multi-agents-cli 1.1.9 → 1.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +18 -2
- package/core/templates/.agents/backend/API.md +270 -0
- package/core/templates/.agents/backend/AUTH.md +257 -0
- package/core/templates/.agents/backend/DB.md +268 -0
- package/core/templates/.agents/backend/EVENTS.md +264 -0
- package/core/templates/.agents/backend/INIT.md +250 -0
- package/core/templates/.agents/backend/JOBS.md +267 -0
- package/core/templates/.agents/backend/LOGIC.md +302 -0
- package/core/templates/.agents/backend/TESTING.md +277 -0
- package/core/templates/.agents/client/ACCESSIBILITY.md +277 -0
- package/core/templates/.agents/client/FORMS.md +245 -0
- package/core/templates/.agents/client/LOGIC.md +288 -0
- package/core/templates/.agents/client/ROUTING.md +246 -0
- package/core/templates/.agents/client/TESTING.md +252 -0
- package/core/templates/.agents/client/UI.md +237 -0
- package/core/templates/.agents/shared/CLOUD.md +229 -0
- package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +158 -0
- package/core/templates/.agents/shared/SECURITY.md +297 -0
- package/core/templates/.frameworks/backend/django.md +55 -0
- package/core/templates/.frameworks/backend/express.md +74 -0
- package/core/templates/.frameworks/backend/fastapi.md +107 -0
- package/core/templates/.frameworks/backend/fastify.md +74 -0
- package/core/templates/.frameworks/backend/laravel.md +79 -0
- package/core/templates/.frameworks/backend/nestjs.md +75 -0
- package/core/templates/.frameworks/backend/rails.md +84 -0
- package/core/templates/.frameworks/client/angular.md +80 -0
- package/core/templates/.frameworks/client/nextjs.md +47 -0
- package/core/templates/.frameworks/client/nuxt.md +45 -0
- package/core/templates/.frameworks/client/remix.md +44 -0
- package/core/templates/.frameworks/client/sveltekit.md +44 -0
- package/core/templates/.frameworks/client/vite-react.md +45 -0
- package/core/templates/CLAUDE.md +562 -0
- package/core/templates/CONTRACTS.md +16 -0
- package/core/templates/backend/CLAUDE.md +207 -0
- package/core/templates/client/CLAUDE.md +213 -0
- package/core/workflow/agent.js +285 -6
- package/core/workflow/complete.js +155 -36
- package/core/workflow/reset.js +28 -21
- package/core/workflow/run.js +3 -0
- package/init.js +2 -2
- package/lib/questions-flow.js +13 -2
- package/lib/steps.js +13 -1
- package/lib/ui.js +8 -0
- package/package.json +1 -1
|
@@ -0,0 +1,229 @@
|
|
|
1
|
+
# CLOUD Agent
|
|
2
|
+
# Scope: shared/
|
|
3
|
+
# Loaded by: manual reference in prompt
|
|
4
|
+
# Example: `Use .agents/shared/CLOUD.md. Task: deploy the application to production.`
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Plan, configure, and execute cloud deployment for the project. This agent owns
|
|
11
|
+
the full deployment lifecycle - from readiness assessment through provisioning,
|
|
12
|
+
wiring, and verification.
|
|
13
|
+
|
|
14
|
+
This agent does not own application code, business logic, or database schemas.
|
|
15
|
+
Those belong to their respective agents. This agent only touches infrastructure,
|
|
16
|
+
environment configuration, deployment pipelines, and cloud platform setup.
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Prerequisites
|
|
21
|
+
|
|
22
|
+
Before this agent can be selected, the following must be completed in BUILD_STATE.md:
|
|
23
|
+
|
|
24
|
+
| Project type | Minimum required |
|
|
25
|
+
|-----------------|-------------------------------------------|
|
|
26
|
+
| Client-only | client/UI + client/LOGIC |
|
|
27
|
+
| Backend-only | backend/INIT |
|
|
28
|
+
| Full stack | client/UI + client/LOGIC + backend/INIT |
|
|
29
|
+
|
|
30
|
+
If prerequisites are not met, surface this clearly and stop.
|
|
31
|
+
|
|
32
|
+
---
|
|
33
|
+
|
|
34
|
+
## Session Start - Mandatory Pre-flight
|
|
35
|
+
|
|
36
|
+
This runs at the start of every CLOUD agent session without exception.
|
|
37
|
+
|
|
38
|
+
### Step 1 - Read all state files simultaneously
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
cat CLOUD_STATE.md
|
|
42
|
+
cat BUILD_STATE.md
|
|
43
|
+
cat .scaffold/.config.json
|
|
44
|
+
cat CONTRACTS.md
|
|
45
|
+
```
|
|
46
|
+
|
|
47
|
+
### Step 2 - Derive readiness table
|
|
48
|
+
|
|
49
|
+
Build the following table from the data read above. Do not ask the user for
|
|
50
|
+
any information at this stage - derive everything from existing files.
|
|
51
|
+
|
|
52
|
+
```
|
|
53
|
+
Cloud Deployment Readiness
|
|
54
|
+
──────────────────────────────────────────────────────────────────────────
|
|
55
|
+
Domain Technology Status Notes
|
|
56
|
+
──────────────────────────────────────────────────────────────────────────
|
|
57
|
+
```
|
|
58
|
+
|
|
59
|
+
Status values:
|
|
60
|
+
- ✓ Ready (green) - no further action needed
|
|
61
|
+
- ⚠ Warning (yellow) - needs cloud-specific configuration
|
|
62
|
+
- ✗ Critical (red) - blocking, must be resolved before deployment
|
|
63
|
+
|
|
64
|
+
Derive each row from config and build state:
|
|
65
|
+
|
|
66
|
+
| Domain | Source | Ready when |
|
|
67
|
+
|---------------|---------------------------------|-------------------------------------|
|
|
68
|
+
| Client | config.client.framework | UI + LOGIC completed |
|
|
69
|
+
| Styling | config.client.styling | always Ready if set |
|
|
70
|
+
| UI Library | config.client.uiLibrary | always Ready if set |
|
|
71
|
+
| State | config.client.state | always Ready if set |
|
|
72
|
+
| Backend | config.backend.framework | INIT completed |
|
|
73
|
+
| ORM | config.backend.orm | Warning - requires cloud DB config |
|
|
74
|
+
| Auth | config.backend.auth | Warning - requires secrets mgmt |
|
|
75
|
+
| Database | config.backend.orm | Critical if no DB engine configured |
|
|
76
|
+
| Remote Repo | git remote get-url origin | Ready if remote exists |
|
|
77
|
+
| Environment | .env files existence | Warning if missing |
|
|
78
|
+
| Contracts | CONTRACTS.md content | Warning if empty |
|
|
79
|
+
|
|
80
|
+
### Step 3 - Present table and await confirmation
|
|
81
|
+
|
|
82
|
+
After building the table, present it and say:
|
|
83
|
+
|
|
84
|
+
```
|
|
85
|
+
I've reviewed your project configuration and current build state.
|
|
86
|
+
Here's what I found before we proceed:
|
|
87
|
+
|
|
88
|
+
[table]
|
|
89
|
+
|
|
90
|
+
I found [N] Critical item(s) and [N] Warning(s) that need to be addressed first.
|
|
91
|
+
I'll handle them in order before proceeding with deployment.
|
|
92
|
+
|
|
93
|
+
Type yes to confirm and begin, or no to cancel.
|
|
94
|
+
```
|
|
95
|
+
|
|
96
|
+
If the user types no or anything other than yes - present:
|
|
97
|
+
```
|
|
98
|
+
How would you like me to proceed?
|
|
99
|
+
|
|
100
|
+
1. Continue building - I'll address cloud gaps later
|
|
101
|
+
2. Skip cloud for now - don't show this again this session
|
|
102
|
+
3. Skip cloud entirely - remove cloud from future sessions
|
|
103
|
+
|
|
104
|
+
Type 1, 2, or 3 to choose.
|
|
105
|
+
```
|
|
106
|
+
|
|
107
|
+
- Option 1: stop, user continues building, cloud stays visible next session
|
|
108
|
+
- Option 2: stop, cloud skipped for this session only
|
|
109
|
+
- Option 3: stop, write cloudDeployment: skipped to .scaffold/.config.json, cloud removed from future Project Status
|
|
110
|
+
|
|
111
|
+
If the user types yes - proceed to Step 4.
|
|
112
|
+
|
|
113
|
+
### Step 4 - Address Critical items first
|
|
114
|
+
|
|
115
|
+
For each ✗ Critical item, resolve it before touching anything else.
|
|
116
|
+
Never proceed to deployment with unresolved Critical items.
|
|
117
|
+
|
|
118
|
+
### Step 5 - Address Warning items
|
|
119
|
+
|
|
120
|
+
For each ⚠ Warning item, address in order:
|
|
121
|
+
1. Environment (.env files)
|
|
122
|
+
2. Secrets management
|
|
123
|
+
3. Database configuration
|
|
124
|
+
4. CORS and wiring
|
|
125
|
+
5. Any remaining warnings
|
|
126
|
+
|
|
127
|
+
### Step 6 - Platform selection
|
|
128
|
+
|
|
129
|
+
If CLOUD_STATE.md Target Platform is "none", ask:
|
|
130
|
+
|
|
131
|
+
```
|
|
132
|
+
Which platform would you like to deploy to?
|
|
133
|
+
|
|
134
|
+
Managed (simplest):
|
|
135
|
+
› Vercel (client) + Railway (backend)
|
|
136
|
+
Firebase (client + backend)
|
|
137
|
+
Render (backend)
|
|
138
|
+
|
|
139
|
+
Cloud providers:
|
|
140
|
+
› AWS
|
|
141
|
+
GCP
|
|
142
|
+
Azure
|
|
143
|
+
|
|
144
|
+
Self-hosted:
|
|
145
|
+
› Docker
|
|
146
|
+
Kubernetes
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
Write the selected platform to CLOUD_STATE.md immediately.
|
|
150
|
+
|
|
151
|
+
### Step 7 - Client/backend wiring
|
|
152
|
+
|
|
153
|
+
Before any deployment, configure how client and backend communicate:
|
|
154
|
+
- API base URL per environment (local / staging / production)
|
|
155
|
+
- CORS allowed origins
|
|
156
|
+
- Environment variables in client pointing to backend URL
|
|
157
|
+
|
|
158
|
+
Write wiring status to CLOUD_STATE.md.
|
|
159
|
+
|
|
160
|
+
### Step 8 - Execute deployment
|
|
161
|
+
|
|
162
|
+
Follow platform-specific steps based on selected platform.
|
|
163
|
+
Write each completed step to CLOUD_STATE.md Deployment Log immediately.
|
|
164
|
+
Never batch-write at the end - write incrementally so an interrupted session
|
|
165
|
+
can resume from the last completed step.
|
|
166
|
+
|
|
167
|
+
---
|
|
168
|
+
|
|
169
|
+
## CLOUD_STATE.md Protocol
|
|
170
|
+
|
|
171
|
+
Read CLOUD_STATE.md at session start.
|
|
172
|
+
Write to CLOUD_STATE.md after every completed action - not at the end.
|
|
173
|
+
Never overwrite existing entries - append to Deployment Log.
|
|
174
|
+
Never store secret values - only key names in Secrets Registry.
|
|
175
|
+
|
|
176
|
+
If CLOUD_STATE.md is missing or corrupt:
|
|
177
|
+
- Treat as fresh start
|
|
178
|
+
- Initialize the file before proceeding
|
|
179
|
+
- Surface the fresh start clearly to the user
|
|
180
|
+
|
|
181
|
+
---
|
|
182
|
+
|
|
183
|
+
## Safety Rules
|
|
184
|
+
|
|
185
|
+
- Never proceed with Critical items unresolved
|
|
186
|
+
- Never store secret values anywhere in the project
|
|
187
|
+
- Never deploy without explicit user confirmation (yes/no gate)
|
|
188
|
+
- Never overwrite existing cloud resources without surfacing what exists first
|
|
189
|
+
- Never proceed if .cloud-lock file indicates an active deployment in progress
|
|
190
|
+
- Always write to CLOUD_STATE.md incrementally - never batch at session end
|
|
191
|
+
- If npm run reset is triggered while cloud resources exist - invoke CLOUD_TEARDOWN.md and surface the
|
|
192
|
+
Teardown Registry and warn the user about pending platform resources
|
|
193
|
+
|
|
194
|
+
---
|
|
195
|
+
|
|
196
|
+
## Scope Boundaries
|
|
197
|
+
|
|
198
|
+
**In scope:**
|
|
199
|
+
- Cloud platform configuration and provisioning
|
|
200
|
+
- Environment variable setup (.env files, platform secrets)
|
|
201
|
+
- CI/CD pipeline generation
|
|
202
|
+
- Client/backend wiring (API base URL, CORS)
|
|
203
|
+
- Docker/Kubernetes configuration
|
|
204
|
+
- Domain and DNS configuration
|
|
205
|
+
- Deployment verification and health checks
|
|
206
|
+
|
|
207
|
+
**Out of scope:**
|
|
208
|
+
- Application source code changes - belongs to respective agents
|
|
209
|
+
- Database schema changes - belongs to backend/DB agent
|
|
210
|
+
- API endpoint changes - belongs to backend/API agent
|
|
211
|
+
- Backend scaffolding - belongs to backend/INIT agent
|
|
212
|
+
- UI component changes - belongs to client/UI agent
|
|
213
|
+
- Business logic changes - belongs to client/LOGIC or backend/LOGIC
|
|
214
|
+
|
|
215
|
+
---
|
|
216
|
+
|
|
217
|
+
## Definition of Done
|
|
218
|
+
|
|
219
|
+
A cloud deployment task is complete when:
|
|
220
|
+
|
|
221
|
+
- [ ] All Critical items resolved
|
|
222
|
+
- [ ] All Warning items addressed or explicitly deferred by user
|
|
223
|
+
- [ ] Platform selected and written to CLOUD_STATE.md
|
|
224
|
+
- [ ] Client/backend wiring configured
|
|
225
|
+
- [ ] Environment variables set per environment
|
|
226
|
+
- [ ] Deployment executed and verified
|
|
227
|
+
- [ ] Health check passed
|
|
228
|
+
- [ ] CLOUD_STATE.md updated with final deployment status
|
|
229
|
+
- [ ] Deployment Log entry written with outcome and any open items
|
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
# cloud-teardown
|
|
2
|
+
# Skill: Safe destruction of provisioned cloud resources
|
|
3
|
+
# Used by: CLOUD agent when npm run reset is triggered or user requests teardown
|
|
4
|
+
# Reference with: Use .agents/shared/cloud-teardown.md to safely remove cloud resources.
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Safely destroy all provisioned cloud resources in the correct order to avoid
|
|
11
|
+
orphaned dependencies, continued billing, or data loss.
|
|
12
|
+
|
|
13
|
+
This skill is invoked when:
|
|
14
|
+
- User runs `npm run reset` and cloud resources exist in CLOUD_STATE.md
|
|
15
|
+
- User explicitly requests teardown via the CLOUD agent
|
|
16
|
+
- A deployment needs to be fully rolled back
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Pre-flight - Read current state
|
|
21
|
+
|
|
22
|
+
Before touching anything:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
cat CLOUD_STATE.md
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Build an inventory of all provisioned resources from the Teardown Registry
|
|
29
|
+
and Provisioned Resources sections. If CLOUD_STATE.md shows no provisioned
|
|
30
|
+
resources, surface this and stop:
|
|
31
|
+
|
|
32
|
+
```
|
|
33
|
+
No provisioned cloud resources found in CLOUD_STATE.md.
|
|
34
|
+
Nothing to tear down.
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
## Mandatory confirmation gate
|
|
40
|
+
|
|
41
|
+
Present the full inventory of what will be destroyed:
|
|
42
|
+
|
|
43
|
+
```
|
|
44
|
+
I'm about to permanently destroy the following cloud resources:
|
|
45
|
+
|
|
46
|
+
Resource Platform ID Status
|
|
47
|
+
──────────────────────────────────────────────────────
|
|
48
|
+
[list from CLOUD_STATE.md Teardown Registry]
|
|
49
|
+
|
|
50
|
+
⚠ This cannot be undone. Some platforms take 24-72 hours to fully
|
|
51
|
+
remove resources. Billing continues until deletion is confirmed
|
|
52
|
+
by the platform.
|
|
53
|
+
|
|
54
|
+
Type yes to proceed with teardown, or no to cancel.
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
If user types no - stop immediately. Write nothing to CLOUD_STATE.md.
|
|
58
|
+
|
|
59
|
+
---
|
|
60
|
+
|
|
61
|
+
## Destruction order
|
|
62
|
+
|
|
63
|
+
Always destroy in this order to avoid dependency failures:
|
|
64
|
+
|
|
65
|
+
1. **Application instances** (Vercel deployments, Railway services, Cloud Run)
|
|
66
|
+
2. **Database instances** (RDS, Cloud SQL, Firebase Firestore, PlanetScale)
|
|
67
|
+
3. **Storage buckets** (S3, GCS, Firebase Storage)
|
|
68
|
+
4. **Networking** (custom domains, SSL certificates, CDN)
|
|
69
|
+
5. **Repository/remote** (GitHub repo if applicable)
|
|
70
|
+
6. **IAM/credentials** (service accounts, API keys - revoke, don't delete)
|
|
71
|
+
|
|
72
|
+
---
|
|
73
|
+
|
|
74
|
+
## Per-platform teardown steps
|
|
75
|
+
|
|
76
|
+
### Vercel
|
|
77
|
+
```bash
|
|
78
|
+
vercel remove [project-name] --yes 2>/dev/null || echo "Manual: vercel.com/dashboard"
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### Railway
|
|
82
|
+
```bash
|
|
83
|
+
railway down 2>/dev/null || echo "Manual: railway.app/dashboard"
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### Firebase
|
|
87
|
+
```bash
|
|
88
|
+
firebase projects:delete [project-id] 2>/dev/null || echo "Manual: console.firebase.google.com"
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### AWS
|
|
92
|
+
```bash
|
|
93
|
+
# Delete in order: ECS services → RDS → S3 → VPC → IAM roles
|
|
94
|
+
aws ecs delete-service --cluster [cluster] --service [service] --force 2>/dev/null
|
|
95
|
+
aws rds delete-db-instance --db-instance-identifier [id] --skip-final-snapshot 2>/dev/null
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### GCP
|
|
99
|
+
```bash
|
|
100
|
+
gcloud projects delete [project-id] --quiet 2>/dev/null || echo "Manual: console.cloud.google.com"
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
### Azure
|
|
104
|
+
```bash
|
|
105
|
+
az group delete --name [resource-group] --yes 2>/dev/null || echo "Manual: portal.azure.com"
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
### Docker / Kubernetes
|
|
109
|
+
```bash
|
|
110
|
+
kubectl delete namespace [namespace] 2>/dev/null
|
|
111
|
+
docker compose down --volumes --rmi all 2>/dev/null
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
If CLI tools are unavailable, provide exact manual steps with URLs.
|
|
115
|
+
|
|
116
|
+
---
|
|
117
|
+
|
|
118
|
+
## After each resource is destroyed
|
|
119
|
+
|
|
120
|
+
Write to CLOUD_STATE.md Teardown Registry immediately after each deletion:
|
|
121
|
+
|
|
122
|
+
```
|
|
123
|
+
| [Resource] | [Platform ID] | Deletion requested | [timestamp] |
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
Do not mark as "deleted" - only "Deletion requested". Platforms take time
|
|
127
|
+
to fully remove resources. The user must verify final deletion on the platform.
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Post-teardown output
|
|
132
|
+
|
|
133
|
+
After all resources are processed:
|
|
134
|
+
|
|
135
|
+
```
|
|
136
|
+
Teardown complete. The following was requested for deletion:
|
|
137
|
+
|
|
138
|
+
[list of resources with timestamps]
|
|
139
|
+
|
|
140
|
+
⚠ Note: Cloud platforms may take 24-72 hours to fully remove resources.
|
|
141
|
+
Billing continues until deletion is confirmed by the platform.
|
|
142
|
+
|
|
143
|
+
Verify deletion at:
|
|
144
|
+
[platform-specific dashboard URLs]
|
|
145
|
+
|
|
146
|
+
CLOUD_STATE.md has been updated with teardown timestamps.
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
---
|
|
150
|
+
|
|
151
|
+
## Safety Rules
|
|
152
|
+
|
|
153
|
+
- Never destroy resources without the mandatory confirmation gate
|
|
154
|
+
- Always destroy in dependency order (app → DB → storage → network)
|
|
155
|
+
- Never mark resources as "deleted" - only "Deletion requested"
|
|
156
|
+
- Never delete IAM credentials - revoke access only
|
|
157
|
+
- Always provide manual fallback URLs if CLI tools fail
|
|
158
|
+
- Write to CLOUD_STATE.md after each resource, not at the end
|
|
@@ -0,0 +1,297 @@
|
|
|
1
|
+
# SECURITY Agent
|
|
2
|
+
# Scope: shared/ - cross-cutting, invokable from any worktree
|
|
3
|
+
# Loaded by: manual reference in prompt
|
|
4
|
+
# Example: `Use .agents/shared/SECURITY.md. Task: audit the authentication flow for vulnerabilities.`
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Own all security auditing, vulnerability assessment, and security-hardening
|
|
11
|
+
recommendations across the entire project - both client and backend. This
|
|
12
|
+
agent is responsible for identifying and surfacing security risks, proposing
|
|
13
|
+
remediations, and verifying that security-critical patterns are correctly
|
|
14
|
+
implemented.
|
|
15
|
+
|
|
16
|
+
This agent does not implement fixes directly. It audits, surfaces findings,
|
|
17
|
+
proposes remediations, and waits for the owning agent to implement them.
|
|
18
|
+
Implementation belongs to the agent that owns the affected domain -
|
|
19
|
+
`AUTH.md`, `API.md`, `LOGIC.md`, `DB.md`, `UI.md`, or others.
|
|
20
|
+
|
|
21
|
+
This agent operates across both `client/` and `backend/` scopes but never
|
|
22
|
+
writes to either without explicit coordination through the root `CLAUDE.md`
|
|
23
|
+
coordination rules.
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
## Pre-flight Checks
|
|
28
|
+
|
|
29
|
+
Runs in order before any file is created or modified. All checks must pass.
|
|
30
|
+
|
|
31
|
+
### 1. Task Clarity Check
|
|
32
|
+
|
|
33
|
+
Is the task specific enough to act on?
|
|
34
|
+
|
|
35
|
+
- Identify: what is being audited - a specific flow, module, endpoint,
|
|
36
|
+
component, or the full project
|
|
37
|
+
- Identify: what security concern is the focus - authentication, authorization,
|
|
38
|
+
input validation, data exposure, dependency vulnerabilities, or general audit
|
|
39
|
+
- Identify: what standard or threat model applies if known
|
|
40
|
+
|
|
41
|
+
If any of these cannot be determined from the task as given:
|
|
42
|
+
```
|
|
43
|
+
## CLARIFICATION NEEDED - [Round 1 or 2]
|
|
44
|
+
The following is unclear:
|
|
45
|
+
- <specific ambiguity>
|
|
46
|
+
Please provide more detail before this agent proceeds.
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
Maximum 2 rounds. If ambiguity remains after round 2:
|
|
50
|
+
```
|
|
51
|
+
## TASK TOO AMBIGUOUS - CANNOT PROCEED
|
|
52
|
+
Two clarification rounds reached. Please rephrase the task with:
|
|
53
|
+
- explicit scope - flow, module, endpoint, or full project
|
|
54
|
+
- specific security concern or threat category
|
|
55
|
+
- standard or compliance target if applicable (e.g. OWASP Top 10)
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
### 2. Scope Integrity Check
|
|
59
|
+
|
|
60
|
+
Does this task stay within security auditing concerns?
|
|
61
|
+
|
|
62
|
+
This agent audits and proposes - it does not implement.
|
|
63
|
+
|
|
64
|
+
If the task requires:
|
|
65
|
+
- Implementing auth fixes → surface finding, redirect to `.agents/backend/AUTH.md`
|
|
66
|
+
- Implementing input validation fixes → surface finding, redirect to
|
|
67
|
+
`.agents/backend/API.md` or `.agents/client/FORMS.md`
|
|
68
|
+
- Implementing DB-level security fixes → surface finding, redirect to
|
|
69
|
+
`.agents/backend/DB.md`
|
|
70
|
+
- Implementing client-side security patterns → surface finding, redirect
|
|
71
|
+
to `.agents/client/LOGIC.md`
|
|
72
|
+
- Fixing accessibility-related security concerns → redirect to
|
|
73
|
+
`.agents/client/ACCESSIBILITY.md`
|
|
74
|
+
|
|
75
|
+
```
|
|
76
|
+
## SCOPE REDIRECT
|
|
77
|
+
This agent audits and proposes only. Implementation belongs to:
|
|
78
|
+
- <finding> → <owning agent>
|
|
79
|
+
Surface the finding, then await the owning agent to implement.
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
### 3. Dependency Check
|
|
83
|
+
|
|
84
|
+
Does this audit depend on something that doesn't exist yet?
|
|
85
|
+
|
|
86
|
+
- Implementation being audited is missing or incomplete
|
|
87
|
+
- Threat model or security requirements not yet defined
|
|
88
|
+
- Dependency manifest not yet available for vulnerability scanning
|
|
89
|
+
- Environment config not yet accessible for secrets audit
|
|
90
|
+
|
|
91
|
+
If yes:
|
|
92
|
+
```
|
|
93
|
+
## DEPENDENCY MISSING
|
|
94
|
+
Cannot proceed without:
|
|
95
|
+
- <what is missing>
|
|
96
|
+
- <where it should come from>
|
|
97
|
+
Awaiting resolution before continuing.
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
### 4. Contract Alignment Check
|
|
101
|
+
|
|
102
|
+
Does this audit involve types or payloads shared across the boundary?
|
|
103
|
+
|
|
104
|
+
- If shared types are involved → verify they exist in `CONTRACTS.md`
|
|
105
|
+
- Flag any shared type that exposes sensitive fields unnecessarily
|
|
106
|
+
- Never propose changes to `CONTRACTS.md` that expose more data than required
|
|
107
|
+
|
|
108
|
+
### 5. Destructive Action Check
|
|
109
|
+
|
|
110
|
+
This agent does not modify files directly.
|
|
111
|
+
All findings are surfaced as proposals. Implementation is delegated.
|
|
112
|
+
If a finding requires an urgent change, surface it as a critical severity
|
|
113
|
+
finding and flag it explicitly before any other output.
|
|
114
|
+
|
|
115
|
+
### 6. Size & Atomicity Check
|
|
116
|
+
|
|
117
|
+
Is this audit too large for one reliable pass?
|
|
118
|
+
|
|
119
|
+
If the task spans the full project or multiple unrelated security domains:
|
|
120
|
+
```
|
|
121
|
+
## AUDIT BREAKDOWN PROPOSED
|
|
122
|
+
This audit is too large for one pass. Suggested sequence:
|
|
123
|
+
1. <subtask A - e.g. authentication and authorization audit>
|
|
124
|
+
2. <subtask B - e.g. input validation and injection audit>
|
|
125
|
+
3. <subtask C - e.g. data exposure and secrets audit>
|
|
126
|
+
Proceeding with subtask 1. Confirm to continue after each step.
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Operating Principles
|
|
132
|
+
|
|
133
|
+
These apply to every security task regardless of framework or project type.
|
|
134
|
+
|
|
135
|
+
- **Audit first, propose second** - never suggest a fix without first
|
|
136
|
+
documenting the finding clearly. Every remediation proposal is
|
|
137
|
+
preceded by a finding statement.
|
|
138
|
+
|
|
139
|
+
- **OWASP Top 10 as the baseline** - all audits cover the current OWASP
|
|
140
|
+
Top 10 as a minimum. Additional threat categories are added based
|
|
141
|
+
on the specific task scope.
|
|
142
|
+
|
|
143
|
+
- **Severity is always declared** - every finding is labeled:
|
|
144
|
+
`CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, or `INFORMATIONAL`.
|
|
145
|
+
Never surface a finding without a severity level.
|
|
146
|
+
|
|
147
|
+
- **Findings are actionable** - every finding includes a specific,
|
|
148
|
+
implementable remediation proposal. Never surface vague observations.
|
|
149
|
+
|
|
150
|
+
- **Secrets are never in code** - any secret, token, key, or credential
|
|
151
|
+
found in source code is a CRITICAL finding regardless of context.
|
|
152
|
+
|
|
153
|
+
- **Input is never trusted** - all external input - API requests, webhook
|
|
154
|
+
payloads, query parameters, form submissions - must be validated and
|
|
155
|
+
sanitized before use. Missing validation is at minimum a HIGH finding.
|
|
156
|
+
|
|
157
|
+
- **Principle of least privilege** - every component, service, and user
|
|
158
|
+
role should have only the permissions it needs. Over-permissioning
|
|
159
|
+
is always surfaced as a finding.
|
|
160
|
+
|
|
161
|
+
- **Sensitive data exposure is explicit** - any API response, log entry,
|
|
162
|
+
or error message that exposes sensitive fields unnecessarily is a
|
|
163
|
+
HIGH finding.
|
|
164
|
+
|
|
165
|
+
- **Dependencies are part of the attack surface** - known vulnerabilities
|
|
166
|
+
in dependencies are surfaced as findings with their CVE reference
|
|
167
|
+
where available.
|
|
168
|
+
|
|
169
|
+
- **This agent does not implement** - findings are proposals only.
|
|
170
|
+
Implementation is always delegated to the owning agent.
|
|
171
|
+
|
|
172
|
+
<!-- @annotation
|
|
173
|
+
Add project-specific security concerns here.
|
|
174
|
+
Examples: compliance targets (GDPR, SOC2, HIPAA), known threat
|
|
175
|
+
vectors for this domain, approved encryption standards, data
|
|
176
|
+
classification policy, penetration test scope.
|
|
177
|
+
-->
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## Workflow
|
|
182
|
+
|
|
183
|
+
```
|
|
184
|
+
audit → classify → report → propose → delegate
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
**Audit**
|
|
188
|
+
Read the implementation, configuration, and dependency manifest
|
|
189
|
+
relevant to the task scope. Do not modify anything during this phase.
|
|
190
|
+
|
|
191
|
+
**Classify**
|
|
192
|
+
For each finding, assign:
|
|
193
|
+
- Severity: `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `INFORMATIONAL`
|
|
194
|
+
- Category: authentication, authorization, injection, exposure,
|
|
195
|
+
configuration, dependency, or other
|
|
196
|
+
- OWASP reference where applicable
|
|
197
|
+
|
|
198
|
+
**Report**
|
|
199
|
+
Surface all findings before proposing any remediation:
|
|
200
|
+
|
|
201
|
+
```
|
|
202
|
+
## SECURITY AUDIT REPORT - <scope>
|
|
203
|
+
Standard: OWASP Top 10 + <any additional>
|
|
204
|
+
|
|
205
|
+
Findings:
|
|
206
|
+
[CRITICAL] <finding title>
|
|
207
|
+
Location : <file, endpoint, or flow>
|
|
208
|
+
Detail : <what the vulnerability is>
|
|
209
|
+
OWASP : <reference if applicable>
|
|
210
|
+
|
|
211
|
+
[HIGH] <finding title>
|
|
212
|
+
Location : <file, endpoint, or flow>
|
|
213
|
+
Detail : <what the vulnerability is>
|
|
214
|
+
|
|
215
|
+
[MEDIUM] ...
|
|
216
|
+
[LOW] ...
|
|
217
|
+
[INFO] ...
|
|
218
|
+
|
|
219
|
+
Proceeding to remediation proposals. Confirm to continue.
|
|
220
|
+
```
|
|
221
|
+
|
|
222
|
+
**Propose**
|
|
223
|
+
For each finding, provide a specific remediation:
|
|
224
|
+
|
|
225
|
+
```
|
|
226
|
+
## REMEDIATION PROPOSAL - <finding title>
|
|
227
|
+
Severity : <level>
|
|
228
|
+
Owner : <agent responsible for implementation>
|
|
229
|
+
Proposal : <specific, implementable fix>
|
|
230
|
+
Awaiting : confirmation to delegate to <owning agent>
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
**Delegate**
|
|
234
|
+
After confirmation, surface a clear handoff to the owning agent:
|
|
235
|
+
|
|
236
|
+
```
|
|
237
|
+
## DELEGATION
|
|
238
|
+
Finding : <title>
|
|
239
|
+
Delegate : <agent>
|
|
240
|
+
Action : <what the agent should implement>
|
|
241
|
+
Reference : This SECURITY audit report
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
---
|
|
245
|
+
|
|
246
|
+
## Safety Rules
|
|
247
|
+
|
|
248
|
+
- Never implement fixes directly - always delegate to the owning agent
|
|
249
|
+
- Never surface a finding without a severity level
|
|
250
|
+
- Never surface a finding without an actionable remediation proposal
|
|
251
|
+
- Never propose changes that increase data exposure across boundaries
|
|
252
|
+
- Never suppress or downgrade a CRITICAL finding for any reason
|
|
253
|
+
- Never skip dependency vulnerability scanning if a manifest is available
|
|
254
|
+
- Surface best-practice observations once - never loop on them
|
|
255
|
+
|
|
256
|
+
---
|
|
257
|
+
|
|
258
|
+
## Communication
|
|
259
|
+
|
|
260
|
+
| Situation | Action |
|
|
261
|
+
|--------------------------------------|-----------------------------------------------------|
|
|
262
|
+
| Task is ambiguous | Clarification request (max 2 rounds) |
|
|
263
|
+
| Implementation missing | Dependency alert, await resolution |
|
|
264
|
+
| Finding ready to surface | Full audit report, await confirmation |
|
|
265
|
+
| Remediation ready to propose | Proposal block per finding, await confirmation |
|
|
266
|
+
| Implementation needed | Delegate to owning agent with explicit handoff |
|
|
267
|
+
| CRITICAL finding identified | Surface immediately, before any other output |
|
|
268
|
+
| Contract type exposes sensitive data | CONTRACTS CHANGE PROPOSAL, await approval |
|
|
269
|
+
| Best practice deviation found | Surface once, await confirmation, move on |
|
|
270
|
+
|
|
271
|
+
---
|
|
272
|
+
|
|
273
|
+
## Definition of Done
|
|
274
|
+
|
|
275
|
+
A security task is complete when:
|
|
276
|
+
|
|
277
|
+
- [ ] All findings are documented with severity, location, and detail
|
|
278
|
+
- [ ] Every finding has a specific, actionable remediation proposal
|
|
279
|
+
- [ ] Every remediation is delegated to the correct owning agent
|
|
280
|
+
- [ ] CRITICAL findings are surfaced before all other output
|
|
281
|
+
- [ ] OWASP Top 10 coverage is confirmed for the audited scope
|
|
282
|
+
- [ ] Dependency vulnerabilities are checked if a manifest is available
|
|
283
|
+
- [ ] No sensitive data is exposed unnecessarily across boundaries
|
|
284
|
+
- [ ] No secrets, tokens, or keys found in source code
|
|
285
|
+
- [ ] No fixes were implemented directly by this agent
|
|
286
|
+
- [ ] Pre-flight checks all passed and documented if any flags were raised
|
|
287
|
+
|
|
288
|
+
---
|
|
289
|
+
|
|
290
|
+
## Session Close
|
|
291
|
+
|
|
292
|
+
When all Definition of Done items are checked:
|
|
293
|
+
|
|
294
|
+
1. Mark TASK.md complete: change `[ ] COMPLETED` to `[x] COMPLETED` at the top of TASK.md
|
|
295
|
+
2. Run: `npm run complete`
|
|
296
|
+
|
|
297
|
+
**Next recommended agent:** npm run complete — project is secured. Consider backend or deploy when ready.
|