implannotator 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (144) hide show
  1. package/CHANGELOG.md +19 -0
  2. package/LICENSE +21 -0
  3. package/README.md +76 -0
  4. package/THIRD_PARTY_NOTICES.md +9 -0
  5. package/docs/architecture.md +12 -0
  6. package/docs/compatibility.md +9 -0
  7. package/docs/configuration.md +25 -0
  8. package/docs/installation.md +30 -0
  9. package/docs/qa.md +5 -0
  10. package/docs/security.md +10 -0
  11. package/docs/troubleshooting.md +17 -0
  12. package/docs/workflow.md +12 -0
  13. package/extensions/commands/register.ts +39 -0
  14. package/extensions/config/defaults.ts +16 -0
  15. package/extensions/config/loader.ts +84 -0
  16. package/extensions/domain/types.ts +94 -0
  17. package/extensions/index.ts +44 -0
  18. package/extensions/plannotator/availability.ts +13 -0
  19. package/extensions/plannotator/client.ts +54 -0
  20. package/extensions/plannotator/contracts.ts +20 -0
  21. package/extensions/policy/change-inventory.ts +23 -0
  22. package/extensions/policy/mutation-gate.ts +40 -0
  23. package/extensions/policy/non-git-diff.ts +29 -0
  24. package/extensions/qa/checklist.ts +31 -0
  25. package/extensions/qa/classifier.ts +23 -0
  26. package/extensions/review/final-report.ts +6 -0
  27. package/extensions/state/atomic-file.ts +14 -0
  28. package/extensions/state/redaction.ts +19 -0
  29. package/extensions/state/run-layout.ts +40 -0
  30. package/extensions/state/run-store.ts +97 -0
  31. package/extensions/tools/control-tool.ts +95 -0
  32. package/extensions/workflow/approval-policy.ts +21 -0
  33. package/extensions/workflow/orchestrator.ts +290 -0
  34. package/extensions/workflow/transitions.ts +26 -0
  35. package/package.json +77 -0
  36. package/schemas/config.schema.json +63 -0
  37. package/schemas/decision.schema.json +16 -0
  38. package/schemas/qa-report.schema.json +14 -0
  39. package/schemas/run.schema.json +15 -0
  40. package/scripts/assert-publish-ready.mjs +6 -0
  41. package/scripts/check-plannotator-compat.mjs +23 -0
  42. package/scripts/update-check.mjs +32 -0
  43. package/scripts/verify-implannotator-snapshot.mjs +24 -0
  44. package/skills/implannotator/SKILL.md +194 -0
  45. package/skills/implannotator/agents/implannotator_asset_producer.toml +92 -0
  46. package/skills/implannotator/agents/implannotator_manual_edit_applier.toml +95 -0
  47. package/skills/implannotator/agents/openai.yaml +4 -0
  48. package/skills/implannotator/reference/adapt.md +311 -0
  49. package/skills/implannotator/reference/animate.md +201 -0
  50. package/skills/implannotator/reference/approval.md +26 -0
  51. package/skills/implannotator/reference/audit.md +133 -0
  52. package/skills/implannotator/reference/bolder.md +113 -0
  53. package/skills/implannotator/reference/brand.md +108 -0
  54. package/skills/implannotator/reference/clarify.md +288 -0
  55. package/skills/implannotator/reference/codex.md +105 -0
  56. package/skills/implannotator/reference/colorize.md +257 -0
  57. package/skills/implannotator/reference/craft.md +123 -0
  58. package/skills/implannotator/reference/critique.md +790 -0
  59. package/skills/implannotator/reference/delight.md +302 -0
  60. package/skills/implannotator/reference/distill.md +111 -0
  61. package/skills/implannotator/reference/document.md +429 -0
  62. package/skills/implannotator/reference/extract.md +69 -0
  63. package/skills/implannotator/reference/harden.md +347 -0
  64. package/skills/implannotator/reference/hooks.md +90 -0
  65. package/skills/implannotator/reference/implannotator-workflow.md +65 -0
  66. package/skills/implannotator/reference/init.md +172 -0
  67. package/skills/implannotator/reference/interaction-design.md +189 -0
  68. package/skills/implannotator/reference/layout.md +161 -0
  69. package/skills/implannotator/reference/live.md +720 -0
  70. package/skills/implannotator/reference/onboard.md +234 -0
  71. package/skills/implannotator/reference/optimize.md +258 -0
  72. package/skills/implannotator/reference/overdrive.md +130 -0
  73. package/skills/implannotator/reference/polish.md +241 -0
  74. package/skills/implannotator/reference/product.md +60 -0
  75. package/skills/implannotator/reference/qa.md +40 -0
  76. package/skills/implannotator/reference/quieter.md +99 -0
  77. package/skills/implannotator/reference/review-repair.md +10 -0
  78. package/skills/implannotator/reference/shape.md +165 -0
  79. package/skills/implannotator/reference/typeset.md +279 -0
  80. package/skills/implannotator/scripts/command-metadata.json +94 -0
  81. package/skills/implannotator/scripts/context-signals.mjs +225 -0
  82. package/skills/implannotator/scripts/context.mjs +280 -0
  83. package/skills/implannotator/scripts/critique-storage.mjs +242 -0
  84. package/skills/implannotator/scripts/detect-csp.mjs +198 -0
  85. package/skills/implannotator/scripts/detect.mjs +21 -0
  86. package/skills/implannotator/scripts/detector/browser/injected/index.mjs +1937 -0
  87. package/skills/implannotator/scripts/detector/cli/main.mjs +268 -0
  88. package/skills/implannotator/scripts/detector/design-system.mjs +750 -0
  89. package/skills/implannotator/scripts/detector/detect-antipatterns-browser.js +5138 -0
  90. package/skills/implannotator/scripts/detector/detect-antipatterns.mjs +50 -0
  91. package/skills/implannotator/scripts/detector/engines/browser/detect-url.mjs +277 -0
  92. package/skills/implannotator/scripts/detector/engines/regex/detect-text.mjs +564 -0
  93. package/skills/implannotator/scripts/detector/engines/static-html/css-cascade.mjs +1015 -0
  94. package/skills/implannotator/scripts/detector/engines/static-html/detect-html.mjs +229 -0
  95. package/skills/implannotator/scripts/detector/engines/visual/screenshot-contrast.mjs +189 -0
  96. package/skills/implannotator/scripts/detector/findings.mjs +12 -0
  97. package/skills/implannotator/scripts/detector/node/file-system.mjs +198 -0
  98. package/skills/implannotator/scripts/detector/profile/profiler.mjs +166 -0
  99. package/skills/implannotator/scripts/detector/registry/antipatterns.mjs +448 -0
  100. package/skills/implannotator/scripts/detector/rules/checks.mjs +2671 -0
  101. package/skills/implannotator/scripts/detector/shared/color.mjs +124 -0
  102. package/skills/implannotator/scripts/detector/shared/constants.mjs +101 -0
  103. package/skills/implannotator/scripts/detector/shared/page.mjs +7 -0
  104. package/skills/implannotator/scripts/hook-admin.mjs +636 -0
  105. package/skills/implannotator/scripts/hook-before-edit.mjs +476 -0
  106. package/skills/implannotator/scripts/hook-lib.mjs +1526 -0
  107. package/skills/implannotator/scripts/hook.mjs +61 -0
  108. package/skills/implannotator/scripts/lib/design-parser.mjs +842 -0
  109. package/skills/implannotator/scripts/lib/implannotator-config.mjs +638 -0
  110. package/skills/implannotator/scripts/lib/implannotator-paths.mjs +126 -0
  111. package/skills/implannotator/scripts/lib/is-generated.mjs +69 -0
  112. package/skills/implannotator/scripts/live/browser-script-parts.mjs +49 -0
  113. package/skills/implannotator/scripts/live/completion.mjs +19 -0
  114. package/skills/implannotator/scripts/live/event-validation.mjs +137 -0
  115. package/skills/implannotator/scripts/live/insert-ui.mjs +458 -0
  116. package/skills/implannotator/scripts/live/manual-apply.mjs +939 -0
  117. package/skills/implannotator/scripts/live/manual-edit-routes.mjs +357 -0
  118. package/skills/implannotator/scripts/live/manual-edits-buffer.mjs +152 -0
  119. package/skills/implannotator/scripts/live/session-store.mjs +289 -0
  120. package/skills/implannotator/scripts/live/svelte-component.mjs +826 -0
  121. package/skills/implannotator/scripts/live/sveltekit-adapter.mjs +274 -0
  122. package/skills/implannotator/scripts/live/ui-core.mjs +180 -0
  123. package/skills/implannotator/scripts/live/vocabulary.mjs +36 -0
  124. package/skills/implannotator/scripts/live-accept.mjs +812 -0
  125. package/skills/implannotator/scripts/live-browser-dom.js +146 -0
  126. package/skills/implannotator/scripts/live-browser-session.js +123 -0
  127. package/skills/implannotator/scripts/live-browser.js +11161 -0
  128. package/skills/implannotator/scripts/live-commit-manual-edits.mjs +1241 -0
  129. package/skills/implannotator/scripts/live-complete.mjs +75 -0
  130. package/skills/implannotator/scripts/live-copy-edit-agent.mjs +683 -0
  131. package/skills/implannotator/scripts/live-discard-manual-edits.mjs +51 -0
  132. package/skills/implannotator/scripts/live-inject.mjs +583 -0
  133. package/skills/implannotator/scripts/live-insert.mjs +272 -0
  134. package/skills/implannotator/scripts/live-manual-edit-evidence.mjs +363 -0
  135. package/skills/implannotator/scripts/live-poll.mjs +379 -0
  136. package/skills/implannotator/scripts/live-resume.mjs +94 -0
  137. package/skills/implannotator/scripts/live-server.mjs +1134 -0
  138. package/skills/implannotator/scripts/live-status.mjs +61 -0
  139. package/skills/implannotator/scripts/live-wrap.mjs +894 -0
  140. package/skills/implannotator/scripts/live.mjs +246 -0
  141. package/skills/implannotator/scripts/modern-screenshot.umd.js +14 -0
  142. package/skills/implannotator/scripts/palette.mjs +633 -0
  143. package/skills/implannotator/scripts/pin.mjs +214 -0
  144. package/skills/implannotator/vendor/impeccable-manifest.json +680 -0
@@ -0,0 +1,198 @@
1
+ /**
2
+ * Scan a project tree for Content-Security-Policy signals and classify the
3
+ * shape so the agent knows which patch template to propose.
4
+ *
5
+ * Used at first-time `live.mjs` setup. Mechanical (grep-based) — no network,
6
+ * no dev server, no JS evaluation. The classification drives a user-facing
7
+ * consent prompt; the agent does the actual patch writing.
8
+ *
9
+ * Shapes are named by patch mechanism, not framework origin:
10
+ * - "append-arrays": CSP defined as structured directive arrays. Patch
11
+ * appends a dev-only localhost entry. Covers:
12
+ * - Monorepo helpers with additional*Src options
13
+ * (e.g. createBaseNextConfig for Next)
14
+ * - SvelteKit kit.csp.directives
15
+ * - nuxt-security module's contentSecurityPolicy
16
+ * - "append-string": CSP built as a literal value string. Patch splices
17
+ * a dev-only token into script-src and connect-src.
18
+ * Covers:
19
+ * - Inline Next.js headers() with CSP string
20
+ * - Nuxt routeRules / nitro.routeRules CSP headers
21
+ * - "middleware": CSP set dynamically in middleware.{ts,js}.
22
+ * Detected but not auto-patched in v1.
23
+ * - "meta-tag": <meta http-equiv="Content-Security-Policy"> in
24
+ * layout files. Detected but not auto-patched in v1.
25
+ * - null: no CSP signals found; no patch needed.
26
+ */
27
+
28
+ import fs from 'node:fs';
29
+ import path from 'node:path';
30
+
31
+ const SKIP_DIRS = new Set([
32
+ 'node_modules',
33
+ '.git',
34
+ '.next',
35
+ '.turbo',
36
+ '.svelte-kit',
37
+ '.nuxt',
38
+ '.astro',
39
+ 'dist',
40
+ 'build',
41
+ 'out',
42
+ '.vercel',
43
+ ]);
44
+
45
+ const SCAN_EXTS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.tsx', '.jsx']);
46
+ const LAYOUT_EXTS = new Set(['.tsx', '.jsx', '.astro', '.vue', '.svelte', '.html']);
47
+ const MAX_DEPTH = 6;
48
+ const MAX_READ_BYTES = 64 * 1024;
49
+
50
+ // append-arrays signals: CSP expressed as structured directive arrays
51
+ const MONOREPO_HELPER_SIGNALS = [
52
+ /\bbuildCSPConfig\b/,
53
+ /\bbuildSecurityHeaders\b/,
54
+ /\badditionalScriptSrc\b/,
55
+ /\badditionalConnectSrc\b/,
56
+ /\bcreateBaseNextConfig\b/,
57
+ ];
58
+ const SVELTEKIT_CSP_SIGNALS = [
59
+ /\bkit\s*:/,
60
+ /\bcsp\s*:/,
61
+ /\bdirectives\s*:/,
62
+ ];
63
+ const NUXT_SECURITY_SIGNALS = [
64
+ /['"]nuxt-security['"]/,
65
+ /\bcontentSecurityPolicy\b/,
66
+ ];
67
+
68
+ // append-string signals: CSP written as a literal value string
69
+ const INLINE_HEADER_SIGNALS = [
70
+ /["']Content-Security-Policy["']/i,
71
+ /\bscript-src\b/,
72
+ /\bconnect-src\b/,
73
+ ];
74
+ const NUXT_ROUTE_RULES_SIGNALS = [
75
+ /\brouteRules\b/,
76
+ /Content-Security-Policy/i,
77
+ /\bscript-src\b/,
78
+ ];
79
+
80
+ const MIDDLEWARE_HINT = /headers\.set\(\s*["']Content-Security-Policy["']/i;
81
+ const META_TAG_HINT = /http-equiv\s*=\s*["']Content-Security-Policy["']/i;
82
+
83
+ /**
84
+ * @param {string} cwd Project root.
85
+ * @returns {{ shape: string|null, signals: string[] }}
86
+ */
87
+ export function detectCsp(cwd = process.cwd()) {
88
+ const hits = { appendArrays: [], appendString: [], middleware: [], metaTag: [] };
89
+
90
+ walk(cwd, cwd, 0, (absPath, relPath, body) => {
91
+ const ext = path.extname(absPath);
92
+ const base = path.basename(absPath).toLowerCase();
93
+ const isConfig = (name) =>
94
+ new RegExp('(^|/)' + name + '\\.config\\.').test(relPath);
95
+
96
+ // === append-arrays candidates ===
97
+
98
+ // Monorepo CSP helper: packages/*/src/.../(config|security)/*
99
+ if (SCAN_EXTS.has(ext) &&
100
+ /packages\/[^/]+\/src\/.*(config|next-config|security)/.test(relPath) &&
101
+ MONOREPO_HELPER_SIGNALS.some((re) => re.test(body))) {
102
+ hits.appendArrays.push(relPath);
103
+ return;
104
+ }
105
+
106
+ // SvelteKit kit.csp.directives
107
+ if (SCAN_EXTS.has(ext) && isConfig('svelte') &&
108
+ SVELTEKIT_CSP_SIGNALS.every((re) => re.test(body))) {
109
+ hits.appendArrays.push(relPath);
110
+ return;
111
+ }
112
+
113
+ // Nuxt nuxt-security module
114
+ if (SCAN_EXTS.has(ext) && isConfig('nuxt') &&
115
+ NUXT_SECURITY_SIGNALS.every((re) => re.test(body))) {
116
+ hits.appendArrays.push(relPath);
117
+ return;
118
+ }
119
+
120
+ // === append-string candidates ===
121
+
122
+ // Inline headers in Next/Nuxt/SvelteKit/Astro/Vite config
123
+ if (SCAN_EXTS.has(ext) &&
124
+ /(^|\/)(next|nuxt|vite|astro|svelte)\.config\./.test(relPath) &&
125
+ INLINE_HEADER_SIGNALS.every((re) => re.test(body))) {
126
+ // Nuxt routeRules is a sub-shape of append-string; we already covered
127
+ // nuxt-security above via return, so any remaining Nuxt CSP match here
128
+ // is a route-rules / inline-headers case. Either way, same patch
129
+ // mechanism.
130
+ hits.appendString.push(relPath);
131
+ return;
132
+ }
133
+
134
+ // === detect-only shapes ===
135
+
136
+ if ((base === 'middleware.ts' || base === 'middleware.js' || base === 'middleware.mjs') &&
137
+ MIDDLEWARE_HINT.test(body)) {
138
+ hits.middleware.push(relPath);
139
+ }
140
+
141
+ if (LAYOUT_EXTS.has(ext) && META_TAG_HINT.test(body)) {
142
+ hits.metaTag.push(relPath);
143
+ }
144
+ });
145
+
146
+ // Priority: append-arrays > append-string > middleware > meta-tag.
147
+ // Structured patches are safer than string splices; runtime and HTML
148
+ // injection patches are less reliable and v1 doesn't auto-apply them.
149
+ if (hits.appendArrays.length > 0) {
150
+ return { shape: 'append-arrays', signals: hits.appendArrays };
151
+ }
152
+ if (hits.appendString.length > 0) {
153
+ return { shape: 'append-string', signals: hits.appendString };
154
+ }
155
+ if (hits.middleware.length > 0) {
156
+ return { shape: 'middleware', signals: hits.middleware };
157
+ }
158
+ if (hits.metaTag.length > 0) {
159
+ return { shape: 'meta-tag', signals: hits.metaTag };
160
+ }
161
+ return { shape: null, signals: [] };
162
+ }
163
+
164
+ function walk(root, dir, depth, visit) {
165
+ if (depth > MAX_DEPTH) return;
166
+ let entries;
167
+ try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
168
+ catch { return; }
169
+
170
+ for (const entry of entries) {
171
+ const abs = path.join(dir, entry.name);
172
+ if (entry.isDirectory()) {
173
+ if (SKIP_DIRS.has(entry.name)) continue;
174
+ walk(root, abs, depth + 1, visit);
175
+ continue;
176
+ }
177
+ if (!entry.isFile()) continue;
178
+ const ext = path.extname(entry.name);
179
+ if (!SCAN_EXTS.has(ext) && !LAYOUT_EXTS.has(ext)) continue;
180
+ let body;
181
+ try {
182
+ const fd = fs.openSync(abs, 'r');
183
+ try {
184
+ const buf = Buffer.alloc(MAX_READ_BYTES);
185
+ const n = fs.readSync(fd, buf, 0, MAX_READ_BYTES, 0);
186
+ body = buf.slice(0, n).toString('utf-8');
187
+ } finally { fs.closeSync(fd); }
188
+ } catch { continue; }
189
+ visit(abs, path.relative(root, abs), body);
190
+ }
191
+ }
192
+
193
+ // CLI mode
194
+ const _running = process.argv[1];
195
+ if (_running?.endsWith('detect-csp.mjs') || _running?.endsWith('detect-csp.mjs/')) {
196
+ const result = detectCsp(process.cwd());
197
+ console.log(JSON.stringify(result, null, 2));
198
+ }
@@ -0,0 +1,21 @@
1
+ #!/usr/bin/env node
2
+
3
+ import fs from 'node:fs';
4
+ import path from 'node:path';
5
+ import { pathToFileURL, fileURLToPath } from 'node:url';
6
+
7
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
8
+ const candidates = [
9
+ path.join(__dirname, 'detector', 'detect-antipatterns.mjs'),
10
+ path.join(__dirname, '..', '..', 'cli', 'engine', 'detect-antipatterns.mjs'),
11
+ ];
12
+ const detectorPath = candidates.find(p => fs.existsSync(p));
13
+
14
+ if (!detectorPath) {
15
+ process.stderr.write('Error: bundled detector not found.\n');
16
+ process.exit(1);
17
+ }
18
+
19
+ const { detectCli } = await import(pathToFileURL(detectorPath));
20
+
21
+ await detectCli();