@mrtrinhvn/ag-kit 1.0.10 → 1.1.0

package/.agent/skills/testing-patterns/scripts/test_runner.py

@@ -1,219 +0,0 @@
-#!/usr/bin/env python3
-"""
-Test Runner - Unified test execution and coverage reporting
-Runs tests and generates coverage report based on project type.
-
-Usage:
-    python test_runner.py <project_path> [--coverage]
-
-Supports:
-    - Node.js: npm test, jest, vitest
-    - Python: pytest, unittest
-"""
-
-import subprocess
-import sys
-import json
-from pathlib import Path
-from datetime import datetime
-
-# Fix Windows console encoding
-try:
-    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
-except:
-    pass
-
-
-def detect_test_framework(project_path: Path) -> dict:
-    """Detect test framework and commands."""
-    result = {
-        "type": "unknown",
-        "framework": None,
-        "cmd": None,
-        "coverage_cmd": None
-    }
-    
-    # Node.js project
-    package_json = project_path / "package.json"
-    if package_json.exists():
-        result["type"] = "node"
-        try:
-            pkg = json.loads(package_json.read_text(encoding='utf-8'))
-            scripts = pkg.get("scripts", {})
-            deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
-            
-            # Check for test script
-            if "test" in scripts:
-                result["framework"] = "npm test"
-                result["cmd"] = ["npm", "test"]
-                
-                # Try to detect specific framework for coverage
-                if "vitest" in deps:
-                    result["framework"] = "vitest"
-                    result["coverage_cmd"] = ["npx", "vitest", "run", "--coverage"]
-                elif "jest" in deps:
-                    result["framework"] = "jest"
-                    result["coverage_cmd"] = ["npx", "jest", "--coverage"]
-            elif "vitest" in deps:
-                result["framework"] = "vitest"
-                result["cmd"] = ["npx", "vitest", "run"]
-                result["coverage_cmd"] = ["npx", "vitest", "run", "--coverage"]
-            elif "jest" in deps:
-                result["framework"] = "jest"
-                result["cmd"] = ["npx", "jest"]
-                result["coverage_cmd"] = ["npx", "jest", "--coverage"]
-                
-        except:
-            pass
-    
-    # Python project
-    if (project_path / "pyproject.toml").exists() or (project_path / "requirements.txt").exists():
-        result["type"] = "python"
-        result["framework"] = "pytest"
-        result["cmd"] = ["python", "-m", "pytest", "-v"]
-        result["coverage_cmd"] = ["python", "-m", "pytest", "--cov", "--cov-report=term-missing"]
-    
-    return result
-
-
-def run_tests(cmd: list, cwd: Path) -> dict:
-    """Run tests and return results."""
-    result = {
-        "passed": False,
-        "output": "",
-        "error": "",
-        "tests_run": 0,
-        "tests_passed": 0,
-        "tests_failed": 0
-    }
-    
-    try:
-        proc = subprocess.run(
-            cmd,
-            cwd=str(cwd),
-            capture_output=True,
-            text=True,
-            encoding='utf-8',
-            errors='replace',
-            timeout=300  # 5 min timeout for tests
-        )
-        
-        result["output"] = proc.stdout[:3000] if proc.stdout else ""
-        result["error"] = proc.stderr[:500] if proc.stderr else ""
-        result["passed"] = proc.returncode == 0
-        
-        # Try to parse test counts from output
-        output = proc.stdout or ""
-        
-        # Jest/Vitest pattern: "Tests: X passed, Y failed, Z total"
-        if "passed" in output.lower() and "failed" in output.lower():
-            import re
-            match = re.search(r'(\d+)\s+passed', output, re.IGNORECASE)
-            if match:
-                result["tests_passed"] = int(match.group(1))
-            match = re.search(r'(\d+)\s+failed', output, re.IGNORECASE)
-            if match:
-                result["tests_failed"] = int(match.group(1))
-            result["tests_run"] = result["tests_passed"] + result["tests_failed"]
-        
-        # Pytest pattern: "X passed, Y failed"
-        if "pytest" in str(cmd):
-            import re
-            match = re.search(r'(\d+)\s+passed', output)
-            if match:
-                result["tests_passed"] = int(match.group(1))
-            match = re.search(r'(\d+)\s+failed', output)
-            if match:
-                result["tests_failed"] = int(match.group(1))
-            result["tests_run"] = result["tests_passed"] + result["tests_failed"]
-        
-    except FileNotFoundError:
-        result["error"] = f"Command not found: {cmd[0]}"
-    except subprocess.TimeoutExpired:
-        result["error"] = "Timeout after 300s"
-    except Exception as e:
-        result["error"] = str(e)
-    
-    return result
-
-
-def main():
-    project_path = Path(sys.argv[1] if len(sys.argv) > 1 else ".").resolve()
-    with_coverage = "--coverage" in sys.argv
-    
-    print(f"\n{'='*60}")
-    print(f"[TEST RUNNER] Unified Test Execution")
-    print(f"{'='*60}")
-    print(f"Project: {project_path}")
-    print(f"Coverage: {'enabled' if with_coverage else 'disabled'}")
-    print(f"Time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S')}")
-    
-    # Detect test framework
-    test_info = detect_test_framework(project_path)
-    print(f"Type: {test_info['type']}")
-    print(f"Framework: {test_info['framework']}")
-    print("-"*60)
-    
-    if not test_info["cmd"]:
-        print("No test framework found for this project.")
-        output = {
-            "script": "test_runner",
-            "project": str(project_path),
-            "type": test_info["type"],
-            "framework": None,
-            "passed": True,
-            "message": "No tests configured"
-        }
-        print(json.dumps(output, indent=2))
-        sys.exit(0)
-    
-    # Choose command
-    cmd = test_info["coverage_cmd"] if with_coverage and test_info["coverage_cmd"] else test_info["cmd"]
-    
-    print(f"Running: {' '.join(cmd)}")
-    print("-"*60)
-    
-    # Run tests
-    result = run_tests(cmd, project_path)
-    
-    # Print output (truncated)
-    if result["output"]:
-        lines = result["output"].split("\n")
-        for line in lines[:30]:
-            print(line)
-        if len(lines) > 30:
-            print(f"... ({len(lines) - 30} more lines)")
-    
-    # Summary
-    print("\n" + "="*60)
-    print("SUMMARY")
-    print("="*60)
-    
-    if result["passed"]:
-        print("[PASS] All tests passed")
-    else:
-        print("[FAIL] Some tests failed")
-        if result["error"]:
-            print(f"Error: {result['error'][:200]}")
-    
-    if result["tests_run"] > 0:
-        print(f"Tests: {result['tests_run']} total, {result['tests_passed']} passed, {result['tests_failed']} failed")
-    
-    output = {
-        "script": "test_runner",
-        "project": str(project_path),
-        "type": test_info["type"],
-        "framework": test_info["framework"],
-        "tests_run": result["tests_run"],
-        "tests_passed": result["tests_passed"],
-        "tests_failed": result["tests_failed"],
-        "passed": result["passed"]
-    }
-    
-    print("\n" + json.dumps(output, indent=2))
-    
-    sys.exit(0 if result["passed"] else 1)
-
-
-if __name__ == "__main__":
-    main()

package/.agent/skills/vulnerability-scanner/SKILL.md

@@ -1,276 +0,0 @@
----
-name: vulnerability-scanner
-description: Advanced vulnerability analysis principles. OWASP 2025, Supply Chain Security, attack surface mapping, risk prioritization.
-allowed-tools: Read, Glob, Grep, Bash
----
-
-# Vulnerability Scanner
-
-> Think like an attacker, defend like an expert. 2025 threat landscape awareness.
-
-## 🔧 Runtime Scripts
-
-**Execute for automated validation:**
-
-| Script | Purpose | Usage |
-|--------|---------|-------|
-| `scripts/security_scan.py` | Validate security principles applied | `python scripts/security_scan.py <project_path>` |
-
-## 📋 Reference Files
-
-| File | Purpose |
-|------|---------|
-| [checklists.md](checklists.md) | OWASP Top 10, Auth, API, Data protection checklists |
-
----
-
-## 1. Security Expert Mindset
-
-### Core Principles
-
-| Principle | Application |
-|-----------|-------------|
-| **Assume Breach** | Design as if attacker already inside |
-| **Zero Trust** | Never trust, always verify |
-| **Defense in Depth** | Multiple layers, no single point |
-| **Least Privilege** | Minimum required access only |
-| **Fail Secure** | On error, deny access |
-
-### Threat Modeling Questions
-
-Before scanning, ask:
-1. What are we protecting? (Assets)
-2. Who would attack? (Threat actors)
-3. How would they attack? (Attack vectors)
-4. What's the impact? (Business risk)
-
----
-
-## 2. OWASP Top 10:2025
-
-### Risk Categories
-
-| Rank | Category | Think About |
-|------|----------|-------------|
-| **A01** | Broken Access Control | Who can access what? IDOR, SSRF |
-| **A02** | Security Misconfiguration | Defaults, headers, exposed services |
-| **A03** | Software Supply Chain 🆕 | Dependencies, CI/CD, build integrity |
-| **A04** | Cryptographic Failures | Weak crypto, exposed secrets |
-| **A05** | Injection | User input → system commands |
-| **A06** | Insecure Design | Flawed architecture |
-| **A07** | Authentication Failures | Session, credential management |
-| **A08** | Integrity Failures | Unsigned updates, tampered data |
-| **A09** | Logging & Alerting | Blind spots, no monitoring |
-| **A10** | Exceptional Conditions 🆕 | Error handling, fail-open states |
-
-### 2025 Key Changes
-
-```
-2021 → 2025 Shifts:
-├── SSRF merged into A01 (Access Control)
-├── A02 elevated (Cloud/Container configs)
-├── A03 NEW: Supply Chain (major focus)
-├── A10 NEW: Exceptional Conditions
-└── Focus shift: Root causes > Symptoms
-```
-
----
-
-## 3. Supply Chain Security (A03)
-
-### Attack Surface
-
-| Vector | Risk | Question to Ask |
-|--------|------|-----------------|
-| **Dependencies** | Malicious packages | Do we audit new deps? |
-| **Lock files** | Integrity attacks | Are they committed? |
-| **Build pipeline** | CI/CD compromise | Who can modify? |
-| **Registry** | Typosquatting | Verified sources? |
-
-### Defense Principles
-
-- Verify package integrity (checksums)
-- Pin versions, audit updates
-- Use private registries for critical deps
-- Sign and verify artifacts
-
----
-
-## 4. Attack Surface Mapping
-
-### What to Map
-
-| Category | Elements |
-|----------|----------|
-| **Entry Points** | APIs, forms, file uploads |
-| **Data Flows** | Input → Process → Output |
-| **Trust Boundaries** | Where auth/authz checked |
-| **Assets** | Secrets, PII, business data |
-
-### Prioritization Matrix
-
-```
-Risk = Likelihood × Impact
-
-High Impact + High Likelihood → CRITICAL
-High Impact + Low Likelihood  → HIGH
-Low Impact + High Likelihood  → MEDIUM
-Low Impact + Low Likelihood   → LOW
-```
-
----
-
-## 5. Risk Prioritization
-
-### CVSS + Context
-
-| Factor | Weight | Question |
-|--------|--------|----------|
-| **CVSS Score** | Base severity | How severe is the vuln? |
-| **EPSS Score** | Exploit likelihood | Is it being exploited? |
-| **Asset Value** | Business context | What's at risk? |
-| **Exposure** | Attack surface | Internet-facing? |
-
-### Prioritization Decision Tree
-
-```
-Is it actively exploited (EPSS >0.5)?
-├── YES → CRITICAL: Immediate action
-└── NO → Check CVSS
-         ├── CVSS ≥9.0 → HIGH
-         ├── CVSS 7.0-8.9 → Consider asset value
-         └── CVSS <7.0 → Schedule for later
-```
-
----
-
-## 6. Exceptional Conditions (A10 - New)
-
-### Fail-Open vs Fail-Closed
-
-| Scenario | Fail-Open (BAD) | Fail-Closed (GOOD) |
-|----------|-----------------|---------------------|
-| Auth error | Allow access | Deny access |
-| Parsing fails | Accept input | Reject input |
-| Timeout | Retry forever | Limit + abort |
-
-### What to Check
-
-- Exception handlers that catch-all and ignore
-- Missing error handling on security operations
-- Race conditions in auth/authz
-- Resource exhaustion scenarios
-
----
-
-## 7. Scanning Methodology
-
-### Phase-Based Approach
-
-```
-1. RECONNAISSANCE
-   └── Understand the target
-       ├── Technology stack
-       ├── Entry points
-       └── Data flows
-
-2. DISCOVERY
-   └── Identify potential issues
-       ├── Configuration review
-       ├── Dependency analysis
-       └── Code pattern search
-
-3. ANALYSIS
-   └── Validate and prioritize
-       ├── False positive elimination
-       ├── Risk scoring
-       └── Attack chain mapping
-
-4. REPORTING
-   └── Actionable findings
-       ├── Clear reproduction steps
-       ├── Business impact
-       └── Remediation guidance
-```
-
----
-
-## 8. Code Pattern Analysis
-
-### High-Risk Patterns
-
-| Pattern | Risk | Look For |
-|---------|------|----------|
-| **String concat in queries** | Injection | `"SELECT * FROM " + user_input` |
-| **Dynamic code execution** | RCE | `eval()`, `exec()`, `Function()` |
-| **Unsafe deserialization** | RCE | `pickle.loads()`, `unserialize()` |
-| **Path manipulation** | Traversal | User input in file paths |
-| **Disabled security** | Various | `verify=False`, `--insecure` |
-
-### Secret Patterns
-
-| Type | Indicators |
-|------|-----------|
-| API Keys | `api_key`, `apikey`, high entropy |
-| Tokens | `token`, `bearer`, `jwt` |
-| Credentials | `password`, `secret`, `key` |
-| Cloud | `AWS_`, `AZURE_`, `GCP_` prefixes |
-
----
-
-## 9. Cloud Security Considerations
-
-### Shared Responsibility
-
-| Layer | You Own | Provider Owns |
-|-------|---------|---------------|
-| Data | ✅ | ❌ |
-| Application | ✅ | ❌ |
-| OS/Runtime | Depends | Depends |
-| Infrastructure | ❌ | ✅ |
-
-### Cloud-Specific Checks
-
-- IAM: Least privilege applied?
-- Storage: Public buckets?
-- Network: Security groups tightened?
-- Secrets: Using secrets manager?
-
----
-
-## 10. Anti-Patterns
-
-| ❌ Don't | ✅ Do |
-|----------|-------|
-| Scan without understanding | Map attack surface first |
-| Alert on every CVE | Prioritize by exploitability + asset |
-| Ignore false positives | Maintain verified baseline |
-| Fix symptoms only | Address root causes |
-| Scan once before deploy | Continuous scanning |
-| Trust third-party deps blindly | Verify integrity, audit code |
-
----
-
-## 11. Reporting Principles
-
-### Finding Structure
-
-Each finding should answer:
-1. **What?** - Clear vulnerability description
-2. **Where?** - Exact location (file, line, endpoint)
-3. **Why?** - Root cause explanation
-4. **Impact?** - Business consequence
-5. **How to fix?** - Specific remediation
-
-### Severity Classification
-
-| Severity | Criteria |
-|----------|----------|
-| **Critical** | RCE, auth bypass, mass data exposure |
-| **High** | Data exposure, privilege escalation |
-| **Medium** | Limited scope, requires conditions |
-| **Low** | Informational, best practice |
-
----
-
-> **Remember:** Vulnerability scanning finds issues. Expert thinking prioritizes what matters. Always ask: "What would an attacker do with this?"

package/.agent/skills/vulnerability-scanner/checklists.md

@@ -1,121 +0,0 @@
-# Security Checklists
-
-> Quick reference checklists for security audits. Use alongside vulnerability-scanner principles.
-
----
-
-## OWASP Top 10 Audit Checklist
-
-### A01: Broken Access Control
-- [ ] Authorization on all protected routes
-- [ ] Deny by default
-- [ ] Rate limiting implemented
-- [ ] CORS properly configured
-
-### A02: Cryptographic Failures
-- [ ] Passwords hashed (bcrypt/argon2, cost 12+)
-- [ ] Sensitive data encrypted at rest
-- [ ] TLS 1.2+ for all connections
-- [ ] No secrets in code/logs
-
-### A03: Injection
-- [ ] Parameterized queries
-- [ ] Input validation on all user data
-- [ ] Output encoding for XSS
-- [ ] No eval() or dynamic code execution
-
-### A04: Insecure Design
-- [ ] Threat modeling done
-- [ ] Security requirements defined
-- [ ] Business logic validated
-
-### A05: Security Misconfiguration
-- [ ] Unnecessary features disabled
-- [ ] Error messages sanitized
-- [ ] Security headers configured
-- [ ] Default credentials changed
-
-### A06: Vulnerable Components
-- [ ] Dependencies up to date
-- [ ] No known vulnerabilities
-- [ ] Unused dependencies removed
-
-### A07: Authentication Failures
-- [ ] MFA available
-- [ ] Session invalidation on logout
-- [ ] Session timeout implemented
-- [ ] Brute force protection
-
-### A08: Integrity Failures
-- [ ] Dependency integrity verified
-- [ ] CI/CD pipeline secured
-- [ ] Update mechanism secured
-
-### A09: Logging Failures
-- [ ] Security events logged
-- [ ] Logs protected
-- [ ] No sensitive data in logs
-- [ ] Alerting configured
-
-### A10: SSRF
-- [ ] URL validation implemented
-- [ ] Allow-list for external calls
-- [ ] Network segmentation
-
----
-
-## Authentication Checklist
-
-- [ ] Strong password policy
-- [ ] Account lockout
-- [ ] Secure password reset
-- [ ] Session management
-- [ ] Token expiration
-- [ ] Logout invalidation
-
----
-
-## API Security Checklist
-
-- [ ] Authentication required
-- [ ] Authorization per endpoint
-- [ ] Input validation
-- [ ] Rate limiting
-- [ ] Output sanitization
-- [ ] Error handling
-
----
-
-## Data Protection Checklist
-
-- [ ] Encryption at rest
-- [ ] Encryption in transit
-- [ ] Key management
-- [ ] Data minimization
-- [ ] Secure deletion
-
----
-
-## Security Headers
-
-| Header | Purpose |
-|--------|---------|
-| **Content-Security-Policy** | XSS prevention |
-| **X-Content-Type-Options** | MIME sniffing |
-| **X-Frame-Options** | Clickjacking |
-| **Strict-Transport-Security** | Force HTTPS |
-| **Referrer-Policy** | Referrer control |
-
----
-
-## Quick Audit Commands
-
-| Check | What to Look For |
-|-------|------------------|
-| Secrets in code | password, api_key, secret |
-| Dangerous patterns | eval, innerHTML, SQL concat |
-| Dependency issues | npm audit, snyk |
-
----
-
-> **Usage:** Copy relevant checklists into your PLAN.md or security report.