Execute qualquer Skill no Manus
com um clique

Execute qualquer Skill no Manus com um clique

ship-loop-sanity

Estrelas1

Forks0

Atualizado30 de abril de 2026 às 17:12

Security/quality gate child loop. Runs auth ratchet test, npm audit, parallel auth-coverage script, and a secret-leak diff-scan. Updates ship-loop-state.json with per-gate state. On failure applies one recovery recipe (typically auth ratchet triage or audit fix), retries once, escalates. Use standalone via /loop ship-loop-sanity or wired into the master orchestrator.

Instalação

Instalar com Codex ou Claude Copie este prompt, cole no Codex, Claude ou outro assistente e deixe que ele revise a página da skill e instale para você.

Executar no Manus

Fonte

CleanExpo

CleanExpo/Synthex

Abrir repositório GitHub Ver repositórios do creator

Download

Executar no Manus

Ocupações relacionadasSOC

Baseado na classificação ocupacional SOC

Analistas de segurança da informaçãoInformática e Matemática·SOC 15-1212

SKILL.md

readonly

name	ship-loop-sanity
description	Security/quality gate child loop. Runs auth ratchet test, npm audit, parallel auth-coverage script, and a secret-leak diff-scan. Updates ship-loop-state.json with per-gate state. On failure applies one recovery recipe (typically auth ratchet triage or audit fix), retries once, escalates. Use standalone via /loop ship-loop-sanity or wired into the master orchestrator.
type	child-loop
context	persistent

ship-loop-sanity — security/quality gate child loop

Activation

Standalone: /loop ship-loop-sanity
Orchestrated: invoked by ship-loop-master every 60 min OR when sanity.state !== 'green'

Process

Step 1: Run four sanity gates in order

cd D:/Synthex

# Gate A: auth ratchet — already-built jest test, baseline VIOLATION_BASELINE = 0
npx jest --config jest.worktree.cjs tests/auth/route-coverage.test.ts

# Gate B: npm audit (production deps only)
npm audit --omit=dev --json > /tmp/sanity-audit.json
# Parse for HIGH severity count

# Gate C: parallel CLI auth-coverage script (catches mismatches with ratchet test)
npx tsx scripts/check-auth-coverage.ts

# Gate D: secret leak diff-scan (uncommitted + ahead-of-origin diff)
git diff origin/main...HEAD | grep -nE "(sk-[a-zA-Z0-9]{20,}|sk_live_[a-zA-Z0-9]{20,}|SUPABASE_SERVICE_ROLE_KEY=[a-zA-Z0-9]|STRIPE_SECRET_KEY=[a-zA-Z0-9]|ANTHROPIC_API_KEY=[a-zA-Z0-9])" || echo "secret_scan_clean"

Step 2: Update state

Atomic update to layers.sanity:

{
  "state": "green" | "red",
  "last_run": "<iso>",
  "retries": <int>,
  "details": {
    "auth_ratchet": { "pass": true|false, "violations": <int>, "baseline": <int> },
    "npm_audit": { "pass": true|false, "high": <int>, "moderate": <int> },
    "auth_script": { "pass": true|false, "violations": <int> },
    "secret_scan": { "pass": true|false, "leaks": ["<file:line>", ...] }
  }
}

state === 'green' IFF all four gates pass. Note for npm_audit: pass = (high === 0) only — moderates are noted but don't block.

Step 3: Recovery sub-loop on red

For each failing gate:

Gate A failed (auth ratchet)

Recipe #7: parse stderr for "New unprotected routes detected" list
For each: read the route, classify (admin / public / inline-supabase / other auth pattern)
If clear pattern: wrap with withAuth from @/lib/auth/with-auth OR add prefix to EXEMPT_PREFIXES with comment
If ambiguous: escalate to escalations.md with the route path and three options for human

Gate B failed (HIGH npm vuln introduced)

Recipe #8: npm audit fix (non---force)
Re-run gate; if still HIGH, escalate (likely needs --force which is a CEO-only call)

Gate C failed (script mismatch with ratchet test)

Indicates AUTH_IMPORT_PATTERNS or EXEMPT_PREFIXES diverged between tests/auth/route-coverage.test.ts and scripts/check-auth-coverage.ts
Diff the two files; suggest sync edit; escalate (don't auto-edit — CEO needs to confirm intent)

Gate D failed (secret leak)

HALT IMMEDIATELY — do not retry, do not auto-fix
Append to escalations.md as ## P0 — Secret leak detected
The P0 will block the master loop from advancing until human clears it (per master's hard-stop logic)
Do NOT log the matched secret value into the events file (that would defeat the purpose)

Recipe priorities for this loop

#7 auth ratchet (Gate A) — high priority match
#8 npm audit (Gate B) — high priority match
Custom secret-leak P0 (Gate D) — never recipe; always escalate

Verification

Add an unprotected route to app/api/test-route/route.ts and re-run; expect Gate A red, recipe #7 attempts wrap, escalates if pattern unclear
Stage a fake API key string in a tracked file and re-run; expect Gate D red, P0 escalation, master halts on next tick
Add a low-severity vuln (none should be auto-detected as HIGH but verify gate handles 0 HIGH correctly)

Out of scope

Snyk / Trivy deeper scans (those run in CI, not the loop — noisy and slow)
License compliance scanning (separate concern)
Dependency update suggestions (out of scope — Renovate/Dependabot domain)

Mais deste repositório

mesmo repositório

north-star

CleanExpo/Synthex

The engineering navigation layer for Synthex — holds the mission, the current course, the rules of the ship, and routes work to the right existing specialist. Load at the START of any planning, prioritisation, "what's next", roadmap, scope, or new-feature decision. NEVER let work drift off the critical path or add capabilities the ship already carries (see dependency-discipline). NEVER claim done without the verification gate. NEVER merge to production or change prod data without a human gate. ALWAYS trace a task to the NorthStar, the live Linear epic, and an existing system before writing code.

2026-06-241

playwright-cli

CleanExpo/Synthex

Authenticated browser automation for Synthex — drive real Chrome to log in, screenshot, and audit dashboard/integration surfaces. Use for live visual verification, "audit the dashboard", "check what's connected", or closing the verification gate on /dashboard/* routes. Two backends: the Playwright MCP server (interactive, in-session tools) and the committed CLI scripts (scripts/browser/*.mjs, reliable + headless). RUNS WHERE THE BROWSER + NETWORK + AUTH EXIST — i.e. a local machine, not a network-restricted sandbox.

2026-06-241

api-testing

CleanExpo/Synthex

Synthex API testing enforcer. NEVER mock the database in integration tests — use real Supabase. NEVER skip the 401 (unauthenticated) or 403 (wrong org) test cases. NEVER use pnpm. ALWAYS structure tests as: 401 → 403 → 400 → 200/201 happy path. Activate on ANY request to write API tests, validate endpoints, add test coverage, or check test quality.

2026-06-231

database-prisma

CleanExpo/Synthex

Synthex database operations enforcer. NEVER use prisma db push for schema changes — use migrate diff + db execute. NEVER add non-nullable columns without defaults. NEVER write Prisma queries without organizationId scope. ALWAYS use backward-compatible migrations and validate with prisma validate first. Activate on ANY request to change schema, write a query, create a migration, add a model, or modify database operations.

2026-06-231

design

CleanExpo/Synthex

Synthex design system enforcer. NEVER use Inter as a heading font, purple (#8B5CF6) gradients on white, or generic glassmorphism without Synthex tokens. ALWAYS use Space Grotesk headings, #f97316 brand orange, #0f172a slate background, and the Synthex glass token set. Activate on ANY request involving UI, components, styling, layout, visual design, colour, typography, spacing, shadows, animations, or anything a user will see on screen.

2026-06-231

security-hardener

CleanExpo/Synthex

Synthex security posture enforcer. NEVER apply generic OWASP checklists without grounding in Synthex's specific threat model. NEVER suggest any auth system other than Supabase. ALWAYS audit: SSRF via validateExternalUrl, JWT tier elevation via resolveVerifiedTier, CORS via CORS_ORIGIN exact-match, org-scope bypass in Prisma. Activate on ANY request to harden security, audit vulnerabilities, review auth patterns, check for injection risks, or assess an attack surface.

2026-06-231

name	ship-loop-sanity
description	Security/quality gate child loop. Runs auth ratchet test, npm audit, parallel auth-coverage script, and a secret-leak diff-scan. Updates ship-loop-state.json with per-gate state. On failure applies one recovery recipe (typically auth ratchet triage or audit fix), retries once, escalates. Use standalone via /loop ship-loop-sanity or wired into the master orchestrator.
type	child-loop
context	persistent

ship-loop-sanity — security/quality gate child loop

Activation

Standalone: /loop ship-loop-sanity
Orchestrated: invoked by ship-loop-master every 60 min OR when sanity.state !== 'green'

Process

Step 1: Run four sanity gates in order

cd D:/Synthex

# Gate A: auth ratchet — already-built jest test, baseline VIOLATION_BASELINE = 0
npx jest --config jest.worktree.cjs tests/auth/route-coverage.test.ts

# Gate B: npm audit (production deps only)
npm audit --omit=dev --json > /tmp/sanity-audit.json
# Parse for HIGH severity count

# Gate C: parallel CLI auth-coverage script (catches mismatches with ratchet test)
npx tsx scripts/check-auth-coverage.ts

# Gate D: secret leak diff-scan (uncommitted + ahead-of-origin diff)
git diff origin/main...HEAD | grep -nE "(sk-[a-zA-Z0-9]{20,}|sk_live_[a-zA-Z0-9]{20,}|SUPABASE_SERVICE_ROLE_KEY=[a-zA-Z0-9]|STRIPE_SECRET_KEY=[a-zA-Z0-9]|ANTHROPIC_API_KEY=[a-zA-Z0-9])" || echo "secret_scan_clean"

Step 2: Update state

Atomic update to layers.sanity:

{
  "state": "green" | "red",
  "last_run": "<iso>",
  "retries": <int>,
  "details": {
    "auth_ratchet": { "pass": true|false, "violations": <int>, "baseline": <int> },
    "npm_audit": { "pass": true|false, "high": <int>, "moderate": <int> },
    "auth_script": { "pass": true|false, "violations": <int> },
    "secret_scan": { "pass": true|false, "leaks": ["<file:line>", ...] }
  }
}

state === 'green' IFF all four gates pass. Note for npm_audit: pass = (high === 0) only — moderates are noted but don't block.

Step 3: Recovery sub-loop on red

For each failing gate:

Gate A failed (auth ratchet)

Recipe #7: parse stderr for "New unprotected routes detected" list
For each: read the route, classify (admin / public / inline-supabase / other auth pattern)
If clear pattern: wrap with withAuth from @/lib/auth/with-auth OR add prefix to EXEMPT_PREFIXES with comment
If ambiguous: escalate to escalations.md with the route path and three options for human

Gate B failed (HIGH npm vuln introduced)

Recipe #8: npm audit fix (non---force)
Re-run gate; if still HIGH, escalate (likely needs --force which is a CEO-only call)

Gate C failed (script mismatch with ratchet test)

Indicates AUTH_IMPORT_PATTERNS or EXEMPT_PREFIXES diverged between tests/auth/route-coverage.test.ts and scripts/check-auth-coverage.ts
Diff the two files; suggest sync edit; escalate (don't auto-edit — CEO needs to confirm intent)

Gate D failed (secret leak)

HALT IMMEDIATELY — do not retry, do not auto-fix
Append to escalations.md as ## P0 — Secret leak detected
The P0 will block the master loop from advancing until human clears it (per master's hard-stop logic)
Do NOT log the matched secret value into the events file (that would defeat the purpose)

Recipe priorities for this loop

#7 auth ratchet (Gate A) — high priority match
#8 npm audit (Gate B) — high priority match
Custom secret-leak P0 (Gate D) — never recipe; always escalate

Verification

Add an unprotected route to app/api/test-route/route.ts and re-run; expect Gate A red, recipe #7 attempts wrap, escalates if pattern unclear
Stage a fake API key string in a tracked file and re-run; expect Gate D red, P0 escalation, master halts on next tick
Add a low-severity vuln (none should be auto-detected as HIGH but verify gate handles 0 HIGH correctly)

Out of scope

Snyk / Trivy deeper scans (those run in CI, not the loop — noisy and slow)
License compliance scanning (separate concern)
Dependency update suggestions (out of scope — Renovate/Dependabot domain)