aw-ecc 1.4.21

package/.opencode/tools/run-tests.ts

@@ -0,0 +1,139 @@
+/**
+ * Run Tests Tool
+ *
+ * Custom OpenCode tool to run test suites with various options.
+ * Automatically detects the package manager and test framework.
+ */
+
+import { tool } from "@opencode-ai/plugin/tool"
+import * as path from "path"
+import * as fs from "fs"
+
+export default tool({
+  description:
+    "Run the test suite with optional coverage, watch mode, or specific test patterns. Automatically detects package manager (npm, pnpm, yarn, bun) and test framework.",
+  args: {
+    pattern: tool.schema
+      .string()
+      .optional()
+      .describe("Test file pattern or specific test name to run"),
+    coverage: tool.schema
+      .boolean()
+      .optional()
+      .describe("Run with coverage reporting (default: false)"),
+    watch: tool.schema
+      .boolean()
+      .optional()
+      .describe("Run in watch mode for continuous testing (default: false)"),
+    updateSnapshots: tool.schema
+      .boolean()
+      .optional()
+      .describe("Update Jest/Vitest snapshots (default: false)"),
+  },
+  async execute(args, context) {
+    const { pattern, coverage, watch, updateSnapshots } = args
+    const cwd = context.worktree || context.directory
+
+    // Detect package manager
+    const packageManager = await detectPackageManager(cwd)
+
+    // Detect test framework
+    const testFramework = await detectTestFramework(cwd)
+
+    // Build command
+    let cmd: string[] = [packageManager]
+
+    if (packageManager === "npm") {
+      cmd.push("run", "test")
+    } else {
+      cmd.push("test")
+    }
+
+    // Add options based on framework
+    const testArgs: string[] = []
+
+    if (coverage) {
+      testArgs.push("--coverage")
+    }
+
+    if (watch) {
+      testArgs.push("--watch")
+    }
+
+    if (updateSnapshots) {
+      testArgs.push("-u")
+    }
+
+    if (pattern) {
+      if (testFramework === "jest" || testFramework === "vitest") {
+        testArgs.push("--testPathPattern", pattern)
+      } else {
+        testArgs.push(pattern)
+      }
+    }
+
+    // Add -- separator for npm
+    if (testArgs.length > 0) {
+      if (packageManager === "npm") {
+        cmd.push("--")
+      }
+      cmd.push(...testArgs)
+    }
+
+    const command = cmd.join(" ")
+
+    return JSON.stringify({
+      command,
+      packageManager,
+      testFramework,
+      options: {
+        pattern: pattern || "all tests",
+        coverage: coverage || false,
+        watch: watch || false,
+        updateSnapshots: updateSnapshots || false,
+      },
+      instructions: `Run this command to execute tests:\n\n${command}`,
+    })
+  },
+})
+
+async function detectPackageManager(cwd: string): Promise<string> {
+  const lockFiles: Record<string, string> = {
+    "bun.lockb": "bun",
+    "pnpm-lock.yaml": "pnpm",
+    "yarn.lock": "yarn",
+    "package-lock.json": "npm",
+  }
+
+  for (const [lockFile, pm] of Object.entries(lockFiles)) {
+    if (fs.existsSync(path.join(cwd, lockFile))) {
+      return pm
+    }
+  }
+
+  return "npm"
+}
+
+async function detectTestFramework(cwd: string): Promise<string> {
+  const packageJsonPath = path.join(cwd, "package.json")
+
+  if (fs.existsSync(packageJsonPath)) {
+    try {
+      const packageJson = JSON.parse(fs.readFileSync(packageJsonPath, "utf-8"))
+      const deps = {
+        ...packageJson.dependencies,
+        ...packageJson.devDependencies,
+      }
+
+      if (deps.vitest) return "vitest"
+      if (deps.jest) return "jest"
+      if (deps.mocha) return "mocha"
+      if (deps.ava) return "ava"
+      if (deps.tap) return "tap"
+    } catch {
+      // Ignore parse errors
+    }
+  }
+
+  return "unknown"
+}

package/.opencode/tools/security-audit.ts

@@ -0,0 +1,277 @@
+/**
+ * Security Audit Tool
+ *
+ * Custom OpenCode tool to run security audits on dependencies and code.
+ * Combines npm audit, secret scanning, and OWASP checks.
+ *
+ * NOTE: This tool SCANS for security anti-patterns - it does not introduce them.
+ * The regex patterns below are used to DETECT potential issues in user code.
+ */
+
+import { tool } from "@opencode-ai/plugin/tool"
+import * as path from "path"
+import * as fs from "fs"
+
+export default tool({
+  description:
+    "Run a comprehensive security audit including dependency vulnerabilities, secret scanning, and common security issues.",
+  args: {
+    type: tool.schema
+      .enum(["all", "dependencies", "secrets", "code"])
+      .optional()
+      .describe("Type of audit to run (default: all)"),
+    fix: tool.schema
+      .boolean()
+      .optional()
+      .describe("Attempt to auto-fix dependency vulnerabilities (default: false)"),
+    severity: tool.schema
+      .enum(["low", "moderate", "high", "critical"])
+      .optional()
+      .describe("Minimum severity level to report (default: moderate)"),
+  },
+  async execute(args, context) {
+    const auditType = args.type ?? "all"
+    const fix = args.fix ?? false
+    const severity = args.severity ?? "moderate"
+    const cwd = context.worktree || context.directory
+
+    const results: AuditResults = {
+      timestamp: new Date().toISOString(),
+      directory: cwd,
+      checks: [],
+      summary: {
+        passed: 0,
+        failed: 0,
+        warnings: 0,
+      },
+    }
+
+    // Check for dependencies audit
+    if (auditType === "all" || auditType === "dependencies") {
+      results.checks.push({
+        name: "Dependency Vulnerabilities",
+        description: "Check for known vulnerabilities in dependencies",
+        command: fix ? "npm audit fix" : "npm audit",
+        severityFilter: severity,
+        status: "pending",
+      })
+    }
+
+    // Check for secrets
+    if (auditType === "all" || auditType === "secrets") {
+      const secretPatterns = await scanForSecrets(cwd)
+      if (secretPatterns.length > 0) {
+        results.checks.push({
+          name: "Secret Detection",
+          description: "Scan for hardcoded secrets and API keys",
+          status: "failed",
+          findings: secretPatterns,
+        })
+        results.summary.failed++
+      } else {
+        results.checks.push({
+          name: "Secret Detection",
+          description: "Scan for hardcoded secrets and API keys",
+          status: "passed",
+        })
+        results.summary.passed++
+      }
+    }
+
+    // Check for common code security issues
+    if (auditType === "all" || auditType === "code") {
+      const codeIssues = await scanCodeSecurity(cwd)
+      if (codeIssues.length > 0) {
+        results.checks.push({
+          name: "Code Security",
+          description: "Check for common security anti-patterns",
+          status: "warning",
+          findings: codeIssues,
+        })
+        results.summary.warnings++
+      } else {
+        results.checks.push({
+          name: "Code Security",
+          description: "Check for common security anti-patterns",
+          status: "passed",
+        })
+        results.summary.passed++
+      }
+    }
+
+    // Generate recommendations
+    results.recommendations = generateRecommendations(results)
+
+    return JSON.stringify(results)
+  },
+})
+
+interface AuditCheck {
+  name: string
+  description: string
+  command?: string
+  severityFilter?: string
+  status: "pending" | "passed" | "failed" | "warning"
+  findings?: Array<{ file: string; issue: string; line?: number }>
+}
+
+interface AuditResults {
+  timestamp: string
+  directory: string
+  checks: AuditCheck[]
+  summary: {
+    passed: number
+    failed: number
+    warnings: number
+  }
+  recommendations?: string[]
+}
+
+async function scanForSecrets(
+  cwd: string
+): Promise<Array<{ file: string; issue: string; line?: number }>> {
+  const findings: Array<{ file: string; issue: string; line?: number }> = []
+
+  // Patterns to DETECT potential secrets (security scanning)
+  const secretPatterns = [
+    { pattern: /api[_-]?key\s*[:=]\s*['"][^'"]{20,}['"]/gi, name: "API Key" },
+    { pattern: /password\s*[:=]\s*['"][^'"]+['"]/gi, name: "Password" },
+    { pattern: /secret\s*[:=]\s*['"][^'"]{10,}['"]/gi, name: "Secret" },
+    { pattern: /Bearer\s+[A-Za-z0-9\-_]+\.[A-Za-z0-9\-_]+/g, name: "JWT Token" },
+    { pattern: /sk-[a-zA-Z0-9]{32,}/g, name: "OpenAI API Key" },
+    { pattern: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub Token" },
+    { pattern: /aws[_-]?secret[_-]?access[_-]?key/gi, name: "AWS Secret" },
+  ]
+
+  const ignorePatterns = [
+    "node_modules",
+    ".git",
+    "dist",
+    "build",
+    ".env.example",
+    ".env.template",
+  ]
+
+  const srcDir = path.join(cwd, "src")
+  if (fs.existsSync(srcDir)) {
+    await scanDirectory(srcDir, secretPatterns, ignorePatterns, findings)
+  }
+
+  // Also check root config files
+  const configFiles = ["config.js", "config.ts", "settings.js", "settings.ts"]
+  for (const configFile of configFiles) {
+    const filePath = path.join(cwd, configFile)
+    if (fs.existsSync(filePath)) {
+      await scanFile(filePath, secretPatterns, findings)
+    }
+  }
+
+  return findings
+}
+
+async function scanDirectory(
+  dir: string,
+  patterns: Array<{ pattern: RegExp; name: string }>,
+  ignorePatterns: string[],
+  findings: Array<{ file: string; issue: string; line?: number }>
+): Promise<void> {
+  if (!fs.existsSync(dir)) return
+
+  const entries = fs.readdirSync(dir, { withFileTypes: true })
+
+  for (const entry of entries) {
+    const fullPath = path.join(dir, entry.name)
+
+    if (ignorePatterns.some((p) => fullPath.includes(p))) continue
+
+    if (entry.isDirectory()) {
+      await scanDirectory(fullPath, patterns, ignorePatterns, findings)
+    } else if (entry.isFile() && entry.name.match(/\.(ts|tsx|js|jsx|json)$/)) {
+      await scanFile(fullPath, patterns, findings)
+    }
+  }
+}
+
+async function scanFile(
+  filePath: string,
+  patterns: Array<{ pattern: RegExp; name: string }>,
+  findings: Array<{ file: string; issue: string; line?: number }>
+): Promise<void> {
+  try {
+    const content = fs.readFileSync(filePath, "utf-8")
+    const lines = content.split("\n")
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i]
+      for (const { pattern, name } of patterns) {
+        // Reset regex state
+        pattern.lastIndex = 0
+        if (pattern.test(line)) {
+          findings.push({
+            file: filePath,
+            issue: `Potential ${name} found`,
+            line: i + 1,
+          })
+        }
+      }
+    }
+  } catch {
+    // Ignore read errors
+  }
+}
+
+async function scanCodeSecurity(
+  cwd: string
+): Promise<Array<{ file: string; issue: string; line?: number }>> {
+  const findings: Array<{ file: string; issue: string; line?: number }> = []
+
+  // Patterns to DETECT security anti-patterns (this tool scans for issues)
+  // These are detection patterns, not code that uses these anti-patterns
+  const securityPatterns = [
+    { pattern: /\beval\s*\(/g, name: "eval() usage - potential code injection" },
+    { pattern: /innerHTML\s*=/g, name: "innerHTML assignment - potential XSS" },
+    { pattern: /dangerouslySetInnerHTML/g, name: "dangerouslySetInnerHTML - potential XSS" },
+    { pattern: /document\.write/g, name: "document.write - potential XSS" },
+    { pattern: /\$\{.*\}.*sql/gi, name: "Potential SQL injection" },
+  ]
+
+  const srcDir = path.join(cwd, "src")
+  if (fs.existsSync(srcDir)) {
+    await scanDirectory(srcDir, securityPatterns, ["node_modules", ".git", "dist"], findings)
+  }
+
+  return findings
+}
+
+function generateRecommendations(results: AuditResults): string[] {
+  const recommendations: string[] = []
+
+  for (const check of results.checks) {
+    if (check.status === "failed" && check.name === "Secret Detection") {
+      recommendations.push(
+        "CRITICAL: Remove hardcoded secrets and use environment variables instead"
+      )
+      recommendations.push("Add a .env file (gitignored) for local development")
+      recommendations.push("Use a secrets manager for production deployments")
+    }
+
+    if (check.status === "warning" && check.name === "Code Security") {
+      recommendations.push(
+        "Review flagged code patterns for potential security vulnerabilities"
+      )
+      recommendations.push("Consider using DOMPurify for HTML sanitization")
+      recommendations.push("Use parameterized queries for database operations")
+    }
+
+    if (check.status === "pending" && check.name === "Dependency Vulnerabilities") {
+      recommendations.push("Run 'npm audit' to check for dependency vulnerabilities")
+      recommendations.push("Consider using 'npm audit fix' to auto-fix issues")
+    }
+  }
+
+  if (recommendations.length === 0) {
+    recommendations.push("No critical security issues found. Continue following security best practices.")
+  }
+
+  return recommendations
+}

package/.opencode/tsconfig.json

@@ -0,0 +1,29 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": ".",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "resolveJsonModule": true,
+    "isolatedModules": true,
+    "verbatimModuleSyntax": true
+  },
+  "include": [
+    "plugins/**/*.ts",
+    "tools/**/*.ts",
+    "index.ts"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist"
+  ]
+}

package/AGENTS.md

@@ -0,0 +1,124 @@
+# AW SDLC Repo Instructions
+
+Use the repo-local AW SDLC files as the source of truth for routing and stage behavior.
+
+## Catalog Snapshot
+
+Catalog snapshot: providing 28 specialized agents, 158 skills, 69 commands for repo-local AW SDLC routing.
+
+agents/ - 28 specialized subagents
+skills/ - 157 workflow skills and domain knowledge
+commands/ - 69 slash commands
+
+## Public Surface
+
+Keep the public interface intentionally small, but make each stage legible:
+
+- `/aw:plan`
+- `/aw:build`
+- `/aw:investigate`
+- `/aw:test`
+- `/aw:review`
+- `/aw:deploy`
+- `/aw:ship`
+
+The default delivery flow is:
+
+- `/aw:plan` -> `/aw:build` -> `/aw:test` -> `/aw:review` -> `/aw:deploy` -> `/aw:ship`
+
+`/aw:investigate` is a conditional bug, alert, and unclear-root-cause route.
+It is available as a first-class command, but it is not part of the default happy-path sequence.
+
+Compatibility entrypoints may remain during migration:
+
+- `/aw:execute` -> compatibility alias to `/aw:build`
+- `/aw:verify` -> compatibility entry that routes to `/aw:test`, `/aw:review`, or the smallest correct combined verification flow
+
+Do not introduce public commands for preparation, hidden review-loop helpers, debugging internals, or finish compatibility behavior.
+Those stay internal behind the AW stage boundary.
+
+`aw-yolo` is an explicit internal orchestration skill for end-to-end automation.
+It starts from the first unsatisfied stage and runs only the smallest correct remaining sequence.
+It is opt-in, not the default public mental model.
+
+## Migration Note
+
+This repo intentionally replaced the older monolithic ECC-style `AGENTS.md` checklist with a repo-local AW SDLC routing contract.
+If you were relying on the removed baseline guidance, use these files instead:
+
+- `defaults/aw-sdlc/baseline-profiles.yml` for GHL review, QA, governance, and deploy policy defaults
+- `docs/aw-sdlc-command-skill-architecture.md` for command/skill ownership and compatibility rules
+- `commands/*.md` for public command contracts and final output shapes
+- `skills/aw-*/SKILL.md` for stage behavior, review loops, launch discipline, and internal helpers
+- `references/*.md` for reusable checklists, examples, and org-standard guardrails loaded on demand
+
+Treat this as a repo-local behavior change.
+Prefer the AW SDLC files above over inherited global ECC workflow guidance when they conflict.
+
+## Routing
+
+- Prefer `skills/using-aw-skills/SKILL.md` for repo-local routing.
+- Route by intent when the request is clear.
+- Use `/aw:ship` for launch, rollout, rollback readiness, and release closeout work.
+- Use `aw-yolo` only when the user explicitly asks for one-run end-to-end automation.
+- When selected, do not restart from planning by habit; begin at the first unsatisfied stage.
+- Keep the public route at `/aw:plan` even when planning internally uses `aw-brainstorm`, `aw-spec`, and `aw-tasks`.
+
+## Activation Rule
+
+Before any substantive response:
+
+1. select the smallest correct AW skill stack first
+2. prefer the explicit public command and its mapped stage skill when the user names it
+3. otherwise choose the needed process skill, primary stage skill, and matching public route by intent
+4. only after the skill stack is selected, load deeper domain behavior or ask clarifying questions
+
+Do not begin with generic workflow commentary, implementation advice, or release guidance before the AW skill stack is selected.
+Do not bypass repo-local AW routing just because a global or parent workspace instruction layer also exists.
+
+## Fast Path
+
+When `.aw_docs/features/<feature_slug>/spec.md` and concrete approved execution inputs already exist:
+
+- do not reopen planning only because richer artifacts are absent
+- prefer the smallest correct execution sequence
+- for approved implementation work, use `prepare -> build`
+- for bugs or alerts with unclear cause, insert `investigate` before `build`
+- for proving quality, use `test -> review`
+- for verified release work, use `deploy -> ship` only when rollout or closeout is actually requested
+- use `aw-yolo` only when the user explicitly wants the whole flow automated in one pass
+- use it to orchestrate stages, not to collapse stage evidence or boundaries
+
+## Artifact Contract
+
+Write deterministic outputs under:
+
+- `.aw_docs/features/<feature_slug>/`
+
+Stage artifact expectations:
+
+- build -> `execution.md`, `state.json`
+- investigate -> `investigation.md`, `state.json`
+- test -> `verification.md`, `state.json`
+- review -> `verification.md`, `state.json`
+- deploy -> `release.md`, `state.json`
+- ship -> `release.md`, `state.json`
+
+Do not treat an internal stage as complete until its required artifacts are written to disk.
+A code diff, console summary, or verbal handoff is not a valid substitute for the required stage artifact files.
+
+## Org Standards
+
+Relevant GHL baseline profiles, platform playbooks, and `.aw_rules` remain active across every stage.
+That means:
+
+- frontend work should inherit HighRise, design review, accessibility review, and responsive verification expectations
+- review should inherit platform review playbooks and PR governance
+- test should inherit repo-local validation, E2E, sandbox, and quality-gate expectations from the resolved baseline
+- deploy and ship should inherit staging evidence, rollback, and release-safety expectations from the resolved baseline
+
+## Guardrails
+
+- never skip test and review before deploy when the selected baseline requires them
+- fail closed for unknown deploy configuration
+- prefer repo-local commands, skills, defaults, references, and docs over global fallback behavior

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Affaan Mustafa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.