@kaademos/secure-sdlc 1.0.0

package/package.json

@@ -0,0 +1,67 @@
+{
+  "name": "@kaademos/secure-sdlc",
+  "version": "1.0.0",
+  "description": "Secure SDLC agent team — CLI to scaffold docs, hooks, CI, and MCP-ready security workflows",
+  "type": "module",
+  "bin": {
+    "secure-sdlc": "./cli/bin/secure-sdlc.js"
+  },
+  "files": [
+    "cli/bin",
+    "cli/src",
+    "mcp/package.json",
+    "mcp/README.md",
+    "mcp/src",
+    "docs/templates",
+    "hooks",
+    "stacks",
+    "warp-workflows",
+    ".github/workflows/secure-sdlc-gate.yml",
+    ".cursor/rules",
+    ".claude/agents",
+    "LICENSE",
+    "README.md",
+    "CHANGELOG.md",
+    "CLAUDE.md"
+  ],
+  "scripts": {
+    "prepack": "node cli/bin/secure-sdlc.js --version",
+    "sdlc": "node cli/bin/secure-sdlc.js",
+    "test:pack": "npm pack --dry-run --ignore-scripts 2>&1"
+  },
+  "keywords": [
+    "security",
+    "sdlc",
+    "appsec",
+    "compliance",
+    "owasp",
+    "asvs",
+    "claude",
+    "cursor",
+    "mcp",
+    "ai-coding",
+    "secure-by-default"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Kaademos/secure-sdlc-agents.git"
+  },
+  "bugs": {
+    "url": "https://github.com/Kaademos/secure-sdlc-agents/issues"
+  },
+  "homepage": "https://github.com/Kaademos/secure-sdlc-agents#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.0.0",
+    "chalk": "^5.3.0",
+    "commander": "^12.0.0",
+    "inquirer": "^9.2.0",
+    "ora": "^8.0.0"
+  }
+}

package/stacks/django.md

@@ -0,0 +1,216 @@
+# Django Security Profile
+
+**Framework:** Django (4.x / 5.x)
+**Language:** Python 3.10+
+**ASVS Baseline:** L2
+
+---
+
+## Django's Built-In Security — Don't Disable It
+
+Django ships with more security defaults than most frameworks. The most common vulnerability
+pattern in Django apps is **disabling or misconfiguring built-in protections**, not missing them.
+
+### Never disable these:
+
+```python
+# settings.py — NEVER set these to False in production
+
+# CSRF protection
+MIDDLEWARE = [
+    ...
+    'django.middleware.csrf.CsrfViewMiddleware',  # Never remove
+    ...
+]
+
+# Clickjacking protection
+X_FRAME_OPTIONS = 'DENY'  # Default; never change to 'ALLOWALL'
+
+# Secure cookies
+SESSION_COOKIE_SECURE = True   # HTTPS only
+CSRF_COOKIE_SECURE = True
+SESSION_COOKIE_HTTPONLY = True  # Prevents JS access to session cookie
+```
+
+### Production Settings Checklist
+
+```python
+# settings.py — required for production
+
+DEBUG = False                          # Non-negotiable
+ALLOWED_HOSTS = ['yourdomain.com']     # Explicit, never ['*']
+SECRET_KEY = env('SECRET_KEY')         # From environment, never in code
+
+# HTTPS enforcement
+SECURE_SSL_REDIRECT = True
+SECURE_HSTS_SECONDS = 63072000         # 2 years
+SECURE_HSTS_INCLUDE_SUBDOMAINS = True
+SECURE_HSTS_PRELOAD = True
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')  # If behind load balancer
+
+# Session
+SESSION_COOKIE_AGE = 3600              # 1 hour default; set appropriately
+SESSION_EXPIRE_AT_BROWSER_CLOSE = True  # Optional but good for sensitive apps
+
+# Content security
+SECURE_CONTENT_TYPE_NOSNIFF = True
+SECURE_BROWSER_XSS_FILTER = True  # Deprecated in modern browsers but harmless
+```
+
+---
+
+## Authentication
+
+Django's built-in auth is solid. Common mistakes:
+
+### Password Storage (Already Handled by Django)
+
+Django uses PBKDF2 by default. For higher assurance, switch to Argon2:
+
+```python
+# settings.py
+PASSWORD_HASHERS = [
+    'django.contrib.auth.hashers.Argon2PasswordHasher',  # Best
+    'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',  # Good
+    'django.contrib.auth.hashers.PBKDF2PasswordHasher',  # Default — acceptable
+]
+
+# Minimum password validation
+AUTH_PASSWORD_VALIDATORS = [
+    {'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator'},
+    {'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+     'OPTIONS': {'min_length': 12}},
+    {'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator'},
+    {'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator'},
+]
+```
+
+---
+
+## Access Control — Django Views and DRF
+
+### Function-Based Views
+
+```python
+from django.contrib.auth.decorators import login_required
+from django.core.exceptions import PermissionDenied
+
+@login_required  # Redirects unauthenticated users to LOGIN_URL
+def my_view(request):
+    # IDOR check: verify the requested object belongs to request.user
+    post = get_object_or_404(Post, pk=pk)
+    if post.author != request.user:
+        raise PermissionDenied  # Returns 403
+    ...
+```
+
+### Django REST Framework
+
+```python
+from rest_framework.permissions import IsAuthenticated
+from rest_framework.views import APIView
+
+class PostDetailView(APIView):
+    permission_classes = [IsAuthenticated]
+    
+    def get(self, request, pk):
+        # ✓ Object-level permission check
+        post = get_object_or_404(Post, pk=pk)
+        if post.author != request.user:
+            return Response(status=403)
+        serializer = PostSerializer(post)
+        return Response(serializer.data)
+
+# Or using DRF object-level permissions:
+class IsOwner(BasePermission):
+    def has_object_permission(self, request, view, obj):
+        return obj.author == request.user
+```
+
+**Never use `DEFAULT_AUTHENTICATION_CLASSES = []`** or **`DEFAULT_PERMISSION_CLASSES = []`** in
+production DRF settings — these remove authentication and permission checks globally.
+
+---
+
+## ORM — Avoiding the Rare Django SQL Injection
+
+Django's ORM is safe by default. Injection is only possible when using `.raw()` or `extra()`:
+
+```python
+# ✓ Safe — ORM parameterises automatically
+Post.objects.filter(title=user_input)
+
+# ✗ Unsafe — direct string formatting in raw query
+Post.objects.raw(f"SELECT * FROM posts WHERE title = '{user_input}'")
+
+# ✓ Safe raw query — use %s parameterisation
+Post.objects.raw("SELECT * FROM posts WHERE title = %s", [user_input])
+
+# ✗ Unsafe extra()
+Post.objects.extra(where=[f"title = '{user_input}'"])
+
+# ✓ Safe extra()
+Post.objects.extra(where=["title = %s"], params=[user_input])
+```
+
+---
+
+## CSRF for APIs
+
+If you're building a REST API consumed by non-browser clients, configure CSRF correctly:
+
+```python
+# For DRF APIs using session auth from a browser:
+# Keep CSRF enabled — use CsrfExemptSessionAuthentication or the Django CSRF view decorator
+
+# For DRF APIs using token auth (not cookies):
+# CSRF protection is not needed — tokens in Authorization header are CSRF-safe by design
+
+# For hybrid (some browser, some API clients):
+# Exempt specific views using @csrf_exempt and compensate with other controls (CORS, Origin check)
+```
+
+---
+
+## Secrets Management
+
+```python
+# ✗ Never
+SECRET_KEY = 'hardcoded-secret-key'
+DATABASE_URL = 'postgresql://user:password@localhost/db'
+
+# ✓ Use django-environ or python-decouple
+import environ
+env = environ.Env()
+environ.Env.read_env()  # Reads .env for local dev (never commit .env)
+
+SECRET_KEY = env('SECRET_KEY')
+DATABASE_URL = env('DATABASE_URL')
+```
+
+---
+
+## ASVS Controls for Django Projects
+
+| ASVS Ref | Control | Django Implementation |
+|----------|---------|----------------------|
+| V2.1.1 | Password complexity | `AUTH_PASSWORD_VALIDATORS` |
+| V3.3.1 | Session invalidation on logout | `django.contrib.auth.logout()` clears session |
+| V4.1.1 | Auth on endpoints | `@login_required` / `permission_classes` |
+| V4.2.1 | Object-level auth | Explicit ownership checks before returning objects |
+| V5.3.4 | No SQL injection | Use ORM; avoid `.raw()` with user input |
+| V14.4.1 | Security headers | Django SecurityMiddleware |
+| V14.4.5 | CSRF | CsrfViewMiddleware (enabled by default) |
+
+---
+
+## Recommended Tools
+
+| Category | Tool |
+|----------|------|
+| SAST | Bandit, Semgrep (Django rules) |
+| DAST | OWASP ZAP |
+| Dependency scan | pip-audit, Safety |
+| Secrets | python-decouple, django-environ |
+| 2FA | django-two-factor-auth, django-otp |
+| Rate limiting | django-ratelimit, django-axes (login lockout) |

package/stacks/express.md

@@ -0,0 +1,229 @@
+# Express.js Security Profile
+
+**Framework:** Express.js 4.x / 5.x
+**Language:** JavaScript / TypeScript (Node.js)
+**ASVS Baseline:** L2
+
+---
+
+## Express has No Security Defaults — You Must Add Everything
+
+Express is minimal by design. Unlike Django or Rails, it ships with no security headers, no CSRF
+protection, no input validation, and no rate limiting. Every security control must be explicitly added.
+
+---
+
+## Minimum Required Security Middleware
+
+Add these to every new Express application:
+
+```javascript
+import express from 'express';
+import helmet from 'helmet';
+import { rateLimit } from 'express-rate-limit';
+import cors from 'cors';
+import { doubleCsrf } from 'csrf-csrf';
+
+const app = express();
+
+// 1. Security headers (CSP, HSTS, X-Frame-Options, etc.)
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+    },
+  },
+  hsts: {
+    maxAge: 63072000,
+    includeSubDomains: true,
+    preload: true,
+  },
+}));
+
+// 2. Rate limiting — global baseline
+const globalLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,  // 15 minutes
+  max: 100,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { error: 'Too many requests' },
+});
+app.use(globalLimiter);
+
+// 3. Strict rate limiting for auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 10,  // Only 10 login attempts per 15 minutes per IP
+  skipSuccessfulRequests: true,
+});
+app.use('/auth', authLimiter);
+
+// 4. CORS — explicit origins only
+app.use(cors({
+  origin: process.env.ALLOWED_ORIGINS?.split(',') ?? [],
+  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'],
+}));
+
+// 5. CSRF protection (for session-based auth)
+const { doubleCsrfProtection } = doubleCsrf({
+  getSecret: () => process.env.CSRF_SECRET,
+  cookieName: '__Host-psifi.x-csrf-token',
+  cookieOptions: { secure: true, sameSite: 'strict' },
+});
+app.use(doubleCsrfProtection);
+
+// 6. Body parsing with size limits
+app.use(express.json({ limit: '10kb' }));       // Prevent JSON body DoS
+app.use(express.urlencoded({ extended: true, limit: '10kb' }));
+```
+
+---
+
+## Authentication
+
+Express has no built-in auth. Options:
+
+```javascript
+// Using passport.js with bcrypt
+import passport from 'passport';
+import { Strategy as LocalStrategy } from 'passport-local';
+import bcrypt from 'bcrypt';
+
+passport.use(new LocalStrategy(async (username, password, done) => {
+  try {
+    const user = await User.findOne({ username });
+    if (!user) {
+      // ✓ Same error for wrong username OR wrong password (user enumeration prevention)
+      return done(null, false, { message: 'Invalid credentials' });
+    }
+    
+    const isValid = await bcrypt.compare(password, user.passwordHash);
+    if (!isValid) {
+      return done(null, false, { message: 'Invalid credentials' });
+    }
+    
+    return done(null, user);
+  } catch (err) {
+    return done(err);
+  }
+}));
+
+// Password hashing — minimum cost factor 12
+const BCRYPT_ROUNDS = 12;
+const hash = await bcrypt.hash(password, BCRYPT_ROUNDS);
+```
+
+---
+
+## Input Validation with Zod
+
+`req.body`, `req.params`, and `req.query` are **completely untyped** in Express. Validate everything:
+
+```typescript
+import { z } from 'zod';
+import type { Request, Response, NextFunction } from 'express';
+
+const CreateUserSchema = z.object({
+  username: z.string().min(3).max(50).regex(/^[a-zA-Z0-9_]+$/),
+  email: z.string().email().max(255),
+  password: z.string().min(12).max(128),
+});
+
+// Reusable validation middleware factory
+const validate = (schema: z.ZodSchema) => (req: Request, res: Response, next: NextFunction) => {
+  const result = schema.safeParse(req.body);
+  if (!result.success) {
+    return res.status(400).json({ 
+      error: 'Validation failed',
+      details: result.error.flatten().fieldErrors  // Safe to return — no internal info
+    });
+  }
+  req.body = result.data;  // Replace with validated/parsed data
+  next();
+};
+
+router.post('/users', validate(CreateUserSchema), async (req, res) => {
+  // req.body is now validated and typed
+  const { username, email, password } = req.body;
+  ...
+});
+```
+
+---
+
+## Error Handling — No Stack Trace Leakage
+
+```javascript
+// ✗ Express default error handler sends the full error in development
+// ✗ Custom handler that leaks details
+app.use((err, req, res, next) => {
+  res.status(500).json({ error: err.message, stack: err.stack }); // Never in production
+});
+
+// ✓ Generic user response, detailed server-side logging
+import { logger } from './logger';
+
+app.use((err: Error, req: Request, res: Response, next: NextFunction) => {
+  logger.error({
+    message: err.message,
+    stack: err.stack,
+    path: req.path,
+    method: req.method,
+    userId: req.user?.id ?? 'anonymous',
+    requestId: req.id,
+  });
+  
+  res.status(500).json({ error: 'An internal error occurred' });
+});
+```
+
+---
+
+## Database Queries — Never String Concatenate
+
+```javascript
+// Using pg (node-postgres)
+
+// ✗ SQL injection
+const user = await pool.query(`SELECT * FROM users WHERE id = ${userId}`);
+
+// ✓ Parameterised query
+const user = await pool.query('SELECT * FROM users WHERE id = $1', [userId]);
+
+// Using an ORM (Prisma, Drizzle) — safe by default
+const user = await prisma.user.findUnique({ where: { id: userId } });
+```
+
+---
+
+## ASVS Controls for Express Projects
+
+| ASVS Ref | Control | Express Implementation |
+|----------|---------|----------------------|
+| V4.1.1 | Auth middleware | passport.js + per-route authentication middleware |
+| V4.2.1 | Object-level auth | Ownership check in every route handler |
+| V5.1.3 | Input validation | Zod validation middleware |
+| V13.2.5 | Rate limiting | express-rate-limit per endpoint |
+| V14.4.1 | Security headers | helmet() |
+| V14.4.5 | CSRF | csrf-csrf or csurf |
+
+---
+
+## Recommended Security Stack (2026)
+
+| Category | Recommended |
+|----------|-------------|
+| Security headers | helmet |
+| Rate limiting | express-rate-limit |
+| CSRF | csrf-csrf |
+| Auth | passport.js, express-jwt |
+| Input validation | zod, express-validator |
+| Password hashing | bcrypt (min rounds: 12) |
+| Session | express-session + connect-redis |
+| ORM | Prisma, Drizzle ORM |
+| Logging | pino (structured JSON) |
+| Secrets | dotenv-vault, Doppler |