@wrongstack/core 0.6.3 → 0.6.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (63) hide show
  1. package/dist/{agent-bridge-eb7qnNrd.d.ts → agent-bridge-BBXK_ppx.d.ts} +1 -1
  2. package/dist/agent-subagent-runner-DsSm9lKN.d.ts +174 -0
  3. package/dist/{compactor-RIPuTtWK.d.ts → compactor-C8NhpSt5.d.ts} +1 -1
  4. package/dist/{config-BGGuP_Ar.d.ts → config-DfC6g6KV.d.ts} +1 -1
  5. package/dist/{context-CDRyrkKQ.d.ts → context-DN5v-uQX.d.ts} +11 -0
  6. package/dist/coordination/index.d.ts +10 -9
  7. package/dist/coordination/index.js +113 -20
  8. package/dist/coordination/index.js.map +1 -1
  9. package/dist/defaults/index.d.ts +21 -20
  10. package/dist/defaults/index.js +1329 -925
  11. package/dist/defaults/index.js.map +1 -1
  12. package/dist/{events-BHuIHekD.d.ts → events-CJqwQl8G.d.ts} +17 -1
  13. package/dist/execution/index.d.ts +82 -13
  14. package/dist/execution/index.js +1366 -74
  15. package/dist/execution/index.js.map +1 -1
  16. package/dist/extension/index.d.ts +6 -6
  17. package/dist/{goal-store-DVCfj7Ff.d.ts → goal-store-_Er467ya.d.ts} +2 -2
  18. package/dist/{index-CPcDqvZh.d.ts → index-CXnWsGBp.d.ts} +11 -175
  19. package/dist/{index-BOn9NK7D.d.ts → index-DcnXDPdY.d.ts} +6 -6
  20. package/dist/index.d.ts +28 -27
  21. package/dist/index.js +1068 -664
  22. package/dist/index.js.map +1 -1
  23. package/dist/infrastructure/index.d.ts +6 -6
  24. package/dist/kernel/index.d.ts +9 -9
  25. package/dist/kernel/index.js.map +1 -1
  26. package/dist/{mcp-servers-DBdh3cee.d.ts → mcp-servers-CevFHHM1.d.ts} +3 -3
  27. package/dist/models/index.d.ts +2 -2
  28. package/dist/models/index.js +5 -16
  29. package/dist/models/index.js.map +1 -1
  30. package/dist/{multi-agent-CxSb-9dQ.d.ts → multi-agent-D5IbASk_.d.ts} +16 -4
  31. package/dist/observability/index.d.ts +2 -2
  32. package/dist/{path-resolver-CMGNadvq.d.ts → path-resolver-CBx_q1HA.d.ts} +2 -2
  33. package/dist/{plan-templates-BJflQY2i.d.ts → plan-templates-BEOllUJV.d.ts} +5 -4
  34. package/dist/{provider-runner-BFgNXpaP.d.ts → provider-runner-Byh5TcJs.d.ts} +3 -3
  35. package/dist/{retry-policy-LKS8MHsB.d.ts → retry-policy-BZSIMxrJ.d.ts} +1 -1
  36. package/dist/sdd/index.d.ts +3 -3
  37. package/dist/{secret-scrubber-CfMdAJ_l.d.ts → secret-scrubber-CT7wefiO.d.ts} +1 -1
  38. package/dist/{secret-scrubber-BzQR5BiL.d.ts → secret-scrubber-I0QHY_ob.d.ts} +1 -1
  39. package/dist/security/index.d.ts +3 -3
  40. package/dist/{selector-C7HqnZJU.d.ts → selector-DDb_mq9X.d.ts} +1 -1
  41. package/dist/{session-reader-CzfRA6Vk.d.ts → session-reader-B9nVkziM.d.ts} +1 -1
  42. package/dist/storage/index.d.ts +6 -6
  43. package/dist/storage/index.js +27 -2
  44. package/dist/storage/index.js.map +1 -1
  45. package/dist/{system-prompt-Dl2QY1_B.d.ts → system-prompt-gL06H9P4.d.ts} +1 -1
  46. package/dist/{tool-executor-FoxBjULX.d.ts → tool-executor-BF7QfYVE.d.ts} +4 -4
  47. package/dist/types/index.d.ts +15 -15
  48. package/dist/types/index.js +5 -16
  49. package/dist/types/index.js.map +1 -1
  50. package/dist/utils/index.d.ts +1 -1
  51. package/package.json +1 -1
  52. package/skills/audit-log/SKILL.md +57 -28
  53. package/skills/bug-hunter/SKILL.md +85 -61
  54. package/skills/git-flow/SKILL.md +73 -18
  55. package/skills/multi-agent/SKILL.md +69 -40
  56. package/skills/node-modern/SKILL.md +111 -19
  57. package/skills/prompt-engineering/SKILL.md +97 -16
  58. package/skills/react-modern/SKILL.md +104 -18
  59. package/skills/refactor-planner/SKILL.md +73 -43
  60. package/skills/sdd/SKILL.md +54 -112
  61. package/skills/security-scanner/SKILL.md +95 -93
  62. package/skills/skill-creator/SKILL.md +58 -25
  63. package/skills/typescript-strict/SKILL.md +107 -15
@@ -1,69 +1,50 @@
1
1
  ---
2
2
  name: sdd
3
3
  description: |
4
- Specification-driven development workflow. Covers spec parsing,
5
- task graph generation from requirements, dependency tracking,
6
- interactive spec building, persistence, visualization, critical
7
- path analysis, spec versioning, and auto-execution.
8
- version: 2.0.0
4
+ Use this skill when starting a non-trivial implementation, bug fix, or refactor
5
+ in WrongStack. Triggers: user says "/sdd", "spec", "specification", "task graph",
6
+ "SDD", "acceptance criteria", or starts a new feature.
7
+ version: 2.1.0
9
8
  ---
10
9
 
11
- # Spec-Driven Development
10
+ # Spec-Driven Development — WrongStack
12
11
 
13
- Guide the agent through specification-first development workflow.
12
+ Every non-trivial change starts with a spec. The spec is the source of truth.
14
13
 
15
- ## Core Principle
16
-
17
- Every non-trivial change starts with a spec. The spec is the source of truth. Tasks are derived from specs, not the other way around.
18
-
19
- ## Workflow
20
-
21
- ```
22
- Spec → Analysis → Task Graph → Visualization → Execution → Done
23
- ↑ ↓
24
- └── Versioning ──────┘ (incremental updates)
25
- ```
26
-
27
- ### When to use
14
+ ## When to use
28
15
 
29
16
  - New feature implementation
30
17
  - Bug fix with complexity
31
18
  - Refactoring with scope
32
19
  - Any task requiring more than 1 hour
33
20
 
34
- ## Slash Command: /sdd
35
-
36
- The `/sdd` command provides the full SDD workflow through the REPL/TUI:
21
+ ## The SDD workflow
37
22
 
38
23
  ```
39
- /sdd new [title] Interactive spec builder (question-driven)
40
- /sdd from <template> Create from template (feature|bugfix|refactor|infra|integration|cli-command)
41
- /sdd list — List saved specs
42
- /sdd show <id> Show spec details + completeness analysis
43
- /sdd analyze <id> Deep spec analysis (gaps, risks, suggestions)
44
- /sdd tasks <id> — Generate task graph from spec
45
- /sdd graph <id> — ASCII visualization of task graph
46
- /sdd status <id> — Compact task list grouped by status
47
- /sdd critical <id> — Critical path analysis with bottlenecks
48
- /sdd execute <id> — Auto-execute tasks (dependency-aware)
49
- /sdd templates — List available spec templates
50
- /sdd version <id> — Show spec version history
24
+ 1. /sdd new [title] Build spec from questions
25
+ 2. /sdd tasks <id> Generate task graph from spec
26
+ 3. /sdd graph <id> → Visualize dependencies
27
+ 4. /sdd critical <id> Find bottlenecks
28
+ 5. /sdd execute <id> Run tasks (or execute manually)
51
29
  ```
52
30
 
53
- ### Full workflow example
31
+ ## /sdd command reference
54
32
 
55
- ```
56
- 1. /sdd new Auth System
57
- 2. Answer questions (title, overview, requirements, acceptance criteria)
58
- 3. /sdd tasks <id> → generates task graph
59
- 4. /sdd graph <id> → visualize dependencies
60
- 5. /sdd critical <id> → find bottlenecks
61
- 6. /sdd execute <id> → run tasks autonomously
62
- ```
63
-
64
- ## Spec Templates
33
+ | Command | What it does |
34
+ |---------|--------------|
35
+ | `/sdd new [title]` | Interactive spec builder |
36
+ | `/sdd from <template>` | Create from template (feature, bugfix, refactor, infra, cli-command) |
37
+ | `/sdd list` | List saved specs |
38
+ | `/sdd show <id>` | Show spec + completeness |
39
+ | `/sdd tasks <id>` | Generate task graph |
40
+ | `/sdd graph <id>` | ASCII visualization |
41
+ | `/sdd status <id>` | Task list by status |
42
+ | `/sdd critical <id>` | Critical path + bottlenecks |
43
+ | `/sdd execute <id>` | Auto-execute tasks |
44
+ | `/sdd approve <id>` | Approve pending tasks |
45
+ | `/sdd version <id>` | Version history |
65
46
 
66
- Built-in templates for common scenarios:
47
+ ## Spec templates
67
48
 
68
49
  | Template | Best for |
69
50
  |---|---|
@@ -74,53 +55,27 @@ Built-in templates for common scenarios:
74
55
  | `integration` | External service integration |
75
56
  | `cli-command` | New CLI commands/slash commands |
76
57
 
77
- ## Spec sections
78
-
79
- A good spec includes:
58
+ ## Spec structure
80
59
 
60
+ A complete spec has:
81
61
  1. **Overview** — What problem does this solve?
82
- 2. **Requirements** — Functional and non-functional requirements with priorities
83
- 3. **Architecture** — High-level design if needed
84
- 4. **API Design** — If applicable
85
- 5. **Data Model** — If applicable
86
- 6. **Security** — Auth, permissions, data handling
87
- 7. **Acceptance Criteria** — How do we know it's done?
62
+ 2. **Requirements** — `[priority] description` format
63
+ 3. **Architecture** — High-level design (if needed)
64
+ 4. **API Design** — Endpoints, inputs, outputs (if applicable)
65
+ 5. **Acceptance Criteria** — How do we know it's done?
88
66
 
89
67
  ### Requirement format
90
68
 
91
69
  ```
92
- [functional] User can authenticate with OAuth2
93
- [security] Rate limiting: 100 req/min per user
94
- [performance] Response time < 200ms p95
70
+ [critical] Users can authenticate with OAuth2
71
+ [high] Rate limiting: 100 req/min per user
72
+ [medium] Response time < 200ms p95
73
+ [low] Support dark mode
95
74
  ```
96
75
 
97
- Priority markers: `[critical]`, `[high]`, `[medium]`, `[low]`
98
-
99
- ## Persistence
100
-
101
- Specs and task graphs are persisted under `.wrongstack/`:
102
-
103
- ```
104
- .wrongstack/
105
- specs/
106
- _index.json — Spec index for fast listing
107
- <uuid>.json — Individual spec files
108
- task-graphs/
109
- _index.json — Task graph index
110
- <uuid>.json — Individual graph files (Map-aware JSON)
111
- ```
112
-
113
- ## Task generation
114
-
115
- Tasks are derived from requirements:
116
-
117
- - Each requirement → one or more tasks
118
- - Requirements with acceptance criteria → separate test tasks
119
- - Critical requirements → tasks marked critical
120
- - Blocked requirements → blocked tasks
121
-
122
- ## Task states
76
+ ## Task graph generation
123
77
 
78
+ Each requirement generates one or more tasks. Tasks have states:
124
79
  ```
125
80
  pending → in_progress → review → completed
126
81
 
@@ -129,37 +84,24 @@ pending → in_progress → review → completed
129
84
  failed
130
85
  ```
131
86
 
132
- ## Critical Path Analysis
133
-
134
- The critical path identifies:
87
+ ## Critical path
135
88
 
136
- - **Bottleneck tasks** that block the most downstream work
137
- - **Parallel groups** of tasks that can execute concurrently
89
+ The critical path finds:
90
+ - **Bottleneck tasks** blocking the most downstream work
91
+ - **Parallel groups** that can run concurrently
138
92
  - **Ready tasks** that can start immediately
139
93
  - **Execution order** respecting all dependencies
140
94
 
141
- ## Spec Versioning
142
-
143
- When requirements change:
144
-
145
- - Added requirements → new tasks generated
146
- - Removed requirements → tasks removed
147
- - Modified requirements → tasks updated (description, priority, dependencies)
148
- - Version history tracked for audit trail
149
-
150
- ## Auto-Execution
151
-
152
- The auto-executor runs tasks with:
95
+ ## Anti-patterns
153
96
 
154
- - Dependency-aware ordering (blocked tasks wait)
155
- - Automatic retry on transient failures (configurable max retries)
156
- - Deadlock detection (all remaining blocked by failed tasks)
157
- - Progress tracking and event emission
97
+ - **Writing code before the spec** — you'll rewrite it anyway
98
+ - **Spec that's too vague** "improve auth" is not a spec, "Users authenticate via OAuth2 with PKCE" is
99
+ - **Tasks with no dependencies** everything is a dependency of something
100
+ - **Spec without acceptance criteria** — how do you know when it's done?
101
+ - **Skipping /sdd for urgent tasks** — the spec is what makes "urgent" possible
158
102
 
159
- ## Done conditions
103
+ ## Skills in scope
160
104
 
161
- A feature is done when:
162
- 1. All critical and high priority tasks completed
163
- 2. Tests written and passing
164
- 3. Documentation updated
165
- 4. No blocked tasks remaining
105
+ - `refactor-planner` when the spec reveals a multi-file refactor
106
+ - `bug-hunter` when a bugfix spec needs a root cause analysis section
107
+ - `multi-agent` for executing parallel task groups
@@ -1,117 +1,119 @@
1
1
  ---
2
2
  name: security-scanner
3
3
  description: |
4
- Security vulnerability scanning for code and configuration. Covers secret detection,
5
- injection vectors, dependency vulnerabilities, and supply chain risks.
6
- Use during CI, before releases, or as a standalone audit.
7
- version: 1.0.0
4
+ Use this skill when scanning code or configuration for security vulnerabilities
5
+ in WrongStack. Triggers: user says "security", "vulnerability", "CVE", "secret",
6
+ "injection", "XSS", "SQL injection", "audit security", "supply chain".
7
+ version: 1.1.0
8
8
  ---
9
9
 
10
- # Security Scanner Agent
10
+ # Security Scanner — WrongStack
11
11
 
12
- Scans code, configs, and dependencies for security issues ranging from
13
- hardcoded secrets to injection vulnerabilities and supply chain risks.
14
-
15
- ## Capabilities
16
-
17
- - Detect hardcoded secrets: API keys, tokens, passwords, private keys
18
- - Find injection vectors: eval, innerHTML, SQL concatenation, shell injection
19
- - Identify insecure patterns: weak crypto, hardcoded IVs, disabled TLS verification
20
- - Scan dependencies for known CVEs (via package audit)
21
- - Flag supply chain risks: unverified scripts, postinstall hooks, .npmrc issues
12
+ Scans code, configs, and dependencies for security issues.
22
13
 
23
14
  ## Workflow
24
15
 
25
- 1. **Scope** — Accept paths or use sensible defaults
26
- 2. **Secrets Scan** Regex scan for credential patterns
27
- 3. **Injection Scan** Pattern match dangerous constructs
28
- 4. **Config Scan** Check TLS, crypto, auth configurations
29
- 5. **Dependency Scan** Run audit on package.json
30
- 6. **Report** Prioritized markdown with remediation
31
-
32
- ## Input
33
-
34
- ```json
35
- {
36
- "task": "scan | audit | secrets | dependencies",
37
- "paths": ["src", "config"],
38
- "depth": "quick | normal | deep",
39
- "excludePaths": ["node_modules", "dist"]
40
- }
16
+ ```
17
+ 1. Scope: Accept paths or use sensible defaults
18
+ 2. Secrets: Regex scan for credential patterns
19
+ 3. Injection: Pattern match dangerous constructs
20
+ 4. Config: Check TLS, crypto, auth configurations
21
+ 5. Audit: Run package audit
22
+ 6. Report: Prioritized markdown with remediation
41
23
  ```
42
24
 
43
- ## Output Format
25
+ ## Severity levels
44
26
 
45
- ```
46
- ## Security Scan Report — <timestamp>
47
-
48
- ### CRITICAL: Secrets Found
49
- 1. **[CRITICAL]** `config/keys.ts:8` AWS Access Key ID exposed
50
- ```
51
- const awsKey = "AKIAIOSFODNN7EXAMPLE"; // ← remove this
52
- ```
53
- 2. **[CRITICAL]** `.env:3` — Private key committed to repo
54
- ```
55
- PEM_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
56
- ```
57
-
58
- ### HIGH: Injection Vectors
59
- 3. **[HIGH]** `lib/renderer.ts:42` — innerHTML assignment
60
- ```ts
61
- element.innerHTML = userInput; // ← sanitize or use textContent
62
- ```
63
- 4. **[HIGH]** `tools/shell.ts:15` — shell injection via template literal
64
- ```ts
65
- exec(`echo ${userInput}`); // ← escape or use array form
66
- ```
67
-
68
- ### MEDIUM: Insecure Patterns
69
- 5. **[MEDIUM]** `lib/crypto.ts:9` — MD5 used for hashing (not for passwords)
70
- 6. **[MEDIUM]** `server.ts:22` — TLS certificate verification disabled
71
-
72
- ### Dependency Issues
73
- 7. **[HIGH]** `lodash < 4.17.21` — CVE-2021-23337
74
- 8. **[MEDIUM]** `minimist < 1.2.6` — CVE-2021-44906
75
-
76
- ## Summary
77
- | Severity | Count |
78
- |----------|-------|
79
- | Critical | 2 |
80
- | High | 4 |
81
- | Medium | 3 |
82
- | Low | 1 |
27
+ | Level | Meaning | Action |
28
+ |-------|---------|--------|
29
+ | **CRITICAL** | Active exploit possible | Fix immediately |
30
+ | **HIGH** | Vulnerability likely exploitable | Fix before release |
31
+ | **MEDIUM** | Risk exists but harder to exploit | Fix soon |
32
+ | **LOW** | Best practice violation | Consider fixing |
83
33
 
84
- ## Remediation Checklist
85
- - [ ] Remove hardcoded secrets from `config/keys.ts`
86
- - [ ] Sanitize user input before innerHTML assignment
87
- - [ ] Update lodash to >= 4.17.21
88
- - [ ] Enable TLS verification in production
34
+ ## Secret patterns
35
+
36
+ ```
37
+ | Pattern | Example | Level |
38
+ |---------|---------|-------|
39
+ | GitHub token | `ghp_[a-zA-Z0-9]{36}` | CRITICAL |
40
+ | AWS Access Key | `[A-Z0-9]{20}` | CRITICAL |
41
+ | AWS Secret | base64 40-char | CRITICAL |
42
+ | Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | CRITICAL |
43
+ | JWT | `eyJ[a-zA-Z0-9_-]+` | HIGH |
44
+ | Generic API Key | 32+ random chars | MEDIUM |
45
+ | Bearer token | `Authorization: Bearer xxx` | HIGH |
89
46
  ```
90
47
 
91
- ## Secret Pattern Reference
48
+ ## Real examples
49
+
50
+ ```typescript
51
+ // ❌ CRITICAL — hardcoded AWS credentials
52
+ const awsKey = "AKIAIOSFODNN7EXAMPLE";
53
+
54
+ // ❌ CRITICAL — private key committed
55
+ const pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
56
+
57
+ // ❌ HIGH — JWT in code
58
+ const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
59
+
60
+ // ❌ HIGH — XSS via innerHTML
61
+ element.innerHTML = userInput;
62
+
63
+ // ❌ HIGH — shell injection
64
+ exec(`find . -name ${userInput}`);
65
+
66
+ // ❌ HIGH — SQL injection
67
+ const query = "SELECT * FROM users WHERE id = " + userId;
92
68
 
93
- | Pattern | Example | Severity |
94
- |---------|---------|----------|
95
- | AWS Access Key | `AKIAIOSFODNN7EXAMPLE` | critical |
96
- | AWS Secret Key | `[a-zA-Z0-9/+=]{40}` base64 | critical |
97
- | GitHub Token | `ghp_[a-zA-Z0-9]{36}` | critical |
98
- | Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | critical |
99
- | JWT | `eyJ[a-zA-Z0-9_-]+` | high |
100
- | Generic API Key | `[a-zA-Z0-9]{32,}` | medium |
69
+ // SAFE parameterized query
70
+ db.query("SELECT * FROM users WHERE id = $1", [userId]);
101
71
 
102
- ## Injection Patterns
72
+ // SAFE — escape user input
73
+ element.textContent = userInput;
74
+ ```
75
+
76
+ ## Injection vectors
103
77
 
104
- | Construct | Safe Alternative |
105
- |-----------|-----------------|
106
- | `eval(str)` | `new Function()` or parse |
107
- | `innerHTML = x` | `textContent` or sanitize |
78
+ | Construct | Safe alternative |
79
+ |-----------|-------------------|
80
+ | `eval(str)` | `new Function()` or parse then evaluate |
81
+ | `innerHTML = x` | `textContent` or DOMPurify.sanitize |
108
82
  | `exec(\`cmd ${input}\`)` | `execFile` with args array |
109
83
  | `SQL = "SELECT * FROM " + table` | parameterized query |
110
84
  | `fs.readFile(path + userInput)` | `path.resolve` + allowlist |
111
85
 
86
+ ## Configuration checks
87
+
88
+ ```
89
+ - TLS verification disabled? → CRITICAL for production
90
+ - HTTP instead of HTTPS? → MEDIUM for production
91
+ - Secrets in env vars logged to console? → CRITICAL
92
+ - Hardcoded credentials in config? → CRITICAL
93
+ - Overly permissive CORS? → MEDIUM
94
+ - Missing rate limiting? → MEDIUM-HIGH
95
+ ```
96
+
112
97
  ## Anti-patterns
113
98
 
114
- - Don't scan node_modules — noise, use `npm audit` instead
115
- - Don't report without remediation — "found X" is useless without "do Y"
116
- - Don't ignore false positives — verify before flagging (especially regex-based secrets)
117
- - Don't skip dependency scanning — supply chain is a real attack vector
99
+ - **Don't scan `node_modules`** — use `npm audit` instead
100
+ - **Don't report without remediation** — "found X" is useless without "do Y"
101
+ - **Don't ignore false positives** — verify regex matches before flagging (especially generic patterns)
102
+ - **Don't skip dependency scanning** — supply chain is a real attack vector
103
+ - **Don't flag test fixtures** — mock credentials in tests are ok, but not in production code
104
+
105
+ ## Remediation template
106
+
107
+ ```
108
+ ## Remediation Checklist
109
+ - [ ] Remove hardcoded credentials from `src/config.ts`
110
+ - [ ] Move secrets to environment variables, add to .gitignore
111
+ - [ ] Use parameterized queries in `src/db/` files
112
+ - [ ] Add rate limiting to `src/api/` routes
113
+ ```
114
+
115
+ ## Skills in scope
116
+
117
+ - `bug-hunter` — for general code quality bugs found during security scan
118
+ - `audit-log` — for dependency version audit trails
119
+ - `git-flow` — for committing security patches properly
@@ -1,17 +1,16 @@
1
1
  ---
2
2
  name: skill-creator
3
3
  description: |
4
- Use this skill when the user wants to create a new AI skill.
5
- Covers skill format, file structure, naming conventions,
6
- and the interactive creation workflow.
7
- version: 1.0.0
4
+ Use this skill when the user wants to create a new AI skill in WrongStack.
5
+ Triggers: user says "create a skill", "new skill", "add a skill", "skill definition".
6
+ version: 1.1.0
8
7
  ---
9
8
 
10
- # Skill Creator
9
+ # Skill Creator — WrongStack
11
10
 
12
- Guide the user through creating a new AI skill. You are the wizard — ask questions, validate answers, write the file.
11
+ Guide the user through creating a new skill. You are the wizard — ask questions, validate answers, write the file.
13
12
 
14
- ## Skill Format
13
+ ## Skill format
15
14
 
16
15
  Every skill is a Markdown file with YAML frontmatter:
17
16
 
@@ -19,8 +18,8 @@ Every skill is a Markdown file with YAML frontmatter:
19
18
  ---
20
19
  name: my-skill-name
21
20
  description: |
22
- First sentence is the trigger — when should this skill activate?
23
- Rest describes what the skill covers.
21
+ Use this skill when <trigger situation>.
22
+ Triggers: user says "keyword", "another keyword".
24
23
  version: 1.0.0
25
24
  ---
26
25
 
@@ -35,10 +34,14 @@ What this skill does.
35
34
 
36
35
  ## Patterns
37
36
  ### Do
38
- ```code example```
37
+ \`\`\`ts
38
+ // good example
39
+ \`\`\`
39
40
 
40
41
  ### Don't
41
- ```anti-pattern example```
42
+ \`\`\`ts
43
+ // bad example
44
+ \`\`\`
42
45
 
43
46
  ## Workflow
44
47
  1. Step one
@@ -51,23 +54,42 @@ Skills live in directories under these paths (priority order):
51
54
 
52
55
  1. **Project**: `<project>/.wrongstack/skills/<name>/SKILL.md`
53
56
  2. **User global**: `~/.wrongstack/skills/<name>/SKILL.md`
54
- 3. **Bundled**: `packages/core/skills/<name>/SKILL.md` (read-only)
57
+ 3. **Bundled**: `packages/core/skills/<name>/SKILL.md` (read-only, for core team)
55
58
 
56
- For user-created skills, always use path 1 (project level).
59
+ For user-created skills: always use path 1 (project level).
57
60
 
58
61
  ## Naming Rules
59
62
 
60
- - kebab-case: `my-skill`, `docker-deploy`, `api-testing`
63
+ - **kebab-case**: `my-skill`, `docker-deploy`, `api-testing`
61
64
  - Lowercase letters, numbers, hyphens only
62
65
  - No spaces, no underscores, no uppercase
63
66
  - Directory name = skill name
64
67
 
65
- ## Description Rules
68
+ ## The Trigger — the most important part
69
+
70
+ The **first sentence** of the `description` is the trigger. This is the **only** thing the skill loader matches on.
71
+
72
+ ```
73
+ # ✅ Good — specific trigger that can be matched
74
+ Use this skill when deploying Docker containers to a production cluster.
75
+
76
+ # ❌ Bad — vague, can't be matched
77
+ This skill is about Docker deployment.
78
+
79
+ # ✅ Good — pattern-matchable
80
+ Use this skill when writing or reviewing React 19+ code.
81
+
82
+ # ❌ Bad — too broad
83
+ This skill is about code.
84
+ ```
85
+
86
+ After the trigger sentence, add `Triggers: user says "X", "Y", "Z".` so agents know when to delegate.
66
87
 
67
- - First sentence = trigger condition. This is when the skill activates.
68
- - Good: "Use this skill when deploying Docker containers."
69
- - Bad: "This skill is about Docker."
70
- - Be specific about scope — what technologies, what situations
88
+ ## Description rules
89
+
90
+ - First sentence = trigger condition
91
+ - Second sentence = what it covers
92
+ - Triggers list = specific keywords or phrases
71
93
  - Multi-line descriptions use YAML block scalar (`|`)
72
94
 
73
95
  ## Content Guidelines
@@ -76,16 +98,14 @@ For user-created skills, always use path 1 (project level).
76
98
  - **Patterns**: actual code examples, not pseudocode
77
99
  - **Anti-patterns**: show what NOT to do with real code
78
100
  - **Workflows**: step-by-step, actionable, not theoretical
79
- - Keep it focused one skill = one concern
101
+ - **Skills in scope**: list related skills at the bottom for delegation
80
102
 
81
103
  ## Creation Workflow
82
104
 
83
- When the user wants to create a skill:
84
-
85
105
  1. **Ask the name** — suggest kebab-case, validate format
86
- 2. **Ask the description** — guide them to write a good trigger sentence
87
- 3. **Ask what to cover** — rules, patterns, workflows they want in the body
88
- 4. **Generate the SKILL.md** — write the file to `.wrongstack/skills/<name>/SKILL.md`
106
+ 2. **Ask the trigger** — "What situation should activate this skill?"
107
+ 3. **Ask the coverage** — what rules, patterns, workflows?
108
+ 4. **Generate the SKILL.md** — write to `.wrongstack/skills/<name>/SKILL.md`
89
109
  5. **Confirm** — show the path, remind them to use `/skill` to list skills
90
110
 
91
111
  ## Validation Checklist
@@ -96,3 +116,16 @@ Before writing the file, verify:
96
116
  - [ ] Description has a clear trigger sentence
97
117
  - [ ] Content is actionable (rules, patterns, not just prose)
98
118
  - [ ] File will be placed in `.wrongstack/skills/`
119
+
120
+ ## Existing skills (don't collide)
121
+
122
+ ```
123
+ audit-log, bug-hunter, git-flow, multi-agent, node-modern,
124
+ prompt-engineering, react-modern, refactor-planner, sdd,
125
+ security-scanner, skill-creator, typescript-strict
126
+ ```
127
+
128
+ ## Skills in scope
129
+
130
+ - `prompt-engineering` — for crafting the skill description and prompt text
131
+ - `git-flow` — for committing the new skill file