@jetrabbits/agentic 0.0.1

package/areas/software/security/skills/crypto-standards/SKILL.md

@@ -0,0 +1,42 @@
+# Skill: Cryptography Standards
+
+## When to load
+
+When implementing password storage, data encryption, token signing, or key management.
+
+## Approved Algorithms
+
+| Use Case | Approved | Forbidden |
+|:---|:---|:---|
+| Password hashing | Argon2id, bcrypt (cost≥12) | MD5, SHA-1, unsalted SHA-256 |
+| Data encryption | AES-256-GCM, ChaCha20-Poly1305 | DES, 3DES, AES-ECB |
+| Token signing | RS256, ES256 | HS256 in distributed systems |
+| TLS | TLS 1.2+, prefer TLS 1.3 | SSLv3, TLS 1.0, TLS 1.1 |
+
+## Password Storage (Argon2id)
+
+```python
+from argon2 import PasswordHasher
+
+ph = PasswordHasher(time_cost=2, memory_cost=65536, parallelism=2)
+hashed = ph.hash(plain_password)
+
+try:
+    ph.verify(stored_hash, provided_password)
+    if ph.check_needs_rehash(stored_hash):
+        new_hash = ph.hash(provided_password)
+        db.update_password_hash(user_id, new_hash)
+except VerifyMismatchError:
+    raise InvalidCredentials()
+```
+
+## Envelope Encryption
+
+```
+Never encrypt data directly with a master key.
+
+1. Generate unique Data Encryption Key (DEK) per record
+2. Encrypt data with DEK (AES-256-GCM)
+3. Encrypt DEK with Key Encryption Key (KEK) in KMS
+4. Store: encrypted_data + encrypted_DEK + IV
+```

package/areas/software/security/skills/dependency-audit/SKILL.md

@@ -0,0 +1,29 @@
+# Skill: Dependency Audit
+
+## When to load
+
+When adding new packages, reviewing a PR that adds dependencies, or performing security reviews.
+
+## Pre-Add Checklist
+
+```
+Before npm install [package]:
+1. POPULARITY: > 100k weekly downloads?
+2. MAINTENANCE: Last commit within 12 months? Open PRs reviewed?
+3. OWNERSHIP: Well-known org/individual? History of incidents?
+4. SCOPE: Does the package scope match its stated purpose?
+          (A CSV parser with network dependencies is suspicious)
+5. AUDIT: Run npm audit / snyk test immediately after adding
+6. SIZE: Check bundlephobia.com
+7. ALTERNATIVES: Is there a built-in API that does this?
+```
+
+## Supply Chain Attack Red Flags
+
+```
+- Recently transferred ownership
+- Sudden version bump with no changelog
+- Minified/obfuscated code in source (not just dist)
+- postinstall / preinstall scripts making network requests
+- Name similar to popular package (typosquatting)
+```

package/areas/software/security/skills/sast-dast-interpretation/SKILL.md

@@ -0,0 +1,33 @@
+# Skill: SAST/DAST Results Interpretation
+
+## When to load
+
+When reviewing security scan results, triaging vulnerabilities, or deciding which findings to fix vs. accept.
+
+## SAST Triage Matrix
+
+| Severity | CVSS | Action | Timeline |
+|:---|:---|:---|:---|
+| Critical | 9.0–10.0 | Block merge, fix immediately | Same day |
+| High | 7.0–8.9 | Block deploy | 72 hours |
+| Medium | 4.0–6.9 | Track as tech debt | 2 weeks |
+| Low | 0.1–3.9 | Backlog | Next quarter |
+
+## Common False Positives
+
+```
+False positive: "SQL Injection" on ORM query
+→ Verify ORM parameterizes internally → add suppression comment:
+// snyk:ignore:sql-injection -- parameterized ORM query
+
+False positive: "Hardcoded credential" on config key name
+→ Verify value comes from env var → suppress with justification
+```
+
+## OWASP ZAP Priority Findings
+
+1. Missing security headers (CSP, X-Frame-Options) → always exploitable, easy fix
+2. Information disclosure in error responses → check stack traces
+3. CSRF → verify token on all state-changing requests
+4. Clickjacking → add `frame-ancestors` CSP directive
+5. Insecure cookies → verify Secure, HttpOnly, SameSite=Strict/Lax

package/areas/software/security/skills/security-headers/SKILL.md

@@ -0,0 +1,29 @@
+# Skill: HTTP Security Headers
+
+## When to load
+
+When configuring web servers, API gateways, or reviewing HTTP responses.
+
+## Required Headers
+
+```nginx
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+add_header X-Content-Type-Options "nosniff" always;
+add_header X-Frame-Options "DENY" always;
+add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
+add_header Content-Security-Policy "
+  default-src 'self';
+  script-src 'self' 'nonce-{NONCE}';
+  style-src 'self' 'unsafe-inline';
+  img-src 'self' data: https://cdn.mycompany.com;
+  connect-src 'self' https://api.mycompany.com;
+  frame-ancestors 'none';
+" always;
+```
+
+## API-Specific
+
+- Remove: `X-Powered-By`, `Server` (information disclosure)
+- Add: `X-Request-ID` (tracing), `Cache-Control: no-store` (auth responses)
+- CORS: Never `Access-Control-Allow-Origin: *` for credentialed requests

package/areas/software/security/skills/threat-modeling/SKILL.md

@@ -0,0 +1,36 @@
+# Skill: Threat Modeling
+
+## When to load
+
+When designing a new system, adding an integration, reviewing an architecture, or preparing for a security review.
+
+## STRIDE Framework
+
+| Threat | Question | Example |
+|:---|:---|:---|
+| **S**poofing | Can an attacker impersonate a user/service? | Forged JWT, SSRF to metadata service |
+| **T**ampering | Can data be modified in transit/at rest? | SQL injection, cache poisoning |
+| **R**epudiation | Can users deny performing an action? | Missing audit logs |
+| **I**nformation Disclosure | Can sensitive data be exposed? | Error messages leaking stack traces |
+| **D**enial of Service | Can the service be made unavailable? | No rate limiting on public endpoints |
+| **E**levation of Privilege | Can a low-privilege user gain higher access? | IDOR, broken object-level authorization |
+
+## IDOR — Most Common API Vulnerability
+
+```python
+# ❌ Vulnerable
+@app.get("/invoices/{invoice_id}")
+def get_invoice(invoice_id: int, current_user: User = Depends(get_current_user)):
+    return db.query(Invoice).filter(Invoice.id == invoice_id).first()
+
+# ✅ Safe: always scope to authenticated user
+@app.get("/invoices/{invoice_id}")
+def get_invoice(invoice_id: int, current_user: User = Depends(get_current_user)):
+    invoice = db.query(Invoice).filter(
+        Invoice.id == invoice_id,
+        Invoice.owner_id == current_user.id  # ← ownership check
+    ).first()
+    if not invoice:
+        raise HTTPException(status_code=404)  # 404, not 403
+    return invoice
+```

package/areas/software/security/workflows/compliance-report.md

@@ -0,0 +1,57 @@
+---
+name: compliance-report
+type: workflow
+trigger: /compliance-report
+description: Generate a compliance artifact with control evidence for self-assessment against SOC2, ISO27001, GDPR, or PCI.
+inputs:
+  - compliance_standard
+  - reporting_period
+outputs:
+  - compliance_report
+  - gap_analysis
+roles:
+  - team-lead
+  - developer
+  - qa
+execution:
+  initiator: team-lead
+related-rules:
+  - compliance-baseline.md
+  - secrets-policy.md
+uses-skills:
+  - threat-modeling
+  - dependency-audit
+quality-gates:
+  - all controls evaluated (Compliant / Partial / Non-Compliant / N/A)
+  - remediation plan exists for all Non-Compliant controls
+  - report flagged for human review before external sharing
+---
+
+## Steps
+
+### 1. Map Controls — `@team-lead`
+- **Input:** compliance standard, period
+- **Actions:** load control framework for requested standard; map each control to evidence sources (automated logs, documents, manual evidence)
+- **Output:** control mapping table
+- **Done when:** all controls mapped
+
+### 2. Collect Evidence — `@developer` + `@qa`
+- **Input:** control mapping
+- **Actions:** automated evidence: CloudTrail, Vault audit logs, CI scan results; document evidence: `.security/` threat models, pentest reports; flag controls needing manual evidence (training records, access reviews)
+- **Output:** evidence collection per control
+- **Done when:** all controls have at least one evidence source or are flagged for manual collection
+
+### 3. Evaluate Compliance — `@team-lead`
+- **Input:** evidence collection
+- **Actions:** assign status per control: Compliant / Partial / Non-Compliant / N/A; for Partial/Non-Compliant: document gap and remediation plan with timeline
+- **Output:** evaluated control matrix
+- **Done when:** all controls have status; all gaps have remediation plans
+
+### 4. Generate Report — `@team-lead`
+- **Input:** evaluated matrix
+- **Actions:** produce executive summary: overall compliance %; control matrix: all controls with status and evidence links; gap analysis: non-compliant controls with risk and timeline; flag for human review before sharing externally; note: self-assessment aid, not certified audit
+- **Output:** compliance report document
+- **Done when:** report complete; human review flag set
+
+## Exit
+Complete control matrix + gap analysis + human review flag = report ready for review.

package/areas/software/security/workflows/pen-test-sim.md

@@ -0,0 +1,63 @@
+---
+name: pen-test-sim
+type: workflow
+trigger: /pen-test-sim
+description: Run automated OWASP Top-10 penetration test simulation against a staging environment.
+inputs:
+  - target_url
+  - scope
+outputs:
+  - pentest_report
+  - remediation_list
+roles:
+  - qa
+  - developer
+  - team-lead
+execution:
+  initiator: team-lead
+related-rules:
+  - secure-coding.md
+  - compliance-baseline.md
+uses-skills:
+  - sast-dast-interpretation
+  - security-headers
+quality-gates:
+  - target confirmed as staging (never production)
+  - all OWASP Top-10 categories evaluated
+  - Critical/High findings have remediation assigned
+---
+
+## Steps
+
+### 1. Scope Confirmation — `@team-lead`
+- **Input:** target URL
+- **Actions:** verify target is staging/preview — NEVER production; log test start time for audit correlation; confirm scope (OWASP Top-10 or custom)
+- **Output:** scope confirmation logged
+- **Done when:** target and scope confirmed; never production
+
+### 2. Passive Recon — `@qa`
+- **Input:** confirmed target
+- **Actions:** ZAP spider to discover all endpoints; identify technologies via response headers; check `robots.txt`, `sitemap.xml`
+- **Output:** endpoint inventory; technology fingerprint
+- **Done when:** full endpoint map produced
+
+### 3. Active Scanning — `@qa`
+- **Input:** endpoint inventory
+- **Actions:** A01 Broken Access Control: IDOR on all object endpoints; A02 Crypto Failures: SSL config and header policies; A03 Injection: SQLi and XSS probes on all inputs; A05 Security Misconfiguration: headers, error responses; A07 Auth Failures: rate limiting, brute force protection
+- **Output:** raw findings per OWASP category
+- **Done when:** all in-scope categories evaluated
+
+### 4. Manual Checks — `@qa`
+- **Input:** active scan results
+- **Actions:** auth token in URL parameters?; password reset: token expiry and single-use?; mass assignment on PUT/PATCH endpoints?
+- **Output:** manual check results
+- **Done when:** manual checks complete
+
+### 5. Report — `@team-lead`
+- **Input:** all findings
+- **Actions:** produce OWASP-format finding report; include per finding: severity, evidence (request/response), remediation, CVSS score; assign remediation owners for Critical/High
+- **Output:** `pentest_report_<date>.md`; remediation assignments
+- **Done when:** report reviewed; remediation owners assigned
+
+## Exit
+Published report + Critical/High findings assigned = pen-test complete.

package/areas/software/security/workflows/secret-rotation.md

@@ -0,0 +1,67 @@
+---
+name: secret-rotation
+type: workflow
+trigger: /secret-rotation
+description: Safely rotate a production secret with zero downtime using dual-read window.
+inputs:
+  - secret_name
+  - is_emergency
+outputs:
+  - rotated_secret
+  - audit_record
+roles:
+  - developer
+  - team-lead
+execution:
+  initiator: developer
+related-rules:
+  - secrets-policy.md
+  - security-posture.md
+uses-skills:
+  - secrets-management
+quality-gates:
+  - old credential revoked only after zero auth errors confirmed
+  - audit log entry created with rotation metadata
+  - next rotation date set (+90 days)
+---
+
+## Steps
+
+### 1. Prepare New Secret — `@developer`
+- **Input:** secret name
+- **Actions:** generate new credential (strong, random); store in Secrets Manager as new version — old version stays active
+- **Output:** new secret version created; old version still active
+- **Done when:** both versions active in Secrets Manager
+
+### 2. Dual-Read Window — `@developer`
+- **Input:** new secret version
+- **Actions:** update service to accept BOTH old and new credential; if single-credential only → schedule 2-minute maintenance window
+- **Output:** service accepts both versions
+- **Done when:** service deployed with dual-read capability
+
+### 3. Deploy New Secret — `@developer`
+- **Input:** dual-read service
+- **Actions:** trigger rolling restart to pick up new version; monitor pod restarts and error rates for 5 minutes
+- **Output:** all pods using new secret
+- **Done when:** zero auth errors post-restart
+
+### 4. Validate — `@team-lead`
+- **Input:** deployed rotation
+- **Actions:** confirm zero auth errors in monitoring; verify old credential is rejected by service
+- **Output:** validation confirmation
+- **Done when:** old credential confirmed rejected
+
+### 5. Revoke Old Secret — `@developer`
+- **Input:** validated rotation
+- **Actions:** delete old version from Secrets Manager; confirm no reads on old version in audit log
+- **Output:** old secret version deleted
+- **Done when:** audit log confirms zero reads on old version
+
+### 6. Document — `@developer`
+- **Input:** completed rotation
+- **Actions:** record in secret inventory: name, date, rotated by; set next rotation date (+90 days)
+- **Output:** audit record updated
+- **Done when:** inventory current; next rotation scheduled
+
+## Exit
+Old secret revoked + audit record updated = rotation complete.

package/areas/software/security/workflows/security-scan.md

@@ -0,0 +1,64 @@
+---
+name: security-scan
+type: workflow
+trigger: /security-scan
+description: Run a comprehensive security scan (SAST, deps, secrets, IaC) and produce a prioritized finding report.
+inputs:
+  - scan_scope
+  - scan_mode
+outputs:
+  - finding_report
+  - pr_review_comments
+roles:
+  - developer
+  - team-lead
+  - qa
+execution:
+  initiator: developer
+related-rules:
+  - secure-coding.md
+  - dependency-policy.md
+  - secrets-policy.md
+uses-skills:
+  - sast-dast-interpretation
+  - dependency-audit
+quality-gates:
+  - no critical findings unaddressed before merge
+  - high findings have 72-hour SLA assigned
+  - secrets scan covers full git log (--full mode)
+---
+
+## Steps
+
+### 1. SAST Scan — `@developer`
+- **Input:** codebase
+- **Actions:** `semgrep --config=p/security-audit`; `snyk code test`
+- **Output:** SAST finding list
+- **Done when:** scan complete; results saved
+
+### 2. Dependency Audit — `@developer`
+- **Input:** dependency files
+- **Actions:** `npm audit --json` / `pip-audit` / `trivy fs`; cross-reference with OSV database; flag Critical (block) and High (plan) findings
+- **Output:** dependency finding list with severity
+- **Done when:** all deps scanned; Critical/High flagged
+
+### 3. Secret Scanning — `@qa`
+- **Input:** staged changes (PR mode) or full git log (full mode)
+- **Actions:** `trufflehog filesystem` on staged changes; `gitleaks` on git log (last 100 commits if PR, full history if --full)
+- **Output:** secret scan results
+- **Done when:** no unreviewed secrets in scope
+
+### 4. Infrastructure Scan — `@developer` (if IaC exists)
+- **Input:** Terraform / K8s manifests
+- **Actions:** `checkov -d terraform/`; `kube-score` on K8s manifests
+- **Output:** IaC finding list
+- **Done when:** all manifests scanned
+
+### 5. Synthesize & Report — `@team-lead`
+- **Input:** all scan results
+- **Actions:** merge all findings; deduplicate by location; prioritize: Critical → High → Medium → Low; for Critical/High provide specific remediation code; post to PR as review comment; Critical → request changes (block merge); High → comment with 72-hour SLA; save full report: `.security/scan-results-<timestamp>.json`
+- **Output:** `finding_report.md`; PR review comments
+- **Done when:** report published; PR status set per findings
+
+## Exit
+No unaddressed Critical findings + report saved = scan complete.

package/areas/software/security/workflows/threat-model-review.md

@@ -0,0 +1,62 @@
+---
+name: threat-model-review
+type: workflow
+trigger: /threat-model-review
+description: Perform a STRIDE threat modeling session for a new feature or system component and produce a mitigation plan.
+inputs:
+  - feature_name
+outputs:
+  - threat_model_document
+  - required_mitigations
+roles:
+  - team-lead
+  - developer
+  - qa
+execution:
+  initiator: team-lead
+related-rules:
+  - secure-coding.md
+  - compliance-baseline.md
+uses-skills:
+  - threat-modeling
+  - auth-patterns
+quality-gates:
+  - all trust boundary crossings evaluated for all 6 STRIDE categories
+  - required mitigations mapped to controls before implementation
+  - threat model saved to .security/threat-models/
+---
+
+## Steps
+
+### 1. Parse Feature — `@team-lead`
+- **Input:** feature description
+- **Actions:** extract: data processed, actors, trust boundaries crossed, entry points (APIs, file inputs, queues)
+- **Output:** feature decomposition note
+- **Done when:** trust boundaries explicitly identified
+
+### 2. Data Flow Diagram — `@developer`
+- **Input:** feature decomposition
+- **Actions:** map: External Entities → Processes → Data Stores → Trust Boundaries
+- **Output:** DFD (Mermaid or draw.io)
+- **Done when:** all entry points visible in diagram
+
+### 3. STRIDE Analysis — `@team-lead` + `@qa`
+- **Input:** DFD
+- **Actions:** for each trust boundary crossing, evaluate all 6 STRIDE categories (Spoofing / Tampering / Repudiation / Information Disclosure / Denial of Service / Elevation of Privilege); generate one finding per identified threat
+- **Output:** STRIDE finding list
+- **Done when:** all crossings evaluated; no category skipped
+
+### 4. Prioritize — `@team-lead`
+- **Input:** STRIDE findings
+- **Actions:** score each: Likelihood (1–3) × Impact (1–3) = Risk Score; sort descending; classify: Required / Recommended / Accepted risk
+- **Output:** prioritized risk register
+- **Done when:** all findings classified
+
+### 5. Generate Mitigations — `@developer`
+- **Input:** prioritized risks
+- **Actions:** map each Required threat to a control from `auth-patterns` or `crypto-standards` skills; document in threat model
+- **Output:** `.security/threat-models/threat-model-<feature>.md` — DFD + STRIDE table + mitigations
+- **Done when:** all Required findings have assigned controls; document complete
+
+## Exit
+Published threat model + Required mitigations assigned = secure implementation can proceed.

package/areas/template/AGENTS-area.tmpl.md

@@ -0,0 +1,61 @@
+# {{DOMAIN_NAME}} — area guidance index
+
+<!--
+AGENT INSTRUCTIONS:
+This is the ROOT AGENTS.md for the entire area.
+Load it before any spec-level guidance.
+It defines:
+  1. What this area covers
+  2. Spec selection (which spec to load for which task)
+  3. Cross-cutting constraints applying to ALL specs in this area
+  4. The full spec map
+Target: under 100 lines.
+Delete all AGENT INSTRUCTIONS comments before finalising.
+-->
+
+## What this area covers
+
+{{ONE_PARAGRAPH: what domain this area covers, who uses it, what kinds of work it guides agents through.}}
+
+## Spec selection
+
+Match the task to the spec that owns it:
+
+| Task type | Spec to load |
+|:---|:---|
+| {{TASK_TYPE_1}} | `{{spec-name}}/` |
+| {{TASK_TYPE_2}} | `{{spec-name}}/` |
+| {{TASK_TYPE_3}} | `{{spec-name}}/` |
+| General / cross-cutting | `general/` (if present) |
+
+If the task spans multiple specs, load the primary spec's full chain, then the secondary spec's `rules/*` only.
+
+## Cross-cutting constraints
+
+<!--
+Constraints that apply to ALL specs in this area.
+Not duplicated in individual spec rule files.
+Write in imperative form.
+-->
+
+- **{{CONSTRAINT_1_NAME}}** — {{one sentence, imperative, e.g. "never commit secrets to source control."}}
+- **{{CONSTRAINT_2_NAME}}** — {{one sentence, imperative}}
+- **{{CONSTRAINT_3_NAME}}** — {{one sentence, imperative}}
+
+## Load order
+
+1. This file (`areas/{{domain}}/AGENTS.md`)
+2. Spec `AGENTS.md` (`areas/{{domain}}/{{spec}}/AGENTS.md`)
+3. Spec `rules/*.md` — all rules for the selected spec
+4. Spec `skills/*/SKILL.md` — on-demand, matching "When to load"
+5. Spec `workflows/*.md` — matching the slash command trigger
+
+## Specs in this area
+
+```text
+areas/{{domain}}/
+├── {{spec-1}}/    # {{one_line_scope}}
+├── {{spec-2}}/    # {{one_line_scope}}
+├── {{spec-3}}/    # {{one_line_scope}}
+└── {{spec-4}}/    # {{one_line_scope}}
+```

package/areas/template/AGENTS.tmpl.md

@@ -0,0 +1,67 @@
+# {{SPEC_NAME}} — guidance index
+
+<!--
+AGENT INSTRUCTIONS:
+This file is the entry point for agents working in this specialization.
+Load it FIRST before any rules, skills, or workflows.
+Target: under 80 lines — this is a navigation map, not a knowledge document.
+Delete all AGENT INSTRUCTIONS comments before finalising.
+-->
+
+## What this area covers
+
+{{ONE_PARAGRAPH: what domain this spec covers, who uses it, and what kinds of work it guides agents through.}}
+
+## Guidance chain
+
+Load in this order:
+
+1. Project `.agent/` baseline (`AGENTS.md` + `.agent/*`)
+2. `{{domain}}/{{spec}}/rules/*` — load all rules for this spec
+3. `{{domain}}/{{spec}}/skills/*/SKILL.md` — load only the skill matching the current task (see "When to load" in each skill)
+4. `{{domain}}/{{spec}}/workflows/*` — load the workflow matching the triggered slash command
+
+## Inherited from {{DOMAIN_NAME}} area
+
+<!--
+List cross-cutting constraints that apply from the parent area's AGENTS.md.
+These do NOT need to be repeated in this spec's rule files.
+-->
+
+- {{INHERITED_CONSTRAINT_1 — e.g. "All IaC changes must be version-controlled; no manual console edits."}}
+- {{INHERITED_CONSTRAINT_2}}
+
+## {{SPEC_NAME}}-specific constraints
+
+<!--
+List constraints where this spec diverges from or extends the area-wide defaults.
+Write in imperative form: "must", "never", "required", "forbidden".
+Avoid advice-language: "consider", "try to", "ideally".
+-->
+
+- {{CONSTRAINT_1 — e.g. "Every new service must expose the four golden signals before shipping."}}
+- {{CONSTRAINT_2}}
+
+## Spec map
+
+```text
+{{spec-name}}/
+├── rules/
+│   ├── {{filename}}.md     ← {{one_line_description}}
+│   └── {{filename}}.md     ← {{one_line_description}}
+├── skills/
+│   ├── {{skill-dir}}/SKILL.md    ← {{one_line_description}}
+│   └── {{skill-dir}}/SKILL.md    ← {{one_line_description}}
+├── workflows/
+│   ├── {{filename}}.md     ← /{{command}} — {{one_line_description}}
+│   └── {{filename}}.md     ← /{{command}} — {{one_line_description}}
+└── prompts/
+    └── *.md
+```
+
+## Discovery patterns
+
+- `rules/*.md`
+- `skills/*/SKILL.md`
+- `workflows/*.md`
+- `prompts/*.md`