@heytherevibin/skillforge 0.2.1

package/skills/security-review/cloud-infrastructure-security.md

@@ -0,0 +1,361 @@
+| name | description |
+|------|-------------|
+| cloud-infrastructure-security | Use this skill when deploying to cloud platforms, configuring infrastructure, managing IAM policies, setting up logging/monitoring, or implementing CI/CD pipelines. Provides cloud security checklist aligned with best practices. |
+
+# Cloud & Infrastructure Security Skill
+
+This skill ensures cloud infrastructure, CI/CD pipelines, and deployment configurations follow security best practices and comply with industry standards.
+
+## When to Activate
+
+- Deploying applications to cloud platforms (AWS, Vercel, Railway, Cloudflare)
+- Configuring IAM roles and permissions
+- Setting up CI/CD pipelines
+- Implementing infrastructure as code (Terraform, CloudFormation)
+- Configuring logging and monitoring
+- Managing secrets in cloud environments
+- Setting up CDN and edge security
+- Implementing disaster recovery and backup strategies
+
+## Cloud Security Checklist
+
+### 1. IAM & Access Control
+
+#### Principle of Least Privilege
+
+```yaml
+# PASS: CORRECT: Minimal permissions
+iam_role:
+  permissions:
+    - s3:GetObject  # Only read access
+    - s3:ListBucket
+  resources:
+    - arn:aws:s3:::my-bucket/*  # Specific bucket only
+
+# FAIL: WRONG: Overly broad permissions
+iam_role:
+  permissions:
+    - s3:*  # All S3 actions
+  resources:
+    - "*"  # All resources
+```
+
+#### Multi-Factor Authentication (MFA)
+
+```bash
+# ALWAYS enable MFA for root/admin accounts
+aws iam enable-mfa-device \
+  --user-name admin \
+  --serial-number arn:aws:iam::123456789:mfa/admin \
+  --authentication-code1 123456 \
+  --authentication-code2 789012
+```
+
+#### Verification Steps
+
+- [ ] No root account usage in production
+- [ ] MFA enabled for all privileged accounts
+- [ ] Service accounts use roles, not long-lived credentials
+- [ ] IAM policies follow least privilege
+- [ ] Regular access reviews conducted
+- [ ] Unused credentials rotated or removed
+
+### 2. Secrets Management
+
+#### Cloud Secrets Managers
+
+```typescript
+// PASS: CORRECT: Use cloud secrets manager
+import { SecretsManager } from '@aws-sdk/client-secrets-manager';
+
+const client = new SecretsManager({ region: 'us-east-1' });
+const secret = await client.getSecretValue({ SecretId: 'prod/api-key' });
+const apiKey = JSON.parse(secret.SecretString).key;
+
+// FAIL: WRONG: Hardcoded or in environment variables only
+const apiKey = process.env.API_KEY; // Not rotated, not audited
+```
+
+#### Secrets Rotation
+
+```bash
+# Set up automatic rotation for database credentials
+aws secretsmanager rotate-secret \
+  --secret-id prod/db-password \
+  --rotation-lambda-arn arn:aws:lambda:region:account:function:rotate \
+  --rotation-rules AutomaticallyAfterDays=30
+```
+
+#### Verification Steps
+
+- [ ] All secrets stored in cloud secrets manager (AWS Secrets Manager, Vercel Secrets)
+- [ ] Automatic rotation enabled for database credentials
+- [ ] API keys rotated at least quarterly
+- [ ] No secrets in code, logs, or error messages
+- [ ] Audit logging enabled for secret access
+
+### 3. Network Security
+
+#### VPC and Firewall Configuration
+
+```terraform
+# PASS: CORRECT: Restricted security group
+resource "aws_security_group" "app" {
+  name = "app-sg"
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/16"]  # Internal VPC only
+  }
+
+  egress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]  # Only HTTPS outbound
+  }
+}
+
+# FAIL: WRONG: Open to the internet
+resource "aws_security_group" "bad" {
+  ingress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]  # All ports, all IPs!
+  }
+}
+```
+
+#### Verification Steps
+
+- [ ] Database not publicly accessible
+- [ ] SSH/RDP ports restricted to VPN/bastion only
+- [ ] Security groups follow least privilege
+- [ ] Network ACLs configured
+- [ ] VPC flow logs enabled
+
+### 4. Logging & Monitoring
+
+#### CloudWatch/Logging Configuration
+
+```typescript
+// PASS: CORRECT: Comprehensive logging
+import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';
+
+const logSecurityEvent = async (event: SecurityEvent) => {
+  await cloudwatch.putLogEvents({
+    logGroupName: '/aws/security/events',
+    logStreamName: 'authentication',
+    logEvents: [{
+      timestamp: Date.now(),
+      message: JSON.stringify({
+        type: event.type,
+        userId: event.userId,
+        ip: event.ip,
+        result: event.result,
+        // Never log sensitive data
+      })
+    }]
+  });
+};
+```
+
+#### Verification Steps
+
+- [ ] CloudWatch/logging enabled for all services
+- [ ] Failed authentication attempts logged
+- [ ] Admin actions audited
+- [ ] Log retention configured (90+ days for compliance)
+- [ ] Alerts configured for suspicious activity
+- [ ] Logs centralized and tamper-proof
+
+### 5. CI/CD Pipeline Security
+
+#### Secure Pipeline Configuration
+
+```yaml
+# PASS: CORRECT: Secure GitHub Actions workflow
+name: Deploy
+
+on:
+  push:
+    branches: [main]
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # Minimal permissions
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # Scan for secrets
+      - name: Secret scanning
+        uses: trufflesecurity/trufflehog@main
+
+      # Dependency audit
+      - name: Audit dependencies
+        run: npm audit --audit-level=high
+
+      # Use OIDC, not long-lived tokens
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
+          aws-region: us-east-1
+```
+
+#### Supply Chain Security
+
+```json
+// package.json - Use lock files and integrity checks
+{
+  "scripts": {
+    "install": "npm ci",  // Use ci for reproducible builds
+    "audit": "npm audit --audit-level=moderate",
+    "check": "npm outdated"
+  }
+}
+```
+
+#### Verification Steps
+
+- [ ] OIDC used instead of long-lived credentials
+- [ ] Secrets scanning in pipeline
+- [ ] Dependency vulnerability scanning
+- [ ] Container image scanning (if applicable)
+- [ ] Branch protection rules enforced
+- [ ] Code review required before merge
+- [ ] Signed commits enforced
+
+### 6. Cloudflare & CDN Security
+
+#### Cloudflare Security Configuration
+
+```typescript
+// PASS: CORRECT: Cloudflare Workers with security headers
+export default {
+  async fetch(request: Request): Promise<Response> {
+    const response = await fetch(request);
+
+    // Add security headers
+    const headers = new Headers(response.headers);
+    headers.set('X-Frame-Options', 'DENY');
+    headers.set('X-Content-Type-Options', 'nosniff');
+    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    headers.set('Permissions-Policy', 'geolocation=(), microphone=()');
+
+    return new Response(response.body, {
+      status: response.status,
+      headers
+    });
+  }
+};
+```
+
+#### WAF Rules
+
+```bash
+# Enable Cloudflare WAF managed rules
+# - OWASP Core Ruleset
+# - Cloudflare Managed Ruleset
+# - Rate limiting rules
+# - Bot protection
+```
+
+#### Verification Steps
+
+- [ ] WAF enabled with OWASP rules
+- [ ] Rate limiting configured
+- [ ] Bot protection active
+- [ ] DDoS protection enabled
+- [ ] Security headers configured
+- [ ] SSL/TLS strict mode enabled
+
+### 7. Backup & Disaster Recovery
+
+#### Automated Backups
+
+```terraform
+# PASS: CORRECT: Automated RDS backups
+resource "aws_db_instance" "main" {
+  allocated_storage     = 20
+  engine               = "postgres"
+
+  backup_retention_period = 30  # 30 days retention
+  backup_window          = "03:00-04:00"
+  maintenance_window     = "mon:04:00-mon:05:00"
+
+  enabled_cloudwatch_logs_exports = ["postgresql"]
+
+  deletion_protection = true  # Prevent accidental deletion
+}
+```
+
+#### Verification Steps
+
+- [ ] Automated daily backups configured
+- [ ] Backup retention meets compliance requirements
+- [ ] Point-in-time recovery enabled
+- [ ] Backup testing performed quarterly
+- [ ] Disaster recovery plan documented
+- [ ] RPO and RTO defined and tested
+
+## Pre-Deployment Cloud Security Checklist
+
+Before ANY production cloud deployment:
+
+- [ ] **IAM**: Root account not used, MFA enabled, least privilege policies
+- [ ] **Secrets**: All secrets in cloud secrets manager with rotation
+- [ ] **Network**: Security groups restricted, no public databases
+- [ ] **Logging**: CloudWatch/logging enabled with retention
+- [ ] **Monitoring**: Alerts configured for anomalies
+- [ ] **CI/CD**: OIDC auth, secrets scanning, dependency audits
+- [ ] **CDN/WAF**: Cloudflare WAF enabled with OWASP rules
+- [ ] **Encryption**: Data encrypted at rest and in transit
+- [ ] **Backups**: Automated backups with tested recovery
+- [ ] **Compliance**: GDPR/HIPAA requirements met (if applicable)
+- [ ] **Documentation**: Infrastructure documented, runbooks created
+- [ ] **Incident Response**: Security incident plan in place
+
+## Common Cloud Security Misconfigurations
+
+### S3 Bucket Exposure
+
+```bash
+# FAIL: WRONG: Public bucket
+aws s3api put-bucket-acl --bucket my-bucket --acl public-read
+
+# PASS: CORRECT: Private bucket with specific access
+aws s3api put-bucket-acl --bucket my-bucket --acl private
+aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
+```
+
+### RDS Public Access
+
+```terraform
+# FAIL: WRONG
+resource "aws_db_instance" "bad" {
+  publicly_accessible = true  # NEVER do this!
+}
+
+# PASS: CORRECT
+resource "aws_db_instance" "good" {
+  publicly_accessible = false
+  vpc_security_group_ids = [aws_security_group.db.id]
+}
+```
+
+## Resources
+
+- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/)
+- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)
+- [Cloudflare Security Documentation](https://developers.cloudflare.com/security/)
+- [OWASP Cloud Security](https://owasp.org/www-project-cloud-security/)
+- [Terraform Security Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/)
+
+**Remember**: Cloud misconfigurations are the leading cause of data breaches. A single exposed S3 bucket or overly permissive IAM policy can compromise your entire infrastructure. Always follow the principle of least privilege and defense in depth.

package/skills/seo/SKILL.md

@@ -0,0 +1,153 @@
+---
+name: seo
+description: Audit, plan, and implement SEO improvements across technical SEO, on-page optimization, structured data, Core Web Vitals, and content strategy. Use when the user wants better search visibility, SEO remediation, schema markup, sitemap/robots work, or keyword mapping.
+---
+
+# SEO
+
+Improve search visibility through technical correctness, performance, and content relevance, not gimmicks.
+
+## When to Use
+
+Use this skill when:
+- auditing crawlability, indexability, canonicals, or redirects
+- improving title tags, meta descriptions, and heading structure
+- adding or validating structured data
+- improving Core Web Vitals
+- doing keyword research and mapping keywords to URLs
+- planning internal linking or sitemap / robots changes
+
+## How It Works
+
+### Principles
+
+1. Fix technical blockers before content optimization.
+2. One page should have one clear primary search intent.
+3. Prefer long-term quality signals over manipulative patterns.
+4. Mobile-first assumptions matter because indexing is mobile-first.
+5. Recommendations should be page-specific and implementable.
+
+### Technical SEO checklist
+
+#### Crawlability
+
+- `robots.txt` should allow important pages and block low-value surfaces
+- no important page should be unintentionally `noindex`
+- important pages should be reachable within a shallow click depth
+- avoid redirect chains longer than two hops
+- canonical tags should be self-consistent and non-looping
+
+#### Indexability
+
+- preferred URL format should be consistent
+- multilingual pages need correct hreflang if used
+- sitemaps should reflect the intended public surface
+- no duplicate URLs should compete without canonical control
+
+#### Performance
+
+- LCP < 2.5s
+- INP < 200ms
+- CLS < 0.1
+- common fixes: preload hero assets, reduce render-blocking work, reserve layout space, trim heavy JS
+
+#### Structured data
+
+- homepage: organization or business schema where appropriate
+- editorial pages: `Article` / `BlogPosting`
+- product pages: `Product` and `Offer`
+- interior pages: `BreadcrumbList`
+- Q&A sections: `FAQPage` only when the content truly matches
+
+### On-page rules
+
+#### Title tags
+
+- aim for roughly 50-60 characters
+- put the primary keyword or concept near the front
+- make the title legible to humans, not stuffed for bots
+
+#### Meta descriptions
+
+- aim for roughly 120-160 characters
+- describe the page honestly
+- include the main topic naturally
+
+#### Heading structure
+
+- one clear `H1`
+- `H2` and `H3` should reflect actual content hierarchy
+- do not skip structure just for visual styling
+
+### Keyword mapping
+
+1. define the search intent
+2. gather realistic keyword variants
+3. prioritize by intent match, likely value, and competition
+4. map one primary keyword/theme to one URL
+5. detect and avoid cannibalization
+
+### Internal linking
+
+- link from strong pages to pages you want to rank
+- use descriptive anchor text
+- avoid generic anchors when a more specific one is possible
+- backfill links from new pages to relevant existing ones
+
+## Examples
+
+### Title formula
+
+```text
+Primary Topic - Specific Modifier | Brand
+```
+
+### Meta description formula
+
+```text
+Action + topic + value proposition + one supporting detail
+```
+
+### JSON-LD example
+
+```json
+{
+  "@context": "https://schema.org",
+  "@type": "Article",
+  "headline": "Page Title Here",
+  "author": {
+    "@type": "Person",
+    "name": "Author Name"
+  },
+  "publisher": {
+    "@type": "Organization",
+    "name": "Brand Name"
+  }
+}
+```
+
+### Audit output shape
+
+```text
+[HIGH] Duplicate title tags on product pages
+Location: src/routes/products/[slug].tsx
+Issue: Dynamic titles collapse to the same default string, which weakens relevance and creates duplicate signals.
+Fix: Generate a unique title per product using the product name and primary category.
+```
+
+## Anti-Patterns
+
+| Anti-pattern | Fix |
+| --- | --- |
+| keyword stuffing | write for users first |
+| thin near-duplicate pages | consolidate or differentiate them |
+| schema for content that is not actually present | match schema to reality |
+| content advice without checking the actual page | read the real page first |
+| generic “improve SEO” outputs | tie every recommendation to a page or asset |
+
+## Related Skills
+
+- `seo-specialist`
+- `frontend-patterns`
+- `brand-voice`
+- `market-research`

package/skills/skill-comply/SKILL.md

@@ -0,0 +1,57 @@
+---
+name: skill-comply
+description: Visualize whether skills, rules, and agent definitions are actually followed — auto-generates scenarios at 3 prompt strictness levels, runs agents, classifies behavioral sequences, and reports compliance rates with full tool call timelines
+tools: Read, Bash
+---
+
+# skill-comply: Automated Compliance Measurement
+
+Measures whether coding agents actually follow skills, rules, or agent definitions by:
+1. Auto-generating expected behavioral sequences (specs) from any .md file
+2. Auto-generating scenarios with decreasing prompt strictness (supportive → neutral → competing)
+3. Running `claude -p` and capturing tool call traces via stream-json
+4. Classifying tool calls against spec steps using LLM (not regex)
+5. Checking temporal ordering deterministically
+6. Generating self-contained reports with spec, prompts, and timelines
+
+## Supported Targets
+
+- **Skills** (`skills/*/SKILL.md`): Workflow skills like search-first, TDD guides
+- **Rules** (`rules/common/*.md`): Mandatory rules like testing.md, security.md, git-workflow.md
+- **Agent definitions** (`agents/*.md`): Whether an agent gets invoked when expected (internal workflow verification not yet supported)
+
+## When to Activate
+
+- User runs `/skill-comply <path>`
+- User asks "is this rule actually being followed?"
+- After adding new rules/skills, to verify agent compliance
+- Periodically as part of quality maintenance
+
+## Usage
+
+```bash
+# Full run
+uv run python -m scripts.run ~/.claude/rules/common/testing.md
+
+# Dry run (no cost, spec + scenarios only)
+uv run python -m scripts.run --dry-run ~/.claude/skills/search-first/SKILL.md
+
+# Custom models
+uv run python -m scripts.run --gen-model haiku --model sonnet <path>
+```
+
+## Key Concept: Prompt Independence
+
+Measures whether a skill/rule is followed even when the prompt doesn't explicitly support it.
+
+## Report Contents
+
+Reports are self-contained and include:
+1. Expected behavioral sequence (auto-generated spec)
+2. Scenario prompts (what was asked at each strictness level)
+3. Compliance scores per scenario
+4. Tool call timelines with LLM classification labels
+
+### Advanced (optional)
+
+For users familiar with hooks, reports also include hook promotion recommendations for steps with low compliance. This is informational — the main value is the compliance visibility itself.

package/skills/skill-comply/fixtures/compliant_trace.jsonl

@@ -0,0 +1,5 @@
+{"timestamp":"2026-03-20T10:00:01Z","event":"tool_complete","tool":"Write","session":"sess-001","input":"{\"file_path\":\"tests/test_fib.py\",\"content\":\"def test_fib(): assert fib(0) == 0\"}","output":"File created"}
+{"timestamp":"2026-03-20T10:00:10Z","event":"tool_complete","tool":"Bash","session":"sess-001","input":"{\"command\":\"cd /tmp/sandbox && pytest tests/\"}","output":"FAILED - 1 failed"}
+{"timestamp":"2026-03-20T10:00:20Z","event":"tool_complete","tool":"Write","session":"sess-001","input":"{\"file_path\":\"src/fib.py\",\"content\":\"def fib(n): return n if n <= 1 else fib(n-1)+fib(n-2)\"}","output":"File created"}
+{"timestamp":"2026-03-20T10:00:30Z","event":"tool_complete","tool":"Bash","session":"sess-001","input":"{\"command\":\"cd /tmp/sandbox && pytest tests/\"}","output":"1 passed"}
+{"timestamp":"2026-03-20T10:00:40Z","event":"tool_complete","tool":"Edit","session":"sess-001","input":"{\"file_path\":\"src/fib.py\",\"old_string\":\"return n if\",\"new_string\":\"if n < 0: raise ValueError\\n    return n if\"}","output":"File edited"}

package/skills/skill-comply/fixtures/noncompliant_trace.jsonl

@@ -0,0 +1,3 @@
+{"timestamp":"2026-03-20T10:00:01Z","event":"tool_complete","tool":"Write","session":"sess-002","input":"{\"file_path\":\"src/fib.py\",\"content\":\"def fib(n): return n if n <= 1 else fib(n-1)+fib(n-2)\"}","output":"File created"}
+{"timestamp":"2026-03-20T10:00:10Z","event":"tool_complete","tool":"Write","session":"sess-002","input":"{\"file_path\":\"tests/test_fib.py\",\"content\":\"def test_fib(): assert fib(0) == 0\"}","output":"File created"}
+{"timestamp":"2026-03-20T10:00:20Z","event":"tool_complete","tool":"Bash","session":"sess-002","input":"{\"command\":\"cd /tmp/sandbox && pytest tests/\"}","output":"1 passed"}

package/skills/skill-comply/fixtures/tdd_spec.yaml

@@ -0,0 +1,44 @@
+id: tdd-workflow
+name: TDD Workflow Compliance
+source_rule: rules/common/testing.md
+version: "2.0"
+
+steps:
+  - id: write_test
+    description: "Write test file BEFORE implementation"
+    required: true
+    detector:
+      description: "A Write or Edit to a test file (filename contains 'test')"
+      before_step: write_impl
+
+  - id: run_test_red
+    description: "Run test and confirm FAIL (RED phase)"
+    required: true
+    detector:
+      description: "Run pytest or test command that produces a FAIL/ERROR result"
+      after_step: write_test
+      before_step: write_impl
+
+  - id: write_impl
+    description: "Write minimal implementation (GREEN phase)"
+    required: true
+    detector:
+      description: "Write or Edit an implementation file (not a test file)"
+      after_step: run_test_red
+
+  - id: run_test_green
+    description: "Run test and confirm PASS (GREEN phase)"
+    required: true
+    detector:
+      description: "Run pytest or test command that produces a PASS result"
+      after_step: write_impl
+
+  - id: refactor
+    description: "Refactor (IMPROVE phase)"
+    required: false
+    detector:
+      description: "Edit a source file for refactoring after tests pass"
+      after_step: run_test_green
+
+scoring:
+  threshold_promote_to_hook: 0.6

package/skills/skill-comply/prompts/classifier.md

@@ -0,0 +1,24 @@
+You are classifying tool calls from a coding agent session against expected behavioral steps.
+
+For each tool call, determine which step (if any) it belongs to. A tool call can match at most one step.
+
+Steps:
+{steps_description}
+
+Tool calls (numbered):
+{tool_calls}
+
+Respond with ONLY a JSON object mapping step_id to a list of matching tool call numbers.
+Include only steps that have at least one match. If no tool calls match a step, omit it.
+
+Example response:
+{"write_test": [0, 1], "run_test_red": [2], "write_impl": [3, 4]}
+
+Rules:
+- Match based on the MEANING of the tool call, not just keywords
+- A Write to "test_calculator.py" is a test file write, even if the content is implementation-like
+- A Write to "calculator.py" is an implementation write, even if it contains test helpers
+- A Bash running "pytest" that outputs "FAILED" is a RED phase test run
+- A Bash running "pytest" that outputs "passed" is a GREEN phase test run
+- Each tool call should match at most one step (pick the best match)
+- If a tool call doesn't match any step, don't include it