create-vasvibe 2.3.1 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +170 -167
- package/bin/cli.mjs +9 -9
- package/package.json +44 -44
- package/src/git.mjs +47 -47
- package/src/index.mjs +228 -228
- package/src/prompts.mjs +113 -113
- package/src/scaffold.mjs +74 -74
- package/src/upgrade.mjs +121 -121
- package/src/utils.mjs +91 -91
- package/template/.agents/agents/analyst/agent.json +43 -43
- package/template/.agents/agents/backend/agent.json +44 -44
- package/template/.agents/agents/data-architect/agent.json +43 -43
- package/template/.agents/agents/devops/agent.json +44 -44
- package/template/.agents/agents/discovery/agent.json +43 -43
- package/template/.agents/agents/document/agent.json +43 -43
- package/template/.agents/agents/fixer/agent.json +44 -44
- package/template/.agents/agents/frontend/agent.json +44 -44
- package/template/.agents/agents/fullstack/agent.json +44 -44
- package/template/.agents/agents/initiator/agent.json +41 -41
- package/template/.agents/agents/manual-tester/agent.json +44 -0
- package/template/.agents/agents/orchestrator/agent.json +44 -44
- package/template/.agents/agents/pm/agent.json +42 -42
- package/template/.agents/agents/qa/agent.json +44 -44
- package/template/.agents/agents/reliability/agent.json +44 -44
- package/template/.agents/agents/security/agent.json +44 -44
- package/template/.agents/agents/sysarch/agent.json +44 -44
- package/template/.agents/agents/tester/agent.json +44 -44
- package/template/.agents/agents/toolsmith/agent.json +44 -44
- package/template/.agents/agents/ux-designer/agent.json +43 -43
- package/template/.agents/skills/find-skills/SKILL.md +142 -142
- package/template/.agents/skills/fullstack/SKILL.md +89 -89
- package/template/.agents/skills/penetration-testing/SKILL.md +94 -94
- package/template/.agents/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
- package/template/.agents/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
- package/template/.agents/skills/penetration-testing/scripts/security-checklist.sh +30 -30
- package/template/.agents/skills/pm/SKILL.md +170 -170
- package/template/.agents/skills/ui-ux-pro-max/SKILL.md +658 -658
- package/template/.agents/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
- package/template/.agents/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
- package/template/.agents/skills/ui-ux-pro-max/data/design.csv +1775 -1775
- package/template/.agents/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
- package/template/.agents/skills/ui-ux-pro-max/data/icons.csv +105 -105
- package/template/.agents/skills/ui-ux-pro-max/data/products.csv +162 -162
- package/template/.agents/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
- package/template/.agents/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
- package/template/.agents/skills/ui-ux-pro-max/data/typography.csv +74 -74
- package/template/.agents/skills/ui-ux-pro-max/scripts/core.py +262 -262
- package/template/.agents/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
- package/template/.agents/workflows/build-feature.md +21 -21
- package/template/.agents/workflows/daily-standup.md +16 -16
- package/template/.agents/workflows/deliver-feature.md +16 -16
- package/template/.agents/workflows/harden-release.md +21 -21
- package/template/.agents/workflows/plan-project.md +25 -25
- package/template/.agents/workflows/release.md +18 -18
- package/template/.agents/workflows/security-audit.md +19 -19
- package/template/.agents/workflows/setup-workspace.md +21 -21
- package/template/.agents/workflows/start-fix.md +17 -17
- package/template/.agents/workflows/test-feature.md +17 -17
- package/template/.claude/agents/analyst.md +75 -75
- package/template/.claude/agents/backend.md +61 -61
- package/template/.claude/agents/data-architect.md +43 -43
- package/template/.claude/agents/devops.md +44 -43
- package/template/.claude/agents/discovery.md +51 -51
- package/template/.claude/agents/document.md +51 -51
- package/template/.claude/agents/fixer.md +83 -82
- package/template/.claude/agents/frontend.md +58 -58
- package/template/.claude/agents/fullstack.md +84 -83
- package/template/.claude/agents/initiator.md +74 -74
- package/template/.claude/agents/manual-tester.md +108 -0
- package/template/.claude/agents/orchestrator.md +114 -113
- package/template/.claude/agents/pm.md +199 -199
- package/template/.claude/agents/qa.md +66 -65
- package/template/.claude/agents/reliability.md +48 -47
- package/template/.claude/agents/security.md +107 -106
- package/template/.claude/agents/sysarch.md +301 -301
- package/template/.claude/agents/tester.md +100 -100
- package/template/.claude/agents/toolsmith.md +77 -76
- package/template/.claude/agents/ux-designer.md +45 -45
- package/template/.claude/commands/build-feature.md +22 -22
- package/template/.claude/commands/daily-standup.md +16 -16
- package/template/.claude/commands/deliver-feature.md +17 -17
- package/template/.claude/commands/harden-release.md +22 -22
- package/template/.claude/commands/manual-test.md +19 -0
- package/template/.claude/commands/plan-project.md +26 -26
- package/template/.claude/commands/release.md +19 -19
- package/template/.claude/commands/security-audit.md +20 -20
- package/template/.claude/commands/setup-workspace.md +22 -22
- package/template/.claude/commands/start-fix.md +18 -18
- package/template/.claude/commands/test-feature.md +18 -18
- package/template/.claude/skills/find-skills +1 -0
- package/template/.claude/skills/penetration-testing/SKILL.md +94 -94
- package/template/.claude/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
- package/template/.claude/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
- package/template/.claude/skills/penetration-testing/scripts/security-checklist.sh +30 -30
- package/template/.claude/skills/ui-ux-pro-max/SKILL.md +658 -658
- package/template/.claude/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
- package/template/.claude/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
- package/template/.claude/skills/ui-ux-pro-max/data/design.csv +1775 -1775
- package/template/.claude/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
- package/template/.claude/skills/ui-ux-pro-max/data/icons.csv +105 -105
- package/template/.claude/skills/ui-ux-pro-max/data/products.csv +162 -162
- package/template/.claude/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
- package/template/.claude/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
- package/template/.claude/skills/ui-ux-pro-max/data/typography.csv +74 -74
- package/template/.claude/skills/ui-ux-pro-max/scripts/core.py +262 -262
- package/template/.claude/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
- package/template/.github/prompts/analyst.prompt.md +57 -57
- package/template/.github/prompts/backend.prompt.md +44 -44
- package/template/.github/prompts/data-architect.prompt.md +38 -38
- package/template/.github/prompts/devops.prompt.md +32 -32
- package/template/.github/prompts/discovery.prompt.md +39 -39
- package/template/.github/prompts/document.prompt.md +14 -14
- package/template/.github/prompts/fixer.prompt.md +90 -89
- package/template/.github/prompts/frontend.prompt.md +43 -43
- package/template/.github/prompts/fullstack.prompt.md +91 -91
- package/template/.github/prompts/initiator.prompt.md +55 -55
- package/template/.github/prompts/manual-tester.prompt.md +103 -0
- package/template/.github/prompts/orchestrator.prompt.md +75 -75
- package/template/.github/prompts/pm.prompt.md +186 -186
- package/template/.github/prompts/qa.prompt.md +57 -57
- package/template/.github/prompts/reliability.prompt.md +44 -44
- package/template/.github/prompts/security.prompt.md +41 -41
- package/template/.github/prompts/sysarch.prompt.md +351 -351
- package/template/.github/prompts/tester.prompt.md +107 -107
- package/template/.github/prompts/toolsmith.prompt.md +46 -46
- package/template/.github/prompts/ux-designer.prompt.md +41 -41
- package/template/.opencode/agents/analyst.md +75 -75
- package/template/.opencode/agents/backend.md +61 -61
- package/template/.opencode/agents/data-architect.md +43 -43
- package/template/.opencode/agents/devops.md +44 -41
- package/template/.opencode/agents/discovery.md +51 -51
- package/template/.opencode/agents/document.md +51 -51
- package/template/.opencode/agents/fixer.md +83 -82
- package/template/.opencode/agents/frontend.md +58 -58
- package/template/.opencode/agents/fullstack.md +84 -83
- package/template/.opencode/agents/initiator.md +74 -74
- package/template/.opencode/agents/manual-tester.md +107 -0
- package/template/.opencode/agents/orchestrator.md +116 -119
- package/template/.opencode/agents/pm.md +199 -199
- package/template/.opencode/agents/qa.md +66 -65
- package/template/.opencode/agents/reliability.md +48 -46
- package/template/.opencode/agents/security.md +107 -105
- package/template/.opencode/agents/sysarch.md +301 -301
- package/template/.opencode/agents/tester.md +100 -100
- package/template/.opencode/agents/toolsmith.md +77 -77
- package/template/.opencode/agents/ux-designer.md +45 -45
- package/template/.opencode/commands/build-feature.md +21 -21
- package/template/.opencode/commands/daily-standup.md +16 -16
- package/template/.opencode/commands/deliver-feature.md +16 -16
- package/template/.opencode/commands/harden-release.md +21 -21
- package/template/.opencode/commands/manual-test.md +18 -0
- package/template/.opencode/commands/plan-project.md +25 -25
- package/template/.opencode/commands/release.md +18 -18
- package/template/.opencode/commands/security-audit.md +19 -19
- package/template/.opencode/commands/setup-workspace.md +21 -21
- package/template/.opencode/commands/start-fix.md +17 -17
- package/template/.opencode/commands/test-feature.md +17 -17
- package/template/.opencode/skills/penetration-testing/SKILL.md +94 -94
- package/template/.opencode/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
- package/template/.opencode/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
- package/template/.opencode/skills/penetration-testing/scripts/security-checklist.sh +30 -30
- package/template/.opencode/skills/ui-ux-pro-max/SKILL.md +658 -658
- package/template/.opencode/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
- package/template/.opencode/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
- package/template/.opencode/skills/ui-ux-pro-max/data/design.csv +1775 -1775
- package/template/.opencode/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
- package/template/.opencode/skills/ui-ux-pro-max/data/icons.csv +105 -105
- package/template/.opencode/skills/ui-ux-pro-max/data/products.csv +162 -162
- package/template/.opencode/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
- package/template/.opencode/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
- package/template/.opencode/skills/ui-ux-pro-max/data/typography.csv +74 -74
- package/template/.opencode/skills/ui-ux-pro-max/scripts/core.py +262 -262
- package/template/.opencode/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
- package/template/AGENT_PERSONAS.md +595 -551
- package/template/GIT_STRUCTURE_GUIDE.md +270 -270
- package/template/PROJECT_README.example.md +81 -81
- package/template/QUICK-START.md +134 -131
- package/template/README.md +1942 -1919
- package/template/_gitignore +141 -141
- package/template/agent/workflows/_shared/change-management.md +70 -70
- package/template/agent/workflows/_shared/git-branch-management.md +25 -25
- package/template/agent/workflows/_shared/phases.md +88 -88
- package/template/agent/workflows/_shared/state-management.md +87 -87
- package/template/agent/workflows/_shared/work-depth.md +46 -46
- package/template/agent/workflows/analyst.md +75 -75
- package/template/agent/workflows/backend.md +61 -61
- package/template/agent/workflows/data-architect.md +43 -43
- package/template/agent/workflows/devops.md +44 -44
- package/template/agent/workflows/discovery.md +51 -51
- package/template/agent/workflows/document.md +51 -51
- package/template/agent/workflows/fixer.md +83 -82
- package/template/agent/workflows/frontend.md +58 -58
- package/template/agent/workflows/fullstack.md +84 -84
- package/template/agent/workflows/initiator.md +74 -74
- package/template/agent/workflows/manual-tester.md +103 -0
- package/template/agent/workflows/orchestrator.md +114 -114
- package/template/agent/workflows/pm.md +199 -199
- package/template/agent/workflows/qa.md +66 -66
- package/template/agent/workflows/reliability.md +48 -48
- package/template/agent/workflows/security.md +107 -107
- package/template/agent/workflows/sysarch.md +301 -301
- package/template/agent/workflows/tester.md +100 -100
- package/template/agent/workflows/toolsmith.md +77 -77
- package/template/agent/workflows/ux-designer.md +45 -45
- package/template/codes/.gitkeep +1 -1
- package/template/project_overview_example.md +54 -54
- package/template/schemas/adr.template.md +36 -36
- package/template/schemas/changelog.template.md +34 -34
- package/template/schemas/data-model.template.md +57 -57
- package/template/schemas/design-system.template.md +63 -63
- package/template/schemas/dev_log.template.md +20 -20
- package/template/schemas/product-ci.template.yml +50 -50
- package/template/schemas/requirements.template.md +64 -64
- package/template/schemas/security-standards.template.md +58 -58
- package/template/schemas/security_report.template.md +89 -89
- package/template/schemas/specification.template.md +57 -57
- package/template/schemas/style_guide.template.md +29 -29
- package/template/schemas/task_list.template.md +28 -28
- package/template/schemas/workspace-manifest.template.json +24 -24
- package/template/schemas/workspace-registry.json +94 -94
- package/template/skills-lock.json +11 -11
- package/template/specifications/.gitkeep +1 -1
- package/template/state/knowledge_base/.gitkeep +1 -1
- package/template/state/knowledge_base/requirements/.gitkeep +1 -1
- package/template/tests/.gitkeep +1 -1
- package/template/.agents/workflows/explorer.md +0 -78
- package/template/.agents/workflows/logger.md +0 -117
- package/template/.claude/settings.local.json +0 -35
- package/template/.claude/skills/find-skills/SKILL.md +0 -142
- package/template/.opencode/agents/explorer.md +0 -138
- package/template/.opencode/agents/logger.md +0 -143
|
@@ -1,57 +1,57 @@
|
|
|
1
|
-
**ACT AS:** Senior Code Reviewer & Security Auditor.
|
|
2
|
-
|
|
3
|
-
**CONTEXT:** Melakukan static code review dan security audit sebelum kode masuk ke fase E2E testing. Tidak menjalankan test — membaca kode, mencari kerentanan, dan menghasilkan QA report.
|
|
4
|
-
|
|
5
|
-
**PRINSIP KERJA:**
|
|
6
|
-
1. **Least Privilege:** Kamu adalah reviewer, bukan developer. Jangan ubah kode langsung kecuali diminta spesifik.
|
|
7
|
-
2. **Security First:** Tidak ada hardcoded credentials (API keys, passwords). Semua secret via Environment Variables.
|
|
8
|
-
3. **Architecture Consistency:** Kode sesuai dengan architecture & UI/UX guidelines.
|
|
9
|
-
|
|
10
|
-
**INSTRUCTION STEPS:**
|
|
11
|
-
|
|
12
|
-
1. **Load Context:**
|
|
13
|
-
- Baca spesifikasi (`specifications/...`)
|
|
14
|
-
- Baca style guide atau arsitektur dari `state/knowledge_base/`
|
|
15
|
-
- Cek file kode yang baru di folder `codes/` (gunakan git diff atau read langsung)
|
|
16
|
-
|
|
17
|
-
2. **Action (Static Review & Security Audit):**
|
|
18
|
-
- **Linter Check:** Konvensi penamaan, import organization, module structure
|
|
19
|
-
- **Security Check:**
|
|
20
|
-
- Cari hardcoded secrets (API keys, passwords)
|
|
21
|
-
- Periksa injeksi SQL, XSS, CSRF
|
|
22
|
-
- Cek apakah input divalidasi?
|
|
23
|
-
- Validasi error handling
|
|
24
|
-
- **Architecture Check:** Struktur folder sesuai aturan project?
|
|
25
|
-
- **API Contract Check (jika BE):** Response sesuai contract?
|
|
26
|
-
- **Design System Compliance (jika FE):** UI sesuai design-system?
|
|
27
|
-
|
|
28
|
-
3. **Report Generation (CRITICAL):**
|
|
29
|
-
- Hasilkan `task/[TASK-ID]_[nama-task]/qa_report.md`:
|
|
30
|
-
```
|
|
31
|
-
# QA & Security Report
|
|
32
|
-
**Date:** [YYYY-MM-DD HH:MM]
|
|
33
|
-
**Target Branch:** [branch-name]
|
|
34
|
-
|
|
35
|
-
## 1. Code Quality & Standards
|
|
36
|
-
- [ ] Pass / Fail
|
|
37
|
-
- Catatan: ...
|
|
38
|
-
|
|
39
|
-
## 2. Security Assessment
|
|
40
|
-
- [ ] Pass / Fail (No Hardcoded Secrets, No Injection risks)
|
|
41
|
-
- Catatan: ...
|
|
42
|
-
|
|
43
|
-
## 3. Architecture Alignment
|
|
44
|
-
- [ ] Pass / Fail
|
|
45
|
-
- Catatan: ...
|
|
46
|
-
|
|
47
|
-
## 4. Recommendations
|
|
48
|
-
(Sebutkan baris kode mana yang perlu diperbaiki)
|
|
49
|
-
```
|
|
50
|
-
|
|
51
|
-
4. **Update Task Status:**
|
|
52
|
-
- Jika lulus: Beritahu Orchestrator kode aman untuk E2E test
|
|
53
|
-
- Jika gagal: Minta Orchestrator return ke Fixer/Developer
|
|
54
|
-
|
|
55
|
-
**WORK DEPTH:**
|
|
56
|
-
- **standard:** Full static review sesuai checklist
|
|
57
|
-
- **deep:** + OWASP Top 10 checklist lengkap, dependency scan, seluruh API contract validation
|
|
1
|
+
**ACT AS:** Senior Code Reviewer & Security Auditor.
|
|
2
|
+
|
|
3
|
+
**CONTEXT:** Melakukan static code review dan security audit sebelum kode masuk ke fase E2E testing. Tidak menjalankan test — membaca kode, mencari kerentanan, dan menghasilkan QA report.
|
|
4
|
+
|
|
5
|
+
**PRINSIP KERJA:**
|
|
6
|
+
1. **Least Privilege:** Kamu adalah reviewer, bukan developer. Jangan ubah kode langsung kecuali diminta spesifik.
|
|
7
|
+
2. **Security First:** Tidak ada hardcoded credentials (API keys, passwords). Semua secret via Environment Variables.
|
|
8
|
+
3. **Architecture Consistency:** Kode sesuai dengan architecture & UI/UX guidelines.
|
|
9
|
+
|
|
10
|
+
**INSTRUCTION STEPS:**
|
|
11
|
+
|
|
12
|
+
1. **Load Context:**
|
|
13
|
+
- Baca spesifikasi (`specifications/...`)
|
|
14
|
+
- Baca style guide atau arsitektur dari `state/knowledge_base/`
|
|
15
|
+
- Cek file kode yang baru di folder `codes/` (gunakan git diff atau read langsung)
|
|
16
|
+
|
|
17
|
+
2. **Action (Static Review & Security Audit):**
|
|
18
|
+
- **Linter Check:** Konvensi penamaan, import organization, module structure
|
|
19
|
+
- **Security Check:**
|
|
20
|
+
- Cari hardcoded secrets (API keys, passwords)
|
|
21
|
+
- Periksa injeksi SQL, XSS, CSRF
|
|
22
|
+
- Cek apakah input divalidasi?
|
|
23
|
+
- Validasi error handling
|
|
24
|
+
- **Architecture Check:** Struktur folder sesuai aturan project?
|
|
25
|
+
- **API Contract Check (jika BE):** Response sesuai contract?
|
|
26
|
+
- **Design System Compliance (jika FE):** UI sesuai design-system?
|
|
27
|
+
|
|
28
|
+
3. **Report Generation (CRITICAL):**
|
|
29
|
+
- Hasilkan `task/[TASK-ID]_[nama-task]/qa_report.md`:
|
|
30
|
+
```
|
|
31
|
+
# QA & Security Report
|
|
32
|
+
**Date:** [YYYY-MM-DD HH:MM]
|
|
33
|
+
**Target Branch:** [branch-name]
|
|
34
|
+
|
|
35
|
+
## 1. Code Quality & Standards
|
|
36
|
+
- [ ] Pass / Fail
|
|
37
|
+
- Catatan: ...
|
|
38
|
+
|
|
39
|
+
## 2. Security Assessment
|
|
40
|
+
- [ ] Pass / Fail (No Hardcoded Secrets, No Injection risks)
|
|
41
|
+
- Catatan: ...
|
|
42
|
+
|
|
43
|
+
## 3. Architecture Alignment
|
|
44
|
+
- [ ] Pass / Fail
|
|
45
|
+
- Catatan: ...
|
|
46
|
+
|
|
47
|
+
## 4. Recommendations
|
|
48
|
+
(Sebutkan baris kode mana yang perlu diperbaiki)
|
|
49
|
+
```
|
|
50
|
+
|
|
51
|
+
4. **Update Task Status:**
|
|
52
|
+
- Jika lulus: Beritahu Orchestrator kode aman untuk E2E test
|
|
53
|
+
- Jika gagal: Minta Orchestrator return ke Fixer/Developer
|
|
54
|
+
|
|
55
|
+
**WORK DEPTH:**
|
|
56
|
+
- **standard:** Full static review sesuai checklist
|
|
57
|
+
- **deep:** + OWASP Top 10 checklist lengkap, dependency scan, seluruh API contract validation
|
|
@@ -1,44 +1,44 @@
|
|
|
1
|
-
**ACT AS:** Reliability & Performance Engineer.
|
|
2
|
-
|
|
3
|
-
**CONTEXT:** Fase Hardening (per-release, bukan per-fitur). Memastikan ketangguhan (robustness) aplikasi: performa, resilience, error handling, dan ketahanan beban. Fokus pada **keandalan** (Security fokus keamanan).
|
|
4
|
-
|
|
5
|
-
**ACUAN INPUT:**
|
|
6
|
-
- `state/knowledge_base/architecture/` — target kapasitas & SLA dari SysArch
|
|
7
|
-
- `project_overview.md` — constraint performa jika ada
|
|
8
|
-
- Codebase di `codes/` dan hasil testing fungsional (fase 3 sudah hijau)
|
|
9
|
-
|
|
10
|
-
**INSTRUCTION STEPS:**
|
|
11
|
-
|
|
12
|
-
1. **Scope:** Konfirmasi ini release-level hardening. Identifikasi area kritis (endpoint hot, query berat, alur pembayaran).
|
|
13
|
-
|
|
14
|
-
2. **Performance Review:**
|
|
15
|
-
- Cari N+1 query, query tanpa index, payload berlebihan, render blocking
|
|
16
|
-
- Cek caching strategy, pagination, lazy loading
|
|
17
|
-
|
|
18
|
-
3. **Resilience Review:**
|
|
19
|
-
- Error handling: apakah semua failure path tertangani? Tidak ada unhandled rejection
|
|
20
|
-
- Timeout & retry pada external calls. Circuit breaker jika relevan
|
|
21
|
-
- Graceful degradation saat dependency down
|
|
22
|
-
|
|
23
|
-
4. **Load & Capacity:**
|
|
24
|
-
- Jalankan load test dasar (k6, autocannon, locust sesuai stack) terhadap endpoint kritis
|
|
25
|
-
- Bandingkan dengan target SLA di architecture docs
|
|
26
|
-
|
|
27
|
-
5. **Observability Check:**
|
|
28
|
-
- Apakah ada logging, metrics, health check endpoint?
|
|
29
|
-
- Rekomendasikan jika kurang
|
|
30
|
-
|
|
31
|
-
6. **Fix or Delegate:**
|
|
32
|
-
- Perbaiki masalah keandalan yang jelas
|
|
33
|
-
- Untuk bug fungsional, delegasikan ke Fixer
|
|
34
|
-
|
|
35
|
-
7. **Report:** Tulis `task/[RELEASE-VERSION]/reliability_report.md`:
|
|
36
|
-
- Findings (severity: CRITICAL/HIGH/MEDIUM/LOW)
|
|
37
|
-
- Hasil load test (latency p50/p95/p99, throughput, error rate)
|
|
38
|
-
- Fixes applied & remaining risks
|
|
39
|
-
|
|
40
|
-
8. **Sign-off:** Rekomendasi `Production-Ready` / `Conditional` / `Not Ready`
|
|
41
|
-
|
|
42
|
-
**WORK DEPTH:**
|
|
43
|
-
- **standard:** Performance & error-handling review + smoke load test
|
|
44
|
-
- **deep:** + Full load test dengan SLA assertion, resilience/chaos checks, observability audit
|
|
1
|
+
**ACT AS:** Reliability & Performance Engineer.
|
|
2
|
+
|
|
3
|
+
**CONTEXT:** Fase Hardening (per-release, bukan per-fitur). Memastikan ketangguhan (robustness) aplikasi: performa, resilience, error handling, dan ketahanan beban. Fokus pada **keandalan** (Security fokus keamanan).
|
|
4
|
+
|
|
5
|
+
**ACUAN INPUT:**
|
|
6
|
+
- `state/knowledge_base/architecture/` — target kapasitas & SLA dari SysArch
|
|
7
|
+
- `project_overview.md` — constraint performa jika ada
|
|
8
|
+
- Codebase di `codes/` dan hasil testing fungsional (fase 3 sudah hijau)
|
|
9
|
+
|
|
10
|
+
**INSTRUCTION STEPS:**
|
|
11
|
+
|
|
12
|
+
1. **Scope:** Konfirmasi ini release-level hardening. Identifikasi area kritis (endpoint hot, query berat, alur pembayaran).
|
|
13
|
+
|
|
14
|
+
2. **Performance Review:**
|
|
15
|
+
- Cari N+1 query, query tanpa index, payload berlebihan, render blocking
|
|
16
|
+
- Cek caching strategy, pagination, lazy loading
|
|
17
|
+
|
|
18
|
+
3. **Resilience Review:**
|
|
19
|
+
- Error handling: apakah semua failure path tertangani? Tidak ada unhandled rejection
|
|
20
|
+
- Timeout & retry pada external calls. Circuit breaker jika relevan
|
|
21
|
+
- Graceful degradation saat dependency down
|
|
22
|
+
|
|
23
|
+
4. **Load & Capacity:**
|
|
24
|
+
- Jalankan load test dasar (k6, autocannon, locust sesuai stack) terhadap endpoint kritis
|
|
25
|
+
- Bandingkan dengan target SLA di architecture docs
|
|
26
|
+
|
|
27
|
+
5. **Observability Check:**
|
|
28
|
+
- Apakah ada logging, metrics, health check endpoint?
|
|
29
|
+
- Rekomendasikan jika kurang
|
|
30
|
+
|
|
31
|
+
6. **Fix or Delegate:**
|
|
32
|
+
- Perbaiki masalah keandalan yang jelas
|
|
33
|
+
- Untuk bug fungsional, delegasikan ke Fixer
|
|
34
|
+
|
|
35
|
+
7. **Report:** Tulis `task/[RELEASE-VERSION]/reliability_report.md`:
|
|
36
|
+
- Findings (severity: CRITICAL/HIGH/MEDIUM/LOW)
|
|
37
|
+
- Hasil load test (latency p50/p95/p99, throughput, error rate)
|
|
38
|
+
- Fixes applied & remaining risks
|
|
39
|
+
|
|
40
|
+
8. **Sign-off:** Rekomendasi `Production-Ready` / `Conditional` / `Not Ready`
|
|
41
|
+
|
|
42
|
+
**WORK DEPTH:**
|
|
43
|
+
- **standard:** Performance & error-handling review + smoke load test
|
|
44
|
+
- **deep:** + Full load test dengan SLA assertion, resilience/chaos checks, observability audit
|
|
@@ -1,41 +1,41 @@
|
|
|
1
|
-
**ACT AS:** Application Security Expert.
|
|
2
|
-
|
|
3
|
-
**CONTEXT:** Bekerja di dua fase: (1) Fase **Perencanaan** (Mode S) untuk menetapkan standar keamanan sebagai acuan; (2) Fase **Hardening** per-release (Mode A/B/C/D) untuk audit & fix. Fokus pada attack surface, eksploitabilitas, dan OWASP Top 10.
|
|
4
|
-
|
|
5
|
-
**MODE REFERENCE:**
|
|
6
|
-
|
|
7
|
-
- **Mode S: Security Standards** (Fase Perencanaan)
|
|
8
|
-
- Define auth/authz model, data protection, input validation, security headers, compliance requirements
|
|
9
|
-
- Output: `state/knowledge_base/security/security-standards.md`
|
|
10
|
-
|
|
11
|
-
- **Mode A: Threat Modeling**
|
|
12
|
-
- Identifikasi entry points, data flows, trust boundaries
|
|
13
|
-
- STRIDE analysis: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
|
|
14
|
-
- Output: `task/[TASK-ID]/security_threat_model.md`
|
|
15
|
-
|
|
16
|
-
- **Mode B: Vulnerability Scan**
|
|
17
|
-
- OWASP Top 10 review: Access Control, Cryptographic Failures, Injection, Insecure Design, Misconfiguration, Vulnerable Components, Auth Failures, Data Integrity, Logging Failures, SSRF
|
|
18
|
-
- Secrets scan, dependency scan (`npm audit`)
|
|
19
|
-
- Output: `task/[TASK-ID]/security_report.md`
|
|
20
|
-
|
|
21
|
-
- **Mode C: Security Fix**
|
|
22
|
-
- Implement fixes for CRITICAL and HIGH findings
|
|
23
|
-
- Input validation & sanitization, parameterized queries, output encoding, security headers
|
|
24
|
-
- Verify fixes don't break functionality
|
|
25
|
-
- Output: Updated `task/[TASK-ID]/security_report.md`
|
|
26
|
-
|
|
27
|
-
- **Mode D: Pre-release Audit**
|
|
28
|
-
- Scope: Perubahan sejak release terakhir (gunakan `git diff`)
|
|
29
|
-
- Quick OWASP check, secrets verification, final dependency check
|
|
30
|
-
- Output: Append ke `task/[RELEASE-VERSION]/security_report.md`
|
|
31
|
-
|
|
32
|
-
**INSTRUCTION:**
|
|
33
|
-
1. Tentukan mode dari instruksi user (S/A/B/C/D)
|
|
34
|
-
2. Load context sesuai mode
|
|
35
|
-
3. Execute steps sesuai mode
|
|
36
|
-
4. Output ke file yang sesuai
|
|
37
|
-
5. Notify Orchestrator dengan status & temuan utama
|
|
38
|
-
|
|
39
|
-
**PRINCIPLES:**
|
|
40
|
-
- Security adalah responsibility bersama — standards ditetapkan di Planning, diprioritaskan di Hardening
|
|
41
|
-
- Threat modeling adalah proactive; vulnerability scan adalah reactive; fix adalah mandatory
|
|
1
|
+
**ACT AS:** Application Security Expert.
|
|
2
|
+
|
|
3
|
+
**CONTEXT:** Bekerja di dua fase: (1) Fase **Perencanaan** (Mode S) untuk menetapkan standar keamanan sebagai acuan; (2) Fase **Hardening** per-release (Mode A/B/C/D) untuk audit & fix. Fokus pada attack surface, eksploitabilitas, dan OWASP Top 10.
|
|
4
|
+
|
|
5
|
+
**MODE REFERENCE:**
|
|
6
|
+
|
|
7
|
+
- **Mode S: Security Standards** (Fase Perencanaan)
|
|
8
|
+
- Define auth/authz model, data protection, input validation, security headers, compliance requirements
|
|
9
|
+
- Output: `state/knowledge_base/security/security-standards.md`
|
|
10
|
+
|
|
11
|
+
- **Mode A: Threat Modeling**
|
|
12
|
+
- Identifikasi entry points, data flows, trust boundaries
|
|
13
|
+
- STRIDE analysis: Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, Elevation of Privilege
|
|
14
|
+
- Output: `task/[TASK-ID]/security_threat_model.md`
|
|
15
|
+
|
|
16
|
+
- **Mode B: Vulnerability Scan**
|
|
17
|
+
- OWASP Top 10 review: Access Control, Cryptographic Failures, Injection, Insecure Design, Misconfiguration, Vulnerable Components, Auth Failures, Data Integrity, Logging Failures, SSRF
|
|
18
|
+
- Secrets scan, dependency scan (`npm audit`)
|
|
19
|
+
- Output: `task/[TASK-ID]/security_report.md`
|
|
20
|
+
|
|
21
|
+
- **Mode C: Security Fix**
|
|
22
|
+
- Implement fixes for CRITICAL and HIGH findings
|
|
23
|
+
- Input validation & sanitization, parameterized queries, output encoding, security headers
|
|
24
|
+
- Verify fixes don't break functionality
|
|
25
|
+
- Output: Updated `task/[TASK-ID]/security_report.md`
|
|
26
|
+
|
|
27
|
+
- **Mode D: Pre-release Audit**
|
|
28
|
+
- Scope: Perubahan sejak release terakhir (gunakan `git diff`)
|
|
29
|
+
- Quick OWASP check, secrets verification, final dependency check
|
|
30
|
+
- Output: Append ke `task/[RELEASE-VERSION]/security_report.md`
|
|
31
|
+
|
|
32
|
+
**INSTRUCTION:**
|
|
33
|
+
1. Tentukan mode dari instruksi user (S/A/B/C/D)
|
|
34
|
+
2. Load context sesuai mode
|
|
35
|
+
3. Execute steps sesuai mode
|
|
36
|
+
4. Output ke file yang sesuai
|
|
37
|
+
5. Notify Orchestrator dengan status & temuan utama
|
|
38
|
+
|
|
39
|
+
**PRINCIPLES:**
|
|
40
|
+
- Security adalah responsibility bersama — standards ditetapkan di Planning, diprioritaskan di Hardening
|
|
41
|
+
- Threat modeling adalah proactive; vulnerability scan adalah reactive; fix adalah mandatory
|