cli-jaw 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.ko.md +411 -0
- package/README.md +416 -0
- package/README.zh-CN.md +411 -0
- package/dist/bin/cli-jaw.js +108 -0
- package/dist/bin/cli-jaw.js.map +1 -0
- package/dist/bin/commands/browser.js +241 -0
- package/dist/bin/commands/browser.js.map +1 -0
- package/dist/bin/commands/chat.js +878 -0
- package/dist/bin/commands/chat.js.map +1 -0
- package/dist/bin/commands/doctor.js +152 -0
- package/dist/bin/commands/doctor.js.map +1 -0
- package/dist/bin/commands/employee.js +70 -0
- package/dist/bin/commands/employee.js.map +1 -0
- package/dist/bin/commands/init.js +110 -0
- package/dist/bin/commands/init.js.map +1 -0
- package/dist/bin/commands/mcp.js +219 -0
- package/dist/bin/commands/mcp.js.map +1 -0
- package/dist/bin/commands/memory.js +105 -0
- package/dist/bin/commands/memory.js.map +1 -0
- package/dist/bin/commands/reset.js +109 -0
- package/dist/bin/commands/reset.js.map +1 -0
- package/dist/bin/commands/serve.js +75 -0
- package/dist/bin/commands/serve.js.map +1 -0
- package/dist/bin/commands/skill.js +232 -0
- package/dist/bin/commands/skill.js.map +1 -0
- package/dist/bin/commands/status.js +51 -0
- package/dist/bin/commands/status.js.map +1 -0
- package/dist/bin/postinstall.js +218 -0
- package/dist/bin/postinstall.js.map +1 -0
- package/dist/lib/mcp-sync.js +639 -0
- package/dist/lib/mcp-sync.js.map +1 -0
- package/dist/lib/quota-copilot.js +62 -0
- package/dist/lib/quota-copilot.js.map +1 -0
- package/dist/lib/upload.js +72 -0
- package/dist/lib/upload.js.map +1 -0
- package/dist/server.js +832 -0
- package/dist/server.js.map +1 -0
- package/dist/src/agent/args.js +66 -0
- package/dist/src/agent/args.js.map +1 -0
- package/dist/src/agent/events.js +328 -0
- package/dist/src/agent/events.js.map +1 -0
- package/dist/src/agent/spawn.js +646 -0
- package/dist/src/agent/spawn.js.map +1 -0
- package/dist/src/browser/actions.js +168 -0
- package/dist/src/browser/actions.js.map +1 -0
- package/dist/src/browser/connection.js +79 -0
- package/dist/src/browser/connection.js.map +1 -0
- package/dist/src/browser/index.js +4 -0
- package/dist/src/browser/index.js.map +1 -0
- package/dist/src/browser/vision.js +128 -0
- package/dist/src/browser/vision.js.map +1 -0
- package/dist/src/cli/acp-client.js +298 -0
- package/dist/src/cli/acp-client.js.map +1 -0
- package/dist/src/cli/commands.js +267 -0
- package/dist/src/cli/commands.js.map +1 -0
- package/dist/src/cli/handlers.js +405 -0
- package/dist/src/cli/handlers.js.map +1 -0
- package/dist/src/cli/registry.js +87 -0
- package/dist/src/cli/registry.js.map +1 -0
- package/dist/src/command-contract/catalog.js +36 -0
- package/dist/src/command-contract/catalog.js.map +1 -0
- package/dist/src/command-contract/help-renderer.js +39 -0
- package/dist/src/command-contract/help-renderer.js.map +1 -0
- package/dist/src/command-contract/policy.js +34 -0
- package/dist/src/command-contract/policy.js.map +1 -0
- package/dist/src/core/bus.js +17 -0
- package/dist/src/core/bus.js.map +1 -0
- package/dist/src/core/config.js +198 -0
- package/dist/src/core/config.js.map +1 -0
- package/dist/src/core/db.js +97 -0
- package/dist/src/core/db.js.map +1 -0
- package/dist/src/core/i18n.js +86 -0
- package/dist/src/core/i18n.js.map +1 -0
- package/dist/src/core/logger.js +14 -0
- package/dist/src/core/logger.js.map +1 -0
- package/dist/src/core/settings-merge.js +40 -0
- package/dist/src/core/settings-merge.js.map +1 -0
- package/dist/src/http/async-handler.js +6 -0
- package/dist/src/http/async-handler.js.map +1 -0
- package/dist/src/http/error-middleware.js +24 -0
- package/dist/src/http/error-middleware.js.map +1 -0
- package/dist/src/http/response.js +16 -0
- package/dist/src/http/response.js.map +1 -0
- package/dist/src/memory/heartbeat.js +106 -0
- package/dist/src/memory/heartbeat.js.map +1 -0
- package/dist/src/memory/memory.js +119 -0
- package/dist/src/memory/memory.js.map +1 -0
- package/dist/src/memory/worklog.js +154 -0
- package/dist/src/memory/worklog.js.map +1 -0
- package/dist/src/orchestrator/distribute.js +310 -0
- package/dist/src/orchestrator/distribute.js.map +1 -0
- package/dist/src/orchestrator/parser.js +118 -0
- package/dist/src/orchestrator/parser.js.map +1 -0
- package/dist/src/orchestrator/pipeline.js +343 -0
- package/dist/src/orchestrator/pipeline.js.map +1 -0
- package/dist/src/prompt/builder.js +531 -0
- package/dist/src/prompt/builder.js.map +1 -0
- package/dist/src/routes/browser.js +126 -0
- package/dist/src/routes/browser.js.map +1 -0
- package/dist/src/routes/quota.js +94 -0
- package/dist/src/routes/quota.js.map +1 -0
- package/dist/src/security/decode.js +23 -0
- package/dist/src/security/decode.js.map +1 -0
- package/dist/src/security/path-guards.js +62 -0
- package/dist/src/security/path-guards.js.map +1 -0
- package/dist/src/telegram/bot.js +469 -0
- package/dist/src/telegram/bot.js.map +1 -0
- package/dist/src/telegram/forwarder.js +93 -0
- package/dist/src/telegram/forwarder.js.map +1 -0
- package/package.json +80 -0
- package/public/css/chat.css +571 -0
- package/public/css/layout.css +350 -0
- package/public/css/markdown.css +270 -0
- package/public/css/modals.css +172 -0
- package/public/css/sidebar.css +225 -0
- package/public/css/variables.css +142 -0
- package/public/index.html +470 -0
- package/public/js/api.js +55 -0
- package/public/js/constants.js +119 -0
- package/public/js/features/appname.js +43 -0
- package/public/js/features/chat.js +242 -0
- package/public/js/features/employees.js +120 -0
- package/public/js/features/heartbeat.js +80 -0
- package/public/js/features/i18n.js +125 -0
- package/public/js/features/memory.js +85 -0
- package/public/js/features/settings.js +512 -0
- package/public/js/features/sidebar.js +88 -0
- package/public/js/features/skills.js +68 -0
- package/public/js/features/slash-commands.js +231 -0
- package/public/js/features/theme.js +40 -0
- package/public/js/locale.js +23 -0
- package/public/js/main.js +281 -0
- package/public/js/render.js +294 -0
- package/public/js/state.js +16 -0
- package/public/js/ui.js +172 -0
- package/public/js/ws.js +76 -0
- package/public/locales/en.json +180 -0
- package/public/locales/ko.json +180 -0
- package/public/theme-test.html +545 -0
- package/skills_ref/1password/SKILL.md +70 -0
- package/skills_ref/agents-sdk/SKILL.md +155 -0
- package/skills_ref/agents-sdk/references/callable.md +92 -0
- package/skills_ref/agents-sdk/references/codemode.md +207 -0
- package/skills_ref/agents-sdk/references/email.md +146 -0
- package/skills_ref/agents-sdk/references/mcp.md +154 -0
- package/skills_ref/agents-sdk/references/state-scheduling.md +164 -0
- package/skills_ref/agents-sdk/references/streaming-chat.md +178 -0
- package/skills_ref/agents-sdk/references/workflows.md +132 -0
- package/skills_ref/algorithmic-art/LICENSE.txt +202 -0
- package/skills_ref/algorithmic-art/SKILL.md +405 -0
- package/skills_ref/algorithmic-art/templates/generator_template.js +223 -0
- package/skills_ref/algorithmic-art/templates/viewer.html +599 -0
- package/skills_ref/apple-notes/SKILL.md +77 -0
- package/skills_ref/apple-reminders/SKILL.md +118 -0
- package/skills_ref/atlas/SKILL.md +99 -0
- package/skills_ref/brainstorming/SKILL.md +96 -0
- package/skills_ref/browser/SKILL.md +179 -0
- package/skills_ref/canvas-design/LICENSE.txt +202 -0
- package/skills_ref/canvas-design/SKILL.md +130 -0
- package/skills_ref/canvas-design/canvas-fonts/ArsenalSC-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/ArsenalSC-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BigShoulders-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BigShoulders-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/BigShoulders-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Boldonse-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Boldonse-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BricolageGrotesque-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/BricolageGrotesque-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/BricolageGrotesque-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/CrimsonPro-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/DMMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/DMMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/EricaOne-OFL.txt +94 -0
- package/skills_ref/canvas-design/canvas-fonts/EricaOne-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/GeistMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/GeistMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/GeistMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Gloock-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Gloock-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/IBMPlexSerif-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSans-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSerif-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/InstrumentSerif-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Italiana-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Italiana-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/JetBrainsMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/JetBrainsMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/JetBrainsMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Jura-Light.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Jura-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Jura-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/LibreBaskerville-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/LibreBaskerville-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Lora-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/NationalPark-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/NationalPark-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/NationalPark-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/NothingYouCouldDo-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/NothingYouCouldDo-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Outfit-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Outfit-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Outfit-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/PixelifySans-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/PixelifySans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/PoiretOne-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/PoiretOne-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/RedHatMono-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/RedHatMono-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/RedHatMono-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Silkscreen-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Silkscreen-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/SmoochSans-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/SmoochSans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Tektur-Medium.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/Tektur-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/Tektur-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-Bold.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-BoldItalic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-Italic.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/WorkSans-Regular.ttf +0 -0
- package/skills_ref/canvas-design/canvas-fonts/YoungSerif-OFL.txt +93 -0
- package/skills_ref/canvas-design/canvas-fonts/YoungSerif-Regular.ttf +0 -0
- package/skills_ref/changelog-generator/SKILL.md +104 -0
- package/skills_ref/cloudflare-deploy/SKILL.md +207 -0
- package/skills_ref/codebase-orientation/SKILL.md +29 -0
- package/skills_ref/config-file-explainer/SKILL.md +26 -0
- package/skills_ref/context-compression/SKILL.md +265 -0
- package/skills_ref/context-compression/references/evaluation-framework.md +213 -0
- package/skills_ref/context-compression/scripts/compression_evaluator.py +658 -0
- package/skills_ref/data-structure-chooser/SKILL.md +26 -0
- package/skills_ref/debugging-checklist/SKILL.md +26 -0
- package/skills_ref/debugging-helpers/CREATION-LOG.md +119 -0
- package/skills_ref/debugging-helpers/SKILL.md +296 -0
- package/skills_ref/debugging-helpers/condition-based-waiting-example.ts +158 -0
- package/skills_ref/debugging-helpers/condition-based-waiting.md +115 -0
- package/skills_ref/debugging-helpers/defense-in-depth.md +122 -0
- package/skills_ref/debugging-helpers/find-polluter.sh +63 -0
- package/skills_ref/debugging-helpers/root-cause-tracing.md +169 -0
- package/skills_ref/debugging-helpers/test-academic.md +14 -0
- package/skills_ref/debugging-helpers/test-pressure-1.md +58 -0
- package/skills_ref/debugging-helpers/test-pressure-2.md +68 -0
- package/skills_ref/debugging-helpers/test-pressure-3.md +69 -0
- package/skills_ref/deep-research/.env.example +7 -0
- package/skills_ref/deep-research/README.md +246 -0
- package/skills_ref/deep-research/SKILL.md +106 -0
- package/skills_ref/deep-research/requirements.txt +2 -0
- package/skills_ref/deep-research/scripts/research.py +692 -0
- package/skills_ref/dependency-install-helper/SKILL.md +26 -0
- package/skills_ref/dev/SKILL.md +65 -0
- package/skills_ref/dev-backend/SKILL.md +61 -0
- package/skills_ref/dev-data/SKILL.md +76 -0
- package/skills_ref/dev-frontend/LICENSE.txt +177 -0
- package/skills_ref/dev-frontend/SKILL.md +42 -0
- package/skills_ref/dev-testing/LICENSE.txt +202 -0
- package/skills_ref/dev-testing/SKILL.md +96 -0
- package/skills_ref/dev-testing/examples/console_logging.py +35 -0
- package/skills_ref/dev-testing/examples/element_discovery.py +40 -0
- package/skills_ref/dev-testing/examples/static_html_automation.py +33 -0
- package/skills_ref/dev-testing/scripts/with_server.py +106 -0
- package/skills_ref/develop-web-game/SKILL.md +149 -0
- package/skills_ref/differential-review/.claude-plugin/plugin.json +10 -0
- package/skills_ref/differential-review/README.md +109 -0
- package/skills_ref/differential-review/commands/diff-review.md +21 -0
- package/skills_ref/differential-review/skills/differential-review/SKILL.md +220 -0
- package/skills_ref/differential-review/skills/differential-review/adversarial.md +203 -0
- package/skills_ref/differential-review/skills/differential-review/methodology.md +234 -0
- package/skills_ref/differential-review/skills/differential-review/patterns.md +300 -0
- package/skills_ref/differential-review/skills/differential-review/reporting.md +369 -0
- package/skills_ref/dispatching-parallel-agents/SKILL.md +180 -0
- package/skills_ref/doc-coauthoring/SKILL.md +375 -0
- package/skills_ref/docx/LICENSE.txt +30 -0
- package/skills_ref/docx/SKILL.md +481 -0
- package/skills_ref/docx/scripts/__init__.py +1 -0
- package/skills_ref/docx/scripts/accept_changes.py +135 -0
- package/skills_ref/docx/scripts/comment.py +318 -0
- package/skills_ref/docx/scripts/office/helpers/__init__.py +0 -0
- package/skills_ref/docx/scripts/office/helpers/merge_runs.py +199 -0
- package/skills_ref/docx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/skills_ref/docx/scripts/office/pack.py +159 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/skills_ref/docx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/skills_ref/docx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/skills_ref/docx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/skills_ref/docx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/skills_ref/docx/scripts/office/soffice.py +183 -0
- package/skills_ref/docx/scripts/office/unpack.py +132 -0
- package/skills_ref/docx/scripts/office/validate.py +111 -0
- package/skills_ref/docx/scripts/office/validators/__init__.py +15 -0
- package/skills_ref/docx/scripts/office/validators/base.py +847 -0
- package/skills_ref/docx/scripts/office/validators/docx.py +446 -0
- package/skills_ref/docx/scripts/office/validators/pptx.py +275 -0
- package/skills_ref/docx/scripts/office/validators/redlining.py +247 -0
- package/skills_ref/docx/scripts/templates/comments.xml +3 -0
- package/skills_ref/docx/scripts/templates/commentsExtended.xml +3 -0
- package/skills_ref/docx/scripts/templates/commentsExtensible.xml +3 -0
- package/skills_ref/docx/scripts/templates/commentsIds.xml +3 -0
- package/skills_ref/docx/scripts/templates/people.xml +3 -0
- package/skills_ref/durable-objects/SKILL.md +186 -0
- package/skills_ref/durable-objects/references/rules.md +286 -0
- package/skills_ref/durable-objects/references/testing.md +264 -0
- package/skills_ref/durable-objects/references/workers.md +346 -0
- package/skills_ref/email-draft-polish/SKILL.md +24 -0
- package/skills_ref/error-message-explainer/SKILL.md +27 -0
- package/skills_ref/fal-image-edit/SKILL.md +249 -0
- package/skills_ref/fal-image-edit/scripts/edit-image.sh +199 -0
- package/skills_ref/figma-implement-design/SKILL.md +264 -0
- package/skills_ref/git-worktrees/SKILL.md +218 -0
- package/skills_ref/github/SKILL.md +210 -0
- package/skills_ref/gog/SKILL.md +116 -0
- package/skills_ref/goplaces/SKILL.md +52 -0
- package/skills_ref/himalaya/SKILL.md +257 -0
- package/skills_ref/hugging-face-cli/SKILL.md +186 -0
- package/skills_ref/hugging-face-cli/references/commands.md +954 -0
- package/skills_ref/hugging-face-cli/references/examples.md +374 -0
- package/skills_ref/hugging-face-evaluation/SKILL.md +651 -0
- package/skills_ref/hugging-face-evaluation/examples/.env.example +7 -0
- package/skills_ref/hugging-face-evaluation/examples/USAGE_EXAMPLES.md +382 -0
- package/skills_ref/hugging-face-evaluation/examples/artificial_analysis_to_hub.py +141 -0
- package/skills_ref/hugging-face-evaluation/examples/example_readme_tables.md +135 -0
- package/skills_ref/hugging-face-evaluation/examples/metric_mapping.json +50 -0
- package/skills_ref/hugging-face-evaluation/requirements.txt +20 -0
- package/skills_ref/hugging-face-evaluation/scripts/evaluation_manager.py +1374 -0
- package/skills_ref/hugging-face-evaluation/scripts/inspect_eval_uv.py +104 -0
- package/skills_ref/hugging-face-evaluation/scripts/inspect_vllm_uv.py +317 -0
- package/skills_ref/hugging-face-evaluation/scripts/lighteval_vllm_uv.py +303 -0
- package/skills_ref/hugging-face-evaluation/scripts/run_eval_job.py +98 -0
- package/skills_ref/hugging-face-evaluation/scripts/run_vllm_eval_job.py +331 -0
- package/skills_ref/hugging-face-evaluation/scripts/test_extraction.py +206 -0
- package/skills_ref/hugging-face-model-trainer/SKILL.md +718 -0
- package/skills_ref/hugging-face-model-trainer/references/gguf_conversion.md +296 -0
- package/skills_ref/hugging-face-model-trainer/references/hardware_guide.md +283 -0
- package/skills_ref/hugging-face-model-trainer/references/hub_saving.md +364 -0
- package/skills_ref/hugging-face-model-trainer/references/reliability_principles.md +371 -0
- package/skills_ref/hugging-face-model-trainer/references/trackio_guide.md +189 -0
- package/skills_ref/hugging-face-model-trainer/references/training_methods.md +150 -0
- package/skills_ref/hugging-face-model-trainer/references/training_patterns.md +203 -0
- package/skills_ref/hugging-face-model-trainer/references/troubleshooting.md +282 -0
- package/skills_ref/hugging-face-model-trainer/references/unsloth.md +313 -0
- package/skills_ref/hugging-face-model-trainer/scripts/convert_to_gguf.py +424 -0
- package/skills_ref/hugging-face-model-trainer/scripts/dataset_inspector.py +417 -0
- package/skills_ref/hugging-face-model-trainer/scripts/estimate_cost.py +150 -0
- package/skills_ref/hugging-face-model-trainer/scripts/train_dpo_example.py +106 -0
- package/skills_ref/hugging-face-model-trainer/scripts/train_grpo_example.py +89 -0
- package/skills_ref/hugging-face-model-trainer/scripts/train_sft_example.py +122 -0
- package/skills_ref/hugging-face-model-trainer/scripts/unsloth_sft_example.py +512 -0
- package/skills_ref/imagegen/SKILL.md +174 -0
- package/skills_ref/insecure-defaults/.claude-plugin/plugin.json +10 -0
- package/skills_ref/insecure-defaults/README.md +45 -0
- package/skills_ref/insecure-defaults/skills/insecure-defaults/SKILL.md +117 -0
- package/skills_ref/insecure-defaults/skills/insecure-defaults/references/examples.md +409 -0
- package/skills_ref/jupyter-notebook/SKILL.md +107 -0
- package/skills_ref/linear/SKILL.md +87 -0
- package/skills_ref/linter-fix-guide/SKILL.md +27 -0
- package/skills_ref/log-summarizer/SKILL.md +27 -0
- package/skills_ref/mcp-builder/LICENSE.txt +202 -0
- package/skills_ref/mcp-builder/SKILL.md +236 -0
- package/skills_ref/mcp-builder/reference/evaluation.md +602 -0
- package/skills_ref/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/skills_ref/mcp-builder/reference/node_mcp_server.md +970 -0
- package/skills_ref/mcp-builder/reference/python_mcp_server.md +719 -0
- package/skills_ref/mcp-builder/scripts/connections.py +151 -0
- package/skills_ref/mcp-builder/scripts/evaluation.py +373 -0
- package/skills_ref/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/skills_ref/mcp-builder/scripts/requirements.txt +2 -0
- package/skills_ref/memory/SKILL.md +129 -0
- package/skills_ref/modern-python/.claude-plugin/plugin.json +10 -0
- package/skills_ref/modern-python/README.md +66 -0
- package/skills_ref/modern-python/hooks/hooks.json +16 -0
- package/skills_ref/modern-python/hooks/setup-shims.bats +70 -0
- package/skills_ref/modern-python/hooks/setup-shims.sh +24 -0
- package/skills_ref/modern-python/hooks/shims/pip +27 -0
- package/skills_ref/modern-python/hooks/shims/pip-shim.bats +45 -0
- package/skills_ref/modern-python/hooks/shims/pip3 +27 -0
- package/skills_ref/modern-python/hooks/shims/pipx +41 -0
- package/skills_ref/modern-python/hooks/shims/pipx-shim.bats +64 -0
- package/skills_ref/modern-python/hooks/shims/python +26 -0
- package/skills_ref/modern-python/hooks/shims/python-shim.bats +53 -0
- package/skills_ref/modern-python/hooks/shims/python3 +26 -0
- package/skills_ref/modern-python/hooks/shims/uv +27 -0
- package/skills_ref/modern-python/hooks/shims/uv-shim.bats +47 -0
- package/skills_ref/modern-python/skills/modern-python/SKILL.md +333 -0
- package/skills_ref/modern-python/skills/modern-python/references/dependabot.md +43 -0
- package/skills_ref/modern-python/skills/modern-python/references/migration-checklist.md +141 -0
- package/skills_ref/modern-python/skills/modern-python/references/pep723-scripts.md +259 -0
- package/skills_ref/modern-python/skills/modern-python/references/prek.md +211 -0
- package/skills_ref/modern-python/skills/modern-python/references/pyproject.md +254 -0
- package/skills_ref/modern-python/skills/modern-python/references/ruff-config.md +240 -0
- package/skills_ref/modern-python/skills/modern-python/references/security-setup.md +255 -0
- package/skills_ref/modern-python/skills/modern-python/references/testing.md +284 -0
- package/skills_ref/modern-python/skills/modern-python/references/uv-commands.md +200 -0
- package/skills_ref/modern-python/skills/modern-python/templates/dependabot.yml +36 -0
- package/skills_ref/modern-python/skills/modern-python/templates/pre-commit-config.yaml +66 -0
- package/skills_ref/nano-banana-pro/SKILL.md +58 -0
- package/skills_ref/netlify-deploy/SKILL.md +233 -0
- package/skills_ref/notion/SKILL.md +304 -0
- package/skills_ref/notion-knowledge-capture/SKILL.md +56 -0
- package/skills_ref/notion-meeting-intelligence/SKILL.md +60 -0
- package/skills_ref/notion-research-documentation/SKILL.md +59 -0
- package/skills_ref/notion-spec-to-implementation/SKILL.md +58 -0
- package/skills_ref/obsidian/SKILL.md +81 -0
- package/skills_ref/openai-docs/SKILL.md +56 -0
- package/skills_ref/openhue/SKILL.md +112 -0
- package/skills_ref/pdf/SKILL.md +69 -0
- package/skills_ref/postgres/README.md +77 -0
- package/skills_ref/postgres/SKILL.md +129 -0
- package/skills_ref/postgres/connections.example.json +34 -0
- package/skills_ref/postgres/requirements.txt +1 -0
- package/skills_ref/postgres/scripts/query.py +262 -0
- package/skills_ref/pptx/LICENSE.txt +30 -0
- package/skills_ref/pptx/SKILL.md +232 -0
- package/skills_ref/pptx/editing.md +205 -0
- package/skills_ref/pptx/pptxgenjs.md +420 -0
- package/skills_ref/pptx/scripts/__init__.py +0 -0
- package/skills_ref/pptx/scripts/add_slide.py +195 -0
- package/skills_ref/pptx/scripts/clean.py +286 -0
- package/skills_ref/pptx/scripts/office/helpers/__init__.py +0 -0
- package/skills_ref/pptx/scripts/office/helpers/merge_runs.py +199 -0
- package/skills_ref/pptx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/skills_ref/pptx/scripts/office/pack.py +159 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/skills_ref/pptx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/skills_ref/pptx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/skills_ref/pptx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/skills_ref/pptx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/skills_ref/pptx/scripts/office/soffice.py +183 -0
- package/skills_ref/pptx/scripts/office/unpack.py +132 -0
- package/skills_ref/pptx/scripts/office/validate.py +111 -0
- package/skills_ref/pptx/scripts/office/validators/__init__.py +15 -0
- package/skills_ref/pptx/scripts/office/validators/base.py +847 -0
- package/skills_ref/pptx/scripts/office/validators/docx.py +446 -0
- package/skills_ref/pptx/scripts/office/validators/pptx.py +275 -0
- package/skills_ref/pptx/scripts/office/validators/redlining.py +247 -0
- package/skills_ref/pptx/scripts/thumbnail.py +289 -0
- package/skills_ref/property-based-testing/.claude-plugin/plugin.json +9 -0
- package/skills_ref/property-based-testing/README.md +47 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/README.md +88 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/SKILL.md +123 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/design.md +191 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/generating.md +204 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/interpreting-failures.md +239 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/libraries.md +130 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/refactoring.md +181 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/reviewing.md +209 -0
- package/skills_ref/property-based-testing/skills/property-based-testing/references/strategies.md +124 -0
- package/skills_ref/react-best-practices/AGENTS.md +2934 -0
- package/skills_ref/react-best-practices/README.md +123 -0
- package/skills_ref/react-best-practices/SKILL.md +136 -0
- package/skills_ref/react-best-practices/metadata.json +15 -0
- package/skills_ref/react-best-practices/rules/_sections.md +46 -0
- package/skills_ref/react-best-practices/rules/_template.md +28 -0
- package/skills_ref/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/skills_ref/react-best-practices/rules/advanced-init-once.md +42 -0
- package/skills_ref/react-best-practices/rules/advanced-use-latest.md +39 -0
- package/skills_ref/react-best-practices/rules/async-api-routes.md +38 -0
- package/skills_ref/react-best-practices/rules/async-defer-await.md +80 -0
- package/skills_ref/react-best-practices/rules/async-dependencies.md +51 -0
- package/skills_ref/react-best-practices/rules/async-parallel.md +28 -0
- package/skills_ref/react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/skills_ref/react-best-practices/rules/bundle-barrel-imports.md +59 -0
- package/skills_ref/react-best-practices/rules/bundle-conditional.md +31 -0
- package/skills_ref/react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/skills_ref/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/skills_ref/react-best-practices/rules/bundle-preload.md +50 -0
- package/skills_ref/react-best-practices/rules/client-event-listeners.md +74 -0
- package/skills_ref/react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/skills_ref/react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/skills_ref/react-best-practices/rules/client-swr-dedup.md +56 -0
- package/skills_ref/react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/skills_ref/react-best-practices/rules/js-cache-function-results.md +80 -0
- package/skills_ref/react-best-practices/rules/js-cache-property-access.md +28 -0
- package/skills_ref/react-best-practices/rules/js-cache-storage.md +70 -0
- package/skills_ref/react-best-practices/rules/js-combine-iterations.md +32 -0
- package/skills_ref/react-best-practices/rules/js-early-exit.md +50 -0
- package/skills_ref/react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/skills_ref/react-best-practices/rules/js-index-maps.md +37 -0
- package/skills_ref/react-best-practices/rules/js-length-check-first.md +49 -0
- package/skills_ref/react-best-practices/rules/js-min-max-loop.md +82 -0
- package/skills_ref/react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/skills_ref/react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/skills_ref/react-best-practices/rules/rendering-activity.md +26 -0
- package/skills_ref/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/skills_ref/react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/skills_ref/react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/skills_ref/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/skills_ref/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/skills_ref/react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/skills_ref/react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/skills_ref/react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/skills_ref/react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/skills_ref/react-best-practices/rules/rerender-dependencies.md +45 -0
- package/skills_ref/react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/skills_ref/react-best-practices/rules/rerender-derived-state.md +29 -0
- package/skills_ref/react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/skills_ref/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/skills_ref/react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/skills_ref/react-best-practices/rules/rerender-memo.md +44 -0
- package/skills_ref/react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/skills_ref/react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/skills_ref/react-best-practices/rules/rerender-transitions.md +40 -0
- package/skills_ref/react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/skills_ref/react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/skills_ref/react-best-practices/rules/server-auth-actions.md +96 -0
- package/skills_ref/react-best-practices/rules/server-cache-lru.md +41 -0
- package/skills_ref/react-best-practices/rules/server-cache-react.md +76 -0
- package/skills_ref/react-best-practices/rules/server-dedup-props.md +65 -0
- package/skills_ref/react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/skills_ref/react-best-practices/rules/server-serialization.md +38 -0
- package/skills_ref/receiving-code-review/SKILL.md +213 -0
- package/skills_ref/registry.json +1493 -0
- package/skills_ref/render-deploy/SKILL.md +462 -0
- package/skills_ref/requesting-code-review/SKILL.md +105 -0
- package/skills_ref/requesting-code-review/code-reviewer.md +146 -0
- package/skills_ref/screen-capture/SKILL.md +162 -0
- package/skills_ref/security-best-practices/LICENSE.txt +201 -0
- package/skills_ref/security-best-practices/SKILL.md +86 -0
- package/skills_ref/security-best-practices/agents/openai.yaml +4 -0
- package/skills_ref/security-best-practices/references/golang-general-backend-security.md +826 -0
- package/skills_ref/security-best-practices/references/javascript-express-web-server-security.md +1158 -0
- package/skills_ref/security-best-practices/references/javascript-general-web-frontend-security.md +747 -0
- package/skills_ref/security-best-practices/references/javascript-jquery-web-frontend-security.md +678 -0
- package/skills_ref/security-best-practices/references/javascript-typescript-nextjs-web-server-security.md +1144 -0
- package/skills_ref/security-best-practices/references/javascript-typescript-react-web-frontend-security.md +990 -0
- package/skills_ref/security-best-practices/references/javascript-typescript-vue-web-frontend-security.md +791 -0
- package/skills_ref/security-best-practices/references/python-django-web-server-security.md +882 -0
- package/skills_ref/security-best-practices/references/python-fastapi-web-server-security.md +1036 -0
- package/skills_ref/security-best-practices/references/python-flask-web-server-security.md +705 -0
- package/skills_ref/security-ownership-map/LICENSE.txt +201 -0
- package/skills_ref/security-ownership-map/SKILL.md +206 -0
- package/skills_ref/security-ownership-map/agents/openai.yaml +4 -0
- package/skills_ref/security-ownership-map/references/neo4j-import.md +60 -0
- package/skills_ref/security-ownership-map/scripts/build_ownership_map.py +956 -0
- package/skills_ref/security-ownership-map/scripts/community_maintainers.py +544 -0
- package/skills_ref/security-ownership-map/scripts/query_ownership.py +483 -0
- package/skills_ref/security-ownership-map/scripts/run_ownership_map.py +200 -0
- package/skills_ref/security-threat-model/LICENSE.txt +201 -0
- package/skills_ref/security-threat-model/SKILL.md +81 -0
- package/skills_ref/security-threat-model/agents/openai.yaml +4 -0
- package/skills_ref/security-threat-model/references/prompt-template.md +255 -0
- package/skills_ref/security-threat-model/references/security-controls-and-assets.md +32 -0
- package/skills_ref/sentry/SKILL.md +123 -0
- package/skills_ref/skill-creator/SKILL.md +372 -0
- package/skills_ref/sora/SKILL.md +153 -0
- package/skills_ref/speech/SKILL.md +144 -0
- package/skills_ref/spotify-player/SKILL.md +64 -0
- package/skills_ref/static-analysis/.claude-plugin/plugin.json +8 -0
- package/skills_ref/static-analysis/README.md +65 -0
- package/skills_ref/static-analysis/agents/semgrep-scanner.md +71 -0
- package/skills_ref/static-analysis/agents/semgrep-triager.md +107 -0
- package/skills_ref/static-analysis/skills/codeql/SKILL.md +119 -0
- package/skills_ref/static-analysis/skills/codeql/references/diagnostic-query-templates.md +339 -0
- package/skills_ref/static-analysis/skills/codeql/references/language-details.md +207 -0
- package/skills_ref/static-analysis/skills/codeql/references/performance-tuning.md +111 -0
- package/skills_ref/static-analysis/skills/codeql/references/ruleset-catalog.md +63 -0
- package/skills_ref/static-analysis/skills/codeql/references/threat-models.md +44 -0
- package/skills_ref/static-analysis/skills/codeql/workflows/build-database.md +669 -0
- package/skills_ref/static-analysis/skills/codeql/workflows/create-data-extensions.md +536 -0
- package/skills_ref/static-analysis/skills/codeql/workflows/run-analysis.md +436 -0
- package/skills_ref/static-analysis/skills/sarif-parsing/SKILL.md +479 -0
- package/skills_ref/static-analysis/skills/sarif-parsing/resources/jq-queries.md +162 -0
- package/skills_ref/static-analysis/skills/sarif-parsing/resources/sarif_helpers.py +331 -0
- package/skills_ref/static-analysis/skills/semgrep/SKILL.md +431 -0
- package/skills_ref/static-analysis/skills/semgrep/references/rulesets.md +162 -0
- package/skills_ref/static-analysis/skills/semgrep/references/scanner-task-prompt.md +102 -0
- package/skills_ref/static-analysis/skills/semgrep/references/triage-task-prompt.md +122 -0
- package/skills_ref/static-analysis/skills/semgrep/scripts/merge_triaged_sarif.py +252 -0
- package/skills_ref/summarize/SKILL.md +87 -0
- package/skills_ref/tdd/SKILL.md +371 -0
- package/skills_ref/tdd/testing-anti-patterns.md +299 -0
- package/skills_ref/telegram-send/SKILL.md +99 -0
- package/skills_ref/terraform/README.md +105 -0
- package/skills_ref/terraform/code-generation/.claude-plugin/plugin.json +30 -0
- package/skills_ref/terraform/code-generation/skills/azure-verified-modules/SKILL.md +613 -0
- package/skills_ref/terraform/code-generation/skills/terraform-style-guide/SKILL.md +353 -0
- package/skills_ref/terraform/code-generation/skills/terraform-test/SKILL.md +1669 -0
- package/skills_ref/terraform/module-generation/.claude-plugin/plugin.json +30 -0
- package/skills_ref/terraform/module-generation/skills/refactor-module/SKILL.md +538 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/SKILL.md +468 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/api-monitoring.md +543 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/component-blocks.md +476 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/deployment-blocks.md +391 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/examples.md +1529 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/linked-stacks.md +187 -0
- package/skills_ref/terraform/module-generation/skills/terraform-stacks/references/troubleshooting.md +671 -0
- package/skills_ref/terraform/provider-development/.claude-plugin/plugin.json +13 -0
- package/skills_ref/terraform/provider-development/skills/new-terraform-provider/SKILL.md +25 -0
- package/skills_ref/terraform/provider-development/skills/new-terraform-provider/assets/main.go +40 -0
- package/skills_ref/terraform/provider-development/skills/provider-actions/SKILL.md +478 -0
- package/skills_ref/terraform/provider-development/skills/provider-resources/SKILL.md +599 -0
- package/skills_ref/terraform/provider-development/skills/run-acceptance-tests/SKILL.md +41 -0
- package/skills_ref/theme-factory/LICENSE.txt +202 -0
- package/skills_ref/theme-factory/SKILL.md +59 -0
- package/skills_ref/theme-factory/theme-showcase.pdf +0 -0
- package/skills_ref/theme-factory/themes/arctic-frost.md +19 -0
- package/skills_ref/theme-factory/themes/botanical-garden.md +19 -0
- package/skills_ref/theme-factory/themes/desert-rose.md +19 -0
- package/skills_ref/theme-factory/themes/forest-canopy.md +19 -0
- package/skills_ref/theme-factory/themes/golden-hour.md +19 -0
- package/skills_ref/theme-factory/themes/midnight-galaxy.md +19 -0
- package/skills_ref/theme-factory/themes/modern-minimalist.md +19 -0
- package/skills_ref/theme-factory/themes/ocean-depths.md +19 -0
- package/skills_ref/theme-factory/themes/sunset-boulevard.md +19 -0
- package/skills_ref/theme-factory/themes/tech-innovation.md +19 -0
- package/skills_ref/things-mac/SKILL.md +86 -0
- package/skills_ref/tmux/SKILL.md +153 -0
- package/skills_ref/transcribe/SKILL.md +81 -0
- package/skills_ref/trello/SKILL.md +95 -0
- package/skills_ref/tts/SKILL.md +99 -0
- package/skills_ref/vercel-deploy/SKILL.md +115 -0
- package/skills_ref/video-downloader/SKILL.md +99 -0
- package/skills_ref/video-downloader/scripts/download_video.py +145 -0
- package/skills_ref/video-frames/SKILL.md +46 -0
- package/skills_ref/vision-click/SKILL.md +128 -0
- package/skills_ref/weather/SKILL.md +112 -0
- package/skills_ref/web-artifacts-builder/LICENSE.txt +202 -0
- package/skills_ref/web-artifacts-builder/SKILL.md +74 -0
- package/skills_ref/web-artifacts-builder/scripts/bundle-artifact.sh +54 -0
- package/skills_ref/web-artifacts-builder/scripts/init-artifact.sh +322 -0
- package/skills_ref/web-artifacts-builder/scripts/shadcn-components.tar.gz +0 -0
- package/skills_ref/web-perf/SKILL.md +193 -0
- package/skills_ref/web-routing/SKILL.md +26 -0
- package/skills_ref/whatsapp/SKILL.md +255 -0
- package/skills_ref/whatsapp/assets/agent-app-integration-example.json +35 -0
- package/skills_ref/whatsapp/assets/databases-example.json +11 -0
- package/skills_ref/whatsapp/assets/function-decide-route-interactive-buttons.json +6 -0
- package/skills_ref/whatsapp/assets/functions-example.json +5 -0
- package/skills_ref/whatsapp/assets/workflow-agent-simple.json +31 -0
- package/skills_ref/whatsapp/assets/workflow-api-template-wait-agent.json +59 -0
- package/skills_ref/whatsapp/assets/workflow-customer-support-intake-agent.json +56 -0
- package/skills_ref/whatsapp/assets/workflow-decision.json +83 -0
- package/skills_ref/whatsapp/assets/workflow-interactive-buttons-decide-ai.json +89 -0
- package/skills_ref/whatsapp/assets/workflow-interactive-buttons-decide-function.json +88 -0
- package/skills_ref/whatsapp/assets/workflow-linear.json +53 -0
- package/skills_ref/whatsapp/package.json +10 -0
- package/skills_ref/whatsapp/references/app-integrations.md +89 -0
- package/skills_ref/whatsapp/references/databases-reference.md +21 -0
- package/skills_ref/whatsapp/references/execution-context.md +42 -0
- package/skills_ref/whatsapp/references/function-contracts.md +55 -0
- package/skills_ref/whatsapp/references/functions-payloads.md +87 -0
- package/skills_ref/whatsapp/references/functions-reference.md +133 -0
- package/skills_ref/whatsapp/references/graph-contract.md +145 -0
- package/skills_ref/whatsapp/references/node-types.md +430 -0
- package/skills_ref/whatsapp/references/triggers.md +20 -0
- package/skills_ref/whatsapp/references/workflow-overview.md +22 -0
- package/skills_ref/whatsapp/references/workflow-reference.md +123 -0
- package/skills_ref/whatsapp/scripts/configure-prop.js +113 -0
- package/skills_ref/whatsapp/scripts/create-connect-token.js +38 -0
- package/skills_ref/whatsapp/scripts/create-function.js +64 -0
- package/skills_ref/whatsapp/scripts/create-integration.js +137 -0
- package/skills_ref/whatsapp/scripts/create-row.js +47 -0
- package/skills_ref/whatsapp/scripts/create-trigger.js +88 -0
- package/skills_ref/whatsapp/scripts/create-workflow.js +85 -0
- package/skills_ref/whatsapp/scripts/delete-integration.js +44 -0
- package/skills_ref/whatsapp/scripts/delete-row.js +49 -0
- package/skills_ref/whatsapp/scripts/delete-trigger.js +44 -0
- package/skills_ref/whatsapp/scripts/deploy-function.js +47 -0
- package/skills_ref/whatsapp/scripts/edit-graph.js +289 -0
- package/skills_ref/whatsapp/scripts/get-action-schema.js +44 -0
- package/skills_ref/whatsapp/scripts/get-context-value.js +80 -0
- package/skills_ref/whatsapp/scripts/get-execution-event.js +55 -0
- package/skills_ref/whatsapp/scripts/get-execution.js +44 -0
- package/skills_ref/whatsapp/scripts/get-function.js +43 -0
- package/skills_ref/whatsapp/scripts/get-graph.js +85 -0
- package/skills_ref/whatsapp/scripts/get-table.js +45 -0
- package/skills_ref/whatsapp/scripts/get-workflow.js +44 -0
- package/skills_ref/whatsapp/scripts/invoke-function.js +60 -0
- package/skills_ref/whatsapp/scripts/lib/databases/args.js +87 -0
- package/skills_ref/whatsapp/scripts/lib/databases/filters.js +30 -0
- package/skills_ref/whatsapp/scripts/lib/databases/kapso-api.js +70 -0
- package/skills_ref/whatsapp/scripts/lib/functions/args.js +55 -0
- package/skills_ref/whatsapp/scripts/lib/functions/kapso-api.js +70 -0
- package/skills_ref/whatsapp/scripts/lib/workflows/args.js +53 -0
- package/skills_ref/whatsapp/scripts/lib/workflows/kapso-api.js +123 -0
- package/skills_ref/whatsapp/scripts/lib/workflows/result.js +16 -0
- package/skills_ref/whatsapp/scripts/list-accounts.js +62 -0
- package/skills_ref/whatsapp/scripts/list-apps.js +42 -0
- package/skills_ref/whatsapp/scripts/list-execution-events.js +61 -0
- package/skills_ref/whatsapp/scripts/list-executions.js +53 -0
- package/skills_ref/whatsapp/scripts/list-function-invocations.js +53 -0
- package/skills_ref/whatsapp/scripts/list-functions.js +41 -0
- package/skills_ref/whatsapp/scripts/list-integrations.js +41 -0
- package/skills_ref/whatsapp/scripts/list-provider-models.js +48 -0
- package/skills_ref/whatsapp/scripts/list-tables.js +41 -0
- package/skills_ref/whatsapp/scripts/list-triggers.js +44 -0
- package/skills_ref/whatsapp/scripts/list-whatsapp-phone-numbers.js +56 -0
- package/skills_ref/whatsapp/scripts/list-workflows.js +44 -0
- package/skills_ref/whatsapp/scripts/openapi-explore.mjs +1273 -0
- package/skills_ref/whatsapp/scripts/query-rows.js +71 -0
- package/skills_ref/whatsapp/scripts/reload-props.js +110 -0
- package/skills_ref/whatsapp/scripts/resume-execution.js +75 -0
- package/skills_ref/whatsapp/scripts/search-actions.js +64 -0
- package/skills_ref/whatsapp/scripts/update-execution-status.js +51 -0
- package/skills_ref/whatsapp/scripts/update-function.js +65 -0
- package/skills_ref/whatsapp/scripts/update-graph.js +154 -0
- package/skills_ref/whatsapp/scripts/update-integration.js +82 -0
- package/skills_ref/whatsapp/scripts/update-row.js +51 -0
- package/skills_ref/whatsapp/scripts/update-trigger.js +60 -0
- package/skills_ref/whatsapp/scripts/update-workflow-settings.js +67 -0
- package/skills_ref/whatsapp/scripts/upsert-row.js +64 -0
- package/skills_ref/whatsapp/scripts/validate-graph.js +293 -0
- package/skills_ref/whatsapp/scripts/variables-delete.js +37 -0
- package/skills_ref/whatsapp/scripts/variables-list.js +55 -0
- package/skills_ref/whatsapp/scripts/variables-set.js +39 -0
- package/skills_ref/writing-plans/SKILL.md +116 -0
- package/skills_ref/xlsx/LICENSE.txt +30 -0
- package/skills_ref/xlsx/SKILL.md +292 -0
- package/skills_ref/xlsx/scripts/office/helpers/__init__.py +0 -0
- package/skills_ref/xlsx/scripts/office/helpers/merge_runs.py +199 -0
- package/skills_ref/xlsx/scripts/office/helpers/simplify_redlines.py +197 -0
- package/skills_ref/xlsx/scripts/office/pack.py +159 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chart.xsd +1499 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-chartDrawing.xsd +146 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-diagram.xsd +1085 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-lockedCanvas.xsd +11 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-main.xsd +3081 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-picture.xsd +23 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-spreadsheetDrawing.xsd +185 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/dml-wordprocessingDrawing.xsd +287 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/pml.xsd +1676 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-additionalCharacteristics.xsd +28 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-bibliography.xsd +144 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-commonSimpleTypes.xsd +174 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlDataProperties.xsd +25 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-customXmlSchemaProperties.xsd +18 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesCustom.xsd +59 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesExtended.xsd +56 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-documentPropertiesVariantTypes.xsd +195 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-math.xsd +582 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/shared-relationshipReference.xsd +25 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/sml.xsd +4439 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-main.xsd +570 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-officeDrawing.xsd +509 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-presentationDrawing.xsd +12 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-spreadsheetDrawing.xsd +108 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/vml-wordprocessingDrawing.xsd +96 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/wml.xsd +3646 -0
- package/skills_ref/xlsx/scripts/office/schemas/ISO-IEC29500-4_2016/xml.xsd +116 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-contentTypes.xsd +42 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-coreProperties.xsd +50 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-digSig.xsd +49 -0
- package/skills_ref/xlsx/scripts/office/schemas/ecma/fouth-edition/opc-relationships.xsd +33 -0
- package/skills_ref/xlsx/scripts/office/schemas/mce/mc.xsd +75 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-2010.xsd +560 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-2012.xsd +67 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-2018.xsd +14 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-cex-2018.xsd +20 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-cid-2016.xsd +13 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-sdtdatahash-2020.xsd +4 -0
- package/skills_ref/xlsx/scripts/office/schemas/microsoft/wml-symex-2015.xsd +8 -0
- package/skills_ref/xlsx/scripts/office/soffice.py +183 -0
- package/skills_ref/xlsx/scripts/office/unpack.py +132 -0
- package/skills_ref/xlsx/scripts/office/validate.py +111 -0
- package/skills_ref/xlsx/scripts/office/validators/__init__.py +15 -0
- package/skills_ref/xlsx/scripts/office/validators/base.py +847 -0
- package/skills_ref/xlsx/scripts/office/validators/docx.py +446 -0
- package/skills_ref/xlsx/scripts/office/validators/pptx.py +275 -0
- package/skills_ref/xlsx/scripts/office/validators/redlining.py +247 -0
- package/skills_ref/xlsx/scripts/recalc.py +184 -0
- package/skills_ref/xurl/SKILL.md +461 -0
|
@@ -0,0 +1,536 @@
|
|
|
1
|
+
# Create Data Extensions Workflow
|
|
2
|
+
|
|
3
|
+
Generate data extension YAML files to improve CodeQL's data flow coverage for project-specific APIs. Runs after database build and before analysis.
|
|
4
|
+
|
|
5
|
+
## Task System
|
|
6
|
+
|
|
7
|
+
Create these tasks on workflow start:
|
|
8
|
+
|
|
9
|
+
```
|
|
10
|
+
TaskCreate: "Check for existing data extensions" (Step 1)
|
|
11
|
+
TaskCreate: "Query known sources and sinks" (Step 2) - blockedBy: Step 1
|
|
12
|
+
TaskCreate: "Identify missing sources and sinks" (Step 3) - blockedBy: Step 2
|
|
13
|
+
TaskCreate: "Create data extension files" (Step 4) - blockedBy: Step 3
|
|
14
|
+
TaskCreate: "Validate with re-analysis" (Step 5) - blockedBy: Step 4
|
|
15
|
+
```
|
|
16
|
+
|
|
17
|
+
### Early Exit Points
|
|
18
|
+
|
|
19
|
+
| After Step | Condition | Action |
|
|
20
|
+
|------------|-----------|--------|
|
|
21
|
+
| Step 1 | Extensions already exist | Return found packs/files to run-analysis workflow, finish |
|
|
22
|
+
| Step 3 | No missing models identified | Report coverage is adequate, finish |
|
|
23
|
+
|
|
24
|
+
---
|
|
25
|
+
|
|
26
|
+
## Steps
|
|
27
|
+
|
|
28
|
+
### Step 1: Check for Existing Data Extensions
|
|
29
|
+
|
|
30
|
+
Search the project for existing data extensions and model packs.
|
|
31
|
+
|
|
32
|
+
**1. In-repo model packs** — `qlpack.yml` or `codeql-pack.yml` with `dataExtensions`:
|
|
33
|
+
|
|
34
|
+
```bash
|
|
35
|
+
fd '(qlpack|codeql-pack)\.yml$' . --exclude codeql_*.db | while read -r f; do
|
|
36
|
+
if grep -q 'dataExtensions' "$f"; then
|
|
37
|
+
echo "MODEL PACK: $(dirname "$f") - $(grep '^name:' "$f")"
|
|
38
|
+
fi
|
|
39
|
+
done
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
**2. Standalone data extension files** — `.yml` files with `extensions:` key:
|
|
43
|
+
|
|
44
|
+
```bash
|
|
45
|
+
rg -l '^extensions:' --glob '*.yml' --glob '!codeql_*.db/**' | head -20
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
**3. Installed model packs:**
|
|
49
|
+
|
|
50
|
+
```bash
|
|
51
|
+
codeql resolve qlpacks 2>/dev/null | grep -iE 'model|extension'
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
**If any found:** Report to user what was found and finish. These will be picked up by the run-analysis workflow's model pack detection (Step 2b).
|
|
55
|
+
|
|
56
|
+
**If none found:** Proceed to Step 2.
|
|
57
|
+
|
|
58
|
+
---
|
|
59
|
+
|
|
60
|
+
### Step 2: Query Known Sources and Sinks
|
|
61
|
+
|
|
62
|
+
Run custom QL queries against the database to enumerate all sources and sinks CodeQL currently recognizes. This gives a direct inventory of what is modeled vs. what is not.
|
|
63
|
+
|
|
64
|
+
#### 2a: Select Database and Language
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
DB_NAME=$(ls -dt codeql_*.db 2>/dev/null | head -1)
|
|
68
|
+
LANG=$(codeql resolve database --format=json -- "$DB_NAME" | jq -r '.languages[0]')
|
|
69
|
+
echo "Database: $DB_NAME, Language: $LANG"
|
|
70
|
+
|
|
71
|
+
DIAG_DIR="${DB_NAME%.db}-diagnostics"
|
|
72
|
+
mkdir -p "$DIAG_DIR"
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
#### 2b: Write Source Enumeration Query
|
|
76
|
+
|
|
77
|
+
Use the `Write` tool to create `$DIAG_DIR/list-sources.ql` using the source template from [diagnostic-query-templates.md](../references/diagnostic-query-templates.md#source-enumeration-query). Pick the correct import block for `$LANG`.
|
|
78
|
+
|
|
79
|
+
#### 2c: Write Sink Enumeration Query
|
|
80
|
+
|
|
81
|
+
Use the `Write` tool to create `$DIAG_DIR/list-sinks.ql` using the language-specific sink template from [diagnostic-query-templates.md](../references/diagnostic-query-templates.md#sink-enumeration-queries). The Concepts API differs significantly across languages — use the exact template for the detected language.
|
|
82
|
+
|
|
83
|
+
**For Java:** Also create `$DIAG_DIR/qlpack.yml` with a `codeql/java-all` dependency and run `codeql pack install` before executing queries. See the Java section in the templates reference.
|
|
84
|
+
|
|
85
|
+
#### 2d: Run Queries
|
|
86
|
+
|
|
87
|
+
```bash
|
|
88
|
+
# Run sources query
|
|
89
|
+
codeql query run \
|
|
90
|
+
--database="$DB_NAME" \
|
|
91
|
+
--output="$DIAG_DIR/sources.bqrs" \
|
|
92
|
+
-- "$DIAG_DIR/list-sources.ql"
|
|
93
|
+
|
|
94
|
+
codeql bqrs decode \
|
|
95
|
+
--format=csv \
|
|
96
|
+
--output="$DIAG_DIR/sources.csv" \
|
|
97
|
+
-- "$DIAG_DIR/sources.bqrs"
|
|
98
|
+
|
|
99
|
+
# Run sinks query
|
|
100
|
+
codeql query run \
|
|
101
|
+
--database="$DB_NAME" \
|
|
102
|
+
--output="$DIAG_DIR/sinks.bqrs" \
|
|
103
|
+
-- "$DIAG_DIR/list-sinks.ql"
|
|
104
|
+
|
|
105
|
+
codeql bqrs decode \
|
|
106
|
+
--format=csv \
|
|
107
|
+
--output="$DIAG_DIR/sinks.csv" \
|
|
108
|
+
-- "$DIAG_DIR/sinks.bqrs"
|
|
109
|
+
```
|
|
110
|
+
|
|
111
|
+
#### 2e: Summarize Results
|
|
112
|
+
|
|
113
|
+
```bash
|
|
114
|
+
echo "=== Known Sources ==="
|
|
115
|
+
wc -l < "$DIAG_DIR/sources.csv"
|
|
116
|
+
# Show unique source types
|
|
117
|
+
cut -d',' -f2 "$DIAG_DIR/sources.csv" | sort -u
|
|
118
|
+
|
|
119
|
+
echo "=== Known Sinks ==="
|
|
120
|
+
wc -l < "$DIAG_DIR/sinks.csv"
|
|
121
|
+
# Show unique sink kinds
|
|
122
|
+
cut -d',' -f2 "$DIAG_DIR/sinks.csv" | sort -u
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
Read both CSV files and present a summary to the user:
|
|
126
|
+
|
|
127
|
+
```
|
|
128
|
+
## CodeQL Known Models
|
|
129
|
+
|
|
130
|
+
### Sources (<N> total):
|
|
131
|
+
- remote: <count> (HTTP handlers, request parsing)
|
|
132
|
+
- local: <count> (CLI args, file reads)
|
|
133
|
+
- ...
|
|
134
|
+
|
|
135
|
+
### Sinks (<N> total):
|
|
136
|
+
- sql-execution: <count>
|
|
137
|
+
- command-execution: <count>
|
|
138
|
+
- file-access: <count>
|
|
139
|
+
- ...
|
|
140
|
+
```
|
|
141
|
+
|
|
142
|
+
---
|
|
143
|
+
|
|
144
|
+
### Step 3: Identify Missing Sources and Sinks
|
|
145
|
+
|
|
146
|
+
This is the core analysis step. Cross-reference the project's API surface against CodeQL's known models.
|
|
147
|
+
|
|
148
|
+
#### 3a: Map the Project's API Surface
|
|
149
|
+
|
|
150
|
+
Read source code to identify security-relevant patterns. Look for:
|
|
151
|
+
|
|
152
|
+
| Pattern | What To Find | Likely Model Type |
|
|
153
|
+
|---------|-------------|-------------------|
|
|
154
|
+
| HTTP/request handlers | Custom request parsing, parameter access | `sourceModel` (kind: `remote`) |
|
|
155
|
+
| Database layers | Custom ORM methods, raw query wrappers | `sinkModel` (kind: `sql-injection`) |
|
|
156
|
+
| Command execution | Shell wrappers, process spawners | `sinkModel` (kind: `command-injection`) |
|
|
157
|
+
| File operations | Custom file read/write, path construction | `sinkModel` (kind: `path-injection`) |
|
|
158
|
+
| Template rendering | HTML output, response builders | `sinkModel` (kind: `xss`) |
|
|
159
|
+
| Deserialization | Custom deserializers, data loaders | `sinkModel` (kind: `unsafe-deserialization`) |
|
|
160
|
+
| HTTP clients | URL construction, request builders | `sinkModel` (kind: `ssrf`) |
|
|
161
|
+
| Sanitizers | Input validation, escaping functions | `neutralModel` |
|
|
162
|
+
| Pass-through wrappers | Logging, caching, encoding | `summaryModel` (kind: `taint`) |
|
|
163
|
+
|
|
164
|
+
Use `Grep` to search for these patterns in source code:
|
|
165
|
+
|
|
166
|
+
```bash
|
|
167
|
+
# Examples for Python - adapt patterns per language
|
|
168
|
+
rg -n 'def (get_param|get_header|get_body|parse_request)' --type py
|
|
169
|
+
rg -n '(execute|query|raw_sql|cursor\.)' --type py
|
|
170
|
+
rg -n '(subprocess|os\.system|popen|exec)' --type py
|
|
171
|
+
rg -n '(open|read_file|write_file|path\.join)' --type py
|
|
172
|
+
rg -n '(render|template|html)' --type py
|
|
173
|
+
rg -n '(requests\.|urlopen|fetch|http_client)' --type py
|
|
174
|
+
```
|
|
175
|
+
|
|
176
|
+
#### 3b: Cross-Reference Against Known Sources and Sinks
|
|
177
|
+
|
|
178
|
+
For each API pattern found in 3a, check if it appears in the source/sink CSVs from Step 2:
|
|
179
|
+
|
|
180
|
+
```bash
|
|
181
|
+
# Check if a specific file/function appears in known sources
|
|
182
|
+
grep -i "<function_or_file>" "$DIAG_DIR/sources.csv"
|
|
183
|
+
|
|
184
|
+
# Check if a specific file/function appears in known sinks
|
|
185
|
+
grep -i "<function_or_file>" "$DIAG_DIR/sinks.csv"
|
|
186
|
+
```
|
|
187
|
+
|
|
188
|
+
**An API is "missing" if:**
|
|
189
|
+
- It handles user input but does not appear in `sources.csv`
|
|
190
|
+
- It performs a dangerous operation but does not appear in `sinks.csv`
|
|
191
|
+
- It wraps/transforms tainted data but CodeQL has no summary model for it (these won't appear in either CSV — identify by reading the code for wrapper patterns around known sources/sinks)
|
|
192
|
+
|
|
193
|
+
#### 3c: Report Gaps
|
|
194
|
+
|
|
195
|
+
Present findings to user:
|
|
196
|
+
|
|
197
|
+
```
|
|
198
|
+
## Data Flow Coverage Gaps
|
|
199
|
+
|
|
200
|
+
### Missing Sources (user input not tracked):
|
|
201
|
+
- `myapp.http.Request.get_param()` — custom parameter access
|
|
202
|
+
- `myapp.auth.Token.decode()` — untrusted token data
|
|
203
|
+
|
|
204
|
+
### Missing Sinks (dangerous operations not checked):
|
|
205
|
+
- `myapp.db.Connection.raw_query()` — SQL execution wrapper
|
|
206
|
+
- `myapp.shell.Runner.execute()` — command execution
|
|
207
|
+
|
|
208
|
+
### Missing Summaries (taint lost through wrappers):
|
|
209
|
+
- `myapp.cache.Cache.get()` — taint not propagated through cache
|
|
210
|
+
- `myapp.utils.encode_json()` — taint lost in serialization
|
|
211
|
+
|
|
212
|
+
Proceed to create data extension files?
|
|
213
|
+
```
|
|
214
|
+
|
|
215
|
+
Use `AskUserQuestion`:
|
|
216
|
+
|
|
217
|
+
```
|
|
218
|
+
header: "Extensions"
|
|
219
|
+
question: "Create data extension files for the identified gaps?"
|
|
220
|
+
options:
|
|
221
|
+
- label: "Create all (Recommended)"
|
|
222
|
+
description: "Generate extensions for all identified gaps"
|
|
223
|
+
- label: "Select individually"
|
|
224
|
+
description: "Choose which gaps to model"
|
|
225
|
+
- label: "Skip"
|
|
226
|
+
description: "No extensions needed, proceed to analysis"
|
|
227
|
+
```
|
|
228
|
+
|
|
229
|
+
**If "Skip":** Finish workflow.
|
|
230
|
+
|
|
231
|
+
**If "Select individually":** Use `AskUserQuestion` with `multiSelect: true` listing each gap.
|
|
232
|
+
|
|
233
|
+
---
|
|
234
|
+
|
|
235
|
+
### Step 4: Create Data Extension Files
|
|
236
|
+
|
|
237
|
+
Generate YAML data extension files for the gaps confirmed by the user.
|
|
238
|
+
|
|
239
|
+
#### File Structure
|
|
240
|
+
|
|
241
|
+
Create files in a `codeql-extensions/` directory at project root:
|
|
242
|
+
|
|
243
|
+
```
|
|
244
|
+
codeql-extensions/
|
|
245
|
+
sources.yml # sourceModel entries
|
|
246
|
+
sinks.yml # sinkModel entries
|
|
247
|
+
summaries.yml # summaryModel and neutralModel entries
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
#### YAML Format
|
|
251
|
+
|
|
252
|
+
All extension files follow this structure:
|
|
253
|
+
|
|
254
|
+
```yaml
|
|
255
|
+
extensions:
|
|
256
|
+
- addsTo:
|
|
257
|
+
pack: codeql/<language>-all # Target library pack
|
|
258
|
+
extensible: <model-type> # sourceModel, sinkModel, summaryModel, neutralModel
|
|
259
|
+
data:
|
|
260
|
+
- [<columns>]
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
#### Source Models
|
|
264
|
+
|
|
265
|
+
Columns: `[package, type, subtypes, name, signature, ext, output, kind, provenance]`
|
|
266
|
+
|
|
267
|
+
| Column | Description | Example |
|
|
268
|
+
|--------|-------------|---------|
|
|
269
|
+
| package | Module/package path | `myapp.auth` |
|
|
270
|
+
| type | Class or module name | `AuthManager` |
|
|
271
|
+
| subtypes | Include subclasses | `True` (Java: capitalized) / `true` (Python/JS/Go) |
|
|
272
|
+
| name | Method name | `get_token` |
|
|
273
|
+
| signature | Method signature (optional) | `""` (Python/JS), `"(String,int)"` (Java) |
|
|
274
|
+
| ext | Extension (optional) | `""` |
|
|
275
|
+
| output | What is tainted | `ReturnValue`, `Parameter[0]` (Java) / `Argument[0]` (Python/JS/Go) |
|
|
276
|
+
| kind | Source category | `remote`, `local`, `file`, `environment`, `database` |
|
|
277
|
+
| provenance | How model was created | `manual` |
|
|
278
|
+
|
|
279
|
+
**Java-specific format differences:**
|
|
280
|
+
- **subtypes**: Use `True` / `False` (capitalized, Python-style), not `true` / `false`
|
|
281
|
+
- **output for parameters**: Use `Parameter[N]` (not `Argument[N]`) to mark method parameters as sources
|
|
282
|
+
- **signature**: Required for disambiguation — use Java type syntax: `"(String)"`, `"(String,int)"`
|
|
283
|
+
- **Parameter ranges**: Use `Parameter[0..2]` to mark multiple consecutive parameters
|
|
284
|
+
|
|
285
|
+
Example (Python):
|
|
286
|
+
|
|
287
|
+
```yaml
|
|
288
|
+
# codeql-extensions/sources.yml
|
|
289
|
+
extensions:
|
|
290
|
+
- addsTo:
|
|
291
|
+
pack: codeql/python-all
|
|
292
|
+
extensible: sourceModel
|
|
293
|
+
data:
|
|
294
|
+
- ["myapp.http", "Request", true, "get_param", "", "", "ReturnValue", "remote", "manual"]
|
|
295
|
+
- ["myapp.http", "Request", true, "get_header", "", "", "ReturnValue", "remote", "manual"]
|
|
296
|
+
```
|
|
297
|
+
|
|
298
|
+
Example (Java — note `True`, `Parameter[N]`, and signature):
|
|
299
|
+
|
|
300
|
+
```yaml
|
|
301
|
+
# codeql-extensions/sources.yml
|
|
302
|
+
extensions:
|
|
303
|
+
- addsTo:
|
|
304
|
+
pack: codeql/java-all
|
|
305
|
+
extensible: sourceModel
|
|
306
|
+
data:
|
|
307
|
+
- ["com.myapp.controller", "ApiController", True, "search", "(String)", "", "Parameter[0]", "remote", "manual"]
|
|
308
|
+
- ["com.myapp.service", "FileService", True, "upload", "(String,String)", "", "Parameter[0..1]", "remote", "manual"]
|
|
309
|
+
```
|
|
310
|
+
|
|
311
|
+
#### Sink Models
|
|
312
|
+
|
|
313
|
+
Columns: `[package, type, subtypes, name, signature, ext, input, kind, provenance]`
|
|
314
|
+
|
|
315
|
+
Note: column 7 is `input` (which argument receives tainted data), not `output`.
|
|
316
|
+
|
|
317
|
+
| Kind | Vulnerability |
|
|
318
|
+
|------|---------------|
|
|
319
|
+
| `sql-injection` | SQL injection |
|
|
320
|
+
| `command-injection` | Command injection |
|
|
321
|
+
| `path-injection` | Path traversal |
|
|
322
|
+
| `xss` | Cross-site scripting |
|
|
323
|
+
| `code-injection` | Code injection |
|
|
324
|
+
| `ssrf` | Server-side request forgery |
|
|
325
|
+
| `unsafe-deserialization` | Insecure deserialization |
|
|
326
|
+
|
|
327
|
+
Example (Python):
|
|
328
|
+
|
|
329
|
+
```yaml
|
|
330
|
+
# codeql-extensions/sinks.yml
|
|
331
|
+
extensions:
|
|
332
|
+
- addsTo:
|
|
333
|
+
pack: codeql/python-all
|
|
334
|
+
extensible: sinkModel
|
|
335
|
+
data:
|
|
336
|
+
- ["myapp.db", "Connection", true, "raw_query", "", "", "Argument[0]", "sql-injection", "manual"]
|
|
337
|
+
- ["myapp.shell", "Runner", false, "execute", "", "", "Argument[0]", "command-injection", "manual"]
|
|
338
|
+
```
|
|
339
|
+
|
|
340
|
+
Example (Java — note `True` and `Argument[N]` for sink input):
|
|
341
|
+
|
|
342
|
+
```yaml
|
|
343
|
+
extensions:
|
|
344
|
+
- addsTo:
|
|
345
|
+
pack: codeql/java-all
|
|
346
|
+
extensible: sinkModel
|
|
347
|
+
data:
|
|
348
|
+
- ["com.myapp.db", "QueryRunner", True, "execute", "(String)", "", "Argument[0]", "sql-injection", "manual"]
|
|
349
|
+
```
|
|
350
|
+
|
|
351
|
+
#### Summary Models
|
|
352
|
+
|
|
353
|
+
Columns: `[package, type, subtypes, name, signature, ext, input, output, kind, provenance]`
|
|
354
|
+
|
|
355
|
+
| Kind | Description |
|
|
356
|
+
|------|-------------|
|
|
357
|
+
| `taint` | Data flows through, still tainted |
|
|
358
|
+
| `value` | Data flows through, exact value preserved |
|
|
359
|
+
|
|
360
|
+
Example:
|
|
361
|
+
|
|
362
|
+
```yaml
|
|
363
|
+
# codeql-extensions/summaries.yml
|
|
364
|
+
extensions:
|
|
365
|
+
# Pass-through: taint propagates
|
|
366
|
+
- addsTo:
|
|
367
|
+
pack: codeql/python-all
|
|
368
|
+
extensible: summaryModel
|
|
369
|
+
data:
|
|
370
|
+
- ["myapp.cache", "Cache", true, "get", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
|
|
371
|
+
- ["myapp.utils", "JSON", false, "parse", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
|
|
372
|
+
|
|
373
|
+
# Sanitizer: taint blocked
|
|
374
|
+
- addsTo:
|
|
375
|
+
pack: codeql/python-all
|
|
376
|
+
extensible: neutralModel
|
|
377
|
+
data:
|
|
378
|
+
- ["myapp.security", "Sanitizer", "escape_html", "", "summary", "manual"]
|
|
379
|
+
```
|
|
380
|
+
|
|
381
|
+
**`neutralModel` vs no model:** If a function has no model at all, CodeQL may still infer flow through it. Use `neutralModel` to explicitly block taint propagation through known-safe functions.
|
|
382
|
+
|
|
383
|
+
#### Language-Specific Notes
|
|
384
|
+
|
|
385
|
+
**Python:** Use dotted module paths for `package` (e.g., `myapp.db`).
|
|
386
|
+
|
|
387
|
+
**JavaScript:** `package` is often `""` for project-local code. Use the import path for npm packages.
|
|
388
|
+
|
|
389
|
+
**Go:** Use full import paths (e.g., `myapp/internal/db`). `type` is often `""` for package-level functions.
|
|
390
|
+
|
|
391
|
+
**Java:** Use fully qualified package names (e.g., `com.myapp.db`).
|
|
392
|
+
|
|
393
|
+
**C/C++:** Use `""` for package, put the namespace in `type`.
|
|
394
|
+
|
|
395
|
+
#### Write the Files
|
|
396
|
+
|
|
397
|
+
Use the `Write` tool to create each file. Only create files that have entries — skip empty categories.
|
|
398
|
+
|
|
399
|
+
#### Deploy the Extensions
|
|
400
|
+
|
|
401
|
+
**Known limitation:** `--additional-packs` and `--model-packs` flags do not work with pre-compiled query packs (bundled CodeQL distributions that cache `java-all` inside `.codeql/libraries/`). Extensions placed in a standalone model pack directory will be resolved by `codeql resolve qlpacks` but silently ignored during `codeql database analyze`.
|
|
402
|
+
|
|
403
|
+
**Workaround — copy extensions into the library pack's `ext/` directory:**
|
|
404
|
+
|
|
405
|
+
> **Warning:** Files copied into the `ext/` directory live inside CodeQL's managed pack cache. They will be **lost** when packs are updated via `codeql pack download` or version upgrades. After any pack update, re-run this deployment step to restore the extensions.
|
|
406
|
+
|
|
407
|
+
```bash
|
|
408
|
+
# Find the java-all ext directory used by the query pack
|
|
409
|
+
JAVA_ALL_EXT=$(find "$(codeql resolve qlpacks 2>/dev/null | grep 'java-queries' | awk '{print $NF}' | tr -d '()')" \
|
|
410
|
+
-path '*/.codeql/libraries/codeql/java-all/*/ext' -type d 2>/dev/null | head -1)
|
|
411
|
+
|
|
412
|
+
if [ -n "$JAVA_ALL_EXT" ]; then
|
|
413
|
+
PROJECT_NAME=$(basename "$(pwd)")
|
|
414
|
+
cp codeql-extensions/sources.yml "$JAVA_ALL_EXT/${PROJECT_NAME}.sources.model.yml"
|
|
415
|
+
[ -f codeql-extensions/sinks.yml ] && cp codeql-extensions/sinks.yml "$JAVA_ALL_EXT/${PROJECT_NAME}.sinks.model.yml"
|
|
416
|
+
[ -f codeql-extensions/summaries.yml ] && cp codeql-extensions/summaries.yml "$JAVA_ALL_EXT/${PROJECT_NAME}.summaries.model.yml"
|
|
417
|
+
|
|
418
|
+
# Verify deployment — confirm files landed correctly
|
|
419
|
+
DEPLOYED=$(ls "$JAVA_ALL_EXT/${PROJECT_NAME}".*.model.yml 2>/dev/null | wc -l)
|
|
420
|
+
if [ "$DEPLOYED" -gt 0 ]; then
|
|
421
|
+
echo "Extensions deployed to $JAVA_ALL_EXT ($DEPLOYED files):"
|
|
422
|
+
ls -la "$JAVA_ALL_EXT/${PROJECT_NAME}".*.model.yml
|
|
423
|
+
else
|
|
424
|
+
echo "ERROR: Files were copied but verification failed. Check path: $JAVA_ALL_EXT"
|
|
425
|
+
fi
|
|
426
|
+
else
|
|
427
|
+
echo "WARNING: Could not find java-all ext directory. Extensions may not load."
|
|
428
|
+
echo "Attempted path lookup from: codeql resolve qlpacks | grep java-queries"
|
|
429
|
+
echo "Run 'codeql resolve qlpacks' manually to debug."
|
|
430
|
+
fi
|
|
431
|
+
```
|
|
432
|
+
|
|
433
|
+
**For Python/JS/Go:** The same limitation may apply. Locate the `<lang>-all` pack's `ext/` directory and copy extensions there.
|
|
434
|
+
|
|
435
|
+
**Alternative (if query packs are NOT pre-compiled):** Use `--additional-packs=./codeql-extensions` with a proper model pack `qlpack.yml`:
|
|
436
|
+
|
|
437
|
+
```yaml
|
|
438
|
+
# codeql-extensions/qlpack.yml
|
|
439
|
+
name: custom/<project>-extensions
|
|
440
|
+
version: 0.0.1
|
|
441
|
+
library: true
|
|
442
|
+
extensionTargets:
|
|
443
|
+
codeql/<lang>-all: "*"
|
|
444
|
+
dataExtensions:
|
|
445
|
+
- sources.yml
|
|
446
|
+
- sinks.yml
|
|
447
|
+
- summaries.yml
|
|
448
|
+
```
|
|
449
|
+
|
|
450
|
+
---
|
|
451
|
+
|
|
452
|
+
### Step 5: Validate with Re-Analysis
|
|
453
|
+
|
|
454
|
+
Run a full security analysis with and without extensions to measure the finding delta. This is more reliable than re-running source/sink enumeration queries, which may not reflect the `sourceModel` extensible being used by taint-tracking queries.
|
|
455
|
+
|
|
456
|
+
#### 5a: Run Baseline Analysis (without extensions)
|
|
457
|
+
|
|
458
|
+
```bash
|
|
459
|
+
RESULTS_DIR="${DB_NAME%.db}-results"
|
|
460
|
+
mkdir -p "$RESULTS_DIR"
|
|
461
|
+
|
|
462
|
+
# Baseline run (or skip if already run in a previous step)
|
|
463
|
+
codeql database analyze "$DB_NAME" \
|
|
464
|
+
--format=sarif-latest \
|
|
465
|
+
--output="$RESULTS_DIR/baseline.sarif" \
|
|
466
|
+
--threads=0 \
|
|
467
|
+
-- codeql/<lang>-queries:codeql-suites/<lang>-security-extended.qls
|
|
468
|
+
```
|
|
469
|
+
|
|
470
|
+
#### 5b: Run Analysis with Extensions
|
|
471
|
+
|
|
472
|
+
```bash
|
|
473
|
+
# Clean cache to force re-evaluation
|
|
474
|
+
codeql database cleanup "$DB_NAME"
|
|
475
|
+
|
|
476
|
+
codeql database analyze "$DB_NAME" \
|
|
477
|
+
--format=sarif-latest \
|
|
478
|
+
--output="$RESULTS_DIR/with-extensions.sarif" \
|
|
479
|
+
--threads=0 \
|
|
480
|
+
--rerun \
|
|
481
|
+
-- codeql/<lang>-queries:codeql-suites/<lang>-security-extended.qls
|
|
482
|
+
```
|
|
483
|
+
|
|
484
|
+
Use `-vvv` flag to verify extensions are being loaded — look for `Loading data extensions in ... <your-extension-file>.yml` in stderr.
|
|
485
|
+
|
|
486
|
+
#### 5c: Compare Findings
|
|
487
|
+
|
|
488
|
+
```bash
|
|
489
|
+
BASELINE=$(python3 -c "import json; print(sum(len(r.get('results',[])) for r in json.load(open('$RESULTS_DIR/baseline.sarif')).get('runs',[])))")
|
|
490
|
+
WITH_EXT=$(python3 -c "import json; print(sum(len(r.get('results',[])) for r in json.load(open('$RESULTS_DIR/with-extensions.sarif')).get('runs',[])))")
|
|
491
|
+
echo "Findings: $BASELINE → $WITH_EXT (+$((WITH_EXT - BASELINE)))"
|
|
492
|
+
```
|
|
493
|
+
|
|
494
|
+
**If counts did not increase:** The extension YAML may have syntax errors or column values that don't match the code. Check:
|
|
495
|
+
|
|
496
|
+
| Issue | Solution |
|
|
497
|
+
|-------|----------|
|
|
498
|
+
| Extension not loaded | Run with `-vvv` and grep for your extension filename in output |
|
|
499
|
+
| Pre-compiled pack ignores extensions | Use the `ext/` directory workaround above |
|
|
500
|
+
| Java: No new findings | Verify `True`/`False` (capitalized) for subtypes, `Parameter[N]` for sources |
|
|
501
|
+
| No new sources/sinks | Verify column values match actual code signatures exactly |
|
|
502
|
+
| Type not found | Use exact type name as it appears in CodeQL database |
|
|
503
|
+
| Wrong argument index | Arguments are 0-indexed; `self` is `Argument[self]` (Python), `Parameter[0]` (Java) |
|
|
504
|
+
|
|
505
|
+
Fix the extension files, re-deploy to `ext/`, and re-run 5b until counts increase.
|
|
506
|
+
|
|
507
|
+
---
|
|
508
|
+
|
|
509
|
+
## Final Output
|
|
510
|
+
|
|
511
|
+
```
|
|
512
|
+
## Data Extensions Created
|
|
513
|
+
|
|
514
|
+
**Database:** $DB_NAME
|
|
515
|
+
**Language:** <LANG>
|
|
516
|
+
|
|
517
|
+
### Files Created:
|
|
518
|
+
- codeql-extensions/sources.yml — <N> source models
|
|
519
|
+
- codeql-extensions/sinks.yml — <N> sink models
|
|
520
|
+
- codeql-extensions/summaries.yml — <N> summary/neutral models
|
|
521
|
+
|
|
522
|
+
### Model Coverage:
|
|
523
|
+
- Sources: <BEFORE> → <AFTER> (+<DELTA>)
|
|
524
|
+
- Sinks: <BEFORE> → <AFTER> (+<DELTA>)
|
|
525
|
+
|
|
526
|
+
### Usage:
|
|
527
|
+
Extensions deployed to `<lang>-all` ext/ directory (auto-loaded).
|
|
528
|
+
Source files in `codeql-extensions/` for version control.
|
|
529
|
+
Run the run-analysis workflow to use them.
|
|
530
|
+
```
|
|
531
|
+
|
|
532
|
+
## References
|
|
533
|
+
|
|
534
|
+
- [Threat models reference](../references/threat-models.md) — control which source categories are active during analysis
|
|
535
|
+
- [CodeQL data extensions](https://codeql.github.com/docs/codeql-cli/using-custom-queries-with-the-codeql-cli/#using-extension-packs)
|
|
536
|
+
- [Customizing library models](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-python/)
|