create-vasvibe 2.4.0 → 2.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (286) hide show
  1. package/README.md +170 -167
  2. package/bin/cli.mjs +9 -9
  3. package/package.json +45 -45
  4. package/src/git.mjs +47 -47
  5. package/src/index.mjs +228 -228
  6. package/src/prompts.mjs +113 -113
  7. package/src/scaffold.mjs +74 -74
  8. package/src/upgrade.mjs +121 -121
  9. package/src/utils.mjs +91 -91
  10. package/template/.agents/agents/analyst/agent.json +43 -43
  11. package/template/.agents/agents/backend/agent.json +44 -44
  12. package/template/.agents/agents/data-architect/agent.json +43 -43
  13. package/template/.agents/agents/devops/agent.json +44 -44
  14. package/template/.agents/agents/discovery/agent.json +43 -43
  15. package/template/.agents/agents/document/agent.json +43 -43
  16. package/template/.agents/agents/explorer/agent.json +43 -43
  17. package/template/.agents/agents/fixer/agent.json +44 -44
  18. package/template/.agents/agents/frontend/agent.json +44 -44
  19. package/template/.agents/agents/fullstack/agent.json +44 -44
  20. package/template/.agents/agents/initiator/agent.json +41 -41
  21. package/template/.agents/agents/logger/agent.json +43 -43
  22. package/template/.agents/agents/manual-tester/agent.json +44 -0
  23. package/template/.agents/agents/orchestrator/agent.json +44 -44
  24. package/template/.agents/agents/pm/agent.json +42 -42
  25. package/template/.agents/agents/qa/agent.json +44 -44
  26. package/template/.agents/agents/reliability/agent.json +44 -44
  27. package/template/.agents/agents/security/agent.json +44 -44
  28. package/template/.agents/agents/sysarch/agent.json +44 -44
  29. package/template/.agents/agents/tester/agent.json +44 -44
  30. package/template/.agents/agents/toolsmith/agent.json +44 -44
  31. package/template/.agents/agents/ux-designer/agent.json +43 -43
  32. package/template/.agents/skills/find-skills/SKILL.md +142 -142
  33. package/template/.agents/skills/fullstack/SKILL.md +89 -89
  34. package/template/.agents/skills/penetration-testing/SKILL.md +94 -94
  35. package/template/.agents/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
  36. package/template/.agents/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
  37. package/template/.agents/skills/penetration-testing/scripts/security-checklist.sh +30 -30
  38. package/template/.agents/skills/pm/SKILL.md +170 -170
  39. package/template/.agents/skills/ui-ux-pro-max/SKILL.md +658 -658
  40. package/template/.agents/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
  41. package/template/.agents/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
  42. package/template/.agents/skills/ui-ux-pro-max/data/design.csv +1775 -1775
  43. package/template/.agents/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
  44. package/template/.agents/skills/ui-ux-pro-max/data/icons.csv +105 -105
  45. package/template/.agents/skills/ui-ux-pro-max/data/products.csv +162 -162
  46. package/template/.agents/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
  47. package/template/.agents/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
  48. package/template/.agents/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
  49. package/template/.agents/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
  50. package/template/.agents/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
  51. package/template/.agents/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
  52. package/template/.agents/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
  53. package/template/.agents/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
  54. package/template/.agents/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
  55. package/template/.agents/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
  56. package/template/.agents/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
  57. package/template/.agents/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
  58. package/template/.agents/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
  59. package/template/.agents/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
  60. package/template/.agents/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
  61. package/template/.agents/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
  62. package/template/.agents/skills/ui-ux-pro-max/data/typography.csv +74 -74
  63. package/template/.agents/skills/ui-ux-pro-max/scripts/core.py +262 -262
  64. package/template/.agents/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
  65. package/template/.agents/workflows/build-feature.md +21 -21
  66. package/template/.agents/workflows/build-prototype.md +32 -32
  67. package/template/.agents/workflows/daily-standup.md +16 -16
  68. package/template/.agents/workflows/deliver-feature.md +16 -16
  69. package/template/.agents/workflows/explorer.md +78 -78
  70. package/template/.agents/workflows/harden-release.md +21 -21
  71. package/template/.agents/workflows/logger.md +117 -117
  72. package/template/.agents/workflows/plan-feature.md +30 -30
  73. package/template/.agents/workflows/plan-project.md +25 -25
  74. package/template/.agents/workflows/release.md +18 -18
  75. package/template/.agents/workflows/security-audit.md +19 -19
  76. package/template/.agents/workflows/setup-workspace.md +21 -21
  77. package/template/.agents/workflows/start-fix.md +18 -18
  78. package/template/.agents/workflows/test-feature.md +17 -17
  79. package/template/.claude/agents/analyst.md +109 -109
  80. package/template/.claude/agents/backend.md +61 -61
  81. package/template/.claude/agents/data-architect.md +43 -43
  82. package/template/.claude/agents/devops.md +44 -43
  83. package/template/.claude/agents/discovery.md +51 -51
  84. package/template/.claude/agents/document.md +51 -51
  85. package/template/.claude/agents/explorer.md +138 -138
  86. package/template/.claude/agents/fixer.md +87 -86
  87. package/template/.claude/agents/frontend.md +65 -65
  88. package/template/.claude/agents/fullstack.md +91 -90
  89. package/template/.claude/agents/initiator.md +74 -74
  90. package/template/.claude/agents/logger.md +143 -143
  91. package/template/.claude/agents/manual-tester.md +108 -0
  92. package/template/.claude/agents/orchestrator.md +138 -137
  93. package/template/.claude/agents/pm.md +199 -199
  94. package/template/.claude/agents/qa.md +66 -65
  95. package/template/.claude/agents/reliability.md +48 -47
  96. package/template/.claude/agents/security.md +107 -106
  97. package/template/.claude/agents/sysarch.md +301 -301
  98. package/template/.claude/agents/tester.md +100 -100
  99. package/template/.claude/agents/toolsmith.md +77 -76
  100. package/template/.claude/agents/ux-designer.md +45 -45
  101. package/template/.claude/commands/build-feature.md +22 -22
  102. package/template/.claude/commands/build-prototype.md +33 -33
  103. package/template/.claude/commands/daily-standup.md +16 -16
  104. package/template/.claude/commands/deliver-feature.md +17 -17
  105. package/template/.claude/commands/harden-release.md +22 -22
  106. package/template/.claude/commands/manual-test.md +19 -0
  107. package/template/.claude/commands/plan-feature.md +31 -31
  108. package/template/.claude/commands/plan-project.md +26 -26
  109. package/template/.claude/commands/release.md +19 -19
  110. package/template/.claude/commands/security-audit.md +20 -20
  111. package/template/.claude/commands/setup-workspace.md +22 -22
  112. package/template/.claude/commands/start-fix.md +19 -19
  113. package/template/.claude/commands/test-feature.md +18 -18
  114. package/template/.claude/skills/find-skills/SKILL.md +142 -142
  115. package/template/.claude/skills/penetration-testing/SKILL.md +94 -94
  116. package/template/.claude/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
  117. package/template/.claude/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
  118. package/template/.claude/skills/penetration-testing/scripts/security-checklist.sh +30 -30
  119. package/template/.claude/skills/ui-ux-pro-max/SKILL.md +658 -658
  120. package/template/.claude/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
  121. package/template/.claude/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
  122. package/template/.claude/skills/ui-ux-pro-max/data/design.csv +1775 -1775
  123. package/template/.claude/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
  124. package/template/.claude/skills/ui-ux-pro-max/data/icons.csv +105 -105
  125. package/template/.claude/skills/ui-ux-pro-max/data/products.csv +162 -162
  126. package/template/.claude/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
  127. package/template/.claude/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
  128. package/template/.claude/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
  129. package/template/.claude/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
  130. package/template/.claude/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
  131. package/template/.claude/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
  132. package/template/.claude/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
  133. package/template/.claude/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
  134. package/template/.claude/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
  135. package/template/.claude/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
  136. package/template/.claude/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
  137. package/template/.claude/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
  138. package/template/.claude/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
  139. package/template/.claude/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
  140. package/template/.claude/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
  141. package/template/.claude/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
  142. package/template/.claude/skills/ui-ux-pro-max/data/typography.csv +74 -74
  143. package/template/.claude/skills/ui-ux-pro-max/scripts/core.py +262 -262
  144. package/template/.claude/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
  145. package/template/.github/prompts/analyst.prompt.md +104 -104
  146. package/template/.github/prompts/backend.prompt.md +44 -44
  147. package/template/.github/prompts/data-architect.prompt.md +38 -38
  148. package/template/.github/prompts/devops.prompt.md +32 -32
  149. package/template/.github/prompts/discovery.prompt.md +39 -39
  150. package/template/.github/prompts/document.prompt.md +14 -14
  151. package/template/.github/prompts/explorer.prompt.md +133 -133
  152. package/template/.github/prompts/fixer.prompt.md +82 -81
  153. package/template/.github/prompts/frontend.prompt.md +60 -60
  154. package/template/.github/prompts/fullstack.prompt.md +86 -86
  155. package/template/.github/prompts/initiator.prompt.md +55 -55
  156. package/template/.github/prompts/logger.prompt.md +138 -138
  157. package/template/.github/prompts/manual-tester.prompt.md +103 -0
  158. package/template/.github/prompts/orchestrator.prompt.md +133 -133
  159. package/template/.github/prompts/pm.prompt.md +186 -186
  160. package/template/.github/prompts/qa.prompt.md +57 -57
  161. package/template/.github/prompts/reliability.prompt.md +44 -44
  162. package/template/.github/prompts/security.prompt.md +41 -41
  163. package/template/.github/prompts/sysarch.prompt.md +351 -351
  164. package/template/.github/prompts/tester.prompt.md +107 -107
  165. package/template/.github/prompts/toolsmith.prompt.md +46 -46
  166. package/template/.github/prompts/ux-designer.prompt.md +41 -41
  167. package/template/.opencode/agents/analyst.md +108 -108
  168. package/template/.opencode/agents/backend.md +61 -61
  169. package/template/.opencode/agents/data-architect.md +43 -43
  170. package/template/.opencode/agents/devops.md +44 -44
  171. package/template/.opencode/agents/discovery.md +51 -51
  172. package/template/.opencode/agents/document.md +51 -51
  173. package/template/.opencode/agents/explorer.md +137 -137
  174. package/template/.opencode/agents/fixer.md +86 -85
  175. package/template/.opencode/agents/frontend.md +64 -64
  176. package/template/.opencode/agents/fullstack.md +90 -89
  177. package/template/.opencode/agents/initiator.md +74 -74
  178. package/template/.opencode/agents/logger.md +142 -142
  179. package/template/.opencode/agents/manual-tester.md +107 -0
  180. package/template/.opencode/agents/orchestrator.md +137 -133
  181. package/template/.opencode/agents/pm.md +199 -199
  182. package/template/.opencode/agents/qa.md +66 -65
  183. package/template/.opencode/agents/reliability.md +48 -48
  184. package/template/.opencode/agents/security.md +107 -107
  185. package/template/.opencode/agents/sysarch.md +301 -301
  186. package/template/.opencode/agents/tester.md +100 -100
  187. package/template/.opencode/agents/toolsmith.md +77 -77
  188. package/template/.opencode/agents/ux-designer.md +45 -45
  189. package/template/.opencode/commands/build-feature.md +21 -21
  190. package/template/.opencode/commands/build-prototype.md +32 -32
  191. package/template/.opencode/commands/daily-standup.md +16 -16
  192. package/template/.opencode/commands/deliver-feature.md +16 -16
  193. package/template/.opencode/commands/harden-release.md +21 -21
  194. package/template/.opencode/commands/manual-test.md +18 -0
  195. package/template/.opencode/commands/plan-feature.md +30 -30
  196. package/template/.opencode/commands/plan-project.md +25 -25
  197. package/template/.opencode/commands/release.md +18 -18
  198. package/template/.opencode/commands/security-audit.md +19 -19
  199. package/template/.opencode/commands/setup-workspace.md +21 -21
  200. package/template/.opencode/commands/start-fix.md +18 -18
  201. package/template/.opencode/commands/test-feature.md +17 -17
  202. package/template/.opencode/skills/penetration-testing/SKILL.md +94 -94
  203. package/template/.opencode/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
  204. package/template/.opencode/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
  205. package/template/.opencode/skills/penetration-testing/scripts/security-checklist.sh +30 -30
  206. package/template/.opencode/skills/ui-ux-pro-max/SKILL.md +658 -658
  207. package/template/.opencode/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
  208. package/template/.opencode/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
  209. package/template/.opencode/skills/ui-ux-pro-max/data/design.csv +1775 -1775
  210. package/template/.opencode/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
  211. package/template/.opencode/skills/ui-ux-pro-max/data/icons.csv +105 -105
  212. package/template/.opencode/skills/ui-ux-pro-max/data/products.csv +162 -162
  213. package/template/.opencode/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
  214. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
  215. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
  216. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
  217. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
  218. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
  219. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
  220. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
  221. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
  222. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
  223. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
  224. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
  225. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
  226. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
  227. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
  228. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
  229. package/template/.opencode/skills/ui-ux-pro-max/data/typography.csv +74 -74
  230. package/template/.opencode/skills/ui-ux-pro-max/scripts/core.py +262 -262
  231. package/template/.opencode/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
  232. package/template/AGENT_PERSONAS.md +595 -551
  233. package/template/GIT_STRUCTURE_GUIDE.md +270 -270
  234. package/template/PROJECT_README.example.md +81 -81
  235. package/template/QUICK-START.md +134 -131
  236. package/template/README.md +1942 -1919
  237. package/template/_gitignore +138 -138
  238. package/template/agent/workflows/_shared/change-management.md +70 -70
  239. package/template/agent/workflows/_shared/git-branch-management.md +25 -25
  240. package/template/agent/workflows/_shared/phases.md +88 -88
  241. package/template/agent/workflows/_shared/state-management.md +87 -87
  242. package/template/agent/workflows/_shared/work-depth.md +46 -46
  243. package/template/agent/workflows/analyst.md +104 -104
  244. package/template/agent/workflows/backend.md +61 -61
  245. package/template/agent/workflows/data-architect.md +43 -43
  246. package/template/agent/workflows/devops.md +44 -44
  247. package/template/agent/workflows/discovery.md +51 -51
  248. package/template/agent/workflows/document.md +51 -51
  249. package/template/agent/workflows/explorer.md +133 -133
  250. package/template/agent/workflows/fixer.md +82 -81
  251. package/template/agent/workflows/frontend.md +60 -60
  252. package/template/agent/workflows/fullstack.md +86 -86
  253. package/template/agent/workflows/initiator.md +74 -74
  254. package/template/agent/workflows/logger.md +138 -138
  255. package/template/agent/workflows/manual-tester.md +103 -0
  256. package/template/agent/workflows/orchestrator.md +133 -133
  257. package/template/agent/workflows/pm.md +199 -199
  258. package/template/agent/workflows/qa.md +66 -66
  259. package/template/agent/workflows/reliability.md +48 -48
  260. package/template/agent/workflows/security.md +107 -107
  261. package/template/agent/workflows/sysarch.md +301 -301
  262. package/template/agent/workflows/tester.md +100 -100
  263. package/template/agent/workflows/toolsmith.md +77 -77
  264. package/template/agent/workflows/ux-designer.md +45 -45
  265. package/template/codes/.gitkeep +1 -1
  266. package/template/project_overview_example.md +54 -54
  267. package/template/schemas/adr.template.md +36 -36
  268. package/template/schemas/changelog.template.md +34 -34
  269. package/template/schemas/data-model.template.md +57 -57
  270. package/template/schemas/design-system.template.md +63 -63
  271. package/template/schemas/dev_log.template.md +20 -20
  272. package/template/schemas/product-ci.template.yml +50 -50
  273. package/template/schemas/requirements.template.md +64 -64
  274. package/template/schemas/security-standards.template.md +58 -58
  275. package/template/schemas/security_report.template.md +89 -89
  276. package/template/schemas/specification.template.md +71 -71
  277. package/template/schemas/style_guide.template.md +29 -29
  278. package/template/schemas/task_list.template.md +28 -28
  279. package/template/schemas/workspace-manifest.template.json +24 -24
  280. package/template/schemas/workspace-registry.json +95 -95
  281. package/template/skills-lock.json +11 -11
  282. package/template/specifications/.gitkeep +3 -3
  283. package/template/state/knowledge_base/.gitkeep +1 -1
  284. package/template/state/knowledge_base/requirements/.gitkeep +1 -1
  285. package/template/tests/.gitkeep +1 -1
  286. package/template/.claude/settings.local.json +0 -44
@@ -1,58 +1,58 @@
1
- # SECURITY STANDARDS — [Project Name]
2
-
3
- **Owner Agent:** Security Expert (Mode Standards)
4
- **Date:** [YYYY-MM-DD HH:MM]
5
- **Phase:** Planning
6
- **Status:** `Draft` / `Approved`
7
-
8
- > Acuan standar keamanan proyek yang ditetapkan di awal. Semua engineer WAJIB mengikuti. Diverifikasi ulang oleh Security di fase Hardening. Perubahan lewat `_shared/change-management.md`.
9
-
10
- ---
11
-
12
- ## 1. Authentication & Authorization
13
-
14
- - **Auth mechanism:** [JWT / session / OAuth2 — pilih dan jelaskan]
15
- - **Password policy:** [hashing algo (bcrypt/argon2), min length, complexity]
16
- - **Token expiry:** [access token TTL, refresh token strategy]
17
- - **Authorization model:** [RBAC / ABAC — daftar role dan permission]
18
-
19
- ## 2. Data Protection
20
-
21
- - **Encryption in transit:** TLS 1.2+ wajib
22
- - **Encryption at rest:** [field/tabel yang dienkripsi]
23
- - **PII handling:** [masking, minimization]
24
- - **Secrets management:** semua via env var, JANGAN hardcode; daftarkan di `.env.example`
25
-
26
- ## 3. Input Validation & Output Encoding
27
-
28
- - Validasi semua input di server-side
29
- - Parameterized queries (anti SQL injection)
30
- - Output encoding (anti XSS)
31
-
32
- ## 4. Security Headers & Config
33
-
34
- - CSP, HSTS, X-Frame-Options, X-Content-Type-Options
35
- - CORS policy: [origin yang diizinkan]
36
- - Rate limiting: [batas per endpoint sensitif]
37
-
38
- ## 5. Compliance Requirements
39
-
40
- - [GDPR / UU PDP / PCI-DSS — jika relevan]
41
-
42
- ## 6. Threat Model Summary
43
-
44
- [Threat utama yang diantisipasi sejak desain — referensi ke STRIDE jika sudah ada threat model.]
45
-
46
- ## 7. Security Acceptance Criteria
47
-
48
- Checklist yang harus lulus sebelum release (diverifikasi Security di Hardening):
49
- - [ ] Tidak ada hardcoded secret
50
- - [ ] Semua endpoint ter-proteksi authz
51
- - [ ] Dependency bebas CVE critical/high
52
- - [ ] OWASP Top 10 ter-review
53
-
54
- ## Revision History
55
-
56
- | Timestamp | Agen | Perubahan |
57
- |-----------|------|-----------|
58
- | [YYYY-MM-DD HH:MM] | Security | Initial security standards |
1
+ # SECURITY STANDARDS — [Project Name]
2
+
3
+ **Owner Agent:** Security Expert (Mode Standards)
4
+ **Date:** [YYYY-MM-DD HH:MM]
5
+ **Phase:** Planning
6
+ **Status:** `Draft` / `Approved`
7
+
8
+ > Acuan standar keamanan proyek yang ditetapkan di awal. Semua engineer WAJIB mengikuti. Diverifikasi ulang oleh Security di fase Hardening. Perubahan lewat `_shared/change-management.md`.
9
+
10
+ ---
11
+
12
+ ## 1. Authentication & Authorization
13
+
14
+ - **Auth mechanism:** [JWT / session / OAuth2 — pilih dan jelaskan]
15
+ - **Password policy:** [hashing algo (bcrypt/argon2), min length, complexity]
16
+ - **Token expiry:** [access token TTL, refresh token strategy]
17
+ - **Authorization model:** [RBAC / ABAC — daftar role dan permission]
18
+
19
+ ## 2. Data Protection
20
+
21
+ - **Encryption in transit:** TLS 1.2+ wajib
22
+ - **Encryption at rest:** [field/tabel yang dienkripsi]
23
+ - **PII handling:** [masking, minimization]
24
+ - **Secrets management:** semua via env var, JANGAN hardcode; daftarkan di `.env.example`
25
+
26
+ ## 3. Input Validation & Output Encoding
27
+
28
+ - Validasi semua input di server-side
29
+ - Parameterized queries (anti SQL injection)
30
+ - Output encoding (anti XSS)
31
+
32
+ ## 4. Security Headers & Config
33
+
34
+ - CSP, HSTS, X-Frame-Options, X-Content-Type-Options
35
+ - CORS policy: [origin yang diizinkan]
36
+ - Rate limiting: [batas per endpoint sensitif]
37
+
38
+ ## 5. Compliance Requirements
39
+
40
+ - [GDPR / UU PDP / PCI-DSS — jika relevan]
41
+
42
+ ## 6. Threat Model Summary
43
+
44
+ [Threat utama yang diantisipasi sejak desain — referensi ke STRIDE jika sudah ada threat model.]
45
+
46
+ ## 7. Security Acceptance Criteria
47
+
48
+ Checklist yang harus lulus sebelum release (diverifikasi Security di Hardening):
49
+ - [ ] Tidak ada hardcoded secret
50
+ - [ ] Semua endpoint ter-proteksi authz
51
+ - [ ] Dependency bebas CVE critical/high
52
+ - [ ] OWASP Top 10 ter-review
53
+
54
+ ## Revision History
55
+
56
+ | Timestamp | Agen | Perubahan |
57
+ |-----------|------|-----------|
58
+ | [YYYY-MM-DD HH:MM] | Security | Initial security standards |
@@ -1,89 +1,89 @@
1
- # SECURITY REPORT - [TASK-ID / SCOPE]
2
-
3
- **Date:** [YYYY-MM-DD HH:MM]
4
- **Agent:** Security Expert Agent
5
- **Scope:** [Deskripsi scope yang diaudit — misal: "Fitur Login & Auth", "Seluruh codebase", "v1.2.0 release"]
6
- **Mode:** [A: Threat Model / B: Vulnerability Scan / C: Security Fix / D: Pre-release Audit]
7
-
8
- ---
9
-
10
- ## Executive Summary
11
-
12
- [Ringkasan singkat — apa yang diaudit, berapa temuan, dan rekomendasi utama.]
13
-
14
- **Overall Risk Level:** `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `CLEAR`
15
-
16
- ---
17
-
18
- ## Findings
19
-
20
- ### CRITICAL
21
- | # | Vulnerability | Location | Description | Recommendation |
22
- |---|---------------|----------|-------------|----------------|
23
- | 1 | | | | |
24
-
25
- ### HIGH
26
- | # | Vulnerability | Location | Description | Recommendation |
27
- |---|---------------|----------|-------------|----------------|
28
- | 1 | | | | |
29
-
30
- ### MEDIUM
31
- | # | Vulnerability | Location | Description | Recommendation |
32
- |---|---------------|----------|-------------|----------------|
33
- | 1 | | | | |
34
-
35
- ### LOW / INFO
36
- | # | Vulnerability | Location | Description | Recommendation |
37
- |---|---------------|----------|-------------|----------------|
38
- | 1 | | | | |
39
-
40
- ---
41
-
42
- ## OWASP Top 10 Checklist
43
-
44
- - [ ] A01: Broken Access Control
45
- - [ ] A02: Cryptographic Failures
46
- - [ ] A03: Injection (SQL, XSS, Command)
47
- - [ ] A04: Insecure Design
48
- - [ ] A05: Security Misconfiguration
49
- - [ ] A06: Vulnerable & Outdated Components
50
- - [ ] A07: Authentication & Session Failures
51
- - [ ] A08: Software & Data Integrity Failures
52
- - [ ] A09: Security Logging & Monitoring Failures
53
- - [ ] A10: Server-Side Request Forgery (SSRF)
54
-
55
- ---
56
-
57
- ## Dependency Scan Results
58
-
59
- ```
60
- [Output dari npm audit / pip audit / bundle audit]
61
- ```
62
-
63
- **Vulnerable packages found:** [X critical, Y high, Z moderate]
64
-
65
- ---
66
-
67
- ## Secrets Scan Results
68
-
69
- - [ ] No hardcoded credentials found
70
- - [ ] No API keys in source code
71
- - [ ] `.env.example` does not contain real values
72
- - [ ] `.gitignore` covers all `.env` variants
73
-
74
- ---
75
-
76
- ## Fixes Applied
77
-
78
- | # | Vulnerability | Fix Description | Files Changed | Timestamp |
79
- |---|---------------|-----------------|---------------|-----------|
80
- | 1 | | | | |
81
-
82
- ---
83
-
84
- ## Sign-off
85
-
86
- - **Status:** `Pending Fix` / `All Clear` / `Conditional Approval`
87
- - **Remaining Issues:** [Daftar temuan yang belum di-fix dan alasannya — misal: "MEDIUM-1: accepted risk, ditangani di sprint berikutnya"]
88
- - **Next Action:** [Fix CRITICAL-1 sebelum deploy / Ready for release / dll]
89
- - **Reviewed By:** [Security Agent + Human approval jika sudah di-review]
1
+ # SECURITY REPORT - [TASK-ID / SCOPE]
2
+
3
+ **Date:** [YYYY-MM-DD HH:MM]
4
+ **Agent:** Security Expert Agent
5
+ **Scope:** [Deskripsi scope yang diaudit — misal: "Fitur Login & Auth", "Seluruh codebase", "v1.2.0 release"]
6
+ **Mode:** [A: Threat Model / B: Vulnerability Scan / C: Security Fix / D: Pre-release Audit]
7
+
8
+ ---
9
+
10
+ ## Executive Summary
11
+
12
+ [Ringkasan singkat — apa yang diaudit, berapa temuan, dan rekomendasi utama.]
13
+
14
+ **Overall Risk Level:** `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `CLEAR`
15
+
16
+ ---
17
+
18
+ ## Findings
19
+
20
+ ### CRITICAL
21
+ | # | Vulnerability | Location | Description | Recommendation |
22
+ |---|---------------|----------|-------------|----------------|
23
+ | 1 | | | | |
24
+
25
+ ### HIGH
26
+ | # | Vulnerability | Location | Description | Recommendation |
27
+ |---|---------------|----------|-------------|----------------|
28
+ | 1 | | | | |
29
+
30
+ ### MEDIUM
31
+ | # | Vulnerability | Location | Description | Recommendation |
32
+ |---|---------------|----------|-------------|----------------|
33
+ | 1 | | | | |
34
+
35
+ ### LOW / INFO
36
+ | # | Vulnerability | Location | Description | Recommendation |
37
+ |---|---------------|----------|-------------|----------------|
38
+ | 1 | | | | |
39
+
40
+ ---
41
+
42
+ ## OWASP Top 10 Checklist
43
+
44
+ - [ ] A01: Broken Access Control
45
+ - [ ] A02: Cryptographic Failures
46
+ - [ ] A03: Injection (SQL, XSS, Command)
47
+ - [ ] A04: Insecure Design
48
+ - [ ] A05: Security Misconfiguration
49
+ - [ ] A06: Vulnerable & Outdated Components
50
+ - [ ] A07: Authentication & Session Failures
51
+ - [ ] A08: Software & Data Integrity Failures
52
+ - [ ] A09: Security Logging & Monitoring Failures
53
+ - [ ] A10: Server-Side Request Forgery (SSRF)
54
+
55
+ ---
56
+
57
+ ## Dependency Scan Results
58
+
59
+ ```
60
+ [Output dari npm audit / pip audit / bundle audit]
61
+ ```
62
+
63
+ **Vulnerable packages found:** [X critical, Y high, Z moderate]
64
+
65
+ ---
66
+
67
+ ## Secrets Scan Results
68
+
69
+ - [ ] No hardcoded credentials found
70
+ - [ ] No API keys in source code
71
+ - [ ] `.env.example` does not contain real values
72
+ - [ ] `.gitignore` covers all `.env` variants
73
+
74
+ ---
75
+
76
+ ## Fixes Applied
77
+
78
+ | # | Vulnerability | Fix Description | Files Changed | Timestamp |
79
+ |---|---------------|-----------------|---------------|-----------|
80
+ | 1 | | | | |
81
+
82
+ ---
83
+
84
+ ## Sign-off
85
+
86
+ - **Status:** `Pending Fix` / `All Clear` / `Conditional Approval`
87
+ - **Remaining Issues:** [Daftar temuan yang belum di-fix dan alasannya — misal: "MEDIUM-1: accepted risk, ditangani di sprint berikutnya"]
88
+ - **Next Action:** [Fix CRITICAL-1 sebelum deploy / Ready for release / dll]
89
+ - **Reviewed By:** [Security Agent + Human approval jika sudah di-review]
@@ -1,71 +1,71 @@
1
- # SPEC-XXX: [Feature Name]
2
-
3
- ## Metadata
4
- - **Author:** Analyst Agent
5
- - **Created:** [YYYY-MM-DD]
6
- - **Status:** draft | review | approved
7
- - **Depends on:** SPEC-YYY
8
-
9
- ## User Story
10
- Sebagai [role konkret], saya ingin [action], sehingga [benefit].
11
-
12
- ## Non-Goals / Out of Scope
13
- Daftar eksplisit apa yang TIDAK dikerjakan fitur ini (pagar ruang lingkup untuk developer).
14
- - ...
15
-
16
- ## Technical Flow
17
- 1. [Langkah 1 — satu aktor + satu aksi, contoh: User submit form login]
18
- 2. [Langkah 2 — contoh: Backend validasi credentials]
19
- 3. [Langkah 3 — contoh: Return JWT token]
20
-
21
- ## Acceptance Criteria
22
- Format Given/When/Then, tiap kriteria binary (lulus/gagal). Wajib mencakup happy path & failure path.
23
- - [ ] **Given** ... **When** ... **Then** ...
24
- - [ ] **Given** ... **When** ... **Then** ...
25
-
26
- ## API Contract
27
- ### [METHOD] /api/v1/endpoint
28
- - **Auth:** [public | Bearer JWT | ...]
29
- - **Success status:** [200 | 201 | ...]
30
-
31
- **Request** — setiap field: `nama` (casing sesuai konvensi project) · tipe · required? · constraint
32
- | Field | Type | Required | Constraint |
33
- |-------|------|----------|------------|
34
- | ... | ... | ... | ... |
35
-
36
- ```json
37
- { "contoh": "nilai nyata, bukan kosong" }
38
- ```
39
- **Response (Success):**
40
- ```json
41
- { "contoh": "nilai nyata" }
42
- ```
43
- **Response (Error)** — enumerasi setiap kondisi (HTTP status + kode error):
44
- | HTTP | Error Code | Kapan terjadi |
45
- |------|-----------|---------------|
46
- | 400 | VALIDATION_ERROR | ... |
47
- | 401 | ... | ... |
48
-
49
- ## Database Changes
50
- Tabel/kolom/index baru — nama, tipe, nullability, default (harus cocok dengan `state/knowledge_base/data-model/`) — atau tulis "None".
51
-
52
- ## UI/UX
53
- Rujuk komponen dari `state/knowledge_base/design-system/` dengan nama persis; sertakan state kosong/loading/error — atau tulis "None".
54
-
55
- ## Edge Cases & Validation
56
- Aturan validasi per field (batas, format, required/optional) + pesan/kode error persis.
57
- - [ ] ...
58
-
59
- ---
60
-
61
- ## Human Approval
62
-
63
- **Human Approval Status:** pending | approved | revision_requested
64
-
65
- **Human Feedback:**
66
- > (Kosongkan jika belum ada feedback. Analyst Agent akan mengisi berdasarkan masukan reviewer.)
67
-
68
- ## Revision History
69
- | Date | Author | Changes |
70
- |------|--------|---------|
71
- | [YYYY-MM-DD] | Analyst Agent | Initial draft |
1
+ # SPEC-XXX: [Feature Name]
2
+
3
+ ## Metadata
4
+ - **Author:** Analyst Agent
5
+ - **Created:** [YYYY-MM-DD]
6
+ - **Status:** draft | review | approved
7
+ - **Depends on:** SPEC-YYY
8
+
9
+ ## User Story
10
+ Sebagai [role konkret], saya ingin [action], sehingga [benefit].
11
+
12
+ ## Non-Goals / Out of Scope
13
+ Daftar eksplisit apa yang TIDAK dikerjakan fitur ini (pagar ruang lingkup untuk developer).
14
+ - ...
15
+
16
+ ## Technical Flow
17
+ 1. [Langkah 1 — satu aktor + satu aksi, contoh: User submit form login]
18
+ 2. [Langkah 2 — contoh: Backend validasi credentials]
19
+ 3. [Langkah 3 — contoh: Return JWT token]
20
+
21
+ ## Acceptance Criteria
22
+ Format Given/When/Then, tiap kriteria binary (lulus/gagal). Wajib mencakup happy path & failure path.
23
+ - [ ] **Given** ... **When** ... **Then** ...
24
+ - [ ] **Given** ... **When** ... **Then** ...
25
+
26
+ ## API Contract
27
+ ### [METHOD] /api/v1/endpoint
28
+ - **Auth:** [public | Bearer JWT | ...]
29
+ - **Success status:** [200 | 201 | ...]
30
+
31
+ **Request** — setiap field: `nama` (casing sesuai konvensi project) · tipe · required? · constraint
32
+ | Field | Type | Required | Constraint |
33
+ |-------|------|----------|------------|
34
+ | ... | ... | ... | ... |
35
+
36
+ ```json
37
+ { "contoh": "nilai nyata, bukan kosong" }
38
+ ```
39
+ **Response (Success):**
40
+ ```json
41
+ { "contoh": "nilai nyata" }
42
+ ```
43
+ **Response (Error)** — enumerasi setiap kondisi (HTTP status + kode error):
44
+ | HTTP | Error Code | Kapan terjadi |
45
+ |------|-----------|---------------|
46
+ | 400 | VALIDATION_ERROR | ... |
47
+ | 401 | ... | ... |
48
+
49
+ ## Database Changes
50
+ Tabel/kolom/index baru — nama, tipe, nullability, default (harus cocok dengan `state/knowledge_base/data-model/`) — atau tulis "None".
51
+
52
+ ## UI/UX
53
+ Rujuk komponen dari `state/knowledge_base/design-system/` dengan nama persis; sertakan state kosong/loading/error — atau tulis "None".
54
+
55
+ ## Edge Cases & Validation
56
+ Aturan validasi per field (batas, format, required/optional) + pesan/kode error persis.
57
+ - [ ] ...
58
+
59
+ ---
60
+
61
+ ## Human Approval
62
+
63
+ **Human Approval Status:** pending | approved | revision_requested
64
+
65
+ **Human Feedback:**
66
+ > (Kosongkan jika belum ada feedback. Analyst Agent akan mengisi berdasarkan masukan reviewer.)
67
+
68
+ ## Revision History
69
+ | Date | Author | Changes |
70
+ |------|--------|---------|
71
+ | [YYYY-MM-DD] | Analyst Agent | Initial draft |
@@ -1,29 +1,29 @@
1
- # Project Style Guide & Architecture Constraints
2
-
3
- ## 1. Naming Conventions
4
- - **Files/Folders:** `kebab-case` (misal: `user-profile.tsx`, `auth-service.ts`)
5
- - **Variables/Functions:** `camelCase` (misal: `getUserProfile()`)
6
- - **Classes/Interfaces:** `PascalCase` (misal: `class UserProfile`, `interface AuthConfig`)
7
- - **Constants/Enums:** `UPPER_SNAKE_CASE` (misal: `MAX_RETRY_COUNT = 3`)
8
-
9
- ## 2. Directory Structure (`codes/`)
10
- - `src/components/` → UI Components (Dumb/Presentational)
11
- - `src/pages/` atau `app/` → Route-level components
12
- - `src/services/` → API calls, logic database, atau external services
13
- - `src/utils/` → Helper functions murni
14
- - `src/types/` → Type definitions (TypeScript)
15
-
16
- ## 3. Security Guidelines
17
- - **TIDAK BOLEH** hardcode API Keys, secrets, tokens, atau password ke dalam source code.
18
- - Selalu gunakan `process.env.VARIABLE_NAME` (Node/Next) atau setara, dan catat keys yang dibutuhkan di `.env.example`.
19
- - Selalu validasi input user baik di client maupun di server (defense in depth).
20
-
21
- ## 4. Code Quality & Formatting
22
- - **Linter:** Wajib lulus ESLint / Prettier.
23
- - **Max File Length:** Usahakan di bawah 300 baris. Jika lebih, pecah menjadi modul kecil.
24
- - **DRY (Don't Repeat Yourself):** Jika ada logika yang digunakan 3 kali atau lebih, ekstraksi menjadi function/util/hook.
25
-
26
- ## 5. Error Handling
27
- - Hindari `console.log` di production code. Gunakan logger library.
28
- - Jangan gunakan `try-catch` kosong. Selalu handle atau re-throw error.
29
- - Tampilkan error message yang ramah ke user (UI), tapi log error aslinya (Technical).
1
+ # Project Style Guide & Architecture Constraints
2
+
3
+ ## 1. Naming Conventions
4
+ - **Files/Folders:** `kebab-case` (misal: `user-profile.tsx`, `auth-service.ts`)
5
+ - **Variables/Functions:** `camelCase` (misal: `getUserProfile()`)
6
+ - **Classes/Interfaces:** `PascalCase` (misal: `class UserProfile`, `interface AuthConfig`)
7
+ - **Constants/Enums:** `UPPER_SNAKE_CASE` (misal: `MAX_RETRY_COUNT = 3`)
8
+
9
+ ## 2. Directory Structure (`codes/`)
10
+ - `src/components/` → UI Components (Dumb/Presentational)
11
+ - `src/pages/` atau `app/` → Route-level components
12
+ - `src/services/` → API calls, logic database, atau external services
13
+ - `src/utils/` → Helper functions murni
14
+ - `src/types/` → Type definitions (TypeScript)
15
+
16
+ ## 3. Security Guidelines
17
+ - **TIDAK BOLEH** hardcode API Keys, secrets, tokens, atau password ke dalam source code.
18
+ - Selalu gunakan `process.env.VARIABLE_NAME` (Node/Next) atau setara, dan catat keys yang dibutuhkan di `.env.example`.
19
+ - Selalu validasi input user baik di client maupun di server (defense in depth).
20
+
21
+ ## 4. Code Quality & Formatting
22
+ - **Linter:** Wajib lulus ESLint / Prettier.
23
+ - **Max File Length:** Usahakan di bawah 300 baris. Jika lebih, pecah menjadi modul kecil.
24
+ - **DRY (Don't Repeat Yourself):** Jika ada logika yang digunakan 3 kali atau lebih, ekstraksi menjadi function/util/hook.
25
+
26
+ ## 5. Error Handling
27
+ - Hindari `console.log` di production code. Gunakan logger library.
28
+ - Jangan gunakan `try-catch` kosong. Selalu handle atau re-throw error.
29
+ - Tampilkan error message yang ramah ke user (UI), tapi log error aslinya (Technical).
@@ -1,28 +1,28 @@
1
- # Task List — [Project Name]
2
-
3
- ## Summary
4
- | Metric | Count |
5
- |--------|-------|
6
- | Total Tasks | 0 |
7
- | Completed | 0 |
8
- | In Progress | 0 |
9
- | Blocked | 0 |
10
-
11
- ## Status Legend
12
- | Status | Meaning |
13
- |--------|---------|
14
- | `not_started` | Belum dikerjakan |
15
- | `development` | Sedang dikembangkan oleh Developer |
16
- | `ready_to_test` | Development selesai, siap test |
17
- | `testing` | Sedang ditest oleh Tester |
18
- | `fixing` | Ada bug, sedang diperbaiki Fixer |
19
- | `done` | Passed testing |
20
- | `human_validated` | Divalidasi oleh human |
21
-
22
- ## Tasks
23
-
24
- - Task XXX: [Task Name]
25
- - Spesifikasi: [spec] ../specifications/XXX_spec_*.md
26
- - Current Status: not_started
27
- - Status Logs:
28
- - Task Created: [YYYY-MM-DD HH:MM] (PM Agent)
1
+ # Task List — [Project Name]
2
+
3
+ ## Summary
4
+ | Metric | Count |
5
+ |--------|-------|
6
+ | Total Tasks | 0 |
7
+ | Completed | 0 |
8
+ | In Progress | 0 |
9
+ | Blocked | 0 |
10
+
11
+ ## Status Legend
12
+ | Status | Meaning |
13
+ |--------|---------|
14
+ | `not_started` | Belum dikerjakan |
15
+ | `development` | Sedang dikembangkan oleh Developer |
16
+ | `ready_to_test` | Development selesai, siap test |
17
+ | `testing` | Sedang ditest oleh Tester |
18
+ | `fixing` | Ada bug, sedang diperbaiki Fixer |
19
+ | `done` | Passed testing |
20
+ | `human_validated` | Divalidasi oleh human |
21
+
22
+ ## Tasks
23
+
24
+ - Task XXX: [Task Name]
25
+ - Spesifikasi: [spec] ../specifications/XXX_spec_*.md
26
+ - Current Status: not_started
27
+ - Status Logs:
28
+ - Task Created: [YYYY-MM-DD HH:MM] (PM Agent)
@@ -1,24 +1,24 @@
1
- {
2
- "_comment": "DESIRED-STATE manifest written by the Toolsmith agent to state/workspace-manifest.json. Platform-agnostic: lists WHAT skills + MCP the project wants. Re-applying to a new tool (tool-switch) reads this same file and realizes it in the new tool's config format. This is the source of truth; per-tool config files are derived artifacts.",
3
- "version": 1,
4
- "project": "<project name>",
5
- "decidedFrom": ["project_overview.md tech stack", "requirements.md", "find-skills"],
6
- "skills": [
7
- { "id": "find-skills", "reason": "discover further skills on demand" },
8
- { "id": "ui-ux-pro-max", "reason": "UI-heavy frontend (example)" }
9
- ],
10
- "mcp": [
11
- { "id": "filesystem", "reason": "ground agent in workspace" },
12
- { "id": "git", "reason": "code-aware context" }
13
- ],
14
- "appliedTo": {
15
- "_comment": "ISO timestamp of last successful apply per platform, or null if never applied. Toolsmith updates this after each apply.",
16
- "claude-code": null,
17
- "opencode": null,
18
- "antigravity": null,
19
- "github-copilot": null
20
- },
21
- "revisionHistory": [
22
- { "timestamp": "<YYYY-MM-DD HH:MM>", "agent": "toolsmith", "change": "initial provisioning" }
23
- ]
24
- }
1
+ {
2
+ "_comment": "DESIRED-STATE manifest written by the Toolsmith agent to state/workspace-manifest.json. Platform-agnostic: lists WHAT skills + MCP the project wants. Re-applying to a new tool (tool-switch) reads this same file and realizes it in the new tool's config format. This is the source of truth; per-tool config files are derived artifacts.",
3
+ "version": 1,
4
+ "project": "<project name>",
5
+ "decidedFrom": ["project_overview.md tech stack", "requirements.md", "find-skills"],
6
+ "skills": [
7
+ { "id": "find-skills", "reason": "discover further skills on demand" },
8
+ { "id": "ui-ux-pro-max", "reason": "UI-heavy frontend (example)" }
9
+ ],
10
+ "mcp": [
11
+ { "id": "filesystem", "reason": "ground agent in workspace" },
12
+ { "id": "git", "reason": "code-aware context" }
13
+ ],
14
+ "appliedTo": {
15
+ "_comment": "ISO timestamp of last successful apply per platform, or null if never applied. Toolsmith updates this after each apply.",
16
+ "claude-code": null,
17
+ "opencode": null,
18
+ "antigravity": null,
19
+ "github-copilot": null
20
+ },
21
+ "revisionHistory": [
22
+ { "timestamp": "<YYYY-MM-DD HH:MM>", "agent": "toolsmith", "change": "initial provisioning" }
23
+ ]
24
+ }