Update frontend-design skill

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.claude-plugin/marketplace.json

@@ -19,7 +19,7 @@
         "url": "https://github.com/42Crunch-AI/claude-plugins.git",
         "path": "plugins/api-security-testing",
         "ref": "v1.5.5",
-        "sha": "db2fb7e53e3d93a863930b6f6b7895be5ee01f21"
+        "sha": "b7e131e30ff033be2176faf796c94c151a68c63a"
       },
       "homepage": "https://42crunch.com"
     },
@@ -35,7 +35,7 @@
         "url": "https://github.com/adobe/skills.git",
         "path": "plugins/creative-cloud/adobe-for-creativity",
         "ref": "main",
-        "sha": "e23271f65aa7572f567d085d6baec5c2408e2ad5"
+        "sha": "253f56901e058800ccb97ffd5bf1e3329d5f2e00"
       },
       "homepage": "https://github.com/adobe/skills/tree/main/plugins/creative-cloud/adobe-for-creativity"
     },
@@ -67,7 +67,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/endorlabs/ai-plugins.git",
-        "sha": "975f0ce422b1f2677681ffd085aef34ea1826b70"
+        "sha": "a6737fcf72336399e212e45cd25a250c2df3b7b4"
       },
       "homepage": "https://www.endorlabs.com"
     },
@@ -93,7 +93,7 @@
         "url": "https://github.com/Airtable/skills.git",
         "path": "plugins/airtable",
         "ref": "main",
-        "sha": "21d2fe52774d861e2f2f997eeac2bf965e8590b8"
+        "sha": "295ab93b7d765912ee1a0dc7f1abb0ecaf73f138"
       },
       "homepage": "https://www.airtable.com"
     },
@@ -109,7 +109,7 @@
         "url": "https://github.com/airwallex/airwallex-marketplace.git",
         "path": "plugins/airwallex",
         "ref": "master",
-        "sha": "a903ab7693a5f6d46f2fab6f895a2f96a879ee0f"
+        "sha": "a49ef1ec801fd776adc4db9f2bb4a78463981bc9"
       },
       "homepage": "https://www.airwallex.com/docs"
     },
@@ -150,7 +150,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/amazon-location-service",
         "ref": "main",
-        "sha": "fc54dfa24a1f05095b9fcbb4baa4750996bb171d"
+        "sha": "d8243e5f8f3933d656b3bdfe09cd658a5d9b9fac"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -291,7 +291,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-agents",
         "ref": "main",
-        "sha": "55b9acfefdcf0866b6bc6cc56c16e6e18e65bd2b"
+        "sha": "c0991f463b54ac94af32a730d6d13293dcff98cf"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -304,7 +304,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/aws-amplify",
         "ref": "main",
-        "sha": "fc54dfa24a1f05095b9fcbb4baa4750996bb171d"
+        "sha": "d8243e5f8f3933d656b3bdfe09cd658a5d9b9fac"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -320,7 +320,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-core",
         "ref": "main",
-        "sha": "55b9acfefdcf0866b6bc6cc56c16e6e18e65bd2b"
+        "sha": "c0991f463b54ac94af32a730d6d13293dcff98cf"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -336,7 +336,7 @@
         "url": "https://github.com/aws/agent-toolkit-for-aws.git",
         "path": "plugins/aws-data-analytics",
         "ref": "main",
-        "sha": "55b9acfefdcf0866b6bc6cc56c16e6e18e65bd2b"
+        "sha": "c0991f463b54ac94af32a730d6d13293dcff98cf"
       },
       "homepage": "https://github.com/aws/agent-toolkit-for-aws"
     },
@@ -365,7 +365,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/aws-serverless",
         "ref": "main",
-        "sha": "fc54dfa24a1f05095b9fcbb4baa4750996bb171d"
+        "sha": "d8243e5f8f3933d656b3bdfe09cd658a5d9b9fac"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -381,7 +381,7 @@
         "url": "https://github.com/awslabs/startups.git",
         "path": "advisor/plugins/aws-startup-advisor",
         "ref": "main",
-        "sha": "1dd909352dc228f978c2685724cb38e64efe6be4"
+        "sha": "b3e5ee487ed27d8c776d9b854d7e109f1514c75b"
       },
       "homepage": "https://github.com/awslabs/startups"
     },
@@ -392,7 +392,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/microsoft/azure-skills.git",
-        "sha": "02a614f6ee1f052826f834d65c61e430ad152c8e"
+        "sha": "966330ee4fc61978b6e324993687e917125a1f36"
       },
       "homepage": "https://github.com/microsoft/azure-skills"
     },
@@ -502,7 +502,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-cap-table",
         "ref": "main",
-        "sha": "9eb312908f4a2e2d15e4e935320981433a549f77"
+        "sha": "c39482a45c1e4c02922fe5cef3d61fb010a0b2d9"
       },
       "homepage": "https://carta.com"
     },
@@ -518,7 +518,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-crm",
         "ref": "main",
-        "sha": "9eb312908f4a2e2d15e4e935320981433a549f77"
+        "sha": "c39482a45c1e4c02922fe5cef3d61fb010a0b2d9"
       },
       "homepage": "https://carta.com"
     },
@@ -534,7 +534,7 @@
         "url": "https://github.com/carta/plugins.git",
         "path": "plugins/carta-investors",
         "ref": "main",
-        "sha": "9eb312908f4a2e2d15e4e935320981433a549f77"
+        "sha": "c39482a45c1e4c02922fe5cef3d61fb010a0b2d9"
       },
       "homepage": "https://carta.com"
     },
@@ -561,7 +561,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/ChromeDevTools/chrome-devtools-mcp.git",
-        "sha": "702d3734f276a18efd67561ae00b88ce954cc515"
+        "sha": "6bd8c91678035b5aa18ee40f72e1f630aa528837"
       },
       "homepage": "https://github.com/ChromeDevTools/chrome-devtools-mcp"
     },
@@ -872,7 +872,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/CrowdStrike/foundry-skills.git",
-        "sha": "c542c932956fd19177a62b94577f288c832d4680"
+        "sha": "0a651a1472e4c03603780517374c654236bcce8b"
       },
       "homepage": "https://github.com/CrowdStrike/foundry-skills"
     },
@@ -943,7 +943,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/data-agent-kit-starter-pack.git",
-        "sha": "fb9086456d5fbc780edf86f0ac413345ba628173"
+        "sha": "b47cae53405e90dd97d1ecde890a8d4707d1f115"
       },
       "homepage": "https://github.com/gemini-cli-extensions/data-agent-kit-starter-pack"
     },
@@ -966,7 +966,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/databases-on-aws",
         "ref": "main",
-        "sha": "fc54dfa24a1f05095b9fcbb4baa4750996bb171d"
+        "sha": "d8243e5f8f3933d656b3bdfe09cd658a5d9b9fac"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -1008,7 +1008,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/gemini-cli-extensions/dataproc.git",
-        "sha": "20eec06eee7683311689f4a1437cbb14ac8cd33e"
+        "sha": "80d126d27d84ded752c84668472dd6f75896fc59"
       },
       "homepage": "https://github.com/gemini-cli-extensions/dataproc"
     },
@@ -1035,7 +1035,7 @@
         "url": "https://github.com/microsoft/Dataverse-skills.git",
         "path": ".github/plugins/dataverse",
         "ref": "main",
-        "sha": "2d50cf65f80efc17ac50632222d61fb374115a70"
+        "sha": "2c37394346be1afc1db12cc5b89f5dee3617c45c"
       },
       "homepage": "https://github.com/microsoft/Dataverse-skills"
     },
@@ -1048,7 +1048,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/deploy-on-aws",
         "ref": "main",
-        "sha": "fc54dfa24a1f05095b9fcbb4baa4750996bb171d"
+        "sha": "d8243e5f8f3933d656b3bdfe09cd658a5d9b9fac"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -1126,7 +1126,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/exa-labs/exa-mcp-server.git",
-        "sha": "f08388256c5806f457fae777b5528eb02a48e703"
+        "sha": "9ea4ba3e67f87c462c3e06b192470e837ed9009e"
       },
       "homepage": "https://exa.ai/docs/reference/exa-mcp"
     },
@@ -1166,7 +1166,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/fastly/fastly-agent-toolkit.git",
-        "sha": "6bd17d685a1b361a2b368bf0236f39efb1be62d6"
+        "sha": "73af5b94a98448ffeed6e2993495dc83c9a597be"
       },
       "homepage": "https://github.com/fastly/fastly-agent-toolkit/blob/main/README.md"
     },
@@ -1198,7 +1198,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/figma/mcp-server-guide.git",
-        "sha": "a742f0a700a7772ff5ed85f7c9fc1dad5afa9fcc"
+        "sha": "54ad156019d7362a56d8024b9adbe99952aa29b6"
       },
       "homepage": "https://github.com/figma/mcp-server-guide"
     },
@@ -1216,7 +1216,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/firecrawl/firecrawl-claude-plugin.git",
-        "sha": "6768fb78185aab9e5b5a04777f84703863fb025b"
+        "sha": "b33447585ac521b091eae672bd4cad4ec1d093f6"
       },
       "homepage": "https://github.com/firecrawl/firecrawl-claude-plugin.git"
     },
@@ -1244,7 +1244,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/atlassian/forge-skills.git",
-        "sha": "02103cca4addb4c42d64d4e18a9d1a7f186edf6c"
+        "sha": "c7df956176eb1c2a10ffabc4eaacc5d843d8bede"
       },
       "homepage": "https://developer.atlassian.com/platform/forge/"
     },
@@ -1347,7 +1347,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/hunter-io/claude-plugin.git",
-        "sha": "494b0bd6ac252c7c8d78402cb51c7f635b1469ad"
+        "sha": "06bcb94a4e6498d8557a4543f8d5c4ea429b0c0a"
       },
       "homepage": "https://hunter.io"
     },
@@ -1361,7 +1361,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/heygen-com/hyperframes.git",
-        "sha": "25420bf4cfc37b179b4efeace9db25a7178b61bf"
+        "sha": "acd8e11789a7bf92f0ed4fac24ff030cd758da37"
       },
       "homepage": "https://hyperframes.heygen.com"
     },
@@ -1415,7 +1415,7 @@
         "source": "github",
         "repo": "jfrog/claude-plugin",
         "commit": "259c8e718266c16e99b4f30ae9b1ed0f9f00d98d",
-        "sha": "117febaa29cbe9449cfb42d1c39b83b858d801a1"
+        "sha": "6788fe15d4a63d47f038c05e58ae533aeb2dadb6"
       },
       "homepage": "https://jfrog.com"
     },
@@ -1540,7 +1540,7 @@
         "url": "https://github.com/pydantic/skills.git",
         "path": "plugins/logfire",
         "ref": "main",
-        "sha": "e412b6d8d4b6199ac577c5ee8653dcff840b3e92"
+        "sha": "ddc7d00569458f3838c6cf489f5be6c59afaf8c1"
       },
       "homepage": "https://github.com/pydantic/skills/tree/main/plugins/logfire"
     },
@@ -1708,7 +1708,7 @@
         "url": "https://github.com/awslabs/startups.git",
         "path": "migrate/plugins/migration-to-aws",
         "ref": "main",
-        "sha": "1dd909352dc228f978c2685724cb38e64efe6be4"
+        "sha": "3c5d6a7deb24c3318be8b78ef75545539ab1bbcd"
       },
       "homepage": "https://github.com/awslabs/startups"
     },
@@ -1770,7 +1770,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/netlify/context-and-tools.git",
-        "sha": "5f777ba63df12f4eb189be4c58bd35d0c8316505"
+        "sha": "22025ef6c9dc9ef88d0c9c047980c10cacb178ee"
       },
       "homepage": "https://github.com/netlify/context-and-tools"
     },
@@ -1839,7 +1839,7 @@
         "url": "https://github.com/NVIDIA/skills.git",
         "path": "plugins/nvidia-skills",
         "ref": "main",
-        "sha": "0482ebce81bd8f2d39990317bb3cfb07637e39fd"
+        "sha": "fd1e6fd1971eb7113a4dd206a028246fa4b3d8b4"
       },
       "homepage": "https://github.com/NVIDIA/skills"
     },
@@ -1885,7 +1885,7 @@
         "url": "https://github.com/growthxai/output.git",
         "path": "coding_assistants/claude/plugins/outputai",
         "ref": "main",
-        "sha": "2cc4685ebadfba9586f01890df48e1b25bd1049a"
+        "sha": "65cd087132dce880362c52384b8237eb9202ceea"
       },
       "homepage": "https://output.ai"
     },
@@ -2050,7 +2050,7 @@
         "url": "https://github.com/pydantic/skills.git",
         "path": "plugins/ai",
         "ref": "main",
-        "sha": "e412b6d8d4b6199ac577c5ee8653dcff840b3e92"
+        "sha": "ddc7d00569458f3838c6cf489f5be6c59afaf8c1"
       },
       "homepage": "https://github.com/pydantic/skills/tree/main/plugins/ai"
     },
@@ -2127,7 +2127,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/quarkusio/quarkus-agent-mcp.git",
-        "sha": "e711107a1171507212dd0edd17b5a922212c3a97"
+        "sha": "91c7986e41234827db2632ed07770301468c9dbc"
       },
       "homepage": "https://quarkus.io"
     },
@@ -2300,7 +2300,7 @@
         "url": "https://github.com/awslabs/agent-plugins.git",
         "path": "plugins/sagemaker-ai",
         "ref": "main",
-        "sha": "fc54dfa24a1f05095b9fcbb4baa4750996bb171d"
+        "sha": "d8243e5f8f3933d656b3bdfe09cd658a5d9b9fac"
       },
       "homepage": "https://github.com/awslabs/agent-plugins"
     },
@@ -2348,7 +2348,7 @@
         "url": "https://github.com/SAP/open-ux-tools.git",
         "path": "packages/fiori-mcp-server",
         "ref": "main",
-        "sha": "fbfe8c32fb9fc64583aa72ac03ab64f553c407ee"
+        "sha": "604f28952b720579ca9369978ba73493092fdf13"
       },
       "homepage": "https://github.com/SAP/open-ux-tools/tree/main/packages/fiori-mcp-server"
     },
@@ -2415,7 +2415,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/getsentry/sentry-for-claude.git",
-        "sha": "030b01fb76b21f5d7ef6af5a3c3dfa658a9b5024"
+        "sha": "87de81a1300acc03fffa2438877fa2dcf078e703"
       },
       "homepage": "https://github.com/getsentry/sentry-for-claude/tree/main"
     },
@@ -2431,7 +2431,7 @@
         "url": "https://github.com/getsentry/cli.git",
         "path": "plugins/sentry-cli",
         "ref": "main",
-        "sha": "9e9fe0fb6444f18ed109058b2749cced3c21f87e"
+        "sha": "18111b95ac8819d58e4f0334d4b8ee8f72513d1e"
       },
       "homepage": "https://sentry.io"
     },
@@ -2534,7 +2534,7 @@
         "url": "https://github.com/Snowflake-Labs/snowflake-ai-kit.git",
         "path": "plugins/cortex-code",
         "ref": "main",
-        "sha": "6a22eb1ff3b451c35e40468a118bbee54610c9bd"
+        "sha": "7d2c7e7e0788e255019a64a8690aa5f85d073a2c"
       },
       "homepage": "https://docs.snowflake.com/en/user-guide/cortex-code"
     },
@@ -2620,7 +2620,7 @@
         "source": "url",
         "url": "https://github.com/sumup/sumup-skills.git",
         "path": "providers/claude/plugin",
-        "sha": "715464b459def2d16e930e9ec8008f60e18a8b4d"
+        "sha": "5b9b2d72c63fefd9038db0a9c571d3d64ff6353c"
       },
       "homepage": "https://www.sumup.com/"
     },
@@ -2707,7 +2707,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/togethercomputer/skills.git",
-        "sha": "fb94cc1402900eb608c31e7102fc23566f8b0363"
+        "sha": "8aa08ca126a50d5e76f6d378f47386cee4267984"
       },
       "homepage": "https://www.together.ai"
     },
@@ -2881,7 +2881,7 @@
       "source": {
         "source": "url",
         "url": "https://github.com/wix/skills.git",
-        "sha": "188ed338f39d70e5aef7f9a2582bbf338f223b78"
+        "sha": "9666bc8d4856d9028e815610c23ab4f48d8ddd3b"
       },
       "homepage": "https://dev.wix.com/docs/wix-cli/guides/development/about-wix-skills"
     },
@@ -2907,7 +2907,7 @@
         "url": "https://github.com/workos/skills.git",
         "path": "plugins/workos",
         "ref": "main",
-        "sha": "e8900cc504fd759407d1a963d13f59383fa39ebc"
+        "sha": "2c3acef61ea29296cb6e73e0c59fb5e98f0b1847"
       },
       "homepage": "https://workos.com"
     },

plugins/code-modernization/README.md

@@ -29,6 +29,10 @@ The commands degrade gracefully, but each of these makes the output meaningfully
 - **The whole system in the tree**: deployment descriptors (JCL, CICS definitions, route configs), copybooks/includes, and DDL/schemas. Entry-point detection and data lineage in `/modernize-map` are guesswork without them.
 - **Production telemetry** (optional): an observability MCP server or batch job logs enable the runtime overlay in `/modernize-assess` and timing annotations on critical paths.
 
+## Secret handling
+
+Legacy systems routinely contain live credentials, and assessment artifacts get committed and shared. **Every agent in this plugin masks credential values** — findings, rule-card parameters, architecture notes, and test fixtures cite `file:line` with a masked preview (`AKIA****`), never the value. When credentials are found, a per-credential inventory (type, location, blast radius, rotation recommendation) is written to `analysis/<system>/SECRETS.local.md`, which the commands gitignore before writing; on non-git projects the quarantine file goes to `~/.modernize/<system>/` instead. `/modernize-harden` splits its remediation diff so credential-removal hunks (which necessarily contain the raw value) land in a gitignored `security_remediation.local.patch`, never the shareable patch. Pass `--show-secrets` to include raw values in the quarantine file (and only there). If you ran an earlier version of this plugin on a real system, check whether `analysis/` artifacts containing credentials were committed or shared, and rotate anything that was.
+
 ## Commands
 
 The commands are designed to be run in order, but each produces a standalone artifact so you can stop, review, and resume.

plugins/code-modernization/agents/architecture-critic.md

@@ -29,6 +29,12 @@ For **transformed code**:
 - Does the test suite actually pin behavior, or just exercise code paths?
 - What would the on-call engineer need at 3am that isn't here?
 
+## Secret handling (mandatory)
+
+When a finding quotes code containing a credential, key, token, or
+connection string, mask the value (`'Pr0d****'`) and cite `file:line` —
+findings get appended verbatim to committed notes files.
+
 ## Output
 
 Findings ranked **Blocker / High / Medium / Nit**. Each with: what, where,

plugins/code-modernization/agents/business-rules-extractor.md

@@ -40,6 +40,15 @@ of the technology, skip it.
    from structure/names), **Low** (ambiguous; needs SME).
 6. If confidence < High, write the exact question an SME must answer.
 
+## Secret handling (mandatory)
+
+Rule parameters sometimes *are* credentials — hardcoded passwords in auth
+checks, API keys in partner-service calls, connection strings in batch
+routines. Record the **rule**, never the **value**: write the parameter as
+`<credential — masked, see file:line>` with at most a 2–4 character
+preview. Rule cards flow into briefs and steering decks; a raw credential
+in a parameter list is a leak.
+
 ## Output format
 
 One "Rule Card" per rule (see the format in the `/modernize-extract-rules`

plugins/code-modernization/agents/legacy-analyst.md

@@ -32,6 +32,15 @@ and explain it in terms a modern engineer can act on.
 - **Note what's missing.** Unhandled error paths, TODO comments, commented-out
   blocks, magic numbers — these are signals about history and risk.
 
+## Secret handling (mandatory)
+
+Legacy code is full of live credentials, and your findings get copied into
+shareable reports. When the evidence for a finding — hardcoded config,
+dead code, debt, an interface payload — includes a credential, API key,
+token, connection string, or private key, **never reproduce the value**.
+Cite `file:line` with a masked preview (`VALUE 'Pr0d****'`,
+`password=****`). The finding is the practice, not the value.
+
 ## Output format
 
 Default to structured markdown: tables for inventories, Mermaid for graphs,

plugins/code-modernization/agents/security-auditor.md

@@ -39,7 +39,30 @@ terminal/screen items don't apply to a SPA. Work through what's relevant:
 
 Use available SAST where it helps (npm audit, pip-audit, grep for known-bad
 patterns) but **read the code** — tools miss logic flaws. Show tool output
-verbatim, then add your manual findings.
+verbatim — except secret values, which you redact (see below) — then add
+your manual findings.
+
+## Secret handling (mandatory)
+
+Legacy codebases routinely contain live production credentials, and your
+findings get pasted into decks, tickets, and committed markdown. Copying a
+secret into a report multiplies the exposure you were hired to find.
+
+When you discover a hardcoded credential, API key, token, connection
+string, or private key:
+
+- **Never write the secret's value into any output** — no finding table,
+  no report, no quoted code excerpt, no echoed tool output. Mask it to the
+  first 2–4 identifying characters plus `****` (`AKIA****`,
+  `postgres://app_user:****@db-prod…`). If a scanner prints a secret,
+  redact it before including the excerpt.
+- Cite `file:line`. The source file is the canonical location — anyone who
+  legitimately needs the value can open it there.
+- State what the credential appears to grant access to (database, queue,
+  cloud account, third-party API) and whether it looks like a production
+  or test credential.
+- Recommend rotation for anything that looks live — exposure in source
+  means it is already compromised, independent of any modernization plan.
 
 ## Reporting standard
 

plugins/code-modernization/agents/test-engineer.md

@@ -28,6 +28,15 @@ someone thinks it should do) so that a rewrite can be proven equivalent.
   `@Disabled("pending RULE-NNN")` / `@pytest.mark.skip` / `it.todo()` — never
   deleted.
 
+## Secret handling (mandatory)
+
+Never copy credential-like literals — passwords, API keys, tokens,
+connection strings — from legacy code into test fixtures. Tests live in
+the deliverable codebase and get committed. Substitute clearly-fake values
+of the same shape and length and note the substitution in a comment.
+Anything a test genuinely needs live (e.g. a real database connection for
+a dual-run harness) is read from an environment variable, never inlined.
+
 ## Output
 
 Idiomatic tests for the requested target stack (JUnit 5 / pytest / Vitest /

plugins/code-modernization/commands/modernize-assess.md

@@ -1,11 +1,13 @@
 ---
 description: Full discovery & portfolio analysis of a legacy system — inventory, complexity, debt, effort estimation
-argument-hint: <system-dir> | --portfolio <parent-dir>
+argument-hint: <system-dir> [--show-secrets] | --portfolio <parent-dir>
 ---
 
 **Mode select.** If `$ARGUMENTS` starts with `--portfolio`, run **Portfolio
 mode** against the directory that follows. Otherwise run **Single-system
-mode** against `legacy/$1`.
+mode** against the system dir. Parse flags positionally-independently:
+`--show-secrets` may appear before or after the system dir — the system
+dir is the first non-flag token.
 
 ---
 
@@ -108,12 +110,16 @@ Spawn three subagents **in parallel**:
 2. **legacy-analyst** — "Identify technical debt in legacy/$1: dead code,
    deprecated APIs, copy-paste duplication, god objects/programs, missing
    error handling, hardcoded config. Return the top 10 findings ranked by
-   remediation value, each with file:line evidence."
+   remediation value, each with file:line evidence. If evidence contains a
+   credential value, mask it per your secret-handling rules — never quote
+   it."
 
 3. **security-auditor** — "Scan legacy/$1 for security vulnerabilities:
    injection, auth weaknesses, hardcoded secrets, vulnerable dependencies,
    missing input validation. Return findings in CWE-tagged table form with
-   file:line evidence and severity."
+   file:line evidence and severity. Mask every discovered credential value
+   per your secret-handling rules — file:line plus a 2–4 character masked
+   preview, never the value itself."
 
 Wait for all three. Synthesize their findings.
 
@@ -141,6 +147,31 @@ need explained.
 
 ## Step 6 — Write the assessment
 
+**Secrets quarantine first.** The assessment gets shared and committed —
+discovered credential values must never appear in it. If the
+security-auditor found any hardcoded credentials:
+
+1. Ensure `analysis/.gitignore` exists and contains the lines
+   `SECRETS.local.md` and `*.local.patch` (create or append as needed —
+   the patch pattern is used by `/modernize-harden`; writing both now
+   means the ignore set is complete from first contact). If the project is a
+   git repo, verify with `git check-ignore -q analysis/$1/SECRETS.local.md`
+   — do not write any findings until the check passes. If there is **no
+   git repo** (check for `.svn`/`.hg`/`CVS` too — a `.gitignore` protects
+   nothing under another VCS): refuse `--show-secrets` and write
+   `SECRETS.local.md` to `~/.modernize/$1/` instead of the project tree,
+   telling the user where it went and why.
+2. Write `SECRETS.local.md`: one row per credential — masked preview,
+   `file:line`, credential type, what it grants access to,
+   production/test guess, rotation recommendation. Only if the user passed
+   `--show-secrets`, add the raw value column here — this file only, never
+   ASSESSMENT.md.
+3. Masking applies to **every section of ASSESSMENT.md**, whichever agent
+   produced the finding — the Technical Debt section quotes hardcoded
+   config; those quotes follow the same masking rule as Security Findings.
+   The Security Findings section adds a one-line pointer:
+   "Credential inventory in SECRETS.local.md (gitignored; not for sharing)."
+
 Create `analysis/$1/ASSESSMENT.md` with these sections:
 - **Executive Summary** (3-4 sentences: what it is, how big, how risky, headline recommendation)
 - **System Inventory** (the scc table + tech fingerprint)

plugins/code-modernization/commands/modernize-extract-rules.md

@@ -46,7 +46,7 @@ Merge the three result sets. Deduplicate. For each distinct rule, write a
   When  <trigger>
   Then  <outcome>
   [And  <additional outcome>]
-**Parameters:** <constants, rates, thresholds with their current values>
+**Parameters:** <constants, rates, thresholds with their current values — credentials masked: `<credential — masked, see file:line>`>
 **Edge cases handled:** <list>
 **Suspected defect:** <optional — legacy behavior that looks wrong; decide preserve-vs-fix during transform>
 **Confidence:** High | Medium | Low — <why; if < High, state the exact SME question>

plugins/code-modernization/commands/modernize-harden.md

@@ -1,14 +1,42 @@
 ---
 description: Security vulnerability scan with a reviewable remediation patch — OWASP, CWE, CVE, secrets, injection
-argument-hint: <system-dir>
+argument-hint: <system-dir> [--show-secrets]
 ---
 
-Run a **security hardening pass** on `legacy/$1`: find vulnerabilities, rank
-them, and produce a reviewable patch for the critical ones.
+Run a **security hardening pass** on the legacy system: find
+vulnerabilities, rank them, and produce a reviewable patch for the
+critical ones. Parse arguments flag-independently: the system dir
+(referred to as `$1` below) is the first non-flag token in `$ARGUMENTS`;
+`--show-secrets` may appear anywhere.
 
 This command never edits `legacy/` — it writes findings and a proposed patch
 to `analysis/$1/`. The user reviews and applies (or not).
 
+## Step 0 — Secrets quarantine setup
+
+Findings files get shared, committed, and pasted into decks — discovered
+credential values must never land in them. Before any scanning:
+
+1. Ensure `analysis/.gitignore` exists and contains the lines
+   `SECRETS.local.md` and `*.local.patch`. Create the file or append the
+   missing lines.
+2. If the project is a git repo, verify with
+   `git check-ignore -q analysis/$1/SECRETS.local.md` — if that exits
+   non-zero, fix the ignore rule before proceeding. Do not write any
+   findings until this check passes.
+3. **If there is no git repo** (check for `.svn`/`.hg`/`CVS` too — a
+   `.gitignore` protects nothing under another VCS): refuse
+   `--show-secrets`, and write `SECRETS.local.md` and any `.local.patch`
+   file to `~/.modernize/$1/` instead of the project tree, telling the
+   user where they went and why.
+
+All secret values in every shareable artifact this command produces are
+**masked** (`AKIA****`, `password=****`) and cited by `file:line`. Raw
+values may appear in exactly two places, both gitignored: the
+`*.local.patch` remediation hunks (unavoidably — see Remediate) and, only
+with `--show-secrets`, `SECRETS.local.md`. Never in SECURITY_FINDINGS.md
+or patch commentary.
+
 ## Scan
 
 Spawn the **security-auditor** subagent:
@@ -20,7 +48,9 @@ hardcoded secrets, vulnerable dependency versions, missing input validation,
 path traversal. For each finding return: CWE ID, severity
 (Critical/High/Med/Low), file:line, one-sentence exploit scenario, and
 recommended fix. Run any available SAST tooling (npm audit, pip-audit,
-OWASP dependency-check) and include its raw output."
+OWASP dependency-check) and include its raw output. Mask every discovered
+credential value per your secret-handling rules — file:line plus a 2–4
+character masked preview, never the value itself."
 
 ## Triage
 
@@ -29,26 +59,50 @@ Write `analysis/$1/SECURITY_FINDINGS.md`:
 - Findings table sorted by severity
 - Dependency CVE table (package, installed version, CVE, fixed version)
 
+If any hardcoded credentials were found, also write
+`analysis/$1/SECRETS.local.md` (the gitignored quarantine file from Step 0):
+one row per credential — masked preview, `file:line`, credential type, what
+it appears to grant access to, production/test guess, and a rotation
+recommendation. With `--show-secrets`, append the raw value column here —
+this file only. SECURITY_FINDINGS.md gets a one-line pointer:
+"N hardcoded credentials found — inventory in SECRETS.local.md (gitignored;
+not for sharing)."
+
 ## Remediate
 
 For each **Critical** and **High** finding, draft a minimal, targeted fix.
-Do **not** edit `legacy/` — write all fixes as a single unified diff to
-`analysis/$1/security_remediation.patch`, with a comment line above each
-hunk citing the finding ID it addresses (`# SEC-001: parameterize the query`).
+Do **not** edit `legacy/` — write fixes as unified diffs with **paths
+relative to the project root** (`legacy/$1/...`), applied from the project
+root, with a comment line above each hunk citing the finding ID it
+addresses (`# SEC-001: parameterize the query`).
+
+**Credential findings split into two files.** A diff that removes a
+hardcoded secret necessarily contains the raw value on its `-` and
+context lines — that cannot go in the shareable patch:
+
+- `analysis/$1/security_remediation.patch` (shareable) — every
+  non-credential hunk, plus for each credential finding a comment-only
+  placeholder: `# SEC-NNN: credential remediation — hunk in
+  security_remediation.local.patch (gitignored; not for sharing)`.
+- `analysis/$1/security_remediation.local.patch` (gitignored in Step 0) —
+  the real, applyable hunks for credential findings only.
 
 Add a **Remediation Log** section to SECURITY_FINDINGS.md mapping each
-finding ID → one-line summary of the proposed fix and the patch hunk that
-implements it.
+finding ID → one-line summary of the proposed fix and which patch file
+carries the hunk.
 
 ## Verify
 
-Spawn the **security-auditor** again to **review the patch** against the
-original code:
+Spawn the **security-auditor** again to **review both patches** against
+the original code:
 
-"Review analysis/$1/security_remediation.patch against legacy/$1. For each
+"Review analysis/$1/security_remediation.patch and
+analysis/$1/security_remediation.local.patch against legacy/$1. For each
 hunk: does it fully remediate the cited finding? Does it introduce new
-vulnerabilities or change behavior beyond the fix? Return one verdict per
-hunk: RESOLVES / PARTIAL / INTRODUCES-RISK, with a one-line reason."
+vulnerabilities or change behavior beyond the fix? Confirm no raw
+credential values appear anywhere in the shareable patch. Return one
+verdict per hunk: RESOLVES / PARTIAL / INTRODUCES-RISK, with a one-line
+reason."
 
 Add a **Patch Review** section to SECURITY_FINDINGS.md with the verdicts.
 If any hunk is PARTIAL or INTRODUCES-RISK, revise the patch and re-review.
@@ -57,8 +111,12 @@ If any hunk is PARTIAL or INTRODUCES-RISK, revise the patch and re-review.
 
 Tell the user the artifacts are ready:
 - `analysis/$1/SECURITY_FINDINGS.md` — findings, remediation log, patch review
-- `analysis/$1/security_remediation.patch` — review, then apply if appropriate
-  with `git -C legacy/$1 apply ../../analysis/$1/security_remediation.patch`
+- `analysis/$1/security_remediation.patch` — review, then apply **from the
+  project root**: `git apply analysis/$1/security_remediation.patch`
+  (if `legacy/$1` is a symlink, use `git apply --unsafe-paths` or apply
+  with `patch -p0` from the project root)
+- `analysis/$1/security_remediation.local.patch` — the credential fixes;
+  apply the same way, and rotate the affected credentials regardless
 - Re-run `/modernize-harden $1` after applying to confirm resolution
 
 Suggest: `glow -p analysis/$1/SECURITY_FINDINGS.md`

plugins/frontend-design/skills/frontend-design/LICENSE.txt

@@ -0,0 +1,177 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS

plugins/frontend-design/skills/frontend-design/SKILL.md

@@ -1,42 +1,55 @@
 ---
 name: frontend-design
-description: Create distinctive, production-grade frontend interfaces with high design quality. Use this skill when the user asks to build web components, pages, or applications. Generates creative, polished code that avoids generic AI aesthetics.
+description: Guidance for distinctive, intentional visual design when building new UI or reshaping an existing one. Helps with aesthetic direction, typography, and making choices that don't read as templated defaults.
 license: Complete terms in LICENSE.txt
 ---
 
-This skill guides creation of distinctive, production-grade frontend interfaces that avoid generic "AI slop" aesthetics. Implement real working code with exceptional attention to aesthetic details and creative choices.
+# Frontend Design
 
-The user provides frontend requirements: a component, page, application, or interface to build. They may include context about the purpose, audience, or technical constraints.
+Approach this as the design lead at a small studio known for giving every client a visual identity that could not be mistaken for anyone else's. This client has already rejected proposals that felt templated, and is paying for a distinctive point of view: make deliberate, opinionated choices about palette, typography, and layout that are specific to this brief, and take one real aesthetic risk you can justify.
 
-## Design Thinking
+## Ground it in the subject
 
-Before coding, understand the context and commit to a BOLD aesthetic direction:
-- **Purpose**: What problem does this interface solve? Who uses it?
-- **Tone**: Pick an extreme: brutally minimal, maximalist chaos, retro-futuristic, organic/natural, luxury/refined, playful/toy-like, editorial/magazine, brutalist/raw, art deco/geometric, soft/pastel, industrial/utilitarian, etc. There are so many flavors to choose from. Use these for inspiration but design one that is true to the aesthetic direction.
-- **Constraints**: Technical requirements (framework, performance, accessibility).
-- **Differentiation**: What makes this UNFORGETTABLE? What's the one thing someone will remember?
+If the brief does not pin down what the product or subject is, pin it yourself before designing: name one concrete subject, its audience, and the page's single job, and state your choice. If there's any information in your memory about the human's preferences, context about what they're building, or designs you've made before – use that as a hint. The subject's own world, its materials, instruments, artifacts, and vernacular, is where distinctive choices come from. Build with the brief's real content and subject matter throughout.
 
-**CRITICAL**: Choose a clear conceptual direction and execute it with precision. Bold maximalism and refined minimalism both work - the key is intentionality, not intensity.
+## Design principles
 
-Then implement working code (HTML/CSS/JS, React, Vue, etc.) that is:
-- Production-grade and functional
-- Visually striking and memorable
-- Cohesive with a clear aesthetic point-of-view
-- Meticulously refined in every detail
+For web designs, the hero is a thesis. Open with the most characteristic thing in the subject's world, in whatever form makes sense for it: a headline, an image, an animation, a live demo, an interactive moment. Be deliberate with your choice: a big number with a small label, supporting stats, and a gradient accent is the template answer, only use if that's truly the best option.
 
-## Frontend Aesthetics Guidelines
+Typography carries the personality of the page. Pair the display and body faces deliberately, not the same families you would reach for on any other project, and set a clear type scale with intentional weights, widths, and spacing. Make the type treatment itself a memorable part of the design, not a neutral delivery vehicle for the content.
 
-Focus on:
-- **Typography**: Choose fonts that are beautiful, unique, and interesting. Avoid generic fonts like Arial and Inter; opt instead for distinctive choices that elevate the frontend's aesthetics; unexpected, characterful font choices. Pair a distinctive display font with a refined body font.
-- **Color & Theme**: Commit to a cohesive aesthetic. Use CSS variables for consistency. Dominant colors with sharp accents outperform timid, evenly-distributed palettes.
-- **Motion**: Use animations for effects and micro-interactions. Prioritize CSS-only solutions for HTML. Use Motion library for React when available. Focus on high-impact moments: one well-orchestrated page load with staggered reveals (animation-delay) creates more delight than scattered micro-interactions. Use scroll-triggering and hover states that surprise.
-- **Spatial Composition**: Unexpected layouts. Asymmetry. Overlap. Diagonal flow. Grid-breaking elements. Generous negative space OR controlled density.
-- **Backgrounds & Visual Details**: Create atmosphere and depth rather than defaulting to solid colors. Add contextual effects and textures that match the overall aesthetic. Apply creative forms like gradient meshes, noise textures, geometric patterns, layered transparencies, dramatic shadows, decorative borders, custom cursors, and grain overlays.
+Structure is information. Structural devices, numbering, eyebrows, dividers, labels, should encode something true about the content, not decorate it. Many generic designs use numbered markers (01 / 02 / 03), but that's only appropriate if the content actually is a sequence - like a real process or a typed timeline where order carries information the reader needs. Question if choices like numbered markers actually make sense before incorporating them.
 
-NEVER use generic AI-generated aesthetics like overused font families (Inter, Roboto, Arial, system fonts), cliched color schemes (particularly purple gradients on white backgrounds), predictable layouts and component patterns, and cookie-cutter design that lacks context-specific character.
+Leverage motion deliberately. Think about where and if animation can serve the subject: a page-load sequence, a scroll-triggered reveal, hover micro-interactions, ambient atmosphere. An orchestrated moment usually lands harder than scattered effects; choose what the direction calls for. However, sometimes less is more, and extra animation contributes to the feeling that the design is AI-generated.
 
-Interpret creatively and make unexpected choices that feel genuinely designed for the context. No design should be the same. Vary between light and dark themes, different fonts, different aesthetics. NEVER converge on common choices (Space Grotesk, for example) across generations.
+Match complexity to the vision. Maximalist directions need elaborate execution; minimal directions need precision in spacing, type, and detail. Elegance is executing the chosen vision well.
 
-**IMPORTANT**: Match implementation complexity to the aesthetic vision. Maximalist designs need elaborate code with extensive animations and effects. Minimalist or refined designs need restraint, precision, and careful attention to spacing, typography, and subtle details. Elegance comes from executing the vision well.
+Consider written content carefully. Often a design brief may not contain real content, and it's up to you to come up with copy. Copy can make a design feel as templated as the design itself. See the below section on writing for more guidance.
 
-Remember: Claude is capable of extraordinary creative work. Don't hold back, show what can truly be created when thinking outside the box and committing fully to a distinctive vision.
+## Process: brainstorm, explore, plan, critique, build, critique again
+
+For calibration: AI-generated design right now clusters around three looks: (1) a warm cream background (near #F4F1EA) with a high-contrast serif display and a terracotta accent; (2) a near-black background with a single bright acid-green or vermilion accent; (3) a broadsheet-style layout with hairline rules, zero border-radius, and dense newspaper-like columns. All three are legitimate for some briefs, but they are defaults rather than choices, and they appear regardless of subject. Where the brief pins down a visual direction, follow it exactly — the brief's own words always win, including when it asks for one of these looks. Where it leaves an axis free, don't spend that freedom on one of these defaults. Just like a human designer who's hired, there's often a careful balance between doing what you're good at and taking each project as a chance to experiment and learn.
+
+Work in two passes. First, brainstorm a short design plan based on the human's design brief: create a compact token system with color, type, layout, and signature. Color: describe the palette as 4–6 named hex values. Type: the typefaces for 2+ roles (a characterful display face that's used with restraint, a complementary body face, and a utility face for captions or data if needed). Layout: a layout concept, using one-sentence prose descriptions and ASCII wireframes to ideate and compare. Signature: the single unique element this page will be remembered by that embodies the brief in an appropriate way.
+
+Then review that plan against the brief before building: if any part of it reads like the generic default you would produce for any similar page (work through a similar prompt to see if you arrive somewhere similar) rather than a choice made for this specific brief — revise that part, say what you changed and why. Only after you've confirmed the relative uniqueness of your design plan should you start to write the code, following the revised plan exactly and deriving every color and type decision from it.
+
+When writing the code, be careful of structuring your CSS selector specificities. It's easy to generate CSS classes that cancel each other out (especially with a type-based selector like .section and a element-based selector like .cta). This can happen often with paddings/margins between sections.
+
+Try to do a lot of this planning and iteration in your thinking, and only show ideas to the user when you have higher confidence it'll delight them.
+
+## Restraint and self-critique
+
+Spend your boldness in one place. Let the signature element be the one memorable thing, keep everything around it quiet and disciplined, and cut any decoration that does not serve the brief. Not taking a risk can be a risk itself! Build to a quality floor without announcing it: responsive down to mobile, visible keyboard focus, reduced motion respected. Critique your own work as you build, taking screenshots if your environment supports it – a picture is worth 1000 tokens. Consider Chanel's advice: before leaving the house, take a look in the mirror and remove one accessory. Human creators have memory and always try to do something new, so if you have a space to quickly jot down notes about what you've tried, it can help you in future passes.
+
+## More on writing in design
+
+Words appear in a design for one reason: to make it easier to understand, and therefore easier to use. They are design material, not decoration. Bring the same intentionality to copy that you would bring to spacing and color. Before writing anything, ask what the design needs to say, and how it can best be said to help the person navigate the experience.
+
+Write from the end user's side of the screen. Name things by what people control and recognize, never by how the system is built. A person manages notifications, not webhook config. Describe what something does in plain terms rather than selling it. Being specific is always better than being clever.
+
+Use active voice as default. A control should say exactly what happens when it's used: "Save changes," not "Submit." An action keeps the same name through the whole flow, so the button that says "Publish" produces a toast that says "Published." The vocabulary of an interface is the signposting for someone navigating the product. Cohesion and consistency are how people learn their way around.
+
+Treat failure and emptiness as moments for direction, not mood. Explain what went wrong and how to fix it, in the interface's voice rather than a person's. Errors don't apologize, and they are never vague about what happened. An empty screen is an invitation to act.
+
+Keep the register conversational and tuned: plain verbs, sentence case, no filler, with tone matched to the brand and the audience. Let each element do exactly one job. A label labels, an example demonstrates, and nothing quietly does double duty.