@wrongstack/core 0.9.4 → 0.9.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-subagent-runner-DaF_EgRG.d.ts → agent-subagent-runner-C4qt9e5Y.d.ts} +1 -1
- package/dist/{config-SkMIDN9L.d.ts → config-CWva0qoL.d.ts} +4 -0
- package/dist/coordination/index.d.ts +8 -7
- package/dist/coordination/index.js +672 -46
- package/dist/coordination/index.js.map +1 -1
- package/dist/defaults/index.d.ts +12 -11
- package/dist/defaults/index.js +780 -23
- package/dist/defaults/index.js.map +1 -1
- package/dist/execution/index.d.ts +7 -6
- package/dist/execution/index.js +1 -0
- package/dist/execution/index.js.map +1 -1
- package/dist/extension/index.d.ts +4 -3
- package/dist/{index-CP8638Wm.d.ts → index-aizK8olO.d.ts} +3 -2
- package/dist/{index-Bsha5K4D.d.ts → index-p95HQ22A.d.ts} +3 -2
- package/dist/index.d.ts +22 -16
- package/dist/index.js +861 -35
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +2 -2
- package/dist/kernel/index.d.ts +4 -3
- package/dist/{mcp-servers-BouUWYW6.d.ts → mcp-servers-BkVEqkRe.d.ts} +1 -1
- package/dist/{multi-agent-coordinator-DTXF2aAl.d.ts → multi-agent-coordinator-bRaI_aD1.d.ts} +1 -1
- package/dist/{null-fleet-bus-Chrc_3Pp.d.ts → null-fleet-bus-DKM3Iy9d.d.ts} +183 -3
- package/dist/{secret-scrubber-DttNiGYA.d.ts → permission-bPuzAy4x.d.ts} +1 -6
- package/dist/{permission-policy-BpCGYBud.d.ts → permission-policy-BUQSutpl.d.ts} +8 -1
- package/dist/{plan-templates-envSmNlZ.d.ts → plan-templates-fkQTyz3U.d.ts} +25 -1
- package/dist/sdd/index.d.ts +5 -4
- package/dist/sdd/index.js +1 -0
- package/dist/sdd/index.js.map +1 -1
- package/dist/secret-scrubber-3MHDDAtm.d.ts +6 -0
- package/dist/{secret-scrubber-QSeI0ADi.d.ts → secret-scrubber-7rSC_emZ.d.ts} +1 -1
- package/dist/security/index.d.ts +4 -3
- package/dist/security/index.js +37 -6
- package/dist/security/index.js.map +1 -1
- package/dist/storage/index.d.ts +3 -2
- package/dist/storage/index.js +88 -5
- package/dist/storage/index.js.map +1 -1
- package/dist/{tool-executor-CsktM3h9.d.ts → tool-executor-Boo3dekH.d.ts} +1 -1
- package/dist/types/index.d.ts +6 -5
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +12 -1
- package/dist/utils/index.js +85 -1
- package/dist/utils/index.js.map +1 -1
- package/package.json +1 -1
- package/skills/api-design/SKILL.md +139 -0
- package/skills/audit-log/SKILL.md +87 -14
- package/skills/bug-hunter/SKILL.md +42 -19
- package/skills/docker-deploy/SKILL.md +155 -0
- package/skills/git-flow/SKILL.md +53 -1
- package/skills/multi-agent/SKILL.md +42 -0
- package/skills/node-modern/SKILL.md +57 -1
- package/skills/observability/SKILL.md +134 -0
- package/skills/prompt-engineering/SKILL.md +46 -19
- package/skills/react-modern/SKILL.md +92 -1
- package/skills/refactor-planner/SKILL.md +49 -1
- package/skills/sdd/SKILL.md +12 -1
- package/skills/security-scanner/SKILL.md +46 -1
- package/skills/skill-creator/SKILL.md +49 -52
- package/skills/testing/SKILL.md +170 -0
- package/skills/typescript-strict/SKILL.md +98 -1
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: api-design
|
|
3
|
+
description: |
|
|
4
|
+
Use this skill when designing, reviewing, or refactoring REST APIs in WrongStack.
|
|
5
|
+
Triggers: user says "API", "endpoint", "REST", "request", "response", "JSON",
|
|
6
|
+
"HTTP", "status code", "pagination", "query params", "request body".
|
|
7
|
+
version: 1.0.0
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
# API Design — WrongStack
|
|
11
|
+
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Designs and reviews REST APIs for WrongStack services. WrongStack uses JSON over HTTPS, conventional HTTP status codes, and cursor-based pagination. APIs are consumed by the TUI, webui, and external integrations.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Use conventional HTTP status codes: `200` (ok), `201` (created), `400` (bad request), `401` (unauthorized), `403` (forbidden), `404` (not found), `500` (server error).
|
|
19
|
+
2. Always return consistent error shape: `{ "error": { "code": "ERROR_CODE", "message": "Human readable" } }`.
|
|
20
|
+
3. Use plural nouns for resource names: `/sessions` not `/session`.
|
|
21
|
+
4. Pagination: cursor-based for large datasets, not offset-based.
|
|
22
|
+
5. Request validation: validate on server, return `400` with field-level errors.
|
|
23
|
+
6. Idempotency: `POST` to `/resources` creates; `PUT` to `/resources/:id` replaces.
|
|
24
|
+
7. No secrets in URLs — put auth in headers, not query params.
|
|
25
|
+
8. Versioning: prefix with `/v1/` when breaking changes are inevitable.
|
|
26
|
+
|
|
27
|
+
## Patterns
|
|
28
|
+
|
|
29
|
+
### Do
|
|
30
|
+
|
|
31
|
+
```typescript
|
|
32
|
+
// ✅ Consistent error shape
|
|
33
|
+
interface ErrorResponse {
|
|
34
|
+
error: {
|
|
35
|
+
code: string; // machine-readable: "VALIDATION_ERROR"
|
|
36
|
+
message: string; // human-readable: "name is required"
|
|
37
|
+
details?: unknown; // optional field-level errors
|
|
38
|
+
};
|
|
39
|
+
}
|
|
40
|
+
|
|
41
|
+
// ✅ Cursor-based pagination
|
|
42
|
+
interface PaginatedResponse<T> {
|
|
43
|
+
data: T[];
|
|
44
|
+
nextCursor: string | null; // null = last page
|
|
45
|
+
hasMore: boolean;
|
|
46
|
+
}
|
|
47
|
+
|
|
48
|
+
// GET /sessions?cursor=abc123&limit=20
|
|
49
|
+
|
|
50
|
+
// ✅ Proper status codes
|
|
51
|
+
if (!resource) return Response.json({ error: { code: 'NOT_FOUND', message: '...' } }, { status: 404 });
|
|
52
|
+
if (!auth) return Response.json({ error: { code: 'UNAUTHORIZED', message: '...' } }, { status: 401 });
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
### Don't
|
|
56
|
+
|
|
57
|
+
```typescript
|
|
58
|
+
// ❌ Inconsistent error shape
|
|
59
|
+
Response.json({ message: 'Not found' }); // no code, no standard shape
|
|
60
|
+
|
|
61
|
+
// ❌ Secrets in URL
|
|
62
|
+
GET /api/data?apiKey=sk-xxx // ❌ put in Authorization header
|
|
63
|
+
|
|
64
|
+
// ❌ Offset pagination (fragile on mutations)
|
|
65
|
+
GET /users?offset=100&limit=20 // ❌ gaps after insert/delete
|
|
66
|
+
|
|
67
|
+
// ❌ 200 for errors
|
|
68
|
+
Response.json({ error: '...' }, { status: 200 }); // lies about outcome
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
## Request/response patterns
|
|
72
|
+
|
|
73
|
+
### Create resource (POST)
|
|
74
|
+
|
|
75
|
+
```
|
|
76
|
+
POST /sessions
|
|
77
|
+
Body: { "provider": "anthropic", "model": "claude-3-5-sonnet" }
|
|
78
|
+
201: { "id": "sess_abc", "provider": "anthropic", ... }
|
|
79
|
+
400: { "error": { "code": "VALIDATION_ERROR", "message": "model is required" } }
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
### Get resource (GET)
|
|
83
|
+
|
|
84
|
+
```
|
|
85
|
+
GET /sessions/sess_abc
|
|
86
|
+
200: { "id": "sess_abc", "status": "running", ... }
|
|
87
|
+
404: { "error": { "code": "NOT_FOUND", "message": "Session not found" } }
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
### List with pagination
|
|
91
|
+
|
|
92
|
+
```
|
|
93
|
+
GET /sessions?cursor=sess_xyz&limit=20
|
|
94
|
+
200: {
|
|
95
|
+
"data": [...],
|
|
96
|
+
"nextCursor": "sess_aaa",
|
|
97
|
+
"hasMore": true
|
|
98
|
+
}
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
### Update resource (PUT)
|
|
102
|
+
|
|
103
|
+
```
|
|
104
|
+
PUT /sessions/sess_abc
|
|
105
|
+
Body: { "status": "paused" }
|
|
106
|
+
200: { "id": "sess_abc", "status": "paused", ... }
|
|
107
|
+
400: { "error": { "code": "INVALID_STATUS", "message": "Must be running or paused" } }
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
## Error codes
|
|
111
|
+
|
|
112
|
+
| Code | HTTP | When |
|
|
113
|
+
|------|------|------|
|
|
114
|
+
| `VALIDATION_ERROR` | 400 | Request body/params invalid |
|
|
115
|
+
| `UNAUTHORIZED` | 401 | Missing or invalid auth |
|
|
116
|
+
| `FORBIDDEN` | 403 | Auth valid but no permission |
|
|
117
|
+
| `NOT_FOUND` | 404 | Resource doesn't exist |
|
|
118
|
+
| `CONFLICT` | 409 | Duplicate resource |
|
|
119
|
+
| `RATE_LIMITED` | 429 | Too many requests |
|
|
120
|
+
| `INTERNAL_ERROR` | 500 | Server-side failure |
|
|
121
|
+
|
|
122
|
+
## Authentication
|
|
123
|
+
|
|
124
|
+
- Bearer token in `Authorization` header: `Authorization: Bearer <token>`
|
|
125
|
+
- API key in `X-API-Key` header for machine-to-machine
|
|
126
|
+
- Never use query params for auth credentials
|
|
127
|
+
|
|
128
|
+
## WrongStack-specific notes
|
|
129
|
+
|
|
130
|
+
- **WrongStack CLI**: Most API calls go through the CLI's internal tool wrappers, not raw HTTP.
|
|
131
|
+
- **Session management**: Sessions are created/managed via the CLI, not a public REST API.
|
|
132
|
+
- **MCP tools**: MCP servers expose tools, not REST endpoints — this skill is for any HTTP APIs WrongStack exposes.
|
|
133
|
+
|
|
134
|
+
## Skills in scope
|
|
135
|
+
|
|
136
|
+
- `sdd` — for spec-driven API design with acceptance criteria
|
|
137
|
+
- `typescript-strict` — for type-safe request/response types
|
|
138
|
+
- `security-scanner` — for scanning API implementations for injection, auth, and secrets
|
|
139
|
+
- `testing` — for writing integration tests against API endpoints
|
|
@@ -11,6 +11,54 @@ version: 1.1.0
|
|
|
11
11
|
|
|
12
12
|
Analyzes session logs, event streams, and system traces to surface patterns, anomalies, and actionable insights.
|
|
13
13
|
|
|
14
|
+
## Overview
|
|
15
|
+
|
|
16
|
+
Parses WrongStack session JSONL files to extract tool usage patterns, error distributions, cost trends, and context anomalies. Produces a structured report with prioritized findings.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
|
|
20
|
+
1. Always parse from the source JSONL — never summarize what you didn't read.
|
|
21
|
+
2. Analyze one session at a time, or aggregate with clear labeling per session.
|
|
22
|
+
3. Cite specific data in reports: iteration numbers, tool names, error messages.
|
|
23
|
+
4. Flag repeated failures (same tool,5+ times) as a real issue, not noise.
|
|
24
|
+
5. Report cost trends in context of iteration count — a spike means context growth.
|
|
25
|
+
|
|
26
|
+
## Patterns
|
|
27
|
+
|
|
28
|
+
### Do
|
|
29
|
+
|
|
30
|
+
```json
|
|
31
|
+
// ✅ Good — parse tool call counts from session JSONL
|
|
32
|
+
{
|
|
33
|
+
"iterations": 23,
|
|
34
|
+
"toolCalls": [
|
|
35
|
+
{ "tool": "read", "count": 142, "failures": 3 },
|
|
36
|
+
{ "tool": "bash", "count": 89, "failures": 12 }
|
|
37
|
+
],
|
|
38
|
+
"costPerIteration": [0.04, 0.04, 0.11, 0.18]
|
|
39
|
+
}
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
```typescript
|
|
43
|
+
// ✅ Extract error distribution
|
|
44
|
+
const errorsByType = events
|
|
45
|
+
.filter(e => e.type === 'error')
|
|
46
|
+
.reduce((acc, e) => {
|
|
47
|
+
acc[e.error.type] = (acc[e.error.type] || 0) + 1;
|
|
48
|
+
return acc;
|
|
49
|
+
}, {});
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
### Don't
|
|
53
|
+
|
|
54
|
+
```typescript
|
|
55
|
+
// ❌ Bad — report without citing data
|
|
56
|
+
"bash had some failures" // no count, no iteration, no error type
|
|
57
|
+
|
|
58
|
+
// ❌ Bad — mix sessions without labeling
|
|
59
|
+
// Analyzed 3 sessions together with no per-session breakdown
|
|
60
|
+
```
|
|
61
|
+
|
|
14
62
|
## Workflow
|
|
15
63
|
|
|
16
64
|
```
|
|
@@ -23,24 +71,48 @@ Analyzes session logs, event streams, and system traces to surface patterns, ano
|
|
|
23
71
|
## What to look for
|
|
24
72
|
|
|
25
73
|
### Tool usage patterns
|
|
26
|
-
- Over-used tools
|
|
27
|
-
-
|
|
28
|
-
- Unusual
|
|
74
|
+
- **Over-used tools**: 100+ calls to the same tool = possibly a loop
|
|
75
|
+
- **Consistent failures**: same tool failing 5x+ = bug or misconfiguration
|
|
76
|
+
- **Unusual sequences**: 50 writes in a row with no reads = wrong approach
|
|
77
|
+
- **Tool entropy**: too many different tools in one iteration = unfocused task
|
|
29
78
|
|
|
30
79
|
### Error patterns
|
|
31
|
-
- Same error repeating across iterations
|
|
32
|
-
- Error
|
|
33
|
-
-
|
|
80
|
+
- **Same error repeating**: `ToolExecutionError`47x across iterations = systemic issue
|
|
81
|
+
- **Error clustering**: all errors in `bash` tool = command timeout pattern
|
|
82
|
+
- **Error rate by type**: which error type is most common?
|
|
83
|
+
- **Error distribution**: are errors clustered in specific packages or tools?
|
|
34
84
|
|
|
35
85
|
### Cost patterns
|
|
36
|
-
-
|
|
37
|
-
-
|
|
38
|
-
-
|
|
86
|
+
- **Token growth**: tokens/iteration trending up = context bloat
|
|
87
|
+
- **Provider cost**: which model is most expensive per call?
|
|
88
|
+
- **Cost spikes**: sudden3x increase = large file reads or excessive tool calls
|
|
89
|
+
- **Iteration cost variance**: avg $0.04/iter → $0.11/iter = context growing
|
|
39
90
|
|
|
40
91
|
### Context management
|
|
41
|
-
-
|
|
42
|
-
-
|
|
43
|
-
- Session
|
|
92
|
+
- **High tool count per iteration**: >50 tool calls = possible loop or unfocused task
|
|
93
|
+
- **Compaction events**: context compaction triggered 3x in one session = too much context
|
|
94
|
+
- **Session restart**: same session restarting multiple times = crash loop
|
|
95
|
+
- **Long iterations**: single iteration >5min = stuck or waiting on something
|
|
96
|
+
|
|
97
|
+
## Session file structure
|
|
98
|
+
|
|
99
|
+
WrongStack session logs are JSONL files. Each line is a JSON event. Key event types:
|
|
100
|
+
|
|
101
|
+
```
|
|
102
|
+
{"type": "iteration_start", "iteration": 1, "timestamp": "..."}
|
|
103
|
+
{"type": "tool_call", "tool": "read", "input": {"path": "src/index.ts"}, "duration_ms": 12}
|
|
104
|
+
{"type": "tool_result", "tool": "read", "output_lines": 45}
|
|
105
|
+
{"type": "error", "error": {"type": "ToolExecutionError", "message": "...", "tool": "bash"}}
|
|
106
|
+
{"type": "compaction", "reason": "context_near_limit", "tokens_removed": 1200}
|
|
107
|
+
{"type": "cost", "input_tokens": 3400, "output_tokens": 890, "cost_usd": 0.11}
|
|
108
|
+
{"type": "iteration_end", "iteration": 1, "stop_reason": "end_turn"}
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
When reading a session file:
|
|
112
|
+
1. `grep` for event types you need (e.g., `grep '"type": "error"' session.jsonl`)
|
|
113
|
+
2. `read` the full file for detailed analysis
|
|
114
|
+
3. Track iteration boundaries via `iteration_start` / `iteration_end` events
|
|
115
|
+
4. Sum `cost_usd` per iteration for cost trend analysis
|
|
44
116
|
|
|
45
117
|
## Input
|
|
46
118
|
|
|
@@ -64,7 +136,7 @@ Analyzes session logs, event streams, and system traces to surface patterns, ano
|
|
|
64
136
|
- Cost: $X.XX
|
|
65
137
|
|
|
66
138
|
### Top Errors (by count)
|
|
67
|
-
1. `ToolExecutionError` — 47x
|
|
139
|
+
1. `ToolExecutionError` — 47x — concentrated in `bash` tool, command timeout
|
|
68
140
|
2. `PermissionDenied` — 12x — `exec` tool, no trust file entry
|
|
69
141
|
|
|
70
142
|
### Tool Usage
|
|
@@ -93,4 +165,5 @@ Analyzes session logs, event streams, and system traces to surface patterns, ano
|
|
|
93
165
|
## Skills in scope
|
|
94
166
|
|
|
95
167
|
- `bug-hunter` — for turning audit findings into concrete bugs to fix
|
|
96
|
-
- `refactor-planner` — for addressing systemic issues found in logs
|
|
168
|
+
- `refactor-planner` — for addressing systemic issues found in logs
|
|
169
|
+
- `security-scanner` — for security-adjacent findings (leaked keys, injection patterns in logs)
|
|
@@ -11,6 +11,19 @@ version: 1.1.0
|
|
|
11
11
|
|
|
12
12
|
Scans code for bugs and code smells. Outputs a prioritized hit list with file:line references.
|
|
13
13
|
|
|
14
|
+
## Overview
|
|
15
|
+
|
|
16
|
+
Grep/read across target files to surface bugs, anti-patterns, and quality issues. Classifies by severity (critical/high/medium/low) and reports with file:line + fix suggestion.
|
|
17
|
+
|
|
18
|
+
## Rules
|
|
19
|
+
|
|
20
|
+
1. Always include `file:line` in every finding — no line reference = can't be fixed.
|
|
21
|
+
2. Never scan `node_modules` — waste of time, false positives.
|
|
22
|
+
3. Don't report style issues as bugs — those are lint findings.
|
|
23
|
+
4. If >30% of findings are noise, note the false positive rate in the report.
|
|
24
|
+
5. Don't flag deprecated APIs without severity — some deprecations are acceptable.
|
|
25
|
+
6. Sort output: critical > high > medium > low.
|
|
26
|
+
|
|
14
27
|
## Workflow
|
|
15
28
|
|
|
16
29
|
```
|
|
@@ -30,23 +43,25 @@ Scans code for bugs and code smells. Outputs a prioritized hit list with file:li
|
|
|
30
43
|
| **Medium** | Error handling gap, type unsafety | Fix soon |
|
|
31
44
|
| **Low** | Style, minor code smell | Consider fixing |
|
|
32
45
|
|
|
33
|
-
##
|
|
46
|
+
## Patterns
|
|
34
47
|
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
48
|
+
### Do
|
|
49
|
+
|
|
50
|
+
```typescript
|
|
51
|
+
// ✅ FIXED — use textContent instead of innerHTML
|
|
52
|
+
element.textContent = userInput;
|
|
53
|
+
|
|
54
|
+
// ✅ FIXED — parameterized query
|
|
55
|
+
db.query("SELECT * FROM users WHERE id = $1", [userId]);
|
|
56
|
+
|
|
57
|
+
// ✅ FIXED — proper await with catch
|
|
58
|
+
await fetchData().catch(err => console.error(err));
|
|
59
|
+
|
|
60
|
+
// ✅ FIXED — execFile with args array
|
|
61
|
+
execFile('echo', [userInput], { signal: AbortSignal.timeout(5000) });
|
|
47
62
|
```
|
|
48
63
|
|
|
49
|
-
|
|
64
|
+
### Don't
|
|
50
65
|
|
|
51
66
|
```typescript
|
|
52
67
|
// ❌ CRITICAL — hardcoded API key
|
|
@@ -63,13 +78,21 @@ exec(`echo ${userInput}`);
|
|
|
63
78
|
|
|
64
79
|
// ❌ HIGH — unsafe any
|
|
65
80
|
const data: any = response.json();
|
|
81
|
+
```
|
|
66
82
|
|
|
67
|
-
|
|
68
|
-
element.textContent = userInput;
|
|
83
|
+
### Bug patterns to find
|
|
69
84
|
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
85
|
+
| Pattern | Regex hint | Severity |
|
|
86
|
+
|---------|------------|----------|
|
|
87
|
+
| Uncaught promise | `\.then\(` without `.catch` | high |
|
|
88
|
+
| Event listener leak | `on(` without `off/removeListener` | high |
|
|
89
|
+
| Hardcoded secret | `[A-Za-z0-9/+=]{40}` in config or code | critical |
|
|
90
|
+
| unsafe any | `: any\b` or `as any` | medium |
|
|
91
|
+
| innerHTML assignment | `innerHTML\s*=` | high |
|
|
92
|
+
| Missing await | `await` not used on async call | high |
|
|
93
|
+
| Unhandled rejection | `process.on('unhandledRejection'` | medium |
|
|
94
|
+
| SQL concatenation | `"SELECT * FROM " + table` | critical |
|
|
95
|
+
| Shell injection | `exec(\`cmd ${input}\`)` | critical |
|
|
73
96
|
|
|
74
97
|
## Anti-patterns
|
|
75
98
|
|
|
@@ -0,0 +1,155 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: docker-deploy
|
|
3
|
+
description: |
|
|
4
|
+
Use this skill when building, containerizing, or deploying WrongStack
|
|
5
|
+
with Docker. Triggers: user says "docker", "container", "dockerfile",
|
|
6
|
+
"image", "docker-compose", "deploy", "containerize", "registry",
|
|
7
|
+
"multi-stage", "distroless".
|
|
8
|
+
version: 1.0.0
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
# Docker Deploy — WrongStack
|
|
12
|
+
|
|
13
|
+
## Overview
|
|
14
|
+
|
|
15
|
+
Containerizes and deploys WrongStack with Docker. WrongStack is a Node.js CLI tool — containerize it for CI/CD, cloud deployment, or self-hosted setups. Use multi-stage builds to keep images small and distroless base images for security.
|
|
16
|
+
|
|
17
|
+
## Rules
|
|
18
|
+
|
|
19
|
+
1. Multi-stage build: build stage (with dev deps) + runtime stage (production deps only).
|
|
20
|
+
2. Use `node:*` base image with pinned version — not `node:latest`.
|
|
21
|
+
3. Never run as root in the container — use a non-root user.
|
|
22
|
+
4. Pass secrets via environment variables, not baked into the image.
|
|
23
|
+
5. Health check: `docker healthcheck` pointing to the CLI's self-check command.
|
|
24
|
+
6. Tag images with git SHA: `wrongstack:$GIT_SHA` — never `latest` in production.
|
|
25
|
+
7. Scan images for vulnerabilities: `trivy image` or `docker scout` before push.
|
|
26
|
+
8. Use `.dockerignore` to exclude `node_modules`, `dist`, `.git`, `*.test.ts`.
|
|
27
|
+
|
|
28
|
+
## Patterns
|
|
29
|
+
|
|
30
|
+
### Do
|
|
31
|
+
|
|
32
|
+
```dockerfile
|
|
33
|
+
# ✅ Multi-stage build — small production image
|
|
34
|
+
FROM node:22-alpine AS builder
|
|
35
|
+
WORKDIR /app
|
|
36
|
+
COPY package.json pnpm-lock.yaml .pnpmfile.cjs ./
|
|
37
|
+
RUN corepack enable && pnpm install --frozen-lockfile
|
|
38
|
+
COPY . .
|
|
39
|
+
RUN pnpm build
|
|
40
|
+
|
|
41
|
+
FROM node:22-alpine AS runtime
|
|
42
|
+
WORKDIR /app
|
|
43
|
+
# Copy only what's needed
|
|
44
|
+
COPY --from=builder /app/packages/cli/dist ./dist/
|
|
45
|
+
COPY --from=builder /app/node_modules ./node_modules/
|
|
46
|
+
COPY --from=builder /app/packages/cli/package.json ./
|
|
47
|
+
|
|
48
|
+
# Non-root user
|
|
49
|
+
RUN addgroup -S wrongstack && adduser -S wrongstack -G wrongstack
|
|
50
|
+
USER wrongstack
|
|
51
|
+
|
|
52
|
+
ENTRYPOINT ["node", "dist/index.js"]
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
```yaml
|
|
56
|
+
# ✅ docker-compose.yml — development
|
|
57
|
+
version: '3.9'
|
|
58
|
+
services:
|
|
59
|
+
wrongstack:
|
|
60
|
+
build:
|
|
61
|
+
context: .
|
|
62
|
+
dockerfile: Dockerfile
|
|
63
|
+
environment:
|
|
64
|
+
- WRONGSTACK_CONFIG_DIR=/app/.wrongstack
|
|
65
|
+
- WRONGSTACK_SESSION_ROOT=/app/sessions
|
|
66
|
+
volumes:
|
|
67
|
+
- .:/app
|
|
68
|
+
- wrongstack-data:/app/.wrongstack
|
|
69
|
+
stdin_open: true
|
|
70
|
+
tty: true
|
|
71
|
+
|
|
72
|
+
volumes:
|
|
73
|
+
wrongstack-data:
|
|
74
|
+
```
|
|
75
|
+
|
|
76
|
+
```bash
|
|
77
|
+
# ✅ Build with git SHA tag
|
|
78
|
+
IMAGE_TAG="wrongstack:$(git rev-parse --short HEAD)"
|
|
79
|
+
docker build -t "$IMAGE_TAG" .
|
|
80
|
+
docker tag "$IMAGE_TAG" "registry.example.com/wrongstack:$IMAGE_TAG"
|
|
81
|
+
docker push "registry.example.com/wrongstack:$IMAGE_TAG"
|
|
82
|
+
```
|
|
83
|
+
|
|
84
|
+
### Don't
|
|
85
|
+
|
|
86
|
+
```dockerfile
|
|
87
|
+
# ❌ Running as root
|
|
88
|
+
FROM node:22
|
|
89
|
+
WORKDIR /app
|
|
90
|
+
COPY . .
|
|
91
|
+
RUN npm install && npm run build
|
|
92
|
+
ENTRYPOINT ["npm", "start"]
|
|
93
|
+
|
|
94
|
+
# ❌ No .dockerignore — copies everything
|
|
95
|
+
# node_modules, .git, dist/ end up in the image
|
|
96
|
+
|
|
97
|
+
# ❌ Secrets baked into image
|
|
98
|
+
ARG API_KEY
|
|
99
|
+
RUN echo $API_KEY > /app/config.key # ❌
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
## Dockerfile best practices
|
|
103
|
+
|
|
104
|
+
| Practice | Why |
|
|
105
|
+
|----------|-----|
|
|
106
|
+
| Pin base image version | `node:22-alpine` not `node:latest` |
|
|
107
|
+
| Multi-stage build | 1GB → ~150MB image size |
|
|
108
|
+
| Non-root user | Security: container compromise ≠ host root |
|
|
109
|
+
| `.dockerignore` | Smaller image, faster builds |
|
|
110
|
+
| No `latest` tag | Reproducibility — you always know which SHA |
|
|
111
|
+
| Health check | Kubernetes/docker-compose health monitoring |
|
|
112
|
+
|
|
113
|
+
## Environment variables
|
|
114
|
+
|
|
115
|
+
```bash
|
|
116
|
+
# Required at runtime
|
|
117
|
+
WRONGSTACK_CONFIG_DIR=/app/.wrongstack
|
|
118
|
+
WRONGSTACK_SESSION_ROOT=/app/sessions
|
|
119
|
+
|
|
120
|
+
# Optional
|
|
121
|
+
WRONGSTACK_PROVIDER=anthropic
|
|
122
|
+
WRONGSTACK_MODEL=claude-3-5-sonnet-20241022
|
|
123
|
+
WRONGSTACK_API_KEY=${ANTHROPIC_API_KEY} # from secrets manager
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
## Health check
|
|
127
|
+
|
|
128
|
+
```dockerfile
|
|
129
|
+
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
|
130
|
+
CMD node dist/index.js diag-doctor || exit 1
|
|
131
|
+
```
|
|
132
|
+
|
|
133
|
+
## Image scanning
|
|
134
|
+
|
|
135
|
+
```bash
|
|
136
|
+
# Scan before push
|
|
137
|
+
trivy image wrongstack:$GIT_SHA
|
|
138
|
+
|
|
139
|
+
# Block critical vulnerabilities
|
|
140
|
+
trivy image --exit-code 1 --ignore-unfixed --severity HIGH,CRITICAL wrongstack:$GIT_SHA
|
|
141
|
+
```
|
|
142
|
+
|
|
143
|
+
## WrongStack-specific notes
|
|
144
|
+
|
|
145
|
+
- **WrongStack CLI entry point**: `packages/cli/dist/index.js` after build.
|
|
146
|
+
- **pnpm workspaces**: Build from repo root — `pnpm -r build` before `docker build`.
|
|
147
|
+
- **Session storage**: Sessions are stored at `WRONGSTACK_SESSION_ROOT` — mount a volume for persistence.
|
|
148
|
+
- **Config**: Config is at `WRONGSTACK_CONFIG_DIR` — mount for config persistence across restarts.
|
|
149
|
+
|
|
150
|
+
## Skills in scope
|
|
151
|
+
|
|
152
|
+
- `security-scanner` — for scanning Dockerfiles and container configs for vulnerabilities
|
|
153
|
+
- `git-flow` — for tagging releases and managing Docker image versions
|
|
154
|
+
- `node-modern` — for Node.js-specific containerization patterns
|
|
155
|
+
- `observability` — for logging and tracing in containerized environments
|
package/skills/git-flow/SKILL.md
CHANGED
|
@@ -9,6 +9,57 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Git Workflow — WrongStack
|
|
11
11
|
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Guides commit messages, branch hygiene, PR strategy, and merge decisions. WrongStack uses pnpm workspaces — use `pnpm -r` for recursive commands across packages.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. One concern per commit — never mix logic changes with lockfile updates.
|
|
19
|
+
2. Never force-push shared branches — use `--force-with-lease` on own branches only.
|
|
20
|
+
3. Always branch from `main` or a stable release tag.
|
|
21
|
+
4. Small, frequent commits with clear messages beat large, vague ones.
|
|
22
|
+
5. Rebase onto `main` before PR when safe for cleaner history.
|
|
23
|
+
6. Delete branches after merge unless shared or releasing.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```bash
|
|
30
|
+
# ✅ Good commit — what and why
|
|
31
|
+
fix: correct race condition in token refresh
|
|
32
|
+
|
|
33
|
+
Retry logic now respects backoff multiplier. Without this,
|
|
34
|
+
repeated failures would hammer the provider instead of backing off.
|
|
35
|
+
|
|
36
|
+
Fix #123
|
|
37
|
+
|
|
38
|
+
# ✅ Topic branch naming
|
|
39
|
+
feat/login
|
|
40
|
+
fix/session-leak
|
|
41
|
+
refactor/auth-layer
|
|
42
|
+
|
|
43
|
+
# ✅ Feature branch → rebase → fast-forward merge
|
|
44
|
+
git rebase main && git merge --ff-only feature
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
### Don't
|
|
48
|
+
|
|
49
|
+
```bash
|
|
50
|
+
# ❌ Bad — what, not why
|
|
51
|
+
git commit -m "fix: fixed bug"
|
|
52
|
+
|
|
53
|
+
# ❌ Bad — WIP commit left in main
|
|
54
|
+
git commit -m "WIP"
|
|
55
|
+
|
|
56
|
+
# ❌ Bad — force-push to shared branch
|
|
57
|
+
git push --force origin main
|
|
58
|
+
|
|
59
|
+
# ❌ Bad — mega-commit across 15 packages
|
|
60
|
+
git commit -m "Update stuff"
|
|
61
|
+
```
|
|
62
|
+
|
|
12
63
|
## Commit messages
|
|
13
64
|
|
|
14
65
|
Format: `type: short description`
|
|
@@ -84,4 +135,5 @@ git rebase main && git merge --ff-only feature
|
|
|
84
135
|
## Skills in scope
|
|
85
136
|
|
|
86
137
|
- `refactor-planner` — when a refactor involves multiple git-managed changes
|
|
87
|
-
- `multi-agent` — for fleet-wide version audits across packages
|
|
138
|
+
- `multi-agent` — for fleet-wide version audits across packages
|
|
139
|
+
- `bug-hunter` — for spotting bugs at commit time before they reach main
|
|
@@ -9,6 +9,48 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Multi-Agent Coordination — WrongStack
|
|
11
11
|
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Coordinates parallel AI agent execution for tasks that benefit from fanning out. Leader delegates narrow subtasks to workers, collects structured results, and synthesizes a unified output.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Subagents share nothing — no memory, no session state, no variable scope.
|
|
19
|
+
2. Leader must aggregate results — don't let worker output go unprocessed.
|
|
20
|
+
3. Narrow task scope per subagent — broad tasks cause `budget_exhausted`.
|
|
21
|
+
4. Role must match task — don't use `bug-hunter` to write docs.
|
|
22
|
+
5. Check `stopReason` on every result: `end_turn` (clean), `budget_exhausted` (retry), `error` (surface), `aborted` (don't retry).
|
|
23
|
+
6. Don't fan out single atomic tasks under 5 tool calls — overhead exceeds benefit.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```typescript
|
|
30
|
+
// ✅ Good — narrow, focused task per subagent
|
|
31
|
+
batch_tool_use([
|
|
32
|
+
{ tool: "delegate", input: { task: "Audit auth/session.ts for null-deref bugs", role: "bug-hunter" }},
|
|
33
|
+
{ tool: "delegate", input: { task: "Audit auth/token.ts for null-deref bugs", role: "bug-hunter" }},
|
|
34
|
+
{ tool: "delegate", input: { task: "Audit auth/refresh.ts for null-deref bugs", role: "bug-hunter" }},
|
|
35
|
+
])
|
|
36
|
+
|
|
37
|
+
// ✅ Leader passes artifact explicitly
|
|
38
|
+
// Subagent B gets subagent A's output as part of the task description
|
|
39
|
+
```
|
|
40
|
+
|
|
41
|
+
### Don't
|
|
42
|
+
|
|
43
|
+
```typescript
|
|
44
|
+
// ❌ Bad — too broad, will exhaust budget
|
|
45
|
+
{ task: "Audit all packages for bugs" }
|
|
46
|
+
|
|
47
|
+
// ❌ Bad — no aggregation
|
|
48
|
+
// Subagents return results, leader pastes raw output without synthesis
|
|
49
|
+
|
|
50
|
+
// ❌ Bad — role mismatch
|
|
51
|
+
{ task: "Write documentation for the API", role: "bug-hunter" }
|
|
52
|
+
```
|
|
53
|
+
|
|
12
54
|
## When to fan out
|
|
13
55
|
|
|
14
56
|
✅ Good fits:
|