waypoint-skills 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (132) hide show
  1. package/LICENSE +21 -0
  2. package/README.md +348 -0
  3. package/README.npm.md +56 -0
  4. package/cli/bin/cli.js +127 -0
  5. package/cli/bin/lib/paths.mjs +31 -0
  6. package/cli/bin/postinstall.mjs +25 -0
  7. package/manifest.json +107 -0
  8. package/package.json +44 -0
  9. package/packages/agents/inspiration-scout.md +105 -0
  10. package/packages/agents/orchestrator.md +186 -0
  11. package/packages/agents/scrutiny-validator.md +136 -0
  12. package/packages/agents/user-testing-validator.md +171 -0
  13. package/packages/agents/validator.md +102 -0
  14. package/packages/agents/worker.md +116 -0
  15. package/packages/agents/wp-router.md +69 -0
  16. package/packages/hooks/hooks.json.example +12 -0
  17. package/packages/hooks/templates/mission-worktree-bootstrap.sh +88 -0
  18. package/packages/hooks/templates/run-assertions.sh +48 -0
  19. package/packages/rules/adversarial-context-isolation.mdc +57 -0
  20. package/packages/rules/serial-git-enforcement.mdc +77 -0
  21. package/packages/skills/caveman/SKILL.md +78 -0
  22. package/packages/skills/design-taste-frontend/SKILL.md +1206 -0
  23. package/packages/skills/gpt-taste/SKILL.md +74 -0
  24. package/packages/skills/impeccable/SKILL.md +164 -0
  25. package/packages/skills/impeccable/reference/adapt.md +311 -0
  26. package/packages/skills/impeccable/reference/animate.md +201 -0
  27. package/packages/skills/impeccable/reference/audit.md +133 -0
  28. package/packages/skills/impeccable/reference/bolder.md +120 -0
  29. package/packages/skills/impeccable/reference/brand.md +108 -0
  30. package/packages/skills/impeccable/reference/clarify.md +288 -0
  31. package/packages/skills/impeccable/reference/codex.md +105 -0
  32. package/packages/skills/impeccable/reference/colorize.md +257 -0
  33. package/packages/skills/impeccable/reference/craft.md +123 -0
  34. package/packages/skills/impeccable/reference/critique.md +780 -0
  35. package/packages/skills/impeccable/reference/delight.md +302 -0
  36. package/packages/skills/impeccable/reference/distill.md +111 -0
  37. package/packages/skills/impeccable/reference/document.md +429 -0
  38. package/packages/skills/impeccable/reference/extract.md +69 -0
  39. package/packages/skills/impeccable/reference/harden.md +347 -0
  40. package/packages/skills/impeccable/reference/hooks.md +90 -0
  41. package/packages/skills/impeccable/reference/init.md +172 -0
  42. package/packages/skills/impeccable/reference/interaction-design.md +189 -0
  43. package/packages/skills/impeccable/reference/layout.md +161 -0
  44. package/packages/skills/impeccable/reference/live.md +718 -0
  45. package/packages/skills/impeccable/reference/onboard.md +234 -0
  46. package/packages/skills/impeccable/reference/optimize.md +258 -0
  47. package/packages/skills/impeccable/reference/overdrive.md +130 -0
  48. package/packages/skills/impeccable/reference/polish.md +241 -0
  49. package/packages/skills/impeccable/reference/product.md +60 -0
  50. package/packages/skills/impeccable/reference/quieter.md +99 -0
  51. package/packages/skills/impeccable/reference/shape.md +165 -0
  52. package/packages/skills/impeccable/reference/typeset.md +279 -0
  53. package/packages/skills/impeccable/scripts/command-metadata.json +94 -0
  54. package/packages/skills/impeccable/scripts/context-signals.mjs +225 -0
  55. package/packages/skills/impeccable/scripts/context.mjs +961 -0
  56. package/packages/skills/impeccable/scripts/critique-storage.mjs +242 -0
  57. package/packages/skills/impeccable/scripts/detect-csp.mjs +198 -0
  58. package/packages/skills/impeccable/scripts/detect.mjs +21 -0
  59. package/packages/skills/impeccable/scripts/detector/browser/injected/index.mjs +1937 -0
  60. package/packages/skills/impeccable/scripts/detector/cli/main.mjs +290 -0
  61. package/packages/skills/impeccable/scripts/detector/design-system.mjs +750 -0
  62. package/packages/skills/impeccable/scripts/detector/detect-antipatterns-browser.js +5185 -0
  63. package/packages/skills/impeccable/scripts/detector/detect-antipatterns.mjs +50 -0
  64. package/packages/skills/impeccable/scripts/detector/engines/browser/detect-url.mjs +277 -0
  65. package/packages/skills/impeccable/scripts/detector/engines/regex/detect-text.mjs +568 -0
  66. package/packages/skills/impeccable/scripts/detector/engines/static-html/css-cascade.mjs +1015 -0
  67. package/packages/skills/impeccable/scripts/detector/engines/static-html/detect-html.mjs +234 -0
  68. package/packages/skills/impeccable/scripts/detector/engines/visual/screenshot-contrast.mjs +189 -0
  69. package/packages/skills/impeccable/scripts/detector/findings.mjs +12 -0
  70. package/packages/skills/impeccable/scripts/detector/node/file-system.mjs +198 -0
  71. package/packages/skills/impeccable/scripts/detector/profile/profiler.mjs +166 -0
  72. package/packages/skills/impeccable/scripts/detector/registry/antipatterns.mjs +459 -0
  73. package/packages/skills/impeccable/scripts/detector/rules/checks.mjs +2707 -0
  74. package/packages/skills/impeccable/scripts/detector/shared/color.mjs +124 -0
  75. package/packages/skills/impeccable/scripts/detector/shared/constants.mjs +101 -0
  76. package/packages/skills/impeccable/scripts/detector/shared/inline-ignores.mjs +148 -0
  77. package/packages/skills/impeccable/scripts/detector/shared/page.mjs +7 -0
  78. package/packages/skills/impeccable/scripts/hook-admin.mjs +660 -0
  79. package/packages/skills/impeccable/scripts/hook-before-edit.mjs +476 -0
  80. package/packages/skills/impeccable/scripts/hook-lib.mjs +1632 -0
  81. package/packages/skills/impeccable/scripts/hook.mjs +61 -0
  82. package/packages/skills/impeccable/scripts/lib/design-parser.mjs +842 -0
  83. package/packages/skills/impeccable/scripts/lib/impeccable-config.mjs +638 -0
  84. package/packages/skills/impeccable/scripts/lib/impeccable-paths.mjs +128 -0
  85. package/packages/skills/impeccable/scripts/lib/is-generated.mjs +69 -0
  86. package/packages/skills/impeccable/scripts/lib/target-args.mjs +42 -0
  87. package/packages/skills/impeccable/scripts/live/browser-script-parts.mjs +49 -0
  88. package/packages/skills/impeccable/scripts/live/completion.mjs +19 -0
  89. package/packages/skills/impeccable/scripts/live/event-validation.mjs +137 -0
  90. package/packages/skills/impeccable/scripts/live/insert-ui.mjs +458 -0
  91. package/packages/skills/impeccable/scripts/live/manual-apply.mjs +939 -0
  92. package/packages/skills/impeccable/scripts/live/manual-edit-routes.mjs +357 -0
  93. package/packages/skills/impeccable/scripts/live/manual-edits-buffer.mjs +152 -0
  94. package/packages/skills/impeccable/scripts/live/session-store.mjs +289 -0
  95. package/packages/skills/impeccable/scripts/live/svelte-component.mjs +826 -0
  96. package/packages/skills/impeccable/scripts/live/sveltekit-adapter.mjs +274 -0
  97. package/packages/skills/impeccable/scripts/live/ui-core.mjs +180 -0
  98. package/packages/skills/impeccable/scripts/live/vocabulary.mjs +36 -0
  99. package/packages/skills/impeccable/scripts/live-accept.mjs +812 -0
  100. package/packages/skills/impeccable/scripts/live-browser-dom.js +146 -0
  101. package/packages/skills/impeccable/scripts/live-browser-session.js +123 -0
  102. package/packages/skills/impeccable/scripts/live-browser.js +11173 -0
  103. package/packages/skills/impeccable/scripts/live-commit-manual-edits.mjs +1241 -0
  104. package/packages/skills/impeccable/scripts/live-complete.mjs +75 -0
  105. package/packages/skills/impeccable/scripts/live-copy-edit-agent.mjs +683 -0
  106. package/packages/skills/impeccable/scripts/live-discard-manual-edits.mjs +51 -0
  107. package/packages/skills/impeccable/scripts/live-inject.mjs +583 -0
  108. package/packages/skills/impeccable/scripts/live-insert.mjs +272 -0
  109. package/packages/skills/impeccable/scripts/live-manual-edit-evidence.mjs +363 -0
  110. package/packages/skills/impeccable/scripts/live-poll.mjs +384 -0
  111. package/packages/skills/impeccable/scripts/live-resume.mjs +94 -0
  112. package/packages/skills/impeccable/scripts/live-server.mjs +1135 -0
  113. package/packages/skills/impeccable/scripts/live-status.mjs +61 -0
  114. package/packages/skills/impeccable/scripts/live-target.mjs +30 -0
  115. package/packages/skills/impeccable/scripts/live-wrap.mjs +894 -0
  116. package/packages/skills/impeccable/scripts/live.mjs +297 -0
  117. package/packages/skills/impeccable/scripts/modern-screenshot.umd.js +14 -0
  118. package/packages/skills/impeccable/scripts/palette.mjs +633 -0
  119. package/packages/skills/impeccable/scripts/pin.mjs +214 -0
  120. package/packages/skills/ponytail/SKILL.md +117 -0
  121. package/packages/skills/stitch-design-taste/DESIGN.md +121 -0
  122. package/packages/skills/stitch-design-taste/SKILL.md +184 -0
  123. package/packages/skills/waypoint/SKILL.md +67 -0
  124. package/packages/skills/wp/SKILL.md +330 -0
  125. package/packages/skills/wp/caveman-wire.md +148 -0
  126. package/packages/skills/wp/reference.md +411 -0
  127. package/scripts/detect-platform.sh +32 -0
  128. package/scripts/install.sh +123 -0
  129. package/scripts/lib/common.sh +215 -0
  130. package/scripts/sync-skills.sh +21 -0
  131. package/scripts/uninstall.sh +38 -0
  132. package/scripts/waypoint +281 -0
@@ -0,0 +1,242 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * Critique persistence helper.
4
+ *
5
+ * Each run of /impeccable critique writes a per-target snapshot to
6
+ * .impeccable/critique/<timestamp>__<slug>.md
7
+ * with a small YAML frontmatter carrying the score + P0/P1 counts.
8
+ *
9
+ * /impeccable polish reads the latest matching snapshot at start as its
10
+ * fix backlog. No other skill auto-reads critique output.
11
+ *
12
+ * The slug is derived mechanically from the *resolved* primary artifact
13
+ * (file path or URL), never from the user's natural-language phrasing.
14
+ * Slug stability across runs is what lets the trend display work.
15
+ *
16
+ * CLI entry points (called from skill instructions):
17
+ * node critique-storage.mjs slug <resolved-target>
18
+ * node critique-storage.mjs write <slug> <snapshot-body-file>
19
+ * node critique-storage.mjs latest <slug>
20
+ * node critique-storage.mjs trend <slug> [limit]
21
+ *
22
+ * Note: there is intentionally no `ignore` subcommand. ignore.md is a plain
23
+ * markdown file; the model reads it directly with its file-read tool. This
24
+ * helper only exists for operations the model can't trivially do inline
25
+ * (normalizing paths, generating filenames, globbing + parsing frontmatter).
26
+ */
27
+
28
+ import fs from 'node:fs';
29
+ import path from 'node:path';
30
+ import { fileURLToPath, pathToFileURL } from 'node:url';
31
+ import { getCritiqueDir } from './lib/impeccable-paths.mjs';
32
+
33
+ const SLUG_MAX = 50;
34
+
35
+ /**
36
+ * Mechanically derive a slug from a resolved target. Returns null if the
37
+ * input doesn't look like a stable identifier (empty, project root, etc).
38
+ *
39
+ * Accepts file paths and URLs. The model resolves "the homepage" to a
40
+ * concrete artifact before calling this — we never slug a natural-language
41
+ * phrase.
42
+ */
43
+ export function slugFromTarget(resolved, { cwd = process.cwd() } = {}) {
44
+ if (!resolved || typeof resolved !== 'string') return null;
45
+ const trimmed = resolved.trim();
46
+ if (!trimmed) return null;
47
+
48
+ // URL
49
+ if (/^https?:\/\//i.test(trimmed)) {
50
+ let url;
51
+ try { url = new URL(trimmed); } catch { return null; }
52
+ const hostPath = `${url.hostname}${url.pathname}`;
53
+ return kebab(hostPath);
54
+ }
55
+
56
+ // File path. Make it project-relative so two devs critiquing the same
57
+ // checkout get the same slug regardless of where their repo is cloned.
58
+ const abs = path.isAbsolute(trimmed) ? trimmed : path.resolve(cwd, trimmed);
59
+ let rel = path.relative(cwd, abs);
60
+ // If the target is outside cwd, fall back to the basename so we still
61
+ // produce a stable slug (vs the absolute path, which would include
62
+ // home dirs / usernames).
63
+ if (rel.startsWith('..') || path.isAbsolute(rel)) {
64
+ rel = path.basename(abs);
65
+ }
66
+ if (!rel || rel === '.' || rel === '') return null;
67
+ return kebab(rel);
68
+ }
69
+
70
+ function kebab(s) {
71
+ const slug = s
72
+ .toLowerCase()
73
+ .replace(/[/\\.]+/g, '-')
74
+ .replace(/[^a-z0-9-]+/g, '-')
75
+ .replace(/-+/g, '-')
76
+ .replace(/^-|-$/g, '');
77
+ if (!slug) return null;
78
+ // Cap from the tail — the tail (filename) is more identifying than the
79
+ // top-level directory.
80
+ return slug.length <= SLUG_MAX ? slug : slug.slice(slug.length - SLUG_MAX).replace(/^-/, '');
81
+ }
82
+
83
+ /**
84
+ * Filename-safe UTC ISO timestamp: hyphens for separators, trailing Z.
85
+ * Plain colons aren't allowed on Windows filesystems.
86
+ */
87
+ export function nowFilenameStamp(date = new Date()) {
88
+ const iso = date.toISOString(); // 2026-05-12T18:30:00.123Z
89
+ return iso.replace(/[:.]/g, '-').replace(/-\d+Z$/, 'Z');
90
+ }
91
+
92
+ /**
93
+ * Write a snapshot for `slug`. `meta` carries the small structured frontmatter
94
+ * keys read back by readTrend(). `body` is the human-readable critique
95
+ * report (everything below the frontmatter).
96
+ *
97
+ * Returns the absolute path written.
98
+ */
99
+ export function writeSnapshot({ slug, meta, body, cwd = process.cwd(), now = new Date() }) {
100
+ if (!slug) throw new Error('writeSnapshot requires a slug');
101
+ const dir = getCritiqueDir(cwd);
102
+ fs.mkdirSync(dir, { recursive: true });
103
+ const timestamp = nowFilenameStamp(now);
104
+ const filePath = path.join(dir, `${timestamp}__${slug}.md`);
105
+ // Spread `meta` first so internally computed `timestamp` and `slug`
106
+ // always win. Otherwise a caller-supplied meta blob (parsed from the
107
+ // IMPECCABLE_CRITIQUE_META env var) could clobber them, leaving the
108
+ // filename in disagreement with its frontmatter and corrupting trends.
109
+ const front = serializeFrontmatter({ ...meta, timestamp, slug });
110
+ fs.writeFileSync(filePath, `${front}\n${body.trim()}\n`, 'utf-8');
111
+ return filePath;
112
+ }
113
+
114
+ function serializeFrontmatter(obj) {
115
+ const lines = ['---'];
116
+ for (const [key, value] of Object.entries(obj)) {
117
+ if (value === undefined || value === null) continue;
118
+ const str = typeof value === 'string' ? value : String(value);
119
+ // Quote strings that contain : or # to keep parsing simple.
120
+ const needsQuotes = typeof value === 'string' && /[:#]/.test(str);
121
+ lines.push(`${key}: ${needsQuotes ? JSON.stringify(str) : str}`);
122
+ }
123
+ lines.push('---');
124
+ return lines.join('\n');
125
+ }
126
+
127
+ function parseFrontmatter(text) {
128
+ const match = text.match(/^---\r?\n([\s\S]*?)\r?\n---/);
129
+ if (!match) return {};
130
+ const out = {};
131
+ for (const line of match[1].split(/\r?\n/)) {
132
+ const colon = line.indexOf(':');
133
+ if (colon < 0) continue;
134
+ const key = line.slice(0, colon).trim();
135
+ let value = line.slice(colon + 1).trim();
136
+ if (/^".*"$/.test(value)) {
137
+ try { value = JSON.parse(value); } catch { /* leave as-is */ }
138
+ } else if (/^-?\d+$/.test(value)) {
139
+ value = Number(value);
140
+ }
141
+ out[key] = value;
142
+ }
143
+ return out;
144
+ }
145
+
146
+ /**
147
+ * Return all snapshot files for `slug`, sorted oldest → newest.
148
+ */
149
+ function listSnapshotsForSlug(slug, cwd) {
150
+ const dir = getCritiqueDir(cwd);
151
+ if (!fs.existsSync(dir)) return [];
152
+ const suffix = `__${slug}.md`;
153
+ return fs.readdirSync(dir)
154
+ .filter((f) => f.endsWith(suffix))
155
+ .sort()
156
+ .map((f) => path.join(dir, f));
157
+ }
158
+
159
+ /**
160
+ * Return the most recent snapshot for `slug`, or null. Polish reads this
161
+ * to find its fix backlog when the slug matches.
162
+ */
163
+ export function readLatestSnapshot(slug, { cwd = process.cwd() } = {}) {
164
+ const all = listSnapshotsForSlug(slug, cwd);
165
+ if (!all.length) return null;
166
+ const latest = all[all.length - 1];
167
+ const body = fs.readFileSync(latest, 'utf-8');
168
+ return { path: latest, body, meta: parseFrontmatter(body) };
169
+ }
170
+
171
+ /**
172
+ * Return the last `limit` snapshots' frontmatter, oldest → newest.
173
+ * Critique appends a one-line trend to its output using this.
174
+ */
175
+ export function readTrend(slug, { limit = 5, cwd = process.cwd() } = {}) {
176
+ const all = listSnapshotsForSlug(slug, cwd);
177
+ const slice = all.slice(-limit);
178
+ return slice.map((file) => parseFrontmatter(fs.readFileSync(file, 'utf-8')));
179
+ }
180
+
181
+ // ---- CLI ---------------------------------------------------------------
182
+
183
+ function main(argv) {
184
+ const [cmd, ...args] = argv;
185
+ switch (cmd) {
186
+ case 'slug': {
187
+ const slug = slugFromTarget(args[0]);
188
+ if (!slug) { process.stderr.write('no stable slug for input\n'); process.exit(1); }
189
+ process.stdout.write(`${slug}\n`);
190
+ return;
191
+ }
192
+ case 'write': {
193
+ const [slug, bodyFile] = args;
194
+ if (!slug || !bodyFile) { process.stderr.write('usage: write <slug> <body-file>\n'); process.exit(1); }
195
+ const raw = fs.readFileSync(bodyFile, 'utf-8');
196
+ // The body file may be a full report. The caller passes the meta as
197
+ // a JSON object on stdin if it wants structured frontmatter; otherwise
198
+ // we write with minimal metadata.
199
+ let meta = {};
200
+ const metaArg = process.env.IMPECCABLE_CRITIQUE_META;
201
+ if (metaArg) {
202
+ try { meta = JSON.parse(metaArg); } catch { /* ignore */ }
203
+ }
204
+ const out = writeSnapshot({ slug, meta, body: raw });
205
+ process.stdout.write(`${out}\n`);
206
+ return;
207
+ }
208
+ case 'latest': {
209
+ const latest = readLatestSnapshot(args[0]);
210
+ if (!latest) { process.exit(2); }
211
+ process.stdout.write(latest.body);
212
+ return;
213
+ }
214
+ case 'trend': {
215
+ const rows = readTrend(args[0], { limit: args[1] ? Number(args[1]) : 5 });
216
+ process.stdout.write(JSON.stringify(rows, null, 2) + '\n');
217
+ return;
218
+ }
219
+ default:
220
+ process.stderr.write('usage: critique-storage.mjs <slug|write|latest|trend> [args]\n');
221
+ process.exit(1);
222
+ }
223
+ }
224
+
225
+ function isMainModule() {
226
+ if (!process.argv[1]) return false;
227
+ try {
228
+ return fs.realpathSync(fileURLToPath(import.meta.url)) === fs.realpathSync(process.argv[1]);
229
+ } catch {
230
+ // pathToFileURL normalizes Windows paths; keep it as a fallback for any
231
+ // environment where realpath is unavailable.
232
+ return import.meta.url === pathToFileURL(process.argv[1]).href;
233
+ }
234
+ }
235
+
236
+ // Why the realpath check: generated skills are often reached through symlinked
237
+ // harness directories (for example a demo repo's `.agents` -> source `.agents`).
238
+ // Node resolves import.meta.url to the real file, while process.argv[1] keeps
239
+ // the symlink path. Comparing canonical paths prevents a silent exit-0 no-op.
240
+ if (isMainModule()) {
241
+ main(process.argv.slice(2));
242
+ }
@@ -0,0 +1,198 @@
1
+ /**
2
+ * Scan a project tree for Content-Security-Policy signals and classify the
3
+ * shape so the agent knows which patch template to propose.
4
+ *
5
+ * Used at first-time `live.mjs` setup. Mechanical (grep-based) — no network,
6
+ * no dev server, no JS evaluation. The classification drives a user-facing
7
+ * consent prompt; the agent does the actual patch writing.
8
+ *
9
+ * Shapes are named by patch mechanism, not framework origin:
10
+ * - "append-arrays": CSP defined as structured directive arrays. Patch
11
+ * appends a dev-only localhost entry. Covers:
12
+ * - Monorepo helpers with additional*Src options
13
+ * (e.g. createBaseNextConfig for Next)
14
+ * - SvelteKit kit.csp.directives
15
+ * - nuxt-security module's contentSecurityPolicy
16
+ * - "append-string": CSP built as a literal value string. Patch splices
17
+ * a dev-only token into script-src and connect-src.
18
+ * Covers:
19
+ * - Inline Next.js headers() with CSP string
20
+ * - Nuxt routeRules / nitro.routeRules CSP headers
21
+ * - "middleware": CSP set dynamically in middleware.{ts,js}.
22
+ * Detected but not auto-patched in v1.
23
+ * - "meta-tag": <meta http-equiv="Content-Security-Policy"> in
24
+ * layout files. Detected but not auto-patched in v1.
25
+ * - null: no CSP signals found; no patch needed.
26
+ */
27
+
28
+ import fs from 'node:fs';
29
+ import path from 'node:path';
30
+
31
+ const SKIP_DIRS = new Set([
32
+ 'node_modules',
33
+ '.git',
34
+ '.next',
35
+ '.turbo',
36
+ '.svelte-kit',
37
+ '.nuxt',
38
+ '.astro',
39
+ 'dist',
40
+ 'build',
41
+ 'out',
42
+ '.vercel',
43
+ ]);
44
+
45
+ const SCAN_EXTS = new Set(['.js', '.mjs', '.cjs', '.ts', '.mts', '.cts', '.tsx', '.jsx']);
46
+ const LAYOUT_EXTS = new Set(['.tsx', '.jsx', '.astro', '.vue', '.svelte', '.html']);
47
+ const MAX_DEPTH = 6;
48
+ const MAX_READ_BYTES = 64 * 1024;
49
+
50
+ // append-arrays signals: CSP expressed as structured directive arrays
51
+ const MONOREPO_HELPER_SIGNALS = [
52
+ /\bbuildCSPConfig\b/,
53
+ /\bbuildSecurityHeaders\b/,
54
+ /\badditionalScriptSrc\b/,
55
+ /\badditionalConnectSrc\b/,
56
+ /\bcreateBaseNextConfig\b/,
57
+ ];
58
+ const SVELTEKIT_CSP_SIGNALS = [
59
+ /\bkit\s*:/,
60
+ /\bcsp\s*:/,
61
+ /\bdirectives\s*:/,
62
+ ];
63
+ const NUXT_SECURITY_SIGNALS = [
64
+ /['"]nuxt-security['"]/,
65
+ /\bcontentSecurityPolicy\b/,
66
+ ];
67
+
68
+ // append-string signals: CSP written as a literal value string
69
+ const INLINE_HEADER_SIGNALS = [
70
+ /["']Content-Security-Policy["']/i,
71
+ /\bscript-src\b/,
72
+ /\bconnect-src\b/,
73
+ ];
74
+ const NUXT_ROUTE_RULES_SIGNALS = [
75
+ /\brouteRules\b/,
76
+ /Content-Security-Policy/i,
77
+ /\bscript-src\b/,
78
+ ];
79
+
80
+ const MIDDLEWARE_HINT = /headers\.set\(\s*["']Content-Security-Policy["']/i;
81
+ const META_TAG_HINT = /http-equiv\s*=\s*["']Content-Security-Policy["']/i;
82
+
83
+ /**
84
+ * @param {string} cwd Project root.
85
+ * @returns {{ shape: string|null, signals: string[] }}
86
+ */
87
+ export function detectCsp(cwd = process.cwd()) {
88
+ const hits = { appendArrays: [], appendString: [], middleware: [], metaTag: [] };
89
+
90
+ walk(cwd, cwd, 0, (absPath, relPath, body) => {
91
+ const ext = path.extname(absPath);
92
+ const base = path.basename(absPath).toLowerCase();
93
+ const isConfig = (name) =>
94
+ new RegExp('(^|/)' + name + '\\.config\\.').test(relPath);
95
+
96
+ // === append-arrays candidates ===
97
+
98
+ // Monorepo CSP helper: packages/*/src/.../(config|security)/*
99
+ if (SCAN_EXTS.has(ext) &&
100
+ /packages\/[^/]+\/src\/.*(config|next-config|security)/.test(relPath) &&
101
+ MONOREPO_HELPER_SIGNALS.some((re) => re.test(body))) {
102
+ hits.appendArrays.push(relPath);
103
+ return;
104
+ }
105
+
106
+ // SvelteKit kit.csp.directives
107
+ if (SCAN_EXTS.has(ext) && isConfig('svelte') &&
108
+ SVELTEKIT_CSP_SIGNALS.every((re) => re.test(body))) {
109
+ hits.appendArrays.push(relPath);
110
+ return;
111
+ }
112
+
113
+ // Nuxt nuxt-security module
114
+ if (SCAN_EXTS.has(ext) && isConfig('nuxt') &&
115
+ NUXT_SECURITY_SIGNALS.every((re) => re.test(body))) {
116
+ hits.appendArrays.push(relPath);
117
+ return;
118
+ }
119
+
120
+ // === append-string candidates ===
121
+
122
+ // Inline headers in Next/Nuxt/SvelteKit/Astro/Vite config
123
+ if (SCAN_EXTS.has(ext) &&
124
+ /(^|\/)(next|nuxt|vite|astro|svelte)\.config\./.test(relPath) &&
125
+ INLINE_HEADER_SIGNALS.every((re) => re.test(body))) {
126
+ // Nuxt routeRules is a sub-shape of append-string; we already covered
127
+ // nuxt-security above via return, so any remaining Nuxt CSP match here
128
+ // is a route-rules / inline-headers case. Either way, same patch
129
+ // mechanism.
130
+ hits.appendString.push(relPath);
131
+ return;
132
+ }
133
+
134
+ // === detect-only shapes ===
135
+
136
+ if ((base === 'middleware.ts' || base === 'middleware.js' || base === 'middleware.mjs') &&
137
+ MIDDLEWARE_HINT.test(body)) {
138
+ hits.middleware.push(relPath);
139
+ }
140
+
141
+ if (LAYOUT_EXTS.has(ext) && META_TAG_HINT.test(body)) {
142
+ hits.metaTag.push(relPath);
143
+ }
144
+ });
145
+
146
+ // Priority: append-arrays > append-string > middleware > meta-tag.
147
+ // Structured patches are safer than string splices; runtime and HTML
148
+ // injection patches are less reliable and v1 doesn't auto-apply them.
149
+ if (hits.appendArrays.length > 0) {
150
+ return { shape: 'append-arrays', signals: hits.appendArrays };
151
+ }
152
+ if (hits.appendString.length > 0) {
153
+ return { shape: 'append-string', signals: hits.appendString };
154
+ }
155
+ if (hits.middleware.length > 0) {
156
+ return { shape: 'middleware', signals: hits.middleware };
157
+ }
158
+ if (hits.metaTag.length > 0) {
159
+ return { shape: 'meta-tag', signals: hits.metaTag };
160
+ }
161
+ return { shape: null, signals: [] };
162
+ }
163
+
164
+ function walk(root, dir, depth, visit) {
165
+ if (depth > MAX_DEPTH) return;
166
+ let entries;
167
+ try { entries = fs.readdirSync(dir, { withFileTypes: true }); }
168
+ catch { return; }
169
+
170
+ for (const entry of entries) {
171
+ const abs = path.join(dir, entry.name);
172
+ if (entry.isDirectory()) {
173
+ if (SKIP_DIRS.has(entry.name)) continue;
174
+ walk(root, abs, depth + 1, visit);
175
+ continue;
176
+ }
177
+ if (!entry.isFile()) continue;
178
+ const ext = path.extname(entry.name);
179
+ if (!SCAN_EXTS.has(ext) && !LAYOUT_EXTS.has(ext)) continue;
180
+ let body;
181
+ try {
182
+ const fd = fs.openSync(abs, 'r');
183
+ try {
184
+ const buf = Buffer.alloc(MAX_READ_BYTES);
185
+ const n = fs.readSync(fd, buf, 0, MAX_READ_BYTES, 0);
186
+ body = buf.slice(0, n).toString('utf-8');
187
+ } finally { fs.closeSync(fd); }
188
+ } catch { continue; }
189
+ visit(abs, path.relative(root, abs), body);
190
+ }
191
+ }
192
+
193
+ // CLI mode
194
+ const _running = process.argv[1];
195
+ if (_running?.endsWith('detect-csp.mjs') || _running?.endsWith('detect-csp.mjs/')) {
196
+ const result = detectCsp(process.cwd());
197
+ console.log(JSON.stringify(result, null, 2));
198
+ }
@@ -0,0 +1,21 @@
1
+ #!/usr/bin/env node
2
+
3
+ import fs from 'node:fs';
4
+ import path from 'node:path';
5
+ import { pathToFileURL, fileURLToPath } from 'node:url';
6
+
7
+ const __dirname = path.dirname(fileURLToPath(import.meta.url));
8
+ const candidates = [
9
+ path.join(__dirname, 'detector', 'detect-antipatterns.mjs'),
10
+ path.join(__dirname, '..', '..', 'cli', 'engine', 'detect-antipatterns.mjs'),
11
+ ];
12
+ const detectorPath = candidates.find(p => fs.existsSync(p));
13
+
14
+ if (!detectorPath) {
15
+ process.stderr.write('Error: bundled detector not found.\n');
16
+ process.exit(1);
17
+ }
18
+
19
+ const { detectCli } = await import(pathToFileURL(detectorPath));
20
+
21
+ await detectCli();