@esreekarreddy/ai-prompts 1.0.0

package/chains/security-hardening.md

@@ -0,0 +1,242 @@
+# Chain: Security Hardening
+
+> Comprehensive workflow for securing an application
+
+## Overview
+
+```
+Audit → Prioritize → Fix → Verify → Monitor
+```
+
+---
+
+## Step 1: Security Audit
+
+**Prompt:**
+```
+Security audit this codebase.
+
+Check for:
+
+1. Injection: SQL injection, command injection, XSS
+2. Auth: Hardcoded secrets, weak passwords, missing rate limiting, non-expiring sessions
+3. Authorization: IDOR, missing auth checks, bypassable role checks
+4. Data exposure: Sensitive data in logs, stack traces to users, PII leaks
+5. Config: Debug mode, permissive CORS, missing security headers
+
+For each issue: severity (critical/high/medium/low), file/line, how to exploit, how to fix with code.
+
+Be thorough. Ultrathink.
+```
+
+**Expected Output:**
+- Comprehensive issue list
+- Severity ratings
+- Exploitation details
+- Fix recommendations
+
+---
+
+## Step 2: Prioritize Fixes
+
+**Prompt:**
+```
+Based on the security audit, help me prioritize:
+
+Issues found:
+[List issues]
+
+For each severity:
+1. Critical: Must fix immediately, could be actively exploited
+2. High: Fix this sprint, significant risk
+3. Medium: Plan to fix soon
+4. Low: Address opportunistically
+
+Also consider:
+- Dependencies between fixes
+- Quick wins vs. major changes
+- External exposure (public vs. internal)
+
+Create a prioritized action plan.
+```
+
+**Expected Output:**
+- Prioritized fix order
+- Timeline recommendations
+- Dependencies noted
+
+**Decision Point:** Agree on priority and timeline.
+
+---
+
+## Step 3: Fix Critical Issues
+
+**Prompt:**
+```
+Fix this critical security issue:
+
+Issue: [Issue details]
+Location: [File and line]
+Exploitation: [How it could be exploited]
+
+Requirements:
+1. Completely eliminate the vulnerability
+2. Don't break existing functionality
+3. Add test to prevent regression
+4. Follow security best practices
+
+Show the fix and explain why it's secure.
+```
+
+**Expected Output:**
+- Security fix
+- Explanation
+- Regression test
+
+**Repeat** for each critical/high issue.
+
+---
+
+## Step 4: Add Security Controls
+
+**Prompt:**
+```
+Beyond fixing specific issues, add these security controls:
+
+1. Rate limiting on sensitive endpoints
+2. Input validation on all user input
+3. Security headers (CSP, HSTS, X-Frame-Options)
+4. Proper CORS configuration
+5. Audit logging for security events
+
+For each:
+- What to implement
+- Where to add it
+- Configuration recommendations
+```
+
+**Expected Output:**
+- Security middleware
+- Headers configuration
+- Logging setup
+
+---
+
+## Step 5: Verify Security Fixes
+
+**Prompt:**
+```
+Verify the security fixes are effective:
+
+For each fix made:
+1. Attempt the original exploit - should fail
+2. Check for bypass possibilities
+3. Verify no regressions
+4. Confirm logging works
+
+Also:
+- Run OWASP ZAP or similar scanner
+- Review with security checklist
+- Check for new issues introduced
+
+Report findings.
+```
+
+**Expected Output:**
+- Verification results
+- Any remaining issues
+- Scanner results
+
+---
+
+## Step 6: Security Documentation
+
+**Prompt:**
+```
+Document the security measures:
+
+1. What security controls are in place?
+2. How is authentication handled?
+3. How is authorization handled?
+4. What data is encrypted?
+5. What is logged (and not logged)?
+6. How to report security issues?
+7. Incident response process?
+
+Create a security section for documentation.
+```
+
+**Expected Output:**
+- Security documentation
+- Incident response plan
+- Reporting process
+
+---
+
+## Step 7: Ongoing Monitoring
+
+**Prompt:**
+```
+Set up security monitoring:
+
+1. What security events should trigger alerts?
+2. What dashboards should exist?
+3. How often should security scans run?
+4. What's the process for security updates?
+5. How to handle vulnerability disclosures?
+
+Create a security operations plan.
+```
+
+**Expected Output:**
+- Monitoring configuration
+- Alert rules
+- Operational procedures
+
+---
+
+## Chain Summary
+
+| Step | Focus | Output |
+|------|-------|--------|
+| 1 | Audit | Issue inventory |
+| 2 | Prioritize | Action plan |
+| 3 | Fix | Patched vulnerabilities |
+| 4 | Controls | Security infrastructure |
+| 5 | Verify | Confirmed secure |
+| 6 | Document | Security docs |
+| 7 | Monitor | Ongoing vigilance |
+
+## Security Checklist
+
+### Authentication
+- [ ] Passwords hashed with bcrypt/argon2
+- [ ] Sessions expire appropriately
+- [ ] MFA available for sensitive accounts
+- [ ] Account lockout after failures
+- [ ] Secure password reset flow
+
+### Authorization
+- [ ] Every endpoint checks permissions
+- [ ] Role checks on sensitive operations
+- [ ] No IDOR vulnerabilities
+- [ ] Principle of least privilege
+
+### Input/Output
+- [ ] All input validated
+- [ ] Output encoded/escaped
+- [ ] File uploads validated
+- [ ] No SQL injection possible
+- [ ] No XSS possible
+
+### Data Protection
+- [ ] Sensitive data encrypted at rest
+- [ ] TLS for data in transit
+- [ ] No PII in logs
+- [ ] Secure secret storage
+
+### Infrastructure
+- [ ] Security headers configured
+- [ ] CORS properly restricted
+- [ ] Rate limiting in place
+- [ ] Debug mode disabled

package/contexts/guides/api-design.md

@@ -0,0 +1,229 @@
+# API Design Guide
+
+> Best practices for designing REST APIs
+
+## URL Structure
+
+### Resource-Based URLs
+```
+GET    /users              # List users
+GET    /users/123          # Get user 123
+POST   /users              # Create user
+PUT    /users/123          # Replace user 123
+PATCH  /users/123          # Update user 123
+DELETE /users/123          # Delete user 123
+
+# Nested resources
+GET    /users/123/posts    # Posts by user 123
+POST   /users/123/posts    # Create post for user 123
+```
+
+### URL Guidelines
+
+| Do | Don't |
+|----|-------|
+| `/users` | `/getUsers` |
+| `/users/123` | `/user?id=123` |
+| `/orders/456/items` | `/getOrderItems?orderId=456` |
+| Use plural nouns | Use verbs in URLs |
+| Use kebab-case | Use camelCase in URLs |
+
+## HTTP Methods
+
+| Method | Use | Idempotent | Body |
+|--------|-----|------------|------|
+| GET | Read | Yes | No |
+| POST | Create | No | Yes |
+| PUT | Replace | Yes | Yes |
+| PATCH | Update | Yes | Yes |
+| DELETE | Delete | Yes | No |
+
+## Status Codes
+
+### Success
+- `200 OK` - General success
+- `201 Created` - Resource created
+- `204 No Content` - Success, no body (DELETE)
+
+### Client Errors
+- `400 Bad Request` - Invalid input
+- `401 Unauthorized` - Not authenticated
+- `403 Forbidden` - Not authorized
+- `404 Not Found` - Resource doesn't exist
+- `409 Conflict` - Duplicate, state conflict
+- `422 Unprocessable Entity` - Validation failed
+
+### Server Errors
+- `500 Internal Server Error` - Server bug
+- `503 Service Unavailable` - Temporary outage
+
+## Request/Response Format
+
+### Request Body
+```json
+{
+  "email": "user@example.com",
+  "name": "John Doe"
+}
+```
+
+### Success Response
+```json
+{
+  "data": {
+    "id": "123",
+    "email": "user@example.com",
+    "name": "John Doe",
+    "createdAt": "2024-01-15T10:00:00Z"
+  }
+}
+```
+
+### Error Response
+```json
+{
+  "error": {
+    "code": "VALIDATION_ERROR",
+    "message": "Invalid input",
+    "details": [
+      { "field": "email", "message": "Invalid format" }
+    ]
+  }
+}
+```
+
+### Collection Response
+```json
+{
+  "data": [
+    { "id": "1", "name": "Item 1" },
+    { "id": "2", "name": "Item 2" }
+  ],
+  "meta": {
+    "page": 1,
+    "perPage": 20,
+    "total": 45,
+    "totalPages": 3
+  }
+}
+```
+
+## Pagination
+
+### Query Parameters
+```
+GET /users?page=2&per_page=20
+GET /users?offset=20&limit=20
+GET /users?cursor=abc123
+```
+
+### Response Headers
+```
+Link: <https://api.example.com/users?page=3>; rel="next",
+      <https://api.example.com/users?page=1>; rel="prev"
+X-Total-Count: 100
+```
+
+## Filtering & Sorting
+
+```
+# Filtering
+GET /products?category=electronics&min_price=100
+
+# Sorting
+GET /products?sort=price
+GET /products?sort=-createdAt  # Descending
+GET /products?sort=category,price
+
+# Searching
+GET /products?search=laptop
+GET /products?q=laptop
+
+# Field selection
+GET /users?fields=id,name,email
+```
+
+## Versioning
+
+### URL Versioning (Recommended)
+```
+/api/v1/users
+/api/v2/users
+```
+
+### Header Versioning
+```
+Accept: application/vnd.api+json;version=1
+```
+
+## Authentication
+
+### Bearer Token
+```
+Authorization: Bearer eyJhbGciOiJIUzI1NiIs...
+```
+
+### API Key
+```
+X-API-Key: your-api-key
+```
+
+## Rate Limiting
+
+### Headers
+```
+X-RateLimit-Limit: 100
+X-RateLimit-Remaining: 95
+X-RateLimit-Reset: 1640000000
+```
+
+### Response (429 Too Many Requests)
+```json
+{
+  "error": {
+    "code": "RATE_LIMIT_EXCEEDED",
+    "message": "Too many requests",
+    "retryAfter": 60
+  }
+}
+```
+
+## Common Patterns
+
+### Partial Updates (PATCH)
+```json
+// Only update provided fields
+PATCH /users/123
+{
+  "name": "New Name"
+}
+```
+
+### Bulk Operations
+```
+POST /users/bulk
+{
+  "operations": [
+    { "action": "create", "data": {...} },
+    { "action": "update", "id": "123", "data": {...} }
+  ]
+}
+```
+
+### Async Operations
+```
+POST /reports
+→ 202 Accepted
+{
+  "id": "job-123",
+  "status": "processing",
+  "statusUrl": "/jobs/job-123"
+}
+
+GET /jobs/job-123
+→ 200 OK
+{
+  "status": "completed",
+  "result": {...}
+}
+```

package/contexts/guides/error-handling.md

@@ -0,0 +1,219 @@
+# Error Handling Guide
+
+> Best practices for handling errors across the stack
+
+## Principles
+
+1. **Fail fast**: Validate early, throw early
+2. **Be specific**: Custom errors over generic ones
+3. **Don't hide**: Log everything, show appropriate messages
+4. **Recover gracefully**: Degrade instead of crash
+
+## Error Types
+
+### Operational Errors (Expected)
+- Invalid user input
+- Resource not found
+- Permission denied
+- External service failure
+
+**Handling**: Catch, handle gracefully, inform user
+
+### Programmer Errors (Bugs)
+- Type errors
+- Null pointer exceptions
+- Assertion failures
+
+**Handling**: Crash, fix the bug, deploy
+
+## Custom Error Classes
+
+### TypeScript
+
+```typescript
+// Base error
+class AppError extends Error {
+  constructor(
+    message: string,
+    public statusCode: number = 500,
+    public code: string = 'INTERNAL_ERROR',
+    public isOperational: boolean = true
+  ) {
+    super(message);
+    this.name = 'AppError';
+    Error.captureStackTrace(this, this.constructor);
+  }
+}
+
+// Specific errors
+class NotFoundError extends AppError {
+  constructor(resource: string) {
+    super(`${resource} not found`, 404, 'NOT_FOUND');
+  }
+}
+
+class ValidationError extends AppError {
+  constructor(message: string, public details?: object) {
+    super(message, 400, 'VALIDATION_ERROR');
+  }
+}
+
+class UnauthorizedError extends AppError {
+  constructor(message = 'Unauthorized') {
+    super(message, 401, 'UNAUTHORIZED');
+  }
+}
+
+class ForbiddenError extends AppError {
+  constructor(message = 'Forbidden') {
+    super(message, 403, 'FORBIDDEN');
+  }
+}
+
+class ConflictError extends AppError {
+  constructor(message: string) {
+    super(message, 409, 'CONFLICT');
+  }
+}
+```
+
+### Python
+
+```python
+class AppError(Exception):
+    def __init__(
+        self,
+        message: str,
+        status_code: int = 500,
+        code: str = "INTERNAL_ERROR"
+    ):
+        self.message = message
+        self.status_code = status_code
+        self.code = code
+        super().__init__(message)
+
+class NotFoundError(AppError):
+    def __init__(self, resource: str):
+        super().__init__(f"{resource} not found", 404, "NOT_FOUND")
+
+class ValidationError(AppError):
+    def __init__(self, message: str, details: dict = None):
+        super().__init__(message, 400, "VALIDATION_ERROR")
+        self.details = details
+```
+
+## Error Handling Patterns
+
+### Express Middleware
+
+```typescript
+// Global error handler
+function errorHandler(
+  err: Error,
+  req: Request,
+  res: Response,
+  next: NextFunction
+) {
+  // Log error
+  logger.error({
+    message: err.message,
+    stack: err.stack,
+    path: req.path,
+    method: req.method,
+  });
+
+  // Operational error - send to client
+  if (err instanceof AppError && err.isOperational) {
+    return res.status(err.statusCode).json({
+      error: {
+        code: err.code,
+        message: err.message,
+      },
+    });
+  }
+
+  // Programmer error - generic message
+  res.status(500).json({
+    error: {
+      code: 'INTERNAL_ERROR',
+      message: 'Something went wrong',
+    },
+  });
+}
+```
+
+### Async Handler Wrapper
+
+```typescript
+function asyncHandler(fn: RequestHandler): RequestHandler {
+  return (req, res, next) => {
+    Promise.resolve(fn(req, res, next)).catch(next);
+  };
+}
+
+// Usage
+router.get('/users/:id', asyncHandler(async (req, res) => {
+  const user = await userService.getById(req.params.id);
+  if (!user) throw new NotFoundError('User');
+  res.json(user);
+}));
+```
+
+### FastAPI
+
+```python
+from fastapi import FastAPI, Request
+from fastapi.responses import JSONResponse
+
+app = FastAPI()
+
+@app.exception_handler(AppError)
+async def app_error_handler(request: Request, exc: AppError):
+    return JSONResponse(
+        status_code=exc.status_code,
+        content={"error": {"code": exc.code, "message": exc.message}}
+    )
+```
+
+## Client-Facing Errors
+
+### Response Format
+
+```json
+{
+  "error": {
+    "code": "VALIDATION_ERROR",
+    "message": "Invalid input",
+    "details": [
+      { "field": "email", "message": "Invalid email format" },
+      { "field": "password", "message": "Must be at least 8 characters" }
+    ]
+  }
+}
+```
+
+### Never Expose
+
+- Stack traces
+- Database errors
+- Internal paths
+- Implementation details
+
+## Logging Errors
+
+```typescript
+// Good error log
+logger.error('Failed to process payment', {
+  error: err.message,
+  stack: err.stack,
+  userId: user.id,
+  orderId: order.id,
+  paymentMethod: method.type,
+});
+
+// Bad - logs sensitive data
+logger.error('Payment failed', { 
+  cardNumber: card.number,  // Don't log!
+  error: err 
+});
+```