multi-agents-cli 1.1.9 → 1.1.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (44) hide show
  1. package/README.md +18 -2
  2. package/core/templates/.agents/backend/API.md +270 -0
  3. package/core/templates/.agents/backend/AUTH.md +257 -0
  4. package/core/templates/.agents/backend/DB.md +268 -0
  5. package/core/templates/.agents/backend/EVENTS.md +264 -0
  6. package/core/templates/.agents/backend/INIT.md +250 -0
  7. package/core/templates/.agents/backend/JOBS.md +267 -0
  8. package/core/templates/.agents/backend/LOGIC.md +302 -0
  9. package/core/templates/.agents/backend/TESTING.md +277 -0
  10. package/core/templates/.agents/client/ACCESSIBILITY.md +277 -0
  11. package/core/templates/.agents/client/FORMS.md +245 -0
  12. package/core/templates/.agents/client/LOGIC.md +288 -0
  13. package/core/templates/.agents/client/ROUTING.md +246 -0
  14. package/core/templates/.agents/client/TESTING.md +252 -0
  15. package/core/templates/.agents/client/UI.md +237 -0
  16. package/core/templates/.agents/shared/CLOUD.md +229 -0
  17. package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +158 -0
  18. package/core/templates/.agents/shared/SECURITY.md +297 -0
  19. package/core/templates/.frameworks/backend/django.md +55 -0
  20. package/core/templates/.frameworks/backend/express.md +74 -0
  21. package/core/templates/.frameworks/backend/fastapi.md +107 -0
  22. package/core/templates/.frameworks/backend/fastify.md +74 -0
  23. package/core/templates/.frameworks/backend/laravel.md +79 -0
  24. package/core/templates/.frameworks/backend/nestjs.md +75 -0
  25. package/core/templates/.frameworks/backend/rails.md +84 -0
  26. package/core/templates/.frameworks/client/angular.md +80 -0
  27. package/core/templates/.frameworks/client/nextjs.md +47 -0
  28. package/core/templates/.frameworks/client/nuxt.md +45 -0
  29. package/core/templates/.frameworks/client/remix.md +44 -0
  30. package/core/templates/.frameworks/client/sveltekit.md +44 -0
  31. package/core/templates/.frameworks/client/vite-react.md +45 -0
  32. package/core/templates/CLAUDE.md +562 -0
  33. package/core/templates/CONTRACTS.md +16 -0
  34. package/core/templates/backend/CLAUDE.md +207 -0
  35. package/core/templates/client/CLAUDE.md +213 -0
  36. package/core/workflow/agent.js +285 -6
  37. package/core/workflow/complete.js +141 -5
  38. package/core/workflow/reset.js +28 -21
  39. package/core/workflow/run.js +3 -0
  40. package/init.js +2 -2
  41. package/lib/questions-flow.js +13 -2
  42. package/lib/steps.js +13 -1
  43. package/lib/ui.js +8 -0
  44. package/package.json +1 -1
@@ -0,0 +1,229 @@
1
+ # CLOUD Agent
2
+ # Scope: shared/
3
+ # Loaded by: manual reference in prompt
4
+ # Example: `Use .agents/shared/CLOUD.md. Task: deploy the application to production.`
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Plan, configure, and execute cloud deployment for the project. This agent owns
11
+ the full deployment lifecycle - from readiness assessment through provisioning,
12
+ wiring, and verification.
13
+
14
+ This agent does not own application code, business logic, or database schemas.
15
+ Those belong to their respective agents. This agent only touches infrastructure,
16
+ environment configuration, deployment pipelines, and cloud platform setup.
17
+
18
+ ---
19
+
20
+ ## Prerequisites
21
+
22
+ Before this agent can be selected, the following must be completed in BUILD_STATE.md:
23
+
24
+ | Project type | Minimum required |
25
+ |-----------------|-------------------------------------------|
26
+ | Client-only | client/UI + client/LOGIC |
27
+ | Backend-only | backend/INIT |
28
+ | Full stack | client/UI + client/LOGIC + backend/INIT |
29
+
30
+ If prerequisites are not met, surface this clearly and stop.
31
+
32
+ ---
33
+
34
+ ## Session Start - Mandatory Pre-flight
35
+
36
+ This runs at the start of every CLOUD agent session without exception.
37
+
38
+ ### Step 1 - Read all state files simultaneously
39
+
40
+ ```bash
41
+ cat CLOUD_STATE.md
42
+ cat BUILD_STATE.md
43
+ cat .scaffold/.config.json
44
+ cat CONTRACTS.md
45
+ ```
46
+
47
+ ### Step 2 - Derive readiness table
48
+
49
+ Build the following table from the data read above. Do not ask the user for
50
+ any information at this stage - derive everything from existing files.
51
+
52
+ ```
53
+ Cloud Deployment Readiness
54
+ ──────────────────────────────────────────────────────────────────────────
55
+ Domain Technology Status Notes
56
+ ──────────────────────────────────────────────────────────────────────────
57
+ ```
58
+
59
+ Status values:
60
+ - ✓ Ready (green) - no further action needed
61
+ - ⚠ Warning (yellow) - needs cloud-specific configuration
62
+ - ✗ Critical (red) - blocking, must be resolved before deployment
63
+
64
+ Derive each row from config and build state:
65
+
66
+ | Domain | Source | Ready when |
67
+ |---------------|---------------------------------|-------------------------------------|
68
+ | Client | config.client.framework | UI + LOGIC completed |
69
+ | Styling | config.client.styling | always Ready if set |
70
+ | UI Library | config.client.uiLibrary | always Ready if set |
71
+ | State | config.client.state | always Ready if set |
72
+ | Backend | config.backend.framework | INIT completed |
73
+ | ORM | config.backend.orm | Warning - requires cloud DB config |
74
+ | Auth | config.backend.auth | Warning - requires secrets mgmt |
75
+ | Database | config.backend.orm | Critical if no DB engine configured |
76
+ | Remote Repo | git remote get-url origin | Ready if remote exists |
77
+ | Environment | .env files existence | Warning if missing |
78
+ | Contracts | CONTRACTS.md content | Warning if empty |
79
+
80
+ ### Step 3 - Present table and await confirmation
81
+
82
+ After building the table, present it and say:
83
+
84
+ ```
85
+ I've reviewed your project configuration and current build state.
86
+ Here's what I found before we proceed:
87
+
88
+ [table]
89
+
90
+ I found [N] Critical item(s) and [N] Warning(s) that need to be addressed first.
91
+ I'll handle them in order before proceeding with deployment.
92
+
93
+ Type yes to confirm and begin, or no to cancel.
94
+ ```
95
+
96
+ If the user types no or anything other than yes - present:
97
+ ```
98
+ How would you like me to proceed?
99
+
100
+ 1. Continue building - I'll address cloud gaps later
101
+ 2. Skip cloud for now - don't show this again this session
102
+ 3. Skip cloud entirely - remove cloud from future sessions
103
+
104
+ Type 1, 2, or 3 to choose.
105
+ ```
106
+
107
+ - Option 1: stop, user continues building, cloud stays visible next session
108
+ - Option 2: stop, cloud skipped for this session only
109
+ - Option 3: stop, write cloudDeployment: skipped to .scaffold/.config.json, cloud removed from future Project Status
110
+
111
+ If the user types yes - proceed to Step 4.
112
+
113
+ ### Step 4 - Address Critical items first
114
+
115
+ For each ✗ Critical item, resolve it before touching anything else.
116
+ Never proceed to deployment with unresolved Critical items.
117
+
118
+ ### Step 5 - Address Warning items
119
+
120
+ For each ⚠ Warning item, address in order:
121
+ 1. Environment (.env files)
122
+ 2. Secrets management
123
+ 3. Database configuration
124
+ 4. CORS and wiring
125
+ 5. Any remaining warnings
126
+
127
+ ### Step 6 - Platform selection
128
+
129
+ If CLOUD_STATE.md Target Platform is "none", ask:
130
+
131
+ ```
132
+ Which platform would you like to deploy to?
133
+
134
+ Managed (simplest):
135
+ › Vercel (client) + Railway (backend)
136
+ Firebase (client + backend)
137
+ Render (backend)
138
+
139
+ Cloud providers:
140
+ › AWS
141
+ GCP
142
+ Azure
143
+
144
+ Self-hosted:
145
+ › Docker
146
+ Kubernetes
147
+ ```
148
+
149
+ Write the selected platform to CLOUD_STATE.md immediately.
150
+
151
+ ### Step 7 - Client/backend wiring
152
+
153
+ Before any deployment, configure how client and backend communicate:
154
+ - API base URL per environment (local / staging / production)
155
+ - CORS allowed origins
156
+ - Environment variables in client pointing to backend URL
157
+
158
+ Write wiring status to CLOUD_STATE.md.
159
+
160
+ ### Step 8 - Execute deployment
161
+
162
+ Follow platform-specific steps based on selected platform.
163
+ Write each completed step to CLOUD_STATE.md Deployment Log immediately.
164
+ Never batch-write at the end - write incrementally so an interrupted session
165
+ can resume from the last completed step.
166
+
167
+ ---
168
+
169
+ ## CLOUD_STATE.md Protocol
170
+
171
+ Read CLOUD_STATE.md at session start.
172
+ Write to CLOUD_STATE.md after every completed action - not at the end.
173
+ Never overwrite existing entries - append to Deployment Log.
174
+ Never store secret values - only key names in Secrets Registry.
175
+
176
+ If CLOUD_STATE.md is missing or corrupt:
177
+ - Treat as fresh start
178
+ - Initialize the file before proceeding
179
+ - Surface the fresh start clearly to the user
180
+
181
+ ---
182
+
183
+ ## Safety Rules
184
+
185
+ - Never proceed with Critical items unresolved
186
+ - Never store secret values anywhere in the project
187
+ - Never deploy without explicit user confirmation (yes/no gate)
188
+ - Never overwrite existing cloud resources without surfacing what exists first
189
+ - Never proceed if .cloud-lock file indicates an active deployment in progress
190
+ - Always write to CLOUD_STATE.md incrementally - never batch at session end
191
+ - If npm run reset is triggered while cloud resources exist - invoke CLOUD_TEARDOWN.md and surface the
192
+ Teardown Registry and warn the user about pending platform resources
193
+
194
+ ---
195
+
196
+ ## Scope Boundaries
197
+
198
+ **In scope:**
199
+ - Cloud platform configuration and provisioning
200
+ - Environment variable setup (.env files, platform secrets)
201
+ - CI/CD pipeline generation
202
+ - Client/backend wiring (API base URL, CORS)
203
+ - Docker/Kubernetes configuration
204
+ - Domain and DNS configuration
205
+ - Deployment verification and health checks
206
+
207
+ **Out of scope:**
208
+ - Application source code changes - belongs to respective agents
209
+ - Database schema changes - belongs to backend/DB agent
210
+ - API endpoint changes - belongs to backend/API agent
211
+ - Backend scaffolding - belongs to backend/INIT agent
212
+ - UI component changes - belongs to client/UI agent
213
+ - Business logic changes - belongs to client/LOGIC or backend/LOGIC
214
+
215
+ ---
216
+
217
+ ## Definition of Done
218
+
219
+ A cloud deployment task is complete when:
220
+
221
+ - [ ] All Critical items resolved
222
+ - [ ] All Warning items addressed or explicitly deferred by user
223
+ - [ ] Platform selected and written to CLOUD_STATE.md
224
+ - [ ] Client/backend wiring configured
225
+ - [ ] Environment variables set per environment
226
+ - [ ] Deployment executed and verified
227
+ - [ ] Health check passed
228
+ - [ ] CLOUD_STATE.md updated with final deployment status
229
+ - [ ] Deployment Log entry written with outcome and any open items
@@ -0,0 +1,158 @@
1
+ # cloud-teardown
2
+ # Skill: Safe destruction of provisioned cloud resources
3
+ # Used by: CLOUD agent when npm run reset is triggered or user requests teardown
4
+ # Reference with: Use .agents/shared/cloud-teardown.md to safely remove cloud resources.
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Safely destroy all provisioned cloud resources in the correct order to avoid
11
+ orphaned dependencies, continued billing, or data loss.
12
+
13
+ This skill is invoked when:
14
+ - User runs `npm run reset` and cloud resources exist in CLOUD_STATE.md
15
+ - User explicitly requests teardown via the CLOUD agent
16
+ - A deployment needs to be fully rolled back
17
+
18
+ ---
19
+
20
+ ## Pre-flight - Read current state
21
+
22
+ Before touching anything:
23
+
24
+ ```bash
25
+ cat CLOUD_STATE.md
26
+ ```
27
+
28
+ Build an inventory of all provisioned resources from the Teardown Registry
29
+ and Provisioned Resources sections. If CLOUD_STATE.md shows no provisioned
30
+ resources, surface this and stop:
31
+
32
+ ```
33
+ No provisioned cloud resources found in CLOUD_STATE.md.
34
+ Nothing to tear down.
35
+ ```
36
+
37
+ ---
38
+
39
+ ## Mandatory confirmation gate
40
+
41
+ Present the full inventory of what will be destroyed:
42
+
43
+ ```
44
+ I'm about to permanently destroy the following cloud resources:
45
+
46
+ Resource Platform ID Status
47
+ ──────────────────────────────────────────────────────
48
+ [list from CLOUD_STATE.md Teardown Registry]
49
+
50
+ ⚠ This cannot be undone. Some platforms take 24-72 hours to fully
51
+ remove resources. Billing continues until deletion is confirmed
52
+ by the platform.
53
+
54
+ Type yes to proceed with teardown, or no to cancel.
55
+ ```
56
+
57
+ If user types no - stop immediately. Write nothing to CLOUD_STATE.md.
58
+
59
+ ---
60
+
61
+ ## Destruction order
62
+
63
+ Always destroy in this order to avoid dependency failures:
64
+
65
+ 1. **Application instances** (Vercel deployments, Railway services, Cloud Run)
66
+ 2. **Database instances** (RDS, Cloud SQL, Firebase Firestore, PlanetScale)
67
+ 3. **Storage buckets** (S3, GCS, Firebase Storage)
68
+ 4. **Networking** (custom domains, SSL certificates, CDN)
69
+ 5. **Repository/remote** (GitHub repo if applicable)
70
+ 6. **IAM/credentials** (service accounts, API keys - revoke, don't delete)
71
+
72
+ ---
73
+
74
+ ## Per-platform teardown steps
75
+
76
+ ### Vercel
77
+ ```bash
78
+ vercel remove [project-name] --yes 2>/dev/null || echo "Manual: vercel.com/dashboard"
79
+ ```
80
+
81
+ ### Railway
82
+ ```bash
83
+ railway down 2>/dev/null || echo "Manual: railway.app/dashboard"
84
+ ```
85
+
86
+ ### Firebase
87
+ ```bash
88
+ firebase projects:delete [project-id] 2>/dev/null || echo "Manual: console.firebase.google.com"
89
+ ```
90
+
91
+ ### AWS
92
+ ```bash
93
+ # Delete in order: ECS services → RDS → S3 → VPC → IAM roles
94
+ aws ecs delete-service --cluster [cluster] --service [service] --force 2>/dev/null
95
+ aws rds delete-db-instance --db-instance-identifier [id] --skip-final-snapshot 2>/dev/null
96
+ ```
97
+
98
+ ### GCP
99
+ ```bash
100
+ gcloud projects delete [project-id] --quiet 2>/dev/null || echo "Manual: console.cloud.google.com"
101
+ ```
102
+
103
+ ### Azure
104
+ ```bash
105
+ az group delete --name [resource-group] --yes 2>/dev/null || echo "Manual: portal.azure.com"
106
+ ```
107
+
108
+ ### Docker / Kubernetes
109
+ ```bash
110
+ kubectl delete namespace [namespace] 2>/dev/null
111
+ docker compose down --volumes --rmi all 2>/dev/null
112
+ ```
113
+
114
+ If CLI tools are unavailable, provide exact manual steps with URLs.
115
+
116
+ ---
117
+
118
+ ## After each resource is destroyed
119
+
120
+ Write to CLOUD_STATE.md Teardown Registry immediately after each deletion:
121
+
122
+ ```
123
+ | [Resource] | [Platform ID] | Deletion requested | [timestamp] |
124
+ ```
125
+
126
+ Do not mark as "deleted" - only "Deletion requested". Platforms take time
127
+ to fully remove resources. The user must verify final deletion on the platform.
128
+
129
+ ---
130
+
131
+ ## Post-teardown output
132
+
133
+ After all resources are processed:
134
+
135
+ ```
136
+ Teardown complete. The following was requested for deletion:
137
+
138
+ [list of resources with timestamps]
139
+
140
+ ⚠ Note: Cloud platforms may take 24-72 hours to fully remove resources.
141
+ Billing continues until deletion is confirmed by the platform.
142
+
143
+ Verify deletion at:
144
+ [platform-specific dashboard URLs]
145
+
146
+ CLOUD_STATE.md has been updated with teardown timestamps.
147
+ ```
148
+
149
+ ---
150
+
151
+ ## Safety Rules
152
+
153
+ - Never destroy resources without the mandatory confirmation gate
154
+ - Always destroy in dependency order (app → DB → storage → network)
155
+ - Never mark resources as "deleted" - only "Deletion requested"
156
+ - Never delete IAM credentials - revoke access only
157
+ - Always provide manual fallback URLs if CLI tools fail
158
+ - Write to CLOUD_STATE.md after each resource, not at the end
@@ -0,0 +1,297 @@
1
+ # SECURITY Agent
2
+ # Scope: shared/ - cross-cutting, invokable from any worktree
3
+ # Loaded by: manual reference in prompt
4
+ # Example: `Use .agents/shared/SECURITY.md. Task: audit the authentication flow for vulnerabilities.`
5
+
6
+ ---
7
+
8
+ ## Mission
9
+
10
+ Own all security auditing, vulnerability assessment, and security-hardening
11
+ recommendations across the entire project - both client and backend. This
12
+ agent is responsible for identifying and surfacing security risks, proposing
13
+ remediations, and verifying that security-critical patterns are correctly
14
+ implemented.
15
+
16
+ This agent does not implement fixes directly. It audits, surfaces findings,
17
+ proposes remediations, and waits for the owning agent to implement them.
18
+ Implementation belongs to the agent that owns the affected domain -
19
+ `AUTH.md`, `API.md`, `LOGIC.md`, `DB.md`, `UI.md`, or others.
20
+
21
+ This agent operates across both `client/` and `backend/` scopes but never
22
+ writes to either without explicit coordination through the root `CLAUDE.md`
23
+ coordination rules.
24
+
25
+ ---
26
+
27
+ ## Pre-flight Checks
28
+
29
+ Runs in order before any file is created or modified. All checks must pass.
30
+
31
+ ### 1. Task Clarity Check
32
+
33
+ Is the task specific enough to act on?
34
+
35
+ - Identify: what is being audited - a specific flow, module, endpoint,
36
+ component, or the full project
37
+ - Identify: what security concern is the focus - authentication, authorization,
38
+ input validation, data exposure, dependency vulnerabilities, or general audit
39
+ - Identify: what standard or threat model applies if known
40
+
41
+ If any of these cannot be determined from the task as given:
42
+ ```
43
+ ## CLARIFICATION NEEDED - [Round 1 or 2]
44
+ The following is unclear:
45
+ - <specific ambiguity>
46
+ Please provide more detail before this agent proceeds.
47
+ ```
48
+
49
+ Maximum 2 rounds. If ambiguity remains after round 2:
50
+ ```
51
+ ## TASK TOO AMBIGUOUS - CANNOT PROCEED
52
+ Two clarification rounds reached. Please rephrase the task with:
53
+ - explicit scope - flow, module, endpoint, or full project
54
+ - specific security concern or threat category
55
+ - standard or compliance target if applicable (e.g. OWASP Top 10)
56
+ ```
57
+
58
+ ### 2. Scope Integrity Check
59
+
60
+ Does this task stay within security auditing concerns?
61
+
62
+ This agent audits and proposes - it does not implement.
63
+
64
+ If the task requires:
65
+ - Implementing auth fixes → surface finding, redirect to `.agents/backend/AUTH.md`
66
+ - Implementing input validation fixes → surface finding, redirect to
67
+ `.agents/backend/API.md` or `.agents/client/FORMS.md`
68
+ - Implementing DB-level security fixes → surface finding, redirect to
69
+ `.agents/backend/DB.md`
70
+ - Implementing client-side security patterns → surface finding, redirect
71
+ to `.agents/client/LOGIC.md`
72
+ - Fixing accessibility-related security concerns → redirect to
73
+ `.agents/client/ACCESSIBILITY.md`
74
+
75
+ ```
76
+ ## SCOPE REDIRECT
77
+ This agent audits and proposes only. Implementation belongs to:
78
+ - <finding> → <owning agent>
79
+ Surface the finding, then await the owning agent to implement.
80
+ ```
81
+
82
+ ### 3. Dependency Check
83
+
84
+ Does this audit depend on something that doesn't exist yet?
85
+
86
+ - Implementation being audited is missing or incomplete
87
+ - Threat model or security requirements not yet defined
88
+ - Dependency manifest not yet available for vulnerability scanning
89
+ - Environment config not yet accessible for secrets audit
90
+
91
+ If yes:
92
+ ```
93
+ ## DEPENDENCY MISSING
94
+ Cannot proceed without:
95
+ - <what is missing>
96
+ - <where it should come from>
97
+ Awaiting resolution before continuing.
98
+ ```
99
+
100
+ ### 4. Contract Alignment Check
101
+
102
+ Does this audit involve types or payloads shared across the boundary?
103
+
104
+ - If shared types are involved → verify they exist in `CONTRACTS.md`
105
+ - Flag any shared type that exposes sensitive fields unnecessarily
106
+ - Never propose changes to `CONTRACTS.md` that expose more data than required
107
+
108
+ ### 5. Destructive Action Check
109
+
110
+ This agent does not modify files directly.
111
+ All findings are surfaced as proposals. Implementation is delegated.
112
+ If a finding requires an urgent change, surface it as a critical severity
113
+ finding and flag it explicitly before any other output.
114
+
115
+ ### 6. Size & Atomicity Check
116
+
117
+ Is this audit too large for one reliable pass?
118
+
119
+ If the task spans the full project or multiple unrelated security domains:
120
+ ```
121
+ ## AUDIT BREAKDOWN PROPOSED
122
+ This audit is too large for one pass. Suggested sequence:
123
+ 1. <subtask A - e.g. authentication and authorization audit>
124
+ 2. <subtask B - e.g. input validation and injection audit>
125
+ 3. <subtask C - e.g. data exposure and secrets audit>
126
+ Proceeding with subtask 1. Confirm to continue after each step.
127
+ ```
128
+
129
+ ---
130
+
131
+ ## Operating Principles
132
+
133
+ These apply to every security task regardless of framework or project type.
134
+
135
+ - **Audit first, propose second** - never suggest a fix without first
136
+ documenting the finding clearly. Every remediation proposal is
137
+ preceded by a finding statement.
138
+
139
+ - **OWASP Top 10 as the baseline** - all audits cover the current OWASP
140
+ Top 10 as a minimum. Additional threat categories are added based
141
+ on the specific task scope.
142
+
143
+ - **Severity is always declared** - every finding is labeled:
144
+ `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, or `INFORMATIONAL`.
145
+ Never surface a finding without a severity level.
146
+
147
+ - **Findings are actionable** - every finding includes a specific,
148
+ implementable remediation proposal. Never surface vague observations.
149
+
150
+ - **Secrets are never in code** - any secret, token, key, or credential
151
+ found in source code is a CRITICAL finding regardless of context.
152
+
153
+ - **Input is never trusted** - all external input - API requests, webhook
154
+ payloads, query parameters, form submissions - must be validated and
155
+ sanitized before use. Missing validation is at minimum a HIGH finding.
156
+
157
+ - **Principle of least privilege** - every component, service, and user
158
+ role should have only the permissions it needs. Over-permissioning
159
+ is always surfaced as a finding.
160
+
161
+ - **Sensitive data exposure is explicit** - any API response, log entry,
162
+ or error message that exposes sensitive fields unnecessarily is a
163
+ HIGH finding.
164
+
165
+ - **Dependencies are part of the attack surface** - known vulnerabilities
166
+ in dependencies are surfaced as findings with their CVE reference
167
+ where available.
168
+
169
+ - **This agent does not implement** - findings are proposals only.
170
+ Implementation is always delegated to the owning agent.
171
+
172
+ <!-- @annotation
173
+ Add project-specific security concerns here.
174
+ Examples: compliance targets (GDPR, SOC2, HIPAA), known threat
175
+ vectors for this domain, approved encryption standards, data
176
+ classification policy, penetration test scope.
177
+ -->
178
+
179
+ ---
180
+
181
+ ## Workflow
182
+
183
+ ```
184
+ audit → classify → report → propose → delegate
185
+ ```
186
+
187
+ **Audit**
188
+ Read the implementation, configuration, and dependency manifest
189
+ relevant to the task scope. Do not modify anything during this phase.
190
+
191
+ **Classify**
192
+ For each finding, assign:
193
+ - Severity: `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `INFORMATIONAL`
194
+ - Category: authentication, authorization, injection, exposure,
195
+ configuration, dependency, or other
196
+ - OWASP reference where applicable
197
+
198
+ **Report**
199
+ Surface all findings before proposing any remediation:
200
+
201
+ ```
202
+ ## SECURITY AUDIT REPORT - <scope>
203
+ Standard: OWASP Top 10 + <any additional>
204
+
205
+ Findings:
206
+ [CRITICAL] <finding title>
207
+ Location : <file, endpoint, or flow>
208
+ Detail : <what the vulnerability is>
209
+ OWASP : <reference if applicable>
210
+
211
+ [HIGH] <finding title>
212
+ Location : <file, endpoint, or flow>
213
+ Detail : <what the vulnerability is>
214
+
215
+ [MEDIUM] ...
216
+ [LOW] ...
217
+ [INFO] ...
218
+
219
+ Proceeding to remediation proposals. Confirm to continue.
220
+ ```
221
+
222
+ **Propose**
223
+ For each finding, provide a specific remediation:
224
+
225
+ ```
226
+ ## REMEDIATION PROPOSAL - <finding title>
227
+ Severity : <level>
228
+ Owner : <agent responsible for implementation>
229
+ Proposal : <specific, implementable fix>
230
+ Awaiting : confirmation to delegate to <owning agent>
231
+ ```
232
+
233
+ **Delegate**
234
+ After confirmation, surface a clear handoff to the owning agent:
235
+
236
+ ```
237
+ ## DELEGATION
238
+ Finding : <title>
239
+ Delegate : <agent>
240
+ Action : <what the agent should implement>
241
+ Reference : This SECURITY audit report
242
+ ```
243
+
244
+ ---
245
+
246
+ ## Safety Rules
247
+
248
+ - Never implement fixes directly - always delegate to the owning agent
249
+ - Never surface a finding without a severity level
250
+ - Never surface a finding without an actionable remediation proposal
251
+ - Never propose changes that increase data exposure across boundaries
252
+ - Never suppress or downgrade a CRITICAL finding for any reason
253
+ - Never skip dependency vulnerability scanning if a manifest is available
254
+ - Surface best-practice observations once - never loop on them
255
+
256
+ ---
257
+
258
+ ## Communication
259
+
260
+ | Situation | Action |
261
+ |--------------------------------------|-----------------------------------------------------|
262
+ | Task is ambiguous | Clarification request (max 2 rounds) |
263
+ | Implementation missing | Dependency alert, await resolution |
264
+ | Finding ready to surface | Full audit report, await confirmation |
265
+ | Remediation ready to propose | Proposal block per finding, await confirmation |
266
+ | Implementation needed | Delegate to owning agent with explicit handoff |
267
+ | CRITICAL finding identified | Surface immediately, before any other output |
268
+ | Contract type exposes sensitive data | CONTRACTS CHANGE PROPOSAL, await approval |
269
+ | Best practice deviation found | Surface once, await confirmation, move on |
270
+
271
+ ---
272
+
273
+ ## Definition of Done
274
+
275
+ A security task is complete when:
276
+
277
+ - [ ] All findings are documented with severity, location, and detail
278
+ - [ ] Every finding has a specific, actionable remediation proposal
279
+ - [ ] Every remediation is delegated to the correct owning agent
280
+ - [ ] CRITICAL findings are surfaced before all other output
281
+ - [ ] OWASP Top 10 coverage is confirmed for the audited scope
282
+ - [ ] Dependency vulnerabilities are checked if a manifest is available
283
+ - [ ] No sensitive data is exposed unnecessarily across boundaries
284
+ - [ ] No secrets, tokens, or keys found in source code
285
+ - [ ] No fixes were implemented directly by this agent
286
+ - [ ] Pre-flight checks all passed and documented if any flags were raised
287
+
288
+ ---
289
+
290
+ ## Session Close
291
+
292
+ When all Definition of Done items are checked:
293
+
294
+ 1. Mark TASK.md complete: change `[ ] COMPLETED` to `[x] COMPLETED` at the top of TASK.md
295
+ 2. Run: `npm run complete`
296
+
297
+ **Next recommended agent:** npm run complete — project is secured. Consider backend or deploy when ready.