@jigyasudham/veto 0.8.3 → 1.1.0

package/src/skills/quality/skill-code-review.ts

@@ -1,84 +0,0 @@
-// Skill: code-review — 20-point code review checklist
-
-export interface SkillInput {
-  task: string;
-  context?: string;
-  options?: Record<string, unknown>;
-}
-
-export interface SkillOutput {
-  skill: string;
-  template?: string;
-  checklist: string[];
-  patterns: string[];
-  gotchas: string[];
-  resources: string[];
-}
-
-export function run(input: SkillInput): SkillOutput {
-  return {
-    skill: 'code-review',
-    template: undefined,
-    checklist: [
-      // Correctness (1-4)
-      '1. CORRECTNESS — Does the code do what the PR description says? Walk through the logic manually with a concrete example.',
-      '2. EDGE CASES — Does it handle null/undefined, empty collections, zero, negative numbers, very large inputs, and concurrent calls correctly?',
-      '3. ERROR HANDLING — Are all errors caught, typed, and handled? No silent swallowed errors, no bare catch blocks that discard the error.',
-      '4. CONCURRENCY — Does shared mutable state have proper synchronisation? Are async operations correctly awaited? No floating promises.',
-
-      // Security (5-7)
-      '5. INPUT VALIDATION — Is all user-supplied input validated with a schema library (zod/joi) before use? No raw string concatenation into queries.',
-      '6. AUTHENTICATION & AUTHORISATION — Does every data-access path check that the requesting user owns the resource? Is auth middleware applied?',
-      '7. SECRETS — No hardcoded credentials, API keys, or tokens in the diff. No sensitive values logged or included in error responses.',
-
-      // Performance (8-9)
-      '8. N+1 QUERIES — Are list endpoints fetching related records in a loop? Use batch/include/join instead.',
-      '9. COMPLEXITY — Are there any O(n²) or worse algorithms on large datasets? Is database access inside a loop?',
-
-      // Types and naming (10-12)
-      '10. TYPES — Is TypeScript used strictly (no `any`, no type assertions without comment)? Are interfaces and return types explicit on public functions?',
-      '11. NAMING — Are variables, functions, and classes named clearly and consistently? Do boolean variables use is/has/should prefixes?',
-      '12. MAGIC VALUES — Are all magic numbers and magic strings replaced with named constants or enums?',
-
-      // Style and complexity (13-14)
-      '13. COMPLEXITY — Are functions short (< 30 lines) and single-purpose? If a function requires a long comment to explain it, refactor instead.',
-      '14. DUPLICATION — Is the same logic copy-pasted from elsewhere? Extract a shared utility or extend an existing one.',
-
-      // Tests (15-16)
-      '15. TEST COVERAGE — Are there tests for the new code? Do they cover the happy path, error paths, and at least one edge case?',
-      '16. TEST QUALITY — Do the tests assert on the right things? Are mocks minimal and purposeful? Tests should not duplicate implementation logic.',
-
-      // Documentation (17)
-      '17. DOCUMENTATION — Do complex functions have a JSDoc comment explaining the why (not just the what)? Are public API changes reflected in the OpenAPI spec?',
-
-      // Dependencies and build (18)
-      '18. DEPENDENCIES — Are new npm packages justified? Check for license compatibility, maintenance status, and security advisories (npm audit).',
-
-      // Observability (19)
-      '19. OBSERVABILITY — Are significant operations logged at the appropriate level? Are errors logged with enough context to diagnose? No passwords in logs.',
-
-      // Review hygiene (20)
-      '20. BREAKING CHANGES — Does the change break any existing API contracts, DB schemas, or public interfaces? If so, is it properly versioned or migrated?',
-    ],
-    patterns: [
-      'Review the diff, not the file — focus on what changed and why',
-      'Ask questions instead of issuing commands: "Could this be null here?" vs "Fix this"',
-      'Distinguish blocking issues (must fix) from suggestions (nice to have) in comments',
-      'Approve with comments for minor non-blocking issues rather than blocking for style',
-      'Check the tests before the implementation — tests reveal the intended behaviour',
-    ],
-    gotchas: [
-      'Approving without running or reading the tests — tests are part of the code',
-      'Nitpicking style when an auto-formatter (Prettier/ESLint) should enforce it',
-      'Missing the forest for the trees: reviewing individual lines but missing a design flaw',
-      'Not reviewing DB migrations for data safety (missing IF NOT EXISTS, backfill plan)',
-      'Forgetting to check error message text — "null pointer exception" leaking to the user',
-    ],
-    resources: [
-      'https://google.github.io/eng-practices/review/reviewer/',
-      'https://mtlynch.io/code-review-love/',
-      'https://www.conventionalcommits.org/ (PR title / commit message style)',
-      'https://cheatsheetseries.owasp.org/cheatsheets/Code_Review_Guide_Introduction_Cheat_Sheet.html',
-    ],
-  };
-}

package/src/skills/quality/skill-security-scan.ts

@@ -1,91 +0,0 @@
-// Skill: security-scan — OWASP Top 10 scan process with tool commands
-
-export interface SkillInput {
-  task: string;
-  context?: string;
-  options?: Record<string, unknown>;
-}
-
-export interface SkillOutput {
-  skill: string;
-  template?: string;
-  checklist: string[];
-  patterns: string[];
-  gotchas: string[];
-  resources: string[];
-}
-
-export function run(input: SkillInput): SkillOutput {
-  return {
-    skill: 'security-scan',
-    template: undefined,
-    checklist: [
-      // Dependency scanning
-      '1. Run npm audit: npx npm audit --audit-level=high (fail CI if high/critical found)',
-      '2. Run Snyk for deeper CVE analysis: npx snyk test --severity-threshold=high',
-      '3. Check for outdated packages: npx npm-check-updates (review before upgrading)',
-      '4. Verify lockfile integrity: npm ci (uses lockfile exactly; fails if lockfile is dirty)',
-
-      // Secrets scanning
-      '5. Scan for hardcoded secrets: npx gitleaks detect --source . --verbose',
-      '6. Run trufflehog on git history: trufflehog git file://. --since-commit HEAD~20',
-      '7. Verify .gitignore covers .env, *.key, *.pem, secrets.json, credentials.json',
-
-      // Static analysis
-      '8. Run ESLint security plugin: eslint --plugin security --rule "security/detect-eval-with-expression: error"',
-      '9. Run Semgrep OWASP ruleset: semgrep --config=p/owasp-top-ten --error .',
-      '10. Run CodeQL (GitHub Actions): use codeql-action/analyze with javascript/typescript queries',
-
-      // A01 – Broken Access Control
-      '11. A01 – Review every route handler: confirm auth middleware precedes data access',
-      '12. A01 – Search for direct object references: grep -r "req.params.id" src/ — verify ownership check in each',
-
-      // A02 – Cryptographic Failures
-      '13. A02 – Search for weak hashes: grep -r "md5\\|sha1\\|DES\\|RC4" src/ (flag any match)',
-      '14. A02 – Verify HTTPS enforcement: check for HSTS header and HTTP→HTTPS redirect in server config',
-
-      // A03 – Injection
-      '15. A03 – Search for SQL concatenation: grep -r "SELECT.*+" src/ — all DB calls should use parameterised queries',
-      '16. A03 – Search for eval: grep -rn "eval(" src/ — no eval() in production code',
-
-      // A05 – Misconfiguration
-      '17. A05 – Run security headers check: curl -I https://your-domain.com | grep -E "Content-Security|X-Frame|Strict-Transport|X-Content"',
-      '18. A05 – Verify no debug routes in production: grep -r "/debug\\|/__admin" src/routes/',
-
-      // A07 – Auth failures
-      '19. A07 – Confirm rate limiting on auth endpoints: grep -r "rateLimit" src/routes/auth',
-      '20. A07 – Verify account lockout logic exists: grep -r "lockedUntil\\|failedAttempts" src/services/auth',
-
-      // DAST
-      '21. Run OWASP ZAP baseline scan: docker run -t owasp/zap2docker-stable zap-baseline.py -t https://staging.example.com',
-      '22. Check Content-Security-Policy with observatory: npx observatory-cli your-domain.com --format report',
-
-      // Final gate
-      '23. Review all HIGH/CRITICAL findings; create tickets for each; do not ship with open criticals',
-      '24. Add security scan steps to CI pipeline so every PR is checked automatically',
-    ],
-    patterns: [
-      'Shift-left security: scan in CI on every PR, not only before release',
-      'Defence in depth: layered scanning (dependency + static + dynamic)',
-      'Fail-fast: non-zero CI exit code on any high/critical finding',
-      'Security-as-code: Semgrep rules and ZAP configs version-controlled alongside application',
-    ],
-    gotchas: [
-      'npm audit reports transitive dependency vulnerabilities — check if exploitable in your code path before panicking',
-      'Semgrep false positives on test files — add --exclude "tests/" to production scans',
-      'ZAP baseline scan covers only unauthenticated paths — run a full scan with an auth script for coverage',
-      'Gitleaks detects secrets committed at any point in history, not just HEAD — clean git history with git-filter-repo if needed',
-      'Snyk requires authentication for full CVE database access — set SNYK_TOKEN in CI secrets',
-    ],
-    resources: [
-      'https://owasp.org/www-project-top-ten/',
-      'https://owasp.org/www-project-zap/',
-      'https://semgrep.dev/p/owasp-top-ten',
-      'https://github.com/gitleaks/gitleaks',
-      'https://snyk.io/docs/snyk-cli/',
-      'https://cheatsheetseries.owasp.org/cheatsheets/Nodejs_Security_Cheat_Sheet.html',
-      'https://docs.npmjs.com/cli/v10/commands/npm-audit',
-      'https://observatory.mozilla.org/',
-    ],
-  };
-}

package/src/skills/quality/skill-test-suite.ts

@@ -1,290 +0,0 @@
-// Skill: test-suite — complete test suite structure guide
-
-export interface SkillInput {
-  task: string;
-  context?: string;
-  options?: Record<string, unknown>;
-}
-
-export interface SkillOutput {
-  skill: string;
-  template?: string;
-  checklist: string[];
-  patterns: string[];
-  gotchas: string[];
-  resources: string[];
-}
-
-const TEMPLATE = `
-// ── Unit test: ItemService (tests/unit/item.service.test.ts) ──────────────
-import { describe, it, expect, beforeEach, vi } from 'vitest';
-import { ItemService } from '../../src/services/item.service';
-import type { ItemRepository } from '../../src/repositories/item.repository';
-
-// Test fixture factory — create minimal valid objects
-function makeItem(overrides: Partial<Item> = {}): Item {
-  return {
-    id: 'item-1',
-    name: 'Test Item',
-    userId: 'user-1',
-    createdAt: new Date('2024-01-01'),
-    updatedAt: new Date('2024-01-01'),
-    ...overrides,
-  };
-}
-
-describe('ItemService', () => {
-  let service: ItemService;
-  let repo: ItemRepository;
-
-  beforeEach(() => {
-    repo = {
-      findById: vi.fn(),
-      findAllByUser: vi.fn(),
-      create: vi.fn(),
-      update: vi.fn(),
-      delete: vi.fn(),
-    };
-    service = new ItemService(repo);
-  });
-
-  // ── Happy path ──────────────────────────────────────────────────────────
-  describe('getItem', () => {
-    it('returns the item when found and owned by the requesting user', async () => {
-      const item = makeItem({ userId: 'user-1' });
-      vi.mocked(repo.findById).mockResolvedValue(item);
-
-      const result = await service.getItem('item-1', 'user-1');
-      expect(result).toEqual(item);
-    });
-
-    // ── Error cases ───────────────────────────────────────────────────────
-    it('throws NotFoundError when item does not exist', async () => {
-      vi.mocked(repo.findById).mockResolvedValue(null);
-      await expect(service.getItem('missing', 'user-1')).rejects.toThrow(NotFoundError);
-    });
-
-    it('throws ForbiddenError when item belongs to a different user', async () => {
-      const item = makeItem({ userId: 'user-2' });
-      vi.mocked(repo.findById).mockResolvedValue(item);
-      await expect(service.getItem('item-1', 'user-1')).rejects.toThrow(ForbiddenError);
-    });
-  });
-
-  // ── Edge cases ─────────────────────────────────────────────────────────
-  describe('createItem', () => {
-    it('trims whitespace from name before storing', async () => {
-      const item = makeItem({ name: 'Trimmed' });
-      vi.mocked(repo.create).mockResolvedValue(item);
-
-      await service.createItem('user-1', { name: '  Trimmed  ' });
-      expect(repo.create).toHaveBeenCalledWith('user-1', { name: 'Trimmed' });
-    });
-
-    it('propagates repository errors', async () => {
-      vi.mocked(repo.create).mockRejectedValue(new Error('DB connection failed'));
-      await expect(service.createItem('user-1', { name: 'x' })).rejects.toThrow('DB connection failed');
-    });
-  });
-});
-
-// ── Integration test: Items API (tests/integration/items.test.ts) ─────────
-import request from 'supertest';
-import { createApp } from '../../src/app';
-import { signAccessToken } from '../../src/utils/tokens';
-
-describe('Items API', () => {
-  let app: Express.Application;
-  let authToken: string;
-
-  beforeAll(async () => {
-    app = await createApp({ db: testDb });
-    authToken = signAccessToken('user-1', 'user');
-    await testDb.user.create({ data: { id: 'user-1', email: 'test@example.com', passwordHash: 'x' } });
-  });
-
-  afterEach(async () => {
-    await testDb.item.deleteMany();
-  });
-
-  describe('GET /v1/items', () => {
-    it('returns empty list when no items exist', async () => {
-      const res = await request(app)
-        .get('/v1/items')
-        .set('Authorization', \`Bearer \${authToken}\`);
-
-      expect(res.status).toBe(200);
-      expect(res.body.data).toEqual([]);
-    });
-
-    it('returns only items belonging to the authenticated user', async () => {
-      await testDb.item.createMany({
-        data: [
-          { name: 'My Item', userId: 'user-1' },
-          { name: 'Other Item', userId: 'user-2' },
-        ],
-      });
-
-      const res = await request(app)
-        .get('/v1/items')
-        .set('Authorization', \`Bearer \${authToken}\`);
-
-      expect(res.status).toBe(200);
-      expect(res.body.data).toHaveLength(1);
-      expect(res.body.data[0].name).toBe('My Item');
-    });
-
-    it('returns 401 when no token provided', async () => {
-      const res = await request(app).get('/v1/items');
-      expect(res.status).toBe(401);
-    });
-  });
-
-  describe('POST /v1/items', () => {
-    it('creates an item and returns 201 with Location header', async () => {
-      const res = await request(app)
-        .post('/v1/items')
-        .set('Authorization', \`Bearer \${authToken}\`)
-        .send({ name: 'New Item', description: 'A test item' });
-
-      expect(res.status).toBe(201);
-      expect(res.headers['location']).toMatch(/\\/v1\\/items\\//);
-      expect(res.body.data.name).toBe('New Item');
-    });
-
-    it('returns 422 when name is missing', async () => {
-      const res = await request(app)
-        .post('/v1/items')
-        .set('Authorization', \`Bearer \${authToken}\`)
-        .send({ description: 'No name' });
-
-      expect(res.status).toBe(422);
-      expect(res.body.error.code).toBe('VALIDATION_ERROR');
-    });
-  });
-
-  describe('GET /v1/items/:id', () => {
-    it('returns 403 when requesting another user\\'s item', async () => {
-      const item = await testDb.item.create({ data: { name: 'Other', userId: 'user-2' } });
-
-      const res = await request(app)
-        .get(\`/v1/items/\${item.id}\`)
-        .set('Authorization', \`Bearer \${authToken}\`);
-
-      expect(res.status).toBe(403);
-    });
-
-    it('returns 404 when item does not exist', async () => {
-      const res = await request(app)
-        .get('/v1/items/00000000-0000-0000-0000-000000000000')
-        .set('Authorization', \`Bearer \${authToken}\`);
-
-      expect(res.status).toBe(404);
-    });
-  });
-});
-
-// ── E2E test: full user journey (tests/e2e/user-journey.test.ts) ──────────
-describe('User journey: register → create item → retrieve → delete', () => {
-  let accessToken: string;
-  let itemId: string;
-
-  it('registers a new user', async () => {
-    const res = await request(app)
-      .post('/v1/auth/register')
-      .send({ email: 'journey@example.com', password: 'SecurePass123!' });
-    expect(res.status).toBe(201);
-  });
-
-  it('logs in and receives an access token', async () => {
-    const res = await request(app)
-      .post('/v1/auth/login')
-      .send({ email: 'journey@example.com', password: 'SecurePass123!' });
-    expect(res.status).toBe(200);
-    accessToken = res.body.data.accessToken;
-  });
-
-  it('creates an item', async () => {
-    const res = await request(app)
-      .post('/v1/items')
-      .set('Authorization', \`Bearer \${accessToken}\`)
-      .send({ name: 'Journey Item' });
-    expect(res.status).toBe(201);
-    itemId = res.body.data.id;
-  });
-
-  it('retrieves the created item', async () => {
-    const res = await request(app)
-      .get(\`/v1/items/\${itemId}\`)
-      .set('Authorization', \`Bearer \${accessToken}\`);
-    expect(res.status).toBe(200);
-    expect(res.body.data.name).toBe('Journey Item');
-  });
-
-  it('deletes the item', async () => {
-    const res = await request(app)
-      .delete(\`/v1/items/\${itemId}\`)
-      .set('Authorization', \`Bearer \${accessToken}\`);
-    expect(res.status).toBe(204);
-  });
-
-  it('confirms item is gone after deletion', async () => {
-    const res = await request(app)
-      .get(\`/v1/items/\${itemId}\`)
-      .set('Authorization', \`Bearer \${accessToken}\`);
-    expect(res.status).toBe(404);
-  });
-});
-`.trim();
-
-export function run(input: SkillInput): SkillOutput {
-  return {
-    skill: 'test-suite',
-    template: TEMPLATE,
-    checklist: [
-      'Install vitest (or jest) and supertest: npm install -D vitest supertest @types/supertest',
-      'Configure vitest.config.ts: coverage provider v8, include src/**/*.ts, threshold 80%',
-      'Create tests/ directory with unit/, integration/, and e2e/ subdirectories',
-      'Write test fixture factories that create minimal valid objects with optional overrides',
-      'Unit tests: test each service method in isolation — mock all dependencies with vi.fn()',
-      'Unit test happy path: expected input produces expected output',
-      'Unit test error cases: not found, forbidden, validation errors, repository failures',
-      'Unit test edge cases: empty strings, boundary values, null/undefined, concurrent calls',
-      'Integration tests: use supertest to send HTTP requests to the real Express app',
-      'Integration test auth: verify 401 without token, 401 with expired token, 200 with valid token',
-      'Integration test authorisation: verify 403 when accessing another user\'s resource',
-      'Integration test validation: verify 422 with missing required fields, invalid types, out-of-range values',
-      'Integration test pagination: verify page=1&pageSize=2 returns 2 items, meta.total is correct',
-      'E2E tests: simulate a complete user journey from registration through full workflow to deletion',
-      'Run coverage report: npx vitest run --coverage; verify no critical paths are uncovered',
-      'Add CI step: vitest run --coverage --reporter=verbose fails the build if coverage < 80%',
-      'Use afterEach to clean up test data; never rely on test execution order',
-      'Separate test database or use transactions that are rolled back after each test',
-      'Snapshot tests for complex output shapes (e.g., generated reports, API response structure)',
-      'Add test for rate-limiting endpoint: 11th request in window should return 429',
-    ],
-    patterns: [
-      'AAA pattern: Arrange → Act → Assert in every test case',
-      'Test fixture factory: makeUser(), makeItem() functions with optional overrides',
-      'Mock at the boundary: mock repositories in unit tests, use real DB in integration tests',
-      'Test pyramid: many unit tests, fewer integration tests, few E2E tests',
-      'Describe → nested describe → it hierarchy mirrors the module structure',
-    ],
-    gotchas: [
-      'Testing implementation details instead of behaviour — tests break on every refactor',
-      'Sharing mutable state between tests without cleanup — flaky test ordering dependency',
-      'Mocking too deep: mocking the DB client instead of the repository causes brittle tests',
-      'Not testing error paths — happy-path-only coverage misses the most bug-prone code',
-      'Writing assertions on the wrong field — test passes but is not actually verifying the behaviour',
-      'Not testing auth in integration tests — security bugs not caught until production',
-      'Using setTimeout in tests without fake timers — slow and non-deterministic',
-    ],
-    resources: [
-      'https://vitest.dev/guide/',
-      'https://github.com/ladjs/supertest',
-      'https://martinfowler.com/articles/practical-test-pyramid.html',
-      'https://testing-library.com/docs/ (for React component tests)',
-      'https://jestjs.io/docs/expect (matcher reference, compatible with vitest)',
-    ],
-  };
-}

package/tsconfig.json

@@ -1,20 +0,0 @@
-{
-  "compilerOptions": {
-    "target": "ES2022",
-    "module": "NodeNext",
-    "moduleResolution": "NodeNext",
-    "lib": ["ES2022"],
-    "outDir": "./dist",
-    "rootDir": "./src",
-    "strict": true,
-    "esModuleInterop": true,
-    "skipLibCheck": true,
-    "forceConsistentCasingInFileNames": true,
-    "resolveJsonModule": true,
-    "declaration": true,
-    "declarationMap": true,
-    "sourceMap": true
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules", "dist"]
-}