@kaademos/secure-sdlc 1.1.0 → 1.2.0

package/.claude/agents/grc-analyst.md

@@ -29,7 +29,9 @@ Maintain awareness of applicable controls from:
 - **PCI DSS v4.0** (if payment card data is in scope)
 - **OWASP ASVS** (as the technical requirements anchor)
 - **GDPR / UK GDPR** (if personal data is processed)
-- **DORA** (if applicable to financial services)
+- **HIPAA** (Security & Privacy Rules — if protected health information is in scope)
+- **DORA** (if applicable to EU financial services)
+- **FedRAMP** (NIST SP 800-53 baseline — if selling to US federal agencies)
 
 ---
 
@@ -54,10 +56,14 @@ When invoked at the start of a project or feature:
 ```markdown
 ## Control Mapping
 
-| ASVS Ref | Requirement | SOC 2 | ISO 27001 | NIST CSF | PCI DSS |
-|----------|-------------|-------|-----------|----------|---------|
-| V2.1.1 | Password complexity | CC6.1 | A.8.5 | PR.AC-1 | Req 8.3 |
-| V6.1.1 | Encryption at rest | CC6.7 | A.8.24 | PR.DS-1 | Req 3.5 |
+| ASVS Ref | Requirement | SOC 2 | ISO 27001 | NIST CSF | PCI DSS | HIPAA | DORA | FedRAMP |
+|----------|-------------|-------|-----------|----------|---------|-------|------|---------|
+| V6.2.1 | Password complexity | CC6.1 | A.8.5 | PR.AC-1 | Req 8.3 | §164.312(d) | Art. 9 | IA-5 |
+| V14.1.1 | Encryption at rest | CC6.7 | A.8.24 | PR.DS-1 | Req 3.5 | §164.312(a)(2)(iv) | Art. 9 | SC-28 |
+
+> Only populate columns for frameworks selected in `secure-sdlc.yaml`. Add HIPAA when
+> protected health information is processed, DORA for EU financial entities, and FedRAMP
+> (NIST SP 800-53 control families: AC, AU, IA, SC, …) when targeting US federal agencies.
 ```
 
 ---

package/.claude/agents/product-manager.md

@@ -51,9 +51,9 @@ For each feature, produce a `docs/security-requirements.md` using this structure
 
 | ID | Requirement | ASVS Ref | Priority | Acceptance Criteria |
 |----|-------------|----------|----------|---------------------|
-| SR-001 | All API endpoints require authentication | V4.1.1 | MUST | Unauthenticated requests return HTTP 401 |
-| SR-002 | Passwords must meet complexity requirements | V2.1.1 | MUST | Passwords < 8 chars or common passwords rejected |
-| SR-003 | Sensitive data encrypted at rest | V6.1.1 | MUST | AES-256 or equivalent; key management documented |
+| SR-001 | All API endpoints require authentication | V8.3.1 | MUST | Unauthenticated requests return HTTP 401 |
+| SR-002 | Passwords must meet complexity requirements | V6.2.1 | MUST | Passwords < 8 chars or common passwords rejected |
+| SR-003 | Sensitive data encrypted at rest | V14.1.1 | MUST | AES-256 or equivalent; key management documented |
 
 ### Privacy Requirements
 - [ ] Data minimisation: only collect fields required for this feature

package/.claude-plugin/marketplace.json

@@ -0,0 +1,51 @@
+{
+  "name": "secure-sdlc-agents",
+  "owner": {
+    "name": "Kaademos",
+    "email": "kaademos@github.com"
+  },
+  "metadata": {
+    "description": "A team of 8 AI security specialists embedded in your coding workflow — covering every phase of the Secure SDLC from requirements to release gating.",
+    "version": "1.2.0"
+  },
+  "plugins": [
+    {
+      "name": "secure-sdlc-agents",
+      "source": {
+        "source": "github",
+        "repo": "Kaademos/secure-sdlc-agents"
+      },
+      "description": "8 AI security specialist agents for the full Secure SDLC: threat modelling, AppSec, GRC, IaC review, AI/LLM security, and release gating. Works with Claude Code, Cursor, Windsurf, and any MCP-compatible tool.",
+      "version": "1.2.0",
+      "author": {
+        "name": "Kaademos"
+      },
+      "homepage": "https://github.com/Kaademos/secure-sdlc-agents",
+      "repository": "https://github.com/Kaademos/secure-sdlc-agents",
+      "license": "MIT",
+      "keywords": [
+        "security",
+        "appsec",
+        "sdlc",
+        "owasp",
+        "asvs",
+        "compliance",
+        "threat-modeling",
+        "secure-coding",
+        "devsecops",
+        "grc"
+      ],
+      "category": "security",
+      "tags": [
+        "security",
+        "appsec",
+        "devsecops",
+        "owasp",
+        "compliance",
+        "threat-modeling",
+        "agent-skills"
+      ],
+      "strict": true
+    }
+  ]
+}

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "secure-sdlc-agents",
-  "version": "1.0.0",
+  "version": "1.2.0",
   "description": "A team of AI security specialists embedded in your coding workflow. 8 agents covering every phase of the Secure SDLC: requirements, threat modelling, code review, IaC security, compliance, and release gating. Works with Claude Code, Cursor, Windsurf, and any MCP-compatible tool.",
   "author": {
     "name": "Kaademos",

package/.github/workflows/secure-sdlc-gate.yml

@@ -241,7 +241,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript-typescript', 'python']
+        language: ['javascript-typescript', 'python', 'ruby', 'go', 'java-kotlin']
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -250,25 +250,64 @@ jobs:
         id: check-lang
         run: |
           LANG="${{ matrix.language }}"
+          # EXISTS gates every downstream step so absent languages skip cleanly.
+          # BUILD_MODE tells CodeQL how to build: interpreted languages need no
+          # build ("none"); Go must be built ("autobuild"); java-kotlin can use
+          # "none" for pure-Java repos but MUST build when Kotlin is present
+          # (Kotlin analysis has no build-mode: none support).
+          EXISTS=false
+          BUILD_MODE=none
           if [ "$LANG" = "javascript-typescript" ]; then
-            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -q . && echo "EXISTS=true" >> $GITHUB_OUTPUT || echo "EXISTS=false" >> $GITHUB_OUTPUT
+            find . -name "*.js" -o -name "*.ts" | grep -v node_modules | grep -q . && EXISTS=true
           elif [ "$LANG" = "python" ]; then
-            find . -name "*.py" | grep -q . && echo "EXISTS=true" >> $GITHUB_OUTPUT || echo "EXISTS=false" >> $GITHUB_OUTPUT
+            find . -name "*.py" | grep -q . && EXISTS=true
+          elif [ "$LANG" = "ruby" ]; then
+            find . -name "*.rb" | grep -q . && EXISTS=true
+          elif [ "$LANG" = "go" ]; then
+            find . -name "*.go" | grep -q . && EXISTS=true
+            BUILD_MODE=autobuild
+          elif [ "$LANG" = "java-kotlin" ]; then
+            find . -name "*.java" -o -name "*.kt" | grep -q . && EXISTS=true
+            # Kotlin requires a build; pure-Java repos skip it for reliability.
+            if find . -name "*.kt" | grep -q .; then
+              BUILD_MODE=autobuild
+            fi
           else
-            echo "EXISTS=true" >> $GITHUB_OUTPUT
+            EXISTS=true
           fi
+          echo "EXISTS=$EXISTS" >> $GITHUB_OUTPUT
+          echo "BUILD_MODE=$BUILD_MODE" >> $GITHUB_OUTPUT
+          echo "Language=$LANG Exists=$EXISTS BuildMode=$BUILD_MODE"
+
+      # Set up the toolchain BEFORE CodeQL so autobuild can resolve the build.
+      # Without a matching toolchain, autobuild is the #1 cause of CodeQL CI
+      # failures on enterprise Go/Maven/Gradle projects.
+      - name: Set up Go
+        if: steps.check-lang.outputs.EXISTS == 'true' && matrix.language == 'go'
+        uses: actions/setup-go@v5
+        with:
+          go-version: stable
+          cache: false  # no go.sum path assumptions; CodeQL only needs a build
+
+      - name: Set up JDK
+        if: steps.check-lang.outputs.EXISTS == 'true' && matrix.language == 'java-kotlin' && steps.check-lang.outputs.BUILD_MODE == 'autobuild'
+        uses: actions/setup-java@v4
+        with:
+          distribution: temurin
+          # Latest LTS. If your project targets an older JDK (11/17) and the
+          # build fails, change this to match — that's the one knob to turn.
+          java-version: '21'
 
       - name: Initialize CodeQL
         if: steps.check-lang.outputs.EXISTS == 'true'
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
+          build-mode: ${{ steps.check-lang.outputs.BUILD_MODE }}
           queries: security-and-quality
 
-      - name: Autobuild
-        if: steps.check-lang.outputs.EXISTS == 'true'
-        uses: github/codeql-action/autobuild@v3
-
+      # No standalone Autobuild step: build-mode "autobuild" runs the autobuilder
+      # during analysis, and build-mode "none" needs no build at all.
       - name: Perform CodeQL Analysis
         if: steps.check-lang.outputs.EXISTS == 'true'
         uses: github/codeql-action/analyze@v3

package/CHANGELOG.md

@@ -6,6 +6,30 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 ---
 
+## [1.2.0] — 2026-06-26
+
+### Added
+- **Go stack profile** (`stacks/golang.md`) — dense, code-driven security guidance for Go (net/http, Gin, Echo, Fiber): `html/template` XSS, `database/sql`/GORM parameterisation, CORS, security headers, `gosec`/`govulncheck`
+- **Go security notes** in `getStackSecurityNotes()` plus a `getStackProfile()` resolver so detected `gin`/`echo`/`fiber` projects map to the `golang` profile and notes
+- **Worked example `04-oauth-flow`** — OAuth 2.0 / OIDC social login (authorization-code + PKCE); `redirect_uri` exact matching, `state` vs `nonce`, ID-token validation, anchored to ASVS 5.0 V10 and RFC 9700
+- **Worked example `05-payment-processing`** — redirect-based hosted checkout (PCI DSS SAQ A); webhook signature verification, idempotency, server-side amount, reflecting the Jan 2025 SAQ A changes
+- **HIPAA, DORA, and FedRAMP** control tables in `compliance-attestation.md` and the GRC agent's control-mapping example
+- **Automated test suite** (`test/`, Node built-in runner, zero new dependencies) — guards version sync across manifests, agent frontmatter, and the stack-detection ↔ `stacks/*.md` mapping
+- **CI workflow** (`.github/workflows/ci.yml`) — runs the suite on Node 18, 20, and 22 plus an `npm pack` content check
+- **Release workflow** (`.github/workflows/release.yml`) — publishes to npm with provenance and creates a GitHub Release on `v*` tags
+- **`CODE_OF_CONDUCT.md`** (Contributor Covenant 2.1), **`.editorconfig`**, npm/CI/Node README badges, and a committed `package-lock.json`
+
+### Changed
+- **CodeQL SAST** (`secure-sdlc-gate.yml`) — matrix expanded to `ruby`, `go`, and `java-kotlin`; per-language `build-mode` with toolchain setup so compiled-language scans are reliable on enterprise repos (pure-Java uses `build-mode: none`)
+- **ASVS references migrated from 4.0 to 5.0** repo-wide using the official OWASP `mapping_v4.0.3_to_v5.0.0` mapping (stack profiles, examples, agents, templates, skill, PR template)
+- **`secure-sdlc init`** only prints a `stacks/<name>.md` pointer when that profile actually ships
+
+### Fixed
+- Pre-existing CSRF control mislabel in the Django, Express, Rails, and Go stack profiles (`V14.4.5`/HSTS → real CSRF control `V3.5.1`)
+- Broken `stacks/<gin|echo|fiber>.md` reference — Go framework projects now resolve to `stacks/golang.md`
+
+---
+
 ## [1.0.2]
 
 ---

package/CLAUDE.md

@@ -175,6 +175,7 @@ If the project uses one of these stacks, reference the relevant profile in `stac
 | Django | `stacks/django.md` |
 | Express.js | `stacks/express.md` |
 | Ruby on Rails | `stacks/rails.md` |
+| Go (net/http, Gin, Echo, Fiber) | `stacks/golang.md` |
 
 Stack profiles contain framework-specific vulnerability patterns, secure coding examples,
 and recommended libraries. Reference them when the dev-lead or appsec-engineer agents

package/README.md

@@ -1,7 +1,8 @@
-![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)
-![Claude Code](https://img.shields.io/badge/Claude_Code-Sub--Agents-blueviolet)
-![Cursor MCP](https://img.shields.io/badge/Cursor-MCP%20Ready-blue)
-![OWASP ASVS](https://img.shields.io/badge/OWASP-ASVS%20L2-orange)
+[![CI](https://github.com/Kaademos/secure-sdlc-agents/actions/workflows/ci.yml/badge.svg)](https://github.com/Kaademos/secure-sdlc-agents/actions/workflows/ci.yml)
+[![npm version](https://img.shields.io/npm/v/@kaademos/secure-sdlc?logo=npm)](https://www.npmjs.com/package/@kaademos/secure-sdlc)
+[![node](https://img.shields.io/node/v/@kaademos/secure-sdlc)](https://nodejs.org)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
+![OWASP ASVS](https://img.shields.io/badge/OWASP-ASVS%205.0-orange)
 ![Works With](https://img.shields.io/badge/Works%20With-Claude%20%7C%20Cursor%20%7C%20Windsurf%20%7C%20Warp-brightgreen)
 
 # Secure SDLC Agents
@@ -9,6 +10,7 @@
 **8 AI security specialists. Invoked at the exact phase where each vulnerability would have been caught.**
 
 Requirements → threat modelling → code review → IaC → compliance → release gate.  
+
 Works in Claude Code, Cursor, Windsurf, Warp, and any MCP-compatible tool.
 
 ---
@@ -92,10 +94,12 @@ What are you working on?
 
 ## Quick start
 
-### Option 0 — Claude Code Plugin Marketplace (one command, nothing to install)
+### Option 0 — Claude Code Plugin Marketplace
 
 ```bash
 /plugin marketplace add Kaademos/secure-sdlc-agents
+
+/plugin install secure-sdlc-agents@secure-sdlc-agents
 ```
 
 All 8 agents are immediately available in your session. No cloning, no npm, no file copying.
@@ -331,6 +335,7 @@ Deep, framework-specific security guidance in `stacks/`:
 | Django | [`stacks/django.md`](stacks/django.md) — CSRF, strong params, ORM injection, production settings |
 | Express.js | [`stacks/express.md`](stacks/express.md) — helmet, rate limiting, CSRF, Zod validation |
 | Ruby on Rails | [`stacks/rails.md`](stacks/rails.md) — Brakeman, Pundit, strong parameters, credentials |
+| Go (net/http, Gin, Echo, Fiber) | [`stacks/golang.md`](stacks/golang.md) — html/template XSS, database/sql & GORM injection, CORS, gosec/govulncheck |
 
 ---
 
@@ -372,6 +377,8 @@ In `warp-workflows/` — import into Warp for one-click SDLC automation:
 | [`01-login-feature/`](examples/01-login-feature/) | Auth flow (bcrypt, MFA, sessions) | JWT alg:none, hardcoded secrets, cost factor |
 | [`02-api-endpoint/`](examples/02-api-endpoint/) | Public REST API | IDOR via UUID path param, IAM over-privilege |
 | [`03-file-upload/`](examples/03-file-upload/) | File upload to S3 | SVG XSS, magic byte validation, public bucket |
+| [`04-oauth-flow/`](examples/04-oauth-flow/) | OAuth 2.0 / OIDC social login | redirect_uri exact match, PKCE, state vs nonce, ID-token validation |
+| [`05-payment-processing/`](examples/05-payment-processing/) | Card checkout (hosted page) | PCI DSS SAQ A scoping, webhook signature, idempotency, amount tampering |
 
 ---
 

package/cli/src/commands/init.js

@@ -163,12 +163,17 @@ export default async function init(options) {
   console.log(chalk.dim(`     secure-sdlc kickoff\n`));
 
   if (stack.name !== "unknown") {
-    const { getStackSecurityNotes } = await import("../utils/stack-detect.js");
+    const { getStackSecurityNotes, getStackProfile } = await import("../utils/stack-detect.js");
     const notes = getStackSecurityNotes(stack.name);
     if (notes.length) {
       console.log(chalk.bold(`\n${stack.display} security notes for your team:\n`));
       notes.slice(0, 3).forEach((n) => console.log(chalk.dim(`  • ${n}`)));
-      console.log(chalk.dim(`  (see stacks/${stack.name}.md for full guidance)\n`));
+      // Only point to a profile that actually ships — avoids a broken reference
+      // for stacks that have notes but no dedicated stacks/<name>.md (e.g. terraform).
+      const profile = getStackProfile(stack.name);
+      if (existsSync(join(REPO_ROOT, "stacks", `${profile}.md`))) {
+        console.log(chalk.dim(`  (see stacks/${profile}.md for full guidance)\n`));
+      }
     }
   }
 }

package/cli/src/utils/stack-detect.js

@@ -79,10 +79,29 @@ export function detectStack(projectRoot) {
   return { name: "unknown", display: "Unknown", language: "Unknown" };
 }
 
+/**
+ * Maps a detected stack name to the stack that owns its security guidance.
+ * Framework variants (e.g. Gin/Echo/Fiber) share their language's profile and notes.
+ */
+const STACK_ALIASES = {
+  gin: "golang",
+  echo: "golang",
+  fiber: "golang",
+};
+
+/**
+ * Resolves the stack profile (notes key + stacks/<name>.md) for a detected stack.
+ * Falls back to the stack name itself when no alias applies.
+ */
+export function getStackProfile(stackName) {
+  return STACK_ALIASES[stackName] || stackName;
+}
+
 /**
  * Returns the top security considerations for a given stack.
  */
 export function getStackSecurityNotes(stackName) {
+  stackName = getStackProfile(stackName);
   const notes = {
     nextjs: [
       "Review Server Actions for CSRF and authorisation — they're POST endpoints by default",
@@ -120,6 +139,13 @@ export function getStackSecurityNotes(stackName) {
       "Audit before_action filters for auth — ensure every controller action is covered",
       "Brakeman is the standard Rails SAST tool — run on every PR",
     ],
+    golang: [
+      "Render HTML with html/template (context-aware escaping) — never text/template, and avoid template.HTML on user input",
+      "Use database/sql placeholders ($1/?) or GORM's ? conditions — never fmt.Sprintf user input into queries",
+      "CORS: set an explicit AllowedOrigins list — never combine wildcard/AllowAllOrigins with AllowCredentials:true",
+      "net/http ships no security headers — add CSP, HSTS, X-Content-Type-Options via middleware (e.g. unrolled/secure)",
+      "Run gosec (SAST) and govulncheck (vulnerable deps) in CI; hash passwords with bcrypt (cost ≥ 12) or argon2id",
+    ],
     terraform: [
       "Pin provider versions with ~> constraints, not latest",
       "Use terraform-aws-modules/terraform-google-modules — don't write IAM from scratch",

package/docs/templates/compliance-attestation.md

@@ -3,7 +3,7 @@
 **Release version:** v[X.Y.Z]
 **Date:** [YYYY-MM-DD]
 **Author:** GRC Analyst Agent + [Human GRC lead]
-**Frameworks in scope:** [SOC 2 / ISO 27001 / NIST CSF / PCI DSS / GDPR — delete inapplicable]
+**Frameworks in scope:** [SOC 2 / ISO 27001 / NIST CSF / PCI DSS / GDPR / HIPAA / DORA / FedRAMP — delete inapplicable]
 **Status:** Draft / Review / Approved
 
 ---
@@ -110,6 +110,45 @@ ISO/IEC 27001:2022 Annex A, NIST CSF 2.0]
 
 ---
 
+### HIPAA *(complete only if protected health information (PHI) is in scope)*
+
+| Standard / Rule | Safeguard | Status | Evidence Reference | Notes |
+|-----------------|-----------|--------|--------------------|-------|
+| §164.308(a)(1) | Security Rule — Security management process (risk analysis) | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| §164.312(a)(1) | Security Rule — Access control (technical safeguards) | | | |
+| §164.312(b) | Security Rule — Audit controls | | | |
+| §164.312(e)(1) | Security Rule — Transmission security (encryption in transit) | | | |
+| §164.502(b) | Privacy Rule — Minimum necessary use and disclosure | | | |
+
+*Extend with additional Security/Privacy Rule standards (e.g. §164.308 administrative, §164.310 physical) relevant to the systems in scope.*
+
+---
+
+### DORA *(complete only if an EU financial entity or critical ICT third-party provider)*
+
+| Article / Pillar | Requirement | Status | Evidence Reference | Notes |
+|------------------|-------------|--------|--------------------|-------|
+| Art. 5–15 | ICT risk management framework | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| Art. 17–23 | ICT-related incident management, classification & reporting | | | |
+| Art. 24–27 | Digital operational resilience testing (incl. TLPT) | | | |
+| Art. 28–30 | ICT third-party risk management | | | |
+
+---
+
+### FedRAMP *(complete only if selling to US federal agencies — NIST SP 800-53 baseline)*
+
+| Control Family | Control | Status | Evidence Reference | Notes |
+|----------------|---------|--------|--------------------|-------|
+| AC — Access Control | AC-2 Account management | ✅ Met / ⚠️ Gap / 🚫 Fail | | |
+| AU — Audit & Accountability | AU-2 Event logging | | | |
+| IA — Identification & Authentication | IA-2 Identification and authentication (organisational users) | | | |
+| SC — System & Communications Protection | SC-7 Boundary protection | | | |
+| SC — System & Communications Protection | SC-28 Protection of information at rest | | | |
+
+*Select the impact baseline (Low / Moderate / High) and extend with the corresponding 800-53 control families (CM, CP, IR, RA, SI, …).*
+
+---
+
 ## Gaps
 
 Controls that are not fully met at the time of this attestation:

package/docs/templates/threat-model.md

@@ -116,7 +116,7 @@ Priority list of mitigations to carry into the build phase:
 
 | Priority | Threat ID(s) | Mitigation | Owner | ASVS Ref |
 |----------|-------------|------------|-------|----------|
-| 1 | T-001, T-004 | Implement account lockout and generic error responses | Dev Lead | V2.2.1, V8.3.4 |
+| 1 | T-001, T-004 | Implement account lockout and generic error responses | Dev Lead | V6.3.1, V14.1.1 |
 | 2 | | | | |
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kaademos/secure-sdlc",
-  "version": "1.1.0",
+  "version": "1.2.0",
   "description": "Secure SDLC agent team — CLI to scaffold docs, hooks, CI, and MCP-ready security workflows",
   "type": "module",
   "bin": {
@@ -29,6 +29,7 @@
   "scripts": {
     "prepack": "node cli/bin/secure-sdlc.js --version",
     "sdlc": "node cli/bin/secure-sdlc.js",
+    "test": "node --test test/*.test.js",
     "test:pack": "npm pack --dry-run --ignore-scripts 2>&1"
   },
   "keywords": [

package/skills/compliance-and-audit/SKILL.md

@@ -66,9 +66,9 @@ Produce a control mapping table that connects ASVS requirements to applicable fr
 ```markdown
 | ASVS Ref | Requirement | SOC 2 | ISO 27001 | NIST CSF | PCI DSS |
 |----------|-------------|-------|-----------|----------|---------| 
-| V2.1.1 | Password complexity ≥ 12 chars | CC6.1 | A.8.5 | PR.AC-1 | Req 8.3 |
-| V6.1.1 | Encryption at rest (AES-256) | CC6.7 | A.8.24 | PR.DS-1 | Req 3.5 |
-| V9.1.1 | TLS 1.2+ for all external comms | CC6.7 | A.8.20 | PR.DS-2 | Req 4.2 |
+| V6.2.1 | Password complexity ≥ 12 chars | CC6.1 | A.8.5 | PR.AC-1 | Req 8.3 |
+| V14.1.1 | Encryption at rest (AES-256) | CC6.7 | A.8.24 | PR.DS-1 | Req 3.5 |
+| V12.2.1 | TLS 1.2+ for all external comms | CC6.7 | A.8.20 | PR.DS-2 | Req 4.2 |
 ```
 
 ### Step 4 — Collect audit evidence at time of implementation

package/stacks/django.md

@@ -194,13 +194,13 @@ DATABASE_URL = env('DATABASE_URL')
 
 | ASVS Ref | Control | Django Implementation |
 |----------|---------|----------------------|
-| V2.1.1 | Password complexity | `AUTH_PASSWORD_VALIDATORS` |
-| V3.3.1 | Session invalidation on logout | `django.contrib.auth.logout()` clears session |
-| V4.1.1 | Auth on endpoints | `@login_required` / `permission_classes` |
-| V4.2.1 | Object-level auth | Explicit ownership checks before returning objects |
-| V5.3.4 | No SQL injection | Use ORM; avoid `.raw()` with user input |
-| V14.4.1 | Security headers | Django SecurityMiddleware |
-| V14.4.5 | CSRF | CsrfViewMiddleware (enabled by default) |
+| V6.2.1 | Password complexity | `AUTH_PASSWORD_VALIDATORS` |
+| V7.4.1 | Session invalidation on logout | `django.contrib.auth.logout()` clears session |
+| V8.3.1 | Auth on endpoints | `@login_required` / `permission_classes` |
+| V8.2.2 | Object-level auth | Explicit ownership checks before returning objects |
+| V1.2.4 | No SQL injection | Use ORM; avoid `.raw()` with user input |
+| V4.1.1 | Security headers | Django SecurityMiddleware |
+| V3.5.1 | CSRF | CsrfViewMiddleware (enabled by default) |
 
 ---
 

package/stacks/express.md

@@ -204,12 +204,12 @@ const user = await prisma.user.findUnique({ where: { id: userId } });
 
 | ASVS Ref | Control | Express Implementation |
 |----------|---------|----------------------|
-| V4.1.1 | Auth middleware | passport.js + per-route authentication middleware |
-| V4.2.1 | Object-level auth | Ownership check in every route handler |
-| V5.1.3 | Input validation | Zod validation middleware |
-| V13.2.5 | Rate limiting | express-rate-limit per endpoint |
-| V14.4.1 | Security headers | helmet() |
-| V14.4.5 | CSRF | csrf-csrf or csurf |
+| V8.3.1 | Auth middleware | passport.js + per-route authentication middleware |
+| V8.2.2 | Object-level auth | Ownership check in every route handler |
+| V2.2.1 | Input validation | Zod validation middleware |
+| V3.5.2 | Rate limiting | express-rate-limit per endpoint |
+| V4.1.1 | Security headers | helmet() |
+| V3.5.1 | CSRF | csrf-csrf or csurf |
 
 ---
 

package/stacks/fastapi.md

@@ -224,12 +224,12 @@ settings = Settings()
 
 | ASVS Ref | Control | FastAPI Implementation |
 |----------|---------|----------------------|
-| V4.1.1 | Auth on all endpoints | `Depends(get_current_user)` on every protected endpoint |
-| V4.2.1 | Object-level authorisation | `resource.owner_id == current_user.id` check |
-| V5.1.3 | Input validation | Pydantic models with `Field` constraints |
-| V8.3.4 | Don't confirm resource existence | Return 404 (not 403) for resources the user can't see |
-| V13.2.5 | Rate limiting | slowapi or similar |
-| V14.4.1 | Security headers | Add `SecurityHeadersMiddleware` |
+| V8.3.1 | Auth on all endpoints | `Depends(get_current_user)` on every protected endpoint |
+| V8.2.2 | Object-level authorisation | `resource.owner_id == current_user.id` check |
+| V2.2.1 | Input validation | Pydantic models with `Field` constraints |
+| V14.1.1 | Don't confirm resource existence | Return 404 (not 403) for resources the user can't see |
+| V3.5.2 | Rate limiting | slowapi or similar |
+| V4.1.1 | Security headers | Add `SecurityHeadersMiddleware` |
 
 ---
 

package/stacks/golang.md

@@ -0,0 +1,274 @@
+# Go Security Profile
+
+**Language:** Go 1.22+
+**Frameworks:** net/http (stdlib), Gin, Echo, Fiber
+**ASVS Baseline:** L2
+
+---
+
+## Go's Standard Library Is Safe — Until You Reach Around It
+
+Go's stdlib gives you memory safety, `html/template` context-aware escaping, and
+`database/sql` placeholders for free. Almost every Go web vulnerability comes from
+*opting out* of these: using `text/template` for HTML, building SQL with `fmt.Sprintf`,
+running shell strings through `exec.Command("sh", "-c", ...)`, or enabling a wildcard CORS
+policy alongside credentials. This profile focuses on those opt-out traps.
+
+---
+
+## XSS — Use `html/template`, Never `text/template`, for HTML
+
+`html/template` escapes output based on context (HTML body, attribute, JS, URL, CSS).
+`text/template` performs **zero** escaping and must never render attacker-influenced HTML.
+
+```go
+import (
+	"html/template" // ✓ context-aware auto-escaping
+	// "text/template" // ✗ NO escaping — XSS if used for HTML
+)
+
+// ✓ Safe — html/template escapes .Name in HTML context
+var tmpl = template.Must(template.New("p").Parse(`<p>Hello {{ .Name }}</p>`))
+tmpl.Execute(w, map[string]string{"Name": userInput}) // <script> becomes &lt;script&gt;
+```
+
+```go
+// ✗ Unsafe — template.HTML tells the engine "this is already safe", disabling escaping
+tmpl.Execute(w, map[string]any{"Bio": template.HTML(user.Bio)}) // stored XSS
+
+// ✓ Safe — sanitise untrusted HTML first, then mark trusted
+import "github.com/microcosm-cc/bluemonday"
+
+p := bluemonday.UGCPolicy()
+safe := template.HTML(p.Sanitize(user.Bio)) // allow-list of tags/attrs only
+```
+
+**Other escaping bypasses to flag in review:** `template.JS`, `template.URL`,
+`template.CSS`, `template.HTMLAttr` — each disables escaping for that context. They are
+only safe with values your code fully controls, never with user input.
+
+> Framework note: Gin's `c.HTML()`, Echo's `c.Render()`, and Fiber's `html/v2` engine all
+> build on `html/template`, so context escaping applies. Setting `Content-Type: text/html`
+> by hand and writing a `fmt.Sprintf`'d string with `c.String()`/`w.Write()` bypasses it.
+
+---
+
+## SQL Injection — Placeholders, Never `fmt.Sprintf`
+
+### `database/sql`
+
+```go
+// ✗ SQL injection — string formatting builds the query
+q := fmt.Sprintf("SELECT * FROM users WHERE email = '%s'", email)
+rows, err := db.Query(q)
+
+// ✓ Parameterised — driver sends value separately from SQL
+rows, err := db.Query("SELECT * FROM users WHERE email = $1", email)        // pq / pgx
+rows, err := db.Query("SELECT * FROM users WHERE email = ?", email)         // MySQL / SQLite
+err := db.QueryRow("SELECT id FROM users WHERE email = $1", email).Scan(&id)
+```
+
+Identifiers (table/column names, `ORDER BY`) **cannot** be parameterised — allow-list them:
+
+```go
+// ✗ Unsafe — attacker controls the ORDER BY clause
+db.Query("SELECT * FROM users ORDER BY " + r.URL.Query().Get("sort"))
+
+// ✓ Safe — validate against a fixed set before interpolating
+var allowedSort = map[string]string{"name": "name", "created": "created_at"}
+col, ok := allowedSort[r.URL.Query().Get("sort")]
+if !ok {
+	col = "created_at"
+}
+db.Query("SELECT * FROM users ORDER BY " + col) // col is now a known-safe literal
+```
+
+### GORM
+
+```go
+// ✓ Safe — ? placeholders are escaped by GORM
+db.Where("email = ?", email).First(&user)
+db.Raw("SELECT * FROM users WHERE email = ?", email).Scan(&user)
+
+// ✗ Unsafe — Sprintf into the condition string defeats GORM's escaping
+db.Where(fmt.Sprintf("email = '%s'", email)).First(&user)
+
+// ✗ Unsafe — user-controlled column name in a struct/map update can corrupt other fields
+db.Model(&user).Updates(userControlledMap) // allow-list keys, or use a typed struct
+```
+
+---
+
+## CORS — Never Wildcard Origin *with* Credentials
+
+`Access-Control-Allow-Origin: *` combined with `Allow-Credentials: true` is rejected by
+browsers, so the usual "fix" is reflecting the request `Origin` — which silently allows
+**every** site. Always use an explicit allow-list.
+
+```go
+// stdlib via github.com/rs/cors
+import "github.com/rs/cors"
+
+// ✗ Unsafe — allows any origin to make credentialed requests
+c := cors.New(cors.Options{
+	AllowedOrigins:   []string{"*"},
+	AllowCredentials: true,
+})
+
+// ✓ Safe — explicit origins, credentials only for those
+c := cors.New(cors.Options{
+	AllowedOrigins:   []string{"https://app.example.com"},
+	AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE"},
+	AllowCredentials: true,
+	MaxAge:           300,
+})
+handler := c.Handler(mux)
+```
+
+```go
+// Gin — github.com/gin-contrib/cors
+import "github.com/gin-contrib/cors"
+
+// ✗ Unsafe — AllowAllOrigins + credentials reflects every Origin
+r.Use(cors.New(cors.Config{AllowAllOrigins: true, AllowCredentials: true}))
+
+// ✓ Safe — explicit list
+r.Use(cors.New(cors.Config{
+	AllowOrigins:     []string{"https://app.example.com"},
+	AllowCredentials: true,
+}))
+```
+
+```go
+// Echo — middleware.CORSWithConfig (AllowOrigins) and
+// Fiber — github.com/gofiber/fiber/v2/middleware/cors (AllowOrigins) follow the same rule:
+// list real origins; never set AllowOrigins:"*" together with AllowCredentials:true.
+```
+
+---
+
+## Security Headers — Stdlib Has None
+
+`net/http` sends no security headers. Add them via middleware on every response.
+
+```go
+func secureHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		h := w.Header()
+		h.Set("Content-Security-Policy", "default-src 'self'")
+		h.Set("X-Content-Type-Options", "nosniff")
+		h.Set("X-Frame-Options", "DENY")
+		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
+		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		next.ServeHTTP(w, r)
+	})
+}
+// Or use github.com/unrolled/secure for a configurable equivalent.
+// Gin: gin-contrib/secure · Echo: middleware.Secure() · Fiber: middleware/helmet
+```
+
+---
+
+## Authentication & Passwords
+
+```go
+// ✓ Password hashing — bcrypt (cost ≥ 12) or argon2id
+import "golang.org/x/crypto/bcrypt"
+
+hash, err := bcrypt.GenerateFromPassword([]byte(pw), 12)
+err = bcrypt.CompareHashAndPassword(hash, []byte(pw)) // constant-time
+
+// ✗ Never — fast/unsalted hashes for passwords
+sum := sha256.Sum256([]byte(pw)) // brute-forceable
+```
+
+```go
+// ✓ Constant-time comparison for tokens/HMACs — avoid timing leaks
+import "crypto/subtle"
+
+if subtle.ConstantTimeCompare(got, want) == 1 { /* match */ }
+
+// ✗ Unsafe — == short-circuits and leaks length/prefix via timing
+if string(got) == string(want) { /* ... */ }
+```
+
+JWT: pin the expected algorithm in the keyfunc to defeat `alg: none` / algorithm-confusion:
+
+```go
+token, err := jwt.Parse(raw, func(t *jwt.Token) (any, error) {
+	if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok { // ✓ reject unexpected alg
+		return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
+	}
+	return secret, nil
+})
+```
+
+---
+
+## Command Injection & SSRF
+
+```go
+import "os/exec"
+
+// ✗ Command injection — user input in a shell string
+exec.Command("sh", "-c", "convert "+userFile+" out.png").Run()
+
+// ✓ Safe — pass args as a slice; no shell, no word-splitting
+exec.Command("convert", userFile, "out.png").Run()
+```
+
+```go
+// ✗ SSRF — fetching a user-supplied URL lets attackers hit internal services / metadata
+http.Get(r.FormValue("url"))
+
+// ✓ Resolve + validate the host against an allow-list and block private/link-local IPs
+// before dialing (deny 169.254.169.254, 10/8, 127/8, ::1, etc.).
+```
+
+---
+
+## Secrets & Config
+
+```go
+// ✓ Read secrets from the environment / a secrets manager — never hardcode
+dsn := os.Getenv("DATABASE_URL")
+if dsn == "" {
+	log.Fatal("DATABASE_URL is required")
+}
+
+// ✗ Never commit credentials
+const apiKey = "sk_live_8f2b..." // gitleaks/gosec will flag this
+```
+
+Run `gitleaks` in CI and keep `.env` out of git. Use `errors.Is`/`%w` and return generic
+client errors — never write `err.Error()` (which can leak DSNs, paths, SQL) into responses.
+
+---
+
+## ASVS Controls for Go Projects
+
+| ASVS Ref | Control | Go Implementation |
+|----------|---------|-------------------|
+| V2.2.1 | Input validation | `go-playground/validator` on bound structs |
+| V1.3.1 | Output encoding (XSS) | `html/template`; sanitise with `bluemonday` |
+| V1.2.4 | No SQL injection | `database/sql` placeholders; GORM `?` params |
+| V1.2.5 | No OS command injection | `exec.Command` with arg slices, no `sh -c` |
+| V11.4.2 | Password storage | `bcrypt` (cost ≥ 12) or `argon2id` |
+| V3.5.1 | CSRF | `gorilla/csrf` for cookie-based sessions |
+| V4.1.1 | Security headers | `unrolled/secure` middleware |
+
+---
+
+## Recommended Security Tooling (2026)
+
+| Category | Tool |
+|----------|------|
+| SAST | `gosec` (`securego/gosec`) |
+| Vulnerable dependencies | `govulncheck` (official, stdlib-aware) |
+| Secret scanning | `gitleaks` |
+| Input validation | `go-playground/validator` |
+| HTML sanitisation | `bluemonday` |
+| Security headers | `unrolled/secure` |
+| CSRF | `gorilla/csrf` |
+| Password hashing | `golang.org/x/crypto/bcrypt`, `argon2` |
+| CORS | `rs/cors`, `gin-contrib/cors` |

package/stacks/nextjs.md

@@ -164,12 +164,12 @@ export async function createPost(formData: FormData) {
 
 | ASVS Ref | Control | Next.js Implementation |
 |----------|---------|----------------------|
-| V4.1.1 | Authentication on all endpoints | `getServerSession()` in every route handler and Server Action |
-| V4.2.1 | Object-level authorisation | Check `resource.userId === session.user.id` before returning/modifying |
-| V5.1.3 | Input validation | Zod schemas on all Server Action inputs |
-| V7.1.1 | Log security events | Log auth events in NextAuth callbacks |
-| V9.1.1 | TLS everywhere | Enforced by Vercel/host; add HSTS header |
-| V14.4.1 | Security headers | `securityHeaders` in next.config.js |
+| V8.3.1 | Authentication on all endpoints | `getServerSession()` in every route handler and Server Action |
+| V8.2.2 | Object-level authorisation | Check `resource.userId === session.user.id` before returning/modifying |
+| V2.2.1 | Input validation | Zod schemas on all Server Action inputs |
+| V16.2.5 | Log security events | Log auth events in NextAuth callbacks |
+| V12.2.1 | TLS everywhere | Enforced by Vercel/host; add HSTS header |
+| V4.1.1 | Security headers | `securityHeaders` in next.config.js |
 
 ---
 

package/stacks/rails.md

@@ -225,12 +225,12 @@ session fixation, and many other Rails-specific issues.
 
 | ASVS Ref | Control | Rails Implementation |
 |----------|---------|---------------------|
-| V2.1.1 | Password complexity | Devise validates :password strength |
-| V2.2.1 | Account lockout | Devise :lockable |
-| V4.1.1 | Auth on all actions | `before_action :authenticate_user!` |
-| V4.2.1 | Object-level auth | Pundit policies with `authorize @resource` |
-| V5.3.4 | No SQL injection | ActiveRecord ORM; never string-interpolate in where() |
-| V14.4.5 | CSRF | `protect_from_forgery` (default) |
+| V6.2.1 | Password complexity | Devise validates :password strength |
+| V6.3.1 | Account lockout | Devise :lockable |
+| V8.3.1 | Auth on all actions | `before_action :authenticate_user!` |
+| V8.2.2 | Object-level auth | Pundit policies with `authorize @resource` |
+| V1.2.4 | No SQL injection | ActiveRecord ORM; never string-interpolate in where() |
+| V3.5.1 | CSRF | `protect_from_forgery` (default) |
 
 ---