@musashishao/agent-kit 1.8.2 → 1.9.1

package/.agent/skills/clerk-auth/SKILL.md

@@ -0,0 +1,432 @@
+---
+name: clerk-auth
+description: "Clerk authentication integration for Next.js. Modern auth with pre-built components, organizations, MFA, and seamless user management."
+version: "1.0.0"
+---
+
+# 🔐 Clerk Auth
+
+You are a Clerk authentication expert. Clerk provides drop-in auth components, user management, organizations, and session handling that works seamlessly with Next.js App Router.
+
+---
+
+## When to Use This Skill
+
+- Need quick, polished auth UI
+- Organization/team management required
+- Multi-factor authentication needed
+- Want managed user profiles
+- Need webhooks for user events
+
+---
+
+## Capabilities
+
+- `clerk-auth`
+- `clerk-organizations`
+- `clerk-webhooks`
+- `clerk-middleware`
+- `clerk-components`
+
+---
+
+## 1. Setup
+
+```bash
+npm install @clerk/nextjs
+```
+
+### Environment Variables
+
+```env
+NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY=pk_test_...
+CLERK_SECRET_KEY=sk_test_...
+
+NEXT_PUBLIC_CLERK_SIGN_IN_URL=/sign-in
+NEXT_PUBLIC_CLERK_SIGN_UP_URL=/sign-up
+NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL=/dashboard
+NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL=/dashboard
+```
+
+### Provider Setup
+
+```typescript
+// app/layout.tsx
+import { ClerkProvider } from '@clerk/nextjs'
+
+export default function RootLayout({
+  children,
+}: {
+  children: React.ReactNode
+}) {
+  return (
+    <ClerkProvider>
+      <html lang="en">
+        <body>{children}</body>
+      </html>
+    </ClerkProvider>
+  )
+}
+```
+
+---
+
+## 2. Middleware
+
+```typescript
+// middleware.ts
+import { clerkMiddleware, createRouteMatcher } from '@clerk/nextjs/server'
+
+const isPublicRoute = createRouteMatcher([
+  '/',
+  '/sign-in(.*)',
+  '/sign-up(.*)',
+  '/api/webhooks(.*)',
+])
+
+const isProtectedRoute = createRouteMatcher([
+  '/dashboard(.*)',
+  '/settings(.*)',
+  '/api/protected(.*)',
+])
+
+export default clerkMiddleware(async (auth, request) => {
+  if (isProtectedRoute(request)) {
+    await auth.protect()
+  }
+})
+
+export const config = {
+  matcher: ['/((?!.*\\..*|_next).*)', '/', '/(api|trpc)(.*)'],
+}
+```
+
+---
+
+## 3. Pre-built Components
+
+### Sign In/Up Pages
+
+```typescript
+// app/sign-in/[[...sign-in]]/page.tsx
+import { SignIn } from '@clerk/nextjs'
+
+export default function SignInPage() {
+  return (
+    <div className="flex min-h-screen items-center justify-center">
+      <SignIn 
+        appearance={{
+          elements: {
+            formButtonPrimary: 'bg-primary hover:bg-primary/90',
+            footerActionLink: 'text-primary hover:text-primary/90',
+          }
+        }}
+      />
+    </div>
+  )
+}
+
+// app/sign-up/[[...sign-up]]/page.tsx
+import { SignUp } from '@clerk/nextjs'
+
+export default function SignUpPage() {
+  return (
+    <div className="flex min-h-screen items-center justify-center">
+      <SignUp />
+    </div>
+  )
+}
+```
+
+### User Button
+
+```typescript
+// components/navbar.tsx
+import { SignedIn, SignedOut, UserButton, SignInButton } from '@clerk/nextjs'
+
+export function Navbar() {
+  return (
+    <nav className="flex items-center justify-between p-4">
+      <Logo />
+      
+      <SignedIn>
+        <UserButton 
+          afterSignOutUrl="/"
+          appearance={{
+            elements: {
+              avatarBox: 'h-10 w-10'
+            }
+          }}
+        />
+      </SignedIn>
+      
+      <SignedOut>
+        <SignInButton mode="modal">
+          <button className="btn btn-primary">Sign In</button>
+        </SignInButton>
+      </SignedOut>
+    </nav>
+  )
+}
+```
+
+---
+
+## 4. Server-Side Auth
+
+### In Server Components
+
+```typescript
+// app/dashboard/page.tsx
+import { auth, currentUser } from '@clerk/nextjs/server'
+import { redirect } from 'next/navigation'
+
+export default async function DashboardPage() {
+  const { userId } = await auth()
+  
+  if (!userId) {
+    redirect('/sign-in')
+  }
+  
+  const user = await currentUser()
+  
+  return (
+    <div>
+      <h1>Welcome, {user?.firstName}!</h1>
+      <p>Email: {user?.emailAddresses[0]?.emailAddress}</p>
+    </div>
+  )
+}
+```
+
+### In Server Actions
+
+```typescript
+// app/actions.ts
+'use server'
+
+import { auth } from '@clerk/nextjs/server'
+import { prisma } from '@/lib/prisma'
+
+export async function createPost(data: { title: string; content: string }) {
+  const { userId } = await auth()
+  
+  if (!userId) {
+    throw new Error('Unauthorized')
+  }
+  
+  return prisma.post.create({
+    data: {
+      ...data,
+      authorId: userId,
+    }
+  })
+}
+```
+
+### In API Routes
+
+```typescript
+// app/api/protected/route.ts
+import { auth } from '@clerk/nextjs/server'
+import { NextResponse } from 'next/server'
+
+export async function GET() {
+  const { userId } = await auth()
+  
+  if (!userId) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+  
+  // Fetch user-specific data
+  const data = await getUserData(userId)
+  
+  return NextResponse.json(data)
+}
+```
+
+---
+
+## 5. Client-Side Auth
+
+```typescript
+'use client'
+
+import { useAuth, useUser } from '@clerk/nextjs'
+
+export function ProfileCard() {
+  const { isLoaded, isSignedIn, user } = useUser()
+  const { signOut, getToken } = useAuth()
+  
+  if (!isLoaded) {
+    return <div>Loading...</div>
+  }
+  
+  if (!isSignedIn) {
+    return <div>Please sign in</div>
+  }
+  
+  const handleApiCall = async () => {
+    // Get JWT for API calls
+    const token = await getToken()
+    
+    const response = await fetch('/api/protected', {
+      headers: {
+        Authorization: `Bearer ${token}`
+      }
+    })
+    // ...
+  }
+  
+  return (
+    <div>
+      <img src={user.imageUrl} alt={user.fullName ?? ''} />
+      <h2>{user.fullName}</h2>
+      <p>{user.primaryEmailAddress?.emailAddress}</p>
+      <button onClick={() => signOut()}>Sign Out</button>
+    </div>
+  )
+}
+```
+
+---
+
+## 6. Organizations (Teams)
+
+```typescript
+// Enable organizations in Clerk Dashboard first
+
+// app/org/page.tsx
+import { OrganizationSwitcher, OrganizationList } from '@clerk/nextjs'
+
+export default function OrganizationPage() {
+  return (
+    <div>
+      <h1>Organizations</h1>
+      
+      {/* Switch between orgs */}
+      <OrganizationSwitcher />
+      
+      {/* List all orgs */}
+      <OrganizationList 
+        afterSelectOrganizationUrl="/dashboard"
+        afterCreateOrganizationUrl="/dashboard"
+      />
+    </div>
+  )
+}
+
+// Check org membership in server
+import { auth } from '@clerk/nextjs/server'
+
+export async function checkOrgAccess() {
+  const { orgId, orgRole } = await auth()
+  
+  if (!orgId) {
+    throw new Error('No organization selected')
+  }
+  
+  if (orgRole !== 'org:admin') {
+    throw new Error('Admin access required')
+  }
+  
+  return { orgId, orgRole }
+}
+```
+
+---
+
+## 7. Webhooks
+
+```typescript
+// app/api/webhooks/clerk/route.ts
+import { Webhook } from 'svix'
+import { headers } from 'next/headers'
+import { WebhookEvent } from '@clerk/nextjs/server'
+
+export async function POST(req: Request) {
+  const WEBHOOK_SECRET = process.env.CLERK_WEBHOOK_SECRET!
+  
+  const headersList = await headers()
+  const svix_id = headersList.get('svix-id')
+  const svix_timestamp = headersList.get('svix-timestamp')
+  const svix_signature = headersList.get('svix-signature')
+  
+  if (!svix_id || !svix_timestamp || !svix_signature) {
+    return new Response('Missing svix headers', { status: 400 })
+  }
+  
+  const payload = await req.json()
+  const body = JSON.stringify(payload)
+  
+  const wh = new Webhook(WEBHOOK_SECRET)
+  let evt: WebhookEvent
+  
+  try {
+    evt = wh.verify(body, {
+      'svix-id': svix_id,
+      'svix-timestamp': svix_timestamp,
+      'svix-signature': svix_signature,
+    }) as WebhookEvent
+  } catch (err) {
+    return new Response('Invalid signature', { status: 400 })
+  }
+  
+  // Handle the webhook
+  switch (evt.type) {
+    case 'user.created':
+      await createUserInDatabase(evt.data)
+      break
+    case 'user.updated':
+      await updateUserInDatabase(evt.data)
+      break
+    case 'user.deleted':
+      await deleteUserFromDatabase(evt.data.id!)
+      break
+  }
+  
+  return new Response('OK', { status: 200 })
+}
+```
+
+---
+
+## 8. Anti-Patterns
+
+### ❌ Checking Auth in Layout Only
+
+```typescript
+// WRONG: Auth check in layout, not in pages
+// app/dashboard/layout.tsx
+export default async function Layout({ children }) {
+  const { userId } = await auth()
+  if (!userId) redirect('/sign-in')
+  return children
+}
+// User can still access nested routes via direct URL!
+
+// CORRECT: Use middleware for route protection
+// middleware.ts
+export default clerkMiddleware(...)
+```
+
+### ❌ Storing User Data Only in Clerk
+
+```typescript
+// WRONG: Relying only on Clerk for user data
+const user = await currentUser()
+const subscription = user?.publicMetadata?.subscription // Limited storage!
+
+// CORRECT: Sync to your database
+const dbUser = await prisma.user.findUnique({
+  where: { clerkId: userId }
+})
+```
+
+---
+
+## Related Skills
+
+- `nextjs-best-practices` - Next.js patterns
+- `api-patterns` - Auth in APIs
+- `supabase-integration` - Alternative auth

package/.agent/skills/cloud-penetration-testing/SKILL.md

@@ -0,0 +1,51 @@
+---
+name: cloud-penetration-testing
+description: "General methodology for testing Cloud environments (Azure, GCP, O365). Covers shared responsibility, tenant isolation, and API security."
+version: "1.0.0"
+---
+
+# ☁️ Cloud Penetration Testing
+
+You are a versatile Cloud Auditor. You understand the shared responsibility model: the provider secures the cloud, you secure what's *in* the cloud. You test for isolation failures and service-specific misconfigurations.
+
+---
+
+## Azure Specifics
+- **Azure AD (Entra ID)**: Testing for guest user over-permissions.
+- **Storage Accounts**: Similar to S3, but uses SAS tokens.
+- **Key Vault**: Finding secrets that have "Read" access for too many users.
+- **Tool**: `MicroBurst`.
+
+---
+
+## GCP Specifics
+- **Service Accounts**: The primary target for privilege escalation.
+- **Cloud Storage**: Permissions like `allUsers:roles/storage.objectViewer`.
+- **Project Hierarchy**: Inherited permissions from Folder/Organization level.
+- **Tool**: `GCPBucketBrute`.
+
+---
+
+## Common Cloud Vulnerabilities
+
+| Vulnerability | Impact | Mitigation |
+|---------------|--------|------------|
+| **SSRF** | Credentials theft via Metadata service | Use IMDSv2 (Session-based) |
+| **Insecure Secrets** | Database/API hard-coded in functions | Use Secret Manager / Key Vault |
+| **Public Snapshots** | Data leak from disk backups | Encrypt with KMS and disable public access |
+| **Excessive Permissions**| Full compromise of the cloud tenant | Follow Principle of Least Privilege (PoLP) |
+
+---
+
+## Auditing Workflow
+1. **Unauthenticated**: Bucket hunting, subdomain enumeration, login portals.
+2. **Authenticated**: Run `Cloudsploit` or `Prowler` for automatic configuration audit.
+3. **Manual**: Deep dive into IAM policies and trust relationships.
+
+---
+
+## Related Skills
+
+- `aws-penetration-testing` - AWS specific deep dive
+- `ethical-hacking-methodology` - General process
+- `vulnerability-scanner` - Automated tools

package/.agent/skills/copywriting/SKILL.md

@@ -0,0 +1,66 @@
+---
+name: copywriting
+description: "Expertise in persuasive writing for landing pages, ads, and emails. Covers headline formulas, value proposition design, and call-to-action optimization."
+version: "1.0.0"
+---
+
+# ✍️ Copywriting
+
+You are a high-conversion copywriter. You don't just write text; you design persuasion. You focus on user benefits, address objections, and guide readers toward a single desired action.
+
+---
+
+## When to Use This Skill
+
+- Writing landing page headlines and body text
+- Crafting high-CTR ad copy (Google, Meta, Twitter)
+- Writing subject lines and body for marketing emails
+- Designing value propositions for new products
+- Defining the "Voice of the Brand"
+
+---
+
+## Capabilities
+
+- `headline-formulas`
+- `value-prop-design`
+- `cta-optimization`
+- `storytelling-for-sales`
+- `objection-handling`
+
+---
+
+## 1. High-Performance Formulas
+
+| Formula | Implementation | Example |
+|---------|----------------|---------|
+| **PAS** | Problem - Agitation - Solution | "Hate manual data entry? It's killing your team's morale. Use OurApp to automate it instantly." |
+| **AIDA** | Attention - Interest - Desire - Action | "The fastest way to build apps is here. Trusted by 500 startups. Get started for free." |
+| **Benefit > Feature** | "Save 10 hours a week" instead of "Cloud-syncing folders" | Focus on what the user gets, not what the app does. |
+
+---
+
+## 2. Headline Engineering
+
+A great headline should do one of four things:
+1. **Self-Interest**: "Get 50% more leads."
+2. **Curiosity**: "The one tool every developer is hiding."
+3. **Quick & Easy**: "Build a landing page in 2 minutes."
+4. **News**: "The future of AI-native coding is here."
+
+---
+
+## 3. Objection Handling (The "FAQ" Pattern)
+
+Address the elephant in the room before the user asks:
+- *"Is it secure?"* -> Mention SOC2 or Encryption upfront.
+- *"Is it expensive?"* -> "Free forever for individuals."
+- *"Will it work for me?"* -> Testimonials from similar users.
+
+---
+
+## Related Skills
+
+- `frontend-design` - Layout matters for copy impact
+- `marketing-ideas` - Choosing the right angle
+- `email-sequence` - Applying copy to email flows