cfsa-antigravity 2.19.0 → 2.19.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (200) hide show
  1. package/package.json +1 -1
  2. package/template/.agent/kit-sync.md +3 -3
  3. package/template/.claude/commands/audit-ambiguity-execute.md +6 -0
  4. package/template/.claude/commands/audit-ambiguity-rubrics.md +6 -0
  5. package/template/.claude/commands/audit-ambiguity.md +6 -0
  6. package/template/.claude/commands/bootstrap-agents-fill.md +6 -0
  7. package/template/.claude/commands/bootstrap-agents-provision.md +6 -0
  8. package/template/.claude/commands/bootstrap-agents.md +6 -0
  9. package/template/.claude/commands/create-prd-architecture.md +6 -0
  10. package/template/.claude/commands/create-prd-compile.md +6 -0
  11. package/template/.claude/commands/create-prd-design-system.md +6 -0
  12. package/template/.claude/commands/create-prd-security.md +6 -0
  13. package/template/.claude/commands/create-prd-stack.md +6 -0
  14. package/template/.claude/commands/decompose-architecture-structure.md +6 -0
  15. package/template/.claude/commands/decompose-architecture-validate.md +6 -0
  16. package/template/.claude/commands/evolve-contract.md +6 -0
  17. package/template/.claude/commands/evolve-feature-cascade.md +6 -0
  18. package/template/.claude/commands/evolve-feature-classify.md +6 -0
  19. package/template/.claude/commands/evolve-feature.md +6 -0
  20. package/template/.claude/commands/ideate-discover.md +6 -0
  21. package/template/.claude/commands/ideate-extract.md +6 -0
  22. package/template/.claude/commands/ideate-validate.md +6 -0
  23. package/template/.claude/commands/implement-slice-setup.md +6 -0
  24. package/template/.claude/commands/implement-slice-tdd.md +6 -0
  25. package/template/.claude/commands/plan-phase-preflight.md +6 -0
  26. package/template/.claude/commands/plan-phase-write.md +6 -0
  27. package/template/.claude/commands/propagate-decision-apply.md +6 -0
  28. package/template/.claude/commands/propagate-decision-scan.md +6 -0
  29. package/template/.claude/commands/propagate-decision.md +6 -0
  30. package/template/.claude/commands/remediate-pipeline-assess.md +6 -0
  31. package/template/.claude/commands/remediate-pipeline-execute.md +6 -0
  32. package/template/.claude/commands/remediate-pipeline.md +6 -0
  33. package/template/.claude/commands/remediate-shard-split.md +6 -0
  34. package/template/.claude/commands/resolve-ambiguity.md +6 -0
  35. package/template/.claude/commands/setup-workspace-cicd.md +6 -0
  36. package/template/.claude/commands/setup-workspace-data.md +6 -0
  37. package/template/.claude/commands/setup-workspace-hosting.md +6 -0
  38. package/template/.claude/commands/setup-workspace-scaffold.md +6 -0
  39. package/template/.claude/commands/sync-kit.md +6 -0
  40. package/template/.claude/commands/update-architecture-map.md +6 -0
  41. package/template/.claude/commands/validate-phase-quality.md +6 -0
  42. package/template/.claude/commands/validate-phase-readiness.md +6 -0
  43. package/template/.claude/commands/verify-infrastructure.md +6 -0
  44. package/template/.claude/commands/write-architecture-spec-deepen.md +6 -0
  45. package/template/.claude/commands/write-architecture-spec-design.md +6 -0
  46. package/template/.claude/commands/write-be-spec-classify.md +6 -0
  47. package/template/.claude/commands/write-be-spec-write.md +6 -0
  48. package/template/.claude/commands/write-fe-spec-classify.md +6 -0
  49. package/template/.claude/commands/write-fe-spec-write.md +6 -0
  50. package/template/.claude/skills/accessibility/SKILL.md +522 -0
  51. package/template/.claude/skills/accessibility/references/WCAG.md +162 -0
  52. package/template/.claude/skills/accessibility/references/ia-spec-checklist.md +35 -0
  53. package/template/.claude/skills/adversarial-review/SKILL.md +90 -0
  54. package/template/.claude/skills/antigravity-workflows/SKILL.md +81 -0
  55. package/template/.claude/skills/antigravity-workflows/resources/implementation-playbook.md +36 -0
  56. package/template/.claude/skills/api-design-principles/SKILL.md +169 -0
  57. package/template/.claude/skills/api-design-principles/assets/api-design-checklist.md +155 -0
  58. package/template/.claude/skills/api-design-principles/assets/rest-api-template.py +182 -0
  59. package/template/.claude/skills/api-design-principles/references/graphql-schema-design.md +583 -0
  60. package/template/.claude/skills/api-design-principles/references/rest-best-practices.md +408 -0
  61. package/template/.claude/skills/api-design-principles/resources/implementation-playbook.md +513 -0
  62. package/template/.claude/skills/api-versioning/SKILL.md +166 -0
  63. package/template/.claude/skills/api-versioning/references/typescript.md +157 -0
  64. package/template/.claude/skills/architecture-mapping/SKILL.md +219 -0
  65. package/template/.claude/skills/bootstrap-agents/SKILL.md +258 -0
  66. package/template/.claude/skills/brainstorming/SKILL.md +177 -0
  67. package/template/.claude/skills/brand-guidelines/SKILL.md +44 -0
  68. package/template/.claude/skills/clean-code/SKILL.md +196 -0
  69. package/template/.claude/skills/clean-code/references/typescript.md +126 -0
  70. package/template/.claude/skills/code-review-pro/SKILL.md +152 -0
  71. package/template/.claude/skills/concise-planning/SKILL.md +107 -0
  72. package/template/.claude/skills/cross-layer-consistency/SKILL.md +117 -0
  73. package/template/.claude/skills/database-schema-design/SKILL.md +205 -0
  74. package/template/.claude/skills/database-schema-design/references/relational.md +228 -0
  75. package/template/.claude/skills/deployment-procedures/SKILL.md +241 -0
  76. package/template/.claude/skills/design-anti-cliche/SKILL.md +159 -0
  77. package/template/.claude/skills/design-direction/SKILL.md +45 -0
  78. package/template/.claude/skills/error-handling-patterns/SKILL.md +226 -0
  79. package/template/.claude/skills/error-handling-patterns/references/go.md +162 -0
  80. package/template/.claude/skills/error-handling-patterns/references/python.md +262 -0
  81. package/template/.claude/skills/error-handling-patterns/references/rust.md +112 -0
  82. package/template/.claude/skills/error-handling-patterns/references/typescript.md +178 -0
  83. package/template/.claude/skills/find-skills/SKILL.md +145 -0
  84. package/template/.claude/skills/git-advanced/SKILL.md +972 -0
  85. package/template/.claude/skills/git-workflow/SKILL.md +420 -0
  86. package/template/.claude/skills/idea-extraction/SKILL.md +644 -0
  87. package/template/.claude/skills/logging-best-practices/SKILL.md +192 -0
  88. package/template/.claude/skills/logging-best-practices/references/go.md +49 -0
  89. package/template/.claude/skills/logging-best-practices/references/python.md +52 -0
  90. package/template/.claude/skills/logging-best-practices/references/typescript.md +215 -0
  91. package/template/.claude/skills/migration-management/SKILL.md +200 -0
  92. package/template/.claude/skills/migration-management/references/relational.md +214 -0
  93. package/template/.claude/skills/minimalist-surgical-development/SKILL.md +135 -0
  94. package/template/.claude/skills/parallel-agents/SKILL.md +165 -0
  95. package/template/.claude/skills/parallel-debugging/SKILL.md +135 -0
  96. package/template/.claude/skills/parallel-feature-development/SKILL.md +157 -0
  97. package/template/.claude/skills/performance-budgeting/SKILL.md +144 -0
  98. package/template/.claude/skills/pipeline-rubrics/SKILL.md +51 -0
  99. package/template/.claude/skills/pipeline-rubrics/references/architecture-rubric.md +19 -0
  100. package/template/.claude/skills/pipeline-rubrics/references/be-rubric.md +21 -0
  101. package/template/.claude/skills/pipeline-rubrics/references/fe-rubric.md +20 -0
  102. package/template/.claude/skills/pipeline-rubrics/references/ia-rubric.md +19 -0
  103. package/template/.claude/skills/pipeline-rubrics/references/scoring.md +32 -0
  104. package/template/.claude/skills/pipeline-rubrics/references/vision-rubric.md +12 -0
  105. package/template/.claude/skills/prd-templates/SKILL.md +107 -0
  106. package/template/.claude/skills/prd-templates/references/architecture-completeness-checklist.md +28 -0
  107. package/template/.claude/skills/prd-templates/references/architecture-design-template.md +88 -0
  108. package/template/.claude/skills/prd-templates/references/be-spec-classification.md +41 -0
  109. package/template/.claude/skills/prd-templates/references/be-spec-template.md +107 -0
  110. package/template/.claude/skills/prd-templates/references/bootstrap-verification-protocol.md +50 -0
  111. package/template/.claude/skills/prd-templates/references/constraint-exploration.md +41 -0
  112. package/template/.claude/skills/prd-templates/references/data-placement-template.md +74 -0
  113. package/template/.claude/skills/prd-templates/references/decision-confirmation-protocol.md +68 -0
  114. package/template/.claude/skills/prd-templates/references/decision-propagation.md +121 -0
  115. package/template/.claude/skills/prd-templates/references/decomposition-templates.md +226 -0
  116. package/template/.claude/skills/prd-templates/references/deep-ideation-loading-protocol.md +114 -0
  117. package/template/.claude/skills/prd-templates/references/design-system-decisions.md +198 -0
  118. package/template/.claude/skills/prd-templates/references/design-system-prerequisite-check.md +18 -0
  119. package/template/.claude/skills/prd-templates/references/domain-exhaustion-criteria.md +37 -0
  120. package/template/.claude/skills/prd-templates/references/engagement-tier-protocol.md +58 -0
  121. package/template/.claude/skills/prd-templates/references/engineering-standards-template.md +126 -0
  122. package/template/.claude/skills/prd-templates/references/evolution-layer-guidance.md +91 -0
  123. package/template/.claude/skills/prd-templates/references/expansion-modes.md +27 -0
  124. package/template/.claude/skills/prd-templates/references/fe-classification-procedures.md +47 -0
  125. package/template/.claude/skills/prd-templates/references/fe-spec-template.md +90 -0
  126. package/template/.claude/skills/prd-templates/references/feature-ledger-protocol.md +149 -0
  127. package/template/.claude/skills/prd-templates/references/folder-seeding-protocol.md +77 -0
  128. package/template/.claude/skills/prd-templates/references/fractal-cx-template.md +58 -0
  129. package/template/.claude/skills/prd-templates/references/fractal-feature-template.md +93 -0
  130. package/template/.claude/skills/prd-templates/references/fractal-node-index-template.md +55 -0
  131. package/template/.claude/skills/prd-templates/references/gate-applicability.md +92 -0
  132. package/template/.claude/skills/prd-templates/references/ideation-crosscut-template.md +36 -0
  133. package/template/.claude/skills/prd-templates/references/ideation-index-template.md +111 -0
  134. package/template/.claude/skills/prd-templates/references/ideation-meta-template.md +126 -0
  135. package/template/.claude/skills/prd-templates/references/infrastructure-report-template.md +71 -0
  136. package/template/.claude/skills/prd-templates/references/input-classification.md +23 -0
  137. package/template/.claude/skills/prd-templates/references/map-guard-protocol.md +65 -0
  138. package/template/.claude/skills/prd-templates/references/operational-templates.md +116 -0
  139. package/template/.claude/skills/prd-templates/references/persona-completeness-gate.md +20 -0
  140. package/template/.claude/skills/prd-templates/references/placeholder-guard-template.md +21 -0
  141. package/template/.claude/skills/prd-templates/references/placeholder-workflow-mapping.md +50 -0
  142. package/template/.claude/skills/prd-templates/references/shard-boundary-analysis.md +103 -0
  143. package/template/.claude/skills/prd-templates/references/shard-split-remediation.md +157 -0
  144. package/template/.claude/skills/prd-templates/references/skill-loading-protocol.md +36 -0
  145. package/template/.claude/skills/prd-templates/references/slice-completion-gates.md +29 -0
  146. package/template/.claude/skills/prd-templates/references/spec-coverage-sweep.md +44 -0
  147. package/template/.claude/skills/prd-templates/references/surface-model.md +61 -0
  148. package/template/.claude/skills/prd-templates/references/tdd-testing-policy.md +39 -0
  149. package/template/.claude/skills/prd-templates/references/vision-template.md +57 -0
  150. package/template/.claude/skills/prd-templates/references/workflow-checkpoint-protocol.md +112 -0
  151. package/template/.claude/skills/prd-templates/references/write-verification-protocol.md +57 -0
  152. package/template/.claude/skills/prompt-engineer/SKILL.md +203 -0
  153. package/template/.claude/skills/regex-patterns/SKILL.md +333 -0
  154. package/template/.claude/skills/regex-patterns/references/go.md +44 -0
  155. package/template/.claude/skills/regex-patterns/references/javascript.md +63 -0
  156. package/template/.claude/skills/regex-patterns/references/python.md +77 -0
  157. package/template/.claude/skills/regex-patterns/references/rust.md +43 -0
  158. package/template/.claude/skills/resolve-ambiguity/SKILL.md +278 -0
  159. package/template/.claude/skills/security-scanning-security-hardening/SKILL.md +231 -0
  160. package/template/.claude/skills/session-continuity/SKILL.md +732 -0
  161. package/template/.claude/skills/session-continuity/protocols/01-session-resumption.md +38 -0
  162. package/template/.claude/skills/session-continuity/protocols/02-progress-generation.md +85 -0
  163. package/template/.claude/skills/session-continuity/protocols/03-progress-update.md +70 -0
  164. package/template/.claude/skills/session-continuity/protocols/04-pattern-extraction.md +60 -0
  165. package/template/.claude/skills/session-continuity/protocols/05-session-close.md +37 -0
  166. package/template/.claude/skills/session-continuity/protocols/06-decision-analysis.md +84 -0
  167. package/template/.claude/skills/session-continuity/protocols/07-spec-pipeline-generation.md +48 -0
  168. package/template/.claude/skills/session-continuity/protocols/08-spec-pipeline-update.md +55 -0
  169. package/template/.claude/skills/session-continuity/protocols/09-parallel-claim.md +122 -0
  170. package/template/.claude/skills/session-continuity/protocols/10-placeholder-verification-gate.md +83 -0
  171. package/template/.claude/skills/session-continuity/protocols/11-parallel-synthesis.md +21 -0
  172. package/template/.claude/skills/session-continuity/protocols/ambiguity-gates.md +48 -0
  173. package/template/.claude/skills/skill-creator/SKILL.md +203 -0
  174. package/template/.claude/skills/skill-creator/references/.gitkeep +0 -0
  175. package/template/.claude/skills/skill-creator/scripts/.gitkeep +0 -0
  176. package/template/.claude/skills/spec-writing/SKILL.md +110 -0
  177. package/template/.claude/skills/systematic-debugging/CREATION-LOG.md +119 -0
  178. package/template/.claude/skills/systematic-debugging/SKILL.md +297 -0
  179. package/template/.claude/skills/systematic-debugging/condition-based-waiting-example.ts +158 -0
  180. package/template/.claude/skills/systematic-debugging/condition-based-waiting.md +115 -0
  181. package/template/.claude/skills/systematic-debugging/defense-in-depth.md +122 -0
  182. package/template/.claude/skills/systematic-debugging/find-polluter.sh +63 -0
  183. package/template/.claude/skills/systematic-debugging/root-cause-tracing.md +169 -0
  184. package/template/.claude/skills/systematic-debugging/test-academic.md +14 -0
  185. package/template/.claude/skills/systematic-debugging/test-pressure-1.md +58 -0
  186. package/template/.claude/skills/systematic-debugging/test-pressure-2.md +68 -0
  187. package/template/.claude/skills/systematic-debugging/test-pressure-3.md +69 -0
  188. package/template/.claude/skills/tdd-workflow/SKILL.md +186 -0
  189. package/template/.claude/skills/tdd-workflow/references/typescript.md +231 -0
  190. package/template/.claude/skills/tech-stack-catalog/SKILL.md +49 -0
  191. package/template/.claude/skills/tech-stack-catalog/references/constraint-questions.md +237 -0
  192. package/template/.claude/skills/tech-stack-catalog/references/dev-tooling-decisions.md +37 -0
  193. package/template/.claude/skills/tech-stack-catalog/references/surface-decision-tables.md +69 -0
  194. package/template/.claude/skills/technical-writer/SKILL.md +242 -0
  195. package/template/.claude/skills/testing-strategist/SKILL.md +319 -0
  196. package/template/.claude/skills/testing-strategist/references/typescript.md +328 -0
  197. package/template/.claude/skills/verification-before-completion/SKILL.md +97 -0
  198. package/template/.claude/skills/workflow-automation/SKILL.md +166 -0
  199. package/template/.claude/skills/workflow-automation/references/inngest.md +88 -0
  200. package/template/.claude/skills/workflow-automation/references/temporal.md +64 -0
@@ -0,0 +1,278 @@
1
+ ---
2
+ name: resolve-ambiguity
3
+ description: "Systematic ambiguity resolution through tiered information gathering. Use when facing unclear requirements, unknown context, uncertain implementation choices, or any situation where guessing would be risky."
4
+ version: 1.0.0
5
+ ---
6
+
7
+ # Resolve Ambiguity
8
+
9
+ Resolve ambiguity through a systematic process that prioritizes accurate information over guessing. This skill determines the best source for missing information and retrieves it efficiently.
10
+
11
+ **Core principle**: Rather ask than guess. Wrong assumptions waste more time than clarifying questions.
12
+
13
+ **Usage**: Invoke this skill reactively — whenever an agent encounters something it doesn't know during any pipeline step.
14
+
15
+ ---
16
+
17
+ ## Quick Start
18
+
19
+ When you encounter ambiguity, classify it:
20
+
21
+ 1. **Technical/Factual** — "How does X work?" "What is the correct syntax?" "What did the architecture doc decide?"
22
+ - Likely found in project or online sources
23
+ - Follow the tiered lookup process
24
+
25
+ 2. **Intent/Choice** — "Which approach should I use?" "What does the user want?" "Should we prioritize X or Y?"
26
+ - Requires user input
27
+ - Go directly to User Clarification (skip lookup)
28
+
29
+ ---
30
+
31
+ ## Tiered Lookup (for Technical/Factual ambiguity)
32
+
33
+ Check sources in this order. **Stop as soon as you find authoritative information.**
34
+
35
+ ### Tier 1: Project Context Files
36
+
37
+ **Check first — fastest and most relevant**
38
+
39
+ Look for project-specific context that may already answer the question:
40
+ - `AGENTS.md` or `GEMINI.md` — Agent instructions, tech stack, validation commands
41
+ - `.agent/instructions/tech-stack.md` — Technology decisions
42
+ - `.agent/instructions/patterns.md` — Code conventions
43
+ - `.agent/instructions/structure.md` — Directory layout
44
+ - `.agent/instructions/commands.md` — Dev, test, lint, build
45
+
46
+ If these files contain `{{PLACEHOLDER}}` values, the information hasn't been decided yet — move to the next tier.
47
+
48
+ ### Tier 2: Upstream Spec Documents
49
+
50
+ **Check second — the pipeline's own output**
51
+
52
+ The answer may already exist in a document written by an earlier pipeline stage:
53
+ - `docs/plans/ideation/ideation-index.md` + fractal domain tree (folder `*-index.md`, `*-cx.md`, and feature files) — Problem, personas, features, constraints, domain map
54
+ - `docs/plans/*-architecture-design.md` — Tech stack, system design, security model
55
+ - `docs/plans/ENGINEERING-STANDARDS.md` — Quality thresholds, performance budgets
56
+ - `docs/plans/ia/*.md` — IA shards (features, data models, access control, edge cases)
57
+ - `docs/plans/ia/deep-dives/*.md` — Detailed architectural decisions
58
+ - `docs/plans/be/*.md` — BE specs (endpoints, contracts, schemas)
59
+ - `docs/plans/fe/*.md` — FE specs (components, routing, state, a11y)
60
+
61
+ **Read the specific section, not the entire document.** Use the IA/BE/FE index files to locate the relevant shard or spec.
62
+
63
+ ### Tier 3: Architectural & Config Files
64
+
65
+ **Check third — project-specific patterns**
66
+
67
+ Look within the codebase for answers embedded in configuration or existing code:
68
+ - `package.json`, `tsconfig.json` — Dependencies, TypeScript config
69
+ - `pyproject.toml`, `setup.py` — Python config
70
+ - `Cargo.toml` — Rust config
71
+ - `.env.example` — Environment variables
72
+ - `README.md` — Project overview and setup
73
+ - `ARCHITECTURE.md` or `docs/architecture.md` — Design decisions
74
+
75
+ Also check existing code for established patterns:
76
+ - Search for files matching the pattern you're trying to follow
77
+ - Search for similar implementations in the codebase
78
+
79
+ ### Tier 4: MCP Documentation Tools
80
+
81
+ **Check fourth — if MCP documentation tools are available**
82
+
83
+ If MCP tools are available for documentation lookup, use them:
84
+ - Context7, Firecrawl, or other documentation-specific MCP tools
85
+ - These provide structured access to official library and framework documentation
86
+
87
+ ### Tier 5: Web Search Official Sources
88
+
89
+ **Check fifth — for external APIs, libraries, standards**
90
+
91
+ Search the web for:
92
+ - Official documentation sites
93
+ - GitHub repositories of libraries
94
+ - API reference documentation
95
+ - RFC or specification documents
96
+
97
+ **Search strategy**:
98
+ 1. Search with specific query: `"{library/API name} documentation {specific topic}"`
99
+ 2. Fetch the most authoritative result (official docs preferred)
100
+ 3. Extract only the relevant information
101
+
102
+ Prefer sources in this order:
103
+ 1. Official documentation (*.dev, *.io, readthedocs)
104
+ 2. GitHub repository README/docs
105
+ 3. Stack Overflow with high votes (for edge cases)
106
+
107
+ ### When to Stop
108
+
109
+ Stop the tiered lookup when:
110
+ - You find authoritative information that resolves the ambiguity
111
+ - You've checked all relevant tiers without finding information
112
+ - The information found indicates this is actually a choice/intent question
113
+
114
+ If all tiers exhausted without answer, proceed to User Clarification.
115
+
116
+ ---
117
+
118
+ ## User Clarification (for Intent/Choice ambiguity)
119
+
120
+ For intent/choice questions, or when tiered lookup fails, ask the user directly. **Never guess when user input is available.**
121
+
122
+ ### Principles
123
+
124
+ 1. **Explain what you need** — Tell the user what information is missing
125
+ 2. **Explain why you need it** — Describe how the answer affects the outcome
126
+ 3. **Offer smart choices** — If you can infer likely options, present them
127
+ 4. **Best practice first** — Order choices with recommended approach at top
128
+ 5. **Bad ideas last** — If including risky options, put them at the bottom
129
+ 6. **Always allow custom input** — User can always provide their own answer
130
+ 7. **When uncertain, don't guess choices** — Better to ask open-ended than offer wrong options
131
+
132
+ ### With Known Choices
133
+
134
+ When you can confidently identify the options, present them to the user:
135
+ - Question: Clear, specific question explaining context
136
+ - Options ordered by preference (2-4 max):
137
+ 1. Best practice / Most common / Recommended
138
+ 2. Good alternative
139
+ 3. Another valid option
140
+ 4. Least recommended / Has drawbacks
141
+ - Each option includes description explaining implications
142
+ - User can always provide custom input
143
+
144
+ ### Without Known Choices
145
+
146
+ When you cannot confidently identify the options:
147
+
148
+ **DO NOT GUESS.** Ask an open-ended question instead:
149
+ - Explain what you need to know and why
150
+ - Keep options minimal or omit entirely
151
+ - Allow free-form input as primary response method
152
+
153
+ ### Formatting Rules
154
+
155
+ 1. **Single question at a time** — Don't overwhelm with multiple questions
156
+ 2. **2-4 options maximum** — More becomes confusing
157
+ 3. **Descriptions are required** — Every option needs context
158
+ 4. **No yes/no when options exist** — Offer the actual choices instead
159
+ 5. **Acknowledge uncertainty** — "I'm not sure which applies, so..."
160
+
161
+ ---
162
+
163
+ ## Ambiguity Categories
164
+
165
+ ### Technical Implementation
166
+ **Examples**: "How do I call this API?" "What's the correct syntax?"
167
+
168
+ **Resolution path**:
169
+ 1. Check project context files → upstream specs
170
+ 2. Check architectural docs and existing code
171
+ 3. Search official documentation
172
+ 4. If still unclear → ask user for clarification
173
+
174
+ ### Project Conventions
175
+ **Examples**: "What naming convention?" "Where should this file go?"
176
+
177
+ **Resolution path**:
178
+ 1. Check agent instructions and patterns for explicit conventions
179
+ 2. Check existing code for patterns
180
+ 3. Check README/contributing guide
181
+ 4. If no clear pattern → ask user preference
182
+
183
+ ### Spec Interpretation
184
+ **Examples**: "Does the IA shard mean X or Y?" "Is this edge case in scope?"
185
+
186
+ **Resolution path**:
187
+ 1. Re-read the specific section of the upstream spec
188
+ 2. Check cross-shard references for clarification
189
+ 3. Check deep dives for architectural decisions
190
+ 4. If genuinely ambiguous → ask user (this is a spec gap that should be fixed)
191
+
192
+ ### User Intent
193
+ **Examples**: "Which feature first?" "Should I also refactor X?"
194
+
195
+ **Resolution path**:
196
+ 1. Skip lookup — this requires user input
197
+ 2. Ask user immediately
198
+ 3. Present inferred options if confident
199
+ 4. Allow open-ended response if uncertain
200
+
201
+ ### External Dependencies
202
+ **Examples**: "Which version of X?" "What's the API for Y?"
203
+
204
+ **Resolution path**:
205
+ 1. Check package.json/pyproject.toml for versions
206
+ 2. Search for current documentation
207
+ 3. Fetch official docs
208
+ 4. If version-specific behavior → confirm with user
209
+
210
+ ### Architectural Decisions
211
+ **Examples**: "Monolith or microservices?" "Which pattern to use?"
212
+
213
+ **Resolution path**:
214
+ 1. Check architecture-design.md for prior decisions
215
+ 2. Check ENGINEERING-STANDARDS.md for constraints
216
+ 3. This is usually a choice → ask user
217
+ 4. Present trade-offs clearly in options
218
+
219
+ ---
220
+
221
+ ## Relationship to `/audit-ambiguity`
222
+
223
+ This skill and the audit workflow are complementary:
224
+
225
+ | Aspect | `resolve-ambiguity` | `/audit-ambiguity` |
226
+ |--------|---------------------|---------------------|
227
+ | **When** | During any step, at any time | Between pipeline stages |
228
+ | **Trigger** | Agent encounters something it doesn't know | User invokes as a gate |
229
+ | **Scope** | Single question or decision | Entire spec layer |
230
+ | **Output** | Answer or user decision | Scored report with punch list |
231
+ | **Purpose** | Prevent guessing during execution | Verify completeness after writing |
232
+
233
+ **Composition**: After `/audit-ambiguity` produces a punch list, it invokes this skill on each gap:
234
+ - **Technical gaps** → tiered lookup finds the answer → **mechanical fix** with source citation
235
+ - **Intent gaps** → no source has the answer → **judgment call** presented to user
236
+ - This powers the audit's remediation phase with structured, source-backed resolution
237
+
238
+ ---
239
+
240
+ ## Anti-Patterns
241
+
242
+ ### Guessing and Hoping
243
+ **Wrong**: Making assumptions and proceeding without verification
244
+ **Instead**: Take 30 seconds to check or ask
245
+
246
+ ### Too Many Questions
247
+ **Wrong**: Asking 5 questions before doing anything
248
+ **Instead**: Ask only what's blocking immediate progress
249
+
250
+ ### Vague Questions
251
+ **Wrong**: "How should I proceed?"
252
+ **Instead**: "Should I use approach A (benefit) or B (benefit)?"
253
+
254
+ ### Assuming User Expertise
255
+ **Wrong**: "Should I use the factory pattern or strategy pattern?"
256
+ **Instead**: Explain the options in plain terms with trade-offs
257
+
258
+ ### Hiding Behind Defaults
259
+ **Wrong**: Silently using a default without mentioning alternatives
260
+ **Instead**: "I'll use X (the standard approach). Let me know if you'd prefer Y."
261
+
262
+ ### Skipping Upstream Specs
263
+ **Wrong**: Searching the web for an answer that's already in the architecture doc
264
+ **Instead**: Check Tier 1 and 2 (project docs and upstream specs) before going external
265
+
266
+ ### Not Recording the Resolution
267
+ **Wrong**: Resolving ambiguity verbally but not updating the spec
268
+ **Instead**: When a gap is resolved, update the relevant spec document so future readers don't hit the same ambiguity
269
+
270
+ ---
271
+
272
+ ## Process Summary
273
+
274
+ 1. **Detect**: Identify what information is missing
275
+ 2. **Classify**: Technical/Factual → Tiered lookup | Intent/Choice → User clarification
276
+ 3. **Resolve**: Execute the appropriate resolution path
277
+ 4. **Apply**: Use the information to proceed with the task
278
+ 5. **Record**: Update relevant documents so the resolution persists
@@ -0,0 +1,231 @@
1
+ ---
2
+ name: security-scanning-security-hardening
3
+ description: "Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls."
4
+ ---
5
+
6
+ Implement comprehensive security hardening with defense-in-depth strategy through coordinated multi-agent orchestration:
7
+
8
+ [Extended thinking: This workflow implements a defense-in-depth security strategy across all application layers. It coordinates specialized security agents to perform comprehensive assessments, implement layered security controls, and establish continuous security monitoring. The approach follows modern DevSecOps principles with shift-left security, automated scanning, and compliance validation. Each phase builds upon previous findings to create a resilient security posture that addresses both current vulnerabilities and future threats.]
9
+
10
+ ## Use this skill when
11
+
12
+ - Running a coordinated security hardening program
13
+ - Establishing defense-in-depth controls across app, infra, and CI/CD
14
+ - Prioritizing remediation from scans and threat modeling
15
+
16
+ ## Do not use this skill when
17
+
18
+ - You only need a quick scan without remediation work
19
+ - You lack authorization for security testing or changes
20
+ - The environment cannot tolerate invasive security controls
21
+
22
+ ## Instructions
23
+
24
+ 1. Execute Phase 1 to establish a security baseline.
25
+ 2. Apply Phase 2 remediations for high-risk issues.
26
+ 3. Implement Phase 3 controls and validate defenses.
27
+ 4. Complete Phase 4 validation and compliance checks.
28
+
29
+ ## Safety
30
+
31
+ - Avoid intrusive testing in production without approval.
32
+ - Ensure rollback plans exist before hardening changes.
33
+
34
+ ## Phase 1: Comprehensive Security Assessment
35
+
36
+ ### 1. Initial Vulnerability Scanning
37
+ - Use Task tool with subagent_type="security-auditor"
38
+ - Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
39
+ - Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
40
+ - Context: Initial baseline for all remediation efforts
41
+
42
+ ### 2. Threat Modeling and Risk Analysis
43
+ - Use Task tool with subagent_type="security-auditor"
44
+ - Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
45
+ - Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
46
+ - Context: Uses vulnerability scan results to inform threat priorities
47
+
48
+ ### 3. Architecture Security Review
49
+ - Use Task tool with subagent_type="backend-api-security::backend-architect"
50
+ - Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
51
+ - Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
52
+ - Context: Incorporates threat model to address architectural vulnerabilities
53
+
54
+ ## Phase 2: Vulnerability Remediation
55
+
56
+ ### 4. Critical Vulnerability Fixes
57
+ - Use Task tool with subagent_type="security-auditor"
58
+ - Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
59
+ - Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
60
+ - Context: Addresses high-priority items from vulnerability assessment
61
+
62
+ ### 5. Backend Security Hardening
63
+ - Use Task tool with subagent_type="backend-api-security::backend-security-coder"
64
+ - Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
65
+ - Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
66
+ - Context: Builds upon vulnerability fixes with preventive controls
67
+
68
+ ### 6. Frontend Security Implementation
69
+ - Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
70
+ - Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
71
+ - Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
72
+ - Context: Complements backend security with client-side protections
73
+
74
+ ### 7. Mobile Security Hardening
75
+ - Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
76
+ - Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
77
+ - Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
78
+ - Context: Extends security to mobile platforms if applicable
79
+
80
+ ## Phase 3: Security Controls Implementation
81
+
82
+ ### 8. Authentication and Authorization Enhancement
83
+ - Use Task tool with subagent_type="security-auditor"
84
+ - Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
85
+ - Output: Authentication service configuration, MFA implementation, authorization policies, session management system
86
+ - Context: Strengthens access controls based on architecture review
87
+
88
+ ### 9. Infrastructure Security Controls
89
+ - Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
90
+ - Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
91
+ - Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
92
+ - Context: Implements network-level defenses
93
+
94
+ ### 10. Secrets Management Implementation
95
+ - Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
96
+ - Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
97
+ - Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
98
+ - Context: Eliminates secrets exposure vulnerabilities
99
+
100
+ ## Phase 4: Validation and Compliance
101
+
102
+ ### 11. Penetration Testing and Validation
103
+ - Use Task tool with subagent_type="security-auditor"
104
+ - Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
105
+ - Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
106
+ - Context: Validates all implemented security measures
107
+
108
+ ### 12. Compliance and Standards Verification
109
+ - Use Task tool with subagent_type="security-auditor"
110
+ - Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
111
+ - Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
112
+ - Context: Ensures regulatory and industry standard compliance
113
+
114
+ ### 13. Security Monitoring and SIEM Integration
115
+ - Use Task tool with subagent_type="incident-response::devops-troubleshooter"
116
+ - Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
117
+ - Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
118
+ - Context: Establishes continuous security monitoring
119
+
120
+ ## Configuration Options
121
+ - scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
122
+ - compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
123
+ - remediation_priority: "cvss_score" | "exploitability" | "business_impact"
124
+ - monitoring_integration: "splunk" | "elastic" | "sentinel" | "custom"
125
+ - authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
126
+
127
+ ## Success Criteria
128
+ - All critical vulnerabilities (CVSS 7+) remediated
129
+ - OWASP Top 10 vulnerabilities addressed
130
+ - Zero high-risk findings in penetration testing
131
+ - Compliance frameworks validation passed
132
+ - Security monitoring detecting and alerting on threats
133
+ - Incident response time < 15 minutes for critical alerts
134
+ - SBOM generated and vulnerabilities tracked
135
+ - All secrets managed through secure vault
136
+ - Authentication implements MFA and secure session management
137
+ - Security tests integrated into CI/CD pipeline
138
+
139
+ ## Coordination Notes
140
+ - Each phase provides detailed findings that inform subsequent phases
141
+ - Security-auditor agent coordinates with domain-specific agents for fixes
142
+ - All code changes undergo security review before implementation
143
+ - Continuous feedback loop between assessment and remediation
144
+ - Security findings tracked in centralized vulnerability management system
145
+ - Regular security reviews scheduled post-implementation
146
+
147
+ Security hardening target: $ARGUMENTS
148
+
149
+ ## Attack Surface Review Protocol
150
+
151
+ This protocol runs during `/create-prd-security`. Universal checks apply to all projects. Surface-specific checks are conditional — they run only if the corresponding surface has been confirmed during `/create-prd-stack`.
152
+
153
+ ### Universal Checks (All Projects)
154
+
155
+ #### 1. Secret Management
156
+
157
+ Where secrets are stored (env vars, vault, cloud secret manager), access policy, rotation cadence, CI injection method (environment variables, OIDC, sealed secrets).
158
+
159
+ Document under `## Security — Attack Surface > Secret Management`.
160
+
161
+ #### 2. Dependency Audit Cadence
162
+
163
+ Scan frequency; CI gate behavior on critical CVE (block merge, warn, ignore); triage policy for high-severity CVEs (patch within N days) and medium-severity CVEs (patch within N days or accept-with-justification).
164
+
165
+ Document under `## Security — Attack Surface > Dependency Auditing`.
166
+
167
+ ### Web Surface Checks (If Web Surface Confirmed)
168
+
169
+ #### 1. OWASP Top 10 Review
170
+
171
+ For each of the 10 categories, name the specific mechanism that mitigates it.
172
+
173
+ **Rule:** "Handled by framework" is not acceptable — name the framework feature, the configuration, and the fallback if the framework is bypassed.
174
+
175
+ Document under `## Security — Attack Surface > Web > OWASP Top 10`.
176
+
177
+ #### 2. Security Headers
178
+
179
+ Configured values for each of the following headers:
180
+
181
+ - `Content-Security-Policy`
182
+ - `Strict-Transport-Security`
183
+ - `X-Content-Type-Options`
184
+ - `X-Frame-Options`
185
+ - `Referrer-Policy`
186
+ - `Permissions-Policy`
187
+
188
+ **Rule:** Each header must have a specific value, not just "enabled".
189
+
190
+ Document under `## Security — Attack Surface > Web > Security Headers`.
191
+
192
+ ### API Surface Checks (If API Surface Confirmed)
193
+
194
+ #### 1. OWASP API Security Top 10
195
+
196
+ For each category, name the mechanism that mitigates it.
197
+
198
+ **Special emphasis:** BOLA/IDOR requires a per-endpoint ownership check strategy — name how each endpoint verifies the requesting user owns the requested resource.
199
+
200
+ Document under `## Security — Attack Surface > API > OWASP API Top 10`.
201
+
202
+ ### Desktop Surface Checks (If Desktop Surface Confirmed)
203
+
204
+ #### 1. Sandboxing Model
205
+
206
+ Sandboxing strategy, IPC security boundaries, auto-update verification, code signing chain.
207
+
208
+ #### 2. Notarization
209
+
210
+ Notarization workflow (macOS notarization, Windows SmartScreen signing), signing certificate source, CI step that performs notarization.
211
+
212
+ #### 3. Local Data Encryption
213
+
214
+ Strategy for encrypting sensitive data at rest (encryption library, key storage mechanism, what data is encrypted).
215
+
216
+ Document all three under `## Security — Attack Surface > Desktop`.
217
+
218
+ ### Mobile Surface Checks (If Mobile Surface Confirmed)
219
+
220
+ #### 1. Mobile-Specific Threats
221
+
222
+ Certificate pinning strategy, secure storage approach, jailbreak/root detection policy, deep link validation.
223
+
224
+ Document under `## Security — Attack Surface > Mobile`.
225
+
226
+ ### User Presentation Prompts
227
+
228
+ Present these two questions to the user for confirmation:
229
+
230
+ 1. "Are there any attack vectors I've missed for your specific domain?"
231
+ 2. "Do the OWASP mechanisms look correct, or are any of them actually handled differently?"