ma-agents 2.2.0 → 2.3.1

package/bin/cli.js

@@ -189,21 +189,37 @@ async function installWizard(preselectedSkill, preselectedAgents, customPath, fo
 
   // Step 1: Select skills
   if (selectedSkillIds.length === 0 || isUpdate) {
-    const { skills: chosen } = await prompts({
-      type: 'multiselect',
-      name: 'skills',
-      message: 'Select the skills you want to have installed:',
-      choices: skills.map(s => ({
-        title: chalk.white(s.name) + chalk.gray(` v${s.version} - ${s.description}`),
-        value: s.id,
-        selected: selectedSkillIds.includes(s.id)
-      })),
-      instructions: chalk.gray('  Use space to select, enter to confirm'),
-      min: 1
+    const { selectionType } = await prompts({
+      type: 'select',
+      name: 'selectionType',
+      message: 'Would you like to install all available skills or choose specific ones?',
+      choices: [
+        { title: 'Install all available skills', value: 'all' },
+        { title: 'Choose which skills to install', value: 'custom' }
+      ]
     });
 
-    if (!chosen) process.exit(0);
-    selectedSkillIds = chosen;
+    if (!selectionType) process.exit(0);
+
+    if (selectionType === 'all') {
+      selectedSkillIds = skills.map(s => s.id);
+    } else {
+      const { skills: chosen } = await prompts({
+        type: 'multiselect',
+        name: 'skills',
+        message: 'Select the skills you want to have installed:',
+        choices: skills.map(s => ({
+          title: chalk.white(s.name) + chalk.gray(` v${s.version} - ${s.description}`),
+          value: s.id,
+          selected: selectedSkillIds.includes(s.id)
+        })),
+        instructions: chalk.gray('  Use space to select, enter to confirm'),
+        min: 1
+      });
+
+      if (!chosen) process.exit(0);
+      selectedSkillIds = chosen;
+    }
   }
 
   // Step 2: Select agents

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ma-agents",
-  "version": "2.2.0",
+  "version": "2.3.1",
   "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
   "main": "index.js",
   "bin": {

package/skills/README.md

@@ -339,6 +339,19 @@ Standardizes Python dependency handling using `uv` and `pip` (requirements.txt).
 
 ---
 
+### 17. JS/TS Dependency Management
+**Directory:** `js-ts-dependency-mgmt/`
+
+Standardizes package management and security across NPM, Yarn, and PNPM.
+
+**Key Features:**
+- ✅ **Build Stability**: Protocols for version pinning and lockfile discipline.
+- ✅ **Security Audit**: Mandatory `npm audit` / `yarn audit` integration.
+- ✅ **Categorization**: Correct usage of `dependencies` vs `devDependencies`.
+- ✅ **Hygiene**: Standardized `.npmrc` and registry security settings.
+
+---
+
 ## Requirements
 
 ### All Skills

package/skills/js-ts-dependency-mgmt/SKILL.md

@@ -0,0 +1,45 @@
+# JS/TS Dependency Management (NPM, Yarn, PNPM)
+
+This skill enforces best practices for managing dependencies in the JS/TS ecosystem, focusing on build stability, supply chain security, and environment hygiene.
+
+## Policies
+
+### 1. Build Stability & Reproducibility
+*   **Rule**: Always use a lockfile (`package-lock.json`, `yarn.lock`, or `pnpm-lock.yaml`) and pin versions.
+*   **Action**: 
+    - Use specific versions in `package.json` (prefer `1.2.3` over `^1.2.3` for critical production apps).
+    - NEVER use `*` or `latest`.
+    - Always commit the lockfile to version control.
+
+### 2. Supply Chain Security (OWASP A03:2025)
+*   **Rule**: Mandatory scanning for known vulnerabilities in dependencies.
+*   **Action**: 
+    - Consistently run `npm audit` or `yarn audit`.
+    - Ban insecure registry URLs (use HTTPS only).
+    - Avoid Git-based dependencies (`"pkg": "git+https://..."`) unless from an internal/verified source.
+    - Be cautious of "Typosquatting"—double-check package names before installation.
+
+### 3. Dependency Categorization
+*   **Rule**: Correctly distinguish between runtime and development dependencies.
+*   **Action**: 
+    - **dependencies**: Packages needed for the app to run (e.g., `express`, `react`).
+    - **devDependencies**: Packages needed only for building/testing (e.g., `typescript`, `jest`, `eslint`).
+    - **peerDependencies**: Libraries intended to be used with other specific versions of a host package.
+
+### 4. Registry Hygiene
+*   **Rule**: Standardize configuration via `.npmrc`.
+*   **Action**: 
+    - Define `save-exact=true` if pinning is the default project policy.
+    - Set up scoped registries for private packages correctly.
+
+### 5. Automated Updates
+*   **Rule**: Keep dependencies current while maintaining safety.
+*   **Action**: Use tools like `npm-check-updates` (ncu) to audit updates, but verify them in separate PRs/branches.
+
+## Process Reference
+
+| Tool | Lockfile | Installation | Audit |
+| :--- | :--- | :--- | :--- |
+| **NPM** | `package-lock.json` | `npm install` | `npm audit` |
+| **Yarn** | `yarn.lock` | `yarn install` | `yarn audit` |
+| **PNPM** | `pnpm-lock.yaml` | `pnpm install` | `pnpm audit` |

package/skills/js-ts-dependency-mgmt/examples/dependency_mgmt.md

@@ -0,0 +1,60 @@
+# JS/TS Dependency Management Examples
+
+### 1. Secure `package.json` Structure
+**Good Pattern:**
+```json
+{
+  "name": "secure-app",
+  "version": "1.0.0",
+  "dependencies": {
+    "axios": "1.6.2",        // Pinned version
+    "express": "4.18.2"      // Pinned version
+  },
+  "devDependencies": {
+    "typescript": "5.3.2",
+    "jest": "29.7.0",
+    "eslint": "8.54.0"
+  }
+}
+```
+
+### 2. Standardized `.npmrc`
+```text
+# Enforce exact version saving by default
+save-exact=true
+
+# Ensure every developer uses the same registry
+registry=https://registry.npmjs.org/
+
+# Forbid scrips for security during install if possible
+# ignore-scripts=true
+```
+
+### 3. Managing Scoped/Private Packages
+If you use a private registry (like Artifactory or GitHub Packages):
+```text
+@my-org:registry=https://npm.pkg.github.com
+//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}
+```
+
+### 4. Dependency Auditing Workflow
+**Routine Check:**
+```bash
+# Check for vulnerabilities
+npm audit
+
+# Fix minor issues automatically
+npm audit fix
+
+# Check for outdated packages without installing
+npx npm-check-updates
+```
+
+### 5. Cleaning up Node Modules
+```bash
+# Remove unused dependencies
+npm prune
+
+# Clean install (deletes node_modules and installs from lockfile)
+npm ci
+```

package/skills/js-ts-dependency-mgmt/skill.json

@@ -0,0 +1,23 @@
+{
+    "name": "JS/TS Dependency Management",
+    "description": "Standardize package management and security across NPM, Yarn, and PNPM.",
+    "version": "1.0.0",
+    "author": "Antigravity",
+    "tags": [
+        "javascript",
+        "typescript",
+        "npm",
+        "yarn",
+        "pnpm",
+        "dependencies",
+        "security",
+        "best-practices"
+    ],
+    "applies_when": [
+        "managing JavaScript or TypeScript project dependencies",
+        "configuring package.json, npmrc, or lockfiles",
+        "updating NPM/Yarn/PNPM packages",
+        "auditing JS/TS supply chain security"
+    ],
+    "always_load": true
+}