@jgamaraalv/ts-dev-kit 1.0.0

package/skills/nextjs-best-practices/references/scripts.md

@@ -0,0 +1,148 @@
+# Scripts
+
+Loading third-party scripts in Next.js.
+
+## Table of Contents
+
+- [Use next/script](#use-nextscript)
+- [Inline Scripts Need ID](#inline-scripts-need-id)
+- [Don't Put Script in Head](#dont-put-script-in-head)
+- [Loading Strategies](#loading-strategies)
+- [Google Analytics](#google-analytics)
+- [Google Tag Manager](#google-tag-manager)
+- [Other Third-Party Scripts](#other-third-party-scripts)
+- [Quick Reference](#quick-reference)
+
+## Use next/script
+
+Always use `next/script` instead of native `<script>` tags for better performance.
+
+```tsx
+// Bad: Native script tag
+<script src="https://example.com/script.js"></script>;
+
+// Good: Next.js Script component
+import Script from "next/script";
+
+<Script src="https://example.com/script.js" />;
+```
+
+## Inline Scripts Need ID
+
+Inline scripts require an `id` attribute for Next.js to track them.
+
+```tsx
+// Bad: Missing id
+<Script dangerouslySetInnerHTML={{ __html: 'console.log("hi")' }} />
+
+// Good: Has id
+<Script id="my-script" dangerouslySetInnerHTML={{ __html: 'console.log("hi")' }} />
+
+// Good: Inline with id
+<Script id="show-banner">
+  {`document.getElementById('banner').classList.remove('hidden')`}
+</Script>
+```
+
+## Don't Put Script in Head
+
+`next/script` should not be placed inside `next/head`. It handles its own positioning.
+
+```tsx
+// Bad: Script inside Head
+import Head from 'next/head'
+import Script from 'next/script'
+
+<Head>
+  <Script src="/analytics.js" />
+</Head>
+
+// Good: Script outside Head
+<Head>
+  <title>Page</title>
+</Head>
+<Script src="/analytics.js" />
+```
+
+## Loading Strategies
+
+```tsx
+// afterInteractive (default) - Load after page is interactive
+<Script src="/analytics.js" strategy="afterInteractive" />
+
+// lazyOnload - Load during idle time
+<Script src="/widget.js" strategy="lazyOnload" />
+
+// beforeInteractive - Load before page is interactive (use sparingly)
+// Only works in app/layout.tsx or pages/_document.js
+<Script src="/critical.js" strategy="beforeInteractive" />
+
+// worker - Load in web worker (experimental)
+<Script src="/heavy.js" strategy="worker" />
+```
+
+## Google Analytics
+
+Use `@next/third-parties` instead of inline GA scripts.
+
+```tsx
+// Bad: Inline GA script
+<Script src="https://www.googletagmanager.com/gtag/js?id=G-XXXXX" />
+<Script id="ga-init">
+  {`window.dataLayer = window.dataLayer || [];
+    function gtag(){dataLayer.push(arguments);}
+    gtag('js', new Date());
+    gtag('config', 'G-XXXXX');`}
+</Script>
+
+// Good: Next.js component
+import { GoogleAnalytics } from '@next/third-parties/google'
+
+export default function Layout({ children }) {
+  return (
+    <html>
+      <body>{children}</body>
+      <GoogleAnalytics gaId="G-XXXXX" />
+    </html>
+  )
+}
+```
+
+## Google Tag Manager
+
+```tsx
+import { GoogleTagManager } from "@next/third-parties/google";
+
+export default function Layout({ children }) {
+  return (
+    <html>
+      <GoogleTagManager gtmId="GTM-XXXXX" />
+      <body>{children}</body>
+    </html>
+  );
+}
+```
+
+## Other Third-Party Scripts
+
+```tsx
+// YouTube embed
+import { YouTubeEmbed } from "@next/third-parties/google";
+
+<YouTubeEmbed videoid="dQw4w9WgXcQ" />;
+
+// Google Maps
+import { GoogleMapsEmbed } from "@next/third-parties/google";
+
+<GoogleMapsEmbed apiKey="YOUR_API_KEY" mode="place" q="Brooklyn+Bridge,New+York,NY" />;
+```
+
+## Quick Reference
+
+| Pattern                                       | Issue                      | Fix                       |
+| --------------------------------------------- | -------------------------- | ------------------------- |
+| `<script src="...">`                          | No optimization            | Use `next/script`         |
+| `<Script>` without id                         | Can't track inline scripts | Add `id` attribute        |
+| `<Script>` inside `<Head>`                    | Wrong placement            | Move outside Head         |
+| Inline GA/GTM scripts                         | No optimization            | Use `@next/third-parties` |
+| `strategy="beforeInteractive"` outside layout | Won't work                 | Only use in root layout   |

package/skills/nextjs-best-practices/references/self-hosting.md

@@ -0,0 +1,210 @@
+# Self-Hosting Next.js
+
+Deploy Next.js outside of Vercel with confidence.
+
+## Table of Contents
+
+- [Standalone Output](#standalone-output)
+- [ISR and Cache Handlers](#isr-and-cache-handlers)
+- [What Works vs What Needs Setup](#what-works-vs-what-needs-setup)
+- [Image Optimization](#image-optimization)
+- [Environment Variables](#environment-variables)
+- [OpenNext: Serverless Without Vercel](#opennext-serverless-without-vercel)
+- [Pre-Deployment Checklist](#pre-deployment-checklist)
+- [Testing Cache Handler](#testing-cache-handler)
+
+## Standalone Output
+
+For Docker or any containerized deployment, use standalone output:
+
+```js
+// next.config.js
+export default {
+  output: "standalone",
+};
+```
+
+This creates a minimal `standalone` folder with only production dependencies:
+
+```
+.next/
+├── standalone/
+│   ├── server.js          # Entry point
+│   ├── node_modules/      # Only production deps
+│   └── .next/             # Build output
+└── static/                # Must be copied separately
+```
+
+**Key points for containers:**
+
+- Set `HOSTNAME="0.0.0.0"` for containers
+- Copy `public/` and `.next/static/` separately (not included in standalone)
+- Run with `node server.js`
+
+## ISR and Cache Handlers
+
+### The Problem
+
+ISR (Incremental Static Regeneration) uses filesystem caching by default. This **breaks with multiple instances**:
+
+- Instance A regenerates page -> saves to its local disk
+- Instance B serves stale page -> doesn't see Instance A's cache
+- Load balancer sends users to random instances -> inconsistent content
+
+### Solution: Custom Cache Handler
+
+Next.js 14+ supports custom cache handlers for shared storage:
+
+```js
+// next.config.js
+import { resolve } from "node:path";
+
+export default {
+  cacheHandler: resolve("./cache-handler.js"),
+  cacheMaxMemorySize: 0, // Disable in-memory cache
+};
+```
+
+#### Redis Cache Handler Example
+
+```js
+// cache-handler.js
+import { Redis } from "ioredis";
+
+const redis = new Redis(process.env.REDIS_URL);
+const CACHE_PREFIX = "nextjs:";
+
+export default class CacheHandler {
+  constructor(options) {
+    this.options = options;
+  }
+
+  async get(key) {
+    const data = await redis.get(CACHE_PREFIX + key);
+    if (!data) return null;
+
+    const parsed = JSON.parse(data);
+    return {
+      value: parsed.value,
+      lastModified: parsed.lastModified,
+    };
+  }
+
+  async set(key, data, ctx) {
+    const cacheData = {
+      value: data,
+      lastModified: Date.now(),
+    };
+
+    if (ctx?.revalidate) {
+      await redis.setex(CACHE_PREFIX + key, ctx.revalidate, JSON.stringify(cacheData));
+    } else {
+      await redis.set(CACHE_PREFIX + key, JSON.stringify(cacheData));
+    }
+  }
+
+  async revalidateTag(tags) {
+    // Implement tag-based invalidation
+    // This requires tracking which keys have which tags
+  }
+}
+```
+
+## What Works vs What Needs Setup
+
+| Feature              | Single Instance | Multi-Instance      | Notes                       |
+| -------------------- | --------------- | ------------------- | --------------------------- |
+| SSR                  | Yes             | Yes                 | No special setup            |
+| SSG                  | Yes             | Yes                 | Built at deploy time        |
+| ISR                  | Yes             | Needs cache handler | Filesystem cache breaks     |
+| Image Optimization   | Yes             | Yes                 | CPU-intensive, consider CDN |
+| Middleware           | Yes             | Yes                 | Runs on Node.js             |
+| Edge Runtime         | Limited         | Limited             | Some features Node-only     |
+| `revalidatePath/Tag` | Yes             | Needs cache handler | Must share cache            |
+| `next/font`          | Yes             | Yes                 | Fonts bundled at build      |
+| Draft Mode           | Yes             | Yes                 | Cookie-based                |
+
+## Image Optimization
+
+Next.js Image Optimization works out of the box but is CPU-intensive. For scale, offload to an external loader (Cloudinary, Imgix, etc.):
+
+```js
+// next.config.js
+export default {
+  images: {
+    loader: "custom",
+    loaderFile: "./lib/image-loader.js",
+  },
+};
+```
+
+```js
+// lib/image-loader.js
+export default function cloudinaryLoader({ src, width, quality }) {
+  const params = ["f_auto", "c_limit", `w_${width}`, `q_${quality || "auto"}`];
+  return `https://res.cloudinary.com/demo/image/upload/${params.join(",")}${src}`;
+}
+```
+
+For simple setups, tune the built-in optimizer with `minimumCacheTTL` and limited `deviceSizes`.
+
+## Environment Variables
+
+### Build-time vs Runtime
+
+```js
+// Available at build time only (baked into bundle)
+NEXT_PUBLIC_API_URL=https://api.example.com
+
+// Available at runtime (server-side only)
+DATABASE_URL=postgresql://...
+API_SECRET=...
+```
+
+### Runtime Configuration
+
+For truly dynamic config, don't use `NEXT_PUBLIC_*`. Instead:
+
+```tsx
+// app/api/config/route.ts
+export async function GET() {
+  return Response.json({
+    apiUrl: process.env.API_URL,
+    features: process.env.FEATURES?.split(","),
+  });
+}
+```
+
+## OpenNext: Serverless Without Vercel
+
+[OpenNext](https://open-next.js.org/) adapts Next.js for AWS Lambda, Cloudflare Workers, etc. Supports AWS Lambda + CloudFront, Cloudflare Workers, Netlify Functions, and Deno Deploy.
+
+## Pre-Deployment Checklist
+
+1. **Build locally first**: `npm run build` - catch errors before deploy
+2. **Test standalone output**: `node .next/standalone/server.js`
+3. **Set `output: 'standalone'`** for Docker
+4. **Configure cache handler** for multi-instance ISR
+5. **Set `HOSTNAME="0.0.0.0"`** for containers
+6. **Copy `public/` and `.next/static/`** - not included in standalone
+7. **Add health check endpoint**
+8. **Test ISR revalidation** after deployment
+9. **Monitor memory usage** - Node.js defaults may need tuning
+
+## Testing Cache Handler
+
+**Critical**: Test your cache handler on every Next.js upgrade:
+
+```bash
+# Start multiple instances
+PORT=3001 node .next/standalone/server.js &
+PORT=3002 node .next/standalone/server.js &
+
+# Trigger ISR revalidation
+curl http://localhost:3001/api/revalidate?path=/posts
+
+# Verify both instances see the update
+curl http://localhost:3001/posts
+curl http://localhost:3002/posts
+# Should return identical content
+```

package/skills/nextjs-best-practices/references/suspense-boundaries.md

@@ -0,0 +1,67 @@
+# Suspense Boundaries
+
+Client hooks that cause CSR bailout without Suspense boundaries.
+
+## useSearchParams
+
+Always requires Suspense boundary in static routes. Without it, the entire page becomes client-side rendered.
+
+```tsx
+// Bad: Entire page becomes CSR
+"use client";
+
+import { useSearchParams } from "next/navigation";
+
+export default function SearchBar() {
+  const searchParams = useSearchParams();
+  return <div>Query: {searchParams.get("q")}</div>;
+}
+```
+
+```tsx
+// Good: Wrap in Suspense
+import { Suspense } from "react";
+import SearchBar from "./search-bar";
+
+export default function Page() {
+  return (
+    <Suspense fallback={<div>Loading...</div>}>
+      <SearchBar />
+    </Suspense>
+  );
+}
+```
+
+## usePathname
+
+Requires Suspense boundary when route has dynamic parameters.
+
+```tsx
+// In dynamic route [slug]
+// Bad: No Suspense
+"use client";
+import { usePathname } from "next/navigation";
+
+export function Breadcrumb() {
+  const pathname = usePathname();
+  return <nav>{pathname}</nav>;
+}
+```
+
+```tsx
+// Good: Wrap in Suspense
+<Suspense fallback={<BreadcrumbSkeleton />}>
+  <Breadcrumb />
+</Suspense>
+```
+
+If you use `generateStaticParams`, Suspense is optional.
+
+## Quick Reference
+
+| Hook                | Suspense Required    |
+| ------------------- | -------------------- |
+| `useSearchParams()` | Yes                  |
+| `usePathname()`     | Yes (dynamic routes) |
+| `useParams()`       | No                   |
+| `useRouter()`       | No                   |

package/skills/owasp-security-review/SKILL.md

@@ -0,0 +1,98 @@
+---
+name: owasp-security-review
+description: "Review code and architectures against the OWASP Top 10:2025 — the ten most critical web application security risks. Use when: (1) reviewing code for security vulnerabilities, (2) auditing a feature or codebase against OWASP categories, (3) providing remediation guidance for identified vulnerabilities, (4) writing new code and needing secure coding patterns. Triggers: 'review for security', 'OWASP audit', 'check for vulnerabilities','security checklist', 'is this code secure', 'security review', 'fix vulnerability'."
+---
+
+# OWASP Top 10:2025 Security Review
+
+## Quick reference
+
+| #   | Category                              | Key risk                                                               | Avg incidence |
+| --- | ------------------------------------- | ---------------------------------------------------------------------- | ------------- |
+| A01 | Broken Access Control                 | Unauthorized data access, privilege escalation, SSRF, CSRF             | 3.74%         |
+| A02 | Security Misconfiguration             | Default creds, verbose errors, missing hardening, XXE                  | 3.00%         |
+| A03 | Software Supply Chain Failures        | Vulnerable/malicious dependencies, compromised build pipelines         | 5.72%         |
+| A04 | Cryptographic Failures                | Weak algorithms, hardcoded keys, missing encryption, weak hashing      | 3.80%         |
+| A05 | Injection                             | SQLi, XSS, command injection, LDAP/XPath/EL injection                  | 3.08%         |
+| A06 | Insecure Design                       | Missing threat modeling, business logic flaws, insufficient controls   | 1.86%         |
+| A07 | Authentication Failures               | Credential stuffing, weak passwords, session fixation, missing MFA     | 2.92%         |
+| A08 | Software/Data Integrity Failures      | Unsigned updates, insecure deserialization, untrusted CDN code         | 2.75%         |
+| A09 | Security Logging & Alerting Failures  | Missing audit logs, no alerting, log injection, sensitive data in logs | 3.91%         |
+| A10 | Mishandling of Exceptional Conditions | Failing open, info leakage via errors, unchecked return values         | 2.95%         |
+
+## Workflows
+
+### 1. Code review for security
+
+Systematically check the code against each relevant category:
+
+1. **Identify the code's surface area** — Does it handle auth? User input? File uploads? External data? Crypto? Error responses?
+2. **Select relevant categories** from the table above based on the surface area.
+3. **Load the reference file** for each relevant category and check the code against the "What to look for" section.
+4. **Report findings** grouped by category with severity (Critical/High/Medium/Low), the specific code location, and a concrete fix.
+
+Priority order for review (highest impact first):
+
+- `[CRITICAL]` Input handling code → A05 (Injection), A01 (Access Control)
+- `[CRITICAL]` Auth/session code → A07 (Authentication), A01 (Access Control)
+- `[HIGH]` Data storage/transmission → A04 (Cryptographic Failures)
+- `[HIGH]` Configuration/deployment → A02 (Security Misconfiguration)
+- `[HIGH]` Dependencies → A03 (Supply Chain)
+- `[MEDIUM]` Error handling → A10 (Exceptional Conditions), A09 (Logging)
+- `[MEDIUM]` Architecture/design → A06 (Insecure Design)
+- `[MEDIUM]` Data integrity → A08 (Integrity Failures)
+
+### 2. Security audit checklist
+
+Generate a checklist for a feature or codebase:
+
+1. Read the feature/codebase to understand its scope.
+2. For each of the 10 categories, determine if it applies.
+3. For applicable categories, load the reference file and produce a checklist of items to verify.
+4. Output a markdown checklist grouped by category.
+
+### 3. Remediation guidance
+
+When a vulnerability is identified:
+
+1. Classify it into the correct OWASP category.
+2. Load the corresponding reference file.
+3. Apply the prevention checklist to produce a specific, actionable fix.
+4. Provide a code example of the fix when possible.
+
+## Reference files
+
+Load the relevant file when you need detailed guidance for a specific category:
+
+- **A01 Broken Access Control** — authorization checks, IDOR, CORS, CSRF, path traversal: [references/a01-broken-access-control.md](references/a01-broken-access-control.md)
+- **A02 Security Misconfiguration** — hardening, default creds, error messages, headers, XXE: [references/a02-security-misconfiguration.md](references/a02-security-misconfiguration.md)
+- **A03 Supply Chain Failures** — dependency management, SBOM, build pipeline security: [references/a03-supply-chain-failures.md](references/a03-supply-chain-failures.md)
+- **A04 Cryptographic Failures** — encryption, hashing, key management, TLS, PRNG: [references/a04-cryptographic-failures.md](references/a04-cryptographic-failures.md)
+- **A05 Injection** — SQL, XSS, command, ORM, LDAP, template injection: [references/a05-injection.md](references/a05-injection.md)
+- **A06 Insecure Design** — threat modeling, business logic, secure SDLC: [references/a06-insecure-design.md](references/a06-insecure-design.md)
+- **A07 Authentication Failures** — credential stuffing, MFA, session management, password policy: [references/a07-authentication-failures.md](references/a07-authentication-failures.md)
+- **A08 Integrity Failures** — deserialization, code signing, untrusted sources, CDN trust: [references/a08-integrity-failures.md](references/a08-integrity-failures.md)
+- **A09 Logging & Alerting** — audit trails, log injection, alerting, sensitive data in logs: [references/a09-logging-alerting-failures.md](references/a09-logging-alerting-failures.md)
+- **A10 Exceptional Conditions** — error handling, fail-closed, resource cleanup, info leakage: [references/a10-exceptional-conditions.md](references/a10-exceptional-conditions.md)
+
+## Severity classification
+
+Use these severity levels when reporting findings:
+
+- **Critical**: Directly exploitable, leads to full system compromise or mass data breach (e.g., SQLi with no parameterization, hardcoded admin credentials, missing auth on admin endpoints).
+- **High**: Exploitable with moderate effort, significant data exposure or privilege escalation (e.g., IDOR, weak password hashing, SSRF, deserialization of untrusted data).
+- **Medium**: Exploitable under specific conditions, limited impact (e.g., missing CSRF protection, verbose error messages, missing security headers).
+- **Low**: Defense-in-depth issue, minimal direct impact (e.g., missing rate limiting, incomplete logging, suboptimal crypto configuration).
+
+## Output format
+
+When reporting security findings, use this structure:
+
+```
+### [SEVERITY] A0X: Category Name — Brief title
+
+**Location**: `file:line`
+**Risk**: What can go wrong and the impact.
+**Finding**: What the code does wrong.
+**Fix**: Specific remediation with code example.
+```

package/skills/owasp-security-review/references/a01-broken-access-control.md

@@ -0,0 +1,78 @@
+# A01:2025 Broken Access Control
+
+The #1 risk. 40 CWEs, 3.74% avg incidence, 1.8M+ occurrences. Includes SSRF (previously separate).
+
+## What to look for
+
+**Missing authorization checks:**
+
+- API endpoints without auth middleware or role checks
+- Routes accessible without login (force browsing)
+- Missing ownership validation — user can access/modify another user's records by changing an ID
+- POST/PUT/DELETE endpoints with no access control
+- Admin endpoints accessible to regular users
+
+**IDOR (Insecure Direct Object References):**
+
+- Sequential/predictable IDs in URLs or request bodies (`/api/users/123`)
+- No ownership check when accessing resources by ID
+- Database queries using user-supplied IDs without verifying the requester owns the record
+
+**CORS misconfiguration:**
+
+- `Access-Control-Allow-Origin: *` on authenticated endpoints
+- Reflecting the `Origin` header without validation
+- Allowing credentials with wildcard origins
+
+**CSRF:**
+
+- State-changing operations (POST/PUT/DELETE) without CSRF tokens
+- Cookie-based auth without SameSite attribute
+
+**Path traversal:**
+
+- File paths constructed from user input without sanitization
+- `../` sequences not blocked
+- Symlink following without checks
+
+**JWT/session issues:**
+
+- JWTs not validated (signature, expiry, audience, issuer)
+- Long-lived JWTs without refresh token rotation
+- Sessions not invalidated on logout
+- Session IDs in URLs
+
+**SSRF:**
+
+- Server makes HTTP requests to user-supplied URLs
+- No allowlist for internal/external URL targets
+- DNS rebinding not mitigated
+
+## Prevention checklist
+
+- [ ] Deny by default — only grant access explicitly
+- [ ] Implement access control once, reuse everywhere (middleware/decorator pattern)
+- [ ] Enforce record ownership in queries (`WHERE user_id = ?` with authenticated user's ID)
+- [ ] Validate JWT claims: `aud`, `iss`, `exp`, scopes
+- [ ] Set short JWT expiry + refresh token pattern
+- [ ] Invalidate sessions server-side on logout
+- [ ] Use CSRF tokens or SameSite cookies for state-changing requests
+- [ ] Restrict CORS to specific trusted origins
+- [ ] Disable directory listing; remove `.git`, backups from web root
+- [ ] Log and alert on access control failures
+- [ ] Rate-limit API and controller access
+- [ ] For SSRF: allowlist target hosts/IPs, block internal ranges (169.254.x.x, 10.x.x.x, etc.)
+- [ ] Include access control tests in unit/integration test suites
+
+## Key CWEs
+
+| CWE | Name                                                    | Common in                      |
+| --- | ------------------------------------------------------- | ------------------------------ |
+| 200 | Exposure of Sensitive Information to Unauthorized Actor | API responses leaking data     |
+| 284 | Improper Access Control                                 | Missing auth middleware        |
+| 285 | Improper Authorization                                  | Role check bypass              |
+| 352 | Cross-Site Request Forgery                              | Cookie-based auth without CSRF |
+| 862 | Missing Authorization                                   | Endpoints without auth         |
+| 863 | Incorrect Authorization                                 | Flawed role logic              |
+| 918 | Server-Side Request Forgery                             | URL fetch from user input      |
+| 639 | Authorization Bypass Through User-Controlled Key        | IDOR                           |

package/skills/owasp-security-review/references/a02-security-misconfiguration.md

@@ -0,0 +1,81 @@
+# A02:2025 Security Misconfiguration
+
+Moved from #5 to #2. 16 CWEs, 3.00% avg incidence, 719K+ occurrences.
+
+## What to look for
+
+**Default and unchanged credentials:**
+
+- Default admin accounts still active
+- Default passwords in config files or environment variables
+- Database connections using default credentials
+
+**Verbose error messages:**
+
+- Stack traces exposed to end users
+- Database error details in API responses
+- Framework/library version info in error pages
+- Missing custom error pages (default 404/500 pages)
+
+**Unnecessary features enabled:**
+
+- Debug mode enabled in production (`DEBUG=true`, `NODE_ENV=development`)
+- Unused ports/services running
+- Sample/test endpoints deployed to production
+- Admin console publicly accessible
+- Directory listing enabled
+
+**Missing security headers:**
+
+- No `Strict-Transport-Security` (HSTS)
+- No `Content-Security-Policy` (CSP)
+- No `X-Content-Type-Options: nosniff`
+- No `X-Frame-Options` or `Content-Security-Policy: frame-ancestors`
+- No `Referrer-Policy`
+- No `Permissions-Policy`
+
+**XXE (XML External Entity):**
+
+- XML parsers with external entity processing enabled
+- DTD processing not disabled
+- SOAP services accepting XML without entity restrictions
+
+**Cloud/infra misconfig:**
+
+- S3 buckets or cloud storage publicly accessible
+- Overly permissive IAM roles
+- Security groups allowing 0.0.0.0/0 ingress
+- Secrets/keys hardcoded or in plaintext config
+
+**Cookie security:**
+
+- Missing `Secure` flag on cookies in HTTPS
+- Missing `HttpOnly` flag on session cookies
+- Missing or incorrect `SameSite` attribute
+- Sensitive data stored in cookies in cleartext
+
+## Prevention checklist
+
+- [ ] Automate environment hardening — identical config for dev/QA/prod (only credentials differ)
+- [ ] Remove all unused features, frameworks, sample apps, documentation
+- [ ] Set `NODE_ENV=production` (or equivalent) in production
+- [ ] Implement custom error pages; never expose stack traces
+- [ ] Add all security headers (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy)
+- [ ] Set cookie flags: `Secure`, `HttpOnly`, `SameSite=Strict` or `Lax`
+- [ ] Disable XML external entity processing and DTDs
+- [ ] Review cloud storage permissions (S3, GCS, Azure Blob)
+- [ ] Use identity federation and short-lived credentials instead of static keys
+- [ ] Automate configuration verification across all environments
+- [ ] Disable directory listing on web servers
+
+## Key CWEs
+
+| CWE  | Name                               | Common in                |
+| ---- | ---------------------------------- | ------------------------ |
+| 16   | Configuration                      | Broad misconfiguration   |
+| 611  | Improper Restriction of XXE        | XML parsers              |
+| 489  | Active Debug Code                  | Debug mode in production |
+| 1004 | Sensitive Cookie Without HttpOnly  | Session cookies          |
+| 614  | Sensitive Cookie Without Secure    | HTTPS cookies            |
+| 942  | Permissive Cross-domain Policy     | CORS/crossdomain.xml     |
+| 526  | Exposure via Environment Variables | Leaked env vars          |