@wrongstack/core 0.9.4 → 0.9.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (59) hide show
  1. package/dist/{agent-subagent-runner-DaF_EgRG.d.ts → agent-subagent-runner-C4qt9e5Y.d.ts} +1 -1
  2. package/dist/{config-SkMIDN9L.d.ts → config-CWva0qoL.d.ts} +4 -0
  3. package/dist/coordination/index.d.ts +8 -7
  4. package/dist/coordination/index.js +672 -46
  5. package/dist/coordination/index.js.map +1 -1
  6. package/dist/defaults/index.d.ts +12 -11
  7. package/dist/defaults/index.js +780 -23
  8. package/dist/defaults/index.js.map +1 -1
  9. package/dist/execution/index.d.ts +7 -6
  10. package/dist/execution/index.js +1 -0
  11. package/dist/execution/index.js.map +1 -1
  12. package/dist/extension/index.d.ts +4 -3
  13. package/dist/{index-CP8638Wm.d.ts → index-aizK8olO.d.ts} +3 -2
  14. package/dist/{index-Bsha5K4D.d.ts → index-p95HQ22A.d.ts} +3 -2
  15. package/dist/index.d.ts +22 -16
  16. package/dist/index.js +861 -35
  17. package/dist/index.js.map +1 -1
  18. package/dist/infrastructure/index.d.ts +2 -2
  19. package/dist/kernel/index.d.ts +4 -3
  20. package/dist/{mcp-servers-BouUWYW6.d.ts → mcp-servers-BkVEqkRe.d.ts} +1 -1
  21. package/dist/{multi-agent-coordinator-DTXF2aAl.d.ts → multi-agent-coordinator-bRaI_aD1.d.ts} +1 -1
  22. package/dist/{null-fleet-bus-Chrc_3Pp.d.ts → null-fleet-bus-DKM3Iy9d.d.ts} +183 -3
  23. package/dist/{secret-scrubber-DttNiGYA.d.ts → permission-bPuzAy4x.d.ts} +1 -6
  24. package/dist/{permission-policy-BpCGYBud.d.ts → permission-policy-BUQSutpl.d.ts} +8 -1
  25. package/dist/{plan-templates-envSmNlZ.d.ts → plan-templates-fkQTyz3U.d.ts} +25 -1
  26. package/dist/sdd/index.d.ts +5 -4
  27. package/dist/sdd/index.js +1 -0
  28. package/dist/sdd/index.js.map +1 -1
  29. package/dist/secret-scrubber-3MHDDAtm.d.ts +6 -0
  30. package/dist/{secret-scrubber-QSeI0ADi.d.ts → secret-scrubber-7rSC_emZ.d.ts} +1 -1
  31. package/dist/security/index.d.ts +4 -3
  32. package/dist/security/index.js +37 -6
  33. package/dist/security/index.js.map +1 -1
  34. package/dist/storage/index.d.ts +3 -2
  35. package/dist/storage/index.js +88 -5
  36. package/dist/storage/index.js.map +1 -1
  37. package/dist/{tool-executor-CsktM3h9.d.ts → tool-executor-Boo3dekH.d.ts} +1 -1
  38. package/dist/types/index.d.ts +6 -5
  39. package/dist/types/index.js.map +1 -1
  40. package/dist/utils/index.d.ts +12 -1
  41. package/dist/utils/index.js +85 -1
  42. package/dist/utils/index.js.map +1 -1
  43. package/package.json +1 -1
  44. package/skills/api-design/SKILL.md +139 -0
  45. package/skills/audit-log/SKILL.md +87 -14
  46. package/skills/bug-hunter/SKILL.md +42 -19
  47. package/skills/docker-deploy/SKILL.md +155 -0
  48. package/skills/git-flow/SKILL.md +53 -1
  49. package/skills/multi-agent/SKILL.md +42 -0
  50. package/skills/node-modern/SKILL.md +57 -1
  51. package/skills/observability/SKILL.md +134 -0
  52. package/skills/prompt-engineering/SKILL.md +46 -19
  53. package/skills/react-modern/SKILL.md +92 -1
  54. package/skills/refactor-planner/SKILL.md +49 -1
  55. package/skills/sdd/SKILL.md +12 -1
  56. package/skills/security-scanner/SKILL.md +46 -1
  57. package/skills/skill-creator/SKILL.md +49 -52
  58. package/skills/testing/SKILL.md +170 -0
  59. package/skills/typescript-strict/SKILL.md +98 -1
@@ -9,6 +9,61 @@ version: 1.1.0
9
9
 
10
10
  # Modern Node.js (>= 22) — WrongStack
11
11
 
12
+ ## Overview
13
+
14
+ Node.js >= 22 patterns: ESM-only imports, native fetch with AbortSignal, Web Streams, and async patterns. WrongStack uses ESM throughout — no CommonJS in new code.
15
+
16
+ ## Rules
17
+
18
+ 1. Always use ESM (`import` with `.js` extension) — never `require()`.
19
+ 2. Always use `node:` protocol for built-in modules.
20
+ 3. Always use `AbortSignal.timeout()` for long-running operations (fetch, spawn, setTimeout).
21
+ 4. Never use axios, node-fetch, or got — native fetch is sufficient.
22
+ 5. Always handle `ENOENT` on file reads — use try/catch or `access` first.
23
+ 6. Use `Promise.allSettled` when partial failure is acceptable.
24
+
25
+ ## Patterns
26
+
27
+ ### Do
28
+
29
+ ```typescript
30
+ // ✅ ESM with .js extension and node: protocol
31
+ import * as fs from 'node:fs/promises';
32
+ import { createServer } from 'node:http';
33
+ import { helper } from './helper.js';
34
+
35
+ // ✅ Native fetch with AbortSignal
36
+ const res = await fetch(url, { signal: AbortSignal.timeout(5000) });
37
+
38
+ // ✅ Atomic write
39
+ const tmp = `${target}.${randomBytes(4).toString('hex')}.tmp`;
40
+ await writeFile(tmp, data);
41
+ await rename(tmp, target);
42
+
43
+ // ✅ Parallel with allSettled
44
+ const results = await Promise.allSettled(tasks.map(t => t.run()));
45
+ ```
46
+
47
+ ### Don't
48
+
49
+ ```typescript
50
+ // ❌ CommonJS
51
+ const fs = require('fs/promises');
52
+
53
+ // ❌ No AbortSignal — hangs forever on timeout
54
+ await fetch(url);
55
+
56
+ // ❌ axios in new code
57
+ const res = await axios.get(url);
58
+
59
+ // ❌ Swallowing AbortError silently
60
+ try {
61
+ await fetch(url);
62
+ } catch (e) {
63
+ // AbortError means timeout — log it or handle explicitly
64
+ }
65
+ ```
66
+
12
67
  ## Imports — always ESM
13
68
 
14
69
  ```ts
@@ -130,4 +185,5 @@ while (true) {
130
185
 
131
186
  - `typescript-strict` — strict TypeScript patterns
132
187
  - `react-modern` — React Server Components with Node.js
133
- - `bug-hunter` — catching async/await bugs, unhandled rejections
188
+ - `bug-hunter` — catching async/await bugs, unhandled rejections
189
+ - `sdd` — for setting up new Node.js features with a spec first
@@ -0,0 +1,134 @@
1
+ ---
2
+ name: observability
3
+ description: |
4
+ Use this skill when instrumenting logs, traces, or metrics in WrongStack,
5
+ or when setting up observability for a new feature. Triggers: user says
6
+ "log", "trace", "metrics", "observability", "instrument", "structured logging",
7
+ "opentelemetry", "log level", "debug", "monitoring".
8
+ version: 1.0.0
9
+ ---
10
+
11
+ # Observability — WrongStack
12
+
13
+ ## Overview
14
+
15
+ Instruments WrongStack code with structured logs, traces, and metrics. WrongStack uses structured logging (JSON to stdout), and pairs with `audit-log` for session analysis. The goal: every significant event is traceable from input to output.
16
+
17
+ ## Rules
18
+
19
+ 1. Log at the right level: `DEBUG` (dev only), `INFO` (normal flow), `WARN` (recoverable), `ERROR` (needs attention).
20
+ 2. Structured logs only — JSON to stdout, not plain text to files.
21
+ 3. Every significant event needs a `traceId` — correlate across tools.
22
+ 4. Never log secrets, tokens, or PII — redact before logging.
23
+ 5. Logs must answer: what happened, what context, what was the outcome.
24
+ 6. Metrics: count errors, measure latency, track active sessions.
25
+ 7. Traces: every tool call should be a span with timing.
26
+
27
+ ## Patterns
28
+
29
+ ### Do
30
+
31
+ ```typescript
32
+ // ✅ Structured log — JSON to stdout
33
+ console.log(JSON.stringify({
34
+ level: 'info',
35
+ traceId: context.traceId,
36
+ event: 'tool_executed',
37
+ tool: 'read',
38
+ path: 'src/index.ts',
39
+ duration_ms: 12,
40
+ outcome: 'success',
41
+ }));
42
+
43
+ // ✅ Error with context
44
+ console.log(JSON.stringify({
45
+ level: 'error',
46
+ traceId: context.traceId,
47
+ event: 'tool_failed',
48
+ tool: 'bash',
49
+ command: 'pnpm test',
50
+ error: err.message,
51
+ duration_ms: 30000,
52
+ outcome: 'timeout',
53
+ }));
54
+
55
+ // ✅ Trace span around a tool call
56
+ import { trace } from 'node:opentelemetry/api';
57
+ const span = trace.getTracer('wrongstack').startSpan('bash');
58
+ try {
59
+ const result = await bash(cmd);
60
+ span.setStatus({ code: SpanStatusCode.OK });
61
+ return result;
62
+ } catch (err) {
63
+ span.recordException(err);
64
+ span.setStatus({ code: SpanStatusCode.ERROR });
65
+ throw err;
66
+ } finally {
67
+ span.end();
68
+ }
69
+ ```
70
+
71
+ ### Don't
72
+
73
+ ```typescript
74
+ // ❌ Plain text log
75
+ console.log('User logged in'); // not structured, hard to search
76
+
77
+ // ❌ Logging secrets
78
+ console.log(JSON.stringify({ token: bearerToken })); // redact!
79
+
80
+ // ❌ Log level confusion
81
+ console.log('DEBUG: entering function'); // INFO/WARN/ERROR only in prod
82
+
83
+ // ❌ Missing traceId
84
+ console.log(JSON.stringify({ event: 'tool_executed' })); // no correlation
85
+ ```
86
+
87
+ ## Log levels
88
+
89
+ | Level | When to use | Example |
90
+ |-------|-------------|---------|
91
+ | `DEBUG` | Dev-only detail | "entering parseArgs with 3 args" |
92
+ | `INFO` | Normal flow | "tool executed", "session started" |
93
+ | `WARN` | Recoverable issue | "retry attempt2/3", "cache miss" |
94
+ | `ERROR` | Needs attention | "tool timeout", "auth failure" |
95
+
96
+ ## Structured log schema
97
+
98
+ Every log should include:
99
+
100
+ ```json
101
+ {
102
+ "level": "info | warn | error",
103
+ "traceId": "uuid",
104
+ "event": "event_name",
105
+ "timestamp": "ISO8601",
106
+ "duration_ms": 12,
107
+ "outcome": "success | failure | timeout",
108
+ "context": { /* optional extra */ }
109
+ }
110
+ ```
111
+
112
+ ## Metrics to track
113
+
114
+ | Metric | Type | Why |
115
+ |--------|------|-----|
116
+ | `tool.executions` | Counter | How often each tool runs |
117
+ | `tool.duration_ms` | Histogram | Latency per tool |
118
+ | `session.iterations` | Gauge | Active iterations per session |
119
+ | `error.count` | Counter | Errors by type |
120
+ | `context.tokens` | Gauge | Context size per session |
121
+
122
+ ## WrongStack-specific notes
123
+
124
+ - **Session logs**: WrongStack writes session JSONL to `sessionRoot` — see `audit-log` skill for analysis.
125
+ - **Log output**: All logs go to stdout as JSON — CI captures them, not file logs.
126
+ - **Redaction**: Use `redactKeys()` helper — never log `Authorization`, `token`, `apiKey`, `secret`.
127
+ - **Tool tracing**: Each tool wrapper should emit a structured log on start and end.
128
+
129
+ ## Skills in scope
130
+
131
+ - `audit-log` — for analyzing the logs this skill produces
132
+ - `bug-hunter` — for finding bugs via error trace patterns
133
+ - `security-scanner` — for ensuring no secrets leak into logs
134
+ - `node-modern` — for async tracing patterns with AbortSignal
@@ -9,6 +9,51 @@ version: 1.1.0
9
9
 
10
10
  # Prompt Engineering — WrongStack
11
11
 
12
+ ## Overview
13
+
14
+ Designs, critiques, and fixes system prompts, tool descriptions, and skill definitions for LLM agents. WrongStack uses a 4-layer prompt structure — static content first, volatile last for cache efficiency.
15
+
16
+ ## Rules
17
+
18
+ 1. Static content first, volatile last — cache-friendly prompts cost less per token.
19
+ 2. First sentence of skill description = trigger — keep it specific and actionable.
20
+ 3. Tool descriptions must say: when to use, key parameters, what it returns.
21
+ 4. Remove filler ("Please be helpful", "Sure, I'd be happy to") — wastes tokens.
22
+ 5. Always read before edit — agents should grep/read first, then edit.
23
+ 6. Skill descriptions should list specific trigger keywords, not generic descriptions.
24
+
25
+ ## Patterns
26
+
27
+ ### Do
28
+
29
+ ```markdown
30
+ # ✅ Good — specific trigger
31
+ Use this skill when writing or reviewing React 19+ code.
32
+
33
+ # ✅ Good — tool description with all three parts
34
+ Search file contents with regex. Pattern is regex. Use output_mode to select
35
+ content (matched lines), files_with_matches (file list), or count (line counts).
36
+ Always read before edit — grep first to locate the target.
37
+
38
+ # ✅ Good — skill description with trigger keywords
39
+ Use this skill when designing system prompts or tool descriptions
40
+ for LLM agents. Covers structure, specificity, and common pitfalls.
41
+ Triggers: user mentions "prompt", "system instruction", "tool hint".
42
+ ```
43
+
44
+ ### Don't
45
+
46
+ ```markdown
47
+ # ❌ Bad — vague trigger
48
+ This skill is about Docker.
49
+
50
+ # ❌ Bad — filler
51
+ Please be helpful and use your best judgment.
52
+
53
+ # ❌ Bad — tool description missing parameters
54
+ Search files using grep.
55
+ ```
56
+
12
57
  ## WrongStack's 4-layer structure
13
58
 
14
59
  ```
@@ -84,26 +129,8 @@ See `skill-creator` skill for the format. Key points:
84
129
  - Include concrete code examples in "Do" and "Don't" sections
85
130
  - End with "Skills in scope" so agents know to delegate
86
131
 
87
- ## Anti-patterns for skill descriptions
88
-
89
- ```
90
- # Bad — doesn't say when to use it
91
- This skill helps with code review.
92
-
93
- # Good — specific trigger
94
- Use this skill when reviewing a pull request or reviewing code changes
95
- before committing. Covers bug detection, style, and security.
96
-
97
- # Bad — too long, no trigger
98
- This skill is a comprehensive guide to writing effective prompts...
99
-
100
- # Good — short trigger + description
101
- Use this skill when designing system prompts or tool descriptions
102
- for LLM agents. Covers structure, specificity, and common pitfalls.
103
- ```
104
-
105
132
  ## Skills in scope
106
133
 
107
- - `skill-creator` — for creating new skills
134
+ - `skill-creator` — for creating new skills (primary — prompt-engineering feeds into skill creation)
108
135
  - `typescript-strict` — for TypeScript-specific prompt typing
109
136
  - `react-modern` — for React component prompt conventions
@@ -9,6 +9,55 @@ version: 1.1.0
9
9
 
10
10
  # Modern React (19+) — WrongStack
11
11
 
12
+ ## Overview
13
+
14
+ React 19+ patterns: Server Components by default, `use` hook for promises, `useTransition` for non-blocking updates, and clean client boundary management. WrongStack uses TypeScript throughout.
15
+
16
+ ## Rules
17
+
18
+ 1. Default to Server Components — mark `'use client'` only for interactive code.
19
+ 2. Keep the client boundary minimal — avoid unnecessary serialization errors.
20
+ 3. Don't use `useEffect` for data fetching — use Server Components or `use(promise)`.
21
+ 4. Don't use `forwardRef` in new code — `ref` is a regular prop in React 19.
22
+ 5. Use named exports for components — default exports hinder refactoring.
23
+ 6. Event handlers must have explicit types: `React.MouseEvent<HTMLButtonElement>`.
24
+
25
+ ## Patterns
26
+
27
+ ### Do
28
+
29
+ ```tsx
30
+ // ✅ Server Component — direct await
31
+ async function Profile({ userId }: { userId: string }) {
32
+ const user = await fetch(`/api/users/${userId}`).then(r => r.json());
33
+ return <div>{user.name}</div>;
34
+ }
35
+
36
+ // ✅ Client Component — use(promise) for thenables
37
+ import { use } from 'react';
38
+ function UserData({ promise }: { promise: Promise<User> }) {
39
+ const user = use(promise);
40
+ return <div>{user.name}</div>;
41
+ }
42
+
43
+ // ✅ useTransition for non-urgent updates
44
+ const [isPending, startTransition] = useTransition();
45
+ startTransition(() => setPage(page + 1));
46
+ ```
47
+
48
+ ### Don't
49
+
50
+ ```tsx
51
+ // ❌ Bad — useEffect for data fetching
52
+ useEffect(() => { fetchData().then(setData); }, []);
53
+
54
+ // ❌ Bad — forwardRef in new code
55
+ const Button = forwardRef<HTMLButtonElement, ButtonProps>(...)
56
+
57
+ // ❌ Bad — default export
58
+ export default function Button() { ... }
59
+ ```
60
+
12
61
  ## Component types
13
62
 
14
63
  ```tsx
@@ -76,10 +125,52 @@ const fullName = firstName + ' ' + lastName;
76
125
  | `useState` | Local component state | Don't sync with props via useEffect |
77
126
  | `useReducer` | Complex state logic | Don't chain useState for related state |
78
127
  | `useTransition` | Non-blocking updates | Don't use for urgent state changes |
128
+ | `useDeferredValue` | Deferring expensive rendering | Don't use for urgent state changes |
129
+ | `useCallback` | Stable function references for deps | Don't memoize everything — measure first |
130
+ | `useMemo` | Expensive computations | Don't memoize trivial calculations |
79
131
  | `use` | Awaiting promises in render | Don't use outside component render |
80
132
  | `useEffect` | Side effects only | Don't use for data fetching or derived state |
81
133
 
82
- ## Common React 19 changes
134
+ ## Patterns
135
+
136
+ ### Do
137
+
138
+ ```tsx
139
+ // ✅ useDeferredValue for expensive search
140
+ function SearchResults({ query }: { query: string }) {
141
+ const deferredQuery = useDeferredValue(query);
142
+ // deferredQuery lags behind query — renders are non-blocking
143
+ }
144
+
145
+ // ✅ useCallback for stable deps in child
146
+ const handleClick = useCallback(() => {
147
+ setCount(c => c + 1);
148
+ }, []);
149
+
150
+ // ✅ useMemo for expensive transformations
151
+ const sorted = useMemo(
152
+ () => items.slice().sort((a, b) => a.name.localeCompare(b.name)),
153
+ [items]
154
+ );
155
+ ```
156
+
157
+ ### Don't
158
+
159
+ ```tsx
160
+ // ❌ useMemo for trivial operations
161
+ const doubled = useMemo(() => count * 2, [count]); // not worth it
162
+
163
+ // ❌ useCallback when deps change every render
164
+ const handleClick = useCallback(() => {
165
+ doSomething(obj); // obj changes every render — no benefit
166
+ }, [obj]);
167
+
168
+ // ❌ useDeferredValue for simple state
169
+ const [name, setName] = useState('');
170
+ const deferredName = useDeferredValue(name); // overkill
171
+ ```
172
+
173
+ ### Common React 19 changes
83
174
 
84
175
  - `ref` is a regular prop — no more `forwardRef`
85
176
  - Server Components can be nested without serialization
@@ -9,7 +9,55 @@ version: 1.1.0
9
9
 
10
10
  # Refactor Planner — WrongStack
11
11
 
12
- Analyzes code structure and produces a phased refactoring plan with risk assessment, dependency ordering, and rollback strategy.
12
+ ## Overview
13
+
14
+ Analyzes code structure and produces a phased refactoring plan with risk assessment, dependency ordering, and rollback strategy. Use for multi-file refactors, breaking up large modules, or addressing technical debt.
15
+
16
+ ## Rules
17
+
18
+ 1. Always build a dependency graph before planning — assumptions cause wasted work.
19
+ 2. Always include a rollback strategy — every refactor can fail.
20
+ 3. Never skip Phase 1 (low-risk quick wins) — momentum matters.
21
+ 4. Never over-phase — if a task takes <1h, merge it with related tasks.
22
+ 5. Rate each module by: cyclomatic complexity, test coverage, fan-out, public API surface.
23
+ 6. Never ignore team constraints — parallelization only works if reviewers exist.
24
+
25
+ ## Patterns
26
+
27
+ ### Do
28
+
29
+ ```json
30
+ // ✅ Good — risk assessment checklist
31
+ {
32
+ "module": "src/auth/session.ts",
33
+ "size": 450,
34
+ "cyclomatic": 12,
35
+ "testCoverage": 65,
36
+ "fanOut": 8,
37
+ "publicAPI": true,
38
+ "dependencies": ["core", "providers"],
39
+ "dependents": ["cli", "tui", "webui"]
40
+ }
41
+ ```
42
+
43
+ ```text
44
+ // ✅ Good — dependency graph (most important part)
45
+ config.ts → logger.ts → path-resolver.ts
46
+ ↓ ↓
47
+ secret-vault.ts session-store.ts
48
+ ↓ ↓
49
+ └────────→ agent.ts ←←←
50
+ ```
51
+
52
+ ### Don't
53
+
54
+ ```json
55
+ // ❌ Bad — no dependency graph
56
+ // "Refactor the auth layer" — with no graph, order is guessed
57
+
58
+ // ❌ Bad — no rollback strategy
59
+ // "We'll figure it out if something breaks" — plan for failure
60
+ ```
13
61
 
14
62
  ## When to use
15
63
 
@@ -9,7 +9,18 @@ version: 2.1.0
9
9
 
10
10
  # Spec-Driven Development — WrongStack
11
11
 
12
- Every non-trivial change starts with a spec. The spec is the source of truth.
12
+ ## Overview
13
+
14
+ Every non-trivial change starts with a spec. The spec is the source of truth — it defines what to build, how to verify it, and what counts as done. SDD uses `/sdd` slash commands to create specs, generate task graphs, and track execution.
15
+
16
+ ## Rules
17
+
18
+ 1. Every non-trivial task needs a spec before writing code — you'll rewrite it anyway.
19
+ 2. Spec must have acceptance criteria — without them, you can't know when it's done.
20
+ 3. Tasks must have dependencies — everything is a dependency of something.
21
+ 4. Spec must be specific: "Users authenticate via OAuth2 with PKCE" not "improve auth".
22
+ 5. Skipping `/sdd` for urgent tasks backfires — the spec is what makes "urgent" possible.
23
+ 6. When the spec reveals a multi-file refactor, delegate to `refactor-planner` first.
13
24
 
14
25
  ## When to use
15
26
 
@@ -9,7 +9,52 @@ version: 1.1.0
9
9
 
10
10
  # Security Scanner — WrongStack
11
11
 
12
- Scans code, configs, and dependencies for security issues.
12
+ ## Overview
13
+
14
+ Scans code, configs, and dependencies for security issues. Reports with severity (CRITICAL/HIGH/MEDIUM/LOW) and concrete remediation steps. Pairs with `npm audit` for supply chain scanning.
15
+
16
+ ## Rules
17
+
18
+ 1. Always provide remediation — "found X" without "do Y" is useless.
19
+ 2. Verify regex matches before flagging — generic patterns cause false positives.
20
+ 3. Don't scan `node_modules` — use `npm audit` for supply chain issues.
21
+ 4. Don't flag test fixtures — mock credentials in tests are acceptable.
22
+ 5. Always run dependency audit — supply chain is a real attack vector.
23
+ 6. Flag config issues (TLS disabled, HTTP in production) as CRITICAL.
24
+
25
+ ## Patterns
26
+
27
+ ### Do
28
+
29
+ ```typescript
30
+ // ✅ SAFE — parameterized query
31
+ db.query("SELECT * FROM users WHERE id = $1", [userId]);
32
+
33
+ // ✅ SAFE — escape user input
34
+ element.textContent = userInput;
35
+
36
+ // ✅ SAFE — execFile with args array
37
+ execFile('find', ['.', '-name', userInput], { signal: AbortSignal.timeout(5000) });
38
+ ```
39
+
40
+ ### Don't
41
+
42
+ ```typescript
43
+ // ❌ CRITICAL — hardcoded AWS credentials
44
+ const awsKey = "[REDACTED:aws_access_key]";
45
+
46
+ // ❌ CRITICAL — private key committed
47
+ const pem = "-----BEGIN RSA PRIVATE KEY-----\nMIIE...";
48
+
49
+ // ❌ HIGH — XSS via innerHTML
50
+ element.innerHTML = userInput;
51
+
52
+ // ❌ HIGH — shell injection
53
+ exec(`find . -name ${userInput}`);
54
+
55
+ // ❌ HIGH — SQL injection
56
+ const query = "SELECT * FROM users WHERE id = " + userId;
57
+ ```
13
58
 
14
59
  ## Workflow
15
60
 
@@ -8,7 +8,54 @@ version: 1.1.0
8
8
 
9
9
  # Skill Creator — WrongStack
10
10
 
11
- Guide the user through creating a new skill. You are the wizard — ask questions, validate answers, write the file.
11
+ ## Overview
12
+
13
+ Guides the creation of new WrongStack skills. A skill is a Markdown file with YAML frontmatter — the first sentence of the description is the trigger. You are the wizard: ask questions, validate answers, write the file.
14
+
15
+ ## Rules
16
+
17
+ 1. First sentence of `description` = trigger — this is the only thing the skill loader matches on.
18
+ 2. Name must be kebab-case: `my-skill`, `docker-deploy` — lowercase, hyphens only.
19
+ 3. Skills live in `.wrongstack/skills/<name>/SKILL.md` (project level).
20
+ 4. After the trigger sentence, add `Triggers: user says "X", "Y", "Z".`.
21
+ 5. Content must be actionable — rules, patterns, anti-patterns, not just prose.
22
+ 6. End with "Skills in scope" listing related skills for delegation.
23
+ 7. Don't let skill names collide with existing skills.
24
+
25
+ ## Patterns
26
+
27
+ ### Do
28
+
29
+ ```markdown
30
+ ---
31
+ name: docker-deploy
32
+ description: |
33
+ Use this skill when deploying Docker containers to a production cluster.
34
+ Triggers: user says "docker", "container", "deploy", "dockerfile", "image".
35
+ version: 1.0.0
36
+ ---
37
+
38
+ # Docker Deploy — WrongStack
39
+
40
+ ## Overview
41
+ ...
42
+ ## Rules
43
+ ...
44
+ ## Patterns
45
+ ...
46
+ ## Skills in scope
47
+ ```
48
+
49
+ ### Don't
50
+
51
+ ```markdown
52
+ ---
53
+ name: MySkill # ❌ PascalCase
54
+ name: my_skill # ❌ underscore
55
+ description: |
56
+ This skill is about Docker. # ❌ no trigger sentence
57
+ ---
58
+ ```
12
59
 
13
60
  ## Skill format
14
61
 
@@ -58,49 +105,7 @@ Skills live in directories under these paths (priority order):
58
105
 
59
106
  For user-created skills: always use path 1 (project level).
60
107
 
61
- ## Naming Rules
62
-
63
- - **kebab-case**: `my-skill`, `docker-deploy`, `api-testing`
64
- - Lowercase letters, numbers, hyphens only
65
- - No spaces, no underscores, no uppercase
66
- - Directory name = skill name
67
-
68
- ## The Trigger — the most important part
69
-
70
- The **first sentence** of the `description` is the trigger. This is the **only** thing the skill loader matches on.
71
-
72
- ```
73
- # ✅ Good — specific trigger that can be matched
74
- Use this skill when deploying Docker containers to a production cluster.
75
-
76
- # ❌ Bad — vague, can't be matched
77
- This skill is about Docker deployment.
78
-
79
- # ✅ Good — pattern-matchable
80
- Use this skill when writing or reviewing React 19+ code.
81
-
82
- # ❌ Bad — too broad
83
- This skill is about code.
84
- ```
85
-
86
- After the trigger sentence, add `Triggers: user says "X", "Y", "Z".` so agents know when to delegate.
87
-
88
- ## Description rules
89
-
90
- - First sentence = trigger condition
91
- - Second sentence = what it covers
92
- - Triggers list = specific keywords or phrases
93
- - Multi-line descriptions use YAML block scalar (`|`)
94
-
95
- ## Content Guidelines
96
-
97
- - **Rules**: concrete do/don't rules, not vague advice
98
- - **Patterns**: actual code examples, not pseudocode
99
- - **Anti-patterns**: show what NOT to do with real code
100
- - **Workflows**: step-by-step, actionable, not theoretical
101
- - **Skills in scope**: list related skills at the bottom for delegation
102
-
103
- ## Creation Workflow
108
+ ## Workflow
104
109
 
105
110
  1. **Ask the name** — suggest kebab-case, validate format
106
111
  2. **Ask the trigger** — "What situation should activate this skill?"
@@ -117,14 +122,6 @@ Before writing the file, verify:
117
122
  - [ ] Content is actionable (rules, patterns, not just prose)
118
123
  - [ ] File will be placed in `.wrongstack/skills/`
119
124
 
120
- ## Existing skills (don't collide)
121
-
122
- ```
123
- audit-log, bug-hunter, git-flow, multi-agent, node-modern,
124
- prompt-engineering, react-modern, refactor-planner, sdd,
125
- security-scanner, skill-creator, typescript-strict
126
- ```
127
-
128
125
  ## Skills in scope
129
126
 
130
127
  - `prompt-engineering` — for crafting the skill description and prompt text