@geraldmaron/construct 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (352) hide show
  1. package/.env.example +69 -0
  2. package/LICENSE +21 -0
  3. package/README.md +344 -0
  4. package/agents/prompts/cx-accessibility.md +29 -0
  5. package/agents/prompts/cx-ai-engineer.md +31 -0
  6. package/agents/prompts/cx-architect.md +40 -0
  7. package/agents/prompts/cx-business-strategist.md +25 -0
  8. package/agents/prompts/cx-data-analyst.md +30 -0
  9. package/agents/prompts/cx-data-engineer.md +32 -0
  10. package/agents/prompts/cx-debugger.md +27 -0
  11. package/agents/prompts/cx-designer.md +33 -0
  12. package/agents/prompts/cx-devil-advocate.md +36 -0
  13. package/agents/prompts/cx-docs-keeper.md +50 -0
  14. package/agents/prompts/cx-engineer.md +36 -0
  15. package/agents/prompts/cx-evaluator.md +26 -0
  16. package/agents/prompts/cx-explorer.md +38 -0
  17. package/agents/prompts/cx-legal-compliance.md +25 -0
  18. package/agents/prompts/cx-operations.md +28 -0
  19. package/agents/prompts/cx-orchestrator.md +30 -0
  20. package/agents/prompts/cx-platform-engineer.md +25 -0
  21. package/agents/prompts/cx-product-manager.md +30 -0
  22. package/agents/prompts/cx-qa.md +42 -0
  23. package/agents/prompts/cx-rd-lead.md +25 -0
  24. package/agents/prompts/cx-release-manager.md +31 -0
  25. package/agents/prompts/cx-researcher.md +31 -0
  26. package/agents/prompts/cx-reviewer.md +36 -0
  27. package/agents/prompts/cx-security.md +37 -0
  28. package/agents/prompts/cx-sre.md +26 -0
  29. package/agents/prompts/cx-test-automation.md +35 -0
  30. package/agents/prompts/cx-trace-reviewer.md +76 -0
  31. package/agents/prompts/cx-ux-researcher.md +30 -0
  32. package/agents/registry.json +879 -0
  33. package/agents/teams.json +94 -0
  34. package/bin/construct +613 -0
  35. package/commands/build/feature.md +21 -0
  36. package/commands/build/fix.md +20 -0
  37. package/commands/design/access.md +19 -0
  38. package/commands/design/flow.md +16 -0
  39. package/commands/design/ui.md +18 -0
  40. package/commands/measure/experiment.md +18 -0
  41. package/commands/measure/metrics.md +18 -0
  42. package/commands/measure/results.md +18 -0
  43. package/commands/plan/api.md +19 -0
  44. package/commands/plan/challenge.md +18 -0
  45. package/commands/plan/decide.md +20 -0
  46. package/commands/plan/feature.md +49 -0
  47. package/commands/plan/requirements.md +24 -0
  48. package/commands/remember/context.md +26 -0
  49. package/commands/remember/handoff.md +19 -0
  50. package/commands/remember/runbook.md +20 -0
  51. package/commands/review/code.md +21 -0
  52. package/commands/review/quality.md +19 -0
  53. package/commands/review/security.md +16 -0
  54. package/commands/ship/ready.md +19 -0
  55. package/commands/ship/release.md +19 -0
  56. package/commands/ship/status.md +18 -0
  57. package/commands/understand/docs.md +22 -0
  58. package/commands/understand/research.md +22 -0
  59. package/commands/understand/this.md +23 -0
  60. package/commands/understand/why.md +18 -0
  61. package/commands/work/clean.md +32 -0
  62. package/commands/work/drive.md +69 -0
  63. package/commands/work/optimize-prompts.md +46 -0
  64. package/commands/work/parallel-review.md +40 -0
  65. package/db/migrations/001_init.sql +38 -0
  66. package/langfuse/docker-compose.yml +82 -0
  67. package/lib/audit-skills.mjs +118 -0
  68. package/lib/auto-docs.mjs +293 -0
  69. package/lib/cli-commands.mjs +409 -0
  70. package/lib/codex-config.mjs +114 -0
  71. package/lib/comment-lint.mjs +191 -0
  72. package/lib/completions.mjs +170 -0
  73. package/lib/context-state.mjs +99 -0
  74. package/lib/cost.mjs +213 -0
  75. package/lib/distill.mjs +403 -0
  76. package/lib/efficiency.mjs +139 -0
  77. package/lib/env-config.mjs +53 -0
  78. package/lib/eval-harness.mjs +59 -0
  79. package/lib/features.mjs +209 -0
  80. package/lib/headhunt.mjs +597 -0
  81. package/lib/hooks/adaptive-lint.mjs +112 -0
  82. package/lib/hooks/agent-tracker.mjs +50 -0
  83. package/lib/hooks/bootstrap-guard.mjs +90 -0
  84. package/lib/hooks/comment-lint.mjs +26 -0
  85. package/lib/hooks/config-protection.mjs +52 -0
  86. package/lib/hooks/console-warn.mjs +43 -0
  87. package/lib/hooks/context-window-recovery.mjs +90 -0
  88. package/lib/hooks/continuation-enforcer.mjs +72 -0
  89. package/lib/hooks/dep-audit.mjs +155 -0
  90. package/lib/hooks/drive-guard.mjs +89 -0
  91. package/lib/hooks/edit-accumulator.mjs +36 -0
  92. package/lib/hooks/edit-error-recovery.mjs +46 -0
  93. package/lib/hooks/edit-guard.mjs +109 -0
  94. package/lib/hooks/env-check.mjs +80 -0
  95. package/lib/hooks/guard-bash.mjs +83 -0
  96. package/lib/hooks/mcp-audit.mjs +57 -0
  97. package/lib/hooks/mcp-health-check.mjs +51 -0
  98. package/lib/hooks/mcp-task-scope.mjs +47 -0
  99. package/lib/hooks/model-fallback.mjs +105 -0
  100. package/lib/hooks/pre-compact.mjs +212 -0
  101. package/lib/hooks/pre-push-gate.mjs +129 -0
  102. package/lib/hooks/read-tracker.mjs +129 -0
  103. package/lib/hooks/registry-sync.mjs +23 -0
  104. package/lib/hooks/scan-secrets.mjs +76 -0
  105. package/lib/hooks/session-start.mjs +95 -0
  106. package/lib/hooks/stop-notify.mjs +191 -0
  107. package/lib/hooks/stop-typecheck.mjs +83 -0
  108. package/lib/hooks/task-completed-guard.mjs +43 -0
  109. package/lib/hooks/teammate-idle-guard.mjs +54 -0
  110. package/lib/hooks/workflow-guard.mjs +62 -0
  111. package/lib/host-capabilities.mjs +123 -0
  112. package/lib/init-docs.mjs +382 -0
  113. package/lib/mcp/server.mjs +1123 -0
  114. package/lib/mcp-catalog.json +243 -0
  115. package/lib/mcp-manager.mjs +433 -0
  116. package/lib/mcp-platform-config.mjs +104 -0
  117. package/lib/model-router.mjs +810 -0
  118. package/lib/opencode-config.mjs +44 -0
  119. package/lib/opencode-runtime-plugin.mjs +909 -0
  120. package/lib/opencode-telemetry.mjs +433 -0
  121. package/lib/orchestration-policy.mjs +258 -0
  122. package/lib/prompt-composer.mjs +196 -0
  123. package/lib/prompt-metadata.mjs +68 -0
  124. package/lib/review.mjs +429 -0
  125. package/lib/role-preload.mjs +52 -0
  126. package/lib/schemas/decision.json +50 -0
  127. package/lib/schemas/implementation.json +51 -0
  128. package/lib/schemas/review-report.json +32 -0
  129. package/lib/schemas/test-report.json +43 -0
  130. package/lib/server/index.mjs +334 -0
  131. package/lib/server/static/app.js +841 -0
  132. package/lib/server/static/index.html +820 -0
  133. package/lib/service-manager.mjs +225 -0
  134. package/lib/setup.mjs +319 -0
  135. package/lib/status.mjs +707 -0
  136. package/lib/storage/backend.mjs +44 -0
  137. package/lib/storage/embeddings.mjs +70 -0
  138. package/lib/storage/hybrid-query.mjs +184 -0
  139. package/lib/storage/sql-store.mjs +55 -0
  140. package/lib/storage/state-source.mjs +101 -0
  141. package/lib/storage/sync.mjs +164 -0
  142. package/lib/storage/vector-store.mjs +59 -0
  143. package/lib/telemetry/backends/langfuse.mjs +58 -0
  144. package/lib/telemetry/backends/noop.mjs +16 -0
  145. package/lib/telemetry/langfuse-ingest.mjs +108 -0
  146. package/lib/telemetry/langfuse-model-sync.mjs +270 -0
  147. package/lib/telemetry/team-rollup.mjs +143 -0
  148. package/lib/toolkit-env.mjs +30 -0
  149. package/lib/validator.mjs +181 -0
  150. package/lib/workflow-state.mjs +794 -0
  151. package/package.json +53 -0
  152. package/personas/construct.md +94 -0
  153. package/platforms/claude/CLAUDE.md +30 -0
  154. package/platforms/claude/settings.template.json +472 -0
  155. package/platforms/opencode/config.template.json +65 -0
  156. package/platforms/opencode/plugins/construct-fallback.js +5 -0
  157. package/platforms/opencode/sync-config.mjs +69 -0
  158. package/rules/common/agents.md +55 -0
  159. package/rules/common/code-review.md +129 -0
  160. package/rules/common/coding-style.md +95 -0
  161. package/rules/common/comments.md +139 -0
  162. package/rules/common/cx-agent-routing.md +61 -0
  163. package/rules/common/cx-skill-routing.md +11 -0
  164. package/rules/common/development-workflow.md +49 -0
  165. package/rules/common/git-workflow.md +29 -0
  166. package/rules/common/hooks.md +35 -0
  167. package/rules/common/patterns.md +36 -0
  168. package/rules/common/performance.md +71 -0
  169. package/rules/common/security.md +34 -0
  170. package/rules/common/testing.md +62 -0
  171. package/rules/golang/coding-style.md +37 -0
  172. package/rules/golang/hooks.md +22 -0
  173. package/rules/golang/patterns.md +50 -0
  174. package/rules/golang/security.md +39 -0
  175. package/rules/golang/testing.md +36 -0
  176. package/rules/python/coding-style.md +47 -0
  177. package/rules/python/hooks.md +24 -0
  178. package/rules/python/patterns.md +44 -0
  179. package/rules/python/security.md +35 -0
  180. package/rules/python/testing.md +43 -0
  181. package/rules/swift/coding-style.md +52 -0
  182. package/rules/swift/hooks.md +25 -0
  183. package/rules/swift/patterns.md +71 -0
  184. package/rules/swift/security.md +38 -0
  185. package/rules/swift/testing.md +50 -0
  186. package/rules/typescript/coding-style.md +204 -0
  187. package/rules/typescript/hooks.md +27 -0
  188. package/rules/typescript/patterns.md +57 -0
  189. package/rules/typescript/security.md +33 -0
  190. package/rules/typescript/testing.md +23 -0
  191. package/rules/web/coding-style.md +101 -0
  192. package/rules/web/design-quality.md +68 -0
  193. package/rules/web/hooks.md +125 -0
  194. package/rules/web/patterns.md +84 -0
  195. package/rules/web/performance.md +69 -0
  196. package/rules/web/security.md +62 -0
  197. package/rules/web/testing.md +60 -0
  198. package/rules/zh/README.md +113 -0
  199. package/rules/zh/agents.md +55 -0
  200. package/rules/zh/code-review.md +129 -0
  201. package/rules/zh/coding-style.md +53 -0
  202. package/rules/zh/development-workflow.md +49 -0
  203. package/rules/zh/git-workflow.md +29 -0
  204. package/rules/zh/hooks.md +35 -0
  205. package/rules/zh/patterns.md +36 -0
  206. package/rules/zh/performance.md +60 -0
  207. package/rules/zh/security.md +34 -0
  208. package/rules/zh/testing.md +34 -0
  209. package/skills/ai/agent-dev.md +102 -0
  210. package/skills/ai/llm-security.md +105 -0
  211. package/skills/ai/ml-ops.md +169 -0
  212. package/skills/ai/orchestration-workflow.md +87 -0
  213. package/skills/ai/prompt-and-eval.md +114 -0
  214. package/skills/ai/prompt-optimizer.md +114 -0
  215. package/skills/ai/rag-system.md +104 -0
  216. package/skills/architecture/api-design.md +100 -0
  217. package/skills/architecture/caching.md +101 -0
  218. package/skills/architecture/cloud-native.md +97 -0
  219. package/skills/architecture/message-queue.md +100 -0
  220. package/skills/architecture/security-arch.md +105 -0
  221. package/skills/development/cpp.md +127 -0
  222. package/skills/development/go.md +129 -0
  223. package/skills/development/java.md +134 -0
  224. package/skills/development/kotlin.md +140 -0
  225. package/skills/development/mobile-crossplatform.md +144 -0
  226. package/skills/development/python.md +109 -0
  227. package/skills/development/rust.md +127 -0
  228. package/skills/development/shell.md +127 -0
  229. package/skills/development/swift.md +129 -0
  230. package/skills/development/typescript.md +129 -0
  231. package/skills/devops/ci-cd.md +108 -0
  232. package/skills/devops/containerization.md +106 -0
  233. package/skills/devops/cost-optimization.md +105 -0
  234. package/skills/devops/data-engineering.md +181 -0
  235. package/skills/devops/database.md +95 -0
  236. package/skills/devops/dependency-management.md +91 -0
  237. package/skills/devops/devsecops.md +96 -0
  238. package/skills/devops/git-workflow.md +100 -0
  239. package/skills/devops/incident-response.md +167 -0
  240. package/skills/devops/monorepo.md +87 -0
  241. package/skills/devops/observability.md +103 -0
  242. package/skills/devops/performance.md +104 -0
  243. package/skills/devops/testing.md +104 -0
  244. package/skills/docs/adr-workflow.md +32 -0
  245. package/skills/docs/backlog-proposal-workflow.md +19 -0
  246. package/skills/docs/customer-profile-workflow.md +22 -0
  247. package/skills/docs/evidence-ingest-workflow.md +23 -0
  248. package/skills/docs/init-docs.md +160 -0
  249. package/skills/docs/init-project.md +50 -0
  250. package/skills/docs/prd-workflow.md +57 -0
  251. package/skills/docs/prfaq-workflow.md +25 -0
  252. package/skills/docs/product-intelligence-review.md +22 -0
  253. package/skills/docs/product-intelligence-workflow.md +62 -0
  254. package/skills/docs/product-signal-workflow.md +27 -0
  255. package/skills/docs/research-workflow.md +28 -0
  256. package/skills/docs/runbook-workflow.md +24 -0
  257. package/skills/exploration/repo-map.md +297 -0
  258. package/skills/frameworks/django.md +159 -0
  259. package/skills/frameworks/nextjs.md +148 -0
  260. package/skills/frameworks/react.md +132 -0
  261. package/skills/frameworks/spring-boot.md +165 -0
  262. package/skills/frontend-design/accessibility.md +153 -0
  263. package/skills/frontend-design/component-patterns.md +111 -0
  264. package/skills/frontend-design/engineering.md +122 -0
  265. package/skills/frontend-design/state-management.md +118 -0
  266. package/skills/frontend-design/ui-aesthetics.md +102 -0
  267. package/skills/frontend-design/ux-principles.md +126 -0
  268. package/skills/quality-gates/review-work.md +90 -0
  269. package/skills/quality-gates/verify-change.md +94 -0
  270. package/skills/quality-gates/verify-module.md +96 -0
  271. package/skills/quality-gates/verify-quality.md +93 -0
  272. package/skills/quality-gates/verify-security.md +95 -0
  273. package/skills/roles/architect.ai-systems.md +37 -0
  274. package/skills/roles/architect.data.md +37 -0
  275. package/skills/roles/architect.enterprise.md +37 -0
  276. package/skills/roles/architect.integration.md +37 -0
  277. package/skills/roles/architect.md +68 -0
  278. package/skills/roles/architect.platform.md +37 -0
  279. package/skills/roles/data-analyst.experiment.md +37 -0
  280. package/skills/roles/data-analyst.md +68 -0
  281. package/skills/roles/data-analyst.product-intelligence.md +37 -0
  282. package/skills/roles/data-analyst.product.md +37 -0
  283. package/skills/roles/data-analyst.telemetry.md +37 -0
  284. package/skills/roles/data-engineer.pipeline.md +37 -0
  285. package/skills/roles/data-engineer.vector-retrieval.md +37 -0
  286. package/skills/roles/data-engineer.warehouse.md +37 -0
  287. package/skills/roles/debugger.md +68 -0
  288. package/skills/roles/designer.accessibility.md +43 -0
  289. package/skills/roles/designer.md +68 -0
  290. package/skills/roles/engineer.ai.md +49 -0
  291. package/skills/roles/engineer.data.md +49 -0
  292. package/skills/roles/engineer.md +85 -0
  293. package/skills/roles/engineer.platform.md +49 -0
  294. package/skills/roles/operator.docs.md +43 -0
  295. package/skills/roles/operator.md +68 -0
  296. package/skills/roles/operator.release.md +43 -0
  297. package/skills/roles/operator.sre.md +43 -0
  298. package/skills/roles/orchestrator.md +66 -0
  299. package/skills/roles/product-manager.ai-product.md +37 -0
  300. package/skills/roles/product-manager.business-strategy.md +43 -0
  301. package/skills/roles/product-manager.enterprise.md +37 -0
  302. package/skills/roles/product-manager.growth.md +37 -0
  303. package/skills/roles/product-manager.md +67 -0
  304. package/skills/roles/product-manager.platform.md +37 -0
  305. package/skills/roles/product-manager.product.md +37 -0
  306. package/skills/roles/qa.ai-eval.md +37 -0
  307. package/skills/roles/qa.api-contract.md +37 -0
  308. package/skills/roles/qa.data-pipeline.md +37 -0
  309. package/skills/roles/qa.md +68 -0
  310. package/skills/roles/qa.test-automation.md +49 -0
  311. package/skills/roles/qa.web-ui.md +37 -0
  312. package/skills/roles/researcher.explorer.md +43 -0
  313. package/skills/roles/researcher.md +68 -0
  314. package/skills/roles/researcher.ux.md +43 -0
  315. package/skills/roles/reviewer.devil-advocate.md +43 -0
  316. package/skills/roles/reviewer.evaluator.md +43 -0
  317. package/skills/roles/reviewer.md +68 -0
  318. package/skills/roles/reviewer.trace.md +43 -0
  319. package/skills/roles/security.ai.md +37 -0
  320. package/skills/roles/security.appsec.md +37 -0
  321. package/skills/roles/security.cloud.md +37 -0
  322. package/skills/roles/security.legal-compliance.md +49 -0
  323. package/skills/roles/security.md +68 -0
  324. package/skills/roles/security.privacy.md +37 -0
  325. package/skills/roles/security.supply-chain.md +37 -0
  326. package/skills/routing.md +139 -0
  327. package/skills/security/blue-team.md +83 -0
  328. package/skills/security/code-audit.md +94 -0
  329. package/skills/security/pentest.md +84 -0
  330. package/skills/security/red-team.md +81 -0
  331. package/skills/security/threat-intel.md +89 -0
  332. package/skills/security/vuln-research.md +87 -0
  333. package/skills/utility/clean-code.md +165 -0
  334. package/sync-agents.mjs +899 -0
  335. package/templates/docs/adr.md +27 -0
  336. package/templates/docs/backlog-proposal.md +26 -0
  337. package/templates/docs/customer-profile.md +34 -0
  338. package/templates/docs/evidence-brief.md +37 -0
  339. package/templates/docs/incident-report.md +46 -0
  340. package/templates/docs/memo.md +27 -0
  341. package/templates/docs/meta-prd.md +56 -0
  342. package/templates/docs/one-pager.md +24 -0
  343. package/templates/docs/prd-business.md +61 -0
  344. package/templates/docs/prd-platform.md +62 -0
  345. package/templates/docs/prd.md +47 -0
  346. package/templates/docs/prfaq.md +31 -0
  347. package/templates/docs/product-intelligence-report.md +31 -0
  348. package/templates/docs/research-brief.md +29 -0
  349. package/templates/docs/rfc-platform.md +60 -0
  350. package/templates/docs/rfc.md +46 -0
  351. package/templates/docs/runbook.md +33 -0
  352. package/templates/docs/signal-brief.md +25 -0
@@ -0,0 +1,68 @@
1
+ <!--
2
+ skills/roles/security.md — Anti-pattern guidance for the Security role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security domain and counter-moves to avoid them.
6
+ Applies to: cx-security, cx-legal-compliance.
7
+ -->
8
+ ---
9
+ role: security
10
+ applies_to: [cx-security, cx-legal-compliance]
11
+ inherits: null
12
+ version: 1
13
+ ---
14
+ # Security — Role guidance
15
+
16
+ Load this before drafting. These are the failure modes that separate strong role output from weak role output — check your draft against each.
17
+
18
+
19
+ ### 1. Defense in absence
20
+ **Symptom**: protection depends on a single layer — a firewall, a middleware, a validation step — with no defense if that layer is bypassed.
21
+ **Why it fails**: one misconfiguration or bug eliminates all protection at once.
22
+ **Counter-move**: assume any single control can fail. Layer controls at the network, application, and data boundaries.
23
+
24
+ ### 2. Secrets in config
25
+ **Symptom**: API keys, tokens, or passwords committed to the repo, hardcoded in code, or checked into `.env` files in source control.
26
+ **Why it fails**: git history preserves them forever; every developer, CI run, and forked repo now has them.
27
+ **Counter-move**: secrets go in a secret manager. The repo contains variable names and example values only.
28
+
29
+ ### 3. Trusting user input
30
+ **Symptom**: user-supplied strings concatenated into SQL, shell commands, file paths, URLs, or rendered HTML without validation or escaping.
31
+ **Why it fails**: injection attacks are the most common root cause of data breaches. None of them require a clever attacker.
32
+ **Counter-move**: validate input at the boundary. Use parameterized queries, safe templating, and path canonicalization.
33
+
34
+ ### 4. No threat model
35
+ **Symptom**: security review cannot answer "who are we defending against and what do they want".
36
+ **Why it fails**: effort is spent on showy controls while real attack paths go unconsidered.
37
+ **Counter-move**: name the attacker, the asset, and the worst-case outcome before choosing controls.
38
+
39
+ ### 5. Authentication without authorization
40
+ **Symptom**: the system checks who the user is but not whether they are allowed to do this specific thing with this specific resource.
41
+ **Why it fails**: IDOR and privilege-escalation bugs. Any authenticated user can see or modify any record.
42
+ **Counter-move**: every protected resource access is accompanied by a per-resource authorization check, not just a session check.
43
+
44
+ ### 6. Silent failures in crypto
45
+ **Symptom**: signature verification, token expiry, or certificate validation failures are logged and ignored, or caught and swallowed.
46
+ **Why it fails**: an attacker with a forged token or expired session gets the same treatment as a legitimate user.
47
+ **Counter-move**: crypto failures halt the operation. Errors are surfaced, not logged-and-continued.
48
+
49
+ ### 7. Rolling your own
50
+ **Symptom**: hand-written crypto, session management, password hashing, or random-number generation.
51
+ **Why it fails**: subtle flaws that a specialist would catch in seconds but the author will never see.
52
+ **Counter-move**: use the standard library or a vetted third-party library. Review configuration, not implementation.
53
+
54
+ ### 8. Error messages that leak
55
+ **Symptom**: production errors return stack traces, SQL queries, internal paths, or schema details.
56
+ **Why it fails**: gives an attacker a map of the system; turns a reconnaissance step into a freebie.
57
+ **Counter-move**: user-facing errors are generic. Detailed context goes to logs with appropriate access controls.
58
+
59
+ ## Self-check before shipping
60
+
61
+ - [ ] No single control is the only line of defense
62
+ - [ ] Secrets live in a secret manager, not in the repo
63
+ - [ ] User input is validated and escaped at every boundary
64
+ - [ ] Threat model names attacker, asset, and worst case
65
+ - [ ] Every protected resource has a per-resource authorization check
66
+ - [ ] Crypto failures halt the operation and surface explicitly
67
+ - [ ] No custom crypto; vetted libraries only
68
+ - [ ] Production errors are generic; details are in controlled logs
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/security.privacy.md — Anti-pattern guidance for the Security.privacy (privacy) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security.privacy (privacy) domain and counter-moves to avoid them.
6
+ Applies to: cx-security, cx-legal-compliance.
7
+ -->
8
+ ---
9
+ role: security.privacy
10
+ applies_to: [cx-security, cx-legal-compliance]
11
+ inherits: security
12
+ version: 1
13
+ ---
14
+ # Privacy Security Overlay
15
+
16
+ Additional failure modes on top of the security core.
17
+
18
+ ### 1. Data collection without minimization
19
+ **Symptom**: events, logs, prompts, or exports include fields because they might be useful later.
20
+ **Why it fails**: unnecessary data increases breach, compliance, and deletion risk.
21
+ **Counter-move**: require purpose, minimization, retention, deletion, and consent/legal basis for personal data.
22
+
23
+ ### 2. PII hidden in operational paths
24
+ **Symptom**: support tools, traces, analytics, or embeddings store sensitive data outside primary databases.
25
+ **Why it fails**: privacy reviews often miss secondary stores.
26
+ **Counter-move**: inventory every store and transfer path, including telemetry and vector indexes.
27
+
28
+ ### 3. Deletion impossible to prove
29
+ **Symptom**: user deletion removes primary records but not logs, caches, exports, or embeddings.
30
+ **Why it fails**: deletion obligations require complete lifecycle control.
31
+ **Counter-move**: define deletion propagation, retention exceptions, and evidence of completion.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Purpose, minimization, retention, and legal basis are explicit
35
+ - [ ] Telemetry, traces, exports, and embeddings are included in the data map
36
+ - [ ] Deletion and access requests have end-to-end handling
37
+ - [ ] Sensitive data is redacted before logs or prompts
@@ -0,0 +1,37 @@
1
+ <!--
2
+ skills/roles/security.supply-chain.md — Anti-pattern guidance for the Security.supply-chain (supply chain) role.
3
+
4
+ Loaded at sync time to inline role-specific failure modes into specialist agent prompts.
5
+ Covers common failure modes for the security.supply-chain (supply chain) domain and counter-moves to avoid them.
6
+ Applies to: cx-security, cx-platform-engineer.
7
+ -->
8
+ ---
9
+ role: security.supply-chain
10
+ applies_to: [cx-security, cx-platform-engineer]
11
+ inherits: security
12
+ version: 1
13
+ ---
14
+ # Supply Chain Security Overlay
15
+
16
+ Additional failure modes on top of the security core.
17
+
18
+ ### 1. Dependency trust by popularity
19
+ **Symptom**: packages, actions, images, or plugins are accepted because they are common.
20
+ **Why it fails**: supply-chain incidents often target trusted transitive paths.
21
+ **Counter-move**: verify provenance, pin versions, inspect permissions, and track CVEs.
22
+
23
+ ### 2. CI as an unguarded privileged system
24
+ **Symptom**: workflows can access secrets broadly or run untrusted code with write permissions.
25
+ **Why it fails**: CI compromise becomes source, package, or credential compromise.
26
+ **Counter-move**: scope tokens, split trusted/untrusted workflows, and protect release jobs.
27
+
28
+ ### 3. Release artifacts not reproducible
29
+ **Symptom**: builds cannot prove what source produced the shipped artifact.
30
+ **Why it fails**: incident response and rollback become guesswork.
31
+ **Counter-move**: require lockfiles, SBOMs, provenance attestations, and signed artifacts where appropriate.
32
+
33
+ ## Self-check before shipping
34
+ - [ ] Dependencies, actions, images, and plugins are pinned or justified
35
+ - [ ] CI permissions and secret exposure are scoped
36
+ - [ ] SBOM/provenance/signing expectations are defined
37
+ - [ ] Release artifact source can be traced
@@ -0,0 +1,139 @@
1
+ <!--
2
+ skills/routing.md — Construct AI Agent — Skill Routing — Read the matching skill file before responding when the user's request matches t
3
+
4
+ Read the matching skill file before responding when the user's request matches trigger keywords below. ## Exploration Domain
5
+ -->
6
+ # Construct AI Agent — Skill Routing
7
+
8
+ Read the matching skill file before responding when the user's request matches trigger keywords below.
9
+
10
+ ## Exploration Domain
11
+
12
+ | Trigger Keywords | Skill File | Description |
13
+ |---|---|---|
14
+ | explore repo, map codebase, understand codebase, unfamiliar codebase, slog through, get oriented, codebase map, how is this structured, how does this work, where is X, entry point, hot path, code map | `skills/exploration/repo-map.md` | Systematic repo exploration — produce .cx/codebase-map.md |
15
+
16
+ ## Quality Gates
17
+
18
+ | Trigger Keywords | Skill File | Description |
19
+ |---|---|---|
20
+ | security scan, vulnerability, secrets, auth audit | `skills/quality-gates/verify-security.md` | Security vulnerability scan |
21
+ | code quality, complexity, code smell, naming | `skills/quality-gates/verify-quality.md` | Code quality analysis |
22
+ | change impact, what broke, doc sync, regression | `skills/quality-gates/verify-change.md` | Change impact analysis |
23
+ | module structure, exports, completeness | `skills/quality-gates/verify-module.md` | Module structure check |
24
+ | parallel review, adversarial review, 5-reviewer, pre-merge review | `skills/quality-gates/review-work.md` | 5-role parallel adversarial review methodology |
25
+
26
+ ## Utility Domain
27
+
28
+ | Trigger Keywords | Skill File | Description |
29
+ |---|---|---|
30
+ | ai slop, verbose code, over-commented, clean code, hedging names, dead comments, unnecessary wrapper | `skills/utility/clean-code.md` | AI slop removal patterns and heuristics |
31
+
32
+ ## Security Domain
33
+
34
+ | Trigger Keywords | Skill File | Description |
35
+ |---|---|---|
36
+ | pentest, red team, exploit, C2, lateral movement, privilege escalation, evasion, persistence | `skills/security/red-team.md` | Red team attack techniques |
37
+ | blue team, alert, IOC, incident response, forensics, SIEM, EDR, containment | `skills/security/blue-team.md` | Blue team defense and incident response |
38
+ | web pentest, API security, OWASP, SQLi, XSS, SSRF, RCE, injection | `skills/security/pentest.md` | Web and API penetration testing |
39
+ | code audit, dangerous function, taint analysis, sink, source | `skills/security/code-audit.md` | Source code security audit |
40
+ | binary, reversing, PWN, fuzzing, stack overflow, heap overflow, ROP | `skills/security/vuln-research.md` | Vulnerability research and exploitation |
41
+ | OSINT, threat intelligence, threat modeling, ATT&CK, threat hunting | `skills/security/threat-intel.md` | Threat intelligence and OSINT |
42
+
43
+ ## Architecture Domain
44
+
45
+ | Trigger Keywords | Skill File | Description |
46
+ |---|---|---|
47
+ | API design, REST, GraphQL, gRPC, endpoint, versioning | `skills/architecture/api-design.md` | API design patterns |
48
+ | caching, Redis, Memcached, cache invalidation, CDN | `skills/architecture/caching.md` | Caching strategies |
49
+ | cloud native, Kubernetes, Docker, microservice, service mesh | `skills/architecture/cloud-native.md` | Cloud-native architecture |
50
+ | message queue, Kafka, RabbitMQ, event driven, pub/sub | `skills/architecture/message-queue.md` | Message queue and event-driven patterns |
51
+ | security architecture, zero trust, defense in depth, IAM | `skills/architecture/security-arch.md` | Security architecture |
52
+
53
+ ## AI / MLOps Domain
54
+
55
+ | Trigger Keywords | Skill File | Description |
56
+ |---|---|---|
57
+ | RAG, retrieval augmented, vector database, embedding, chunking | `skills/ai/rag-system.md` | RAG system design |
58
+ | AI agent, tool use, function calling, agent framework, orchestration | `skills/ai/agent-dev.md` | AI agent development |
59
+ | workflow state, orchestration state, task key, handoff contract, phase gate, project alignment | `skills/ai/orchestration-workflow.md` | Construct-style workflow state and phase alignment |
60
+ | LLM security, prompt injection, jailbreak, guardrail | `skills/ai/llm-security.md` | LLM security and guardrails |
61
+ | prompt engineering, model evaluation, benchmark, fine-tuning | `skills/ai/prompt-and-eval.md` | Prompt engineering and evaluation |
62
+ | prompt optimization, improve prompt, optimize agent, quality score, staging prompt, promotion | `skills/ai/prompt-optimizer.md` | Closed-loop prompt auto-optimization via Langfuse traces |
63
+ | MLOps, ML pipeline, model registry, model deployment, feature store, drift detection, model monitoring, training pipeline | `skills/ai/ml-ops.md` | ML operations and model lifecycle |
64
+
65
+ ## DevOps Domain
66
+
67
+ | Trigger Keywords | Skill File | Description |
68
+ |---|---|---|
69
+ | Git workflow, branching strategy, trunk-based, GitFlow | `skills/devops/git-workflow.md` | Git workflow patterns |
70
+ | testing strategy, unit test, integration test, e2e, test pyramid | `skills/devops/testing.md` | Testing strategy |
71
+ | database, migration, schema design, indexing, query optimization | `skills/devops/database.md` | Database patterns |
72
+ | performance, profiling, load test, latency, throughput | `skills/devops/performance.md` | Performance engineering |
73
+ | observability, logging, tracing, metrics, Prometheus, Grafana | `skills/devops/observability.md` | Observability and monitoring |
74
+ | DevSecOps, CI security, SAST, DAST, supply chain | `skills/devops/devsecops.md` | DevSecOps practices |
75
+ | cost optimization, cloud cost, FinOps, resource right-sizing | `skills/devops/cost-optimization.md` | Cloud cost optimization |
76
+ | CI/CD, pipeline, GitHub Actions, GitLab CI, workflow, continuous integration, continuous deployment, build pipeline | `skills/devops/ci-cd.md` | CI/CD pipeline design and optimization |
77
+ | monorepo, pnpm workspaces, Turborepo, Nx, Bazel, workspace, multi-package, affected builds | `skills/devops/monorepo.md` | Monorepo tooling and management |
78
+ | dependency upgrade, package update, lock file, Dependabot, Renovate, transitive CVE, npm audit, vulnerability, outdated packages | `skills/devops/dependency-management.md` | Dependency management and upgrade safety |
79
+ | Docker, container, Dockerfile, multi-stage, image scanning, Trivy, Snyk, OCI, containerize | `skills/devops/containerization.md` | Docker and OCI container best practices |
80
+ | incident response, on-call, runbook, post-mortem, blameless, PagerDuty, SLA, outage, escalation | `skills/devops/incident-response.md` | Incident response and post-mortem process |
81
+ | data pipeline, ELT, ETL, dbt, Airflow, Kafka, Spark, Flink, data warehouse, feature store, data contract | `skills/devops/data-engineering.md` | Data pipeline and warehouse engineering |
82
+
83
+ ## Development Domain
84
+
85
+ | Trigger Keywords | Skill File | Description |
86
+ |---|---|---|
87
+ | Python, Django, Flask, FastAPI, pip, poetry | `skills/development/python.md` | Python best practices |
88
+ | Go, Golang, goroutine, channel | `skills/development/go.md` | Go best practices |
89
+ | Rust, cargo, borrow checker, lifetime | `skills/development/rust.md` | Rust best practices |
90
+ | TypeScript, JavaScript, Node, Deno, Bun | `skills/development/typescript.md` | TypeScript best practices |
91
+ | Java, Kotlin, Spring, JVM, Maven, Gradle | `skills/development/java.md` | Java best practices |
92
+ | C, C++, CMake, pointer, memory management | `skills/development/cpp.md` | C/C++ best practices |
93
+ | Shell, Bash, Zsh, scripting, CLI | `skills/development/shell.md` | Shell scripting best practices |
94
+ | Swift, iOS, SwiftUI, Xcode, UIKit, Combine | `skills/development/swift.md` | Swift / iOS development |
95
+ | Kotlin Android, Jetpack Compose, coroutines, Android, Hilt | `skills/development/kotlin.md` | Kotlin / Android development |
96
+ | Flutter, React Native, cross-platform mobile, Dart, Expo | `skills/development/mobile-crossplatform.md` | Cross-platform mobile frameworks |
97
+
98
+ ## Frontend Design Domain
99
+
100
+ | Trigger Keywords | Skill File | Description |
101
+ |---|---|---|
102
+ | UI aesthetics, visual design, color theory, layout | `skills/frontend-design/ui-aesthetics.md` | UI visual design |
103
+ | UX principles, usability, user flow, information architecture | `skills/frontend-design/ux-principles.md` | UX design principles |
104
+ | component patterns, design system, atomic design | `skills/frontend-design/component-patterns.md` | Component architecture |
105
+ | state management, Redux, Zustand, Pinia, context | `skills/frontend-design/state-management.md` | Frontend state management |
106
+ | frontend engineering, build tool, bundler, SSR, SSG | `skills/frontend-design/engineering.md` | Frontend engineering |
107
+ | accessibility, WCAG, ARIA, screen reader, keyboard navigation, a11y, color contrast, inclusive design | `skills/frontend-design/accessibility.md` | WCAG 2.2 accessibility and inclusive design |
108
+
109
+ ## Frameworks Domain
110
+
111
+ | Trigger Keywords | Skill File | Description |
112
+ |---|---|---|
113
+ | React, JSX, hooks, useState, useEffect, RSC, Server Components | `skills/frameworks/react.md` | React patterns and best practices |
114
+ | Next.js, App Router, Server Actions, ISR, route handler, Vercel | `skills/frameworks/nextjs.md` | Next.js App Router |
115
+ | Django, DRF, Django REST, Django ORM, Django views | `skills/frameworks/django.md` | Django and Django REST Framework |
116
+ | Spring Boot, Spring Security, JPA, @RestController, @Service | `skills/frameworks/spring-boot.md` | Spring Boot layered architecture |
117
+
118
+ ## Documentation Domain
119
+
120
+ | Trigger Keywords | Skill File | Description |
121
+ |---|---|---|
122
+ | init docs, create docs structure, set up documentation, docs scaffold, documentation init | `skills/docs/init-docs.md` | Initialize required project-state docs and documentation structure |
123
+ | research X, investigate X, find evidence, gather evidence | `skills/docs/research-workflow.md` | Research workflow — question to .cx/research/ file |
124
+ | product intelligence, customer notes, field notes, product signals, customer profile, evidence brief, signal brief, backlog proposal | `skills/docs/product-intelligence-workflow.md` | Product Intelligence workflow — evidence to product artifacts |
125
+ | ingest evidence, ingest customer notes, ingest Slack thread, ingest support ticket, normalize field notes | `skills/docs/evidence-ingest-workflow.md` | Evidence ingest workflow — raw source to .cx/product-intel/ |
126
+ | write a PRD, create requirements, spec out, requirements document, Meta PRD, platform PRD | `skills/docs/prd-workflow.md` | PRD workflow — requirements to docs/prd/ or docs/meta-prd/ |
127
+ | write a PRFAQ, working backwards doc, press release FAQ | `skills/docs/prfaq-workflow.md` | PRFAQ workflow — launch narrative from PRD or evidence |
128
+ | create Jira proposal, update Linear, backlog proposal, issue proposal | `skills/docs/backlog-proposal-workflow.md` | Backlog proposal workflow — approval-gated issue tracker changes |
129
+ | record this decision, create an ADR, architecture decision | `skills/docs/adr-workflow.md` | ADR workflow — decision to docs/adr/ file |
130
+ | write a runbook, document this operation, operational procedure | `skills/docs/runbook-workflow.md` | Runbook workflow — operation to docs/runbooks/ file |
131
+ | init project, new project setup, join project, set up doc structure | `skills/docs/init-project.md` | Project initialization via construct init-docs |
132
+
133
+ ## Routing Rules
134
+
135
+ 1. Match on intent, not exact string. "How do I prevent SQL injection" triggers `pentest.md`.
136
+ 2. When a request spans two domains, read both skill files.
137
+ 3. Detect programming language from file extensions or context and read the corresponding development skill.
138
+ 4. Read each skill file once per conversation.
139
+ 5. Skill file content is authoritative over training data when they conflict.
@@ -0,0 +1,83 @@
1
+ <!--
2
+ skills/security/blue-team.md — Blue Team — Use this skill when defending systems, responding to incidents, or building dete
3
+
4
+ Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities. ## Detection Engineering
5
+ -->
6
+ # Blue Team
7
+
8
+ Use this skill when defending systems, responding to incidents, or building detection and monitoring capabilities.
9
+
10
+ ## Detection Engineering
11
+
12
+ - Write detection rules based on known TTPs, not just IOCs
13
+ - Use SIGMA rules for vendor-agnostic detection logic
14
+ - Test detections against atomic red team or similar frameworks
15
+ - Tune alert thresholds to minimize false positives without losing true positives
16
+ - Layer detections: network, endpoint, identity, application
17
+
18
+ ## SIEM Operations
19
+
20
+ - Normalize log formats before ingestion
21
+ - Correlate events across sources: firewall, endpoint, identity, application
22
+ - Build dashboards for: authentication anomalies, lateral movement indicators, data exfiltration patterns
23
+ - Retain logs for compliance period plus investigative buffer
24
+ - Index critical fields for fast search: source IP, user, process, command line
25
+
26
+ ## EDR and Endpoint Defense
27
+
28
+ - Deploy agents on all endpoints including servers
29
+ - Monitor: process creation trees, network connections, file modifications, registry changes
30
+ - Block known-bad hashes and suspicious behaviors
31
+ - Investigate alerts within SLA: Critical <1h, High <4h, Medium <24h
32
+ - Maintain exclusion lists carefully; review quarterly
33
+
34
+ ## Incident Response Process
35
+
36
+ 1. **Detect**: Alert triggers or user report
37
+ 2. **Triage**: Confirm true positive, assess scope, assign severity
38
+ 3. **Contain**: Isolate affected systems, block IOCs, disable compromised accounts
39
+ 4. **Investigate**: Build timeline, identify root cause, determine blast radius
40
+ 5. **Eradicate**: Remove attacker presence, patch vulnerability, rotate credentials
41
+ 6. **Recover**: Restore from clean backups, monitor for re-compromise
42
+ 7. **Lessons learned**: Document findings, update runbooks, improve detections
43
+
44
+ ## Forensics Fundamentals
45
+
46
+ - Preserve evidence before remediation (memory dumps, disk images, logs)
47
+ - Maintain chain of custody documentation
48
+ - Analyze artifacts: prefetch, event logs, browser history, shellbags, MFT
49
+ - Timeline analysis using multiple artifact sources
50
+ - Hash all evidence for integrity verification
51
+
52
+ ## Threat Hunting
53
+
54
+ - Hypothesis-driven: start from a TTP, look for evidence
55
+ - Data-driven: anomaly detection on baselines (unusual process, new scheduled task, rare DNS query)
56
+ - Hunt regularly, not only after incidents
57
+ - Document and share findings to improve detection coverage
58
+ - Track hunt coverage against MITRE ATT&CK matrix
59
+
60
+ ## IOC Management
61
+
62
+ - Categorize: IP, domain, hash, URL, email, certificate, mutex
63
+ - Score by confidence and relevance
64
+ - Expire IOCs that are no longer active
65
+ - Automate ingestion from threat feeds into blocking and detection tools
66
+ - Share IOCs with trusted peers via STIX/TAXII or equivalent
67
+
68
+ ## Hardening Baselines
69
+
70
+ - CIS benchmarks as starting point for OS and service hardening
71
+ - Disable unnecessary services and protocols
72
+ - Enforce least privilege on all accounts
73
+ - Segment networks by trust zone
74
+ - Patch within SLA: Critical <48h, High <7d, Medium <30d
75
+ - Review firewall rules quarterly; remove stale entries
76
+
77
+ ## Metrics
78
+
79
+ - Mean time to detect (MTTD)
80
+ - Mean time to respond (MTTR)
81
+ - Alert-to-incident ratio (false positive rate)
82
+ - MITRE ATT&CK technique coverage percentage
83
+ - Patch compliance rate
@@ -0,0 +1,94 @@
1
+ <!--
2
+ skills/security/code-audit.md — Code Audit — Use this skill when reviewing source code for security vulnerabilities through s
3
+
4
+ Use this skill when reviewing source code for security vulnerabilities through static analysis. ## Taint Analysis
5
+ -->
6
+ # Code Audit
7
+
8
+ Use this skill when reviewing source code for security vulnerabilities through static analysis.
9
+
10
+ ## Taint Analysis
11
+
12
+ Trace data flow from sources to sinks. Any path from untrusted input to a dangerous operation without sanitization is a finding.
13
+
14
+ ### Sources (Untrusted Input)
15
+ - HTTP request: params, headers, cookies, body, uploaded files
16
+ - Database reads (if user-influenced)
17
+ - Environment variables from external config
18
+ - File reads, IPC, message queue payloads
19
+ - Third-party API responses
20
+ - URL fragments and query strings
21
+
22
+ ### Sinks (Dangerous Operations)
23
+ - SQL/NoSQL query construction
24
+ - OS command execution (`exec`, `system`, `spawn`, `popen`)
25
+ - File system operations (open, read, write, delete, path construction)
26
+ - HTML/template rendering
27
+ - HTTP redirects and URL construction
28
+ - Deserialization (`pickle`, `unserialize`, `JSON.parse` of untrusted classes)
29
+ - Dynamic code evaluation (`eval`, `Function()`, `exec()`)
30
+ - Logging (sensitive data leakage)
31
+
32
+ ### Sanitization Verification
33
+ - Is the sanitizer appropriate for the sink? (HTML escaping does not prevent SQL injection)
34
+ - Is the sanitizer applied consistently on all paths?
35
+ - Is the sanitizer applied before the sink, not after?
36
+ - Does the sanitizer handle edge cases: null bytes, Unicode normalization, double encoding?
37
+
38
+ ## Dangerous Function Patterns
39
+
40
+ ### Language-Specific Red Flags
41
+
42
+ **JavaScript/TypeScript**: `eval`, `Function()`, `innerHTML`, `document.write`, `child_process.exec`, `require()` with dynamic input
43
+ **Python**: `eval`, `exec`, `pickle.loads`, `subprocess.shell=True`, `os.system`, `yaml.load` (use safe_load)
44
+ **Java**: `Runtime.exec`, `ProcessBuilder`, `ObjectInputStream.readObject`, `Statement.execute` (use PreparedStatement)
45
+ **Go**: `os/exec.Command` with user input, `html/template` vs `text/template` confusion, `unsafe` package usage
46
+ **Rust**: `unsafe` blocks, `Command::new` with user input, raw pointer operations
47
+ **PHP**: `eval`, `system`, `exec`, `passthru`, `preg_replace` with `e` modifier, `unserialize`
48
+
49
+ ## Authentication and Session Review
50
+
51
+ - Password comparison uses constant-time comparison
52
+ - Session tokens generated with CSPRNG
53
+ - Session invalidated on logout and password change
54
+ - Token expiry enforced server-side
55
+ - No session data in URLs
56
+
57
+ ## Access Control Review
58
+
59
+ - Authorization checked on every request, not cached from prior request
60
+ - Role checks happen server-side
61
+ - Object-level authorization verified (not just endpoint-level)
62
+ - Admin functionality isolated from user-facing code paths
63
+
64
+ ## Cryptography Review
65
+
66
+ - No custom cryptographic implementations
67
+ - Key material not hardcoded or logged
68
+ - IV/nonce never reused with the same key
69
+ - Signatures verified before trusting data
70
+ - Constant-time comparison for MAC/signature verification
71
+
72
+ ## File and Path Operations
73
+
74
+ - User input never directly used in file paths
75
+ - Path traversal prevention: canonicalize then validate prefix
76
+ - File uploads: validate type, limit size, store outside webroot, randomize names
77
+ - Temporary files created securely and cleaned up
78
+
79
+ ## Error Handling Review
80
+
81
+ - Exceptions do not expose internal state to users
82
+ - Catch blocks do not silently swallow security-relevant errors
83
+ - Fallback behavior does not weaken security (fail-open vs fail-closed)
84
+ - Resource cleanup happens in all exit paths
85
+
86
+ ## Reporting Format
87
+
88
+ For each finding:
89
+ 1. **Location**: file, line, function
90
+ 2. **Category**: injection, auth, crypto, data exposure, etc.
91
+ 3. **Severity**: Critical / High / Medium / Low
92
+ 4. **Data flow**: source -> [transforms] -> sink
93
+ 5. **Proof**: concrete exploit scenario or test case
94
+ 6. **Fix**: specific remediation with code example
@@ -0,0 +1,84 @@
1
+ <!--
2
+ skills/security/pentest.md — Penetration Testing — Use this skill when testing web applications or APIs for security vulnerabilitie
3
+
4
+ Use this skill when testing web applications or APIs for security vulnerabilities. ## OWASP Top 10 Checklist
5
+ -->
6
+ # Penetration Testing
7
+
8
+ Use this skill when testing web applications or APIs for security vulnerabilities.
9
+
10
+ ## OWASP Top 10 Checklist
11
+
12
+ ### Broken Access Control
13
+ - Test horizontal privilege escalation: access another user's resources by changing IDs
14
+ - Test vertical privilege escalation: access admin functions as regular user
15
+ - Test IDOR on every endpoint that accepts an identifier
16
+ - Verify server-side enforcement, not just UI hiding
17
+
18
+ ### Cryptographic Failures
19
+ - Check for sensitive data in URLs, logs, and error messages
20
+ - Verify TLS configuration (SSL Labs A+ target)
21
+ - Check for weak cipher suites and protocol versions
22
+ - Verify sensitive data encrypted at rest
23
+
24
+ ### Injection
25
+ - SQL: test with `' OR 1=1--`, time-based blind, UNION-based
26
+ - NoSQL: test with `{"$gt": ""}` and operator injection
27
+ - OS Command: test with `; id`, `| whoami`, backtick substitution
28
+ - LDAP, XPath, template injection where applicable
29
+
30
+ ### Insecure Design
31
+ - Business logic flaws: race conditions, price manipulation, workflow bypass
32
+ - Missing rate limiting on sensitive operations
33
+ - Lack of fraud detection on financial transactions
34
+
35
+ ### Security Misconfiguration
36
+ - Default credentials on admin panels, databases, services
37
+ - Unnecessary HTTP methods enabled (TRACE, OPTIONS)
38
+ - Directory listing enabled
39
+ - Stack traces and debug info in production responses
40
+ - CORS misconfiguration: wildcard origins, credential reflection
41
+
42
+ ### Vulnerable Components
43
+ - Run `npm audit`, `pip audit`, `cargo audit`
44
+ - Check for known CVEs in server software and frameworks
45
+ - Verify component versions against vulnerability databases
46
+
47
+ ### Authentication Failures
48
+ - Brute force resistance: account lockout or progressive delays
49
+ - Credential stuffing protection
50
+ - Session fixation and session hijacking
51
+ - JWT: algorithm confusion, none algorithm, key leakage, expiry validation
52
+ - Password reset flow: token predictability, expiry, single use
53
+
54
+ ### Data Integrity Failures
55
+ - Deserialization: test for RCE via crafted objects
56
+ - Verify integrity of software updates and CI/CD pipelines
57
+ - Check for unsigned or unverified data in trust decisions
58
+
59
+ ### Logging and Monitoring Failures
60
+ - Verify login attempts are logged
61
+ - Verify failed access control is logged
62
+ - Check that logs do not contain sensitive data
63
+ - Confirm alerting exists for suspicious patterns
64
+
65
+ ### SSRF
66
+ - Test URL parameters for internal network access
67
+ - Check for cloud metadata endpoint access (169.254.169.254)
68
+ - Test DNS rebinding scenarios
69
+ - Verify allowlist-based URL validation
70
+
71
+ ## API-Specific Testing
72
+
73
+ - Test all HTTP methods on each endpoint
74
+ - Fuzz parameters with unexpected types and sizes
75
+ - Test pagination for data leakage beyond authorized scope
76
+ - Verify rate limiting per endpoint and per user
77
+ - Check GraphQL: introspection disabled in prod, query depth limits, batch attack resistance
78
+
79
+ ## Reporting
80
+
81
+ - Severity rated by exploitability and business impact
82
+ - Each finding includes: description, reproduction steps, evidence, remediation
83
+ - Group findings by category for systemic issues
84
+ - Provide a prioritized remediation roadmap
@@ -0,0 +1,81 @@
1
+ <!--
2
+ skills/security/red-team.md — Red Team — Use this skill when planning or executing offensive security assessments, advers
3
+
4
+ Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations. ## Reconnaissance
5
+ -->
6
+ # Red Team
7
+
8
+ Use this skill when planning or executing offensive security assessments, adversary emulation, or attack simulations.
9
+
10
+ ## Reconnaissance
11
+
12
+ - Passive: DNS records, WHOIS, certificate transparency, public repos, social media, job postings
13
+ - Active: port scanning, service fingerprinting, directory brute-forcing, virtual host enumeration
14
+ - Map the attack surface before attempting exploitation
15
+ - Document all discovered assets, services, and potential entry points
16
+
17
+ ## Initial Access
18
+
19
+ - Phishing: credential harvesting, macro-enabled documents, HTML smuggling
20
+ - Exposed services: default credentials, known CVEs, misconfigured cloud storage
21
+ - Supply chain: compromised dependencies, typosquatting packages
22
+ - Web application: authentication bypass, injection, file upload abuse
23
+ - Always verify scope before attempting access vectors
24
+
25
+ ## Privilege Escalation
26
+
27
+ - Linux: SUID binaries, writable cron jobs, kernel exploits, sudo misconfigurations, capability abuse
28
+ - Windows: unquoted service paths, DLL hijacking, token impersonation, AlwaysInstallElevated, PrintNightmare variants
29
+ - Cloud: over-permissive IAM roles, instance metadata SSRF, cross-account trust abuse
30
+ - Enumerate before escalating; avoid unnecessary noise
31
+
32
+ ## Lateral Movement
33
+
34
+ - Credential reuse across hosts
35
+ - Pass-the-hash and pass-the-ticket (Kerberos)
36
+ - Remote services: WMI, PSRemoting, SSH, RDP
37
+ - Internal pivoting through compromised hosts
38
+ - Abuse of administrative shares and trust relationships
39
+ - Document each hop for the attack path narrative
40
+
41
+ ## Persistence
42
+
43
+ - Scheduled tasks and cron jobs
44
+ - Registry run keys and startup folders
45
+ - Web shells and reverse shells
46
+ - Service creation and modification
47
+ - Golden/silver tickets in Active Directory
48
+ - Cloud: persistent IAM keys, backdoor roles, lambda triggers
49
+
50
+ ## Command and Control
51
+
52
+ - HTTP/HTTPS beaconing with domain fronting
53
+ - DNS tunneling for restrictive networks
54
+ - Encrypted channels with jitter and sleep intervals
55
+ - Redirectors to protect infrastructure
56
+ - Avoid patterns that trigger common EDR signatures
57
+
58
+ ## Evasion
59
+
60
+ - AMSI bypass techniques for PowerShell
61
+ - Living-off-the-land binaries (LOLBins)
62
+ - Process injection: hollowing, DLL injection, APC queue
63
+ - Timestomping and log tampering (document for report, do not destroy evidence)
64
+ - Obfuscation of tooling and payloads
65
+
66
+ ## Reporting
67
+
68
+ - Document the full kill chain with timestamps
69
+ - Map findings to MITRE ATT&CK techniques
70
+ - Provide reproduction steps for each finding
71
+ - Rate severity by business impact, not technical complexity
72
+ - Include remediation recommendations with priority
73
+ - Separate executive summary from technical details
74
+
75
+ ## Rules of Engagement
76
+
77
+ - Operate strictly within authorized scope
78
+ - Maintain out-of-band communication with the client
79
+ - Have emergency stop procedures ready
80
+ - Log all actions for accountability
81
+ - Never exfiltrate real sensitive data; use proof-of-access artifacts