@laitszkin/apollo-toolkit 3.9.1 → 3.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (54)
  1. package/CHANGELOG.md +7 -0
  2. package/README.md +2 -2
  3. package/analyse-app-logs/scripts/__pycache__/filter_logs_by_time.cpython-312.pyc +0 -0
  4. package/analyse-app-logs/scripts/__pycache__/log_cli_utils.cpython-312.pyc +0 -0
  5. package/analyse-app-logs/scripts/__pycache__/search_logs.cpython-312.pyc +0 -0
  6. package/commit-and-push/README.md +1 -1
  7. package/commit-and-push/SKILL.md +9 -8
  8. package/commit-and-push/agents/openai.yaml +1 -1
  9. package/develop-new-features/SKILL.md +2 -2
  10. package/discover-edge-cases/README.md +2 -2
  11. package/discover-edge-cases/SKILL.md +61 -90
  12. package/discover-edge-cases/agents/openai.yaml +2 -2
  13. package/{harden-app-security → discover-security-issues}/CHANGELOG.md +5 -0
  14. package/discover-security-issues/README.md +35 -0
  15. package/discover-security-issues/SKILL.md +88 -0
  16. package/discover-security-issues/agents/openai.yaml +4 -0
  17. package/docs-to-voice/scripts/__pycache__/docs_to_voice.cpython-312.pyc +0 -0
  18. package/enhance-existing-features/SKILL.md +2 -2
  19. package/generate-spec/scripts/__pycache__/create-specscpython-312.pyc +0 -0
  20. package/implement-specs/SKILL.md +9 -8
  21. package/implement-specs-with-subagents/SKILL.md +3 -3
  22. package/implement-specs-with-worktree/SKILL.md +4 -4
  23. package/katex/scripts/__pycache__/render_katex.cpython-312.pyc +0 -0
  24. package/merge-conflict-resolver/SKILL.md +3 -3
  25. package/open-github-issue/scripts/__pycache__/open_github_issue.cpython-312.pyc +0 -0
  26. package/open-source-pr-workflow/SKILL.md +12 -7
  27. package/package.json +1 -1
  28. package/read-github-issue/scripts/__pycache__/find_issues.cpython-312.pyc +0 -0
  29. package/read-github-issue/scripts/__pycache__/read_issue.cpython-312.pyc +0 -0
  30. package/resolve-review-comments/SKILL.md +14 -8
  31. package/resolve-review-comments/scripts/__pycache__/review_threads.cpython-312.pyc +0 -0
  32. package/review-change-set/README.md +3 -3
  33. package/review-change-set/SKILL.md +50 -65
  34. package/review-change-set/agents/openai.yaml +2 -2
  35. package/review-spec-related-changes/README.md +1 -1
  36. package/review-spec-related-changes/SKILL.md +4 -4
  37. package/review-spec-related-changes/agents/openai.yaml +1 -1
  38. package/solve-issues-found-during-review/README.md +1 -1
  39. package/solve-issues-found-during-review/SKILL.md +3 -3
  40. package/text-to-short-video/scripts/__pycache__/enforce_video_aspect_ratio.cpython-312.pyc +0 -0
  41. package/version-release/README.md +1 -1
  42. package/version-release/SKILL.md +2 -2
  43. package/version-release/agents/openai.yaml +1 -1
  44. package/harden-app-security/README.md +0 -46
  45. package/harden-app-security/SKILL.md +0 -127
  46. package/harden-app-security/agents/openai.yaml +0 -4
  47. package/{harden-app-security → discover-security-issues}/LICENSE +0 -0
  48. package/{harden-app-security → discover-security-issues}/references/agent-attack-catalog.md +0 -0
  49. package/{harden-app-security → discover-security-issues}/references/common-software-attack-catalog.md +0 -0
  50. package/{harden-app-security → discover-security-issues}/references/red-team-extreme-scenarios.md +0 -0
  51. package/{harden-app-security → discover-security-issues}/references/risk-checklist.md +0 -0
  52. package/{harden-app-security → discover-security-issues}/references/security-test-patterns-agent.md +0 -0
  53. package/{harden-app-security → discover-security-issues}/references/security-test-patterns-finance.md +0 -0
  54. package/{harden-app-security → discover-security-issues}/references/test-snippets.md +0 -0
@@ -1,127 +0,0 @@
- ---
- name: harden-app-security
- description: "Evidence-first adversarial security audit workflow focused on vulnerability discovery only. Use when users ask to find exploitable flaws, reproduce them with concrete evidence, and report prioritized risks across agent systems, financial programs, and common software/web apps (including SQL injection and related attacks)."
- ---
-
- # Harden App Security
-
- ## Dependencies
-
- - Required: none.
- - Conditional: none.
- - Optional: none.
- - Fallback: not applicable.
-
- ## Standards
-
- - Evidence: Keep only reproducible vulnerabilities with exploit payloads, exact commands or requests, and concrete code evidence.
- - Execution: Stay discovery-only, choose the relevant module catalog, execute deterministic attack scenarios, and validate each exploit at least twice.
- - Quality: Prioritize findings by impact, exploitability, and reach, and keep hypotheses clearly separated from confirmed risks.
- - Output: Return prioritized findings, attack evidence, risk prioritization, hardening guidance, and residual risk without changing code.
-
- ## Overview
-
- Use this skill to run adversarial security audits focused only on finding and proving vulnerabilities.
-
- ## Non-negotiable Boundaries
-
- - This skill is discovery-only: do not edit code, do not apply patches, do not open PRs.
- - Do not run "fix workflow" or "auto remediation" behavior.
- - Keep only reproducible vulnerabilities with clear exploit evidence.
- - Mark unverified ideas as hypotheses and separate them from confirmed findings.
-
- ## Modules
-
- ### 1) `agent-system`
-
- - Open `references/agent-attack-catalog.md`.
- - Optionally consult `references/security-test-patterns-agent.md` when you need deterministic exploit reproduction ideas.
- - Focus on prompt injection, tool abuse, memory poisoning, and data exfiltration risks.
-
- ### 2) `financial-program`
-
- - Open `references/red-team-extreme-scenarios.md` and `references/risk-checklist.md`.
- - Optionally consult `references/security-test-patterns-finance.md` when you need deterministic exploit reproduction ideas.
- - Focus on money-critical vulnerabilities such as broken authorization, replay/race/idempotency issues, precision loss, and lifecycle inconsistencies.
-
- ### 3) `software-system`
-
- - Open `references/common-software-attack-catalog.md`.
- - Focus on common software/web vulnerabilities such as SQL/NoSQL injection, command injection, XSS, CSRF, SSRF, path traversal, broken authentication/authorization, insecure session/JWT handling, unsafe file upload, and sensitive data exposure.
-
- ### 4) `combined`
-
- - Run any relevant combination of modules and test cross-boundary exploit chains (for example: prompt injection triggering privileged APIs, or SQL injection used to pivot into financial transfer endpoints).
-
- ## Core Workflow
-
- ### 1) Scope and define trust boundaries
-
- - List untrusted inputs, privileged actions, and protected assets before testing.
- - Define module-specific invariants that must never break.
-
- ### 2) Execute attack scenarios and capture evidence
-
- - Run deterministic exploit scenarios from the selected module references.
- - Record payload, preconditions, observed behavior, and exact code evidence (`path:line`).
- - Keep only reproducible findings; mark anything else as hypothesis.
-
- ### 3) Prioritize confirmed risks
-
- - Score each finding by impact and exploitability (add system reach for multi-tenant or high-blast-radius risks).
- - Prioritize Critical/High first, then Medium, then Low.
- - Include exploit preconditions and blast radius for each confirmed issue.
-
- ### 4) Validate exploit reproducibility
-
- - Reproduce each confirmed exploit at least twice using the same payload path.
- - Add nearby payload variants (encoding, casing, delimiter tricks, parameter smuggling) for high-risk paths.
- - Capture exact commands/requests and observable security failure.
-
- ### 5) Report findings only
-
- - Deliver prioritized findings with exploit steps and evidence.
- - Provide hardening recommendations as guidance only (no code changes).
- - Clearly list residual risk, unknowns, and follow-up validation ideas.
-
- ## Minimum Coverage
-
- Apply all relevant checks for selected modules:
-
- - Core: trust-boundary enforcement, authentication/authorization checks, unsafe input-to-control-flow paths, and sensitive data handling.
- - Agent system: prompt injection defense, indirect injection defense, unauthorized tool/action blocking, secret/data exfiltration blocking, memory poisoning resistance.
- - Financial program: authorization/object access checks, replay/race/idempotency protection, precision and value-conservation checks, external dependency/oracle safety, lifecycle consistency under failure.
- - Software system: SQL/NoSQL/command/template injection, XSS/CSRF/SSRF, path traversal and unsafe file upload, IDOR/BOLA, session/JWT weakness, insecure deserialization, weak rate limiting/brute-force resistance, security misconfiguration (CORS/debug endpoints/secrets exposure).
- - Combined: include all selected module checks plus cross-boundary exploit chains.
-
- ## Output Format
-
- 1. Findings (high to low severity)
- - Title and severity
- - Evidence (`path:line`)
- - Reproduction payload and steps
- - Impacted asset/invariant
- 2. Attack evidence
- - Preconditions and trigger path
- - Commands/requests and observed insecure behavior
- - Reproducibility notes (including variant payload results)
- 3. Risk prioritization
- - Impact, exploitability, and reach
- - Why this matters in the target system context
- 4. Hardening guidance (advice only)
- - Recommended fix direction
- - Suggested validation focus after remediation
- 5. Residual risk
- - Hypotheses, assumptions, and follow-up hardening tasks
-
- ## Resources
-
- - Agent module
- - `references/agent-attack-catalog.md`: AI agent attack surface checklist and scenario catalog.
- - `references/security-test-patterns-agent.md`: Optional exploit reproduction pattern reference.
- - Financial module
- - `references/red-team-extreme-scenarios.md`: Extreme attacker scenarios for money-critical systems.
- - `references/risk-checklist.md`: Finance risk checklist and evidence standard.
- - `references/security-test-patterns-finance.md`: Optional exploit reproduction pattern reference.
- - Software module
- - `references/common-software-attack-catalog.md`: Adversarial scenarios for common software/web systems.
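Review bot: this hunk removes the old `harden-app-security/SKILL.md` outright, while the file list shows the skill's CHANGELOG, LICENSE and `references/` directory moved to `discover-security-issues/` and a new `discover-security-issues/SKILL.md` added with 88 lines against the 127 deleted here; because the viewer did not pair the two files as a rename, the replacement should be diffed line by line against this content to confirm that the "Non-negotiable Boundaries" (no code edits, no patches, no PRs; hypotheses kept separate from confirmed findings) and the "Minimum Coverage" lists survived the condensation rather than being dropped. The deleted front matter also sets `name: harden-app-security`, so any skill or README in the package that still invokes `$harden-app-security` needs updating to the new name, since the reference files moved with it but the old skill directory no longer exists. The rename itself is an improvement: the old name promised hardening, but the body was explicitly discovery-only, and `discover-security-issues` matches what the workflow actually does.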
@@ -1,4 +0,0 @@
- interface:
- display_name: "Harden App Security"
- short_description: "Adversarial vulnerability discovery across agent, finance, and software systems"
- default_prompt: "Use $harden-app-security to run a discovery-only adversarial audit. Reproduce exploitable vulnerabilities with concrete evidence and severity prioritization across agent-system, financial-program, and software-system scopes (including SQL injection and common web flaws). Do not apply code fixes or PR actions."
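Review bot: the removed `default_prompt` invokes the skill as `$harden-app-security`; with the skill directory gone, confirm that the replacement `discover-security-issues/agents/openai.yaml` (listed as +4 -0) points its prompt at the new skill name and keeps the "Do not apply code fixes or PR actions" clause, otherwise an agent following the prompt will either fail to load the skill or lose the discovery-only constraint that the deleted SKILL.md made non-negotiable. `display_name` and `short_description` should likewise be checked for the stale "Harden" wording.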