@kaademos/secure-sdlc 1.0.0

package/stacks/rails.md

@@ -0,0 +1,247 @@
+# Ruby on Rails Security Profile
+
+**Framework:** Ruby on Rails 7.x / 8.x
+**Language:** Ruby 3.x
+**ASVS Baseline:** L2
+
+---
+
+## Rails Security Defaults — Preserve Them
+
+Rails ships with strong security defaults. The most common vulnerabilities come from
+disabling or incorrectly configuring built-in protections.
+
+---
+
+## Authentication — Don't Roll Your Own
+
+Use **Devise** (or Rails 8's built-in authentication generator) rather than building auth from scratch:
+
+```bash
+# Rails 8 built-in generator
+rails generate authentication
+```
+
+```ruby
+# Devise — most common Rails auth solution
+# Gemfile
+gem 'devise'
+gem 'devise-two-factor'  # Add TOTP MFA
+
+# In User model
+class User < ApplicationRecord
+  devise :database_authenticatable, :registerable,
+         :recoverable, :rememberable, :validatable,
+         :lockable,           # Account lockout after N failed attempts
+         :timeoutable,        # Session timeout after inactivity
+         :trackable           # Track login timestamps and IP
+         
+  # Lockout configuration
+  # devise.rb initializer:
+  # config.maximum_attempts = 5
+  # config.unlock_strategy = :time
+  # config.unlock_in = 15.minutes
+end
+```
+
+---
+
+## Strong Parameters — Always
+
+Rails 4+ requires strong parameters. Never skip them:
+
+```ruby
+# ✗ Mass assignment vulnerability — any field can be set
+@user = User.new(params[:user])
+
+# ✓ Strong parameters
+class UsersController < ApplicationController
+  def create
+    @user = User.new(user_params)
+    ...
+  end
+  
+  private
+  
+  def user_params
+    # Only permit the fields you expect
+    params.require(:user).permit(:name, :email, :password, :password_confirmation)
+    # ✗ Never: params.require(:user).permit!  — permits ALL attributes
+  end
+end
+```
+
+---
+
+## CSRF Protection
+
+Rails includes CSRF protection by default. Don't disable it:
+
+```ruby
+# ✓ Default — keep this in ApplicationController
+class ApplicationController < ActionController::Base
+  protect_from_forgery with: :exception  # Raises on CSRF failure
+  # OR: :null_session — resets session (use only for API endpoints)
+  # OR: :reset_session — resets session
+end
+
+# For API-only controllers that use Bearer token auth (not cookies):
+class Api::V1::BaseController < ActionController::API
+  # ActionController::API does NOT include CSRF protection by default
+  # Token-based auth (Authorization: Bearer) is CSRF-safe by design
+  # ✗ Never include protect_from_forgery :null_session on API controllers
+  # that are already protected by Bearer token validation
+end
+```
+
+---
+
+## Access Control — Pundit or CanCanCan
+
+Authorisation is not built into Rails. Use a policy library:
+
+```ruby
+# Pundit
+class PostPolicy < ApplicationPolicy
+  def show?
+    record.author == user  # ✓ Object-level auth
+  end
+  
+  def update?
+    record.author == user
+  end
+  
+  def destroy?
+    record.author == user || user.admin?
+  end
+end
+
+class PostsController < ApplicationController
+  before_action :authenticate_user!  # Devise: ensure user is logged in
+  
+  def show
+    @post = Post.find(params[:id])
+    authorize @post  # ✓ Will call PostPolicy#show? — raises Pundit::NotAuthorizedError if fails
+    render json: @post
+  end
+  
+  # ✓ Add this to catch missing authorization calls
+  after_action :verify_authorized
+end
+```
+
+**Common mistake:** Forget `authorize @resource` in a controller action. `after_action :verify_authorized`
+will catch this and raise an error in development, preventing it reaching production.
+
+---
+
+## SQL Injection
+
+Rails ActiveRecord is safe by default. Injection is only possible with:
+
+```ruby
+# ✓ Safe — ActiveRecord parameterises automatically
+User.where(email: params[:email])
+User.where(id: params[:id])
+
+# ✗ Unsafe — string interpolation in where clause
+User.where("email = '#{params[:email]}'")  # SQL injection
+
+# ✓ Safe — use ? or named params with raw where
+User.where("email = ?", params[:email])
+User.where("email = :email", email: params[:email])
+
+# ✗ Unsafe — order() clause injection is less obvious
+User.order(params[:sort_column])  # ✗ Attacker controls SQL ORDER BY
+
+# ✓ Safe — whitelist sort columns
+ALLOWED_SORT_COLUMNS = %w[name email created_at].freeze
+sort_col = ALLOWED_SORT_COLUMNS.include?(params[:sort]) ? params[:sort] : 'created_at'
+User.order(sort_col)
+```
+
+---
+
+## XSS — ERB Auto-Escaping
+
+Rails ERB templates auto-escape HTML output. The risk is explicitly disabling it:
+
+```erb
+<!-- ✓ Safe — auto-escaped -->
+<%= @user.name %>
+
+<!-- ✗ Unsafe — disables escaping -->
+<%= raw @user.bio %>
+<%== @user.bio %>  # Also disables escaping
+
+<!-- ✓ Safe HTML rendering — use sanitize for user-provided HTML -->
+<%= sanitize @user.bio, tags: %w[p strong em a], attributes: %w[href] %>
+```
+
+---
+
+## Secrets Management — Rails Credentials
+
+```bash
+# Rails 7+ encrypted credentials
+rails credentials:edit
+
+# Access in code
+Rails.application.credentials.dig(:aws, :access_key_id)
+Rails.application.credentials.secret_key_base
+
+# ✓ Master key in .gitignore (already there by default)
+# ✗ Never commit config/master.key
+```
+
+For team environments, use per-environment credentials:
+
+```bash
+rails credentials:edit --environment production
+# Creates config/credentials/production.yml.enc + config/credentials/production.key
+# Commit the .enc file, keep .key in your secrets manager
+```
+
+---
+
+## Brakeman — Rails SAST Tool
+
+Run Brakeman on every PR. It understands Rails-specific patterns:
+
+```bash
+gem install brakeman
+brakeman --no-pager --format json > brakeman.json
+
+# In CI (block on high confidence findings)
+brakeman --exit-on-warn --confidence-level 2
+```
+
+Brakeman detects: SQL injection, XSS, CSRF bypass, mass assignment, redirect injection,
+session fixation, and many other Rails-specific issues.
+
+---
+
+## ASVS Controls for Rails Projects
+
+| ASVS Ref | Control | Rails Implementation |
+|----------|---------|---------------------|
+| V2.1.1 | Password complexity | Devise validates :password strength |
+| V2.2.1 | Account lockout | Devise :lockable |
+| V4.1.1 | Auth on all actions | `before_action :authenticate_user!` |
+| V4.2.1 | Object-level auth | Pundit policies with `authorize @resource` |
+| V5.3.4 | No SQL injection | ActiveRecord ORM; never string-interpolate in where() |
+| V14.4.5 | CSRF | `protect_from_forgery` (default) |
+
+---
+
+## Recommended Tools
+
+| Category | Tool |
+|----------|------|
+| Auth | Devise, Rodauth |
+| Authorisation | Pundit, CanCanCan |
+| SAST | Brakeman |
+| Dependency scan | bundler-audit |
+| 2FA | devise-two-factor |
+| Rate limiting | rack-attack |
+| Secrets | Rails credentials, Doppler |

package/warp-workflows/README.md

@@ -0,0 +1,25 @@
+# Warp Terminal Workflows — Secure SDLC
+
+Pre-built [Warp Workflows](https://docs.warp.dev/features/workflows) for the Secure SDLC agent team.
+Workflows turn multi-step secure development processes into single-command executions in Warp.
+
+## Installation
+
+1. Open Warp terminal
+2. Press `Ctrl+Shift+R` to open Workflows
+3. Click "Import" and import each `.yaml` file from this directory
+
+Or copy them to your Warp workflows directory:
+```bash
+cp warp-workflows/*.yaml ~/.warp/workflows/
+```
+
+## Available Workflows
+
+| Workflow | Description |
+|---|---|
+| `feature-kickoff.yaml` | Start a new feature with full Secure SDLC coverage |
+| `pr-security-review.yaml` | Security review a pull request |
+| `release-gate.yaml` | Run the pre-release security gate |
+| `threat-model.yaml` | Kick off a threat modelling session |
+| `sdlc-status.yaml` | Check current SDLC phase and artefact status |

package/warp-workflows/feature-kickoff.yaml

@@ -0,0 +1,49 @@
+---
+name: "Secure SDLC: Feature Kickoff"
+command: |
+  # ── Secure SDLC Feature Kickoff ───────────────────────────────────────────
+  # Starts a new feature with ASVS requirements, risk register, and a threat
+  # model — the Plan and Design phases in one interactive session.
+  #
+  # Step 1: Initialise docs directory if not present
+  mkdir -p docs/audit-evidence
+
+  # Step 2: Generate security requirements (Plan phase)
+  echo "🔵 PLAN PHASE — Security Requirements"
+  claude --agent product-manager \
+    "Define security requirements for: {{feature_description}}. \
+     Stack: {{stack}}. \
+     ASVS Level: {{asvs_level}}. \
+     Compliance frameworks: {{compliance_frameworks}}. \
+     Save output to docs/security-requirements.md"
+
+  # Step 3: Initialise risk register
+  echo ""
+  echo "🔵 PLAN PHASE — Risk Register"
+  claude --agent grc-analyst \
+    "Initialise risk register for: {{feature_description}}. \
+     Map requirements from docs/security-requirements.md to compliance controls. \
+     Save output to docs/risk-register.md"
+
+  echo ""
+  echo "✅ Plan phase complete. Review docs/security-requirements.md and docs/risk-register.md"
+  echo ""
+  echo "Next: Design phase — run 'Secure SDLC: Threat Model' workflow after documenting your architecture."
+tags:
+  - security
+  - sdlc
+  - plan
+  - requirements
+arguments:
+  - name: feature_description
+    description: "What you're building (e.g. 'user authentication with email/password and TOTP MFA')"
+    default_value: ""
+  - name: stack
+    description: "Technology stack (e.g. 'Next.js + PostgreSQL', 'Python FastAPI + AWS')"
+    default_value: "Node.js"
+  - name: asvs_level
+    description: "ASVS level (L1/L2/L3)"
+    default_value: "L2"
+  - name: compliance_frameworks
+    description: "Compliance frameworks (e.g. 'SOC2, GDPR' or 'none')"
+    default_value: "none"

package/warp-workflows/pr-security-review.yaml

@@ -0,0 +1,47 @@
+---
+name: "Secure SDLC: PR Security Review"
+command: |
+  # ── Secure SDLC PR Security Review ─────────────────────────────────────────
+  # Runs dev-lead + appsec-engineer review on a pull request.
+  # Reference: docs/security-requirements.md for acceptance criteria.
+
+  echo "🟡 BUILD PHASE — PR Security Review #{{pr_number}}"
+  echo ""
+
+  # Dev Lead: secure coding review
+  echo "Dev Lead review..."
+  claude --agent dev-lead \
+    "Security review PR #{{pr_number}} — {{pr_description}}. \
+     Stack: {{stack}}. \
+     Reference security requirements in docs/security-requirements.md. \
+     Flag any CRITICAL or HIGH issues that must be fixed before merge. \
+     Note any new dependencies added."
+
+  echo ""
+  echo "AppSec triage..."
+
+  # AppSec Engineer: SAST triage and deeper vuln analysis
+  claude --agent appsec-engineer \
+    "Triage security findings for PR #{{pr_number}} — {{pr_description}}. \
+     Review dev-lead findings and add any additional vulnerability analysis. \
+     Update docs/sast-findings.md with any new findings."
+
+  echo ""
+  echo "✅ PR security review complete."
+  echo "   CRITICAL/HIGH findings must be resolved before merge."
+  echo "   MEDIUM findings should be resolved or risk-accepted before release."
+tags:
+  - security
+  - sdlc
+  - build
+  - pr-review
+arguments:
+  - name: pr_number
+    description: "Pull request number (e.g. '42')"
+    default_value: ""
+  - name: pr_description
+    description: "Brief description of what the PR does"
+    default_value: ""
+  - name: stack
+    description: "Technology stack"
+    default_value: ""

package/warp-workflows/release-gate.yaml

@@ -0,0 +1,44 @@
+---
+name: "Secure SDLC: Release Gate"
+command: |
+  # ── Secure SDLC Release Gate ────────────────────────────────────────────────
+  # Runs the full pre-release security checklist.
+  # ALL CRITICAL must be resolved. HIGH must be resolved or have accepted risk.
+
+  echo "🟢 RELEASE PHASE — Security Gate for {{version}}"
+  echo ""
+
+  # CLI gate check (artefact presence + open findings heuristic)
+  if command -v secure-sdlc &> /dev/null; then
+    secure-sdlc gate {{version}}
+    echo ""
+  fi
+
+  # Formal release manager sign-off
+  echo "Release Manager: formal go/no-go decision..."
+  claude --agent release-manager \
+    "Run pre-release security checklist for {{version}}. \
+     Check artefacts in docs/. \
+     Apply severity gates: CRITICAL = block, HIGH without accepted risk = block. \
+     Produce formal go/no-go decision and save to docs/release-security-sign-off.md."
+
+  echo ""
+
+  # GRC compliance attestation
+  echo "GRC Analyst: compliance attestation..."
+  claude --agent grc-analyst \
+    "Produce compliance attestation for {{version}}. \
+     Reference docs/risk-register.md and all phase artefacts. \
+     Save to docs/audit-evidence/compliance-attestation-{{version}}.md."
+
+  echo ""
+  echo "Release gate complete. Check docs/release-security-sign-off.md for the decision."
+tags:
+  - security
+  - sdlc
+  - release
+  - gate
+arguments:
+  - name: version
+    description: "Release version (e.g. 'v1.2.0')"
+    default_value: "v1.0.0"

package/warp-workflows/sdlc-status.yaml

@@ -0,0 +1,48 @@
+---
+name: "Secure SDLC: Check Status"
+command: |
+  # ── Secure SDLC Status Check ───────────────────────────────────────────────
+  # Shows which phases are complete and what's next.
+
+  if command -v secure-sdlc &> /dev/null; then
+    secure-sdlc status
+  else
+    echo "Checking SDLC artefacts manually..."
+    echo ""
+
+    check() {
+      if [ -f "$1" ]; then
+        echo "  ✓ $1"
+      else
+        echo "  ○ $1 (missing)"
+      fi
+    }
+
+    echo "PLAN:"
+    check "docs/security-requirements.md"
+    check "docs/risk-register.md"
+
+    echo ""
+    echo "DESIGN:"
+    check "docs/threat-model.md"
+    check "docs/infra-security-review.md"
+
+    echo ""
+    echo "BUILD:"
+    check "docs/sast-findings.md"
+
+    echo ""
+    echo "TEST:"
+    check "docs/test-security-report.md"
+
+    echo ""
+    echo "RELEASE:"
+    check "docs/release-security-sign-off.md"
+
+    echo ""
+    echo "Install the CLI for richer output: npm install -g secure-sdlc"
+  fi
+tags:
+  - security
+  - sdlc
+  - status

package/warp-workflows/threat-model.yaml

@@ -0,0 +1,56 @@
+---
+name: "Secure SDLC: Threat Model"
+command: |
+  # ── Secure SDLC Threat Model ────────────────────────────────────────────────
+  # Runs a STRIDE threat model (+ optional LINDDUN) on your architecture.
+  # Prerequisites: docs/security-requirements.md must exist (run Plan phase first).
+
+  echo "🟣 DESIGN PHASE — Threat Model: {{feature_name}}"
+  echo ""
+
+  if [ ! -f "docs/security-requirements.md" ]; then
+    echo "⚠  docs/security-requirements.md not found."
+    echo "   Run the 'Feature Kickoff' workflow first to generate requirements."
+    echo ""
+  fi
+
+  claude --agent appsec-engineer \
+    "Threat model {{feature_name}} using STRIDE. \
+     Architecture: {{architecture_description}}. \
+     {{pii_flag}} \
+     Reference security requirements in docs/security-requirements.md. \
+     Save threat model to docs/threat-model.md."
+
+  echo ""
+
+  if [ "{{has_infra}}" = "true" ]; then
+    echo "Cloud/Platform Engineer: infrastructure review..."
+    claude --agent cloud-platform-engineer \
+      "Review infrastructure design for {{feature_name}}: {{infra_description}}. \
+       Save review to docs/infra-security-review.md."
+    echo ""
+  fi
+
+  echo "✅ Design phase outputs saved to docs/."
+  echo "   Review CRITICAL and HIGH threats before implementation begins."
+tags:
+  - security
+  - sdlc
+  - design
+  - threat-model
+arguments:
+  - name: feature_name
+    description: "Feature or system name being modelled"
+    default_value: ""
+  - name: architecture_description
+    description: "Architecture description: components, data flows, trust boundaries, protocols, auth"
+    default_value: ""
+  - name: pii_flag
+    description: "Set to 'Also run LINDDUN privacy threat model — PII is in scope.' if feature handles PII"
+    default_value: ""
+  - name: has_infra
+    description: "Include infrastructure review? (true/false)"
+    default_value: "false"
+  - name: infra_description
+    description: "Infrastructure description (if has_infra is true)"
+    default_value: ""