@girardmedia/bootspring 1.2.0 → 2.0.3

package/skills/patterns/security/headers.md

@@ -1,252 +0,0 @@
-# Security Headers Patterns
-
-Patterns for HTTP security headers.
-
-## Next.js Headers Config
-
-```typescript
-// next.config.js
-/** @type {import('next').NextConfig} */
-const nextConfig = {
-  async headers() {
-    return [
-      {
-        source: '/:path*',
-        headers: [
-          {
-            key: 'X-DNS-Prefetch-Control',
-            value: 'on'
-          },
-          {
-            key: 'Strict-Transport-Security',
-            value: 'max-age=63072000; includeSubDomains; preload'
-          },
-          {
-            key: 'X-Frame-Options',
-            value: 'SAMEORIGIN'
-          },
-          {
-            key: 'X-Content-Type-Options',
-            value: 'nosniff'
-          },
-          {
-            key: 'Referrer-Policy',
-            value: 'strict-origin-when-cross-origin'
-          },
-          {
-            key: 'Permissions-Policy',
-            value: 'camera=(), microphone=(), geolocation=()'
-          }
-        ]
-      }
-    ]
-  }
-}
-
-module.exports = nextConfig
-```
-
-## Content Security Policy
-
-```typescript
-// lib/csp.ts
-type CspDirective =
-  | 'default-src'
-  | 'script-src'
-  | 'style-src'
-  | 'img-src'
-  | 'font-src'
-  | 'connect-src'
-  | 'media-src'
-  | 'object-src'
-  | 'frame-src'
-  | 'frame-ancestors'
-  | 'base-uri'
-  | 'form-action'
-  | 'upgrade-insecure-requests'
-
-export function buildCsp(directives: Partial<Record<CspDirective, string[]>>): string {
-  const defaults: Partial<Record<CspDirective, string[]>> = {
-    'default-src': ["'self'"],
-    'script-src': ["'self'"],
-    'style-src': ["'self'", "'unsafe-inline'"],
-    'img-src': ["'self'", 'data:', 'https:'],
-    'font-src': ["'self'"],
-    'connect-src': ["'self'"],
-    'frame-ancestors': ["'none'"],
-    'base-uri': ["'self'"],
-    'form-action': ["'self'"]
-  }
-
-  const merged = { ...defaults, ...directives }
-
-  return Object.entries(merged)
-    .map(([key, values]) => `${key} ${values!.join(' ')}`)
-    .join('; ')
-}
-
-// Usage
-const csp = buildCsp({
-  'script-src': ["'self'", 'https://js.stripe.com'],
-  'frame-src': ["'self'", 'https://js.stripe.com'],
-  'connect-src': ["'self'", 'https://api.stripe.com']
-})
-```
-
-## Middleware with Security Headers
-
-```typescript
-// middleware.ts
-import { NextResponse } from 'next/server'
-import type { NextRequest } from 'next/server'
-import { buildCsp } from '@/lib/csp'
-
-export function middleware(request: NextRequest) {
-  const response = NextResponse.next()
-
-  // Generate nonce for inline scripts
-  const nonce = Buffer.from(crypto.randomUUID()).toString('base64')
-
-  const csp = buildCsp({
-    'script-src': ["'self'", `'nonce-${nonce}'`],
-    'style-src': ["'self'", "'unsafe-inline'"],
-    'connect-src': [
-      "'self'",
-      'https://api.stripe.com',
-      process.env.NEXT_PUBLIC_API_URL!
-    ]
-  })
-
-  response.headers.set('Content-Security-Policy', csp)
-  response.headers.set('X-Nonce', nonce)
-
-  return response
-}
-```
-
-## Nonce for Inline Scripts
-
-```tsx
-// app/layout.tsx
-import { headers } from 'next/headers'
-
-export default function RootLayout({ children }: { children: React.ReactNode }) {
-  const nonce = headers().get('X-Nonce') ?? ''
-
-  return (
-    <html lang="en">
-      <head>
-        <script
-          nonce={nonce}
-          dangerouslySetInnerHTML={{
-            __html: `
-              // Inline script with nonce
-              window.__CONFIG__ = ${JSON.stringify({ apiUrl: process.env.NEXT_PUBLIC_API_URL })}
-            `
-          }}
-        />
-      </head>
-      <body>{children}</body>
-    </html>
-  )
-}
-```
-
-## CORS Headers
-
-```typescript
-// lib/cors.ts
-const ALLOWED_ORIGINS = [
-  'https://app.example.com',
-  'https://admin.example.com'
-]
-
-export function getCorsHeaders(origin: string | null) {
-  const headers: Record<string, string> = {}
-
-  if (origin && ALLOWED_ORIGINS.includes(origin)) {
-    headers['Access-Control-Allow-Origin'] = origin
-    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS'
-    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization'
-    headers['Access-Control-Allow-Credentials'] = 'true'
-    headers['Access-Control-Max-Age'] = '86400'
-  }
-
-  return headers
-}
-
-// Usage in API route
-export async function OPTIONS(request: Request) {
-  const origin = request.headers.get('origin')
-  const corsHeaders = getCorsHeaders(origin)
-
-  return new Response(null, {
-    status: 204,
-    headers: corsHeaders
-  })
-}
-
-export async function GET(request: Request) {
-  const origin = request.headers.get('origin')
-  const corsHeaders = getCorsHeaders(origin)
-
-  const data = await getData()
-
-  return Response.json(data, { headers: corsHeaders })
-}
-```
-
-## Cache Control Headers
-
-```typescript
-// API responses with sensitive data
-export async function GET() {
-  const sensitiveData = await getSensitiveData()
-
-  return Response.json(sensitiveData, {
-    headers: {
-      'Cache-Control': 'no-store, no-cache, must-revalidate, private',
-      'Pragma': 'no-cache',
-      'Expires': '0'
-    }
-  })
-}
-
-// Static/public data
-export async function GET() {
-  const publicData = await getPublicData()
-
-  return Response.json(publicData, {
-    headers: {
-      'Cache-Control': 'public, max-age=3600, s-maxage=3600',
-      'CDN-Cache-Control': 'public, max-age=86400'
-    }
-  })
-}
-```
-
-## Feature Policy / Permissions Policy
-
-```typescript
-// Restrict browser features
-const permissionsPolicy = [
-  'camera=()',
-  'microphone=()',
-  'geolocation=()',
-  'interest-cohort=()', // Disable FLoC
-  'payment=(self)',
-  'usb=()',
-  'magnetometer=()',
-  'gyroscope=()',
-  'accelerometer=()'
-].join(', ')
-
-response.headers.set('Permissions-Policy', permissionsPolicy)
-```
-
-## When to Use
-
-- All production deployments
-- API endpoints
-- Pages with sensitive data
-- Third-party integrations

package/skills/patterns/security/sanitization.md

@@ -1,258 +0,0 @@
-# Input Sanitization Patterns
-
-Patterns for sanitizing and validating user input.
-
-## Zod Validation with Sanitization
-
-```typescript
-// lib/schemas.ts
-import { z } from 'zod'
-import DOMPurify from 'isomorphic-dompurify'
-
-// Trim and normalize whitespace
-const trimmedString = z.string().transform(s => s.trim().replace(/\s+/g, ' '))
-
-// Strip HTML tags
-const plainText = z.string().transform(s =>
-  DOMPurify.sanitize(s, { ALLOWED_TAGS: [] })
-)
-
-// Normalize email
-const normalizedEmail = z.string()
-  .email()
-  .transform(s => s.toLowerCase().trim())
-
-// Sanitize rich text
-const richText = z.string().transform(s =>
-  DOMPurify.sanitize(s, {
-    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br', 'ul', 'ol', 'li'],
-    ALLOWED_ATTR: ['href']
-  })
-)
-
-// Example schema
-export const UserInputSchema = z.object({
-  name: trimmedString.min(1).max(100),
-  email: normalizedEmail,
-  bio: plainText.max(500).optional(),
-  about: richText.max(5000).optional()
-})
-```
-
-## SQL Injection Prevention
-
-```typescript
-// ALWAYS use parameterized queries
-
-// DON'T do this:
-// await prisma.$queryRawUnsafe(`SELECT * FROM users WHERE id = '${userId}'`)
-
-// DO this:
-await prisma.$queryRaw`SELECT * FROM users WHERE id = ${userId}`
-
-// Or use Prisma's type-safe queries:
-await prisma.user.findUnique({ where: { id: userId } })
-
-// For dynamic column names (be careful):
-const allowedColumns = ['name', 'email', 'createdAt']
-const orderBy = allowedColumns.includes(input.sortBy)
-  ? input.sortBy
-  : 'createdAt'
-
-await prisma.user.findMany({
-  orderBy: { [orderBy]: 'desc' }
-})
-```
-
-## Path Traversal Prevention
-
-```typescript
-// lib/files.ts
-import path from 'path'
-
-const UPLOAD_DIR = '/app/uploads'
-
-export function sanitizePath(userPath: string): string {
-  // Remove null bytes
-  const cleaned = userPath.replace(/\0/g, '')
-
-  // Get basename only (no directory traversal)
-  const basename = path.basename(cleaned)
-
-  // Remove special characters
-  const safe = basename.replace(/[^a-zA-Z0-9._-]/g, '')
-
-  return safe
-}
-
-export function getUploadPath(filename: string): string {
-  const safeName = sanitizePath(filename)
-
-  if (!safeName) {
-    throw new Error('Invalid filename')
-  }
-
-  const fullPath = path.join(UPLOAD_DIR, safeName)
-
-  // Ensure path is within upload directory
-  if (!fullPath.startsWith(UPLOAD_DIR)) {
-    throw new Error('Invalid path')
-  }
-
-  return fullPath
-}
-```
-
-## Command Injection Prevention
-
-```typescript
-// DON'T do this:
-// exec(`convert ${userInput}.png output.jpg`)
-
-// DO this - use spawn with arguments array:
-import { spawn } from 'child_process'
-
-function convertImage(inputFile: string, outputFile: string) {
-  // Validate filenames first
-  if (!/^[a-zA-Z0-9_-]+\.(png|jpg|gif)$/.test(inputFile)) {
-    throw new Error('Invalid input filename')
-  }
-
-  return new Promise((resolve, reject) => {
-    const process = spawn('convert', [inputFile, outputFile])
-
-    process.on('close', code => {
-      code === 0 ? resolve(true) : reject(new Error(`Exit code: ${code}`))
-    })
-  })
-}
-
-// Even better - use libraries instead of shell commands
-import sharp from 'sharp'
-
-async function convertImage(inputPath: string, outputPath: string) {
-  await sharp(inputPath)
-    .toFormat('jpeg')
-    .toFile(outputPath)
-}
-```
-
-## URL Sanitization
-
-```typescript
-// lib/url.ts
-const ALLOWED_PROTOCOLS = ['http:', 'https:']
-const BLOCKED_HOSTS = ['localhost', '127.0.0.1', '0.0.0.0']
-
-export function sanitizeUrl(input: string): string | null {
-  try {
-    const url = new URL(input)
-
-    // Check protocol
-    if (!ALLOWED_PROTOCOLS.includes(url.protocol)) {
-      return null
-    }
-
-    // Block internal hosts
-    if (BLOCKED_HOSTS.some(h => url.hostname.includes(h))) {
-      return null
-    }
-
-    // Block private IPs
-    if (isPrivateIp(url.hostname)) {
-      return null
-    }
-
-    return url.toString()
-  } catch {
-    return null
-  }
-}
-
-function isPrivateIp(hostname: string): boolean {
-  const ipPatterns = [
-    /^10\./,
-    /^172\.(1[6-9]|2[0-9]|3[0-1])\./,
-    /^192\.168\./,
-    /^169\.254\./,
-    /^fc00:/i,
-    /^fe80:/i
-  ]
-
-  return ipPatterns.some(pattern => pattern.test(hostname))
-}
-```
-
-## JSON Sanitization
-
-```typescript
-// lib/json.ts
-
-// Safe JSON parse that limits depth and size
-export function safeJsonParse<T>(
-  input: string,
-  maxSize = 1024 * 1024, // 1MB
-  maxDepth = 10
-): T {
-  if (input.length > maxSize) {
-    throw new Error('JSON too large')
-  }
-
-  // Count nesting depth
-  let depth = 0
-  let maxReached = 0
-
-  for (const char of input) {
-    if (char === '{' || char === '[') {
-      depth++
-      maxReached = Math.max(maxReached, depth)
-    } else if (char === '}' || char === ']') {
-      depth--
-    }
-
-    if (maxReached > maxDepth) {
-      throw new Error('JSON too deeply nested')
-    }
-  }
-
-  return JSON.parse(input)
-}
-```
-
-## Filename Sanitization
-
-```typescript
-// lib/filename.ts
-
-export function sanitizeFilename(filename: string): string {
-  // Remove path components
-  const basename = filename.split(/[\\/]/).pop() || ''
-
-  // Remove special characters, keep alphanumeric, dots, dashes, underscores
-  const cleaned = basename
-    .replace(/[^a-zA-Z0-9._-]/g, '_')
-    .replace(/\.{2,}/g, '.') // No consecutive dots
-    .replace(/^\.+|\.+$/g, '') // No leading/trailing dots
-
-  // Ensure not empty
-  if (!cleaned) {
-    return 'file'
-  }
-
-  // Limit length
-  if (cleaned.length > 255) {
-    const ext = cleaned.split('.').pop() || ''
-    const name = cleaned.slice(0, 255 - ext.length - 1)
-    return `${name}.${ext}`
-  }
-
-  return cleaned
-}
-```
-
-## When to Use
-
-- User input processing
-- File uploads
-- Database queries
-- External URLs