@wrongstack/core 0.9.4 → 0.9.19
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{agent-subagent-runner-DaF_EgRG.d.ts → agent-subagent-runner-C4qt9e5Y.d.ts} +1 -1
- package/dist/{config-SkMIDN9L.d.ts → config-CWva0qoL.d.ts} +4 -0
- package/dist/coordination/index.d.ts +8 -7
- package/dist/coordination/index.js +672 -46
- package/dist/coordination/index.js.map +1 -1
- package/dist/defaults/index.d.ts +12 -11
- package/dist/defaults/index.js +780 -23
- package/dist/defaults/index.js.map +1 -1
- package/dist/execution/index.d.ts +7 -6
- package/dist/execution/index.js +1 -0
- package/dist/execution/index.js.map +1 -1
- package/dist/extension/index.d.ts +4 -3
- package/dist/{index-CP8638Wm.d.ts → index-aizK8olO.d.ts} +3 -2
- package/dist/{index-Bsha5K4D.d.ts → index-p95HQ22A.d.ts} +3 -2
- package/dist/index.d.ts +22 -16
- package/dist/index.js +861 -35
- package/dist/index.js.map +1 -1
- package/dist/infrastructure/index.d.ts +2 -2
- package/dist/kernel/index.d.ts +4 -3
- package/dist/{mcp-servers-BouUWYW6.d.ts → mcp-servers-BkVEqkRe.d.ts} +1 -1
- package/dist/{multi-agent-coordinator-DTXF2aAl.d.ts → multi-agent-coordinator-bRaI_aD1.d.ts} +1 -1
- package/dist/{null-fleet-bus-Chrc_3Pp.d.ts → null-fleet-bus-DKM3Iy9d.d.ts} +183 -3
- package/dist/{secret-scrubber-DttNiGYA.d.ts → permission-bPuzAy4x.d.ts} +1 -6
- package/dist/{permission-policy-BpCGYBud.d.ts → permission-policy-BUQSutpl.d.ts} +8 -1
- package/dist/{plan-templates-envSmNlZ.d.ts → plan-templates-fkQTyz3U.d.ts} +25 -1
- package/dist/sdd/index.d.ts +5 -4
- package/dist/sdd/index.js +1 -0
- package/dist/sdd/index.js.map +1 -1
- package/dist/secret-scrubber-3MHDDAtm.d.ts +6 -0
- package/dist/{secret-scrubber-QSeI0ADi.d.ts → secret-scrubber-7rSC_emZ.d.ts} +1 -1
- package/dist/security/index.d.ts +4 -3
- package/dist/security/index.js +37 -6
- package/dist/security/index.js.map +1 -1
- package/dist/storage/index.d.ts +3 -2
- package/dist/storage/index.js +88 -5
- package/dist/storage/index.js.map +1 -1
- package/dist/{tool-executor-CsktM3h9.d.ts → tool-executor-Boo3dekH.d.ts} +1 -1
- package/dist/types/index.d.ts +6 -5
- package/dist/types/index.js.map +1 -1
- package/dist/utils/index.d.ts +12 -1
- package/dist/utils/index.js +85 -1
- package/dist/utils/index.js.map +1 -1
- package/package.json +1 -1
- package/skills/api-design/SKILL.md +139 -0
- package/skills/audit-log/SKILL.md +87 -14
- package/skills/bug-hunter/SKILL.md +42 -19
- package/skills/docker-deploy/SKILL.md +155 -0
- package/skills/git-flow/SKILL.md +53 -1
- package/skills/multi-agent/SKILL.md +42 -0
- package/skills/node-modern/SKILL.md +57 -1
- package/skills/observability/SKILL.md +134 -0
- package/skills/prompt-engineering/SKILL.md +46 -19
- package/skills/react-modern/SKILL.md +92 -1
- package/skills/refactor-planner/SKILL.md +49 -1
- package/skills/sdd/SKILL.md +12 -1
- package/skills/security-scanner/SKILL.md +46 -1
- package/skills/skill-creator/SKILL.md +49 -52
- package/skills/testing/SKILL.md +170 -0
- package/skills/typescript-strict/SKILL.md +98 -1
|
@@ -9,6 +9,61 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Modern Node.js (>= 22) — WrongStack
|
|
11
11
|
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Node.js >= 22 patterns: ESM-only imports, native fetch with AbortSignal, Web Streams, and async patterns. WrongStack uses ESM throughout — no CommonJS in new code.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Always use ESM (`import` with `.js` extension) — never `require()`.
|
|
19
|
+
2. Always use `node:` protocol for built-in modules.
|
|
20
|
+
3. Always use `AbortSignal.timeout()` for long-running operations (fetch, spawn, setTimeout).
|
|
21
|
+
4. Never use axios, node-fetch, or got — native fetch is sufficient.
|
|
22
|
+
5. Always handle `ENOENT` on file reads — use try/catch or `access` first.
|
|
23
|
+
6. Use `Promise.allSettled` when partial failure is acceptable.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```typescript
|
|
30
|
+
// ✅ ESM with .js extension and node: protocol
|
|
31
|
+
import * as fs from 'node:fs/promises';
|
|
32
|
+
import { createServer } from 'node:http';
|
|
33
|
+
import { helper } from './helper.js';
|
|
34
|
+
|
|
35
|
+
// ✅ Native fetch with AbortSignal
|
|
36
|
+
const res = await fetch(url, { signal: AbortSignal.timeout(5000) });
|
|
37
|
+
|
|
38
|
+
// ✅ Atomic write
|
|
39
|
+
const tmp = `${target}.${randomBytes(4).toString('hex')}.tmp`;
|
|
40
|
+
await writeFile(tmp, data);
|
|
41
|
+
await rename(tmp, target);
|
|
42
|
+
|
|
43
|
+
// ✅ Parallel with allSettled
|
|
44
|
+
const results = await Promise.allSettled(tasks.map(t => t.run()));
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
### Don't
|
|
48
|
+
|
|
49
|
+
```typescript
|
|
50
|
+
// ❌ CommonJS
|
|
51
|
+
const fs = require('fs/promises');
|
|
52
|
+
|
|
53
|
+
// ❌ No AbortSignal — hangs forever on timeout
|
|
54
|
+
await fetch(url);
|
|
55
|
+
|
|
56
|
+
// ❌ axios in new code
|
|
57
|
+
const res = await axios.get(url);
|
|
58
|
+
|
|
59
|
+
// ❌ Swallowing AbortError silently
|
|
60
|
+
try {
|
|
61
|
+
await fetch(url);
|
|
62
|
+
} catch (e) {
|
|
63
|
+
// AbortError means timeout — log it or handle explicitly
|
|
64
|
+
}
|
|
65
|
+
```
|
|
66
|
+
|
|
12
67
|
## Imports — always ESM
|
|
13
68
|
|
|
14
69
|
```ts
|
|
@@ -130,4 +185,5 @@ while (true) {
|
|
|
130
185
|
|
|
131
186
|
- `typescript-strict` — strict TypeScript patterns
|
|
132
187
|
- `react-modern` — React Server Components with Node.js
|
|
133
|
-
- `bug-hunter` — catching async/await bugs, unhandled rejections
|
|
188
|
+
- `bug-hunter` — catching async/await bugs, unhandled rejections
|
|
189
|
+
- `sdd` — for setting up new Node.js features with a spec first
|
|
@@ -0,0 +1,134 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: observability
|
|
3
|
+
description: |
|
|
4
|
+
Use this skill when instrumenting logs, traces, or metrics in WrongStack,
|
|
5
|
+
or when setting up observability for a new feature. Triggers: user says
|
|
6
|
+
"log", "trace", "metrics", "observability", "instrument", "structured logging",
|
|
7
|
+
"opentelemetry", "log level", "debug", "monitoring".
|
|
8
|
+
version: 1.0.0
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
# Observability — WrongStack
|
|
12
|
+
|
|
13
|
+
## Overview
|
|
14
|
+
|
|
15
|
+
Instruments WrongStack code with structured logs, traces, and metrics. WrongStack uses structured logging (JSON to stdout), and pairs with `audit-log` for session analysis. The goal: every significant event is traceable from input to output.
|
|
16
|
+
|
|
17
|
+
## Rules
|
|
18
|
+
|
|
19
|
+
1. Log at the right level: `DEBUG` (dev only), `INFO` (normal flow), `WARN` (recoverable), `ERROR` (needs attention).
|
|
20
|
+
2. Structured logs only — JSON to stdout, not plain text to files.
|
|
21
|
+
3. Every significant event needs a `traceId` — correlate across tools.
|
|
22
|
+
4. Never log secrets, tokens, or PII — redact before logging.
|
|
23
|
+
5. Logs must answer: what happened, what context, what was the outcome.
|
|
24
|
+
6. Metrics: count errors, measure latency, track active sessions.
|
|
25
|
+
7. Traces: every tool call should be a span with timing.
|
|
26
|
+
|
|
27
|
+
## Patterns
|
|
28
|
+
|
|
29
|
+
### Do
|
|
30
|
+
|
|
31
|
+
```typescript
|
|
32
|
+
// ✅ Structured log — JSON to stdout
|
|
33
|
+
console.log(JSON.stringify({
|
|
34
|
+
level: 'info',
|
|
35
|
+
traceId: context.traceId,
|
|
36
|
+
event: 'tool_executed',
|
|
37
|
+
tool: 'read',
|
|
38
|
+
path: 'src/index.ts',
|
|
39
|
+
duration_ms: 12,
|
|
40
|
+
outcome: 'success',
|
|
41
|
+
}));
|
|
42
|
+
|
|
43
|
+
// ✅ Error with context
|
|
44
|
+
console.log(JSON.stringify({
|
|
45
|
+
level: 'error',
|
|
46
|
+
traceId: context.traceId,
|
|
47
|
+
event: 'tool_failed',
|
|
48
|
+
tool: 'bash',
|
|
49
|
+
command: 'pnpm test',
|
|
50
|
+
error: err.message,
|
|
51
|
+
duration_ms: 30000,
|
|
52
|
+
outcome: 'timeout',
|
|
53
|
+
}));
|
|
54
|
+
|
|
55
|
+
// ✅ Trace span around a tool call
|
|
56
|
+
import { trace } from 'node:opentelemetry/api';
|
|
57
|
+
const span = trace.getTracer('wrongstack').startSpan('bash');
|
|
58
|
+
try {
|
|
59
|
+
const result = await bash(cmd);
|
|
60
|
+
span.setStatus({ code: SpanStatusCode.OK });
|
|
61
|
+
return result;
|
|
62
|
+
} catch (err) {
|
|
63
|
+
span.recordException(err);
|
|
64
|
+
span.setStatus({ code: SpanStatusCode.ERROR });
|
|
65
|
+
throw err;
|
|
66
|
+
} finally {
|
|
67
|
+
span.end();
|
|
68
|
+
}
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
### Don't
|
|
72
|
+
|
|
73
|
+
```typescript
|
|
74
|
+
// ❌ Plain text log
|
|
75
|
+
console.log('User logged in'); // not structured, hard to search
|
|
76
|
+
|
|
77
|
+
// ❌ Logging secrets
|
|
78
|
+
console.log(JSON.stringify({ token: bearerToken })); // redact!
|
|
79
|
+
|
|
80
|
+
// ❌ Log level confusion
|
|
81
|
+
console.log('DEBUG: entering function'); // INFO/WARN/ERROR only in prod
|
|
82
|
+
|
|
83
|
+
// ❌ Missing traceId
|
|
84
|
+
console.log(JSON.stringify({ event: 'tool_executed' })); // no correlation
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
## Log levels
|
|
88
|
+
|
|
89
|
+
| Level | When to use | Example |
|
|
90
|
+
|-------|-------------|---------|
|
|
91
|
+
| `DEBUG` | Dev-only detail | "entering parseArgs with 3 args" |
|
|
92
|
+
| `INFO` | Normal flow | "tool executed", "session started" |
|
|
93
|
+
| `WARN` | Recoverable issue | "retry attempt2/3", "cache miss" |
|
|
94
|
+
| `ERROR` | Needs attention | "tool timeout", "auth failure" |
|
|
95
|
+
|
|
96
|
+
## Structured log schema
|
|
97
|
+
|
|
98
|
+
Every log should include:
|
|
99
|
+
|
|
100
|
+
```json
|
|
101
|
+
{
|
|
102
|
+
"level": "info | warn | error",
|
|
103
|
+
"traceId": "uuid",
|
|
104
|
+
"event": "event_name",
|
|
105
|
+
"timestamp": "ISO8601",
|
|
106
|
+
"duration_ms": 12,
|
|
107
|
+
"outcome": "success | failure | timeout",
|
|
108
|
+
"context": { /* optional extra */ }
|
|
109
|
+
}
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
## Metrics to track
|
|
113
|
+
|
|
114
|
+
| Metric | Type | Why |
|
|
115
|
+
|--------|------|-----|
|
|
116
|
+
| `tool.executions` | Counter | How often each tool runs |
|
|
117
|
+
| `tool.duration_ms` | Histogram | Latency per tool |
|
|
118
|
+
| `session.iterations` | Gauge | Active iterations per session |
|
|
119
|
+
| `error.count` | Counter | Errors by type |
|
|
120
|
+
| `context.tokens` | Gauge | Context size per session |
|
|
121
|
+
|
|
122
|
+
## WrongStack-specific notes
|
|
123
|
+
|
|
124
|
+
- **Session logs**: WrongStack writes session JSONL to `sessionRoot` — see `audit-log` skill for analysis.
|
|
125
|
+
- **Log output**: All logs go to stdout as JSON — CI captures them, not file logs.
|
|
126
|
+
- **Redaction**: Use `redactKeys()` helper — never log `Authorization`, `token`, `apiKey`, `secret`.
|
|
127
|
+
- **Tool tracing**: Each tool wrapper should emit a structured log on start and end.
|
|
128
|
+
|
|
129
|
+
## Skills in scope
|
|
130
|
+
|
|
131
|
+
- `audit-log` — for analyzing the logs this skill produces
|
|
132
|
+
- `bug-hunter` — for finding bugs via error trace patterns
|
|
133
|
+
- `security-scanner` — for ensuring no secrets leak into logs
|
|
134
|
+
- `node-modern` — for async tracing patterns with AbortSignal
|
|
@@ -9,6 +9,51 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Prompt Engineering — WrongStack
|
|
11
11
|
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Designs, critiques, and fixes system prompts, tool descriptions, and skill definitions for LLM agents. WrongStack uses a 4-layer prompt structure — static content first, volatile last for cache efficiency.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Static content first, volatile last — cache-friendly prompts cost less per token.
|
|
19
|
+
2. First sentence of skill description = trigger — keep it specific and actionable.
|
|
20
|
+
3. Tool descriptions must say: when to use, key parameters, what it returns.
|
|
21
|
+
4. Remove filler ("Please be helpful", "Sure, I'd be happy to") — wastes tokens.
|
|
22
|
+
5. Always read before edit — agents should grep/read first, then edit.
|
|
23
|
+
6. Skill descriptions should list specific trigger keywords, not generic descriptions.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```markdown
|
|
30
|
+
# ✅ Good — specific trigger
|
|
31
|
+
Use this skill when writing or reviewing React 19+ code.
|
|
32
|
+
|
|
33
|
+
# ✅ Good — tool description with all three parts
|
|
34
|
+
Search file contents with regex. Pattern is regex. Use output_mode to select
|
|
35
|
+
content (matched lines), files_with_matches (file list), or count (line counts).
|
|
36
|
+
Always read before edit — grep first to locate the target.
|
|
37
|
+
|
|
38
|
+
# ✅ Good — skill description with trigger keywords
|
|
39
|
+
Use this skill when designing system prompts or tool descriptions
|
|
40
|
+
for LLM agents. Covers structure, specificity, and common pitfalls.
|
|
41
|
+
Triggers: user mentions "prompt", "system instruction", "tool hint".
|
|
42
|
+
```
|
|
43
|
+
|
|
44
|
+
### Don't
|
|
45
|
+
|
|
46
|
+
```markdown
|
|
47
|
+
# ❌ Bad — vague trigger
|
|
48
|
+
This skill is about Docker.
|
|
49
|
+
|
|
50
|
+
# ❌ Bad — filler
|
|
51
|
+
Please be helpful and use your best judgment.
|
|
52
|
+
|
|
53
|
+
# ❌ Bad — tool description missing parameters
|
|
54
|
+
Search files using grep.
|
|
55
|
+
```
|
|
56
|
+
|
|
12
57
|
## WrongStack's 4-layer structure
|
|
13
58
|
|
|
14
59
|
```
|
|
@@ -84,26 +129,8 @@ See `skill-creator` skill for the format. Key points:
|
|
|
84
129
|
- Include concrete code examples in "Do" and "Don't" sections
|
|
85
130
|
- End with "Skills in scope" so agents know to delegate
|
|
86
131
|
|
|
87
|
-
## Anti-patterns for skill descriptions
|
|
88
|
-
|
|
89
|
-
```
|
|
90
|
-
# Bad — doesn't say when to use it
|
|
91
|
-
This skill helps with code review.
|
|
92
|
-
|
|
93
|
-
# Good — specific trigger
|
|
94
|
-
Use this skill when reviewing a pull request or reviewing code changes
|
|
95
|
-
before committing. Covers bug detection, style, and security.
|
|
96
|
-
|
|
97
|
-
# Bad — too long, no trigger
|
|
98
|
-
This skill is a comprehensive guide to writing effective prompts...
|
|
99
|
-
|
|
100
|
-
# Good — short trigger + description
|
|
101
|
-
Use this skill when designing system prompts or tool descriptions
|
|
102
|
-
for LLM agents. Covers structure, specificity, and common pitfalls.
|
|
103
|
-
```
|
|
104
|
-
|
|
105
132
|
## Skills in scope
|
|
106
133
|
|
|
107
|
-
- `skill-creator` — for creating new skills
|
|
134
|
+
- `skill-creator` — for creating new skills (primary — prompt-engineering feeds into skill creation)
|
|
108
135
|
- `typescript-strict` — for TypeScript-specific prompt typing
|
|
109
136
|
- `react-modern` — for React component prompt conventions
|
|
@@ -9,6 +9,55 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Modern React (19+) — WrongStack
|
|
11
11
|
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
React 19+ patterns: Server Components by default, `use` hook for promises, `useTransition` for non-blocking updates, and clean client boundary management. WrongStack uses TypeScript throughout.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Default to Server Components — mark `'use client'` only for interactive code.
|
|
19
|
+
2. Keep the client boundary minimal — avoid unnecessary serialization errors.
|
|
20
|
+
3. Don't use `useEffect` for data fetching — use Server Components or `use(promise)`.
|
|
21
|
+
4. Don't use `forwardRef` in new code — `ref` is a regular prop in React 19.
|
|
22
|
+
5. Use named exports for components — default exports hinder refactoring.
|
|
23
|
+
6. Event handlers must have explicit types: `React.MouseEvent<HTMLButtonElement>`.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```tsx
|
|
30
|
+
// ✅ Server Component — direct await
|
|
31
|
+
async function Profile({ userId }: { userId: string }) {
|
|
32
|
+
const user = await fetch(`/api/users/${userId}`).then(r => r.json());
|
|
33
|
+
return <div>{user.name}</div>;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
// ✅ Client Component — use(promise) for thenables
|
|
37
|
+
import { use } from 'react';
|
|
38
|
+
function UserData({ promise }: { promise: Promise<User> }) {
|
|
39
|
+
const user = use(promise);
|
|
40
|
+
return <div>{user.name}</div>;
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
// ✅ useTransition for non-urgent updates
|
|
44
|
+
const [isPending, startTransition] = useTransition();
|
|
45
|
+
startTransition(() => setPage(page + 1));
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### Don't
|
|
49
|
+
|
|
50
|
+
```tsx
|
|
51
|
+
// ❌ Bad — useEffect for data fetching
|
|
52
|
+
useEffect(() => { fetchData().then(setData); }, []);
|
|
53
|
+
|
|
54
|
+
// ❌ Bad — forwardRef in new code
|
|
55
|
+
const Button = forwardRef<HTMLButtonElement, ButtonProps>(...)
|
|
56
|
+
|
|
57
|
+
// ❌ Bad — default export
|
|
58
|
+
export default function Button() { ... }
|
|
59
|
+
```
|
|
60
|
+
|
|
12
61
|
## Component types
|
|
13
62
|
|
|
14
63
|
```tsx
|
|
@@ -76,10 +125,52 @@ const fullName = firstName + ' ' + lastName;
|
|
|
76
125
|
| `useState` | Local component state | Don't sync with props via useEffect |
|
|
77
126
|
| `useReducer` | Complex state logic | Don't chain useState for related state |
|
|
78
127
|
| `useTransition` | Non-blocking updates | Don't use for urgent state changes |
|
|
128
|
+
| `useDeferredValue` | Deferring expensive rendering | Don't use for urgent state changes |
|
|
129
|
+
| `useCallback` | Stable function references for deps | Don't memoize everything — measure first |
|
|
130
|
+
| `useMemo` | Expensive computations | Don't memoize trivial calculations |
|
|
79
131
|
| `use` | Awaiting promises in render | Don't use outside component render |
|
|
80
132
|
| `useEffect` | Side effects only | Don't use for data fetching or derived state |
|
|
81
133
|
|
|
82
|
-
##
|
|
134
|
+
## Patterns
|
|
135
|
+
|
|
136
|
+
### Do
|
|
137
|
+
|
|
138
|
+
```tsx
|
|
139
|
+
// ✅ useDeferredValue for expensive search
|
|
140
|
+
function SearchResults({ query }: { query: string }) {
|
|
141
|
+
const deferredQuery = useDeferredValue(query);
|
|
142
|
+
// deferredQuery lags behind query — renders are non-blocking
|
|
143
|
+
}
|
|
144
|
+
|
|
145
|
+
// ✅ useCallback for stable deps in child
|
|
146
|
+
const handleClick = useCallback(() => {
|
|
147
|
+
setCount(c => c + 1);
|
|
148
|
+
}, []);
|
|
149
|
+
|
|
150
|
+
// ✅ useMemo for expensive transformations
|
|
151
|
+
const sorted = useMemo(
|
|
152
|
+
() => items.slice().sort((a, b) => a.name.localeCompare(b.name)),
|
|
153
|
+
[items]
|
|
154
|
+
);
|
|
155
|
+
```
|
|
156
|
+
|
|
157
|
+
### Don't
|
|
158
|
+
|
|
159
|
+
```tsx
|
|
160
|
+
// ❌ useMemo for trivial operations
|
|
161
|
+
const doubled = useMemo(() => count * 2, [count]); // not worth it
|
|
162
|
+
|
|
163
|
+
// ❌ useCallback when deps change every render
|
|
164
|
+
const handleClick = useCallback(() => {
|
|
165
|
+
doSomething(obj); // obj changes every render — no benefit
|
|
166
|
+
}, [obj]);
|
|
167
|
+
|
|
168
|
+
// ❌ useDeferredValue for simple state
|
|
169
|
+
const [name, setName] = useState('');
|
|
170
|
+
const deferredName = useDeferredValue(name); // overkill
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
### Common React 19 changes
|
|
83
174
|
|
|
84
175
|
- `ref` is a regular prop — no more `forwardRef`
|
|
85
176
|
- Server Components can be nested without serialization
|
|
@@ -9,7 +9,55 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Refactor Planner — WrongStack
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Analyzes code structure and produces a phased refactoring plan with risk assessment, dependency ordering, and rollback strategy. Use for multi-file refactors, breaking up large modules, or addressing technical debt.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Always build a dependency graph before planning — assumptions cause wasted work.
|
|
19
|
+
2. Always include a rollback strategy — every refactor can fail.
|
|
20
|
+
3. Never skip Phase 1 (low-risk quick wins) — momentum matters.
|
|
21
|
+
4. Never over-phase — if a task takes <1h, merge it with related tasks.
|
|
22
|
+
5. Rate each module by: cyclomatic complexity, test coverage, fan-out, public API surface.
|
|
23
|
+
6. Never ignore team constraints — parallelization only works if reviewers exist.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```json
|
|
30
|
+
// ✅ Good — risk assessment checklist
|
|
31
|
+
{
|
|
32
|
+
"module": "src/auth/session.ts",
|
|
33
|
+
"size": 450,
|
|
34
|
+
"cyclomatic": 12,
|
|
35
|
+
"testCoverage": 65,
|
|
36
|
+
"fanOut": 8,
|
|
37
|
+
"publicAPI": true,
|
|
38
|
+
"dependencies": ["core", "providers"],
|
|
39
|
+
"dependents": ["cli", "tui", "webui"]
|
|
40
|
+
}
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
```text
|
|
44
|
+
// ✅ Good — dependency graph (most important part)
|
|
45
|
+
config.ts → logger.ts → path-resolver.ts
|
|
46
|
+
↓ ↓
|
|
47
|
+
secret-vault.ts session-store.ts
|
|
48
|
+
↓ ↓
|
|
49
|
+
└────────→ agent.ts ←←←
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
### Don't
|
|
53
|
+
|
|
54
|
+
```json
|
|
55
|
+
// ❌ Bad — no dependency graph
|
|
56
|
+
// "Refactor the auth layer" — with no graph, order is guessed
|
|
57
|
+
|
|
58
|
+
// ❌ Bad — no rollback strategy
|
|
59
|
+
// "We'll figure it out if something breaks" — plan for failure
|
|
60
|
+
```
|
|
13
61
|
|
|
14
62
|
## When to use
|
|
15
63
|
|
package/skills/sdd/SKILL.md
CHANGED
|
@@ -9,7 +9,18 @@ version: 2.1.0
|
|
|
9
9
|
|
|
10
10
|
# Spec-Driven Development — WrongStack
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Every non-trivial change starts with a spec. The spec is the source of truth — it defines what to build, how to verify it, and what counts as done. SDD uses `/sdd` slash commands to create specs, generate task graphs, and track execution.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Every non-trivial task needs a spec before writing code — you'll rewrite it anyway.
|
|
19
|
+
2. Spec must have acceptance criteria — without them, you can't know when it's done.
|
|
20
|
+
3. Tasks must have dependencies — everything is a dependency of something.
|
|
21
|
+
4. Spec must be specific: "Users authenticate via OAuth2 with PKCE" not "improve auth".
|
|
22
|
+
5. Skipping `/sdd` for urgent tasks backfires — the spec is what makes "urgent" possible.
|
|
23
|
+
6. When the spec reveals a multi-file refactor, delegate to `refactor-planner` first.
|
|
13
24
|
|
|
14
25
|
## When to use
|
|
15
26
|
|
|
@@ -9,7 +9,52 @@ version: 1.1.0
|
|
|
9
9
|
|
|
10
10
|
# Security Scanner — WrongStack
|
|
11
11
|
|
|
12
|
-
|
|
12
|
+
## Overview
|
|
13
|
+
|
|
14
|
+
Scans code, configs, and dependencies for security issues. Reports with severity (CRITICAL/HIGH/MEDIUM/LOW) and concrete remediation steps. Pairs with `npm audit` for supply chain scanning.
|
|
15
|
+
|
|
16
|
+
## Rules
|
|
17
|
+
|
|
18
|
+
1. Always provide remediation — "found X" without "do Y" is useless.
|
|
19
|
+
2. Verify regex matches before flagging — generic patterns cause false positives.
|
|
20
|
+
3. Don't scan `node_modules` — use `npm audit` for supply chain issues.
|
|
21
|
+
4. Don't flag test fixtures — mock credentials in tests are acceptable.
|
|
22
|
+
5. Always run dependency audit — supply chain is a real attack vector.
|
|
23
|
+
6. Flag config issues (TLS disabled, HTTP in production) as CRITICAL.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```typescript
|
|
30
|
+
// ✅ SAFE — parameterized query
|
|
31
|
+
db.query("SELECT * FROM users WHERE id = $1", [userId]);
|
|
32
|
+
|
|
33
|
+
// ✅ SAFE — escape user input
|
|
34
|
+
element.textContent = userInput;
|
|
35
|
+
|
|
36
|
+
// ✅ SAFE — execFile with args array
|
|
37
|
+
execFile('find', ['.', '-name', userInput], { signal: AbortSignal.timeout(5000) });
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
### Don't
|
|
41
|
+
|
|
42
|
+
```typescript
|
|
43
|
+
// ❌ CRITICAL — hardcoded AWS credentials
|
|
44
|
+
const awsKey = "[REDACTED:aws_access_key]";
|
|
45
|
+
|
|
46
|
+
// ❌ CRITICAL — private key committed
|
|
47
|
+
const pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
|
|
48
|
+
|
|
49
|
+
// ❌ HIGH — XSS via innerHTML
|
|
50
|
+
element.innerHTML = userInput;
|
|
51
|
+
|
|
52
|
+
// ❌ HIGH — shell injection
|
|
53
|
+
exec(`find . -name ${userInput}`);
|
|
54
|
+
|
|
55
|
+
// ❌ HIGH — SQL injection
|
|
56
|
+
const query = "SELECT * FROM users WHERE id = " + userId;
|
|
57
|
+
```
|
|
13
58
|
|
|
14
59
|
## Workflow
|
|
15
60
|
|
|
@@ -8,7 +8,54 @@ version: 1.1.0
|
|
|
8
8
|
|
|
9
9
|
# Skill Creator — WrongStack
|
|
10
10
|
|
|
11
|
-
|
|
11
|
+
## Overview
|
|
12
|
+
|
|
13
|
+
Guides the creation of new WrongStack skills. A skill is a Markdown file with YAML frontmatter — the first sentence of the description is the trigger. You are the wizard: ask questions, validate answers, write the file.
|
|
14
|
+
|
|
15
|
+
## Rules
|
|
16
|
+
|
|
17
|
+
1. First sentence of `description` = trigger — this is the only thing the skill loader matches on.
|
|
18
|
+
2. Name must be kebab-case: `my-skill`, `docker-deploy` — lowercase, hyphens only.
|
|
19
|
+
3. Skills live in `.wrongstack/skills/<name>/SKILL.md` (project level).
|
|
20
|
+
4. After the trigger sentence, add `Triggers: user says "X", "Y", "Z".`.
|
|
21
|
+
5. Content must be actionable — rules, patterns, anti-patterns, not just prose.
|
|
22
|
+
6. End with "Skills in scope" listing related skills for delegation.
|
|
23
|
+
7. Don't let skill names collide with existing skills.
|
|
24
|
+
|
|
25
|
+
## Patterns
|
|
26
|
+
|
|
27
|
+
### Do
|
|
28
|
+
|
|
29
|
+
```markdown
|
|
30
|
+
---
|
|
31
|
+
name: docker-deploy
|
|
32
|
+
description: |
|
|
33
|
+
Use this skill when deploying Docker containers to a production cluster.
|
|
34
|
+
Triggers: user says "docker", "container", "deploy", "dockerfile", "image".
|
|
35
|
+
version: 1.0.0
|
|
36
|
+
---
|
|
37
|
+
|
|
38
|
+
# Docker Deploy — WrongStack
|
|
39
|
+
|
|
40
|
+
## Overview
|
|
41
|
+
...
|
|
42
|
+
## Rules
|
|
43
|
+
...
|
|
44
|
+
## Patterns
|
|
45
|
+
...
|
|
46
|
+
## Skills in scope
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
### Don't
|
|
50
|
+
|
|
51
|
+
```markdown
|
|
52
|
+
---
|
|
53
|
+
name: MySkill # ❌ PascalCase
|
|
54
|
+
name: my_skill # ❌ underscore
|
|
55
|
+
description: |
|
|
56
|
+
This skill is about Docker. # ❌ no trigger sentence
|
|
57
|
+
---
|
|
58
|
+
```
|
|
12
59
|
|
|
13
60
|
## Skill format
|
|
14
61
|
|
|
@@ -58,49 +105,7 @@ Skills live in directories under these paths (priority order):
|
|
|
58
105
|
|
|
59
106
|
For user-created skills: always use path 1 (project level).
|
|
60
107
|
|
|
61
|
-
##
|
|
62
|
-
|
|
63
|
-
- **kebab-case**: `my-skill`, `docker-deploy`, `api-testing`
|
|
64
|
-
- Lowercase letters, numbers, hyphens only
|
|
65
|
-
- No spaces, no underscores, no uppercase
|
|
66
|
-
- Directory name = skill name
|
|
67
|
-
|
|
68
|
-
## The Trigger — the most important part
|
|
69
|
-
|
|
70
|
-
The **first sentence** of the `description` is the trigger. This is the **only** thing the skill loader matches on.
|
|
71
|
-
|
|
72
|
-
```
|
|
73
|
-
# ✅ Good — specific trigger that can be matched
|
|
74
|
-
Use this skill when deploying Docker containers to a production cluster.
|
|
75
|
-
|
|
76
|
-
# ❌ Bad — vague, can't be matched
|
|
77
|
-
This skill is about Docker deployment.
|
|
78
|
-
|
|
79
|
-
# ✅ Good — pattern-matchable
|
|
80
|
-
Use this skill when writing or reviewing React 19+ code.
|
|
81
|
-
|
|
82
|
-
# ❌ Bad — too broad
|
|
83
|
-
This skill is about code.
|
|
84
|
-
```
|
|
85
|
-
|
|
86
|
-
After the trigger sentence, add `Triggers: user says "X", "Y", "Z".` so agents know when to delegate.
|
|
87
|
-
|
|
88
|
-
## Description rules
|
|
89
|
-
|
|
90
|
-
- First sentence = trigger condition
|
|
91
|
-
- Second sentence = what it covers
|
|
92
|
-
- Triggers list = specific keywords or phrases
|
|
93
|
-
- Multi-line descriptions use YAML block scalar (`|`)
|
|
94
|
-
|
|
95
|
-
## Content Guidelines
|
|
96
|
-
|
|
97
|
-
- **Rules**: concrete do/don't rules, not vague advice
|
|
98
|
-
- **Patterns**: actual code examples, not pseudocode
|
|
99
|
-
- **Anti-patterns**: show what NOT to do with real code
|
|
100
|
-
- **Workflows**: step-by-step, actionable, not theoretical
|
|
101
|
-
- **Skills in scope**: list related skills at the bottom for delegation
|
|
102
|
-
|
|
103
|
-
## Creation Workflow
|
|
108
|
+
## Workflow
|
|
104
109
|
|
|
105
110
|
1. **Ask the name** — suggest kebab-case, validate format
|
|
106
111
|
2. **Ask the trigger** — "What situation should activate this skill?"
|
|
@@ -117,14 +122,6 @@ Before writing the file, verify:
|
|
|
117
122
|
- [ ] Content is actionable (rules, patterns, not just prose)
|
|
118
123
|
- [ ] File will be placed in `.wrongstack/skills/`
|
|
119
124
|
|
|
120
|
-
## Existing skills (don't collide)
|
|
121
|
-
|
|
122
|
-
```
|
|
123
|
-
audit-log, bug-hunter, git-flow, multi-agent, node-modern,
|
|
124
|
-
prompt-engineering, react-modern, refactor-planner, sdd,
|
|
125
|
-
security-scanner, skill-creator, typescript-strict
|
|
126
|
-
```
|
|
127
|
-
|
|
128
125
|
## Skills in scope
|
|
129
126
|
|
|
130
127
|
- `prompt-engineering` — for crafting the skill description and prompt text
|