ma-agents 2.1.0 → 2.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ma-agents",
-  "version": "2.1.0",
+  "version": "2.3.0",
   "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
   "main": "index.js",
   "bin": {

package/skills/README.md

@@ -314,6 +314,44 @@ Enforces standardized file headers and method documentation across C++, C#, JS,
 
 ---
 
+### 15. Python Security Best Practices
+**Directory:** `python-security-skill/`
+
+Enforces secure Python coding standards aligned with OWASP Top 10 2025.
+
+**Key Features:**
+- ✅ **Injection Prevention**: Bans `eval()`, `exec()`, and insecure shell commands.
+- ✅ **Secure Serialization**: Mandates `json` over `pickle` for untrusted data.
+- ✅ **Crypto Standards**: Enforces `secrets` module and modern hashing (SHA256+).
+- ✅ **Supply Chain**: Integrated with `pip-audit` and version pinning logic.
+
+---
+
+### 16. Python Dependency Management
+**Directory:** `python-dependency-mgmt/`
+
+Standardizes Python dependency handling using `uv` and `pip` (requirements.txt).
+
+**Key Features:**
+- ✅ **uv Mastery**: Full support for `uv lock`, `uv sync`, and `pyproject.toml`.
+- ✅ **Legacy Support**: Layered `requirements.txt` (pinned + hashes).
+- ✅ **Isolation**: Enforces virtual environment discipline and `.venv` usage.
+
+---
+
+### 17. JS/TS Dependency Management
+**Directory:** `js-ts-dependency-mgmt/`
+
+Standardizes package management and security across NPM, Yarn, and PNPM.
+
+**Key Features:**
+- ✅ **Build Stability**: Protocols for version pinning and lockfile discipline.
+- ✅ **Security Audit**: Mandatory `npm audit` / `yarn audit` integration.
+- ✅ **Categorization**: Correct usage of `dependencies` vs `devDependencies`.
+- ✅ **Hygiene**: Standardized `.npmrc` and registry security settings.
+
+---
+
 ## Requirements
 
 ### All Skills

package/skills/code-documentation/SKILL.md

@@ -17,6 +17,7 @@ This skill enforces high-quality, standardized documentation for source code fil
     - **C++**: Use Doxygen style (`/** ... */`).
     - **C#**: Use XML Documentation style (`/// <summary> ...`).
     - **JS/TS**: Use JSDoc style (`/** ... */`).
+    - **Python**: Use PEP 257 Docstrings (`""" ... """`).
 *   **Required Fields**:
     - **Summary**: Concise description of what the method does.
     - **Parameters**: Name and purpose of each argument.
@@ -37,6 +38,7 @@ This skill enforces high-quality, standardized documentation for source code fil
 | **C++** | Doxygen | `\brief`, `\param`, `\return`, `\throw` |
 | **C#** | XML Doc | `<summary>`, `<param>`, `<returns>`, `<exception>` |
 | **JS/TS** | JSDoc | `@description`, `@param`, `@returns`, `@throws` |
+| **Python** | Docstrings | `Args:`, `Returns:`, `Raises:` (Google/NumPy style) |
 
 ---
 

package/skills/code-documentation/examples/python.md

@@ -0,0 +1,57 @@
+# Python Documentation (Google/NumPy Style)
+
+### File Header
+Every module should start with a docstring that provides a high-level overview.
+
+```python
+"""
+data_processor.py
+~~~~~~~~~~~~~~~~~
+Handles high-performance transformation of raw sensor data using NumPy.
+
+:copyright: (c) 2026 by Antigravity.
+:license: MIT, see LICENSE for more details.
+"""
+```
+
+### Method Documentation
+Preferred style is Google or NumPy style for readability and integration with tools like Sphinx.
+
+```python
+def calculate_moving_average(data, window_size):
+    """Calculates the moving average of a dataset.
+
+    This method uses a sliding window algorithm to smooth out volatility 
+    in sensor inputs.
+
+    Args:
+        data (list[float]): A list or array of float values to process.
+        window_size (int): The size of the averaging window (must be > 0).
+
+    Returns:
+        float: The calculated moving average.
+
+    Raises:
+        ValueError: If data is empty or window_size is invalid.
+
+    Note:
+        This implementation assumes data is already cleaned.
+    """
+    if not data or window_size <= 0:
+        raise ValueError("Invalid data or window_size")
+    # ... implementation
+```
+
+### Class Documentation
+```python
+class SignalFilter:
+    """A collection of signal processing utilities.
+    
+    Attributes:
+        sampling_rate (int): The frequency at which signals are sampled.
+    """
+    
+    def __init__(self, sampling_rate):
+        """Initializes the SignalFilter with a specific sampling rate."""
+        self.sampling_rate = sampling_rate
+```

package/skills/code-documentation/skill.json

@@ -1,6 +1,6 @@
 {
     "name": "Code Documentation Best Practices",
-    "description": "Standardize file headers and method documentation across C++, C#, JS, and TS.",
+    "description": "Standardize file headers and method documentation across C++, C#, JS, TS, and Python.",
     "version": "1.0.0",
     "author": "Antigravity",
     "tags": [

package/skills/js-ts-dependency-mgmt/SKILL.md

@@ -0,0 +1,45 @@
+# JS/TS Dependency Management (NPM, Yarn, PNPM)
+
+This skill enforces best practices for managing dependencies in the JS/TS ecosystem, focusing on build stability, supply chain security, and environment hygiene.
+
+## Policies
+
+### 1. Build Stability & Reproducibility
+*   **Rule**: Always use a lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`) and pin versions.
+*   **Action**: 
+    - Use specific versions in `package.json` (prefer `1.2.3` over `^1.2.3` for critical production apps).
+    - NEVER use `*` or `latest`.
+    - Always commit the lockfile to version control.
+
+### 2. Supply Chain Security (OWASP A03:2025)
+*   **Rule**: Mandatory scanning for known vulnerabilities in dependencies.
+*   **Action**: 
+    - Consistently run `npm audit` or `yarn audit`.
+    - Ban insecure registry URLs (use HTTPS only).
+    - Avoid Git-based dependencies (`"pkg": "git+https://..."`) unless from an internal/verified source.
+    - Be cautious of "Typosquatting"—double-check package names before installation.
+
+### 3. Dependency Categorization
+*   **Rule**: Correctly distinguish between runtime and development dependencies.
+*   **Action**: 
+    - **dependencies**: Packages needed for the app to run (e.g., `express`, `react`).
+    - **devDependencies**: Packages needed only for building/testing (e.g., `typescript`, `jest`, `eslint`).
+    - **peerDependencies**: Libraries intended to be used with other specific versions of a host package.
+
+### 4. Registry Hygiene
+*   **Rule**: Standardize configuration via `.npmrc`.
+*   **Action**: 
+    - Define `save-exact=true` if pinning is the default project policy.
+    - Set up scoped registries for private packages correctly.
+
+### 5. Automated Updates
+*   **Rule**: Keep dependencies current while maintaining safety.
+*   **Action**: Use tools like `npm-check-updates` (ncu) to audit updates, but verify them in separate PRs/branches.
+
+## Process Reference
+
+| Tool | Lockfile | Installation | Audit |
+| :--- | :--- | :--- | :--- |
+| **NPM** | `package-lock.json` | `npm install` | `npm audit` |
+| **Yarn** | `yarn.lock` | `yarn install` | `yarn audit` |
+| **PNPM** | `pnpm-lock.yaml` | `pnpm install` | `pnpm audit` |

package/skills/js-ts-dependency-mgmt/examples/dependency_mgmt.md

@@ -0,0 +1,60 @@
+# JS/TS Dependency Management Examples
+
+### 1. Secure `package.json` Structure
+**Good Pattern:**
+```json
+{
+  "name": "secure-app",
+  "version": "1.0.0",
+  "dependencies": {
+    "axios": "1.6.2",        // Pinned version
+    "express": "4.18.2"      // Pinned version
+  },
+  "devDependencies": {
+    "typescript": "5.3.2",
+    "jest": "29.7.0",
+    "eslint": "8.54.0"
+  }
+}
+```
+
+### 2. Standardized `.npmrc`
+```text
+# Enforce exact version saving by default
+save-exact=true
+
+# Ensure every developer uses the same registry
+registry=https://registry.npmjs.org/
+
+# Forbid scrips for security during install if possible
+# ignore-scripts=true
+```
+
+### 3. Managing Scoped/Private Packages
+If you use a private registry (like Artifactory or GitHub Packages):
+```text
+@my-org:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
+```
+
+### 4. Dependency Auditing Workflow
+**Routine Check:**
+```bash
+# Check for vulnerabilities
+npm audit
+
+# Fix minor issues automatically
+npm audit fix
+
+# Check for outdated packages without installing
+npx npm-check-updates
+```
+
+### 5. Cleaning up Node Modules
+```bash
+# Remove unused dependencies
+npm prune
+
+# Clean install (deletes node_modules and installs from lockfile)
+npm ci
+```

package/skills/js-ts-dependency-mgmt/skill.json

@@ -0,0 +1,23 @@
+{
+    "name": "JS/TS Dependency Management",
+    "description": "Standardize package management and security across NPM, Yarn, and PNPM.",
+    "version": "1.0.0",
+    "author": "Antigravity",
+    "tags": [
+        "javascript",
+        "typescript",
+        "npm",
+        "yarn",
+        "pnpm",
+        "dependencies",
+        "security",
+        "best-practices"
+    ],
+    "applies_when": [
+        "managing JavaScript or TypeScript project dependencies",
+        "configuring package.json, npmrc, or lockfiles",
+        "updating NPM/Yarn/PNPM packages",
+        "auditing JS/TS supply chain security"
+    ],
+    "always_load": true
+}

package/skills/python-dependency-mgmt/SKILL.md

@@ -0,0 +1,38 @@
+# Python Dependency Management (uv & pip)
+
+This skill ensures consistent and reproducible Python environments using modern tools like `uv` and traditional standards like `requirements.txt`.
+
+## Policies
+
+### 1. Modern Workflow with `uv`
+*   **Rule**: Use `uv` for lightning-fast project management if available.
+*   **Action**: 
+    - Use `uv lock` to generate `uv.lock`.
+    - Use `uv sync` to keep the environment in sync with the lockfile.
+    - Declare dependencies in `pyproject.toml`.
+*   **Rationale**: `uv` is significantly faster than `pip` and provides deterministic builds via lockfiles.
+
+### 2. Standardized `requirements.txt`
+*   **Rule**: If not using a modern manager, use a layered and pinned `requirements.txt` structure.
+*   **Action**: 
+    - **Layered**: Use `requirements.in` (top-level deps) and `requirements.txt` (fully pinned transitive deps).
+    - **Environment Split**: Separate `requirements.txt` from `dev-requirements.txt`.
+    - **Hashes**: Generate hashes for security (`--generate-hashes` via `pip-compile`).
+
+### 3. Strict Version Pinning
+*   **Rule**: All production dependencies must be pinned to a specific version.
+*   **Action**: Use `package==1.2.3`, never `package>=1.2.3` in the final lock/txt file.
+
+### 4. Virtual Environment Discipline
+*   **Rule**: Never install dependencies globally. 
+*   **Action**: 
+    - Always create a `.venv` in the project root.
+    - For `uv`, it handles this automatically with `uv venv` or implicitly via `uv run`.
+
+### 5. Standard Build Systems (PEP 517/518)
+*   **Rule**: Use `pyproject.toml` as the source of truth for build metadata.
+
+## Tools of Choice
+1. **uv**: (Recommended) Fastest all-in-one manager.
+2. **pip-tools**: For generating pinned `requirements.txt` from `.in` files.
+3. **venv**: Core standard for isolation.

package/skills/python-dependency-mgmt/examples/dependency_mgmt.md

@@ -0,0 +1,67 @@
+# Python Dependency Management Examples
+
+### 1. Modern Workspace with `uv`
+**pyproject.toml:**
+```toml
+[project]
+name = "my-app"
+version = "0.1.0"
+dependencies = [
+    "requests==2.31.0",
+    "structlog>=24.1.0",
+]
+
+[tool.uv]
+managed = true
+```
+
+**Commands:**
+```bash
+# Add a new dependency and update lockfile
+uv add pandas
+
+# Run a script within the isolated environment
+uv run main.py
+
+# Sync environment with the lockfile
+uv sync
+```
+
+### 2. Traditional `requirements.txt` (pip-tools)
+**requirements.in:**
+```text
+flask
+psycopg2-binary
+```
+
+**Workflow:**
+```bash
+# Generate pinned requirements.txt with hashes
+pip-compile --generate-hashes requirements.in
+
+# Install exactly what is pinned
+pip install -r requirements.txt
+```
+
+### 3. Development vs Production Deps
+**dev-requirements.in:**
+```text
+-c requirements.txt
+pytest
+black
+ruff
+```
+
+```bash
+# Generate dev-requirements.txt
+pip-compile dev-requirements.in
+```
+
+### 4. Virtual Environment Setup (Standard)
+```bash
+python -m venv .venv
+# Linux/macOS
+source .venv/bin/activate
+# Windows
+.venv\Scripts\activate
+```

package/skills/python-dependency-mgmt/skill.json

@@ -0,0 +1,21 @@
+{
+    "name": "Python Dependency Management",
+    "description": "Standardize Python dependency handling using uv and pip (requirements.txt).",
+    "version": "1.0.0",
+    "author": "Antigravity",
+    "tags": [
+        "python",
+        "uv",
+        "pip",
+        "dependencies",
+        "packaging",
+        "best-practices"
+    ],
+    "applies_when": [
+        "managing Python project dependencies",
+        "configuring Python build systems",
+        "updating requirements.txt or uv.lock",
+        "setting up Python development environments"
+    ],
+    "always_load": true
+}

package/skills/python-security-skill/SKILL.md

@@ -0,0 +1,52 @@
+# Python Security Best Practices (OWASP 2025 aligned)
+
+This skill provides mandatory security guardrails for Python applications, ensuring protection against common vulnerabilities and alignment with OWASP Top 10 standards.
+
+## Policies
+
+### 1. Zero Insecure Function Usage
+*   **Rule**: Ban functions that allow arbitrary code execution or insecure OS commands.
+*   **Action**: 
+    - NEVER use `eval()` or `exec()`.
+    - Avoid `subprocess.run(..., shell=True)`. Use lists for commands instead.
+    - Avoid `yaml.load()` without specifying a loader (use `yaml.safe_load()`).
+
+### 2. Secure Data Serialization
+*   **Rule**: Protect against insecure deserialization.
+*   - **Action**: 
+    - NEVER use `pickle` for untrusted data. Use `json` instead.
+    - Be cautious with `xml.etree.ElementTree` (vulnerable to XXE); use `defusedxml` if possible.
+
+### 3. Injection Prevention (A05:2025)
+*   **Rule**: Use parameterized queries for all database and API interactions.
+*   **Action**: 
+    - Never use f-strings or `.format()` for SQL queries.
+    - Use ORM features (Django ORM, SQLAlchemy) or parameter placeholders (`%s`, `?`).
+
+### 4. Cryptographic Standards (A04:2025)
+*   **Rule**: Use modern, collision-resistant hashing and encryption.
+*   **Action**: 
+    - Use `hashlib.sha256()` or better. Ban MD5 and SHA1.
+    - Use `secrets` module for tokens/passwords, not `random`.
+
+### 5. Dependency Integrity (A03:2025)
+*   **Rule**: Lock dependencies and scan for known vulnerabilities.
+*   **Action**: 
+    - Always commit lockfiles (`uv.lock`, `poetry.lock`, or `requirements.txt` with hashes).
+    - Periodically run `pip-audit` or `safety`.
+
+### 6. Secure Error Handling (A10:2025)
+*   **Rule**: Do not leak sensitive information in tracebacks or logs.
+*   **Action**: 
+    - Never log `pydantic` models or raw request bodies containing PII/Secrets.
+    - Use generic error messages for end-users while keeping detailed logs internally.
+
+## Python Security Mapping (OWASP 2025)
+
+| Category | Python Vulnerability | Secure Alternative |
+| :--- | :--- | :--- |
+| **A01: Access Control** | URL hijacking in `requests` | Validate redirect targets |
+| **A02: Configuration** | Debug mode in Flask/Django | `DEBUG = False` in production |
+| **A03: Supply Chain** | Typosquatting/Old deps | Pin versions + `pip-audit` |
+| **A05: Injection** | `os.system()` / RAW SQL | `subprocess.run()` list / ORM |
+| **A08: Integrity** | `pickle.load()` | `json.loads()` |

package/skills/python-security-skill/examples/security.md

@@ -0,0 +1,56 @@
+# Python Security Examples
+
+### 1. Secure Subprocess (Avoiding Injection)
+**Dangerous:**
+```python
+import os
+def delete_file(filename):
+    os.system(f"rm -rf {filename}") # VULNERABLE to injection
+```
+
+**Secure:**
+```python
+import subprocess
+def delete_file(filename):
+    # Pass as a list, shell=False by default
+    subprocess.run(["rm", "-rf", filename], check=True)
+```
+
+### 2. Secure Serialization
+**Dangerous:**
+```python
+import pickle
+def load_user(data):
+    return pickle.loads(data) # VULNERABLE to arbitrary code execution
+```
+
+**Secure:**
+```python
+import json
+def load_user(data):
+    return json.loads(data) # Safe for untrusted input
+```
+
+### 3. Preventing SQL Injection
+**Dangerous:**
+```python
+cursor.execute(f"SELECT * FROM users WHERE id = '{user_id}'")
+```
+
+**Secure:**
+```python
+cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+```
+
+### 4. Secure Randomness
+**Dangerous:**
+```python
+import random
+token = str(random.random()) # Predictable
+```
+
+**Secure:**
+```python
+import secrets
+token = secrets.token_urlsafe(32) # Cryptographically secure
+```

package/skills/python-security-skill/skill.json

@@ -0,0 +1,20 @@
+{
+    "name": "Python Security Best Practices",
+    "description": "Enforce secure Python coding standards following OWASP Top 10 2025.",
+    "version": "1.0.0",
+    "author": "Antigravity",
+    "tags": [
+        "python",
+        "security",
+        "owasp",
+        "vulnerability-prevention",
+        "best-practices"
+    ],
+    "applies_when": [
+        "writing or reviewing Python code",
+        "managing Python dependencies",
+        "configuring Python application environments",
+        "handling sensitive data in Python"
+    ],
+    "always_load": true
+}

package/skills/test-accompanied-development/SKILL.md

@@ -33,7 +33,14 @@ To ensure high code quality and maintainability by mandating that all public int
 
 ## Example Workflow
 
+### TypeScript (Jest)
 1.  **Agent**: "I am adding a `calculateTotal` method to the `InvoiceService`. I will also create `InvoiceService.test.ts` to verify it."
 2.  **Agent**: [Writes `calculateTotal` in `InvoiceService.ts`]
 3.  **Agent**: [Writes tests in `InvoiceService.test.ts` using `test-generator` patterns]
 4.  **Agent**: "Method and tests are complete. Running tests now..."
+
+### Python (Pytest)
+1.  **Agent**: "I am adding a `validate_user` function to `auth.py`. I will also create `tests/test_auth.py` to verify it."
+2.  **Agent**: [Writes `validate_user` in `auth.py`]
+3.  **Agent**: [Writes tests in `tests/test_auth.py` using `test-generator` patterns]
+4.  **Agent**: "Implementation and tests are ready. Running `pytest`."

package/skills/test-accompanied-development/skill.json

@@ -7,7 +7,9 @@
         "testing",
         "quality",
         "policy",
-        "tdd"
+        "tdd",
+        "python",
+        "pytest"
     ],
     "applies_when": [
         "writing or reviewing public APIs",

package/skills/test-generator/SKILL.md

@@ -35,8 +35,9 @@ Generate comprehensive unit and integration tests for code.
 - Mock external dependencies
 - Clear assertion messages
 
-## Example Output
+## Example Outputs
 
+### JavaScript (Jest)
 ```javascript
 describe('ComponentName', () => {
   test('should [behavior] when [condition]', () => {
@@ -49,13 +50,25 @@ describe('ComponentName', () => {
     // Assert
     expect(result).toEqual(expectedOutput);
   });
+});
+```
 
-  test('should handle edge case', () => {
-    // ...
-  });
+### Python (Pytest)
+```python
+import pytest
+from app.module import function_under_test
 
-  test('should throw on invalid input', () => {
-    expect(() => fn(invalid)).toThrow();
-  });
-});
+def test_should_behavior_when_condition():
+    # Arrange
+    input_data = setup_test_data()
+    
+    # Act
+    result = function_under_test(input_data)
+    
+    # Assert
+    assert result == expected_output
+
+def test_should_raise_on_invalid_input():
+    with pytest.raises(ValueError):
+        function_under_test(None)
 ```

package/skills/test-generator/skill.json

@@ -7,6 +7,8 @@
     "testing",
     "unit-tests",
     "integration-tests",
+    "python",
+    "pytest",
     "quality"
   ],
   "applies_when": [