npm - @mytechtoday/augment-extensions - Versions diffs - 0.1.0 → 0.1.2 - Mend

@mytechtoday/augment-extensions 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (102) hide show

package/augment-extensions/domain-rules/security/rules/web-security.md ADDED Viewed

@@ -0,0 +1,268 @@
+# Web Security
+Web-specific security vulnerabilities and mitigations.
+## Cross-Site Scripting (XSS)
+### Reflected XSS
+```typescript
+// Bad - Reflected XSS
+app.get('/search', (req, res) => {
+  res.send(`<h1>Results for: ${req.query.q}</h1>`);  // ❌ XSS vulnerability
+});
+// Good - Escape output
+import escapeHtml from 'escape-html';
+app.get('/search', (req, res) => {
+  res.send(`<h1>Results for: ${escapeHtml(req.query.q)}</h1>`);
+});
+// Better - Use template engine with auto-escaping
+app.get('/search', (req, res) => {
+  res.render('search', { query: req.query.q });  // Handlebars, EJS auto-escape
+});
+```
+### Stored XSS
+```typescript
+// Bad - Storing unsanitized HTML
+app.post('/comments', async (req, res) => {
+  await db.comments.create({
+    content: req.body.content  // ❌ Stores malicious script
+  });
+});
+// Good - Sanitize HTML
+import DOMPurify from 'isomorphic-dompurify';
+app.post('/comments', async (req, res) => {
+  const sanitized = DOMPurify.sanitize(req.body.content, {
+    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a'],
+    ALLOWED_ATTR: ['href']
+  });
+  await db.comments.create({ content: sanitized });
+});
+```
+### Content Security Policy (CSP)
+```typescript
+// Good - Strict CSP
+app.use((req, res, next) => {
+  res.setHeader(
+    'Content-Security-Policy',
+    [
+      "default-src 'self'",
+      "script-src 'self'",
+      "style-src 'self' 'unsafe-inline'",
+      "img-src 'self' data: https:",
+      "font-src 'self'",
+      "connect-src 'self'",
+      "frame-ancestors 'none'",
+      "base-uri 'self'",
+      "form-action 'self'"
+    ].join('; ')
+  );
+  next();
+});
+// Good - CSP with nonce for inline scripts
+const nonce = crypto.randomBytes(16).toString('base64');
+res.setHeader('Content-Security-Policy', `script-src 'nonce-${nonce}'`);
+res.render('page', { nonce });
+// In template:
+// <script nonce="{{nonce}}">...</script>
+```
+## Cross-Site Request Forgery (CSRF)
+```typescript
+import csrf from 'csurf';
+// Good - CSRF protection
+const csrfProtection = csrf({ cookie: true });
+app.get('/form', csrfProtection, (req, res) => {
+  res.render('form', { csrfToken: req.csrfToken() });
+});
+app.post('/form', csrfProtection, (req, res) => {
+  // CSRF token validated automatically
+});
+// In HTML form:
+// <input type="hidden" name="_csrf" value="{{csrfToken}}">
+// Good - SameSite cookies (additional protection)
+app.use(session({
+  cookie: {
+    sameSite: 'strict',  // or 'lax'
+    secure: true,
+    httpOnly: true
+  }
+}));
+```
+## Clickjacking
+```typescript
+// Good - X-Frame-Options header
+app.use((req, res, next) => {
+  res.setHeader('X-Frame-Options', 'DENY');
+  next();
+});
+// Good - CSP frame-ancestors
+app.use((req, res, next) => {
+  res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
+  next();
+});
+// Allow specific domains
+res.setHeader('Content-Security-Policy', "frame-ancestors 'self' https://trusted.com");
+```
+## CORS (Cross-Origin Resource Sharing)
+```typescript
+import cors from 'cors';
+// Bad - Allow all origins
+app.use(cors({ origin: '*' }));  // ❌ Too permissive
+// Good - Whitelist specific origins
+const allowedOrigins = ['https://example.com', 'https://app.example.com'];
+app.use(cors({
+  origin: (origin, callback) => {
+    if (!origin || allowedOrigins.includes(origin)) {
+      callback(null, true);
+    } else {
+      callback(new Error('Not allowed by CORS'));
+    }
+  },
+  credentials: true,  // Allow cookies
+  methods: ['GET', 'POST', 'PUT', 'DELETE'],
+  allowedHeaders: ['Content-Type', 'Authorization']
+}));
+```
+## Security Headers
+```typescript
+import helmet from 'helmet';
+// Good - Use helmet for security headers
+app.use(helmet());
+// Manual configuration
+app.use((req, res, next) => {
+  // Prevent MIME sniffing
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  // XSS protection (legacy browsers)
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  // Clickjacking protection
+  res.setHeader('X-Frame-Options', 'DENY');
+  // HTTPS enforcement
+  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload');
+  // Referrer policy
+  res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+  // Permissions policy
+  res.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+  next();
+});
+```
+## Cookie Security
+```typescript
+// Good - Secure cookie configuration
+res.cookie('sessionId', sessionId, {
+  httpOnly: true,      // Prevent JavaScript access
+  secure: true,        // HTTPS only
+  sameSite: 'strict',  // CSRF protection
+  maxAge: 3600000,     // 1 hour
+  domain: '.example.com',
+  path: '/',
+  signed: true         // Sign cookie
+});
+// Bad - Insecure cookie
+res.cookie('sessionId', sessionId);  // ❌ No security flags
+```
+## Session Fixation Prevention
+```typescript
+// Good - Regenerate session on login
+app.post('/login', async (req, res) => {
+  const user = await authenticate(req.body.email, req.body.password);
+  if (user) {
+    // Regenerate session ID
+    req.session.regenerate((err) => {
+      if (err) {
+        return res.status(500).json({ error: 'Login failed' });
+      }
+      req.session.userId = user.id;
+      res.json({ success: true });
+    });
+  }
+});
+```
+## Open Redirect Prevention
+```typescript
+// Bad - Open redirect vulnerability
+app.get('/redirect', (req, res) => {
+  res.redirect(req.query.url);  // ❌ Redirects to any URL
+});
+// Good - Validate redirect URL
+const allowedRedirects = ['/dashboard', '/profile', '/settings'];
+app.get('/redirect', (req, res) => {
+  const url = req.query.url;
+  if (!allowedRedirects.includes(url)) {
+    return res.status(400).json({ error: 'Invalid redirect' });
+  }
+  res.redirect(url);
+});
+// Good - Validate external redirects
+const allowedDomains = ['example.com', 'app.example.com'];
+const url = new URL(req.query.url);
+if (!allowedDomains.includes(url.hostname)) {
+  return res.status(400).json({ error: 'Invalid redirect domain' });
+}
+```
+## Best Practices
+1. **Prevent XSS** - Sanitize HTML, use CSP
+2. **CSRF protection** - Use CSRF tokens, SameSite cookies
+3. **Prevent clickjacking** - X-Frame-Options, CSP frame-ancestors
+4. **Configure CORS** - Whitelist specific origins
+5. **Security headers** - Use helmet middleware
+6. **Secure cookies** - httpOnly, secure, sameSite
+7. **Regenerate sessions** - On login/privilege change
+8. **Validate redirects** - Whitelist allowed URLs
+9. **Content-Type** - Set correct Content-Type headers
+10. **HTTPS only** - Enforce HTTPS with HSTS

package/augment-extensions/examples/design-patterns/README.md ADDED Viewed

@@ -0,0 +1,37 @@
+# Design Patterns Examples
+Common design patterns with TypeScript/JavaScript implementations and real-world use cases.
+## Overview
+This module provides comprehensive examples of classic design patterns, including creational, structural, and behavioral patterns. Each pattern includes TypeScript implementations, use cases, and best practices.
+## Key Benefits
+- **Practical Examples**: Real-world implementations
+- **TypeScript Support**: Fully typed examples
+- **Use Cases**: When to use each pattern
+- **Best Practices**: Common pitfalls and solutions
+## Installation
+```bash
+augx link examples/design-patterns
+```
+## Contents
+### Examples
+- **creational-patterns.md** - Singleton, Factory, Builder, Prototype
+- **structural-patterns.md** - Adapter, Decorator, Facade, Proxy
+- **behavioral-patterns.md** - Observer, Strategy, Command, State
+## Character Count
+~42,000 characters
+## Version
+1.0.0

package/augment-extensions/examples/design-patterns/examples/behavioral-patterns.md ADDED Viewed

@@ -0,0 +1,370 @@
+# Behavioral Design Patterns
+Patterns for communication between objects.
+## Observer Pattern
+Define one-to-many dependency between objects.
+### Implementation
+```typescript
+interface Observer {
+  update(data: any): void;
+}
+interface Subject {
+  attach(observer: Observer): void;
+  detach(observer: Observer): void;
+  notify(): void;
+}
+class NewsAgency implements Subject {
+  private observers: Observer[] = [];
+  private news: string = '';
+  attach(observer: Observer): void {
+    this.observers.push(observer);
+  }
+  detach(observer: Observer): void {
+    const index = this.observers.indexOf(observer);
+    if (index > -1) {
+      this.observers.splice(index, 1);
+    }
+  }
+  notify(): void {
+    for (const observer of this.observers) {
+      observer.update(this.news);
+    }
+  }
+  setNews(news: string): void {
+    this.news = news;
+    this.notify();
+  }
+}
+class NewsChannel implements Observer {
+  constructor(private name: string) {}
+  update(news: string): void {
+    console.log(`${this.name} received news: ${news}`);
+  }
+}
+// Usage
+const agency = new NewsAgency();
+const cnn = new NewsChannel('CNN');
+const bbc = new NewsChannel('BBC');
+agency.attach(cnn);
+agency.attach(bbc);
+agency.setNews('Breaking: New design pattern discovered!');
+// CNN received news: Breaking: New design pattern discovered!
+// BBC received news: Breaking: New design pattern discovered!
+```
+### Use Cases
+- Event handling systems
+- Model-View-Controller (MVC)
+- Pub/Sub messaging
+- Real-time notifications
+---
+## Strategy Pattern
+Define family of algorithms, encapsulate each one, make them interchangeable.
+### Implementation
+```typescript
+interface PaymentStrategy {
+  pay(amount: number): void;
+}
+class CreditCardPayment implements PaymentStrategy {
+  constructor(
+    private cardNumber: string,
+    private cvv: string
+  ) {}
+  pay(amount: number): void {
+    console.log(`Paid $${amount} using Credit Card ${this.cardNumber}`);
+  }
+}
+class PayPalPayment implements PaymentStrategy {
+  constructor(private email: string) {}
+  pay(amount: number): void {
+    console.log(`Paid $${amount} using PayPal account ${this.email}`);
+  }
+}
+class CryptoPayment implements PaymentStrategy {
+  constructor(private walletAddress: string) {}
+  pay(amount: number): void {
+    console.log(`Paid $${amount} using Crypto wallet ${this.walletAddress}`);
+  }
+}
+class ShoppingCart {
+  private items: string[] = [];
+  private paymentStrategy?: PaymentStrategy;
+  addItem(item: string): void {
+    this.items.push(item);
+  }
+  setPaymentStrategy(strategy: PaymentStrategy): void {
+    this.paymentStrategy = strategy;
+  }
+  checkout(amount: number): void {
+    if (!this.paymentStrategy) {
+      throw new Error('Payment strategy not set');
+    }
+    this.paymentStrategy.pay(amount);
+  }
+}
+// Usage
+const cart = new ShoppingCart();
+cart.addItem('Laptop');
+cart.addItem('Mouse');
+// Pay with credit card
+cart.setPaymentStrategy(new CreditCardPayment('1234-5678', '123'));
+cart.checkout(1500);
+// Pay with PayPal
+cart.setPaymentStrategy(new PayPalPayment('user@example.com'));
+cart.checkout(1500);
+```
+### Use Cases
+- Payment processing
+- Sorting algorithms
+- Compression algorithms
+- Validation strategies
+---
+## Command Pattern
+Encapsulate request as an object.
+### Implementation
+```typescript
+interface Command {
+  execute(): void;
+  undo(): void;
+}
+class Light {
+  turnOn(): void {
+    console.log('Light is ON');
+  }
+  turnOff(): void {
+    console.log('Light is OFF');
+  }
+}
+class LightOnCommand implements Command {
+  constructor(private light: Light) {}
+  execute(): void {
+    this.light.turnOn();
+  }
+  undo(): void {
+    this.light.turnOff();
+  }
+}
+class LightOffCommand implements Command {
+  constructor(private light: Light) {}
+  execute(): void {
+    this.light.turnOff();
+  }
+  undo(): void {
+    this.light.turnOn();
+  }
+}
+class RemoteControl {
+  private history: Command[] = [];
+  executeCommand(command: Command): void {
+    command.execute();
+    this.history.push(command);
+  }
+  undo(): void {
+    const command = this.history.pop();
+    if (command) {
+      command.undo();
+    }
+  }
+}
+// Usage
+const light = new Light();
+const remote = new RemoteControl();
+const lightOn = new LightOnCommand(light);
+const lightOff = new LightOffCommand(light);
+remote.executeCommand(lightOn);  // Light is ON
+remote.executeCommand(lightOff); // Light is OFF
+remote.undo();                   // Light is ON (undo last command)
+```
+### Use Cases
+- Undo/Redo functionality
+- Transaction systems
+- Job queues
+- Macro recording
+---
+## State Pattern
+Allow object to alter behavior when internal state changes.
+### Implementation
+```typescript
+interface State {
+  insertCoin(): void;
+  ejectCoin(): void;
+  dispense(): void;
+}
+class VendingMachine {
+  private noCoinState: State;
+  private hasCoinState: State;
+  private soldState: State;
+  private currentState: State;
+  constructor() {
+    this.noCoinState = new NoCoinState(this);
+    this.hasCoinState = new HasCoinState(this);
+    this.soldState = new SoldState(this);
+    this.currentState = this.noCoinState;
+  }
+  setState(state: State): void {
+    this.currentState = state;
+  }
+  getNoCoinState(): State {
+    return this.noCoinState;
+  }
+  getHasCoinState(): State {
+    return this.hasCoinState;
+  }
+  getSoldState(): State {
+    return this.soldState;
+  }
+  insertCoin(): void {
+    this.currentState.insertCoin();
+  }
+  ejectCoin(): void {
+    this.currentState.ejectCoin();
+  }
+  dispense(): void {
+    this.currentState.dispense();
+  }
+}
+class NoCoinState implements State {
+  constructor(private machine: VendingMachine) {}
+  insertCoin(): void {
+    console.log('Coin inserted');
+    this.machine.setState(this.machine.getHasCoinState());
+  }
+  ejectCoin(): void {
+    console.log('No coin to eject');
+  }
+  dispense(): void {
+    console.log('Insert coin first');
+  }
+}
+class HasCoinState implements State {
+  constructor(private machine: VendingMachine) {}
+  insertCoin(): void {
+    console.log('Coin already inserted');
+  }
+  ejectCoin(): void {
+    console.log('Coin ejected');
+    this.machine.setState(this.machine.getNoCoinState());
+  }
+  dispense(): void {
+    console.log('Dispensing product');
+    this.machine.setState(this.machine.getSoldState());
+  }
+}
+class SoldState implements State {
+  constructor(private machine: VendingMachine) {}
+  insertCoin(): void {
+    console.log('Please wait, dispensing product');
+  }
+  ejectCoin(): void {
+    console.log('Cannot eject, already dispensing');
+  }
+  dispense(): void {
+    console.log('Product dispensed');
+    this.machine.setState(this.machine.getNoCoinState());
+  }
+}
+// Usage
+const machine = new VendingMachine();
+machine.insertCoin(); // Coin inserted
+machine.dispense();   // Dispensing product
+machine.dispense();   // Product dispensed
+```
+### Use Cases
+- Workflow engines
+- Game character states
+- Connection states (connected, disconnected, etc.)
+- Order processing states
+### Best Practices
+1. **Observer**: Use for event-driven systems
+2. **Strategy**: Use when you need to switch algorithms at runtime
+3. **Command**: Use for undo/redo and transaction systems
+4. **State**: Use when object behavior changes based on state