mindforge-cc 11.5.1 → 11.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (214) hide show
  1. package/.agent/mindforge/skill-tdd.md +53 -0
  2. package/.agent/mindforge/skills-index.md +118 -0
  3. package/.agent/mindforge/systematic-debug.md +60 -0
  4. package/.agent/mindforge/wf-catalog.md +37 -0
  5. package/.agent/mindforge/wf-code-audit.md +31 -0
  6. package/.agent/mindforge/wf-competitive-analysis.md +31 -0
  7. package/.agent/mindforge/wf-deep-research.md +32 -0
  8. package/.agent/mindforge/wf-feature-planner.md +31 -0
  9. package/.agent/mindforge/wf-incident-response.md +31 -0
  10. package/.agent/mindforge/wf-onboard-codebase.md +31 -0
  11. package/.agent/mindforge/wf-perf-optimize.md +31 -0
  12. package/.agent/mindforge/wf-pr-review.md +31 -0
  13. package/.agent/mindforge/wf-refactor-plan.md +31 -0
  14. package/.agent/mindforge/wf-release-prep.md +31 -0
  15. package/.agent/mindforge/wf-tdd-sprint.md +31 -0
  16. package/.agent/mindforge/wf-tech-evaluation.md +31 -0
  17. package/.agent/skills/1password-skill/SKILL.md +156 -0
  18. package/.agent/skills/1password-skill/references/cli-examples.md +31 -0
  19. package/.agent/skills/1password-skill/references/get-started.md +21 -0
  20. package/.agent/skills/article-illustrator/SKILL.md +199 -0
  21. package/.agent/skills/article-illustrator/references/prompt-construction.md +426 -0
  22. package/.agent/skills/article-illustrator/references/style-presets.md +80 -0
  23. package/.agent/skills/article-illustrator/references/styles.md +224 -0
  24. package/.agent/skills/article-illustrator/references/usage.md +50 -0
  25. package/.agent/skills/article-illustrator/references/workflow.md +332 -0
  26. package/.agent/skills/arxiv/SKILL.md +275 -0
  27. package/.agent/skills/blogwatcher/SKILL.md +130 -0
  28. package/.agent/skills/code-wiki/SKILL.md +438 -0
  29. package/.agent/skills/code-wiki/templates/README.md +31 -0
  30. package/.agent/skills/code-wiki/templates/architecture.md +30 -0
  31. package/.agent/skills/code-wiki/templates/getting-started.md +47 -0
  32. package/.agent/skills/code-wiki/templates/module.md +38 -0
  33. package/.agent/skills/codebase-inspection/SKILL.md +109 -0
  34. package/.agent/skills/comic-creator/SKILL.md +240 -0
  35. package/.agent/skills/comic-creator/references/analysis-framework.md +176 -0
  36. package/.agent/skills/comic-creator/references/auto-selection.md +71 -0
  37. package/.agent/skills/comic-creator/references/base-prompt.md +98 -0
  38. package/.agent/skills/comic-creator/references/character-template.md +180 -0
  39. package/.agent/skills/comic-creator/references/ohmsha-guide.md +85 -0
  40. package/.agent/skills/comic-creator/references/partial-workflows.md +106 -0
  41. package/.agent/skills/comic-creator/references/storyboard-template.md +143 -0
  42. package/.agent/skills/comic-creator/references/workflow.md +401 -0
  43. package/.agent/skills/concept-diagrams/SKILL.md +355 -0
  44. package/.agent/skills/concept-diagrams/references/dashboard-patterns.md +43 -0
  45. package/.agent/skills/concept-diagrams/references/infrastructure-patterns.md +144 -0
  46. package/.agent/skills/concept-diagrams/references/physical-shape-cookbook.md +42 -0
  47. package/.agent/skills/creative-ideation/SKILL.md +144 -0
  48. package/.agent/skills/creative-ideation/references/full-prompt-library.md +110 -0
  49. package/.agent/skills/devops-cli/SKILL.md +149 -0
  50. package/.agent/skills/devops-cli/references/app-discovery.md +112 -0
  51. package/.agent/skills/devops-cli/references/authentication.md +59 -0
  52. package/.agent/skills/devops-cli/references/cli-reference.md +104 -0
  53. package/.agent/skills/devops-cli/references/running-apps.md +171 -0
  54. package/.agent/skills/devops-watchers/SKILL.md +103 -0
  55. package/.agent/skills/docker-management/SKILL.md +273 -0
  56. package/.agent/skills/domain-intel/SKILL.md +96 -0
  57. package/.agent/skills/duckduckgo-search/SKILL.md +230 -0
  58. package/.agent/skills/github-auth/SKILL.md +240 -0
  59. package/.agent/skills/github-code-review/SKILL.md +474 -0
  60. package/.agent/skills/github-code-review/references/review-output-template.md +74 -0
  61. package/.agent/skills/github-issues/SKILL.md +363 -0
  62. package/.agent/skills/github-issues/templates/bug-report.md +35 -0
  63. package/.agent/skills/github-issues/templates/feature-request.md +31 -0
  64. package/.agent/skills/github-pr-workflow/SKILL.md +360 -0
  65. package/.agent/skills/github-pr-workflow/references/ci-troubleshooting.md +183 -0
  66. package/.agent/skills/github-pr-workflow/references/conventional-commits.md +71 -0
  67. package/.agent/skills/github-pr-workflow/templates/pr-body-bugfix.md +35 -0
  68. package/.agent/skills/github-pr-workflow/templates/pr-body-feature.md +33 -0
  69. package/.agent/skills/github-repo-management/SKILL.md +509 -0
  70. package/.agent/skills/github-repo-management/references/github-api-cheatsheet.md +161 -0
  71. package/.agent/skills/godmode/SKILL.md +396 -0
  72. package/.agent/skills/godmode/references/jailbreak-templates.md +128 -0
  73. package/.agent/skills/godmode/references/refusal-detection.md +142 -0
  74. package/.agent/skills/hyperframes/SKILL.md +182 -0
  75. package/.agent/skills/hyperframes/references/cli.md +185 -0
  76. package/.agent/skills/hyperframes/references/composition.md +129 -0
  77. package/.agent/skills/hyperframes/references/features.md +289 -0
  78. package/.agent/skills/hyperframes/references/gsap.md +136 -0
  79. package/.agent/skills/hyperframes/references/troubleshooting.md +137 -0
  80. package/.agent/skills/hyperframes/references/website-to-video.md +145 -0
  81. package/.agent/skills/jupyter-live-kernel/SKILL.md +160 -0
  82. package/.agent/skills/kanban-orchestrator/SKILL.md +209 -0
  83. package/.agent/skills/kanban-worker/SKILL.md +188 -0
  84. package/.agent/skills/llm-wiki/SKILL.md +499 -0
  85. package/.agent/skills/meme-generation/SKILL.md +122 -0
  86. package/.agent/skills/node-inspect-debugger/SKILL.md +312 -0
  87. package/.agent/skills/obsidian/SKILL.md +60 -0
  88. package/.agent/skills/osint-investigation/SKILL.md +269 -0
  89. package/.agent/skills/osint-investigation/templates/source-template.md +59 -0
  90. package/.agent/skills/oss-forensics/SKILL.md +422 -0
  91. package/.agent/skills/oss-forensics/references/evidence-types.md +89 -0
  92. package/.agent/skills/oss-forensics/references/github-archive-guide.md +184 -0
  93. package/.agent/skills/oss-forensics/references/investigation-templates.md +131 -0
  94. package/.agent/skills/oss-forensics/references/recovery-techniques.md +164 -0
  95. package/.agent/skills/oss-forensics/templates/forensic-report.md +151 -0
  96. package/.agent/skills/oss-forensics/templates/malicious-package-report.md +43 -0
  97. package/.agent/skills/parallel-cli/SKILL.md +384 -0
  98. package/.agent/skills/pinggy-tunnel/SKILL.md +302 -0
  99. package/.agent/skills/pixel-art/SKILL.md +209 -0
  100. package/.agent/skills/pixel-art/references/palettes.md +49 -0
  101. package/.agent/skills/plan/SKILL.md +331 -0
  102. package/.agent/skills/polymarket/SKILL.md +75 -0
  103. package/.agent/skills/polymarket/references/api-endpoints.md +220 -0
  104. package/.agent/skills/python-debugpy/SKILL.md +368 -0
  105. package/.agent/skills/requesting-code-review/SKILL.md +273 -0
  106. package/.agent/skills/research-paper-writing/SKILL.md +2367 -0
  107. package/.agent/skills/research-paper-writing/references/autoreason-methodology.md +394 -0
  108. package/.agent/skills/research-paper-writing/references/checklists.md +434 -0
  109. package/.agent/skills/research-paper-writing/references/citation-workflow.md +563 -0
  110. package/.agent/skills/research-paper-writing/references/experiment-patterns.md +728 -0
  111. package/.agent/skills/research-paper-writing/references/human-evaluation.md +476 -0
  112. package/.agent/skills/research-paper-writing/references/paper-types.md +481 -0
  113. package/.agent/skills/research-paper-writing/references/reviewer-guidelines.md +433 -0
  114. package/.agent/skills/research-paper-writing/references/sources.md +191 -0
  115. package/.agent/skills/research-paper-writing/references/writing-guide.md +474 -0
  116. package/.agent/skills/research-paper-writing/templates/README.md +251 -0
  117. package/.agent/skills/rest-graphql-debug/SKILL.md +507 -0
  118. package/.agent/skills/s6-container-supervision/SKILL.md +171 -0
  119. package/.agent/skills/scrapling/SKILL.md +328 -0
  120. package/.agent/skills/sherlock/SKILL.md +186 -0
  121. package/.agent/skills/simplify-code/SKILL.md +168 -0
  122. package/.agent/skills/skill-authoring/SKILL.md +158 -0
  123. package/.agent/skills/spike/SKILL.md +190 -0
  124. package/.agent/skills/subagent-driven-development/SKILL.md +345 -0
  125. package/.agent/skills/subagent-driven-development/references/context-budget-discipline.md +53 -0
  126. package/.agent/skills/subagent-driven-development/references/gates-taxonomy.md +93 -0
  127. package/.agent/skills/systematic-debugging/SKILL.md +360 -0
  128. package/.agent/skills/test-driven-development/SKILL.md +336 -0
  129. package/.agent/skills/video-orchestrator/SKILL.md +194 -0
  130. package/.agent/skills/video-orchestrator/references/examples.md +227 -0
  131. package/.agent/skills/video-orchestrator/references/intake.md +166 -0
  132. package/.agent/skills/video-orchestrator/references/kanban-setup.md +278 -0
  133. package/.agent/skills/video-orchestrator/references/monitoring.md +180 -0
  134. package/.agent/skills/video-orchestrator/references/role-archetypes.md +298 -0
  135. package/.agent/skills/video-orchestrator/references/tool-matrix.md +317 -0
  136. package/.agent/skills/web-pentest/SKILL.md +332 -0
  137. package/.agent/skills/web-pentest/references/bypass-techniques.md +133 -0
  138. package/.agent/skills/web-pentest/references/exploitation-techniques.md +204 -0
  139. package/.agent/skills/web-pentest/references/scope-enforcement.md +110 -0
  140. package/.agent/skills/web-pentest/references/vuln-taxonomy.md +81 -0
  141. package/.agent/skills/web-pentest/templates/authorization.md +69 -0
  142. package/.agent/skills/web-pentest/templates/pentest-report.md +178 -0
  143. package/.claude/commands/mindforge/skill-tdd.md +53 -0
  144. package/.claude/commands/mindforge/skills-index.md +118 -0
  145. package/.claude/commands/mindforge/systematic-debug.md +60 -0
  146. package/.claude/commands/mindforge/wf-catalog.md +37 -0
  147. package/.claude/commands/mindforge/wf-code-audit.md +31 -0
  148. package/.claude/commands/mindforge/wf-competitive-analysis.md +31 -0
  149. package/.claude/commands/mindforge/wf-deep-research.md +32 -0
  150. package/.claude/commands/mindforge/wf-feature-planner.md +31 -0
  151. package/.claude/commands/mindforge/wf-incident-response.md +31 -0
  152. package/.claude/commands/mindforge/wf-onboard-codebase.md +31 -0
  153. package/.claude/commands/mindforge/wf-perf-optimize.md +31 -0
  154. package/.claude/commands/mindforge/wf-pr-review.md +31 -0
  155. package/.claude/commands/mindforge/wf-refactor-plan.md +31 -0
  156. package/.claude/commands/mindforge/wf-release-prep.md +31 -0
  157. package/.claude/commands/mindforge/wf-tdd-sprint.md +31 -0
  158. package/.claude/commands/mindforge/wf-tech-evaluation.md +31 -0
  159. package/.mindforge/config.json +2 -2
  160. package/.mindforge/dynamic-workflows/REGISTRY.md +65 -0
  161. package/.mindforge/dynamic-workflows/index.json +171 -0
  162. package/.mindforge/dynamic-workflows/scripts/code-audit.js +103 -0
  163. package/.mindforge/dynamic-workflows/scripts/competitive-analysis.js +85 -0
  164. package/.mindforge/dynamic-workflows/scripts/deep-research.js +151 -0
  165. package/.mindforge/dynamic-workflows/scripts/feature-planner.js +104 -0
  166. package/.mindforge/dynamic-workflows/scripts/incident-response.js +106 -0
  167. package/.mindforge/dynamic-workflows/scripts/onboard-codebase.js +102 -0
  168. package/.mindforge/dynamic-workflows/scripts/perf-optimize.js +128 -0
  169. package/.mindforge/dynamic-workflows/scripts/pr-review.js +87 -0
  170. package/.mindforge/dynamic-workflows/scripts/refactor-plan.js +121 -0
  171. package/.mindforge/dynamic-workflows/scripts/release-prep.js +102 -0
  172. package/.mindforge/dynamic-workflows/scripts/tdd-sprint.js +103 -0
  173. package/.mindforge/dynamic-workflows/scripts/tech-evaluation.js +72 -0
  174. package/.mindforge/memory/sync-manifest.json +1 -1
  175. package/.mindforge/skills/arxiv/SKILL.md +294 -0
  176. package/.mindforge/skills/blogwatcher/SKILL.md +147 -0
  177. package/.mindforge/skills/code-wiki/SKILL.md +457 -0
  178. package/.mindforge/skills/codebase-inspection/SKILL.md +126 -0
  179. package/.mindforge/skills/concept-diagrams/SKILL.md +373 -0
  180. package/.mindforge/skills/creative-ideation/SKILL.md +162 -0
  181. package/.mindforge/skills/domain-intel/SKILL.md +116 -0
  182. package/.mindforge/skills/duckduckgo-search/SKILL.md +249 -0
  183. package/.mindforge/skills/github-code-review/SKILL.md +493 -0
  184. package/.mindforge/skills/github-issues/SKILL.md +382 -0
  185. package/.mindforge/skills/github-pr-workflow/SKILL.md +379 -0
  186. package/.mindforge/skills/jupyter-live-kernel/SKILL.md +179 -0
  187. package/.mindforge/skills/kanban-orchestrator/SKILL.md +227 -0
  188. package/.mindforge/skills/kanban-worker/SKILL.md +206 -0
  189. package/.mindforge/skills/meme-generation/SKILL.md +141 -0
  190. package/.mindforge/skills/obsidian/SKILL.md +80 -0
  191. package/.mindforge/skills/osint-investigation/SKILL.md +288 -0
  192. package/.mindforge/skills/oss-forensics/SKILL.md +421 -0
  193. package/.mindforge/skills/pixel-art/SKILL.md +228 -0
  194. package/.mindforge/skills/plan/SKILL.md +350 -0
  195. package/.mindforge/skills/requesting-code-review/SKILL.md +292 -0
  196. package/.mindforge/skills/research-paper-writing/SKILL.md +2384 -0
  197. package/.mindforge/skills/scrapling/SKILL.md +345 -0
  198. package/.mindforge/skills/sherlock/SKILL.md +203 -0
  199. package/.mindforge/skills/simplify-code/SKILL.md +187 -0
  200. package/.mindforge/skills/spike/SKILL.md +209 -0
  201. package/.mindforge/skills/subagent-driven-development/SKILL.md +364 -0
  202. package/.mindforge/skills/systematic-debugging/SKILL.md +379 -0
  203. package/.mindforge/skills/test-driven-development/SKILL.md +355 -0
  204. package/.mindforge/skills/web-pentest/SKILL.md +327 -0
  205. package/CHANGELOG.md +71 -0
  206. package/MINDFORGE.md +2 -2
  207. package/README.md +72 -3
  208. package/RELEASENOTES.md +109 -0
  209. package/bin/installer-core.js +6 -2
  210. package/bin/mindforge-cli.js +7 -0
  211. package/bin/workflows/workflow-runner.js +110 -0
  212. package/docs/commands-reference.md +25 -0
  213. package/docs/getting-started.md +42 -5
  214. package/package.json +2 -1
@@ -0,0 +1,317 @@
1
+ # Tool Matrix — Skills + Toolsets per Role
2
+
3
+ Maps each role archetype to the skills it should `always_load` and the
4
+ toolsets it needs. Only references skills that ship in the public
5
+ repository (under `skills/` or `optional-skills/`). External APIs and CLIs are
6
+ called from the terminal toolset; they don't appear in `always_load`.
7
+
8
+ ## Skills relevant to video production
9
+
10
+ ### Visual / rendering skills (`
11
+
12
+ | Skill | What it does | Best fit for |
13
+ |-------|--------------|--------------|
14
+ | `ascii-video` | Production pipeline for ASCII art video — generative, audio-reactive, video-to-ASCII | Renderer for ASCII / terminal / retro pixel content; cinematographer for ASCII projects |
15
+ | `ascii-art` | Static ASCII art generation | Concept artist for ASCII style frames; secondary tool for ASCII renderer |
16
+ | `manim-video` | Manim CE animations — math, algorithms, 3Blue1Brown-style explainers | Renderer for math, algorithm walkthroughs, technical concept explainers |
17
+ | `p5js` | p5.js sketches — generative art, shaders, interactive, 3D | Renderer for generative art, particle systems, organic motion, web-canvas content |
18
+ | `comfyui` | Generate images, video, audio with ComfyUI workflows (image-to-image, image-to-video, etc.) | image-generator, image-to-video-generator, or general renderer for AI-generated content |
19
+ | `touchdesigner-mcp` | Control a running TouchDesigner instance — real-time visuals, audio-reactive installation art, VJ | Renderer for real-time/audio-reactive content; installation art; live performance |
20
+ | `blender-mcp` *(optional)* | Control Blender 4.3+ via MCP — 3D modeling, animation, rendering | Renderer for 3D scenes, photoreal environments, character animation |
21
+ | `pixel-art` | Pixel art with era palettes (NES, Game Boy, PICO-8) | Renderer for retro game aesthetic; concept artist for pixel-style frames |
22
+ | `baoyu-comic` | Knowledge-comic generation (educational, biography, tutorial) | Renderer for comic-style narrative; explainer in panel form |
23
+ | `baoyu-infographic` | Infographic generation | Renderer for data-driven explainer scenes |
24
+ | `meme-generation` *(optional)* | Generate meme images by overlaying text on templates | Generator for satirical/social content; meme-style stills |
25
+
26
+ ### Design / pre-production skills (`
27
+
28
+ | Skill | What it does | Best fit for |
29
+ |-------|--------------|--------------|
30
+ | `claude-design` | Design one-off HTML artifacts (landing, deck, prototype) | Concept artist for product video style frames; storyboarder for UI-heavy content |
31
+ | `design-md` | Design markdown docs | Concept artist documenting visual specs |
32
+ | `popular-web-designs` | Reference patterns for popular web designs | Concept artist; cinematographer when matching a known UI aesthetic |
33
+ | `sketch` | Throwaway HTML mockups (2-3 design variants to compare) | Concept artist exploring directions; storyboarder for UI flows |
34
+ | `excalidraw` | Excalidraw-style hand-drawn diagrams | Storyboarder; concept artist for sketch-style frames |
35
+ | `architecture-diagram` | Software architecture diagrams | Storyboarder for technical content; explainer scenes about systems |
36
+ | `concept-diagrams` *(optional)* | Flat, minimal SVG diagrams (educational visual language; physics, chemistry, math, anatomy, etc.) | Renderer / storyboarder for explainer scenes with clean educational diagrams |
37
+ | `pretext` | Mathematical/scientific content authoring | Writer / cinematographer for technical-explainer pretexts |
38
+ | `creative-ideation` | Constraint-driven project ideation | Director / cinematographer when the brief is wide-open and needs framing |
39
+ | `humanizer` | Strip AI-isms from text, add real voice | Writer / copywriter post-process to avoid AI-tells in scripts and VO copy |
40
+
41
+ ### Audio / media skills (`
42
+
43
+ | Skill | What it does | Best fit for |
44
+ |-------|--------------|--------------|
45
+ | `songwriting-and-ai-music` | Songwriting craft + Suno prompt patterns | Music supervisor when commissioning a track via Suno |
46
+ | `heartmula` | Open-source music generation (Apache-2.0, Suno-like) | Music supervisor generating bespoke tracks without external APIs |
47
+ | `songsee` | Spectrograms, mel/chroma/MFCC of audio files | Music supervisor analyzing tracks; foley-designer designing to a beat; editor visualizing a mix |
48
+ | `spotify` | Spotify control — play, search, queue, manage playlists | Music supervisor sourcing existing tracks; reference research |
49
+ | `youtube-content` | Fetch transcripts + transform to chapters/summaries/posts | Documentary cut, content adaptation, research for explainers |
50
+ | `gif-search` | Find existing GIFs | Editor / concept artist sourcing references |
51
+ | `gifs` | GIF tooling | Masterer producing GIF deliverables |
52
+
53
+ ### Kanban infrastructure (`
54
+
55
+ | Skill | What it does | When to load |
56
+ |-------|--------------|--------------|
57
+ | `kanban-orchestrator` | Decomposition playbook + anti-temptation rules for orchestrator profiles | Director only |
58
+ | `kanban-worker` | Pitfalls, examples, edge cases for kanban workers (deeper than auto-injected guidance) | Any profile — load when handling tricky multi-step workflows |
59
+
60
+ The kanban plugin auto-injects baseline orchestration guidance into every
61
+ worker's system prompt — the `kanban_create` fan-out pattern, claim/handoff
62
+ lifecycle, and the "decompose, don't execute" rule for orchestrators.
63
+ `kanban-orchestrator` and `kanban-worker` are deeper playbooks loaded when a
64
+ profile needs them.
65
+
66
+ ## External tools (called from terminal toolset)
67
+
68
+ These are **not** skills but external CLIs / APIs that profiles invoke.
69
+ They don't appear in `always_load`; instead the role's terminal commands hit
70
+ them directly.
71
+
72
+ | Tool | What it does | Profile that uses it |
73
+ |------|--------------|----------------------|
74
+ | `ffmpeg` | Video / audio encode, splice, mux | renderer, editor, audio-mixer, masterer |
75
+ | `ffprobe` | Inspect media | All media-touching profiles |
76
+ | Whisper (CLI or API) | Speech-to-text for captions | captioner |
77
+ | Text-to-image API (FAL / Replicate / OpenAI / Midjourney) | Stills generation | image-generator (alternative to local `comfyui`) |
78
+ | Image-to-video API (Runway / Kling / Luma / Pika) | Animate stills | image-to-video-generator |
79
+ | Text-to-speech API (ElevenLabs / OpenAI TTS / etc.) | Voiceover generation | voice-talent |
80
+ | Suno API or web | Track composition (paired with `songwriting-and-ai-music`) | music-supervisor |
81
+ | Remotion CLI (`npx remotion render`) | React-based motion graphics | renderer-motion-graphics |
82
+ | Manim CE (`manim`) | Math animation render (driven by `manim-video` skill's recipes) | renderer-manim |
83
+ | Blender (`blender -b`) | 3D rendering (alternative to `blender-mcp`) | renderer-3d |
84
+
85
+ ## Built-in tools for media review
86
+
87
+ These are native tools — not invoked via terminal but through their own
88
+ toolsets. Enable them per-profile by adding the toolset to the profile config.
89
+
90
+ | Tool | Toolset | What it does | Profile that uses it |
91
+ |------|---------|--------------|----------------------|
92
+ | `video_analyze` | `video` (opt-in — `hermes tools enable video`) | Native video understanding — sends full clip to a multimodal LLM (Gemini via OpenRouter) for review without frame extraction. Supports mp4, webm, mov, avi, mkv. 50 MB cap. Model: `AUXILIARY_VIDEO_MODEL` env → `AUXILIARY_VISION_MODEL` fallback. | reviewer, cinematographer, editor |
93
+ | `vision_analyze` | `vision` (core — enabled by default) | Image/frame analysis — review stills, thumbnails, exported frames. Already available to all profiles without opt-in. | reviewer, cinematographer, concept-artist |
94
+
95
+ ## Standard toolset configurations per role
96
+
97
+ ### director
98
+
99
+ ```yaml
100
+ toolsets:
101
+ - kanban
102
+ - terminal
103
+ - file
104
+ skills:
105
+ always_load:
106
+ - kanban-orchestrator
107
+ ```
108
+
109
+ The director's terminal access is conventional but the SOUL.md rules forbid
110
+ execution. Audit logs catch violations.
111
+
112
+ ### writer / copywriter
113
+
114
+ ```yaml
115
+ toolsets:
116
+ - kanban
117
+ - file
118
+ skills:
119
+ always_load:
120
+ - kanban-worker
121
+ - humanizer # post-process scripts to strip AI-tells
122
+ ```
123
+
124
+ No terminal — writers don't need it.
125
+
126
+ ### concept-artist
127
+
128
+ ```yaml
129
+ toolsets:
130
+ - kanban
131
+ - terminal
132
+ - file
133
+ skills:
134
+ always_load:
135
+ - kanban-worker
136
+ # plus one or more (style-dependent):
137
+ # - claude-design (UI / web product video)
138
+ # - sketch (quick mockup variants)
139
+ # - excalidraw (hand-drawn frames)
140
+ # - ascii-art (ASCII style frames)
141
+ # - pixel-art (retro/game aesthetic)
142
+ # - popular-web-designs (matching known web aesthetic)
143
+ # - design-md (text-based design docs)
144
+ ```
145
+
146
+ ### storyboarder
147
+
148
+ ```yaml
149
+ toolsets:
150
+ - kanban
151
+ - file
152
+ skills:
153
+ always_load:
154
+ - kanban-worker
155
+ # one of:
156
+ # - excalidraw (sketch storyboards)
157
+ # - architecture-diagram (technical/system content)
158
+ # - concept-diagrams (educational / scientific content)
159
+ ```
160
+
161
+ ### cinematographer
162
+
163
+ ```yaml
164
+ toolsets:
165
+ - kanban
166
+ - terminal
167
+ - file
168
+ - video # video_analyze — review full clips natively
169
+ - vision # vision_analyze — review stills / exported frames
170
+ skills:
171
+ always_load:
172
+ - kanban-worker
173
+ # the visual skill that matches the project, e.g.:
174
+ # - ascii-video (ASCII projects)
175
+ # - manim-video (math/explainer)
176
+ # - p5js (generative)
177
+ # - comfyui (AI-generated visuals)
178
+ # - blender-mcp (3D)
179
+ # - touchdesigner-mcp (real-time/installation)
180
+ ```
181
+
182
+ ### renderer (specialized variants)
183
+
184
+ ```yaml
185
+ toolsets:
186
+ - kanban
187
+ - terminal
188
+ - file
189
+ skills:
190
+ always_load:
191
+ - kanban-worker
192
+ # ONE skill per renderer variant (or empty for external-API renderers):
193
+ # - ascii-video (renderer-ascii)
194
+ # - manim-video (renderer-manim)
195
+ # - p5js (renderer-p5js)
196
+ # - comfyui (renderer-comfyui — img/video AI gen)
197
+ # - touchdesigner-mcp (renderer-touchdesigner)
198
+ # - blender-mcp (renderer-3d)
199
+ # - pixel-art (renderer-pixel)
200
+ # - baoyu-comic (renderer-comic)
201
+ # - meme-generation (renderer-meme)
202
+ ```
203
+
204
+ For external-API renderers (image-to-video-generator using Runway, voice-talent
205
+ using ElevenLabs, renderer-motion-graphics using Remotion), `always_load` only
206
+ contains `kanban-worker` — the role's work is API-driven and the API key +
207
+ terminal commands suffice.
208
+
209
+ For multi-skill renderer setups (rare — usually one variant per skill is
210
+ cleaner) use `--skill <name>` on individual `kanban_create` calls to override
211
+ which skill loads for that specific task.
212
+
213
+ ### image-generator / image-to-video-generator / voice-talent
214
+
215
+ ```yaml
216
+ toolsets:
217
+ - kanban
218
+ - terminal
219
+ - file
220
+ skills:
221
+ always_load:
222
+ - kanban-worker
223
+ # for image-generator that drives ComfyUI locally:
224
+ # - comfyui
225
+ env_required:
226
+ # populate based on the chosen API:
227
+ - FAL_KEY # or REPLICATE_API_TOKEN, OPENAI_API_KEY for image-gen
228
+ - RUNWAY_API_KEY # or KLING_API_KEY, LUMA_API_KEY for image-to-video
229
+ - ELEVENLABS_API_KEY # or OPENAI_API_KEY for TTS
230
+ ```
231
+
232
+ If the user's setup has ComfyUI installed locally, the `comfyui` skill can
233
+ replace the external image-gen API entirely (cheaper, more control, supports
234
+ custom workflows for image-to-video too).
235
+
236
+ ### music-supervisor
237
+
238
+ ```yaml
239
+ toolsets:
240
+ - kanban
241
+ - terminal
242
+ - file
243
+ skills:
244
+ always_load:
245
+ - kanban-worker
246
+ - songsee # spectrograms / audio analysis
247
+ # plus (depending on what the project needs):
248
+ # - songwriting-and-ai-music (commissioning Suno tracks)
249
+ # - heartmula (commissioning open-source local generation)
250
+ # - spotify (sourcing existing tracks)
251
+ ```
252
+
253
+ ### editor / audio-mixer / captioner / masterer
254
+
255
+ ```yaml
256
+ toolsets:
257
+ - kanban
258
+ - terminal
259
+ - file
260
+ - video # video_analyze — editor reviews assembled cuts natively
261
+ - vision # vision_analyze — spot-check frames
262
+ skills:
263
+ always_load:
264
+ - kanban-worker
265
+ ```
266
+
267
+ These are mostly ffmpeg-driven; no special skill needed beyond `kanban-worker`.
268
+ For captioner add Whisper invocation patterns to the SOUL.md.
269
+
270
+ ### reviewer / brand-cop
271
+
272
+ ```yaml
273
+ toolsets:
274
+ - kanban
275
+ - terminal # for media inspection (ffprobe, etc.)
276
+ - file
277
+ - video # video_analyze — review full clips natively
278
+ - vision # vision_analyze — review stills / exported frames
279
+ skills:
280
+ always_load:
281
+ - kanban-worker
282
+ ```
283
+
284
+ ## API key requirements
285
+
286
+ Track these in the project setup. The setup script should verify each required
287
+ key is present in `${HERMES_HOME:-~/.hermes}/.env` (or macOS Keychain) before firing the kanban.
288
+
289
+ | Service | Env var | Used by |
290
+ |---------|---------|---------|
291
+ | ElevenLabs | `ELEVENLABS_API_KEY` | voice-talent |
292
+ | OpenAI | `OPENAI_API_KEY` | image-generator (DALL-E), voice-talent (TTS) |
293
+ | OpenRouter | `OPENROUTER_API_KEY` | reviewer, cinematographer, editor (`video_analyze` routes through `AUXILIARY_VIDEO_MODEL` → OpenRouter) |
294
+ | FAL | `FAL_KEY` | image-generator (FAL flux models) |
295
+ | Replicate | `REPLICATE_API_TOKEN` | image-generator (alternate provider) |
296
+ | Runway | `RUNWAY_API_KEY` | image-to-video-generator |
297
+ | Kling | `KLING_API_KEY` | image-to-video-generator (alternate) |
298
+ | Luma | `LUMA_API_KEY` | image-to-video-generator (alternate) |
299
+ | Suno | `SUNO_API_KEY` | music-supervisor (paired with `songwriting-and-ai-music`) |
300
+ | Spotify | `SPOTIFY_CLIENT_ID` + `SPOTIFY_CLIENT_SECRET` | music-supervisor (paired with `spotify` skill) |
301
+ | Anthropic | `ANTHROPIC_API_KEY` | every agent profile (Claude) |
302
+
303
+ If a key is missing, prompt the user to add it. Storage methods, in order of
304
+ preference: macOS Keychain → `${HERMES_HOME:-~/.hermes}/.env` → environment variable.
305
+
306
+ ## Skill version pinning
307
+
308
+ If a specific skill version is desired, pass it via the per-task
309
+ `--skill <name>=<version>` flag. The default is whatever's installed.
310
+
311
+ ## Adding a new skill to the matrix
312
+
313
+ When a new video skill ships:
314
+
315
+ 1. Add a row to the relevant table at the top of this file
316
+ 2. If it warrants a specialized renderer variant, add to `role-archetypes.md`
317
+ 3. Update relevant per-style examples in `examples.md`
@@ -0,0 +1,332 @@
1
+ ---
2
+ name: web-pentest
3
+ description: |
4
+ Authorized web application penetration testing — reconnaissance, vulnerability
5
+ analysis, proof-based exploitation, and professional reporting. Adapts
6
+ Shannon's "No Exploit, No Report" methodology with hard guardrails for
7
+ scope, authorization, and aux-client leakage. Active testing against running
8
+ applications you own or have written authorization to test.
9
+ category: security
10
+ triggers:
11
+ - "pentest [URL]"
12
+ - "pentest this app"
13
+ - "penetration test [URL]"
14
+ - "security test this web app"
15
+ - "test [URL] for vulnerabilities"
16
+ - "find vulns in [URL]"
17
+ - "OWASP test [URL]"
18
+ toolsets:
19
+ - terminal
20
+ - web
21
+ - browser
22
+ - file
23
+ - delegation
24
+ ---
25
+
26
+ # Web Application Penetration Testing
27
+
28
+ A phased pentesting workflow for running web applications. Adapted from
29
+ Shannon's pipeline (Keygraph, AGPL — concepts only, no code borrowed).
30
+ Built around three rules:
31
+
32
+ 1. No exploit, no report — every finding requires reproducible evidence.
33
+ 2. Bounded scope — every active request goes against a target the operator
34
+ pre-declared. Off-scope hosts are refused.
35
+ 3. Bypass exhaustion before false-positive dismissal — a "blocked" payload
36
+ is not a clean bill of health until you've tried the bypass set.
37
+
38
+ ---
39
+
40
+ ## ⚠️ Hard Guardrails — Read Before Every Engagement
41
+
42
+ Violating any of these invalidates the engagement and may be illegal.
43
+
44
+ 1. **Authorization gate.** Before the first active scan in a session, you
45
+ MUST confirm with the user, in writing, that they own or have written
46
+ authorization to test the target. Record the acknowledgement in
47
+ `engagement/authorization.md` (see template). No acknowledgement → no
48
+ active scanning. Reading public pages with `curl` is fine; sending
49
+ payloads is not.
50
+
51
+ 2. **Scope allowlist.** Maintain `engagement/scope.txt` — one hostname or
52
+ CIDR per line. Every `nmap`, `curl`, `whatweb`, browser navigation, or
53
+ payload-bearing request MUST be against an entry in scope. If a target
54
+ redirects you off-scope (3xx to a different host, a link in HTML),
55
+ STOP and confirm with the user before following.
56
+
57
+ 3. **No production systems without paper.** If the user hasn't told you
58
+ "yes, prod is in scope and I have written sign-off," assume not. Default
59
+ targets are staging, local docker, dedicated test instances.
60
+
61
+ 4. **Cloud metadata is off by default.** Do not probe `169.254.169.254`,
62
+ `metadata.google.internal`, `100.100.100.200`, `[fd00:ec2::254]`, or
63
+ equivalent unless the engagement explicitly includes SSRF-to-metadata
64
+ as a goal AND the target is one you control. The agent's browser tool
65
+ can reach these from inside your own infrastructure — don't.
66
+
67
+ 5. **Destructive payloads need approval.** SQLi payloads that DROP/DELETE,
68
+ filesystem-write SSTI, command injection with `rm`/`shutdown`/`mkfs`,
69
+ anything that mutates beyond a single test row → ASK FIRST. The
70
+ `approval.py` system catches some; don't rely on it alone.
71
+
72
+ 6. **Aux-client leakage risk.** This skill produces
73
+ sessions full of SQLi/XSS/RCE payloads, captured credentials, JWT
74
+ tokens. context compression and title-generation paths replay history
75
+ through the auxiliary client (often the main model). Anything sensitive
76
+ you write to the conversation can leave the box on the next compress.
77
+ Mitigation:
78
+ - Redact captured tokens/credentials to the LAST 6 CHARS before logging
79
+ them in any message. Full values go to `engagement/evidence/` files,
80
+ never into chat history.
81
+ - If the engagement is sensitive, set `auxiliary.title_generation.enabled: false`
82
+ in `~/.agent/config.yaml` for the session.
83
+
84
+ 7. **Rate limit yourself.** Default 200ms between active requests against
85
+ any single host. The recon-scan.sh script enforces this. Don't bypass
86
+ it without operator approval.
87
+
88
+ 8. **Authority of the report.** This skill produces a security
89
+ assessment, not a "PASS." Even a clean run is "no exploitable issues
90
+ FOUND in scope X within time T using methods Y" — not "the application
91
+ is secure." Mirror that language in the report.
92
+
93
+ ---
94
+
95
+ ## Phase 0: Engagement Setup
96
+
97
+ Before any scanning happens, create the engagement directory and
98
+ authorization acknowledgement.
99
+
100
+ ```bash
101
+ ENGAGEMENT=engagement-$(date +%Y%m%d-%H%M%S)
102
+ mkdir -p "$ENGAGEMENT"/{evidence,findings,reports}
103
+ cd "$ENGAGEMENT"
104
+ ```
105
+
106
+ 1. **Ask the user (verbatim):**
107
+ > "Confirm: (a) the target URL is [X], (b) you own this application
108
+ > or have written authorization to test it, and (c) the engagement
109
+ > may run for up to [N] hours starting now. Reply 'authorized' to
110
+ > proceed."
111
+
112
+ 2. **Wait for explicit `authorized` response.** Any other answer means STOP.
113
+
114
+ 3. **Record authorization** to `engagement/authorization.md` using the
115
+ template in `templates/authorization.md`. Include:
116
+ - Target URL(s) and IP(s)
117
+ - Authorization basis (ownership / written authz from $name)
118
+ - Engagement window
119
+ - Out-of-scope items (production, third-party services, etc.)
120
+ - Operator name (the user driving this session)
121
+
122
+ 4. **Build scope.txt:**
123
+ ```
124
+ localhost
125
+ 127.0.0.1
126
+ staging.example.com
127
+ 192.168.1.0/24 # internal lab only, with operator OK
128
+ ```
129
+
130
+ 5. **Read** `references/scope-enforcement.md` before issuing the first
131
+ active request — that doc has the host-extraction rules you apply
132
+ to every command/URL before it goes out.
133
+
134
+ ---
135
+
136
+ ## Phase 1: Pre-Recon (Code Analysis, optional)
137
+
138
+ Skip if no source access (black-box engagement).
139
+
140
+ If you have read access to the application source:
141
+
142
+ 1. **Map the architecture** — framework, routing, middleware stack
143
+ 2. **Inventory sinks** — every `execute(`, `os.system(`, `eval(`,
144
+ template render, file read/write, redirect target
145
+ 3. **Map auth** — session cookie vs JWT, OAuth flows, password reset,
146
+ privileged endpoints
147
+ 4. **Identify trust boundaries** — what's authenticated, what's not,
148
+ what comes from `request.*`
149
+ 5. **Backward taint** from each sink to a request source. Early-terminate
150
+ when proper sanitization is found (parameterized queries, allowlists,
151
+ `shlex.quote`, well-known escapers).
152
+
153
+ Output: `evidence/pre-recon.md` — architecture map, sink inventory,
154
+ suspected vulnerable code paths.
155
+
156
+ This is OFFLINE work. No traffic to the target.
157
+
158
+ ---
159
+
160
+ ## Phase 2: Recon (Live, Read-Only)
161
+
162
+ Maps the attack surface. All requests are GETs of public pages, no
163
+ payloads yet. Still scope-bounded.
164
+
165
+ 1. **Verify scope.** Resolve every target hostname → IP. Confirm IPs are
166
+ in scope (avoids the "DNS points somewhere unexpected" trap).
167
+
168
+ 2. **Network surface** (only if scope permits port scanning):
169
+ ```bash
170
+ nmap -sT -T3 --top-ports 100 -oN evidence/nmap.txt $TARGET
171
+ ```
172
+ Use `-T3` (default), not `-T4/-T5`. Stealthier and avoids tripping
173
+ IDS/IPS in shared environments.
174
+
175
+ 3. **Tech fingerprint:**
176
+ ```bash
177
+ whatweb -v $TARGET_URL > evidence/whatweb.txt
178
+ curl -sIk $TARGET_URL > evidence/headers.txt
179
+ ```
180
+
181
+ 4. **Endpoint discovery:**
182
+ - Crawl the app with the browser tool (`browser_navigate`,
183
+ `browser_get_images`, follow links).
184
+ - Inspect `robots.txt`, `sitemap.xml`, `.well-known/*`.
185
+ - Use the developer tools network panel via browser tool to capture
186
+ XHR/fetch calls.
187
+
188
+ 5. **Auth surface:** Identify login, registration, password reset,
189
+ session cookie names, token formats. Do NOT send credentials yet —
190
+ just observe.
191
+
192
+ 6. **Correlate with pre-recon** (if you have source). For each
193
+ `evidence/pre-recon.md` finding, mark whether the live surface
194
+ confirms it's reachable.
195
+
196
+ Output: `evidence/recon.md` — endpoints, technologies, auth model,
197
+ input vectors.
198
+
199
+ ---
200
+
201
+ ## Phase 3: Vulnerability Analysis
202
+
203
+ One delegate_task per vulnerability class. Each agent reads
204
+ `evidence/recon.md` (+ `evidence/pre-recon.md` if present), produces
205
+ `findings/<class>-queue.json` using `templates/exploitation-queue.json`.
206
+
207
+ Use `delegate_task` with these focused subagents (parallel where possible):
208
+
209
+ | Class | Goal | Reference |
210
+ |-------|------|-----------|
211
+ | `injection` | SQLi, command, path traversal, SSTI, LFI/RFI, deserialization | `references/vuln-taxonomy.md` (slot types) |
212
+ | `xss` | Reflected, stored, DOM-based | `references/vuln-taxonomy.md` (render contexts) |
213
+ | `auth` | Login bypass, JWT confusion, session fixation, OAuth flaws | `references/exploitation-techniques.md` |
214
+ | `authz` | IDOR, vertical/horizontal escalation, business logic | `references/exploitation-techniques.md` |
215
+ | `ssrf` | Internal reachability, metadata, protocol smuggling | Skip metadata unless explicitly authorized |
216
+ | `infra` | Misconfig, info disclosure, default creds, exposed admin | `references/exploitation-techniques.md` |
217
+
218
+ Each queue entry has: id, vuln class, source (file:line if known),
219
+ endpoint, parameter, slot type, suspected defense, verdict
220
+ (`identified` / `partial` / `confirmed` / `critical`), witness payload,
221
+ confidence (0-1), notes.
222
+
223
+ The analysis phase doesn't send malicious payloads yet — it stages them.
224
+ The exploitation phase actually fires them.
225
+
226
+ ---
227
+
228
+ ## Phase 4: Exploitation (Proof-Based, Conditional)
229
+
230
+ Only run a sub-agent per class where the analysis queue has actionable
231
+ entries (`identified` or `partial`).
232
+
233
+ For each candidate:
234
+
235
+ 1. **Pre-send check** — host in scope? auth gate satisfied? payload
236
+ approved if destructive?
237
+ 2. **Send the witness payload** — minimal proof. SQLi: `' AND 1=1--`
238
+ then `' AND 1=2--`. XSS: a benign marker like
239
+ `<svg/onload=console.log("HERMES-PENTEST-XSS")>`. Never `alert(1)` in
240
+ stored XSS — it'll fire for other users in shared environments.
241
+ 3. **Verify the witness fires** — for blind injection, use a sleep
242
+ probe (`SLEEP(5)`) and time the response. For SSRF, use a
243
+ tester-controlled callback host you own (NOT a public service like
244
+ webhook.site for sensitive engagements — exfil paths).
245
+ 4. **Promote level:**
246
+ - **L1 Identified** — pattern matched, no behavior change
247
+ - **L2 Partial** — sink reached, but defense in place
248
+ - **L3 Confirmed** — payload changed app behavior in observable way
249
+ - **L4 Critical** — data extracted, code executed, access escalated
250
+ 5. **Bypass exhaustion before classifying as FP.** For each candidate
251
+ that blocks: try at least the bypass set in
252
+ `references/bypass-techniques.md` for that class. Only after the set
253
+ is exhausted may you write `verdict: false_positive`.
254
+ 6. **Record evidence** for every L3/L4:
255
+ - Full request (method, URL, headers, body)
256
+ - Response (status, headers, relevant body excerpt)
257
+ - Reproducer command (curl one-liner)
258
+ - Impact statement
259
+
260
+ Output: `findings/exploitation-evidence.md`
261
+
262
+ **Redact in evidence files:**
263
+ - Any captured credentials/tokens → last 6 chars only in chat;
264
+ full value to `findings/secrets-vault.md` (gitignored).
265
+ - Other users' PII → redact.
266
+ - Your test credentials → fine to keep.
267
+
268
+ ---
269
+
270
+ ## Phase 5: Reporting
271
+
272
+ Generate the final report using `templates/pentest-report.md`. Sections:
273
+
274
+ 1. Executive summary
275
+ 2. Engagement scope (from `engagement/scope.txt`)
276
+ 3. Authorization (from `engagement/authorization.md`)
277
+ 4. Findings (L3/L4 only — proof-required). Per finding:
278
+ - Title, severity (CVSS 3.1), CWE
279
+ - Affected endpoint(s)
280
+ - Proof (request + response excerpt)
281
+ - Reproduction steps
282
+ - Impact
283
+ - Remediation
284
+ 5. Not-exploited candidates (L1/L2 with notes on what blocked them)
285
+ 6. Out-of-scope observations
286
+ 7. Methodology / tools used
287
+ 8. Limitations and what was NOT tested
288
+
289
+ **Severity policy:** CVSS only for L3/L4. L1/L2 are "candidates pending
290
+ verification" — don't assign CVSS to unverified findings.
291
+
292
+ ---
293
+
294
+ ## When to Stop
295
+
296
+ - The user revokes authorization.
297
+ - A candidate finding clearly impacts production data and you don't have
298
+ approval for destructive testing — STOP and ask.
299
+ - The target starts returning 503/429 storms — back off, reconvene with
300
+ the operator.
301
+ - You discover something *outside* the contracted scope (e.g. an exposed
302
+ customer database while testing an unrelated endpoint). STOP, document,
303
+ report to the operator. Do not pivot without explicit approval — that
304
+ pivot is what makes pentesting illegal.
305
+
306
+ ---
307
+
308
+ ## What This Skill Does NOT Cover
309
+
310
+ - Network-layer pentesting beyond port scanning (no Metasploit,
311
+ Cobalt Strike, AD attacks, network protocol fuzzing).
312
+ - Reverse engineering / binary analysis (see issue #383).
313
+ - Source-only static analysis (see issue #382).
314
+ - Active social engineering / phishing.
315
+ - Anything against systems the operator hasn't pre-authorized.
316
+
317
+ If the engagement needs any of these, escalate to a professional
318
+ pentester. This skill complements professional pentesting; it does
319
+ not replace it.
320
+
321
+ ---
322
+
323
+ ## Further Reading
324
+
325
+ - `references/scope-enforcement.md` — how to bound every active request
326
+ - `references/vuln-taxonomy.md` — slot types, render contexts, OWASP map
327
+ - `references/exploitation-techniques.md` — per-class payload patterns
328
+ - `references/bypass-techniques.md` — common WAF/filter bypasses
329
+ - `templates/authorization.md` — engagement authorization template
330
+ - `templates/pentest-report.md` — final report template
331
+ - `templates/exploitation-queue.json` — per-class finding queue schema
332
+ - `scripts/recon-scan.sh` — rate-limited nmap+whatweb+headers wrapper