@musashishao/agent-kit 1.8.1 → 1.9.0

package/.agent/skills/graphql/SKILL.md

@@ -0,0 +1,492 @@
+---
+name: graphql
+description: "GraphQL gives clients exactly the data they need. Covers schema design, resolvers, DataLoader for N+1 prevention, federation, and client integration with Apollo/urql."
+version: "1.0.0"
+source: "antigravity-awesome-skills (adapted)"
+---
+
+# 🔮 GraphQL
+
+You're a developer who has built GraphQL APIs at scale. You've seen the N+1 query problem bring down production servers. You know that GraphQL's power is also its danger.
+
+**Key insight**: GraphQL is a contract. The schema is the API documentation. Design it carefully.
+
+---
+
+## When to Use This Skill
+
+- Building APIs with complex data requirements
+- Clients need flexible data fetching
+- Multiple frontends (web, mobile) sharing API
+- Microservices needing unified graph
+- Real-time subscriptions
+
+---
+
+## Capabilities
+
+- `graphql-schema-design`
+- `graphql-resolvers`
+- `graphql-federation`
+- `graphql-subscriptions`
+- `graphql-dataloader`
+- `graphql-codegen`
+- `apollo-server`
+- `apollo-client`
+
+---
+
+## 1. Schema Design
+
+### Type-Safe Schema
+
+```graphql
+# schema.graphql
+
+# Custom scalars
+scalar DateTime
+scalar UUID
+
+# Enums
+enum OrderStatus {
+  PENDING
+  PROCESSING
+  SHIPPED
+  DELIVERED
+  CANCELLED
+}
+
+# Types with relations
+type User {
+  id: UUID!
+  email: String!
+  name: String
+  avatar: String
+  createdAt: DateTime!
+  orders: [Order!]!
+  ordersCount: Int!
+}
+
+type Order {
+  id: UUID!
+  status: OrderStatus!
+  total: Float!
+  items: [OrderItem!]!
+  user: User!
+  createdAt: DateTime!
+  updatedAt: DateTime!
+}
+
+type OrderItem {
+  id: UUID!
+  quantity: Int!
+  unitPrice: Float!
+  product: Product!
+}
+
+type Product {
+  id: UUID!
+  name: String!
+  description: String
+  price: Float!
+  inventory: Int!
+  category: Category!
+}
+
+# Paginated response
+type UserConnection {
+  edges: [UserEdge!]!
+  pageInfo: PageInfo!
+  totalCount: Int!
+}
+
+type UserEdge {
+  node: User!
+  cursor: String!
+}
+
+type PageInfo {
+  hasNextPage: Boolean!
+  hasPreviousPage: Boolean!
+  startCursor: String
+  endCursor: String
+}
+
+# Queries
+type Query {
+  user(id: UUID!): User
+  users(first: Int, after: String): UserConnection!
+  order(id: UUID!): Order
+  products(category: String, limit: Int = 20): [Product!]!
+}
+
+# Mutations
+type Mutation {
+  createUser(input: CreateUserInput!): User!
+  updateUser(id: UUID!, input: UpdateUserInput!): User!
+  createOrder(input: CreateOrderInput!): Order!
+  cancelOrder(id: UUID!): Order!
+}
+
+# Input types
+input CreateUserInput {
+  email: String!
+  name: String
+  password: String!
+}
+
+input UpdateUserInput {
+  name: String
+  avatar: String
+}
+
+input CreateOrderInput {
+  items: [OrderItemInput!]!
+}
+
+input OrderItemInput {
+  productId: UUID!
+  quantity: Int!
+}
+
+# Subscriptions
+type Subscription {
+  orderStatusChanged(orderId: UUID!): Order!
+}
+```
+
+---
+
+## 2. Resolvers with DataLoader
+
+### DataLoader for N+1 Prevention
+
+```typescript
+// dataloaders.ts
+import DataLoader from 'dataloader';
+import { prisma } from './prisma';
+
+export function createLoaders() {
+  return {
+    user: new DataLoader<string, User>(async (ids) => {
+      const users = await prisma.user.findMany({
+        where: { id: { in: [...ids] } }
+      });
+      
+      // Map results to match input order
+      const userMap = new Map(users.map(u => [u.id, u]));
+      return ids.map(id => userMap.get(id) || null);
+    }),
+    
+    product: new DataLoader<string, Product>(async (ids) => {
+      const products = await prisma.product.findMany({
+        where: { id: { in: [...ids] } }
+      });
+      const productMap = new Map(products.map(p => [p.id, p]));
+      return ids.map(id => productMap.get(id) || null);
+    }),
+    
+    // Batch load related items
+    orderItems: new DataLoader<string, OrderItem[]>(async (orderIds) => {
+      const items = await prisma.orderItem.findMany({
+        where: { orderId: { in: [...orderIds] } }
+      });
+      
+      // Group by orderId
+      const itemsByOrder = new Map<string, OrderItem[]>();
+      items.forEach(item => {
+        const existing = itemsByOrder.get(item.orderId) || [];
+        existing.push(item);
+        itemsByOrder.set(item.orderId, existing);
+      });
+      
+      return orderIds.map(id => itemsByOrder.get(id) || []);
+    }),
+  };
+}
+
+export type Loaders = ReturnType<typeof createLoaders>;
+```
+
+### Resolvers
+
+```typescript
+// resolvers.ts
+import { GraphQLContext } from './context';
+
+export const resolvers = {
+  Query: {
+    user: async (_, { id }, ctx: GraphQLContext) => {
+      return ctx.loaders.user.load(id);
+    },
+    
+    users: async (_, { first = 20, after }, ctx: GraphQLContext) => {
+      const cursor = after ? { id: after } : undefined;
+      
+      const users = await ctx.prisma.user.findMany({
+        take: first + 1, // Fetch one extra for hasNextPage
+        cursor,
+        skip: cursor ? 1 : 0,
+        orderBy: { createdAt: 'desc' }
+      });
+      
+      const hasNextPage = users.length > first;
+      const edges = users.slice(0, first).map(user => ({
+        node: user,
+        cursor: user.id
+      }));
+      
+      return {
+        edges,
+        pageInfo: {
+          hasNextPage,
+          hasPreviousPage: !!after,
+          startCursor: edges[0]?.cursor,
+          endCursor: edges[edges.length - 1]?.cursor
+        },
+        totalCount: await ctx.prisma.user.count()
+      };
+    },
+  },
+  
+  Mutation: {
+    createUser: async (_, { input }, ctx: GraphQLContext) => {
+      return ctx.prisma.user.create({
+        data: {
+          email: input.email,
+          name: input.name,
+          passwordHash: await hash(input.password)
+        }
+      });
+    },
+    
+    createOrder: async (_, { input }, ctx: GraphQLContext) => {
+      // Verify auth
+      if (!ctx.user) {
+        throw new Error('Unauthorized');
+      }
+      
+      return ctx.prisma.$transaction(async (tx) => {
+        // Calculate total
+        const products = await tx.product.findMany({
+          where: { id: { in: input.items.map(i => i.productId) } }
+        });
+        
+        const total = input.items.reduce((sum, item) => {
+          const product = products.find(p => p.id === item.productId);
+          return sum + (product?.price ?? 0) * item.quantity;
+        }, 0);
+        
+        // Create order
+        return tx.order.create({
+          data: {
+            userId: ctx.user.id,
+            status: 'PENDING',
+            total,
+            items: {
+              create: input.items.map(item => ({
+                productId: item.productId,
+                quantity: item.quantity,
+                unitPrice: products.find(p => p.id === item.productId)?.price ?? 0
+              }))
+            }
+          }
+        });
+      });
+    }
+  },
+  
+  // Field resolvers
+  User: {
+    orders: (user, _, ctx: GraphQLContext) => {
+      return ctx.prisma.order.findMany({
+        where: { userId: user.id }
+      });
+    },
+    ordersCount: (user, _, ctx: GraphQLContext) => {
+      return ctx.prisma.order.count({
+        where: { userId: user.id }
+      });
+    }
+  },
+  
+  Order: {
+    user: (order, _, ctx: GraphQLContext) => {
+      return ctx.loaders.user.load(order.userId);
+    },
+    items: (order, _, ctx: GraphQLContext) => {
+      return ctx.loaders.orderItems.load(order.id);
+    }
+  },
+  
+  OrderItem: {
+    product: (item, _, ctx: GraphQLContext) => {
+      return ctx.loaders.product.load(item.productId);
+    }
+  }
+};
+```
+
+---
+
+## 3. Apollo Server Setup
+
+```typescript
+// server.ts
+import { ApolloServer } from '@apollo/server';
+import { expressMiddleware } from '@apollo/server/express4';
+import { createLoaders } from './dataloaders';
+import { prisma } from './prisma';
+import { typeDefs } from './schema';
+import { resolvers } from './resolvers';
+
+const server = new ApolloServer({
+  typeDefs,
+  resolvers,
+  plugins: [
+    // Disable introspection in production
+    ...(process.env.NODE_ENV === 'production' 
+      ? [{ async serverWillStart() { return { async drainServer() {} }; } }]
+      : []),
+  ],
+  validationRules: [
+    // Limit query depth
+    depthLimit(10),
+    // Limit query complexity
+    createComplexityLimitRule(1000),
+  ],
+});
+
+await server.start();
+
+app.use(
+  '/graphql',
+  expressMiddleware(server, {
+    context: async ({ req }) => {
+      const token = req.headers.authorization?.replace('Bearer ', '');
+      const user = token ? await verifyToken(token) : null;
+      
+      return {
+        user,
+        prisma,
+        loaders: createLoaders(), // Fresh loaders per request
+      };
+    },
+  })
+);
+```
+
+---
+
+## 4. Apollo Client Setup
+
+```typescript
+// lib/apollo-client.ts
+import { ApolloClient, InMemoryCache, createHttpLink } from '@apollo/client';
+
+const httpLink = createHttpLink({
+  uri: process.env.NEXT_PUBLIC_GRAPHQL_URL,
+});
+
+export const apolloClient = new ApolloClient({
+  link: httpLink,
+  cache: new InMemoryCache({
+    typePolicies: {
+      Query: {
+        fields: {
+          users: {
+            // Cursor-based pagination
+            keyArgs: false,
+            merge(existing, incoming, { args }) {
+              if (!args?.after) {
+                return incoming;
+              }
+              return {
+                ...incoming,
+                edges: [...(existing?.edges ?? []), ...incoming.edges],
+              };
+            },
+          },
+        },
+      },
+    },
+  }),
+});
+```
+
+---
+
+## 5. Anti-Patterns
+
+### ❌ No DataLoader
+
+```typescript
+// WRONG: N+1 queries
+const Order = {
+  items: async (order) => {
+    return prisma.orderItem.findMany({ where: { orderId: order.id } });
+    // 100 orders = 100 queries!
+  }
+};
+
+// CORRECT: Use DataLoader
+const Order = {
+  items: (order, _, ctx) => ctx.loaders.orderItems.load(order.id)
+  // 100 orders = 1 batched query!
+};
+```
+
+### ❌ No Query Depth Limiting
+
+```graphql
+# WRONG: Allow unlimited depth
+query DeeplyNested {
+  user(id: "1") {
+    orders {
+      items {
+        product {
+          category {
+            products {
+              # ... infinite nesting
+            }
+          }
+        }
+      }
+    }
+  }
+}
+```
+
+### ❌ Introspection in Production
+
+```typescript
+// WRONG: Schema exposed in production
+const server = new ApolloServer({ typeDefs, resolvers });
+
+// CORRECT: Disable introspection
+const server = new ApolloServer({
+  typeDefs,
+  resolvers,
+  introspection: process.env.NODE_ENV !== 'production',
+});
+```
+
+---
+
+## 6. Sharp Edges
+
+| Issue | Severity | Solution |
+|-------|----------|----------|
+| N+1 queries | Critical | USE DATALOADER |
+| Deep nesting DoS | Critical | LIMIT DEPTH AND COMPLEXITY |
+| Introspection exposed | High | DISABLE IN PRODUCTION |
+| Auth only in directives | High | AUTHORIZE IN RESOLVERS |
+| Non-null cascading nulls | Medium | DESIGN NULLABILITY |
+
+---
+
+## Related Skills
+
+- `api-patterns` - REST comparison
+- `database-design` - Schema design
+- `prisma-expert` - ORM integration

package/.agent/skills/idor-testing/SKILL.md

@@ -0,0 +1,64 @@
+---
+name: idor-testing
+description: "Specialized skill for finding Insecure Direct Object Reference (IDOR) vulnerabilities. Covers parameter tampering, mass assignment, and BOLA (API)."
+version: "1.0.0"
+---
+
+# 🔑 IDOR Testing
+
+You are a Bug Bounty hunter who specializes in IDORs—the most common and impactful web vulnerability. You understand that IDOR is a logic flaw that scanners almost always miss.
+
+---
+
+## What is IDOR?
+When an application uses user-supplied input to access objects directly without an authorization check.
+- **Example**: `/api/v1/orders/1001` -> works. Change to `/api/v1/orders/1002` -> access another user's order.
+
+---
+
+## Advanced IDOR Patterns
+
+### 1. Parameter Pollution
+Standard IDOR: `?id=123`
+Bypass: `?id=123&id=456` (Server might process the second one while checking the first).
+
+### 2. ID Type Conversion
+`GET /user/123` -> Forbidden.
+Try: `GET /user/admin` or `GET /user/me`.
+
+### 3. Path Traversal in API
+`GET /api/users/123/profile` -> Forbidden.
+Try: `GET /api/users/999/../123/profile`.
+
+### 4. Wrapped IDOR (JSON)
+```json
+// Original
+{ "user_id": 123 }
+
+// Attempt
+{ "user_id": [123, 456] }
+{ "user_id": { "id": 456 } }
+```
+
+---
+
+## Broken Object Level Authorization (BOLA)
+The API version of IDOR.
+- **Technique**: Use a GUID instead of an Integer. 
+- **Bypass**: Where do you get the GUIDs? Try public profile pages, search results, or leak them from another API endpoint (e.g., `GET /api/v1/search?q=...`).
+
+---
+
+## Testing Workflow (The "Two User" Method)
+1. Login as **User A** and **User B**.
+2. Intercept User A's request to "Update Profile".
+3. Replace User A's ID/Token with User B's ID/Token.
+4. If User B's profile is updated while using User A's session -> **CRITICAL IDOR**.
+
+---
+
+## Related Skills
+
+- `burp-suite-testing` - The primary tool for IDOR
+- `api-fuzzing-bug-bounty` - Scaling IDOR testing
+- `broken-authentication` - Related auth flaws

package/.agent/skills/inngest/SKILL.md

@@ -0,0 +1,128 @@
+---
+name: inngest
+description: "Expertise in building reliable, event-driven applications with Inngest. Covers durable functions, background jobs, and multi-step workflows."
+version: "1.0.0"
+---
+
+# ⚡ Inngest
+
+You are an expert in Inngest—the durable execution engine for TypeScript. You know how to build background jobs, delayed functions, and complex multi-step workflows without managing queues or cron infrastructure.
+
+---
+
+## When to Use This Skill
+
+- Building background jobs in Next.js/Edge environments
+- Implementing multi-step AI pipelines (e.g., Generate -> Review -> Notify)
+- Setting up durable cron jobs
+- Handling high-concurrency event processing
+- Orchestrating complex user onboarding flows
+
+---
+
+## Capabilities
+
+- `durable-functions`
+- `event-driven-architecture`
+- `step-functions-in-typescript`
+- `background-job-management`
+- `inngest-middleware`
+- `fan-out-fan-in-patterns`
+
+---
+
+## 1. Defining Functions
+
+Inngest functions are event-driven and durable by default.
+
+```typescript
+import { Inngest } from "inngest";
+
+const inngest = new Inngest({ id: "my-app" });
+
+export const helloWorld = inngest.createFunction(
+  { id: "hello-world" },
+  { event: "test/hello.world" },
+  async ({ event, step }) => {
+    await step.run("log-hello", () => {
+      console.log("Hello", event.data.name);
+    });
+    
+    const result = await step.run("calculate", () => 2 + 2);
+    
+    return { result };
+  }
+);
+```
+
+---
+
+## 2. Multi-Step AI Workflow
+
+A common pattern for AI agents where steps might time out or need retries.
+
+```typescript
+export const processArticle = inngest.createFunction(
+  { id: "process-article", retries: 3 },
+  { event: "article/submitted" },
+  async ({ event, step }) => {
+    // 1. Generate Summary
+    const summary = await step.run("generate-summary", async () => {
+      return await llm.summarize(event.data.text);
+    });
+
+    // 2. Wait for a specific duration or external signal
+    await step.sleep("wait-for-review", "1h");
+
+    // 3. Notify user
+    await step.run("notify-user", async () => {
+      await resend.emails.send({
+        to: event.data.email,
+        subject: "Your summary is ready",
+        text: summary
+      });
+    });
+  }
+);
+```
+
+---
+
+## 3. Fan-Out Pattern (Batch Processing)
+
+```typescript
+export const handleMigration = inngest.createFunction(
+  { id: "master-migration" },
+  { event: "db/migrate-all" },
+  async ({ step }) => {
+    const users = await step.run("fetch-users", () => db.users.findMany());
+
+    // Fan-out: create a separate function execution for each user
+    const events = users.map(user => ({
+      name: "db/user.migrate",
+      data: { userId: user.id }
+    }));
+
+    await step.sendEvent("send-migration-events", events);
+  }
+);
+```
+
+---
+
+## 4. Advanced Features
+
+| Feature | Description |
+|---------|-------------|
+| **Concurrency** | Limit how many instances of a function run at once. |
+| **Idempotency** | Ensure functions only process the same event once via `idempotencyKey`. |
+| **Cancellation** | Stop a running workflow if a specific event is received (e.g., `order/cancelled`). |
+| **Throttling** | Limit events over a duration per user. |
+
+---
+
+## Related Skills
+
+- `api-patterns` - For event design
+- `nodejs-best-practices` - General backend
+- `bullmq-specialist` - Alternative for complex Redis-based queues