paqad-ai 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. package/README.md +27 -23
  2. package/dist/cli/index.js +869 -244
  3. package/dist/cli/index.js.map +1 -1
  4. package/dist/index.d.ts +83 -10
  5. package/dist/index.js +1977 -940
  6. package/dist/index.js.map +1 -1
  7. package/package.json +1 -1
  8. package/runtime/base/skills/workflow-router/SKILL.md +153 -0
  9. package/runtime/base/skills/workflow-router/agents/openai.yaml +3 -0
  10. package/runtime/base/skills/workflow-router/references/routing-rules.md +3 -0
  11. package/runtime/capabilities/coding/stacks/flutter/pack.yaml +5 -1
  12. package/runtime/capabilities/coding/stacks/laravel/pack.yaml +15 -1
  13. package/runtime/capabilities/coding/stacks/node-cli/pack.yaml +122 -0
  14. package/runtime/capabilities/coding/stacks/node-cli/rules/conventions.md +90 -0
  15. package/runtime/capabilities/coding/stacks/node-library/pack.yaml +107 -0
  16. package/runtime/capabilities/coding/stacks/node-library/rules/conventions.md +95 -0
  17. package/runtime/capabilities/coding/stacks/node-service/pack.yaml +118 -0
  18. package/runtime/capabilities/coding/stacks/node-service/rules/conventions.md +87 -0
  19. package/runtime/capabilities/coding/stacks/react/pack.yaml +6 -2
  20. package/runtime/capabilities/coding/stacks/vue/pack.yaml +6 -2
  21. package/runtime/capabilities/security/rules/pentest.md +109 -9
  22. package/runtime/capabilities/security/skills/auth-mechanism-review/SKILL.md +88 -0
  23. package/runtime/capabilities/security/skills/auth-mechanism-review/agents/openai.yaml +3 -0
  24. package/runtime/capabilities/security/skills/auth-mechanism-review/references/auth-attack-checklist.md +84 -0
  25. package/runtime/capabilities/security/skills/business-logic-abuse-review/references/abuse-cases.md +33 -5
  26. package/runtime/capabilities/security/skills/cryptographic-review/SKILL.md +72 -0
  27. package/runtime/capabilities/security/skills/cryptographic-review/agents/openai.yaml +3 -0
  28. package/runtime/capabilities/security/skills/cryptographic-review/references/crypto-weakness-patterns.md +156 -0
  29. package/runtime/capabilities/security/skills/dependency-advisory-triage/references/advisory-normalization.md +33 -1
  30. package/runtime/capabilities/security/skills/input-validation-review/SKILL.md +75 -0
  31. package/runtime/capabilities/security/skills/input-validation-review/agents/openai.yaml +3 -0
  32. package/runtime/capabilities/security/skills/input-validation-review/references/input-attack-patterns.md +74 -0
  33. package/runtime/capabilities/security/skills/logging-monitoring-review/SKILL.md +72 -0
  34. package/runtime/capabilities/security/skills/logging-monitoring-review/agents/openai.yaml +3 -0
  35. package/runtime/capabilities/security/skills/logging-monitoring-review/references/logging-gaps-checklist.md +77 -0
  36. package/runtime/capabilities/security/skills/permission-boundary-review/references/boundary-checklist.md +31 -1
  37. package/runtime/capabilities/security/skills/rate-limiting-review/SKILL.md +67 -0
  38. package/runtime/capabilities/security/skills/rate-limiting-review/agents/openai.yaml +3 -0
  39. package/runtime/capabilities/security/skills/rate-limiting-review/references/rate-limit-signals.md +153 -0
  40. package/runtime/capabilities/security/skills/runtime-surface-probing/references/runtime-surface-checks.md +57 -3
  41. package/runtime/capabilities/security/skills/stride-threat-model/SKILL.md +60 -0
  42. package/runtime/capabilities/security/skills/stride-threat-model/agents/openai.yaml +3 -0
  43. package/runtime/capabilities/security/skills/stride-threat-model/references/stride-checklist.md +69 -0
  44. package/runtime/hooks/silent-update.sh +115 -0
  45. package/scripts/deprecate-old-versions.sh +55 -0
package/README.md CHANGED
@@ -89,6 +89,8 @@ After onboarding, documentation is created through the framework workflow. An ac
89
89
  6. generate module docs, including `business.md` and `technical.md`
90
90
  7. track progress in `.paqad/doc-progress.json`
91
91
 
92
+ Workflow selection is now skill-driven. The built-in `workflow-router` skill matches raw prompts to canonical workflows such as `documentation-update`, `pentest`, `pentest-retest`, `root-cause-analysis`, project questions, and implementation flows. If no routing rule matches, the pipeline returns a null route and does not fall back into a default workflow.
93
+
92
94
  ## ✅ Quality Gates
93
95
 
94
96
  Local and CI verification use the same command:
@@ -182,11 +184,12 @@ paqad-ai onboard --project-root . --stack laravel
182
184
 
183
185
  - `react` and `vue` are mutually exclusive. Select only one frontend framework.
184
186
  - Standalone React and Vue projects are supported directly; Laravel continues to use `react` and `vue` as capabilities when paired with backend-driven frontend code.
187
+ - Node.js CLI tools, libraries, and services that don't match a framework pack are detected via archetype packs (`node-cli`, `node-library`, `node-service`) and onboard with `coding` and `security` capabilities.
185
188
  - Empty or content-only repositories onboard without a domain prompt and persist `active_capabilities: [content]`.
186
189
  - Standalone React/Vue onboarding copies the selected sub-stack rule bundle, so `next`, `remix`, `vite-spa`, `gatsby`, `nuxt`, and `quasar` each bring their own project rules when selected.
187
190
  - Laravel testing commands now detect Pest and PHPUnit from Composer dependencies and write the matching defaults into the generated project profile.
188
191
  - Docker, Docker Compose, and Laravel Sail are detected as environment traits and mirrored into `.paqad/stack-snapshot.json`.
189
- - If no `--providers` flag is passed in a non-interactive context, files for all four providers are generated.
192
+ - If no `--providers` flag is passed, onboarding defaults to `claude-code` unless a caller explicitly supplies adapters programmatically.
190
193
  - Onboarding is idempotent: running it twice with the same selections produces the same output.
191
194
 
192
195
  ### Behavior
@@ -267,28 +270,29 @@ Use `update` when the package version changes or when framework-managed scaffold
267
270
 
268
271
  ## 🌟 Feature Overview
269
272
 
270
- | Feature | What it does |
271
- | --------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
272
- | 14 built-in coding packs | Ships first-party packs for `laravel`, `flutter`, `react`, `vue`, `django`, `fastapi`, `rails`, `spring-boot`, `express`, `angular`, `svelte`, `astro`, `go-web`, and `rust-web`. |
273
- | Multi-provider support | Generates repo-managed output for Claude Code, Codex CLI, Gemini CLI, and Junie from the same framework state. |
274
- | Capability-first onboarding | Starts every repo with `content`, activates `coding` and `security` from matched packs or explicit capability changes. |
275
- | Stack Pack architecture | Uses `pack.yaml` manifests to drive detection, resolver behavior, MCP defaults, pentest mappings, and stack docs. |
276
- | Thin provider entry files | Generates concise `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, and `.junie/AGENTS.md` files that point to project-owned docs. |
277
- | Project-owned instruction bundles | Copies rules and stack references into `docs/instructions/**` so the repo owns the operational guidance. |
278
- | Stack snapshot docs | Writes human-readable stack docs under `docs/instructions/stack/**` from detected manifests and lockfiles. |
279
- | Documentation workflow | Builds architecture docs, design-system docs, and module docs from the real project state after onboarding. |
280
- | Capability management CLI | Supports `capabilities list`, `available`, `add`, and `remove` with canonical capability normalization. |
281
- | Health checks | Verifies framework artifacts, copied instructions, adapter output, MCP config, and documentation completeness. |
282
- | Refresh and update flows | Regenerates framework-managed artifacts and records stack/capability drift without forcing a full re-onboard. |
283
- | MCP integration | Enables stack-aware MCP defaults for supported adapters and pack-specific environments. |
284
- | Pentest workflows | Ships canonical `pentest` and `pentest-retest` workflows with saved reports and resumable state. |
285
- | Semantic context loader | Builds chunk indexes and load statistics so agents can pull targeted context instead of scanning whole repos. |
286
- | Predictive skill cache | Tracks transition probabilities and cache metrics to prewarm likely skills between workflow steps. |
287
- | Context budget optimizer | Enforces context budgets and records token savings from summarization and eviction. |
288
- | Context deduplication | Replaces duplicate resolved artifacts with references and records dedup savings per session. |
289
- | Smart handoff compression | Writes structured handoff artifacts and compression stats for resumable multi-step workflows. |
290
- | Workflow engine | Runs canonical workflows plus user-defined `docs/instructions/workflows/*.yaml` templates with resumable state. |
291
- | Pack management CLI | Supports `packs list`, `install`, `remove`, `validate`, and `create` for built-in, global, and project pack workflows. |
273
+ | Feature | What it does |
274
+ | --------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
275
+ | 17 built-in stack packs | Ships 14 framework packs (`laravel`, `flutter`, `react`, `vue`, `django`, `fastapi`, `rails`, `spring-boot`, `express`, `angular`, `svelte`, `astro`, `go-web`, `rust-web`) plus 3 archetype packs (`node-cli`, `node-library`, `node-service`) for projects that don't match a framework. |
276
+ | Multi-provider support | Generates repo-managed output for Claude Code, Codex CLI, Gemini CLI, and Junie from the same framework state. |
277
+ | Capability-first onboarding | Starts every repo with `content`, activates `coding` and `security` from matched packs or explicit capability changes. |
278
+ | Two-phase stack detection | Framework packs are evaluated first; archetype packs (`node-cli`, `node-library`, `node-service`) activate as a fallback for CLI tools, libraries, and raw services. |
279
+ | Stack Pack architecture | Uses `pack.yaml` manifests to drive detection, resolver behavior, MCP defaults, pentest mappings, and stack docs. Supports `tier: archetype` for fallback detection. |
280
+ | Thin provider entry files | Generates concise `AGENTS.md`, `CLAUDE.md`, `GEMINI.md`, and `.junie/AGENTS.md` files that point to project-owned docs. |
281
+ | Project-owned instruction bundles | Copies rules and stack references into `docs/instructions/**` so the repo owns the operational guidance. |
282
+ | Stack snapshot docs | Writes human-readable stack docs under `docs/instructions/stack/**` from detected manifests and lockfiles. |
283
+ | Documentation workflow | Builds architecture docs, design-system docs, and module docs from the real project state after onboarding. |
284
+ | Capability management CLI | Supports `capabilities list`, `available`, `add`, and `remove` with canonical capability normalization. |
285
+ | Health checks | Verifies framework artifacts, copied instructions, adapter output, MCP config, and documentation completeness. |
286
+ | Refresh and update flows | Regenerates framework-managed artifacts and records stack/capability drift without forcing a full re-onboard. |
287
+ | MCP integration | Enables stack-aware MCP defaults for supported adapters and pack-specific environments. |
288
+ | Pentest workflows | Ships canonical `pentest` and `pentest-retest` workflows with saved reports and resumable state. |
289
+ | Semantic context loader | Builds chunk indexes and load statistics so agents can pull targeted context instead of scanning whole repos. |
290
+ | Predictive skill cache | Tracks transition probabilities and cache metrics to prewarm likely skills between workflow steps. |
291
+ | Context budget optimizer | Enforces context budgets and records token savings from summarization and eviction. |
292
+ | Context deduplication | Replaces duplicate resolved artifacts with references and records dedup savings per session. |
293
+ | Smart handoff compression | Writes structured handoff artifacts and compression stats for resumable multi-step workflows. |
294
+ | Workflow engine | Runs canonical workflows plus user-defined `docs/instructions/workflows/*.yaml` templates with resumable state. |
295
+ | Pack management CLI | Supports `packs list`, `install`, `remove`, `validate`, and `create` for built-in, global, and project pack workflows. |
292
296
 
293
297
  ## 🔄 Workflow Overview
294
298