@zmice/zc 0.1.0 → 0.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +153 -87
- package/dist/adapters/codex.d.ts.map +1 -1
- package/dist/adapters/codex.js +4 -2
- package/dist/adapters/codex.js.map +1 -1
- package/dist/adapters/qwen-code.d.ts.map +1 -1
- package/dist/adapters/qwen-code.js +7 -5
- package/dist/adapters/qwen-code.js.map +1 -1
- package/dist/cli/__tests__/i18n.test.d.ts +2 -0
- package/dist/cli/__tests__/i18n.test.d.ts.map +1 -0
- package/dist/cli/__tests__/i18n.test.js +45 -0
- package/dist/cli/__tests__/i18n.test.js.map +1 -0
- package/dist/cli/__tests__/platform.test.d.ts +2 -0
- package/dist/cli/__tests__/platform.test.d.ts.map +1 -0
- package/dist/cli/__tests__/platform.test.js +483 -0
- package/dist/cli/__tests__/platform.test.js.map +1 -0
- package/dist/cli/__tests__/surface.test.d.ts +2 -0
- package/dist/cli/__tests__/surface.test.d.ts.map +1 -0
- package/dist/cli/__tests__/surface.test.js +15 -0
- package/dist/cli/__tests__/surface.test.js.map +1 -0
- package/dist/cli/__tests__/toolkit.test.d.ts +2 -0
- package/dist/cli/__tests__/toolkit.test.d.ts.map +1 -0
- package/dist/cli/__tests__/toolkit.test.js +72 -0
- package/dist/cli/__tests__/toolkit.test.js.map +1 -0
- package/dist/cli/__tests__/upstream.test.d.ts +2 -0
- package/dist/cli/__tests__/upstream.test.d.ts.map +1 -0
- package/dist/cli/__tests__/upstream.test.js +163 -0
- package/dist/cli/__tests__/upstream.test.js.map +1 -0
- package/dist/cli/doctor.js +21 -21
- package/dist/cli/doctor.js.map +1 -1
- package/dist/cli/index.d.ts +2 -1
- package/dist/cli/index.d.ts.map +1 -1
- package/dist/cli/index.js +34 -14
- package/dist/cli/index.js.map +1 -1
- package/dist/cli/msg.d.ts.map +1 -1
- package/dist/cli/msg.js +73 -5
- package/dist/cli/msg.js.map +1 -1
- package/dist/cli/platform.d.ts +32 -0
- package/dist/cli/platform.d.ts.map +1 -0
- package/dist/cli/platform.js +635 -0
- package/dist/cli/platform.js.map +1 -0
- package/dist/cli/run.js +7 -7
- package/dist/cli/run.js.map +1 -1
- package/dist/cli/setup.js +7 -7
- package/dist/cli/setup.js.map +1 -1
- package/dist/cli/task.d.ts.map +1 -1
- package/dist/cli/task.js +108 -8
- package/dist/cli/task.js.map +1 -1
- package/dist/cli/team.d.ts +12 -0
- package/dist/cli/team.d.ts.map +1 -1
- package/dist/cli/team.js +82 -39
- package/dist/cli/team.js.map +1 -1
- package/dist/cli/toolkit.d.ts +3 -0
- package/dist/cli/toolkit.d.ts.map +1 -0
- package/dist/cli/toolkit.js +160 -0
- package/dist/cli/toolkit.js.map +1 -0
- package/dist/cli/upstream.d.ts +19 -0
- package/dist/cli/upstream.d.ts.map +1 -0
- package/dist/cli/upstream.js +705 -0
- package/dist/cli/upstream.js.map +1 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.d.ts +72 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.d.ts.map +1 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.js +105 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.js.map +1 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.test.d.ts +2 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.test.d.ts.map +1 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.test.js +104 -0
- package/dist/node_modules/@zmice/platform-core/dist/index.test.js.map +1 -0
- package/dist/node_modules/@zmice/platform-core/package.json +34 -0
- package/dist/platform-state/index.d.ts +4 -0
- package/dist/platform-state/index.d.ts.map +1 -0
- package/dist/platform-state/index.js +3 -0
- package/dist/platform-state/index.js.map +1 -0
- package/dist/platform-state/receipt.d.ts +11 -0
- package/dist/platform-state/receipt.d.ts.map +1 -0
- package/dist/platform-state/receipt.js +27 -0
- package/dist/platform-state/receipt.js.map +1 -0
- package/dist/platform-state/status.d.ts +3 -0
- package/dist/platform-state/status.d.ts.map +1 -0
- package/dist/platform-state/status.js +82 -0
- package/dist/platform-state/status.js.map +1 -0
- package/dist/platform-state/status.test.d.ts +2 -0
- package/dist/platform-state/status.test.d.ts.map +1 -0
- package/dist/platform-state/status.test.js +120 -0
- package/dist/platform-state/status.test.js.map +1 -0
- package/dist/platform-state/types.d.ts +58 -0
- package/dist/platform-state/types.d.ts.map +1 -0
- package/dist/platform-state/types.js +2 -0
- package/dist/platform-state/types.js.map +1 -0
- package/dist/runtime/__tests__/logger.test.d.ts +2 -0
- package/dist/runtime/__tests__/logger.test.d.ts.map +1 -0
- package/dist/runtime/__tests__/logger.test.js +11 -0
- package/dist/runtime/__tests__/logger.test.js.map +1 -0
- package/dist/runtime/__tests__/session-manager.test.d.ts +2 -0
- package/dist/runtime/__tests__/session-manager.test.d.ts.map +1 -0
- package/dist/runtime/__tests__/session-manager.test.js +11 -0
- package/dist/runtime/__tests__/session-manager.test.js.map +1 -0
- package/dist/runtime/__tests__/worktree-manager.test.d.ts +2 -0
- package/dist/runtime/__tests__/worktree-manager.test.d.ts.map +1 -0
- package/dist/runtime/__tests__/worktree-manager.test.js +11 -0
- package/dist/runtime/__tests__/worktree-manager.test.js.map +1 -0
- package/dist/runtime/logger.d.ts +5 -1
- package/dist/runtime/logger.d.ts.map +1 -1
- package/dist/runtime/logger.js +11 -1
- package/dist/runtime/logger.js.map +1 -1
- package/dist/runtime/state.d.ts +2 -8
- package/dist/runtime/state.d.ts.map +1 -1
- package/dist/runtime/state.js +7 -15
- package/dist/runtime/state.js.map +1 -1
- package/dist/runtime/worktree-manager.d.ts +5 -26
- package/dist/runtime/worktree-manager.d.ts.map +1 -1
- package/dist/runtime/worktree-manager.js +34 -98
- package/dist/runtime/worktree-manager.js.map +1 -1
- package/dist/team/__tests__/mailbox.test.d.ts +2 -0
- package/dist/team/__tests__/mailbox.test.d.ts.map +1 -0
- package/dist/team/__tests__/mailbox.test.js +22 -0
- package/dist/team/__tests__/mailbox.test.js.map +1 -0
- package/dist/team/__tests__/orchestrator.test.d.ts +2 -0
- package/dist/team/__tests__/orchestrator.test.d.ts.map +1 -0
- package/dist/team/__tests__/orchestrator.test.js +13 -0
- package/dist/team/__tests__/orchestrator.test.js.map +1 -0
- package/dist/team/__tests__/task-queue.test.d.ts +2 -0
- package/dist/team/__tests__/task-queue.test.d.ts.map +1 -0
- package/dist/team/__tests__/task-queue.test.js +28 -0
- package/dist/team/__tests__/task-queue.test.js.map +1 -0
- package/dist/team/__tests__/worker-manager.test.d.ts +2 -0
- package/dist/team/__tests__/worker-manager.test.d.ts.map +1 -0
- package/dist/team/__tests__/worker-manager.test.js +13 -0
- package/dist/team/__tests__/worker-manager.test.js.map +1 -0
- package/dist/team/mailbox.d.ts +12 -10
- package/dist/team/mailbox.d.ts.map +1 -1
- package/dist/team/mailbox.js +40 -27
- package/dist/team/mailbox.js.map +1 -1
- package/dist/team/orchestrator.d.ts +1 -6
- package/dist/team/orchestrator.d.ts.map +1 -1
- package/dist/team/orchestrator.js +27 -67
- package/dist/team/orchestrator.js.map +1 -1
- package/dist/team/task-queue.d.ts +18 -17
- package/dist/team/task-queue.d.ts.map +1 -1
- package/dist/team/task-queue.js +68 -71
- package/dist/team/task-queue.js.map +1 -1
- package/dist/team/worker-manager.d.ts +13 -36
- package/dist/team/worker-manager.d.ts.map +1 -1
- package/dist/team/worker-manager.js +34 -129
- package/dist/team/worker-manager.js.map +1 -1
- package/dist/utils/config.d.ts +15 -1
- package/dist/utils/config.d.ts.map +1 -1
- package/dist/utils/config.js +39 -1
- package/dist/utils/config.js.map +1 -1
- package/dist/utils/install-target.d.ts +23 -0
- package/dist/utils/install-target.d.ts.map +1 -0
- package/dist/utils/install-target.js +89 -0
- package/dist/utils/install-target.js.map +1 -0
- package/dist/utils/install-target.test.d.ts +2 -0
- package/dist/utils/install-target.test.d.ts.map +1 -0
- package/dist/utils/install-target.test.js +71 -0
- package/dist/utils/install-target.test.js.map +1 -0
- package/dist/utils/platform-install-receipt.d.ts +11 -0
- package/dist/utils/platform-install-receipt.d.ts.map +1 -0
- package/dist/utils/platform-install-receipt.js +62 -0
- package/dist/utils/platform-install-receipt.js.map +1 -0
- package/dist/utils/platform-install-receipt.test.d.ts +2 -0
- package/dist/utils/platform-install-receipt.test.d.ts.map +1 -0
- package/dist/utils/platform-install-receipt.test.js +74 -0
- package/dist/utils/platform-install-receipt.test.js.map +1 -0
- package/dist/utils/skill-loader.d.ts +0 -9
- package/dist/utils/skill-loader.d.ts.map +1 -1
- package/dist/utils/skill-loader.js +19 -26
- package/dist/utils/skill-loader.js.map +1 -1
- package/dist/utils/workspace.d.ts +28 -0
- package/dist/utils/workspace.d.ts.map +1 -0
- package/dist/utils/workspace.js +103 -0
- package/dist/utils/workspace.js.map +1 -0
- package/dist/utils/workspace.test.d.ts +2 -0
- package/dist/utils/workspace.test.d.ts.map +1 -0
- package/dist/utils/workspace.test.js +50 -0
- package/dist/utils/workspace.test.js.map +1 -0
- package/package.json +48 -36
- package/vendor/node_modules/@zmice/platform-core/dist/index.d.ts +72 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.d.ts.map +1 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.js +105 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.js.map +1 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.test.d.ts +2 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.test.d.ts.map +1 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.test.js +104 -0
- package/vendor/node_modules/@zmice/platform-core/dist/index.test.js.map +1 -0
- package/vendor/node_modules/@zmice/platform-core/package.json +34 -0
- package/vendor/packages/platform-codex/dist/generate.d.ts +2 -0
- package/vendor/packages/platform-codex/dist/generate.d.ts.map +1 -0
- package/vendor/packages/platform-codex/dist/generate.js +2 -0
- package/vendor/packages/platform-codex/dist/generate.js.map +1 -0
- package/vendor/packages/platform-codex/dist/index.d.ts +15 -0
- package/vendor/packages/platform-codex/dist/index.d.ts.map +1 -0
- package/vendor/packages/platform-codex/dist/index.js +46 -0
- package/vendor/packages/platform-codex/dist/index.js.map +1 -0
- package/vendor/packages/platform-codex/dist/index.test.d.ts +2 -0
- package/vendor/packages/platform-codex/dist/index.test.d.ts.map +1 -0
- package/vendor/packages/platform-codex/dist/index.test.js +38 -0
- package/vendor/packages/platform-codex/dist/index.test.js.map +1 -0
- package/vendor/packages/platform-codex/dist/install.d.ts +2 -0
- package/vendor/packages/platform-codex/dist/install.d.ts.map +1 -0
- package/vendor/packages/platform-codex/dist/install.js +2 -0
- package/vendor/packages/platform-codex/dist/install.js.map +1 -0
- package/vendor/packages/platform-codex/package.json +46 -0
- package/vendor/packages/platform-codex/templates/AGENTS.md +7 -0
- package/vendor/packages/platform-qoder/dist/generate.d.ts +2 -0
- package/vendor/packages/platform-qoder/dist/generate.d.ts.map +1 -0
- package/vendor/packages/platform-qoder/dist/generate.js +2 -0
- package/vendor/packages/platform-qoder/dist/generate.js.map +1 -0
- package/vendor/packages/platform-qoder/dist/index.d.ts +15 -0
- package/vendor/packages/platform-qoder/dist/index.d.ts.map +1 -0
- package/vendor/packages/platform-qoder/dist/index.js +46 -0
- package/vendor/packages/platform-qoder/dist/index.js.map +1 -0
- package/vendor/packages/platform-qoder/dist/index.test.d.ts +2 -0
- package/vendor/packages/platform-qoder/dist/index.test.d.ts.map +1 -0
- package/vendor/packages/platform-qoder/dist/index.test.js +38 -0
- package/vendor/packages/platform-qoder/dist/index.test.js.map +1 -0
- package/vendor/packages/platform-qoder/dist/install.d.ts +2 -0
- package/vendor/packages/platform-qoder/dist/install.d.ts.map +1 -0
- package/vendor/packages/platform-qoder/dist/install.js +2 -0
- package/vendor/packages/platform-qoder/dist/install.js.map +1 -0
- package/vendor/packages/platform-qoder/package.json +46 -0
- package/vendor/packages/platform-qoder/templates/instructions.md +7 -0
- package/vendor/packages/platform-qwen/dist/generate.d.ts +2 -0
- package/vendor/packages/platform-qwen/dist/generate.d.ts.map +1 -0
- package/vendor/packages/platform-qwen/dist/generate.js +2 -0
- package/vendor/packages/platform-qwen/dist/generate.js.map +1 -0
- package/vendor/packages/platform-qwen/dist/index.d.ts +16 -0
- package/vendor/packages/platform-qwen/dist/index.d.ts.map +1 -0
- package/vendor/packages/platform-qwen/dist/index.js +60 -0
- package/vendor/packages/platform-qwen/dist/index.js.map +1 -0
- package/vendor/packages/platform-qwen/dist/index.test.d.ts +2 -0
- package/vendor/packages/platform-qwen/dist/index.test.d.ts.map +1 -0
- package/vendor/packages/platform-qwen/dist/index.test.js +46 -0
- package/vendor/packages/platform-qwen/dist/index.test.js.map +1 -0
- package/vendor/packages/platform-qwen/dist/install.d.ts +2 -0
- package/vendor/packages/platform-qwen/dist/install.d.ts.map +1 -0
- package/vendor/packages/platform-qwen/dist/install.js +2 -0
- package/vendor/packages/platform-qwen/dist/install.js.map +1 -0
- package/vendor/packages/platform-qwen/package.json +46 -0
- package/vendor/packages/platform-qwen/templates/QWEN.md +7 -0
- package/vendor/packages/platform-qwen/templates/qwen-extension.json +7 -0
- package/vendor/packages/toolkit/dist/content-lint.test.d.ts +2 -0
- package/vendor/packages/toolkit/dist/content-lint.test.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/content-lint.test.js +252 -0
- package/vendor/packages/toolkit/dist/content-lint.test.js.map +1 -0
- package/vendor/packages/toolkit/dist/governance/index.d.ts +2 -0
- package/vendor/packages/toolkit/dist/governance/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/governance/index.js +2 -0
- package/vendor/packages/toolkit/dist/governance/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.d.ts +6 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.js +31 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.js.map +1 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.test.d.ts +2 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.test.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.test.js +23 -0
- package/vendor/packages/toolkit/dist/governance/upstreams.test.js.map +1 -0
- package/vendor/packages/toolkit/dist/index.d.ts +8 -0
- package/vendor/packages/toolkit/dist/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/index.js +8 -0
- package/vendor/packages/toolkit/dist/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/lint/content-lint.d.ts +21 -0
- package/vendor/packages/toolkit/dist/lint/content-lint.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/lint/content-lint.js +250 -0
- package/vendor/packages/toolkit/dist/lint/content-lint.js.map +1 -0
- package/vendor/packages/toolkit/dist/lint/index.d.ts +2 -0
- package/vendor/packages/toolkit/dist/lint/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/lint/index.js +2 -0
- package/vendor/packages/toolkit/dist/lint/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/asset-unit.d.ts +4 -0
- package/vendor/packages/toolkit/dist/loaders/asset-unit.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/asset-unit.js +95 -0
- package/vendor/packages/toolkit/dist/loaders/asset-unit.js.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/content-tree.d.ts +2 -0
- package/vendor/packages/toolkit/dist/loaders/content-tree.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/content-tree.js +2 -0
- package/vendor/packages/toolkit/dist/loaders/content-tree.js.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/fs.d.ts +6 -0
- package/vendor/packages/toolkit/dist/loaders/fs.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/fs.js +19 -0
- package/vendor/packages/toolkit/dist/loaders/fs.js.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/index.d.ts +4 -0
- package/vendor/packages/toolkit/dist/loaders/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/index.js +4 -0
- package/vendor/packages/toolkit/dist/loaders/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/simple-yaml.d.ts +2 -0
- package/vendor/packages/toolkit/dist/loaders/simple-yaml.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/loaders/simple-yaml.js +125 -0
- package/vendor/packages/toolkit/dist/loaders/simple-yaml.js.map +1 -0
- package/vendor/packages/toolkit/dist/loaders.test.d.ts +2 -0
- package/vendor/packages/toolkit/dist/loaders.test.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/loaders.test.js +84 -0
- package/vendor/packages/toolkit/dist/loaders.test.js.map +1 -0
- package/vendor/packages/toolkit/dist/manifests/index.d.ts +2 -0
- package/vendor/packages/toolkit/dist/manifests/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/manifests/index.js +2 -0
- package/vendor/packages/toolkit/dist/manifests/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/manifests/toolkit-manifest.d.ts +7 -0
- package/vendor/packages/toolkit/dist/manifests/toolkit-manifest.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/manifests/toolkit-manifest.js +72 -0
- package/vendor/packages/toolkit/dist/manifests/toolkit-manifest.js.map +1 -0
- package/vendor/packages/toolkit/dist/manifests.test.d.ts +2 -0
- package/vendor/packages/toolkit/dist/manifests.test.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/manifests.test.js +75 -0
- package/vendor/packages/toolkit/dist/manifests.test.js.map +1 -0
- package/vendor/packages/toolkit/dist/query/index.d.ts +2 -0
- package/vendor/packages/toolkit/dist/query/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/query/index.js +2 -0
- package/vendor/packages/toolkit/dist/query/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/query/toolkit-query.d.ts +10 -0
- package/vendor/packages/toolkit/dist/query/toolkit-query.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/query/toolkit-query.js +49 -0
- package/vendor/packages/toolkit/dist/query/toolkit-query.js.map +1 -0
- package/vendor/packages/toolkit/dist/query.test.d.ts +2 -0
- package/vendor/packages/toolkit/dist/query.test.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/query.test.js +30 -0
- package/vendor/packages/toolkit/dist/query.test.js.map +1 -0
- package/vendor/packages/toolkit/dist/schema/asset-meta.d.ts +3 -0
- package/vendor/packages/toolkit/dist/schema/asset-meta.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/schema/asset-meta.js +130 -0
- package/vendor/packages/toolkit/dist/schema/asset-meta.js.map +1 -0
- package/vendor/packages/toolkit/dist/schema/asset-unit.d.ts +3 -0
- package/vendor/packages/toolkit/dist/schema/asset-unit.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/schema/asset-unit.js +22 -0
- package/vendor/packages/toolkit/dist/schema/asset-unit.js.map +1 -0
- package/vendor/packages/toolkit/dist/schema/index.d.ts +5 -0
- package/vendor/packages/toolkit/dist/schema/index.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/schema/index.js +5 -0
- package/vendor/packages/toolkit/dist/schema/index.js.map +1 -0
- package/vendor/packages/toolkit/dist/schema/kinds.d.ts +6 -0
- package/vendor/packages/toolkit/dist/schema/kinds.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/schema/kinds.js +24 -0
- package/vendor/packages/toolkit/dist/schema/kinds.js.map +1 -0
- package/vendor/packages/toolkit/dist/schema/manifest.d.ts +3 -0
- package/vendor/packages/toolkit/dist/schema/manifest.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/schema/manifest.js +30 -0
- package/vendor/packages/toolkit/dist/schema/manifest.js.map +1 -0
- package/vendor/packages/toolkit/dist/types.d.ts +80 -0
- package/vendor/packages/toolkit/dist/types.d.ts.map +1 -0
- package/vendor/packages/toolkit/dist/types.js +6 -0
- package/vendor/packages/toolkit/dist/types.js.map +1 -0
- package/vendor/packages/toolkit/package.json +35 -0
- package/vendor/packages/toolkit/src/content/agents/architect/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/architect/body.md +34 -0
- package/vendor/packages/toolkit/src/content/agents/architect/meta.yaml +25 -0
- package/vendor/packages/toolkit/src/content/agents/backend-specialist/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/backend-specialist/body.md +30 -0
- package/vendor/packages/toolkit/src/content/agents/backend-specialist/meta.yaml +24 -0
- package/vendor/packages/toolkit/src/content/agents/code-reviewer/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/code-reviewer/body.md +31 -0
- package/vendor/packages/toolkit/src/content/agents/code-reviewer/meta.yaml +26 -0
- package/vendor/packages/toolkit/src/content/agents/frontend-specialist/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/frontend-specialist/body.md +31 -0
- package/vendor/packages/toolkit/src/content/agents/frontend-specialist/meta.yaml +24 -0
- package/vendor/packages/toolkit/src/content/agents/performance-engineer/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/performance-engineer/body.md +72 -0
- package/vendor/packages/toolkit/src/content/agents/performance-engineer/meta.yaml +24 -0
- package/vendor/packages/toolkit/src/content/agents/product-owner/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/product-owner/body.md +32 -0
- package/vendor/packages/toolkit/src/content/agents/product-owner/meta.yaml +24 -0
- package/vendor/packages/toolkit/src/content/agents/security-auditor/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/security-auditor/body.md +83 -0
- package/vendor/packages/toolkit/src/content/agents/security-auditor/meta.yaml +24 -0
- package/vendor/packages/toolkit/src/content/agents/test-engineer/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/agents/test-engineer/body.md +30 -0
- package/vendor/packages/toolkit/src/content/agents/test-engineer/meta.yaml +28 -0
- package/vendor/packages/toolkit/src/content/commands/api/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/api/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/api/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/build/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/build/body.md +37 -0
- package/vendor/packages/toolkit/src/content/commands/build/meta.yaml +26 -0
- package/vendor/packages/toolkit/src/content/commands/careful/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/careful/body.md +18 -0
- package/vendor/packages/toolkit/src/content/commands/careful/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/commands/ci/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/ci/body.md +27 -0
- package/vendor/packages/toolkit/src/content/commands/ci/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/commit/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/commit/body.md +26 -0
- package/vendor/packages/toolkit/src/content/commands/commit/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/ctx-health/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/ctx-health/body.md +22 -0
- package/vendor/packages/toolkit/src/content/commands/ctx-health/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/debug/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/debug/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/debug/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/doc/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/doc/body.md +23 -0
- package/vendor/packages/toolkit/src/content/commands/doc/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/freeze/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/freeze/body.md +17 -0
- package/vendor/packages/toolkit/src/content/commands/freeze/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/commands/guard/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/guard/body.md +17 -0
- package/vendor/packages/toolkit/src/content/commands/guard/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/commands/idea/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/idea/body.md +23 -0
- package/vendor/packages/toolkit/src/content/commands/idea/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/learn/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/learn/body.md +37 -0
- package/vendor/packages/toolkit/src/content/commands/learn/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/migrate/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/migrate/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/migrate/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/commands/onboard/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/onboard/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/onboard/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/perf/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/perf/body.md +23 -0
- package/vendor/packages/toolkit/src/content/commands/perf/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/plan-review/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/plan-review/body.md +28 -0
- package/vendor/packages/toolkit/src/content/commands/plan-review/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/commands/qa/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/qa/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/qa/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/quality-review/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/quality-review/body.md +38 -0
- package/vendor/packages/toolkit/src/content/commands/quality-review/meta.yaml +22 -0
- package/vendor/packages/toolkit/src/content/commands/retro/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/retro/body.md +25 -0
- package/vendor/packages/toolkit/src/content/commands/retro/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/commands/sdd-tdd/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/sdd-tdd/body.md +39 -0
- package/vendor/packages/toolkit/src/content/commands/sdd-tdd/meta.yaml +23 -0
- package/vendor/packages/toolkit/src/content/commands/secure/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/secure/body.md +23 -0
- package/vendor/packages/toolkit/src/content/commands/secure/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/ship/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/ship/body.md +17 -0
- package/vendor/packages/toolkit/src/content/commands/ship/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/commands/simplify/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/simplify/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/simplify/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/commands/spec/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/spec/body.md +32 -0
- package/vendor/packages/toolkit/src/content/commands/spec/meta.yaml +23 -0
- package/vendor/packages/toolkit/src/content/commands/task-plan/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/task-plan/body.md +32 -0
- package/vendor/packages/toolkit/src/content/commands/task-plan/meta.yaml +23 -0
- package/vendor/packages/toolkit/src/content/commands/ui/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/ui/body.md +24 -0
- package/vendor/packages/toolkit/src/content/commands/ui/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/commands/verify/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/commands/verify/body.md +32 -0
- package/vendor/packages/toolkit/src/content/commands/verify/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/skills/api-and-interface-design/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/api-and-interface-design/body.md +289 -0
- package/vendor/packages/toolkit/src/content/skills/api-and-interface-design/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/brainstorming-and-design/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/brainstorming-and-design/body.md +129 -0
- package/vendor/packages/toolkit/src/content/skills/brainstorming-and-design/meta.yaml +18 -0
- package/vendor/packages/toolkit/src/content/skills/branch-finish-and-cleanup/body.md +155 -0
- package/vendor/packages/toolkit/src/content/skills/branch-finish-and-cleanup/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/browser-qa-testing/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/browser-qa-testing/body.md +554 -0
- package/vendor/packages/toolkit/src/content/skills/browser-qa-testing/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/ci-cd-and-automation/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/ci-cd-and-automation/body.md +417 -0
- package/vendor/packages/toolkit/src/content/skills/ci-cd-and-automation/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/code-review-and-quality/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/code-review-and-quality/body.md +130 -0
- package/vendor/packages/toolkit/src/content/skills/code-review-and-quality/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/code-simplification/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/code-simplification/body.md +326 -0
- package/vendor/packages/toolkit/src/content/skills/code-simplification/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/codebase-onboarding/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/codebase-onboarding/body.md +40 -0
- package/vendor/packages/toolkit/src/content/skills/codebase-onboarding/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/context-budget-audit/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/context-budget-audit/body.md +38 -0
- package/vendor/packages/toolkit/src/content/skills/context-budget-audit/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/context-engineering/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/context-engineering/body.md +55 -0
- package/vendor/packages/toolkit/src/content/skills/context-engineering/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/continuous-learning/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/continuous-learning/body.md +367 -0
- package/vendor/packages/toolkit/src/content/skills/continuous-learning/meta.yaml +18 -0
- package/vendor/packages/toolkit/src/content/skills/debugging-and-error-recovery/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/debugging-and-error-recovery/body.md +43 -0
- package/vendor/packages/toolkit/src/content/skills/debugging-and-error-recovery/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/deprecation-and-migration/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/deprecation-and-migration/body.md +201 -0
- package/vendor/packages/toolkit/src/content/skills/deprecation-and-migration/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/developer-experience-audit/body.md +49 -0
- package/vendor/packages/toolkit/src/content/skills/developer-experience-audit/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/documentation-and-adrs/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/documentation-and-adrs/body.md +61 -0
- package/vendor/packages/toolkit/src/content/skills/documentation-and-adrs/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/engineering-principles/body.md +54 -0
- package/vendor/packages/toolkit/src/content/skills/engineering-principles/meta.yaml +18 -0
- package/vendor/packages/toolkit/src/content/skills/frontend-ui-engineering/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/frontend-ui-engineering/body.md +324 -0
- package/vendor/packages/toolkit/src/content/skills/frontend-ui-engineering/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/git-workflow-and-versioning/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/git-workflow-and-versioning/body.md +319 -0
- package/vendor/packages/toolkit/src/content/skills/git-workflow-and-versioning/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/idea-refine/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/idea-refine/body.md +173 -0
- package/vendor/packages/toolkit/src/content/skills/idea-refine/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/incremental-implementation/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/incremental-implementation/body.md +43 -0
- package/vendor/packages/toolkit/src/content/skills/incremental-implementation/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/multi-perspective-review/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/multi-perspective-review/body.md +52 -0
- package/vendor/packages/toolkit/src/content/skills/multi-perspective-review/meta.yaml +18 -0
- package/vendor/packages/toolkit/src/content/skills/parallel-agent-dispatch/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/parallel-agent-dispatch/body.md +351 -0
- package/vendor/packages/toolkit/src/content/skills/parallel-agent-dispatch/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/skills/performance-optimization/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/performance-optimization/body.md +345 -0
- package/vendor/packages/toolkit/src/content/skills/performance-optimization/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/planning-and-task-breakdown/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/planning-and-task-breakdown/body.md +48 -0
- package/vendor/packages/toolkit/src/content/skills/planning-and-task-breakdown/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/release-documentation-sync/body.md +54 -0
- package/vendor/packages/toolkit/src/content/skills/release-documentation-sync/meta.yaml +15 -0
- package/vendor/packages/toolkit/src/content/skills/review-response-and-resolution/body.md +61 -0
- package/vendor/packages/toolkit/src/content/skills/review-response-and-resolution/meta.yaml +18 -0
- package/vendor/packages/toolkit/src/content/skills/safety-guardrails/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/safety-guardrails/body.md +43 -0
- package/vendor/packages/toolkit/src/content/skills/safety-guardrails/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/sdd-tdd-workflow/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/sdd-tdd-workflow/body.md +371 -0
- package/vendor/packages/toolkit/src/content/skills/sdd-tdd-workflow/meta.yaml +25 -0
- package/vendor/packages/toolkit/src/content/skills/security-and-hardening/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/security-and-hardening/body.md +344 -0
- package/vendor/packages/toolkit/src/content/skills/security-and-hardening/meta.yaml +21 -0
- package/vendor/packages/toolkit/src/content/skills/shipping-and-launch/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/shipping-and-launch/body.md +55 -0
- package/vendor/packages/toolkit/src/content/skills/shipping-and-launch/meta.yaml +22 -0
- package/vendor/packages/toolkit/src/content/skills/source-driven-development/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/source-driven-development/body.md +186 -0
- package/vendor/packages/toolkit/src/content/skills/source-driven-development/meta.yaml +18 -0
- package/vendor/packages/toolkit/src/content/skills/spec-driven-development/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/spec-driven-development/body.md +49 -0
- package/vendor/packages/toolkit/src/content/skills/spec-driven-development/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/sprint-retrospective/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/sprint-retrospective/body.md +336 -0
- package/vendor/packages/toolkit/src/content/skills/sprint-retrospective/meta.yaml +17 -0
- package/vendor/packages/toolkit/src/content/skills/subagent-driven-development/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/subagent-driven-development/body.md +228 -0
- package/vendor/packages/toolkit/src/content/skills/subagent-driven-development/meta.yaml +19 -0
- package/vendor/packages/toolkit/src/content/skills/team-orchestration/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/team-orchestration/body.md +372 -0
- package/vendor/packages/toolkit/src/content/skills/team-orchestration/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/test-driven-development/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/test-driven-development/body.md +374 -0
- package/vendor/packages/toolkit/src/content/skills/test-driven-development/meta.yaml +20 -0
- package/vendor/packages/toolkit/src/content/skills/using-agent-skills/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/using-agent-skills/body.md +169 -0
- package/vendor/packages/toolkit/src/content/skills/using-agent-skills/meta.yaml +23 -0
- package/vendor/packages/toolkit/src/content/skills/verification-before-completion/assets/.gitkeep +0 -0
- package/vendor/packages/toolkit/src/content/skills/verification-before-completion/body.md +68 -0
- package/vendor/packages/toolkit/src/content/skills/verification-before-completion/meta.yaml +20 -0
- package/vendor/packages/toolkit/templates/README.md +12 -0
- package/vendor/packages/toolkit/templates/asset-unit/assets/.gitkeep +1 -0
- package/vendor/packages/toolkit/templates/asset-unit/body.md +3 -0
- package/vendor/packages/toolkit/templates/asset-unit/meta.yaml +6 -0
- package/vendor/references/upstreams.yaml +89 -0
|
@@ -0,0 +1,344 @@
|
|
|
1
|
+
# Security and Hardening
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Security-first development practices for web applications. Treat every external input as hostile, every secret as sacred, and every authorization check as mandatory. Security isn't a phase — it's a constraint on every line of code that touches user data, authentication, or external systems.
|
|
6
|
+
|
|
7
|
+
## When to Use
|
|
8
|
+
|
|
9
|
+
- Building anything that accepts user input
|
|
10
|
+
- Implementing authentication or authorization
|
|
11
|
+
- Storing or transmitting sensitive data
|
|
12
|
+
- Integrating with external APIs or services
|
|
13
|
+
- Adding file uploads, webhooks, or callbacks
|
|
14
|
+
- Handling payment or PII data
|
|
15
|
+
|
|
16
|
+
## The Three-Tier Boundary System
|
|
17
|
+
|
|
18
|
+
### Always Do (No Exceptions)
|
|
19
|
+
|
|
20
|
+
- **Validate all external input** at the system boundary (API routes, form handlers)
|
|
21
|
+
- **Parameterize all database queries** — never concatenate user input into SQL
|
|
22
|
+
- **Encode output** to prevent XSS (use framework auto-escaping, don't bypass it)
|
|
23
|
+
- **Use HTTPS** for all external communication
|
|
24
|
+
- **Hash passwords** with bcrypt/scrypt/argon2 (never store plaintext)
|
|
25
|
+
- **Set security headers** (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
|
|
26
|
+
- **Use httpOnly, secure, sameSite cookies** for sessions
|
|
27
|
+
- **Run `npm audit`** (or equivalent) before every release
|
|
28
|
+
|
|
29
|
+
### Ask First (Requires Human Approval)
|
|
30
|
+
|
|
31
|
+
- Adding new authentication flows or changing auth logic
|
|
32
|
+
- Storing new categories of sensitive data (PII, payment info)
|
|
33
|
+
- Adding new external service integrations
|
|
34
|
+
- Changing CORS configuration
|
|
35
|
+
- Adding file upload handlers
|
|
36
|
+
- Modifying rate limiting or throttling
|
|
37
|
+
- Granting elevated permissions or roles
|
|
38
|
+
|
|
39
|
+
### Never Do
|
|
40
|
+
|
|
41
|
+
- **Never commit secrets** to version control (API keys, passwords, tokens)
|
|
42
|
+
- **Never log sensitive data** (passwords, tokens, full credit card numbers)
|
|
43
|
+
- **Never trust client-side validation** as a security boundary
|
|
44
|
+
- **Never disable security headers** for convenience
|
|
45
|
+
- **Never use `eval()` or `innerHTML`** with user-provided data
|
|
46
|
+
- **Never store sessions in client-accessible storage** (localStorage for auth tokens)
|
|
47
|
+
- **Never expose stack traces** or internal error details to users
|
|
48
|
+
|
|
49
|
+
## OWASP Top 10 Prevention
|
|
50
|
+
|
|
51
|
+
### 1. Injection (SQL, NoSQL, OS Command)
|
|
52
|
+
|
|
53
|
+
```typescript
|
|
54
|
+
// BAD: SQL injection via string concatenation
|
|
55
|
+
const query = `SELECT * FROM users WHERE id = '${userId}'`;
|
|
56
|
+
|
|
57
|
+
// GOOD: Parameterized query
|
|
58
|
+
const user = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
|
|
59
|
+
|
|
60
|
+
// GOOD: ORM with parameterized input
|
|
61
|
+
const user = await prisma.user.findUnique({ where: { id: userId } });
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
### 2. Broken Authentication
|
|
65
|
+
|
|
66
|
+
```typescript
|
|
67
|
+
// Password hashing
|
|
68
|
+
import { hash, compare } from 'bcrypt';
|
|
69
|
+
|
|
70
|
+
const SALT_ROUNDS = 12;
|
|
71
|
+
const hashedPassword = await hash(plaintext, SALT_ROUNDS);
|
|
72
|
+
const isValid = await compare(plaintext, hashedPassword);
|
|
73
|
+
|
|
74
|
+
// Session management
|
|
75
|
+
app.use(session({
|
|
76
|
+
secret: process.env.SESSION_SECRET, // From environment, not code
|
|
77
|
+
resave: false,
|
|
78
|
+
saveUninitialized: false,
|
|
79
|
+
cookie: {
|
|
80
|
+
httpOnly: true, // Not accessible via JavaScript
|
|
81
|
+
secure: true, // HTTPS only
|
|
82
|
+
sameSite: 'lax', // CSRF protection
|
|
83
|
+
maxAge: 24 * 60 * 60 * 1000, // 24 hours
|
|
84
|
+
},
|
|
85
|
+
}));
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
### 3. Cross-Site Scripting (XSS)
|
|
89
|
+
|
|
90
|
+
```typescript
|
|
91
|
+
// BAD: Rendering user input as HTML
|
|
92
|
+
element.innerHTML = userInput;
|
|
93
|
+
|
|
94
|
+
// GOOD: Use framework auto-escaping (React does this by default)
|
|
95
|
+
return <div>{userInput}</div>;
|
|
96
|
+
|
|
97
|
+
// If you MUST render HTML, sanitize first
|
|
98
|
+
import DOMPurify from 'dompurify';
|
|
99
|
+
const clean = DOMPurify.sanitize(userInput);
|
|
100
|
+
```
|
|
101
|
+
|
|
102
|
+
### 4. Broken Access Control
|
|
103
|
+
|
|
104
|
+
```typescript
|
|
105
|
+
// Always check authorization, not just authentication
|
|
106
|
+
app.patch('/api/tasks/:id', authenticate, async (req, res) => {
|
|
107
|
+
const task = await taskService.findById(req.params.id);
|
|
108
|
+
|
|
109
|
+
// Check that the authenticated user owns this resource
|
|
110
|
+
if (task.ownerId !== req.user.id) {
|
|
111
|
+
return res.status(403).json({
|
|
112
|
+
error: { code: 'FORBIDDEN', message: 'Not authorized to modify this task' }
|
|
113
|
+
});
|
|
114
|
+
}
|
|
115
|
+
|
|
116
|
+
// Proceed with update
|
|
117
|
+
const updated = await taskService.update(req.params.id, req.body);
|
|
118
|
+
return res.json(updated);
|
|
119
|
+
});
|
|
120
|
+
```
|
|
121
|
+
|
|
122
|
+
### 5. Security Misconfiguration
|
|
123
|
+
|
|
124
|
+
```typescript
|
|
125
|
+
// Security headers (use helmet for Express)
|
|
126
|
+
import helmet from 'helmet';
|
|
127
|
+
app.use(helmet());
|
|
128
|
+
|
|
129
|
+
// Content Security Policy
|
|
130
|
+
app.use(helmet.contentSecurityPolicy({
|
|
131
|
+
directives: {
|
|
132
|
+
defaultSrc: ["'self'"],
|
|
133
|
+
scriptSrc: ["'self'"],
|
|
134
|
+
styleSrc: ["'self'", "'unsafe-inline'"], // Tighten if possible
|
|
135
|
+
imgSrc: ["'self'", 'data:', 'https:'],
|
|
136
|
+
connectSrc: ["'self'"],
|
|
137
|
+
},
|
|
138
|
+
}));
|
|
139
|
+
|
|
140
|
+
// CORS — restrict to known origins
|
|
141
|
+
app.use(cors({
|
|
142
|
+
origin: process.env.ALLOWED_ORIGINS?.split(',') || 'http://localhost:3000',
|
|
143
|
+
credentials: true,
|
|
144
|
+
}));
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### 6. Sensitive Data Exposure
|
|
148
|
+
|
|
149
|
+
```typescript
|
|
150
|
+
// Never return sensitive fields in API responses
|
|
151
|
+
function sanitizeUser(user: UserRecord): PublicUser {
|
|
152
|
+
const { passwordHash, resetToken, ...publicFields } = user;
|
|
153
|
+
return publicFields;
|
|
154
|
+
}
|
|
155
|
+
|
|
156
|
+
// Use environment variables for secrets
|
|
157
|
+
const API_KEY = process.env.STRIPE_API_KEY;
|
|
158
|
+
if (!API_KEY) throw new Error('STRIPE_API_KEY not configured');
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
## Input Validation Patterns
|
|
162
|
+
|
|
163
|
+
### Schema Validation at Boundaries
|
|
164
|
+
|
|
165
|
+
```typescript
|
|
166
|
+
import { z } from 'zod';
|
|
167
|
+
|
|
168
|
+
const CreateTaskSchema = z.object({
|
|
169
|
+
title: z.string().min(1).max(200).trim(),
|
|
170
|
+
description: z.string().max(2000).optional(),
|
|
171
|
+
priority: z.enum(['low', 'medium', 'high']).default('medium'),
|
|
172
|
+
dueDate: z.string().datetime().optional(),
|
|
173
|
+
});
|
|
174
|
+
|
|
175
|
+
// Validate at the route handler
|
|
176
|
+
app.post('/api/tasks', async (req, res) => {
|
|
177
|
+
const result = CreateTaskSchema.safeParse(req.body);
|
|
178
|
+
if (!result.success) {
|
|
179
|
+
return res.status(422).json({
|
|
180
|
+
error: {
|
|
181
|
+
code: 'VALIDATION_ERROR',
|
|
182
|
+
message: 'Invalid input',
|
|
183
|
+
details: result.error.flatten(),
|
|
184
|
+
},
|
|
185
|
+
});
|
|
186
|
+
}
|
|
187
|
+
// result.data is now typed and validated
|
|
188
|
+
const task = await taskService.create(result.data);
|
|
189
|
+
return res.status(201).json(task);
|
|
190
|
+
});
|
|
191
|
+
```
|
|
192
|
+
|
|
193
|
+
### File Upload Safety
|
|
194
|
+
|
|
195
|
+
```typescript
|
|
196
|
+
// Restrict file types and sizes
|
|
197
|
+
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/webp'];
|
|
198
|
+
const MAX_SIZE = 5 * 1024 * 1024; // 5MB
|
|
199
|
+
|
|
200
|
+
function validateUpload(file: UploadedFile) {
|
|
201
|
+
if (!ALLOWED_TYPES.includes(file.mimetype)) {
|
|
202
|
+
throw new ValidationError('File type not allowed');
|
|
203
|
+
}
|
|
204
|
+
if (file.size > MAX_SIZE) {
|
|
205
|
+
throw new ValidationError('File too large (max 5MB)');
|
|
206
|
+
}
|
|
207
|
+
// Don't trust the file extension — check magic bytes if critical
|
|
208
|
+
}
|
|
209
|
+
```
|
|
210
|
+
|
|
211
|
+
## Triaging npm audit Results
|
|
212
|
+
|
|
213
|
+
Not all audit findings require immediate action. Use this decision tree:
|
|
214
|
+
|
|
215
|
+
```
|
|
216
|
+
npm audit reports a vulnerability
|
|
217
|
+
├── Severity: critical or high
|
|
218
|
+
│ ├── Is the vulnerable code reachable in your app?
|
|
219
|
+
│ │ ├── YES --> Fix immediately (update, patch, or replace the dependency)
|
|
220
|
+
│ │ └── NO (dev-only dep, unused code path) --> Fix soon, but not a blocker
|
|
221
|
+
│ └── Is a fix available?
|
|
222
|
+
│ ├── YES --> Update to the patched version
|
|
223
|
+
│ └── NO --> Check for workarounds, consider replacing the dependency, or add to allowlist with a review date
|
|
224
|
+
├── Severity: moderate
|
|
225
|
+
│ ├── Reachable in production? --> Fix in the next release cycle
|
|
226
|
+
│ └── Dev-only? --> Fix when convenient, track in backlog
|
|
227
|
+
└── Severity: low
|
|
228
|
+
└── Track and fix during regular dependency updates
|
|
229
|
+
```
|
|
230
|
+
|
|
231
|
+
**Key questions:**
|
|
232
|
+
- Is the vulnerable function actually called in your code path?
|
|
233
|
+
- Is the dependency a runtime dependency or dev-only?
|
|
234
|
+
- Is the vulnerability exploitable given your deployment context (e.g., a server-side vulnerability in a client-only app)?
|
|
235
|
+
|
|
236
|
+
When you defer a fix, document the reason and set a review date.
|
|
237
|
+
|
|
238
|
+
## Rate Limiting
|
|
239
|
+
|
|
240
|
+
```typescript
|
|
241
|
+
import rateLimit from 'express-rate-limit';
|
|
242
|
+
|
|
243
|
+
// General API rate limit
|
|
244
|
+
app.use('/api/', rateLimit({
|
|
245
|
+
windowMs: 15 * 60 * 1000, // 15 minutes
|
|
246
|
+
max: 100, // 100 requests per window
|
|
247
|
+
standardHeaders: true,
|
|
248
|
+
legacyHeaders: false,
|
|
249
|
+
}));
|
|
250
|
+
|
|
251
|
+
// Stricter limit for auth endpoints
|
|
252
|
+
app.use('/api/auth/', rateLimit({
|
|
253
|
+
windowMs: 15 * 60 * 1000,
|
|
254
|
+
max: 10, // 10 attempts per 15 minutes
|
|
255
|
+
}));
|
|
256
|
+
```
|
|
257
|
+
|
|
258
|
+
## Secrets Management
|
|
259
|
+
|
|
260
|
+
```
|
|
261
|
+
.env files:
|
|
262
|
+
├── .env.example → Committed (template with placeholder values)
|
|
263
|
+
├── .env → NOT committed (contains real secrets)
|
|
264
|
+
└── .env.local → NOT committed (local overrides)
|
|
265
|
+
|
|
266
|
+
.gitignore must include:
|
|
267
|
+
.env
|
|
268
|
+
.env.local
|
|
269
|
+
.env.*.local
|
|
270
|
+
*.pem
|
|
271
|
+
*.key
|
|
272
|
+
```
|
|
273
|
+
|
|
274
|
+
**Always check before committing:**
|
|
275
|
+
```bash
|
|
276
|
+
# Check for accidentally staged secrets
|
|
277
|
+
git diff --cached | grep -i "password\|secret\|api_key\|token"
|
|
278
|
+
```
|
|
279
|
+
|
|
280
|
+
## Security Review Checklist
|
|
281
|
+
|
|
282
|
+
```markdown
|
|
283
|
+
### Authentication
|
|
284
|
+
- [ ] Passwords hashed with bcrypt/scrypt/argon2 (salt rounds ≥ 12)
|
|
285
|
+
- [ ] Session tokens are httpOnly, secure, sameSite
|
|
286
|
+
- [ ] Login has rate limiting
|
|
287
|
+
- [ ] Password reset tokens expire
|
|
288
|
+
|
|
289
|
+
### Authorization
|
|
290
|
+
- [ ] Every endpoint checks user permissions
|
|
291
|
+
- [ ] Users can only access their own resources
|
|
292
|
+
- [ ] Admin actions require admin role verification
|
|
293
|
+
|
|
294
|
+
### Input
|
|
295
|
+
- [ ] All user input validated at the boundary
|
|
296
|
+
- [ ] SQL queries are parameterized
|
|
297
|
+
- [ ] HTML output is encoded/escaped
|
|
298
|
+
|
|
299
|
+
### Data
|
|
300
|
+
- [ ] No secrets in code or version control
|
|
301
|
+
- [ ] Sensitive fields excluded from API responses
|
|
302
|
+
- [ ] PII encrypted at rest (if applicable)
|
|
303
|
+
|
|
304
|
+
### Infrastructure
|
|
305
|
+
- [ ] Security headers configured (CSP, HSTS, etc.)
|
|
306
|
+
- [ ] CORS restricted to known origins
|
|
307
|
+
- [ ] Dependencies audited for vulnerabilities
|
|
308
|
+
- [ ] Error messages don't expose internals
|
|
309
|
+
```
|
|
310
|
+
## See Also
|
|
311
|
+
|
|
312
|
+
For detailed security checklists and pre-commit verification steps, see `references/security-checklist.md`.
|
|
313
|
+
|
|
314
|
+
## Common Rationalizations
|
|
315
|
+
|
|
316
|
+
| Rationalization | Reality |
|
|
317
|
+
|---|---|
|
|
318
|
+
| "This is an internal tool, security doesn't matter" | Internal tools get compromised. Attackers target the weakest link. |
|
|
319
|
+
| "We'll add security later" | Security retrofitting is 10x harder than building it in. Add it now. |
|
|
320
|
+
| "No one would try to exploit this" | Automated scanners will find it. Security by obscurity is not security. |
|
|
321
|
+
| "The framework handles security" | Frameworks provide tools, not guarantees. You still need to use them correctly. |
|
|
322
|
+
| "It's just a prototype" | Prototypes become production. Security habits from day one. |
|
|
323
|
+
|
|
324
|
+
## Red Flags
|
|
325
|
+
|
|
326
|
+
- User input passed directly to database queries, shell commands, or HTML rendering
|
|
327
|
+
- Secrets in source code or commit history
|
|
328
|
+
- API endpoints without authentication or authorization checks
|
|
329
|
+
- Missing CORS configuration or wildcard (`*`) origins
|
|
330
|
+
- No rate limiting on authentication endpoints
|
|
331
|
+
- Stack traces or internal errors exposed to users
|
|
332
|
+
- Dependencies with known critical vulnerabilities
|
|
333
|
+
|
|
334
|
+
## Verification
|
|
335
|
+
|
|
336
|
+
After implementing security-relevant code:
|
|
337
|
+
|
|
338
|
+
- [ ] `npm audit` shows no critical or high vulnerabilities
|
|
339
|
+
- [ ] No secrets in source code or git history
|
|
340
|
+
- [ ] All user input validated at system boundaries
|
|
341
|
+
- [ ] Authentication and authorization checked on every protected endpoint
|
|
342
|
+
- [ ] Security headers present in response (check with browser DevTools)
|
|
343
|
+
- [ ] Error responses don't expose internal details
|
|
344
|
+
- [ ] Rate limiting active on auth endpoints
|
|
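Review bot: The Broken Access Control example (lines 105 to 119 of this file) dereferences `task.ownerId` without first handling the case where `taskService.findById` returns nothing, so a request for an unknown id throws instead of returning 404, and it then passes `req.body` straight into `taskService.update`, which contradicts the "Validate all external input at the system boundary" rule stated earlier in the same file and the `safeParse` pattern shown under "Schema Validation at Boundaries"; suggest adding `if (!task) return res.status(404).json(...)` before the ownership check and validating `req.body` against an update schema before the write. Two smaller points: the CORS example falls back to `'http://localhost:3000'` when `ALLOWED_ORIGINS` is unset, so a production deployment with a missing variable silently gets a development origin rather than failing closed (the `STRIPE_API_KEY` snippet in the same file shows the better "throw if not configured" pattern), and the "See Also" section points to `references/security-checklist.md`, but the file list for this package adds only `assets/.gitkeep`, `body.md` and `meta.yaml` under `skills/security-and-hardening/`, so that reference is dangling.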
@@ -0,0 +1,21 @@
|
|
|
1
|
+
kind: skill
|
|
2
|
+
name: security-and-hardening
|
|
3
|
+
title: 安全加固
|
|
4
|
+
description: 加固代码免受常见漏洞影响。适用于处理用户输入、认证、数据存储或外部集成,也适用于任何接收不可信数据、管理会话或接入第三方服务的功能。
|
|
5
|
+
tier: recommended
|
|
6
|
+
audience: advanced
|
|
7
|
+
stability: stable
|
|
8
|
+
suggests:
|
|
9
|
+
- skill:safety-guardrails
|
|
10
|
+
- skill:verification-before-completion
|
|
11
|
+
platforms:
|
|
12
|
+
- qwen
|
|
13
|
+
- codex
|
|
14
|
+
- qoder
|
|
15
|
+
source:
|
|
16
|
+
upstream: agent-skills
|
|
17
|
+
strategy: adapted
|
|
18
|
+
origin_name: security-and-hardening
|
|
19
|
+
origin_path: skills/security-and-hardening/SKILL.md
|
|
20
|
+
origin_id: skill:security-and-hardening
|
|
21
|
+
notes: 沿用上游安全加固能力,并对齐本仓库审查维度。
|
|
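Review bot: The `title` and `description` here are in Chinese while the `body.md` this metadata describes is entirely in English (its heading is "Security and Hardening"), unlike the other adapted skills in this diff where body and metadata share a language; either translate the body to match or keep the metadata in English so that platform listings built from `title`/`description` do not mislabel the content. The `source` block also records `upstream`, `origin_path` and `origin_id` but no upstream revision, so a reader cannot tell which version of `skills/security-and-hardening/SKILL.md` this adaptation tracks; if `vendor/references/upstreams.yaml` carries that pin, a comment pointing to it would help.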
File without changes
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# 发布上线
|
|
2
|
+
|
|
3
|
+
## 何时使用
|
|
4
|
+
|
|
5
|
+
- 要把功能首次发布到生产环境时
|
|
6
|
+
- 发布变更风险较高,需要灰度、监控和回滚方案时
|
|
7
|
+
- 涉及数据迁移、基础设施调整或用户可见行为变更时
|
|
8
|
+
|
|
9
|
+
## 输入前提
|
|
10
|
+
|
|
11
|
+
- 实现和验证已经完成,进入发布准备阶段
|
|
12
|
+
- 愿意把“能部署”与“能安全发布”区分开
|
|
13
|
+
- 已知当前上线范围和风险点
|
|
14
|
+
- 已识别发布会影响哪些说明、安装、升级或回滚文档
|
|
15
|
+
|
|
16
|
+
## 执行步骤
|
|
17
|
+
|
|
18
|
+
1. 完成发布前检查:质量、安全、性能、基础设施、文档
|
|
19
|
+
2. 决定是否需要 feature flag、灰度或分阶段放量
|
|
20
|
+
3. 定义监控指标、阈值和观察窗口
|
|
21
|
+
4. 明确回滚条件和回滚路径
|
|
22
|
+
5. 在发布 gate 中确认以下对外说明是否已就绪或已有明确补齐负责人:
|
|
23
|
+
- 发布说明和用户可见变更摘要
|
|
24
|
+
- 安装或升级指引
|
|
25
|
+
- 配置变更、默认值变化和兼容性说明
|
|
26
|
+
- 回滚步骤、回退条件和已知限制
|
|
27
|
+
6. 发布后做观察和收尾,包括清理临时开关,并核对文档是否与真实发布状态一致
|
|
28
|
+
|
|
29
|
+
## 成功标准
|
|
30
|
+
|
|
31
|
+
- 发布是可回滚、可监控、可解释的
|
|
32
|
+
- 风险较高的功能有分阶段上线策略
|
|
33
|
+
- 关键指标和告警阈值是明确的
|
|
34
|
+
- 上线后知道何时前进、何时暂停、何时回滚
|
|
35
|
+
- 发布相关说明不会因为遗漏文档同步而让用户或内部团队误操作
|
|
36
|
+
|
|
37
|
+
## 相关原则
|
|
38
|
+
|
|
39
|
+
- 发布不是“把代码推上去”,而是受控变更管理
|
|
40
|
+
- 高风险上线默认要有灰度和回滚方案
|
|
41
|
+
- 监控和观察窗口是发布的一部分
|
|
42
|
+
- 未同步的发布说明、安装升级指引和回滚说明,本质上也是发布风险
|
|
43
|
+
|
|
44
|
+
## 与文档同步的边界
|
|
45
|
+
|
|
46
|
+
- 本 skill 负责把文档同步纳入发布 gate,确保上线前后有明确责任和验收
|
|
47
|
+
- `documentation-and-adrs` 负责长期记录、ADR 和 drift 触发判断
|
|
48
|
+
- `release-documentation-sync` 负责发布后逐项核对 README、安装说明、行为变更记录等同步对象
|
|
49
|
+
|
|
50
|
+
## 与其他技能的衔接
|
|
51
|
+
|
|
52
|
+
- 通常接在 `verification-before-completion` 和 `code-review-and-quality` 之后
|
|
53
|
+
- 与 `documentation-and-adrs` 配合,补发布说明和决策记录
|
|
54
|
+
- 发布完成后如需做文档收尾,接 `release-documentation-sync`
|
|
55
|
+
- 高风险上线时可结合 `safety-guardrails`
|
|
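Review bot: Step 4 asks the team to define rollback conditions and a rollback path, and the success criteria require the release to be rollbackable, but no step asks that the rollback path actually be exercised (for example against staging) before launch, which is the usual gap when a rollback is first attempted during an incident; suggest adding a rehearsal requirement to step 4 or to the pre-launch check in step 1. Also, step 1 lists security as a pre-launch check and the closing section links to `safety-guardrails`, but nothing points to the `security-and-hardening` skill added in this same diff, whose "Verification" checklist (`npm audit`, secrets, headers, rate limiting) is exactly what that check would consist of; a cross-reference there would keep the two skills consistent.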
@@ -0,0 +1,22 @@
|
|
|
1
|
+
kind: skill
|
|
2
|
+
name: shipping-and-launch
|
|
3
|
+
title: 发布上线
|
|
4
|
+
description: 为生产上线做准备。适用于部署前的检查清单、监控配置、分阶段发布策略与回滚方案规划,确保变更具备真正可发布性。
|
|
5
|
+
tier: recommended
|
|
6
|
+
audience: advanced
|
|
7
|
+
stability: stable
|
|
8
|
+
suggests:
|
|
9
|
+
- skill:safety-guardrails
|
|
10
|
+
- skill:documentation-and-adrs
|
|
11
|
+
- skill:release-documentation-sync
|
|
12
|
+
platforms:
|
|
13
|
+
- qwen
|
|
14
|
+
- codex
|
|
15
|
+
- qoder
|
|
16
|
+
source:
|
|
17
|
+
upstream: agent-skills
|
|
18
|
+
strategy: adapted
|
|
19
|
+
origin_name: shipping-and-launch
|
|
20
|
+
origin_path: skills/shipping-and-launch/SKILL.md
|
|
21
|
+
origin_id: skill:shipping-and-launch
|
|
22
|
+
notes: 基于上游发布准备能力整理,并补充发布说明与文档同步收尾 gate。
|
|
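Review bot: The `suggests` list (safety-guardrails, documentation-and-adrs, release-documentation-sync) is missing two skills the body explicitly chains to: its "与其他技能的衔接" section says this skill normally follows `verification-before-completion` and `code-review-and-quality`, so either add those two entries or note in the body why they are intentionally excluded from `suggests`, so that tooling which resolves suggestions matches the documented workflow.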
File without changes
|
|
@@ -0,0 +1,186 @@
|
|
|
1
|
+
# 基于官方文档的开发
|
|
2
|
+
|
|
3
|
+
## 概述
|
|
4
|
+
|
|
5
|
+
每个框架相关的代码决策都必须有官方文档支撑。不要凭记忆实现——验证、引用、让用户看到来源。训练数据会过时,API 会被弃用,最佳实践会演进。本技能确保用户得到可信赖的代码,因为每个模式都可以追溯到权威来源。
|
|
6
|
+
|
|
7
|
+
## 何时使用
|
|
8
|
+
|
|
9
|
+
- 用户需要遵循当前最佳实践的框架代码
|
|
10
|
+
- 构建模板、脚手架或将被跨项目复制的模式
|
|
11
|
+
- 用户明确要求有文档支撑的、经过验证的或"正确"的实现
|
|
12
|
+
- 实现依赖框架推荐方式的功能(表单、路由、数据获取、状态管理、认证)
|
|
13
|
+
- 审查或改进使用框架特定模式的代码
|
|
14
|
+
- 任何你准备凭记忆编写框架特定代码的时候
|
|
15
|
+
|
|
16
|
+
**不需要使用的场景:**
|
|
17
|
+
|
|
18
|
+
- 正确性不依赖特定版本的操作(重命名变量、修复拼写、移动文件)
|
|
19
|
+
- 在所有版本中行为一致的纯逻辑(循环、条件、数据结构)
|
|
20
|
+
- 用户明确要求速度优先于验证("快速搞定就行")
|
|
21
|
+
|
|
22
|
+
## 流程
|
|
23
|
+
|
|
24
|
+
```
|
|
25
|
+
检测 ──→ 拉取 ──→ 实现 ──→ 引用
|
|
26
|
+
│ │ │ │
|
|
27
|
+
▼ ▼ ▼ ▼
|
|
28
|
+
识别 获取 按照 标注
|
|
29
|
+
技术栈 相关文档 文档模式 来源
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
### 步骤 1:检测技术栈和版本
|
|
33
|
+
|
|
34
|
+
读取项目的依赖文件,识别精确版本:
|
|
35
|
+
|
|
36
|
+
```
|
|
37
|
+
package.json → Node/React/Vue/Angular/Svelte
|
|
38
|
+
composer.json → PHP/Symfony/Laravel
|
|
39
|
+
requirements.txt / pyproject.toml → Python/Django/Flask
|
|
40
|
+
go.mod → Go
|
|
41
|
+
Cargo.toml → Rust
|
|
42
|
+
Gemfile → Ruby/Rails
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
明确陈述发现:
|
|
46
|
+
|
|
47
|
+
```
|
|
48
|
+
技术栈检测结果:
|
|
49
|
+
- React 19.1.0(来自 package.json)
|
|
50
|
+
- Vite 6.2.0
|
|
51
|
+
- Tailwind CSS 4.0.3
|
|
52
|
+
→ 正在拉取相关模式的官方文档。
|
|
53
|
+
```
|
|
54
|
+
|
|
55
|
+
如果版本缺失或模糊,**向用户确认**。不要猜测——版本决定了哪些模式是正确的。
|
|
56
|
+
|
|
57
|
+
### 步骤 2:拉取官方文档
|
|
58
|
+
|
|
59
|
+
拉取你正在实现的功能对应的具体文档页面。不是首页,不是全部文档——是相关页面。
|
|
60
|
+
|
|
61
|
+
**来源优先级(按权威性排序):**
|
|
62
|
+
|
|
63
|
+
| 优先级 | 来源 | 示例 |
|
|
64
|
+
|--------|------|------|
|
|
65
|
+
| 1 | 官方文档 | react.dev, docs.djangoproject.com, symfony.com/doc |
|
|
66
|
+
| 2 | 官方博客/更新日志 | react.dev/blog, nextjs.org/blog |
|
|
67
|
+
| 3 | Web 标准参考 | MDN, web.dev, html.spec.whatwg.org |
|
|
68
|
+
| 4 | 浏览器/运行时兼容性 | caniuse.com, node.green |
|
|
69
|
+
|
|
70
|
+
**不具权威性——不可作为主要来源引用:**
|
|
71
|
+
|
|
72
|
+
- Stack Overflow 回答
|
|
73
|
+
- 博客文章或教程(即使是热门的)
|
|
74
|
+
- AI 生成的文档或摘要
|
|
75
|
+
- 你自己的训练数据(这正是需要验证的——不要自引自证)
|
|
76
|
+
|
|
77
|
+
**精确拉取:**
|
|
78
|
+
|
|
79
|
+
```
|
|
80
|
+
错误:拉取 React 首页
|
|
81
|
+
正确:拉取 react.dev/reference/react/useActionState
|
|
82
|
+
|
|
83
|
+
错误:搜索"django authentication best practices"
|
|
84
|
+
正确:拉取 docs.djangoproject.com/en/6.0/topics/auth/
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
拉取后,提取关键模式并记录任何弃用警告或迁移指引。
|
|
88
|
+
|
|
89
|
+
当官方来源之间相互矛盾时(如迁移指南与 API 参考不一致),向用户说明差异并针对检测到的版本验证哪个模式实际有效。
|
|
90
|
+
|
|
91
|
+
### 步骤 3:按文档模式实现
|
|
92
|
+
|
|
93
|
+
编写与文档一致的代码:
|
|
94
|
+
|
|
95
|
+
- 使用文档中的 API 签名,而非凭记忆
|
|
96
|
+
- 如果文档展示了新的做法,使用新做法
|
|
97
|
+
- 如果文档弃用了某个模式,不要使用弃用版本
|
|
98
|
+
- 如果文档没有覆盖某些内容,标记为未验证
|
|
99
|
+
|
|
100
|
+
**当文档与现有项目代码冲突时:**
|
|
101
|
+
|
|
102
|
+
```
|
|
103
|
+
冲突检测:
|
|
104
|
+
现有代码使用 useState 管理表单加载状态,
|
|
105
|
+
但 React 19 文档推荐使用 useActionState 处理此场景。
|
|
106
|
+
(来源:react.dev/reference/react/useActionState)
|
|
107
|
+
|
|
108
|
+
选项:
|
|
109
|
+
A) 使用现代模式(useActionState)—— 与当前文档一致
|
|
110
|
+
B) 匹配现有代码(useState)—— 与代码库一致
|
|
111
|
+
→ 你倾向哪种方式?
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
呈现冲突。不要默默选择。
|
|
115
|
+
|
|
116
|
+
### 步骤 4:标注来源
|
|
117
|
+
|
|
118
|
+
每个框架特定的模式都需要引用。用户必须能验证每个决策。
|
|
119
|
+
|
|
120
|
+
**在代码注释中:**
|
|
121
|
+
|
|
122
|
+
```typescript
|
|
123
|
+
// React 19 表单处理 useActionState
|
|
124
|
+
// 来源:https://react.dev/reference/react/useActionState#usage
|
|
125
|
+
const [state, formAction, isPending] = useActionState(submitOrder, initialState);
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
**在对话中:**
|
|
129
|
+
|
|
130
|
+
```
|
|
131
|
+
我使用 useActionState 而非手动 useState 管理表单提交状态。
|
|
132
|
+
React 19 用此 hook 替代了手动的 isPending/setIsPending 模式。
|
|
133
|
+
|
|
134
|
+
来源:https://react.dev/blog/2024/12/05/react-19#actions
|
|
135
|
+
"useTransition 现在支持异步函数 [...] 自动处理 pending 状态"
|
|
136
|
+
```
|
|
137
|
+
|
|
138
|
+
**引用规则:**
|
|
139
|
+
|
|
140
|
+
- 完整 URL,不使用缩短链接
|
|
141
|
+
- 尽可能使用带锚点的深链接(如 `/useActionState#usage` 优于 `/useActionState`)
|
|
142
|
+
- 当支撑非显而易见的决策时,引用相关段落
|
|
143
|
+
- 推荐平台特性时,附上浏览器/运行时兼容性数据
|
|
144
|
+
- 如果找不到某个模式的文档,明确说明:
|
|
145
|
+
|
|
146
|
+
```
|
|
147
|
+
未验证:未找到此模式的官方文档。
|
|
148
|
+
此实现基于训练数据,可能已过时。
|
|
149
|
+
请在用于生产前自行验证。
|
|
150
|
+
```
|
|
151
|
+
|
|
152
|
+
诚实说明未能验证的内容,比虚假自信更有价值。
|
|
153
|
+
|
|
154
|
+
## 常见借口
|
|
155
|
+
|
|
156
|
+
| 借口 | 现实 |
|
|
157
|
+
|------|------|
|
|
158
|
+
| "我对这个 API 很有信心" | 信心不是证据。训练数据里充满了看起来正确但在当前版本会出错的过时模式。验证它。 |
|
|
159
|
+
| "拉取文档浪费 token" | 编造 API 浪费更多。用户花一小时调试,才发现函数签名变了。一次拉取能省数小时返工。 |
|
|
160
|
+
| "文档里不会有我需要的" | 如果文档没覆盖,这本身就是有价值的信息——该模式可能不是官方推荐的。 |
|
|
161
|
+
| "我会注明可能已过时" | 免责声明没用。要么验证并引用,要么明确标记为未验证。模棱两可是最差选项。 |
|
|
162
|
+
| "这是简单任务,不需要检查" | 使用错误模式的简单任务会变成模板。用户把你的弃用表单处理复制到十个组件后才发现有现代方案。 |
|
|
163
|
+
|
|
164
|
+
## 危险信号
|
|
165
|
+
|
|
166
|
+
- 编写框架代码前没有检查该版本的文档
|
|
167
|
+
- 对 API 使用"我认为""应该是"而非引用来源
|
|
168
|
+
- 实现模式时不知道它适用于哪个版本
|
|
169
|
+
- 引用 Stack Overflow 或博客而非官方文档
|
|
170
|
+
- 因为出现在训练数据中而使用弃用的 API
|
|
171
|
+
- 实现前没有读 `package.json` / 依赖文件
|
|
172
|
+
- 交付代码时没有为框架特定决策标注来源
|
|
173
|
+
- 需要一个页面却拉取了整个文档站
|
|
174
|
+
|
|
175
|
+
## 检查清单
|
|
176
|
+
|
|
177
|
+
实现完成后自查:
|
|
178
|
+
|
|
179
|
+
- [ ] 已从依赖文件中识别框架和库的版本
|
|
180
|
+
- [ ] 已为框架特定模式拉取官方文档
|
|
181
|
+
- [ ] 所有来源都是官方文档,不是博客或训练数据
|
|
182
|
+
- [ ] 代码遵循当前版本文档中展示的模式
|
|
183
|
+
- [ ] 非显而易见的决策包含带完整 URL 的来源引用
|
|
184
|
+
- [ ] 未使用弃用 API(已对照迁移指南检查)
|
|
185
|
+
- [ ] 文档与现有代码的冲突已向用户说明
|
|
186
|
+
- [ ] 无法验证的内容已明确标记为未验证
|
|
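Review bot: The "在对话中" citation example does not follow the file's own rule that a quoted passage must support the decision being made: the decision is to use `useActionState`, but the quoted sentence from the React 19 blog post is about `useTransition` accepting async functions, so the quote supports a different hook than the one cited; replace it with a passage about `useActionState` or change the decision text. Separately, the source priority table and "精确拉取" examples list hostnames only; since fetched pages are loaded into the agent's context, it would be worth stating that fetches are limited to the listed official domains over HTTPS and that fetched text is treated as reference material, not as instructions, which also closes the gap the "不具权威性" list leaves for arbitrary pages.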
@@ -0,0 +1,18 @@
|
|
|
1
|
+
kind: skill
|
|
2
|
+
name: source-driven-development
|
|
3
|
+
title: 官方文档实现
|
|
4
|
+
description: 基于官方文档的实现规范。在使用任何框架或库编写代码时使用。确保每个实现决策都有官方文档支撑,杜绝凭记忆编码导致的过时模式。
|
|
5
|
+
tier: recommended
|
|
6
|
+
audience: advanced
|
|
7
|
+
stability: stable
|
|
8
|
+
suggests:
|
|
9
|
+
- skill:engineering-principles
|
|
10
|
+
- skill:verification-before-completion
|
|
11
|
+
platforms:
|
|
12
|
+
- qwen
|
|
13
|
+
- codex
|
|
14
|
+
- qoder
|
|
15
|
+
source:
|
|
16
|
+
upstream: toolkit-original
|
|
17
|
+
strategy: curated
|
|
18
|
+
notes: 本仓库强调基于官方文档实现的原生规范。
|
|
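Review bot: The `title` here is "官方文档实现" but the H1 of the corresponding `body.md` is "基于官方文档的开发", so listings generated from this metadata will not match the document heading; pick one name. The `description` also states the skill applies whenever writing code with any framework or library, while the body carves out explicit exclusions ("不需要使用的场景": version-independent edits, pure logic, user-requested speed over verification); reflecting that scope in the description would stop the skill from being suggested for the cases the body says to skip.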
File without changes
|