cli-jaw 0.1.0
- package/LICENSE +21 -0
- package/README.ko.md +411 -0
- package/README.md +416 -0
- package/README.zh-CN.md +411 -0
- package/dist/bin/cli-jaw.js +108 -0
- package/dist/bin/cli-jaw.js.map +1 -0
- package/dist/bin/commands/browser.js +241 -0
- package/dist/bin/commands/browser.js.map +1 -0
- package/dist/bin/commands/chat.js +878 -0
- package/dist/bin/commands/chat.js.map +1 -0
- package/dist/bin/commands/doctor.js +152 -0
- package/dist/bin/commands/doctor.js.map +1 -0
- package/dist/bin/commands/employee.js +70 -0
- package/dist/bin/commands/employee.js.map +1 -0
- package/dist/bin/commands/init.js +110 -0
- package/dist/bin/commands/init.js.map +1 -0
- package/dist/bin/commands/mcp.js +219 -0
- package/dist/bin/commands/mcp.js.map +1 -0
- package/dist/bin/commands/memory.js +105 -0
- package/dist/bin/commands/memory.js.map +1 -0
- package/dist/bin/commands/reset.js +109 -0
- package/dist/bin/commands/reset.js.map +1 -0
- package/dist/bin/commands/serve.js +75 -0
- package/dist/bin/commands/serve.js.map +1 -0
- package/dist/bin/commands/skill.js +232 -0
- package/dist/bin/commands/skill.js.map +1 -0
- package/dist/bin/commands/status.js +51 -0
- package/dist/bin/commands/status.js.map +1 -0
- package/dist/bin/postinstall.js +218 -0
- package/dist/bin/postinstall.js.map +1 -0
- package/dist/lib/mcp-sync.js +639 -0
- package/dist/lib/mcp-sync.js.map +1 -0
- package/dist/lib/quota-copilot.js +62 -0
- package/dist/lib/quota-copilot.js.map +1 -0
- package/dist/lib/upload.js +72 -0
- package/dist/lib/upload.js.map +1 -0
- package/dist/server.js +832 -0
- package/dist/server.js.map +1 -0
- package/dist/src/agent/args.js +66 -0
- package/dist/src/agent/args.js.map +1 -0
- package/dist/src/agent/events.js +328 -0
- package/dist/src/agent/events.js.map +1 -0
- package/dist/src/agent/spawn.js +646 -0
- package/dist/src/agent/spawn.js.map +1 -0
- package/dist/src/browser/actions.js +168 -0
- package/dist/src/browser/actions.js.map +1 -0
- package/dist/src/browser/connection.js +79 -0
- package/dist/src/browser/connection.js.map +1 -0
- package/dist/src/browser/index.js +4 -0
- package/dist/src/browser/index.js.map +1 -0
- package/dist/src/browser/vision.js +128 -0
- package/dist/src/browser/vision.js.map +1 -0
- package/dist/src/cli/acp-client.js +298 -0
- package/dist/src/cli/acp-client.js.map +1 -0
- package/dist/src/cli/commands.js +267 -0
- package/dist/src/cli/commands.js.map +1 -0
- package/dist/src/cli/handlers.js +405 -0
- package/dist/src/cli/handlers.js.map +1 -0
- package/dist/src/cli/registry.js +87 -0
- package/dist/src/cli/registry.js.map +1 -0
- package/dist/src/command-contract/catalog.js +36 -0
- package/dist/src/command-contract/catalog.js.map +1 -0
- package/dist/src/command-contract/help-renderer.js +39 -0
- package/dist/src/command-contract/help-renderer.js.map +1 -0
- package/dist/src/command-contract/policy.js +34 -0
- package/dist/src/command-contract/policy.js.map +1 -0
- package/dist/src/core/bus.js +17 -0
- package/dist/src/core/bus.js.map +1 -0
- package/dist/src/core/config.js +198 -0
- package/dist/src/core/config.js.map +1 -0
- package/dist/src/core/db.js +97 -0
- package/dist/src/core/db.js.map +1 -0
- package/dist/src/core/i18n.js +86 -0
- package/dist/src/core/i18n.js.map +1 -0
- package/dist/src/core/logger.js +14 -0
- package/dist/src/core/logger.js.map +1 -0
- package/dist/src/core/settings-merge.js +40 -0
- package/dist/src/core/settings-merge.js.map +1 -0
- package/dist/src/http/async-handler.js +6 -0
- package/dist/src/http/async-handler.js.map +1 -0
- package/dist/src/http/error-middleware.js +24 -0
- package/dist/src/http/error-middleware.js.map +1 -0
- package/dist/src/http/response.js +16 -0
- package/dist/src/http/response.js.map +1 -0
- package/dist/src/memory/heartbeat.js +106 -0
- package/dist/src/memory/heartbeat.js.map +1 -0
- package/dist/src/memory/memory.js +119 -0
- package/dist/src/memory/memory.js.map +1 -0
- package/dist/src/memory/worklog.js +154 -0
- package/dist/src/memory/worklog.js.map +1 -0
- package/dist/src/orchestrator/distribute.js +310 -0
- package/dist/src/orchestrator/distribute.js.map +1 -0
- package/dist/src/orchestrator/parser.js +118 -0
- package/dist/src/orchestrator/parser.js.map +1 -0
- package/dist/src/orchestrator/pipeline.js +343 -0
- package/dist/src/orchestrator/pipeline.js.map +1 -0
- package/dist/src/prompt/builder.js +531 -0
- package/dist/src/prompt/builder.js.map +1 -0
- package/dist/src/routes/browser.js +126 -0
- package/dist/src/routes/browser.js.map +1 -0
- package/dist/src/routes/quota.js +94 -0
- package/dist/src/routes/quota.js.map +1 -0
- package/dist/src/security/decode.js +23 -0
- package/dist/src/security/decode.js.map +1 -0
- package/dist/src/security/path-guards.js +62 -0
- package/dist/src/security/path-guards.js.map +1 -0
- package/dist/src/telegram/bot.js +469 -0
- package/dist/src/telegram/bot.js.map +1 -0
- package/dist/src/telegram/forwarder.js +93 -0
- package/dist/src/telegram/forwarder.js.map +1 -0
- package/package.json +80 -0
- package/public/css/chat.css +571 -0
- package/public/css/layout.css +350 -0
- package/public/css/markdown.css +270 -0
- package/public/css/modals.css +172 -0
- package/public/css/sidebar.css +225 -0
- package/public/css/variables.css +142 -0
- package/public/index.html +470 -0
- package/public/js/api.js +55 -0
- package/public/js/constants.js +119 -0
- package/public/js/features/appname.js +43 -0
- package/public/js/features/chat.js +242 -0
- package/public/js/features/employees.js +120 -0
- package/public/js/features/heartbeat.js +80 -0
- package/public/js/features/i18n.js +125 -0
- package/public/js/features/memory.js +85 -0
- package/public/js/features/settings.js +512 -0
- package/public/js/features/sidebar.js +88 -0
- package/public/js/features/skills.js +68 -0
- package/public/js/features/slash-commands.js +231 -0
- package/public/js/features/theme.js +40 -0
- package/public/js/locale.js +23 -0
- package/public/js/main.js +281 -0
- package/public/js/render.js +294 -0
- package/public/js/state.js +16 -0
- package/public/js/ui.js +172 -0
- package/public/js/ws.js +76 -0
- package/public/locales/en.json +180 -0
- package/public/locales/ko.json +180 -0
- package/public/theme-test.html +545 -0
- package/skills_ref/1password/SKILL.md +70 -0
- package/skills_ref/agents-sdk/SKILL.md +155 -0
- package/skills_ref/agents-sdk/references/callable.md +92 -0
- package/skills_ref/agents-sdk/references/codemode.md +207 -0
- package/skills_ref/agents-sdk/references/email.md +146 -0
- package/skills_ref/agents-sdk/references/mcp.md +154 -0
- package/skills_ref/agents-sdk/references/state-scheduling.md +164 -0
- package/skills_ref/agents-sdk/references/streaming-chat.md +178 -0
- package/skills_ref/agents-sdk/references/workflows.md +132 -0
- package/skills_ref/algorithmic-art/LICENSE.txt +202 -0
- package/skills_ref/algorithmic-art/SKILL.md +405 -0
- package/skills_ref/algorithmic-art/templates/generator_template.js +223 -0
- package/skills_ref/algorithmic-art/templates/viewer.html +599 -0
- package/skills_ref/apple-notes/SKILL.md +77 -0
- package/skills_ref/apple-reminders/SKILL.md +118 -0
- package/skills_ref/atlas/SKILL.md +99 -0
- package/skills_ref/brainstorming/SKILL.md +96 -0
- package/skills_ref/browser/SKILL.md +179 -0
- package/skills_ref/canvas-design/LICENSE.txt +202 -0
- package/skills_ref/canvas-design/SKILL.md +130 -0
- package/skills_ref/canvas-design/canvas-fonts/ArsenalSC-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/ArsenalSC-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BigShoulders-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BigShoulders-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/BigShoulders-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Boldonse-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Boldonse-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BricolageGrotesque-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BricolageGrotesque-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/BricolageGrotesque-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/DMMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/DMMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/EricaOne-OFL.txt +94 -0
- package/skills_ref/canvas-design/canvas-fonts/EricaOne-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/GeistMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/GeistMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/GeistMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Gloock-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Gloock-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSerif-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSerif-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Italiana-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Italiana-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/JetBrainsMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/JetBrainsMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/JetBrainsMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Jura-Light.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Jura-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Jura-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/LibreBaskerville-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/LibreBaskerville-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/NationalPark-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/NationalPark-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/NationalPark-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/NothingYouCouldDo-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/NothingYouCouldDo-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Outfit-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Outfit-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Outfit-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/PixelifySans-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/PixelifySans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/PoiretOne-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/PoiretOne-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/RedHatMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/RedHatMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/RedHatMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Silkscreen-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Silkscreen-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/SmoochSans-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/SmoochSans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Tektur-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Tektur-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Tektur-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/YoungSerif-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/YoungSerif-Regular.ttf +0 -0
- package/skills_ref/changelog-generator/SKILL.md +104 -0
- package/skills_ref/cloudflare-deploy/SKILL.md +207 -0
- package/skills_ref/codebase-orientation/SKILL.md +29 -0
- package/skills_ref/config-file-explainer/SKILL.md +26 -0
- package/skills_ref/context-compression/SKILL.md +265 -0
- package/skills_ref/context-compression/references/evaluation-framework.md +213 -0
- package/skills_ref/context-compression/scripts/compression_evaluator.py +658 -0
- package/skills_ref/data-structure-chooser/SKILL.md +26 -0
- package/skills_ref/debugging-checklist/SKILL.md +26 -0
- package/skills_ref/debugging-helpers/CREATION-LOG.md +119 -0
- package/skills_ref/debugging-helpers/SKILL.md +296 -0
- package/skills_ref/debugging-helpers/condition-based-waiting-example.ts +158 -0
- package/skills_ref/debugging-helpers/condition-based-waiting.md +115 -0
- package/skills_ref/debugging-helpers/defense-in-depth.md +122 -0
- package/skills_ref/debugging-helpers/find-polluter.sh +63 -0
- package/skills_ref/debugging-helpers/root-cause-tracing.md +169 -0
- package/skills_ref/debugging-helpers/test-academic.md +14 -0
- package/skills_ref/debugging-helpers/test-pressure-1.md +58 -0
- package/skills_ref/debugging-helpers/test-pressure-2.md +68 -0
- package/skills_ref/debugging-helpers/test-pressure-3.md +69 -0
- package/skills_ref/deep-research/.env.example +7 -0
- package/skills_ref/deep-research/README.md +246 -0
- package/skills_ref/deep-research/SKILL.md +106 -0
- package/skills_ref/deep-research/requirements.txt +2 -0
- package/skills_ref/deep-research/scripts/research.py +692 -0
- package/skills_ref/dependency-install-helper/SKILL.md +26 -0
- package/skills_ref/dev/SKILL.md +65 -0
- package/skills_ref/dev-backend/SKILL.md +61 -0
- package/skills_ref/dev-data/SKILL.md +76 -0
- package/skills_ref/dev-frontend/LICENSE.txt +177 -0
- package/skills_ref/dev-frontend/SKILL.md +42 -0
- package/skills_ref/dev-testing/LICENSE.txt +202 -0
- package/skills_ref/dev-testing/SKILL.md +96 -0
- package/skills_ref/dev-testing/examples/console_logging.py +35 -0
- package/skills_ref/dev-testing/examples/element_discovery.py +40 -0
- package/skills_ref/dev-testing/examples/static_html_automation.py +33 -0
- package/skills_ref/dev-testing/scripts/with_server.py +106 -0
- package/skills_ref/develop-web-game/SKILL.md +149 -0
- package/skills_ref/differential-review/.claude-plugin/plugin.json +10 -0
- package/skills_ref/differential-review/README.md +109 -0
- package/skills_ref/differential-review/commands/diff-review.md +21 -0
- package/skills_ref/differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills_ref/differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills_ref/differential-review/skills/differential-review/methodology.md +234 -0
- package/skills_ref/differential-review/skills/differential-review/patterns.md +300 -0
- package/skills_ref/differential-review/skills/differential-review/reporting.md +369 -0
- package/skills_ref/dispatching-parallel-agents/SKILL.md +180 -0
- package/skills_ref/doc-coauthoring/SKILL.md +375 -0
- package/skills_ref/docx/LICENSE.txt +30 -0
- package/skills_ref/docx/SKILL.md +481 -0
- package/skills_ref/docx/scripts/__init__.py +1 -0
- package/skills_ref/docx/scripts/accept_changes.py +135 -0
- package/skills_ref/docx/scripts/comment.py +318 -0
- package/skills_ref/docx/scripts/office/helpers/__init__.py +0 -0
- package/skills_ref/docx/scripts/office/helpers/merge_runs.py +199 -0
- package/skills_ref/docx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/skills_ref/docx/scripts/office/pack.py +159 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/skills_ref/docx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/skills_ref/docx/scripts/office/soffice.py +183 -0
- package/skills_ref/docx/scripts/office/unpack.py +132 -0
- package/skills_ref/docx/scripts/office/validate.py +111 -0
- package/skills_ref/docx/scripts/office/validators/__init__.py +15 -0
- package/skills_ref/docx/scripts/office/validators/base.py +847 -0
- package/skills_ref/docx/scripts/office/validators/docx.py +446 -0
- package/skills_ref/docx/scripts/office/validators/pptx.py +275 -0
- package/skills_ref/docx/scripts/office/validators/redlining.py +247 -0
- package/skills_ref/docx/scripts/templates/comments.xml +3 -0
- package/skills_ref/docx/scripts/templates/commentsExtended.xml +3 -0
- package/skills_ref/docx/scripts/templates/commentsExtensible.xml +3 -0
- package/skills_ref/docx/scripts/templates/commentsIds.xml +3 -0
- package/skills_ref/docx/scripts/templates/people.xml +3 -0
- package/skills_ref/durable-objects/SKILL.md +186 -0
- package/skills_ref/durable-objects/references/rules.md +286 -0
- package/skills_ref/durable-objects/references/testing.md +264 -0
- package/skills_ref/durable-objects/references/workers.md +346 -0
- package/skills_ref/email-draft-polish/SKILL.md +24 -0
- package/skills_ref/error-message-explainer/SKILL.md +27 -0
- package/skills_ref/fal-image-edit/SKILL.md +249 -0
- package/skills_ref/fal-image-edit/scripts/edit-image.sh +199 -0
- package/skills_ref/figma-implement-design/SKILL.md +264 -0
- package/skills_ref/git-worktrees/SKILL.md +218 -0
- package/skills_ref/github/SKILL.md +210 -0
- package/skills_ref/gog/SKILL.md +116 -0
- package/skills_ref/goplaces/SKILL.md +52 -0
- package/skills_ref/himalaya/SKILL.md +257 -0
- package/skills_ref/hugging-face-cli/SKILL.md +186 -0
- package/skills_ref/hugging-face-cli/references/commands.md +954 -0
- package/skills_ref/hugging-face-cli/references/examples.md +374 -0
- package/skills_ref/hugging-face-evaluation/SKILL.md +651 -0
- package/skills_ref/hugging-face-evaluation/examples/.env.example +7 -0
- package/skills_ref/hugging-face-evaluation/examples/USAGE_EXAMPLES.md +382 -0
- package/skills_ref/hugging-face-evaluation/examples/artificial_analysis_to_hub.py +141 -0
- package/skills_ref/hugging-face-evaluation/examples/example_readme_tables.md +135 -0
- package/skills_ref/hugging-face-evaluation/examples/metric_mapping.json +50 -0
- package/skills_ref/hugging-face-evaluation/requirements.txt +20 -0
- package/skills_ref/hugging-face-evaluation/scripts/evaluation_manager.py +1374 -0
- package/skills_ref/hugging-face-evaluation/scripts/inspect_eval_uv.py +104 -0
- package/skills_ref/hugging-face-evaluation/scripts/inspect_vllm_uv.py +317 -0
- package/skills_ref/hugging-face-evaluation/scripts/lighteval_vllm_uv.py +303 -0
- package/skills_ref/hugging-face-evaluation/scripts/run_eval_job.py +98 -0
- package/skills_ref/hugging-face-evaluation/scripts/run_vllm_eval_job.py +331 -0
- package/skills_ref/hugging-face-evaluation/scripts/test_extraction.py +206 -0
- package/skills_ref/hugging-face-model-trainer/SKILL.md +718 -0
- package/skills_ref/hugging-face-model-trainer/references/gguf_conversion.md +296 -0
- package/skills_ref/hugging-face-model-trainer/references/hardware_guide.md +283 -0
- package/skills_ref/hugging-face-model-trainer/references/hub_saving.md +364 -0
- package/skills_ref/hugging-face-model-trainer/references/reliability_principles.md +371 -0
- package/skills_ref/hugging-face-model-trainer/references/trackio_guide.md +189 -0
- package/skills_ref/hugging-face-model-trainer/references/training_methods.md +150 -0
- package/skills_ref/hugging-face-model-trainer/references/training_patterns.md +203 -0
- package/skills_ref/hugging-face-model-trainer/references/troubleshooting.md +282 -0
- package/skills_ref/hugging-face-model-trainer/references/unsloth.md +313 -0
- package/skills_ref/hugging-face-model-trainer/scripts/convert_to_gguf.py +424 -0
- package/skills_ref/hugging-face-model-trainer/scripts/dataset_inspector.py +417 -0
- package/skills_ref/hugging-face-model-trainer/scripts/estimate_cost.py +150 -0
- package/skills_ref/hugging-face-model-trainer/scripts/train_dpo_example.py +106 -0
- package/skills_ref/hugging-face-model-trainer/scripts/train_grpo_example.py +89 -0
- package/skills_ref/hugging-face-model-trainer/scripts/train_sft_example.py +122 -0
- package/skills_ref/hugging-face-model-trainer/scripts/unsloth_sft_example.py +512 -0
- package/skills_ref/imagegen/SKILL.md +174 -0
- package/skills_ref/insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills_ref/insecure-defaults/README.md +45 -0
- package/skills_ref/insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills_ref/insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills_ref/jupyter-notebook/SKILL.md +107 -0
- package/skills_ref/linear/SKILL.md +87 -0
- package/skills_ref/linter-fix-guide/SKILL.md +27 -0
- package/skills_ref/log-summarizer/SKILL.md +27 -0
- package/skills_ref/mcp-builder/LICENSE.txt +202 -0
- package/skills_ref/mcp-builder/SKILL.md +236 -0
- package/skills_ref/mcp-builder/reference/evaluation.md +602 -0
- package/skills_ref/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/skills_ref/mcp-builder/reference/node_mcp_server.md +970 -0
- package/skills_ref/mcp-builder/reference/python_mcp_server.md +719 -0
- package/skills_ref/mcp-builder/scripts/connections.py +151 -0
- package/skills_ref/mcp-builder/scripts/evaluation.py +373 -0
- package/skills_ref/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/skills_ref/mcp-builder/scripts/requirements.txt +2 -0
- package/skills_ref/memory/SKILL.md +129 -0
- package/skills_ref/modern-python/.claude-plugin/plugin.json +10 -0
- package/skills_ref/modern-python/README.md +66 -0
- package/skills_ref/modern-python/hooks/hooks.json +16 -0
- package/skills_ref/modern-python/hooks/setup-shims.bats +70 -0
- package/skills_ref/modern-python/hooks/setup-shims.sh +24 -0
- package/skills_ref/modern-python/hooks/shims/pip +27 -0
- package/skills_ref/modern-python/hooks/shims/pip-shim.bats +45 -0
- package/skills_ref/modern-python/hooks/shims/pip3 +27 -0
- package/skills_ref/modern-python/hooks/shims/pipx +41 -0
- package/skills_ref/modern-python/hooks/shims/pipx-shim.bats +64 -0
- package/skills_ref/modern-python/hooks/shims/python +26 -0
- package/skills_ref/modern-python/hooks/shims/python-shim.bats +53 -0
- package/skills_ref/modern-python/hooks/shims/python3 +26 -0
- package/skills_ref/modern-python/hooks/shims/uv +27 -0
- package/skills_ref/modern-python/hooks/shims/uv-shim.bats +47 -0
- package/skills_ref/modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills_ref/modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills_ref/modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills_ref/modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills_ref/modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills_ref/modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills_ref/modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills_ref/modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills_ref/modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills_ref/modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills_ref/modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills_ref/modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills_ref/nano-banana-pro/SKILL.md +58 -0
- package/skills_ref/netlify-deploy/SKILL.md +233 -0
- package/skills_ref/notion/SKILL.md +304 -0
- package/skills_ref/notion-knowledge-capture/SKILL.md +56 -0
- package/skills_ref/notion-meeting-intelligence/SKILL.md +60 -0
- package/skills_ref/notion-research-documentation/SKILL.md +59 -0
- package/skills_ref/notion-spec-to-implementation/SKILL.md +58 -0
- package/skills_ref/obsidian/SKILL.md +81 -0
- package/skills_ref/openai-docs/SKILL.md +56 -0
- package/skills_ref/openhue/SKILL.md +112 -0
- package/skills_ref/pdf/SKILL.md +69 -0
- package/skills_ref/postgres/README.md +77 -0
- package/skills_ref/postgres/SKILL.md +129 -0
- package/skills_ref/postgres/connections.example.json +34 -0
- package/skills_ref/postgres/requirements.txt +1 -0
- package/skills_ref/postgres/scripts/query.py +262 -0
- package/skills_ref/pptx/LICENSE.txt +30 -0
- package/skills_ref/pptx/SKILL.md +232 -0
- package/skills_ref/pptx/editing.md +205 -0
- package/skills_ref/pptx/pptxgenjs.md +420 -0
- package/skills_ref/pptx/scripts/__init__.py +0 -0
- package/skills_ref/pptx/scripts/add_slide.py +195 -0
- package/skills_ref/pptx/scripts/clean.py +286 -0
- package/skills_ref/pptx/scripts/office/helpers/__init__.py +0 -0
- package/skills_ref/pptx/scripts/office/helpers/merge_runs.py +199 -0
- package/skills_ref/pptx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/skills_ref/pptx/scripts/office/pack.py +159 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/skills_ref/pptx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/skills_ref/pptx/scripts/office/soffice.py +183 -0
- package/skills_ref/pptx/scripts/office/unpack.py +132 -0
- package/skills_ref/pptx/scripts/office/validate.py +111 -0
- package/skills_ref/pptx/scripts/office/validators/__init__.py +15 -0
- package/skills_ref/pptx/scripts/office/validators/base.py +847 -0
- package/skills_ref/pptx/scripts/office/validators/docx.py +446 -0
- package/skills_ref/pptx/scripts/office/validators/pptx.py +275 -0
- package/skills_ref/pptx/scripts/office/validators/redlining.py +247 -0
- package/skills_ref/pptx/scripts/thumbnail.py +289 -0
- package/skills_ref/property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills_ref/property-based-testing/README.md +47 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/SKILL.md +123 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/generating.md +204 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/interpreting-failures.md +239 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills_ref/react-best-practices/AGENTS.md +2934 -0
- package/skills_ref/react-best-practices/README.md +123 -0
- package/skills_ref/react-best-practices/SKILL.md +136 -0
- package/skills_ref/react-best-practices/metadata.json +15 -0
- package/skills_ref/react-best-practices/rules/_sections.md +46 -0
- package/skills_ref/react-best-practices/rules/_template.md +28 -0
- package/skills_ref/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/skills_ref/react-best-practices/rules/advanced-init-once.md +42 -0
- package/skills_ref/react-best-practices/rules/advanced-use-latest.md +39 -0
- package/skills_ref/react-best-practices/rules/async-api-routes.md +38 -0
- package/skills_ref/react-best-practices/rules/async-defer-await.md +80 -0
- package/skills_ref/react-best-practices/rules/async-dependencies.md +51 -0
- package/skills_ref/react-best-practices/rules/async-parallel.md +28 -0
- package/skills_ref/react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/skills_ref/react-best-practices/rules/bundle-barrel-imports.md +59 -0
- package/skills_ref/react-best-practices/rules/bundle-conditional.md +31 -0
- package/skills_ref/react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/skills_ref/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/skills_ref/react-best-practices/rules/bundle-preload.md +50 -0
- package/skills_ref/react-best-practices/rules/client-event-listeners.md +74 -0
- package/skills_ref/react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/skills_ref/react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/skills_ref/react-best-practices/rules/client-swr-dedup.md +56 -0
- package/skills_ref/react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/skills_ref/react-best-practices/rules/js-cache-function-results.md +80 -0
- package/skills_ref/react-best-practices/rules/js-cache-property-access.md +28 -0
- package/skills_ref/react-best-practices/rules/js-cache-storage.md +70 -0
- package/skills_ref/react-best-practices/rules/js-combine-iterations.md +32 -0
- package/skills_ref/react-best-practices/rules/js-early-exit.md +50 -0
- package/skills_ref/react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/skills_ref/react-best-practices/rules/js-index-maps.md +37 -0
- package/skills_ref/react-best-practices/rules/js-length-check-first.md +49 -0
- package/skills_ref/react-best-practices/rules/js-min-max-loop.md +82 -0
- package/skills_ref/react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/skills_ref/react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/skills_ref/react-best-practices/rules/rendering-activity.md +26 -0
- package/skills_ref/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/skills_ref/react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/skills_ref/react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/skills_ref/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/skills_ref/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/skills_ref/react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/skills_ref/react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/skills_ref/react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/skills_ref/react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/skills_ref/react-best-practices/rules/rerender-dependencies.md +45 -0
- package/skills_ref/react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/skills_ref/react-best-practices/rules/rerender-derived-state.md +29 -0
- package/skills_ref/react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/skills_ref/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/skills_ref/react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/skills_ref/react-best-practices/rules/rerender-memo.md +44 -0
- package/skills_ref/react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/skills_ref/react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/skills_ref/react-best-practices/rules/rerender-transitions.md +40 -0
- package/skills_ref/react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/skills_ref/react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/skills_ref/react-best-practices/rules/server-auth-actions.md +96 -0
- package/skills_ref/react-best-practices/rules/server-cache-lru.md +41 -0
- package/skills_ref/react-best-practices/rules/server-cache-react.md +76 -0
- package/skills_ref/react-best-practices/rules/server-dedup-props.md +65 -0
- package/skills_ref/react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/skills_ref/react-best-practices/rules/server-serialization.md +38 -0
- package/skills_ref/receiving-code-review/SKILL.md +213 -0
- package/skills_ref/registry.json +1493 -0
- package/skills_ref/render-deploy/SKILL.md +462 -0
- package/skills_ref/requesting-code-review/SKILL.md +105 -0
- package/skills_ref/requesting-code-review/code-reviewer.md +146 -0
- package/skills_ref/screen-capture/SKILL.md +162 -0
- package/skills_ref/security-best-practices/LICENSE.txt +201 -0
- package/skills_ref/security-best-practices/SKILL.md +86 -0
- package/skills_ref/security-best-practices/agents/openai.yaml +4 -0
- package/skills_ref/security-best-practices/references/golang-general-backend-security.md +826 -0
- package/skills_ref/security-best-practices/references/javascript-express-web-server-security.md +1158 -0
- package/skills_ref/security-best-practices/references/javascript-general-web-frontend-security.md +747 -0
- package/skills_ref/security-best-practices/references/javascript-jquery-web-frontend-security.md +678 -0
- package/skills_ref/security-best-practices/references/javascript-typescript-nextjs-web-server-security.md +1144 -0
- package/skills_ref/security-best-practices/references/javascript-typescript-react-web-frontend-security.md +990 -0
- package/skills_ref/security-best-practices/references/javascript-typescript-vue-web-frontend-security.md +791 -0
- package/skills_ref/security-best-practices/references/python-django-web-server-security.md +882 -0
- package/skills_ref/security-best-practices/references/python-fastapi-web-server-security.md +1036 -0
- package/skills_ref/security-best-practices/references/python-flask-web-server-security.md +705 -0
- package/skills_ref/security-ownership-map/LICENSE.txt +201 -0
- package/skills_ref/security-ownership-map/SKILL.md +206 -0
- package/skills_ref/security-ownership-map/agents/openai.yaml +4 -0
- package/skills_ref/security-ownership-map/references/neo4j-import.md +60 -0
- package/skills_ref/security-ownership-map/scripts/build_ownership_map.py +956 -0
- package/skills_ref/security-ownership-map/scripts/community_maintainers.py +544 -0
- package/skills_ref/security-ownership-map/scripts/query_ownership.py +483 -0
- package/skills_ref/security-ownership-map/scripts/run_ownership_map.py +200 -0
- package/skills_ref/security-threat-model/LICENSE.txt +201 -0
- package/skills_ref/security-threat-model/SKILL.md +81 -0
- package/skills_ref/security-threat-model/agents/openai.yaml +4 -0
- package/skills_ref/security-threat-model/references/prompt-template.md +255 -0
- package/skills_ref/security-threat-model/references/security-controls-and-assets.md +32 -0
- package/skills_ref/sentry/SKILL.md +123 -0
- package/skills_ref/skill-creator/SKILL.md +372 -0
- package/skills_ref/sora/SKILL.md +153 -0
- package/skills_ref/speech/SKILL.md +144 -0
- package/skills_ref/spotify-player/SKILL.md +64 -0
- package/skills_ref/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills_ref/static-analysis/README.md +65 -0
- package/skills_ref/static-analysis/agents/semgrep-scanner.md +71 -0
- package/skills_ref/static-analysis/agents/semgrep-triager.md +107 -0
- package/skills_ref/static-analysis/skills/codeql/SKILL.md +119 -0
- package/skills_ref/static-analysis/skills/codeql/references/diagnostic-query-templates.md +339 -0
- package/skills_ref/static-analysis/skills/codeql/references/language-details.md +207 -0
- package/skills_ref/static-analysis/skills/codeql/references/performance-tuning.md +111 -0
- package/skills_ref/static-analysis/skills/codeql/references/ruleset-catalog.md +63 -0
- package/skills_ref/static-analysis/skills/codeql/references/threat-models.md +44 -0
- package/skills_ref/static-analysis/skills/codeql/workflows/build-database.md +669 -0
- package/skills_ref/static-analysis/skills/codeql/workflows/create-data-extensions.md +536 -0
- package/skills_ref/static-analysis/skills/codeql/workflows/run-analysis.md +436 -0
- package/skills_ref/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills_ref/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills_ref/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills_ref/static-analysis/skills/semgrep/SKILL.md +431 -0
- package/skills_ref/static-analysis/skills/semgrep/references/rulesets.md +162 -0
- package/skills_ref/static-analysis/skills/semgrep/references/scanner-task-prompt.md +102 -0
- package/skills_ref/static-analysis/skills/semgrep/references/triage-task-prompt.md +122 -0
- package/skills_ref/static-analysis/skills/semgrep/scripts/merge_triaged_sarif.py +252 -0
- package/skills_ref/summarize/SKILL.md +87 -0
- package/skills_ref/tdd/SKILL.md +371 -0
- package/skills_ref/tdd/testing-anti-patterns.md +299 -0
- package/skills_ref/telegram-send/SKILL.md +99 -0
- package/skills_ref/terraform/README.md +105 -0
- package/skills_ref/terraform/code-generation/.claude-plugin/plugin.json +30 -0
- package/skills_ref/terraform/code-generation/skills/azure-verified-modules/SKILL.md +613 -0
- package/skills_ref/terraform/code-generation/skills/terraform-style-guide/SKILL.md +353 -0
- package/skills_ref/terraform/code-generation/skills/terraform-test/SKILL.md +1669 -0
- package/skills_ref/terraform/module-generation/.claude-plugin/plugin.json +30 -0
- package/skills_ref/terraform/module-generation/skills/refactor-module/SKILL.md +538 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/SKILL.md +468 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/api-monitoring.md +543 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/component-blocks.md +476 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/deployment-blocks.md +391 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/examples.md +1529 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/linked-stacks.md +187 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/troubleshooting.md +671 -0
- package/skills_ref/terraform/provider-development/.claude-plugin/plugin.json +13 -0
- package/skills_ref/terraform/provider-development/skills/new-terraform-provider/SKILL.md +25 -0
- package/skills_ref/terraform/provider-development/skills/new-terraform-provider/assets/main.go +40 -0
- package/skills_ref/terraform/provider-development/skills/provider-actions/SKILL.md +478 -0
- package/skills_ref/terraform/provider-development/skills/provider-resources/SKILL.md +599 -0
- package/skills_ref/terraform/provider-development/skills/run-acceptance-tests/SKILL.md +41 -0
- package/skills_ref/theme-factory/LICENSE.txt +202 -0
- package/skills_ref/theme-factory/SKILL.md +59 -0
- package/skills_ref/theme-factory/theme-showcase.pdf +0 -0
- package/skills_ref/theme-factory/themes/arctic-frost.md +19 -0
- package/skills_ref/theme-factory/themes/botanical-garden.md +19 -0
- package/skills_ref/theme-factory/themes/desert-rose.md +19 -0
- package/skills_ref/theme-factory/themes/forest-canopy.md +19 -0
- package/skills_ref/theme-factory/themes/golden-hour.md +19 -0
- package/skills_ref/theme-factory/themes/midnight-galaxy.md +19 -0
- package/skills_ref/theme-factory/themes/modern-minimalist.md +19 -0
- package/skills_ref/theme-factory/themes/ocean-depths.md +19 -0
- package/skills_ref/theme-factory/themes/sunset-boulevard.md +19 -0
- package/skills_ref/theme-factory/themes/tech-innovation.md +19 -0
- package/skills_ref/things-mac/SKILL.md +86 -0
- package/skills_ref/tmux/SKILL.md +153 -0
- package/skills_ref/transcribe/SKILL.md +81 -0
- package/skills_ref/trello/SKILL.md +95 -0
- package/skills_ref/tts/SKILL.md +99 -0
- package/skills_ref/vercel-deploy/SKILL.md +115 -0
- package/skills_ref/video-downloader/SKILL.md +99 -0
- package/skills_ref/video-downloader/scripts/download_video.py +145 -0
- package/skills_ref/video-frames/SKILL.md +46 -0
- package/skills_ref/vision-click/SKILL.md +128 -0
- package/skills_ref/weather/SKILL.md +112 -0
- package/skills_ref/web-artifacts-builder/LICENSE.txt +202 -0
- package/skills_ref/web-artifacts-builder/SKILL.md +74 -0
- package/skills_ref/web-artifacts-builder/scripts/bundle-artifact.sh +54 -0
- package/skills_ref/web-artifacts-builder/scripts/init-artifact.sh +322 -0
- package/skills_ref/web-artifacts-builder/scripts/shadcn-components.tar.gz +0 -0
- package/skills_ref/web-perf/SKILL.md +193 -0
- package/skills_ref/web-routing/SKILL.md +26 -0
- package/skills_ref/whatsapp/SKILL.md +255 -0
- package/skills_ref/whatsapp/assets/agent-app-integration-example.json +35 -0
- package/skills_ref/whatsapp/assets/databases-example.json +11 -0
- package/skills_ref/whatsapp/assets/function-decide-route-interactive-buttons.json +6 -0
- package/skills_ref/whatsapp/assets/functions-example.json +5 -0
- package/skills_ref/whatsapp/assets/workflow-agent-simple.json +31 -0
- package/skills_ref/whatsapp/assets/workflow-api-template-wait-agent.json +59 -0
- package/skills_ref/whatsapp/assets/workflow-customer-support-intake-agent.json +56 -0
- package/skills_ref/whatsapp/assets/workflow-decision.json +83 -0
- package/skills_ref/whatsapp/assets/workflow-interactive-buttons-decide-ai.json +89 -0
- package/skills_ref/whatsapp/assets/workflow-interactive-buttons-decide-function.json +88 -0
- package/skills_ref/whatsapp/assets/workflow-linear.json +53 -0
- package/skills_ref/whatsapp/package.json +10 -0
- package/skills_ref/whatsapp/references/app-integrations.md +89 -0
- package/skills_ref/whatsapp/references/databases-reference.md +21 -0
- package/skills_ref/whatsapp/references/execution-context.md +42 -0
- package/skills_ref/whatsapp/references/function-contracts.md +55 -0
- package/skills_ref/whatsapp/references/functions-payloads.md +87 -0
- package/skills_ref/whatsapp/references/functions-reference.md +133 -0
- package/skills_ref/whatsapp/references/graph-contract.md +145 -0
- package/skills_ref/whatsapp/references/node-types.md +430 -0
- package/skills_ref/whatsapp/references/triggers.md +20 -0
- package/skills_ref/whatsapp/references/workflow-overview.md +22 -0
- package/skills_ref/whatsapp/references/workflow-reference.md +123 -0
- package/skills_ref/whatsapp/scripts/configure-prop.js +113 -0
- package/skills_ref/whatsapp/scripts/create-connect-token.js +38 -0
- package/skills_ref/whatsapp/scripts/create-function.js +64 -0
- package/skills_ref/whatsapp/scripts/create-integration.js +137 -0
- package/skills_ref/whatsapp/scripts/create-row.js +47 -0
- package/skills_ref/whatsapp/scripts/create-trigger.js +88 -0
- package/skills_ref/whatsapp/scripts/create-workflow.js +85 -0
- package/skills_ref/whatsapp/scripts/delete-integration.js +44 -0
- package/skills_ref/whatsapp/scripts/delete-row.js +49 -0
- package/skills_ref/whatsapp/scripts/delete-trigger.js +44 -0
- package/skills_ref/whatsapp/scripts/deploy-function.js +47 -0
- package/skills_ref/whatsapp/scripts/edit-graph.js +289 -0
- package/skills_ref/whatsapp/scripts/get-action-schema.js +44 -0
- package/skills_ref/whatsapp/scripts/get-context-value.js +80 -0
- package/skills_ref/whatsapp/scripts/get-execution-event.js +55 -0
- package/skills_ref/whatsapp/scripts/get-execution.js +44 -0
- package/skills_ref/whatsapp/scripts/get-function.js +43 -0
- package/skills_ref/whatsapp/scripts/get-graph.js +85 -0
- package/skills_ref/whatsapp/scripts/get-table.js +45 -0
- package/skills_ref/whatsapp/scripts/get-workflow.js +44 -0
- package/skills_ref/whatsapp/scripts/invoke-function.js +60 -0
- package/skills_ref/whatsapp/scripts/lib/databases/args.js +87 -0
- package/skills_ref/whatsapp/scripts/lib/databases/filters.js +30 -0
- package/skills_ref/whatsapp/scripts/lib/databases/kapso-api.js +70 -0
- package/skills_ref/whatsapp/scripts/lib/functions/args.js +55 -0
- package/skills_ref/whatsapp/scripts/lib/functions/kapso-api.js +70 -0
- package/skills_ref/whatsapp/scripts/lib/workflows/args.js +53 -0
- package/skills_ref/whatsapp/scripts/lib/workflows/kapso-api.js +123 -0
- package/skills_ref/whatsapp/scripts/lib/workflows/result.js +16 -0
- package/skills_ref/whatsapp/scripts/list-accounts.js +62 -0
- package/skills_ref/whatsapp/scripts/list-apps.js +42 -0
- package/skills_ref/whatsapp/scripts/list-execution-events.js +61 -0
- package/skills_ref/whatsapp/scripts/list-executions.js +53 -0
- package/skills_ref/whatsapp/scripts/list-function-invocations.js +53 -0
- package/skills_ref/whatsapp/scripts/list-functions.js +41 -0
- package/skills_ref/whatsapp/scripts/list-integrations.js +41 -0
- package/skills_ref/whatsapp/scripts/list-provider-models.js +48 -0
- package/skills_ref/whatsapp/scripts/list-tables.js +41 -0
- package/skills_ref/whatsapp/scripts/list-triggers.js +44 -0
- package/skills_ref/whatsapp/scripts/list-whatsapp-phone-numbers.js +56 -0
- package/skills_ref/whatsapp/scripts/list-workflows.js +44 -0
- package/skills_ref/whatsapp/scripts/openapi-explore.mjs +1273 -0
- package/skills_ref/whatsapp/scripts/query-rows.js +71 -0
- package/skills_ref/whatsapp/scripts/reload-props.js +110 -0
- package/skills_ref/whatsapp/scripts/resume-execution.js +75 -0
- package/skills_ref/whatsapp/scripts/search-actions.js +64 -0
- package/skills_ref/whatsapp/scripts/update-execution-status.js +51 -0
- package/skills_ref/whatsapp/scripts/update-function.js +65 -0
- package/skills_ref/whatsapp/scripts/update-graph.js +154 -0
- package/skills_ref/whatsapp/scripts/update-integration.js +82 -0
- package/skills_ref/whatsapp/scripts/update-row.js +51 -0
- package/skills_ref/whatsapp/scripts/update-trigger.js +60 -0
- package/skills_ref/whatsapp/scripts/update-workflow-settings.js +67 -0
- package/skills_ref/whatsapp/scripts/upsert-row.js +64 -0
- package/skills_ref/whatsapp/scripts/validate-graph.js +293 -0
- package/skills_ref/whatsapp/scripts/variables-delete.js +37 -0
- package/skills_ref/whatsapp/scripts/variables-list.js +55 -0
- package/skills_ref/whatsapp/scripts/variables-set.js +39 -0
- package/skills_ref/writing-plans/SKILL.md +116 -0
- package/skills_ref/xlsx/LICENSE.txt +30 -0
- package/skills_ref/xlsx/SKILL.md +292 -0
- package/skills_ref/xlsx/scripts/office/helpers/__init__.py +0 -0
- package/skills_ref/xlsx/scripts/office/helpers/merge_runs.py +199 -0
- package/skills_ref/xlsx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/skills_ref/xlsx/scripts/office/pack.py +159 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/skills_ref/xlsx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/skills_ref/xlsx/scripts/office/soffice.py +183 -0
- package/skills_ref/xlsx/scripts/office/unpack.py +132 -0
- package/skills_ref/xlsx/scripts/office/validate.py +111 -0
- package/skills_ref/xlsx/scripts/office/validators/__init__.py +15 -0
- package/skills_ref/xlsx/scripts/office/validators/base.py +847 -0
- package/skills_ref/xlsx/scripts/office/validators/docx.py +446 -0
- package/skills_ref/xlsx/scripts/office/validators/pptx.py +275 -0
- package/skills_ref/xlsx/scripts/office/validators/redlining.py +247 -0
- package/skills_ref/xlsx/scripts/recalc.py +184 -0
- package/skills_ref/xurl/SKILL.md +461 -0
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
# Insecure Defaults Detection
|
|
2
|
+
|
|
3
|
+
Security skill for detecting insecure default configurations that create vulnerabilities when applications run with missing or incomplete configuration.
|
|
4
|
+
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
The `insecure-defaults` skill helps identify security vulnerabilities caused by:
|
|
8
|
+
|
|
9
|
+
- **Hardcoded fallback secrets** (JWT keys, API keys, session secrets)
|
|
10
|
+
- **Default credentials** (admin/admin, root/password)
|
|
11
|
+
- **Weak cryptographic defaults** (MD5, DES, ECB mode)
|
|
12
|
+
- **Permissive access control** (CORS *, public by default)
|
|
13
|
+
- **Missing security configuration** that causes fail-open behavior
|
|
14
|
+
|
|
15
|
+
**Critical Distinction:** This skill emphasizes **fail-secure vs. fail-open** behavior. Applications that crash without proper configuration are safe; applications that run with insecure defaults are vulnerable.
|
|
16
|
+
|
|
17
|
+
## Installation
|
|
18
|
+
|
|
19
|
+
```bash
|
|
20
|
+
cd parent-folder/skills
|
|
21
|
+
/plugin install ./plugins/insecure-defaults
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
Or from the plugin marketplace:
|
|
25
|
+
```bash
|
|
26
|
+
/plugin install insecure-defaults
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
## When to Use
|
|
30
|
+
|
|
31
|
+
Use this skill when:
|
|
32
|
+
|
|
33
|
+
- **Security auditing** production applications or services
|
|
34
|
+
- **Configuration review** of deployment manifests (Docker, Kubernetes, IaC)
|
|
35
|
+
- **Pre-production checks** before deploying new services
|
|
36
|
+
- **Code review** of authentication, authorization, or cryptographic code
|
|
37
|
+
- **Environment variable handling** analysis for secrets management
|
|
38
|
+
- **API security review** checking CORS, rate limiting, authentication
|
|
39
|
+
- **Third-party integration** review for hardcoded test credentials
|
|
40
|
+
|
|
41
|
+
## Usage
|
|
42
|
+
|
|
43
|
+
```
|
|
44
|
+
Audit this codebase for insecure defaults—focus on environment variable fallbacks and authentication configuration
|
|
45
|
+
```
|
|
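Review bot: In the Installation section (new lines 19-22 and 25-27), both fences are tagged `bash`, but `/plugin install ...` starts with a slash and appears to be a command entered at the agent's prompt rather than in a shell; pasted into bash it would be resolved as the absolute path `/plugin` and fail. Suggest leaving these fences untagged, as the Usage block on lines 43-45 already is, or moving the `cd` step into its own shell block, and stating where the `/plugin` command is typed. `parent-folder/skills` on line 20 is an unexplained placeholder; name the directory the reader is expected to start from. Separately, line 15 says applications that crash without proper configuration "are safe"; that holds only for this class of finding, so wording such as "fail-secure with respect to missing configuration" would avoid overclaiming.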
@@ -0,0 +1,117 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: insecure-defaults
|
|
3
|
+
description: "Detects fail-open insecure defaults (hardcoded secrets, weak auth, permissive security) that allow apps to run insecurely in production. Use when auditing security, reviewing config management, or analyzing environment variable handling."
|
|
4
|
+
allowed-tools:
|
|
5
|
+
- Read
|
|
6
|
+
- Grep
|
|
7
|
+
- Glob
|
|
8
|
+
- Bash
|
|
9
|
+
---
|
|
10
|
+
|
|
11
|
+
# Insecure Defaults Detection
|
|
12
|
+
|
|
13
|
+
Finds **fail-open** vulnerabilities where apps run insecurely with missing configuration. Distinguishes exploitable defaults from fail-secure patterns that crash safely.
|
|
14
|
+
|
|
15
|
+
- **Fail-open (CRITICAL):** `SECRET = env.get('KEY') or 'default'` → App runs with weak secret
|
|
16
|
+
- **Fail-secure (SAFE):** `SECRET = env['KEY']` → App crashes if missing
|
|
17
|
+
|
|
18
|
+
## When to Use
|
|
19
|
+
|
|
20
|
+
- **Security audits** of production applications (auth, crypto, API security)
|
|
21
|
+
- **Configuration review** of deployment files, IaC templates, Docker configs
|
|
22
|
+
- **Code review** of environment variable handling and secrets management
|
|
23
|
+
- **Pre-deployment checks** for hardcoded credentials or weak defaults
|
|
24
|
+
|
|
25
|
+
## When NOT to Use
|
|
26
|
+
|
|
27
|
+
Do not use this skill for:
|
|
28
|
+
- **Test fixtures** explicitly scoped to test environments (files in `test/`, `spec/`, `__tests__/`)
|
|
29
|
+
- **Example/template files** (`.example`, `.template`, `.sample` suffixes)
|
|
30
|
+
- **Development-only tools** (local Docker Compose for dev, debug scripts)
|
|
31
|
+
- **Documentation examples** in README.md or docs/ directories
|
|
32
|
+
- **Build-time configuration** that gets replaced during deployment
|
|
33
|
+
- **Crash-on-missing behavior** where app won't start without proper config (fail-secure)
|
|
34
|
+
|
|
35
|
+
When in doubt: trace the code path to determine if the app runs with the default or crashes.
|
|
36
|
+
|
|
37
|
+
## Rationalizations to Reject
|
|
38
|
+
|
|
39
|
+
- **"It's just a development default"** → If it reaches production code, it's a finding
|
|
40
|
+
- **"The production config overrides it"** → Verify prod config exists; code-level vulnerability remains if not
|
|
41
|
+
- **"This would never run without proper config"** → Prove it with code trace; many apps fail silently
|
|
42
|
+
- **"It's behind authentication"** → Defense in depth; compromised session still exploits weak defaults
|
|
43
|
+
- **"We'll fix it before release"** → Document now; "later" rarely comes
|
|
44
|
+
|
|
45
|
+
## Workflow
|
|
46
|
+
|
|
47
|
+
Follow this workflow for every potential finding:
|
|
48
|
+
|
|
49
|
+
### 1. SEARCH: Perform Project Discovery and Find Insecure Defaults
|
|
50
|
+
|
|
51
|
+
Determine language, framework, and project conventions. Use this information to further discover things like secret storage locations, secret usage patterns, credentialed third-party integrations, cryptography, and any other relevant configuration. Further use information to analyze insecure default configurations.
|
|
52
|
+
|
|
53
|
+
**Example**
|
|
54
|
+
Search for patterns in `**/config/`, `**/auth/`, `**/database/`, and env files:
|
|
55
|
+
- **Fallback secrets:** `getenv.*\) or ['"]`, `process\.env\.[A-Z_]+ \|\| ['"]`, `ENV\.fetch.*default:`
|
|
56
|
+
- **Hardcoded credentials:** `password.*=.*['"][^'"]{8,}['"]`, `api[_-]?key.*=.*['"][^'"]+['"]`
|
|
57
|
+
- **Weak defaults:** `DEBUG.*=.*true`, `AUTH.*=.*false`, `CORS.*=.*\*`
|
|
58
|
+
- **Crypto algorithms:** `MD5|SHA1|DES|RC4|ECB` in security contexts
|
|
59
|
+
|
|
60
|
+
Tailor search approach based on discovery results.
|
|
61
|
+
|
|
62
|
+
Focus on production-reachable code, not test fixtures or example files.
|
|
63
|
+
|
|
64
|
+
### 2. VERIFY: Actual Behavior
|
|
65
|
+
For each match, trace the code path to understand runtime behavior.
|
|
66
|
+
|
|
67
|
+
**Questions to answer:**
|
|
68
|
+
- When is this code executed? (Startup vs. runtime)
|
|
69
|
+
- What happens if a configuration variable is missing?
|
|
70
|
+
- Is there validation that enforces secure configuration?
|
|
71
|
+
|
|
72
|
+
### 3. CONFIRM: Production Impact
|
|
73
|
+
Determine if this issue reaches production:
|
|
74
|
+
|
|
75
|
+
If production config provides the variable → Lower severity (but still a code-level vulnerability)
|
|
76
|
+
If production config missing or uses default → CRITICAL
|
|
77
|
+
|
|
78
|
+
### 4. REPORT: with Evidence
|
|
79
|
+
|
|
80
|
+
**Example report:**
|
|
81
|
+
```
|
|
82
|
+
Finding: Hardcoded JWT Secret Fallback
|
|
83
|
+
Location: src/auth/jwt.ts:15
|
|
84
|
+
Pattern: const secret = process.env.JWT_SECRET || 'default';
|
|
85
|
+
|
|
86
|
+
Verification: App starts without JWT_SECRET; secret used in jwt.sign() at line 42
|
|
87
|
+
Production Impact: Dockerfile missing JWT_SECRET
|
|
88
|
+
Exploitation: Attacker forges JWTs using 'default', gains unauthorized access
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
## Quick Verification Checklist
|
|
92
|
+
|
|
93
|
+
**Fallback Secrets:** `SECRET = env.get(X) or Y`
|
|
94
|
+
→ Verify: App starts without env var? Secret used in crypto/auth?
|
|
95
|
+
→ Skip: Test fixtures, example files
|
|
96
|
+
|
|
97
|
+
**Default Credentials:** Hardcoded `username`/`password` pairs
|
|
98
|
+
→ Verify: Active in deployed config? No runtime override?
|
|
99
|
+
→ Skip: Disabled accounts, documentation examples
|
|
100
|
+
|
|
101
|
+
**Fail-Open Security:** `AUTH_REQUIRED = env.get(X, 'false')`
|
|
102
|
+
→ Verify: Default is insecure (false/disabled/permissive)?
|
|
103
|
+
→ Safe: App crashes or default is secure (true/enabled/restricted)
|
|
104
|
+
|
|
105
|
+
**Weak Crypto:** MD5/SHA1/DES/RC4/ECB in security contexts
|
|
106
|
+
→ Verify: Used for passwords, encryption, or tokens?
|
|
107
|
+
→ Skip: Checksums, non-security hashing
|
|
108
|
+
|
|
109
|
+
**Permissive Access:** CORS `*`, permissions `0777`, public-by-default
|
|
110
|
+
→ Verify: Default allows unauthorized access?
|
|
111
|
+
→ Skip: Explicitly configured permissiveness with justification
|
|
112
|
+
|
|
113
|
+
**Debug Features:** Stack traces, introspection, verbose errors
|
|
114
|
+
→ Verify: Enabled by default? Exposed in responses?
|
|
115
|
+
→ Skip: Logging-only, not user-facing
|
|
116
|
+
|
|
117
|
+
For detailed examples and counter-examples, see [examples.md](references/examples.md).
|
|
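Review bot: The fallback-secret patterns in the step 1 search list (new-file line 55) miss the two-argument default form that the checklist in this same file uses as its example. `getenv.*\) or ['"]` only catches a trailing `or '...'`, so `AUTH_REQUIRED = env.get(X, 'false')` (line 101) and any `getenv('KEY', 'default')` style call go unmatched, and `process\.env\.[A-Z_]+ \|\| ['"]` skips variable names containing digits and the `??` operator. Suggest adding a pattern for a quoted second argument to `getenv`/`environ.get`, widening the name class to `[A-Z0-9_]+`, and stating which regex dialect the patterns assume, since `\|` and `+` mean different things in basic and extended grep syntax. Separately, the example report cites `Dockerfile missing JWT_SECRET` as production impact (line 87); a secret being absent from a Dockerfile does not by itself show that the deployed environment lacks it, so the evidence line should name the deployment configuration that was actually checked.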
@@ -0,0 +1,409 @@
|
|
|
1
|
+
# Insecure Defaults: Examples and Counter-Examples
|
|
2
|
+
|
|
3
|
+
This document provides detailed examples for each category in the Quick Verification Checklist, showing both vulnerable patterns (report these) and secure patterns (skip these).
|
|
4
|
+
|
|
5
|
+
## Fallback Secrets
|
|
6
|
+
|
|
7
|
+
### ❌ VULNERABLE - Report These
|
|
8
|
+
|
|
9
|
+
**Python: Environment variable with fallback**
|
|
10
|
+
```python
|
|
11
|
+
# File: src/auth/jwt.py
|
|
12
|
+
SECRET_KEY = os.environ.get('SECRET_KEY', 'dev-secret-key-123')
|
|
13
|
+
|
|
14
|
+
# Used in security context
|
|
15
|
+
def create_token(user_id):
|
|
16
|
+
return jwt.encode({'user_id': user_id}, SECRET_KEY, algorithm='HS256')
|
|
17
|
+
```
|
|
18
|
+
**Why vulnerable:** App runs with known secret if `SECRET_KEY` is missing. Attacker can forge tokens.
|
|
19
|
+
|
|
20
|
+
**JavaScript: Logical OR fallback**
|
|
21
|
+
```javascript
|
|
22
|
+
// File: config/database.js
|
|
23
|
+
const DB_PASSWORD = process.env.DB_PASSWORD || 'admin123';
|
|
24
|
+
|
|
25
|
+
const pool = new Pool({
|
|
26
|
+
user: 'admin',
|
|
27
|
+
password: DB_PASSWORD,
|
|
28
|
+
database: 'production'
|
|
29
|
+
});
|
|
30
|
+
```
|
|
31
|
+
**Why vulnerable:** Database accepts hardcoded password in production if env var missing.
|
|
32
|
+
|
|
33
|
+
**Ruby: fetch with default**
|
|
34
|
+
```ruby
|
|
35
|
+
# File: config/secrets.rb
|
|
36
|
+
Rails.application.credentials.secret_key_base =
|
|
37
|
+
ENV.fetch('SECRET_KEY_BASE', 'fallback-secret-base')
|
|
38
|
+
```
|
|
39
|
+
**Why vulnerable:** Rails session encryption uses weak known key as fallback.
|
|
40
|
+
|
|
41
|
+
### ✅ SECURE - Skip These
|
|
42
|
+
|
|
43
|
+
**Fail-secure: Crashes without config**
|
|
44
|
+
```python
|
|
45
|
+
# File: src/auth/jwt.py
|
|
46
|
+
SECRET_KEY = os.environ['SECRET_KEY'] # Raises KeyError if missing
|
|
47
|
+
|
|
48
|
+
# App won't start without SECRET_KEY - fail-secure
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
**Explicit validation**
|
|
52
|
+
```javascript
|
|
53
|
+
// File: config/database.js
|
|
54
|
+
if (!process.env.DB_PASSWORD) {
|
|
55
|
+
throw new Error('DB_PASSWORD environment variable required');
|
|
56
|
+
}
|
|
57
|
+
const DB_PASSWORD = process.env.DB_PASSWORD;
|
|
58
|
+
```
|
|
59
|
+
|
|
60
|
+
**Test fixtures (clearly scoped)**
|
|
61
|
+
```python
|
|
62
|
+
# File: tests/fixtures/auth.py
|
|
63
|
+
TEST_SECRET = 'test-secret-key-123' # OK - test-only
|
|
64
|
+
|
|
65
|
+
# Usage in test
|
|
66
|
+
def test_token_creation():
|
|
67
|
+
token = create_token('user1', secret=TEST_SECRET)
|
|
68
|
+
```
|
|
69
|
+
|
|
70
|
+
---
|
|
71
|
+
|
|
72
|
+
## Default Credentials
|
|
73
|
+
|
|
74
|
+
### ❌ VULNERABLE - Report These
|
|
75
|
+
|
|
76
|
+
**Hardcoded admin account**
|
|
77
|
+
```python
|
|
78
|
+
# File: src/models/user.py
|
|
79
|
+
def bootstrap_admin():
|
|
80
|
+
"""Create default admin account if none exists"""
|
|
81
|
+
if not User.query.filter_by(role='admin').first():
|
|
82
|
+
admin = User(
|
|
83
|
+
username='admin',
|
|
84
|
+
password=hash_password('admin123'),
|
|
85
|
+
role='admin'
|
|
86
|
+
)
|
|
87
|
+
db.session.add(admin)
|
|
88
|
+
db.session.commit()
|
|
89
|
+
```
|
|
90
|
+
**Why vulnerable:** Default admin account created on first run with known credentials.
|
|
91
|
+
|
|
92
|
+
**API key in code**
|
|
93
|
+
```javascript
|
|
94
|
+
// File: src/integrations/payment.js
|
|
95
|
+
const STRIPE_API_KEY = process.env.STRIPE_KEY || 'sk_tes...';
|
|
96
|
+
|
|
97
|
+
const stripe = require('stripe')(STRIPE_API_KEY);
|
|
98
|
+
```
|
|
99
|
+
**Why vulnerable:** Uses test API key if env var missing. Might reach production.
|
|
100
|
+
|
|
101
|
+
**Database connection string**
|
|
102
|
+
```java
|
|
103
|
+
// File: DatabaseConfig.java
|
|
104
|
+
private static final String DB_URL = System.getenv().getOrDefault(
|
|
105
|
+
"DATABASE_URL",
|
|
106
|
+
"postgresql://admin:password@localhost:5432/prod"
|
|
107
|
+
);
|
|
108
|
+
```
|
|
109
|
+
**Why vulnerable:** Hardcoded database credentials as fallback.
|
|
110
|
+
|
|
111
|
+
### ✅ SECURE - Skip These
|
|
112
|
+
|
|
113
|
+
**Disabled default account**
|
|
114
|
+
```python
|
|
115
|
+
# File: src/models/user.py
|
|
116
|
+
def bootstrap_admin():
|
|
117
|
+
"""Admin account MUST be configured via environment"""
|
|
118
|
+
username = os.environ['ADMIN_USERNAME']
|
|
119
|
+
password = os.environ['ADMIN_PASSWORD']
|
|
120
|
+
|
|
121
|
+
if not User.query.filter_by(username=username).first():
|
|
122
|
+
admin = User(username=username, password=hash_password(password), role='admin')
|
|
123
|
+
db.session.add(admin)
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
**Example/documentation credentials**
|
|
127
|
+
```bash
|
|
128
|
+
# File: README.md
|
|
129
|
+
## Setup
|
|
130
|
+
|
|
131
|
+
Configure your API key:
|
|
132
|
+
```bash
|
|
133
|
+
export STRIPE_KEY='sk_tes...' # Example only
|
|
134
|
+
```
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
**Test fixture credentials**
|
|
138
|
+
```python
|
|
139
|
+
# File: tests/conftest.py
|
|
140
|
+
@pytest.fixture
|
|
141
|
+
def test_user():
|
|
142
|
+
return User(username='test_user', password='test_pass') # OK - test scope
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
---
|
|
146
|
+
|
|
147
|
+
## Fail-Open Security
|
|
148
|
+
|
|
149
|
+
### ❌ VULNERABLE - Report These
|
|
150
|
+
|
|
151
|
+
**Authentication disabled by default**
|
|
152
|
+
```python
|
|
153
|
+
# File: config/security.py
|
|
154
|
+
REQUIRE_AUTH = os.getenv('REQUIRE_AUTH', 'false').lower() == 'true'
|
|
155
|
+
|
|
156
|
+
@app.before_request
|
|
157
|
+
def check_auth():
|
|
158
|
+
if not REQUIRE_AUTH:
|
|
159
|
+
return # Skip auth check
|
|
160
|
+
# ... auth logic
|
|
161
|
+
```
|
|
162
|
+
**Why vulnerable:** Default is no authentication. App runs insecurely if env var missing.
|
|
163
|
+
|
|
164
|
+
**CORS allows all origins**
|
|
165
|
+
```javascript
|
|
166
|
+
// File: server.js
|
|
167
|
+
const allowedOrigins = process.env.ALLOWED_ORIGINS || '*';
|
|
168
|
+
|
|
169
|
+
app.use(cors({ origin: allowedOrigins }));
|
|
170
|
+
```
|
|
171
|
+
**Why vulnerable:** Default allows requests from any origin. XSS/CSRF risk.
|
|
172
|
+
|
|
173
|
+
**Debug mode enabled by default**
|
|
174
|
+
```python
|
|
175
|
+
# File: config.py
|
|
176
|
+
DEBUG = os.getenv('DEBUG', 'true').lower() != 'false' # Default: true
|
|
177
|
+
|
|
178
|
+
if DEBUG:
|
|
179
|
+
app.config['DEBUG'] = True
|
|
180
|
+
app.config['PROPAGATE_EXCEPTIONS'] = True
|
|
181
|
+
```
|
|
182
|
+
**Why vulnerable:** Debug mode default. Stack traces leak sensitive info in production.
|
|
183
|
+
|
|
184
|
+
### ✅ SECURE - Skip These
|
|
185
|
+
|
|
186
|
+
**Authentication required by default**
|
|
187
|
+
```python
|
|
188
|
+
# File: config/security.py
|
|
189
|
+
REQUIRE_AUTH = os.getenv('REQUIRE_AUTH', 'true').lower() == 'true' # Default: true
|
|
190
|
+
|
|
191
|
+
# Or better - crash if not explicitly configured
|
|
192
|
+
REQUIRE_AUTH = os.environ['REQUIRE_AUTH'].lower() == 'true'
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
**CORS requires explicit configuration**
|
|
196
|
+
```javascript
|
|
197
|
+
// File: server.js
|
|
198
|
+
if (!process.env.ALLOWED_ORIGINS) {
|
|
199
|
+
throw new Error('ALLOWED_ORIGINS must be configured');
|
|
200
|
+
}
|
|
201
|
+
const allowedOrigins = process.env.ALLOWED_ORIGINS.split(',');
|
|
202
|
+
|
|
203
|
+
app.use(cors({ origin: allowedOrigins }));
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
**Debug mode disabled by default**
|
|
207
|
+
```python
|
|
208
|
+
# File: config.py
|
|
209
|
+
DEBUG = os.getenv('DEBUG', 'false').lower() == 'true' # Default: false
|
|
210
|
+
```
|
|
211
|
+
|
|
212
|
+
---
|
|
213
|
+
|
|
214
|
+
## Weak Crypto
|
|
215
|
+
|
|
216
|
+
### ❌ VULNERABLE - Report These
|
|
217
|
+
|
|
218
|
+
**MD5 for password hashing**
|
|
219
|
+
```python
|
|
220
|
+
# File: src/auth/passwords.py
|
|
221
|
+
import hashlib
|
|
222
|
+
|
|
223
|
+
def hash_password(password):
|
|
224
|
+
"""Hash user password"""
|
|
225
|
+
return hashlib.md5(password.encode()).hexdigest()
|
|
226
|
+
```
|
|
227
|
+
**Why vulnerable:** MD5 is cryptographically broken. Rainbow tables exist. Use bcrypt/Argon2.
|
|
228
|
+
|
|
229
|
+
**DES encryption for sensitive data**
|
|
230
|
+
```java
|
|
231
|
+
// File: Encryption.java
|
|
232
|
+
public static byte[] encrypt(String data, byte[] key) {
|
|
233
|
+
Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
|
|
234
|
+
SecretKeySpec secretKey = new SecretKeySpec(key, "DES");
|
|
235
|
+
cipher.init(Cipher.ENCRYPT_MODE, secretKey);
|
|
236
|
+
return cipher.doFinal(data.getBytes());
|
|
237
|
+
}
|
|
238
|
+
```
|
|
239
|
+
**Why vulnerable:** DES has 56-bit keys (brute-forceable). ECB mode leaks patterns.
|
|
240
|
+
|
|
241
|
+
**SHA1 for signature verification**
|
|
242
|
+
```javascript
|
|
243
|
+
// File: webhooks.js
|
|
244
|
+
function verifySignature(payload, signature) {
|
|
245
|
+
const hmac = crypto.createHmac('sha1', WEBHOOK_SECRET);
|
|
246
|
+
const computed = hmac.update(payload).digest('hex');
|
|
247
|
+
return computed === signature;
|
|
248
|
+
}
|
|
249
|
+
```
|
|
250
|
+
**Why vulnerable:** SHA1 collisions exist. Use SHA256 or better.
|
|
251
|
+
|
|
252
|
+
### ✅ SECURE - Skip These
|
|
253
|
+
|
|
254
|
+
**Weak crypto for non-security checksums**
|
|
255
|
+
```python
|
|
256
|
+
# File: src/utils/cache.py
|
|
257
|
+
import hashlib
|
|
258
|
+
|
|
259
|
+
def cache_key(data):
|
|
260
|
+
"""Generate cache key - not security-sensitive"""
|
|
261
|
+
return hashlib.md5(data.encode()).hexdigest() # OK - just for cache lookup
|
|
262
|
+
```
|
|
263
|
+
|
|
264
|
+
**Modern crypto for passwords**
|
|
265
|
+
```python
|
|
266
|
+
# File: src/auth/passwords.py
|
|
267
|
+
import bcrypt
|
|
268
|
+
|
|
269
|
+
def hash_password(password):
|
|
270
|
+
return bcrypt.hashpw(password.encode(), bcrypt.gensalt())
|
|
271
|
+
```
|
|
272
|
+
|
|
273
|
+
**Strong encryption**
|
|
274
|
+
```java
|
|
275
|
+
// File: Encryption.java
|
|
276
|
+
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
|
|
277
|
+
// 256-bit key, authenticated encryption
|
|
278
|
+
```
|
|
279
|
+
|
|
280
|
+
---
|
|
281
|
+
|
|
282
|
+
## Permissive Access
|
|
283
|
+
|
|
284
|
+
### ❌ VULNERABLE - Report These
|
|
285
|
+
|
|
286
|
+
**File permissions world-writable**
|
|
287
|
+
```python
|
|
288
|
+
# File: src/storage/files.py
|
|
289
|
+
def create_secure_file(path):
|
|
290
|
+
fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o666) # rw-rw-rw-
|
|
291
|
+
return fd
|
|
292
|
+
```
|
|
293
|
+
**Why vulnerable:** Any user can write to file. Should be 0o600 or 0o644.
|
|
294
|
+
|
|
295
|
+
**S3 bucket public by default**
|
|
296
|
+
```python
|
|
297
|
+
# File: infrastructure/storage.py
|
|
298
|
+
def create_storage_bucket(name):
|
|
299
|
+
bucket = s3.create_bucket(
|
|
300
|
+
Bucket=name,
|
|
301
|
+
ACL='public-read' # Publicly readable by default
|
|
302
|
+
)
|
|
303
|
+
```
|
|
304
|
+
**Why vulnerable:** Sensitive data exposed publicly. Should require explicit configuration.
|
|
305
|
+
|
|
306
|
+
**API allows any origin**
|
|
307
|
+
```python
|
|
308
|
+
# File: app.py
|
|
309
|
+
@app.after_request
|
|
310
|
+
def after_request(response):
|
|
311
|
+
response.headers['Access-Control-Allow-Origin'] = '*'
|
|
312
|
+
response.headers['Access-Control-Allow-Credentials'] = 'true'
|
|
313
|
+
return response
|
|
314
|
+
```
|
|
315
|
+
**Why vulnerable:** CORS misconfiguration. Allows credential theft from any site.
|
|
316
|
+
|
|
317
|
+
### ✅ SECURE - Skip These
|
|
318
|
+
|
|
319
|
+
**Explicitly configured permissiveness with justification**
|
|
320
|
+
```python
|
|
321
|
+
# File: src/storage/public_assets.py
|
|
322
|
+
def create_public_asset(path):
|
|
323
|
+
"""Create world-readable asset for CDN distribution"""
|
|
324
|
+
# Intentionally public - static assets only
|
|
325
|
+
fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o644)
|
|
326
|
+
return fd
|
|
327
|
+
```
|
|
328
|
+
|
|
329
|
+
**Restrictive by default**
|
|
330
|
+
```python
|
|
331
|
+
# File: infrastructure/storage.py
|
|
332
|
+
def create_storage_bucket(name, public=False):
|
|
333
|
+
acl = 'public-read' if public else 'private'
|
|
334
|
+
if public:
|
|
335
|
+
logger.warning(f'Creating PUBLIC bucket: {name}')
|
|
336
|
+
bucket = s3.create_bucket(Bucket=name, ACL=acl)
|
|
337
|
+
```
|
|
338
|
+
|
|
339
|
+
---
|
|
340
|
+
|
|
341
|
+
## Debug Features
|
|
342
|
+
|
|
343
|
+
### ❌ VULNERABLE - Report These
|
|
344
|
+
|
|
345
|
+
**Stack traces in API responses**
|
|
346
|
+
```python
|
|
347
|
+
# File: app.py
|
|
348
|
+
@app.errorhandler(Exception)
|
|
349
|
+
def handle_error(error):
|
|
350
|
+
return jsonify({
|
|
351
|
+
'error': str(error),
|
|
352
|
+
'traceback': traceback.format_exc() # Leaks internal paths, library versions
|
|
353
|
+
}), 500
|
|
354
|
+
```
|
|
355
|
+
**Why vulnerable:** Exposes internal implementation details to attackers.
|
|
356
|
+
|
|
357
|
+
**GraphQL introspection enabled**
|
|
358
|
+
```javascript
|
|
359
|
+
// File: server.js
|
|
360
|
+
const server = new ApolloServer({
|
|
361
|
+
typeDefs,
|
|
362
|
+
resolvers,
|
|
363
|
+
introspection: true, // Enabled in production
|
|
364
|
+
playground: true
|
|
365
|
+
});
|
|
366
|
+
```
|
|
367
|
+
**Why vulnerable:** Attackers can discover entire API schema, including admin-only fields.
|
|
368
|
+
|
|
369
|
+
**Verbose error messages**
|
|
370
|
+
```java
|
|
371
|
+
// File: UserController.java
|
|
372
|
+
catch (SQLException e) {
|
|
373
|
+
return ResponseEntity.status(500).body(
|
|
374
|
+
"Database error: " + e.getMessage() // Leaks table names, constraints
|
|
375
|
+
);
|
|
376
|
+
}
|
|
377
|
+
```
|
|
378
|
+
**Why vulnerable:** SQL error messages reveal database structure.
|
|
379
|
+
|
|
380
|
+
### ✅ SECURE - Skip These
|
|
381
|
+
|
|
382
|
+
**Debug features in logging only**
|
|
383
|
+
```python
|
|
384
|
+
# File: app.py
|
|
385
|
+
@app.errorhandler(Exception)
|
|
386
|
+
def handle_error(error):
|
|
387
|
+
logger.exception('Request failed', exc_info=error) # Logs full trace
|
|
388
|
+
return jsonify({'error': 'Internal server error'}), 500 # Generic to user
|
|
389
|
+
```
|
|
390
|
+
|
|
391
|
+
**Environment-aware debug settings**
|
|
392
|
+
```javascript
|
|
393
|
+
// File: server.js
|
|
394
|
+
const server = new ApolloServer({
|
|
395
|
+
typeDefs,
|
|
396
|
+
resolvers,
|
|
397
|
+
introspection: process.env.NODE_ENV !== 'production',
|
|
398
|
+
playground: process.env.NODE_ENV !== 'production'
|
|
399
|
+
});
|
|
400
|
+
```
|
|
401
|
+
|
|
402
|
+
**Generic user-facing errors**
|
|
403
|
+
```java
|
|
404
|
+
// File: UserController.java
|
|
405
|
+
catch (SQLException e) {
|
|
406
|
+
logger.error("Database error", e); // Full details to logs
|
|
407
|
+
return ResponseEntity.status(500).body("Unable to process request"); // Generic
|
|
408
|
+
}
|
|
409
|
+
```
|
|
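Review bot: The "Environment-aware debug settings" example in the Debug Features secure list (new-file lines 391-400) is fail-open by this document's own definition. With `introspection: process.env.NODE_ENV !== 'production'`, an unset or misspelled `NODE_ENV` enables introspection and the playground, which is exactly the missing-configuration case the skill is meant to flag. Suggest inverting the test so the features turn on only for an explicit value, for example `process.env.NODE_ENV === 'development'`, or moving the example to the vulnerable list. Also, in "SHA1 for signature verification" (lines 241-250) the stated reason, `SHA1 collisions exist`, does not fit the snippet: known SHA-1 collision attacks do not carry over to the HMAC construction shown. The defect visible in that code is the `computed === signature` comparison, which is not constant-time, so the rationale should say that and point to `crypto.timingSafeEqual`.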
@@ -0,0 +1,107 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: "jupyter-notebook"
|
|
3
|
+
description: "Use when the user asks to create, scaffold, or edit Jupyter notebooks (`.ipynb`) for experiments, explorations, or tutorials; prefer the bundled templates and run the helper script `new_notebook.py` to generate a clean starting notebook."
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
|
|
7
|
+
# Jupyter Notebook Skill
|
|
8
|
+
|
|
9
|
+
Create clean, reproducible Jupyter notebooks for two primary modes:
|
|
10
|
+
|
|
11
|
+
- Experiments and exploratory analysis
|
|
12
|
+
- Tutorials and teaching-oriented walkthroughs
|
|
13
|
+
|
|
14
|
+
Prefer the bundled templates and the helper script for consistent structure and fewer JSON mistakes.
|
|
15
|
+
|
|
16
|
+
## When to use
|
|
17
|
+
- Create a new `.ipynb` notebook from scratch.
|
|
18
|
+
- Convert rough notes or scripts into a structured notebook.
|
|
19
|
+
- Refactor an existing notebook to be more reproducible and skimmable.
|
|
20
|
+
- Build experiments or tutorials that will be read or re-run by other people.
|
|
21
|
+
|
|
22
|
+
## Decision tree
|
|
23
|
+
- If the request is exploratory, analytical, or hypothesis-driven, choose `experiment`.
|
|
24
|
+
- If the request is instructional, step-by-step, or audience-specific, choose `tutorial`.
|
|
25
|
+
- If editing an existing notebook, treat it as a refactor: preserve intent and improve structure.
|
|
26
|
+
|
|
27
|
+
## Skill path (set once)
|
|
28
|
+
|
|
29
|
+
```bash
|
|
30
|
+
export CODEX_HOME="${CODEX_HOME:-$HOME/.codex}"
|
|
31
|
+
export JUPYTER_NOTEBOOK_CLI="$CODEX_HOME/skills/jupyter-notebook/scripts/new_notebook.py"
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
User-scoped skills install under `$CODEX_HOME/skills` (default: `~/.codex/skills`).
|
|
35
|
+
|
|
36
|
+
## Workflow
|
|
37
|
+
1. Lock the intent.
|
|
38
|
+
Identify the notebook kind: `experiment` or `tutorial`.
|
|
39
|
+
Capture the objective, audience, and what "done" looks like.
|
|
40
|
+
|
|
41
|
+
2. Scaffold from the template.
|
|
42
|
+
Use the helper script to avoid hand-authoring raw notebook JSON.
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
uv run --python 3.12 python "$JUPYTER_NOTEBOOK_CLI" \
|
|
46
|
+
--kind experiment \
|
|
47
|
+
--title "Compare prompt variants" \
|
|
48
|
+
--out output/jupyter-notebook/compare-prompt-variants.ipynb
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
```bash
|
|
52
|
+
uv run --python 3.12 python "$JUPYTER_NOTEBOOK_CLI" \
|
|
53
|
+
--kind tutorial \
|
|
54
|
+
--title "Intro to embeddings" \
|
|
55
|
+
--out output/jupyter-notebook/intro-to-embeddings.ipynb
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
3. Fill the notebook with small, runnable steps.
|
|
59
|
+
Keep each code cell focused on one step.
|
|
60
|
+
Add short markdown cells that explain the purpose and expected result.
|
|
61
|
+
Avoid large, noisy outputs when a short summary works.
|
|
62
|
+
|
|
63
|
+
4. Apply the right pattern.
|
|
64
|
+
For experiments, follow `references/experiment-patterns.md`.
|
|
65
|
+
For tutorials, follow `references/tutorial-patterns.md`.
|
|
66
|
+
|
|
67
|
+
5. Edit safely when working with existing notebooks.
|
|
68
|
+
Preserve the notebook structure; avoid reordering cells unless it improves the top-to-bottom story.
|
|
69
|
+
Prefer targeted edits over full rewrites.
|
|
70
|
+
If you must edit raw JSON, review `references/notebook-structure.md` first.
|
|
71
|
+
|
|
72
|
+
6. Validate the result.
|
|
73
|
+
Run the notebook top-to-bottom when the environment allows.
|
|
74
|
+
If execution is not possible, say so explicitly and call out how to validate locally.
|
|
75
|
+
Use the final pass checklist in `references/quality-checklist.md`.
|
|
76
|
+
|
|
77
|
+
## Templates and helper script
|
|
78
|
+
- Templates live in `assets/experiment-template.ipynb` and `assets/tutorial-template.ipynb`.
|
|
79
|
+
- The helper script loads a template, updates the title cell, and writes a notebook.
|
|
80
|
+
|
|
81
|
+
Script path:
|
|
82
|
+
- `$JUPYTER_NOTEBOOK_CLI` (installed default: `$CODEX_HOME/skills/jupyter-notebook/scripts/new_notebook.py`)
|
|
83
|
+
|
|
84
|
+
## Temp and output conventions
|
|
85
|
+
- Use `tmp/jupyter-notebook/` for intermediate files; delete when done.
|
|
86
|
+
- Write final artifacts under `output/jupyter-notebook/` when working in this repo.
|
|
87
|
+
- Use stable, descriptive filenames (for example, `ablation-temperature.ipynb`).
|
|
88
|
+
|
|
89
|
+
## Dependencies (install only when needed)
|
|
90
|
+
Prefer `uv` for dependency management.
|
|
91
|
+
|
|
92
|
+
Optional Python packages for local notebook execution:
|
|
93
|
+
|
|
94
|
+
```bash
|
|
95
|
+
uv pip install jupyterlab ipykernel
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
The bundled scaffold script uses only the Python standard library and does not require extra dependencies.
|
|
99
|
+
|
|
100
|
+
## Environment
|
|
101
|
+
No required environment variables.
|
|
102
|
+
|
|
103
|
+
## Reference map
|
|
104
|
+
- `references/experiment-patterns.md`: experiment structure and heuristics.
|
|
105
|
+
- `references/tutorial-patterns.md`: tutorial structure and teaching flow.
|
|
106
|
+
- `references/notebook-structure.md`: notebook JSON shape and safe editing rules.
|
|
107
|
+
- `references/quality-checklist.md`: final validation checklist.
|
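Review bot: Step 6 of the Workflow ("Validate the result", new-file lines 72-75) says to run the notebook top-to-bottom but gives no command, and step 5 brings existing notebooks into scope, so the instruction as written covers executing cells the agent did not author. Suggest naming the execution command next to the `uv pip install jupyterlab ipykernel` line (line 95) and adding a sentence to step 5 or step 6 that an existing notebook's cells are read and reviewed before the notebook is executed. The install line is also unpinned while the scaffold invocations pin `--python 3.12`; a short note on expected package versions would keep the two consistent.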