oh-my-ag 1.2.0

package/.agent/skills/qa-agent/resources/error-playbook.md

@@ -0,0 +1,95 @@
+# QA Agent - Error Recovery Playbook
+
+When you encounter a failure during review, follow these recovery steps.
+Do NOT stop or ask for help until you have exhausted the playbook.
+
+---
+
+## Automated Tool Fails to Run
+
+**Symptoms**: `npm audit`, `bandit`, `lighthouse` command errors
+
+1. Check: is the tool installed? Note missing tool in result
+2. Check: are you in the correct directory?
+3. If `npm audit`: try `npm audit --production` to skip devDependencies
+4. If `bandit`: check Python path — may need `python -m bandit`
+5. If `lighthouse`: requires a running server — note if server not available
+6. **도구 없으면**: 수동 리뷰로 대체, result에 `tool_unavailable: ["tool_name"]` 기록
+
+---
+
+## False Positive Suspected
+
+**Symptoms**: Finding looks like a vulnerability but might be safe
+
+1. Trace the data flow — does user input actually reach the dangerous operation?
+2. Check: is there validation/sanitization upstream?
+3. Check: is the framework handling this automatically? (e.g., ORM prevents SQL injection)
+4. If uncertain: mark severity as `MEDIUM` with note "verify manually"
+5. **절대 하지 말 것**: 확신 없이 CRITICAL로 마킹 — 잘못된 경보는 신뢰를 떨어뜨림
+
+---
+
+## Cannot Access Source Code
+
+**Symptoms**: Serena `find_symbol` returns nothing, file not found
+
+1. Check: correct file path? Use `search_for_pattern` with broader terms
+2. Check: is the code in a different directory or monorepo?
+3. Use `get_symbols_overview` on parent directories to find the structure
+4. If truly inaccessible: review what you CAN access and note gaps in report
+
+---
+
+## Performance Metrics Unavailable
+
+**Symptoms**: Can't run Lighthouse, no APM data, no load test results
+
+1. Check if dev server is running for Lighthouse
+2. If no server: review code statically for performance anti-patterns:
+   - N+1 queries (loops with DB calls)
+   - Missing pagination
+   - Large bundle imports
+   - No code splitting
+3. Report findings with `static_analysis_only: true` flag
+4. Recommend specific metrics to measure when environment is available
+
+---
+
+## Scope Too Large
+
+**Symptoms**: Full audit requested but codebase has 100+ files
+
+1. Prioritize: auth/security-critical files first
+2. Use pattern search to find high-risk areas:
+   - `search_for_pattern("password|secret|token|api_key")`
+   - `search_for_pattern("execute|eval|innerHTML")`
+3. Review critical paths: auth flow, payment, data mutation
+4. Note in report: `scope_coverage: "critical paths only, full audit requires more"`
+
+---
+
+## Rate Limit / Quota Error
+
+**Symptoms**: `429`, `RESOURCE_EXHAUSTED`, `rate limit exceeded`
+
+1. **즉시 멈춤** — 추가 API 호출 하지 말 것
+2. 현재까지 작업을 `progress-{agent-id}.md`에 저장
+3. `result-{agent-id}.md`에 Status: `quota_exceeded` 기록
+4. 남은 작업 목록을 명시
+
+---
+
+## Serena Memory 접근 불가
+
+1. 1회 재시도
+2. 2회 연속 실패: 로컬 파일 `/tmp/progress-{agent-id}.md` 사용
+3. result에 `memory_fallback: true` 플래그 추가
+
+---
+
+## 일반 원칙
+
+- **오탐 방지**: 확신 없는 finding은 severity 낮추고 "verify manually" 표시
+- **막힘**: 5턴 이상 진전 없으면 현재 상태 저장, `Status: blocked`
+- **수정 금지**: QA는 리포트만 — 코드 수정은 해당 에이전트에게 위임

package/.agent/skills/qa-agent/resources/examples.md

@@ -0,0 +1,100 @@
+# QA Agent - Examples
+
+## Example 1: Security Audit
+
+**Input**: "Review the authentication system for security issues"
+
+**Output**:
+```
+# QA Report: Authentication System
+Status: FAIL
+
+## Security Audit
+
+### CRITICAL
+1. **SQL Injection** - backend/api/users.py:45
+   - Raw string interpolation in query
+   - Fix: Use parameterized query or ORM
+
+2. **Missing Rate Limiting** - backend/api/auth.py:23
+   - Login endpoint has no rate limiting
+   - Fix: Add @limiter.limit("5/minute")
+
+### Passed
+- [x] Passwords hashed with bcrypt (cost 12)
+- [x] JWT properly signed with RS256
+- [x] Refresh token rotation implemented
+- [x] CORS configured (not wildcard)
+
+## Recommendations
+### High Priority (Before Launch)
+1. Fix SQL injection in users.py:45
+2. Add rate limiting to auth endpoints
+3. Add account lockout after 10 failed attempts
+```
+
+## Example 2: Performance Review
+
+**Input**: "Check frontend performance - users report slow load times"
+
+**Output**:
+```
+# QA Report: Frontend Performance
+Status: WARNING
+
+## Performance
+- Lighthouse Score: 67/100 [FAIL - Target > 90]
+- FCP: 2.8s [FAIL - Target < 1.5s]
+- LCP: 4.1s [FAIL - Target < 2.5s]
+- Bundle: 1.2MB [FAIL - Target < 500KB]
+- CLS: 0.05 [PASS]
+
+## Root Causes
+1. Full lodash import (72KB) - src/utils/helpers.ts:1
+2. No code splitting on routes - src/app/layout.tsx
+3. Unoptimized images (3 x 2MB PNGs) - public/images/
+
+## Recommendations
+### High Priority
+1. Tree-shake lodash: `import uniq from 'lodash/uniq'`
+2. Add dynamic imports: `const Page = dynamic(() => import(...))`
+3. Convert images to WebP, add width/height, loading="lazy"
+
+### Expected After Fix
+- Bundle: ~350KB (-70%)
+- FCP: ~1.2s
+- Lighthouse: ~92
+```
+
+## Example 3: Full Pre-Launch Audit
+
+**Input**: "Complete QA review before production deployment"
+
+**Output**:
+```
+# QA Report: Pre-Launch Audit
+Status: WARNING
+
+## Summary
+- Security: 0 CRITICAL, 1 HIGH, 2 MEDIUM
+- Performance: PASS (all targets met)
+- Accessibility: 1 HIGH, 3 MEDIUM
+- Test Coverage: 83% [PASS]
+
+## High Priority (Block Launch)
+1. [SECURITY-HIGH] Missing CSRF protection on POST endpoints
+2. [A11Y-HIGH] Login form has no aria-labels
+
+## Medium Priority (Fix This Sprint)
+1. [SECURITY-MED] API error responses expose stack traces
+2. [SECURITY-MED] No Content-Security-Policy header
+3. [A11Y-MED] Color contrast 3.8:1 on secondary text (need 4.5:1)
+4. [A11Y-MED] Missing skip-to-content link
+5. [A11Y-MED] Focus indicator invisible on dark theme
+
+## Sign-Off
+- [x] No CRITICAL vulnerabilities
+- [ ] No HIGH vulnerabilities (2 remaining)
+- [x] Performance targets met
+- [x] Test coverage > 80%
+```

package/.agent/skills/qa-agent/resources/execution-protocol.md

@@ -0,0 +1,50 @@
+# QA Agent - Execution Protocol
+
+## Step 0: Prepare
+1. **Assess difficulty** — see `../_shared/difficulty-guide.md`
+   - **Simple**: Quick security + quality check | **Medium**: Full 4 steps | **Complex**: Full + prioritized scope
+2. **Check lessons** — read QA section in `../_shared/lessons-learned.md`
+3. **Clarify requirements** — follow `../_shared/clarification-protocol.md`
+   - Check **Uncertainty Triggers**: 보안/인증 관련, 기존 코드 충돌 가능성?
+   - Determine level: LOW → proceed | MEDIUM → present options | HIGH → ask immediately
+4. **Budget context** — follow `../_shared/context-budget.md` (prioritize high-risk files)
+5. **After review**: add recurring issues to `../_shared/lessons-learned.md`
+
+**⚠️ Intelligent Escalation**: When uncertain, escalate early. Don't blindly proceed.
+
+Follow these steps in order (adjust depth by difficulty).
+
+## Step 1: Scope
+- Identify what to review: new feature, full audit, or specific concern
+- List all files/modules to inspect
+- Determine review depth: quick check vs. comprehensive audit
+- Use Serena to map the codebase:
+  - `get_symbols_overview("src/")`: Understand structure
+  - `search_for_pattern("password.*=.*[\"']")`: Find hardcoded secrets
+  - `search_for_pattern("execute.*\\$\\{")`: Find SQL injection
+  - `search_for_pattern("innerHTML")`: Find XSS vulnerabilities
+
+## Step 2: Audit
+Review in this priority order:
+1. **Security** (CRITICAL): OWASP Top 10, auth, injection, data protection
+2. **Performance**: API latency, N+1 queries, bundle size, Core Web Vitals
+3. **Accessibility**: WCAG 2.1 AA, keyboard nav, screen reader, contrast
+4. **Code Quality**: test coverage, complexity, architecture adherence
+
+Use `resources/checklist.md` (renamed qa-checklist) as the comprehensive review guide.
+
+## Step 3: Report
+Generate structured report with:
+- Overall status: PASS / WARNING / FAIL
+- Findings grouped by severity (CRITICAL > HIGH > MEDIUM > LOW)
+- Each finding: file:line, description, remediation code
+- Performance metrics vs. targets
+
+## Step 4: Verify
+- Run `resources/self-check.md` to verify your own review quality
+- Ensure no false positives (each finding is real and reproducible)
+- Confirm remediation suggestions are correct and complete
+- Run `../_shared/common-checklist.md` for general quality
+
+## On Error
+See `resources/error-playbook.md` for recovery steps.

package/.agent/skills/qa-agent/resources/self-check.md

@@ -0,0 +1,27 @@
+# QA Agent - Self-Check
+
+Verify your own review quality before submitting the QA report.
+
+## Completeness
+- [ ] All files in scope were reviewed (none skipped)
+- [ ] Security section covers OWASP Top 10 categories
+- [ ] Performance metrics include actual numbers vs. targets
+- [ ] Accessibility check covers Perceivable, Operable, Understandable, Robust
+
+## Accuracy
+- [ ] Every finding includes file path and line number
+- [ ] Every finding is reproducible (not speculative)
+- [ ] No false positives (double-check edge cases)
+- [ ] Severity ratings are consistent (CRITICAL = data loss/security breach)
+
+## Actionability
+- [ ] Every finding has a specific remediation step
+- [ ] Remediation code examples are correct and complete
+- [ ] Priorities are clearly ordered (what to fix first)
+- [ ] Estimated impact is noted for performance issues
+
+## Report Quality
+- [ ] Overall status (PASS/WARNING/FAIL) matches findings
+- [ ] Report is scannable (headers, bullets, status tags)
+- [ ] No duplicate findings
+- [ ] Sign-off checklist included for launch decisions

package/.agent/skills/workflow-guide/SKILL.md

@@ -0,0 +1,57 @@
+---
+name: multi-agent-workflow
+description: Guide for coordinating PM, Frontend, Backend, Mobile, and QA agents on complex projects via CLI
+---
+
+# Multi-Agent Workflow Guide
+
+## When to use
+- Complex feature spanning multiple domains (full-stack, mobile)
+- Coordination needed between frontend, backend, mobile, and QA
+- User wants step-by-step guidance for multi-agent coordination
+
+## When NOT to use
+- Simple single-domain task -> use the specific agent directly
+- User wants automated execution -> use orchestrator
+- Quick bug fixes or minor changes
+
+## Core Rules
+1. Always start with PM Agent for task decomposition
+2. Spawn independent tasks in parallel (same priority tier)
+3. Define API contracts before frontend/mobile tasks
+4. QA review is always the final step
+5. Assign separate workspaces to avoid file conflicts
+6. Always use Serena MCP tools as the primary method for code exploration and modification
+7. Never skip steps in the workflow — follow each step sequentially without omission
+
+## Workflow
+
+### Step 1: Plan with PM Agent
+PM Agent analyzes requirements, selects tech stack, creates task breakdown with priorities.
+
+### Step 2: Spawn Agents by Priority
+Spawn agents via CLI:
+1. Use spawn-agent.sh for each task
+2. CLI selection follows agent_cli_mapping in user-preferences.yaml
+3. Spawn all same-priority tasks in parallel using background processes
+
+```bash
+# Example: spawn backend and frontend in parallel
+.agent/skills/orchestrator/scripts/spawn-agent.sh backend "task description" ./backend &
+.agent/skills/orchestrator/scripts/spawn-agent.sh frontend "task description" ./frontend &
+wait
+```
+
+### Step 3: Monitor & Coordinate
+- Use memory read tool to poll `progress-{agent}.md` files
+- Verify API contracts align between agents
+- Ensure shared data models are consistent
+
+### Step 4: QA Review
+Spawn QA Agent last to review all deliverables. Address CRITICAL issues by re-spawning agents.
+
+## Automated Alternative
+For fully automated execution without manual spawning, use the **orchestrator** skill instead.
+
+## References
+- Workflow examples: `resources/examples.md`

package/.agent/skills/workflow-guide/resources/examples.md

@@ -0,0 +1,68 @@
+# Workflow Guide - Examples
+
+## Example 1: Full-Stack TODO App
+
+**Input**: "JWT 인증이 있는 TODO 앱을 만들어줘"
+
+**Workflow**:
+```
+Step 1: PM Agent plans the project
+  -> 5 tasks: auth API, CRUD API, login UI, todo UI, QA review
+
+Step 2: Spawn Priority 1 agents via CLI
+  # Run in parallel using background processes
+  .agent/skills/orchestrator/scripts/spawn-agent.sh backend "JWT authentication API + TODO CRUD" ./backend &
+  .agent/skills/orchestrator/scripts/spawn-agent.sh frontend "Login/Register UI" ./frontend &
+  wait
+
+Step 3: Monitor progress
+  - Use memory read tool to poll progress-{agent}.md files
+  - Verify API contracts align between backend/frontend
+
+Step 4: Spawn Priority 2 after P1 completes
+  .agent/skills/orchestrator/scripts/spawn-agent.sh frontend "TODO List UI" ./frontend
+
+Step 5: Spawn Priority 3
+  .agent/skills/orchestrator/scripts/spawn-agent.sh qa "Security + Performance review" .
+
+Step 6: Address QA findings
+  - Re-spawn agents for CRITICAL/HIGH issues
+  - Verify fixes
+```
+
+## Example 2: Adding Feature to Existing App
+
+**Input**: "블로그에 댓글 기능을 추가해줘"
+
+**Workflow**:
+```
+Step 1: PM Agent analyzes existing codebase and plans
+  -> 2 tasks: Comments API, Comment Section UI
+
+Step 2: Spawn Backend Agent first (API-first)
+  .agent/skills/orchestrator/scripts/spawn-agent.sh backend "Comments API with nested replies, pagination" ./backend
+
+Step 3: After backend completes, spawn Frontend Agent
+  .agent/skills/orchestrator/scripts/spawn-agent.sh frontend "Comment section UI using the new API endpoints" ./frontend
+  (Sequential because frontend depends on API contracts)
+
+Step 4: QA review
+  .agent/skills/orchestrator/scripts/spawn-agent.sh qa "Security: XSS in comments, rate limiting; Performance: Pagination, N+1 queries" .
+```
+
+## Example 3: When to Use Orchestrator Instead
+
+**User**: "자동으로 실행해줘" / "Run everything automatically"
+
+**Response**:
+```
+"You want fully automated execution. Let me switch to the
+orchestrator skill instead, which will:
+1. Spawn CLI subagents automatically
+2. Coordinate via Serena Memory
+3. Monitor progress and handle retries
+4. Return unified results
+
+Use workflow-guide when you want step-by-step control.
+Use orchestrator when you want hands-off automation."
+```