mindforge-cc 11.7.1 → 11.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (78) hide show
  1. package/.agent/mindforge/wf-accessibility-audit.md +31 -0
  2. package/.agent/mindforge/wf-ai-model-eval.md +31 -0
  3. package/.agent/mindforge/wf-api-contract-test.md +31 -0
  4. package/.agent/mindforge/wf-api-migration.md +31 -0
  5. package/.agent/mindforge/wf-architecture-modernization.md +32 -0
  6. package/.agent/mindforge/wf-catalog.md +25 -2
  7. package/.agent/mindforge/wf-code-explainer.md +31 -0
  8. package/.agent/mindforge/wf-competitive-teardown.md +31 -0
  9. package/.agent/mindforge/wf-cost-analysis.md +31 -0
  10. package/.agent/mindforge/wf-data-pipeline-validate.md +31 -0
  11. package/.agent/mindforge/wf-database-migration.md +31 -0
  12. package/.agent/mindforge/wf-debug-detective.md +32 -0
  13. package/.agent/mindforge/wf-dependency-health.md +31 -0
  14. package/.agent/mindforge/wf-design-system-audit.md +31 -0
  15. package/.agent/mindforge/wf-documentation-gen.md +31 -0
  16. package/.agent/mindforge/wf-multi-repo-sync.md +31 -0
  17. package/.agent/mindforge/wf-mutation-testing.md +31 -0
  18. package/.agent/mindforge/wf-security-hardening.md +32 -0
  19. package/.agent/mindforge/wf-security-threat-model.md +31 -0
  20. package/.agent/mindforge/wf-test-coverage-gap.md +31 -0
  21. package/.agent/mindforge/wf-ux-heuristic-audit.md +31 -0
  22. package/.agent/mindforge/wf-writer-reviewer.md +30 -0
  23. package/.claude/commands/mindforge/wf-accessibility-audit.md +31 -0
  24. package/.claude/commands/mindforge/wf-ai-model-eval.md +31 -0
  25. package/.claude/commands/mindforge/wf-api-contract-test.md +31 -0
  26. package/.claude/commands/mindforge/wf-api-migration.md +31 -0
  27. package/.claude/commands/mindforge/wf-architecture-modernization.md +32 -0
  28. package/.claude/commands/mindforge/wf-catalog.md +25 -2
  29. package/.claude/commands/mindforge/wf-code-explainer.md +31 -0
  30. package/.claude/commands/mindforge/wf-competitive-teardown.md +31 -0
  31. package/.claude/commands/mindforge/wf-cost-analysis.md +31 -0
  32. package/.claude/commands/mindforge/wf-data-pipeline-validate.md +31 -0
  33. package/.claude/commands/mindforge/wf-database-migration.md +31 -0
  34. package/.claude/commands/mindforge/wf-debug-detective.md +32 -0
  35. package/.claude/commands/mindforge/wf-dependency-health.md +31 -0
  36. package/.claude/commands/mindforge/wf-design-system-audit.md +31 -0
  37. package/.claude/commands/mindforge/wf-documentation-gen.md +31 -0
  38. package/.claude/commands/mindforge/wf-multi-repo-sync.md +31 -0
  39. package/.claude/commands/mindforge/wf-mutation-testing.md +31 -0
  40. package/.claude/commands/mindforge/wf-security-hardening.md +32 -0
  41. package/.claude/commands/mindforge/wf-security-threat-model.md +31 -0
  42. package/.claude/commands/mindforge/wf-test-coverage-gap.md +31 -0
  43. package/.claude/commands/mindforge/wf-ux-heuristic-audit.md +31 -0
  44. package/.claude/commands/mindforge/wf-writer-reviewer.md +30 -0
  45. package/.mindforge/config.json +2 -2
  46. package/.mindforge/dynamic-workflows/REGISTRY.md +58 -60
  47. package/.mindforge/dynamic-workflows/index.json +296 -0
  48. package/.mindforge/dynamic-workflows/scripts/accessibility-audit.js +119 -0
  49. package/.mindforge/dynamic-workflows/scripts/ai-model-eval.js +82 -0
  50. package/.mindforge/dynamic-workflows/scripts/api-contract-test.js +114 -0
  51. package/.mindforge/dynamic-workflows/scripts/api-migration.js +156 -0
  52. package/.mindforge/dynamic-workflows/scripts/architecture-modernization.js +111 -0
  53. package/.mindforge/dynamic-workflows/scripts/code-explainer.js +138 -0
  54. package/.mindforge/dynamic-workflows/scripts/competitive-teardown.js +142 -0
  55. package/.mindforge/dynamic-workflows/scripts/cost-analysis.js +107 -0
  56. package/.mindforge/dynamic-workflows/scripts/data-pipeline-validate.js +69 -0
  57. package/.mindforge/dynamic-workflows/scripts/database-migration.js +113 -0
  58. package/.mindforge/dynamic-workflows/scripts/debug-detective.js +124 -0
  59. package/.mindforge/dynamic-workflows/scripts/dependency-health.js +110 -0
  60. package/.mindforge/dynamic-workflows/scripts/design-system-audit.js +115 -0
  61. package/.mindforge/dynamic-workflows/scripts/documentation-gen.js +91 -0
  62. package/.mindforge/dynamic-workflows/scripts/multi-repo-sync.js +63 -0
  63. package/.mindforge/dynamic-workflows/scripts/mutation-testing.js +148 -0
  64. package/.mindforge/dynamic-workflows/scripts/security-hardening.js +154 -0
  65. package/.mindforge/dynamic-workflows/scripts/security-threat-model.js +159 -0
  66. package/.mindforge/dynamic-workflows/scripts/test-coverage-gap.js +95 -0
  67. package/.mindforge/dynamic-workflows/scripts/ux-heuristic-audit.js +122 -0
  68. package/.mindforge/dynamic-workflows/scripts/writer-reviewer.js +85 -0
  69. package/.mindforge/memory/sync-manifest.json +1 -1
  70. package/CHANGELOG.md +17 -0
  71. package/MINDFORGE.md +2 -2
  72. package/README.md +26 -4
  73. package/RELEASENOTES.md +36 -0
  74. package/bin/workflows/workflow-runner.js +18 -2
  75. package/docs/commands-reference.md +40 -14
  76. package/docs/getting-started.md +13 -1
  77. package/docs/user-guide.md +20 -1
  78. package/package.json +1 -1
@@ -0,0 +1,154 @@
1
+ export const meta = {
2
+ name: 'security-hardening',
3
+ description: '5-angle OWASP parallel scout → 3-vote adversarial verification → threat model + remediation roadmap',
4
+ whenToUse: 'When hardening a codebase before a security review, pentest, or production launch',
5
+ phases: [
6
+ { title: 'Scope', detail: 'Define attack surface and target context' },
7
+ { title: 'Scout', detail: '5 parallel OWASP/CWE dimension scouts' },
8
+ { title: 'Verify', detail: '3-vote adversarial verification per critical finding' },
9
+ { title: 'ThreatModel', detail: 'STRIDE threat model from confirmed findings' },
10
+ { title: 'Roadmap', detail: 'Prioritized remediation roadmap with severity/effort matrix' },
11
+ ],
12
+ };
13
+
14
+ export default async function run({ agent, parallel, pipeline, phase, log, args, budget }) {
15
+ const FINDING_SCHEMA = {
16
+ type: 'object',
17
+ properties: {
18
+ dimension: { type: 'string' },
19
+ findings: {
20
+ type: 'array',
21
+ items: {
22
+ type: 'object',
23
+ properties: {
24
+ cwe: { type: 'string' },
25
+ owasp: { type: 'string' },
26
+ severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low', 'info'] },
27
+ title: { type: 'string' },
28
+ location: { type: 'string' },
29
+ description: { type: 'string' },
30
+ remediation: { type: 'string' },
31
+ },
32
+ required: ['severity', 'title', 'description', 'remediation'],
33
+ },
34
+ },
35
+ },
36
+ required: ['dimension', 'findings'],
37
+ };
38
+
39
+ const VERDICT_SCHEMA = {
40
+ type: 'object',
41
+ properties: { isReal: { type: 'boolean' }, cvssEstimate: { type: 'number' }, reason: { type: 'string' } },
42
+ required: ['isReal', 'reason'],
43
+ };
44
+
45
+ const THREAT_SCHEMA = {
46
+ type: 'object',
47
+ properties: {
48
+ strideThreats: {
49
+ type: 'array',
50
+ items: {
51
+ type: 'object',
52
+ properties: {
53
+ stride: { type: 'string', enum: ['Spoofing', 'Tampering', 'Repudiation', 'InfoDisclosure', 'DoS', 'ElevationOfPrivilege'] },
54
+ threat: { type: 'string' },
55
+ likelihood: { type: 'string', enum: ['high', 'medium', 'low'] },
56
+ impact: { type: 'string', enum: ['high', 'medium', 'low'] },
57
+ mitigation: { type: 'string' },
58
+ },
59
+ required: ['stride', 'threat', 'likelihood', 'impact', 'mitigation'],
60
+ },
61
+ },
62
+ },
63
+ required: ['strideThreats'],
64
+ };
65
+
66
+ const ROADMAP_SCHEMA = {
67
+ type: 'object',
68
+ properties: {
69
+ summary: { type: 'string' },
70
+ overallRisk: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
71
+ immediateActions: { type: 'array', items: { type: 'string' } },
72
+ roadmap: {
73
+ type: 'array',
74
+ items: {
75
+ type: 'object',
76
+ properties: {
77
+ sprint: { type: 'number' },
78
+ items: { type: 'array', items: { type: 'string' } },
79
+ riskReduction: { type: 'string' },
80
+ },
81
+ required: ['sprint', 'items', 'riskReduction'],
82
+ },
83
+ },
84
+ },
85
+ required: ['summary', 'overallRisk', 'immediateActions', 'roadmap'],
86
+ };
87
+
88
+ const target = args || 'current codebase (run from repo root)';
89
+
90
+ phase('Scope');
91
+ log(`Security hardening target: ${target}`);
92
+
93
+ const SCOUTS = [
94
+ { label: 'injection', prompt: `Scout for injection vulnerabilities in: "${target}". Cover: SQL injection, command injection, LDAP injection, XSS (stored/reflected/DOM), SSTI, XXE, path traversal (CWE-89, CWE-78, CWE-79, CWE-611, CWE-22). For each finding provide CWE ID, OWASP category, exact file/line if possible, and remediation.` },
95
+ { label: 'auth-access', prompt: `Scout for authentication and access control issues in: "${target}". Cover: broken authentication, missing auth checks, JWT flaws, session fixation, privilege escalation, IDOR, missing rate limits (OWASP A01, A07). Include CWE IDs and remediation.` },
96
+ { label: 'crypto-secrets', prompt: `Scout for cryptographic failures and secret exposure in: "${target}". Cover: hardcoded secrets, weak hashing (MD5/SHA1 for passwords), insecure random, unencrypted PII in transit/at-rest, certificate validation bypass (CWE-327, CWE-798, CWE-330). Include CWE IDs and remediation.` },
97
+ { label: 'config-supply', prompt: `Scout for security misconfiguration and supply chain risks in: "${target}". Cover: debug endpoints exposed, CORS misconfig, CSP missing, dependency vulns, unpinned deps, outdated packages with CVEs (OWASP A05, A06). Include CWE IDs and remediation.` },
98
+ { label: 'logging-monitoring', prompt: `Scout for logging, monitoring, and error handling security gaps in: "${target}". Cover: sensitive data in logs, missing audit trails, verbose error messages leaking internals, missing security event logging, SSRF via fetch/request (OWASP A09, A10, CWE-209). Include CWE IDs and remediation.` },
99
+ ];
100
+
101
+ phase('Scout');
102
+ const scouts = await parallel(
103
+ SCOUTS.map(s => () => agent(s.prompt, { schema: FINDING_SCHEMA, label: `scout:${s.label}`, phase: 'Scout' }))
104
+ );
105
+
106
+ phase('Verify');
107
+ const allFindings = scouts.filter(Boolean).flatMap(s => (s.findings || []).map(f => ({ ...f, dimension: s.dimension })));
108
+ const criticalAndHigh = allFindings.filter(f => f.severity === 'critical' || f.severity === 'high');
109
+ log(`${allFindings.length} total findings, ${criticalAndHigh.length} critical/high → 3-vote adversarial verify`);
110
+
111
+ const verified = await parallel(
112
+ criticalAndHigh.map(f => () =>
113
+ parallel([
114
+ () => agent(`Try to REFUTE this security finding — is it a false positive? Finding: [${f.severity.toUpperCase()}] ${f.title} — ${f.description}. Default refuted=false only if clearly real.`, { schema: VERDICT_SCHEMA, label: `v1:${f.title.slice(0, 25)}`, phase: 'Verify' }),
115
+ () => agent(`Challenge this finding from an attacker's perspective — is it actually exploitable? Finding: [${f.severity.toUpperCase()}] ${f.title} — ${f.description}. Rate exploitability.`, { schema: VERDICT_SCHEMA, label: `v2:${f.title.slice(0, 25)}`, phase: 'Verify' }),
116
+ () => agent(`Assess business impact of this finding being exploited. Is the severity rating accurate? Finding: [${f.severity.toUpperCase()}] ${f.title} — ${f.description}.`, { schema: VERDICT_SCHEMA, label: `v3:${f.title.slice(0, 25)}`, phase: 'Verify' }),
117
+ ]).then(votes => {
118
+ if (!votes) return { ...f, confirmed: false };
119
+ const realVotes = votes.filter(Boolean).filter(v => v.isReal).length;
120
+ return { ...f, confirmed: realVotes >= 2 };
121
+ })
122
+ )
123
+ );
124
+
125
+ const confirmedHigh = verified.filter(Boolean).filter(f => f.confirmed);
126
+ const lowerSeverity = allFindings.filter(f => f.severity !== 'critical' && f.severity !== 'high');
127
+ const allConfirmed = [...confirmedHigh, ...lowerSeverity];
128
+ log(`${confirmedHigh.length}/${criticalAndHigh.length} critical/high confirmed after 3-vote verification`);
129
+
130
+ phase('ThreatModel');
131
+ const findingSummary = allConfirmed.slice(0, 15).map(f => `[${f.severity}] ${f.title}: ${f.description}`).join('\n');
132
+ const threatModel = await agent(
133
+ `Generate a STRIDE threat model for: "${target}"\n\nBased on these confirmed findings:\n${findingSummary}\n\nFor each STRIDE category (Spoofing, Tampering, Repudiation, InfoDisclosure, DoS, ElevationOfPrivilege) identify the top threat, likelihood, impact, and mitigation.`,
134
+ { schema: THREAT_SCHEMA, label: 'threat-model', phase: 'ThreatModel' }
135
+ );
136
+ if (!threatModel) { log('Warning: agent returned null for threatModel, skipping'); return { target, error: 'agent-null' }; }
137
+
138
+ phase('Roadmap');
139
+ const threatSummary = (threatModel.strideThreats || []).map(t => `[${t.stride}] ${t.threat} (${t.likelihood} likelihood, ${t.impact} impact) → ${t.mitigation}`).join('\n');
140
+ const roadmap = await agent(
141
+ `Create a prioritized security remediation roadmap for: "${target}"\n\nConfirmed findings (${allConfirmed.length} total):\n${findingSummary}\n\nSTRIDE threats:\n${threatSummary}\n\nGroup into 3 sprints by severity+effort. Sprint 1 = immediate (critical/high, low effort). Sprint 2 = short-term (high, higher effort + medium). Sprint 3 = long-term (medium/low). Include risk reduction estimate per sprint.`,
142
+ { schema: ROADMAP_SCHEMA, label: 'roadmap', phase: 'Roadmap' }
143
+ );
144
+ if (!roadmap) { return { target, threats: threatModel, error: 'roadmap-agent-null', stats: { total: allFindings.length, criticalHigh: criticalAndHigh.length, confirmed: confirmedHigh.length } }; }
145
+
146
+ return {
147
+ target,
148
+ threats: threatModel,
149
+ report: {
150
+ ...roadmap,
151
+ stats: { total: allFindings.length, criticalHigh: criticalAndHigh.length, confirmed: confirmedHigh.length, lower: lowerSeverity.length },
152
+ },
153
+ };
154
+ }
@@ -0,0 +1,159 @@
1
+ export const meta = {
2
+ name: 'security-threat-model',
3
+ description: 'Asset inventory → STRIDE threat enumeration → parallel mitigations → CVSS-style score matrix',
4
+ whenToUse: 'When threat modeling a system architecture, new feature, or service before implementation or security review',
5
+ phases: [
6
+ { title: 'Assets', detail: 'Inventory system assets, data flows, and trust boundaries' },
7
+ { title: 'STRIDE', detail: '6 parallel STRIDE threat agents — one per threat category' },
8
+ { title: 'Mitigate', detail: 'Parallel mitigation agent per identified threat' },
9
+ { title: 'Score', detail: 'CVSS-style risk score matrix with remediation priority' },
10
+ ],
11
+ };
12
+
13
+ export default async function run({ agent, parallel, pipeline, phase, log, args, budget }) {
14
+ const ASSETS_SCHEMA = {
15
+ type: 'object',
16
+ properties: {
17
+ assets: {
18
+ type: 'array',
19
+ items: {
20
+ type: 'object',
21
+ properties: {
22
+ name: { type: 'string' },
23
+ type: { type: 'string', enum: ['data', 'service', 'credential', 'infrastructure', 'user'] },
24
+ sensitivity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
25
+ description: { type: 'string' },
26
+ },
27
+ required: ['name', 'type', 'sensitivity'],
28
+ },
29
+ },
30
+ dataFlows: { type: 'array', items: { type: 'string' } },
31
+ trustBoundaries: { type: 'array', items: { type: 'string' } },
32
+ entryPoints: { type: 'array', items: { type: 'string' } },
33
+ },
34
+ required: ['assets', 'dataFlows', 'trustBoundaries', 'entryPoints'],
35
+ };
36
+
37
+ const STRIDE_SCHEMA = {
38
+ type: 'object',
39
+ properties: {
40
+ category: { type: 'string', enum: ['Spoofing', 'Tampering', 'Repudiation', 'InformationDisclosure', 'DenialOfService', 'ElevationOfPrivilege'] },
41
+ threats: {
42
+ type: 'array',
43
+ items: {
44
+ type: 'object',
45
+ properties: {
46
+ threatId: { type: 'string' },
47
+ title: { type: 'string' },
48
+ affectedAsset: { type: 'string' },
49
+ attackVector: { type: 'string' },
50
+ likelihood: { type: 'string', enum: ['high', 'medium', 'low'] },
51
+ impact: { type: 'string', enum: ['high', 'medium', 'low'] },
52
+ description: { type: 'string' },
53
+ },
54
+ required: ['threatId', 'title', 'affectedAsset', 'likelihood', 'impact', 'description'],
55
+ },
56
+ },
57
+ },
58
+ required: ['category', 'threats'],
59
+ };
60
+
61
+ const MITIGATION_SCHEMA = {
62
+ type: 'object',
63
+ properties: {
64
+ threatId: { type: 'string' },
65
+ controls: {
66
+ type: 'array',
67
+ items: {
68
+ type: 'object',
69
+ properties: {
70
+ control: { type: 'string' },
71
+ type: { type: 'string', enum: ['preventive', 'detective', 'corrective'] },
72
+ implementation: { type: 'string' },
73
+ effort: { type: 'string', enum: ['low', 'medium', 'high'] },
74
+ },
75
+ required: ['control', 'type', 'implementation', 'effort'],
76
+ },
77
+ },
78
+ residualRisk: { type: 'string', enum: ['high', 'medium', 'low', 'accepted'] },
79
+ },
80
+ required: ['threatId', 'controls', 'residualRisk'],
81
+ };
82
+
83
+ const SCORE_SCHEMA = {
84
+ type: 'object',
85
+ properties: {
86
+ summary: { type: 'string' },
87
+ overallRiskLevel: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
88
+ scoreMatrix: {
89
+ type: 'array',
90
+ items: {
91
+ type: 'object',
92
+ properties: {
93
+ threatId: { type: 'string' },
94
+ title: { type: 'string' },
95
+ category: { type: 'string' },
96
+ cvssEstimate: { type: 'number' },
97
+ priority: { type: 'string', enum: ['p0', 'p1', 'p2', 'p3'] },
98
+ mitigationStatus: { type: 'string', enum: ['mitigated', 'partial', 'unmitigated'] },
99
+ },
100
+ required: ['threatId', 'title', 'category', 'cvssEstimate', 'priority'],
101
+ },
102
+ },
103
+ topRisks: { type: 'array', items: { type: 'string' } },
104
+ },
105
+ required: ['summary', 'overallRiskLevel', 'scoreMatrix', 'topRisks'],
106
+ };
107
+
108
+ const target = args || 'current system (run from repo root or describe the system in args)';
109
+
110
+ phase('Assets');
111
+ log(`Threat modeling target: ${target}`);
112
+ const assetModel = await agent(
113
+ `Inventory the security-relevant assets, data flows, and trust boundaries for: "${target}". Identify: (1) assets (data stores, services, credentials, infrastructure) with sensitivity level, (2) data flows between components, (3) trust boundaries (where data crosses privilege levels), (4) entry points (public APIs, user inputs, external integrations).`,
114
+ { schema: ASSETS_SCHEMA, label: 'assets' }
115
+ );
116
+ if (!assetModel) { return { target, error: 'assetModel-agent-null' }; }
117
+ log(`${assetModel.assets.length} assets, ${assetModel.trustBoundaries.length} trust boundaries, ${assetModel.entryPoints.length} entry points`);
118
+
119
+ const assetContext = `Assets: ${assetModel.assets.slice(0, 5).map(a => `${a.name}(${a.sensitivity})`).join(', ')}\nData flows: ${assetModel.dataFlows.slice(0, 3).join(', ')}\nTrust boundaries: ${assetModel.trustBoundaries.slice(0, 3).join(', ')}\nEntry points: ${assetModel.entryPoints.slice(0, 3).join(', ')}`;
120
+
121
+ phase('STRIDE');
122
+ const STRIDE_CATEGORIES = [
123
+ { cat: 'Spoofing', prompt: `Identify SPOOFING threats for: "${target}". ${assetContext}. Spoofing = an attacker pretends to be someone/something they're not. Look for: weak authentication, missing identity verification, forged tokens/sessions, impersonation attacks. Assign each threat a unique ID (S-01, S-02...), affected asset, likelihood, and impact.` },
124
+ { cat: 'Tampering', prompt: `Identify TAMPERING threats for: "${target}". ${assetContext}. Tampering = malicious modification of data. Look for: insufficient authorization on write operations, missing integrity checks, SQL/command injection, insecure deserialization, CSRF. Assign IDs (T-01...), affected asset, likelihood, impact.` },
125
+ { cat: 'Repudiation', prompt: `Identify REPUDIATION threats for: "${target}". ${assetContext}. Repudiation = ability to deny performing an action. Look for: missing audit logs, insufficient logging of sensitive operations, lack of digital signatures, no non-repudiation controls. Assign IDs (R-01...).` },
126
+ { cat: 'InformationDisclosure', prompt: `Identify INFORMATION DISCLOSURE threats for: "${target}". ${assetContext}. Info disclosure = exposure of data to unauthorized parties. Look for: verbose error messages, debug endpoints, insecure data storage, missing encryption at rest/transit, over-permissive APIs, PII exposure. Assign IDs (I-01...).` },
127
+ { cat: 'DenialOfService', prompt: `Identify DENIAL OF SERVICE threats for: "${target}". ${assetContext}. DoS = making resources unavailable. Look for: missing rate limits, resource exhaustion endpoints, expensive unbounded queries, large payload acceptance without limits, connection pool exhaustion. Assign IDs (D-01...).` },
128
+ { cat: 'ElevationOfPrivilege', prompt: `Identify ELEVATION OF PRIVILEGE threats for: "${target}". ${assetContext}. EoP = gaining unauthorized capabilities. Look for: broken access control, IDOR, privilege escalation paths, JWT/token manipulation, missing authorization checks on admin functions. Assign IDs (E-01...).` },
129
+ ];
130
+
131
+ const strideResults = await parallel(
132
+ STRIDE_CATEGORIES.map(s => () => agent(s.prompt, { schema: STRIDE_SCHEMA, label: `stride:${s.cat.toLowerCase()}`, phase: 'STRIDE' }))
133
+ );
134
+
135
+ const allThreats = strideResults.filter(Boolean).flatMap(s => s.threats.map(t => ({ category: s.category, ...t })));
136
+ log(`${allThreats.length} threats identified across 6 STRIDE categories`);
137
+
138
+ phase('Mitigate');
139
+ const highPriorityThreats = allThreats.filter(t => t.likelihood === 'high' || t.impact === 'high').slice(0, 12);
140
+ log(`Generating mitigations for ${highPriorityThreats.length} high-priority threats`);
141
+
142
+ const mitigations = await parallel(
143
+ highPriorityThreats.map(t => () => agent(
144
+ `Design mitigations for this threat in: "${target}"\n\nThreat ${t.threatId} [${t.category}]: ${t.title}\nDescription: ${t.description}\nAffected asset: ${t.affectedAsset}\nLikelihood: ${t.likelihood}, Impact: ${t.impact}\n\nProvide 2-3 security controls: preventive (stop it), detective (detect it), or corrective (respond to it). Include specific implementation steps and effort estimate. Rate residual risk after controls.`,
145
+ { schema: MITIGATION_SCHEMA, label: `mitigate:${t.threatId}`, phase: 'Mitigate' }
146
+ ))
147
+ );
148
+
149
+ phase('Score');
150
+ const threatContext = allThreats.slice(0, 15).map(t => `${t.threatId} [${t.category}/${t.likelihood}/${t.impact}]: ${t.title}`).join('\n');
151
+ const mitigationContext = mitigations.filter(Boolean).map(m => `${m.threatId}: ${m.controls.length} controls, residual=${m.residualRisk}`).join('\n');
152
+
153
+ const scoreMatrix = await agent(
154
+ `Create a CVSS-style risk score matrix for: "${target}"\n\nThreats:\n${threatContext}\n\nMitigations:\n${mitigationContext}\n\nFor each threat estimate a CVSS base score (0.0-10.0) based on likelihood×impact. Assign priority (P0=CVSS≥9, P1=7-8.9, P2=4-6.9, P3=<4). Determine overall risk level and list top 5 risks to address immediately.`,
155
+ { schema: SCORE_SCHEMA, label: 'score-matrix' }
156
+ );
157
+
158
+ return { target, assetModel, threats: allThreats, mitigations: mitigations.filter(Boolean), scoreMatrix };
159
+ }
@@ -0,0 +1,95 @@
1
+ export const meta = {
2
+ name: 'test-coverage-gap',
3
+ description: 'Parallel per-module coverage analysis → gap map → prioritized test-writing plan',
4
+ whenToUse: 'When you need to find and fix test coverage gaps across a codebase or module',
5
+ phases: [
6
+ { title: 'Discover', detail: 'Map modules and identify testable units' },
7
+ { title: 'Analyze', detail: 'Parallel coverage analysis per module' },
8
+ { title: 'GapMap', detail: 'Synthesize gaps by severity and risk' },
9
+ { title: 'Plan', detail: 'Prioritized test-writing plan with concrete test cases' },
10
+ ],
11
+ };
12
+
13
+ export default async function run({ agent, parallel, pipeline, phase, log, args, budget }) {
14
+ const MODULE_SCHEMA = {
15
+ type: 'object',
16
+ properties: {
17
+ modules: {
18
+ type: 'array',
19
+ items: {
20
+ type: 'object',
21
+ properties: { name: { type: 'string' }, path: { type: 'string' }, risk: { type: 'string', enum: ['high', 'medium', 'low'] } },
22
+ required: ['name', 'path', 'risk'],
23
+ },
24
+ },
25
+ },
26
+ required: ['modules'],
27
+ };
28
+
29
+ const COVERAGE_SCHEMA = {
30
+ type: 'object',
31
+ properties: {
32
+ module: { type: 'string' },
33
+ testedBehaviors: { type: 'array', items: { type: 'string' } },
34
+ untestedBehaviors: { type: 'array', items: { type: 'string' } },
35
+ missingEdgeCases: { type: 'array', items: { type: 'string' } },
36
+ estimatedCoverage: { type: 'number' },
37
+ },
38
+ required: ['module', 'testedBehaviors', 'untestedBehaviors', 'missingEdgeCases', 'estimatedCoverage'],
39
+ };
40
+
41
+ const PLAN_SCHEMA = {
42
+ type: 'object',
43
+ properties: {
44
+ summary: { type: 'string' },
45
+ prioritizedTests: {
46
+ type: 'array',
47
+ items: {
48
+ type: 'object',
49
+ properties: {
50
+ module: { type: 'string' },
51
+ behavior: { type: 'string' },
52
+ priority: { type: 'string', enum: ['p0', 'p1', 'p2'] },
53
+ testDescription: { type: 'string' },
54
+ skeletonCode: { type: 'string' },
55
+ },
56
+ required: ['module', 'behavior', 'priority', 'testDescription', 'skeletonCode'],
57
+ },
58
+ },
59
+ },
60
+ required: ['summary', 'prioritizedTests'],
61
+ };
62
+
63
+ const target = args || 'current codebase (run from repo root)';
64
+
65
+ phase('Discover');
66
+ log(`Discovering testable modules in: ${target}`);
67
+ const discovery = await agent(
68
+ `Discover and list all testable modules in: "${target}". For each module identify its path and risk level (high=core business logic/auth/payment, medium=data processing, low=utilities/helpers). Focus on source files that should have tests.`,
69
+ { schema: MODULE_SCHEMA, label: 'discover' }
70
+ );
71
+ const modules = ((discovery || {}).modules || []).slice(0, 12);
72
+ log(`Found ${modules.length} modules to analyze`);
73
+
74
+ phase('Analyze');
75
+ const coverageResults = await parallel(
76
+ modules.map(m => () => agent(
77
+ `Analyze test coverage for module: "${m.name}" at path: "${m.path}" in codebase: "${target}". List: (1) behaviors currently tested, (2) behaviors NOT tested that should be, (3) missing edge cases. Estimate current coverage % (0-100).`,
78
+ { schema: COVERAGE_SCHEMA, label: `cov:${m.name.slice(0, 20)}`, phase: 'Analyze' }
79
+ ))
80
+ );
81
+
82
+ phase('GapMap');
83
+ const gaps = coverageResults.filter(Boolean);
84
+ const gapSummary = gaps.map(g => `${g.module} (~${g.estimatedCoverage}% covered): untested=[${g.untestedBehaviors.slice(0, 3).join(', ')}]`).join('\n');
85
+ log(`Coverage gaps identified across ${gaps.length} modules`);
86
+
87
+ phase('Plan');
88
+ const plan = await agent(
89
+ `Create a prioritized test-writing plan for: "${target}"\n\nCoverage gaps:\n${gapSummary}\n\nFor each gap, write a concrete test description and skeleton code. Prioritize: P0=high-risk untested, P1=medium-risk gaps, P2=edge cases. Include the actual test skeleton (describe/it or test() blocks) for each.`,
90
+ { schema: PLAN_SCHEMA, label: 'plan' }
91
+ );
92
+ if (!plan) { return { target, modules, gaps, error: 'plan-agent-null' }; }
93
+
94
+ return { target, modules, gaps, plan };
95
+ }
@@ -0,0 +1,122 @@
1
+ export const meta = {
2
+ name: 'ux-heuristic-audit',
3
+ description: '10 Nielsen heuristics parallel audit → severity ranking → fix brief',
4
+ whenToUse: 'When auditing a UI for usability problems using Nielsen\'s 10 heuristics before launch or redesign',
5
+ phases: [
6
+ { title: 'Scope', detail: 'Define target UI and identify key user flows to audit' },
7
+ { title: 'Audit', detail: '10 parallel heuristic evaluators — one per Nielsen heuristic' },
8
+ { title: 'Rank', detail: 'Severity ranking of all violations by impact on user experience' },
9
+ { title: 'Brief', detail: 'Prioritized fix brief with specific design recommendations' },
10
+ ],
11
+ };
12
+
13
+ export default async function run({ agent, parallel, pipeline, phase, log, args, budget }) {
14
+ const HEURISTIC_SCHEMA = {
15
+ type: 'object',
16
+ properties: {
17
+ heuristic: { type: 'string' },
18
+ violations: {
19
+ type: 'array',
20
+ items: {
21
+ type: 'object',
22
+ properties: {
23
+ component: { type: 'string' },
24
+ severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
25
+ description: { type: 'string' },
26
+ recommendation: { type: 'string' },
27
+ },
28
+ required: ['severity', 'description', 'recommendation'],
29
+ },
30
+ },
31
+ score: { type: 'number' },
32
+ },
33
+ required: ['heuristic', 'violations', 'score'],
34
+ };
35
+
36
+ const RANK_SCHEMA = {
37
+ type: 'object',
38
+ properties: {
39
+ rankedViolations: {
40
+ type: 'array',
41
+ items: {
42
+ type: 'object',
43
+ properties: {
44
+ rank: { type: 'number' },
45
+ heuristic: { type: 'string' },
46
+ description: { type: 'string' },
47
+ severity: { type: 'string', enum: ['critical', 'high', 'medium', 'low'] },
48
+ impactScore: { type: 'number' },
49
+ },
50
+ required: ['rank', 'heuristic', 'description', 'severity', 'impactScore'],
51
+ },
52
+ },
53
+ overallUsabilityScore: { type: 'number' },
54
+ },
55
+ required: ['rankedViolations', 'overallUsabilityScore'],
56
+ };
57
+
58
+ const BRIEF_SCHEMA = {
59
+ type: 'object',
60
+ properties: {
61
+ summary: { type: 'string' },
62
+ criticalFixes: {
63
+ type: 'array',
64
+ items: {
65
+ type: 'object',
66
+ properties: {
67
+ issue: { type: 'string' },
68
+ heuristic: { type: 'string' },
69
+ fix: { type: 'string' },
70
+ effort: { type: 'string', enum: ['low', 'medium', 'high'] },
71
+ },
72
+ required: ['issue', 'heuristic', 'fix', 'effort'],
73
+ },
74
+ },
75
+ quickWins: { type: 'array', items: { type: 'string' } },
76
+ },
77
+ required: ['summary', 'criticalFixes', 'quickWins'],
78
+ };
79
+
80
+ const target = args || 'current codebase (run from repo root)';
81
+
82
+ phase('Scope');
83
+ log(`UX heuristic audit target: ${target}`);
84
+
85
+ const HEURISTICS = [
86
+ { label: 'visibility-of-status', prompt: `Evaluate Nielsen Heuristic #1 "Visibility of System Status" for: "${target}". Check: Does the UI always keep users informed about what is going on? Are loading states shown? Is progress communicated? Are confirmations displayed after actions? Score 0-100 (100=perfect) and list all violations with severity.` },
87
+ { label: 'match-real-world', prompt: `Evaluate Nielsen Heuristic #2 "Match Between System and the Real World" for: "${target}". Check: Does the UI use language and concepts familiar to users? Are metaphors and icons intuitive? Is information ordered naturally? Score 0-100 and list violations.` },
88
+ { label: 'user-control', prompt: `Evaluate Nielsen Heuristic #3 "User Control and Freedom" for: "${target}". Check: Can users undo/redo actions? Is there a clear exit from every state? Are emergency exits clearly marked? Can users cancel ongoing operations? Score 0-100 and list violations.` },
89
+ { label: 'consistency', prompt: `Evaluate Nielsen Heuristic #4 "Consistency and Standards" for: "${target}". Check: Do similar actions have similar appearance and behavior? Are platform conventions followed? Are labels consistent across screens? Score 0-100 and list violations.` },
90
+ { label: 'error-prevention', prompt: `Evaluate Nielsen Heuristic #5 "Error Prevention" for: "${target}". Check: Are good error-prone conditions eliminated? Are confirmation dialogs shown for destructive actions? Is inline validation used? Are form constraints visible before submission? Score 0-100 and list violations.` },
91
+ { label: 'recognition-over-recall', prompt: `Evaluate Nielsen Heuristic #6 "Recognition Rather Than Recall" for: "${target}". Check: Are options visible rather than remembered? Are instructions visible in context? Are recently used items surfaced? Are tooltips and help text available? Score 0-100 and list violations.` },
92
+ { label: 'flexibility', prompt: `Evaluate Nielsen Heuristic #7 "Flexibility and Efficiency of Use" for: "${target}". Check: Are there keyboard shortcuts for expert users? Can users customize frequent actions? Are there accelerators for power users? Does the UI serve both novice and expert? Score 0-100 and list violations.` },
93
+ { label: 'aesthetic-minimalism', prompt: `Evaluate Nielsen Heuristic #8 "Aesthetic and Minimalist Design" for: "${target}". Check: Does every element serve a purpose? Is irrelevant information removed? Are visual hierarchies clear? Is there excessive decoration or noise? Score 0-100 and list violations.` },
94
+ { label: 'error-recognition', prompt: `Evaluate Nielsen Heuristic #9 "Help Users Recognize, Diagnose, and Recover from Errors" for: "${target}". Check: Are error messages in plain language (not error codes)? Do they precisely indicate the problem? Do they constructively suggest solutions? Score 0-100 and list violations.` },
95
+ { label: 'help-docs', prompt: `Evaluate Nielsen Heuristic #10 "Help and Documentation" for: "${target}". Check: Is help easy to search? Is documentation focused on user tasks? Are concrete steps listed? Is context-sensitive help available? Score 0-100 and list violations.` },
96
+ ];
97
+
98
+ phase('Audit');
99
+ const auditResults = await parallel(
100
+ HEURISTICS.map(h => () => agent(h.prompt, { schema: HEURISTIC_SCHEMA, label: `heuristic:${h.label}`, phase: 'Audit' }))
101
+ );
102
+
103
+ phase('Rank');
104
+ const allViolations = auditResults.filter(Boolean).flatMap(r => (r.violations || []).map(v => ({ heuristic: r.heuristic, ...v })));
105
+ log(`${allViolations.length} violations found across 10 heuristics — ranking by severity`);
106
+
107
+ const violationSummary = allViolations.slice(0, 30).map(v => `[${v.severity}] ${v.heuristic || 'unknown'}: ${v.description}`).join('\n');
108
+ const ranked = await agent(
109
+ `Rank these UX violations by impact on user experience for: "${target}"\n\nViolations:\n${violationSummary}\n\nRank each by impact score (1-10), assign a rank number starting from 1 (most critical). Calculate an overall usability score (0-100) across all heuristics.`,
110
+ { schema: RANK_SCHEMA, label: 'rank' }
111
+ );
112
+ if (!ranked) { log('Warning: agent returned null for ranked, skipping'); return { target, error: 'agent-null' }; }
113
+
114
+ phase('Brief');
115
+ const topViolations = (ranked.rankedViolations || []).slice(0, 10).map(v => `[Rank ${v.rank}/${v.severity}] ${v.heuristic}: ${v.description}`).join('\n');
116
+ const brief = await agent(
117
+ `Create a UX fix brief for: "${target}"\n\nOverall usability score: ${ranked.overallUsabilityScore}/100\n\nTop violations:\n${topViolations}\n\nFor each critical/high violation provide: specific fix with design recommendation, implementation effort (low/medium/high). Also list quick wins (low effort, high impact fixes). Write a 2-3 sentence executive summary.`,
118
+ { schema: BRIEF_SCHEMA, label: 'brief' }
119
+ );
120
+
121
+ return { target, audits: auditResults.filter(Boolean), ranked, brief };
122
+ }
@@ -0,0 +1,85 @@
1
+ export const meta = {
2
+ name: 'writer-reviewer',
3
+ description: 'Anthropic Writer/Reviewer pattern: implement in Context A → fresh Context B reviews the diff',
4
+ whenToUse: 'When you want unbiased code review — a fresh context reviewer has no bias toward code it did not write',
5
+ phases: [
6
+ { title: 'Implement', detail: 'Writer agent implements the requested change' },
7
+ { title: 'Review', detail: 'Fresh reviewer agent inspects only the diff without implementation context' },
8
+ { title: 'Verdict', detail: 'Accept / request-changes verdict with specific actionable feedback' },
9
+ ],
10
+ };
11
+
12
+ export default async function run({ agent, parallel, pipeline, phase, log, args, budget }) {
13
+ const IMPL_SCHEMA = {
14
+ type: 'object',
15
+ properties: {
16
+ description: { type: 'string' },
17
+ filesChanged: { type: 'array', items: { type: 'string' } },
18
+ approach: { type: 'string' },
19
+ diff: { type: 'string' },
20
+ testingDone: { type: 'string' },
21
+ },
22
+ required: ['description', 'filesChanged', 'approach', 'diff'],
23
+ };
24
+
25
+ const REVIEW_SCHEMA = {
26
+ type: 'object',
27
+ properties: {
28
+ verdict: { type: 'string', enum: ['approve', 'request-changes', 'comment'] },
29
+ summary: { type: 'string' },
30
+ issues: {
31
+ type: 'array',
32
+ items: {
33
+ type: 'object',
34
+ properties: {
35
+ severity: { type: 'string', enum: ['blocker', 'major', 'minor', 'nit'] },
36
+ location: { type: 'string' },
37
+ issue: { type: 'string' },
38
+ suggestion: { type: 'string' },
39
+ },
40
+ required: ['severity', 'location', 'issue', 'suggestion'],
41
+ },
42
+ },
43
+ positives: { type: 'array', items: { type: 'string' } },
44
+ approvalConditions: { type: 'array', items: { type: 'string' } },
45
+ },
46
+ required: ['verdict', 'summary', 'issues'],
47
+ };
48
+
49
+ const task = args || 'No task specified — describe the implementation task in args.';
50
+
51
+ phase('Implement');
52
+ log(`Writer implementing: ${task.slice(0, 80)}`);
53
+ const implementation = await agent(
54
+ `Implement this task in the current codebase: "${task}"\n\nWrite the complete implementation. After implementing, provide: (1) description of what you built, (2) list of files changed, (3) your implementation approach and key decisions, (4) a diff-style summary of changes (show old → new for key parts), (5) testing done or test commands to run.`,
55
+ { schema: IMPL_SCHEMA, label: 'writer' }
56
+ );
57
+ if (!implementation) { log('Warning: agent returned null for implementation, skipping'); return { task, error: 'agent-null' }; }
58
+ log(`Writer: ${implementation.description} | Changed: ${implementation.filesChanged.join(', ')}`);
59
+
60
+ phase('Review');
61
+ const diffContext = `TASK: ${task}\n\nCHANGES MADE:\n${implementation.diff}\n\nFILES CHANGED: ${implementation.filesChanged.join(', ')}\n\nTESTING: ${implementation.testingDone || 'not specified'}`;
62
+ const review = await agent(
63
+ `You are a senior code reviewer. Review this code change with fresh eyes — you were NOT involved in the implementation.\n\n${diffContext}\n\nReview for: correctness (does it actually solve the task?), edge cases (null/empty/large inputs), security (injection, auth, secrets), performance (N+1, unbounded loops), maintainability (naming, complexity, DRY). Give a verdict: approve / request-changes / comment. For each issue: severity (blocker/major/minor/nit), exact location, what's wrong, specific suggestion.`,
64
+ { schema: REVIEW_SCHEMA, label: 'reviewer' }
65
+ );
66
+ if (!review) { log('Warning: agent returned null for review, skipping'); return { task, implementation, error: 'agent-null' }; }
67
+ log(`Reviewer verdict: ${review.verdict} | ${review.issues.length} issues (${review.issues.filter(i => i.severity === 'blocker').length} blockers)`);
68
+
69
+ phase('Verdict');
70
+ const blockers = review.issues.filter(i => i.severity === 'blocker');
71
+ const majors = review.issues.filter(i => i.severity === 'major');
72
+
73
+ return {
74
+ task,
75
+ implementation,
76
+ review,
77
+ verdict: {
78
+ decision: review.verdict,
79
+ blockerCount: blockers.length,
80
+ majorCount: majors.length,
81
+ approved: review.verdict === 'approve',
82
+ requiredFixes: blockers.concat(majors).map(i => `[${i.severity.toUpperCase()}] ${i.location}: ${i.suggestion}`),
83
+ },
84
+ };
85
+ }
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "pattern-library.jsonl": {
3
- "lastSync": "2026-06-23T08:21:37.029Z",
3
+ "lastSync": "2026-06-24T05:48:11.891Z",
4
4
  "localCount": 1
5
5
  }
6
6
  }
package/CHANGELOG.md CHANGED
@@ -1,5 +1,22 @@
1
1
  # Changelog
2
2
 
3
+ ## [11.8.0] - 2026-06-24 — Workflow Forge II
4
+
5
+ Expands the Dynamic Workflow Library from 12 to 33 workflows across 5 tiers, adding a new **Beast tier** for compound multi-phase multi-agent workflows with adversarial verification. 21 new workflows added. 92/92 tests pass.
6
+
7
+ ### Added
8
+
9
+ - **Beast tier** (3 compound workflows, 5 phases, 8+ agents): `security-hardening` (5-angle OWASP parallel scout + 3-vote adversarial verify + STRIDE threat model + remediation roadmap), `accessibility-audit` (WCAG 2.2 6-principle parallel audit + 3-vote verify + remediation spec), `security-threat-model` (asset inventory + 6-parallel STRIDE + mitigations + CVSS scoring)
10
+ - **Dev tier additions** (7): `test-coverage-gap`, `api-contract-test`, `mutation-testing`, `debug-detective`, `writer-reviewer`, `code-explainer`, `design-system-audit`
11
+ - **Ops tier additions** (4): `database-migration`, `dependency-health`, `multi-repo-sync`, `cost-analysis`
12
+ - **Intelligence tier additions** (3): `architecture-modernization`, `documentation-gen`, `api-migration`, `data-pipeline-validate` (4 total)
13
+ - **Research tier additions** (3): `ai-model-eval`, `ux-heuristic-audit`, `competitive-teardown`
14
+ - 21 new `/mindforge:wf-*` slash command pairs
15
+ - Updated `wf-catalog` listing all 33 workflows across 5 tiers
16
+ - `tests/workflow-registry.test.js` — `beast` added to valid tier allowlist
17
+
18
+ ---
19
+
3
20
  ## [11.7.1] - 2026-06-23 — Workflow Forge (patch)
4
21
 
5
22
  Patch release: adds `bin/parse-workflow-args.js` (slash command argument splitter, produced by the tdd-sprint E2E run) and resolves 2 high-severity npm vulnerabilities in the tmp/inquirer dependency chain. No feature changes; all 94 tests pass.