@maestro-ai/cli 1.0.0

package/content/skills/testing-patterns/scripts/test_runner.py

@@ -0,0 +1,219 @@
+#!/usr/bin/env python3
+"""
+Test Runner - Unified test execution and coverage reporting
+Runs tests and generates coverage report based on project type.
+
+Usage:
+    python test_runner.py <project_path> [--coverage]
+
+Supports:
+    - Node.js: npm test, jest, vitest
+    - Python: pytest, unittest
+"""
+
+import subprocess
+import sys
+import json
+from pathlib import Path
+from datetime import datetime
+
+# Fix Windows console encoding
+try:
+    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
+except:
+    pass
+
+
+def detect_test_framework(project_path: Path) -> dict:
+    """Detect test framework and commands."""
+    result = {
+        "type": "unknown",
+        "framework": None,
+        "cmd": None,
+        "coverage_cmd": None
+    }
+    
+    # Node.js project
+    package_json = project_path / "package.json"
+    if package_json.exists():
+        result["type"] = "node"
+        try:
+            pkg = json.loads(package_json.read_text(encoding='utf-8'))
+            scripts = pkg.get("scripts", {})
+            deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
+            
+            # Check for test script
+            if "test" in scripts:
+                result["framework"] = "npm test"
+                result["cmd"] = ["npm", "test"]
+                
+                # Try to detect specific framework for coverage
+                if "vitest" in deps:
+                    result["framework"] = "vitest"
+                    result["coverage_cmd"] = ["npx", "vitest", "run", "--coverage"]
+                elif "jest" in deps:
+                    result["framework"] = "jest"
+                    result["coverage_cmd"] = ["npx", "jest", "--coverage"]
+            elif "vitest" in deps:
+                result["framework"] = "vitest"
+                result["cmd"] = ["npx", "vitest", "run"]
+                result["coverage_cmd"] = ["npx", "vitest", "run", "--coverage"]
+            elif "jest" in deps:
+                result["framework"] = "jest"
+                result["cmd"] = ["npx", "jest"]
+                result["coverage_cmd"] = ["npx", "jest", "--coverage"]
+                
+        except:
+            pass
+    
+    # Python project
+    if (project_path / "pyproject.toml").exists() or (project_path / "requirements.txt").exists():
+        result["type"] = "python"
+        result["framework"] = "pytest"
+        result["cmd"] = ["python", "-m", "pytest", "-v"]
+        result["coverage_cmd"] = ["python", "-m", "pytest", "--cov", "--cov-report=term-missing"]
+    
+    return result
+
+
+def run_tests(cmd: list, cwd: Path) -> dict:
+    """Run tests and return results."""
+    result = {
+        "passed": False,
+        "output": "",
+        "error": "",
+        "tests_run": 0,
+        "tests_passed": 0,
+        "tests_failed": 0
+    }
+    
+    try:
+        proc = subprocess.run(
+            cmd,
+            cwd=str(cwd),
+            capture_output=True,
+            text=True,
+            encoding='utf-8',
+            errors='replace',
+            timeout=300  # 5 min timeout for tests
+        )
+        
+        result["output"] = proc.stdout[:3000] if proc.stdout else ""
+        result["error"] = proc.stderr[:500] if proc.stderr else ""
+        result["passed"] = proc.returncode == 0
+        
+        # Try to parse test counts from output
+        output = proc.stdout or ""
+        
+        # Jest/Vitest pattern: "Tests: X passed, Y failed, Z total"
+        if "passed" in output.lower() and "failed" in output.lower():
+            import re
+            match = re.search(r'(\d+)\s+passed', output, re.IGNORECASE)
+            if match:
+                result["tests_passed"] = int(match.group(1))
+            match = re.search(r'(\d+)\s+failed', output, re.IGNORECASE)
+            if match:
+                result["tests_failed"] = int(match.group(1))
+            result["tests_run"] = result["tests_passed"] + result["tests_failed"]
+        
+        # Pytest pattern: "X passed, Y failed"
+        if "pytest" in str(cmd):
+            import re
+            match = re.search(r'(\d+)\s+passed', output)
+            if match:
+                result["tests_passed"] = int(match.group(1))
+            match = re.search(r'(\d+)\s+failed', output)
+            if match:
+                result["tests_failed"] = int(match.group(1))
+            result["tests_run"] = result["tests_passed"] + result["tests_failed"]
+        
+    except FileNotFoundError:
+        result["error"] = f"Command not found: {cmd[0]}"
+    except subprocess.TimeoutExpired:
+        result["error"] = "Timeout after 300s"
+    except Exception as e:
+        result["error"] = str(e)
+    
+    return result
+
+
+def main():
+    project_path = Path(sys.argv[1] if len(sys.argv) > 1 else ".").resolve()
+    with_coverage = "--coverage" in sys.argv
+    
+    print(f"\n{'='*60}")
+    print(f"[TEST RUNNER] Unified Test Execution")
+    print(f"{'='*60}")
+    print(f"Project: {project_path}")
+    print(f"Coverage: {'enabled' if with_coverage else 'disabled'}")
+    print(f"Time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
+    
+    # Detect test framework
+    test_info = detect_test_framework(project_path)
+    print(f"Type: {test_info['type']}")
+    print(f"Framework: {test_info['framework']}")
+    print("-"*60)
+    
+    if not test_info["cmd"]:
+        print("No test framework found for this project.")
+        output = {
+            "script": "test_runner",
+            "project": str(project_path),
+            "type": test_info["type"],
+            "framework": None,
+            "passed": True,
+            "message": "No tests configured"
+        }
+        print(json.dumps(output, indent=2))
+        sys.exit(0)
+    
+    # Choose command
+    cmd = test_info["coverage_cmd"] if with_coverage and test_info["coverage_cmd"] else test_info["cmd"]
+    
+    print(f"Running: {' '.join(cmd)}")
+    print("-"*60)
+    
+    # Run tests
+    result = run_tests(cmd, project_path)
+    
+    # Print output (truncated)
+    if result["output"]:
+        lines = result["output"].split("\n")
+        for line in lines[:30]:
+            print(line)
+        if len(lines) > 30:
+            print(f"... ({len(lines) - 30} more lines)")
+    
+    # Summary
+    print("\n" + "="*60)
+    print("SUMMARY")
+    print("="*60)
+    
+    if result["passed"]:
+        print("[PASS] All tests passed")
+    else:
+        print("[FAIL] Some tests failed")
+        if result["error"]:
+            print(f"Error: {result['error'][:200]}")
+    
+    if result["tests_run"] > 0:
+        print(f"Tests: {result['tests_run']} total, {result['tests_passed']} passed, {result['tests_failed']} failed")
+    
+    output = {
+        "script": "test_runner",
+        "project": str(project_path),
+        "type": test_info["type"],
+        "framework": test_info["framework"],
+        "tests_run": result["tests_run"],
+        "tests_passed": result["tests_passed"],
+        "tests_failed": result["tests_failed"],
+        "passed": result["passed"]
+    }
+    
+    print("\n" + json.dumps(output, indent=2))
+    
+    sys.exit(0 if result["passed"] else 1)
+
+
+if __name__ == "__main__":
+    main()

package/content/skills/vulnerability-scanner/SKILL.md

@@ -0,0 +1,276 @@
+---
+name: vulnerability-scanner
+description: Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
+allowed-tools: Read, Glob, Grep, Bash
+---
+
+# Vulnerability Scanner
+
+> Think like an attacker, defend like an expert. 2025 threat landscape awareness.
+
+## 🔧 Runtime Scripts
+
+**Execute for automated validation:**
+
+| Script | Purpose | Usage |
+|--------|---------|-------|
+| `scripts/security_scan.py` | Validate security principles applied | `python scripts/security_scan.py <project_path>` |
+
+## 📋 Reference Files
+
+| File | Purpose |
+|------|---------|
+| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |
+
+---
+
+## 1. Security Expert Mindset
+
+### Core Principles
+
+| Principle | Application |
+|-----------|-------------|
+| **Assume Breach** | Design as if attacker already inside |
+| **Zero Trust** | Never trust, always verify |
+| **Defense in Depth** | Multiple layers, no single point |
+| **Least Privilege** | Minimum required access only |
+| **Fail Secure** | On error, deny access |
+
+### Threat Modeling Questions
+
+Before scanning, ask:
+1. What are we protecting? (Assets)
+2. Who would attack? (Threat actors)
+3. How would they attack? (Attack vectors)
+4. What's the impact? (Business risk)
+
+---
+
+## 2. OWASP Top 10:2025
+
+### Risk Categories
+
+| Rank | Category | Think About |
+|------|----------|-------------|
+| **A01** | Broken Access Control | Who can access what? IDOR, SSRF |
+| **A02** | Security Misconfiguration | Defaults, headers, exposed services |
+| **A03** | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
+| **A04** | Cryptographic Failures | Weak crypto, exposed secrets |
+| **A05** | Injection | User input → system commands |
+| **A06** | Insecure Design | Flawed architecture |
+| **A07** | Authentication Failures | Session, credential management |
+| **A08** | Integrity Failures | Unsigned updates, tampered data |
+| **A09** | Logging & Alerting | Blind spots, no monitoring |
+| **A10** | Exceptional Conditions 🆕 | Error handling, fail-open states |
+
+### 2025 Key Changes
+
+```
+2021 → 2025 Shifts:
+├── SSRF merged into A01 (Access Control)
+├── A02 elevated (Cloud/Container configs)
+├── A03 NEW: Supply Chain (major focus)
+├── A10 NEW: Exceptional Conditions
+└── Focus shift: Root causes > Symptoms
+```
+
+---
+
+## 3. Supply Chain Security (A03)
+
+### Attack Surface
+
+| Vector | Risk | Question to Ask |
+|--------|------|-----------------|
+| **Dependencies** | Malicious packages | Do we audit new deps? |
+| **Lock files** | Integrity attacks | Are they committed? |
+| **Build pipeline** | CI/CD compromise | Who can modify? |
+| **Registry** | Typosquatting | Verified sources? |
+
+### Defense Principles
+
+- Verify package integrity (checksums)
+- Pin versions, audit updates
+- Use private registries for critical deps
+- Sign and verify artifacts
+
+---
+
+## 4. Attack Surface Mapping
+
+### What to Map
+
+| Category | Elements |
+|----------|----------|
+| **Entry Points** | APIs, forms, file uploads |
+| **Data Flows** | Input → Process → Output |
+| **Trust Boundaries** | Where auth/authz checked |
+| **Assets** | Secrets, PII, business data |
+
+### Prioritization Matrix
+
+```
+Risk = Likelihood × Impact
+
+High Impact + High Likelihood → CRITICAL
+High Impact + Low Likelihood  → HIGH
+Low Impact + High Likelihood  → MEDIUM
+Low Impact + Low Likelihood   → LOW
+```
+
+---
+
+## 5. Risk Prioritization
+
+### CVSS + Context
+
+| Factor | Weight | Question |
+|--------|--------|----------|
+| **CVSS Score** | Base severity | How severe is the vuln? |
+| **EPSS Score** | Exploit likelihood | Is it being exploited? |
+| **Asset Value** | Business context | What's at risk? |
+| **Exposure** | Attack surface | Internet-facing? |
+
+### Prioritization Decision Tree
+
+```
+Is it actively exploited (EPSS >0.5)?
+├── YES → CRITICAL: Immediate action
+└── NO → Check CVSS
+         ├── CVSS ≥9.0 → HIGH
+         ├── CVSS 7.0-8.9 → Consider asset value
+         └── CVSS <7.0 → Schedule for later
+```
+
+---
+
+## 6. Exceptional Conditions (A10 - New)
+
+### Fail-Open vs Fail-Closed
+
+| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
+|----------|-----------------|---------------------|
+| Auth error | Allow access | Deny access |
+| Parsing fails | Accept input | Reject input |
+| Timeout | Retry forever | Limit + abort |
+
+### What to Check
+
+- Exception handlers that catch-all and ignore
+- Missing error handling on security operations
+- Race conditions in auth/authz
+- Resource exhaustion scenarios
+
+---
+
+## 7. Scanning Methodology
+
+### Phase-Based Approach
+
+```
+1. RECONNAISSANCE
+   └── Understand the target
+       ├── Technology stack
+       ├── Entry points
+       └── Data flows
+
+2. DISCOVERY
+   └── Identify potential issues
+       ├── Configuration review
+       ├── Dependency analysis
+       └── Code pattern search
+
+3. ANALYSIS
+   └── Validate and prioritize
+       ├── False positive elimination
+       ├── Risk scoring
+       └── Attack chain mapping
+
+4. REPORTING
+   └── Actionable findings
+       ├── Clear reproduction steps
+       ├── Business impact
+       └── Remediation guidance
+```
+
+---
+
+## 8. Code Pattern Analysis
+
+### High-Risk Patterns
+
+| Pattern | Risk | Look For |
+|---------|------|----------|
+| **String concat in queries** | Injection | `"SELECT * FROM " + user_input` |
+| **Dynamic code execution** | RCE | `eval()`, `exec()`, `Function()` |
+| **Unsafe deserialization** | RCE | `pickle.loads()`, `unserialize()` |
+| **Path manipulation** | Traversal | User input in file paths |
+| **Disabled security** | Various | `verify=False`, `--insecure` |
+
+### Secret Patterns
+
+| Type | Indicators |
+|------|-----------|
+| API Keys | `api_key`, `apikey`, high entropy |
+| Tokens | `token`, `bearer`, `jwt` |
+| Credentials | `password`, `secret`, `key` |
+| Cloud | `AWS_`, `AZURE_`, `GCP_` prefixes |
+
+---
+
+## 9. Cloud Security Considerations
+
+### Shared Responsibility
+
+| Layer | You Own | Provider Owns |
+|-------|---------|---------------|
+| Data | ✅ | ❌ |
+| Application | ✅ | ❌ |
+| OS/Runtime | Depends | Depends |
+| Infrastructure | ❌ | ✅ |
+
+### Cloud-Specific Checks
+
+- IAM: Least privilege applied?
+- Storage: Public buckets?
+- Network: Security groups tightened?
+- Secrets: Using secrets manager?
+
+---
+
+## 10. Anti-Patterns
+
+| ❌ Don't | ✅ Do |
+|----------|-------|
+| Scan without understanding | Map attack surface first |
+| Alert on every CVE | Prioritize by exploitability + asset |
+| Ignore false positives | Maintain verified baseline |
+| Fix symptoms only | Address root causes |
+| Scan once before deploy | Continuous scanning |
+| Trust third-party deps blindly | Verify integrity, audit code |
+
+---
+
+## 11. Reporting Principles
+
+### Finding Structure
+
+Each finding should answer:
+1. **What?** - Clear vulnerability description
+2. **Where?** - Exact location (file, line, endpoint)
+3. **Why?** - Root cause explanation
+4. **Impact?** - Business consequence
+5. **How to fix?** - Specific remediation
+
+### Severity Classification
+
+| Severity | Criteria |
+|----------|----------|
+| **Critical** | RCE, auth bypass, mass data exposure |
+| **High** | Data exposure, privilege escalation |
+| **Medium** | Limited scope, requires conditions |
+| **Low** | Informational, best practice |
+
+---
+
+> **Remember:** Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"

package/content/skills/vulnerability-scanner/checklists.md

@@ -0,0 +1,121 @@
+# Security Checklists
+
+> Quick reference checklists for security audits. Use alongside vulnerability-scanner principles.
+
+---
+
+## OWASP Top 10 Audit Checklist
+
+### A01: Broken Access Control
+- [ ] Authorization on all protected routes
+- [ ] Deny by default
+- [ ] Rate limiting implemented
+- [ ] CORS properly configured
+
+### A02: Cryptographic Failures
+- [ ] Passwords hashed (bcrypt/argon2, cost 12+)
+- [ ] Sensitive data encrypted at rest
+- [ ] TLS 1.2+ for all connections
+- [ ] No secrets in code/logs
+
+### A03: Injection
+- [ ] Parameterized queries
+- [ ] Input validation on all user data
+- [ ] Output encoding for XSS
+- [ ] No eval() or dynamic code execution
+
+### A04: Insecure Design
+- [ ] Threat modeling done
+- [ ] Security requirements defined
+- [ ] Business logic validated
+
+### A05: Security Misconfiguration
+- [ ] Unnecessary features disabled
+- [ ] Error messages sanitized
+- [ ] Security headers configured
+- [ ] Default credentials changed
+
+### A06: Vulnerable Components
+- [ ] Dependencies up to date
+- [ ] No known vulnerabilities
+- [ ] Unused dependencies removed
+
+### A07: Authentication Failures
+- [ ] MFA available
+- [ ] Session invalidation on logout
+- [ ] Session timeout implemented
+- [ ] Brute force protection
+
+### A08: Integrity Failures
+- [ ] Dependency integrity verified
+- [ ] CI/CD pipeline secured
+- [ ] Update mechanism secured
+
+### A09: Logging Failures
+- [ ] Security events logged
+- [ ] Logs protected
+- [ ] No sensitive data in logs
+- [ ] Alerting configured
+
+### A10: SSRF
+- [ ] URL validation implemented
+- [ ] Allow-list for external calls
+- [ ] Network segmentation
+
+---
+
+## Authentication Checklist
+
+- [ ] Strong password policy
+- [ ] Account lockout
+- [ ] Secure password reset
+- [ ] Session management
+- [ ] Token expiration
+- [ ] Logout invalidation
+
+---
+
+## API Security Checklist
+
+- [ ] Authentication required
+- [ ] Authorization per endpoint
+- [ ] Input validation
+- [ ] Rate limiting
+- [ ] Output sanitization
+- [ ] Error handling
+
+---
+
+## Data Protection Checklist
+
+- [ ] Encryption at rest
+- [ ] Encryption in transit
+- [ ] Key management
+- [ ] Data minimization
+- [ ] Secure deletion
+
+---
+
+## Security Headers
+
+| Header | Purpose |
+|--------|---------|
+| **Content-Security-Policy** | XSS prevention |
+| **X-Content-Type-Options** | MIME sniffing |
+| **X-Frame-Options** | Clickjacking |
+| **Strict-Transport-Security** | Force HTTPS |
+| **Referrer-Policy** | Referrer control |
+
+---
+
+## Quick Audit Commands
+
+| Check | What to Look For |
+|-------|------------------|
+| Secrets in code | password, api_key, secret |
+| Dangerous patterns | eval, innerHTML, SQL concat |
+| Dependency issues | npm audit, snyk |
+
+---
+
+> **Usage:** Copy relevant checklists into your PLAN.md or security report.