@devo-bmad-custom/agent-orchestration 1.0.1 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/installer.js +44 -11
- package/package.json +1 -1
- package/src/.agents/skills/audit-website/README.md +20 -20
- package/src/.agents/skills/audit-website/SKILL.md +470 -470
- package/src/.agents/skills/audit-website/agents/openai.yaml +6 -6
- package/src/.agents/skills/audit-website/assets/icon-small.svg +41 -41
- package/src/.agents/skills/audit-website/references/OUTPUT-FORMAT.md +250 -250
- package/src/.agents/skills/clean-code-standards/SKILL.md +104 -104
- package/src/.agents/skills/excalidraw-dark-standard/SKILL.md +281 -281
- package/src/.agents/skills/frontend-responsive-design-standards/SKILL.md +434 -434
- package/src/.agents/skills/java-fundamentals/SKILL.md +116 -116
- package/src/.agents/skills/java-performance/SKILL.md +119 -119
- package/src/.agents/skills/next-best-practices/SKILL.md +153 -153
- package/src/.agents/skills/next-best-practices/async-patterns.md +87 -87
- package/src/.agents/skills/next-best-practices/bundling.md +180 -180
- package/src/.agents/skills/next-best-practices/data-patterns.md +297 -297
- package/src/.agents/skills/next-best-practices/debug-tricks.md +105 -105
- package/src/.agents/skills/next-best-practices/directives.md +73 -73
- package/src/.agents/skills/next-best-practices/error-handling.md +227 -227
- package/src/.agents/skills/next-best-practices/file-conventions.md +140 -140
- package/src/.agents/skills/next-best-practices/font.md +245 -245
- package/src/.agents/skills/next-best-practices/functions.md +108 -108
- package/src/.agents/skills/next-best-practices/hydration-error.md +91 -91
- package/src/.agents/skills/next-best-practices/image.md +173 -173
- package/src/.agents/skills/next-best-practices/metadata.md +301 -301
- package/src/.agents/skills/next-best-practices/parallel-routes.md +287 -287
- package/src/.agents/skills/next-best-practices/route-handlers.md +146 -146
- package/src/.agents/skills/next-best-practices/rsc-boundaries.md +159 -159
- package/src/.agents/skills/next-best-practices/runtime-selection.md +39 -39
- package/src/.agents/skills/next-best-practices/scripts.md +141 -141
- package/src/.agents/skills/next-best-practices/self-hosting.md +371 -371
- package/src/.agents/skills/next-best-practices/suspense-boundaries.md +67 -67
- package/src/.agents/skills/nextjs-app-router-patterns/SKILL.md +537 -537
- package/src/.agents/skills/postgresql-optimization/SKILL.md +404 -404
- package/src/.agents/skills/python-backend/SKILL.md +153 -153
- package/src/.agents/skills/python-fundamentals/SKILL.md +234 -234
- package/src/.agents/skills/python-performance/SKILL.md +404 -404
- package/src/.agents/skills/react-expert/SKILL.md +335 -335
- package/src/.agents/skills/redis-best-practices/SKILL.md +438 -438
- package/src/.agents/skills/security-best-practices/SKILL.md +288 -288
- package/src/.agents/skills/security-review/LICENSE +22 -22
- package/src/.agents/skills/security-review/SKILL.md +312 -312
- package/src/.agents/skills/security-review/infrastructure/docker.md +432 -432
- package/src/.agents/skills/security-review/languages/javascript.md +388 -388
- package/src/.agents/skills/security-review/languages/python.md +363 -363
- package/src/.agents/skills/security-review/references/api-security.md +519 -519
- package/src/.agents/skills/security-review/references/authentication.md +353 -353
- package/src/.agents/skills/security-review/references/authorization.md +372 -372
- package/src/.agents/skills/security-review/references/business-logic.md +443 -443
- package/src/.agents/skills/security-review/references/cryptography.md +329 -329
- package/src/.agents/skills/security-review/references/csrf.md +398 -398
- package/src/.agents/skills/security-review/references/data-protection.md +378 -378
- package/src/.agents/skills/security-review/references/deserialization.md +410 -410
- package/src/.agents/skills/security-review/references/error-handling.md +436 -436
- package/src/.agents/skills/security-review/references/file-security.md +457 -457
- package/src/.agents/skills/security-review/references/injection.md +259 -259
- package/src/.agents/skills/security-review/references/logging.md +433 -433
- package/src/.agents/skills/security-review/references/misconfiguration.md +435 -435
- package/src/.agents/skills/security-review/references/modern-threats.md +475 -475
- package/src/.agents/skills/security-review/references/ssrf.md +415 -415
- package/src/.agents/skills/security-review/references/supply-chain.md +405 -405
- package/src/.agents/skills/security-review/references/xss.md +336 -336
- package/src/.agents/skills/subagent-driven-development/SKILL.md +275 -275
- package/src/.agents/skills/subagent-driven-development/code-quality-reviewer-prompt.md +26 -26
- package/src/.agents/skills/subagent-driven-development/implementer-prompt.md +113 -113
- package/src/.agents/skills/subagent-driven-development/spec-reviewer-prompt.md +61 -61
- package/src/.agents/skills/systematic-debugging/CREATION-LOG.md +119 -119
- package/src/.agents/skills/systematic-debugging/SKILL.md +296 -296
- package/src/.agents/skills/systematic-debugging/condition-based-waiting-example.ts +158 -158
- package/src/.agents/skills/systematic-debugging/condition-based-waiting.md +115 -115
- package/src/.agents/skills/systematic-debugging/defense-in-depth.md +122 -122
- package/src/.agents/skills/systematic-debugging/root-cause-tracing.md +169 -169
- package/src/.agents/skills/systematic-debugging/test-academic.md +14 -14
- package/src/.agents/skills/systematic-debugging/test-pressure-1.md +58 -58
- package/src/.agents/skills/systematic-debugging/test-pressure-2.md +68 -68
- package/src/.agents/skills/systematic-debugging/test-pressure-3.md +69 -69
- package/src/.agents/skills/typescript-best-practices/SKILL.md +373 -373
- package/src/.agents/skills/ui-ux-pro-custom/SKILL.md +348 -348
- package/src/.agents/skills/ui-ux-pro-custom/data/charts.csv +26 -26
- package/src/.agents/skills/ui-ux-pro-custom/data/colors.csv +97 -97
- package/src/.agents/skills/ui-ux-pro-custom/data/icons.csv +101 -101
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/SKILL.md +106 -106
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/accessibility.md +475 -475
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/animation.md +466 -466
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/composition-locals.md +231 -231
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/deprecated-patterns.md +323 -323
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/lists-scrolling.md +400 -400
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/modifiers.md +331 -331
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/navigation.md +416 -416
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/performance.md +446 -446
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/side-effects.md +516 -516
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/source-code/foundation-source.md +13327 -13327
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/source-code/material3-source.md +19097 -19097
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/source-code/navigation-source.md +2947 -2947
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/source-code/runtime-source.md +11316 -11316
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/source-code/ui-source.md +7896 -7896
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/state-management.md +377 -377
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/styles-experimental.md +470 -470
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/theming-material3.md +349 -349
- package/src/.agents/skills/ui-ux-pro-custom/data/jetpack-compose-expert-skill/references/view-composition.md +595 -595
- package/src/.agents/skills/ui-ux-pro-custom/data/landing.csv +31 -31
- package/src/.agents/skills/ui-ux-pro-custom/data/mobile-ui-layout.md +654 -654
- package/src/.agents/skills/ui-ux-pro-custom/data/products.csv +96 -96
- package/src/.agents/skills/ui-ux-pro-custom/data/react-performance.csv +45 -45
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/astro.csv +54 -54
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/flutter.csv +53 -53
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/html-tailwind.csv +56 -56
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/jetpack-compose.csv +53 -53
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/nextjs.csv +53 -53
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/nuxt-ui.csv +51 -51
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/nuxtjs.csv +59 -59
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/react-native.csv +56 -56
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/react.csv +54 -54
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/shadcn.csv +61 -61
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/svelte.csv +54 -54
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/swiftui.csv +51 -51
- package/src/.agents/skills/ui-ux-pro-custom/data/stacks/vue.csv +50 -50
- package/src/.agents/skills/ui-ux-pro-custom/data/styles.csv +68 -68
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/alarmkit/SKILL.md +438 -438
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/alarmkit/references/alarmkit-patterns.md +584 -584
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/app-clips/SKILL.md +436 -436
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/app-intents/SKILL.md +489 -489
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/app-intents/references/appintents-advanced.md +1076 -1076
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/app-store-review/SKILL.md +340 -340
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/app-store-review/references/privacy-manifest.md +90 -90
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/app-store-review/references/review-checklists.md +106 -106
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/apple-on-device-ai/SKILL.md +500 -500
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/apple-on-device-ai/references/coreml-conversion.md +425 -425
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/apple-on-device-ai/references/coreml-optimization.md +344 -344
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/apple-on-device-ai/references/foundation-models.md +508 -508
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/apple-on-device-ai/references/mlx-swift.md +285 -285
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/authentication/SKILL.md +496 -496
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/authentication/references/keychain-biometric.md +211 -211
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/background-processing/SKILL.md +499 -499
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/background-processing/references/background-task-patterns.md +390 -390
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/callkit-voip/SKILL.md +461 -461
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/callkit-voip/references/callkit-patterns.md +425 -425
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/cloudkit-sync/SKILL.md +492 -492
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/cloudkit-sync/references/cloudkit-patterns.md +461 -461
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/codable-patterns/SKILL.md +467 -467
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/contacts-framework/SKILL.md +425 -425
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/contacts-framework/references/contacts-patterns.md +409 -409
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/core-bluetooth/SKILL.md +491 -491
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/core-bluetooth/references/ble-patterns.md +435 -435
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/core-motion/SKILL.md +388 -388
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/core-motion/references/motion-patterns.md +405 -405
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/core-nfc/SKILL.md +495 -495
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/core-nfc/references/nfc-patterns.md +420 -420
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/coreml/SKILL.md +459 -459
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/coreml/references/coreml-swift-integration.md +765 -765
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/debugging-instruments/SKILL.md +422 -422
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/debugging-instruments/references/instruments-guide.md +387 -387
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/debugging-instruments/references/lldb-patterns.md +298 -298
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/device-integrity/SKILL.md +477 -477
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/energykit/SKILL.md +460 -460
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/energykit/references/energykit-patterns.md +541 -541
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/eventkit-calendar/SKILL.md +483 -483
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/eventkit-calendar/references/eventkit-patterns.md +326 -326
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/healthkit/SKILL.md +498 -498
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/healthkit/references/healthkit-patterns.md +602 -602
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/homekit-matter/SKILL.md +496 -496
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/homekit-matter/references/matter-commissioning.md +455 -455
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-accessibility/SKILL.md +301 -301
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-accessibility/references/a11y-patterns.md +140 -140
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-localization/SKILL.md +418 -418
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-localization/references/formatstyle-locale.md +627 -627
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-localization/references/string-catalogs.md +462 -462
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-networking/SKILL.md +441 -441
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-networking/references/background-websocket.md +862 -862
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-networking/references/lightweight-clients.md +93 -93
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-networking/references/network-framework.md +563 -563
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-networking/references/urlsession-patterns.md +1116 -1116
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-security/SKILL.md +496 -496
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-security/references/app-review-guidelines.md +174 -174
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-security/references/cryptokit-advanced.md +296 -296
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-security/references/file-storage-patterns.md +354 -354
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/ios-security/references/privacy-manifest.md +117 -117
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/live-activities/SKILL.md +500 -500
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/live-activities/references/live-activity-patterns.md +868 -868
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/mapkit-location/SKILL.md +485 -485
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/mapkit-location/references/corelocation-patterns.md +730 -730
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/mapkit-location/references/mapkit-patterns.md +748 -748
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/metrickit-diagnostics/SKILL.md +479 -479
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/musickit-audio/SKILL.md +395 -395
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/musickit-audio/references/musickit-patterns.md +363 -363
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/natural-language/SKILL.md +412 -412
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/natural-language/references/translation-patterns.md +311 -311
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/passkit-wallet/SKILL.md +398 -398
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/passkit-wallet/references/wallet-passes.md +254 -254
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/pencilkit-drawing/SKILL.md +387 -387
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/pencilkit-drawing/references/paperkit-integration.md +376 -376
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/pencilkit-drawing/references/pencilkit-patterns.md +302 -302
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/permissionkit/SKILL.md +446 -446
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/permissionkit/references/permissionkit-patterns.md +435 -435
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/photos-camera-media/SKILL.md +500 -500
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/photos-camera-media/references/av-playback.md +701 -701
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/photos-camera-media/references/camera-capture.md +774 -774
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/photos-camera-media/references/image-loading-caching.md +869 -869
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/photos-camera-media/references/photospicker-patterns.md +597 -597
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/push-notifications/SKILL.md +500 -500
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/push-notifications/references/notification-patterns.md +677 -677
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/push-notifications/references/rich-notifications.md +745 -745
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/realitykit-ar/SKILL.md +479 -479
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/realitykit-ar/references/realitykit-patterns.md +480 -480
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/shareplay-activities/SKILL.md +483 -483
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/shareplay-activities/references/shareplay-patterns.md +544 -544
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/speech-recognition/SKILL.md +485 -485
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/storekit/SKILL.md +478 -478
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/storekit/references/app-review-guidelines.md +58 -58
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/storekit/references/storekit-advanced.md +755 -755
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-charts/SKILL.md +487 -487
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-charts/references/charts-patterns.md +895 -895
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-concurrency/SKILL.md +408 -408
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-concurrency/references/approachable-concurrency.md +80 -80
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-concurrency/references/swift-6-2-concurrency.md +233 -233
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-concurrency/references/swiftui-concurrency.md +187 -187
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-concurrency/references/synchronization-primitives.md +341 -341
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-language/SKILL.md +498 -498
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-language/references/swift-patterns-extended.md +505 -505
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-testing/SKILL.md +467 -467
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swift-testing/references/testing-patterns.md +504 -504
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftdata/SKILL.md +334 -334
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftdata/references/core-data-coexistence.md +504 -504
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftdata/references/swiftdata-advanced.md +975 -975
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftdata/references/swiftdata-queries.md +675 -675
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-animation/SKILL.md +481 -481
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-animation/references/animation-advanced.md +804 -804
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-animation/references/core-animation-bridge.md +553 -553
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-gestures/SKILL.md +450 -450
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-gestures/references/gesture-patterns.md +425 -425
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-layout-components/SKILL.md +336 -336
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-layout-components/references/form.md +97 -97
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-layout-components/references/grids.md +69 -69
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-layout-components/references/list.md +99 -99
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-layout-components/references/scrollview.md +147 -147
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-liquid-glass/SKILL.md +325 -325
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-liquid-glass/references/liquid-glass.md +387 -387
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-navigation/SKILL.md +262 -262
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-navigation/references/deeplinks.md +207 -207
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-navigation/references/navigationstack.md +177 -177
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-navigation/references/sheets.md +169 -169
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-navigation/references/tabview.md +178 -178
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-patterns/SKILL.md +381 -381
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-patterns/references/architecture-patterns.md +486 -486
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-patterns/references/deprecated-migration.md +1097 -1097
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-patterns/references/design-polish.md +780 -780
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-patterns/references/platform-and-sharing.md +696 -696
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-performance/SKILL.md +491 -491
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-performance/references/demystify-swiftui-performance-wwdc23.md +46 -46
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-performance/references/optimizing-swiftui-performance-instruments.md +29 -29
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-performance/references/understanding-hangs-in-your-app.md +33 -33
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-performance/references/understanding-improving-swiftui-performance.md +52 -52
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-uikit-interop/SKILL.md +428 -428
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-uikit-interop/references/hosting-migration.md +534 -534
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/swiftui-uikit-interop/references/representable-recipes.md +1133 -1133
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/tipkit/SKILL.md +494 -494
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/tipkit/references/tipkit-patterns.md +782 -782
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/vision-framework/SKILL.md +475 -475
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/vision-framework/references/vision-requests.md +736 -736
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/vision-framework/references/visionkit-scanner.md +738 -738
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/weatherkit/SKILL.md +410 -410
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/weatherkit/references/weatherkit-patterns.md +567 -567
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/widgetkit/SKILL.md +497 -497
- package/src/.agents/skills/ui-ux-pro-custom/data/swift-ios-skills/widgetkit/references/widgetkit-advanced.md +871 -871
- package/src/.agents/skills/ui-ux-pro-custom/data/typography.csv +57 -57
- package/src/.agents/skills/ui-ux-pro-custom/data/ui-reasoning.csv +101 -101
- package/src/.agents/skills/ui-ux-pro-custom/data/ux-guidelines.csv +99 -99
- package/src/.agents/skills/ui-ux-pro-custom/data/web-interface.csv +31 -31
- package/src/.agents/skills/ui-ux-pro-custom/scripts/core.py +253 -253
- package/src/.agents/skills/ui-ux-pro-custom/scripts/design_system.py +1067 -1067
- package/src/.agents/skills/ui-ux-pro-custom/scripts/search.py +114 -114
- package/src/.agents/skills/ux-audit/SKILL.md +150 -150
- package/src/.agents/skills/websocket-engineer/SKILL.md +168 -168
- package/src/.agents/skills/websocket-engineer/references/alternatives.md +391 -391
- package/src/.agents/skills/websocket-engineer/references/patterns.md +400 -400
- package/src/.agents/skills/websocket-engineer/references/protocol.md +195 -195
- package/src/.agents/skills/websocket-engineer/references/scaling.md +333 -333
- package/src/.agents/skills/websocket-engineer/references/security.md +474 -474
- package/src/.agents/skills/writing-skills/SKILL.md +655 -655
- package/src/.agents/skills/writing-skills/anthropic-best-practices.md +1150 -1150
- package/src/.agents/skills/writing-skills/examples/CLAUDE_MD_TESTING.md +189 -189
- package/src/.agents/skills/writing-skills/graphviz-conventions.dot +171 -171
- package/src/.agents/skills/writing-skills/persuasion-principles.md +187 -187
- package/src/.agents/skills/writing-skills/render-graphs.js +168 -168
- package/src/.agents/skills/writing-skills/testing-skills-with-subagents.md +384 -384
- package/src/.claude/commands/bmad-track-compact.md +1 -1
- package/src/.claude/commands/bmad-track-extended.md +1 -1
- package/src/.claude/commands/bmad-track-large.md +1 -1
- package/src/.claude/commands/bmad-track-medium.md +1 -1
- package/src/.claude/commands/bmad-track-nano.md +1 -1
- package/src/.claude/commands/bmad-track-rv.md +1 -1
- package/src/.claude/commands/bmad-track-small.md +1 -1
- package/src/.claude/commands/master-orchestrator.md +15 -0
- package/src/_memory/config.yaml +11 -11
- package/src/_memory/master-orchestrator-sidecar/instructions.md +85 -32
- package/src/_memory/skills/nimbalyst-tracking/SKILL.md +103 -103
- package/src/_memory/skills/writing-skills/SKILL.md +655 -655
- package/src/bmb/agents/agent-builder.md +59 -59
- package/src/bmb/agents/module-builder.md +60 -60
- package/src/bmb/agents/workflow-builder.md +61 -61
- package/src/bmb/config.yaml +12 -12
- package/src/bmb/module-help.csv +13 -13
- package/src/bmb/workflows/agent/data/agent-architecture.md +258 -258
- package/src/bmb/workflows/agent/data/agent-compilation.md +185 -185
- package/src/bmb/workflows/agent/data/agent-menu-patterns.md +189 -189
- package/src/bmb/workflows/agent/data/agent-metadata.md +133 -133
- package/src/bmb/workflows/agent/data/agent-validation.md +111 -111
- package/src/bmb/workflows/agent/data/brainstorm-context.md +96 -96
- package/src/bmb/workflows/agent/data/communication-presets.csv +61 -61
- package/src/bmb/workflows/agent/data/critical-actions.md +75 -75
- package/src/bmb/workflows/agent/data/persona-properties.md +252 -252
- package/src/bmb/workflows/agent/data/principles-crafting.md +142 -142
- package/src/bmb/workflows/agent/data/reference/module-examples/architect.md +68 -68
- package/src/bmb/workflows/agent/data/reference/with-sidecar/journal-keeper/journal-keeper-sidecar/entries/yy-mm-dd-entry-template.md +16 -16
- package/src/bmb/workflows/agent/data/understanding-agent-types.md +126 -126
- package/src/bmb/workflows/agent/steps-c/step-01-brainstorm.md +129 -129
- package/src/bmb/workflows/agent/steps-c/step-02-discovery.md +170 -170
- package/src/bmb/workflows/agent/steps-c/step-03-sidecar-metadata.md +309 -309
- package/src/bmb/workflows/agent/steps-c/step-04-persona.md +213 -213
- package/src/bmb/workflows/agent/steps-c/step-05-commands-menu.md +179 -179
- package/src/bmb/workflows/agent/steps-c/step-06-activation.md +278 -278
- package/src/bmb/workflows/agent/steps-c/step-07-build-agent.md +316 -316
- package/src/bmb/workflows/agent/steps-c/step-08-celebrate.md +247 -247
- package/src/bmb/workflows/agent/steps-e/e-01-load-existing.md +221 -221
- package/src/bmb/workflows/agent/steps-e/e-02-discover-edits.md +195 -195
- package/src/bmb/workflows/agent/steps-e/e-04-sidecar-metadata.md +126 -126
- package/src/bmb/workflows/agent/steps-e/e-05-persona.md +135 -135
- package/src/bmb/workflows/agent/steps-e/e-06-commands-menu.md +123 -123
- package/src/bmb/workflows/agent/steps-e/e-07-activation.md +124 -124
- package/src/bmb/workflows/agent/steps-e/e-08-edit-agent.md +197 -197
- package/src/bmb/workflows/agent/steps-e/e-09-celebrate.md +155 -155
- package/src/bmb/workflows/agent/steps-v/v-01-load-review.md +137 -137
- package/src/bmb/workflows/agent/steps-v/v-02a-validate-metadata.md +116 -116
- package/src/bmb/workflows/agent/steps-v/v-02b-validate-persona.md +124 -124
- package/src/bmb/workflows/agent/steps-v/v-02c-validate-menu.md +127 -127
- package/src/bmb/workflows/agent/steps-v/v-02d-validate-structure.md +134 -134
- package/src/bmb/workflows/agent/steps-v/v-02e-validate-sidecar.md +134 -134
- package/src/bmb/workflows/agent/steps-v/v-03-summary.md +104 -104
- package/src/bmb/workflows/agent/templates/agent-plan.template.md +5 -5
- package/src/bmb/workflows/agent/templates/agent-template.md +89 -89
- package/src/bmb/workflows/agent/workflow-create-agent.md +72 -72
- package/src/bmb/workflows/agent/workflow-edit-agent.md +75 -75
- package/src/bmb/workflows/agent/workflow-validate-agent.md +73 -73
- package/src/bmb/workflows/module/data/agent-architecture.md +179 -179
- package/src/bmb/workflows/module/data/agent-spec-template.md +79 -79
- package/src/bmb/workflows/module/data/module-standards.md +263 -263
- package/src/bmb/workflows/module/data/module-yaml-conventions.md +392 -392
- package/src/bmb/workflows/module/module-help-generate.md +254 -254
- package/src/bmb/workflows/module/steps-b/step-01-welcome.md +148 -148
- package/src/bmb/workflows/module/steps-b/step-02-spark.md +141 -141
- package/src/bmb/workflows/module/steps-b/step-03-module-type.md +149 -149
- package/src/bmb/workflows/module/steps-b/step-04-vision.md +83 -83
- package/src/bmb/workflows/module/steps-b/step-05-identity.md +97 -97
- package/src/bmb/workflows/module/steps-b/step-06-users.md +86 -86
- package/src/bmb/workflows/module/steps-b/step-07-value.md +76 -76
- package/src/bmb/workflows/module/steps-b/step-08-agents.md +97 -97
- package/src/bmb/workflows/module/steps-b/step-09-workflows.md +83 -83
- package/src/bmb/workflows/module/steps-b/step-10-tools.md +91 -91
- package/src/bmb/workflows/module/steps-b/step-11-scenarios.md +84 -84
- package/src/bmb/workflows/module/steps-b/step-12-creative.md +95 -95
- package/src/bmb/workflows/module/steps-b/step-13-review.md +105 -105
- package/src/bmb/workflows/module/steps-b/step-14-finalize.md +117 -117
- package/src/bmb/workflows/module/steps-c/step-01-load-brief.md +179 -179
- package/src/bmb/workflows/module/steps-c/step-01b-continue.md +82 -82
- package/src/bmb/workflows/module/steps-c/step-02-structure.md +105 -105
- package/src/bmb/workflows/module/steps-c/step-03-config.md +119 -119
- package/src/bmb/workflows/module/steps-c/step-04-agents.md +168 -168
- package/src/bmb/workflows/module/steps-c/step-05-workflows.md +184 -184
- package/src/bmb/workflows/module/steps-c/step-06-docs.md +401 -401
- package/src/bmb/workflows/module/steps-c/step-07-complete.md +152 -152
- package/src/bmb/workflows/module/steps-e/step-01-load-target.md +81 -81
- package/src/bmb/workflows/module/steps-e/step-02-select-edit.md +77 -77
- package/src/bmb/workflows/module/steps-e/step-03-apply-edit.md +77 -77
- package/src/bmb/workflows/module/steps-e/step-04-review.md +80 -80
- package/src/bmb/workflows/module/steps-e/step-05-confirm.md +75 -75
- package/src/bmb/workflows/module/steps-v/step-01-load-target.md +96 -96
- package/src/bmb/workflows/module/steps-v/step-02-file-structure.md +93 -93
- package/src/bmb/workflows/module/steps-v/step-03-module-yaml.md +99 -99
- package/src/bmb/workflows/module/steps-v/step-04-agent-specs.md +152 -152
- package/src/bmb/workflows/module/steps-v/step-05-workflow-specs.md +152 -152
- package/src/bmb/workflows/module/steps-v/step-06-documentation.md +143 -143
- package/src/bmb/workflows/module/steps-v/step-07-installation.md +102 -102
- package/src/bmb/workflows/module/steps-v/step-08-report.md +197 -197
- package/src/bmb/workflows/module/templates/brief-template.md +154 -154
- package/src/bmb/workflows/module/templates/workflow-spec-template.md +96 -96
- package/src/bmb/workflows/module/workflow-create-module-brief.md +71 -71
- package/src/bmb/workflows/module/workflow-create-module.md +86 -86
- package/src/bmb/workflows/module/workflow-edit-module.md +66 -66
- package/src/bmb/workflows/module/workflow-validate-module.md +66 -66
- package/src/bmb/workflows/workflow/data/architecture.md +150 -150
- package/src/bmb/workflows/workflow/data/common-workflow-tools.csv +19 -19
- package/src/bmb/workflows/workflow/data/csv-data-file-standards.md +53 -53
- package/src/bmb/workflows/workflow/data/frontmatter-standards.md +184 -184
- package/src/bmb/workflows/workflow/data/input-discovery-standards.md +191 -191
- package/src/bmb/workflows/workflow/data/intent-vs-prescriptive-spectrum.md +44 -44
- package/src/bmb/workflows/workflow/data/menu-handling-standards.md +133 -133
- package/src/bmb/workflows/workflow/data/output-format-standards.md +135 -135
- package/src/bmb/workflows/workflow/data/step-file-rules.md +235 -235
- package/src/bmb/workflows/workflow/data/step-type-patterns.md +257 -257
- package/src/bmb/workflows/workflow/data/subprocess-optimization-patterns.md +188 -188
- package/src/bmb/workflows/workflow/data/trimodal-workflow-structure.md +164 -164
- package/src/bmb/workflows/workflow/data/workflow-chaining-standards.md +222 -222
- package/src/bmb/workflows/workflow/data/workflow-examples.md +232 -232
- package/src/bmb/workflows/workflow/data/workflow-type-criteria.md +134 -134
- package/src/bmb/workflows/workflow/steps-c/step-00-conversion.md +263 -263
- package/src/bmb/workflows/workflow/steps-c/step-01-discovery.md +194 -194
- package/src/bmb/workflows/workflow/steps-c/step-01b-continuation.md +3 -3
- package/src/bmb/workflows/workflow/steps-c/step-02-classification.md +270 -270
- package/src/bmb/workflows/workflow/steps-c/step-03-requirements.md +283 -283
- package/src/bmb/workflows/workflow/steps-c/step-04-tools.md +282 -282
- package/src/bmb/workflows/workflow/steps-c/step-05-plan-review.md +243 -243
- package/src/bmb/workflows/workflow/steps-c/step-06-design.md +330 -330
- package/src/bmb/workflows/workflow/steps-c/step-07-foundation.md +239 -239
- package/src/bmb/workflows/workflow/steps-c/step-08-build-step-01.md +379 -379
- package/src/bmb/workflows/workflow/steps-c/step-09-build-next-step.md +350 -350
- package/src/bmb/workflows/workflow/steps-c/step-10-confirmation.md +322 -322
- package/src/bmb/workflows/workflow/steps-c/step-11-completion.md +191 -191
- package/src/bmb/workflows/workflow/steps-e/step-e-01-assess-workflow.md +237 -237
- package/src/bmb/workflows/workflow/steps-e/step-e-02-discover-edits.md +251 -251
- package/src/bmb/workflows/workflow/steps-e/step-e-03-fix-validation.md +254 -254
- package/src/bmb/workflows/workflow/steps-e/step-e-04-direct-edit.md +277 -277
- package/src/bmb/workflows/workflow/steps-e/step-e-05-apply-edit.md +154 -154
- package/src/bmb/workflows/workflow/steps-e/step-e-06-validate-after.md +190 -190
- package/src/bmb/workflows/workflow/steps-e/step-e-07-complete.md +206 -206
- package/src/bmb/workflows/workflow/steps-v/step-01-validate-max-mode.md +109 -109
- package/src/bmb/workflows/workflow/steps-v/step-01-validate.md +221 -221
- package/src/bmb/workflows/workflow/steps-v/step-01b-structure.md +152 -152
- package/src/bmb/workflows/workflow/steps-v/step-02-frontmatter-validation.md +199 -199
- package/src/bmb/workflows/workflow/steps-v/step-02b-path-violations.md +265 -265
- package/src/bmb/workflows/workflow/steps-v/step-03-menu-validation.md +164 -164
- package/src/bmb/workflows/workflow/steps-v/step-04-step-type-validation.md +211 -211
- package/src/bmb/workflows/workflow/steps-v/step-05-output-format-validation.md +200 -200
- package/src/bmb/workflows/workflow/steps-v/step-06-validation-design-check.md +195 -195
- package/src/bmb/workflows/workflow/steps-v/step-07-instruction-style-check.md +209 -209
- package/src/bmb/workflows/workflow/steps-v/step-08-collaborative-experience-check.md +199 -199
- package/src/bmb/workflows/workflow/steps-v/step-08b-subprocess-optimization.md +179 -179
- package/src/bmb/workflows/workflow/steps-v/step-09-cohesive-review.md +186 -186
- package/src/bmb/workflows/workflow/steps-v/step-10-report-complete.md +154 -154
- package/src/bmb/workflows/workflow/steps-v/step-11-plan-validation.md +237 -237
- package/src/bmb/workflows/workflow/templates/minimal-output-template.md +11 -11
- package/src/bmb/workflows/workflow/templates/step-01-init-continuable-template.md +241 -241
- package/src/bmb/workflows/workflow/templates/step-1b-template.md +224 -224
- package/src/bmb/workflows/workflow/templates/step-template.md +294 -294
- package/src/bmb/workflows/workflow/templates/workflow-template.md +102 -102
- package/src/bmb/workflows/workflow/workflow-create-workflow.md +79 -79
- package/src/bmb/workflows/workflow/workflow-edit-workflow.md +65 -65
- package/src/bmb/workflows/workflow/workflow-rework-workflow.md +65 -65
- package/src/bmb/workflows/workflow/workflow-validate-max-parallel-workflow.md +66 -66
- package/src/bmb/workflows/workflow/workflow-validate-workflow.md +65 -65
- package/src/bmm/agents/analyst.md +104 -104
- package/src/bmm/agents/dev.md +100 -100
- package/src/bmm/agents/qa.md +100 -90
- package/src/bmm/agents/review-agent.md +1 -1
- package/src/bmm/agents/tech-writer/tech-writer.md +94 -94
- package/src/bmm/module-help.csv +31 -31
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-01-init.md +115 -115
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-01b-continue.md +107 -107
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-02-vision.md +141 -141
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-03-users.md +144 -144
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-04-metrics.md +147 -147
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-05-scope.md +161 -161
- package/src/bmm/workflows/1-analysis/create-product-brief/steps/step-06-complete.md +99 -99
- package/src/bmm/workflows/1-analysis/create-product-brief/workflow.md +57 -57
- package/src/bmm/workflows/1-analysis/research/domain-steps/step-01-init.md +87 -87
- package/src/bmm/workflows/1-analysis/research/domain-steps/step-02-domain-analysis.md +156 -156
- package/src/bmm/workflows/1-analysis/research/domain-steps/step-03-competitive-landscape.md +165 -165
- package/src/bmm/workflows/1-analysis/research/domain-steps/step-04-regulatory-focus.md +140 -140
- package/src/bmm/workflows/1-analysis/research/domain-steps/step-05-technical-trends.md +152 -152
- package/src/bmm/workflows/1-analysis/research/domain-steps/step-06-research-synthesis.md +345 -345
- package/src/bmm/workflows/1-analysis/research/market-steps/step-01-init.md +92 -92
- package/src/bmm/workflows/1-analysis/research/market-steps/step-02-customer-behavior.md +164 -164
- package/src/bmm/workflows/1-analysis/research/market-steps/step-03-customer-pain-points.md +174 -174
- package/src/bmm/workflows/1-analysis/research/market-steps/step-04-customer-decisions.md +184 -184
- package/src/bmm/workflows/1-analysis/research/market-steps/step-05-competitive-analysis.md +105 -105
- package/src/bmm/workflows/1-analysis/research/market-steps/step-06-research-completion.md +360 -360
- package/src/bmm/workflows/1-analysis/research/technical-steps/step-01-init.md +87 -87
- package/src/bmm/workflows/1-analysis/research/technical-steps/step-02-technical-overview.md +165 -165
- package/src/bmm/workflows/1-analysis/research/technical-steps/step-03-integration-patterns.md +174 -174
- package/src/bmm/workflows/1-analysis/research/technical-steps/step-04-architectural-patterns.md +141 -141
- package/src/bmm/workflows/1-analysis/research/technical-steps/step-05-implementation-research.md +159 -159
- package/src/bmm/workflows/1-analysis/research/technical-steps/step-06-research-synthesis.md +387 -387
- package/src/bmm/workflows/1-analysis/research/workflow-domain-research.md +54 -54
- package/src/bmm/workflows/1-analysis/research/workflow-market-research.md +54 -54
- package/src/bmm/workflows/1-analysis/research/workflow-technical-research.md +54 -54
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-01b-continue.md +100 -100
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-02-discovery.md +160 -160
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-02b-vision.md +88 -88
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-02c-executive-summary.md +99 -99
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-03-success.md +169 -169
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-04-journeys.md +156 -156
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-05-domain.md +136 -136
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-06-innovation.md +176 -176
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-07-project-type.md +184 -184
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-08-scoping.md +174 -174
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-09-functional.md +175 -175
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-10-nonfunctional.md +189 -189
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-11-polish.md +162 -162
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-c/step-12-complete.md +79 -79
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-e/step-e-01-discovery.md +183 -183
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-e/step-e-01b-legacy-conversion.md +149 -149
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-e/step-e-02-review.md +187 -187
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-e/step-e-03-edit.md +192 -192
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-e/step-e-04-complete.md +108 -108
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-01-discovery.md +166 -166
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-02-format-detection.md +131 -131
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-02b-parity-check.md +150 -150
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-03-density-validation.md +118 -118
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-04-brief-coverage-validation.md +155 -155
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-05-measurability-validation.md +170 -170
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-06-traceability-validation.md +158 -158
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-07-implementation-leakage-validation.md +147 -147
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-08-domain-compliance-validation.md +182 -182
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-09-project-type-validation.md +202 -202
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-10-smart-validation.md +148 -148
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-11-holistic-quality-validation.md +201 -201
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-12-completeness-validation.md +179 -179
- package/src/bmm/workflows/2-plan-workflows/create-prd/steps-v/step-v-13-report-complete.md +164 -164
- package/src/bmm/workflows/2-plan-workflows/create-prd/workflow-create-prd.md +65 -65
- package/src/bmm/workflows/2-plan-workflows/create-prd/workflow-edit-prd.md +65 -65
- package/src/bmm/workflows/2-plan-workflows/create-prd/workflow-validate-prd.md +63 -63
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-01b-continue.md +63 -63
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-02-discovery.md +106 -106
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-03-core-experience.md +111 -111
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-04-emotional-response.md +115 -115
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-05-inspiration.md +127 -127
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-06-design-system.md +167 -167
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-07-defining-experience.md +143 -143
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-08-visual-foundation.md +118 -118
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-09-design-directions.md +154 -154
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-10-user-journeys.md +136 -136
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-11-component-strategy.md +165 -165
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-12-ux-patterns.md +135 -135
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-13-responsive-accessibility.md +192 -192
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/steps/step-14-complete.md +101 -101
- package/src/bmm/workflows/2-plan-workflows/create-ux-design/workflow.md +45 -45
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/steps/step-01-document-discovery.md +185 -185
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/steps/step-02-prd-analysis.md +129 -129
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/steps/step-03-epic-coverage-validation.md +130 -130
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/steps/step-04-ux-alignment.md +93 -93
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/steps/step-05-epic-quality-review.md +196 -196
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/steps/step-06-final-assessment.md +129 -129
- package/src/bmm/workflows/3-solutioning/check-implementation-readiness/workflow.md +54 -54
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-01b-continue.md +82 -82
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-02-context.md +106 -106
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-03-starter.md +138 -138
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-04-decisions.md +129 -129
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-05-patterns.md +166 -166
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-06-structure.md +186 -186
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-07-validation.md +163 -163
- package/src/bmm/workflows/3-solutioning/create-architecture/steps/step-08-complete.md +38 -38
- package/src/bmm/workflows/3-solutioning/create-architecture/workflow.md +49 -49
- package/src/bmm/workflows/3-solutioning/create-epics-and-stories/steps/step-02-design-epics.md +124 -124
- package/src/bmm/workflows/3-solutioning/create-epics-and-stories/steps/step-03-create-stories.md +122 -122
- package/src/bmm/workflows/3-solutioning/create-epics-and-stories/steps/step-04-final-validation.md +84 -84
- package/src/bmm/workflows/3-solutioning/create-epics-and-stories/workflow.md +58 -58
- package/src/bmm/workflows/4-implementation/code-review/workflow.yaml +43 -43
- package/src/bmm/workflows/4-implementation/correct-course/workflow.yaml +53 -53
- package/src/bmm/workflows/4-implementation/create-story/checklist.md +159 -159
- package/src/bmm/workflows/4-implementation/create-story/template.md +79 -79
- package/src/bmm/workflows/4-implementation/create-story/workflow.yaml +52 -52
- package/src/bmm/workflows/4-implementation/dev-story/workflow.yaml +20 -20
- package/src/bmm/workflows/4-implementation/retrospective/workflow.yaml +52 -52
- package/src/bmm/workflows/4-implementation/sprint-planning/workflow.yaml +52 -52
- package/src/bmm/workflows/4-implementation/sprint-status/workflow.yaml +25 -25
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/steps/step-01-mode-detection.md +158 -158
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/steps/step-02-context-gathering.md +122 -122
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/steps/step-03-execute.md +93 -93
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/steps/step-04-self-check.md +93 -93
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/steps/step-05-adversarial-review.md +87 -87
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/steps/step-06-resolve-findings.md +146 -146
- package/src/bmm/workflows/bmad-quick-flow/quick-dev/workflow.md +50 -50
- package/src/bmm/workflows/bmad-quick-flow/quick-spec/steps/step-02-investigate.md +152 -152
- package/src/bmm/workflows/bmad-quick-flow/quick-spec/steps/step-03-generate.md +123 -123
- package/src/bmm/workflows/bmad-quick-flow/quick-spec/steps/step-04-review.md +201 -201
- package/src/bmm/workflows/bmad-quick-flow/quick-spec/workflow.md +79 -79
- package/src/bmm/workflows/document-project/workflow.yaml +22 -22
- package/src/bmm/workflows/generate-project-context/steps/step-01-discover.md +184 -184
- package/src/bmm/workflows/generate-project-context/steps/step-02-generate.md +322 -322
- package/src/bmm/workflows/generate-project-context/steps/step-03-complete.md +235 -235
- package/src/bmm/workflows/generate-project-context/workflow.md +49 -49
- package/src/bmm/workflows/qa/automate/workflow.yaml +233 -233
- package/src/bmm/workflows/qa-generate-e2e-tests/workflow.yaml +42 -42
- package/src/core/agents/master-orchestrator.md +3 -3
- package/src/core/config.yaml +9 -9
- package/src/core/module-help.csv +10 -10
- package/src/core/scripts/generate-loop-report.py +72 -72
- package/src/core/tasks/editorial-review-prose.xml +101 -101
- package/src/core/tasks/editorial-review-structure.xml +207 -207
- package/src/core/tasks/help.md +86 -86
- package/src/core/tasks/index-docs.xml +64 -64
- package/src/core/tasks/review-adversarial-general.xml +66 -66
- package/src/core/tasks/review-adversarial-loop.xml +46 -46
- package/src/core/tasks/review-edge-case-hunter.xml +63 -63
- package/src/core/tasks/review-party-loop.xml +46 -46
- package/src/core/tasks/shard-doc.xml +107 -107
- package/src/core/tasks/workflow.xml +235 -235
- package/src/core/templates/review-loop-report.html +88 -88
- package/src/core/templates/review-loop-report.md +5 -5
- package/src/core/workflows/advanced-elicitation/workflow.xml +117 -117
- package/src/core/workflows/brainstorming/steps/step-01-session-setup.md +212 -212
- package/src/core/workflows/brainstorming/steps/step-01b-continue.md +122 -122
- package/src/core/workflows/brainstorming/steps/step-02a-user-selected.md +225 -225
- package/src/core/workflows/brainstorming/steps/step-02b-ai-recommended.md +237 -237
- package/src/core/workflows/brainstorming/steps/step-02c-random-selection.md +209 -209
- package/src/core/workflows/brainstorming/steps/step-02d-progressive-flow.md +264 -264
- package/src/core/workflows/brainstorming/steps/step-02e-deep-dive.md +68 -68
- package/src/core/workflows/brainstorming/steps/step-03-technique-execution.md +403 -403
- package/src/core/workflows/brainstorming/steps/step-04-idea-organization.md +303 -303
- package/src/core/workflows/brainstorming/workflow.md +60 -60
- package/src/core/workflows/extract-trackers/workflow.md +45 -45
- package/src/core/workflows/party-mode/steps/step-01-agent-loading.md +142 -142
- package/src/core/workflows/party-mode/workflow.md +194 -194
- package/src/docs/dev/tmux/actions_popup.py +291 -291
- package/src/docs/dev/tmux/tmux-setup.md +62 -1
|
@@ -1,372 +1,372 @@
|
|
|
1
|
-
# Authorization Security Reference
|
|
2
|
-
|
|
3
|
-
## Overview
|
|
4
|
-
|
|
5
|
-
Authorization verifies that a requested action or service is approved for a specific entity—distinct from authentication, which verifies identity. A user who has been authenticated is often not authorized to access every resource and perform every action.
|
|
6
|
-
|
|
7
|
-
## Core Principles
|
|
8
|
-
|
|
9
|
-
### 1. Deny by Default
|
|
10
|
-
|
|
11
|
-
Every permission must be explicitly granted. The default position is denial.
|
|
12
|
-
|
|
13
|
-
```python
|
|
14
|
-
# VULNERABLE: Implicit allow
|
|
15
|
-
def get_document(request, doc_id):
|
|
16
|
-
return Document.objects.get(id=doc_id)
|
|
17
|
-
|
|
18
|
-
# SAFE: Explicit authorization
|
|
19
|
-
def get_document(request, doc_id):
|
|
20
|
-
doc = Document.objects.get(id=doc_id)
|
|
21
|
-
if not request.user.has_permission('read', doc):
|
|
22
|
-
raise PermissionDenied()
|
|
23
|
-
return doc
|
|
24
|
-
```
|
|
25
|
-
|
|
26
|
-
### 2. Enforce Least Privilege
|
|
27
|
-
|
|
28
|
-
Assign users only the minimum necessary permissions for their role.
|
|
29
|
-
|
|
30
|
-
```python
|
|
31
|
-
# Define minimal permission sets
|
|
32
|
-
ROLE_PERMISSIONS = {
|
|
33
|
-
'viewer': ['read'],
|
|
34
|
-
'editor': ['read', 'write'],
|
|
35
|
-
'admin': ['read', 'write', 'delete', 'admin']
|
|
36
|
-
}
|
|
37
|
-
```
|
|
38
|
-
|
|
39
|
-
### 3. Validate Permissions on Every Request
|
|
40
|
-
|
|
41
|
-
Never rely on UI hiding or client-side checks alone.
|
|
42
|
-
|
|
43
|
-
```python
|
|
44
|
-
# VULNERABLE: Authorization only on some endpoints
|
|
45
|
-
@app.route('/api/admin/users', methods=['GET'])
|
|
46
|
-
@require_admin # Good
|
|
47
|
-
def list_users():
|
|
48
|
-
pass
|
|
49
|
-
|
|
50
|
-
@app.route('/api/admin/users/<id>', methods=['DELETE'])
|
|
51
|
-
def delete_user(id): # Missing authorization check!
|
|
52
|
-
User.delete(id)
|
|
53
|
-
|
|
54
|
-
# SAFE: Consistent authorization
|
|
55
|
-
@app.route('/api/admin/users/<id>', methods=['DELETE'])
|
|
56
|
-
@require_admin # Always check
|
|
57
|
-
def delete_user(id):
|
|
58
|
-
User.delete(id)
|
|
59
|
-
```
|
|
60
|
-
|
|
61
|
-
---
|
|
62
|
-
|
|
63
|
-
## Insecure Direct Object References (IDOR)
|
|
64
|
-
|
|
65
|
-
### The Vulnerability
|
|
66
|
-
|
|
67
|
-
IDOR occurs when attackers access or modify objects by manipulating identifiers.
|
|
68
|
-
|
|
69
|
-
```python
|
|
70
|
-
# VULNERABLE: No ownership validation
|
|
71
|
-
@app.route('/api/orders/<order_id>')
|
|
72
|
-
def get_order(order_id):
|
|
73
|
-
return Order.query.get(order_id).to_dict()
|
|
74
|
-
|
|
75
|
-
# Attack: User A accesses /api/orders/123 (User B's order)
|
|
76
|
-
```
|
|
77
|
-
|
|
78
|
-
### Prevention
|
|
79
|
-
|
|
80
|
-
**1. Validate Object Ownership**
|
|
81
|
-
|
|
82
|
-
```python
|
|
83
|
-
# SAFE: Scope queries to current user
|
|
84
|
-
@app.route('/api/orders/<order_id>')
|
|
85
|
-
def get_order(order_id):
|
|
86
|
-
order = Order.query.filter_by(
|
|
87
|
-
id=order_id,
|
|
88
|
-
user_id=current_user.id # Ownership check
|
|
89
|
-
).first_or_404()
|
|
90
|
-
return order.to_dict()
|
|
91
|
-
```
|
|
92
|
-
|
|
93
|
-
**2. Use Indirect References**
|
|
94
|
-
|
|
95
|
-
```python
|
|
96
|
-
# Map user-specific indices to actual IDs
|
|
97
|
-
def get_user_order_map(user_id):
|
|
98
|
-
orders = Order.query.filter_by(user_id=user_id).all()
|
|
99
|
-
return {i: order.id for i, order in enumerate(orders)}
|
|
100
|
-
|
|
101
|
-
@app.route('/api/orders/<int:index>')
|
|
102
|
-
def get_order(index):
|
|
103
|
-
order_map = get_user_order_map(current_user.id)
|
|
104
|
-
real_id = order_map.get(index)
|
|
105
|
-
if not real_id:
|
|
106
|
-
raise NotFound()
|
|
107
|
-
return Order.query.get(real_id).to_dict()
|
|
108
|
-
```
|
|
109
|
-
|
|
110
|
-
**3. Perform Object-Level Checks**
|
|
111
|
-
|
|
112
|
-
```python
|
|
113
|
-
# Check permission on the specific object, not just object type
|
|
114
|
-
def check_permission(user, action, resource):
|
|
115
|
-
# Bad: Type-level check only
|
|
116
|
-
# if user.can('read', 'Order'): return True
|
|
117
|
-
|
|
118
|
-
# Good: Object-level check
|
|
119
|
-
if resource.owner_id == user.id:
|
|
120
|
-
return True
|
|
121
|
-
if resource.organization_id in user.organization_ids:
|
|
122
|
-
return user.has_org_permission(action, resource.organization_id)
|
|
123
|
-
return False
|
|
124
|
-
```
|
|
125
|
-
|
|
126
|
-
---
|
|
127
|
-
|
|
128
|
-
## Access Control Models
|
|
129
|
-
|
|
130
|
-
### Role-Based Access Control (RBAC)
|
|
131
|
-
|
|
132
|
-
Simple but limited. Good for straightforward permission structures.
|
|
133
|
-
|
|
134
|
-
```python
|
|
135
|
-
ROLES = {
|
|
136
|
-
'admin': {'create', 'read', 'update', 'delete'},
|
|
137
|
-
'editor': {'create', 'read', 'update'},
|
|
138
|
-
'viewer': {'read'}
|
|
139
|
-
}
|
|
140
|
-
|
|
141
|
-
def has_permission(user, action):
|
|
142
|
-
return action in ROLES.get(user.role, set())
|
|
143
|
-
```
|
|
144
|
-
|
|
145
|
-
### Attribute-Based Access Control (ABAC)
|
|
146
|
-
|
|
147
|
-
More flexible. Supports complex policies with multiple attributes.
|
|
148
|
-
|
|
149
|
-
```python
|
|
150
|
-
def evaluate_policy(subject, action, resource, environment):
|
|
151
|
-
"""
|
|
152
|
-
Subject: user attributes (role, department, clearance)
|
|
153
|
-
Action: what they're trying to do
|
|
154
|
-
Resource: object attributes (owner, classification, type)
|
|
155
|
-
Environment: context (time, location, device)
|
|
156
|
-
"""
|
|
157
|
-
# Example: Only managers can approve during business hours
|
|
158
|
-
if action == 'approve':
|
|
159
|
-
return (
|
|
160
|
-
subject.role == 'manager' and
|
|
161
|
-
resource.department == subject.department and
|
|
162
|
-
environment.is_business_hours
|
|
163
|
-
)
|
|
164
|
-
return False
|
|
165
|
-
```
|
|
166
|
-
|
|
167
|
-
### Relationship-Based Access Control (ReBAC)
|
|
168
|
-
|
|
169
|
-
Access based on relationships between entities.
|
|
170
|
-
|
|
171
|
-
```python
|
|
172
|
-
# User can view document if:
|
|
173
|
-
# - They own it
|
|
174
|
-
# - They're in a group that has access
|
|
175
|
-
# - They're in the same organization
|
|
176
|
-
def can_view(user, document):
|
|
177
|
-
if document.owner_id == user.id:
|
|
178
|
-
return True
|
|
179
|
-
if user.groups.intersection(document.shared_with_groups):
|
|
180
|
-
return True
|
|
181
|
-
if document.org_id == user.org_id and document.org_visible:
|
|
182
|
-
return True
|
|
183
|
-
return False
|
|
184
|
-
```
|
|
185
|
-
|
|
186
|
-
---
|
|
187
|
-
|
|
188
|
-
## Common Vulnerabilities
|
|
189
|
-
|
|
190
|
-
### Horizontal Privilege Escalation
|
|
191
|
-
|
|
192
|
-
Accessing resources belonging to other users at the same privilege level.
|
|
193
|
-
|
|
194
|
-
```python
|
|
195
|
-
# VULNERABLE: User A can access User B's profile
|
|
196
|
-
@app.route('/api/profile/<user_id>')
|
|
197
|
-
def get_profile(user_id):
|
|
198
|
-
return User.query.get(user_id).profile
|
|
199
|
-
|
|
200
|
-
# SAFE: Only access own profile
|
|
201
|
-
@app.route('/api/profile')
|
|
202
|
-
def get_profile():
|
|
203
|
-
return current_user.profile
|
|
204
|
-
```
|
|
205
|
-
|
|
206
|
-
### Vertical Privilege Escalation
|
|
207
|
-
|
|
208
|
-
Accessing higher-privilege functionality.
|
|
209
|
-
|
|
210
|
-
```python
|
|
211
|
-
# VULNERABLE: Hidden admin endpoint
|
|
212
|
-
@app.route('/api/admin/delete-all')
|
|
213
|
-
def delete_all():
|
|
214
|
-
# No authorization check
|
|
215
|
-
Database.delete_all()
|
|
216
|
-
|
|
217
|
-
# SAFE: Explicit admin check
|
|
218
|
-
@app.route('/api/admin/delete-all')
|
|
219
|
-
@require_role('super_admin')
|
|
220
|
-
def delete_all():
|
|
221
|
-
Database.delete_all()
|
|
222
|
-
```
|
|
223
|
-
|
|
224
|
-
### Path Traversal in Authorization
|
|
225
|
-
|
|
226
|
-
```python
|
|
227
|
-
# VULNERABLE: Path-based authorization bypass
|
|
228
|
-
@app.route('/files/<path:filepath>')
|
|
229
|
-
def get_file(filepath):
|
|
230
|
-
# Attacker: /files/../../../etc/passwd
|
|
231
|
-
return send_file(filepath)
|
|
232
|
-
|
|
233
|
-
# SAFE: Validate and sanitize path
|
|
234
|
-
@app.route('/files/<path:filepath>')
|
|
235
|
-
def get_file(filepath):
|
|
236
|
-
base_dir = '/app/user_files'
|
|
237
|
-
full_path = os.path.realpath(os.path.join(base_dir, filepath))
|
|
238
|
-
if not full_path.startswith(base_dir):
|
|
239
|
-
raise PermissionDenied()
|
|
240
|
-
return send_file(full_path)
|
|
241
|
-
```
|
|
242
|
-
|
|
243
|
-
### Mass Assignment
|
|
244
|
-
|
|
245
|
-
```python
|
|
246
|
-
# VULNERABLE: User can set admin flag
|
|
247
|
-
@app.route('/api/users/<id>', methods=['PATCH'])
|
|
248
|
-
def update_user(id):
|
|
249
|
-
user = User.query.get(id)
|
|
250
|
-
user.update(**request.json) # Includes is_admin!
|
|
251
|
-
|
|
252
|
-
# SAFE: Allowlist fields
|
|
253
|
-
@app.route('/api/users/<id>', methods=['PATCH'])
|
|
254
|
-
def update_user(id):
|
|
255
|
-
ALLOWED_FIELDS = {'name', 'email', 'bio'}
|
|
256
|
-
user = User.query.get(id)
|
|
257
|
-
data = {k: v for k, v in request.json.items() if k in ALLOWED_FIELDS}
|
|
258
|
-
user.update(**data)
|
|
259
|
-
```
|
|
260
|
-
|
|
261
|
-
---
|
|
262
|
-
|
|
263
|
-
## Implementation Patterns
|
|
264
|
-
|
|
265
|
-
### Middleware/Filter Pattern
|
|
266
|
-
|
|
267
|
-
```python
|
|
268
|
-
# Apply authorization consistently via middleware
|
|
269
|
-
class AuthorizationMiddleware:
|
|
270
|
-
def process_request(self, request):
|
|
271
|
-
if not self.is_authorized(request):
|
|
272
|
-
raise PermissionDenied()
|
|
273
|
-
|
|
274
|
-
def is_authorized(self, request):
|
|
275
|
-
# Extract resource and action from request
|
|
276
|
-
resource = self.get_resource(request)
|
|
277
|
-
action = self.get_action(request)
|
|
278
|
-
return request.user.has_permission(action, resource)
|
|
279
|
-
```
|
|
280
|
-
|
|
281
|
-
### Policy Objects
|
|
282
|
-
|
|
283
|
-
```python
|
|
284
|
-
class DocumentPolicy:
|
|
285
|
-
def __init__(self, user, document):
|
|
286
|
-
self.user = user
|
|
287
|
-
self.document = document
|
|
288
|
-
|
|
289
|
-
def can_view(self):
|
|
290
|
-
return (
|
|
291
|
-
self.document.is_public or
|
|
292
|
-
self.document.owner_id == self.user.id or
|
|
293
|
-
self.user.is_admin
|
|
294
|
-
)
|
|
295
|
-
|
|
296
|
-
def can_edit(self):
|
|
297
|
-
return self.document.owner_id == self.user.id
|
|
298
|
-
|
|
299
|
-
def can_delete(self):
|
|
300
|
-
return self.document.owner_id == self.user.id or self.user.is_admin
|
|
301
|
-
|
|
302
|
-
# Usage
|
|
303
|
-
policy = DocumentPolicy(current_user, document)
|
|
304
|
-
if not policy.can_view():
|
|
305
|
-
raise PermissionDenied()
|
|
306
|
-
```
|
|
307
|
-
|
|
308
|
-
---
|
|
309
|
-
|
|
310
|
-
## Grep Patterns for Detection
|
|
311
|
-
|
|
312
|
-
```bash
|
|
313
|
-
# Missing authorization checks
|
|
314
|
-
grep -rn "def get_\|def post_\|def put_\|def delete_" --include="*.py" | grep -v "@require\|@login\|permission"
|
|
315
|
-
|
|
316
|
-
# Direct object access without ownership check
|
|
317
|
-
grep -rn "\.get(.*id)\|\.filter(id=" --include="*.py" | grep -v "user_id\|owner"
|
|
318
|
-
|
|
319
|
-
# Mass assignment
|
|
320
|
-
grep -rn "\*\*request\.\|update(\*\*\|create(\*\*" --include="*.py"
|
|
321
|
-
|
|
322
|
-
# Path traversal risk
|
|
323
|
-
grep -rn "os\.path\.join.*request\|open(.*request" --include="*.py"
|
|
324
|
-
|
|
325
|
-
# Admin endpoints
|
|
326
|
-
grep -rn "admin\|superuser" --include="*.py" | grep "route\|endpoint"
|
|
327
|
-
```
|
|
328
|
-
|
|
329
|
-
---
|
|
330
|
-
|
|
331
|
-
## Authorization Testing
|
|
332
|
-
|
|
333
|
-
### Test Cases
|
|
334
|
-
|
|
335
|
-
1. **Horizontal access**: Can User A access User B's resources?
|
|
336
|
-
2. **Vertical access**: Can regular users access admin endpoints?
|
|
337
|
-
3. **Missing checks**: Are all endpoints protected?
|
|
338
|
-
4. **Parameter tampering**: Can IDs be manipulated?
|
|
339
|
-
5. **Path traversal**: Can file paths escape allowed directories?
|
|
340
|
-
6. **Mass assignment**: Can protected fields be modified?
|
|
341
|
-
|
|
342
|
-
### Test Automation
|
|
343
|
-
|
|
344
|
-
```python
|
|
345
|
-
def test_horizontal_access():
|
|
346
|
-
user_a = create_user()
|
|
347
|
-
user_b = create_user()
|
|
348
|
-
resource = create_resource(owner=user_a)
|
|
349
|
-
|
|
350
|
-
# User B should not access User A's resource
|
|
351
|
-
client.login(user_b)
|
|
352
|
-
response = client.get(f'/api/resources/{resource.id}')
|
|
353
|
-
assert response.status_code == 403
|
|
354
|
-
|
|
355
|
-
def test_idor_enumeration():
|
|
356
|
-
# Try sequential IDs
|
|
357
|
-
for i in range(1, 100):
|
|
358
|
-
response = client.get(f'/api/resources/{i}')
|
|
359
|
-
if response.status_code == 200:
|
|
360
|
-
# Should be denied or return 404, not 200
|
|
361
|
-
assert False, f"IDOR vulnerability: /api/resources/{i}"
|
|
362
|
-
```
|
|
363
|
-
|
|
364
|
-
---
|
|
365
|
-
|
|
366
|
-
## References
|
|
367
|
-
|
|
368
|
-
- [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
|
|
369
|
-
- [OWASP IDOR Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
|
|
370
|
-
- [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
|
|
371
|
-
- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
|
|
372
|
-
- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
|
|
1
|
+
# Authorization Security Reference
|
|
2
|
+
|
|
3
|
+
## Overview
|
|
4
|
+
|
|
5
|
+
Authorization verifies that a requested action or service is approved for a specific entity—distinct from authentication, which verifies identity. A user who has been authenticated is often not authorized to access every resource and perform every action.
|
|
6
|
+
|
|
7
|
+
## Core Principles
|
|
8
|
+
|
|
9
|
+
### 1. Deny by Default
|
|
10
|
+
|
|
11
|
+
Every permission must be explicitly granted. The default position is denial.
|
|
12
|
+
|
|
13
|
+
```python
|
|
14
|
+
# VULNERABLE: Implicit allow
|
|
15
|
+
def get_document(request, doc_id):
|
|
16
|
+
return Document.objects.get(id=doc_id)
|
|
17
|
+
|
|
18
|
+
# SAFE: Explicit authorization
|
|
19
|
+
def get_document(request, doc_id):
|
|
20
|
+
doc = Document.objects.get(id=doc_id)
|
|
21
|
+
if not request.user.has_permission('read', doc):
|
|
22
|
+
raise PermissionDenied()
|
|
23
|
+
return doc
|
|
24
|
+
```
|
|
25
|
+
|
|
26
|
+
### 2. Enforce Least Privilege
|
|
27
|
+
|
|
28
|
+
Assign users only the minimum necessary permissions for their role.
|
|
29
|
+
|
|
30
|
+
```python
|
|
31
|
+
# Define minimal permission sets
|
|
32
|
+
ROLE_PERMISSIONS = {
|
|
33
|
+
'viewer': ['read'],
|
|
34
|
+
'editor': ['read', 'write'],
|
|
35
|
+
'admin': ['read', 'write', 'delete', 'admin']
|
|
36
|
+
}
|
|
37
|
+
```
|
|
38
|
+
|
|
39
|
+
### 3. Validate Permissions on Every Request
|
|
40
|
+
|
|
41
|
+
Never rely on UI hiding or client-side checks alone.
|
|
42
|
+
|
|
43
|
+
```python
|
|
44
|
+
# VULNERABLE: Authorization only on some endpoints
|
|
45
|
+
@app.route('/api/admin/users', methods=['GET'])
|
|
46
|
+
@require_admin # Good
|
|
47
|
+
def list_users():
|
|
48
|
+
pass
|
|
49
|
+
|
|
50
|
+
@app.route('/api/admin/users/<id>', methods=['DELETE'])
|
|
51
|
+
def delete_user(id): # Missing authorization check!
|
|
52
|
+
User.delete(id)
|
|
53
|
+
|
|
54
|
+
# SAFE: Consistent authorization
|
|
55
|
+
@app.route('/api/admin/users/<id>', methods=['DELETE'])
|
|
56
|
+
@require_admin # Always check
|
|
57
|
+
def delete_user(id):
|
|
58
|
+
User.delete(id)
|
|
59
|
+
```
|
|
60
|
+
|
|
61
|
+
---
|
|
62
|
+
|
|
63
|
+
## Insecure Direct Object References (IDOR)
|
|
64
|
+
|
|
65
|
+
### The Vulnerability
|
|
66
|
+
|
|
67
|
+
IDOR occurs when attackers access or modify objects by manipulating identifiers.
|
|
68
|
+
|
|
69
|
+
```python
|
|
70
|
+
# VULNERABLE: No ownership validation
|
|
71
|
+
@app.route('/api/orders/<order_id>')
|
|
72
|
+
def get_order(order_id):
|
|
73
|
+
return Order.query.get(order_id).to_dict()
|
|
74
|
+
|
|
75
|
+
# Attack: User A accesses /api/orders/123 (User B's order)
|
|
76
|
+
```
|
|
77
|
+
|
|
78
|
+
### Prevention
|
|
79
|
+
|
|
80
|
+
**1. Validate Object Ownership**
|
|
81
|
+
|
|
82
|
+
```python
|
|
83
|
+
# SAFE: Scope queries to current user
|
|
84
|
+
@app.route('/api/orders/<order_id>')
|
|
85
|
+
def get_order(order_id):
|
|
86
|
+
order = Order.query.filter_by(
|
|
87
|
+
id=order_id,
|
|
88
|
+
user_id=current_user.id # Ownership check
|
|
89
|
+
).first_or_404()
|
|
90
|
+
return order.to_dict()
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
**2. Use Indirect References**
|
|
94
|
+
|
|
95
|
+
```python
|
|
96
|
+
# Map user-specific indices to actual IDs
|
|
97
|
+
def get_user_order_map(user_id):
|
|
98
|
+
orders = Order.query.filter_by(user_id=user_id).all()
|
|
99
|
+
return {i: order.id for i, order in enumerate(orders)}
|
|
100
|
+
|
|
101
|
+
@app.route('/api/orders/<int:index>')
|
|
102
|
+
def get_order(index):
|
|
103
|
+
order_map = get_user_order_map(current_user.id)
|
|
104
|
+
real_id = order_map.get(index)
|
|
105
|
+
if not real_id:
|
|
106
|
+
raise NotFound()
|
|
107
|
+
return Order.query.get(real_id).to_dict()
|
|
108
|
+
```
|
|
109
|
+
|
|
110
|
+
**3. Perform Object-Level Checks**
|
|
111
|
+
|
|
112
|
+
```python
|
|
113
|
+
# Check permission on the specific object, not just object type
|
|
114
|
+
def check_permission(user, action, resource):
|
|
115
|
+
# Bad: Type-level check only
|
|
116
|
+
# if user.can('read', 'Order'): return True
|
|
117
|
+
|
|
118
|
+
# Good: Object-level check
|
|
119
|
+
if resource.owner_id == user.id:
|
|
120
|
+
return True
|
|
121
|
+
if resource.organization_id in user.organization_ids:
|
|
122
|
+
return user.has_org_permission(action, resource.organization_id)
|
|
123
|
+
return False
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
## Access Control Models
|
|
129
|
+
|
|
130
|
+
### Role-Based Access Control (RBAC)
|
|
131
|
+
|
|
132
|
+
Simple but limited. Good for straightforward permission structures.
|
|
133
|
+
|
|
134
|
+
```python
|
|
135
|
+
ROLES = {
|
|
136
|
+
'admin': {'create', 'read', 'update', 'delete'},
|
|
137
|
+
'editor': {'create', 'read', 'update'},
|
|
138
|
+
'viewer': {'read'}
|
|
139
|
+
}
|
|
140
|
+
|
|
141
|
+
def has_permission(user, action):
|
|
142
|
+
return action in ROLES.get(user.role, set())
|
|
143
|
+
```
|
|
144
|
+
|
|
145
|
+
### Attribute-Based Access Control (ABAC)
|
|
146
|
+
|
|
147
|
+
More flexible. Supports complex policies with multiple attributes.
|
|
148
|
+
|
|
149
|
+
```python
|
|
150
|
+
def evaluate_policy(subject, action, resource, environment):
|
|
151
|
+
"""
|
|
152
|
+
Subject: user attributes (role, department, clearance)
|
|
153
|
+
Action: what they're trying to do
|
|
154
|
+
Resource: object attributes (owner, classification, type)
|
|
155
|
+
Environment: context (time, location, device)
|
|
156
|
+
"""
|
|
157
|
+
# Example: Only managers can approve during business hours
|
|
158
|
+
if action == 'approve':
|
|
159
|
+
return (
|
|
160
|
+
subject.role == 'manager' and
|
|
161
|
+
resource.department == subject.department and
|
|
162
|
+
environment.is_business_hours
|
|
163
|
+
)
|
|
164
|
+
return False
|
|
165
|
+
```
|
|
166
|
+
|
|
167
|
+
### Relationship-Based Access Control (ReBAC)
|
|
168
|
+
|
|
169
|
+
Access based on relationships between entities.
|
|
170
|
+
|
|
171
|
+
```python
|
|
172
|
+
# User can view document if:
|
|
173
|
+
# - They own it
|
|
174
|
+
# - They're in a group that has access
|
|
175
|
+
# - They're in the same organization
|
|
176
|
+
def can_view(user, document):
|
|
177
|
+
if document.owner_id == user.id:
|
|
178
|
+
return True
|
|
179
|
+
if user.groups.intersection(document.shared_with_groups):
|
|
180
|
+
return True
|
|
181
|
+
if document.org_id == user.org_id and document.org_visible:
|
|
182
|
+
return True
|
|
183
|
+
return False
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
---
|
|
187
|
+
|
|
188
|
+
## Common Vulnerabilities
|
|
189
|
+
|
|
190
|
+
### Horizontal Privilege Escalation
|
|
191
|
+
|
|
192
|
+
Accessing resources belonging to other users at the same privilege level.
|
|
193
|
+
|
|
194
|
+
```python
|
|
195
|
+
# VULNERABLE: User A can access User B's profile
|
|
196
|
+
@app.route('/api/profile/<user_id>')
|
|
197
|
+
def get_profile(user_id):
|
|
198
|
+
return User.query.get(user_id).profile
|
|
199
|
+
|
|
200
|
+
# SAFE: Only access own profile
|
|
201
|
+
@app.route('/api/profile')
|
|
202
|
+
def get_profile():
|
|
203
|
+
return current_user.profile
|
|
204
|
+
```
|
|
205
|
+
|
|
206
|
+
### Vertical Privilege Escalation
|
|
207
|
+
|
|
208
|
+
Accessing higher-privilege functionality.
|
|
209
|
+
|
|
210
|
+
```python
|
|
211
|
+
# VULNERABLE: Hidden admin endpoint
|
|
212
|
+
@app.route('/api/admin/delete-all')
|
|
213
|
+
def delete_all():
|
|
214
|
+
# No authorization check
|
|
215
|
+
Database.delete_all()
|
|
216
|
+
|
|
217
|
+
# SAFE: Explicit admin check
|
|
218
|
+
@app.route('/api/admin/delete-all')
|
|
219
|
+
@require_role('super_admin')
|
|
220
|
+
def delete_all():
|
|
221
|
+
Database.delete_all()
|
|
222
|
+
```
|
|
223
|
+
|
|
224
|
+
### Path Traversal in Authorization
|
|
225
|
+
|
|
226
|
+
```python
|
|
227
|
+
# VULNERABLE: Path-based authorization bypass
|
|
228
|
+
@app.route('/files/<path:filepath>')
|
|
229
|
+
def get_file(filepath):
|
|
230
|
+
# Attacker: /files/../../../etc/passwd
|
|
231
|
+
return send_file(filepath)
|
|
232
|
+
|
|
233
|
+
# SAFE: Validate and sanitize path
|
|
234
|
+
@app.route('/files/<path:filepath>')
|
|
235
|
+
def get_file(filepath):
|
|
236
|
+
base_dir = '/app/user_files'
|
|
237
|
+
full_path = os.path.realpath(os.path.join(base_dir, filepath))
|
|
238
|
+
if not full_path.startswith(base_dir):
|
|
239
|
+
raise PermissionDenied()
|
|
240
|
+
return send_file(full_path)
|
|
241
|
+
```
|
|
242
|
+
|
|
243
|
+
### Mass Assignment
|
|
244
|
+
|
|
245
|
+
```python
|
|
246
|
+
# VULNERABLE: User can set admin flag
|
|
247
|
+
@app.route('/api/users/<id>', methods=['PATCH'])
|
|
248
|
+
def update_user(id):
|
|
249
|
+
user = User.query.get(id)
|
|
250
|
+
user.update(**request.json) # Includes is_admin!
|
|
251
|
+
|
|
252
|
+
# SAFE: Allowlist fields
|
|
253
|
+
@app.route('/api/users/<id>', methods=['PATCH'])
|
|
254
|
+
def update_user(id):
|
|
255
|
+
ALLOWED_FIELDS = {'name', 'email', 'bio'}
|
|
256
|
+
user = User.query.get(id)
|
|
257
|
+
data = {k: v for k, v in request.json.items() if k in ALLOWED_FIELDS}
|
|
258
|
+
user.update(**data)
|
|
259
|
+
```
|
|
260
|
+
|
|
261
|
+
---
|
|
262
|
+
|
|
263
|
+
## Implementation Patterns
|
|
264
|
+
|
|
265
|
+
### Middleware/Filter Pattern
|
|
266
|
+
|
|
267
|
+
```python
|
|
268
|
+
# Apply authorization consistently via middleware
|
|
269
|
+
class AuthorizationMiddleware:
|
|
270
|
+
def process_request(self, request):
|
|
271
|
+
if not self.is_authorized(request):
|
|
272
|
+
raise PermissionDenied()
|
|
273
|
+
|
|
274
|
+
def is_authorized(self, request):
|
|
275
|
+
# Extract resource and action from request
|
|
276
|
+
resource = self.get_resource(request)
|
|
277
|
+
action = self.get_action(request)
|
|
278
|
+
return request.user.has_permission(action, resource)
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
### Policy Objects
|
|
282
|
+
|
|
283
|
+
```python
|
|
284
|
+
class DocumentPolicy:
|
|
285
|
+
def __init__(self, user, document):
|
|
286
|
+
self.user = user
|
|
287
|
+
self.document = document
|
|
288
|
+
|
|
289
|
+
def can_view(self):
|
|
290
|
+
return (
|
|
291
|
+
self.document.is_public or
|
|
292
|
+
self.document.owner_id == self.user.id or
|
|
293
|
+
self.user.is_admin
|
|
294
|
+
)
|
|
295
|
+
|
|
296
|
+
def can_edit(self):
|
|
297
|
+
return self.document.owner_id == self.user.id
|
|
298
|
+
|
|
299
|
+
def can_delete(self):
|
|
300
|
+
return self.document.owner_id == self.user.id or self.user.is_admin
|
|
301
|
+
|
|
302
|
+
# Usage
|
|
303
|
+
policy = DocumentPolicy(current_user, document)
|
|
304
|
+
if not policy.can_view():
|
|
305
|
+
raise PermissionDenied()
|
|
306
|
+
```
|
|
307
|
+
|
|
308
|
+
---
|
|
309
|
+
|
|
310
|
+
## Grep Patterns for Detection
|
|
311
|
+
|
|
312
|
+
```bash
|
|
313
|
+
# Missing authorization checks
|
|
314
|
+
grep -rn "def get_\|def post_\|def put_\|def delete_" --include="*.py" | grep -v "@require\|@login\|permission"
|
|
315
|
+
|
|
316
|
+
# Direct object access without ownership check
|
|
317
|
+
grep -rn "\.get(.*id)\|\.filter(id=" --include="*.py" | grep -v "user_id\|owner"
|
|
318
|
+
|
|
319
|
+
# Mass assignment
|
|
320
|
+
grep -rn "\*\*request\.\|update(\*\*\|create(\*\*" --include="*.py"
|
|
321
|
+
|
|
322
|
+
# Path traversal risk
|
|
323
|
+
grep -rn "os\.path\.join.*request\|open(.*request" --include="*.py"
|
|
324
|
+
|
|
325
|
+
# Admin endpoints
|
|
326
|
+
grep -rn "admin\|superuser" --include="*.py" | grep "route\|endpoint"
|
|
327
|
+
```
|
|
328
|
+
|
|
329
|
+
---
|
|
330
|
+
|
|
331
|
+
## Authorization Testing
|
|
332
|
+
|
|
333
|
+
### Test Cases
|
|
334
|
+
|
|
335
|
+
1. **Horizontal access**: Can User A access User B's resources?
|
|
336
|
+
2. **Vertical access**: Can regular users access admin endpoints?
|
|
337
|
+
3. **Missing checks**: Are all endpoints protected?
|
|
338
|
+
4. **Parameter tampering**: Can IDs be manipulated?
|
|
339
|
+
5. **Path traversal**: Can file paths escape allowed directories?
|
|
340
|
+
6. **Mass assignment**: Can protected fields be modified?
|
|
341
|
+
|
|
342
|
+
### Test Automation
|
|
343
|
+
|
|
344
|
+
```python
|
|
345
|
+
def test_horizontal_access():
|
|
346
|
+
user_a = create_user()
|
|
347
|
+
user_b = create_user()
|
|
348
|
+
resource = create_resource(owner=user_a)
|
|
349
|
+
|
|
350
|
+
# User B should not access User A's resource
|
|
351
|
+
client.login(user_b)
|
|
352
|
+
response = client.get(f'/api/resources/{resource.id}')
|
|
353
|
+
assert response.status_code == 403
|
|
354
|
+
|
|
355
|
+
def test_idor_enumeration():
|
|
356
|
+
# Try sequential IDs
|
|
357
|
+
for i in range(1, 100):
|
|
358
|
+
response = client.get(f'/api/resources/{i}')
|
|
359
|
+
if response.status_code == 200:
|
|
360
|
+
# Should be denied or return 404, not 200
|
|
361
|
+
assert False, f"IDOR vulnerability: /api/resources/{i}"
|
|
362
|
+
```
|
|
363
|
+
|
|
364
|
+
---
|
|
365
|
+
|
|
366
|
+
## References
|
|
367
|
+
|
|
368
|
+
- [OWASP Authorization Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authorization_Cheat_Sheet.html)
|
|
369
|
+
- [OWASP IDOR Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)
|
|
370
|
+
- [OWASP Access Control Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Access_Control_Cheat_Sheet.html)
|
|
371
|
+
- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)
|
|
372
|
+
- [CWE-862: Missing Authorization](https://cwe.mitre.org/data/definitions/862.html)
|