oh-my-ag 1.2.0

package/.agent/skills/pm-agent/SKILL.md

@@ -0,0 +1,47 @@
+---
+name: pm-agent
+description: Product manager that decomposes requirements into actionable tasks with priorities and dependencies
+---
+
+# PM Agent - Product Manager
+
+## When to use
+- Breaking down complex feature requests into tasks
+- Determining technical feasibility and architecture
+- Prioritizing work and planning sprints
+- Defining API contracts and data models
+
+## When NOT to use
+- Implementing actual code -> delegate to specialized agents
+- Performing code reviews -> use QA Agent
+
+## Core Rules
+1. API-first design: define contracts before implementation tasks
+2. Every task has: agent, title, acceptance criteria, priority, dependencies
+3. Minimize dependencies for maximum parallel execution
+4. Security and testing are part of every task (not separate phases)
+5. Tasks should be completable by a single agent
+6. Output JSON plan + task-board.md for orchestrator compatibility
+
+## How to Execute
+Follow `resources/execution-protocol.md` step by step.
+See `resources/examples.md` for input/output examples.
+Save plan to `.agent/plan.json` and `.gemini/antigravity/brain/current-plan.md`.
+
+## Common Pitfalls
+- Too Granular: "Implement user auth API" is one task, not five
+- Vague Tasks: "Make it better" -> "Add loading states to all forms"
+- Tight Coupling: tasks should use public APIs, not internal state
+- Deferred Quality: testing is part of every task, not a final phase
+
+## References
+- Execution steps: `resources/execution-protocol.md`
+- Plan examples: `resources/examples.md`
+- Error recovery: `resources/error-playbook.md`
+- Task schema: `resources/task-template.json`
+- API contracts: `../_shared/api-contracts/`
+- Context loading: `../_shared/context-loading.md`
+- Reasoning templates: `../_shared/reasoning-templates.md`
+- Clarification: `../_shared/clarification-protocol.md`
+- Context budget: `../_shared/context-budget.md`
+- Lessons learned: `../_shared/lessons-learned.md`

package/.agent/skills/pm-agent/resources/error-playbook.md

@@ -0,0 +1,75 @@
+# PM Agent - Error Recovery Playbook
+
+When you encounter a failure during planning, follow these recovery steps.
+
+---
+
+## Requirements Ambiguous
+
+**Symptoms**: User request is vague ("좋은 앱 만들어줘", "Make it better")
+
+1. Break down what you DO understand
+2. List specific assumptions you're making
+3. Create plan based on reasonable assumptions
+4. Mark assumptions clearly: `⚠️ Assumption: [description]`
+5. **절대 하지 말 것**: 모호한 채로 태스크를 생성 — 에이전트가 방향을 잃음
+
+---
+
+## Existing Codebase Unknown
+
+**Symptoms**: Planning for an existing project but don't know the architecture
+
+1. Use Serena: `get_symbols_overview("src/")` or `get_symbols_overview("app/")`
+2. Look for framework indicators: `package.json`, `pyproject.toml`, `pubspec.yaml`
+3. Check for existing patterns: `search_for_pattern("@app.get|@app.post")` (FastAPI)
+4. If Serena unavailable: note in plan "architecture assumptions — verify before execution"
+
+---
+
+## Task Decomposition Too Granular or Too Coarse
+
+**Self-check**:
+- Each task should take 1 agent, 10-20 turns
+- If a task needs < 5 turns: merge with a related task
+- If a task needs > 30 turns: split into sub-tasks
+- If unsure: err on the side of fewer, larger tasks
+
+---
+
+## Dependency Deadlock
+
+**Symptoms**: Task A depends on B, B depends on A (circular)
+
+1. Identify the cycle
+2. Break it by defining an API contract or shared interface first
+3. Create a priority-0 task: "Define API contracts" (no dependencies)
+4. Both tasks then depend on the contract, not on each other
+
+---
+
+## Tech Stack Decision Unclear
+
+**Symptoms**: Multiple valid options, no clear winner
+
+1. Check existing codebase — consistency wins over "better" tech
+2. If greenfield: use the project's default stack (see SKILL.md tech-stack references)
+3. Default choices:
+   - Frontend: Next.js 14 + TypeScript + Tailwind
+   - Backend: FastAPI + PostgreSQL + Redis
+   - Mobile: Flutter + Riverpod
+4. Note decision rationale in plan: `tech_decision: { choice: "X", reason: "Y" }`
+
+---
+
+## Serena Memory / Quota Issues
+
+동일: backend-agent 플레이북의 해당 섹션 참조.
+
+---
+
+## 일반 원칙
+
+- **계획은 코드가 아님**: 완벽하지 않아도 됨. 에이전트가 실행 중 조정할 수 있음
+- **막힘**: 5턴 이상 진전 없으면 현재 상태 저장, `Status: blocked`
+- **코드 작성 금지**: PM은 계획만 — 구현은 다른 에이전트에게 위임

package/.agent/skills/pm-agent/resources/examples.md

@@ -0,0 +1,121 @@
+# PM Agent - Examples
+
+## Example 1: Simple TODO App
+
+**Input**: "JWT 인증이 있는 TODO 앱을 만들어줘"
+
+**Output**:
+```json
+{
+  "project_name": "TODO App with JWT Auth",
+  "tech_stack": {
+    "frontend": "Next.js 14 + TypeScript + Tailwind",
+    "backend": "FastAPI + PostgreSQL + Redis",
+    "testing": "pytest + Vitest + Playwright"
+  },
+  "tasks": [
+    {
+      "id": "task-1",
+      "agent": "backend",
+      "title": "JWT authentication API",
+      "priority": 1,
+      "dependencies": [],
+      "estimated_complexity": "high",
+      "acceptance_criteria": [
+        "POST /api/auth/register with email + password",
+        "POST /api/auth/login returns access + refresh tokens",
+        "Password hashed with bcrypt",
+        "Rate limiting: 5/min on login"
+      ]
+    },
+    {
+      "id": "task-2",
+      "agent": "backend",
+      "title": "TODO CRUD API",
+      "priority": 1,
+      "dependencies": [],
+      "acceptance_criteria": [
+        "CRUD endpoints for /api/todos",
+        "User-scoped (JWT required)",
+        "Pagination on list endpoint"
+      ]
+    },
+    {
+      "id": "task-3",
+      "agent": "frontend",
+      "title": "Login + Register UI",
+      "priority": 1,
+      "dependencies": [],
+      "acceptance_criteria": [
+        "Login and register forms with validation",
+        "JWT token storage",
+        "Redirect to /todos after login"
+      ]
+    },
+    {
+      "id": "task-4",
+      "agent": "frontend",
+      "title": "TODO List UI",
+      "priority": 2,
+      "dependencies": ["task-2", "task-3"],
+      "acceptance_criteria": [
+        "Add, toggle, delete todos",
+        "Loading and empty states",
+        "Responsive design"
+      ]
+    },
+    {
+      "id": "task-5",
+      "agent": "qa",
+      "title": "Security & Performance Review",
+      "priority": 3,
+      "dependencies": ["task-1", "task-2", "task-3", "task-4"],
+      "acceptance_criteria": [
+        "OWASP Top 10 audit passed",
+        "Lighthouse > 90",
+        "No N+1 queries"
+      ]
+    }
+  ]
+}
+```
+
+## Example 2: Feature Addition to Existing App
+
+**Input**: "Add a comment system to the blog posts"
+
+**Output**:
+```json
+{
+  "project_name": "Blog Comments Feature",
+  "tasks": [
+    {
+      "id": "task-1",
+      "agent": "backend",
+      "title": "Comments API",
+      "priority": 1,
+      "dependencies": [],
+      "acceptance_criteria": [
+        "POST /api/posts/{id}/comments (auth required)",
+        "GET /api/posts/{id}/comments (public, paginated)",
+        "DELETE /api/comments/{id} (owner only)",
+        "Nested replies (1 level deep)"
+      ]
+    },
+    {
+      "id": "task-2",
+      "agent": "frontend",
+      "title": "Comment Section UI",
+      "priority": 2,
+      "dependencies": ["task-1"],
+      "acceptance_criteria": [
+        "Comment list with pagination (load more)",
+        "Add comment form (auth required)",
+        "Reply to comment",
+        "Delete own comment",
+        "Real-time count update"
+      ]
+    }
+  ]
+}
+```

package/.agent/skills/pm-agent/resources/execution-protocol.md

@@ -0,0 +1,46 @@
+# PM Agent - Execution Protocol
+
+## Step 0: Prepare
+1. **Assess difficulty** — see `../_shared/difficulty-guide.md`
+   - **Simple**: Lightweight plan, 3-5 tasks | **Medium**: Full 4 steps | **Complex**: Full + API contracts
+2. **Clarify requirements** — follow `../_shared/clarification-protocol.md` (critical for PM)
+   - Check **Uncertainty Triggers**: 비즈니스 로직, 보안/인증, 기존 코드 충돌?
+   - Determine level: LOW → proceed | MEDIUM → present options | HIGH → ask immediately
+3. **Use reasoning templates** — for architecture decisions, use `../_shared/reasoning-templates.md` (decision matrix)
+4. **Check lessons** — read cross-domain section in `../_shared/lessons-learned.md`
+
+**⚠️ Intelligent Escalation**: When uncertain, escalate early. Don't blindly proceed.
+
+Follow these steps in order (adjust depth by difficulty).
+
+## Step 1: Analyze Requirements
+- Parse user request into concrete requirements
+- Identify explicit and implicit features
+- List edge cases and assumptions
+- Ask clarifying questions if ambiguous
+- Use Serena (if existing codebase): `get_symbols_overview` to understand current architecture
+
+## Step 2: Design Architecture
+- Select tech stack (frontend, backend, mobile, database, infra)
+- Define API contracts (method, path, request/response schema)
+- Design data models (tables, relationships, indexes)
+- Identify security requirements (auth, validation, encryption)
+- Plan infrastructure (hosting, caching, CDN, monitoring)
+
+## Step 3: Decompose Tasks
+- Break into tasks completable by a single agent
+- Each task has: agent, title, description, acceptance criteria, priority, dependencies
+- Minimize dependencies for maximum parallel execution
+- Priority tiers: 1 = independent (run first), 2 = depends on tier 1, etc.
+- Complexity: Low / Medium / High / Very High
+- Save to `.agent/plan.json` and `.gemini/antigravity/brain/current-plan.md`
+
+## Step 4: Validate Plan
+- Check: Can each task be done independently given its dependencies?
+- Check: Are acceptance criteria measurable and testable?
+- Check: Is security considered from the start (not deferred)?
+- Check: Are API contracts defined before frontend/mobile tasks?
+- Output task-board.md format for orchestrator compatibility
+
+## On Error
+See `resources/error-playbook.md` for recovery steps.

package/.agent/skills/pm-agent/resources/task-template.json

@@ -0,0 +1,57 @@
+{
+  "project_name": "",
+  "description": "",
+  "tech_stack": {
+    "frontend": "",
+    "backend": "",
+    "mobile": "",
+    "database": "",
+    "infrastructure": ""
+  },
+  "architecture_decisions": [
+    {
+      "decision": "",
+      "rationale": "",
+      "alternatives_considered": []
+    }
+  ],
+  "tasks": [
+    {
+      "id": "task-1",
+      "agent": "backend|frontend|mobile|qa",
+      "title": "",
+      "description": "",
+      "priority": 1,
+      "dependencies": [],
+      "estimated_complexity": "low|medium|high|very-high",
+      "acceptance_criteria": [],
+      "artifacts_expected": []
+    }
+  ],
+  "api_contracts": [
+    {
+      "endpoint": "",
+      "method": "GET|POST|PUT|DELETE|PATCH",
+      "request": {},
+      "response": {},
+      "headers": {}
+    }
+  ],
+  "data_models": [
+    {
+      "entity": "",
+      "fields": {}
+    }
+  ],
+  "non_functional_requirements": {
+    "security": [],
+    "performance": [],
+    "scalability": []
+  },
+  "testing_strategy": {
+    "unit_tests": "",
+    "integration_tests": "",
+    "e2e_tests": "",
+    "performance_tests": ""
+  }
+}

package/.agent/skills/qa-agent/SKILL.md

@@ -0,0 +1,43 @@
+---
+name: qa-agent
+description: Quality assurance specialist for security, performance, accessibility, and comprehensive testing
+---
+
+# QA Agent - Quality Assurance Specialist
+
+## When to use
+- Final review before deployment
+- Security audits (OWASP Top 10)
+- Performance analysis
+- Accessibility compliance (WCAG 2.1 AA)
+- Test coverage analysis
+
+## When NOT to use
+- Initial implementation -> let specialists build first
+- Writing new features -> use domain agents
+
+## Core Rules
+1. Review in priority order: Security > Performance > Accessibility > Code Quality
+2. Every finding must include file:line, description, and fix
+3. Severity: CRITICAL (security breach/data loss), HIGH (blocks launch), MEDIUM (this sprint), LOW (backlog)
+4. Run automated tools first: `npm audit`, `bandit`, `lighthouse`
+5. No false positives - every finding must be reproducible
+6. Provide remediation code, not just descriptions
+
+## How to Execute
+Follow `resources/execution-protocol.md` step by step.
+See `resources/examples.md` for input/output examples.
+Before submitting, run `resources/self-check.md`.
+
+## Serena Memory (CLI Mode)
+See `../_shared/serena-memory-protocol.md`.
+
+## References
+- Execution steps: `resources/execution-protocol.md`
+- Report examples: `resources/examples.md`
+- QA checklist: `resources/checklist.md`
+- Self-check: `resources/self-check.md`
+- Error recovery: `resources/error-playbook.md`
+- Context loading: `../_shared/context-loading.md`
+- Context budget: `../_shared/context-budget.md`
+- Lessons learned: `../_shared/lessons-learned.md`

package/.agent/skills/qa-agent/resources/checklist.md

@@ -0,0 +1,294 @@
+# QA Review Checklist
+
+## Security Checklist
+
+### Authentication & Authorization
+- [ ] Passwords hashed with bcrypt/argon2 (not MD5/SHA1)
+- [ ] Password strength requirements enforced (min 8 chars)
+- [ ] JWT tokens properly signed and validated
+- [ ] Refresh tokens implemented (if long sessions needed)
+- [ ] Token expiry reasonable (15min access, 7day refresh)
+- [ ] Authorization checks on ALL endpoints
+- [ ] Users can only access their own data
+- [ ] Admin functions require admin role
+- [ ] Rate limiting on auth endpoints (5-10 attempts/min)
+- [ ] Account lockout after failed login attempts (optional)
+- [ ] MFA available (optional, but recommended)
+
+### Input Validation & Injection
+- [ ] SQL injection: ORM used OR parameterized queries
+- [ ] XSS: Input sanitized, CSP headers set
+- [ ] Command injection: No shell execution with user input
+- [ ] Path traversal: File paths validated
+- [ ] LDAP injection: LDAP queries parameterized
+- [ ] XML injection: XML parsing secure
+- [ ] Email validation (proper regex/library)
+- [ ] URL validation (allowlist for external requests)
+
+### Data Protection
+- [ ] HTTPS enforced (redirect HTTP to HTTPS)
+- [ ] Sensitive data NOT in logs
+- [ ] Sensitive data NOT in error messages
+- [ ] Sensitive data NOT in URLs (use POST body)
+- [ ] Database backups encrypted
+- [ ] PII data encrypted at rest (if applicable)
+- [ ] Secure session management (httpOnly, secure, sameSite cookies)
+
+### API Security
+- [ ] CORS properly configured (not `*` in production)
+- [ ] CSRF protection enabled
+- [ ] Rate limiting on API endpoints
+- [ ] API keys/tokens NOT in source code
+- [ ] API versioning implemented
+- [ ] Proper error handling (no stack traces exposed)
+
+### Dependencies
+- [ ] No high/critical vulnerabilities (npm audit / safety check)
+- [ ] Dependencies up-to-date
+- [ ] No unused dependencies
+- [ ] License compliance checked
+
+---
+
+## Performance Checklist
+
+### Backend Performance
+- [ ] API response time < 200ms (p95)
+- [ ] Database queries optimized (no N+1)
+- [ ] Database indexes on foreign keys and frequent queries
+- [ ] Connection pooling configured
+- [ ] Caching implemented (Redis for frequent queries)
+- [ ] Pagination for large result sets
+- [ ] Async operations where appropriate
+- [ ] Background jobs for heavy tasks
+
+### Frontend Performance
+- [ ] Lighthouse Performance score > 90
+- [ ] First Contentful Paint (FCP) < 1.5s
+- [ ] Largest Contentful Paint (LCP) < 2.5s
+- [ ] Cumulative Layout Shift (CLS) < 0.1
+- [ ] Time to Interactive (TTI) < 3.5s
+- [ ] Bundle size < 500KB (main bundle)
+- [ ] Code splitting implemented
+- [ ] Lazy loading for non-critical components
+- [ ] Images optimized (WebP, compression)
+- [ ] Images lazy loaded (loading="lazy")
+- [ ] Fonts optimized (font-display: swap)
+- [ ] No render-blocking resources
+- [ ] Service worker for caching (optional)
+
+### Mobile Performance
+- [ ] App size < 30MB (Android), < 50MB (iOS)
+- [ ] Cold start < 2s
+- [ ] Smooth scrolling (60fps)
+- [ ] No memory leaks
+- [ ] Battery usage minimal
+- [ ] Offline support (if required)
+
+---
+
+## Accessibility Checklist (WCAG 2.1 AA)
+
+### Perceivable
+- [ ] All images have alt text
+- [ ] Decorative images have empty alt (`alt=""`)
+- [ ] Color contrast 4.5:1 (normal text), 3:1 (large text)
+- [ ] Text resizable up to 200% without loss of content
+- [ ] Content understandable without color alone
+- [ ] Audio/video has captions (if applicable)
+
+### Operable
+- [ ] All functionality available via keyboard
+- [ ] No keyboard trap
+- [ ] Focus order is logical
+- [ ] Focus indicators visible
+- [ ] Skip to main content link
+- [ ] No content flashes more than 3 times per second
+- [ ] Enough time to read/interact with content
+- [ ] Pause/stop for moving content
+
+### Understandable
+- [ ] Page language set (`<html lang="en">`)
+- [ ] Clear labels on form inputs
+- [ ] Error messages clear and helpful
+- [ ] Required fields indicated
+- [ ] Consistent navigation across pages
+- [ ] Predictable behavior (no unexpected popups)
+
+### Robust
+- [ ] Valid HTML (semantic tags)
+- [ ] ARIA labels where needed
+- [ ] ARIA roles appropriate
+- [ ] Works with screen readers (test with NVDA/JAWS)
+- [ ] Works in different browsers (Chrome, Firefox, Safari, Edge)
+
+---
+
+## Testing Checklist
+
+### Unit Tests
+- [ ] Test coverage > 80%
+- [ ] All business logic functions tested
+- [ ] Edge cases covered
+- [ ] Error handling tested
+- [ ] Mocks used appropriately
+- [ ] Tests run fast (< 10s total)
+- [ ] No flaky tests
+
+### Integration Tests
+- [ ] All API endpoints tested
+- [ ] Database operations tested
+- [ ] Auth flow tested
+- [ ] Error responses tested (401, 403, 404, 500)
+- [ ] Request validation tested
+
+### E2E Tests
+- [ ] Critical user flows tested (registration, login, main feature)
+- [ ] Happy path tested
+- [ ] Error scenarios tested
+- [ ] Mobile responsive tested
+- [ ] Cross-browser tested (Chrome, Firefox, Safari)
+
+### Performance Tests
+- [ ] Load testing (1000 concurrent users)
+- [ ] Stress testing (identify breaking point)
+- [ ] Database under load tested
+- [ ] API rate limits tested
+
+---
+
+## Code Quality Checklist
+
+### Architecture
+- [ ] Clear separation of concerns
+- [ ] DRY principle followed (no duplication > 5%)
+- [ ] SOLID principles followed
+- [ ] Dependency injection used
+- [ ] Repository pattern (backend)
+- [ ] Component composition (frontend)
+
+### Code Metrics
+- [ ] Cyclomatic complexity < 10 per function
+- [ ] Function length < 50 lines
+- [ ] File length < 500 lines
+- [ ] No deeply nested code (< 4 levels)
+- [ ] Meaningful variable names
+
+### Error Handling
+- [ ] All async operations have try/catch
+- [ ] Errors logged appropriately
+- [ ] User-friendly error messages
+- [ ] No silent failures
+- [ ] Graceful degradation
+
+### Documentation
+- [ ] README with setup instructions
+- [ ] API documentation (OpenAPI/Swagger)
+- [ ] Complex logic documented
+- [ ] Environment variables documented
+- [ ] No TODO/FIXME in production code
+
+---
+
+## Browser Compatibility Checklist
+
+### Desktop
+- [ ] Chrome (latest 2 versions)
+- [ ] Firefox (latest 2 versions)
+- [ ] Safari (latest 2 versions)
+- [ ] Edge (latest 2 versions)
+
+### Mobile
+- [ ] iOS Safari (latest 2 versions)
+- [ ] Android Chrome (latest 2 versions)
+- [ ] Responsive breakpoints (320px, 768px, 1024px, 1440px)
+
+---
+
+## DevOps Checklist
+
+### Environment
+- [ ] Environment variables used (not hardcoded)
+- [ ] .env.example provided
+- [ ] Secrets NOT in source code
+- [ ] Different configs for dev/staging/prod
+
+### Logging
+- [ ] Appropriate log levels (DEBUG, INFO, WARNING, ERROR)
+- [ ] No sensitive data in logs
+- [ ] Structured logging (JSON format)
+- [ ] Log rotation configured
+
+### Monitoring
+- [ ] Health check endpoint (`/health`)
+- [ ] Error tracking (Sentry, Rollbar, etc.)
+- [ ] Performance monitoring (APM)
+- [ ] Uptime monitoring
+
+### Deployment
+- [ ] CI/CD pipeline configured
+- [ ] Automated tests in CI
+- [ ] Database migrations automated
+- [ ] Rollback plan documented
+- [ ] Zero-downtime deployment (if required)
+
+---
+
+## Final Sign-Off
+
+### Critical (Must Pass)
+- [ ] No CRITICAL security vulnerabilities
+- [ ] No HIGH security vulnerabilities
+- [ ] All E2E tests passing
+- [ ] Performance meets requirements
+- [ ] No data loss scenarios
+
+### Important (Should Pass)
+- [ ] Test coverage > 80%
+- [ ] Accessibility WCAG 2.1 AA
+- [ ] Code quality metrics met
+- [ ] Documentation complete
+
+### Nice-to-Have (Can Address Later)
+- [ ] Code refactoring opportunities documented
+- [ ] Performance optimization ideas documented
+- [ ] Future enhancement ideas documented
+
+---
+
+## Issue Prioritization
+
+### 🔴 CRITICAL (Block Deployment)
+- Security vulnerabilities (SQL injection, XSS, auth bypass)
+- Data loss bugs
+- Application crashes
+- Complete feature breakage
+
+### 🟠 HIGH (Fix Before Launch)
+- Performance issues (> 5s load time)
+- Major accessibility violations
+- Missing auth checks
+- Broken core functionality
+
+### 🟡 MEDIUM (Fix in Sprint)
+- Minor bugs
+- Code quality issues
+- Missing tests
+- Minor accessibility issues
+
+### 🔵 LOW (Backlog)
+- Refactoring opportunities
+- Performance optimizations
+- Nice-to-have features
+- Documentation improvements
+
+---
+
+## Notes
+
+- Run automated tools FIRST: `npm audit`, `bandit`, `lighthouse`
+- Use Serena MCP for code analysis patterns
+- Use Antigravity Browser for E2E testing
+- Document all findings with file:line references
+- Provide remediation code examples
+- Estimate fix time for each issue