@geraldmaron/construct 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.env.example +69 -0
- package/LICENSE +21 -0
- package/README.md +344 -0
- package/agents/prompts/cx-accessibility.md +29 -0
- package/agents/prompts/cx-ai-engineer.md +31 -0
- package/agents/prompts/cx-architect.md +40 -0
- package/agents/prompts/cx-business-strategist.md +25 -0
- package/agents/prompts/cx-data-analyst.md +30 -0
- package/agents/prompts/cx-data-engineer.md +32 -0
- package/agents/prompts/cx-debugger.md +27 -0
- package/agents/prompts/cx-designer.md +33 -0
- package/agents/prompts/cx-devil-advocate.md +36 -0
- package/agents/prompts/cx-docs-keeper.md +50 -0
- package/agents/prompts/cx-engineer.md +36 -0
- package/agents/prompts/cx-evaluator.md +26 -0
- package/agents/prompts/cx-explorer.md +38 -0
- package/agents/prompts/cx-legal-compliance.md +25 -0
- package/agents/prompts/cx-operations.md +28 -0
- package/agents/prompts/cx-orchestrator.md +30 -0
- package/agents/prompts/cx-platform-engineer.md +25 -0
- package/agents/prompts/cx-product-manager.md +30 -0
- package/agents/prompts/cx-qa.md +42 -0
- package/agents/prompts/cx-rd-lead.md +25 -0
- package/agents/prompts/cx-release-manager.md +31 -0
- package/agents/prompts/cx-researcher.md +31 -0
- package/agents/prompts/cx-reviewer.md +36 -0
- package/agents/prompts/cx-security.md +37 -0
- package/agents/prompts/cx-sre.md +26 -0
- package/agents/prompts/cx-test-automation.md +35 -0
- package/agents/prompts/cx-trace-reviewer.md +76 -0
- package/agents/prompts/cx-ux-researcher.md +30 -0
- package/agents/registry.json +879 -0
- package/agents/teams.json +94 -0
- package/bin/construct +613 -0
- package/commands/build/feature.md +21 -0
- package/commands/build/fix.md +20 -0
- package/commands/design/access.md +19 -0
- package/commands/design/flow.md +16 -0
- package/commands/design/ui.md +18 -0
- package/commands/measure/experiment.md +18 -0
- package/commands/measure/metrics.md +18 -0
- package/commands/measure/results.md +18 -0
- package/commands/plan/api.md +19 -0
- package/commands/plan/challenge.md +18 -0
- package/commands/plan/decide.md +20 -0
- package/commands/plan/feature.md +49 -0
- package/commands/plan/requirements.md +24 -0
- package/commands/remember/context.md +26 -0
- package/commands/remember/handoff.md +19 -0
- package/commands/remember/runbook.md +20 -0
- package/commands/review/code.md +21 -0
- package/commands/review/quality.md +19 -0
- package/commands/review/security.md +16 -0
- package/commands/ship/ready.md +19 -0
- package/commands/ship/release.md +19 -0
- package/commands/ship/status.md +18 -0
- package/commands/understand/docs.md +22 -0
- package/commands/understand/research.md +22 -0
- package/commands/understand/this.md +23 -0
- package/commands/understand/why.md +18 -0
- package/commands/work/clean.md +32 -0
- package/commands/work/drive.md +69 -0
- package/commands/work/optimize-prompts.md +46 -0
- package/commands/work/parallel-review.md +40 -0
- package/db/migrations/001_init.sql +38 -0
- package/langfuse/docker-compose.yml +82 -0
- package/lib/audit-skills.mjs +118 -0
- package/lib/auto-docs.mjs +293 -0
- package/lib/cli-commands.mjs +409 -0
- package/lib/codex-config.mjs +114 -0
- package/lib/comment-lint.mjs +191 -0
- package/lib/completions.mjs +170 -0
- package/lib/context-state.mjs +99 -0
- package/lib/cost.mjs +213 -0
- package/lib/distill.mjs +403 -0
- package/lib/efficiency.mjs +139 -0
- package/lib/env-config.mjs +53 -0
- package/lib/eval-harness.mjs +59 -0
- package/lib/features.mjs +209 -0
- package/lib/headhunt.mjs +597 -0
- package/lib/hooks/adaptive-lint.mjs +112 -0
- package/lib/hooks/agent-tracker.mjs +50 -0
- package/lib/hooks/bootstrap-guard.mjs +90 -0
- package/lib/hooks/comment-lint.mjs +26 -0
- package/lib/hooks/config-protection.mjs +52 -0
- package/lib/hooks/console-warn.mjs +43 -0
- package/lib/hooks/context-window-recovery.mjs +90 -0
- package/lib/hooks/continuation-enforcer.mjs +72 -0
- package/lib/hooks/dep-audit.mjs +155 -0
- package/lib/hooks/drive-guard.mjs +89 -0
- package/lib/hooks/edit-accumulator.mjs +36 -0
- package/lib/hooks/edit-error-recovery.mjs +46 -0
- package/lib/hooks/edit-guard.mjs +109 -0
- package/lib/hooks/env-check.mjs +80 -0
- package/lib/hooks/guard-bash.mjs +83 -0
- package/lib/hooks/mcp-audit.mjs +57 -0
- package/lib/hooks/mcp-health-check.mjs +51 -0
- package/lib/hooks/mcp-task-scope.mjs +47 -0
- package/lib/hooks/model-fallback.mjs +105 -0
- package/lib/hooks/pre-compact.mjs +212 -0
- package/lib/hooks/pre-push-gate.mjs +129 -0
- package/lib/hooks/read-tracker.mjs +129 -0
- package/lib/hooks/registry-sync.mjs +23 -0
- package/lib/hooks/scan-secrets.mjs +76 -0
- package/lib/hooks/session-start.mjs +95 -0
- package/lib/hooks/stop-notify.mjs +191 -0
- package/lib/hooks/stop-typecheck.mjs +83 -0
- package/lib/hooks/task-completed-guard.mjs +43 -0
- package/lib/hooks/teammate-idle-guard.mjs +54 -0
- package/lib/hooks/workflow-guard.mjs +62 -0
- package/lib/host-capabilities.mjs +123 -0
- package/lib/init-docs.mjs +382 -0
- package/lib/mcp/server.mjs +1123 -0
- package/lib/mcp-catalog.json +243 -0
- package/lib/mcp-manager.mjs +433 -0
- package/lib/mcp-platform-config.mjs +104 -0
- package/lib/model-router.mjs +810 -0
- package/lib/opencode-config.mjs +44 -0
- package/lib/opencode-runtime-plugin.mjs +909 -0
- package/lib/opencode-telemetry.mjs +433 -0
- package/lib/orchestration-policy.mjs +258 -0
- package/lib/prompt-composer.mjs +196 -0
- package/lib/prompt-metadata.mjs +68 -0
- package/lib/review.mjs +429 -0
- package/lib/role-preload.mjs +52 -0
- package/lib/schemas/decision.json +50 -0
- package/lib/schemas/implementation.json +51 -0
- package/lib/schemas/review-report.json +32 -0
- package/lib/schemas/test-report.json +43 -0
- package/lib/server/index.mjs +334 -0
- package/lib/server/static/app.js +841 -0
- package/lib/server/static/index.html +820 -0
- package/lib/service-manager.mjs +225 -0
- package/lib/setup.mjs +319 -0
- package/lib/status.mjs +707 -0
- package/lib/storage/backend.mjs +44 -0
- package/lib/storage/embeddings.mjs +70 -0
- package/lib/storage/hybrid-query.mjs +184 -0
- package/lib/storage/sql-store.mjs +55 -0
- package/lib/storage/state-source.mjs +101 -0
- package/lib/storage/sync.mjs +164 -0
- package/lib/storage/vector-store.mjs +59 -0
- package/lib/telemetry/backends/langfuse.mjs +58 -0
- package/lib/telemetry/backends/noop.mjs +16 -0
- package/lib/telemetry/langfuse-ingest.mjs +108 -0
- package/lib/telemetry/langfuse-model-sync.mjs +270 -0
- package/lib/telemetry/team-rollup.mjs +143 -0
- package/lib/toolkit-env.mjs +30 -0
- package/lib/validator.mjs +181 -0
- package/lib/workflow-state.mjs +794 -0
- package/package.json +53 -0
- package/personas/construct.md +94 -0
- package/platforms/claude/CLAUDE.md +30 -0
- package/platforms/claude/settings.template.json +472 -0
- package/platforms/opencode/config.template.json +65 -0
- package/platforms/opencode/plugins/construct-fallback.js +5 -0
- package/platforms/opencode/sync-config.mjs +69 -0
- package/rules/common/agents.md +55 -0
- package/rules/common/code-review.md +129 -0
- package/rules/common/coding-style.md +95 -0
- package/rules/common/comments.md +139 -0
- package/rules/common/cx-agent-routing.md +61 -0
- package/rules/common/cx-skill-routing.md +11 -0
- package/rules/common/development-workflow.md +49 -0
- package/rules/common/git-workflow.md +29 -0
- package/rules/common/hooks.md +35 -0
- package/rules/common/patterns.md +36 -0
- package/rules/common/performance.md +71 -0
- package/rules/common/security.md +34 -0
- package/rules/common/testing.md +62 -0
- package/rules/golang/coding-style.md +37 -0
- package/rules/golang/hooks.md +22 -0
- package/rules/golang/patterns.md +50 -0
- package/rules/golang/security.md +39 -0
- package/rules/golang/testing.md +36 -0
- package/rules/python/coding-style.md +47 -0
- package/rules/python/hooks.md +24 -0
- package/rules/python/patterns.md +44 -0
- package/rules/python/security.md +35 -0
- package/rules/python/testing.md +43 -0
- package/rules/swift/coding-style.md +52 -0
- package/rules/swift/hooks.md +25 -0
- package/rules/swift/patterns.md +71 -0
- package/rules/swift/security.md +38 -0
- package/rules/swift/testing.md +50 -0
- package/rules/typescript/coding-style.md +204 -0
- package/rules/typescript/hooks.md +27 -0
- package/rules/typescript/patterns.md +57 -0
- package/rules/typescript/security.md +33 -0
- package/rules/typescript/testing.md +23 -0
- package/rules/web/coding-style.md +101 -0
- package/rules/web/design-quality.md +68 -0
- package/rules/web/hooks.md +125 -0
- package/rules/web/patterns.md +84 -0
- package/rules/web/performance.md +69 -0
- package/rules/web/security.md +62 -0
- package/rules/web/testing.md +60 -0
- package/rules/zh/README.md +113 -0
- package/rules/zh/agents.md +55 -0
- package/rules/zh/code-review.md +129 -0
- package/rules/zh/coding-style.md +53 -0
- package/rules/zh/development-workflow.md +49 -0
- package/rules/zh/git-workflow.md +29 -0
- package/rules/zh/hooks.md +35 -0
- package/rules/zh/patterns.md +36 -0
- package/rules/zh/performance.md +60 -0
- package/rules/zh/security.md +34 -0
- package/rules/zh/testing.md +34 -0
- package/skills/ai/agent-dev.md +102 -0
- package/skills/ai/llm-security.md +105 -0
- package/skills/ai/ml-ops.md +169 -0
- package/skills/ai/orchestration-workflow.md +87 -0
- package/skills/ai/prompt-and-eval.md +114 -0
- package/skills/ai/prompt-optimizer.md +114 -0
- package/skills/ai/rag-system.md +104 -0
- package/skills/architecture/api-design.md +100 -0
- package/skills/architecture/caching.md +101 -0
- package/skills/architecture/cloud-native.md +97 -0
- package/skills/architecture/message-queue.md +100 -0
- package/skills/architecture/security-arch.md +105 -0
- package/skills/development/cpp.md +127 -0
- package/skills/development/go.md +129 -0
- package/skills/development/java.md +134 -0
- package/skills/development/kotlin.md +140 -0
- package/skills/development/mobile-crossplatform.md +144 -0
- package/skills/development/python.md +109 -0
- package/skills/development/rust.md +127 -0
- package/skills/development/shell.md +127 -0
- package/skills/development/swift.md +129 -0
- package/skills/development/typescript.md +129 -0
- package/skills/devops/ci-cd.md +108 -0
- package/skills/devops/containerization.md +106 -0
- package/skills/devops/cost-optimization.md +105 -0
- package/skills/devops/data-engineering.md +181 -0
- package/skills/devops/database.md +95 -0
- package/skills/devops/dependency-management.md +91 -0
- package/skills/devops/devsecops.md +96 -0
- package/skills/devops/git-workflow.md +100 -0
- package/skills/devops/incident-response.md +167 -0
- package/skills/devops/monorepo.md +87 -0
- package/skills/devops/observability.md +103 -0
- package/skills/devops/performance.md +104 -0
- package/skills/devops/testing.md +104 -0
- package/skills/docs/adr-workflow.md +32 -0
- package/skills/docs/backlog-proposal-workflow.md +19 -0
- package/skills/docs/customer-profile-workflow.md +22 -0
- package/skills/docs/evidence-ingest-workflow.md +23 -0
- package/skills/docs/init-docs.md +160 -0
- package/skills/docs/init-project.md +50 -0
- package/skills/docs/prd-workflow.md +57 -0
- package/skills/docs/prfaq-workflow.md +25 -0
- package/skills/docs/product-intelligence-review.md +22 -0
- package/skills/docs/product-intelligence-workflow.md +62 -0
- package/skills/docs/product-signal-workflow.md +27 -0
- package/skills/docs/research-workflow.md +28 -0
- package/skills/docs/runbook-workflow.md +24 -0
- package/skills/exploration/repo-map.md +297 -0
- package/skills/frameworks/django.md +159 -0
- package/skills/frameworks/nextjs.md +148 -0
- package/skills/frameworks/react.md +132 -0
- package/skills/frameworks/spring-boot.md +165 -0
- package/skills/frontend-design/accessibility.md +153 -0
- package/skills/frontend-design/component-patterns.md +111 -0
- package/skills/frontend-design/engineering.md +122 -0
- package/skills/frontend-design/state-management.md +118 -0
- package/skills/frontend-design/ui-aesthetics.md +102 -0
- package/skills/frontend-design/ux-principles.md +126 -0
- package/skills/quality-gates/review-work.md +90 -0
- package/skills/quality-gates/verify-change.md +94 -0
- package/skills/quality-gates/verify-module.md +96 -0
- package/skills/quality-gates/verify-quality.md +93 -0
- package/skills/quality-gates/verify-security.md +95 -0
- package/skills/roles/architect.ai-systems.md +37 -0
- package/skills/roles/architect.data.md +37 -0
- package/skills/roles/architect.enterprise.md +37 -0
- package/skills/roles/architect.integration.md +37 -0
- package/skills/roles/architect.md +68 -0
- package/skills/roles/architect.platform.md +37 -0
- package/skills/roles/data-analyst.experiment.md +37 -0
- package/skills/roles/data-analyst.md +68 -0
- package/skills/roles/data-analyst.product-intelligence.md +37 -0
- package/skills/roles/data-analyst.product.md +37 -0
- package/skills/roles/data-analyst.telemetry.md +37 -0
- package/skills/roles/data-engineer.pipeline.md +37 -0
- package/skills/roles/data-engineer.vector-retrieval.md +37 -0
- package/skills/roles/data-engineer.warehouse.md +37 -0
- package/skills/roles/debugger.md +68 -0
- package/skills/roles/designer.accessibility.md +43 -0
- package/skills/roles/designer.md +68 -0
- package/skills/roles/engineer.ai.md +49 -0
- package/skills/roles/engineer.data.md +49 -0
- package/skills/roles/engineer.md +85 -0
- package/skills/roles/engineer.platform.md +49 -0
- package/skills/roles/operator.docs.md +43 -0
- package/skills/roles/operator.md +68 -0
- package/skills/roles/operator.release.md +43 -0
- package/skills/roles/operator.sre.md +43 -0
- package/skills/roles/orchestrator.md +66 -0
- package/skills/roles/product-manager.ai-product.md +37 -0
- package/skills/roles/product-manager.business-strategy.md +43 -0
- package/skills/roles/product-manager.enterprise.md +37 -0
- package/skills/roles/product-manager.growth.md +37 -0
- package/skills/roles/product-manager.md +67 -0
- package/skills/roles/product-manager.platform.md +37 -0
- package/skills/roles/product-manager.product.md +37 -0
- package/skills/roles/qa.ai-eval.md +37 -0
- package/skills/roles/qa.api-contract.md +37 -0
- package/skills/roles/qa.data-pipeline.md +37 -0
- package/skills/roles/qa.md +68 -0
- package/skills/roles/qa.test-automation.md +49 -0
- package/skills/roles/qa.web-ui.md +37 -0
- package/skills/roles/researcher.explorer.md +43 -0
- package/skills/roles/researcher.md +68 -0
- package/skills/roles/researcher.ux.md +43 -0
- package/skills/roles/reviewer.devil-advocate.md +43 -0
- package/skills/roles/reviewer.evaluator.md +43 -0
- package/skills/roles/reviewer.md +68 -0
- package/skills/roles/reviewer.trace.md +43 -0
- package/skills/roles/security.ai.md +37 -0
- package/skills/roles/security.appsec.md +37 -0
- package/skills/roles/security.cloud.md +37 -0
- package/skills/roles/security.legal-compliance.md +49 -0
- package/skills/roles/security.md +68 -0
- package/skills/roles/security.privacy.md +37 -0
- package/skills/roles/security.supply-chain.md +37 -0
- package/skills/routing.md +139 -0
- package/skills/security/blue-team.md +83 -0
- package/skills/security/code-audit.md +94 -0
- package/skills/security/pentest.md +84 -0
- package/skills/security/red-team.md +81 -0
- package/skills/security/threat-intel.md +89 -0
- package/skills/security/vuln-research.md +87 -0
- package/skills/utility/clean-code.md +165 -0
- package/sync-agents.mjs +899 -0
- package/templates/docs/adr.md +27 -0
- package/templates/docs/backlog-proposal.md +26 -0
- package/templates/docs/customer-profile.md +34 -0
- package/templates/docs/evidence-brief.md +37 -0
- package/templates/docs/incident-report.md +46 -0
- package/templates/docs/memo.md +27 -0
- package/templates/docs/meta-prd.md +56 -0
- package/templates/docs/one-pager.md +24 -0
- package/templates/docs/prd-business.md +61 -0
- package/templates/docs/prd-platform.md +62 -0
- package/templates/docs/prd.md +47 -0
- package/templates/docs/prfaq.md +31 -0
- package/templates/docs/product-intelligence-report.md +31 -0
- package/templates/docs/research-brief.md +29 -0
- package/templates/docs/rfc-platform.md +60 -0
- package/templates/docs/rfc.md +46 -0
- package/templates/docs/runbook.md +33 -0
- package/templates/docs/signal-brief.md +25 -0
|
@@ -0,0 +1,68 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.md — Anti-pattern guidance for the Security role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-security, cx-legal-compliance.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security
|
|
10
|
+
applies_to: [cx-security, cx-legal-compliance]
|
|
11
|
+
inherits: null
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Security — Role guidance
|
|
15
|
+
|
|
16
|
+
Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
|
|
17
|
+
|
|
18
|
+
|
|
19
|
+
### 1. Defense in absence
|
|
20
|
+
**Symptom**: protection depends on a single layer — a firewall, a middleware, a validation step — with no defense if that layer is bypassed.
|
|
21
|
+
**Why it fails**: one misconfiguration or bug eliminates all protection at once.
|
|
22
|
+
**Counter-move**: assume any single control can fail. Layer controls at the network, application, and data boundaries.
|
|
23
|
+
|
|
24
|
+
### 2. Secrets in config
|
|
25
|
+
**Symptom**: API keys, tokens, or passwords committed to the repo, hardcoded in code, or checked into `.env` files in source control.
|
|
26
|
+
**Why it fails**: git history preserves them forever; every developer, CI run, and forked repo now has them.
|
|
27
|
+
**Counter-move**: secrets go in a secret manager. The repo contains variable names and example values only.
|
|
28
|
+
|
|
29
|
+
### 3. Trusting user input
|
|
30
|
+
**Symptom**: user-supplied strings concatenated into SQL, shell commands, file paths, URLs, or rendered HTML without validation or escaping.
|
|
31
|
+
**Why it fails**: injection attacks are the most common root cause of data breaches. None of them require a clever attacker.
|
|
32
|
+
**Counter-move**: validate input at the boundary. Use parameterized queries, safe templating, and path canonicalization.
|
|
33
|
+
|
|
34
|
+
### 4. No threat model
|
|
35
|
+
**Symptom**: security review cannot answer "who are we defending against and what do they want".
|
|
36
|
+
**Why it fails**: effort is spent on showy controls while real attack paths go unconsidered.
|
|
37
|
+
**Counter-move**: name the attacker, the asset, and the worst-case outcome before choosing controls.
|
|
38
|
+
|
|
39
|
+
### 5. Authentication without authorization
|
|
40
|
+
**Symptom**: the system checks who the user is but not whether they are allowed to do this specific thing with this specific resource.
|
|
41
|
+
**Why it fails**: IDOR and privilege-escalation bugs. Any authenticated user can see or modify any record.
|
|
42
|
+
**Counter-move**: every protected resource access is accompanied by a per-resource authorization check, not just a session check.
|
|
43
|
+
|
|
44
|
+
### 6. Silent failures in crypto
|
|
45
|
+
**Symptom**: signature verification, token expiry, or certificate validation failures are logged and ignored, or caught and swallowed.
|
|
46
|
+
**Why it fails**: an attacker with a forged token or expired session gets the same treatment as a legitimate user.
|
|
47
|
+
**Counter-move**: crypto failures halt the operation. Errors are surfaced, not logged-and-continued.
|
|
48
|
+
|
|
49
|
+
### 7. Rolling your own
|
|
50
|
+
**Symptom**: hand-written crypto, session management, password hashing, or random-number generation.
|
|
51
|
+
**Why it fails**: subtle flaws that a specialist would catch in seconds but the author will never see.
|
|
52
|
+
**Counter-move**: use the standard library or a vetted third-party library. Review configuration, not implementation.
|
|
53
|
+
|
|
54
|
+
### 8. Error messages that leak
|
|
55
|
+
**Symptom**: production errors return stack traces, SQL queries, internal paths, or schema details.
|
|
56
|
+
**Why it fails**: gives an attacker a map of the system; turns a reconnaissance step into a freebie.
|
|
57
|
+
**Counter-move**: user-facing errors are generic. Detailed context goes to logs with appropriate access controls.
|
|
58
|
+
|
|
59
|
+
## Self-check before shipping
|
|
60
|
+
|
|
61
|
+
- [ ] No single control is the only line of defense
|
|
62
|
+
- [ ] Secrets live in a secret manager, not in the repo
|
|
63
|
+
- [ ] User input is validated and escaped at every boundary
|
|
64
|
+
- [ ] Threat model names attacker, asset, and worst case
|
|
65
|
+
- [ ] Every protected resource has a per-resource authorization check
|
|
66
|
+
- [ ] Crypto failures halt the operation and surface explicitly
|
|
67
|
+
- [ ] No custom crypto; vetted libraries only
|
|
68
|
+
- [ ] Production errors are generic; details are in controlled logs
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.privacy.md — Anti-pattern guidance for the Security.privacy (privacy) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security.privacy (privacy) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-security, cx-legal-compliance.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security.privacy
|
|
10
|
+
applies_to: [cx-security, cx-legal-compliance]
|
|
11
|
+
inherits: security
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Privacy Security Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the security core.
|
|
17
|
+
|
|
18
|
+
### 1. Data collection without minimization
|
|
19
|
+
**Symptom**: events, logs, prompts, or exports include fields because they might be useful later.
|
|
20
|
+
**Why it fails**: unnecessary data increases breach, compliance, and deletion risk.
|
|
21
|
+
**Counter-move**: require purpose, minimization, retention, deletion, and consent/legal basis for personal data.
|
|
22
|
+
|
|
23
|
+
### 2. PII hidden in operational paths
|
|
24
|
+
**Symptom**: support tools, traces, analytics, or embeddings store sensitive data outside primary databases.
|
|
25
|
+
**Why it fails**: privacy reviews often miss secondary stores.
|
|
26
|
+
**Counter-move**: inventory every store and transfer path, including telemetry and vector indexes.
|
|
27
|
+
|
|
28
|
+
### 3. Deletion impossible to prove
|
|
29
|
+
**Symptom**: user deletion removes primary records but not logs, caches, exports, or embeddings.
|
|
30
|
+
**Why it fails**: deletion obligations require complete lifecycle control.
|
|
31
|
+
**Counter-move**: define deletion propagation, retention exceptions, and evidence of completion.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Purpose, minimization, retention, and legal basis are explicit
|
|
35
|
+
- [ ] Telemetry, traces, exports, and embeddings are included in the data map
|
|
36
|
+
- [ ] Deletion and access requests have end-to-end handling
|
|
37
|
+
- [ ] Sensitive data is redacted before logs or prompts
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/roles/security.supply-chain.md — Anti-pattern guidance for the Security.supply-chain (supply chain) role.
|
|
3
|
+
|
|
4
|
+
Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
|
|
5
|
+
Covers common failure modes for the security.supply-chain (supply chain) domain and counter-moves to avoid them.
|
|
6
|
+
Applies to: cx-security, cx-platform-engineer.
|
|
7
|
+
-->
|
|
8
|
+
---
|
|
9
|
+
role: security.supply-chain
|
|
10
|
+
applies_to: [cx-security, cx-platform-engineer]
|
|
11
|
+
inherits: security
|
|
12
|
+
version: 1
|
|
13
|
+
---
|
|
14
|
+
# Supply Chain Security Overlay
|
|
15
|
+
|
|
16
|
+
Additional failure modes on top of the security core.
|
|
17
|
+
|
|
18
|
+
### 1. Dependency trust by popularity
|
|
19
|
+
**Symptom**: packages, actions, images, or plugins are accepted because they are common.
|
|
20
|
+
**Why it fails**: supply-chain incidents often target trusted transitive paths.
|
|
21
|
+
**Counter-move**: verify provenance, pin versions, inspect permissions, and track CVEs.
|
|
22
|
+
|
|
23
|
+
### 2. CI as an unguarded privileged system
|
|
24
|
+
**Symptom**: workflows can access secrets broadly or run untrusted code with write permissions.
|
|
25
|
+
**Why it fails**: CI compromise becomes source, package, or credential compromise.
|
|
26
|
+
**Counter-move**: scope tokens, split trusted/untrusted workflows, and protect release jobs.
|
|
27
|
+
|
|
28
|
+
### 3. Release artifacts not reproducible
|
|
29
|
+
**Symptom**: builds cannot prove what source produced the shipped artifact.
|
|
30
|
+
**Why it fails**: incident response and rollback become guesswork.
|
|
31
|
+
**Counter-move**: require lockfiles, SBOMs, provenance attestations, and signed artifacts where appropriate.
|
|
32
|
+
|
|
33
|
+
## Self-check before shipping
|
|
34
|
+
- [ ] Dependencies, actions, images, and plugins are pinned or justified
|
|
35
|
+
- [ ] CI permissions and secret exposure are scoped
|
|
36
|
+
- [ ] SBOM/provenance/signing expectations are defined
|
|
37
|
+
- [ ] Release artifact source can be traced
|
|
@@ -0,0 +1,139 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/routing.md — Construct AI Agent — Skill Routing — Read the matching skill file before responding when the user's request matches t
|
|
3
|
+
|
|
4
|
+
Read the matching skill file before responding when the user's request matches trigger keywords below. ## Exploration Domain
|
|
5
|
+
-->
|
|
6
|
+
# Construct AI Agent — Skill Routing
|
|
7
|
+
|
|
8
|
+
Read the matching skill file before responding when the user's request matches trigger keywords below.
|
|
9
|
+
|
|
10
|
+
## Exploration Domain
|
|
11
|
+
|
|
12
|
+
| Trigger Keywords | Skill File | Description |
|
|
13
|
+
|---|---|---|
|
|
14
|
+
| explore repo, map codebase, understand codebase, unfamiliar codebase, slog through, get oriented, codebase map, how is this structured, how does this work, where is X, entry point, hot path, code map | `skills/exploration/repo-map.md` | Systematic repo exploration — produce .cx/codebase-map.md |
|
|
15
|
+
|
|
16
|
+
## Quality Gates
|
|
17
|
+
|
|
18
|
+
| Trigger Keywords | Skill File | Description |
|
|
19
|
+
|---|---|---|
|
|
20
|
+
| security scan, vulnerability, secrets, auth audit | `skills/quality-gates/verify-security.md` | Security vulnerability scan |
|
|
21
|
+
| code quality, complexity, code smell, naming | `skills/quality-gates/verify-quality.md` | Code quality analysis |
|
|
22
|
+
| change impact, what broke, doc sync, regression | `skills/quality-gates/verify-change.md` | Change impact analysis |
|
|
23
|
+
| module structure, exports, completeness | `skills/quality-gates/verify-module.md` | Module structure check |
|
|
24
|
+
| parallel review, adversarial review, 5-reviewer, pre-merge review | `skills/quality-gates/review-work.md` | 5-role parallel adversarial review methodology |
|
|
25
|
+
|
|
26
|
+
## Utility Domain
|
|
27
|
+
|
|
28
|
+
| Trigger Keywords | Skill File | Description |
|
|
29
|
+
|---|---|---|
|
|
30
|
+
| ai slop, verbose code, over-commented, clean code, hedging names, dead comments, unnecessary wrapper | `skills/utility/clean-code.md` | AI slop removal patterns and heuristics |
|
|
31
|
+
|
|
32
|
+
## Security Domain
|
|
33
|
+
|
|
34
|
+
| Trigger Keywords | Skill File | Description |
|
|
35
|
+
|---|---|---|
|
|
36
|
+
| pentest, red team, exploit, C2, lateral movement, privilege escalation, evasion, persistence | `skills/security/red-team.md` | Red team attack techniques |
|
|
37
|
+
| blue team, alert, IOC, incident response, forensics, SIEM, EDR, containment | `skills/security/blue-team.md` | Blue team defense and incident response |
|
|
38
|
+
| web pentest, API security, OWASP, SQLi, XSS, SSRF, RCE, injection | `skills/security/pentest.md` | Web and API penetration testing |
|
|
39
|
+
| code audit, dangerous function, taint analysis, sink, source | `skills/security/code-audit.md` | Source code security audit |
|
|
40
|
+
| binary, reversing, PWN, fuzzing, stack overflow, heap overflow, ROP | `skills/security/vuln-research.md` | Vulnerability research and exploitation |
|
|
41
|
+
| OSINT, threat intelligence, threat modeling, ATT&CK, threat hunting | `skills/security/threat-intel.md` | Threat intelligence and OSINT |
|
|
42
|
+
|
|
43
|
+
## Architecture Domain
|
|
44
|
+
|
|
45
|
+
| Trigger Keywords | Skill File | Description |
|
|
46
|
+
|---|---|---|
|
|
47
|
+
| API design, REST, GraphQL, gRPC, endpoint, versioning | `skills/architecture/api-design.md` | API design patterns |
|
|
48
|
+
| caching, Redis, Memcached, cache invalidation, CDN | `skills/architecture/caching.md` | Caching strategies |
|
|
49
|
+
| cloud native, Kubernetes, Docker, microservice, service mesh | `skills/architecture/cloud-native.md` | Cloud-native architecture |
|
|
50
|
+
| message queue, Kafka, RabbitMQ, event driven, pub/sub | `skills/architecture/message-queue.md` | Message queue and event-driven patterns |
|
|
51
|
+
| security architecture, zero trust, defense in depth, IAM | `skills/architecture/security-arch.md` | Security architecture |
|
|
52
|
+
|
|
53
|
+
## AI / MLOps Domain
|
|
54
|
+
|
|
55
|
+
| Trigger Keywords | Skill File | Description |
|
|
56
|
+
|---|---|---|
|
|
57
|
+
| RAG, retrieval augmented, vector database, embedding, chunking | `skills/ai/rag-system.md` | RAG system design |
|
|
58
|
+
| AI agent, tool use, function calling, agent framework, orchestration | `skills/ai/agent-dev.md` | AI agent development |
|
|
59
|
+
| workflow state, orchestration state, task key, handoff contract, phase gate, project alignment | `skills/ai/orchestration-workflow.md` | Construct-style workflow state and phase alignment |
|
|
60
|
+
| LLM security, prompt injection, jailbreak, guardrail | `skills/ai/llm-security.md` | LLM security and guardrails |
|
|
61
|
+
| prompt engineering, model evaluation, benchmark, fine-tuning | `skills/ai/prompt-and-eval.md` | Prompt engineering and evaluation |
|
|
62
|
+
| prompt optimization, improve prompt, optimize agent, quality score, staging prompt, promotion | `skills/ai/prompt-optimizer.md` | Closed-loop prompt auto-optimization via Langfuse traces |
|
|
63
|
+
| MLOps, ML pipeline, model registry, model deployment, feature store, drift detection, model monitoring, training pipeline | `skills/ai/ml-ops.md` | ML operations and model lifecycle |
|
|
64
|
+
|
|
65
|
+
## DevOps Domain
|
|
66
|
+
|
|
67
|
+
| Trigger Keywords | Skill File | Description |
|
|
68
|
+
|---|---|---|
|
|
69
|
+
| Git workflow, branching strategy, trunk-based, GitFlow | `skills/devops/git-workflow.md` | Git workflow patterns |
|
|
70
|
+
| testing strategy, unit test, integration test, e2e, test pyramid | `skills/devops/testing.md` | Testing strategy |
|
|
71
|
+
| database, migration, schema design, indexing, query optimization | `skills/devops/database.md` | Database patterns |
|
|
72
|
+
| performance, profiling, load test, latency, throughput | `skills/devops/performance.md` | Performance engineering |
|
|
73
|
+
| observability, logging, tracing, metrics, Prometheus, Grafana | `skills/devops/observability.md` | Observability and monitoring |
|
|
74
|
+
| DevSecOps, CI security, SAST, DAST, supply chain | `skills/devops/devsecops.md` | DevSecOps practices |
|
|
75
|
+
| cost optimization, cloud cost, FinOps, resource right-sizing | `skills/devops/cost-optimization.md` | Cloud cost optimization |
|
|
76
|
+
| CI/CD, pipeline, GitHub Actions, GitLab CI, workflow, continuous integration, continuous deployment, build pipeline | `skills/devops/ci-cd.md` | CI/CD pipeline design and optimization |
|
|
77
|
+
| monorepo, pnpm workspaces, Turborepo, Nx, Bazel, workspace, multi-package, affected builds | `skills/devops/monorepo.md` | Monorepo tooling and management |
|
|
78
|
+
| dependency upgrade, package update, lock file, Dependabot, Renovate, transitive CVE, npm audit, vulnerability, outdated packages | `skills/devops/dependency-management.md` | Dependency management and upgrade safety |
|
|
79
|
+
| Docker, container, Dockerfile, multi-stage, image scanning, Trivy, Snyk, OCI, containerize | `skills/devops/containerization.md` | Docker and OCI container best practices |
|
|
80
|
+
| incident response, on-call, runbook, post-mortem, blameless, PagerDuty, SLA, outage, escalation | `skills/devops/incident-response.md` | Incident response and post-mortem process |
|
|
81
|
+
| data pipeline, ELT, ETL, dbt, Airflow, Kafka, Spark, Flink, data warehouse, feature store, data contract | `skills/devops/data-engineering.md` | Data pipeline and warehouse engineering |
|
|
82
|
+
|
|
83
|
+
## Development Domain
|
|
84
|
+
|
|
85
|
+
| Trigger Keywords | Skill File | Description |
|
|
86
|
+
|---|---|---|
|
|
87
|
+
| Python, Django, Flask, FastAPI, pip, poetry | `skills/development/python.md` | Python best practices |
|
|
88
|
+
| Go, Golang, goroutine, channel | `skills/development/go.md` | Go best practices |
|
|
89
|
+
| Rust, cargo, borrow checker, lifetime | `skills/development/rust.md` | Rust best practices |
|
|
90
|
+
| TypeScript, JavaScript, Node, Deno, Bun | `skills/development/typescript.md` | TypeScript best practices |
|
|
91
|
+
| Java, Kotlin, Spring, JVM, Maven, Gradle | `skills/development/java.md` | Java best practices |
|
|
92
|
+
| C, C++, CMake, pointer, memory management | `skills/development/cpp.md` | C/C++ best practices |
|
|
93
|
+
| Shell, Bash, Zsh, scripting, CLI | `skills/development/shell.md` | Shell scripting best practices |
|
|
94
|
+
| Swift, iOS, SwiftUI, Xcode, UIKit, Combine | `skills/development/swift.md` | Swift / iOS development |
|
|
95
|
+
| Kotlin Android, Jetpack Compose, coroutines, Android, Hilt | `skills/development/kotlin.md` | Kotlin / Android development |
|
|
96
|
+
| Flutter, React Native, cross-platform mobile, Dart, Expo | `skills/development/mobile-crossplatform.md` | Cross-platform mobile frameworks |
|
|
97
|
+
|
|
98
|
+
## Frontend Design Domain
|
|
99
|
+
|
|
100
|
+
| Trigger Keywords | Skill File | Description |
|
|
101
|
+
|---|---|---|
|
|
102
|
+
| UI aesthetics, visual design, color theory, layout | `skills/frontend-design/ui-aesthetics.md` | UI visual design |
|
|
103
|
+
| UX principles, usability, user flow, information architecture | `skills/frontend-design/ux-principles.md` | UX design principles |
|
|
104
|
+
| component patterns, design system, atomic design | `skills/frontend-design/component-patterns.md` | Component architecture |
|
|
105
|
+
| state management, Redux, Zustand, Pinia, context | `skills/frontend-design/state-management.md` | Frontend state management |
|
|
106
|
+
| frontend engineering, build tool, bundler, SSR, SSG | `skills/frontend-design/engineering.md` | Frontend engineering |
|
|
107
|
+
| accessibility, WCAG, ARIA, screen reader, keyboard navigation, a11y, color contrast, inclusive design | `skills/frontend-design/accessibility.md` | WCAG 2.2 accessibility and inclusive design |
|
|
108
|
+
|
|
109
|
+
## Frameworks Domain
|
|
110
|
+
|
|
111
|
+
| Trigger Keywords | Skill File | Description |
|
|
112
|
+
|---|---|---|
|
|
113
|
+
| React, JSX, hooks, useState, useEffect, RSC, Server Components | `skills/frameworks/react.md` | React patterns and best practices |
|
|
114
|
+
| Next.js, App Router, Server Actions, ISR, route handler, Vercel | `skills/frameworks/nextjs.md` | Next.js App Router |
|
|
115
|
+
| Django, DRF, Django REST, Django ORM, Django views | `skills/frameworks/django.md` | Django and Django REST Framework |
|
|
116
|
+
| Spring Boot, Spring Security, JPA, @RestController, @Service | `skills/frameworks/spring-boot.md` | Spring Boot layered architecture |
|
|
117
|
+
|
|
118
|
+
## Documentation Domain
|
|
119
|
+
|
|
120
|
+
| Trigger Keywords | Skill File | Description |
|
|
121
|
+
|---|---|---|
|
|
122
|
+
| init docs, create docs structure, set up documentation, docs scaffold, documentation init | `skills/docs/init-docs.md` | Initialize required project-state docs and documentation structure |
|
|
123
|
+
| research X, investigate X, find evidence, gather evidence | `skills/docs/research-workflow.md` | Research workflow — question to .cx/research/ file |
|
|
124
|
+
| product intelligence, customer notes, field notes, product signals, customer profile, evidence brief, signal brief, backlog proposal | `skills/docs/product-intelligence-workflow.md` | Product Intelligence workflow — evidence to product artifacts |
|
|
125
|
+
| ingest evidence, ingest customer notes, ingest Slack thread, ingest support ticket, normalize field notes | `skills/docs/evidence-ingest-workflow.md` | Evidence ingest workflow — raw source to .cx/product-intel/ |
|
|
126
|
+
| write a PRD, create requirements, spec out, requirements document, Meta PRD, platform PRD | `skills/docs/prd-workflow.md` | PRD workflow — requirements to docs/prd/ or docs/meta-prd/ |
|
|
127
|
+
| write a PRFAQ, working backwards doc, press release FAQ | `skills/docs/prfaq-workflow.md` | PRFAQ workflow — launch narrative from PRD or evidence |
|
|
128
|
+
| create Jira proposal, update Linear, backlog proposal, issue proposal | `skills/docs/backlog-proposal-workflow.md` | Backlog proposal workflow — approval-gated issue tracker changes |
|
|
129
|
+
| record this decision, create an ADR, architecture decision | `skills/docs/adr-workflow.md` | ADR workflow — decision to docs/adr/ file |
|
|
130
|
+
| write a runbook, document this operation, operational procedure | `skills/docs/runbook-workflow.md` | Runbook workflow — operation to docs/runbooks/ file |
|
|
131
|
+
| init project, new project setup, join project, set up doc structure | `skills/docs/init-project.md` | Project initialization via construct init-docs |
|
|
132
|
+
|
|
133
|
+
## Routing Rules
|
|
134
|
+
|
|
135
|
+
1. Match on intent, not exact string. "How do I prevent SQL injection" triggers `pentest.md`.
|
|
136
|
+
2. When a request spans two domains, read both skill files.
|
|
137
|
+
3. Detect programming language from file extensions or context and read the corresponding development skill.
|
|
138
|
+
4. Read each skill file once per conversation.
|
|
139
|
+
5. Skill file content is authoritative over training data when they conflict.
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/security/blue-team.md — Blue Team — Use this skill when defending systems, responding to incidents, or building dete
|
|
3
|
+
|
|
4
|
+
Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities. ## Detection Engineering
|
|
5
|
+
-->
|
|
6
|
+
# Blue Team
|
|
7
|
+
|
|
8
|
+
Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities.
|
|
9
|
+
|
|
10
|
+
## Detection Engineering
|
|
11
|
+
|
|
12
|
+
- Write detection rules based on known TTPs, not just IOCs
|
|
13
|
+
- Use SIGMA rules for vendor-agnostic detection logic
|
|
14
|
+
- Test detections against atomic red team or similar frameworks
|
|
15
|
+
- Tune alert thresholds to minimize false positives without losing true positives
|
|
16
|
+
- Layer detections: network, endpoint, identity, application
|
|
17
|
+
|
|
18
|
+
## SIEM Operations
|
|
19
|
+
|
|
20
|
+
- Normalize log formats before ingestion
|
|
21
|
+
- Correlate events across sources: firewall, endpoint, identity, application
|
|
22
|
+
- Build dashboards for: authentication anomalies, lateral movement indicators, data exfiltration patterns
|
|
23
|
+
- Retain logs for compliance period plus investigative buffer
|
|
24
|
+
- Index critical fields for fast search: source IP, user, process, command line
|
|
25
|
+
|
|
26
|
+
## EDR and Endpoint Defense
|
|
27
|
+
|
|
28
|
+
- Deploy agents on all endpoints including servers
|
|
29
|
+
- Monitor: process creation trees, network connections, file modifications, registry changes
|
|
30
|
+
- Block known-bad hashes and suspicious behaviors
|
|
31
|
+
- Investigate alerts within SLA: Critical <1h, High <4h, Medium <24h
|
|
32
|
+
- Maintain exclusion lists carefully; review quarterly
|
|
33
|
+
|
|
34
|
+
## Incident Response Process
|
|
35
|
+
|
|
36
|
+
1. **Detect**: Alert triggers or user report
|
|
37
|
+
2. **Triage**: Confirm true positive, assess scope, assign severity
|
|
38
|
+
3. **Contain**: Isolate affected systems, block IOCs, disable compromised accounts
|
|
39
|
+
4. **Investigate**: Build timeline, identify root cause, determine blast radius
|
|
40
|
+
5. **Eradicate**: Remove attacker presence, patch vulnerability, rotate credentials
|
|
41
|
+
6. **Recover**: Restore from clean backups, monitor for re-compromise
|
|
42
|
+
7. **Lessons learned**: Document findings, update runbooks, improve detections
|
|
43
|
+
|
|
44
|
+
## Forensics Fundamentals
|
|
45
|
+
|
|
46
|
+
- Preserve evidence before remediation (memory dumps, disk images, logs)
|
|
47
|
+
- Maintain chain of custody documentation
|
|
48
|
+
- Analyze artifacts: prefetch, event logs, browser history, shellbags, MFT
|
|
49
|
+
- Timeline analysis using multiple artifact sources
|
|
50
|
+
- Hash all evidence for integrity verification
|
|
51
|
+
|
|
52
|
+
## Threat Hunting
|
|
53
|
+
|
|
54
|
+
- Hypothesis-driven: start from a TTP, look for evidence
|
|
55
|
+
- Data-driven: anomaly detection on baselines (unusual process, new scheduled task, rare DNS query)
|
|
56
|
+
- Hunt regularly, not only after incidents
|
|
57
|
+
- Document and share findings to improve detection coverage
|
|
58
|
+
- Track hunt coverage against MITRE ATT&CK matrix
|
|
59
|
+
|
|
60
|
+
## IOC Management
|
|
61
|
+
|
|
62
|
+
- Categorize: IP, domain, hash, URL, email, certificate, mutex
|
|
63
|
+
- Score by confidence and relevance
|
|
64
|
+
- Expire IOCs that are no longer active
|
|
65
|
+
- Automate ingestion from threat feeds into blocking and detection tools
|
|
66
|
+
- Share IOCs with trusted peers via STIX/TAXII or equivalent
|
|
67
|
+
|
|
68
|
+
## Hardening Baselines
|
|
69
|
+
|
|
70
|
+
- CIS benchmarks as starting point for OS and service hardening
|
|
71
|
+
- Disable unnecessary services and protocols
|
|
72
|
+
- Enforce least privilege on all accounts
|
|
73
|
+
- Segment networks by trust zone
|
|
74
|
+
- Patch within SLA: Critical <48h, High <7d, Medium <30d
|
|
75
|
+
- Review firewall rules quarterly; remove stale entries
|
|
76
|
+
|
|
77
|
+
## Metrics
|
|
78
|
+
|
|
79
|
+
- Mean time to detect (MTTD)
|
|
80
|
+
- Mean time to respond (MTTR)
|
|
81
|
+
- Alert-to-incident ratio (false positive rate)
|
|
82
|
+
- MITRE ATT&CK technique coverage percentage
|
|
83
|
+
- Patch compliance rate
|
|
@@ -0,0 +1,94 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/security/code-audit.md — Code Audit — Use this skill when reviewing source code for security vulnerabilities through s
|
|
3
|
+
|
|
4
|
+
Use this skill when reviewing source code for security vulnerabilities through static analysis. ## Taint Analysis
|
|
5
|
+
-->
|
|
6
|
+
# Code Audit
|
|
7
|
+
|
|
8
|
+
Use this skill when reviewing source code for security vulnerabilities through static analysis.
|
|
9
|
+
|
|
10
|
+
## Taint Analysis
|
|
11
|
+
|
|
12
|
+
Trace data flow from sources to sinks. Any path from untrusted input to a dangerous operation without sanitization is a finding.
|
|
13
|
+
|
|
14
|
+
### Sources (Untrusted Input)
|
|
15
|
+
- HTTP request: params, headers, cookies, body, uploaded files
|
|
16
|
+
- Database reads (if user-influenced)
|
|
17
|
+
- Environment variables from external config
|
|
18
|
+
- File reads, IPC, message queue payloads
|
|
19
|
+
- Third-party API responses
|
|
20
|
+
- URL fragments and query strings
|
|
21
|
+
|
|
22
|
+
### Sinks (Dangerous Operations)
|
|
23
|
+
- SQL/NoSQL query construction
|
|
24
|
+
- OS command execution (`exec`, `system`, `spawn`, `popen`)
|
|
25
|
+
- File system operations (open, read, write, delete, path construction)
|
|
26
|
+
- HTML/template rendering
|
|
27
|
+
- HTTP redirects and URL construction
|
|
28
|
+
- Deserialization (`pickle`, `unserialize`, `JSON.parse` of untrusted classes)
|
|
29
|
+
- Dynamic code evaluation (`eval`, `Function()`, `exec()`)
|
|
30
|
+
- Logging (sensitive data leakage)
|
|
31
|
+
|
|
32
|
+
### Sanitization Verification
|
|
33
|
+
- Is the sanitizer appropriate for the sink? (HTML escaping does not prevent SQL injection)
|
|
34
|
+
- Is the sanitizer applied consistently on all paths?
|
|
35
|
+
- Is the sanitizer applied before the sink, not after?
|
|
36
|
+
- Does the sanitizer handle edge cases: null bytes, Unicode normalization, double encoding?
|
|
37
|
+
|
|
38
|
+
## Dangerous Function Patterns
|
|
39
|
+
|
|
40
|
+
### Language-Specific Red Flags
|
|
41
|
+
|
|
42
|
+
**JavaScript/TypeScript**: `eval`, `Function()`, `innerHTML`, `document.write`, `child_process.exec`, `require()` with dynamic input
|
|
43
|
+
**Python**: `eval`, `exec`, `pickle.loads`, `subprocess.shell=True`, `os.system`, `yaml.load` (use safe_load)
|
|
44
|
+
**Java**: `Runtime.exec`, `ProcessBuilder`, `ObjectInputStream.readObject`, `Statement.execute` (use PreparedStatement)
|
|
45
|
+
**Go**: `os/exec.Command` with user input, `html/template` vs `text/template` confusion, `unsafe` package usage
|
|
46
|
+
**Rust**: `unsafe` blocks, `Command::new` with user input, raw pointer operations
|
|
47
|
+
**PHP**: `eval`, `system`, `exec`, `passthru`, `preg_replace` with `e` modifier, `unserialize`
|
|
48
|
+
|
|
49
|
+
## Authentication and Session Review
|
|
50
|
+
|
|
51
|
+
- Password comparison uses constant-time comparison
|
|
52
|
+
- Session tokens generated with CSPRNG
|
|
53
|
+
- Session invalidated on logout and password change
|
|
54
|
+
- Token expiry enforced server-side
|
|
55
|
+
- No session data in URLs
|
|
56
|
+
|
|
57
|
+
## Access Control Review
|
|
58
|
+
|
|
59
|
+
- Authorization checked on every request, not cached from prior request
|
|
60
|
+
- Role checks happen server-side
|
|
61
|
+
- Object-level authorization verified (not just endpoint-level)
|
|
62
|
+
- Admin functionality isolated from user-facing code paths
|
|
63
|
+
|
|
64
|
+
## Cryptography Review
|
|
65
|
+
|
|
66
|
+
- No custom cryptographic implementations
|
|
67
|
+
- Key material not hardcoded or logged
|
|
68
|
+
- IV/nonce never reused with the same key
|
|
69
|
+
- Signatures verified before trusting data
|
|
70
|
+
- Constant-time comparison for MAC/signature verification
|
|
71
|
+
|
|
72
|
+
## File and Path Operations
|
|
73
|
+
|
|
74
|
+
- User input never directly used in file paths
|
|
75
|
+
- Path traversal prevention: canonicalize then validate prefix
|
|
76
|
+
- File uploads: validate type, limit size, store outside webroot, randomize names
|
|
77
|
+
- Temporary files created securely and cleaned up
|
|
78
|
+
|
|
79
|
+
## Error Handling Review
|
|
80
|
+
|
|
81
|
+
- Exceptions do not expose internal state to users
|
|
82
|
+
- Catch blocks do not silently swallow security-relevant errors
|
|
83
|
+
- Fallback behavior does not weaken security (fail-open vs fail-closed)
|
|
84
|
+
- Resource cleanup happens in all exit paths
|
|
85
|
+
|
|
86
|
+
## Reporting Format
|
|
87
|
+
|
|
88
|
+
For each finding:
|
|
89
|
+
1. **Location**: file, line, function
|
|
90
|
+
2. **Category**: injection, auth, crypto, data exposure, etc.
|
|
91
|
+
3. **Severity**: Critical / High / Medium / Low
|
|
92
|
+
4. **Data flow**: source -> [transforms] -> sink
|
|
93
|
+
5. **Proof**: concrete exploit scenario or test case
|
|
94
|
+
6. **Fix**: specific remediation with code example
|
|
@@ -0,0 +1,84 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/security/pentest.md — Penetration Testing — Use this skill when testing web applications or APIs for security vulnerabilitie
|
|
3
|
+
|
|
4
|
+
Use this skill when testing web applications or APIs for security vulnerabilities. ## OWASP Top 10 Checklist
|
|
5
|
+
-->
|
|
6
|
+
# Penetration Testing
|
|
7
|
+
|
|
8
|
+
Use this skill when testing web applications or APIs for security vulnerabilities.
|
|
9
|
+
|
|
10
|
+
## OWASP Top 10 Checklist
|
|
11
|
+
|
|
12
|
+
### Broken Access Control
|
|
13
|
+
- Test horizontal privilege escalation: access another user's resources by changing IDs
|
|
14
|
+
- Test vertical privilege escalation: access admin functions as regular user
|
|
15
|
+
- Test IDOR on every endpoint that accepts an identifier
|
|
16
|
+
- Verify server-side enforcement, not just UI hiding
|
|
17
|
+
|
|
18
|
+
### Cryptographic Failures
|
|
19
|
+
- Check for sensitive data in URLs, logs, and error messages
|
|
20
|
+
- Verify TLS configuration (SSL Labs A+ target)
|
|
21
|
+
- Check for weak cipher suites and protocol versions
|
|
22
|
+
- Verify sensitive data encrypted at rest
|
|
23
|
+
|
|
24
|
+
### Injection
|
|
25
|
+
- SQL: test with `' OR 1=1--`, time-based blind, UNION-based
|
|
26
|
+
- NoSQL: test with `{"$gt": ""}` and operator injection
|
|
27
|
+
- OS Command: test with `; id`, `| whoami`, backtick substitution
|
|
28
|
+
- LDAP, XPath, template injection where applicable
|
|
29
|
+
|
|
30
|
+
### Insecure Design
|
|
31
|
+
- Business logic flaws: race conditions, price manipulation, workflow bypass
|
|
32
|
+
- Missing rate limiting on sensitive operations
|
|
33
|
+
- Lack of fraud detection on financial transactions
|
|
34
|
+
|
|
35
|
+
### Security Misconfiguration
|
|
36
|
+
- Default credentials on admin panels, databases, services
|
|
37
|
+
- Unnecessary HTTP methods enabled (TRACE, OPTIONS)
|
|
38
|
+
- Directory listing enabled
|
|
39
|
+
- Stack traces and debug info in production responses
|
|
40
|
+
- CORS misconfiguration: wildcard origins, credential reflection
|
|
41
|
+
|
|
42
|
+
### Vulnerable Components
|
|
43
|
+
- Run `npm audit`, `pip audit`, `cargo audit`
|
|
44
|
+
- Check for known CVEs in server software and frameworks
|
|
45
|
+
- Verify component versions against vulnerability databases
|
|
46
|
+
|
|
47
|
+
### Authentication Failures
|
|
48
|
+
- Brute force resistance: account lockout or progressive delays
|
|
49
|
+
- Credential stuffing protection
|
|
50
|
+
- Session fixation and session hijacking
|
|
51
|
+
- JWT: algorithm confusion, none algorithm, key leakage, expiry validation
|
|
52
|
+
- Password reset flow: token predictability, expiry, single use
|
|
53
|
+
|
|
54
|
+
### Data Integrity Failures
|
|
55
|
+
- Deserialization: test for RCE via crafted objects
|
|
56
|
+
- Verify integrity of software updates and CI/CD pipelines
|
|
57
|
+
- Check for unsigned or unverified data in trust decisions
|
|
58
|
+
|
|
59
|
+
### Logging and Monitoring Failures
|
|
60
|
+
- Verify login attempts are logged
|
|
61
|
+
- Verify failed access control is logged
|
|
62
|
+
- Check that logs do not contain sensitive data
|
|
63
|
+
- Confirm alerting exists for suspicious patterns
|
|
64
|
+
|
|
65
|
+
### SSRF
|
|
66
|
+
- Test URL parameters for internal network access
|
|
67
|
+
- Check for cloud metadata endpoint access (169.254.169.254)
|
|
68
|
+
- Test DNS rebinding scenarios
|
|
69
|
+
- Verify allowlist-based URL validation
|
|
70
|
+
|
|
71
|
+
## API-Specific Testing
|
|
72
|
+
|
|
73
|
+
- Test all HTTP methods on each endpoint
|
|
74
|
+
- Fuzz parameters with unexpected types and sizes
|
|
75
|
+
- Test pagination for data leakage beyond authorized scope
|
|
76
|
+
- Verify rate limiting per endpoint and per user
|
|
77
|
+
- Check GraphQL: introspection disabled in prod, query depth limits, batch attack resistance
|
|
78
|
+
|
|
79
|
+
## Reporting
|
|
80
|
+
|
|
81
|
+
- Severity rated by exploitability and business impact
|
|
82
|
+
- Each finding includes: description, reproduction steps, evidence, remediation
|
|
83
|
+
- Group findings by category for systemic issues
|
|
84
|
+
- Provide a prioritized remediation roadmap
|
|
@@ -0,0 +1,81 @@
|
|
|
1
|
+
<!--
|
|
2
|
+
skills/security/red-team.md — Red Team — Use this skill when planning or executing offensive security assessments, advers
|
|
3
|
+
|
|
4
|
+
Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations. ## Reconnaissance
|
|
5
|
+
-->
|
|
6
|
+
# Red Team
|
|
7
|
+
|
|
8
|
+
Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations.
|
|
9
|
+
|
|
10
|
+
## Reconnaissance
|
|
11
|
+
|
|
12
|
+
- Passive: DNS records, WHOIS, certificate transparency, public repos, social media, job postings
|
|
13
|
+
- Active: port scanning, service fingerprinting, directory brute-forcing, virtual host enumeration
|
|
14
|
+
- Map the attack surface before attempting exploitation
|
|
15
|
+
- Document all discovered assets, services, and potential entry points
|
|
16
|
+
|
|
17
|
+
## Initial Access
|
|
18
|
+
|
|
19
|
+
- Phishing: credential harvesting, macro-enabled documents, HTML smuggling
|
|
20
|
+
- Exposed services: default credentials, known CVEs, misconfigured cloud storage
|
|
21
|
+
- Supply chain: compromised dependencies, typosquatting packages
|
|
22
|
+
- Web application: authentication bypass, injection, file upload abuse
|
|
23
|
+
- Always verify scope before attempting access vectors
|
|
24
|
+
|
|
25
|
+
## Privilege Escalation
|
|
26
|
+
|
|
27
|
+
- Linux: SUID binaries, writable cron jobs, kernel exploits, sudo misconfigurations, capability abuse
|
|
28
|
+
- Windows: unquoted service paths, DLL hijacking, token impersonation, AlwaysInstallElevated, PrintNightmare variants
|
|
29
|
+
- Cloud: over-permissive IAM roles, instance metadata SSRF, cross-account trust abuse
|
|
30
|
+
- Enumerate before escalating; avoid unnecessary noise
|
|
31
|
+
|
|
32
|
+
## Lateral Movement
|
|
33
|
+
|
|
34
|
+
- Credential reuse across hosts
|
|
35
|
+
- Pass-the-hash and pass-the-ticket (Kerberos)
|
|
36
|
+
- Remote services: WMI, PSRemoting, SSH, RDP
|
|
37
|
+
- Internal pivoting through compromised hosts
|
|
38
|
+
- Abuse of administrative shares and trust relationships
|
|
39
|
+
- Document each hop for the attack path narrative
|
|
40
|
+
|
|
41
|
+
## Persistence
|
|
42
|
+
|
|
43
|
+
- Scheduled tasks and cron jobs
|
|
44
|
+
- Registry run keys and startup folders
|
|
45
|
+
- Web shells and reverse shells
|
|
46
|
+
- Service creation and modification
|
|
47
|
+
- Golden/silver tickets in Active Directory
|
|
48
|
+
- Cloud: persistent IAM keys, backdoor roles, lambda triggers
|
|
49
|
+
|
|
50
|
+
## Command and Control
|
|
51
|
+
|
|
52
|
+
- HTTP/HTTPS beaconing with domain fronting
|
|
53
|
+
- DNS tunneling for restrictive networks
|
|
54
|
+
- Encrypted channels with jitter and sleep intervals
|
|
55
|
+
- Redirectors to protect infrastructure
|
|
56
|
+
- Avoid patterns that trigger common EDR signatures
|
|
57
|
+
|
|
58
|
+
## Evasion
|
|
59
|
+
|
|
60
|
+
- AMSI bypass techniques for PowerShell
|
|
61
|
+
- Living-off-the-land binaries (LOLBins)
|
|
62
|
+
- Process injection: hollowing, DLL injection, APC queue
|
|
63
|
+
- Timestomping and log tampering (document for report, do not destroy evidence)
|
|
64
|
+
- Obfuscation of tooling and payloads
|
|
65
|
+
|
|
66
|
+
## Reporting
|
|
67
|
+
|
|
68
|
+
- Document the full kill chain with timestamps
|
|
69
|
+
- Map findings to MITRE ATT&CK techniques
|
|
70
|
+
- Provide reproduction steps for each finding
|
|
71
|
+
- Rate severity by business impact, not technical complexity
|
|
72
|
+
- Include remediation recommendations with priority
|
|
73
|
+
- Separate executive summary from technical details
|
|
74
|
+
|
|
75
|
+
## Rules of Engagement
|
|
76
|
+
|
|
77
|
+
- Operate strictly within authorized scope
|
|
78
|
+
- Maintain out-of-band communication with the client
|
|
79
|
+
- Have emergency stop procedures ready
|
|
80
|
+
- Log all actions for accountability
|
|
81
|
+
- Never exfiltrate real sensitive data; use proof-of-access artifacts
|