asdm-cli 0.1.0

package/registry/commands/audit-deps.asdm.md

@@ -0,0 +1,76 @@
+---
+name: audit-deps
+type: command
+description: "Audits project dependencies for security vulnerabilities and supply chain risks"
+version: 1.0.0
+
+providers:
+  opencode:
+    slash_command: /audit-deps
+    agent: security-auditor
+  claude-code:
+    slash_command: /audit-deps
+    agent: security-auditor
+  copilot:
+    slash_command: /audit-deps
+    agent: security-auditor
+---
+
+# /audit-deps
+
+Performs a comprehensive security audit of project dependencies. Checks for known CVEs, outdated packages, license compliance issues, and supply chain risk indicators.
+
+## Usage
+
+```
+/audit-deps
+/audit-deps --severity high
+/audit-deps --fix
+/audit-deps --format json
+```
+
+## Options
+
+- `--severity <level>` — Report only findings at or above this level: `critical`, `high` (default), `medium`, `low`
+- `--fix` — Automatically apply safe, non-breaking upgrades for found vulnerabilities
+- `--format <type>` — Output format: `table` (default), `json`, `sarif`
+- `--production` — Audit only production dependencies (skip devDependencies)
+- `--license <policy>` — Fail on packages with incompatible licenses: `permissive`, `copyleft`
+
+## Checks Performed
+
+### CVE Scan
+Cross-references installed package versions against the GitHub Advisory Database and OSV (Open Source Vulnerabilities). Reports CVE ID, CVSS score, affected version range, and fixed version.
+
+### Outdated Packages
+Identifies packages more than 2 major versions behind latest stable. Major version lag increases the cost of future security updates.
+
+### Supply Chain Indicators
+Flags packages exhibiting risk signals:
+- Maintainer changes in the last 90 days
+- Package publish from a new or recently-created npm account
+- Lockfile hash mismatch (possible tampering)
+- Package name typosquatting risk (similarity to popular packages)
+
+### License Compliance
+Identifies packages with licenses that may be incompatible with your project's license:
+- GPL/AGPL in proprietary projects
+- Missing license (undeclared licenses = legal risk)
+- Dual-licensed packages requiring commercial licensing
+
+## Output Example
+
+```
+CRITICAL  lodash@4.17.15    CVE-2021-23337  Prototype pollution via zipObjectDeep  → fix: 4.17.21
+HIGH      axios@0.21.1      CVE-2021-3749   SSRF via redirect following            → fix: 0.21.4
+MEDIUM    moment@2.29.1     Deprecated      Use dayjs or date-fns instead
+
+Summary: 2 vulnerabilities found (1 CRITICAL, 1 HIGH), 1 deprecation warning
+Run /audit-deps --fix to apply 2 safe upgrades automatically
+```
+
+## Notes
+
+- Always review `--fix` changes before committing — automatic upgrades may introduce breaking changes
+- Run in CI on every PR to catch new vulnerabilities introduced by dependency updates
+- SARIF output format is compatible with GitHub Code Scanning for automated tracking

package/registry/commands/check-file.asdm.md

@@ -0,0 +1,58 @@
+---
+name: check-file
+type: command
+description: "Analyzes a file for quality issues including style, complexity, and correctness"
+version: 1.0.0
+
+providers:
+  opencode:
+    slash_command: /check-file
+    agent: code-reviewer
+  claude-code:
+    slash_command: /check-file
+    agent: code-reviewer
+  copilot:
+    slash_command: /check-file
+    agent: code-reviewer
+---
+
+# /check-file
+
+Performs a comprehensive quality analysis of a single file, reporting issues by severity.
+
+## Usage
+
+```
+/check-file <path>
+/check-file src/auth/login.ts
+/check-file --severity high src/payments/stripe.ts
+```
+
+## Options
+
+- `<path>` — Required. Path to the file to analyze (relative to project root)
+- `--severity <level>` — Filter output to findings at or above this severity (default: LOW)
+- `--focus <area>` — Limit analysis to a specific concern: `security`, `performance`, `style`, `correctness`
+
+## Behavior
+
+1. Reads the specified file
+2. Identifies the language and applicable rule set
+3. Performs static analysis across all configured categories
+4. Reports findings sorted by severity (CRITICAL first)
+5. Provides a summary with total count per severity level
+
+## Output Format
+
+```
+CRITICAL  src/auth/login.ts:47   Hardcoded JWT secret — move to environment variable
+HIGH      src/auth/login.ts:62   Missing error handling on async bcrypt.compare call
+MEDIUM    src/auth/login.ts:89   Function loginUser has cyclomatic complexity of 14
+LOW       src/auth/login.ts:12   Import order: third-party imports before local imports
+
+Summary: 1 CRITICAL, 1 HIGH, 1 MEDIUM, 1 LOW
+```
+
+## Exit Behavior
+
+Returns findings as output. Does not modify the file. Use with `code-reviewer` agent for suggested fixes.

package/registry/commands/generate-types.asdm.md

@@ -0,0 +1,82 @@
+---
+name: generate-types
+type: command
+description: "Generates TypeScript types from a JSON Schema, OpenAPI spec, or database schema"
+version: 1.0.0
+
+providers:
+  opencode:
+    slash_command: /generate-types
+    agent: architect
+  claude-code:
+    slash_command: /generate-types
+    agent: architect
+  copilot:
+    slash_command: /generate-types
+    agent: architect
+---
+
+# /generate-types
+
+Generates fully-typed TypeScript interfaces and types from a schema source. Supports JSON Schema, OpenAPI 3.x specifications, GraphQL schemas, and SQL table definitions.
+
+## Usage
+
+```
+/generate-types <source>
+/generate-types schemas/user.schema.json
+/generate-types openapi.yaml --output src/types/api.ts
+/generate-types --from-sql "CREATE TABLE users (...)"
+```
+
+## Options
+
+- `<source>` — Required. Path to schema file or inline schema string
+- `--output <path>` — Write generated types to this file (default: stdout)
+- `--from-sql` — Parse a SQL CREATE TABLE statement and generate types
+- `--strict` — Generate strict types with no implicit `any` or loose unions
+- `--prefix <name>` — Prefix all generated type names (e.g., `--prefix Api` → `ApiUser`)
+- `--readonly` — Mark all generated object properties as `readonly`
+
+## Supported Sources
+
+| Source | Format |
+|--------|--------|
+| JSON Schema | `*.schema.json` |
+| OpenAPI 3.x | `openapi.yaml`, `openapi.json` |
+| GraphQL | `*.graphql`, `schema.gql` |
+| SQL DDL | Inline `CREATE TABLE` statements |
+
+## Output Example
+
+Input (`user.schema.json`):
+```json
+{
+  "type": "object",
+  "required": ["id", "email"],
+  "properties": {
+    "id": { "type": "string", "format": "uuid" },
+    "email": { "type": "string", "format": "email" },
+    "name": { "type": "string" },
+    "createdAt": { "type": "string", "format": "date-time" }
+  }
+}
+```
+
+Generated output:
+```typescript
+/** Auto-generated from user.schema.json — do not edit manually */
+
+export interface User {
+  id: string;
+  email: string;
+  name?: string;
+  createdAt?: string;
+}
+```
+
+## Rules
+
+- Generated files always include a header comment marking them as auto-generated
+- Required fields are non-optional; optional fields use `?` notation
+- `format: date-time` maps to `string` by default; use `--date-type Date` to use `Date` objects

package/registry/commands/scaffold-component.asdm.md

@@ -0,0 +1,89 @@
+---
+name: scaffold-component
+type: command
+description: "Scaffolds a new UI component with boilerplate, types, and test file"
+version: 1.0.0
+
+providers:
+  opencode:
+    slash_command: /scaffold-component
+    agent: architect
+  claude-code:
+    slash_command: /scaffold-component
+    agent: architect
+  copilot:
+    slash_command: /scaffold-component
+    agent: architect
+---
+
+# /scaffold-component
+
+Generates a new UI component with all required boilerplate: component file, TypeScript props interface, CSS module (or styled component), and a test file with basic render assertions.
+
+## Usage
+
+```
+/scaffold-component <name>
+/scaffold-component Button
+/scaffold-component UserCard --dir src/components/users
+/scaffold-component DataTable --framework flutter
+```
+
+## Options
+
+- `<name>` — Required. PascalCase component name (e.g., `UserCard`, `PaymentForm`)
+- `--dir <path>` — Output directory (default: `src/components/<name>`)
+- `--framework <name>` — Target framework: `react` (default), `react-native`, `flutter`
+- `--no-tests` — Skip test file generation
+- `--no-styles` — Skip style file generation
+- `--story` — Also generate a Storybook story file
+
+## Generated Files (React)
+
+For `/scaffold-component UserCard --dir src/components/users`:
+
+```
+src/components/users/UserCard/
+├── UserCard.tsx         # Component implementation
+├── UserCard.module.css  # CSS module
+├── UserCard.test.tsx    # Vitest/Jest test file
+└── index.ts             # Re-export barrel
+```
+
+### Component Template
+
+```tsx
+import styles from './UserCard.module.css'
+
+export interface UserCardProps {
+  // TODO: define props
+}
+
+export function UserCard(props: UserCardProps) {
+  return (
+    <div className={styles.container}>
+      {/* TODO: implement */}
+    </div>
+  )
+}
+```
+
+### Test Template
+
+```tsx
+import { render, screen } from '@testing-library/react'
+import { UserCard } from './UserCard'
+
+describe('UserCard', () => {
+  it('renders without crashing', () => {
+    render(<UserCard />)
+    // TODO: add meaningful assertions
+  })
+})
+```
+
+## Notes
+
+- Component names are validated as PascalCase before generation
+- If the target directory already exists, the command fails with an error — no accidental overwrites
+- For React Native, generates a `StyleSheet.create` style block instead of a CSS module

package/registry/commands/summarize.asdm.md

@@ -0,0 +1,61 @@
+---
+name: summarize
+type: command
+description: "Generates a concise summary of a file, module, or diff for documentation or review"
+version: 1.0.0
+
+providers:
+  opencode:
+    slash_command: /summarize
+    agent: documentation-writer
+  claude-code:
+    slash_command: /summarize
+    agent: documentation-writer
+  copilot:
+    slash_command: /summarize
+    agent: documentation-writer
+---
+
+# /summarize
+
+Generates a structured summary of code or documentation. Useful for understanding unfamiliar code, writing commit messages, preparing PR descriptions, or producing change logs.
+
+## Usage
+
+```
+/summarize <path>
+/summarize src/core/parser.ts
+/summarize --format changelog src/
+/summarize --diff HEAD~1
+```
+
+## Options
+
+- `<path>` — File or directory to summarize
+- `--format <type>` — Output format: `prose` (default), `bullets`, `changelog`, `pr-description`
+- `--diff <ref>` — Summarize changes since a git ref instead of the full file
+- `--depth <level>` — Level of detail: `brief` (1 paragraph), `standard` (default), `detailed` (full breakdown)
+
+## Behavior
+
+For a **file**: Describes purpose, key exports, notable patterns, and any caveats.
+
+For a **directory**: Describes the module boundary, what it owns, and how components relate.
+
+For a **diff**: Describes what changed, why it likely changed (based on context), and the risk surface of the change.
+
+## Output Example (file)
+
+```
+## src/core/parser.ts
+
+Parses ASDM asset files (.asdm.md) from raw string content into structured ParsedAsset objects.
+
+**Exports:** `parseAsset(content, sourcePath, provider?)`
+
+**Behavior:** Splits YAML frontmatter from Markdown body, validates required fields (name, type,
+description, version), extracts provider-specific config, and computes the SHA-256 of the raw content.
+Throws a ParseError for malformed input with a descriptive message.
+
+**Dependencies:** yaml (frontmatter parsing), crypto (SHA-256 hash)
+```

package/registry/latest.json

@@ -0,0 +1,253 @@
+{
+  "$schema": "https://asdm.dev/schemas/manifest.schema.json",
+  "version": "0.1.0",
+  "policy": {
+    "locked_fields": [
+      "telemetry",
+      "install_hooks",
+      "auto_verify"
+    ],
+    "telemetry": true,
+    "auto_verify": true,
+    "install_hooks": true,
+    "allowed_profiles": [
+      "base",
+      "fullstack-engineer",
+      "data-analytics",
+      "mobile",
+      "security"
+    ],
+    "allowed_providers": [
+      "opencode",
+      "claude-code",
+      "copilot"
+    ],
+    "min_cli_version": "0.1.0"
+  },
+  "profiles": {
+    "base": {
+      "agents": [
+        "code-reviewer",
+        "documentation-writer"
+      ],
+      "skills": [
+        "plan-protocol",
+        "code-review"
+      ],
+      "commands": [
+        "check-file",
+        "summarize"
+      ],
+      "providers": [
+        "opencode",
+        "claude-code",
+        "copilot"
+      ]
+    },
+    "data-analytics": {
+      "extends": [
+        "base"
+      ],
+      "agents": [
+        "code-reviewer",
+        "data-analyst",
+        "documentation-writer"
+      ],
+      "skills": [
+        "plan-protocol",
+        "code-review",
+        "data-pipeline"
+      ],
+      "commands": [
+        "check-file",
+        "summarize",
+        "analyze-schema"
+      ],
+      "providers": [
+        "opencode",
+        "claude-code",
+        "copilot"
+      ]
+    },
+    "fullstack-engineer": {
+      "extends": [
+        "base"
+      ],
+      "agents": [
+        "code-reviewer",
+        "documentation-writer",
+        "architect",
+        "test-engineer"
+      ],
+      "skills": [
+        "plan-protocol",
+        "code-review",
+        "frontend-design",
+        "api-design"
+      ],
+      "commands": [
+        "check-file",
+        "summarize",
+        "generate-types",
+        "scaffold-component"
+      ],
+      "providers": [
+        "opencode",
+        "claude-code",
+        "copilot"
+      ]
+    },
+    "mobile": {
+      "extends": [
+        "base"
+      ],
+      "agents": [
+        "code-reviewer",
+        "documentation-writer",
+        "mobile-engineer"
+      ],
+      "skills": [
+        "plan-protocol",
+        "code-review",
+        "mobile-patterns"
+      ],
+      "commands": [
+        "check-file",
+        "summarize",
+        "scaffold-component"
+      ],
+      "providers": [
+        "opencode",
+        "claude-code",
+        "copilot"
+      ]
+    },
+    "security": {
+      "extends": [
+        "base"
+      ],
+      "agents": [
+        "code-reviewer",
+        "security-auditor",
+        "documentation-writer"
+      ],
+      "skills": [
+        "plan-protocol",
+        "code-review",
+        "threat-modeling"
+      ],
+      "commands": [
+        "check-file",
+        "summarize",
+        "audit-deps"
+      ],
+      "providers": [
+        "opencode",
+        "claude-code",
+        "copilot"
+      ]
+    }
+  },
+  "assets": {
+    "agents/architect.asdm.md": {
+      "sha256": "cac0b010fd350f9d23bfbb090327dc2e8e971be9daafa764269619224c5ca742",
+      "size": 3011,
+      "version": "1.0.0"
+    },
+    "agents/code-reviewer.asdm.md": {
+      "sha256": "682c73710a84ad8c40e3d8548f82811390ce3db32c6f136116afcde7f87fc75d",
+      "size": 2911,
+      "version": "1.0.0"
+    },
+    "agents/data-analyst.asdm.md": {
+      "sha256": "bb0ce105b9dd19eaef3be5d6b76f5ad273b4b95057d3bb2c998acbaf3dfc7589",
+      "size": 2865,
+      "version": "1.0.0"
+    },
+    "agents/documentation-writer.asdm.md": {
+      "sha256": "05f22780898bdc7dc9e842caab967241b99e02ca7d43d30b09ca8d19fc85d63a",
+      "size": 2788,
+      "version": "1.0.0"
+    },
+    "agents/mobile-engineer.asdm.md": {
+      "sha256": "ab51f952dcc8ce72cf3f48359e11c30fc7a3f5b32b534e56b04ee47cd382c3bd",
+      "size": 2903,
+      "version": "1.0.0"
+    },
+    "agents/security-auditor.asdm.md": {
+      "sha256": "8285378a7b30009a02f537d9fc882344c50444c1c1fe1b0ff35b8e49e475b2eb",
+      "size": 3167,
+      "version": "1.0.0"
+    },
+    "agents/test-engineer.asdm.md": {
+      "sha256": "e23266b82c0e3ccb96d613167c3c27d88651ff159fcb8e9b8eaf34b125681278",
+      "size": 2811,
+      "version": "1.0.0"
+    },
+    "skills/api-design/SKILL.asdm.md": {
+      "sha256": "637fc8014c22ddd8fa9122a44eb68cef70ffecfed724e8535b8d7d54091c579c",
+      "size": 3506,
+      "version": "1.0.0"
+    },
+    "skills/code-review/SKILL.asdm.md": {
+      "sha256": "de2011667b7f9e5c07cef878d43e85bb2d9fa2109c4ba64e161b6038012fab20",
+      "size": 3112,
+      "version": "1.0.0"
+    },
+    "skills/data-pipeline/SKILL.asdm.md": {
+      "sha256": "35e45153c4eafc4f1654b46865a226509634b3659365b03e19de482d10233699",
+      "size": 3686,
+      "version": "1.0.0"
+    },
+    "skills/frontend-design/SKILL.asdm.md": {
+      "sha256": "9cdddedd6f2b6caa8bafb8f8fa9864b6473c89170c4feedd05aaa9f1a30a8d3f",
+      "size": 3267,
+      "version": "1.0.0"
+    },
+    "skills/mobile-patterns/SKILL.asdm.md": {
+      "sha256": "9f336da4b1979cbdadad95012a4347f0e9830597f60e98e9084d6a0d07459acd",
+      "size": 3561,
+      "version": "1.0.0"
+    },
+    "skills/plan-protocol/SKILL.asdm.md": {
+      "sha256": "c0226a04e91caedc6dd9b51946508b9c05c29b51aa3402217c176161c0e7a16c",
+      "size": 2781,
+      "version": "1.0.0"
+    },
+    "skills/threat-modeling/SKILL.asdm.md": {
+      "sha256": "255ec1cc1773315b994bff8f09e647750210bc34f233c5ff83053fb6568f67e5",
+      "size": 4256,
+      "version": "1.0.0"
+    },
+    "commands/analyze-schema.asdm.md": {
+      "sha256": "2c855b9b02257cecc71c5a03faa05da52e215df148aa141c9258db8e0d2b6174",
+      "size": 2538,
+      "version": "1.0.0"
+    },
+    "commands/audit-deps.asdm.md": {
+      "sha256": "b5d54e07d9596b996090aae8e83476fb2d53b62301dd3feef82facd3d08f7150",
+      "size": 2781,
+      "version": "1.0.0"
+    },
+    "commands/check-file.asdm.md": {
+      "sha256": "3090793fb1eb3484626f7a4c9569df87ff486586e2e3f4046c15749003a4af73",
+      "size": 1700,
+      "version": "1.0.0"
+    },
+    "commands/generate-types.asdm.md": {
+      "sha256": "d1b1401c495410ee68aedc055700cfb11794228d8f363bdf6463b75e58bdff20",
+      "size": 2259,
+      "version": "1.0.0"
+    },
+    "commands/scaffold-component.asdm.md": {
+      "sha256": "312cf07c16a44fe334037281213aed99d8410070acbfe35e6ae0968ec8a5263f",
+      "size": 2327,
+      "version": "1.0.0"
+    },
+    "commands/summarize.asdm.md": {
+      "sha256": "0f52ab9a25f6f802aa2a9025d8a4e9a5825aa04ba94173884bb189566ad07ad0",
+      "size": 1919,
+      "version": "1.0.0"
+    }
+  }
+}

package/registry/policy.yaml

@@ -0,0 +1,14 @@
+version: "1.0.0"
+allowed_profiles:
+  - base
+  - fullstack-engineer
+  - data-analytics
+  - mobile
+  - security
+default_profile: base
+allow_custom_agents: false
+require_integrity_check: true
+emit_targets:
+  - opencode
+  - claude-code
+  - copilot

package/registry/profiles/base/profile.yaml

@@ -0,0 +1,19 @@
+name: base
+description: "Minimal base profile with essential agents"
+
+agents:
+  - code-reviewer
+  - documentation-writer
+
+skills:
+  - plan-protocol
+  - code-review
+
+commands:
+  - check-file
+  - summarize
+
+providers:
+  - opencode
+  - claude-code
+  - copilot

package/registry/profiles/data-analytics/profile.yaml

@@ -0,0 +1,24 @@
+name: data-analytics
+description: "Data science and analytics profile"
+extends:
+  - base
+
+agents:
+  - code-reviewer
+  - data-analyst
+  - documentation-writer
+
+skills:
+  - plan-protocol
+  - code-review
+  - data-pipeline
+
+commands:
+  - check-file
+  - summarize
+  - analyze-schema
+
+providers:
+  - opencode
+  - claude-code
+  - copilot