fwstack
Health Pass
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Community trust — 10 GitHub stars
Code Fail
- fs.rmSync — Destructive file system operation in dist/cli.js
- process.env — Environment variable access in dist/cli.js
Permissions Pass
- Permissions — No dangerous permissions requested
This tool provides compiled, deterministic development workflows for AI coding assistants. It orchestrates tools like ESLint and Git to enforce step-by-step processes, such as automated code reviews, pausing only for the AI to analyze the results.
Security Assessment
The tool requires careful review before use. The automated scan flagged a destructive file system operation (`fs.rmSync`) inside the compiled JavaScript file (`dist/cli.js`). While this may simply be standard cleanup behavior for a CLI tool, bundled code can easily hide malicious capabilities, so you should verify exactly what is being deleted. The package accesses environment variables and runs local shell commands, which is expected for a workflow orchestrator managing Git and test runners. No hardcoded secrets were found, and it does not request explicitly dangerous permissions. Overall risk: Medium.
Quality Assessment
The project is actively maintained, with recent updates pushed today. It is distributed under the standard MIT license. However, community trust is currently very low; with only 10 GitHub stars, the project has not yet seen widespread public adoption or independent security scrutiny by a larger developer community.
Verdict
Use with caution—the project is active and useful, but you should manually inspect the compiled `dist/cli.js` file to ensure the destructive file operations are safe before integrating it into your environment.
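One way to carry out the manual inspection recommended above, as an added example (not part of fwstack or of the scan report): a heuristic scanner that lists each `rmSync` call with its target expression and options, and each `process.env` read. The function names are hypothetical and the sample input is constructed, not taken from `dist/cli.js`.

```javascript
// Added example: heuristic audit of bundled JS, not a full parser.
// Split the arguments of a call, starting just after its "(".
function splitArgs(src, start) {
  const args = [];
  let depth = 0, quote = null, begin = start;
  for (let i = start; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = null;
    } else if (c === '"' || c === "'" || c === "`") {
      quote = c;
    } else if ("([{".includes(c)) {
      depth++;
    } else if (")]}".includes(c)) {
      if (depth === 0) { args.push(src.slice(begin, i).trim()); return args; }
      depth--;
    } else if (c === "," && depth === 0) {
      args.push(src.slice(begin, i).trim());
      begin = i + 1;
    }
  }
  return args;                             // unterminated call
}

function auditBundle(src) {
  const lineOf = (i) => src.slice(0, i).split("\n").length;
  const findings = [];
  for (const m of src.matchAll(/\brmSync\s*\(/g)) {
    const [target = "", opts = ""] = splitArgs(src, m.index + m[0].length);
    findings.push({
      kind: "rmSync", line: lineOf(m.index), target,
      literalTarget: /^(["'])[^"'\\]*\1$/.test(target), // fixed path vs. computed
      recursive: /\brecursive["']?\s*:\s*(?:true|!0)/.test(opts),
      force: /\bforce["']?\s*:\s*(?:true|!0)/.test(opts),
    });
  }
  const envRe = /\bprocess\.env(?:\.([A-Za-z_$][\w$]*)|\[(["'])(.+?)\2\])?/g;
  for (const m of src.matchAll(envRe)) {
    findings.push({ kind: "env", line: lineOf(m.index), name: m[1] || m[3] || "(dynamic or whole object)" });
  }
  return findings;
}

// Constructed sample input; these lines are NOT from fwstack's dist/cli.js.
const SAMPLE = [
  'const tmp = path.join(os.tmpdir(), "run-" + id);',
  "fs.rmSync(tmp, { recursive: true, force: true });",
  'fs.rmSync("./.cache/lock");',
  "const home = process.env.HOME;",
  'const v = process.env["EXAMPLE_VAR"];',
].join("\n");
console.table(auditBundle(SAMPLE));
```

To audit the real bundle, pass the contents of `dist/cli.js` to `auditBundle` and trace every finding whose `literalTarget` is false back to where the path is computed, starting with the recursive ones.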
Compiled dev workflows for AI coding assistants. 10 deterministic pipelines + community registry. Works on Claude Code, Cursor, Copilot, Codex, Windsurf. Powered by Flow Weaver.
fwstack
Compiled dev workflows for AI coding assistants. 10 pipelines, community registry, works everywhere.
What it does
Your AI skips steps. fwstack doesn't let it.
Each workflow is a compiled pipeline. Real tools run (eslint, npm test, git diff, semgrep). The AI only gets control at waitForAgent pauses. Everything else is deterministic — enforced by the compiler, not by a prompt.
/fwstack:review
codeReview
1. ✓ diff (2.3s), ✓ lint (2.3s) (parallel)
2. ✓ reviewer (6.1s) (agent)
3. ✓ extract (<1ms)
4. ✓ rank (<1ms)
5. ✓ report (<1ms)
✓ complete (6.0s)
Install
Claude Code:
/plugin marketplace add synergenius-fw/claude-plugins
/plugin install fwstack
Any AI (Cursor, Copilot, Windsurf, Codex, or any terminal):
npx fwstack review --project .
npx fwstack browse
npx fwstack install depAudit
MCP server (for Cursor, Copilot, Windsurf, Codex):
npx fwstack-mcp
Ready-to-copy configs in adapters/:
Cursor · Copilot · Codex · Windsurf
How it works
Each command calls a compiled Flow Weaver workflow via MCP or CLI.
- Deterministic nodes run real tools (git diff, eslint, npm test)
- waitForAgent pauses the workflow and returns context + prompt
- The AI responds with analysis, decisions, or code
- resume feeds the response back — workflow continues
- More deterministic nodes extract, validate, format the result
The workflow stays in memory between calls. No re-execution on resume.
Workflows
Core
| Workflow | What it does |
|---|---|
| /fwstack:review | Lint + diff in parallel → AI review → extract → rank → report |
| /fwstack:plan | Gather context → AI plans with acceptance criteria → validate |
| /fwstack:tdd | AI writes test → run (assert RED) → AI implements → run (assert GREEN) |
| /fwstack:security | SAST tools + code gather → AI OWASP/STRIDE review → confidence gate → rank |
| /fwstack:ship | Preconditions → tests (hard gate) → diff → AI changelog |
Meta (workflows that build workflows)
| Workflow | What it does |
|---|---|
| /fwstack:create | Describe what you want → spec validated → AI builds → fw validate → install |
| /fwstack:migrate | Parse .md skill → classify steps → approve plan → AI builds → install |
Community
| Workflow | What it does |
|---|---|
| /fwstack:browse | Search community workflows by name or tag (no auth) |
| /fwstack:install | Download + install + auto-install npm deps |
| /fwstack:publish | Validate → confirm metadata → PR to registry |
Workflow details
/fwstack:review
Gathers git diff and runs linters in parallel. Pauses for the AI to analyze. Extracts findings as structured JSON, deduplicates by file:line, sorts by severity.
codeReview
1. ✓ diff (2.3s), ✓ lint (2.3s) (parallel)
2. ✓ reviewer (6.1s) (agent)
3. ✓ extract (<1ms)
4. ✓ rank (<1ms)
5. ✓ report (<1ms)
✓ complete (6.0s)
/fwstack:plan
Reads your codebase (file tree, package.json, git log). Pauses for the AI to generate a plan with acceptance criteria. Every task needs a file path and shell commands that prove it's done. Validator rejects vague language and weak commands (echo, true, exit 0, ls).
In implement mode, iterates over each task: pauses for the AI to implement, then runs the acceptance checks.
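A sketch of the acceptance-command gate described above, as an added example (not fwstack's validator): it rejects commands made up only of the weak commands the page lists, and goes one step further by rejecting commands whose exit status is forced to success by a trailing `|| true` or similar. The task shape `{ file, checks }` and the function names are assumptions.

```javascript
// Added example: gate for acceptance commands (not fwstack's validator).
// Weak commands named on the page: echo, true, exit 0, ls.
const isWeak = (seg) => /^(echo|ls|true)(\s|$)/.test(seg) || /^exit\s+0$/.test(seg);

// Returns a rejection reason, or null when the command's result is meaningful.
// Heuristic: splits on shell operators without honouring quotes.
function checkCommand(cmd) {
  const parts = cmd.split(/(\|\||&&|;|\|)/).map((p) => p.trim());
  const segs = [];
  for (let i = 0; i < parts.length; i += 2) {
    if (parts[i]) segs.push({ op: i ? parts[i - 1] : null, text: parts[i] });
  }
  if (segs.length === 0) return "empty command";
  if (segs.every((s) => isWeak(s.text))) {
    return "only weak commands (echo, true, exit 0, ls)";
  }
  const last = segs[segs.length - 1];
  // "cmd || true", "cmd; exit 0", "cmd | ls": the real result is discarded.
  if (isWeak(last.text) && last.op !== "&&") {
    return `exit status masked by "${last.op} ${last.text}"`;
  }
  return null;
}

// Assumed task shape: { file: string, checks: string[] }.
function validateTask(task) {
  const errors = [];
  if (!task.file) errors.push("task has no file path");
  if (!task.checks || task.checks.length === 0) {
    errors.push("task has no acceptance command");
  }
  for (const cmd of task.checks || []) {
    const reason = checkCommand(cmd);
    if (reason) errors.push(`${cmd}: ${reason}`);
  }
  return errors;
}

// Constructed tasks for illustration.
console.log(validateTask({ file: "src/auth.ts", checks: ["npm test -- auth"] }));
console.log(validateTask({ file: "src/auth.ts", checks: ["npm test || true"] }));
```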
/fwstack:tdd
Two pauses. First: AI writes a failing test. Workflow runs npm test, checks exit code != 0. Second: AI implements. Workflow runs tests again, checks exit code == 0. Can't skip to implementation because the RED gate blocks.
tddCycle
1. ✓ writeTest (10.7s) (agent)
2. ✓ runRed (175ms)
3. ✓ assertRed (<1ms)
4. ✓ implement (14.5s) (agent)
5. ✓ runGreen (156ms)
6. ✓ assertGreen (<1ms)
✓ complete (26.0s)
/fwstack:security
Gathers source code and runs SAST tools (npm audit, semgrep) in parallel. Pauses for OWASP + STRIDE analysis. Drops findings below 8/10 confidence. Ranks by severity.
/fwstack:ship
Checks you're on a feature branch. Runs full test suite. If tests fail, stops. No override. If tests pass, gathers the diff and pauses for changelog generation.
shipRelease
1. ✓ precheck (48ms)
2. ✓ tests (115ms)
3. ✓ gate (<1ms)
4. ✓ changes (166ms)
5. ✓ changelogAgent (7.9s) (agent)
✓ complete (8.1s)
/fwstack:create
Describe what you want, the workflow builds itself. Gathers project context, pauses for a structured spec, validates (rejects vague requirements and missing gates), loads authoring docs, pauses to build the workflow file, validates with fw validate, installs dependencies, copies to .fwstack/workflows/.
/fwstack:migrate
Convert existing markdown skill files into compiled workflows. Reads your .md file, detects the format (Claude Code command, gstack skill, freeform), extracts steps, code blocks, personas, and constraints. Classifies each step as deterministic/agent/gate. Validates the plan, pauses for your approval, then builds and installs.
/fwstack:browse
Search the community registry by name, description, or tag. No auth required. Fetches from GitHub, filters, formats.
/fwstack:install
Download a community workflow, install to .fwstack/workflows/, auto-install npm dependencies. Auto-discovered on the next tool call.
/fwstack:publish
Validate a workflow for publishing (self-containment, anti-patterns, fw validate), confirm metadata, create a PR to the community registry via gh CLI.
Community registry
Browse and install workflows shared by the community:
/fwstack:browse
Community Workflows (4 of 4)
**depAudit** by Ricardo Morais — Dependency audit: outdated + vulns + unused, gate on critical CVEs
Tags: dependencies, security, audit, npm | Nodes: 7 | Agent: yes
Install: /fwstack:install depAudit
Publish your own:
/fwstack:publish .fwstack/workflows/myWorkflow.ts
Registry: fwstack-community
Custom workflows
Drop a .ts workflow file in .fwstack/workflows/ in your project. fwstack discovers it automatically and registers it as a new command.
Links
- Flow Weaver — the compiler
- Community Registry — shared workflows
- Contributing — publish workflows, dev setup, PR guide
- Discord
- r/FlowWeaver
License: MIT