data);
|
|
118
119
|
await rename(tmp, target);
|
|
@@ -53,7 +53,7 @@ console.log(JSON.stringify({
|
|
|
53
53
|
}));
|
|
54
54
|
|
|
55
55
|
// ✅ Trace span around a tool call
|
|
56
|
-
import { trace } from '
|
|
56
|
+
import { trace, SpanStatusCode } from '@opentelemetry/api';
|
|
57
57
|
const span = trace.getTracer('wrongstack').startSpan('bash');
|
|
58
58
|
try {
|
|
59
59
|
const result = await bash(cmd);
|
|
@@ -90,7 +90,7 @@ console.log(JSON.stringify({ event: 'tool_executed' })); // no correlation
|
|
|
90
90
|
|-------|-------------|---------|
|
|
91
91
|
| `DEBUG` | Dev-only detail | "entering parseArgs with 3 args" |
|
|
92
92
|
| `INFO` | Normal flow | "tool executed", "session started" |
|
|
93
|
-
| `WARN` | Recoverable issue | "retry
|
|
93
|
+
| `WARN` | Recoverable issue | "retry attempt 2/3", "cache miss" |
|
|
94
94
|
| `ERROR` | Needs attention | "tool timeout", "auth failure" |
|
|
95
95
|
|
|
96
96
|
## Structured log schema
|
|
@@ -15,26 +15,25 @@ extract structured data from agent responses.
|
|
|
15
15
|
|
|
16
16
|
## Rules
|
|
17
17
|
|
|
18
|
-
1. **Only the leader agent's final message
|
|
19
|
-
2. **
|
|
20
|
-
3. **
|
|
21
|
-
4. **
|
|
22
|
-
5. **
|
|
23
|
-
6. **
|
|
24
|
-
7. **
|
|
18
|
+
1. **Only the leader agent's final message SHOULD include `<next_steps>`** — subagents report findings only. If nothing is pending, omit the tag and say "No pending actions."
|
|
19
|
+
2. **`<next_steps>` is for prompt options only** — every item must be something the user can type into the prompt and submit. If a step is a human-only action (e.g., "open DevTools", "check the browser console"), put it outside the tag as informational text instead.
|
|
20
|
+
3. **Tags must be properly closed** — `<next_steps>...</next_steps>` with exact tag names.
|
|
21
|
+
4. **No markdown inside tags** — plain text only, one item per line.
|
|
22
|
+
5. **Items are prompt inputs** — not imperative instructions. Write what the user would type, not what they should do.
|
|
23
|
+
6. **Items marked `auto="true"` must include input content** — the user can copy and submit it directly.
|
|
24
|
+
7. **Keep concise** — max 5 items unless the task genuinely requires more.
|
|
25
25
|
|
|
26
26
|
## Output Format
|
|
27
27
|
|
|
28
|
-
Every agent's final message MUST end with this structure:
|
|
29
|
-
|
|
30
28
|
```
|
|
31
29
|
[... task results ...]
|
|
32
30
|
|
|
33
31
|
<next_steps>
|
|
34
|
-
1.
|
|
35
|
-
2.
|
|
36
|
-
3. Third actionable next step (if needed)
|
|
32
|
+
1. Prompt option the user can enter — phrased as what to type, not what to do
|
|
33
|
+
2. Another prompt option
|
|
37
34
|
</next_steps>
|
|
35
|
+
|
|
36
|
+
Informational text for human-only actions (outside the tag, no tag wrapper).
|
|
38
37
|
```
|
|
39
38
|
|
|
40
39
|
### Format Requirements
|
|
@@ -44,29 +43,31 @@ Every agent's final message MUST end with this structure:
|
|
|
44
43
|
| Opening tag | `<next_steps>` on its own line | `<next_steps>` |
|
|
45
44
|
| Numbered items | `1. ` prefix, one per line | `1. Fix auth bug in core/session.ts` |
|
|
46
45
|
| Closing tag | `</next_steps>` on its own line | `</next_steps>` |
|
|
47
|
-
|
|
|
48
|
-
| Blank line after | Not required | — |
|
|
46
|
+
| `auto="true"` items | Include the full input content | `1. fix in core/auth.ts:42 auto="true"` |
|
|
49
47
|
|
|
50
48
|
### ✅ Correct Examples
|
|
51
49
|
|
|
52
50
|
```
|
|
53
|
-
|
|
51
|
+
Bug Hunt complete. Found 3 critical issues.
|
|
54
52
|
|
|
55
53
|
<next_steps>
|
|
56
|
-
1. Fix shell injection in packages/cli/src/slash-commands/dev.ts:15
|
|
57
|
-
2. Replace Math.random() with randomUUID() in
|
|
58
|
-
3. Run
|
|
54
|
+
1. Fix the shell injection in packages/cli/src/slash-commands/dev.ts:15
|
|
55
|
+
2. Replace Math.random() with randomUUID() in the affected files
|
|
56
|
+
3. Run the type checker
|
|
59
57
|
</next_steps>
|
|
58
|
+
|
|
59
|
+
Open browser DevTools → Network tab to verify the WebSocket
|
|
60
|
+
connection is established before testing.
|
|
60
61
|
```
|
|
61
62
|
|
|
62
63
|
```
|
|
63
|
-
|
|
64
|
+
Audit complete. Found bash command timeout pattern in iterations 14–20.
|
|
64
65
|
|
|
65
66
|
<next_steps>
|
|
66
|
-
1.
|
|
67
|
-
2. [HIGH] packages/core/src/session-registry.ts:145 — remove ! assertion
|
|
68
|
-
3. [HIGH] packages/core/src/session-registry.ts:169 — remove ! assertion
|
|
67
|
+
1. Run the session tests and the type checker
|
|
69
68
|
</next_steps>
|
|
69
|
+
|
|
70
|
+
Review iterations 14–20 in the session log to characterize the loop.
|
|
70
71
|
```
|
|
71
72
|
|
|
72
73
|
### ❌ Incorrect Examples
|
|
@@ -102,15 +103,35 @@ Next steps:
|
|
|
102
103
|
# ❌ Missing opening/closing tags
|
|
103
104
|
```
|
|
104
105
|
|
|
106
|
+
```
|
|
107
|
+
<next_steps>
|
|
108
|
+
1. Open the browser console and check for errors # ❌ Human-only action, not a prompt
|
|
109
|
+
</next_steps>
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
## `auto="true"` Format
|
|
113
|
+
|
|
114
|
+
Items that should be auto-submitted (the user can copy-paste and send) use `auto="true"`:
|
|
115
|
+
|
|
116
|
+
```
|
|
117
|
+
<next_steps>
|
|
118
|
+
1. Run the type checker auto="true"
|
|
119
|
+
2. Fix the shell injection in packages/cli/src/slash-commands/dev.ts:15
|
|
120
|
+
</next_steps>
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
The text before `auto="true"` is the exact prompt the user would type. Items without `auto="true"` are suggestions the user can select manually.
|
|
124
|
+
|
|
105
125
|
## Subagent Requirements
|
|
106
126
|
|
|
107
127
|
When a **leader agent** synthesizes output from **subagents**, the leader MUST:
|
|
108
128
|
|
|
109
129
|
1. Collect findings from subagents (they return results, not `<next_steps>`)
|
|
110
|
-
2. Based on findings, produce a unified `<next_steps>` section
|
|
130
|
+
2. Based on findings, produce a unified `<next_steps>` section with prompt options
|
|
111
131
|
3. Remove duplicates (dedupe by file path + action)
|
|
112
132
|
4. Re-prioritize if needed (critical > high > medium > low)
|
|
113
|
-
5.
|
|
133
|
+
5. Human-only findings (e.g., "check the browser console") go outside the tag
|
|
134
|
+
6. Keep the unified list within the 5-item guideline, but no hard cap
|
|
114
135
|
|
|
115
136
|
When a **subagent** completes its task, it MUST:
|
|
116
137
|
|
|
@@ -120,13 +141,15 @@ When a **subagent** completes its task, it MUST:
|
|
|
120
141
|
|
|
121
142
|
## Anti-patterns
|
|
122
143
|
|
|
144
|
+
- **Don't put human-only actions in `<next_steps>`** — those belong outside the tag as plain text
|
|
145
|
+
- **Don't write imperative instructions** — write what the user would type, not what they should do
|
|
123
146
|
- **Don't use markdown inside `<next_steps>`** — plain text only
|
|
124
|
-
- **Don't skip the tag** — the
|
|
147
|
+
- **Don't skip the tag when there are prompt options** — the tag enables the `/next` workflow
|
|
125
148
|
- **Don't use dashes or asterisks** — use `1.`, `2.`, `3.` numbering
|
|
126
|
-
- **Don't be vague** — "fix bugs" is useless, "fix auth/session.ts:42" is
|
|
149
|
+
- **Don't be vague** — "fix bugs" is useless, "fix auth/session.ts:42" is a valid prompt
|
|
127
150
|
- **Don't exceed 5 items without reason** — if >5, it's probably not a single task
|
|
128
|
-
- **Don't write declarations of intent** — "we should refactor X" is not
|
|
129
|
-
- **Don't suggest manual review** — "manually check if X is correct" is not a
|
|
151
|
+
- **Don't write declarations of intent** — "we should refactor X" is not a prompt; "refactor core/config.ts" is
|
|
152
|
+
- **Don't suggest manual review as a prompt** — "manually check if X is correct" is not a valid LLM prompt; instead put it outside the tag
|
|
130
153
|
- **Don't include `<next_steps>` in subagent output** — subagents report findings, leaders produce next steps
|
|
131
154
|
|
|
132
155
|
## Skills in scope
|
|
@@ -157,9 +157,9 @@ config.ts → logger.ts → path-resolver.ts
|
|
|
157
157
|
- [ ] `Context` interface < 20 methods
|
|
158
158
|
|
|
159
159
|
<next_steps>
|
|
160
|
-
1.
|
|
161
|
-
2.
|
|
162
|
-
3.
|
|
160
|
+
1. Extract ToolExecutor interface in core/tool-executor.ts
|
|
161
|
+
2. Decouple SessionStore from Agent in core/session-store.ts
|
|
162
|
+
3. Break circular dep between Config and Logger in core/config.ts
|
|
163
163
|
</next_steps>
|
|
164
164
|
```
|
|
165
165
|
|
|
@@ -21,6 +21,7 @@ Scans code, configs, and dependencies for security issues. Reports with severity
|
|
|
21
21
|
4. Don't flag test fixtures — mock credentials in tests are acceptable.
|
|
22
22
|
5. Always run dependency audit — supply chain is a real attack vector.
|
|
23
23
|
6. Flag config issues (TLS disabled, HTTP in production) as CRITICAL.
|
|
24
|
+
7. Never echo a full secret into the report — redact it (short prefix + char count, e.g. `ghp_…36 chars`). Cite `file:line` you have read; don't flag from a pattern guess.
|
|
24
25
|
|
|
25
26
|
## Patterns
|
|
26
27
|
|
|
@@ -157,9 +158,9 @@ element.textContent = userInput;
|
|
|
157
158
|
- [ ] Add rate limiting to `src/api/` routes
|
|
158
159
|
|
|
159
160
|
<next_steps>
|
|
160
|
-
1.
|
|
161
|
-
2.
|
|
162
|
-
3.
|
|
161
|
+
1. Fix the hardcoded API key in src/config.ts
|
|
162
|
+
2. Fix the shell injection in src/auth/login.ts
|
|
163
|
+
3. Fix the missing rate limiting in src/api/routes.ts
|
|
163
164
|
</next_steps>
|
|
164
165
|
```
|
|
165
166
|
|
|
@@ -105,8 +105,7 @@ When APPROVED:
|
|
|
105
105
|
**Note**: <any caveats about the version, semver range, or compatibility>
|
|
106
106
|
|
|
107
107
|
<next_steps>
|
|
108
|
-
1.
|
|
109
|
-
2. [If rejected] Migration step to the recommended alternative
|
|
108
|
+
1. Add <package>@<version> to the project auto="true"
|
|
110
109
|
</next_steps>
|
|
111
110
|
```
|
|
112
111
|
|
|
@@ -1,25 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* SecretVault encrypts secrets-at-rest in config files. The wire format is
|
|
3
|
-
* `enc:v1:<base64-iv>:<base64-tag>:<base64-ciphertext>`. Plaintext strings
|
|
4
|
-
* (those that do not match this prefix) are passed through unchanged so that
|
|
5
|
-
* existing configs and env-var-derived values keep working.
|
|
6
|
-
*
|
|
7
|
-
* The vault is intentionally NOT designed to defeat a determined local
|
|
8
|
-
* attacker who can read both the config file and the key file — that level
|
|
9
|
-
* of secrecy needs the OS keychain. The goal is to keep keys from being
|
|
10
|
-
* visible in screen shares, accidental log captures, and `cat config.json`
|
|
11
|
-
* over someone's shoulder.
|
|
12
|
-
*/
|
|
13
|
-
interface SecretVault {
|
|
14
|
-
encrypt(plaintext: string): string;
|
|
15
|
-
decrypt(value: string): string;
|
|
16
|
-
isEncrypted(value: string): boolean;
|
|
17
|
-
}
|
|
18
|
-
/**
|
|
19
|
-
* No-op SecretVault that passes values through unchanged.
|
|
20
|
-
* Used in contexts where encryption is not needed — e.g. reading/writing
|
|
21
|
-
* config sections that contain no secret fields (models, settings, etc.).
|
|
22
|
-
*/
|
|
23
|
-
declare const noOpVault: SecretVault;
|
|
24
|
-
|
|
25
|
-
export { type SecretVault as S, noOpVault as n };
|