create-issflow 1.1.0 → 1.2.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/bin/cli.js +3 -2
- package/package.json +1 -1
- package/template/.claude/commands/qa-audit.md +53 -0
- package/template/.claude/commands/security-audit.md +56 -0
- package/template/.claude/commands/ui-audit.md +54 -0
- package/template/.claude/istartsoft-flow/METHODOLOGY.md +29 -0
- package/template/.claude/skills/ux-design/SKILL.md +4 -0
package/README.md
CHANGED
|
@@ -25,7 +25,7 @@ Flags:
|
|
|
25
25
|
The portable kit (every tool) in `<project>/.claude/`:
|
|
26
26
|
|
|
27
27
|
- `agents/` — planner · researcher · implementer · test-author · debugger · e2e-runner · synthesizer
|
|
28
|
-
- `commands/` — `/overview` `/propose` `/phase` `/change-request` `/replan` `/quick` `/synthesize` `/store-wisdom` `/log-issue` `/log-decision` `/unstuck`
|
|
28
|
+
- `commands/` — `/overview` `/propose` `/phase` `/ui-audit` `/qa-audit` `/security-audit` `/change-request` `/replan` `/quick` `/synthesize` `/store-wisdom` `/log-issue` `/log-decision` `/unstuck`
|
|
29
29
|
- `skills/` — caveman · grill-me · karpathy-guidelines · ux-design
|
|
30
30
|
- `hooks/` — session-start · pre-compact · subagent-stop
|
|
31
31
|
- `istartsoft-flow/METHODOLOGY.md` — the full methodology (single source of truth)
|
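Review bot: the `commands/` line now lists the three new audit commands, but the `skills/` line two lines below (`caveman · grill-me · karpathy-guidelines · ux-design`) is left unchanged even though `bin/cli.js` in this same release emits `caveman · grill-me · karpathy-guidelines · ux-design · security (Secure SDLC) · code-standards`, and `/security-audit` reads its rubric from `.claude/skills/security/SKILL.md`. Either the README is missing two skills or the CLI advertises skills the kit does not ship; update the `skills/` line here (or the string in `agentsMd()`) so the two lists agree.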
package/bin/cli.js
CHANGED
|
@@ -198,8 +198,9 @@ function agentsMd() {
|
|
|
198
198
|
'## Roles — `.claude/agents/`', '',
|
|
199
199
|
'planner · researcher · implementer · test-author · debugger · e2e-runner · synthesizer', '',
|
|
200
200
|
'## Procedures — `.claude/commands/` (run as `/name`)', '',
|
|
201
|
-
'/overview · /propose · /phase · /
|
|
202
|
-
'/
|
|
201
|
+
'/overview · /propose · /phase · /ui-audit · /qa-audit · /security-audit ·',
|
|
202
|
+
'/change-request · /replan · /quick · /synthesize · /store-wisdom · /log-issue ·',
|
|
203
|
+
'/log-decision · /unstuck', '',
|
|
203
204
|
'## Skills — `.claude/skills/` (loaded on demand)', '',
|
|
204
205
|
'caveman · grill-me · karpathy-guidelines · ux-design · security (Secure SDLC) · code-standards', '',
|
|
205
206
|
'## Autonomy', '',
|
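Review bot: the command list in `agentsMd()` is now hard-coded across three string literals here and duplicated verbatim on README.md line 28 in this same diff, so every future command needs the same edit in at least two places (three, counting the `commands/` directory itself). Consider deriving the list from the template's `commands/` directory (the `.md` basenames) when generating the file, so the generated AGENTS.md cannot drift from what is actually scaffolded. Also worth confirming that the renderer joins these fragments with a space or newline: the first two end in ` ·` and rely on the next fragment supplying the following name.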
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "create-issflow",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.2.0",
|
|
4
4
|
"description": "Scaffold the iStartSoftFlow AI-coding workflow into a project. Stack-agnostic, tool-agnostic (Claude Code, Codex, Cursor, Gemini, Aider), non-destructive.",
|
|
5
5
|
"bin": {
|
|
6
6
|
"create-issflow": "bin/cli.js"
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Holistic QA audit — sweep the WHOLE product's functional quality (test-coverage gaps, regression health, flaky tests, critical-flow e2e, error/edge handling), score it, and produce a prioritized findings report. On-demand or before a release. NOT the per-phase gate — the phase gate runs one phase's real suite; this audits the entire test estate + behaviour.
|
|
3
|
+
argument-hint: [optional scope]
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
Caveman ULTRA mode. You are the ORCHESTRATOR.
|
|
7
|
+
|
|
8
|
+
Purpose: a whole-product FUNCTIONAL QA audit — the QA counterpart of `/ui-audit`.
|
|
9
|
+
The per-phase gate (rule 5) proves ONE phase's real suite is green; this audit checks
|
|
10
|
+
the health + coverage of the ENTIRE test estate and the product's behaviour, end to
|
|
11
|
+
end. Run before a release, after big changes, or on request.
|
|
12
|
+
|
|
13
|
+
QA = "does it WORK right?" — a DIFFERENT axis from UI audit ("does it LOOK / meet
|
|
14
|
+
standards right?"). Passing one never implies the other.
|
|
15
|
+
|
|
16
|
+
## PRE-FLIGHT
|
|
17
|
+
Read `docs/ENDPOINTS.md` (the surface), `docs/PLAN.md` (acceptance specs), and the
|
|
18
|
+
`tests/` + `e2e/` suites. The acceptance criteria + ENDPOINTS are the rubric.
|
|
19
|
+
|
|
20
|
+
## STEP 1 — INVENTORY
|
|
21
|
+
List the public surface (endpoints, exported functions, CLI, message contracts) and
|
|
22
|
+
the critical user flows (from OVERVIEW). These are what MUST be covered.
|
|
23
|
+
|
|
24
|
+
## STEP 2 — SWEEP (dispatch a worker to keep context lean)
|
|
25
|
+
- **Coverage** — every ENDPOINTS entry + acceptance criterion has a real-API
|
|
26
|
+
regression test? List gaps. Untested branches / error paths?
|
|
27
|
+
- **Critical flows** — does e2e cover the must-work journeys (auth, the core slice,
|
|
28
|
+
payments / data)?
|
|
29
|
+
- **Regression health** — run the full REAL corpus (`scripts/regression.sh --real`).
|
|
30
|
+
Any reds?
|
|
31
|
+
- **Flakiness** — tests that pass only on rerun (timing) — flag; don't hide.
|
|
32
|
+
- **Negative / edge** — are abuse cases + edge inputs asserted, not just the happy path?
|
|
33
|
+
- **Contract drift** — do the mock suites still match the real API?
|
|
34
|
+
- **Test integrity** — tests written BLIND from the spec (no overfit)? None edited to pass?
|
|
35
|
+
|
|
36
|
+
## STEP 3 — SCORE + FINDINGS
|
|
37
|
+
Rate each dimension PASS / WARN / FAIL. Per finding:
|
|
38
|
+
- **severity**: BLOCKER (red real test · uncovered critical flow) · MAJOR (coverage
|
|
39
|
+
gap · flaky) · MINOR (polish)
|
|
40
|
+
- **location**: suite + case (or the uncovered surface)
|
|
41
|
+
- **issue** + **fix**: the concrete change
|
|
42
|
+
|
|
43
|
+
## STEP 4 — REPORT
|
|
44
|
+
Write `docs/qa-audit-<YYYY-MM-DD>.md`: coverage map · per-dimension scoreboard ·
|
|
45
|
+
findings sorted by severity · prioritized fix list. Log BLOCKER / MAJOR to
|
|
46
|
+
`docs/ISSUES.md`.
|
|
47
|
+
**VERDICT: SHIP | FIX-FIRST** — never ship with a red real test or an uncovered
|
|
48
|
+
critical flow.
|
|
49
|
+
|
|
50
|
+
## STEP 5 — REMEDIATE
|
|
51
|
+
AUTO: dispatch `test-author` (BLIND) to fill coverage gaps, `debugger` for reds
|
|
52
|
+
(budget 3), then re-run. Park what's blocked + report. Tests are written by
|
|
53
|
+
`test-author` for impartiality — never weaken a test to make it pass.
|
|
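Review bot: the Regression health bullet runs `scripts/regression.sh --real` unconditionally, while the sibling audits guard every tool invocation with "if present"; for a stack-agnostic scaffold the script should either be declared a required contract of the template (with a PRE-FLIGHT check that it exists) or fall back to the project's own test runner. Two smaller points: "(budget 3)" in STEP 5 is ambiguous (three `debugger` dispatches, three attempts per red, or three reds?), and the Test integrity bullet's "None edited to pass?" gives the worker no way to answer it; pointing it at the test files' git history (tests modified in the same commit as the code they cover) would make the check concrete.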
@@ -0,0 +1,56 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Holistic security audit — sweep the WHOLE product against the security cookbook (OWASP Top 10 / ASVS / WSTG / secrets / SCA / SAST / supply chain), score it, and produce a prioritized findings report. On-demand or before a release. NOT the per-phase gate — rule 11 checks one phase while coding; this audits the whole attack surface.
|
|
3
|
+
argument-hint: [optional scope]
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
Caveman ULTRA mode. You are the ORCHESTRATOR.
|
|
7
|
+
|
|
8
|
+
Purpose: a whole-product SECURITY audit — the security counterpart of `/ui-audit`
|
|
9
|
+
and `/qa-audit`. The per-phase gate (rule 11) checks secrets/SCA/SAST + secure coding
|
|
10
|
+
on ONE phase; this audit sweeps the ENTIRE attack surface and the product's security
|
|
11
|
+
posture. Run before a release, after auth/data changes, or on request — and before
|
|
12
|
+
the pre-deploy pentest, not instead of it.
|
|
13
|
+
|
|
14
|
+
Security = "is it SAFE?" — a different axis from QA ("does it work?") and UI
|
|
15
|
+
("does it look right?"). Passing those never implies this.
|
|
16
|
+
|
|
17
|
+
## PRE-FLIGHT
|
|
18
|
+
Read the rubric: `.claude/skills/security/SKILL.md` (the Secure SDLC cookbook) and
|
|
19
|
+
its `references/` (OWASP Top 10 / ASVS / WSTG / ISO 27001 / SLSA). The cookbook IS the
|
|
20
|
+
checklist — audit against it; don't invent criteria.
|
|
21
|
+
|
|
22
|
+
## STEP 1 — INVENTORY (attack surface)
|
|
23
|
+
Map it from `docs/ENDPOINTS.md` + the code: entry points (routes, inputs, file
|
|
24
|
+
uploads, webhooks), trust boundaries, auth/session, data stores + PII, secrets,
|
|
25
|
+
third-party deps, and outbound calls.
|
|
26
|
+
|
|
27
|
+
## STEP 2 — SWEEP (dispatch a worker to keep context lean)
|
|
28
|
+
- **OWASP Top 10** — broken access control, crypto failures, injection (SQLi/XSS/
|
|
29
|
+
cmd), insecure design, misconfiguration, vulnerable components, auth failures,
|
|
30
|
+
integrity failures, logging/monitoring gaps, SSRF.
|
|
31
|
+
- **AuthN / AuthZ** — every protected route enforces it; no IDOR; least privilege.
|
|
32
|
+
- **Secrets** — none in code/history/config/prompts (run gitleaks/trufflehog if present).
|
|
33
|
+
- **Dependencies (SCA)** — known CVEs (run `npm audit` / `pip-audit` / `osv-scanner`).
|
|
34
|
+
- **SAST** — run semgrep / CodeQL if present; review hotspots otherwise.
|
|
35
|
+
- **Input validation + output encoding** at every boundary; safe file handling.
|
|
36
|
+
- **Crypto** — strong algorithms, no hardcoded keys, secrets at rest/in transit.
|
|
37
|
+
- **Supply chain (SLSA)** — pinned deps, build integrity, no untrusted scripts.
|
|
38
|
+
- **Logging / monitoring** — security events logged; no sensitive data in logs.
|
|
39
|
+
- **Threat-model coverage** — were the design-stage abuse cases actually tested?
|
|
40
|
+
|
|
41
|
+
## STEP 3 — SCORE + FINDINGS
|
|
42
|
+
Rate each area PASS / WARN / FAIL. Per finding:
|
|
43
|
+
- **severity**: CRITICAL · HIGH · MEDIUM · LOW (map to CVSS where it helps)
|
|
44
|
+
- **location**: endpoint / file / dependency
|
|
45
|
+
- **issue** + the OWASP/ASVS reference it breaks + **fix**
|
|
46
|
+
|
|
47
|
+
## STEP 4 — REPORT
|
|
48
|
+
Write `docs/security-audit-<YYYY-MM-DD>.md`: attack-surface map · per-area scoreboard ·
|
|
49
|
+
findings sorted by severity · prioritized remediation. Log HIGH/CRITICAL to
|
|
50
|
+
`docs/ISSUES.md`.
|
|
51
|
+
**VERDICT: SHIP | FIX-FIRST** — never ship with an open HIGH or CRITICAL.
|
|
52
|
+
|
|
53
|
+
## STEP 5 — REMEDIATE
|
|
54
|
+
A security fix is security-sensitive (autonomy hard-stop): in AUTO, fix and re-audit
|
|
55
|
+
but SURFACE the change for human sign-off before it lands. Park what's blocked +
|
|
56
|
+
report. A clean `/security-audit` is a precondition for the pre-deploy pentest gate.
|
|
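Review bot: STEP 3 lets severity be "mapped to CVSS where it helps" but the STEP 4 verdict keys on "open HIGH or CRITICAL", so two runs can ship or block the same finding depending on the worker's judgment; pin the bands to the CVSS v3 qualitative scale (CRITICAL 9.0–10.0, HIGH 7.0–8.9, MEDIUM 4.0–6.9, LOW 0.1–3.9) so the verdict is reproducible. STEP 2 names the scanners to run (gitleaks/trufflehog, `npm audit`/`pip-audit`/`osv-scanner`, semgrep/CodeQL) but STEP 4 never asks for their output to be attached, so a PASS rests on the orchestrator's summary rather than evidence; require the tool reports (or at least the exact commands and versions run) alongside `docs/security-audit-<YYYY-MM-DD>.md`. Finally, that report and the HIGH/CRITICAL entries written to `docs/ISSUES.md` describe unfixed weaknesses and live in the repository, and METHODOLOGY.md below references a shared KB; the command should state how those files are handled until the fix lands (at minimum, not on a public branch or in the shared KB).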
@@ -0,0 +1,54 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Holistic UI audit — sweep the WHOLE product's UI against the ux-design cookbook (+ a11y / responsive / consistency), score it, and produce a prioritized findings report. On-demand or before a release. This is NOT the per-phase gate — the `ux-design` gate checks one screen at phase close (pass/block); this audit sweeps every screen and reports accumulated drift.
|
|
3
|
+
argument-hint: [optional scope — a route, or "all"]
|
|
4
|
+
---
|
|
5
|
+
|
|
6
|
+
Caveman ULTRA mode. You are the ORCHESTRATOR.
|
|
7
|
+
|
|
8
|
+
Purpose: a periodic, WHOLE-PRODUCT UI audit — distinct from the inline `ux-design`
|
|
9
|
+
gate. The gate validates ONE screen at phase close; this AUDIT sweeps EVERY screen,
|
|
10
|
+
scores the product, and surfaces drift that accumulated across changes. Run before a
|
|
11
|
+
release, after big UI work, or on request.
|
|
12
|
+
|
|
13
|
+
## PRE-FLIGHT
|
|
14
|
+
Read the rubric: `.claude/skills/ux-design/SKILL.md` (the cookbook) and
|
|
15
|
+
`references/wireframe-template.md` (the frame). The cookbook IS the checklist —
|
|
16
|
+
do not invent new criteria; audit against it.
|
|
17
|
+
|
|
18
|
+
## STEP 1 — INVENTORY
|
|
19
|
+
List every screen / route / major component to audit (from the router, the
|
|
20
|
+
wireframe baseline, or `$ARGUMENTS`). Audit shared components once.
|
|
21
|
+
|
|
22
|
+
## STEP 2 — SWEEP (dispatch a worker per area to keep context lean)
|
|
23
|
+
Score each screen against the cookbook dimensions:
|
|
24
|
+
- design tokens · 8-pt spacing · type scale (no raw hex/px)
|
|
25
|
+
- iconography — a real SVG set, **NEVER emoji**
|
|
26
|
+
- accessibility (WCAG 2.1 AA): contrast ≥ 4.5:1, visible focus, keyboard reach,
|
|
27
|
+
semantic HTML, labels / alt / aria, 44×44 targets, `prefers-reduced-motion`
|
|
28
|
+
- state matrix: default · hover · focus · active · disabled · loading · empty · error
|
|
29
|
+
- responsive breakpoints (no overflow / break)
|
|
30
|
+
- content & i18n (no hardcoded strings; growth-safe)
|
|
31
|
+
- consistency / wireframe conformance (no drift BETWEEN screens)
|
|
32
|
+
Run automated tools if the project has them (axe-core / Lighthouse / pa11y) and fold
|
|
33
|
+
their output in; otherwise do the manual cookbook sweep.
|
|
34
|
+
|
|
35
|
+
## STEP 3 — SCORE + FINDINGS
|
|
36
|
+
Rate each dimension PASS / WARN / FAIL. For every finding record:
|
|
37
|
+
- **severity**: BLOCKER (a11y / contrast / unusable) · MAJOR (drift / missing state)
|
|
38
|
+
· MINOR (polish)
|
|
39
|
+
- **location**: screen + element
|
|
40
|
+
- **issue** + the cookbook rule it breaks
|
|
41
|
+
- **fix**: the concrete change
|
|
42
|
+
|
|
43
|
+
## STEP 4 — REPORT
|
|
44
|
+
Write `docs/ui-audit-<YYYY-MM-DD>.md`:
|
|
45
|
+
- coverage (screens audited) · a per-dimension scoreboard · the findings table sorted
|
|
46
|
+
by severity · a prioritized fix list.
|
|
47
|
+
- Log BLOCKER / MAJOR findings to `docs/ISSUES.md`.
|
|
48
|
+
- **VERDICT: SHIP | FIX-FIRST** — a release must not ship with open BLOCKERs.
|
|
49
|
+
|
|
50
|
+
## STEP 5 — REMEDIATE
|
|
51
|
+
AUTO: fix MINOR / MAJOR that don't change the visual direction, re-audit them, log.
|
|
52
|
+
A new visual direction or a design-token change → confirm with the user first
|
|
53
|
+
(hard rule 9 — UI conforms to the frame; new direction is a human call).
|
|
54
|
+
Hand back the report + what was fixed vs parked.
|
|
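Review bot: the accessibility bullet labels the rubric "WCAG 2.1 AA" but two of its thresholds do not match that level: the 4.5:1 contrast minimum applies to normal text only (large text needs 3:1 under 1.4.3, and UI components and graphical objects need 3:1 under 1.4.11), and a 44×44 target size is the Level AAA criterion 2.5.5 in WCAG 2.1 (WCAG 2.2 adds a 24×24 minimum at AA as 2.5.8). As written, a worker that scores a 3.5:1 heading or a 32-px icon button as a BLOCKER is following the command, not the standard; either relabel the rubric as the project's own stricter bar or add the two exceptions so severities stay comparable with the axe-core/Lighthouse output that gets folded in.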
@@ -174,6 +174,15 @@ Named procedures, each with a canonical body in `.claude/commands/<name>.md`.
|
|
|
174
174
|
coverage gate.
|
|
175
175
|
- **quick [change]** — small, obvious, non-phase change; no agent chain. Stays
|
|
176
176
|
non-TDD. Runs the mock regression corpus after the change.
|
|
177
|
+
- **ui-audit** — whole-product UI audit against the `ux-design` cookbook (a11y /
|
|
178
|
+
responsive / consistency); scored findings report. Periodic / pre-release. Distinct
|
|
179
|
+
from the per-phase ux-design gate (one screen) — this sweeps every screen.
|
|
180
|
+
- **qa-audit** — whole-product FUNCTIONAL QA audit (coverage gaps, regression health,
|
|
181
|
+
flaky tests, critical-flow e2e, edge/error handling); scored report. The QA
|
|
182
|
+
counterpart of `ui-audit`. Distinct from the per-phase real-suite gate.
|
|
183
|
+
- **security-audit** — whole-product SECURITY audit against the `security` cookbook
|
|
184
|
+
(OWASP/ASVS/WSTG/secrets/SCA/SAST/supply-chain); scored report. On-demand; a
|
|
185
|
+
precondition for the pre-deploy pentest. Distinct from the per-phase rule-11 gate.
|
|
177
186
|
- **unstuck** — deep re-research after a circuit breaker (auto-run once in AUTO on
|
|
178
187
|
first stuck; human-triggered in GUIDED).
|
|
179
188
|
- **synthesize** — compress STATE.md, dedup ISSUES.md, prune snapshots. Run
|
|
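Review bot: the three new entries describe the gate they are distinct from inconsistently: `security-audit` names "the per-phase rule-11 gate" and `ui-audit` names the ux-design gate, but `qa-audit` says only "the per-phase real-suite gate" although qa-audit.md itself calls it "rule 5"; adding "(rule 5)" here keeps the cross-references uniform. The cadence wording also differs ("Periodic / pre-release" for ui-audit, "On-demand" for security-audit, nothing for qa-audit) while all three command bodies say the same thing (before a release, after big changes, or on request); one phrase for all three would read cleaner.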
@@ -332,6 +341,26 @@ development run that follows the spec and logs every problem so it never recurs.
|
|
|
332
341
|
|
|
333
342
|
-----
|
|
334
343
|
|
|
344
|
+
## Quality model (orthogonal axes — each audited)
|
|
345
|
+
|
|
346
|
+
Quality is checked on independent axes. Passing one NEVER implies another. Each has a
|
|
347
|
+
STANDARD, an inline GATE (per phase), and — for the user-facing ones — a holistic
|
|
348
|
+
AUDIT (whole product, pre-release):
|
|
349
|
+
|
|
350
|
+
| Axis | Question | Standard | Inline gate (per phase) | Whole-product audit |
|
|
351
|
+
|------|----------|----------|-------------------------|---------------------|
|
|
352
|
+
| **Functional / QA** | does it WORK? | blind TDD, RED-first (rules 5–6) | real suite green + regression corpus | full REAL corpus (final phase) · `/qa-audit` |
|
|
353
|
+
| **UI / UX** | is it usable + on-brand? | `ux-design` cookbook | the ux-design check (rule 9) | `/ui-audit` |
|
|
354
|
+
| **Security** | is it safe? | `security` cookbook (OWASP/ASVS/ISO) | secrets/SCA/SAST + secure coding (rule 11) | `/security-audit` · pentest + review before deploy |
|
|
355
|
+
| **Code** | is it consistent? | `code-standards` (naming/architecture) | lint/format + idiom (rule 12) | — |
|
|
356
|
+
|
|
357
|
+
**QA is the test discipline**, not a single agent: `test-author` (blind tests) +
|
|
358
|
+
`e2e-runner` (functional E2E) + the phase gate + the regression corpus + `debugger`.
|
|
359
|
+
UI audit checks *presentation*; QA checks *behaviour* — a button can pass one and
|
|
360
|
+
fail the other.
|
|
361
|
+
|
|
362
|
+
-----
|
|
363
|
+
|
|
335
364
|
## Shared KB (optional)
|
|
336
365
|
|
|
337
366
|
If `.claude/kb-config.json` exists, the SESSION-OPEN ritual pulls the KB and loads
|
|
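Review bot: the intro says a holistic AUDIT exists "for the user-facing ones", but the table gives Security a whole-product audit (`/security-audit`) and Security is not a user-facing axis, while Code, the only axis without one, is not what "user-facing" excludes; "for every axis except Code" states what the table actually shows. In the Security row the standard is abbreviated "OWASP/ASVS/ISO", whereas security-audit.md reads the cookbook's `references/` as OWASP Top 10 / ASVS / WSTG / ISO 27001 / SLSA and the `security-audit` entry added earlier in this file lists OWASP/ASVS/WSTG/secrets/SCA/SAST/supply-chain; aligning the abbreviation avoids a reader concluding the table's rubric is narrower than the command's.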
@@ -31,6 +31,10 @@ confirmed with the user before building — design is where human taste matters.
|
|
|
31
31
|
- Reviewing a UI diff (the "ตรวจ" pass).
|
|
32
32
|
- CLOSE gate of any frontend phase — the cookbook check MUST pass.
|
|
33
33
|
|
|
34
|
+
This skill is the STANDARD + the inline GATE (one screen, at phase close). For a
|
|
35
|
+
WHOLE-PRODUCT sweep against this same cookbook — periodic or before a release — run
|
|
36
|
+
`/ui-audit` (same rubric, broader scope, a scored report).
|
|
37
|
+
|
|
34
38
|
Order: **wireframe first** (does the layout match the baseline frame?) ->
|
|
35
39
|
**cookbook** (do the details obey the system?). Never invent layout the
|
|
36
40
|
wireframe does not have. If the design truly needs a frame the wireframe lacks,
|
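Review bot: this paragraph gives the ux-design skill a pointer to its whole-product counterpart `/ui-audit`, but the diff's file list shows no matching edit to `.claude/skills/security/SKILL.md`, which security-audit.md names as its rubric and which the METHODOLOGY table pairs with rule 11 in the same STANDARD + inline GATE + AUDIT pattern; adding the symmetric "for a whole-product sweep run `/security-audit`" sentence there keeps the two skills discoverable the same way. (There is no QA skill to update; METHODOLOGY.md states that QA is the test discipline rather than a skill.)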