create-issflow 1.1.0 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -25,7 +25,7 @@ Flags:
25
25
  The portable kit (every tool) in `<project>/.claude/`:
26
26
 
27
27
  - `agents/` — planner · researcher · implementer · test-author · debugger · e2e-runner · synthesizer
28
- - `commands/` — `/overview` `/propose` `/phase` `/change-request` `/replan` `/quick` `/synthesize` `/store-wisdom` `/log-issue` `/log-decision` `/unstuck`
28
+ - `commands/` — `/overview` `/propose` `/phase` `/ui-audit` `/qa-audit` `/security-audit` `/change-request` `/replan` `/quick` `/synthesize` `/store-wisdom` `/log-issue` `/log-decision` `/unstuck`
29
29
  - `skills/` — caveman · grill-me · karpathy-guidelines · ux-design
30
30
  - `hooks/` — session-start · pre-compact · subagent-stop
31
31
  - `istartsoft-flow/METHODOLOGY.md` — the full methodology (single source of truth)
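Review bot: the `skills/` line of this kit inventory (unchanged context above) still lists only caveman · grill-me · karpathy-guidelines · ux-design, while `agentsMd()` in cli.js emits `security (Secure SDLC) · code-standards` for the same directory, and the new `/security-audit` reads `.claude/skills/security/SKILL.md` as its rubric. Update the README skills line in the same commit, or derive both listings from the directory contents, so the portable-kit inventory does not drift from what is actually scaffolded.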
package/bin/cli.js CHANGED
@@ -198,8 +198,9 @@ function agentsMd() {
198
198
  '## Roles — `.claude/agents/`', '',
199
199
  'planner · researcher · implementer · test-author · debugger · e2e-runner · synthesizer', '',
200
200
  '## Procedures — `.claude/commands/` (run as `/name`)', '',
201
- '/overview · /propose · /phase · /change-request · /replan · /quick · /synthesize ·',
202
- '/store-wisdom · /log-issue · /log-decision · /unstuck', '',
201
+ '/overview · /propose · /phase · /ui-audit · /qa-audit · /security-audit ·',
202
+ '/change-request · /replan · /quick · /synthesize · /store-wisdom · /log-issue ·',
203
+ '/log-decision · /unstuck', '',
203
204
  '## Skills — `.claude/skills/` (loaded on demand)', '',
204
205
  'caveman · grill-me · karpathy-guidelines · ux-design · security (Secure SDLC) · code-standards', '',
205
206
  '## Autonomy', '',
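Review bot: the command list is now hand-maintained in three places (this array, README.md and METHODOLOGY.md), and the same diff already shows the README skills line lagging behind this function. Consider building the `## Procedures` block from the files present in `.claude/commands/` at scaffold time so the generated agents file cannot disagree with what was installed; the three string literals with a trailing `·` continuation are also easy to break when the next command is spliced in.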
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "create-issflow",
3
- "version": "1.1.0",
3
+ "version": "1.2.0",
4
4
  "description": "Scaffold the iStartSoftFlow AI-coding workflow into a project. Stack-agnostic, tool-agnostic (Claude Code, Codex, Cursor, Gemini, Aider), non-destructive.",
5
5
  "bin": {
6
6
  "create-issflow": "bin/cli.js"
@@ -0,0 +1,53 @@
1
+ ---
2
+ description: Holistic QA audit — sweep the WHOLE product's functional quality (test-coverage gaps, regression health, flaky tests, critical-flow e2e, error/edge handling), score it, and produce a prioritized findings report. On-demand or before a release. NOT the per-phase gate — the phase gate runs one phase's real suite; this audits the entire test estate + behaviour.
3
+ argument-hint: [optional scope]
4
+ ---
5
+
6
+ Caveman ULTRA mode. You are the ORCHESTRATOR.
7
+
8
+ Purpose: a whole-product FUNCTIONAL QA audit — the QA counterpart of `/ui-audit`.
9
+ The per-phase gate (rule 5) proves ONE phase's real suite is green; this audit checks
10
+ the health + coverage of the ENTIRE test estate and the product's behaviour, end to
11
+ end. Run before a release, after big changes, or on request.
12
+
13
+ QA = "does it WORK right?" — a DIFFERENT axis from UI audit ("does it LOOK / meet
14
+ standards right?"). Passing one never implies the other.
15
+
16
+ ## PRE-FLIGHT
17
+ Read `docs/ENDPOINTS.md` (the surface), `docs/PLAN.md` (acceptance specs), and the
18
+ `tests/` + `e2e/` suites. The acceptance criteria + ENDPOINTS are the rubric.
19
+
20
+ ## STEP 1 — INVENTORY
21
+ List the public surface (endpoints, exported functions, CLI, message contracts) and
22
+ the critical user flows (from OVERVIEW). These are what MUST be covered.
23
+
24
+ ## STEP 2 — SWEEP (dispatch a worker to keep context lean)
25
+ - **Coverage** — every ENDPOINTS entry + acceptance criterion has a real-API
26
+ regression test? List gaps. Untested branches / error paths?
27
+ - **Critical flows** — does e2e cover the must-work journeys (auth, the core slice,
28
+ payments / data)?
29
+ - **Regression health** — run the full REAL corpus (`scripts/regression.sh --real`).
30
+ Any reds?
31
+ - **Flakiness** — tests that pass only on rerun (timing) — flag; don't hide.
32
+ - **Negative / edge** — are abuse cases + edge inputs asserted, not just the happy path?
33
+ - **Contract drift** — do the mock suites still match the real API?
34
+ - **Test integrity** — tests written BLIND from the spec (no overfit)? None edited to pass?
35
+
36
+ ## STEP 3 — SCORE + FINDINGS
37
+ Rate each dimension PASS / WARN / FAIL. Per finding:
38
+ - **severity**: BLOCKER (red real test · uncovered critical flow) · MAJOR (coverage
39
+ gap · flaky) · MINOR (polish)
40
+ - **location**: suite + case (or the uncovered surface)
41
+ - **issue** + **fix**: the concrete change
42
+
43
+ ## STEP 4 — REPORT
44
+ Write `docs/qa-audit-<YYYY-MM-DD>.md`: coverage map · per-dimension scoreboard ·
45
+ findings sorted by severity · prioritized fix list. Log BLOCKER / MAJOR to
46
+ `docs/ISSUES.md`.
47
+ **VERDICT: SHIP | FIX-FIRST** — never ship with a red real test or an uncovered
48
+ critical flow.
49
+
50
+ ## STEP 5 — REMEDIATE
51
+ AUTO: dispatch `test-author` (BLIND) to fill coverage gaps, `debugger` for reds
52
+ (budget 3), then re-run. Park what's blocked + report. Tests are written by
53
+ `test-author` for impartiality — never weaken a test to make it pass.
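Review bot: STEP 2 runs `scripts/regression.sh --real` unconditionally, but nothing in the prompt says which environment or credentials the real corpus targets; an audit that can be triggered on request or in AUTO should state that the real suite runs against a sandbox/non-production account, and should treat a missing script the way `/security-audit` treats missing scanners ("if present") rather than letting the sweep fail. STEP 4 also logs only BLOCKER/MAJOR to `docs/ISSUES.md`, so MINOR findings survive only in the dated report and are lost once it is superseded.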
@@ -0,0 +1,56 @@
1
+ ---
2
+ description: Holistic security audit — sweep the WHOLE product against the security cookbook (OWASP Top 10 / ASVS / WSTG / secrets / SCA / SAST / supply chain), score it, and produce a prioritized findings report. On-demand or before a release. NOT the per-phase gate — rule 11 checks one phase while coding; this audits the whole attack surface.
3
+ argument-hint: [optional scope]
4
+ ---
5
+
6
+ Caveman ULTRA mode. You are the ORCHESTRATOR.
7
+
8
+ Purpose: a whole-product SECURITY audit — the security counterpart of `/ui-audit`
9
+ and `/qa-audit`. The per-phase gate (rule 11) checks secrets/SCA/SAST + secure coding
10
+ on ONE phase; this audit sweeps the ENTIRE attack surface and the product's security
11
+ posture. Run before a release, after auth/data changes, or on request — and before
12
+ the pre-deploy pentest, not instead of it.
13
+
14
+ Security = "is it SAFE?" — a different axis from QA ("does it work?") and UI
15
+ ("does it look right?"). Passing those never implies this.
16
+
17
+ ## PRE-FLIGHT
18
+ Read the rubric: `.claude/skills/security/SKILL.md` (the Secure SDLC cookbook) and
19
+ its `references/` (OWASP Top 10 / ASVS / WSTG / ISO 27001 / SLSA). The cookbook IS the
20
+ checklist — audit against it; don't invent criteria.
21
+
22
+ ## STEP 1 — INVENTORY (attack surface)
23
+ Map it from `docs/ENDPOINTS.md` + the code: entry points (routes, inputs, file
24
+ uploads, webhooks), trust boundaries, auth/session, data stores + PII, secrets,
25
+ third-party deps, and outbound calls.
26
+
27
+ ## STEP 2 — SWEEP (dispatch a worker to keep context lean)
28
+ - **OWASP Top 10** — broken access control, crypto failures, injection (SQLi/XSS/
29
+ cmd), insecure design, misconfiguration, vulnerable components, auth failures,
30
+ integrity failures, logging/monitoring gaps, SSRF.
31
+ - **AuthN / AuthZ** — every protected route enforces it; no IDOR; least privilege.
32
+ - **Secrets** — none in code/history/config/prompts (run gitleaks/trufflehog if present).
33
+ - **Dependencies (SCA)** — known CVEs (run `npm audit` / `pip-audit` / `osv-scanner`).
34
+ - **SAST** — run semgrep / CodeQL if present; review hotspots otherwise.
35
+ - **Input validation + output encoding** at every boundary; safe file handling.
36
+ - **Crypto** — strong algorithms, no hardcoded keys, secrets at rest/in transit.
37
+ - **Supply chain (SLSA)** — pinned deps, build integrity, no untrusted scripts.
38
+ - **Logging / monitoring** — security events logged; no sensitive data in logs.
39
+ - **Threat-model coverage** — were the design-stage abuse cases actually tested?
40
+
41
+ ## STEP 3 — SCORE + FINDINGS
42
+ Rate each area PASS / WARN / FAIL. Per finding:
43
+ - **severity**: CRITICAL · HIGH · MEDIUM · LOW (map to CVSS where it helps)
44
+ - **location**: endpoint / file / dependency
45
+ - **issue** + the OWASP/ASVS reference it breaks + **fix**
46
+
47
+ ## STEP 4 — REPORT
48
+ Write `docs/security-audit-<YYYY-MM-DD>.md`: attack-surface map · per-area scoreboard ·
49
+ findings sorted by severity · prioritized remediation. Log HIGH/CRITICAL to
50
+ `docs/ISSUES.md`.
51
+ **VERDICT: SHIP | FIX-FIRST** — never ship with an open HIGH or CRITICAL.
52
+
53
+ ## STEP 5 — REMEDIATE
54
+ A security fix is security-sensitive (autonomy hard-stop): in AUTO, fix and re-audit
55
+ but SURFACE the change for human sign-off before it lands. Park what's blocked +
56
+ report. A clean `/security-audit` is a precondition for the pre-deploy pentest gate.
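Review bot: the verdict hinges on HIGH/CRITICAL, but STEP 3 leaves the scale to judgement ("map to CVSS where it helps"), so two runs can disagree on whether the same finding blocks a release; fix a mapping (for example CVSS base 7.0+ → HIGH, 9.0+ → CRITICAL, and take the `npm audit` / `osv-scanner` severities as reported) so the gate is reproducible. The secrets bullet says "code/history", so spell out that the scanner must cover git history (gitleaks' `detect` mode does by default; a working-tree-only scan does not). And as with `/qa-audit`, MEDIUM findings are never written to `docs/ISSUES.md`, only HIGH/CRITICAL, so they do not survive beyond the dated report.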
@@ -0,0 +1,54 @@
1
+ ---
2
+ description: Holistic UI audit — sweep the WHOLE product's UI against the ux-design cookbook (+ a11y / responsive / consistency), score it, and produce a prioritized findings report. On-demand or before a release. This is NOT the per-phase gate — the `ux-design` gate checks one screen at phase close (pass/block); this audit sweeps every screen and reports accumulated drift.
3
+ argument-hint: [optional scope — a route, or "all"]
4
+ ---
5
+
6
+ Caveman ULTRA mode. You are the ORCHESTRATOR.
7
+
8
+ Purpose: a periodic, WHOLE-PRODUCT UI audit — distinct from the inline `ux-design`
9
+ gate. The gate validates ONE screen at phase close; this AUDIT sweeps EVERY screen,
10
+ scores the product, and surfaces drift that accumulated across changes. Run before a
11
+ release, after big UI work, or on request.
12
+
13
+ ## PRE-FLIGHT
14
+ Read the rubric: `.claude/skills/ux-design/SKILL.md` (the cookbook) and
15
+ `references/wireframe-template.md` (the frame). The cookbook IS the checklist —
16
+ do not invent new criteria; audit against it.
17
+
18
+ ## STEP 1 — INVENTORY
19
+ List every screen / route / major component to audit (from the router, the
20
+ wireframe baseline, or `$ARGUMENTS`). Audit shared components once.
21
+
22
+ ## STEP 2 — SWEEP (dispatch a worker per area to keep context lean)
23
+ Score each screen against the cookbook dimensions:
24
+ - design tokens · 8-pt spacing · type scale (no raw hex/px)
25
+ - iconography — a real SVG set, **NEVER emoji**
26
+ - accessibility (WCAG 2.1 AA): contrast ≥ 4.5:1, visible focus, keyboard reach,
27
+ semantic HTML, labels / alt / aria, 44×44 targets, `prefers-reduced-motion`
28
+ - state matrix: default · hover · focus · active · disabled · loading · empty · error
29
+ - responsive breakpoints (no overflow / break)
30
+ - content & i18n (no hardcoded strings; growth-safe)
31
+ - consistency / wireframe conformance (no drift BETWEEN screens)
32
+ Run automated tools if the project has them (axe-core / Lighthouse / pa11y) and fold
33
+ their output in; otherwise do the manual cookbook sweep.
34
+
35
+ ## STEP 3 — SCORE + FINDINGS
36
+ Rate each dimension PASS / WARN / FAIL. For every finding record:
37
+ - **severity**: BLOCKER (a11y / contrast / unusable) · MAJOR (drift / missing state)
38
+ · MINOR (polish)
39
+ - **location**: screen + element
40
+ - **issue** + the cookbook rule it breaks
41
+ - **fix**: the concrete change
42
+
43
+ ## STEP 4 — REPORT
44
+ Write `docs/ui-audit-<YYYY-MM-DD>.md`:
45
+ - coverage (screens audited) · a per-dimension scoreboard · the findings table sorted
46
+ by severity · a prioritized fix list.
47
+ - Log BLOCKER / MAJOR findings to `docs/ISSUES.md`.
48
+ - **VERDICT: SHIP | FIX-FIRST** — a release must not ship with open BLOCKERs.
49
+
50
+ ## STEP 5 — REMEDIATE
51
+ AUTO: fix MINOR / MAJOR that don't change the visual direction, re-audit them, log.
52
+ A new visual direction or a design-token change → confirm with the user first
53
+ (hard rule 9 — UI conforms to the frame; new direction is a human call).
54
+ Hand back the report + what was fixed vs parked.
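Review bot: the accessibility bullet puts 44×44 targets under "WCAG 2.1 AA", but in WCAG 2.1 target size 44×44 is SC 2.5.5 at level AAA (an AA minimum of 24×24 only arrives with WCAG 2.2, SC 2.5.8); likewise 4.5:1 is the ratio for normal text, while large text and UI components need 3:1 (SC 1.4.3 / 1.4.11). State which level the rubric enforces so a BLOCKER verdict is defensible. The tool line (axe-core / Lighthouse / pa11y) also needs a running app; say where it is started or which URL it targets, otherwise the dispatched worker picks an environment on its own.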
@@ -174,6 +174,15 @@ Named procedures, each with a canonical body in `.claude/commands/<name>.md`.
174
174
  coverage gate.
175
175
  - **quick [change]** — small, obvious, non-phase change; no agent chain. Stays
176
176
  non-TDD. Runs the mock regression corpus after the change.
177
+ - **ui-audit** — whole-product UI audit against the `ux-design` cookbook (a11y /
178
+ responsive / consistency); scored findings report. Periodic / pre-release. Distinct
179
+ from the per-phase ux-design gate (one screen) — this sweeps every screen.
180
+ - **qa-audit** — whole-product FUNCTIONAL QA audit (coverage gaps, regression health,
181
+ flaky tests, critical-flow e2e, edge/error handling); scored report. The QA
182
+ counterpart of `ui-audit`. Distinct from the per-phase real-suite gate.
183
+ - **security-audit** — whole-product SECURITY audit against the `security` cookbook
184
+ (OWASP/ASVS/WSTG/secrets/SCA/SAST/supply-chain); scored report. On-demand; a
185
+ precondition for the pre-deploy pentest. Distinct from the per-phase rule-11 gate.
177
186
  - **unstuck** — deep re-research after a circuit breaker (auto-run once in AUTO on
178
187
  first stuck; human-triggered in GUIDED).
179
188
  - **synthesize** — compress STATE.md, dedup ISSUES.md, prune snapshots. Run
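Review bot: the three audits introduced here use two severity vocabularies (BLOCKER/MAJOR/MINOR for ui-audit and qa-audit, CRITICAL/HIGH/MEDIUM/LOW for security-audit) and all write into the same `docs/ISSUES.md`; either normalise the scale in this section or require ISSUES.md entries to carry the axis, otherwise the `synthesize` dedup and any triage cannot sort findings across them.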
@@ -332,6 +341,26 @@ development run that follows the spec and logs every problem so it never recurs.
332
341
 
333
342
  -----
334
343
 
344
+ ## Quality model (orthogonal axes — each audited)
345
+
346
+ Quality is checked on independent axes. Passing one NEVER implies another. Each has a
347
+ STANDARD, an inline GATE (per phase), and — for the user-facing ones — a holistic
348
+ AUDIT (whole product, pre-release):
349
+
350
+ | Axis | Question | Standard | Inline gate (per phase) | Whole-product audit |
351
+ |------|----------|----------|-------------------------|---------------------|
352
+ | **Functional / QA** | does it WORK? | blind TDD, RED-first (rules 5–6) | real suite green + regression corpus | full REAL corpus (final phase) · `/qa-audit` |
353
+ | **UI / UX** | is it usable + on-brand? | `ux-design` cookbook | the ux-design check (rule 9) | `/ui-audit` |
354
+ | **Security** | is it safe? | `security` cookbook (OWASP/ASVS/ISO) | secrets/SCA/SAST + secure coding (rule 11) | `/security-audit` · pentest + review before deploy |
355
+ | **Code** | is it consistent? | `code-standards` (naming/architecture) | lint/format + idiom (rule 12) | — |
356
+
357
+ **QA is the test discipline**, not a single agent: `test-author` (blind tests) +
358
+ `e2e-runner` (functional E2E) + the phase gate + the regression corpus + `debugger`.
359
+ UI audit checks *presentation*; QA checks *behaviour* — a button can pass one and
360
+ fail the other.
361
+
362
+ -----
363
+
335
364
  ## Shared KB (optional)
336
365
 
337
366
  If `.claude/kb-config.json` exists, the SESSION-OPEN ritual pulls the KB and loads
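Review bot: the Security row's standard cell reads `OWASP/ASVS/ISO` while `/security-audit` audits against OWASP Top 10 / ASVS / WSTG / ISO 27001 / SLSA; use one list so the table and the command agree. The row's whole-product column should also encode the ordering the command mandates (a clean `/security-audit` is a precondition for the pre-deploy pentest), since `·` between the two reads as alternatives rather than a sequence.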
@@ -31,6 +31,10 @@ confirmed with the user before building — design is where human taste matters.
31
31
  - Reviewing a UI diff (the "ตรวจ" pass).
32
32
  - CLOSE gate of any frontend phase — the cookbook check MUST pass.
33
33
 
34
+ This skill is the STANDARD + the inline GATE (one screen, at phase close). For a
35
+ WHOLE-PRODUCT sweep against this same cookbook — periodic or before a release — run
36
+ `/ui-audit` (same rubric, broader scope, a scored report).
37
+
34
38
  Order: **wireframe first** (does the layout match the baseline frame?) ->
35
39
  **cookbook** (do the details obey the system?). Never invent layout the
36
40
  wireframe does not have. If the design truly needs a frame the wireframe lacks,
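Review bot: the added paragraph calls `/ui-audit` "same rubric, broader scope", but the two have different pass criteria: the CLOSE gate says the cookbook check MUST pass, while the audit verdict only blocks on open BLOCKERs and auto-fixes MAJOR/MINOR. Say which is stricter here, so a screen that passed its gate and later fails the audit is read as accumulated drift rather than as a contradiction between the two checks.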