cfsa-antigravity 1.0.0

package/template/.agent/skills/adversarial-review/SKILL.md

@@ -0,0 +1,90 @@
+---
+name: adversarial-review
+description: Structured methodology for adversarial thinking — generating attack scenarios, abuse cases, race conditions, and security edge cases against specs and implementations. Produces spec-level gap items, not code-level fixes.
+---
+
+# Adversarial Review
+
+This skill is invoked during spec deepening passes, ambiguity audits, and security review gates, and its output is always spec-level gap items — never code-level fixes.
+
+## When to Use
+
+- During `write-architecture-spec-deepen` Pass 3
+- During `audit-ambiguity-execute` Step 3c devil's advocate pass
+- During `remediate-pipeline-execute` adversarial consistency check
+- During `validate-phase` Step 8 security review
+- Before any spec layer audit gate
+
+## Instructions
+
+### 1. Attack Surface Enumeration
+
+Systematically enumerate each of the following categories for every feature or endpoint under review. For each category, apply the listed triggering question:
+
+- **Authentication bypass**: "What happens if the request arrives with no token, an expired token, or a token for a different service?"
+- **Privilege escalation**: "What happens if a user with role X calls an endpoint intended only for role Y — does the guard exist at the API layer, or only the UI layer?"
+- **Insecure direct object reference (IDOR)**: "What happens if an authenticated user sends a request substituting another user's resource ID?"
+- **Data exfiltration**: "Does any response field expose data about resources the caller did not request?"
+- **Denial-of-service**: "Is this endpoint bounded — are there rate limits, payload size limits, and query result limits specified in the spec?"
+- **Injection points**: "Is every user-supplied string that reaches a query, command, template, or file path validated and sanitized in the spec?"
+
+For every category where the spec does not provide an explicit answer, write a `SPEC GAP` item (see Step 5).
+
+### 2. Abuse Scenario Generation Framework
+
+For each feature or endpoint, generate all four scenario paths:
+
+- **Happy path**: The intended use by a legitimate, competent user.
+- **Malicious actor path**: A deliberate attempt to cause unauthorized access, data corruption, or system disruption.
+- **Incompetent actor path**: An accidental misuse — duplicate submissions, wrong resource IDs, malformed payloads — and whether the spec handles the resulting state gracefully.
+- **Concurrent execution path**: Two or more users executing the same operation simultaneously — does the spec describe the expected outcome, or does it silently assume serial execution?
+
+Document the expected behavior for each path. Any path for which the spec does not define expected behavior is a `SPEC GAP`.
+
+### 3. Race Condition and Concurrency Identification
+
+For every write operation in the spec, ask "what if two requests arrive simultaneously?" Specifically identify:
+
+- Shared mutable state that is read then written in non-atomic operations.
+- Read-modify-write sequences that do not specify a locking or optimistic-concurrency strategy.
+- Time-of-check-to-time-of-use (TOCTOU) windows (e.g., permission check followed by action, not wrapped atomically).
+- Distributed transaction boundaries where partial success is possible and the spec does not define a rollback or compensation behavior.
+
+Each identified pattern that is not addressed in the spec is a `SPEC GAP`.
+
+### 4. Boundary Condition Stress-Testing
+
+For every input in the spec, verify the spec defines behavior at:
+
+- **Empty string / empty collection** (where at least one item is assumed by downstream logic).
+- **Null and undefined** (for every optional field — what does the system do when the field is absent?).
+- **Maximum field length** (what happens when a string hits the character limit?).
+- **Integer overflow and underflow boundaries**.
+- **Negative numbers** where only positives are semantically valid.
+- **Unicode edge cases**: right-to-left characters, zero-width characters, emoji in identifiers.
+
+Any boundary for which the spec does not define behavior is a `SPEC GAP`.
+
+### 5. Documenting Findings as Spec-Level Gap Items
+
+All findings from Steps 1–4 must be written using this exact format:
+
+```
+SPEC GAP: [layer] § [section] — [what is underspecified] — [attack scenario or failure mode] — [proposed resolution or question for user]
+```
+
+- The **layer** field is one of: `IA`, `BE`, `FE`.
+- The **section** field quotes the heading of the spec section under review.
+- The **proposed resolution** is either a concrete suggestion (if the answer is determinable from `vision.md` or `architecture-design.md`) or a question for the user (if it is a product decision).
+
+**Never** write the finding as a code change, a PR comment, or an implementation task.
+
+## Anti-Patterns
+
+- **Implementation TODOs instead of spec gaps** — Documenting findings as implementation TODOs rather than spec gap items. The output of this skill is always a spec amendment, never a code fix.
+- **Skipping the concurrent execution path** — Skipping the concurrent execution path because "the feature seems simple." Concurrency issues emerge precisely in features that appear trivial.
+- **Stopping at the happy path** — The malicious, incompetent, and concurrent paths are not optional. All four scenario paths must be generated for every feature and endpoint.
+
+## Related Skills
+
+- **`security-scanning-security-hardening`** — Use when transitioning from spec-level gap analysis to implementation-level security hardening. This skill identifies *what is underspecified* at the spec layer; `security-scanning-security-hardening` coordinates *multi-layer scanning and hardening* of the actual codebase and infrastructure after implementation.

package/template/.agent/skills/antigravity-workflows/SKILL.md

@@ -0,0 +1,81 @@
+---
+name: antigravity-workflows
+description: "Orchestrate multiple Antigravity skills through guided workflows for SaaS MVP delivery, security audits, AI agent builds, and browser QA."
+risk: none
+source: self
+date_added: "2026-02-27"
+---
+
+# Antigravity Workflows
+
+Use this skill to turn a complex objective into a guided sequence of skill invocations.
+
+## When to Use This Skill
+
+Use this skill when:
+- The user wants to combine several skills without manually selecting each one.
+- The goal is multi-phase (for example: plan, build, test, ship).
+- The user asks for best-practice execution for common scenarios like:
+  - Shipping a SaaS MVP
+  - Running a web security audit
+  - Building an AI agent system
+  - Implementing browser automation and E2E QA
+
+## Workflow Source of Truth
+
+Read workflows in this order:
+1. `docs/WORKFLOWS.md` for human-readable playbooks.
+2. `data/workflows.json` for machine-readable workflow metadata.
+
+## How to Run This Skill
+
+1. Identify the user's concrete outcome.
+2. Propose the 1-2 best matching workflows.
+3. Ask the user to choose one.
+4. Execute step-by-step:
+   - Announce current step and expected artifact.
+   - Invoke recommended skills for that step.
+   - Verify completion criteria before moving to next step.
+5. At the end, provide:
+   - Completed artifacts
+   - Validation evidence
+   - Remaining risks and next actions
+
+## Default Workflow Routing
+
+- Product delivery request -> `ship-saas-mvp`
+- Security review request -> `security-audit-web-app`
+- Agent/LLM product request -> `build-ai-agent-system`
+- E2E/browser testing request -> `qa-browser-automation`
+
+## Copy-Paste Prompts
+
+```text
+Use @antigravity-workflows to run the "Ship a SaaS MVP" workflow for my project idea.
+```
+
+```text
+Use @antigravity-workflows and execute a full "Security Audit for a Web App" workflow.
+```
+
+```text
+Use @antigravity-workflows to guide me through "Build an AI Agent System" with checkpoints.
+```
+
+```text
+Use @antigravity-workflows to execute the "QA and Browser Automation" workflow and stabilize flaky tests.
+```
+
+## Limitations
+
+- This skill orchestrates; it does not replace specialized skills.
+- It depends on the local availability of referenced skills.
+- It does not guarantee success without environment access, credentials, or required infrastructure.
+- For stack-specific browser automation in Go, `go-playwright` may require the corresponding skill to be present in your local skills repository.
+
+## Related Skills
+
+- `concise-planning`
+- `brainstorming`
+- `workflow-automation`
+- `verification-before-completion`

package/template/.agent/skills/antigravity-workflows/resources/implementation-playbook.md

@@ -0,0 +1,36 @@
+# Antigravity Workflows Implementation Playbook
+
+This document explains how an agent should execute workflow-based orchestration.
+
+## Execution Contract
+
+For every workflow:
+
+1. Confirm objective and scope.
+2. Select the best-matching workflow.
+3. Execute workflow steps in order.
+4. Produce one concrete artifact per step.
+5. Validate before continuing.
+
+## Step Artifact Examples
+
+- Plan step -> scope document or milestone checklist.
+- Build step -> code changes and implementation notes.
+- Test step -> test results and failure triage.
+- Release step -> rollout checklist and risk log.
+
+## Safety Guardrails
+
+- Never run destructive actions without explicit user approval.
+- If a required skill is missing, state the gap and fallback to closest available skill.
+- When security testing is involved, ensure authorization is explicit.
+
+## Suggested Completion Format
+
+At workflow completion, return:
+
+1. Completed steps
+2. Artifacts produced
+3. Validation evidence
+4. Open risks
+5. Suggested next action

package/template/.agent/skills/api-design-principles/SKILL.md

@@ -0,0 +1,37 @@
+---
+name: api-design-principles
+description: Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers. Use when designing new APIs, reviewing API specifications, or establishing API design standards.
+---
+
+# API Design Principles
+
+Master REST and GraphQL API design principles to build intuitive, scalable, and maintainable APIs that delight developers and stand the test of time.
+
+## Use this skill when
+
+- Designing new REST or GraphQL APIs
+- Refactoring existing APIs for better usability
+- Establishing API design standards for your team
+- Reviewing API specifications before implementation
+- Migrating between API paradigms (REST to GraphQL, etc.)
+- Creating developer-friendly API documentation
+- Optimizing APIs for specific use cases (mobile, third-party integrations)
+
+## Do not use this skill when
+
+- You only need implementation guidance for a specific framework
+- You are doing infrastructure-only work without API contracts
+- You cannot change or version public interfaces
+
+## Instructions
+
+1. Define consumers, use cases, and constraints.
+2. Choose API style and model resources or types.
+3. Specify errors, versioning, pagination, and auth strategy.
+4. Validate with examples and review for consistency.
+
+Refer to `resources/implementation-playbook.md` for detailed patterns, checklists, and templates.
+
+## Resources
+
+- `resources/implementation-playbook.md` for detailed patterns, checklists, and templates.

package/template/.agent/skills/api-design-principles/assets/api-design-checklist.md

@@ -0,0 +1,155 @@
+# API Design Checklist
+
+## Pre-Implementation Review
+
+### Resource Design
+
+- [ ] Resources are nouns, not verbs
+- [ ] Plural names for collections
+- [ ] Consistent naming across all endpoints
+- [ ] Clear resource hierarchy (avoid deep nesting >2 levels)
+- [ ] All CRUD operations properly mapped to HTTP methods
+
+### HTTP Methods
+
+- [ ] GET for retrieval (safe, idempotent)
+- [ ] POST for creation
+- [ ] PUT for full replacement (idempotent)
+- [ ] PATCH for partial updates
+- [ ] DELETE for removal (idempotent)
+
+### Status Codes
+
+- [ ] 200 OK for successful GET/PATCH/PUT
+- [ ] 201 Created for POST
+- [ ] 204 No Content for DELETE
+- [ ] 400 Bad Request for malformed requests
+- [ ] 401 Unauthorized for missing auth
+- [ ] 403 Forbidden for insufficient permissions
+- [ ] 404 Not Found for missing resources
+- [ ] 422 Unprocessable Entity for validation errors
+- [ ] 429 Too Many Requests for rate limiting
+- [ ] 500 Internal Server Error for server issues
+
+### Pagination
+
+- [ ] All collection endpoints paginated
+- [ ] Default page size defined (e.g., 20)
+- [ ] Maximum page size enforced (e.g., 100)
+- [ ] Pagination metadata included (total, pages, etc.)
+- [ ] Cursor-based or offset-based pattern chosen
+
+### Filtering & Sorting
+
+- [ ] Query parameters for filtering
+- [ ] Sort parameter supported
+- [ ] Search parameter for full-text search
+- [ ] Field selection supported (sparse fieldsets)
+
+### Versioning
+
+- [ ] Versioning strategy defined (URL/header/query)
+- [ ] Version included in all endpoints
+- [ ] Deprecation policy documented
+
+### Error Handling
+
+- [ ] Consistent error response format
+- [ ] Detailed error messages
+- [ ] Field-level validation errors
+- [ ] Error codes for client handling
+- [ ] Timestamps in error responses
+
+### Authentication & Authorization
+
+- [ ] Authentication method defined (Bearer token, API key)
+- [ ] Authorization checks on all endpoints
+- [ ] 401 vs 403 used correctly
+- [ ] Token expiration handled
+
+### Rate Limiting
+
+- [ ] Rate limits defined per endpoint/user
+- [ ] Rate limit headers included
+- [ ] 429 status code for exceeded limits
+- [ ] Retry-After header provided
+
+### Documentation
+
+- [ ] OpenAPI/Swagger spec generated
+- [ ] All endpoints documented
+- [ ] Request/response examples provided
+- [ ] Error responses documented
+- [ ] Authentication flow documented
+
+### Testing
+
+- [ ] Unit tests for business logic
+- [ ] Integration tests for endpoints
+- [ ] Error scenarios tested
+- [ ] Edge cases covered
+- [ ] Performance tests for heavy endpoints
+
+### Security
+
+- [ ] Input validation on all fields
+- [ ] SQL injection prevention
+- [ ] XSS prevention
+- [ ] CORS configured correctly
+- [ ] HTTPS enforced
+- [ ] Sensitive data not in URLs
+- [ ] No secrets in responses
+
+### Performance
+
+- [ ] Database queries optimized
+- [ ] N+1 queries prevented
+- [ ] Caching strategy defined
+- [ ] Cache headers set appropriately
+- [ ] Large responses paginated
+
+### Monitoring
+
+- [ ] Logging implemented
+- [ ] Error tracking configured
+- [ ] Performance metrics collected
+- [ ] Health check endpoint available
+- [ ] Alerts configured for errors
+
+## GraphQL-Specific Checks
+
+### Schema Design
+
+- [ ] Schema-first approach used
+- [ ] Types properly defined
+- [ ] Non-null vs nullable decided
+- [ ] Interfaces/unions used appropriately
+- [ ] Custom scalars defined
+
+### Queries
+
+- [ ] Query depth limiting
+- [ ] Query complexity analysis
+- [ ] DataLoaders prevent N+1
+- [ ] Pagination pattern chosen (Relay/offset)
+
+### Mutations
+
+- [ ] Input types defined
+- [ ] Payload types with errors
+- [ ] Optimistic response support
+- [ ] Idempotency considered
+
+### Performance
+
+- [ ] DataLoader for all relationships
+- [ ] Query batching enabled
+- [ ] Persisted queries considered
+- [ ] Response caching implemented
+
+### Documentation
+
+- [ ] All fields documented
+- [ ] Deprecations marked
+- [ ] Examples provided
+- [ ] Schema introspection enabled

package/template/.agent/skills/api-design-principles/assets/rest-api-template.py

@@ -0,0 +1,182 @@
+"""
+Production-ready REST API template using FastAPI.
+Includes pagination, filtering, error handling, and best practices.
+"""
+
+from fastapi import FastAPI, HTTPException, Query, Path, Depends, status
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.middleware.trustedhost import TrustedHostMiddleware
+from fastapi.responses import JSONResponse
+from pydantic import BaseModel, Field, EmailStr, ConfigDict
+from typing import Optional, List, Any
+from datetime import datetime
+from enum import Enum
+
+app = FastAPI(
+    title="API Template",
+    version="1.0.0",
+    docs_url="/api/docs"
+)
+
+# Security Middleware
+# Trusted Host: Prevents HTTP Host Header attacks
+app.add_middleware(
+    TrustedHostMiddleware,
+    allowed_hosts=["*"] # TODO: Configure this in production, e.g. ["api.example.com"]
+)
+
+# CORS: Configures Cross-Origin Resource Sharing
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"], # TODO: Update this with specific origins in production
+    allow_credentials=False, # TODO: Set to True if you need cookies/auth headers, but restrict origins
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+# Models
+class UserStatus(str, Enum):
+    ACTIVE = "active"
+    INACTIVE = "inactive"
+    SUSPENDED = "suspended"
+
+class UserBase(BaseModel):
+    email: EmailStr
+    name: str = Field(..., min_length=1, max_length=100)
+    status: UserStatus = UserStatus.ACTIVE
+
+class UserCreate(UserBase):
+    password: str = Field(..., min_length=8)
+
+class UserUpdate(BaseModel):
+    email: Optional[EmailStr] = None
+    name: Optional[str] = Field(None, min_length=1, max_length=100)
+    status: Optional[UserStatus] = None
+
+class User(UserBase):
+    id: str
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = ConfigDict(from_attributes=True)
+
+# Pagination
+class PaginationParams(BaseModel):
+    page: int = Field(1, ge=1)
+    page_size: int = Field(20, ge=1, le=100)
+
+class PaginatedResponse(BaseModel):
+    items: List[Any]
+    total: int
+    page: int
+    page_size: int
+    pages: int
+
+# Error handling
+class ErrorDetail(BaseModel):
+    field: Optional[str] = None
+    message: str
+    code: str
+
+class ErrorResponse(BaseModel):
+    error: str
+    message: str
+    details: Optional[List[ErrorDetail]] = None
+
+@app.exception_handler(HTTPException)
+async def http_exception_handler(request, exc):
+    return JSONResponse(
+        status_code=exc.status_code,
+        content=ErrorResponse(
+            error=exc.__class__.__name__,
+            message=exc.detail if isinstance(exc.detail, str) else exc.detail.get("message", "Error"),
+            details=exc.detail.get("details") if isinstance(exc.detail, dict) else None
+        ).model_dump()
+    )
+
+# Endpoints
+@app.get("/api/users", response_model=PaginatedResponse, tags=["Users"])
+async def list_users(
+    page: int = Query(1, ge=1),
+    page_size: int = Query(20, ge=1, le=100),
+    status: Optional[UserStatus] = Query(None),
+    search: Optional[str] = Query(None)
+):
+    """List users with pagination and filtering."""
+    # Mock implementation
+    total = 100
+    items = [
+        User(
+            id=str(i),
+            email=f"user{i}@example.com",
+            name=f"User {i}",
+            status=UserStatus.ACTIVE,
+            created_at=datetime.now(),
+            updated_at=datetime.now()
+        ).model_dump()
+        for i in range((page-1)*page_size, min(page*page_size, total))
+    ]
+
+    return PaginatedResponse(
+        items=items,
+        total=total,
+        page=page,
+        page_size=page_size,
+        pages=(total + page_size - 1) // page_size
+    )
+
+@app.post("/api/users", response_model=User, status_code=status.HTTP_201_CREATED, tags=["Users"])
+async def create_user(user: UserCreate):
+    """Create a new user."""
+    # Mock implementation
+    return User(
+        id="123",
+        email=user.email,
+        name=user.name,
+        status=user.status,
+        created_at=datetime.now(),
+        updated_at=datetime.now()
+    )
+
+@app.get("/api/users/{user_id}", response_model=User, tags=["Users"])
+async def get_user(user_id: str = Path(..., description="User ID")):
+    """Get user by ID."""
+    # Mock: Check if exists
+    if user_id == "999":
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail={"message": "User not found", "details": {"id": user_id}}
+        )
+
+    return User(
+        id=user_id,
+        email="user@example.com",
+        name="User Name",
+        status=UserStatus.ACTIVE,
+        created_at=datetime.now(),
+        updated_at=datetime.now()
+    )
+
+@app.patch("/api/users/{user_id}", response_model=User, tags=["Users"])
+async def update_user(user_id: str, update: UserUpdate):
+    """Partially update user."""
+    # Validate user exists
+    existing = await get_user(user_id)
+
+    # Apply updates
+    update_data = update.model_dump(exclude_unset=True)
+    for field, value in update_data.items():
+        setattr(existing, field, value)
+
+    existing.updated_at = datetime.now()
+    return existing
+
+@app.delete("/api/users/{user_id}", status_code=status.HTTP_204_NO_CONTENT, tags=["Users"])
+async def delete_user(user_id: str):
+    """Delete user."""
+    await get_user(user_id)  # Verify exists
+    return None
+
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run(app, host="0.0.0.0", port=8000)