@musashishao/agent-kit 1.8.1 → 1.9.0

package/.agent/skills/aws-serverless/SKILL.md

@@ -0,0 +1,327 @@
+---
+name: aws-serverless
+description: "Production-ready serverless applications on AWS. Covers Lambda functions, API Gateway, DynamoDB, SQS/SNS event-driven patterns, SAM/CDK deployment, and cold start optimization."
+version: "1.0.0"
+source: "antigravity-awesome-skills (adapted)"
+---
+
+# ☁️ AWS Serverless
+
+You are an AWS serverless expert who has built production applications handling millions of requests. You understand Lambda's execution model, cold starts, and cost optimization strategies.
+
+---
+
+## When to Use This Skill
+
+- Building serverless APIs with Lambda + API Gateway
+- Event-driven architectures with SQS/SNS/EventBridge
+- DynamoDB data modeling and access patterns
+- SAM or CDK infrastructure as code
+- Cold start optimization for latency-sensitive apps
+
+---
+
+## Capabilities
+
+- `aws-lambda`
+- `api-gateway`
+- `dynamodb`
+- `sqs-sns`
+- `eventbridge`
+- `sam-cdk`
+- `step-functions`
+- `s3-events`
+
+---
+
+## 1. Lambda Handler Patterns
+
+### Node.js Handler
+
+```javascript
+// handler.js
+// Initialize OUTSIDE handler (reused across invocations)
+const { DynamoDBClient } = require('@aws-sdk/client-dynamodb');
+const { DynamoDBDocumentClient, GetCommand } = require('@aws-sdk/lib-dynamodb');
+
+const client = new DynamoDBClient({});
+const docClient = DynamoDBDocumentClient.from(client);
+
+exports.handler = async (event, context) => {
+  // Don't wait for event loop to clear
+  context.callbackWaitsForEmptyEventLoop = false;
+  
+  try {
+    const body = typeof event.body === 'string'
+      ? JSON.parse(event.body)
+      : event.body;
+    
+    const result = await processRequest(body);
+    
+    return {
+      statusCode: 200,
+      headers: {
+        'Content-Type': 'application/json',
+        'Access-Control-Allow-Origin': '*'
+      },
+      body: JSON.stringify(result)
+    };
+  } catch (error) {
+    console.error('Error:', JSON.stringify({
+      error: error.message,
+      stack: error.stack,
+      requestId: context.awsRequestId
+    }));
+    
+    return {
+      statusCode: error.statusCode || 500,
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: error.message })
+    };
+  }
+};
+```
+
+### Python Handler
+
+```python
+# handler.py
+import json
+import os
+import logging
+import boto3
+
+# Initialize OUTSIDE handler (reused across invocations)
+logger = logging.getLogger()
+logger.setLevel(logging.INFO)
+
+dynamodb = boto3.resource('dynamodb')
+table = dynamodb.Table(os.environ['TABLE_NAME'])
+
+def handler(event, context):
+    try:
+        body = json.loads(event.get('body', '{}'))
+        result = table.get_item(Key={'id': body['id']})
+        
+        return {
+            'statusCode': 200,
+            'headers': {'Content-Type': 'application/json'},
+            'body': json.dumps(result.get('Item', {}))
+        }
+    except Exception as e:
+        logger.error(f"Error: {str(e)}")
+        return {
+            'statusCode': 500,
+            'body': json.dumps({'error': str(e)})
+        }
+```
+
+---
+
+## 2. SAM Template Pattern
+
+```yaml
+# template.yaml
+AWSTemplateFormatVersion: '2010-09-09'
+Transform: AWS::Serverless-2016-10-31
+
+Globals:
+  Function:
+    Runtime: nodejs20.x
+    Timeout: 30
+    MemorySize: 256
+    Environment:
+      Variables:
+        TABLE_NAME: !Ref ItemsTable
+
+Resources:
+  # HTTP API (recommended)
+  HttpApi:
+    Type: AWS::Serverless::HttpApi
+    Properties:
+      StageName: prod
+      CorsConfiguration:
+        AllowOrigins: ["*"]
+        AllowMethods: [GET, POST, DELETE]
+        AllowHeaders: ["*"]
+
+  # Lambda Functions
+  GetItemFunction:
+    Type: AWS::Serverless::Function
+    Properties:
+      Handler: src/handlers/get.handler
+      Events:
+        GetItem:
+          Type: HttpApi
+          Properties:
+            ApiId: !Ref HttpApi
+            Path: /items/{id}
+            Method: GET
+      Policies:
+        - DynamoDBReadPolicy:
+            TableName: !Ref ItemsTable
+
+  # DynamoDB Table
+  ItemsTable:
+    Type: AWS::DynamoDB::Table
+    Properties:
+      AttributeDefinitions:
+        - AttributeName: id
+          AttributeType: S
+      KeySchema:
+        - AttributeName: id
+          KeyType: HASH
+      BillingMode: PAY_PER_REQUEST
+
+Outputs:
+  ApiUrl:
+    Value: !Sub "https://${HttpApi}.execute-api.${AWS::Region}.amazonaws.com/prod"
+```
+
+---
+
+## 3. Event-Driven Patterns
+
+### SQS Processing
+
+```javascript
+// sqs-handler.js
+exports.handler = async (event) => {
+  const failedRecords = [];
+  
+  for (const record of event.Records) {
+    try {
+      const body = JSON.parse(record.body);
+      await processMessage(body);
+    } catch (error) {
+      console.error(`Failed: ${record.messageId}`, error);
+      failedRecords.push({ itemIdentifier: record.messageId });
+    }
+  }
+  
+  // Partial batch response
+  return {
+    batchItemFailures: failedRecords
+  };
+};
+```
+
+### EventBridge Rule
+
+```yaml
+# SAM template
+ProcessOrderRule:
+  Type: AWS::Events::Rule
+  Properties:
+    EventPattern:
+      source: ["orders"]
+      detail-type: ["OrderCreated"]
+    Targets:
+      - Id: ProcessOrderLambda
+        Arn: !GetAtt ProcessOrderFunction.Arn
+```
+
+---
+
+## 4. DynamoDB Patterns
+
+### Single Table Design
+
+```javascript
+// Access patterns in one table
+const patterns = {
+  // Get user by ID
+  getUser: { PK: 'USER#123', SK: 'PROFILE' },
+  
+  // Get user's orders
+  getUserOrders: { 
+    PK: 'USER#123', 
+    SK: { begins_with: 'ORDER#' }
+  },
+  
+  // Get order by ID (GSI)
+  getOrder: { 
+    GSI1PK: 'ORDER#456',
+    GSI1SK: 'ORDER#456'
+  }
+};
+```
+
+### Access Pattern Matrix
+
+| Access Pattern | PK | SK | Index |
+|----------------|----|----|-------|
+| Get user | USER#{id} | PROFILE | - |
+| User's orders | USER#{id} | ORDER#{date} | - |
+| Order by ID | - | - | GSI1 |
+| Orders by date | - | - | GSI2 |
+
+---
+
+## 5. Cold Start Optimization
+
+| Strategy | Impact | Implementation |
+|----------|--------|----------------|
+| **Provisioned Concurrency** | Best | Keep instances warm |
+| **Smaller packages** | High | Tree-shake, omit dev deps |
+| **ARM64 (Graviton)** | Medium | Faster boot, lower cost |
+| **Connection pooling** | Medium | Initialize outside handler |
+| **Lambda SnapStart** | High | Java only, snapshot restore |
+
+```yaml
+# Provisioned concurrency
+MyFunction:
+  Type: AWS::Serverless::Function
+  Properties:
+    AutoPublishAlias: live
+    ProvisionedConcurrencyConfig:
+      ProvisionedConcurrentExecutions: 5
+```
+
+---
+
+## 6. Anti-Patterns
+
+### ❌ Initialize Inside Handler
+
+```javascript
+// WRONG
+exports.handler = async (event) => {
+  const dynamodb = new DynamoDB();  // Cold on every call!
+};
+
+// CORRECT
+const dynamodb = new DynamoDB();  // Reused!
+exports.handler = async (event) => {};
+```
+
+### ❌ Synchronous Everything
+
+```javascript
+// WRONG: Wait for each
+for (const item of items) {
+  await processItem(item);
+}
+
+// CORRECT: Parallel
+await Promise.all(items.map(processItem));
+```
+
+### ❌ No Dead Letter Queue
+
+```yaml
+# CORRECT: Always add DLQ
+MyFunction:
+  Properties:
+    DeadLetterQueue:
+      Type: SQS
+      TargetArn: !GetAtt DLQ.Arn
+```
+
+---
+
+## Related Skills
+
+- `database-design` - DynamoDB modeling
+- `api-patterns` - REST/GraphQL design
+- `deployment-procedures` - CI/CD for serverless

package/.agent/skills/azure-functions/SKILL.md

@@ -0,0 +1,340 @@
+---
+name: azure-functions
+description: "Azure Functions serverless patterns. Covers HTTP triggers, queue triggers, timer triggers, Durable Functions orchestration, and deployment with Azure CLI/Bicep."
+version: "1.0.0"
+---
+
+# ☁️ Azure Functions
+
+You are an Azure Functions expert who has built event-driven applications at scale. You understand the Azure serverless ecosystem, consumption vs premium plans, and Durable Functions for complex workflows.
+
+---
+
+## When to Use This Skill
+
+- Building serverless APIs on Azure
+- Event-driven processing with queues and blobs
+- Complex workflows with Durable Functions
+- Timer-based scheduled tasks
+- Integration with Azure services
+
+---
+
+## Capabilities
+
+- `azure-functions`
+- `http-trigger`
+- `queue-trigger`
+- `timer-trigger`
+- `durable-functions`
+- `blob-trigger`
+- `cosmosdb-trigger`
+- `bicep-deployment`
+
+---
+
+## 1. HTTP Trigger Pattern
+
+### TypeScript Function
+
+```typescript
+// src/functions/httpTrigger.ts
+import { app, HttpRequest, HttpResponseInit, InvocationContext } from "@azure/functions";
+
+export async function httpTrigger(
+  request: HttpRequest,
+  context: InvocationContext
+): Promise<HttpResponseInit> {
+  context.log(`HTTP function processed request for url "${request.url}"`);
+  
+  try {
+    const body = await request.json() as { name?: string };
+    const name = body.name || request.query.get('name') || 'World';
+    
+    return {
+      status: 200,
+      jsonBody: { message: `Hello, ${name}!` }
+    };
+  } catch (error) {
+    context.error('Error processing request:', error);
+    return {
+      status: 500,
+      jsonBody: { error: 'Internal server error' }
+    };
+  }
+}
+
+app.http('httpTrigger', {
+  methods: ['GET', 'POST'],
+  authLevel: 'function',
+  handler: httpTrigger
+});
+```
+
+### JavaScript Function (v4 Model)
+
+```javascript
+// src/functions/getUser.js
+const { app } = require('@azure/functions');
+const { CosmosClient } = require('@azure/cosmos');
+
+// Initialize outside handler
+const client = new CosmosClient(process.env.COSMOS_CONNECTION);
+const container = client.database('mydb').container('users');
+
+app.http('getUser', {
+  methods: ['GET'],
+  authLevel: 'anonymous',
+  route: 'users/{id}',
+  handler: async (request, context) => {
+    const id = request.params.id;
+    
+    try {
+      const { resource } = await container.item(id, id).read();
+      
+      if (!resource) {
+        return { status: 404, jsonBody: { error: 'User not found' } };
+      }
+      
+      return { jsonBody: resource };
+    } catch (error) {
+      context.error('Error:', error);
+      return { status: 500, jsonBody: { error: error.message } };
+    }
+  }
+});
+```
+
+---
+
+## 2. Queue Trigger Pattern
+
+```typescript
+// src/functions/queueTrigger.ts
+import { app, InvocationContext } from "@azure/functions";
+
+interface QueueMessage {
+  orderId: string;
+  customerId: string;
+  items: Array<{ id: string; quantity: number }>;
+}
+
+export async function processOrder(
+  message: QueueMessage,
+  context: InvocationContext
+): Promise<void> {
+  context.log(`Processing order: ${message.orderId}`);
+  
+  try {
+    // Process the order
+    await processOrderItems(message.items);
+    
+    // Output to another queue
+    context.extraOutputs.set('notification', {
+      type: 'order_processed',
+      orderId: message.orderId
+    });
+  } catch (error) {
+    context.error(`Failed to process order ${message.orderId}:`, error);
+    throw error; // Will move to poison queue after retries
+  }
+}
+
+app.storageQueue('processOrder', {
+  queueName: 'orders',
+  connection: 'AzureWebJobsStorage',
+  handler: processOrder,
+  extraOutputs: [
+    { type: 'storageQueue', queueName: 'notifications', connection: 'AzureWebJobsStorage' }
+  ]
+});
+```
+
+---
+
+## 3. Timer Trigger Pattern
+
+```typescript
+// src/functions/dailyCleanup.ts
+import { app, InvocationContext, Timer } from "@azure/functions";
+
+export async function dailyCleanup(
+  timer: Timer,
+  context: InvocationContext
+): Promise<void> {
+  context.log('Daily cleanup started at:', new Date().toISOString());
+  
+  if (timer.isPastDue) {
+    context.log('Timer is running late!');
+  }
+  
+  // Cleanup logic
+  await cleanupOldRecords();
+  await archiveCompletedOrders();
+  
+  context.log('Daily cleanup completed');
+}
+
+app.timer('dailyCleanup', {
+  // Every day at 2 AM UTC
+  schedule: '0 0 2 * * *',
+  handler: dailyCleanup
+});
+```
+
+---
+
+## 4. Durable Functions Pattern
+
+Orchestrate complex workflows with automatic checkpointing.
+
+```typescript
+// src/functions/orderOrchestrator.ts
+import * as df from "durable-functions";
+import { app, HttpRequest, HttpResponseInit, InvocationContext } from "@azure/functions";
+
+// Orchestrator function
+df.app.orchestration('orderWorkflow', function* (context) {
+  const orderId = context.df.getInput<string>();
+  
+  // Step 1: Validate order
+  const isValid = yield context.df.callActivity('validateOrder', orderId);
+  if (!isValid) {
+    return { status: 'rejected', reason: 'Invalid order' };
+  }
+  
+  // Step 2: Reserve inventory (with retry)
+  const retryOptions = new df.RetryOptions(5000, 3);
+  const reserved = yield context.df.callActivityWithRetry(
+    'reserveInventory', 
+    retryOptions, 
+    orderId
+  );
+  
+  // Step 3: Process payment
+  const payment = yield context.df.callActivity('processPayment', orderId);
+  
+  // Step 4: Ship order (async, wait for external event)
+  const shippingTask = context.df.waitForExternalEvent('shippingConfirmed');
+  const timeoutTask = context.df.createTimer(
+    new Date(context.df.currentUtcDateTime.getTime() + 24 * 60 * 60 * 1000)
+  );
+  
+  const winner = yield context.df.Task.any([shippingTask, timeoutTask]);
+  
+  if (winner === timeoutTask) {
+    return { status: 'failed', reason: 'Shipping timeout' };
+  }
+  
+  return { status: 'completed', orderId };
+});
+
+// Activity functions
+df.app.activity('validateOrder', { handler: async (orderId: string) => true });
+df.app.activity('reserveInventory', { handler: async (orderId: string) => true });
+df.app.activity('processPayment', { handler: async (orderId: string) => ({ success: true }) });
+
+// HTTP starter
+app.http('startOrder', {
+  methods: ['POST'],
+  route: 'orders/start',
+  extraInputs: [df.input.durableClient()],
+  handler: async (request: HttpRequest, context: InvocationContext) => {
+    const client = df.getClient(context);
+    const body = await request.json() as { orderId: string };
+    
+    const instanceId = await client.startNew('orderWorkflow', {
+      input: body.orderId
+    });
+    
+    return client.createCheckStatusResponse(request, instanceId);
+  }
+});
+```
+
+---
+
+## 5. Deployment Pattern (Bicep)
+
+```bicep
+// main.bicep
+param location string = resourceGroup().location
+param functionAppName string
+
+resource storageAccount 'Microsoft.Storage/storageAccounts@2021-02-01' = {
+  name: '${functionAppName}storage'
+  location: location
+  sku: { name: 'Standard_LRS' }
+  kind: 'StorageV2'
+}
+
+resource hostingPlan 'Microsoft.Web/serverfarms@2021-02-01' = {
+  name: '${functionAppName}-plan'
+  location: location
+  sku: {
+    name: 'Y1'
+    tier: 'Dynamic'
+  }
+}
+
+resource functionApp 'Microsoft.Web/sites@2021-02-01' = {
+  name: functionAppName
+  location: location
+  kind: 'functionapp'
+  properties: {
+    serverFarmId: hostingPlan.id
+    siteConfig: {
+      appSettings: [
+        { name: 'AzureWebJobsStorage', value: storageAccount.properties.primaryEndpoints.blob }
+        { name: 'FUNCTIONS_EXTENSION_VERSION', value: '~4' }
+        { name: 'FUNCTIONS_WORKER_RUNTIME', value: 'node' }
+      ]
+    }
+  }
+}
+```
+
+---
+
+## 6. Anti-Patterns
+
+### ❌ Long-Running HTTP Functions
+
+```javascript
+// WRONG: HTTP function running > 230 seconds
+app.http('longProcess', {
+  handler: async (req) => {
+    await processFor10Minutes(); // Will timeout!
+  }
+});
+
+// CORRECT: Use Durable Functions for long processes
+app.http('startLongProcess', {
+  handler: async (req, context) => {
+    const client = df.getClient(context);
+    const instanceId = await client.startNew('longWorkflow');
+    return client.createCheckStatusResponse(req, instanceId);
+  }
+});
+```
+
+### ❌ Cold Start Heavy
+
+```typescript
+// WRONG: Heavy initialization in handler
+export async function handler(req, context) {
+  const client = new HeavyClient(); // Cold every time!
+}
+
+// CORRECT: Initialize outside
+const client = new HeavyClient();
+export async function handler(req, context) {}
+```
+
+---
+
+## Related Skills
+
+- `aws-serverless` - Compare with AWS patterns
+- `database-design` - CosmosDB patterns
+- `api-patterns` - API design

package/.agent/skills/broken-authentication/SKILL.md

@@ -0,0 +1,53 @@
+---
+name: broken-authentication
+description: "Techniques for attacking authentication mechanisms: JWT bypass, Multi-Factor Authentication (MFA) bypass, OAuth flaws, and Session hijacking."
+version: "1.0.0"
+---
+
+# 🔓 Broken Authentication
+
+You are an authentication security expert. You know that login is the most sensitive gate in an app, and developers often take shortcuts in its implementation.
+
+---
+
+## Key Attack Vectors
+
+### 1. JWT (JSON Web Token) Bypasses
+- **None Algorithm**: Change `alg` in header to `None` and remove signature.
+- **Key Confusion**: Use the Public Key to sign as if it were a Private Key (HMAC vs RSA).
+- **Weak Secret**: Brute forcing the JWT secret using `hashcat`.
+
+### 2. MFA Bypass
+- **Response Manipulation**: Change `{"mfa": "required"}` to `{"mfa": "success"}` in the intercepting proxy.
+- **Broken Logic**: Check if you can access `/dashboard` directly after entering the password but *before* the MFA code.
+- **Rate Limit**: Brute force the 4-6 digit MFA code if no lockout is present.
+
+### 3. OAuth 2.0 Flaws
+- **Redirect URI Hijacking**: Changing the `redirect_uri` to a malicious site to steal the code/token.
+- **CSRF via Lack of `state`**: If the `state` parameter is missing or static, you can link a victim's account to your identity.
+
+---
+
+## Session Management Flaws
+| Flaw | Description | Impact |
+|------|-------------|--------|
+| **Fixed Session** | Session ID doesn't change after login. | Session Fixation attack. |
+| **No Secure/HttpOnly** | Cookies accessible via JS. | XSS can steal the session. |
+| **Long Persistence** | Sessions never expire. | Long-term account hijack. |
+
+---
+
+## Checklist for Auth Audit
+- [ ] Is password complexity enforced?
+- [ ] Are brute force attacks possible (no rate limit/lockout)?
+- [ ] Does the session die upon Logout?
+- [ ] Are JWTs signed with a strong, rotated key?
+- [ ] Is MFA truly required for all sensitive actions?
+
+---
+
+## Related Skills
+
+- `burp-suite-testing` - Intercepting auth traffic
+- `ethical-hacking-methodology` - "Gaining Access" phase
+- `idor-testing` - Related authorization flaws