start-vibing 4.4.10 → 4.4.12

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "start-vibing",
-	"version": "4.4.10",
+	"version": "4.4.12",
 	"description": "Setup Claude Code with 9 plugins, 6 community skills, and 8 MCP servers. Parallel install, auto-accept, superpowers + ralph-loop. e2e-audit 0.2.0 refactor (skill-only, no agents): SessionStart hook + slash command make the skill keyword-invokable (\"e2e audit\", \"roda o e2e\", \"integration test\", \"test coverage gaps\"). Source-first discovery via detect-stack, discover-routes (Next app/pages/Remix/SvelteKit/Nuxt/Astro), discover-api-surface (HTTP handlers, tRPC procedures, GraphQL, server actions, middleware auth), inventory-existing-tests (preserve prior corpus + sha256 drift hash), and detect-uncovered (branch-diff vs origin/main finds changes not covered by existing specs). Report-then-ask between mapping and Playwright run; post-run-feedback report before writing findings. SHOT+TRACE+ASSERT+SOURCE evidence quad per non-meta finding; meta rules (coverage-gap-*, uncovered-*, test-drift, stack-detect, post-run-feedback) exempt. verify-audit.sh enforces schema + quad. Generic (no project leakage). super-design 0.7.0 carries over.",
 	"type": "module",
 	"bin": {

package/template/.claude/skills/super-design/SKILL.md

@@ -1,13 +1,13 @@
 ---
 name: super-design
 description: >
-  Performs end-to-end design audits on web projects. MUST BE USED when the user
-  mentions super-design, design audit, UX review, accessibility review, design
-  critique, competitor analysis, WCAG, Core Web Vitals, usability audit, or asks
-  to evaluate their website's design quality. Produces market analysis, live-site
-  UX audit (WCAG 2.2 AA, Nielsen heuristics, Baymard, CWV), and synthesized
-  overview. Re-audits only what changed since last run. On explicit user request,
-  applies surgical fixes with full rollback.
+    Performs end-to-end design audits on web projects. MUST BE USED when the user
+    mentions super-design, design audit, UX review, accessibility review, design
+    critique, competitor analysis, WCAG, Core Web Vitals, usability audit, or asks
+    to evaluate their website's design quality. Produces market analysis, live-site
+    UX audit (WCAG 2.2 AA, Nielsen heuristics, Baymard, CWV), and synthesized
+    overview. Re-audits only what changed since last run. On explicit user request,
+    applies surgical fixes with full rollback.
 version: 0.7.0
 ---
 
@@ -23,41 +23,41 @@ Four-phase pipeline with 6 specialist agents:
    produces market-analysis.md + component-comparison.md.
 2. **UI/UX audit** (sd-audit) — drives browser via Playwright MCP directly.
    Six layers:
-   - Route discovery + static snap (Nielsen + WCAG 2.2 AA + Baymard + CWV)
-   - **Step 1.5 source-first discovery** (0.7.0+) —
-     `discover-surfaces.sh` reads the repo FIRST and emits an authoritative
-     inventory of modals, forms, triggers, internal nav, and Next.js
-     layout/error/loading/not-found/parallel/intercepting routes BEFORE
-     Playwright runs. `extract-project-rules.sh` parses FORBIDDEN tables
-     from CLAUDE.md / AGENTS.md / .cursorrules into audit-applicable
-     rules. Runtime cross-checks surface these as `modal-coverage-gap`,
-     `form-coverage-gap`, and `project-forbidden-<slug>` findings.
-   - **Step 2.5 component/modal/flow discovery** (Phase A inventory, B modal
-     enumeration, C flow exercising, D state matrix, E form coverage) — this
-     is where modal contents, empty/loading/error states, and flow errors
-     get real evidence instead of "checklist hypothetical". Phase B now
-     cross-references `surfaces.json` and files a `modal-coverage-gap`
-     finding for anything declared in source but never opened.
-   - **Step 3g design-intelligence scoring** (17-category rubric → DIS 0–100)
-     catches implicit best practices checklists miss (cards-in-flex-col,
-     low density, weak CTA hierarchy, vibecode smell). Emits MANDATORY
-     `design-intelligence-craft-summary` finding per page × viewport so
-     overview.md has one holistic verdict row ("admin mobile is 38/100
-     WEAK — holistic redesign scope") per combination, not just discrete
-     per-category findings.
-   - **Step 3h mobile-native audit** (21-item Duolingo/Linear/Arc/Cash-App
-     checklist) — replaces "responsive-web-on-a-phone" thinking.
-   - **Step 3i project-rule enforcement** (0.7.0+) — consumes
-     `project-rules.json` and fires primary findings keyed to the
-     project's own FORBIDDEN wording (e.g. `project-forbidden-use-cards-on-mobile`)
-     when the rule is violated at runtime. Not a tag, not a severity
-     bump — the project owner's rule IS the rule source.
-   - C16 ≤ 4 → **DSC-choice** proposal: sd-synthesis runs
-     `scripts/score-typeui.mjs --from-audit <dir>` to derive a 7-axis site
-     fingerprint (density/contrast/geometry/color/typography/motion/audience)
-     and rank all installed typeui-* skills by fit 0-1. Top-3 are written to
-     `typeui-proposal.json` + shown in overview.md with a copy-paste CLI.
-   Produces findings.json + design-intelligence.json with SHOT+QUOTE+SEL+VAL.
+    - Route discovery + static snap (Nielsen + WCAG 2.2 AA + Baymard + CWV)
+    - **Step 1.5 source-first discovery** (0.7.0+) —
+      `discover-surfaces.sh` reads the repo FIRST and emits an authoritative
+      inventory of modals, forms, triggers, internal nav, and Next.js
+      layout/error/loading/not-found/parallel/intercepting routes BEFORE
+      Playwright runs. `extract-project-rules.sh` parses FORBIDDEN tables
+      from CLAUDE.md / AGENTS.md / .cursorrules into audit-applicable
+      rules. Runtime cross-checks surface these as `modal-coverage-gap`,
+      `form-coverage-gap`, and `project-forbidden-<slug>` findings.
+    - **Step 2.5 component/modal/flow discovery** (Phase A inventory, B modal
+      enumeration, C flow exercising, D state matrix, E form coverage) — this
+      is where modal contents, empty/loading/error states, and flow errors
+      get real evidence instead of "checklist hypothetical". Phase B now
+      cross-references `surfaces.json` and files a `modal-coverage-gap`
+      finding for anything declared in source but never opened.
+    - **Step 3g design-intelligence scoring** (17-category rubric → DIS 0–100)
+      catches implicit best practices checklists miss (cards-in-flex-col,
+      low density, weak CTA hierarchy, vibecode smell). Emits MANDATORY
+      `design-intelligence-craft-summary` finding per page × viewport so
+      overview.md has one holistic verdict row ("admin mobile is 38/100
+      WEAK — holistic redesign scope") per combination, not just discrete
+      per-category findings.
+    - **Step 3h mobile-native audit** (21-item Duolingo/Linear/Arc/Cash-App
+      checklist) — replaces "responsive-web-on-a-phone" thinking.
+    - **Step 3i project-rule enforcement** (0.7.0+) — consumes
+      `project-rules.json` and fires primary findings keyed to the
+      project's own FORBIDDEN wording (e.g. `project-forbidden-use-cards-on-mobile`)
+      when the rule is violated at runtime. Not a tag, not a severity
+      bump — the project owner's rule IS the rule source.
+    - C16 ≤ 4 → **DSC-choice** proposal: sd-synthesis runs
+      `scripts/score-typeui.mjs --from-audit <dir>` to derive a 7-axis site
+      fingerprint (density/contrast/geometry/color/typography/motion/audience)
+      and rank all installed typeui-\* skills by fit 0-1. Top-3 are written to
+      `typeui-proposal.json` + shown in overview.md with a copy-paste CLI.
+      Produces findings.json + design-intelligence.json with SHOT+QUOTE+SEL+VAL.
 3. **Synthesis** (sd-synthesis) — unifies research + audit + design-intelligence
    into overview.md (per-page DIS table + executive summary + typeui proposal
    when craft ≤ 4).
@@ -67,7 +67,7 @@ Four-phase pipeline with 6 specialist agents:
    A1-A15 a11y · V1-V8 design · U1-U10 ux · P1-P10 perf · **M1-M15 mobile**
    (cards-in-flex-col → compact list, table-on-mobile → card-per-row,
    centered-modal → bottom-sheet, etc.) · **DSC-1 design-skill advisory**
-   (proposes typeui-* direction). With `--typeui <name>` flag, sd-fix loads
+   (proposes typeui-\* direction). With `--typeui <name>` flag, sd-fix loads
    the chosen typeui skill (tokens: primary, radius, spacing scale,
    typography) and rebrands V1-V8 fixes so every spacing/color/radius target
    snaps to that direction's scale — turning advisory into applied. After each
@@ -91,6 +91,7 @@ fi
 ### Step 2: Scope decision (if incremental)
 
 Apply cascade from `references/change-detection-playbook.md` §4:
+
 - Run `scripts/detect-changes.sh $LAST_SHA` → classify changed files.
 - theory_doc_sha changed OR tokens changed OR major dep bump OR >180d old → FULL.
 - Only components changed → re-audit pages importing them (N=3 hops via madge).
@@ -109,6 +110,8 @@ Record scope in overview.md changelog banner.
 4. sd-fix         (ONLY if user asked; uses verify-technical + verify-semantic)
 ```
 
+**MCP serialization (HARD RULE):** Dispatch agents in this order **strictly sequentially** — wait for each agent to fully return before launching the next. NEVER launch two Playwright-MCP-using agents in the same message or while another is still running. Playwright MCP holds a single shared browser session; concurrent agents collide on the tab and the run bugs out (snapshots interleave, navigations race, sessions dangle). MCP-using agents that MUST be serialized: `sd-research`, `sd-audit`, `sd-fix`, `sd-fix-verify-semantic`. The only agent safe to run alongside (no MCP) is `sd-synthesis`, but per the order above it runs after the MCP agents anyway.
+
 Pass findings via files under `.super-design/sessions/<id>/`, not chat.
 
 ### Step 4: Write state + history
@@ -143,7 +146,7 @@ Do NOT paste overview into chat.
   block. Without this flag, DSC-1 stays advisory. Run
   `bash scripts/score-typeui.mjs --list` to see all installed directions.
 - `--harvest-typeui` — run `scripts/harvest-typeui.sh` first to pull
-  missing typeui-* and related design skills (typeui.sh registry with
+  missing typeui-\* and related design skills (typeui.sh registry with
   built-in catalog fallback). Idempotent; add `--refresh` to re-download.
 - `--dry-run` — artifacts without committing state
 - `--ci` — non-interactive, create PR, exit non-zero on blockers
@@ -161,13 +164,13 @@ is auto-detected; nothing else to configure.
 
 `scripts/detect-apps.sh` reads the first workspace manifest it finds:
 
-| Manifest | Source of globs |
-|----------|-----------------|
-| `pnpm-workspace.yaml` | `packages:` list |
-| `package.json` | `workspaces: [...]` or `workspaces.packages: [...]` (npm, yarn, Bun) |
-| `turbo.json` | Presence → uses pnpm/npm/yarn workspaces; falls back to `apps/*` + `packages/*` if none |
-| `nx.json` | `workspaceLayout.appsDir` / `libsDir` (default `apps/*`, `libs/*`) |
-| `bunfig.toml` | Presence → falls back to `apps/*` + `packages/*` if package.json has no workspaces |
+| Manifest              | Source of globs                                                                         |
+| --------------------- | --------------------------------------------------------------------------------------- |
+| `pnpm-workspace.yaml` | `packages:` list                                                                        |
+| `package.json`        | `workspaces: [...]` or `workspaces.packages: [...]` (npm, yarn, Bun)                    |
+| `turbo.json`          | Presence → uses pnpm/npm/yarn workspaces; falls back to `apps/*` + `packages/*` if none |
+| `nx.json`             | `workspaceLayout.appsDir` / `libsDir` (default `apps/*`, `libs/*`)                      |
+| `bunfig.toml`         | Presence → falls back to `apps/*` + `packages/*` if package.json has no workspaces      |
 
 Each matched directory that also has a `package.json` becomes an app
 with `name` taken from `package.json#name` (scope stripped), `path` the
@@ -231,14 +234,14 @@ Windows git-bash + Linux.
   (`{nodes, edges, hash, backend}`) and persists `import_graph_sha` to
   state. Prefers `npx madge --json <roots>`; falls back to a regex
   scanner (JS/TS only, no alias resolution) if madge is missing.
-  - Query: `bash .../build-import-graph.sh importers <file> --hops 3`
-    → BFS over reversed edges; `detect-changes.sh` uses this to close
-    the component→pages gap when only components changed (Step 2 scope
-    decision: "Only components changed → re-audit pages importing them
-    (N=3 hops via madge)").
+    - Query: `bash .../build-import-graph.sh importers <file> --hops 3`
+      → BFS over reversed edges; `detect-changes.sh` uses this to close
+      the component→pages gap when only components changed (Step 2 scope
+      decision: "Only components changed → re-audit pages importing them
+      (N=3 hops via madge)").
 - `hash-pages.sh` — captures 3 viewports per URL (mobile_375, tablet_768,
   desktop_1280), emits `{html_hash, dom_structure_hash, viewport_hashes:
-  {<vp>: {sha256, phash, png_path}}}` per page to
+{<vp>: {sha256, phash, png_path}}}` per page to
   `docs/super-design/.cache/hashes/hashes.json` and persists each PNG to
   `<cache>/screenshots/<url-enc>/<vp>.png`. Applies artifact §3.4 mask
   defaults plus `MASK_SELECTORS`; `phash` uses `sharp` when available

package/template/CLAUDE.md

@@ -18,6 +18,26 @@ UPDATE THIS WITH YOUR PROJECT DESCRIPTION
 
 ---
 
+## Language Policy (HARD RULE)
+
+> **ENGLISH ONLY — for everything Claude produces — UNLESS the user explicitly asks for another language in the current request.**
+
+This applies to **every** output, with **no exceptions** beyond an explicit user override:
+
+- Chat replies, status updates, summaries, questions back to the user
+- Code (identifiers, variables, function/class names, type names)
+- Comments, JSDoc, docstrings
+- Commit messages, PR titles, PR descriptions, branch names
+- Documentation (`/docs/**`, README, CLAUDE.md updates, changelogs, ADRs)
+- Test names, error messages, log messages, CLI help strings
+- File and folder names, configuration keys
+
+The user may write to Claude in Portuguese, Spanish, or any other language — **Claude still responds and writes in English** unless the user explicitly says e.g. "responda em português", "write this in Spanish", "use PT-BR for the docs". An override applies **only to the current request**; revert to English on the next turn unless re-confirmed. Mixing English + another language in the same output is forbidden.
+
+If unsure whether a request is an override, default to English and ask one short clarifying question.
+
+---
+
 ## Stack
 
 | Component  | Technology                 |
@@ -87,17 +107,17 @@ project-root/
 
 ## Key Plugins (9 installed)
 
-| Plugin | Purpose | Invocation |
-|--------|---------|------------|
-| **superpowers** | TDD, debugging, brainstorming, planning | Auto + `/brainstorming`, `/execute-plan` |
-| **ralph-loop** | Iterative autonomous dev loop | `/ralph-loop "task" --max-iterations 10` |
-| **context7** | Auto library docs (replaces MCP) | Auto-invokes on library mentions |
-| **code-simplifier** | Refine code quality post-implementation | `/simplify` or ask Claude |
-| **typescript-lsp** | Type diagnostics, go-to-def | Auto (LSP server) |
-| **security-guidance** | OWASP vulnerability scan | Auto (PreToolUse hook) |
-| **code-review** | PR analysis | `/code-review` |
-| **commit-commands** | Git commit, push, PR | `/commit` |
-| **frontend-design** | Production-grade UI design | `/frontend-design` |
+| Plugin                | Purpose                                 | Invocation                               |
+| --------------------- | --------------------------------------- | ---------------------------------------- |
+| **superpowers**       | TDD, debugging, brainstorming, planning | Auto + `/brainstorming`, `/execute-plan` |
+| **ralph-loop**        | Iterative autonomous dev loop           | `/ralph-loop "task" --max-iterations 10` |
+| **context7**          | Auto library docs (replaces MCP)        | Auto-invokes on library mentions         |
+| **code-simplifier**   | Refine code quality post-implementation | `/simplify` or ask Claude                |
+| **typescript-lsp**    | Type diagnostics, go-to-def             | Auto (LSP server)                        |
+| **security-guidance** | OWASP vulnerability scan                | Auto (PreToolUse hook)                   |
+| **code-review**       | PR analysis                             | `/code-review`                           |
+| **commit-commands**   | Git commit, push, PR                    | `/commit`                                |
+| **frontend-design**   | Production-grade UI design              | `/frontend-design`                       |
 
 ### Superpowers Workflow (USE THIS)
 
@@ -121,12 +141,12 @@ Claude works autonomously until the task is complete or hits the iteration limit
 
 ## Agent System (4 Subagents)
 
-| Agent | Purpose |
-|-------|---------|
-| **research-web** | Researches best practices before new features |
-| **commit-manager** | Manages git commits, conventional format |
-| **claude-md-compactor** | Compacts CLAUDE.md when > 40k chars |
-| **tester-unit** | Creates unit tests with Vitest |
+| Agent                   | Purpose                                       |
+| ----------------------- | --------------------------------------------- |
+| **research-web**        | Researches best practices before new features |
+| **commit-manager**      | Manages git commits, conventional format      |
+| **claude-md-compactor** | Compacts CLAUDE.md when > 40k chars           |
+| **tester-unit**         | Creates unit tests with Vitest                |
 
 ---
 
@@ -135,6 +155,7 @@ Claude works autonomously until the task is complete or hits the iteration limit
 > Documentation lives in `/docs` and is created **only when the user asks**.
 
 After completing any task, Claude should ask:
+
 ```
 Done! Finished [task description]. Want me to:
 1. Document this in /docs?
@@ -149,12 +170,12 @@ Do NOT auto-document. Do NOT maintain domain docs. Keep it simple.
 
 > After ANY implementation, update this file to reflect the current state.
 
-| Change Type | Sections to Update |
-|-------------|-------------------|
+| Change Type     | Sections to Update                  |
+| --------------- | ----------------------------------- |
 | Any file change | Last Change (branch, date, summary) |
-| New feature | 30s Overview, Architecture |
-| New dependency | Stack |
-| Workflow change | Workflow section |
+| New feature     | 30s Overview, Architecture          |
+| New dependency  | Stack                               |
+| Workflow change | Workflow section                    |
 
 Keep only the LATEST Last Change entry (no stacking).
 
@@ -164,13 +185,13 @@ Keep only the LATEST Last Change entry (no stacking).
 
 ### HTTP Requests (MANDATORY)
 
-| Rule | Implementation |
-|------|----------------|
-| Use axios ONLY | Never `fetch()` or raw `axios` |
-| `withCredentials: true` | ALWAYS for cookies/sessions |
-| Extend base instance | Create `lib/api/axios.ts` |
-| Type responses | `api.get<User>('/users')` |
-| Centralize errors | Use interceptors |
+| Rule                    | Implementation                 |
+| ----------------------- | ------------------------------ |
+| Use axios ONLY          | Never `fetch()` or raw `axios` |
+| `withCredentials: true` | ALWAYS for cookies/sessions    |
+| Extend base instance    | Create `lib/api/axios.ts`      |
+| Type responses          | `api.get<User>('/users')`      |
+| Centralize errors       | Use interceptors               |
 
 ### Path Aliases (MANDATORY)
 
@@ -216,20 +237,20 @@ Types: `feat`, `fix`, `refactor`, `docs`, `chore`
 
 ## FORBIDDEN Actions
 
-| Action                         | Reason                       |
-| ------------------------------ | ---------------------------- |
-| Write in non-English           | ALL code/docs MUST be in EN  |
-| Skip typecheck                 | Catches runtime errors       |
-| Use `any` type                 | Defeats strict mode          |
-| Define types in `src/`         | Must be in `types/`          |
-| Commit directly to main        | Create feature/fix branches  |
-| Use MUI/Chakra                 | Use shadcn/ui + Radix        |
-| Wildcard icon imports          | Use named imports            |
-| Files > 400 lines              | MUST split into smaller      |
-| 'use client' at top level      | Push to leaf components only |
-| Waterfall data fetching        | Use Promise.all() for parallel |
-| Auto-document without asking   | Ask user first               |
-| Skip superpowers for features  | Use brainstorming + TDD      |
+| Action                        | Reason                                                                                                                |
+| ----------------------------- | --------------------------------------------------------------------------------------------------------------------- |
+| Speak/write in non-English    | EN ONLY (chat, code, docs, commits) — see Language Policy. Override only via explicit user request, current turn only |
+| Skip typecheck                | Catches runtime errors                                                                                                |
+| Use `any` type                | Defeats strict mode                                                                                                   |
+| Define types in `src/`        | Must be in `types/`                                                                                                   |
+| Commit directly to main       | Create feature/fix branches                                                                                           |
+| Use MUI/Chakra                | Use shadcn/ui + Radix                                                                                                 |
+| Wildcard icon imports         | Use named imports                                                                                                     |
+| Files > 400 lines             | MUST split into smaller                                                                                               |
+| 'use client' at top level     | Push to leaf components only                                                                                          |
+| Waterfall data fetching       | Use Promise.all() for parallel                                                                                        |
+| Auto-document without asking  | Ask user first                                                                                                        |
+| Skip superpowers for features | Use brainstorming + TDD                                                                                               |
 
 ---
 
@@ -247,13 +268,13 @@ Types: `feat`, `fix`, `refactor`, `docs`, `chore`
 
 ## MCP Servers
 
-| Server                | Purpose                 | When to Use                          |
-| --------------------- | ----------------------- | ------------------------------------ |
-| `sequential-thinking` | Complex problem-solving | Multi-step tasks, planning           |
-| `memory`              | Persistent knowledge    | Store/recall project patterns        |
-| `playwright`          | Browser automation      | UI testing, page verification        |
-| `nextjs-devtools`     | Next.js dev tools       | Next.js projects only                |
-| `mongodb`             | Database operations     | DB queries, schema inspection        |
+| Server                | Purpose                 | When to Use                   |
+| --------------------- | ----------------------- | ----------------------------- |
+| `sequential-thinking` | Complex problem-solving | Multi-step tasks, planning    |
+| `memory`              | Persistent knowledge    | Store/recall project patterns |
+| `playwright`          | Browser automation      | UI testing, page verification |
+| `nextjs-devtools`     | Next.js dev tools       | Next.js projects only         |
+| `mongodb`             | Database operations     | DB queries, schema inspection |
 
 > Note: `context7` is now a **plugin** (auto-invokes on library mentions).
 
@@ -261,13 +282,13 @@ Types: `feat`, `fix`, `refactor`, `docs`, `chore`
 
 ## Community Skills (from GitHub)
 
-| Skill | Source | Purpose |
-|-------|--------|---------|
-| **react-best-practices** | vercel-labs | React/Next.js perf optimization rules |
-| **web-design-guidelines** | vercel-labs | 100+ WCAG + UX audit rules |
-| **composition-patterns** | vercel-labs | Compound component patterns |
-| **webapp-testing** | anthropics | Real browser test execution |
-| **mcp-builder** | anthropics | MCP server development guide |
+| Skill                     | Source      | Purpose                               |
+| ------------------------- | ----------- | ------------------------------------- |
+| **react-best-practices**  | vercel-labs | React/Next.js perf optimization rules |
+| **web-design-guidelines** | vercel-labs | 100+ WCAG + UX audit rules            |
+| **composition-patterns**  | vercel-labs | Compound component patterns           |
+| **webapp-testing**        | anthropics  | Real browser test execution           |
+| **mcp-builder**           | anthropics  | MCP server development guide          |
 
 ---