@girardmedia/bootspring 1.2.0 → 2.0.3

package/skills/patterns/security/secrets.md

@@ -1,261 +0,0 @@
-# Secrets Management Patterns
-
-Patterns for secure handling of secrets and credentials.
-
-## Environment Variables
-
-```typescript
-// lib/env.ts
-import { z } from 'zod'
-
-const envSchema = z.object({
-  // Database
-  DATABASE_URL: z.string().url(),
-
-  // Auth
-  NEXTAUTH_SECRET: z.string().min(32),
-  NEXTAUTH_URL: z.string().url(),
-
-  // Stripe
-  STRIPE_SECRET_KEY: z.string().startsWith('sk_'),
-  STRIPE_WEBHOOK_SECRET: z.string().startsWith('whsec_'),
-  NEXT_PUBLIC_STRIPE_KEY: z.string().startsWith('pk_'),
-
-  // Email
-  RESEND_API_KEY: z.string().startsWith('re_'),
-
-  // Optional
-  SENTRY_DSN: z.string().url().optional()
-})
-
-// Validate at startup
-function validateEnv() {
-  const parsed = envSchema.safeParse(process.env)
-
-  if (!parsed.success) {
-    console.error('Invalid environment variables:')
-    console.error(parsed.error.flatten().fieldErrors)
-    throw new Error('Invalid environment configuration')
-  }
-
-  return parsed.data
-}
-
-export const env = validateEnv()
-
-// Type-safe access
-// env.DATABASE_URL - TypeScript knows this is a string
-```
-
-## Runtime Secret Loading
-
-```typescript
-// lib/secrets.ts
-interface SecretStore {
-  get(key: string): Promise<string | undefined>
-}
-
-// Local development
-class EnvSecretStore implements SecretStore {
-  async get(key: string) {
-    return process.env[key]
-  }
-}
-
-// AWS Secrets Manager
-class AwsSecretStore implements SecretStore {
-  private client: SecretsManagerClient
-
-  constructor() {
-    this.client = new SecretsManagerClient({})
-  }
-
-  async get(key: string) {
-    const command = new GetSecretValueCommand({ SecretId: key })
-    const response = await this.client.send(command)
-    return response.SecretString
-  }
-}
-
-// Factory
-export function createSecretStore(): SecretStore {
-  if (process.env.NODE_ENV === 'development') {
-    return new EnvSecretStore()
-  }
-  return new AwsSecretStore()
-}
-
-// Usage
-const secrets = createSecretStore()
-const apiKey = await secrets.get('STRIPE_SECRET_KEY')
-```
-
-## Encrypted Secrets
-
-```typescript
-// lib/crypto.ts
-import { createCipheriv, createDecipheriv, randomBytes, scrypt } from 'crypto'
-import { promisify } from 'util'
-
-const scryptAsync = promisify(scrypt)
-
-export async function encryptSecret(plaintext: string, password: string): Promise<string> {
-  const salt = randomBytes(16)
-  const key = (await scryptAsync(password, salt, 32)) as Buffer
-  const iv = randomBytes(16)
-
-  const cipher = createCipheriv('aes-256-gcm', key, iv)
-  const encrypted = Buffer.concat([
-    cipher.update(plaintext, 'utf8'),
-    cipher.final()
-  ])
-  const authTag = cipher.getAuthTag()
-
-  // Combine: salt + iv + authTag + encrypted
-  const combined = Buffer.concat([salt, iv, authTag, encrypted])
-  return combined.toString('base64')
-}
-
-export async function decryptSecret(ciphertext: string, password: string): Promise<string> {
-  const combined = Buffer.from(ciphertext, 'base64')
-
-  const salt = combined.subarray(0, 16)
-  const iv = combined.subarray(16, 32)
-  const authTag = combined.subarray(32, 48)
-  const encrypted = combined.subarray(48)
-
-  const key = (await scryptAsync(password, salt, 32)) as Buffer
-
-  const decipher = createDecipheriv('aes-256-gcm', key, iv)
-  decipher.setAuthTag(authTag)
-
-  const decrypted = Buffer.concat([
-    decipher.update(encrypted),
-    decipher.final()
-  ])
-
-  return decrypted.toString('utf8')
-}
-```
-
-## API Key Storage
-
-```typescript
-// lib/api-keys.ts
-import { randomBytes, createHash } from 'crypto'
-import { prisma } from '@/lib/db'
-
-export async function createApiKey(userId: string, name: string) {
-  // Generate key: prefix_randomBytes
-  const keyValue = `bs_${randomBytes(24).toString('hex')}`
-
-  // Hash for storage (never store plain key)
-  const keyHash = createHash('sha256').update(keyValue).digest('hex')
-
-  // Store last 4 chars for display
-  const keyHint = keyValue.slice(-4)
-
-  await prisma.apiKey.create({
-    data: {
-      userId,
-      name,
-      keyHash,
-      keyHint
-    }
-  })
-
-  // Only return the full key once!
-  return keyValue
-}
-
-export async function validateApiKey(key: string) {
-  const keyHash = createHash('sha256').update(key).digest('hex')
-
-  const apiKey = await prisma.apiKey.findUnique({
-    where: { keyHash },
-    include: { user: true }
-  })
-
-  if (!apiKey || apiKey.revokedAt) {
-    return null
-  }
-
-  // Update last used
-  await prisma.apiKey.update({
-    where: { id: apiKey.id },
-    data: { lastUsedAt: new Date() }
-  })
-
-  return apiKey.user
-}
-```
-
-## Secure Token Generation
-
-```typescript
-// lib/tokens.ts
-import { randomBytes } from 'crypto'
-
-// URL-safe token
-export function generateToken(bytes = 32): string {
-  return randomBytes(bytes).toString('base64url')
-}
-
-// Numeric OTP
-export function generateOtp(length = 6): string {
-  const max = Math.pow(10, length) - 1
-  const randomNum = parseInt(randomBytes(4).toString('hex'), 16)
-  return String(randomNum % (max + 1)).padStart(length, '0')
-}
-
-// Short code (for user input)
-export function generateCode(length = 8): string {
-  const chars = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789' // No confusing chars
-  let code = ''
-
-  for (let i = 0; i < length; i++) {
-    const randomIndex = randomBytes(1)[0] % chars.length
-    code += chars[randomIndex]
-  }
-
-  return code
-}
-```
-
-## Secret Rotation
-
-```typescript
-// lib/rotation.ts
-import { prisma } from '@/lib/db'
-
-export async function rotateEncryptionKey() {
-  const oldKey = process.env.ENCRYPTION_KEY!
-  const newKey = process.env.NEW_ENCRYPTION_KEY!
-
-  // Find all encrypted records
-  const records = await prisma.secretData.findMany()
-
-  for (const record of records) {
-    // Decrypt with old key
-    const plaintext = await decryptSecret(record.encryptedValue, oldKey)
-
-    // Re-encrypt with new key
-    const newEncrypted = await encryptSecret(plaintext, newKey)
-
-    // Update record
-    await prisma.secretData.update({
-      where: { id: record.id },
-      data: { encryptedValue: newEncrypted }
-    })
-  }
-
-  console.log(`Rotated ${records.length} secrets`)
-}
-```
-
-## When to Use
-
-- API keys
-- Database credentials
-- Encryption keys
-- Third-party tokens

package/skills/patterns/security/validation.md

@@ -1,268 +0,0 @@
-# Input Validation & Security Patterns
-
-Battle-tested patterns for secure input handling.
-
-## Zod Schema Validation
-
-```typescript
-// lib/validations/user.ts
-import { z } from 'zod'
-
-export const CreateUserSchema = z.object({
-  email: z.string().email('Invalid email address'),
-  name: z.string()
-    .min(1, 'Name is required')
-    .max(100, 'Name too long')
-    .regex(/^[a-zA-Z\s'-]+$/, 'Invalid characters in name'),
-  password: z.string()
-    .min(8, 'Password must be at least 8 characters')
-    .regex(/[A-Z]/, 'Password must contain uppercase letter')
-    .regex(/[a-z]/, 'Password must contain lowercase letter')
-    .regex(/[0-9]/, 'Password must contain number')
-    .regex(/[^A-Za-z0-9]/, 'Password must contain special character'),
-  age: z.number()
-    .int('Age must be a whole number')
-    .min(13, 'Must be at least 13 years old')
-    .max(120, 'Invalid age')
-    .optional()
-})
-
-export const UpdateProfileSchema = z.object({
-  name: z.string().min(1).max(100).optional(),
-  bio: z.string().max(500).optional(),
-  website: z.string().url().optional().or(z.literal(''))
-})
-
-export type CreateUserInput = z.infer<typeof CreateUserSchema>
-export type UpdateProfileInput = z.infer<typeof UpdateProfileSchema>
-```
-
-## Server Action with Validation
-
-```typescript
-// actions/user.ts
-'use server'
-
-import { CreateUserSchema } from '@/lib/validations/user'
-import { prisma } from '@/lib/db'
-
-type ActionResult =
-  | { success: true; data: { id: string } }
-  | { success: false; error: string; fieldErrors?: Record<string, string[]> }
-
-export async function createUser(formData: FormData): Promise<ActionResult> {
-  // Parse and validate
-  const raw = {
-    email: formData.get('email'),
-    name: formData.get('name'),
-    password: formData.get('password'),
-    age: formData.get('age') ? Number(formData.get('age')) : undefined
-  }
-
-  const result = CreateUserSchema.safeParse(raw)
-
-  if (!result.success) {
-    return {
-      success: false,
-      error: 'Validation failed',
-      fieldErrors: result.error.flatten().fieldErrors
-    }
-  }
-
-  // Hash password before storing
-  const hashedPassword = await hashPassword(result.data.password)
-
-  const user = await prisma.user.create({
-    data: {
-      ...result.data,
-      password: hashedPassword
-    }
-  })
-
-  return { success: true, data: { id: user.id } }
-}
-```
-
-## Sanitizing User Input
-
-```typescript
-// lib/sanitize.ts
-import DOMPurify from 'isomorphic-dompurify'
-
-// Sanitize HTML content (for rich text)
-export function sanitizeHtml(dirty: string): string {
-  return DOMPurify.sanitize(dirty, {
-    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p', 'br', 'ul', 'ol', 'li'],
-    ALLOWED_ATTR: ['href', 'target', 'rel']
-  })
-}
-
-// Strip all HTML (for plain text fields)
-export function stripHtml(input: string): string {
-  return DOMPurify.sanitize(input, { ALLOWED_TAGS: [] })
-}
-
-// Sanitize for SQL-safe strings (use with parameterized queries)
-export function escapeString(input: string): string {
-  return input
-    .replace(/\\/g, '\\\\')
-    .replace(/'/g, "\\'")
-    .replace(/"/g, '\\"')
-}
-
-// URL validation and sanitization
-export function sanitizeUrl(url: string): string | null {
-  try {
-    const parsed = new URL(url)
-    // Only allow http/https
-    if (!['http:', 'https:'].includes(parsed.protocol)) {
-      return null
-    }
-    return parsed.toString()
-  } catch {
-    return null
-  }
-}
-```
-
-## Rate Limiting
-
-```typescript
-// lib/rate-limit.ts
-import { Ratelimit } from '@upstash/ratelimit'
-import { Redis } from '@upstash/redis'
-
-// Using Upstash Redis for serverless
-const redis = new Redis({
-  url: process.env.UPSTASH_REDIS_REST_URL!,
-  token: process.env.UPSTASH_REDIS_REST_TOKEN!
-})
-
-// Different rate limiters for different purposes
-export const authLimiter = new Ratelimit({
-  redis,
-  limiter: Ratelimit.slidingWindow(5, '1 m'), // 5 attempts per minute
-  prefix: 'ratelimit:auth'
-})
-
-export const apiLimiter = new Ratelimit({
-  redis,
-  limiter: Ratelimit.slidingWindow(100, '1 m'), // 100 requests per minute
-  prefix: 'ratelimit:api'
-})
-
-// Usage in API route
-export async function POST(request: Request) {
-  const ip = request.headers.get('x-forwarded-for') ?? 'anonymous'
-
-  const { success, limit, remaining, reset } = await authLimiter.limit(ip)
-
-  if (!success) {
-    return new Response('Too many requests', {
-      status: 429,
-      headers: {
-        'X-RateLimit-Limit': limit.toString(),
-        'X-RateLimit-Remaining': remaining.toString(),
-        'X-RateLimit-Reset': reset.toString()
-      }
-    })
-  }
-
-  // Continue with handler...
-}
-```
-
-## CSRF Protection
-
-```typescript
-// lib/csrf.ts
-import { cookies } from 'next/headers'
-import { randomBytes, createHmac } from 'crypto'
-
-const SECRET = process.env.CSRF_SECRET!
-
-export async function generateCsrfToken(): Promise<string> {
-  const token = randomBytes(32).toString('hex')
-  const signature = createHmac('sha256', SECRET).update(token).digest('hex')
-  const fullToken = `${token}.${signature}`
-
-  const cookieStore = await cookies()
-  cookieStore.set('csrf-token', fullToken, {
-    httpOnly: true,
-    secure: process.env.NODE_ENV === 'production',
-    sameSite: 'strict',
-    maxAge: 60 * 60 // 1 hour
-  })
-
-  return token // Only return the token part to the client
-}
-
-export async function validateCsrfToken(clientToken: string): Promise<boolean> {
-  const cookieStore = await cookies()
-  const cookieToken = cookieStore.get('csrf-token')?.value
-
-  if (!cookieToken) return false
-
-  const [storedToken, storedSignature] = cookieToken.split('.')
-  const expectedSignature = createHmac('sha256', SECRET)
-    .update(storedToken)
-    .digest('hex')
-
-  return (
-    storedToken === clientToken &&
-    storedSignature === expectedSignature
-  )
-}
-```
-
-## Security Headers Middleware
-
-```typescript
-// middleware.ts
-import { NextResponse } from 'next/server'
-import type { NextRequest } from 'next/server'
-
-export function middleware(request: NextRequest) {
-  const response = NextResponse.next()
-
-  // Security headers
-  response.headers.set('X-Frame-Options', 'DENY')
-  response.headers.set('X-Content-Type-Options', 'nosniff')
-  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin')
-  response.headers.set('X-XSS-Protection', '1; mode=block')
-
-  // Content Security Policy
-  response.headers.set(
-    'Content-Security-Policy',
-    [
-      "default-src 'self'",
-      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
-      "style-src 'self' 'unsafe-inline'",
-      "img-src 'self' data: https:",
-      "font-src 'self'",
-      "connect-src 'self' https://api.stripe.com",
-      "frame-ancestors 'none'"
-    ].join('; ')
-  )
-
-  return response
-}
-```
-
-## Environment Variable Validation
-
-```typescript
-// lib/env.ts
-import { z } from 'zod'
-
-const envSchema = z.object({
-  DATABASE_URL: z.string().url(),
-  STRIPE_SECRET_KEY: z.string().startsWith('sk_'),
-  STRIPE_WEBHOOK_SECRET: z.string().startsWith('whsec_'),
-  NEXT_PUBLIC_URL: z.string().url(),
-  NODE_ENV: z.enum(['development', 'production', 'test'])
-})
-
-// Validate at build/startup time
-export const env = envSchema.parse(process.env)
-```