@wrongstack/core 0.6.3 → 0.6.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-bridge-eb7qnNrd.d.ts → agent-bridge-BBXK_ppx.d.ts} +1 -1
- package/dist/agent-subagent-runner-DsSm9lKN.d.ts +174 -0
- package/dist/{compactor-RIPuTtWK.d.ts → compactor-C8NhpSt5.d.ts} +1 -1
- package/dist/{config-BGGuP_Ar.d.ts → config-DfC6g6KV.d.ts} +1 -1
- package/dist/{context-CDRyrkKQ.d.ts → context-DN5v-uQX.d.ts} +11 -0
- package/dist/coordination/index.d.ts +10 -9
- package/dist/coordination/index.js +113 -20
- package/dist/coordination/index.js.map +1 -1
- package/dist/defaults/index.d.ts +21 -20
- package/dist/defaults/index.js +1329 -925
- package/dist/defaults/index.js.map +1 -1
- package/dist/{events-BHuIHekD.d.ts → events-CJqwQl8G.d.ts} +17 -1
- package/dist/execution/index.d.ts +82 -13
- package/dist/execution/index.js +1366 -74
- package/dist/execution/index.js.map +1 -1
- package/dist/extension/index.d.ts +6 -6
- package/dist/{goal-store-DVCfj7Ff.d.ts → goal-store-_Er467ya.d.ts} +2 -2
- package/dist/{index-CPcDqvZh.d.ts → index-CXnWsGBp.d.ts} +11 -175
- package/dist/{index-BOn9NK7D.d.ts → index-DcnXDPdY.d.ts} +6 -6
- package/dist/index.d.ts +28 -27
- package/dist/index.js +1068 -664
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +6 -6
- package/dist/kernel/index.d.ts +9 -9
- package/dist/kernel/index.js.map +1 -1
- package/dist/{mcp-servers-DBdh3cee.d.ts → mcp-servers-CevFHHM1.d.ts} +3 -3
- package/dist/models/index.d.ts +2 -2
- package/dist/models/index.js +5 -16
- package/dist/models/index.js.map +1 -1
- package/dist/{multi-agent-CxSb-9dQ.d.ts → multi-agent-D5IbASk_.d.ts} +16 -4
- package/dist/observability/index.d.ts +2 -2
- package/dist/{path-resolver-CMGNadvq.d.ts → path-resolver-CBx_q1HA.d.ts} +2 -2
- package/dist/{plan-templates-BJflQY2i.d.ts → plan-templates-BEOllUJV.d.ts} +5 -4
- package/dist/{provider-runner-BFgNXpaP.d.ts → provider-runner-Byh5TcJs.d.ts} +3 -3
- package/dist/{retry-policy-LKS8MHsB.d.ts → retry-policy-BZSIMxrJ.d.ts} +1 -1
- package/dist/sdd/index.d.ts +3 -3
- package/dist/{secret-scrubber-CfMdAJ_l.d.ts → secret-scrubber-CT7wefiO.d.ts} +1 -1
- package/dist/{secret-scrubber-BzQR5BiL.d.ts → secret-scrubber-I0QHY_ob.d.ts} +1 -1
- package/dist/security/index.d.ts +3 -3
- package/dist/{selector-C7HqnZJU.d.ts → selector-DDb_mq9X.d.ts} +1 -1
- package/dist/{session-reader-CzfRA6Vk.d.ts → session-reader-B9nVkziM.d.ts} +1 -1
- package/dist/storage/index.d.ts +6 -6
- package/dist/storage/index.js +27 -2
- package/dist/storage/index.js.map +1 -1
- package/dist/{system-prompt-Dl2QY1_B.d.ts → system-prompt-gL06H9P4.d.ts} +1 -1
- package/dist/{tool-executor-FoxBjULX.d.ts → tool-executor-BF7QfYVE.d.ts} +4 -4
- package/dist/types/index.d.ts +15 -15
- package/dist/types/index.js +5 -16
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +1 -1
- package/package.json +1 -1
- package/skills/audit-log/SKILL.md +57 -28
- package/skills/bug-hunter/SKILL.md +85 -61
- package/skills/git-flow/SKILL.md +73 -18
- package/skills/multi-agent/SKILL.md +69 -40
- package/skills/node-modern/SKILL.md +111 -19
- package/skills/prompt-engineering/SKILL.md +97 -16
- package/skills/react-modern/SKILL.md +104 -18
- package/skills/refactor-planner/SKILL.md +73 -43
- package/skills/sdd/SKILL.md +54 -112
- package/skills/security-scanner/SKILL.md +95 -93
- package/skills/skill-creator/SKILL.md +58 -25
- package/skills/typescript-strict/SKILL.md +107 -15
package/skills/sdd/SKILL.md
CHANGED
|
@@ -1,69 +1,50 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: sdd
|
|
3
3
|
description: |
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
version: 2.0.0
|
|
4
|
+
Use this skill when starting a non-trivial implementation, bug fix, or refactor
|
|
5
|
+
in WrongStack. Triggers: user says "/sdd", "spec", "specification", "task graph",
|
|
6
|
+
"SDD", "acceptance criteria", or starts a new feature.
|
|
7
|
+
version: 2.1.0
|
|
9
8
|
---
|
|
10
9
|
|
|
11
|
-
# Spec-Driven Development
|
|
10
|
+
# Spec-Driven Development — WrongStack
|
|
12
11
|
|
|
13
|
-
|
|
12
|
+
Every non-trivial change starts with a spec. The spec is the source of truth.
|
|
14
13
|
|
|
15
|
-
##
|
|
16
|
-
|
|
17
|
-
Every non-trivial change starts with a spec. The spec is the source of truth. Tasks are derived from specs, not the other way around.
|
|
18
|
-
|
|
19
|
-
## Workflow
|
|
20
|
-
|
|
21
|
-
```
|
|
22
|
-
Spec → Analysis → Task Graph → Visualization → Execution → Done
|
|
23
|
-
↑ ↓
|
|
24
|
-
└── Versioning ──────┘ (incremental updates)
|
|
25
|
-
```
|
|
26
|
-
|
|
27
|
-
### When to use
|
|
14
|
+
## When to use
|
|
28
15
|
|
|
29
16
|
- New feature implementation
|
|
30
17
|
- Bug fix with complexity
|
|
31
18
|
- Refactoring with scope
|
|
32
19
|
- Any task requiring more than 1 hour
|
|
33
20
|
|
|
34
|
-
##
|
|
35
|
-
|
|
36
|
-
The `/sdd` command provides the full SDD workflow through the REPL/TUI:
|
|
21
|
+
## The SDD workflow
|
|
37
22
|
|
|
38
23
|
```
|
|
39
|
-
/sdd new [title]
|
|
40
|
-
/sdd
|
|
41
|
-
/sdd
|
|
42
|
-
/sdd
|
|
43
|
-
/sdd
|
|
44
|
-
/sdd tasks <id> — Generate task graph from spec
|
|
45
|
-
/sdd graph <id> — ASCII visualization of task graph
|
|
46
|
-
/sdd status <id> — Compact task list grouped by status
|
|
47
|
-
/sdd critical <id> — Critical path analysis with bottlenecks
|
|
48
|
-
/sdd execute <id> — Auto-execute tasks (dependency-aware)
|
|
49
|
-
/sdd templates — List available spec templates
|
|
50
|
-
/sdd version <id> — Show spec version history
|
|
24
|
+
1. /sdd new [title] → Build spec from questions
|
|
25
|
+
2. /sdd tasks <id> → Generate task graph from spec
|
|
26
|
+
3. /sdd graph <id> → Visualize dependencies
|
|
27
|
+
4. /sdd critical <id> → Find bottlenecks
|
|
28
|
+
5. /sdd execute <id> → Run tasks (or execute manually)
|
|
51
29
|
```
|
|
52
30
|
|
|
53
|
-
|
|
31
|
+
## /sdd command reference
|
|
54
32
|
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
33
|
+
| Command | What it does |
|
|
34
|
+
|---------|--------------|
|
|
35
|
+
| `/sdd new [title]` | Interactive spec builder |
|
|
36
|
+
| `/sdd from <template>` | Create from template (feature, bugfix, refactor, infra, cli-command) |
|
|
37
|
+
| `/sdd list` | List saved specs |
|
|
38
|
+
| `/sdd show <id>` | Show spec + completeness |
|
|
39
|
+
| `/sdd tasks <id>` | Generate task graph |
|
|
40
|
+
| `/sdd graph <id>` | ASCII visualization |
|
|
41
|
+
| `/sdd status <id>` | Task list by status |
|
|
42
|
+
| `/sdd critical <id>` | Critical path + bottlenecks |
|
|
43
|
+
| `/sdd execute <id>` | Auto-execute tasks |
|
|
44
|
+
| `/sdd approve <id>` | Approve pending tasks |
|
|
45
|
+
| `/sdd version <id>` | Version history |
|
|
65
46
|
|
|
66
|
-
|
|
47
|
+
## Spec templates
|
|
67
48
|
|
|
68
49
|
| Template | Best for |
|
|
69
50
|
|---|---|
|
|
@@ -74,53 +55,27 @@ Built-in templates for common scenarios:
|
|
|
74
55
|
| `integration` | External service integration |
|
|
75
56
|
| `cli-command` | New CLI commands/slash commands |
|
|
76
57
|
|
|
77
|
-
## Spec
|
|
78
|
-
|
|
79
|
-
A good spec includes:
|
|
58
|
+
## Spec structure
|
|
80
59
|
|
|
60
|
+
A complete spec has:
|
|
81
61
|
1. **Overview** — What problem does this solve?
|
|
82
|
-
2. **Requirements** —
|
|
83
|
-
3. **Architecture** — High-level design if needed
|
|
84
|
-
4. **API Design** —
|
|
85
|
-
5. **
|
|
86
|
-
6. **Security** — Auth, permissions, data handling
|
|
87
|
-
7. **Acceptance Criteria** — How do we know it's done?
|
|
62
|
+
2. **Requirements** — `[priority] description` format
|
|
63
|
+
3. **Architecture** — High-level design (if needed)
|
|
64
|
+
4. **API Design** — Endpoints, inputs, outputs (if applicable)
|
|
65
|
+
5. **Acceptance Criteria** — How do we know it's done?
|
|
88
66
|
|
|
89
67
|
### Requirement format
|
|
90
68
|
|
|
91
69
|
```
|
|
92
|
-
[
|
|
93
|
-
[
|
|
94
|
-
[
|
|
70
|
+
[critical] Users can authenticate with OAuth2
|
|
71
|
+
[high] Rate limiting: 100 req/min per user
|
|
72
|
+
[medium] Response time < 200ms p95
|
|
73
|
+
[low] Support dark mode
|
|
95
74
|
```
|
|
96
75
|
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
## Persistence
|
|
100
|
-
|
|
101
|
-
Specs and task graphs are persisted under `.wrongstack/`:
|
|
102
|
-
|
|
103
|
-
```
|
|
104
|
-
.wrongstack/
|
|
105
|
-
specs/
|
|
106
|
-
_index.json — Spec index for fast listing
|
|
107
|
-
<uuid>.json — Individual spec files
|
|
108
|
-
task-graphs/
|
|
109
|
-
_index.json — Task graph index
|
|
110
|
-
<uuid>.json — Individual graph files (Map-aware JSON)
|
|
111
|
-
```
|
|
112
|
-
|
|
113
|
-
## Task generation
|
|
114
|
-
|
|
115
|
-
Tasks are derived from requirements:
|
|
116
|
-
|
|
117
|
-
- Each requirement → one or more tasks
|
|
118
|
-
- Requirements with acceptance criteria → separate test tasks
|
|
119
|
-
- Critical requirements → tasks marked critical
|
|
120
|
-
- Blocked requirements → blocked tasks
|
|
121
|
-
|
|
122
|
-
## Task states
|
|
76
|
+
## Task graph generation
|
|
123
77
|
|
|
78
|
+
Each requirement generates one or more tasks. Tasks have states:
|
|
124
79
|
```
|
|
125
80
|
pending → in_progress → review → completed
|
|
126
81
|
↓
|
|
@@ -129,37 +84,24 @@ pending → in_progress → review → completed
|
|
|
129
84
|
failed
|
|
130
85
|
```
|
|
131
86
|
|
|
132
|
-
## Critical
|
|
133
|
-
|
|
134
|
-
The critical path identifies:
|
|
87
|
+
## Critical path
|
|
135
88
|
|
|
136
|
-
|
|
137
|
-
- **
|
|
89
|
+
The critical path finds:
|
|
90
|
+
- **Bottleneck tasks** blocking the most downstream work
|
|
91
|
+
- **Parallel groups** that can run concurrently
|
|
138
92
|
- **Ready tasks** that can start immediately
|
|
139
93
|
- **Execution order** respecting all dependencies
|
|
140
94
|
|
|
141
|
-
##
|
|
142
|
-
|
|
143
|
-
When requirements change:
|
|
144
|
-
|
|
145
|
-
- Added requirements → new tasks generated
|
|
146
|
-
- Removed requirements → tasks removed
|
|
147
|
-
- Modified requirements → tasks updated (description, priority, dependencies)
|
|
148
|
-
- Version history tracked for audit trail
|
|
149
|
-
|
|
150
|
-
## Auto-Execution
|
|
151
|
-
|
|
152
|
-
The auto-executor runs tasks with:
|
|
95
|
+
## Anti-patterns
|
|
153
96
|
|
|
154
|
-
-
|
|
155
|
-
-
|
|
156
|
-
-
|
|
157
|
-
-
|
|
97
|
+
- **Writing code before the spec** — you'll rewrite it anyway
|
|
98
|
+
- **Spec that's too vague** — "improve auth" is not a spec, "Users authenticate via OAuth2 with PKCE" is
|
|
99
|
+
- **Tasks with no dependencies** — everything is a dependency of something
|
|
100
|
+
- **Spec without acceptance criteria** — how do you know when it's done?
|
|
101
|
+
- **Skipping /sdd for urgent tasks** — the spec is what makes "urgent" possible
|
|
158
102
|
|
|
159
|
-
##
|
|
103
|
+
## Skills in scope
|
|
160
104
|
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
3. Documentation updated
|
|
165
|
-
4. No blocked tasks remaining
|
|
105
|
+
- `refactor-planner` — when the spec reveals a multi-file refactor
|
|
106
|
+
- `bug-hunter` — when a bugfix spec needs a root cause analysis section
|
|
107
|
+
- `multi-agent` — for executing parallel task groups
|
|
@@ -1,117 +1,119 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: security-scanner
|
|
3
3
|
description: |
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
version: 1.
|
|
4
|
+
Use this skill when scanning code or configuration for security vulnerabilities
|
|
5
|
+
in WrongStack. Triggers: user says "security", "vulnerability", "CVE", "secret",
|
|
6
|
+
"injection", "XSS", "SQL injection", "audit security", "supply chain".
|
|
7
|
+
version: 1.1.0
|
|
8
8
|
---
|
|
9
9
|
|
|
10
|
-
# Security Scanner
|
|
10
|
+
# Security Scanner — WrongStack
|
|
11
11
|
|
|
12
|
-
Scans code, configs, and dependencies for security issues
|
|
13
|
-
hardcoded secrets to injection vulnerabilities and supply chain risks.
|
|
14
|
-
|
|
15
|
-
## Capabilities
|
|
16
|
-
|
|
17
|
-
- Detect hardcoded secrets: API keys, tokens, passwords, private keys
|
|
18
|
-
- Find injection vectors: eval, innerHTML, SQL concatenation, shell injection
|
|
19
|
-
- Identify insecure patterns: weak crypto, hardcoded IVs, disabled TLS verification
|
|
20
|
-
- Scan dependencies for known CVEs (via package audit)
|
|
21
|
-
- Flag supply chain risks: unverified scripts, postinstall hooks, .npmrc issues
|
|
12
|
+
Scans code, configs, and dependencies for security issues.
|
|
22
13
|
|
|
23
14
|
## Workflow
|
|
24
15
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
## Input
|
|
33
|
-
|
|
34
|
-
```json
|
|
35
|
-
{
|
|
36
|
-
"task": "scan | audit | secrets | dependencies",
|
|
37
|
-
"paths": ["src", "config"],
|
|
38
|
-
"depth": "quick | normal | deep",
|
|
39
|
-
"excludePaths": ["node_modules", "dist"]
|
|
40
|
-
}
|
|
16
|
+
```
|
|
17
|
+
1. Scope: Accept paths or use sensible defaults
|
|
18
|
+
2. Secrets: Regex scan for credential patterns
|
|
19
|
+
3. Injection: Pattern match dangerous constructs
|
|
20
|
+
4. Config: Check TLS, crypto, auth configurations
|
|
21
|
+
5. Audit: Run package audit
|
|
22
|
+
6. Report: Prioritized markdown with remediation
|
|
41
23
|
```
|
|
42
24
|
|
|
43
|
-
##
|
|
25
|
+
## Severity levels
|
|
44
26
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
const awsKey = "AKIAIOSFODNN7EXAMPLE"; // ← remove this
|
|
52
|
-
```
|
|
53
|
-
2. **[CRITICAL]** `.env:3` — Private key committed to repo
|
|
54
|
-
```
|
|
55
|
-
PEM_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
|
|
56
|
-
```
|
|
57
|
-
|
|
58
|
-
### HIGH: Injection Vectors
|
|
59
|
-
3. **[HIGH]** `lib/renderer.ts:42` — innerHTML assignment
|
|
60
|
-
```ts
|
|
61
|
-
element.innerHTML = userInput; // ← sanitize or use textContent
|
|
62
|
-
```
|
|
63
|
-
4. **[HIGH]** `tools/shell.ts:15` — shell injection via template literal
|
|
64
|
-
```ts
|
|
65
|
-
exec(`echo ${userInput}`); // ← escape or use array form
|
|
66
|
-
```
|
|
67
|
-
|
|
68
|
-
### MEDIUM: Insecure Patterns
|
|
69
|
-
5. **[MEDIUM]** `lib/crypto.ts:9` — MD5 used for hashing (not for passwords)
|
|
70
|
-
6. **[MEDIUM]** `server.ts:22` — TLS certificate verification disabled
|
|
71
|
-
|
|
72
|
-
### Dependency Issues
|
|
73
|
-
7. **[HIGH]** `lodash < 4.17.21` — CVE-2021-23337
|
|
74
|
-
8. **[MEDIUM]** `minimist < 1.2.6` — CVE-2021-44906
|
|
75
|
-
|
|
76
|
-
## Summary
|
|
77
|
-
| Severity | Count |
|
|
78
|
-
|----------|-------|
|
|
79
|
-
| Critical | 2 |
|
|
80
|
-
| High | 4 |
|
|
81
|
-
| Medium | 3 |
|
|
82
|
-
| Low | 1 |
|
|
27
|
+
| Level | Meaning | Action |
|
|
28
|
+
|-------|---------|--------|
|
|
29
|
+
| **CRITICAL** | Active exploit possible | Fix immediately |
|
|
30
|
+
| **HIGH** | Vulnerability likely exploitable | Fix before release |
|
|
31
|
+
| **MEDIUM** | Risk exists but harder to exploit | Fix soon |
|
|
32
|
+
| **LOW** | Best practice violation | Consider fixing |
|
|
83
33
|
|
|
84
|
-
##
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
34
|
+
## Secret patterns
|
|
35
|
+
|
|
36
|
+
```
|
|
37
|
+
| Pattern | Example | Level |
|
|
38
|
+
|---------|---------|-------|
|
|
39
|
+
| GitHub token | `ghp_[a-zA-Z0-9]{36}` | CRITICAL |
|
|
40
|
+
| AWS Access Key | `[A-Z0-9]{20}` | CRITICAL |
|
|
41
|
+
| AWS Secret | base64 40-char | CRITICAL |
|
|
42
|
+
| Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | CRITICAL |
|
|
43
|
+
| JWT | `eyJ[a-zA-Z0-9_-]+` | HIGH |
|
|
44
|
+
| Generic API Key | 32+ random chars | MEDIUM |
|
|
45
|
+
| Bearer token | `Authorization: Bearer xxx` | HIGH |
|
|
89
46
|
```
|
|
90
47
|
|
|
91
|
-
##
|
|
48
|
+
## Real examples
|
|
49
|
+
|
|
50
|
+
```typescript
|
|
51
|
+
// ❌ CRITICAL — hardcoded AWS credentials
|
|
52
|
+
const awsKey = "AKIAIOSFODNN7EXAMPLE";
|
|
53
|
+
|
|
54
|
+
// ❌ CRITICAL — private key committed
|
|
55
|
+
const pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
|
|
56
|
+
|
|
57
|
+
// ❌ HIGH — JWT in code
|
|
58
|
+
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
|
|
59
|
+
|
|
60
|
+
// ❌ HIGH — XSS via innerHTML
|
|
61
|
+
element.innerHTML = userInput;
|
|
62
|
+
|
|
63
|
+
// ❌ HIGH — shell injection
|
|
64
|
+
exec(`find . -name ${userInput}`);
|
|
65
|
+
|
|
66
|
+
// ❌ HIGH — SQL injection
|
|
67
|
+
const query = "SELECT * FROM users WHERE id = " + userId;
|
|
92
68
|
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
| AWS Access Key | `AKIAIOSFODNN7EXAMPLE` | critical |
|
|
96
|
-
| AWS Secret Key | `[a-zA-Z0-9/+=]{40}` base64 | critical |
|
|
97
|
-
| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | critical |
|
|
98
|
-
| Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | critical |
|
|
99
|
-
| JWT | `eyJ[a-zA-Z0-9_-]+` | high |
|
|
100
|
-
| Generic API Key | `[a-zA-Z0-9]{32,}` | medium |
|
|
69
|
+
// ✅ SAFE — parameterized query
|
|
70
|
+
db.query("SELECT * FROM users WHERE id = $1", [userId]);
|
|
101
71
|
|
|
102
|
-
|
|
72
|
+
// ✅ SAFE — escape user input
|
|
73
|
+
element.textContent = userInput;
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
## Injection vectors
|
|
103
77
|
|
|
104
|
-
| Construct | Safe
|
|
105
|
-
|
|
106
|
-
| `eval(str)` | `new Function()` or parse |
|
|
107
|
-
| `innerHTML = x` | `textContent` or sanitize |
|
|
78
|
+
| Construct | Safe alternative |
|
|
79
|
+
|-----------|-------------------|
|
|
80
|
+
| `eval(str)` | `new Function()` or parse then evaluate |
|
|
81
|
+
| `innerHTML = x` | `textContent` or DOMPurify.sanitize |
|
|
108
82
|
| `exec(\`cmd ${input}\`)` | `execFile` with args array |
|
|
109
83
|
| `SQL = "SELECT * FROM " + table` | parameterized query |
|
|
110
84
|
| `fs.readFile(path + userInput)` | `path.resolve` + allowlist |
|
|
111
85
|
|
|
86
|
+
## Configuration checks
|
|
87
|
+
|
|
88
|
+
```
|
|
89
|
+
- TLS verification disabled? → CRITICAL for production
|
|
90
|
+
- HTTP instead of HTTPS? → MEDIUM for production
|
|
91
|
+
- Secrets in env vars logged to console? → CRITICAL
|
|
92
|
+
- Hardcoded credentials in config? → CRITICAL
|
|
93
|
+
- Overly permissive CORS? → MEDIUM
|
|
94
|
+
- Missing rate limiting? → MEDIUM-HIGH
|
|
95
|
+
```
|
|
96
|
+
|
|
112
97
|
## Anti-patterns
|
|
113
98
|
|
|
114
|
-
- Don't scan node_modules —
|
|
115
|
-
- Don't report without remediation — "found X" is useless without "do Y"
|
|
116
|
-
- Don't ignore false positives — verify before flagging (especially
|
|
117
|
-
- Don't skip dependency scanning — supply chain is a real attack vector
|
|
99
|
+
- **Don't scan `node_modules`** — use `npm audit` instead
|
|
100
|
+
- **Don't report without remediation** — "found X" is useless without "do Y"
|
|
101
|
+
- **Don't ignore false positives** — verify regex matches before flagging (especially generic patterns)
|
|
102
|
+
- **Don't skip dependency scanning** — supply chain is a real attack vector
|
|
103
|
+
- **Don't flag test fixtures** — mock credentials in tests are ok, but not in production code
|
|
104
|
+
|
|
105
|
+
## Remediation template
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
## Remediation Checklist
|
|
109
|
+
- [ ] Remove hardcoded credentials from `src/config.ts`
|
|
110
|
+
- [ ] Move secrets to environment variables, add to .gitignore
|
|
111
|
+
- [ ] Use parameterized queries in `src/db/` files
|
|
112
|
+
- [ ] Add rate limiting to `src/api/` routes
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
## Skills in scope
|
|
116
|
+
|
|
117
|
+
- `bug-hunter` — for general code quality bugs found during security scan
|
|
118
|
+
- `audit-log` — for dependency version audit trails
|
|
119
|
+
- `git-flow` — for committing security patches properly
|
|
@@ -1,17 +1,16 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: skill-creator
|
|
3
3
|
description: |
|
|
4
|
-
Use this skill when the user wants to create a new AI skill.
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
version: 1.0.0
|
|
4
|
+
Use this skill when the user wants to create a new AI skill in WrongStack.
|
|
5
|
+
Triggers: user says "create a skill", "new skill", "add a skill", "skill definition".
|
|
6
|
+
version: 1.1.0
|
|
8
7
|
---
|
|
9
8
|
|
|
10
|
-
# Skill Creator
|
|
9
|
+
# Skill Creator — WrongStack
|
|
11
10
|
|
|
12
|
-
Guide the user through creating a new
|
|
11
|
+
Guide the user through creating a new skill. You are the wizard — ask questions, validate answers, write the file.
|
|
13
12
|
|
|
14
|
-
## Skill
|
|
13
|
+
## Skill format
|
|
15
14
|
|
|
16
15
|
Every skill is a Markdown file with YAML frontmatter:
|
|
17
16
|
|
|
@@ -19,8 +18,8 @@ Every skill is a Markdown file with YAML frontmatter:
|
|
|
19
18
|
---
|
|
20
19
|
name: my-skill-name
|
|
21
20
|
description: |
|
|
22
|
-
|
|
23
|
-
|
|
21
|
+
Use this skill when <trigger situation>.
|
|
22
|
+
Triggers: user says "keyword", "another keyword".
|
|
24
23
|
version: 1.0.0
|
|
25
24
|
---
|
|
26
25
|
|
|
@@ -35,10 +34,14 @@ What this skill does.
|
|
|
35
34
|
|
|
36
35
|
## Patterns
|
|
37
36
|
### Do
|
|
38
|
-
|
|
37
|
+
\`\`\`ts
|
|
38
|
+
// good example
|
|
39
|
+
\`\`\`
|
|
39
40
|
|
|
40
41
|
### Don't
|
|
41
|
-
|
|
42
|
+
\`\`\`ts
|
|
43
|
+
// bad example
|
|
44
|
+
\`\`\`
|
|
42
45
|
|
|
43
46
|
## Workflow
|
|
44
47
|
1. Step one
|
|
@@ -51,23 +54,42 @@ Skills live in directories under these paths (priority order):
|
|
|
51
54
|
|
|
52
55
|
1. **Project**: `<project>/.wrongstack/skills/<name>/SKILL.md`
|
|
53
56
|
2. **User global**: `~/.wrongstack/skills/<name>/SKILL.md`
|
|
54
|
-
3. **Bundled**: `packages/core/skills/<name>/SKILL.md` (read-only)
|
|
57
|
+
3. **Bundled**: `packages/core/skills/<name>/SKILL.md` (read-only, for core team)
|
|
55
58
|
|
|
56
|
-
For user-created skills
|
|
59
|
+
For user-created skills: always use path 1 (project level).
|
|
57
60
|
|
|
58
61
|
## Naming Rules
|
|
59
62
|
|
|
60
|
-
- kebab-case
|
|
63
|
+
- **kebab-case**: `my-skill`, `docker-deploy`, `api-testing`
|
|
61
64
|
- Lowercase letters, numbers, hyphens only
|
|
62
65
|
- No spaces, no underscores, no uppercase
|
|
63
66
|
- Directory name = skill name
|
|
64
67
|
|
|
65
|
-
##
|
|
68
|
+
## The Trigger — the most important part
|
|
69
|
+
|
|
70
|
+
The **first sentence** of the `description` is the trigger. This is the **only** thing the skill loader matches on.
|
|
71
|
+
|
|
72
|
+
```
|
|
73
|
+
# ✅ Good — specific trigger that can be matched
|
|
74
|
+
Use this skill when deploying Docker containers to a production cluster.
|
|
75
|
+
|
|
76
|
+
# ❌ Bad — vague, can't be matched
|
|
77
|
+
This skill is about Docker deployment.
|
|
78
|
+
|
|
79
|
+
# ✅ Good — pattern-matchable
|
|
80
|
+
Use this skill when writing or reviewing React 19+ code.
|
|
81
|
+
|
|
82
|
+
# ❌ Bad — too broad
|
|
83
|
+
This skill is about code.
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
After the trigger sentence, add `Triggers: user says "X", "Y", "Z".` so agents know when to delegate.
|
|
66
87
|
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
-
|
|
88
|
+
## Description rules
|
|
89
|
+
|
|
90
|
+
- First sentence = trigger condition
|
|
91
|
+
- Second sentence = what it covers
|
|
92
|
+
- Triggers list = specific keywords or phrases
|
|
71
93
|
- Multi-line descriptions use YAML block scalar (`|`)
|
|
72
94
|
|
|
73
95
|
## Content Guidelines
|
|
@@ -76,16 +98,14 @@ For user-created skills, always use path 1 (project level).
|
|
|
76
98
|
- **Patterns**: actual code examples, not pseudocode
|
|
77
99
|
- **Anti-patterns**: show what NOT to do with real code
|
|
78
100
|
- **Workflows**: step-by-step, actionable, not theoretical
|
|
79
|
-
-
|
|
101
|
+
- **Skills in scope**: list related skills at the bottom for delegation
|
|
80
102
|
|
|
81
103
|
## Creation Workflow
|
|
82
104
|
|
|
83
|
-
When the user wants to create a skill:
|
|
84
|
-
|
|
85
105
|
1. **Ask the name** — suggest kebab-case, validate format
|
|
86
|
-
2. **Ask the
|
|
87
|
-
3. **Ask
|
|
88
|
-
4. **Generate the SKILL.md** — write
|
|
106
|
+
2. **Ask the trigger** — "What situation should activate this skill?"
|
|
107
|
+
3. **Ask the coverage** — what rules, patterns, workflows?
|
|
108
|
+
4. **Generate the SKILL.md** — write to `.wrongstack/skills/<name>/SKILL.md`
|
|
89
109
|
5. **Confirm** — show the path, remind them to use `/skill` to list skills
|
|
90
110
|
|
|
91
111
|
## Validation Checklist
|
|
@@ -96,3 +116,16 @@ Before writing the file, verify:
|
|
|
96
116
|
- [ ] Description has a clear trigger sentence
|
|
97
117
|
- [ ] Content is actionable (rules, patterns, not just prose)
|
|
98
118
|
- [ ] File will be placed in `.wrongstack/skills/`
|
|
119
|
+
|
|
120
|
+
## Existing skills (don't collide)
|
|
121
|
+
|
|
122
|
+
```
|
|
123
|
+
audit-log, bug-hunter, git-flow, multi-agent, node-modern,
|
|
124
|
+
prompt-engineering, react-modern, refactor-planner, sdd,
|
|
125
|
+
security-scanner, skill-creator, typescript-strict
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
## Skills in scope
|
|
129
|
+
|
|
130
|
+
- `prompt-engineering` — for crafting the skill description and prompt text
|
|
131
|
+
- `git-flow` — for committing the new skill file
|