@cubis/foundry 0.3.70 → 0.3.72

package/workflows/powers/security-engineer/POWER.md

@@ -0,0 +1,129 @@
+````markdown
+---
+inclusion: manual
+name: security-engineer
+description: Apply secure coding practices, OWASP Top 10 mitigations, threat modeling, input validation, and vulnerability prevention across web, API, and backend systems.
+license: Apache-2.0
+metadata:
+  author: cubis-foundry
+  version: "3.0"
+compatibility: Claude Code, Codex, GitHub Copilot, Gemini CLI
+---
+
+# Security Engineer
+
+## Purpose
+
+Guide secure software development practices. Identify and fix vulnerabilities, apply OWASP Top 10 mitigations, build threat models, and enforce secure coding patterns across the full stack.
+
+## When to Use
+
+- Reviewing code for security vulnerabilities
+- Designing authentication, authorization, or data protection
+- Implementing input validation and output encoding
+- Building threat models for new features or systems
+- Hardening APIs, databases, or infrastructure
+- Responding to security incidents or CVE disclosures
+
+## Instructions
+
+### Step 1 — Identify the Attack Surface
+
+Map what's exposed:
+
+- **User inputs**: forms, URL params, headers, cookies, file uploads
+- **APIs**: endpoints, authentication, rate limiting, CORS
+- **Data stores**: database queries, file system access, caches
+- **Third-party**: external services, SDKs, dependencies
+- **Infrastructure**: secrets management, network exposure, permissions
+
+### Step 2 — Apply OWASP Top 10 Checks
+
+| #   | Risk                      | Key Mitigation                                                                  |
+| --- | ------------------------- | ------------------------------------------------------------------------------- |
+| A01 | Broken Access Control     | Deny by default, validate permissions on every request, server-side enforcement |
+| A02 | Cryptographic Failures    | TLS everywhere, hash passwords with Argon2/bcrypt, never roll custom crypto     |
+| A03 | Injection                 | Parameterized queries, prepared statements, contextual output encoding          |
+| A04 | Insecure Design           | Threat modeling before implementation, abuse case analysis                      |
+| A05 | Security Misconfiguration | Minimal permissions, disable debug in production, security headers              |
+| A06 | Vulnerable Components     | Dependency scanning, automated updates, SBOM                                    |
+| A07 | Auth Failures             | MFA, rate limiting, secure session management, credential stuffing protection   |
+| A08 | Data Integrity Failures   | Verify signatures, integrity checks on CI/CD, signed artifacts                  |
+| A09 | Logging Failures          | Log security events, never log secrets, tamper-evident logs                     |
+| A10 | SSRF                      | Allowlist outbound URLs, validate/sanitize URLs, block internal network access  |
+
+### Step 3 — Secure Coding Patterns
+
+**Input Validation**:
+
+- Validate on the server (client validation is UX, not security)
+- Allowlist valid inputs rather than blocklisting bad ones
+- Validate type, length, range, and format
+- Reject early and fail safely
+
+**Output Encoding**:
+
+- HTML context: HTML-entity encode
+- JavaScript context: JavaScript-encode
+- URL context: URL-encode
+- SQL context: parameterized queries (never string concatenation)
+
+**Authentication**:
+
+- Hash passwords with Argon2id (preferred) or bcrypt (minimum work factor 12)
+- Use constant-time comparison for secrets
+- Implement account lockout with progressive delays
+- Session tokens: cryptographically random, HttpOnly, Secure, SameSite=Strict
+
+**Authorization**:
+
+- Check permissions on every request (not just UI hiding)
+- Use RBAC or ABAC — not role checks scattered in business logic
+- Principle of least privilege for all service accounts
+
+**Secrets Management**:
+
+- Never hardcode secrets in source code
+- Use environment variables or secret managers (Vault, AWS Secrets Manager)
+- Rotate secrets regularly
+- Audit secret access
+
+### Step 4 — Threat Modeling
+
+Use STRIDE for systematic analysis:
+
+| Threat                     | Question                                       |
+| -------------------------- | ---------------------------------------------- |
+| **S**poofing               | Can someone impersonate a user or service?     |
+| **T**ampering              | Can someone modify data in transit or at rest? |
+| **R**epudiation            | Can someone deny performing an action?         |
+| **I**nformation Disclosure | Can someone access unauthorized data?          |
+| **D**enial of Service      | Can someone make the system unavailable?       |
+| **E**levation of Privilege | Can someone gain unauthorized access levels?   |
+
+## Output Format
+
+```
+## Security Review Summary
+[Overall risk assessment: Low / Medium / High / Critical]
+
+## Critical Findings
+- **[OWASP #]**: [vulnerability] → [specific fix with code]
+
+## Recommendations
+- [priority-ordered list of security improvements]
+
+## Secure Patterns Applied
+- ✓ [what's already done well]
+```
+
+## Examples
+
+**User**: "Review this login endpoint for security issues"
+
+**Response approach**: Check password hashing algorithm, session management, rate limiting, CSRF protection, input validation, error messages (no user enumeration), audit logging, TLS enforcement.
+
+**User**: "We're building a file upload feature"
+
+**Response approach**: Validate file type (magic bytes, not just extension), limit file size, store outside web root, generate random filenames, scan for malware, set Content-Disposition headers, restrict MIME types.
+````

package/workflows/powers/security-engineer/SKILL.md

@@ -0,0 +1,126 @@
+---
+name: security-engineer
+description: Apply secure coding practices, OWASP Top 10 mitigations, threat modeling, input validation, and vulnerability prevention across web, API, and backend systems.
+license: Apache-2.0
+metadata:
+  author: cubis-foundry
+  version: "3.0"
+compatibility: Claude Code, Codex, GitHub Copilot, Gemini CLI
+---
+
+# Security Engineer
+
+## Purpose
+
+Guide secure software development practices. Identify and fix vulnerabilities, apply OWASP Top 10 mitigations, build threat models, and enforce secure coding patterns across the full stack.
+
+## When to Use
+
+- Reviewing code for security vulnerabilities
+- Designing authentication, authorization, or data protection
+- Implementing input validation and output encoding
+- Building threat models for new features or systems
+- Hardening APIs, databases, or infrastructure
+- Responding to security incidents or CVE disclosures
+
+## Instructions
+
+### Step 1 — Identify the Attack Surface
+
+Map what's exposed:
+
+- **User inputs**: forms, URL params, headers, cookies, file uploads
+- **APIs**: endpoints, authentication, rate limiting, CORS
+- **Data stores**: database queries, file system access, caches
+- **Third-party**: external services, SDKs, dependencies
+- **Infrastructure**: secrets management, network exposure, permissions
+
+### Step 2 — Apply OWASP Top 10 Checks
+
+| #   | Risk                      | Key Mitigation                                                                  |
+| --- | ------------------------- | ------------------------------------------------------------------------------- |
+| A01 | Broken Access Control     | Deny by default, validate permissions on every request, server-side enforcement |
+| A02 | Cryptographic Failures    | TLS everywhere, hash passwords with Argon2/bcrypt, never roll custom crypto     |
+| A03 | Injection                 | Parameterized queries, prepared statements, contextual output encoding          |
+| A04 | Insecure Design           | Threat modeling before implementation, abuse case analysis                      |
+| A05 | Security Misconfiguration | Minimal permissions, disable debug in production, security headers              |
+| A06 | Vulnerable Components     | Dependency scanning, automated updates, SBOM                                    |
+| A07 | Auth Failures             | MFA, rate limiting, secure session management, credential stuffing protection   |
+| A08 | Data Integrity Failures   | Verify signatures, integrity checks on CI/CD, signed artifacts                  |
+| A09 | Logging Failures          | Log security events, never log secrets, tamper-evident logs                     |
+| A10 | SSRF                      | Allowlist outbound URLs, validate/sanitize URLs, block internal network access  |
+
+### Step 3 — Secure Coding Patterns
+
+**Input Validation**:
+
+- Validate on the server (client validation is UX, not security)
+- Allowlist valid inputs rather than blocklisting bad ones
+- Validate type, length, range, and format
+- Reject early and fail safely
+
+**Output Encoding**:
+
+- HTML context: HTML-entity encode
+- JavaScript context: JavaScript-encode
+- URL context: URL-encode
+- SQL context: parameterized queries (never string concatenation)
+
+**Authentication**:
+
+- Hash passwords with Argon2id (preferred) or bcrypt (minimum work factor 12)
+- Use constant-time comparison for secrets
+- Implement account lockout with progressive delays
+- Session tokens: cryptographically random, HttpOnly, Secure, SameSite=Strict
+
+**Authorization**:
+
+- Check permissions on every request (not just UI hiding)
+- Use RBAC or ABAC — not role checks scattered in business logic
+- Principle of least privilege for all service accounts
+
+**Secrets Management**:
+
+- Never hardcode secrets in source code
+- Use environment variables or secret managers (Vault, AWS Secrets Manager)
+- Rotate secrets regularly
+- Audit secret access
+
+### Step 4 — Threat Modeling
+
+Use STRIDE for systematic analysis:
+
+| Threat                     | Question                                       |
+| -------------------------- | ---------------------------------------------- |
+| **S**poofing               | Can someone impersonate a user or service?     |
+| **T**ampering              | Can someone modify data in transit or at rest? |
+| **R**epudiation            | Can someone deny performing an action?         |
+| **I**nformation Disclosure | Can someone access unauthorized data?          |
+| **D**enial of Service      | Can someone make the system unavailable?       |
+| **E**levation of Privilege | Can someone gain unauthorized access levels?   |
+
+## Output Format
+
+```
+## Security Review Summary
+[Overall risk assessment: Low / Medium / High / Critical]
+
+## Critical Findings
+- **[OWASP #]**: [vulnerability] → [specific fix with code]
+
+## Recommendations
+- [priority-ordered list of security improvements]
+
+## Secure Patterns Applied
+- ✓ [what's already done well]
+```
+
+## Examples
+
+**User**: "Review this login endpoint for security issues"
+
+**Response approach**: Check password hashing algorithm, session management, rate limiting, CSRF protection, input validation, error messages (no user enumeration), audit logging, TLS enforcement.
+
+**User**: "We're building a file upload feature"
+
+**Response approach**: Validate file type (magic bytes, not just extension), limit file size, store outside web root, generate random filenames, scan for malware, set Content-Disposition headers, restrict MIME types.

package/workflows/powers/seo-fundamentals/POWER.md

@@ -2,131 +2,88 @@
 ---
 inclusion: manual
 name: seo-fundamentals
-description: SEO fundamentals, E-E-A-T, Core Web Vitals, and Google algorithm principles.
-allowed-tools: Read, Glob, Grep
+description: "Use when implementing technical SEO, content optimization, schema markup, or Core Web Vitals improvements for search engine visibility."
+license: MIT
+metadata:
+  author: cubis-foundry
+  version: "1.0"
+compatibility: Claude Code, Codex, GitHub Copilot
 ---
 
 # SEO Fundamentals
 
-> Principles for search engine visibility.
+## Purpose
 
----
-
-## 1. E-E-A-T Framework
-
-| Principle | Signals |
-|-----------|---------|
-| **Experience** | First-hand knowledge, real examples |
-| **Expertise** | Credentials, depth of knowledge |
-| **Authoritativeness** | Backlinks, mentions, industry recognition |
-| **Trustworthiness** | HTTPS, transparency, accurate info |
+Use when implementing technical SEO, content optimization, schema markup, or Core Web Vitals improvements for search engine visibility.
 
----
+## When to Use
 
-## 2. Core Web Vitals
+- Implementing technical SEO (sitemaps, robots.txt, canonical tags, HTTPS, meta tags).
+- Optimizing Core Web Vitals (LCP, INP, CLS) for search ranking.
+- Adding structured data and schema markup (Article, FAQPage, Product, Organization).
+- Improving content quality using E-E-A-T framework.
+- Auditing a site for SEO issues and prioritizing fixes.
 
-| Metric | Target | Measures |
-|--------|--------|----------|
-| **LCP** | < 2.5s | Loading performance |
-| **INP** | < 200ms | Interactivity |
-| **CLS** | < 0.1 | Visual stability |
+## Instructions
 
----
+1. Audit technical SEO fundamentals — sitemaps, robots.txt, canonical tags, HTTPS, meta tags.
+2. Measure Core Web Vitals — LCP < 2.5s, INP < 200ms, CLS < 0.1.
+3. Implement structured data with appropriate schema types.
+4. Evaluate content quality against E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness).
+5. Prioritize fixes by impact: content quality > backlinks > page experience > technical SEO.
 
-## 3. Technical SEO Principles
+### Baseline standards
 
-### Site Structure
+- Core Web Vitals targets: LCP < 2.5s, INP < 200ms, CLS < 0.1.
+- Every page must have unique title + meta description.
+- XML sitemap must be current and submitted.
+- Canonical tags must prevent duplicate content issues.
+- Schema markup must validate against Google's structured data testing tool.
 
-| Element | Purpose |
-|---------|---------|
-| XML sitemap | Help crawling |
-| robots.txt | Control access |
-| Canonical tags | Prevent duplicates |
-| HTTPS | Security signal |
+### Ranking factors priority
 
-### Performance
+| Priority | Factor                                     |
+| -------- | ------------------------------------------ |
+| 1        | Content quality and relevance              |
+| 2        | Backlink profile                           |
+| 3        | Page experience (Core Web Vitals)          |
+| 4        | Technical SEO (crawlability, indexability) |
+| 5        | Content freshness                          |
 
-| Factor | Impact |
-|--------|--------|
-| Page speed | Core Web Vital |
-| Mobile-friendly | Ranking factor |
-| Clean URLs | Crawlability |
+### Schema types reference
 
----
+| Type           | Use For                   |
+| -------------- | ------------------------- |
+| Article        | Blog posts, news articles |
+| Organization   | Company info, contact     |
+| FAQPage        | FAQ sections              |
+| Product        | E-commerce product pages  |
+| Review         | User reviews, ratings     |
+| BreadcrumbList | Navigation breadcrumbs    |
+| HowTo          | Step-by-step guides       |
 
-## 4. Content SEO Principles
+### Constraints
 
-### Page Elements
+- Never use hidden text, keyword stuffing, or cloaking.
+- Never create doorway pages or thin content for ranking.
+- Always follow Google's webmaster guidelines.
+- Always validate schema markup before deploying.
 
-| Element | Best Practice |
-|---------|---------------|
-| Title tag | 50-60 chars, keyword front |
-| Meta description | 150-160 chars, compelling |
-| H1 | One per page, main keyword |
-| H2-H6 | Logical hierarchy |
-| Alt text | Descriptive, not stuffed |
+## Output Format
 
-### Content Quality
+Provide SEO audit findings, implementation guidance, schema markup code, and Core Web Vitals optimization recommendations.
 
-| Factor | Importance |
-|--------|------------|
-| Depth | Comprehensive coverage |
-| Freshness | Regular updates |
-| Uniqueness | Original value |
-| Readability | Clear writing |
+## References
 
----
-
-## 5. Schema Markup Types
-
-| Type | Use |
-|------|-----|
-| Article | Blog posts, news |
-| Organization | Company info |
-| Person | Author profiles |
-| FAQPage | Q&A content |
-| Product | E-commerce |
-| Review | Ratings |
-| BreadcrumbList | Navigation |
-
----
+No reference files for this skill right now.
 
-## 6. AI Content Guidelines
+## Scripts
 
-### What Google Looks For
+No helper scripts are required for this skill right now.
 
-| ✅ Do | ❌ Don't |
-|-------|----------|
-| AI draft + human edit | Publish raw AI content |
-| Add original insights | Copy without value |
-| Expert review | Skip fact-checking |
-| Follow E-E-A-T | Keyword stuffing |
-
----
-
-## 7. Ranking Factors (Prioritized)
-
-| Priority | Factor |
-|----------|--------|
-| 1 | Quality, relevant content |
-| 2 | Backlinks from authority sites |
-| 3 | Page experience (Core Web Vitals) |
-| 4 | Mobile optimization |
-| 5 | Technical SEO fundamentals |
-
----
-
-## 8. Measurement
-
-| Metric | Tool |
-|--------|------|
-| Rankings | Search Console, Ahrefs |
-| Traffic | Analytics |
-| Core Web Vitals | PageSpeed Insights |
-| Indexing | Search Console |
-| Backlinks | Ahrefs, Semrush |
-
----
+## Examples
 
-> **Remember:** SEO is a long-term game. Quality content + technical excellence + patience = results.
+- "Audit this Next.js site for SEO issues and prioritize fixes"
+- "Add structured data markup for our product pages"
+- "Improve Core Web Vitals scores on our landing pages"
 ````

package/workflows/powers/seo-fundamentals/SKILL.md

@@ -1,129 +1,86 @@
 ---
 name: seo-fundamentals
-description: SEO fundamentals, E-E-A-T, Core Web Vitals, and Google algorithm principles.
-allowed-tools: Read, Glob, Grep
+description: "Use when implementing technical SEO, content optimization, schema markup, or Core Web Vitals improvements for search engine visibility."
+license: MIT
+metadata:
+  author: cubis-foundry
+  version: "1.0"
+compatibility: Claude Code, Codex, GitHub Copilot
 ---
 
 # SEO Fundamentals
 
-> Principles for search engine visibility.
+## Purpose
 
----
-
-## 1. E-E-A-T Framework
-
-| Principle | Signals |
-|-----------|---------|
-| **Experience** | First-hand knowledge, real examples |
-| **Expertise** | Credentials, depth of knowledge |
-| **Authoritativeness** | Backlinks, mentions, industry recognition |
-| **Trustworthiness** | HTTPS, transparency, accurate info |
+Use when implementing technical SEO, content optimization, schema markup, or Core Web Vitals improvements for search engine visibility.
 
----
+## When to Use
 
-## 2. Core Web Vitals
+- Implementing technical SEO (sitemaps, robots.txt, canonical tags, HTTPS, meta tags).
+- Optimizing Core Web Vitals (LCP, INP, CLS) for search ranking.
+- Adding structured data and schema markup (Article, FAQPage, Product, Organization).
+- Improving content quality using E-E-A-T framework.
+- Auditing a site for SEO issues and prioritizing fixes.
 
-| Metric | Target | Measures |
-|--------|--------|----------|
-| **LCP** | < 2.5s | Loading performance |
-| **INP** | < 200ms | Interactivity |
-| **CLS** | < 0.1 | Visual stability |
+## Instructions
 
----
+1. Audit technical SEO fundamentals — sitemaps, robots.txt, canonical tags, HTTPS, meta tags.
+2. Measure Core Web Vitals — LCP < 2.5s, INP < 200ms, CLS < 0.1.
+3. Implement structured data with appropriate schema types.
+4. Evaluate content quality against E-E-A-T (Experience, Expertise, Authoritativeness, Trustworthiness).
+5. Prioritize fixes by impact: content quality > backlinks > page experience > technical SEO.
 
-## 3. Technical SEO Principles
+### Baseline standards
 
-### Site Structure
+- Core Web Vitals targets: LCP < 2.5s, INP < 200ms, CLS < 0.1.
+- Every page must have unique title + meta description.
+- XML sitemap must be current and submitted.
+- Canonical tags must prevent duplicate content issues.
+- Schema markup must validate against Google's structured data testing tool.
 
-| Element | Purpose |
-|---------|---------|
-| XML sitemap | Help crawling |
-| robots.txt | Control access |
-| Canonical tags | Prevent duplicates |
-| HTTPS | Security signal |
+### Ranking factors priority
 
-### Performance
+| Priority | Factor                                     |
+| -------- | ------------------------------------------ |
+| 1        | Content quality and relevance              |
+| 2        | Backlink profile                           |
+| 3        | Page experience (Core Web Vitals)          |
+| 4        | Technical SEO (crawlability, indexability) |
+| 5        | Content freshness                          |
 
-| Factor | Impact |
-|--------|--------|
-| Page speed | Core Web Vital |
-| Mobile-friendly | Ranking factor |
-| Clean URLs | Crawlability |
+### Schema types reference
 
----
+| Type           | Use For                   |
+| -------------- | ------------------------- |
+| Article        | Blog posts, news articles |
+| Organization   | Company info, contact     |
+| FAQPage        | FAQ sections              |
+| Product        | E-commerce product pages  |
+| Review         | User reviews, ratings     |
+| BreadcrumbList | Navigation breadcrumbs    |
+| HowTo          | Step-by-step guides       |
 
-## 4. Content SEO Principles
+### Constraints
 
-### Page Elements
+- Never use hidden text, keyword stuffing, or cloaking.
+- Never create doorway pages or thin content for ranking.
+- Always follow Google's webmaster guidelines.
+- Always validate schema markup before deploying.
 
-| Element | Best Practice |
-|---------|---------------|
-| Title tag | 50-60 chars, keyword front |
-| Meta description | 150-160 chars, compelling |
-| H1 | One per page, main keyword |
-| H2-H6 | Logical hierarchy |
-| Alt text | Descriptive, not stuffed |
+## Output Format
 
-### Content Quality
+Provide SEO audit findings, implementation guidance, schema markup code, and Core Web Vitals optimization recommendations.
 
-| Factor | Importance |
-|--------|------------|
-| Depth | Comprehensive coverage |
-| Freshness | Regular updates |
-| Uniqueness | Original value |
-| Readability | Clear writing |
+## References
 
----
-
-## 5. Schema Markup Types
-
-| Type | Use |
-|------|-----|
-| Article | Blog posts, news |
-| Organization | Company info |
-| Person | Author profiles |
-| FAQPage | Q&A content |
-| Product | E-commerce |
-| Review | Ratings |
-| BreadcrumbList | Navigation |
-
----
+No reference files for this skill right now.
 
-## 6. AI Content Guidelines
+## Scripts
 
-### What Google Looks For
+No helper scripts are required for this skill right now.
 
-| ✅ Do | ❌ Don't |
-|-------|----------|
-| AI draft + human edit | Publish raw AI content |
-| Add original insights | Copy without value |
-| Expert review | Skip fact-checking |
-| Follow E-E-A-T | Keyword stuffing |
-
----
-
-## 7. Ranking Factors (Prioritized)
-
-| Priority | Factor |
-|----------|--------|
-| 1 | Quality, relevant content |
-| 2 | Backlinks from authority sites |
-| 3 | Page experience (Core Web Vitals) |
-| 4 | Mobile optimization |
-| 5 | Technical SEO fundamentals |
-
----
-
-## 8. Measurement
-
-| Metric | Tool |
-|--------|------|
-| Rankings | Search Console, Ahrefs |
-| Traffic | Analytics |
-| Core Web Vitals | PageSpeed Insights |
-| Indexing | Search Console |
-| Backlinks | Ahrefs, Semrush |
-
----
+## Examples
 
-> **Remember:** SEO is a long-term game. Quality content + technical excellence + patience = results.
+- "Audit this Next.js site for SEO issues and prioritize fixes"
+- "Add structured data markup for our product pages"
+- "Improve Core Web Vitals scores on our landing pages"