npm - gitlab-skill - Versions diffs - 1.0.0 - Mend

gitlab-skill 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/GITLAB_API_COMPREHENSIVE_GUIDE.md +3885 -0
package/PRACTICAL_SCRIPTS.md +1351 -0
package/QUICK_REFERENCE.md +682 -0
package/README.md +461 -0
package/SKILL.md +789 -0
package/SKILL_SETUP.md +50 -0
package/package.json +42 -0
package/scripts/install-skill.mjs +119 -0
package/skill-features/00-auth-and-bootstrap.md +81 -0
package/skill-features/01-discovery-and-projects.md +73 -0
package/skill-features/02-repository-and-code.md +101 -0
package/skill-features/03-issues-and-merge-requests.md +69 -0
package/skill-features/04-cicd-pipelines-jobs.md +86 -0
package/skill-features/05-security-and-vulnerabilities.md +125 -0
package/skill-features/06-graphql-and-glab-playbook.md +68 -0

package/skill-features/05-security-and-vulnerabilities.md ADDED Viewed

@@ -0,0 +1,125 @@
+# Security and Vulnerabilities
+## Objetivo
+Habilitar un flujo autónomo para "listar vulnerabilidades del proyecto X" combinando:
+- endpoints REST de seguridad disponibles en OpenAPI v2 local,
+- GraphQL (fuente recomendada para objetos de vulnerabilidad),
+- evidencia CI/CD y artefactos.
+## REST de seguridad en OpenAPI v2 (disponible en este repo)
+### NPM advisory/audit (proyecto)
+- `POST /api/v4/projects/{id}/packages/npm/-/npm/v1/security/advisories/bulk`
+- `POST /api/v4/projects/{id}/packages/npm/-/npm/v1/security/audits/quick`
+```bash
+curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+  --header "Content-Type: application/json" \
+  --data '{"name":"mobilcash-web","version":"1.0.0","requires":{},"dependencies":{}}' \
+  "$GITLAB_HOST/api/v4/projects/$PROJECT_ENC/packages/npm/-/npm/v1/security/advisories/bulk"
+curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+  --header "Content-Type: application/json" \
+  --data '{"name":"mobilcash-web","version":"1.0.0","requires":{},"dependencies":{}}' \
+  "$GITLAB_HOST/api/v4/projects/$PROJECT_ENC/packages/npm/-/npm/v1/security/audits/quick"
+```
+### NPM advisory/audit (grupo)
+- `POST /api/v4/groups/{id}/-/packages/npm/-/npm/v1/security/advisories/bulk`
+- `POST /api/v4/groups/{id}/-/packages/npm/-/npm/v1/security/audits/quick`
+```bash
+curl --request POST --header "PRIVATE-TOKEN: $GITLAB_TOKEN" \
+  --header "Content-Type: application/json" \
+  --data '{"name":"mobilcash-web","version":"1.0.0","requires":{},"dependencies":{}}' \
+  "$GITLAB_HOST/api/v4/groups/$GROUP_ENC/-/packages/npm/-/npm/v1/security/audits/quick"
+```
+## GraphQL recomendado para vulnerabilidades
+El esquema GraphQL es versionless; para robustez, siempre hacer introspección antes de consultas críticas.
+### Paso 1: introspección rápida
+```bash
+curl --request POST \
+  --url "$GITLAB_HOST/api/graphql" \
+  --header "Authorization: Bearer $GITLAB_TOKEN" \
+  --header "Content-Type: application/json" \
+  --data '{"query":"query { __type(name:\"Project\") { fields { name } } }"}'
+```
+### Paso 2: query base de vulnerabilidades (ajustar según schema)
+```graphql
+query($fullPath: ID!, $first: Int!, $after: String) {
+  project(fullPath: $fullPath) {
+    vulnerabilities(first: $first, after: $after) {
+      nodes {
+        id
+        title
+        description
+        severity
+        state
+        reportType
+        confidence
+      }
+      pageInfo {
+        endCursor
+        hasNextPage
+      }
+    }
+  }
+}
+```
+### Paso 3: paginación
+- Inicial: `after=null`, `first=100`.
+- Repetir mientras `hasNextPage=true`.
+- Acumular todos los `nodes`.
+## Pipeline de "listar vulnerabilidades de Mobilcash Web"
+1. Resolver proyecto (`PROJECT_ENC` y `fullPath`).
+2. Pull de vulnerabilidades por GraphQL paginado.
+3. Pull de evidencia CI:
+   - pipelines recientes (`/pipelines`)
+   - jobs de seguridad (`/pipelines/{id}/jobs`)
+   - traces de jobs fallidos (`/jobs/{job_id}/trace`)
+4. Si aplica NPM, ejecutar audit/advisory REST.
+5. Consolidar:
+   - resumen por severidad (`critical/high/medium/low`)
+   - resumen por estado (`detected/confirmed/resolved/...`)
+   - tabla de hallazgos con evidencia (`pipeline_id`, `job_id`, `web_url`)
+6. Entregar acciones sugeridas:
+   - parche de dependencia
+   - MR recomendado
+   - variable/policy de CI a ajustar
+## Formato de salida sugerido para agentes
+```json
+{
+  "project": "group/mobilcash-web",
+  "generated_at": "2026-02-18T00:00:00Z",
+  "summary": {
+    "total": 0,
+    "by_severity": {"critical": 0, "high": 0, "medium": 0, "low": 0},
+    "by_state": {"detected": 0, "confirmed": 0, "resolved": 0}
+  },
+  "findings": [],
+  "evidence": {
+    "pipelines_checked": [],
+    "jobs_checked": [],
+    "audit_sources": ["graphql", "npm_audit_quick"]
+  }
+}
+```
+## Nota de precisión
+En este snapshot `openapi_v2.yaml`, la cobertura directa de recursos de vulnerabilidades es parcial en REST. Para cobertura completa, preferir GraphQL + introspección activa.

package/skill-features/06-graphql-and-glab-playbook.md ADDED Viewed

@@ -0,0 +1,68 @@
+# GraphQL and glab Playbook
+## Objetivo
+Estandarizar operación avanzada por GraphQL y por `glab api` para agentes autónomos.
+## GraphQL: patrones
+### Query con variables
+```bash
+curl --request POST \
+  --url "$GITLAB_HOST/api/graphql" \
+  --header "Authorization: Bearer $GITLAB_TOKEN" \
+  --header "Content-Type: application/json" \
+  --data '{"query":"query($fullPath: ID!){ project(fullPath:$fullPath){ id fullPath } }","variables":{"fullPath":"'"$TARGET_PROJECT_PATH"'"}}'
+```
+### Introspección de tipo
+```bash
+curl --request POST \
+  --url "$GITLAB_HOST/api/graphql" \
+  --header "Authorization: Bearer $GITLAB_TOKEN" \
+  --header "Content-Type: application/json" \
+  --data '{"query":"query { __type(name:\"Query\") { fields { name } } }"}'
+```
+### Reglas de calidad GraphQL
+- Usar `variables` para no exceder 10k chars.
+- Mantener complejidad bajo límite (auth: 250).
+- Tratar Global IDs como opacos (`gid://gitlab/...`).
+- Implementar paginación por `pageInfo`.
+## glab: comandos útiles
+```bash
+# Estado
+glab auth status
+glab api "/user"
+# REST por API
+glab api "/projects/$PROJECT_ENC"
+glab api "/projects/$PROJECT_ENC/issues?state=opened&per_page=100" --paginate
+glab api "/projects/$PROJECT_ENC/merge_requests?scope=all&state=opened&per_page=100" --paginate
+glab api "/projects/$PROJECT_ENC/pipelines?per_page=100" --paginate
+# GraphQL por CLI
+glab api graphql -f query='query { currentUser { id username name } }'
+glab api graphql -f query='query { __type(name:"Project") { fields { name } } }'
+```
+## Plantilla de ejecución autónoma
+1. Validar auth (`glab auth status` o ping API).
+2. Resolver proyecto/grupo.
+3. Ejecutar feature workflow (archivo correspondiente).
+4. Guardar resultados JSON intermedios.
+5. Generar resumen final + acciones.
+## Convención de salida
+- `status`: `ok|partial|error`
+- `scope`: `project|group|instance`
+- `operations`: lista de llamadas ejecutadas
+- `errors`: lista normalizada `{http_code, endpoint, message}`
+- `artifacts`: archivos JSON/CSV/reportes generados