foliko 1.1.13 → 1.1.14

package/.agent/plugins/puppeteer-plugin/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "puppeteer-plugin",
+  "version": "1.0.0",
+  "description": "Puppeteer 网页自动化操作插件，支持 Session 保存、页面截图、元素交互等",
+  "main": "index.js",
+  "dependencies": {
+    "puppeteer-core": "^24.40.0"
+  }
+}

package/.agent/plugins.json

@@ -1,14 +1,8 @@
 {
-  "email": {
-    "enabled": true,
-    "smtp": {
-      "host": "smtp.gmail.com",
-      "port": 587,
-      "secure": false
-    },
-    "imap": {
-      "host": "imap.gmail.com",
-      "port": 993
-    }
+  "weixin": {
+    "enabled": true
+  },
+  "poster-plugin": {
+    "enabled": true
   }
 }

package/.agent/rules/GEMINI.md

@@ -0,0 +1,273 @@
+---
+trigger: always_on
+---
+
+# GEMINI.md - Antigravity Kit
+
+> This file defines how the AI behaves in this workspace.
+
+---
+
+## CRITICAL: AGENT & SKILL PROTOCOL (START HERE)
+
+> **MANDATORY:** You MUST read the appropriate agent file and its skills BEFORE performing any implementation. This is the highest priority rule.
+
+### 1. Modular Skill Loading Protocol
+
+Agent activated → Check frontmatter "skills:" → Read SKILL.md (INDEX) → Read specific sections.
+
+- **Selective Reading:** DO NOT read ALL files in a skill folder. Read `SKILL.md` first, then only read sections matching the user's request.
+- **Rule Priority:** P0 (GEMINI.md) > P1 (Agent .md) > P2 (SKILL.md). All rules are binding.
+
+### 2. Enforcement Protocol
+
+1. **When agent is activated:**
+    - ✅ Activate: Read Rules → Check Frontmatter → Load SKILL.md → Apply All.
+2. **Forbidden:** Never skip reading agent rules or skill instructions. "Read → Understand → Apply" is mandatory.
+
+---
+
+## 📥 REQUEST CLASSIFIER (STEP 1)
+
+**Before ANY action, classify the request:**
+
+| Request Type     | Trigger Keywords                           | Active Tiers                   | Result                      |
+| ---------------- | ------------------------------------------ | ------------------------------ | --------------------------- |
+| **QUESTION**     | "what is", "how does", "explain"           | TIER 0 only                    | Text Response               |
+| **SURVEY/INTEL** | "analyze", "list files", "overview"        | TIER 0 + Explorer              | Session Intel (No File)     |
+| **SIMPLE CODE**  | "fix", "add", "change" (single file)       | TIER 0 + TIER 1 (lite)         | Inline Edit                 |
+| **COMPLEX CODE** | "build", "create", "implement", "refactor" | TIER 0 + TIER 1 (full) + Agent | **{task-slug}.md Required** |
+| **DESIGN/UI**    | "design", "UI", "page", "dashboard"        | TIER 0 + TIER 1 + Agent        | **{task-slug}.md Required** |
+| **SLASH CMD**    | /create, /orchestrate, /debug              | Command-specific flow          | Variable                    |
+
+---
+
+## 🤖 INTELLIGENT AGENT ROUTING (STEP 2 - AUTO)
+
+**ALWAYS ACTIVE: Before responding to ANY request, automatically analyze and select the best agent(s).**
+
+> 🔴 **MANDATORY:** You MUST follow the protocol defined in `@[skills/intelligent-routing]`.
+
+### Auto-Selection Protocol
+
+1. **Analyze (Silent)**: Detect domains (Frontend, Backend, Security, etc.) from user request.
+2. **Select Agent(s)**: Choose the most appropriate specialist(s).
+3. **Inform User**: Concisely state which expertise is being applied.
+4. **Apply**: Generate response using the selected agent's persona and rules.
+
+### Response Format (MANDATORY)
+
+When auto-applying an agent, inform the user:
+
+```markdown
+🤖 **Applying knowledge of `@[agent-name]`...**
+
+[Continue with specialized response]
+```
+
+**Rules:**
+
+1. **Silent Analysis**: No verbose meta-commentary ("I am analyzing...").
+2. **Respect Overrides**: If user mentions `@agent`, use it.
+3. **Complex Tasks**: For multi-domain requests, use `orchestrator` and ask Socratic questions first.
+
+### ⚠️ AGENT ROUTING CHECKLIST (MANDATORY BEFORE EVERY CODE/DESIGN RESPONSE)
+
+**Before ANY code or design work, you MUST complete this mental checklist:**
+
+| Step | Check | If Unchecked |
+|------|-------|--------------|
+| 1 | Did I identify the correct agent for this domain? | → STOP. Analyze request domain first. |
+| 2 | Did I READ the agent's `.md` file (or recall its rules)? | → STOP. Open `.agent/agents/{agent}.md` |
+| 3 | Did I announce `🤖 Applying knowledge of @[agent]...`? | → STOP. Add announcement before response. |
+| 4 | Did I load required skills from agent's frontmatter? | → STOP. Check `skills:` field and read them. |
+
+**Failure Conditions:**
+
+- ❌ Writing code without identifying an agent = **PROTOCOL VIOLATION**
+- ❌ Skipping the announcement = **USER CANNOT VERIFY AGENT WAS USED**
+- ❌ Ignoring agent-specific rules (e.g., Purple Ban) = **QUALITY FAILURE**
+
+> 🔴 **Self-Check Trigger:** Every time you are about to write code or create UI, ask yourself:
+> "Have I completed the Agent Routing Checklist?" If NO → Complete it first.
+
+---
+
+## TIER 0: UNIVERSAL RULES (Always Active)
+
+### 🌐 Language Handling
+
+When user's prompt is NOT in English:
+
+1. **Internally translate** for better comprehension
+2. **Respond in user's language** - match their communication
+3. **Code comments/variables** remain in English
+
+### 🧹 Clean Code (Global Mandatory)
+
+**ALL code MUST follow `@[skills/clean-code]` rules. No exceptions.**
+
+- **Code**: Concise, direct, no over-engineering. Self-documenting.
+- **Testing**: Mandatory. Pyramid (Unit > Int > E2E) + AAA Pattern.
+- **Performance**: Measure first. Adhere to 2025 standards (Core Web Vitals).
+- **Infra/Safety**: 5-Phase Deployment. Verify secrets security.
+
+### 📁 File Dependency Awareness
+
+**Before modifying ANY file:**
+
+1. Check `CODEBASE.md` → File Dependencies
+2. Identify dependent files
+3. Update ALL affected files together
+
+### 🗺️ System Map Read
+
+> 🔴 **MANDATORY:** Read `ARCHITECTURE.md` at session start to understand Agents, Skills, and Scripts.
+
+**Path Awareness:**
+
+- Agents: `.agent/` (Project)
+- Skills: `.agent/skills/` (Project)
+- Runtime Scripts: `.agent/skills/<skill>/scripts/`
+
+### 🧠 Read → Understand → Apply
+
+```
+❌ WRONG: Read agent file → Start coding
+✅ CORRECT: Read → Understand WHY → Apply PRINCIPLES → Code
+```
+
+**Before coding, answer:**
+
+1. What is the GOAL of this agent/skill?
+2. What PRINCIPLES must I apply?
+3. How does this DIFFER from generic output?
+
+---
+
+## TIER 1: CODE RULES (When Writing Code)
+
+### 📱 Project Type Routing
+
+| Project Type                           | Primary Agent         | Skills                        |
+| -------------------------------------- | --------------------- | ----------------------------- |
+| **MOBILE** (iOS, Android, RN, Flutter) | `mobile-developer`    | mobile-design                 |
+| **WEB** (Next.js, React web)           | `frontend-specialist` | frontend-design               |
+| **BACKEND** (API, server, DB)          | `backend-specialist`  | api-patterns, database-design |
+
+> 🔴 **Mobile + frontend-specialist = WRONG.** Mobile = mobile-developer ONLY.
+
+### 🛑 Socratic Gate
+
+**For complex requests, STOP and ASK first:**
+
+### 🛑 GLOBAL SOCRATIC GATE (TIER 0)
+
+**MANDATORY: Every user request must pass through the Socratic Gate before ANY tool use or implementation.**
+
+| Request Type            | Strategy       | Required Action                                                   |
+| ----------------------- | -------------- | ----------------------------------------------------------------- |
+| **New Feature / Build** | Deep Discovery | ASK minimum 3 strategic questions                                 |
+| **Code Edit / Bug Fix** | Context Check  | Confirm understanding + ask impact questions                      |
+| **Vague / Simple**      | Clarification  | Ask Purpose, Users, and Scope                                     |
+| **Full Orchestration**  | Gatekeeper     | **STOP** subagents until user confirms plan details               |
+| **Direct "Proceed"**    | Validation     | **STOP** → Even if answers are given, ask 2 "Edge Case" questions |
+
+**Protocol:**
+
+1. **Never Assume:** If even 1% is unclear, ASK.
+2. **Handle Spec-heavy Requests:** When user gives a list (Answers 1, 2, 3...), do NOT skip the gate. Instead, ask about **Trade-offs** or **Edge Cases** (e.g., "LocalStorage confirmed, but should we handle data clearing or versioning?") before starting.
+3. **Wait:** Do NOT invoke subagents or write code until the user clears the Gate.
+4. **Reference:** Full protocol in `@[skills/brainstorming]`.
+
+### 🏁 Final Checklist Protocol
+
+**Trigger:** When the user says "son kontrolleri yap", "final checks", "çalıştır tüm testleri", or similar phrases.
+
+| Task Stage       | Command                                            | Purpose                        |
+| ---------------- | -------------------------------------------------- | ------------------------------ |
+| **Manual Audit** | `python .agent/scripts/checklist.py .`             | Priority-based project audit   |
+| **Pre-Deploy**   | `python .agent/scripts/checklist.py . --url <URL>` | Full Suite + Performance + E2E |
+
+**Priority Execution Order:**
+
+1. **Security** → 2. **Lint** → 3. **Schema** → 4. **Tests** → 5. **UX** → 6. **Seo** → 7. **Lighthouse/E2E**
+
+**Rules:**
+
+- **Completion:** A task is NOT finished until `checklist.py` returns success.
+- **Reporting:** If it fails, fix the **Critical** blockers first (Security/Lint).
+
+**Available Scripts (12 total):**
+
+| Script                     | Skill                 | When to Use         |
+| -------------------------- | --------------------- | ------------------- |
+| `security_scan.py`         | vulnerability-scanner | Always on deploy    |
+| `dependency_analyzer.py`   | vulnerability-scanner | Weekly / Deploy     |
+| `lint_runner.py`           | lint-and-validate     | Every code change   |
+| `test_runner.py`           | testing-patterns      | After logic change  |
+| `schema_validator.py`      | database-design       | After DB change     |
+| `ux_audit.py`              | frontend-design       | After UI change     |
+| `accessibility_checker.py` | frontend-design       | After UI change     |
+| `seo_checker.py`           | seo-fundamentals      | After page change   |
+| `bundle_analyzer.py`       | performance-profiling | Before deploy       |
+| `mobile_audit.py`          | mobile-design         | After mobile change |
+| `lighthouse_audit.py`      | performance-profiling | Before deploy       |
+| `playwright_runner.py`     | webapp-testing        | Before deploy       |
+
+> 🔴 **Agents & Skills can invoke ANY script** via `python .agent/skills/<skill>/scripts/<script>.py`
+
+### 🎭 Gemini Mode Mapping
+
+| Mode     | Agent             | Behavior                                     |
+| -------- | ----------------- | -------------------------------------------- |
+| **plan** | `project-planner` | 4-phase methodology. NO CODE before Phase 4. |
+| **ask**  | -                 | Focus on understanding. Ask questions.       |
+| **edit** | `orchestrator`    | Execute. Check `{task-slug}.md` first.       |
+
+**Plan Mode (4-Phase):**
+
+1. ANALYSIS → Research, questions
+2. PLANNING → `{task-slug}.md`, task breakdown
+3. SOLUTIONING → Architecture, design (NO CODE!)
+4. IMPLEMENTATION → Code + tests
+
+> 🔴 **Edit mode:** If multi-file or structural change → Offer to create `{task-slug}.md`. For single-file fixes → Proceed directly.
+
+---
+
+## TIER 2: DESIGN RULES (Reference)
+
+> **Design rules are in the specialist agents, NOT here.**
+
+| Task         | Read                            |
+| ------------ | ------------------------------- |
+| Web UI/UX    | `.agent/frontend-specialist.md` |
+| Mobile UI/UX | `.agent/mobile-developer.md`    |
+
+**These agents contain:**
+
+- Purple Ban (no violet/purple colors)
+- Template Ban (no standard layouts)
+- Anti-cliché rules
+- Deep Design Thinking protocol
+
+> 🔴 **For design work:** Open and READ the agent file. Rules are there.
+
+---
+
+## 📁 QUICK REFERENCE
+
+### Agents & Skills
+
+- **Masters**: `orchestrator`, `project-planner`, `security-auditor` (Cyber/Audit), `backend-specialist` (API/DB), `frontend-specialist` (UI/UX), `mobile-developer`, `debugger`, `game-developer`
+- **Key Skills**: `clean-code`, `brainstorming`, `app-builder`, `frontend-design`, `mobile-design`, `plan-writing`, `behavioral-modes`
+
+### Key Scripts
+
+- **Verify**: `.agent/scripts/verify_all.py`, `.agent/scripts/checklist.py`
+- **Scanners**: `security_scan.py`, `dependency_analyzer.py`
+- **Audits**: `ux_audit.py`, `mobile_audit.py`, `lighthouse_audit.py`, `seo_checker.py`
+- **Test**: `playwright_runner.py`, `test_runner.py`
+
+---

package/.agent/rules/allow-rule.md

@@ -0,0 +1,77 @@
+---
+id: allow-rule-001
+name: "开发环境例外规则"
+description: "在开发环境中允许特定敏感文件写入"
+version: "1.0.0"
+author: "Development Team"
+
+# 触发条件
+trigger:
+  type: "on_tool_call"
+  conditions:
+    - tool_name: "file_write"
+    - path_matches: "**/.env.local"
+  scope: "global"
+
+# 优先级和冲突解决
+priority: 150  # 比安全规则更高的优先级
+conflict_resolution: "allow"
+override_priority: true  # 覆盖更高优先级的阻止规则
+
+# 执行动作
+steps:
+  - type: "allow"
+    name: "允许开发环境配置"
+    reason: "开发环境需要.local配置文件"
+    conditions:
+      - type: "javascript"
+        expression: "ctx.variables.environment === 'development'"
+
+# 验证条件
+conditions:
+  - type: "regex"
+    field: "tool.args.path"
+    pattern: "\\.local$"
+  - type: "javascript"
+    expression: "ctx.variables.environment === 'development' || ctx.variables.environment === 'test'"
+
+# 变量和上下文
+variables:
+  environment: "development"
+  allowed_users: ["developer", "tester", "admin"]
+
+# 日志和监控
+logging:
+  level: "info"
+  notify: []
+  retention_days: 7
+---
+
+# 开发环境例外规则
+
+## 规则说明
+
+此规则为开发环境提供例外，允许写入`.env.local`配置文件。在开发环境中，开发者需要能够创建本地配置文件以覆盖默认设置。
+
+## 适用条件
+
+1. **环境要求**: 仅适用于`development`或`test`环境
+2. **文件类型**: 仅适用于`.env.local`文件
+3. **用户权限**: 仅允许特定用户（developer, tester, admin）
+
+## 安全考虑
+
+虽然允许写入本地配置文件，但需要确保：
+- 不包含生产环境密钥
+- 不提交到版本控制系统
+- 定期清理过期配置
+
+## 监控
+
+所有允许的写入操作都会记录日志，供后续审计使用。
+
+## 相关规则
+
+- 开发环境安全规则
+- 配置文件管理规则
+- 版本控制排除规则

package/.agent/rules/log-rule.md

@@ -0,0 +1,83 @@
+---
+id: log-rule-001
+name: "工具调用审计规则"
+description: "记录所有工具调用用于审计和监控"
+version: "1.0.0"
+author: "Audit Team"
+
+# 触发条件
+trigger:
+  type: "on_tool_call"
+  conditions: []
+  scope: "global"
+
+# 优先级和冲突解决
+priority: 10  # 低优先级，不影响执行
+conflict_resolution: "log"
+
+# 执行动作
+steps:
+  - type: "log"
+    name: "记录工具调用"
+    logLevel: "info"
+    messageTemplate: "工具调用: {{tool.name}} 参数: {{tool.args}} 用户: {{user.id}} 时间: {{timestamp}}"
+    fields:
+      - "tool.name"
+      - "tool.args"
+      - "user.id"
+      - "session.id"
+      - "timestamp"
+
+# 验证条件
+conditions: []
+
+# 变量和上下文
+variables:
+  audit_enabled: true
+  retention_period: "90d"
+
+# 日志和监控
+logging:
+  level: "info"
+  notify: ["audit-log"]
+  retention_days: 90
+---
+
+# 工具调用审计规则
+
+## 规则说明
+
+此规则记录所有工具调用，用于系统审计、性能监控和故障排查。
+
+## 记录字段
+
+1. **工具名称**: 被调用的工具名称
+2. **调用参数**: 工具调用的参数（敏感信息会被过滤）
+3. **用户信息**: 发起调用的用户标识
+4. **会话信息**: 当前会话标识
+5. **时间戳**: 调用发生的时间
+6. **执行结果**: 工具执行的结果状态
+
+## 隐私保护
+
+为保护用户隐私和安全，以下信息会被过滤：
+- 密码、令牌等认证信息
+- 个人身份信息（PII）
+- 敏感业务数据
+
+## 存储策略
+
+审计日志会保留90天，之后自动归档或删除。紧急情况下可以延长保留期。
+
+## 使用场景
+
+1. **安全审计**: 检测异常工具调用模式
+2. **故障排查**: 分析系统问题和错误
+3. **性能监控**: 跟踪工具执行时间和频率
+4. **合规检查**: 满足监管和合规要求
+
+## 相关规则
+
+- 隐私保护规则
+- 数据保留规则
+- 异常检测规则

package/.agent/rules/security-rule.md

@@ -0,0 +1,93 @@
+---
+id: security-rule-001
+name: "文件系统安全规则"
+description: "限制对敏感目录和文件的访问"
+version: "1.0.0"
+author: "System Administrator"
+
+# 触发条件
+trigger:
+  type: "on_tool_call"
+  conditions:
+    - tool_name: "file_write"
+    - path_matches: "**/.env*"
+  scope: "global"
+
+# 优先级和冲突解决
+priority: 100  # 高优先级
+conflict_resolution: "block"
+
+# 执行动作
+steps:
+  - type: "block"
+    name: "阻止敏感文件写入"
+    message: "禁止写入敏感配置文件"
+    reason: "安全策略禁止写入.env等敏感配置文件"
+    requireApproval: false
+
+# 验证条件
+conditions:
+  - type: "regex"
+    field: "tool.args.path"
+    pattern: "^.*/\\.env"
+  - type: "regex"
+    field: "tool.args.path"
+    pattern: "^.*/passwd$"
+  - type: "regex"
+    field: "tool.args.path"
+    pattern: "^.*/shadow$"
+  - type: "regex"
+    field: "tool.args.path"
+    pattern: "^/etc/.*"
+  - type: "regex"
+    field: "tool.args.path"
+    pattern: "^/var/log/.*"
+
+# 变量和上下文
+variables:
+  allowed_paths: ["/tmp/", "/home/user/", "/var/www/"]
+  max_file_size: 10485760
+
+# 日志和监控
+logging:
+  level: "warn"
+  notify: ["security-channel"]
+  retention_days: 30
+---
+
+# 文件系统安全规则
+
+## 规则说明
+
+此规则用于保护系统敏感文件，防止未经授权的写入操作。
+
+## 保护范围
+
+1. **配置文件**: 所有`.env`文件（包含环境变量）
+2. **系统文件**: `/etc/passwd`, `/etc/shadow`等
+3. **日志文件**: `/var/log/`目录下的文件
+4. **其他敏感路径**: 根据正则表达式匹配
+
+## 例外情况
+
+以下路径允许写入：
+- `/tmp/` 临时目录
+- `/home/user/` 用户目录
+- `/var/www/` Web根目录
+
+## 审计日志
+
+所有被阻止的写入操作都会记录到安全审计日志中，安全团队会定期审查。
+
+## 紧急绕过
+
+在紧急情况下，可以通过以下方式临时禁用此规则：
+1. 将规则文件重命名为`.md.disabled`
+2. 联系安全团队获取临时令牌
+3. 通过管理界面临时禁用
+
+## 相关规则
+
+- 数据加密规则
+- 访问控制规则
+- 审计日志规则