@curdx/flow 1.1.4 → 1.1.6

package/gates/security-gate.md

@@ -0,0 +1,218 @@
+---
+gate: security-gate
+category: enterprise-mode
+severity: blocking
+depends_on: []
+---
+
+# Security Gate — Security Baseline Enforcement
+
+> Enabled by default in Enterprise mode. Violating "high-risk" items blocks release.
+
+---
+
+## Trigger Timing
+
+- When `/curdx-flow:security` runs
+- Before `/curdx-flow:ship` (auto-triggered, Phase 6+)
+- When committing specs involving auth / payments / PII
+
+---
+
+## Core Red Lines (high-risk, blocking)
+
+### SR-01: Hardcoded Credentials
+
+Scan:
+```bash
+grep -rnE "(api[_-]?key|secret|password|token)[[:space:]]*[:=][[:space:]]*['\"][^'\"]{12,}" src/
+```
+
+Hit → block release + force rotate credential.
+
+### SR-02: SQL/Command Injection Points
+
+```bash
+# String-concatenated SQL
+grep -rn "db.query.*\${.*req\." src/
+grep -rn "execute.*\${.*user" src/
+
+# Command injection
+grep -rn "exec.*\${\|spawn.*\${" src/
+```
+
+Hit → block, must switch to parameterized queries or shell escape.
+
+### SR-03: XSS Injection Points
+
+```bash
+grep -rn "innerHTML\|dangerouslySetInnerHTML" src/
+```
+
+Hit → must review data source. If it comes from user input without sanitization → block.
+
+### SR-04: Sensitive Data in Logs
+
+```bash
+grep -rnE "(console|logger)\.(log|info|warn|error).*(password|token|secret|creditCard|ssn)" src/
+```
+
+Hit → block, switch to a redact wrapper.
+
+### SR-05: Secret Management
+
+- JWT secret / DB password must be env variables
+- Validate at startup (fail fast)
+- Must not fall back to default values
+
+---
+
+## Warning Items (non-blocking, must fix)
+
+### SW-01: Error Message Leaks Existence
+
+```
+"User not found" vs "Wrong password"
+```
+
+Different messages = can be enumerated. Recommend unifying to "Invalid credentials".
+
+### SW-02: Timing Attack
+
+Response-time differences leak information. bcrypt should run even for unknown users (using a fake hash).
+
+### SW-03: CORS Too Permissive
+
+`Access-Control-Allow-Origin: *` must be fixed before release.
+
+### SW-04: Rate Limiting Missing
+
+Login, registration, and password-reset paths without rate limit → can be brute-forced.
+
+### SW-05: Dependency CVE
+
+`npm audit` reports high/critical → must upgrade or exempt.
+
+---
+
+## Mandatory Items (Enterprise default requirements)
+
+### SM-01: All APIs Have Authorization
+
+Not "public" by default. New endpoints default to `requireAuth`.
+
+### SM-02: User Data Isolation
+
+`WHERE user_id = ?` must use the current session's user_id; cannot trust the frontend parameter.
+
+### SM-03: HTTPS Enforced
+
+Production environment only accepts HTTPS. HTTP requests → 301 to HTTPS.
+
+### SM-04: Cookie Security Flags
+
+- HttpOnly (prevent XSS reads)
+- Secure (HTTPS only)
+- SameSite=Strict/Lax (prevent CSRF)
+
+### SM-05: Password Storage
+
+- Must be bcrypt/argon2 (not md5/sha)
+- cost factor ≥ 12
+
+---
+
+## Checking Methods
+
+### Automated Scan
+
+```bash
+# Run all scans
+bash scripts/security-scan.sh  # provided by project (if available)
+
+# Or use flow-security-auditor agent
+/curdx-flow:security
+```
+
+### Dependency CVE
+
+```bash
+npm audit --audit-level=high
+# or
+pnpm audit
+```
+
+### Manual Review (design layer)
+
+- Check if AD-NN in design.md has security relevance
+- Check NFR-S in requirements.md
+- Threat modeling (STRIDE)
+
+---
+
+## Violation Handling
+
+### Blocking Items
+
+- If SR-01 ~ SR-05 are found → block immediately, prohibit `/curdx-flow:ship`
+- Must fix or explicitly exempt (record in STATE.md as tech debt + commitment to fix before release)
+
+### Warning Items
+
+- If SW-01 ~ SW-05 are found → warning, non-blocking
+- But record in `security-debt.md`
+- Re-check in the next audit
+
+### Mandatory Items
+
+- Missing SM-01 ~ SM-05 → warning (new features), blocking (production paths)
+
+---
+
+## Exemption Path
+
+If you truly need to skip a security check:
+
+1. Record in `.flow/STATE.md`:
+```markdown
+## Security Exemptions
+- D-SEC-01 | 2026-04-19 | temporarily hardcoding JWT_SECRET in dev environment
+  - Exemption scope: dev environment only
+  - Risk owner: wdx
+  - Fix commitment: migrate to env before 2026-04-26
+```
+
+2. Explicitly mention in PR description
+
+3. Next audit must re-check whether it has been fixed
+
+---
+
+## Output Format
+
+```markdown
+## Security Gate Report
+
+Scan: commits abc..xyz + npm audit
+Time: YYYY-MM-DD
+
+### Blockers (SR): 1
+- [SR-04] src/auth/login.ts:60 — logger records password field
+
+### Warnings (SW): 2
+- [SW-01] Inconsistent login error messages → enumerable
+- [SW-05] axios 1.5.0 has CVE → `npm install axios@^1.6.0`
+
+### Mandatory (SM): all satisfied
+
+Verdict: BLOCKED (1 SR)
+
+Fix list:
+1. SR-04: wrap logger with redactPassword() (blocking, required)
+2. SW-01: unify error messages (recommended)
+3. SW-05: upgrade axios (recommended)
+```
+
+---
+
+_source: OWASP Top 10 + STRIDE + accumulated project experience._

package/gates/tdd-gate.md

@@ -0,0 +1,188 @@
+---
+gate: tdd-gate
+category: standard-mode
+severity: blocking
+depends_on: []
+---
+
+# TDD Gate — Red/Green/Yellow Cycle Enforcement
+
+> **Iron rule**: NO PRODUCTION CODE WITHOUT A FAILING TEST FIRST.
+>
+> Source: superpowers' test-driven-development skill.
+
+---
+
+## Trigger Timing
+
+- All tasks in Phase 3 (Testing)
+- Production code changes outside the POC phase
+- Tasks explicitly marked `[RED]` / `[GREEN]` / `[YELLOW]`
+
+---
+
+## Applicability
+
+✓ **TDD enforced**:
+- Adding production logic (business rules, algorithms, data transformations)
+- Modifying existing logic (even one line)
+- Bug fixes (must have a failing test that reproduces the bug)
+
+⊘ **Exemptible from TDD**:
+- POC phase (Phase 1 of POC-First)
+- Pure configuration changes (`.json` / `.yaml`)
+- Documentation (`.md`)
+- Formatting (does not change behavior)
+- Dependency upgrades (only modify package.json, unless major version)
+
+---
+
+## RED → GREEN → YELLOW Enforcement Rules
+
+### RED (failing test)
+
+**Rules**:
+- The test **must actually fail** before continuing
+- "I wrote the test but haven't run it" is not allowed
+- "The test passes as soon as written" is not allowed (this means it doesn't actually test anything)
+
+**Check**:
+```bash
+# Expect a non-zero exit code
+npm test -- <test-file>
+echo "Exit: $?"  # must be non-0
+```
+
+**Commit format**: `test(scope): red - <what the test verifies>`
+
+**Violations**:
+- ✗ Wrote the test but didn't run it (no fresh evidence)
+- ✗ Test passes the first time it runs
+- ✗ Started writing implementation before writing the test
+
+---
+
+### GREEN (minimal implementation)
+
+**Rules**:
+- Write the **least code** needed to pass the RED test
+- Don't think about elegance, abstraction, or extensibility
+- Focus on making the test pass
+
+**Check**:
+```bash
+npm test -- <test-file>
+echo "Exit: $?"  # must be 0
+```
+
+**Commit format**: `feat(scope): green - <what was implemented>`
+
+**Violations**:
+- ✗ Added functionality beyond what makes the test pass
+- ✗ Did abstraction and implementation at the same time
+- ✗ Other tests also pass but those tests were written outside this cycle
+
+---
+
+### YELLOW (refactor)
+
+**Rules**:
+- Clean up GREEN-phase code; **tests must still pass**
+- No new behavior
+- No new tests
+
+**Check**:
+```bash
+# Tests run before and after, both exit 0
+npm test -- <test-file>
+```
+
+**Commit format**: `refactor(scope): yellow - <what was cleaned up>`
+
+**Violations**:
+- ✗ Test fails during YELLOW (means behavior changed)
+- ✗ YELLOW added new functionality
+- ✗ Deleted hard-to-change code (violates surgical changes)
+
+---
+
+## Reasons to Refuse (agent must reject these excuses)
+
+| Excuse | Agent Response |
+|------|---------|
+| "This is too simple to test" | Simple code can break too. Write a minimal test. |
+| "Write code first, test later" | After-the-fact tests miss edge cases. Go back to RED. |
+| "I already tested manually" | No automation record means no regression. Write an automated test. |
+| "Existing code has no tests, I won't either" | Coverage only goes up or down. New code must at least cover the new logic. |
+| "Time pressure" | fast mode or /curdx-flow:fast can exempt. Otherwise go through full TDD. |
+
+---
+
+## Exemption Path (explicit)
+
+If you really need to skip TDD, you must:
+
+1. Mark in `.flow/CONTEXT.md` or `.state.json`
+2. Provide an exemption reason
+3. Add a "tech debt" entry to `.flow/STATE.md`, with a commitment to fix later
+
+```markdown
+# STATE.md
+## Tech Debt
+- D-TDD-01 | 2026-04-19 | auth-system's refresh-token module skipped TDD
+  - Reason: urgent hotfix, CI takes 1 hour to complete
+  - Commitment: add tests next sprint, deadline 2026-04-26
+```
+
+No exemption record → TDD enforced.
+
+---
+
+## Checking Methods
+
+### flow-reviewer's Stage 2 invokes this gate
+
+Scan git log; for each `feat(xxx):` commit:
+1. Find the preceding `test(xxx): red -` commit
+2. If none, that feat violates TDD
+3. Exception: commit message contains `[skip-tdd]` and a corresponding record exists in STATE.md
+
+### Coverage Check (auxiliary)
+
+```bash
+npm test -- --coverage
+# Line coverage for new code must be ≥ 80%
+# Uncovered lines must be explained in STATE.md
+```
+
+---
+
+## Output Format
+
+```markdown
+## TDD Gate Check Result
+
+Scan range: commits abc123..def456
+Feat commits: 5
+Test commits (red): 4
+
+[T1] commit abc123 "feat(auth): add login endpoint"
+     Preceding RED: ✓ commit 789xyz "test(auth): red - login endpoint tests"
+     Verdict: compliant
+
+[T2] commit def456 "feat(auth): add password hashing"
+     Preceding RED: ✗ no preceding test commit
+     Verdict: violation
+     Exception check: no [skip-tdd] marker, no STATE.md exemption
+     Block: yes
+
+Violations: 1
+Compliant: 4
+
+Fix recommendations:
+  T2: add test test(auth): red - password hashing, verify it fails, then redo GREEN
+```
+
+---
+
+_Source: superpowers' test-driven-development skill._

package/gates/verification-gate.md

@@ -0,0 +1,183 @@
+---
+gate: verification-gate
+category: always-on
+severity: blocking
+depends_on: []
+---
+
+# Verification Gate — Verification Required Before Completion
+
+> **Always enabled**. No evidence = no completion. This is the Superpowers "Verification Before Completion" iron rule.
+
+---
+
+## Core Rule
+
+**Do not declare `done`, `fixed`, `passed`, `working`, `okay` unless there is fresh execution evidence.**
+
+---
+
+## Trigger Timing
+
+- Before any agent outputs a "done/fixed/passed" conclusion
+- Before commit messages contain forbidden words
+- Before Phase transitions (research → requirements, requirements → design, etc.)
+
+---
+
+## Forbidden Word List (English + Chinese)
+
+Fresh evidence required to use:
+
+**English**:
+- `done`, `fixed`, `working`, `passed`, `resolved`, `completed`
+- `should work`, `probably`, `likely`, `might work`
+- `seems to`, `appears to`, `looks good`, `looks right`
+- `great!`, `perfect!`, `all set`
+
+**Chinese**:
+- `完成`, `搞定`, `好了`, `可以了`, `修好了`
+- `应该`, `可能`, `大概`, `似乎`, `好像`
+- `看起来没问题`, `应该能工作`
+
+---
+
+## Allowed Conclusions Must Carry Evidence
+
+✗ **Violation**:
+> I fixed the login bug
+
+✓ **Compliant**:
+> I fixed the login bug. Re-running `npm test -- auth/login` produced:
+> ```
+> ✓ login endpoint rejects empty email
+> ✓ login endpoint accepts valid credentials
+> Test Suites: 1 passed, Tests: 2 passed
+> ```
+
+✗ **Violation**:
+> The code looks fine
+
+✓ **Compliant**:
+> Ran `npx tsc --noEmit` → 0 errors
+> Ran `npx eslint src/auth/` → 0 errors, 0 warnings
+
+---
+
+## Evidence Types
+
+| Claim | Required Evidence |
+|------|---------|
+| "Fixed X" | command reproducing X + execution output |
+| "Tests pass" | full `npm test` output including pass count |
+| "Code is valid" | `tsc --noEmit` exit code + output |
+| "API works" | `curl` response + status code |
+| "Deployment succeeded" | deployment log + health check response |
+| "User can log in" | browser / chrome-devtools test screenshot or log |
+| "Performance meets target" | benchmark command + numbers |
+
+---
+
+## Checking Methods
+
+### Agent Built-in (self-check)
+
+Each agent runs an internal check before outputting:
+
+```
+For each conclusion sentence, ask yourself:
+1. Does this sentence contain a forbidden word?
+2. If so, do I have fresh evidence supporting it?
+3. Is the evidence from a just-executed command, or older / assumed?
+4. If the evidence is not fresh or does not exist, re-run or delete this sentence.
+```
+
+### flow-reviewer Agent (external check)
+
+Scan:
+- `commit messages` for forbidden words
+- declarative sentences in `.progress.md`
+- the conclusion section of agent output
+
+---
+
+## Violation Handling
+
+### Severe (block)
+
+- commit message contains forbidden word without evidence
+- `.progress.md` says "done" but has no verify output
+
+**Actions**:
+- Block the commit (pre-commit hook, Phase 4+)
+- Or dispatch flow-executor to re-run Verify and update the record
+- Rewrite the commit message
+
+### Medium (warning)
+
+- Verbally saying "looks good" (not in commit or file)
+- Using "should" as a hypothetical statement (acceptable)
+
+**Action**: mark, non-blocking
+
+---
+
+## Special Cases
+
+### "I already checked"
+
+Not enough. "Checked" is a subjective claim. You need **execution output**.
+
+```
+✗ "I checked that all tests pass"
+✓ "Ran npm test: Test Suites: 5 passed, Tests: 47 passed, Snapshots: 0 total"
+```
+
+### Partial Completion
+
+Do not describe partial completion as complete. Clearly categorize:
+
+```
+✓ Completed:
+  - FR-01 login endpoint: passed (test output)
+  - FR-02 password encryption: passed (test output)
+
+⚠ Partially completed:
+  - FR-03 Token refresh: code written but tests not yet run
+
+✗ Not started:
+  - FR-04 Logout
+```
+
+---
+
+## Output Format
+
+```markdown
+## Verification Gate Check Result
+
+Scan range: commit abc123..def456
+Statements containing forbidden words: 3
+
+[V1] "Login bug fixed" (commit abc123)
+     Evidence: ✗ none (no corresponding test output or verify record found)
+     Verdict: block
+
+[V2] "All tests pass" (.progress.md line 12)
+     Evidence: ✓ "npm test: 47/47 passed" (same file, line 11)
+     Verdict: compliant
+
+[V3] "Should handle concurrency" (design.md AD-05)
+     Evidence: ⚠ "should" is hypothetical tone, acceptable
+     Verdict: warning (recommend adding a spike to verify)
+
+Blockers: 1
+Warnings: 1
+
+Fix recommendations:
+  V1: dispatch flow-executor to run tests, add evidence to the commit message body
+```
+
+---
+
+_Source: superpowers' verification-before-completion skill. CurDX-Flow turns it into a gate._

package/hooks/hooks.json

@@ -0,0 +1,56 @@
+{
+  "hooks": {
+    "SessionStart": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/session-start.sh"
+          }
+        ]
+      }
+    ],
+    "InstructionsLoaded": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/inject-karpathy.sh"
+          }
+        ]
+      }
+    ],
+    "PostToolUseFailure": [
+      {
+        "matcher": "Bash|Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/fail-tracker.sh"
+          }
+        ]
+      }
+    ],
+    "Stop": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/stop-watcher.sh"
+          }
+        ]
+      }
+    ],
+    "PreToolUse": [
+      {
+        "matcher": "AskUserQuestion",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "${CLAUDE_PLUGIN_ROOT}/hooks/scripts/quick-mode-guard.sh"
+          }
+        ]
+      }
+    ]
+  }
+}

package/hooks/scripts/fail-tracker.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+# CurDX-Flow PostToolUseFailure Hook
+# Tracks consecutive tool failures to enable pua integration (Phase 4+).
+# For now, just maintains a counter in plugin data directory.
+#
+# Future: when pua is installed and fail_count >= threshold, auto-invoke /pua:pua.
+
+set -u
+
+DATA_DIR="${CLAUDE_PLUGIN_DATA:-$HOME/.claude/plugins/data/curdx-flow}"
+COUNTER="$DATA_DIR/fail-count"
+
+mkdir -p "$DATA_DIR" 2>/dev/null || true
+
+# Read current count
+CURRENT=0
+[ -f "$COUNTER" ] && CURRENT="$(cat "$COUNTER" 2>/dev/null || echo 0)"
+
+# Increment
+NEXT=$((CURRENT + 1))
+echo "$NEXT" > "$COUNTER" 2>/dev/null || true
+
+# Placeholder for future pua escalation (Phase 4+):
+# if [ "$NEXT" -ge 2 ] && command -v claude >/dev/null 2>&1; then
+#   if claude plugin list 2>/dev/null | grep -q 'pua'; then
+#     # Inject escalation suggestion via hook output
+#     ...
+#   fi
+# fi
+
+exit 0