feat(skills): add 5-skill suite (recon, inventory, explore, screenshot-all, diff) #121

Open: HermeticOrmus wants to merge 2 commits into VibiumDev:main from HermeticOrmus:feature/vibe-skills-suite

@HermeticOrmus


Why

vibe-check covers the "execute a known plan against a known UI" use case. This PR adds five complementary skills for the workflows Vibium users hit before and around that:

| Skill | Question it answers |
| --- | --- |
| vibe-recon | What is this app and how does auth work? (no login) |
| vibe-inventory | What does it do, structurally? Routes + APIs + permissions |
| vibe-explore | What can I do here? Click everything safely and report |
| vibe-screenshot-all | Show me what every page looks like |
| vibe-diff | What changed since last time? |

Each skill is self-contained — SKILL.md + bash runner + helper JS where needed. Binary resolution mirrors vibe-check's pattern (vibium → ./clicker/bin/vibium → ./node_modules/.bin/vibium). No Go binary changes; pure-additive PR.

What changed

skills/
├── vibe-recon/             4 files — recon.sh + bundle-grep.sh + probe.js + SKILL.md
├── vibe-inventory/         5 files — inventory.sh + walk.sh + bundle-grep.sh + probe.js + SKILL.md
├── vibe-explore/           5 files — explore.sh + dismiss-consent.js + enumerate-clickables.js + probe-state.js + SKILL.md
├── vibe-screenshot-all/    2 files — screenshot-all.sh + SKILL.md
└── vibe-diff/              2 files — diff.sh + SKILL.md

+18 files, ~830 lines, 0 existing files modified.

vibe-recon — auth-wall + edge mapping (no login)

Edge curl, redirect chain, security headers, navigates the landing page, captures any visible login DOM, pulls the SPA bundle for grep-based route discovery. Read-only mode for "look but don't touch."

vibe-inventory — structural feature map

Walks every route the SPA bundle declares (capped at --max-routes, default 30), captures per-route status / tables / grids / inputs / buttons, screenshots each, and greps the bundle for /api/* endpoints + permission tokens (Word:Word:Word) + role names. Login-aware via --auth-required (pause for manual sign-in).

vibe-explore — click safe elements + rank capabilities

Inverse of vibe-check: clicks every safe interactive element on the page, classifies each outcome (navigation / modal / inline-disclosure / external / noop / route-error), screenshots before+after, then produces a ranked "what you can do here" report.

Hard safety filter on by default — skips delete / submit / pay / sign-out / send / post / checkout patterns, form submits, external-origin links, target=_blank anchors. --include-destructive lifts the filter.

Includes a 4-strategy consent-banner dismissal (visible-button-text → vendor-specific Usercentrics/OneTrust/Cookiebot → shadow-DOM walk → force-hide-CSS). Required to make the click loop work on real-world consent-walled sites.

vibe-screenshot-all — visual catalog

One PNG per route + a contact-sheet HTML for stakeholder review or visual regression baselines. No DOM probe, no clicking.

vibe-diff — what changed between two snapshots

Pure file-based diff between two vibe-inventory run dirs. Surfaces new/removed routes, new/removed API endpoints, new/removed permission tokens, version bump, bundle-size delta. No browser, no daemon — just comm and diff against the artifacts.

How to test

Each skill ships a self-contained bash runner. Smoke tests run against public sites, no login required:

make build-go

# vibe-recon
mkdir /tmp/recon && skills/vibe-recon/recon.sh /tmp/recon https://raven-eye.app
# expect: edge-headers.txt, app.bundle.js (~10 MB), api-endpoints.txt (~280 lines), 01-landing.png

# vibe-inventory (will only walk routes the bundle declares)
mkdir /tmp/inv && skills/vibe-inventory/inventory.sh /tmp/inv https://raven-eye.app --max-routes 5
# expect: per-route JSON + PNG in routes/, api-endpoints.txt, permissions.txt

# vibe-explore against any public site
mkdir /tmp/expl && skills/vibe-explore/explore.sh /tmp/expl https://github.com/VibiumDev/vibium --max 8
# expect: 8 clicks attempted, results.jsonl with outcome per click, before/after screenshots

# vibe-screenshot-all
mkdir /tmp/shots && skills/vibe-screenshot-all/screenshot-all.sh /tmp/shots https://raven-eye.app --max-routes 5
# expect: contact-sheet.html with embedded PNGs

# vibe-diff (after two inventory runs)
skills/vibe-diff/diff.sh /tmp/inv-old /tmp/inv-new
# expect: DIFF.md in /tmp/inv-new with route/endpoint/permission deltas

All bash scripts pass bash -n; all JS helpers pass new Function(code) parse. vibe-recon end-to-end against https://raven-eye.app produces 280 API endpoints across 60 domains, 25 React Router patterns. vibe-explore end-to-end against https://github.com/VibiumDev/vibium produces 7/8 clicks landing real outcomes including mega-menu disclosures.

Notes

  • Each skill stands alone — maintainers can accept any subset. The two commits split as vibe-recon + vibe-inventory + vibe-screenshot-all + vibe-diff first, then vibe-explore second; happy to squash if preferred.
  • One bug surfaced and fixed during smoke-testing: the bundle-grep.sh regex /assets/<name>.js was matching /assets/manifest.json truncated to .js on greedy-prefix engines. Fix requires a non-word boundary after .js (commit ce7df57).
  • vibe-explore was originally a separate branch (feature/vibe-explore-skill); consolidated into this suite branch and the standalone branch retired.
  • Each skill is run via its bash entry point. The SKILL.md files are the agent-facing one-pagers (matching vibe-check's style); the bash runners are what an operator would invoke directly.
  • No new prerequisites beyond vibium and jq — both already required by other parts of the repo or trivially installable.
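
The comm-based comparison described for vibe-diff above, as an added example that is not part of the PR and is not the project's diff.sh. The artifact file names come from the PR text; the helper name `artifact_delta` and the two snapshots are constructed for illustration.

```shell
#!/bin/sh
# Added example: not the project's diff.sh. File names follow the PR text;
# the helper names and sample data are assumptions.
export LC_ALL=C   # comm needs both inputs sorted in the same collation

# Print "+ item" for lines only in NEW and "- item" for lines only in OLD.
artifact_delta() {  # usage: artifact_delta OLD_DIR NEW_DIR FILE
  old_sorted=$(mktemp) && new_sorted=$(mktemp) || return 1
  # A missing artifact is treated as empty, so a first run shows all "+".
  sort -u "$1/$3" 2>/dev/null > "$old_sorted" || :
  sort -u "$2/$3" 2>/dev/null > "$new_sorted" || :
  comm -13 "$old_sorted" "$new_sorted" | sed 's/^/+ /'
  comm -23 "$old_sorted" "$new_sorted" | sed 's/^/- /'
  rm -f "$old_sorted" "$new_sorted"
}

# Constructed snapshots standing in for two vibe-inventory run dirs.
make_sample_runs() {
  base=$(mktemp -d) && mkdir "$base/old" "$base/new" || return 1
  printf '%s\n' /api/users /api/reports /api/login \
    > "$base/old/api-endpoints.txt"
  printf '%s\n' /api/users /api/reports/export /api/login /api/admin/users \
    > "$base/new/api-endpoints.txt"
  printf '%s\n' Report:View:Own User:Edit:Self \
    > "$base/old/permissions.txt"
  printf '%s\n' Report:View:Own User:Edit:Self Admin:Users:Delete \
    > "$base/new/permissions.txt"
  echo "$base"
}

runs=$(make_sample_runs)
for f in api-endpoints.txt permissions.txt; do
  echo "## $f"
  artifact_delta "$runs/old" "$runs/new" "$f"
done
rm -rf "$runs"
```

Lines prefixed with `+` under permissions.txt or api-endpoints.txt are the ones to route to an access-control review, since they mark surface that did not exist in the previous snapshot.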

…be-diff

Four new skills that complement vibe-check + vibe-explore:

- vibe-recon: maps a web app's auth wall + edge surface without logging
  in. Edge curl, redirect chain, security headers, navigates the
  landing page, captures any visible login DOM, pulls the SPA bundle
  for grep-based route discovery. The "look but don't touch" mode.

- vibe-inventory: walks every visible route a SPA declares, captures
  per-route status (200 / /error / 404), screenshots each, and greps
  the JS bundle for API endpoints, permission tokens, and role names.
  Produces a structural feature map. Login-aware via --auth-required.

- vibe-screenshot-all: pure visual catalog mode. Walks routes from the
  bundle, screenshots each, builds a contact-sheet HTML for stakeholder
  review or visual regression baselines. No DOM probe, no clicking.

- vibe-diff: compares two vibe-inventory snapshots and surfaces what
  changed — new/removed routes, new/removed API endpoints, new/removed
  permission tokens, version bump, bundle-size delta. No browser, pure
  file-based diff. Useful for periodic re-inventories during a
  long-running rebuild or vendor audit.

Each skill is self-contained: SKILL.md frontmatter + bash runner +
helper JS where needed. Binary resolution mirrors vibe-check's pattern
(vibium → ./clicker/bin/vibium → ./node_modules/.bin/vibium).

Smoke-tested vibe-recon against https://raven-eye.app: pulls the 10.7
MB Vite bundle, finds 280 API endpoints across 60 domains, 25 React
Router route patterns. The bundle-grep regex required a fix to avoid
matching /assets/manifest.json as /assets/manifest.js (require
non-word boundary after .js).
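
The bundle-grep.sh fix mentioned in the PR notes and in the commit message above, as an added example that is not part of the PR. Both patterns are assumptions standing in for the script's real regex, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: illustrative patterns, not the contents of bundle-grep.sh.
export LC_ALL=C   # keep bracket ranges and sort order predictable

# Constructed sample of page/bundle text that references assets.
sample_input() {
cat <<'EOF'
<link rel="manifest" href="/assets/manifest.json">
<script type="module" src="/assets/index-4f2a9c.js"></script>
import("/assets/vendor.chunk.js")
fetch("/assets/locale.jsonl")
EOF
}

# Before: nothing constrains what follows ".js", so the match stops
# inside "manifest.json" and reports a file that does not exist.
find_bundles_naive() {
  grep -oE '/assets/[A-Za-z0-9_.-]+\.js' | sort -u
}

# After: ".js" must be followed by a non-word character or end of line.
# grep -o prints that extra character too, so sed strips it again.
find_bundles_fixed() {
  grep -oE '/assets/[A-Za-z0-9_.-]+\.js([^A-Za-z0-9_]|$)' \
    | sed -E 's/[^A-Za-z0-9_]$//' | sort -u
}

naive=$(sample_input | find_bundles_naive)
fixed=$(sample_input | find_bundles_fixed)
printf 'naive:\n%s\n\nfixed:\n%s\n' "$naive" "$fixed"
```

On the sample, the naive pattern reports four paths, two of which (`/assets/manifest.js`, `/assets/locale.js`) are truncations of `.json` and `.jsonl` names; the anchored pattern reports only the two real bundles.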
…ilities

vibe-explore is the inverse of vibe-check: instead of executing a known
plan against a known UI, it clicks every safe interactive element on
the page and reports what each one does, then produces a ranked
"what you can do here" report.

Hard safety filter on by default — skips delete/submit/pay/sign-out/
send/post/checkout patterns, form submits, external-origin links, and
target=_blank anchors. --include-destructive lifts the filter.

Includes a 4-strategy consent-banner dismissal (visible-button-text →
vendor-specific Usercentrics/OneTrust/Cookiebot → shadow-DOM walk →
force-hide-CSS) so the click loop runs on real-world consent-walled
sites.

Smoke-tested against https://github.com/VibiumDev/vibium: 143
clickables found, 123 safe, 7/8 clicks landed real outcomes including
mega-menu disclosures and intra-site navigation.

Completes the skill suite (vibe-recon → vibe-inventory → vibe-explore
→ vibe-screenshot-all → vibe-diff) alongside the existing vibe-check.