@wrongstack/core 0.6.4 → 0.6.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-bridge-eb7qnNrd.d.ts → agent-bridge-BBXK_ppx.d.ts} +1 -1
- package/dist/agent-subagent-runner-DsSm9lKN.d.ts +174 -0
- package/dist/{compactor-RIPuTtWK.d.ts → compactor-C8NhpSt5.d.ts} +1 -1
- package/dist/{config-BGGuP_Ar.d.ts → config-DfC6g6KV.d.ts} +1 -1
- package/dist/{context-CDRyrkKQ.d.ts → context-DN5v-uQX.d.ts} +11 -0
- package/dist/coordination/index.d.ts +10 -9
- package/dist/coordination/index.js +113 -20
- package/dist/coordination/index.js.map +1 -1
- package/dist/defaults/index.d.ts +22 -21
- package/dist/defaults/index.js +1359 -919
- package/dist/defaults/index.js.map +1 -1
- package/dist/{events-BHuIHekD.d.ts → events-CJqwQl8G.d.ts} +17 -1
- package/dist/execution/index.d.ts +116 -13
- package/dist/execution/index.js +1438 -131
- package/dist/execution/index.js.map +1 -1
- package/dist/extension/index.d.ts +6 -6
- package/dist/{goal-store-DVCfj7Ff.d.ts → goal-store-HHgaq5ue.d.ts} +3 -3
- package/dist/{index-CPcDqvZh.d.ts → index-CXnWsGBp.d.ts} +11 -175
- package/dist/{index-BOn9NK7D.d.ts → index-DcnXDPdY.d.ts} +6 -6
- package/dist/index.d.ts +29 -28
- package/dist/index.js +1105 -666
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +6 -6
- package/dist/kernel/index.d.ts +9 -9
- package/dist/kernel/index.js.map +1 -1
- package/dist/{mcp-servers-DBdh3cee.d.ts → mcp-servers-CevFHHM1.d.ts} +3 -3
- package/dist/models/index.d.ts +2 -2
- package/dist/models/index.js +5 -16
- package/dist/models/index.js.map +1 -1
- package/dist/{multi-agent-CxSb-9dQ.d.ts → multi-agent-D5IbASk_.d.ts} +16 -4
- package/dist/observability/index.d.ts +2 -2
- package/dist/{path-resolver-CMGNadvq.d.ts → path-resolver-CBx_q1HA.d.ts} +2 -2
- package/dist/{plan-templates-BJflQY2i.d.ts → plan-templates-BEOllUJV.d.ts} +5 -4
- package/dist/{provider-runner-BFgNXpaP.d.ts → provider-runner-Byh5TcJs.d.ts} +3 -3
- package/dist/{retry-policy-LKS8MHsB.d.ts → retry-policy-BZSIMxrJ.d.ts} +1 -1
- package/dist/sdd/index.d.ts +9 -4
- package/dist/sdd/index.js +21 -0
- package/dist/sdd/index.js.map +1 -1
- package/dist/{secret-scrubber-CfMdAJ_l.d.ts → secret-scrubber-CT7wefiO.d.ts} +1 -1
- package/dist/{secret-scrubber-BzQR5BiL.d.ts → secret-scrubber-I0QHY_ob.d.ts} +1 -1
- package/dist/security/index.d.ts +3 -3
- package/dist/{selector-C7HqnZJU.d.ts → selector-DDb_mq9X.d.ts} +1 -1
- package/dist/{session-reader-CzfRA6Vk.d.ts → session-reader-B9nVkziM.d.ts} +1 -1
- package/dist/storage/index.d.ts +6 -6
- package/dist/storage/index.js +29 -3
- package/dist/storage/index.js.map +1 -1
- package/dist/{system-prompt-Dl2QY1_B.d.ts → system-prompt-gL06H9P4.d.ts} +1 -1
- package/dist/{task-graph-BITvWt4t.d.ts → task-graph-D1YQbpxF.d.ts} +1 -0
- package/dist/{tool-executor-FoxBjULX.d.ts → tool-executor-BF7QfYVE.d.ts} +4 -4
- package/dist/types/index.d.ts +16 -16
- package/dist/types/index.js +5 -16
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +1 -1
- package/package.json +1 -1
- package/skills/audit-log/SKILL.md +57 -28
- package/skills/bug-hunter/SKILL.md +85 -61
- package/skills/git-flow/SKILL.md +73 -18
- package/skills/multi-agent/SKILL.md +69 -40
- package/skills/node-modern/SKILL.md +111 -19
- package/skills/prompt-engineering/SKILL.md +97 -16
- package/skills/react-modern/SKILL.md +104 -18
- package/skills/refactor-planner/SKILL.md +73 -43
- package/skills/sdd/SKILL.md +123 -165
- package/skills/security-scanner/SKILL.md +95 -93
- package/skills/skill-creator/SKILL.md +58 -25
- package/skills/typescript-strict/SKILL.md +107 -15
package/skills/sdd/SKILL.md
CHANGED
|
@@ -1,165 +1,123 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: sdd
|
|
3
|
-
description: |
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
Tasks
|
|
116
|
-
|
|
117
|
-
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
```
|
|
125
|
-
pending → in_progress → review → completed
|
|
126
|
-
↓
|
|
127
|
-
blocked (waiting on dependencies)
|
|
128
|
-
↓
|
|
129
|
-
failed
|
|
130
|
-
```
|
|
131
|
-
|
|
132
|
-
## Critical Path Analysis
|
|
133
|
-
|
|
134
|
-
The critical path identifies:
|
|
135
|
-
|
|
136
|
-
- **Bottleneck tasks** that block the most downstream work
|
|
137
|
-
- **Parallel groups** of tasks that can execute concurrently
|
|
138
|
-
- **Ready tasks** that can start immediately
|
|
139
|
-
- **Execution order** respecting all dependencies
|
|
140
|
-
|
|
141
|
-
## Spec Versioning
|
|
142
|
-
|
|
143
|
-
When requirements change:
|
|
144
|
-
|
|
145
|
-
- Added requirements → new tasks generated
|
|
146
|
-
- Removed requirements → tasks removed
|
|
147
|
-
- Modified requirements → tasks updated (description, priority, dependencies)
|
|
148
|
-
- Version history tracked for audit trail
|
|
149
|
-
|
|
150
|
-
## Auto-Execution
|
|
151
|
-
|
|
152
|
-
The auto-executor runs tasks with:
|
|
153
|
-
|
|
154
|
-
- Dependency-aware ordering (blocked tasks wait)
|
|
155
|
-
- Automatic retry on transient failures (configurable max retries)
|
|
156
|
-
- Deadlock detection (all remaining blocked by failed tasks)
|
|
157
|
-
- Progress tracking and event emission
|
|
158
|
-
|
|
159
|
-
## Done conditions
|
|
160
|
-
|
|
161
|
-
A feature is done when:
|
|
162
|
-
1. All critical and high priority tasks completed
|
|
163
|
-
2. Tests written and passing
|
|
164
|
-
3. Documentation updated
|
|
165
|
-
4. No blocked tasks remaining
|
|
1
|
+
---
|
|
2
|
+
name: sdd
|
|
3
|
+
description: |
|
|
4
|
+
Use this skill when starting a non-trivial implementation, bug fix, or refactor
|
|
5
|
+
in WrongStack. Triggers: user says "/sdd", "spec", "specification", "task graph",
|
|
6
|
+
"SDD", "acceptance criteria", or starts a new feature.
|
|
7
|
+
version: 2.1.0
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
# Spec-Driven Development — WrongStack
|
|
11
|
+
|
|
12
|
+
Every non-trivial change starts with a spec. The spec is the source of truth.
|
|
13
|
+
|
|
14
|
+
## When to use
|
|
15
|
+
|
|
16
|
+
- New feature implementation
|
|
17
|
+
- Bug fix with complexity
|
|
18
|
+
- Refactoring with scope
|
|
19
|
+
- Any task requiring more than 1 hour
|
|
20
|
+
|
|
21
|
+
## The SDD workflow
|
|
22
|
+
|
|
23
|
+
```
|
|
24
|
+
1. /sdd new [title] → Build spec from questions
|
|
25
|
+
2. /sdd tasks <id> → Generate task graph from spec
|
|
26
|
+
3. /sdd graph <id> → Visualize dependencies
|
|
27
|
+
4. /sdd critical <id> → Find bottlenecks
|
|
28
|
+
5. /sdd execute <id> → Run tasks (or execute manually)
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
## Task lifecycle commands
|
|
32
|
+
|
|
33
|
+
| Command | What it does |
|
|
34
|
+
|---------|--------------|
|
|
35
|
+
| `/sdd tasks` | Show task list with progress bar (sorted: in_progress → pending → review → blocked → failed → completed) |
|
|
36
|
+
| `/sdd next` | Show next executable task + blockers |
|
|
37
|
+
| `/sdd done <N>` | Complete a task (by number or fuzzy title match) |
|
|
38
|
+
| `/sdd skip <N>` | Skip a task back to pending |
|
|
39
|
+
| `/sdd fail <N>` | Mark a task as failed |
|
|
40
|
+
| `/sdd review <N>` | Send a task to review |
|
|
41
|
+
| `/sdd edit <N> <text>` | Edit task title (short text) or description (long text) |
|
|
42
|
+
| `/sdd undo` | Undo last task completion |
|
|
43
|
+
| `/sdd graph` | ASCII task dependency visualization |
|
|
44
|
+
| `/sdd critical` | Critical path analysis + bottlenecks |
|
|
45
|
+
|
|
46
|
+
## Spec templates
|
|
47
|
+
|
|
48
|
+
| Template | Best for |
|
|
49
|
+
|---|---|
|
|
50
|
+
| `feature` | New feature development |
|
|
51
|
+
| `bugfix` | Bug fix with root cause analysis |
|
|
52
|
+
| `refactor` | Code refactoring with goals |
|
|
53
|
+
| `infra` | Infrastructure/tooling changes |
|
|
54
|
+
| `integration` | External service integration |
|
|
55
|
+
| `cli-command` | New CLI commands/slash commands |
|
|
56
|
+
|
|
57
|
+
## Spec structure
|
|
58
|
+
|
|
59
|
+
A complete spec has:
|
|
60
|
+
1. **Overview** — What problem does this solve?
|
|
61
|
+
2. **Requirements** — `[priority] description` format
|
|
62
|
+
3. **Architecture** — High-level design (if needed)
|
|
63
|
+
4. **API Design** — Endpoints, inputs, outputs (if applicable)
|
|
64
|
+
5. **Acceptance Criteria** — How do we know it's done?
|
|
65
|
+
|
|
66
|
+
### Requirement format
|
|
67
|
+
|
|
68
|
+
```
|
|
69
|
+
[critical] Users can authenticate with OAuth2
|
|
70
|
+
[high] Rate limiting: 100 req/min per user
|
|
71
|
+
[medium] Response time < 200ms p95
|
|
72
|
+
[low] Support dark mode
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
## Task graph generation
|
|
76
|
+
|
|
77
|
+
Each requirement generates one or more tasks. Tasks have states:
|
|
78
|
+
```
|
|
79
|
+
pending → in_progress → review → completed
|
|
80
|
+
↓
|
|
81
|
+
blocked (waiting on dependencies)
|
|
82
|
+
↓
|
|
83
|
+
failed
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
## Critical path
|
|
87
|
+
|
|
88
|
+
The critical path finds:
|
|
89
|
+
- **Bottleneck tasks** blocking the most downstream work
|
|
90
|
+
- **Parallel groups** that can run concurrently
|
|
91
|
+
- **Ready tasks** that can start immediately
|
|
92
|
+
- **Execution order** respecting all dependencies
|
|
93
|
+
|
|
94
|
+
## Goal & Eternal Mode
|
|
95
|
+
|
|
96
|
+
`/sdd` pairs with `/goal` for autonomous execution:
|
|
97
|
+
|
|
98
|
+
| Command | What it does |
|
|
99
|
+
|---------|--------------|
|
|
100
|
+
| `/goal set <text>` | Set an autonomous mission |
|
|
101
|
+
| `/goal pause` | Pause at end of current iteration |
|
|
102
|
+
| `/goal resume` | Resume a paused goal |
|
|
103
|
+
| `/goal journal [N]` | Show recent journal entries |
|
|
104
|
+
| `/goal clear` | Clear goal and stop eternal mode |
|
|
105
|
+
| `/autonomy eternal` | Run goal loop indefinitely |
|
|
106
|
+
| `/autonomy stop` | Stop eternal mode |
|
|
107
|
+
|
|
108
|
+
**Eternal stage flow:** `decide → execute → reflect → sleep | paused | stopped`
|
|
109
|
+
Stage shown in real-time. Pause stops after current iteration completes.
|
|
110
|
+
|
|
111
|
+
## Anti-patterns
|
|
112
|
+
|
|
113
|
+
- **Writing code before the spec** — you'll rewrite it anyway
|
|
114
|
+
- **Spec that's too vague** — "improve auth" is not a spec, "Users authenticate via OAuth2 with PKCE" is
|
|
115
|
+
- **Tasks with no dependencies** — everything is a dependency of something
|
|
116
|
+
- **Spec without acceptance criteria** — how do you know when it's done?
|
|
117
|
+
- **Skipping /sdd for urgent tasks** — the spec is what makes "urgent" possible
|
|
118
|
+
|
|
119
|
+
## Skills in scope
|
|
120
|
+
|
|
121
|
+
- `refactor-planner` — when the spec reveals a multi-file refactor
|
|
122
|
+
- `bug-hunter` — when a bugfix spec needs a root cause analysis section
|
|
123
|
+
- `multi-agent` — for executing parallel task groups
|
|
@@ -1,117 +1,119 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: security-scanner
|
|
3
3
|
description: |
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
version: 1.
|
|
4
|
+
Use this skill when scanning code or configuration for security vulnerabilities
|
|
5
|
+
in WrongStack. Triggers: user says "security", "vulnerability", "CVE", "secret",
|
|
6
|
+
"injection", "XSS", "SQL injection", "audit security", "supply chain".
|
|
7
|
+
version: 1.1.0
|
|
8
8
|
---
|
|
9
9
|
|
|
10
|
-
# Security Scanner
|
|
10
|
+
# Security Scanner — WrongStack
|
|
11
11
|
|
|
12
|
-
Scans code, configs, and dependencies for security issues
|
|
13
|
-
hardcoded secrets to injection vulnerabilities and supply chain risks.
|
|
14
|
-
|
|
15
|
-
## Capabilities
|
|
16
|
-
|
|
17
|
-
- Detect hardcoded secrets: API keys, tokens, passwords, private keys
|
|
18
|
-
- Find injection vectors: eval, innerHTML, SQL concatenation, shell injection
|
|
19
|
-
- Identify insecure patterns: weak crypto, hardcoded IVs, disabled TLS verification
|
|
20
|
-
- Scan dependencies for known CVEs (via package audit)
|
|
21
|
-
- Flag supply chain risks: unverified scripts, postinstall hooks, .npmrc issues
|
|
12
|
+
Scans code, configs, and dependencies for security issues.
|
|
22
13
|
|
|
23
14
|
## Workflow
|
|
24
15
|
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
## Input
|
|
33
|
-
|
|
34
|
-
```json
|
|
35
|
-
{
|
|
36
|
-
"task": "scan | audit | secrets | dependencies",
|
|
37
|
-
"paths": ["src", "config"],
|
|
38
|
-
"depth": "quick | normal | deep",
|
|
39
|
-
"excludePaths": ["node_modules", "dist"]
|
|
40
|
-
}
|
|
16
|
+
```
|
|
17
|
+
1. Scope: Accept paths or use sensible defaults
|
|
18
|
+
2. Secrets: Regex scan for credential patterns
|
|
19
|
+
3. Injection: Pattern match dangerous constructs
|
|
20
|
+
4. Config: Check TLS, crypto, auth configurations
|
|
21
|
+
5. Audit: Run package audit
|
|
22
|
+
6. Report: Prioritized markdown with remediation
|
|
41
23
|
```
|
|
42
24
|
|
|
43
|
-
##
|
|
25
|
+
## Severity levels
|
|
44
26
|
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
const awsKey = "AKIAIOSFODNN7EXAMPLE"; // ← remove this
|
|
52
|
-
```
|
|
53
|
-
2. **[CRITICAL]** `.env:3` — Private key committed to repo
|
|
54
|
-
```
|
|
55
|
-
PEM_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIE..."
|
|
56
|
-
```
|
|
57
|
-
|
|
58
|
-
### HIGH: Injection Vectors
|
|
59
|
-
3. **[HIGH]** `lib/renderer.ts:42` — innerHTML assignment
|
|
60
|
-
```ts
|
|
61
|
-
element.innerHTML = userInput; // ← sanitize or use textContent
|
|
62
|
-
```
|
|
63
|
-
4. **[HIGH]** `tools/shell.ts:15` — shell injection via template literal
|
|
64
|
-
```ts
|
|
65
|
-
exec(`echo ${userInput}`); // ← escape or use array form
|
|
66
|
-
```
|
|
67
|
-
|
|
68
|
-
### MEDIUM: Insecure Patterns
|
|
69
|
-
5. **[MEDIUM]** `lib/crypto.ts:9` — MD5 used for hashing (not for passwords)
|
|
70
|
-
6. **[MEDIUM]** `server.ts:22` — TLS certificate verification disabled
|
|
71
|
-
|
|
72
|
-
### Dependency Issues
|
|
73
|
-
7. **[HIGH]** `lodash < 4.17.21` — CVE-2021-23337
|
|
74
|
-
8. **[MEDIUM]** `minimist < 1.2.6` — CVE-2021-44906
|
|
75
|
-
|
|
76
|
-
## Summary
|
|
77
|
-
| Severity | Count |
|
|
78
|
-
|----------|-------|
|
|
79
|
-
| Critical | 2 |
|
|
80
|
-
| High | 4 |
|
|
81
|
-
| Medium | 3 |
|
|
82
|
-
| Low | 1 |
|
|
27
|
+
| Level | Meaning | Action |
|
|
28
|
+
|-------|---------|--------|
|
|
29
|
+
| **CRITICAL** | Active exploit possible | Fix immediately |
|
|
30
|
+
| **HIGH** | Vulnerability likely exploitable | Fix before release |
|
|
31
|
+
| **MEDIUM** | Risk exists but harder to exploit | Fix soon |
|
|
32
|
+
| **LOW** | Best practice violation | Consider fixing |
|
|
83
33
|
|
|
84
|
-
##
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
34
|
+
## Secret patterns
|
|
35
|
+
|
|
36
|
+
```
|
|
37
|
+
| Pattern | Example | Level |
|
|
38
|
+
|---------|---------|-------|
|
|
39
|
+
| GitHub token | `ghp_[a-zA-Z0-9]{36}` | CRITICAL |
|
|
40
|
+
| AWS Access Key | `[A-Z0-9]{20}` | CRITICAL |
|
|
41
|
+
| AWS Secret | base64 40-char | CRITICAL |
|
|
42
|
+
| Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | CRITICAL |
|
|
43
|
+
| JWT | `eyJ[a-zA-Z0-9_-]+` | HIGH |
|
|
44
|
+
| Generic API Key | 32+ random chars | MEDIUM |
|
|
45
|
+
| Bearer token | `Authorization: Bearer xxx` | HIGH |
|
|
89
46
|
```
|
|
90
47
|
|
|
91
|
-
##
|
|
48
|
+
## Real examples
|
|
49
|
+
|
|
50
|
+
```typescript
|
|
51
|
+
// ❌ CRITICAL — hardcoded AWS credentials
|
|
52
|
+
const awsKey = "AKIAIOSFODNN7EXAMPLE";
|
|
53
|
+
|
|
54
|
+
// ❌ CRITICAL — private key committed
|
|
55
|
+
const pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
|
|
56
|
+
|
|
57
|
+
// ❌ HIGH — JWT in code
|
|
58
|
+
const token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...";
|
|
59
|
+
|
|
60
|
+
// ❌ HIGH — XSS via innerHTML
|
|
61
|
+
element.innerHTML = userInput;
|
|
62
|
+
|
|
63
|
+
// ❌ HIGH — shell injection
|
|
64
|
+
exec(`find . -name ${userInput}`);
|
|
65
|
+
|
|
66
|
+
// ❌ HIGH — SQL injection
|
|
67
|
+
const query = "SELECT * FROM users WHERE id = " + userId;
|
|
92
68
|
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
| AWS Access Key | `AKIAIOSFODNN7EXAMPLE` | critical |
|
|
96
|
-
| AWS Secret Key | `[a-zA-Z0-9/+=]{40}` base64 | critical |
|
|
97
|
-
| GitHub Token | `ghp_[a-zA-Z0-9]{36}` | critical |
|
|
98
|
-
| Private Key PEM | `-----BEGIN.*PRIVATE KEY-----` | critical |
|
|
99
|
-
| JWT | `eyJ[a-zA-Z0-9_-]+` | high |
|
|
100
|
-
| Generic API Key | `[a-zA-Z0-9]{32,}` | medium |
|
|
69
|
+
// ✅ SAFE — parameterized query
|
|
70
|
+
db.query("SELECT * FROM users WHERE id = $1", [userId]);
|
|
101
71
|
|
|
102
|
-
|
|
72
|
+
// ✅ SAFE — escape user input
|
|
73
|
+
element.textContent = userInput;
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
## Injection vectors
|
|
103
77
|
|
|
104
|
-
| Construct | Safe
|
|
105
|
-
|
|
106
|
-
| `eval(str)` | `new Function()` or parse |
|
|
107
|
-
| `innerHTML = x` | `textContent` or sanitize |
|
|
78
|
+
| Construct | Safe alternative |
|
|
79
|
+
|-----------|-------------------|
|
|
80
|
+
| `eval(str)` | `new Function()` or parse then evaluate |
|
|
81
|
+
| `innerHTML = x` | `textContent` or DOMPurify.sanitize |
|
|
108
82
|
| `exec(\`cmd ${input}\`)` | `execFile` with args array |
|
|
109
83
|
| `SQL = "SELECT * FROM " + table` | parameterized query |
|
|
110
84
|
| `fs.readFile(path + userInput)` | `path.resolve` + allowlist |
|
|
111
85
|
|
|
86
|
+
## Configuration checks
|
|
87
|
+
|
|
88
|
+
```
|
|
89
|
+
- TLS verification disabled? → CRITICAL for production
|
|
90
|
+
- HTTP instead of HTTPS? → MEDIUM for production
|
|
91
|
+
- Secrets in env vars logged to console? → CRITICAL
|
|
92
|
+
- Hardcoded credentials in config? → CRITICAL
|
|
93
|
+
- Overly permissive CORS? → MEDIUM
|
|
94
|
+
- Missing rate limiting? → MEDIUM-HIGH
|
|
95
|
+
```
|
|
96
|
+
|
|
112
97
|
## Anti-patterns
|
|
113
98
|
|
|
114
|
-
- Don't scan node_modules —
|
|
115
|
-
- Don't report without remediation — "found X" is useless without "do Y"
|
|
116
|
-
- Don't ignore false positives — verify before flagging (especially
|
|
117
|
-
- Don't skip dependency scanning — supply chain is a real attack vector
|
|
99
|
+
- **Don't scan `node_modules`** — use `npm audit` instead
|
|
100
|
+
- **Don't report without remediation** — "found X" is useless without "do Y"
|
|
101
|
+
- **Don't ignore false positives** — verify regex matches before flagging (especially generic patterns)
|
|
102
|
+
- **Don't skip dependency scanning** — supply chain is a real attack vector
|
|
103
|
+
- **Don't flag test fixtures** — mock credentials in tests are ok, but not in production code
|
|
104
|
+
|
|
105
|
+
## Remediation template
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
## Remediation Checklist
|
|
109
|
+
- [ ] Remove hardcoded credentials from `src/config.ts`
|
|
110
|
+
- [ ] Move secrets to environment variables, add to .gitignore
|
|
111
|
+
- [ ] Use parameterized queries in `src/db/` files
|
|
112
|
+
- [ ] Add rate limiting to `src/api/` routes
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
## Skills in scope
|
|
116
|
+
|
|
117
|
+
- `bug-hunter` — for general code quality bugs found during security scan
|
|
118
|
+
- `audit-log` — for dependency version audit trails
|
|
119
|
+
- `git-flow` — for committing security patches properly
|
|
@@ -1,17 +1,16 @@
|
|
|
1
1
|
---
|
|
2
2
|
name: skill-creator
|
|
3
3
|
description: |
|
|
4
|
-
Use this skill when the user wants to create a new AI skill.
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
version: 1.0.0
|
|
4
|
+
Use this skill when the user wants to create a new AI skill in WrongStack.
|
|
5
|
+
Triggers: user says "create a skill", "new skill", "add a skill", "skill definition".
|
|
6
|
+
version: 1.1.0
|
|
8
7
|
---
|
|
9
8
|
|
|
10
|
-
# Skill Creator
|
|
9
|
+
# Skill Creator — WrongStack
|
|
11
10
|
|
|
12
|
-
Guide the user through creating a new
|
|
11
|
+
Guide the user through creating a new skill. You are the wizard — ask questions, validate answers, write the file.
|
|
13
12
|
|
|
14
|
-
## Skill
|
|
13
|
+
## Skill format
|
|
15
14
|
|
|
16
15
|
Every skill is a Markdown file with YAML frontmatter:
|
|
17
16
|
|
|
@@ -19,8 +18,8 @@ Every skill is a Markdown file with YAML frontmatter:
|
|
|
19
18
|
---
|
|
20
19
|
name: my-skill-name
|
|
21
20
|
description: |
|
|
22
|
-
|
|
23
|
-
|
|
21
|
+
Use this skill when <trigger situation>.
|
|
22
|
+
Triggers: user says "keyword", "another keyword".
|
|
24
23
|
version: 1.0.0
|
|
25
24
|
---
|
|
26
25
|
|
|
@@ -35,10 +34,14 @@ What this skill does.
|
|
|
35
34
|
|
|
36
35
|
## Patterns
|
|
37
36
|
### Do
|
|
38
|
-
|
|
37
|
+
\`\`\`ts
|
|
38
|
+
// good example
|
|
39
|
+
\`\`\`
|
|
39
40
|
|
|
40
41
|
### Don't
|
|
41
|
-
|
|
42
|
+
\`\`\`ts
|
|
43
|
+
// bad example
|
|
44
|
+
\`\`\`
|
|
42
45
|
|
|
43
46
|
## Workflow
|
|
44
47
|
1. Step one
|
|
@@ -51,23 +54,42 @@ Skills live in directories under these paths (priority order):
|
|
|
51
54
|
|
|
52
55
|
1. **Project**: `<project>/.wrongstack/skills/<name>/SKILL.md`
|
|
53
56
|
2. **User global**: `~/.wrongstack/skills/<name>/SKILL.md`
|
|
54
|
-
3. **Bundled**: `packages/core/skills/<name>/SKILL.md` (read-only)
|
|
57
|
+
3. **Bundled**: `packages/core/skills/<name>/SKILL.md` (read-only, for core team)
|
|
55
58
|
|
|
56
|
-
For user-created skills
|
|
59
|
+
For user-created skills: always use path 1 (project level).
|
|
57
60
|
|
|
58
61
|
## Naming Rules
|
|
59
62
|
|
|
60
|
-
- kebab-case
|
|
63
|
+
- **kebab-case**: `my-skill`, `docker-deploy`, `api-testing`
|
|
61
64
|
- Lowercase letters, numbers, hyphens only
|
|
62
65
|
- No spaces, no underscores, no uppercase
|
|
63
66
|
- Directory name = skill name
|
|
64
67
|
|
|
65
|
-
##
|
|
68
|
+
## The Trigger — the most important part
|
|
69
|
+
|
|
70
|
+
The **first sentence** of the `description` is the trigger. This is the **only** thing the skill loader matches on.
|
|
71
|
+
|
|
72
|
+
```
|
|
73
|
+
# ✅ Good — specific trigger that can be matched
|
|
74
|
+
Use this skill when deploying Docker containers to a production cluster.
|
|
75
|
+
|
|
76
|
+
# ❌ Bad — vague, can't be matched
|
|
77
|
+
This skill is about Docker deployment.
|
|
78
|
+
|
|
79
|
+
# ✅ Good — pattern-matchable
|
|
80
|
+
Use this skill when writing or reviewing React 19+ code.
|
|
81
|
+
|
|
82
|
+
# ❌ Bad — too broad
|
|
83
|
+
This skill is about code.
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
After the trigger sentence, add `Triggers: user says "X", "Y", "Z".` so agents know when to delegate.
|
|
66
87
|
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
-
|
|
88
|
+
## Description rules
|
|
89
|
+
|
|
90
|
+
- First sentence = trigger condition
|
|
91
|
+
- Second sentence = what it covers
|
|
92
|
+
- Triggers list = specific keywords or phrases
|
|
71
93
|
- Multi-line descriptions use YAML block scalar (`|`)
|
|
72
94
|
|
|
73
95
|
## Content Guidelines
|
|
@@ -76,16 +98,14 @@ For user-created skills, always use path 1 (project level).
|
|
|
76
98
|
- **Patterns**: actual code examples, not pseudocode
|
|
77
99
|
- **Anti-patterns**: show what NOT to do with real code
|
|
78
100
|
- **Workflows**: step-by-step, actionable, not theoretical
|
|
79
|
-
-
|
|
101
|
+
- **Skills in scope**: list related skills at the bottom for delegation
|
|
80
102
|
|
|
81
103
|
## Creation Workflow
|
|
82
104
|
|
|
83
|
-
When the user wants to create a skill:
|
|
84
|
-
|
|
85
105
|
1. **Ask the name** — suggest kebab-case, validate format
|
|
86
|
-
2. **Ask the
|
|
87
|
-
3. **Ask
|
|
88
|
-
4. **Generate the SKILL.md** — write
|
|
106
|
+
2. **Ask the trigger** — "What situation should activate this skill?"
|
|
107
|
+
3. **Ask the coverage** — what rules, patterns, workflows?
|
|
108
|
+
4. **Generate the SKILL.md** — write to `.wrongstack/skills/<name>/SKILL.md`
|
|
89
109
|
5. **Confirm** — show the path, remind them to use `/skill` to list skills
|
|
90
110
|
|
|
91
111
|
## Validation Checklist
|
|
@@ -96,3 +116,16 @@ Before writing the file, verify:
|
|
|
96
116
|
- [ ] Description has a clear trigger sentence
|
|
97
117
|
- [ ] Content is actionable (rules, patterns, not just prose)
|
|
98
118
|
- [ ] File will be placed in `.wrongstack/skills/`
|
|
119
|
+
|
|
120
|
+
## Existing skills (don't collide)
|
|
121
|
+
|
|
122
|
+
```
|
|
123
|
+
audit-log, bug-hunter, git-flow, multi-agent, node-modern,
|
|
124
|
+
prompt-engineering, react-modern, refactor-planner, sdd,
|
|
125
|
+
security-scanner, skill-creator, typescript-strict
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
## Skills in scope
|
|
129
|
+
|
|
130
|
+
- `prompt-engineering` — for crafting the skill description and prompt text
|
|
131
|
+
- `git-flow` — for committing the new skill file
|