From 3aa661f6dba54c854e0c5e2c5cf875c04277b61f Mon Sep 17 00:00:00 2001 From: Aleksandr Lozhkovoi Date: Sat, 21 Feb 2026 22:24:20 +0100 Subject: [PATCH] fix: harden prompts and remove published audit artifacts --- .cursor-plugin/plugin.json | 2 +- CHANGELOG.md | 14 ++-- README.md | 4 +- commands/generate-flutter-tests.md | 4 +- commands/implement-figma-screen.md | 5 +- commands/implement-flutter-feature.md | 4 +- commands/integrate-firebase.md | 4 +- commands/migrate-flutter-code.md | 4 +- commands/prepare-mobile-release.md | 4 +- commands/resolve-flutter-build-error.md | 5 +- commands/review-flutter-code.md | 5 +- commands/scaffold-flutter-feature.md | 4 +- commands/security-review.md | 6 +- commands/setup-mobile-github-pipeline.md | 4 +- commands/sync-official-flutter-ai-rules.md | 4 +- commands/update-flutter-dependencies.md | 5 +- commands/write-bloc-test.md | 4 +- commands/write-e2e-test.md | 4 +- commands/write-widget-test.md | 4 +- docs/command-output-contract.md | 34 --------- docs/official-release-checklist.md | 4 +- docs/prompt-execution-guardrails.md | 30 ++++++++ docs/quality-iterations-2026-02-21.md | 22 ------ docs/validation-matrix.md | 58 +++++++++++++++ plugin.json | 2 +- rules/flutter-official-ai-rules.mdc | 6 +- scripts/quality_audit_commands.sh | 87 ---------------------- scripts/sync_official_flutter_ai_rules.sh | 3 + skills/build-flutter-features/SKILL.md | 10 ++- skills/review-flutter-code/SKILL.md | 13 ++-- skills/security-audit/SKILL.md | 15 ++-- 31 files changed, 186 insertions(+), 188 deletions(-) delete mode 100644 docs/command-output-contract.md create mode 100644 docs/prompt-execution-guardrails.md delete mode 100644 docs/quality-iterations-2026-02-21.md create mode 100644 docs/validation-matrix.md delete mode 100755 scripts/quality_audit_commands.sh diff --git a/.cursor-plugin/plugin.json b/.cursor-plugin/plugin.json index ce6ea6a..dd70a43 100644 --- a/.cursor-plugin/plugin.json +++ b/.cursor-plugin/plugin.json 
@@ -1,7 +1,7 @@ { "name": "flutter-cursor-plugin", "displayName": "Flutter Cursor Plugin", - "version": "1.10.1", + "version": "1.10.2", "description": "Open-source Cursor plugin for end-to-end Flutter development and testing with Dart MCP, Figma MCP, practical architecture patterns, and reliable test workflows.", "author": { "name": "Aleksandr Lozhkovoi", diff --git a/CHANGELOG.md b/CHANGELOG.md index 038d688..364542e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,12 +2,14 @@ ## Unreleased -- Ran 10 command quality iterations and added reproducible audit: - - script: `scripts/quality_audit_commands.sh` - - report: `docs/quality-iterations-2026-02-21.md` -- Added shared output contract for deterministic command responses: - - `docs/command-output-contract.md` -- Updated all canonical commands to reference the output contract. +- Hardened command prompts with shared execution guardrails: + - `docs/prompt-execution-guardrails.md` +- Added deterministic validation guidance: + - `docs/validation-matrix.md` +- Updated canonical commands and core skills for: + - explicit fail-fast behavior when required context is missing + - tighter scope control and deterministic validation requirements +- Updated active official Flutter AI rule to choose state management by project conventions (Riverpod/Bloc/Cubit/GetX/ValueNotifier based on context). - Added reference example repository for project structure and tests: - https://github.com/Wreos/flutter-cursor-plugin-example - Added pre-release enable guide (`docs/pre-release-enable-plugin.md`) with repository install and manual workspace settings options. diff --git a/README.md b/README.md index 19fe90b..effc293 100644 --- a/README.md +++ b/README.md 
@@ -78,8 +78,8 @@ Reference project layout: - **Release automation**: `docs/release-automation.md` for semver bump, changelog cut, tag, and GitHub Release publishing. - **Security posture**: `docs/security-posture.md` for `/security-review` scope, false-positive handling, and CI integration. - **Reference Flutter app layout**: https://github.com/Wreos/flutter-cursor-plugin-example -- **Output contract**: `docs/command-output-contract.md` for deterministic command response shape. -- **Quality iterations report**: `docs/quality-iterations-2026-02-21.md`. +- **Prompt guardrails**: `docs/prompt-execution-guardrails.md`. +- **Validation matrix**: `docs/validation-matrix.md`. - **Agents** - `flutter-app-builder` (general Flutter implementation) - `flutter-code-reviewer` diff --git a/commands/generate-flutter-tests.md b/commands/generate-flutter-tests.md index 3c79d55..fbf7ca2 100644 --- a/commands/generate-flutter-tests.md +++ b/commands/generate-flutter-tests.md @@ -10,4 +10,6 @@ Generate tests for the target feature or class. 3. Keep tests behavior-driven and deterministic. 4. Prefer focused tests for changed code paths. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/implement-figma-screen.md b/commands/implement-figma-screen.md index 94202ac..baef5b0 100644 --- a/commands/implement-figma-screen.md +++ b/commands/implement-figma-screen.md 
@@ -11,5 +11,8 @@ Implement a Flutter UI from Figma source. 4. Use Figma MCP for node context, layout, spacing, typography, and assets. 5. Use Dart MCP for post-implementation analysis and fixes. 6. Add widget tests for critical interactions and visible states. +7. If no Figma URL/node is provided, stop and request it before implementation. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/implement-flutter-feature.md b/commands/implement-flutter-feature.md index 7345590..3138501 100644 --- a/commands/implement-flutter-feature.md +++ b/commands/implement-flutter-feature.md @@ -12,4 +12,6 @@ Implement or refactor a Flutter feature. 5. Keep dependencies injected and testable. 6. Add/update tests for modified behavior. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/integrate-firebase.md b/commands/integrate-firebase.md index 6c2988b..743d909 100644 --- a/commands/integrate-firebase.md +++ b/commands/integrate-firebase.md @@ -11,4 +11,6 @@ Integrate Firebase into the target Flutter app. 4. Complete `../docs/firebase-integration-checklist.md`. 5. Verify Android and iOS initialization in release-capable configuration. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/migrate-flutter-code.md b/commands/migrate-flutter-code.md index a6aeb04..dac7aa3 100644 --- a/commands/migrate-flutter-code.md +++ b/commands/migrate-flutter-code.md 
@@ -11,4 +11,6 @@ Run a migration/refactor task. 4. Use Dart MCP diagnostics to validate each step. 5. Add or update tests for behavioral changes. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/prepare-mobile-release.md b/commands/prepare-mobile-release.md index 371a5ed..d8c85b9 100644 --- a/commands/prepare-mobile-release.md +++ b/commands/prepare-mobile-release.md @@ -11,4 +11,6 @@ Prepare app for store publication. 4. Produce iOS release artifact (`.ipa`/archive) and validate signing/versioning. 5. Confirm store metadata/compliance inputs are complete before submission. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/resolve-flutter-build-error.md b/commands/resolve-flutter-build-error.md index b226327..4ec4ff8 100644 --- a/commands/resolve-flutter-build-error.md +++ b/commands/resolve-flutter-build-error.md @@ -10,5 +10,8 @@ Resolve a build or runtime failure. 3. Apply smallest safe fix. 4. Re-run failing command and impacted tests. 5. Document root cause and prevention notes. +6. Always report: reproduction command, root cause, and post-fix verification command output. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/review-flutter-code.md b/commands/review-flutter-code.md index 27847a8..e25419f 100644 --- a/commands/review-flutter-code.md +++ b/commands/review-flutter-code.md 
@@ -12,5 +12,8 @@ Run structured Flutter code review. 5. Include OWASP MASVS-focused mobile security checks. 6. Prioritize findings by severity and regression risk. 7. Include testing and accessibility checks. +8. If no review target is provided (PR/diff/files), stop and request explicit scope. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/scaffold-flutter-feature.md b/commands/scaffold-flutter-feature.md index 55495a3..3052121 100644 --- a/commands/scaffold-flutter-feature.md +++ b/commands/scaffold-flutter-feature.md @@ -11,4 +11,6 @@ Create a new feature module scaffold. 4. Build minimal complete skeleton first (UI + state + data boundaries). 5. Add starter tests with `write-widget-test` / `write-bloc-test`. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/security-review.md b/commands/security-review.md index 77533bb..1faa9a5 100644 --- a/commands/security-review.md +++ b/commands/security-review.md 
@@ -12,5 +12,9 @@ Run a security audit and secrets scan (Claude-style `/security-review` workflow) 5. Apply false-positive filtering so output stays actionable. 6. Return findings first, prioritized by severity and exploitability. 7. Include concrete remediation steps and verification commands. +8. If target scope (diff/branch/files) is missing, stop and ask for explicit scope. +9. If scanners are unavailable, report that explicitly and continue with manual checks. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/setup-mobile-github-pipeline.md b/commands/setup-mobile-github-pipeline.md index 4b4b293..680e9e2 100644 --- a/commands/setup-mobile-github-pipeline.md +++ b/commands/setup-mobile-github-pipeline.md @@ -11,4 +11,6 @@ Set up a mobile CI pipeline in GitHub Actions. 4. Ensure pipeline runs analyze/tests before building artifacts. 5. Validate generated APK/AAB artifacts and branch trigger strategy. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/sync-official-flutter-ai-rules.md b/commands/sync-official-flutter-ai-rules.md index aa6359b..ff27ca3 100644 --- a/commands/sync-official-flutter-ai-rules.md +++ b/commands/sync-official-flutter-ai-rules.md 
@@ -13,4 +13,6 @@ Sync official Flutter AI rules into the plugin repository. 3. Run `scripts/sync_official_flutter_ai_rules.sh <10k|4k|1k>`. 4. Commit synced files under `rules/official/` and active file `rules/flutter-official-ai-rules.mdc`. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/update-flutter-dependencies.md b/commands/update-flutter-dependencies.md index e09a03b..f1dcf17 100644 --- a/commands/update-flutter-dependencies.md +++ b/commands/update-flutter-dependencies.md @@ -9,5 +9,8 @@ Run a controlled dependency upgrade. 2. Keep changes incremental and reviewable. 3. Run `flutter analyze` and impacted tests before finalizing. 4. Document version deltas, breaking changes, and rollback plan. +5. Always include this baseline in validation: `flutter --version` (before/after), `flutter pub outdated`, `flutter analyze`, and impacted `flutter test`. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/write-bloc-test.md b/commands/write-bloc-test.md index a598e3f..b5d3212 100644 --- a/commands/write-bloc-test.md +++ b/commands/write-bloc-test.md @@ -11,4 +11,6 @@ Create or update a Bloc/Cubit test file. 4. Start from `../templates/bloc_test_template.dart`. 5. Run affected tests and fix failures. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/write-e2e-test.md b/commands/write-e2e-test.md index f40c9de..a065580 100644 --- a/commands/write-e2e-test.md 
+++ b/commands/write-e2e-test.md @@ -14,4 +14,6 @@ Create or update a Patrol E2E test. 7. Keep credentials in `--dart-define` / `.patrol.env` (no hardcoded secrets). 8. Run affected Patrol tests and fix failures. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/commands/write-widget-test.md b/commands/write-widget-test.md index 84426fd..a6a654f 100644 --- a/commands/write-widget-test.md +++ b/commands/write-widget-test.md @@ -12,4 +12,6 @@ Create or update a widget test file. 5. Prefer behavioral assertions (user action -> observable outcome, branch shown/hidden, verify side effects), not only style attributes. 6. Run affected tests and fix failures. -99. Return final response using `../docs/command-output-contract.md`. +Preconditions and guardrails: +- Enforce `../docs/prompt-execution-guardrails.md` before execution. +- Validate outcomes using `../docs/validation-matrix.md`. diff --git a/docs/command-output-contract.md b/docs/command-output-contract.md deleted file mode 100644 index 646ae90..0000000 --- a/docs/command-output-contract.md +++ /dev/null 
@@ -1,34 +0,0 @@ -# Command Output Contract - -All command workflows should return results using this structure. - -## Required sections - -1. Result - - One short statement of outcome (done/blocked/partial). -2. Changes - - Files touched and what changed. -3. Validation - - Commands/checks executed and pass/fail status. -4. Risks - - Remaining risks, assumptions, or edge cases. -5. Next steps - - Optional, only when actionable follow-up exists. - -## Command-specific requirements - -- Review/security commands: - - Findings first, ordered by severity. - - Include exact file references. -- Migration/upgrade commands: - - Before/after versions. - - Rollback notes. -- Build/debug commands: - - Reproduction command. - - Root cause and fix verification. - -## Quality bar - -- Avoid vague summaries without evidence. -- Prefer concrete file paths and command outputs. -- Keep conclusions tied to actual checks, not assumptions. diff --git a/docs/official-release-checklist.md b/docs/official-release-checklist.md index 812e4cc..1ad1759 100644 --- a/docs/official-release-checklist.md +++ b/docs/official-release-checklist.md @@ -16,8 +16,8 @@ Use this checklist before tagging a public release. - Templates are generic and repository-agnostic. - No private/company-specific references remain. - Effective Dart alignment is explicitly enforced (`rules/dart-effective-dart.mdc`). -- Command output contract is documented and referenced (`docs/command-output-contract.md`). -- Latest quality-iterations report exists (`docs/quality-iterations-2026-02-21.md`). +- Prompt execution guardrails are documented and referenced (`docs/prompt-execution-guardrails.md`). +- Validation matrix is documented and referenced (`docs/validation-matrix.md`). ## Tooling diff --git a/docs/prompt-execution-guardrails.md b/docs/prompt-execution-guardrails.md new file mode 100644 index 0000000..8572ae5 --- /dev/null +++ b/docs/prompt-execution-guardrails.md 
@@ -0,0 +1,30 @@ +# Prompt Execution Guardrails + +Use these rules for all command prompts. + +## Required inputs (before execution) + +- Goal: what outcome is required. +- Scope: target modules/files and out-of-scope areas. +- Constraints: architecture/state-management/tooling constraints. +- Validation: exact commands to prove success. + +If any required input is missing, stop and request clarification instead of guessing. + +## Fail-fast rules + +- Do not fabricate external context (Figma node IDs, CI logs, credentials, API contracts). +- If prerequisites are unavailable (tools, credentials, build context), report blocker and minimal next input needed. +- For security/review commands, require explicit target: diff, branch, or file set. + +## Change scope limits + +- Keep blast radius small: modify only files needed for the stated goal. +- No unrelated refactors in the same run. +- If migration is large, split into batches with per-batch validation. + +## Output quality + +- Tie claims to concrete checks run. +- Prefer precise file references and command results. +- Explicitly call out residual risks and unverified assumptions. diff --git a/docs/quality-iterations-2026-02-21.md b/docs/quality-iterations-2026-02-21.md deleted file mode 100644 index abd7e83..0000000 --- a/docs/quality-iterations-2026-02-21.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# Plugin Quality Iterations (2026-02-21) - -Automated quality audit over 10 command iterations. - -| Iteration | Command | Frontmatter | Skill/Workflow Ref | Output Contract | Steps >= 4 | Status | -|---:|---|---|---|---|---|---| -| 1 | `implement-flutter-feature` | pass | pass | pass | pass | **PASS** | -| 2 | `implement-figma-screen` | pass | pass | pass | pass | **PASS** | -| 3 | `generate-flutter-tests` | pass | pass | pass | pass | **PASS** | -| 4 | `review-flutter-code` | pass | pass | pass | pass | **PASS** | -| 5 | `security-review` | pass | pass | pass | pass | **PASS** | -| 6 | `update-flutter-dependencies` | pass | pass | pass | pass | **PASS** | -| 7 | `resolve-flutter-build-error` | pass | pass | pass | pass | **PASS** | -| 8 | `prepare-mobile-release` | pass | pass | pass | pass | **PASS** | -| 9 | `sync-official-flutter-ai-rules` | pass | pass | pass | pass | **PASS** | -| 10 | `integrate-firebase` | pass | pass | pass | pass | **PASS** | - -## Findings - -- Stabilized command output with a shared contract: `docs/command-output-contract.md`. -- Canonical command set now references the output contract for deterministic response shape. -- This report is generated by `scripts/quality_audit_commands.sh`. diff --git a/docs/validation-matrix.md b/docs/validation-matrix.md new file mode 100644 index 0000000..f03cf0e --- /dev/null +++ b/docs/validation-matrix.md 
@@ -0,0 +1,58 @@ +# Validation Matrix + +Deterministic validation baseline per command. + +## implement-flutter-feature + +- `flutter analyze` +- `flutter test` (targeted for changed feature/tests) + +## implement-figma-screen + +- `flutter analyze` +- `flutter test` (widget tests for implemented screen) + +## generate-flutter-tests + +- `flutter test` for created/changed test files + +## review-flutter-code + +- Evidence-based findings against changed files/diff +- Security pass included (`security-audit` scope) + +## security-review + +- Secrets scan command(s) executed or explicitly unavailable +- Findings with severity + remediation + verification steps + +## update-flutter-dependencies + +- `flutter --version` (before/after) +- `flutter pub outdated` +- `flutter analyze` +- impacted `flutter test` suite + +## resolve-flutter-build-error + +- Reproduction command captured +- Re-run reproduction command after fix +- `flutter analyze` + impacted tests + +## prepare-mobile-release + +- `flutter analyze` +- `flutter test` (required suite) +- release artifact build commands documented (`.aab`/`.ipa` path) + +## integrate-firebase + +- `flutter analyze` +- `flutter test` (impacted) +- platform config verification (Android/iOS init) + +## migrate-flutter-code + +- Per-batch `flutter analyze` +- Per-batch impacted tests +- migration checklist completion status diff --git a/plugin.json b/plugin.json index 6fbbab0..e1c03a0 100644 --- a/plugin.json +++ b/plugin.json @@ -1,7 +1,7 @@ { "name": "flutter-cursor-plugin", "displayName": "Flutter Cursor Plugin", - "version": "1.10.1", + "version": "1.10.2", "description": "Open-source Cursor plugin for end-to-end Flutter development and testing with Dart MCP, Figma MCP, practical architecture patterns, and reliable test workflows.", "author": "Aleksandr Lozhkovoi", "license": "MIT", diff --git a/rules/flutter-official-ai-rules.mdc b/rules/flutter-official-ai-rules.mdc index 5590b3f..11955b2 100644 
--- a/rules/flutter-official-ai-rules.mdc +++ b/rules/flutter-official-ai-rules.mdc @@ -26,9 +26,9 @@ Do not edit manually; run scripts/sync_official_flutter_ai_rules.sh. * **SOLID:** strictly enforced. * **State Management:** * **Pattern:** Separate UI state (ephemeral) from App state. - * **Native First:** Use `ValueNotifier`, `ChangeNotifier`. - * **Prohibited:** NO Riverpod, Bloc, GetX unless explicitly requested. - * **DI:** Manual constructor injection or `provider` package if requested. + * **Project First:** Follow the existing project architecture and state-management choice. + * **Selection:** Use Riverpod/Bloc/Cubit/GetX/ValueNotifier based on project conventions, complexity, and team standards. + * **DI:** Keep dependencies explicit via constructor injection or project-standard DI. ## Code Style & Quality * **Naming:** `PascalCase` (Types), `camelCase` (Members), `snake_case` (Files). diff --git a/scripts/quality_audit_commands.sh b/scripts/quality_audit_commands.sh deleted file mode 100755 index b54e72d..0000000 --- a/scripts/quality_audit_commands.sh +++ /dev/null 
@@ -1,87 +0,0 @@ -#!/usr/bin/env bash - -set -euo pipefail - -repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" -commands=( - "implement-flutter-feature.md" - "implement-figma-screen.md" - "generate-flutter-tests.md" - "review-flutter-code.md" - "security-review.md" - "update-flutter-dependencies.md" - "resolve-flutter-build-error.md" - "prepare-mobile-release.md" - "sync-official-flutter-ai-rules.md" - "integrate-firebase.md" -) - -report_file="${repo_root}/docs/quality-iterations-2026-02-21.md" - -{ - echo "# Plugin Quality Iterations (2026-02-21)" - echo - echo "Automated quality audit over 10 command iterations." - echo - echo "| Iteration | Command | Frontmatter | Skill/Workflow Ref | Output Contract | Steps >= 4 | Status |" - echo "|---:|---|---|---|---|---|---|" -} > "${report_file}" - -idx=1 -all_pass=true - -for cmd in "${commands[@]}"; do - path="${repo_root}/commands/${cmd}" - content="$(cat "${path}")" - - has_frontmatter="fail" - has_skill_or_workflow="fail" - has_output_contract="fail" - has_min_steps="fail" - status="FAIL" - - if grep -Eq '^---' "${path}" && grep -Eq '^name:' "${path}" && grep -Eq '^description:' "${path}"; then - has_frontmatter="pass" - fi - - if grep -Eq '(\.\./skills/|templates/|docs/)' "${path}"; then - has_skill_or_workflow="pass" - fi - - if grep -Eq 'command-output-contract' "${path}"; then - has_output_contract="pass" - fi - - step_count="$(grep -Ec '^[0-9]+\.' 
"${path}" || true)" - if [ "${step_count}" -ge 4 ]; then - has_min_steps="pass" - fi - - if [ "${has_frontmatter}" = "pass" ] && \ - [ "${has_skill_or_workflow}" = "pass" ] && \ - [ "${has_output_contract}" = "pass" ] && \ - [ "${has_min_steps}" = "pass" ]; then - status="PASS" - else - all_pass=false - fi - - echo "| ${idx} | \`${cmd%.md}\` | ${has_frontmatter} | ${has_skill_or_workflow} | ${has_output_contract} | ${has_min_steps} | **${status}** |" >> "${report_file}" - idx=$((idx + 1)) -done - -{ - echo - echo "## Findings" - echo - echo "- Stabilized command output with a shared contract: \`docs/command-output-contract.md\`." - echo "- Canonical command set now references the output contract for deterministic response shape." - echo "- This report is generated by \`scripts/quality_audit_commands.sh\`." -} >> "${report_file}" - -if [ "${all_pass}" = false ]; then - echo "Quality audit failed. See ${report_file}" >&2 - exit 1 -fi - -echo "Quality audit passed. Report: ${report_file}" diff --git a/scripts/sync_official_flutter_ai_rules.sh b/scripts/sync_official_flutter_ai_rules.sh index e811136..8ecc97d 100755 --- a/scripts/sync_official_flutter_ai_rules.sh +++ b/scripts/sync_official_flutter_ai_rules.sh 
@@ -66,6 +66,9 @@ awk ' { print } ' "${out_dir}/flutter-ai-rules-${profile}.mdc" > "${active_rule}" +# Align active profile with plugin policy: pick state management by project context. +perl -0pi -e 's/\* \*\*State Management:\*\*\n \* \*\*Pattern:\*\* Separate UI state \(ephemeral\) from App state\.\n \* \*\*Native First:\*\* Use `ValueNotifier`, `ChangeNotifier`\.\n \* \*\*Prohibited:\*\* NO Riverpod, Bloc, GetX unless explicitly requested\.\n \* \*\*DI:\*\* Manual constructor injection or `provider` package if requested\./* **State Management:**\n * **Pattern:** Separate UI state (ephemeral) from App state.\n * **Project First:** Follow the existing project architecture and state-management choice.\n * **Selection:** Use Riverpod\/Bloc\/Cubit\/GetX\/ValueNotifier based on project conventions, complexity, and team standards.\n * **DI:** Keep dependencies explicit via constructor injection or project-standard DI./s' "${active_rule}" + echo "Synced official Flutter AI rules." echo "Selected active profile: ${profile}" echo "Active rule: rules/flutter-official-ai-rules.mdc" diff --git a/skills/build-flutter-features/SKILL.md b/skills/build-flutter-features/SKILL.md index 4fb8aab..00e4eb9 100644 --- a/skills/build-flutter-features/SKILL.md +++ b/skills/build-flutter-features/SKILL.md 
@@ -20,10 +20,18 @@ Use this skill for non-test Flutter development tasks. ## Architecture defaults - Keep widgets focused on rendering and interaction. -- Keep business logic in cubit/bloc/use-cases/services. +- Choose state management based on existing project conventions first. +- If the project already uses Riverpod/Bloc/Cubit/GetX, stay consistent with that choice. +- If no convention exists, choose the simplest viable option and document why. +- Keep business logic in dedicated controllers/cubit/bloc/use-cases/services (not widgets). - Avoid hidden global state/singletons when DI can be used. - Keep models immutable where practical. +## Scope guardrails + +- Restrict changes to the requested feature/module unless explicitly expanded. +- Do not mix unrelated refactors with feature delivery. + ## Required references - `../../rules/flutter-development-best-practices.mdc` diff --git a/skills/review-flutter-code/SKILL.md b/skills/review-flutter-code/SKILL.md index 05b7763..5523272 100644 --- a/skills/review-flutter-code/SKILL.md +++ b/skills/review-flutter-code/SKILL.md 
@@ -10,12 +10,13 @@ Use for PR/diff/code review requests. ## Workflow 1. Review for correctness and behavioral regressions first. -2. Check architecture boundaries and dependency direction. -3. Check state-management misuse and async hazards. -4. Check tests for missing cases and flakiness. -5. Run security audit checks from `../security-audit/SKILL.md` for every review. -6. Include OWASP MASVS-focused checks for mobile risk areas. -7. Check accessibility/localization/performance basics. +2. Require explicit review scope (PR diff, commit range, or file list) before deep review. +3. Check architecture boundaries and dependency direction. +4. Check state-management misuse and async hazards. +5. Check tests for missing cases and flakiness. +6. Run security audit checks from `../security-audit/SKILL.md` for every review. +7. Include OWASP MASVS-focused checks for mobile risk areas. +8. Check accessibility/localization/performance basics. ## Mandatory security scope (OWASP MASVS-oriented) diff --git a/skills/security-audit/SKILL.md b/skills/security-audit/SKILL.md index 784fd1c..0a1d290 100644 --- a/skills/security-audit/SKILL.md +++ b/skills/security-audit/SKILL.md 
@@ -11,21 +11,22 @@ Every code review must include this security pass. ## Workflow -1. Start diff-aware: review pending changes first, then expand to dependent context. -2. Run repository-level secrets checks. -3. Review code for high-risk patterns: +1. Require explicit target scope (pending diff, PR range, or file set). If missing, request it first. +2. Start diff-aware: review pending changes first, then expand to dependent context. +3. Run repository-level secrets checks. +4. Review code for high-risk patterns: - hardcoded credentials/tokens/keys - insecure storage or logging of sensitive data - missing TLS/certificate validation controls - unsafe deserialization / dynamic execution patterns - insufficient authz/authn checks in app/service boundaries -4. Review mobile-specific concerns: +5. Review mobile-specific concerns: - Android/iOS configuration leaks - debug flags/logging in release paths - weak handling of deep links/intent data -5. Apply false-positive filtering (remove low-impact/no-exploitability noise). -6. Classify findings by severity and exploitability. -7. Provide minimal safe fixes and validation steps. +6. Apply false-positive filtering (remove low-impact/no-exploitability noise). +7. Classify findings by severity and exploitability. +8. Provide minimal safe fixes and validation steps. ## OWASP MASVS coverage (required)
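Review bot: in the `.cursor-plugin/plugin.json` and `plugin.json` hunks the version is bumped from `1.10.1` to `1.10.2`, but the `CHANGELOG.md` hunk leaves all of these entries under `## Unreleased` with no `1.10.2` section. Either cut the changelog section in the same commit (the README points to `docs/release-automation.md` for exactly that step) or keep the manifests at `1.10.1` until the release is actually tagged, so the two files do not disagree about what has shipped.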
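Review bot: the `CHANGELOG.md` hunk drops the lines for `scripts/quality_audit_commands.sh` and `docs/quality-iterations-2026-02-21.md` but never records that they were removed, even though the commit subject says "remove published audit artifacts". A reader of the changelog cannot tell the audit script ever existed or why it is gone; add a bullet such as "Removed `scripts/quality_audit_commands.sh` and the generated quality-iterations report" so the removal is visible alongside the new guardrail docs.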
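Review bot: in the `commands/implement-figma-screen.md` hunk the new precondition `7. If no Figma URL/node is provided, stop and request it before implementation.` is appended as the last numbered step, after the implementation and widget-test steps, so an agent executing the list in order would only check for the missing input after doing the work. Move it to step 1 or into the new "Preconditions and guardrails" block, where `prompt-execution-guardrails.md` already says to stop before execution.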
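Review bot: same ordering problem in the `commands/review-flutter-code.md` hunk: `8. If no review target is provided (PR/diff/files), stop and request explicit scope.` comes after steps 5 to 7, which already perform MASVS, severity and accessibility checks on that target. The scope check has to be the first step (the `skills/security-audit/SKILL.md` hunk in this same patch puts it at step 1), otherwise the review runs on an undefined target before the list tells it to stop.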
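Review bot: in the `commands/security-review.md` hunk, steps 8 and 9 (missing scope, unavailable scanners) are appended after step 7, which already asks for remediation steps and verification commands, so the fail-fast conditions are evaluated last. Place both ahead of the scanning steps, and for step 9 state that the unavailable scanner and the manual checks substituted for it are recorded in the findings, which is what the `security-review` entry in `docs/validation-matrix.md` ("executed or explicitly unavailable") expects.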
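Review bot: deleting `docs/command-output-contract.md` removes the only definition of a required response structure (Result, Changes, Validation, Risks, Next steps, plus findings-first ordering for review and security commands), and the replacement "Output quality" section in `docs/prompt-execution-guardrails.md` lists only qualities, not sections. The README hunk also drops the "deterministic command response shape" promise. If the shape is still wanted, carry the five required sections into the guardrails doc; if it is intentionally dropped, say so in the changelog, since every command previously relied on it.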
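Review bot: in the new `docs/prompt-execution-guardrails.md`, `Validation: exact commands to prove success` is listed under "Required inputs" and the next line says to stop if any required input is missing. Read literally, every command invocation without user-supplied validation commands would halt, even though `docs/validation-matrix.md` in this same patch defines a per-command baseline. State that the matrix entry is the default validation when the user gives none, and reserve the stop-and-ask behaviour for goal and scope.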
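Review bot: `docs/validation-matrix.md` has no entry for six commands that this patch points at it with `Validate outcomes using ../docs/validation-matrix.md`: `scaffold-flutter-feature`, `setup-mobile-github-pipeline`, `sync-official-flutter-ai-rules`, `write-bloc-test`, `write-e2e-test` and `write-widget-test`. Add a section for each (for example `flutter analyze` plus the affected `flutter test` or Patrol run, which the commands already name) or the reference resolves to nothing for those commands.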
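Review bot: deleting `scripts/quality_audit_commands.sh` removes the only automated check that each command file has frontmatter, at least four steps, and a reference to the shared doc (it grepped for `command-output-contract`). Nothing in the patch replaces it, and `docs/official-release-checklist.md` now relies on a manual tick for "Prompt execution guardrails are documented and referenced". Keep a minimal grep over `commands/*.md` for `prompt-execution-guardrails.md` and `validation-matrix.md` rather than dropping the check entirely; the missing validation-matrix entries noted elsewhere are exactly the kind of drift it would catch.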
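Review bot: the `perl -0pi -e 's/.../.../s'` line added to `scripts/sync_official_flutter_ai_rules.sh` matches the exact upstream wording of the State Management block, including newlines and indentation, and silently does nothing if that text drifts, which would reintroduce the "Prohibited: NO Riverpod, Bloc, GetX" rule into the active profile on the next sync. Under `set -e` a non-matching substitution still exits 0, so add an explicit check after it, for example `grep -q 'Project First' "${active_rule}" || { echo "state-management rewrite did not apply" >&2; exit 1; }`. Also note this adds a `perl` dependency to a script that otherwise uses `awk`; document it or express the rewrite in `awk`.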
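Review bot: the `rules/flutter-official-ai-rules.mdc` hunk edits the file by hand while its own header says `Do not edit manually; run scripts/sync_official_flutter_ai_rules.sh`. That is acceptable only if re-running the script reproduces this exact diff; please confirm by running the sync on a clean tree and checking `git diff` is empty, since the perl pattern depends on the leading-space indentation of the `* **Pattern:**` lines.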
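Review bot: in the `skills/review-flutter-code/SKILL.md` hunk, `2. Require explicit review scope (PR diff, commit range, or file list) before deep review.` follows `1. Review for correctness and behavioral regressions first.`, so the workflow asks for scope after the first review pass has already started. Swap steps 1 and 2 to match the `skills/security-audit/SKILL.md` hunk, which correctly puts the scope requirement first.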