@nockdev/awf 6.2.0
- package/.agent/build.yaml +178 -0
- package/.agent/config.yaml +235 -0
- package/.agent/core/ACTIVE_MEMORY.yaml +344 -0
- package/.agent/core/ARCH_REGISTRY.yaml +252 -0
- package/.agent/core/AUDIT_POLICY.md +68 -0
- package/.agent/core/BRANDING.yaml +185 -0
- package/.agent/core/CACHE.md +59 -0
- package/.agent/core/CHECKPOINT.yaml +153 -0
- package/.agent/core/CLEANUP_ENGINE.yaml +326 -0
- package/.agent/core/CODING_STYLES.yaml +346 -0
- package/.agent/core/COMMANDS.md +93 -0
- package/.agent/core/CONTEXT_INJECTOR.yaml +325 -0
- package/.agent/core/CONTEXT_LOADER.yaml +323 -0
- package/.agent/core/CONTEXT_OPTIMIZATION.yaml +286 -0
- package/.agent/core/CONTEXT_PRIORITY.yaml +357 -0
- package/.agent/core/CUSTOMIZE.md +138 -0
- package/.agent/core/DATA_SAFETY.md +92 -0
- package/.agent/core/FLOW_ENGINE.yaml +300 -0
- package/.agent/core/GRAPH_MEMORY.yaml +420 -0
- package/.agent/core/HSA.yaml +357 -0
- package/.agent/core/HYBRID_ROUTER.yaml +346 -0
- package/.agent/core/INTENT_DETECTION.yaml +384 -0
- package/.agent/core/LIBRARY_REGISTRY.yaml +401 -0
- package/.agent/core/MCP_TOOLS.yaml +414 -0
- package/.agent/core/MEMORY_CONSOLIDATION.yaml +352 -0
- package/.agent/core/MEMORY_ENGINE.yaml +353 -0
- package/.agent/core/MEMORY_PATHS.yaml +79 -0
- package/.agent/core/MEMORY_UTILS.yaml +212 -0
- package/.agent/core/PATTERNS.yaml +319 -0
- package/.agent/core/PERMISSIONS.md +100 -0
- package/.agent/core/README.md +91 -0
- package/.agent/core/REFLECTION_ENGINE.yaml +348 -0
- package/.agent/core/ROUTER.yaml +424 -0
- package/.agent/core/SCORING_FORMULA.yaml +103 -0
- package/.agent/core/SEMANTIC_ENGINE.yaml +162 -0
- package/.agent/core/SKILLS_FLOW.yaml +341 -0
- package/.agent/core/SKILL_SCHEMA.yaml +266 -0
- package/.agent/core/STATE_MACHINE.yaml +409 -0
- package/.agent/core/SUMMARIZATION_ENGINE.yaml +258 -0
- package/.agent/core/TEMPLATES.yaml +364 -0
- package/.agent/core/TOKEN_BUDGETS.yaml +157 -0
- package/.agent/core/TOKEN_LOADING.yaml +197 -0
- package/.agent/core/TOKEN_SUMMARY.yaml +121 -0
- package/.agent/core/VERSION.yaml +240 -0
- package/.agent/core/embeddings.json +2004 -0
- package/.agent/core/session_cache.json +50 -0
- package/.agent/i18n/README.md +30 -0
- package/.agent/i18n/en.yaml +302 -0
- package/.agent/i18n/vi.yaml +302 -0
- package/.agent/ide/README.md +47 -0
- package/.agent/ide/amazonq.json +35 -0
- package/.agent/ide/amp.json +35 -0
- package/.agent/ide/antigravity.json +47 -0
- package/.agent/ide/augment.json +35 -0
- package/.agent/ide/claude.json +42 -0
- package/.agent/ide/cline.json +34 -0
- package/.agent/ide/codex.json +37 -0
- package/.agent/ide/cody.json +35 -0
- package/.agent/ide/continue.json +35 -0
- package/.agent/ide/cursor.json +42 -0
- package/.agent/ide/gemini.json +46 -0
- package/.agent/ide/jetbrains.json +35 -0
- package/.agent/ide/kiro.json +35 -0
- package/.agent/ide/opencode.json +35 -0
- package/.agent/ide/roo.json +35 -0
- package/.agent/ide/tabnine.json +35 -0
- package/.agent/ide/trae.json +35 -0
- package/.agent/ide/vscode.json +34 -0
- package/.agent/ide/windsurf.json +56 -0
- package/.agent/ide/zed.json +36 -0
- package/.agent/manifest.yaml +416 -0
- package/.agent/memory/README.md +148 -0
- package/.agent/memory/active_memories.json +35 -0
- package/.agent/memory/archive/.gitkeep +0 -0
- package/.agent/memory/audit_summary.json +58 -0
- package/.agent/memory/cleanup_log.json +34 -0
- package/.agent/memory/consolidated.md +75 -0
- package/.agent/memory/core_memory/persona.json +30 -0
- package/.agent/memory/core_memory/project.json +25 -0
- package/.agent/memory/core_memory/rules.json +29 -0
- package/.agent/memory/core_memory/user.json +24 -0
- package/.agent/memory/decisions.md +40 -0
- package/.agent/memory/graph/knowledge_graph.json +12 -0
- package/.agent/memory/insights.md +52 -0
- package/.agent/memory/metrics.json +48 -0
- package/.agent/memory/patterns/errors.json +11 -0
- package/.agent/memory/patterns/successes.json +10 -0
- package/.agent/memory/session.md +64 -0
- package/.agent/memory/session_rules.json +19 -0
- package/.agent/memory/state.json +81 -0
- package/.agent/memory/vectors/README.md +129 -0
- package/.agent/personas/README.md +180 -0
- package/.agent/personas/architect.md +186 -0
- package/.agent/personas/auditor.md +222 -0
- package/.agent/personas/debugger.md +210 -0
- package/.agent/personas/developer.md +183 -0
- package/.agent/personas/devops.md +268 -0
- package/.agent/personas/documenter.md +262 -0
- package/.agent/personas/orchestrator.md +240 -0
- package/.agent/personas/persona.schema.yaml +209 -0
- package/.agent/personas/planner.md +171 -0
- package/.agent/personas/researcher.md +194 -0
- package/.agent/personas/security.md +212 -0
- package/.agent/personas/tester.md +247 -0
- package/.agent/rules/README.md +231 -0
- package/.agent/rules/SACRED_RULES.xml +142 -0
- package/.agent/rules/constitutional/tier-0-core.yaml +182 -0
- package/.agent/rules/constitutional/tier-1-safety.yaml +272 -0
- package/.agent/rules/constitutional/tier-2-execution.yaml +294 -0
- package/.agent/rules/data/build-systems.yaml +126 -0
- package/.agent/rules/data/quality-standards.json +59 -0
- package/.agent/rules/duplication-prevention.md +138 -0
- package/.agent/rules/incremental-changes.md +146 -0
- package/.agent/rules/modules/context-management.yaml +158 -0
- package/.agent/rules/modules/edit-verification.yaml +197 -0
- package/.agent/rules/modules/evidence.yaml +185 -0
- package/.agent/rules/modules/git-workflow.yaml +165 -0
- package/.agent/rules/modules/language.yaml +155 -0
- package/.agent/rules/modules/online-research.yaml +192 -0
- package/.agent/rules/modules/quality.yaml +185 -0
- package/.agent/rules/modules/reflection.yaml +209 -0
- package/.agent/rules/modules/stop-conditions.yaml +196 -0
- package/.agent/rules/modules/terminal-safety.yaml +229 -0
- package/.agent/rules/modules/versioning.yaml +97 -0
- package/.agent/rules/modules/yagni.yaml +167 -0
- package/.agent/rules/project-detection.md +317 -0
- package/.agent/rules/prompt-injection-guard.md +260 -0
- package/.agent/rules/shell-commands.md +210 -0
- package/.agent/rules/validation-framework.md +189 -0
- package/.agent/skills/DEVELOPMENT.yaml +226 -0
- package/.agent/skills/README.md +69 -0
- package/.agent/skills/_categories.yaml +145 -0
- package/.agent/skills/_router.yaml +232 -0
- package/.agent/skills/core/_index.yaml +12 -0
- package/.agent/skills/core/api-design/META.yaml +64 -0
- package/.agent/skills/core/api-design/SKILL.md +169 -0
- package/.agent/skills/core/api-design/data/api-versioning.yaml +217 -0
- package/.agent/skills/core/api-design/data/error-responses.yaml +135 -0
- package/.agent/skills/core/api-design/data/graphql-patterns.yaml +165 -0
- package/.agent/skills/core/api-design/data/grpc-patterns.yaml +165 -0
- package/.agent/skills/core/api-design/data/http-status-codes.yaml +176 -0
- package/.agent/skills/core/api-design/data/pagination.yaml +121 -0
- package/.agent/skills/core/api-design/data/rate-limiting.yaml +135 -0
- package/.agent/skills/core/api-design/data/rest-patterns.yaml +195 -0
- package/.agent/skills/core/api-design/data/test-apis.yaml +217 -0
- package/.agent/skills/core/authentication/META.yaml +73 -0
- package/.agent/skills/core/authentication/SKILL.md +166 -0
- package/.agent/skills/core/authentication/data/anti-patterns.yaml +135 -0
- package/.agent/skills/core/authentication/data/core-patterns.yaml +256 -0
- package/.agent/skills/core/authentication/data/jwt-patterns.yaml +255 -0
- package/.agent/skills/core/authentication/data/language-csharp.yaml +215 -0
- package/.agent/skills/core/authentication/data/language-go.yaml +215 -0
- package/.agent/skills/core/authentication/data/language-java.yaml +215 -0
- package/.agent/skills/core/authentication/data/language-mobile.yaml +215 -0
- package/.agent/skills/core/authentication/data/language-python.yaml +215 -0
- package/.agent/skills/core/authentication/data/language-rust.yaml +215 -0
- package/.agent/skills/core/authentication/data/language-typescript.yaml +215 -0
- package/.agent/skills/core/authentication/data/mfa-patterns.yaml +175 -0
- package/.agent/skills/core/authentication/data/oauth-patterns.yaml +255 -0
- package/.agent/skills/core/authentication/data/oauth.yaml +248 -0
- package/.agent/skills/core/authentication/data/passkeys-webauthn.yaml +215 -0
- package/.agent/skills/core/authentication/data/passkeys.yaml +208 -0
- package/.agent/skills/core/authentication/data/password-patterns.yaml +175 -0
- package/.agent/skills/core/authentication/data/password.yaml +168 -0
- package/.agent/skills/core/authentication/data/session-patterns.yaml +215 -0
- package/.agent/skills/core/error-handling/META.yaml +71 -0
- package/.agent/skills/core/error-handling/SKILL.md +156 -0
- package/.agent/skills/core/error-handling/data/anti-patterns.yaml +105 -0
- package/.agent/skills/core/error-handling/data/api-error-patterns.yaml +135 -0
- package/.agent/skills/core/error-handling/data/core-patterns.yaml +226 -0
- package/.agent/skills/core/error-handling/data/error-codes.yaml +165 -0
- package/.agent/skills/core/error-handling/data/error-messages.yaml +165 -0
- package/.agent/skills/core/error-handling/data/language-c-cpp.yaml +226 -0
- package/.agent/skills/core/error-handling/data/language-go-rust.yaml +226 -0
- package/.agent/skills/core/error-handling/data/language-python-java.yaml +226 -0
- package/.agent/skills/core/error-handling/data/language-swift-kotlin.yaml +226 -0
- package/.agent/skills/core/error-handling/data/language-typescript-php-ruby.yaml +226 -0
- package/.agent/skills/core/error-handling/data/resilience-patterns.yaml +191 -0
- package/.agent/skills/core/error-handling/data/ui-error-patterns.yaml +135 -0
- package/.agent/skills/core/logging/META.yaml +73 -0
- package/.agent/skills/core/logging/SKILL.md +184 -0
- package/.agent/skills/core/logging/data/aggregation-patterns.yaml +191 -0
- package/.agent/skills/core/logging/data/anti-patterns.yaml +121 -0
- package/.agent/skills/core/logging/data/core-patterns.yaml +226 -0
- package/.agent/skills/core/logging/data/language-csharp.yaml +191 -0
- package/.agent/skills/core/logging/data/language-go.yaml +191 -0
- package/.agent/skills/core/logging/data/language-java.yaml +191 -0
- package/.agent/skills/core/logging/data/language-kotlin.yaml +156 -0
- package/.agent/skills/core/logging/data/language-others.yaml +184 -0
- package/.agent/skills/core/logging/data/language-python.yaml +191 -0
- package/.agent/skills/core/logging/data/language-rust.yaml +191 -0
- package/.agent/skills/core/logging/data/language-swift.yaml +156 -0
- package/.agent/skills/core/logging/data/language-typescript.yaml +191 -0
- package/.agent/skills/core/logging/data/otel-logging.yaml +156 -0
- package/.agent/skills/core/observability/META.yaml +76 -0
- package/.agent/skills/core/observability/SKILL.md +153 -0
- package/.agent/skills/core/observability/data/alerting-patterns.yaml +165 -0
- package/.agent/skills/core/observability/data/anti-patterns.yaml +105 -0
- package/.agent/skills/core/observability/data/core-patterns.yaml +195 -0
- package/.agent/skills/core/observability/data/language-cpp.yaml +165 -0
- package/.agent/skills/core/observability/data/language-csharp.yaml +165 -0
- package/.agent/skills/core/observability/data/language-go.yaml +165 -0
- package/.agent/skills/core/observability/data/language-java.yaml +165 -0
- package/.agent/skills/core/observability/data/language-others.yaml +255 -0
- package/.agent/skills/core/observability/data/language-python.yaml +165 -0
- package/.agent/skills/core/observability/data/language-rust.yaml +165 -0
- package/.agent/skills/core/observability/data/language-typescript.yaml +165 -0
- package/.agent/skills/core/observability/data/metrics-patterns.yaml +135 -0
- package/.agent/skills/core/observability/data/metrics-prometheus.yaml +165 -0
- package/.agent/skills/core/observability/data/otel-core.yaml +195 -0
- package/.agent/skills/core/observability/data/profiling-patterns.yaml +135 -0
- package/.agent/skills/core/observability/data/tracing-patterns.yaml +165 -0
- package/.agent/skills/core/observability/data/tracing-tools.yaml +135 -0
- package/.agent/skills/core/security/ADVANCED.md +269 -0
- package/.agent/skills/core/security/META.yaml +97 -0
- package/.agent/skills/core/security/SKILL.md +234 -0
- package/.agent/skills/core/security/data/ai-ml-security.yaml +261 -0
- package/.agent/skills/core/security/data/api-security.yaml +230 -0
- package/.agent/skills/core/security/data/auth-patterns.yaml +195 -0
- package/.agent/skills/core/security/data/binary-exploitation.yaml +339 -0
- package/.agent/skills/core/security/data/cloud-security.yaml +269 -0
- package/.agent/skills/core/security/data/cwe-top25.yaml +415 -0
- package/.agent/skills/core/security/data/language-specific/c-security.yaml +295 -0
- package/.agent/skills/core/security/data/language-specific/cpp-security.yaml +295 -0
- package/.agent/skills/core/security/data/language-specific/csharp-security.yaml +219 -0
- package/.agent/skills/core/security/data/language-specific/go-security.yaml +219 -0
- package/.agent/skills/core/security/data/language-specific/java-security.yaml +295 -0
- package/.agent/skills/core/security/data/language-specific/kotlin-security.yaml +198 -0
- package/.agent/skills/core/security/data/language-specific/php-security.yaml +219 -0
- package/.agent/skills/core/security/data/language-specific/python-security.yaml +295 -0
- package/.agent/skills/core/security/data/language-specific/ruby-security.yaml +198 -0
- package/.agent/skills/core/security/data/language-specific/rust-security.yaml +240 -0
- package/.agent/skills/core/security/data/language-specific/solidity-security.yaml +369 -0
- package/.agent/skills/core/security/data/language-specific/swift-security.yaml +198 -0
- package/.agent/skills/core/security/data/language-specific/typescript-security.yaml +295 -0
- package/.agent/skills/core/security/data/mobile-security.yaml +369 -0
- package/.agent/skills/core/security/data/network-security.yaml +297 -0
- package/.agent/skills/core/security/data/owasp-top10.yaml +171 -0
- package/.agent/skills/core/security/data/reverse-engineering.yaml +497 -0
- package/.agent/skills/core/security/data/supply-chain.yaml +219 -0
- package/.agent/skills/cross-cutting/_index.yaml +15 -0
- package/.agent/skills/cross-cutting/audit-pro/META.yaml +43 -0
- package/.agent/skills/cross-cutting/audit-pro/data/checklists.yaml +644 -0
- package/.agent/skills/cross-cutting/audit-pro/data/scoring.yaml +101 -0
- package/.agent/skills/cross-cutting/aws/META.yaml +75 -0
- package/.agent/skills/cross-cutting/aws/data/ai_ml.yaml +194 -0
- package/.agent/skills/cross-cutting/aws/data/compute.yaml +191 -0
- package/.agent/skills/cross-cutting/aws/data/kubernetes.yaml +199 -0
- package/.agent/skills/cross-cutting/aws/data/storage.yaml +174 -0
- package/.agent/skills/cross-cutting/bun/META.yaml +58 -0
- package/.agent/skills/cross-cutting/bun/SKILL.md +357 -0
- package/.agent/skills/cross-cutting/bun/data/database.yaml +85 -0
- package/.agent/skills/cross-cutting/bun/data/runtime.yaml +170 -0
- package/.agent/skills/cross-cutting/bun/data/tooling.yaml +192 -0
- package/.agent/skills/cross-cutting/ci-cd/META.yaml +60 -0
- package/.agent/skills/cross-cutting/ci-cd/data/github_actions.yaml +248 -0
- package/.agent/skills/cross-cutting/ci-cd/data/security.yaml +211 -0
- package/.agent/skills/cross-cutting/coding-rules/META.yaml +61 -0
- package/.agent/skills/cross-cutting/coding-rules/SKILL.md +171 -0
- package/.agent/skills/cross-cutting/coding-rules/data/architecture-patterns.yaml +96 -0
- package/.agent/skills/cross-cutting/coding-rules/data/build-systems.yaml +346 -0
- package/.agent/skills/cross-cutting/coding-rules/data/coding-rules.yaml +647 -0
- package/.agent/skills/cross-cutting/coding-rules/data/concurrency-patterns.yaml +108 -0
- package/.agent/skills/cross-cutting/coding-rules/data/design-patterns.yaml +260 -0
- package/.agent/skills/cross-cutting/coding-rules/data/framework-signatures.yaml +344 -0
- package/.agent/skills/cross-cutting/coding-rules/data/memory-management.yaml +108 -0
- package/.agent/skills/cross-cutting/coding-rules/data/naming-conventions.yaml +320 -0
- package/.agent/skills/cross-cutting/coding-rules/data/performance-benchmarks.yaml +164 -0
- package/.agent/skills/cross-cutting/coding-rules/data/solid-principles.yaml +80 -0
- package/.agent/skills/cross-cutting/coding-rules/data/test-frameworks.yaml +183 -0
- package/.agent/skills/cross-cutting/database/ADVANCED.md +465 -0
- package/.agent/skills/cross-cutting/database/META.yaml +22 -0
- package/.agent/skills/cross-cutting/database/SKILL.md +816 -0
- package/.agent/skills/cross-cutting/database/data/anti_patterns.yaml +116 -0
- package/.agent/skills/cross-cutting/database/data/distributed.yaml +152 -0
- package/.agent/skills/cross-cutting/database/data/mongodb.yaml +132 -0
- package/.agent/skills/cross-cutting/database/data/mysql.yaml +130 -0
- package/.agent/skills/cross-cutting/database/data/orm.yaml +104 -0
- package/.agent/skills/cross-cutting/database/data/postgresql.yaml +170 -0
- package/.agent/skills/cross-cutting/database/data/redis.yaml +129 -0
- package/.agent/skills/cross-cutting/deno/META.yaml +68 -0
- package/.agent/skills/cross-cutting/deno/SKILL.md +343 -0
- package/.agent/skills/cross-cutting/deno/data/runtime.yaml +260 -0
- package/.agent/skills/cross-cutting/deno/data/security.yaml +168 -0
- package/.agent/skills/cross-cutting/deno/data/tooling.yaml +133 -0
- package/.agent/skills/cross-cutting/docker/META.yaml +65 -0
- package/.agent/skills/cross-cutting/docker/data/build.yaml +197 -0
- package/.agent/skills/cross-cutting/docker/data/compose.yaml +229 -0
- package/.agent/skills/cross-cutting/docker/data/security.yaml +164 -0
- package/.agent/skills/cross-cutting/electron/META.yaml +174 -0
- package/.agent/skills/cross-cutting/electron/SKILL.md +862 -0
- package/.agent/skills/cross-cutting/electron/data/build.yaml +105 -0
- package/.agent/skills/cross-cutting/electron/data/crash.yaml +103 -0
- package/.agent/skills/cross-cutting/electron/data/ipc.yaml +85 -0
- package/.agent/skills/cross-cutting/electron/data/native.yaml +157 -0
- package/.agent/skills/cross-cutting/electron/data/security.yaml +89 -0
- package/.agent/skills/cross-cutting/electron/data/storage.yaml +100 -0
- package/.agent/skills/cross-cutting/electron/data/testing.yaml +103 -0
- package/.agent/skills/cross-cutting/electron/data/updates.yaml +99 -0
- package/.agent/skills/cross-cutting/electron/data/window.yaml +83 -0
- package/.agent/skills/cross-cutting/kubernetes/META.yaml +70 -0
- package/.agent/skills/cross-cutting/kubernetes/data/networking.yaml +270 -0
- package/.agent/skills/cross-cutting/kubernetes/data/scheduling.yaml +267 -0
- package/.agent/skills/cross-cutting/kubernetes/data/security.yaml +253 -0
- package/.agent/skills/cross-cutting/kubernetes/data/workloads.yaml +251 -0
- package/.agent/skills/cross-cutting/sql/META.yaml +88 -0
- package/.agent/skills/cross-cutting/sql/SKILL.md +296 -0
- package/.agent/skills/cross-cutting/sql/data/indexing.yaml +147 -0
- package/.agent/skills/cross-cutting/sql/data/json.yaml +156 -0
- package/.agent/skills/cross-cutting/sql/data/performance.yaml +204 -0
- package/.agent/skills/cross-cutting/sql/data/queries.yaml +150 -0
- package/.agent/skills/cross-cutting/tailwind/META.yaml +72 -0
- package/.agent/skills/cross-cutting/tailwind/SKILL.md +344 -0
- package/.agent/skills/cross-cutting/tailwind/data/build.yaml +143 -0
- package/.agent/skills/cross-cutting/tailwind/data/config.yaml +109 -0
- package/.agent/skills/cross-cutting/tailwind/data/migration.yaml +149 -0
- package/.agent/skills/cross-cutting/tailwind/data/responsive.yaml +148 -0
- package/.agent/skills/cross-cutting/tailwind/data/states.yaml +152 -0
- package/.agent/skills/cross-cutting/tailwind/data/theme.yaml +126 -0
- package/.agent/skills/cross-cutting/tailwind/data/utilities.yaml +182 -0
- package/.agent/skills/cross-cutting/tailwind/data/variants.yaml +154 -0
- package/.agent/skills/cross-cutting/testing/ADVANCED.md +245 -0
- package/.agent/skills/cross-cutting/testing/META.yaml +49 -0
- package/.agent/skills/cross-cutting/testing/SKILL.md +263 -0
- package/.agent/skills/cross-cutting/testing/data/frameworks.yaml +300 -0
- package/.agent/skills/cross-cutting/testing/data/patterns.yaml +168 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/META.yaml +108 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/SKILL.md +565 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/charts.yaml +331 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/colors.yaml +1226 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/component-decision.yaml +287 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/component-mapping.yaml +318 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/design-tokens.yaml +525 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/desktop-animation.yaml +232 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/desktop-architecture.yaml +140 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/desktop-colors.yaml +467 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/directory-structure.yaml +75 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/icons.yaml +918 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/implementation-strategy.yaml +107 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/landing.yaml +372 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/platform-frameworks.yaml +195 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/platform-guidelines.yaml +177 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/products.yaml +1339 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/prompts.yaml +180 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/react-performance.yaml +504 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/desktop.yaml +228 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/flutter.yaml +508 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/html-tailwind.yaml +543 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/nextjs.yaml +515 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/nuxt-ui.yaml +519 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/nuxtjs.yaml +599 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/react-native.yaml +496 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/react.yaml +526 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/shadcn.yaml +616 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/svelte.yaml +520 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/swiftui.yaml +486 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/stacks/vue.yaml +485 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/styles.yaml +1473 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/typography.yaml +647 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/ui-reasoning.yaml +1019 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/ux-guidelines.yaml +1009 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/data/web-interface.yaml +347 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/__pycache__/core.cpython-310.pyc +0 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/__pycache__/core.cpython-314.pyc +0 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/__pycache__/design_system.cpython-314.pyc +0 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/core.py +393 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/core_legacy.py +303 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/design_system.py +496 -0
- package/.agent/skills/cross-cutting/ui-ux-pro-max/scripts/search.py +76 -0
- package/.agent/skills/cross-cutting/web-perf/META.yaml +92 -0
- package/.agent/skills/cross-cutting/web-perf/SKILL.md +181 -0
- package/.agent/skills/cross-cutting/web-perf/data/cls_optimization.yaml +189 -0
- package/.agent/skills/cross-cutting/web-perf/data/core_web_vitals.yaml +282 -0
- package/.agent/skills/cross-cutting/web-perf/data/inp_optimization.yaml +240 -0
- package/.agent/skills/cross-cutting/web-perf/data/lcp_optimization.yaml +202 -0
- package/.agent/skills/cross-cutting/web-perf/data/measurement.yaml +170 -0
- package/.agent/skills/devops/_index.yaml +9 -0
- package/.agent/skills/devops/aws/ADVANCED.md +547 -0
- package/.agent/skills/devops/aws/META.yaml +84 -0
- package/.agent/skills/devops/aws/SKILL.md +711 -0
- package/.agent/skills/devops/ci-cd/ADVANCED.md +529 -0
- package/.agent/skills/devops/ci-cd/META.yaml +21 -0
- package/.agent/skills/devops/ci-cd/SKILL.md +821 -0
- package/.agent/skills/devops/docker/ADVANCED.md +495 -0
- package/.agent/skills/devops/docker/META.yaml +20 -0
- package/.agent/skills/devops/docker/SKILL.md +653 -0
- package/.agent/skills/devops/kubernetes/ADVANCED.md +252 -0
- package/.agent/skills/devops/kubernetes/META.yaml +15 -0
- package/.agent/skills/devops/kubernetes/SKILL.md +621 -0
- package/.agent/skills/frameworks/_index.yaml +13 -0
- package/.agent/skills/frameworks/angular/META.yaml +70 -0
- package/.agent/skills/frameworks/angular/SKILL.md +319 -0
- package/.agent/skills/frameworks/angular/data/core.yaml +209 -0
- package/.agent/skills/frameworks/angular/data/performance.yaml +210 -0
- package/.agent/skills/frameworks/angular/data/server.yaml +175 -0
- package/.agent/skills/frameworks/flutter/ADVANCED.md +491 -0
- package/.agent/skills/frameworks/flutter/META.yaml +64 -0
- package/.agent/skills/frameworks/flutter/SKILL.md +541 -0
- package/.agent/skills/frameworks/flutter/data/core.yaml +210 -0
- package/.agent/skills/frameworks/flutter/data/platform.yaml +246 -0
- package/.agent/skills/frameworks/flutter/data/state.yaml +250 -0
- package/.agent/skills/frameworks/nextjs/ADVANCED.md +225 -0
- package/.agent/skills/frameworks/nextjs/META.yaml +67 -0
- package/.agent/skills/frameworks/nextjs/SKILL.md +593 -0
- package/.agent/skills/frameworks/nextjs/data/caching.yaml +210 -0
- package/.agent/skills/frameworks/nextjs/data/core.yaml +255 -0
- package/.agent/skills/frameworks/nextjs/data/server.yaml +248 -0
- package/.agent/skills/frameworks/nuxt/META.yaml +57 -0
- package/.agent/skills/frameworks/nuxt/SKILL.md +283 -0
- package/.agent/skills/frameworks/nuxt/data/core.yaml +309 -0
- package/.agent/skills/frameworks/nuxt/data/server.yaml +271 -0
- package/.agent/skills/frameworks/react/ADVANCED.md +676 -0
- package/.agent/skills/frameworks/react/META.yaml +60 -0
- package/.agent/skills/frameworks/react/SKILL.md +263 -0
- package/.agent/skills/frameworks/react/data/core.yaml +278 -0
- package/.agent/skills/frameworks/react/data/server.yaml +283 -0
- package/.agent/skills/frameworks/react-native/META.yaml +59 -0
- package/.agent/skills/frameworks/react-native/SKILL.md +301 -0
- package/.agent/skills/frameworks/react-native/data/core.yaml +260 -0
- package/.agent/skills/frameworks/react-native/data/platform.yaml +287 -0
- package/.agent/skills/frameworks/svelte/META.yaml +62 -0
- package/.agent/skills/frameworks/svelte/SKILL.md +398 -0
- package/.agent/skills/frameworks/svelte/data/runes.yaml +239 -0
- package/.agent/skills/frameworks/svelte/data/sveltekit.yaml +244 -0
- package/.agent/skills/frameworks/vue/ADVANCED.md +214 -0
- package/.agent/skills/frameworks/vue/META.yaml +58 -0
- package/.agent/skills/frameworks/vue/SKILL.md +356 -0
- package/.agent/skills/frameworks/vue/data/advanced.yaml +253 -0
- package/.agent/skills/frameworks/vue/data/core.yaml +270 -0
- package/.agent/skills/index.json +143 -0
- package/.agent/skills/languages/_index.yaml +33 -0
- package/.agent/skills/languages/asm/ADVANCED.md +750 -0
- package/.agent/skills/languages/asm/META.yaml +84 -0
- package/.agent/skills/languages/asm/SKILL.md +753 -0
- package/.agent/skills/languages/asm/data/advanced.yaml +295 -0
- package/.agent/skills/languages/asm/data/core.yaml +280 -0
- package/.agent/skills/languages/c/ADVANCED.md +625 -0
- package/.agent/skills/languages/c/META.yaml +58 -0
- package/.agent/skills/languages/c/SKILL.md +748 -0
- package/.agent/skills/languages/c/data/core.yaml +179 -0
- package/.agent/skills/languages/c/data/embedded.yaml +251 -0
- package/.agent/skills/languages/c/data/memory.yaml +253 -0
- package/.agent/skills/languages/clojure/META.yaml +13 -0
- package/.agent/skills/languages/clojure/SKILL.md +130 -0
- package/.agent/skills/languages/clojure/data/core.yaml +326 -0
- package/.agent/skills/languages/cpp/ADVANCED.md +457 -0
- package/.agent/skills/languages/cpp/META.yaml +61 -0
- package/.agent/skills/languages/cpp/SKILL.md +936 -0
- package/.agent/skills/languages/cpp/data/core.yaml +304 -0
- package/.agent/skills/languages/cpp/data/memory.yaml +247 -0
- package/.agent/skills/languages/cpp/data/modern.yaml +334 -0
- package/.agent/skills/languages/crystal/META.yaml +30 -0
- package/.agent/skills/languages/crystal/SKILL.md +117 -0
- package/.agent/skills/languages/crystal/data/async.yaml +264 -0
- package/.agent/skills/languages/crystal/data/core.yaml +279 -0
- package/.agent/skills/languages/csharp/ADVANCED.md +592 -0
- package/.agent/skills/languages/csharp/META.yaml +23 -0
- package/.agent/skills/languages/csharp/SKILL.md +620 -0
- package/.agent/skills/languages/csharp/data/aspnet.yaml +448 -0
- package/.agent/skills/languages/csharp/data/core.yaml +362 -0
- package/.agent/skills/languages/elixir/META.yaml +18 -0
- package/.agent/skills/languages/elixir/SKILL.md +368 -0
- package/.agent/skills/languages/elixir/data/core.yaml +392 -0
- package/.agent/skills/languages/fsharp/META.yaml +14 -0
- package/.agent/skills/languages/fsharp/SKILL.md +113 -0
- package/.agent/skills/languages/fsharp/data/core.yaml +396 -0
- package/.agent/skills/languages/go/ADVANCED.md +260 -0
- package/.agent/skills/languages/go/META.yaml +64 -0
- package/.agent/skills/languages/go/SKILL.md +489 -0
- package/.agent/skills/languages/go/data/concurrency.yaml +424 -0
- package/.agent/skills/languages/go/data/core.yaml +399 -0
- package/.agent/skills/languages/go/data/http.yaml +507 -0
- package/.agent/skills/languages/haskell/META.yaml +18 -0
- package/.agent/skills/languages/haskell/SKILL.md +305 -0
- package/.agent/skills/languages/haskell/data/core.yaml +347 -0
- package/.agent/skills/languages/java/ADVANCED.md +450 -0
- package/.agent/skills/languages/java/META.yaml +89 -0
- package/.agent/skills/languages/java/SKILL.md +495 -0
- package/.agent/skills/languages/java/data/core.yaml +307 -0
- package/.agent/skills/languages/java/data/spring.yaml +437 -0
- package/.agent/skills/languages/javascript/ADVANCED.md +530 -0
- package/.agent/skills/languages/javascript/META.yaml +105 -0
- package/.agent/skills/languages/javascript/SKILL.md +455 -0
- package/.agent/skills/languages/javascript/data/async.yaml +290 -0
- package/.agent/skills/languages/javascript/data/core.yaml +380 -0
- package/.agent/skills/languages/javascript/data/modern.yaml +269 -0
- package/.agent/skills/languages/julia/META.yaml +13 -0
- package/.agent/skills/languages/julia/SKILL.md +174 -0
- package/.agent/skills/languages/julia/data/core.yaml +356 -0
- package/.agent/skills/languages/kotlin/ADVANCED.md +539 -0
- package/.agent/skills/languages/kotlin/META.yaml +24 -0
- package/.agent/skills/languages/kotlin/SKILL.md +525 -0
- package/.agent/skills/languages/kotlin/data/android.yaml +495 -0
- package/.agent/skills/languages/kotlin/data/core.yaml +366 -0
- package/.agent/skills/languages/lua/ADVANCED.md +257 -0
- package/.agent/skills/languages/lua/META.yaml +58 -0
- package/.agent/skills/languages/lua/SKILL.md +492 -0
- package/.agent/skills/languages/lua/data/core.yaml +264 -0
- package/.agent/skills/languages/lua/data/embedding.yaml +300 -0
- package/.agent/skills/languages/nim/META.yaml +30 -0
- package/.agent/skills/languages/nim/SKILL.md +116 -0
- package/.agent/skills/languages/nim/data/async.yaml +257 -0
- package/.agent/skills/languages/nim/data/core.yaml +241 -0
- package/.agent/skills/languages/ocaml/META.yaml +13 -0
- package/.agent/skills/languages/ocaml/SKILL.md +123 -0
- package/.agent/skills/languages/ocaml/data/core.yaml +357 -0
- package/.agent/skills/languages/perl/META.yaml +13 -0
- package/.agent/skills/languages/perl/SKILL.md +115 -0
- package/.agent/skills/languages/perl/data/core.yaml +360 -0
- package/.agent/skills/languages/php/ADVANCED.md +199 -0
- package/.agent/skills/languages/php/META.yaml +18 -0
- package/.agent/skills/languages/php/SKILL.md +488 -0
- package/.agent/skills/languages/php/data/core.yaml +392 -0
- package/.agent/skills/languages/php/data/laravel.yaml +525 -0
- package/.agent/skills/languages/python/ADVANCED.md +207 -0
- package/.agent/skills/languages/python/META.yaml +91 -0
- package/.agent/skills/languages/python/SKILL.md +495 -0
- package/.agent/skills/languages/python/data/async.yaml +265 -0
- package/.agent/skills/languages/python/data/core.yaml +259 -0
- package/.agent/skills/languages/python/data/fastapi.yaml +296 -0
- package/.agent/skills/languages/python/data/testing.yaml +226 -0
- package/.agent/skills/languages/r/META.yaml +16 -0
- package/.agent/skills/languages/r/SKILL.md +348 -0
- package/.agent/skills/languages/r/data/core.yaml +355 -0
- package/.agent/skills/languages/ruby/ADVANCED.md +381 -0
- package/.agent/skills/languages/ruby/META.yaml +19 -0
- package/.agent/skills/languages/ruby/SKILL.md +417 -0
- package/.agent/skills/languages/ruby/data/core.yaml +448 -0
- package/.agent/skills/languages/ruby/data/rails.yaml +415 -0
- package/.agent/skills/languages/rust/ADVANCED.md +212 -0
- package/.agent/skills/languages/rust/META.yaml +87 -0
- package/.agent/skills/languages/rust/SKILL.md +377 -0
- package/.agent/skills/languages/rust/data/async.yaml +404 -0
- package/.agent/skills/languages/rust/data/axum.yaml +450 -0
- package/.agent/skills/languages/rust/data/core.yaml +356 -0
- package/.agent/skills/languages/scala/META.yaml +17 -0
- package/.agent/skills/languages/scala/SKILL.md +202 -0
- package/.agent/skills/languages/scala/data/core.yaml +349 -0
- package/.agent/skills/languages/solidity/META.yaml +13 -0
- package/.agent/skills/languages/solidity/SKILL.md +188 -0
- package/.agent/skills/languages/solidity/data/core.yaml +528 -0
- package/.agent/skills/languages/swift/ADVANCED.md +231 -0
- package/.agent/skills/languages/swift/META.yaml +18 -0
- package/.agent/skills/languages/swift/SKILL.md +342 -0
- package/.agent/skills/languages/swift/data/core.yaml +489 -0
- package/.agent/skills/languages/typescript/ADVANCED.md +186 -0
- package/.agent/skills/languages/typescript/META.yaml +92 -0
- package/.agent/skills/languages/typescript/SKILL.md +306 -0
- package/.agent/skills/languages/typescript/data/async.yaml +397 -0
- package/.agent/skills/languages/typescript/data/core.yaml +283 -0
- package/.agent/skills/languages/typescript/data/validation.yaml +338 -0
- package/.agent/skills/languages/zig/META.yaml +52 -0
- package/.agent/skills/languages/zig/SKILL.md +354 -0
- package/.agent/skills/languages/zig/data/async.yaml +314 -0
- package/.agent/skills/languages/zig/data/core.yaml +302 -0
- package/.agent/templates/README.md +42 -0
- package/.agent/templates/audit-report.md +153 -0
- package/.agent/templates/chains/debug/step1-reproduce.md +83 -0
- package/.agent/templates/chains/debug/step2-isolate.md +73 -0
- package/.agent/templates/chains/debug/step3-analyze.md +86 -0
- package/.agent/templates/chains/debug/step4-fix.md +85 -0
- package/.agent/templates/chains/debug/step5-verify.md +122 -0
- package/.agent/templates/chains/implement/step1-plan.md +88 -0
- package/.agent/templates/chains/implement/step2-code.md +87 -0
- package/.agent/templates/chains/implement/step3-test.md +87 -0
- package/.agent/templates/chains/implement/step4-doc.md +118 -0
- package/.agent/templates/chains/review/step1-understand.md +74 -0
- package/.agent/templates/chains/review/step2-analyze.md +110 -0
- package/.agent/templates/chains/review/step3-fix.md +93 -0
- package/.agent/templates/chains/review/step4-summary.md +104 -0
- package/.agent/templates/debug-report.md +50 -0
- package/.agent/templates/deploy-plan.md +54 -0
- package/.agent/templates/doc-template.md +57 -0
- package/.agent/templates/findings.md +122 -0
- package/.agent/templates/index.yaml +239 -0
- package/.agent/templates/migrate-plan.md +50 -0
- package/.agent/templates/phase-template.md +72 -0
- package/.agent/templates/project-plan.md +87 -0
- package/.agent/templates/prompts/context_block.md +114 -0
- package/.agent/templates/prompts/guardrails_block.md +116 -0
- package/.agent/templates/prompts/persona_base.md +155 -0
- package/.agent/templates/prompts/tools_block.md +137 -0
- package/.agent/templates/reflection/critic.md +110 -0
- package/.agent/templates/reflection/error_analysis.md +149 -0
- package/.agent/templates/reflection/success_analysis.md +174 -0
- package/.agent/templates/task-list.md +144 -0
- package/.agent/templates/tasks/audit.yaml +146 -0
- package/.agent/templates/tasks/bug_fix.yaml +121 -0
- package/.agent/templates/tasks/code_implementation.yaml +110 -0
- package/.agent/templates/tasks/refactor.yaml +157 -0
- package/.agent/templates/test-report.md +52 -0
- package/.agent/workflows/ap.md +135 -0
- package/.agent/workflows/code.md +130 -0
- package/.agent/workflows/debug.md +230 -0
- package/.agent/workflows/deploy.md +192 -0
- package/.agent/workflows/dev.md +137 -0
- package/.agent/workflows/doc.md +124 -0
- package/.agent/workflows/env.md +98 -0
- package/.agent/workflows/fix.md +76 -0
- package/.agent/workflows/generate.md +28 -0
- package/.agent/workflows/git.md +97 -0
- package/.agent/workflows/help.md +75 -0
- package/.agent/workflows/init.md +148 -0
- package/.agent/workflows/migrate.md +135 -0
- package/.agent/workflows/monitor.md +133 -0
- package/.agent/workflows/onboard.md +144 -0
- package/.agent/workflows/orchestrate.md +117 -0
- package/.agent/workflows/perf.md +106 -0
- package/.agent/workflows/plan.md +106 -0
- package/.agent/workflows/recap.md +101 -0
- package/.agent/workflows/refactor.md +161 -0
- package/.agent/workflows/revert.md +99 -0
- package/.agent/workflows/review.md +106 -0
- package/.agent/workflows/scaffold.md +119 -0
- package/.agent/workflows/security.md +186 -0
- package/.agent/workflows/status.md +103 -0
- package/.agent/workflows/test.md +157 -0
- package/.agent/workflows/think.md +126 -0
- package/.agent/workflows/upgrade.md +109 -0
- package/.agent/workflows/visualize.md +295 -0
- package/.agent/workflows/workflow.md +196 -0
- package/README.md +64 -0
- package/dist/commands/add.d.ts +2 -0
- package/dist/commands/add.d.ts.map +1 -0
- package/dist/commands/add.js +70 -0
- package/dist/commands/add.js.map +1 -0
- package/dist/commands/config.d.ts +4 -0
- package/dist/commands/config.d.ts.map +1 -0
- package/dist/commands/config.js +152 -0
- package/dist/commands/config.js.map +1 -0
- package/dist/commands/doctor.d.ts +4 -0
- package/dist/commands/doctor.d.ts.map +1 -0
- package/dist/commands/doctor.js +98 -0
- package/dist/commands/doctor.js.map +1 -0
- package/dist/commands/hsa.d.ts +4 -0
- package/dist/commands/hsa.d.ts.map +1 -0
- package/dist/commands/hsa.js +194 -0
- package/dist/commands/hsa.js.map +1 -0
- package/dist/commands/info.d.ts +2 -0
- package/dist/commands/info.d.ts.map +1 -0
- package/dist/commands/info.js +149 -0
- package/dist/commands/info.js.map +1 -0
- package/dist/commands/init.d.ts +4 -0
- package/dist/commands/init.d.ts.map +1 -0
- package/dist/commands/init.js +262 -0
- package/dist/commands/init.js.map +1 -0
- package/dist/commands/install-core.d.ts +4 -0
- package/dist/commands/install-core.d.ts.map +1 -0
- package/dist/commands/install-core.js +85 -0
- package/dist/commands/install-core.js.map +1 -0
- package/dist/commands/install-helpers.d.ts +27 -0
- package/dist/commands/install-helpers.d.ts.map +1 -0
- package/dist/commands/install-helpers.js +125 -0
- package/dist/commands/install-helpers.js.map +1 -0
- package/dist/commands/install-hsa.d.ts +18 -0
- package/dist/commands/install-hsa.d.ts.map +1 -0
- package/dist/commands/install-hsa.js +61 -0
- package/dist/commands/install-hsa.js.map +1 -0
- package/dist/commands/install.d.ts +4 -0
- package/dist/commands/install.d.ts.map +1 -0
- package/dist/commands/install.js +310 -0
- package/dist/commands/install.js.map +1 -0
- package/dist/commands/list.d.ts +4 -0
- package/dist/commands/list.d.ts.map +1 -0
- package/dist/commands/list.js +91 -0
- package/dist/commands/list.js.map +1 -0
- package/dist/commands/mcp-registry.d.ts +48 -0
- package/dist/commands/mcp-registry.d.ts.map +1 -0
- package/dist/commands/mcp-registry.js +246 -0
- package/dist/commands/mcp-registry.js.map +1 -0
- package/dist/commands/mcp-writers.d.ts +20 -0
- package/dist/commands/mcp-writers.d.ts.map +1 -0
- package/dist/commands/mcp-writers.js +144 -0
- package/dist/commands/mcp-writers.js.map +1 -0
- package/dist/commands/mcp.d.ts +10 -0
- package/dist/commands/mcp.d.ts.map +1 -0
- package/dist/commands/mcp.js +319 -0
- package/dist/commands/mcp.js.map +1 -0
- package/dist/commands/update.d.ts +4 -0
- package/dist/commands/update.d.ts.map +1 -0
- package/dist/commands/update.js +79 -0
- package/dist/commands/update.js.map +1 -0
- package/dist/constants/cursor-globs.d.ts +17 -0
- package/dist/constants/cursor-globs.d.ts.map +1 -0
- package/dist/constants/cursor-globs.js +62 -0
- package/dist/constants/cursor-globs.js.map +1 -0
- package/dist/constants/ide-install-specs.d.ts +36 -0
- package/dist/constants/ide-install-specs.d.ts.map +1 -0
- package/dist/constants/ide-install-specs.js +870 -0
- package/dist/constants/ide-install-specs.js.map +1 -0
- package/dist/constants/ides.d.ts +105 -0
- package/dist/constants/ides.d.ts.map +1 -0
- package/dist/constants/ides.js +412 -0
- package/dist/constants/ides.js.map +1 -0
- package/dist/constants/skills.d.ts +40 -0
- package/dist/constants/skills.d.ts.map +1 -0
- package/dist/constants/skills.js +78 -0
- package/dist/constants/skills.js.map +1 -0
- package/dist/constants.d.ts +39 -0
- package/dist/constants.d.ts.map +1 -0
- package/dist/constants.js +75 -0
- package/dist/constants.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +122 -0
- package/dist/index.js.map +1 -0
- package/dist/types/flags.d.ts +47 -0
- package/dist/types/flags.d.ts.map +1 -0
- package/dist/types/flags.js +4 -0
- package/dist/types/flags.js.map +1 -0
- package/dist/types/ide-install.d.ts +175 -0
- package/dist/types/ide-install.d.ts.map +1 -0
- package/dist/types/ide-install.js +29 -0
- package/dist/types/ide-install.js.map +1 -0
- package/dist/utils/copy-helpers.d.ts +60 -0
- package/dist/utils/copy-helpers.d.ts.map +1 -0
- package/dist/utils/copy-helpers.js +617 -0
- package/dist/utils/copy-helpers.js.map +1 -0
- package/dist/utils/index.d.ts +3 -0
- package/dist/utils/index.d.ts.map +1 -0
- package/dist/utils/index.js +5 -0
- package/dist/utils/index.js.map +1 -0
- package/dist/utils/validation.d.ts +29 -0
- package/dist/utils/validation.d.ts.map +1 -0
- package/dist/utils/validation.js +211 -0
- package/dist/utils/validation.js.map +1 -0
- package/package.json +64 -0
|
@@ -0,0 +1,369 @@
|
|
|
1
|
+
metadata:
|
|
2
|
+
skill: security
|
|
3
|
+
domain: mobile_security
|
|
4
|
+
version: 6.2.0
|
|
5
|
+
updated: '2026-02-05'
|
|
6
|
+
migrated_from: mobile-security.csv
|
|
7
|
+
patterns_count: 35
|
|
8
|
+
columns:
|
|
9
|
+
- id
|
|
10
|
+
- name
|
|
11
|
+
- severity
|
|
12
|
+
- category
|
|
13
|
+
- platform
|
|
14
|
+
- description
|
|
15
|
+
- detection_pattern
|
|
16
|
+
- fix_pattern
|
|
17
|
+
- example_vuln
|
|
18
|
+
- example_fix
|
|
19
|
+
patterns:
|
|
20
|
+
- id: MS-01
|
|
21
|
+
name: Insecure Data Storage
|
|
22
|
+
severity: CRITICAL
|
|
23
|
+
category: Storage
|
|
24
|
+
platform: Both
|
|
25
|
+
description: Sensitive data stored unencrypted in SharedPreferences or UserDefaults
|
|
26
|
+
detection_pattern: (SharedPreferences|UserDefaults|NSUserDefaults).*put.*(password|token|secret|key)
|
|
27
|
+
fix_pattern: Use EncryptedSharedPreferences or Keychain
|
|
28
|
+
example_vuln: sharedPrefs.edit().putString('password', pwd)
|
|
29
|
+
example_fix: val encPrefs = EncryptedSharedPreferences.create(...)\nencPrefs.edit().putString('password', pwd)
|
|
30
|
+
- id: MS-02
|
|
31
|
+
name: Hardcoded Credentials
|
|
32
|
+
severity: CRITICAL
|
|
33
|
+
category: Secrets
|
|
34
|
+
platform: Both
|
|
35
|
+
description: API keys secrets or passwords hardcoded in source or resources
|
|
36
|
+
detection_pattern: (api.*key|password|secret|token)\\s*=\\s*['\][^'\"]{8
|
|
37
|
+
fix_pattern: '}[''\"]"'
|
|
38
|
+
example_vuln: Use secure key management at runtime not build time
|
|
39
|
+
example_fix: const API_KEY = 'sk-1234567890abcdef'
|
|
40
|
+
- id: MS-03
|
|
41
|
+
name: Exported Components Vulnerable
|
|
42
|
+
severity: HIGH
|
|
43
|
+
category: Android
|
|
44
|
+
platform: Android
|
|
45
|
+
description: Activities services receivers exported without permission checks
|
|
46
|
+
detection_pattern: <(activity|service|receiver).*exported\\s*=\\s*\true\"(?!.*permission)"
|
|
47
|
+
fix_pattern: Set exported=false or require custom permissions
|
|
48
|
+
example_vuln: <activity android:exported='true' />
|
|
49
|
+
example_fix: <activity android:exported='true'\n android:permission='com.app.INTERNAL' />
|
|
50
|
+
- id: MS-04
|
|
51
|
+
name: Intent Injection
|
|
52
|
+
severity: HIGH
|
|
53
|
+
category: Android
|
|
54
|
+
platform: Android
|
|
55
|
+
description: Intent data used without validation enabling injection
|
|
56
|
+
detection_pattern: getIntent\\(\\)\\.get.*(String|Extra|Data)(?!.*valid)
|
|
57
|
+
fix_pattern: Validate all Intent extras before use
|
|
58
|
+
example_vuln: val url = intent.getStringExtra('url')
|
|
59
|
+
example_fix: val url = intent.getStringExtra('url')\nif (!isValidUrl(url)) return
|
|
60
|
+
- id: MS-05
|
|
61
|
+
name: Content Provider SQL Injection
|
|
62
|
+
severity: CRITICAL
|
|
63
|
+
category: Android
|
|
64
|
+
platform: Android
|
|
65
|
+
description: Content provider query without parameterized selection
|
|
66
|
+
detection_pattern: query\\(.*selection.*\\+(?!.*param)
|
|
67
|
+
fix_pattern: Use parameterized selection with selectionArgs
|
|
68
|
+
example_vuln: query(uri, null, 'id=' + input, null)
|
|
69
|
+
example_fix: query(uri, null, 'id=?', arrayOf(input))
|
|
70
|
+
- id: MS-06
|
|
71
|
+
name: WebView JavaScript Enabled
|
|
72
|
+
severity: HIGH
|
|
73
|
+
category: WebView
|
|
74
|
+
platform: Both
|
|
75
|
+
description: WebView with JavaScript enabled handling untrusted content
|
|
76
|
+
detection_pattern: setJavaScriptEnabled\\s*\\(\\s*true\\s*\\)
|
|
77
|
+
fix_pattern: Disable JS if not needed validate all loaded URLs
|
|
78
|
+
example_vuln: webView.settings.javaScriptEnabled = true
|
|
79
|
+
example_fix: if (isTrustedUrl(url)) {\n webView.settings.javaScriptEnabled = true\n}
|
|
80
|
+
- id: MS-07
|
|
81
|
+
name: WebView File Access
|
|
82
|
+
severity: HIGH
|
|
83
|
+
category: WebView
|
|
84
|
+
platform: Android
|
|
85
|
+
description: WebView allows file:// access enabling local file theft
|
|
86
|
+
detection_pattern: setAllowFileAccess\\s*\\(\\s*true\\s*\\)
|
|
87
|
+
fix_pattern: Disable file access unless needed restrict to app files
|
|
88
|
+
example_vuln: webView.settings.allowFileAccess = true
|
|
89
|
+
example_fix: webView.settings.allowFileAccess = false\nwebView.settings.allowFileAccessFromFileURLs = false
|
|
90
|
+
- id: MS-08
|
|
91
|
+
name: Insecure Deep Links
|
|
92
|
+
severity: HIGH
|
|
93
|
+
category: Scheme
|
|
94
|
+
platform: Both
|
|
95
|
+
description: Deep link handlers do not validate parameters
|
|
96
|
+
detection_pattern: (intent\\.data|url\\.queryItems)(?!.*valid)
|
|
97
|
+
fix_pattern: Validate all deep link parameters use allowlists
|
|
98
|
+
example_vuln: val action = intent.data?.getQueryParameter('action')
|
|
99
|
+
example_fix: val action = intent.data?.getQueryParameter('action')\nif (action !in ALLOWED_ACTIONS) return
|
|
100
|
+
- id: MS-09
|
|
101
|
+
name: Broadcast Receiver Unprotected
|
|
102
|
+
severity: HIGH
|
|
103
|
+
category: Android
|
|
104
|
+
platform: Android
|
|
105
|
+
description: Broadcast receiver without permission protection
|
|
106
|
+
detection_pattern: registerReceiver\\(.*IntentFilter(?!.*permission)
|
|
107
|
+
fix_pattern: Use LocalBroadcastManager or require permissions
|
|
108
|
+
example_vuln: registerReceiver(receiver, filter)
|
|
109
|
+
example_fix: LocalBroadcastManager.getInstance(this).registerReceiver(receiver, filter)
|
|
110
|
+
- id: MS-10
|
|
111
|
+
name: Keychain Misconfiguration
|
|
112
|
+
severity: HIGH
|
|
113
|
+
category: iOS
|
|
114
|
+
platform: iOS
|
|
115
|
+
description: Keychain access not properly restricted to app
|
|
116
|
+
detection_pattern: kSecAttrAccessible.*Always|kSecAttrAccessGroupToken
|
|
117
|
+
fix_pattern: Use AfterFirstUnlock or WhenPasscodeSetThisDeviceOnly
|
|
118
|
+
example_vuln: 'kSecAttrAccessible: kSecAttrAccessibleAlways'
|
|
119
|
+
example_fix: 'kSecAttrAccessible: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly'
|
|
120
|
+
- id: MS-11
|
|
121
|
+
name: Biometric Bypass
|
|
122
|
+
severity: HIGH
|
|
123
|
+
category: Auth
|
|
124
|
+
platform: Both
|
|
125
|
+
description: Biometric auth can be bypassed via Frida or Xposed
|
|
126
|
+
detection_pattern: BiometricPrompt|LAContext(?!.*fallback.*false)
|
|
127
|
+
fix_pattern: Combine biometric with server-side verification
|
|
128
|
+
example_vuln: LAContext().evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics)
|
|
129
|
+
example_fix: // Combine with server challenge\nlet challenge = fetchServerChallenge()\nvalidateBiometricWithChallenge(challenge)
|
|
130
|
+
- id: MS-12
|
|
131
|
+
name: Clipboard Exposure
|
|
132
|
+
severity: MEDIUM
|
|
133
|
+
category: Privacy
|
|
134
|
+
platform: Both
|
|
135
|
+
description: Sensitive data copied to clipboard without timeout
|
|
136
|
+
detection_pattern: (UIPasteboard|ClipboardManager)\\.set(?!.*expir)
|
|
137
|
+
fix_pattern: Clear clipboard after timeout or use sensitive mode
|
|
138
|
+
example_vuln: UIPasteboard.general.string = password
|
|
139
|
+
example_fix: 'UIPasteboard.general.setItems([[:password]], options: [.expirationDate: Date().addingTimeInterval(30)])'
|
|
140
|
+
- id: MS-13
|
|
141
|
+
name: Screenshot Allowed
|
|
142
|
+
severity: MEDIUM
|
|
143
|
+
category: Privacy
|
|
144
|
+
platform: Both
|
|
145
|
+
description: Sensitive screens can be captured via screenshot
|
|
146
|
+
detection_pattern: (?<!FLAG_SECURE).*setContentView|(?<!ViewController).*viewDidLoad
|
|
147
|
+
fix_pattern: Set FLAG_SECURE or use screenshot detection
|
|
148
|
+
example_vuln: setContentView(R.layout.login)
|
|
149
|
+
example_fix: window.setFlags(FLAG_SECURE, FLAG_SECURE)\nsetContentView(R.layout.login)
|
|
150
|
+
- id: MS-14
|
|
151
|
+
name: Background Snapshot
|
|
152
|
+
severity: MEDIUM
|
|
153
|
+
category: Privacy
|
|
154
|
+
platform: iOS
|
|
155
|
+
description: App snapshot visible in app switcher with sensitive data
|
|
156
|
+
detection_pattern: applicationDidEnterBackground(?!.*blur|overlay)
|
|
157
|
+
fix_pattern: Add blur overlay when entering background
|
|
158
|
+
example_vuln: func applicationDidEnterBackground() { }
|
|
159
|
+
example_fix: func applicationDidEnterBackground() {\n window?.addSubview(blurOverlay)\n}
|
|
160
|
+
- id: MS-15
|
|
161
|
+
name: Insecure Logging
|
|
162
|
+
severity: HIGH
|
|
163
|
+
category: Privacy
|
|
164
|
+
platform: Both
|
|
165
|
+
description: Sensitive data logged to console or files
|
|
166
|
+
detection_pattern: (Log\\.|NSLog|print|console\\.log).*password|token|secret
|
|
167
|
+
fix_pattern: Remove sensitive data from logs use debug-only logging
|
|
168
|
+
example_vuln: 'Log.d(''Auth'', ''Token: '' + token)'
|
|
169
|
+
example_fix: 'if (BuildConfig.DEBUG) Log.d(''Auth'', ''Token: [REDACTED]'')'
|
|
170
|
+
- id: MS-16
|
|
171
|
+
name: Certificate Transparency Missing
|
|
172
|
+
severity: MEDIUM
|
|
173
|
+
category: Network
|
|
174
|
+
platform: Both
|
|
175
|
+
description: App does not verify Certificate Transparency logs
|
|
176
|
+
detection_pattern: (?<!CT|transparency).*TrustManager|URLSession
|
|
177
|
+
fix_pattern: Enable CT verification for critical connections
|
|
178
|
+
example_vuln: // No CT check
|
|
179
|
+
example_fix: // Enable CT\nconnection.enableCertificateTransparency = true
|
|
180
|
+
- id: MS-17
|
|
181
|
+
name: Weak Crypto Algorithm
|
|
182
|
+
severity: HIGH
|
|
183
|
+
category: Crypto
|
|
184
|
+
platform: Both
|
|
185
|
+
description: Using deprecated crypto like MD5 SHA1 DES RC4
|
|
186
|
+
detection_pattern: (MD5|SHA1|DES|RC4|ECB)(?!.*deprecated|legacy)
|
|
187
|
+
fix_pattern: 'Use modern algorithms: SHA-256+ AES-GCM Argon2'
|
|
188
|
+
example_vuln: MessageDigest.getInstance('MD5')
|
|
189
|
+
example_fix: MessageDigest.getInstance('SHA-256')
|
|
190
|
+
- id: MS-18
|
|
191
|
+
name: Insecure Random
|
|
192
|
+
severity: HIGH
|
|
193
|
+
category: Crypto
|
|
194
|
+
platform: Both
|
|
195
|
+
description: Using non-cryptographic random for security tokens
|
|
196
|
+
detection_pattern: (Random|Math\\.random|rand\\(\\))(?!.*Secure)
|
|
197
|
+
fix_pattern: Use SecureRandom or platform crypto APIs
|
|
198
|
+
example_vuln: val token = Random().nextInt().toString()
|
|
199
|
+
example_fix: val token = SecureRandom().nextBytes(32).toHex()
|
|
200
|
+
- id: MS-19
|
|
201
|
+
name: Missing Certificate Validation
|
|
202
|
+
severity: CRITICAL
|
|
203
|
+
category: Network
|
|
204
|
+
platform: Both
|
|
205
|
+
description: TLS certificate validation disabled or incomplete
|
|
206
|
+
detection_pattern: (ALLOW_ALL|TrustManager.*checkServerTrusted.*\\{\\s*\\})
|
|
207
|
+
fix_pattern: Always validate certificates use system trust store
|
|
208
|
+
example_vuln: override fun checkServerTrusted() { }
|
|
209
|
+
example_fix: override fun checkServerTrusted(chain, authType) {\n defaultTrustManager.checkServerTrusted(chain, authType)\n}
|
|
210
|
+
- id: MS-20
|
|
211
|
+
name: Cleartext Traffic
|
|
212
|
+
severity: HIGH
|
|
213
|
+
category: Network
|
|
214
|
+
platform: Both
|
|
215
|
+
description: App allows HTTP cleartext traffic
|
|
216
|
+
detection_pattern: (cleartextTrafficPermitted|NSAllowsArbitraryLoads|http://)
|
|
217
|
+
fix_pattern: Enforce HTTPS only via network security config
|
|
218
|
+
example_vuln: android:usesCleartextTraffic='true'
|
|
219
|
+
example_fix: android:usesCleartextTraffic='false'\n// Or network_security_config.xml
|
|
220
|
+
- id: MS-21
|
|
221
|
+
name: Privacy Controls Missing M6
|
|
222
|
+
severity: HIGH
|
|
223
|
+
category: Privacy
|
|
224
|
+
platform: Both
|
|
225
|
+
description: Inadequate privacy controls for PII collection - OWASP 2024
|
|
226
|
+
detection_pattern: (collect|track|analytics)(?!.*consent|gdpr|privacy)
|
|
227
|
+
fix_pattern: Implement consent mechanisms and privacy controls
|
|
228
|
+
example_vuln: analytics.track(userId, event)
|
|
229
|
+
example_fix: if (userConsent.analytics) analytics.track(userId, event)
|
|
230
|
+
- id: MS-22
|
|
231
|
+
name: Data Minimization Failure
|
|
232
|
+
severity: MEDIUM
|
|
233
|
+
category: Privacy
|
|
234
|
+
platform: Both
|
|
235
|
+
description: App collects more data than necessary
|
|
236
|
+
detection_pattern: (collect|store).*(location|contacts|photos)(?!.*required)
|
|
237
|
+
fix_pattern: Collect only necessary data explain purpose
|
|
238
|
+
example_vuln: requestPermissions([CONTACTS, LOCATION, CAMERA])
|
|
239
|
+
example_fix: // Only request what's needed\nrequestPermissions([CAMERA]) // For QR scan only
|
|
240
|
+
- id: MS-23
|
|
241
|
+
name: Third Party SDK Risks
|
|
242
|
+
severity: HIGH
|
|
243
|
+
category: Privacy
|
|
244
|
+
platform: Both
|
|
245
|
+
description: Unvetted third-party SDKs with excessive permissions
|
|
246
|
+
detection_pattern: (facebook|google|firebase|analytics)(?!.*privacy.*reviewed)
|
|
247
|
+
fix_pattern: Audit SDK permissions and data collection
|
|
248
|
+
example_vuln: implementation 'com.analytics:sdk:1.0'
|
|
249
|
+
example_fix: '// Audit SDK before adding\n// Check: permissions, data collection, privacy policy'
|
|
250
|
+
- id: MS-24
|
|
251
|
+
name: Insecure Backup
|
|
252
|
+
severity: HIGH
|
|
253
|
+
category: Storage
|
|
254
|
+
platform: Android
|
|
255
|
+
description: App data included in auto-backup without encryption
|
|
256
|
+
detection_pattern: android:allowBackup\\s*=\\s*\true\"(?!.*fullBackupContent)"
|
|
257
|
+
fix_pattern: Disable backup or use encrypted backup rules
|
|
258
|
+
example_vuln: android:allowBackup='true'
|
|
259
|
+
example_fix: android:allowBackup='false'\n// Or use backup_rules.xml with encryption
|
|
260
|
+
- id: MS-25
|
|
261
|
+
name: Missing App Transport Security
|
|
262
|
+
severity: HIGH
|
|
263
|
+
category: Network
|
|
264
|
+
platform: iOS
|
|
265
|
+
description: ATS disabled allowing insecure connections
|
|
266
|
+
detection_pattern: NSAllowsArbitraryLoads.*true
|
|
267
|
+
fix_pattern: Enable ATS and only allow specific exceptions
|
|
268
|
+
example_vuln: 'NSAllowsArbitraryLoads: true'
|
|
269
|
+
example_fix: 'NSAllowsArbitraryLoads: false\n// Add specific domain exceptions only'
|
|
270
|
+
- id: MS-26
|
|
271
|
+
name: Insecure IPC
|
|
272
|
+
severity: HIGH
|
|
273
|
+
category: Android
|
|
274
|
+
platform: Android
|
|
275
|
+
description: Inter-process communication without validation
|
|
276
|
+
detection_pattern: Messenger|AIDL|ContentProvider(?!.*permission|validate)
|
|
277
|
+
fix_pattern: Validate all IPC inputs and require permissions
|
|
278
|
+
example_vuln: 'override fun onBind(intent: Intent) = binder'
|
|
279
|
+
example_fix: 'override fun onBind(intent: Intent): IBinder? {\n if (!validateCaller()) return null\n return binder\n}'
|
|
280
|
+
- id: MS-27
|
|
281
|
+
name: Tapjacking Vulnerable
|
|
282
|
+
severity: MEDIUM
|
|
283
|
+
category: Android
|
|
284
|
+
platform: Android
|
|
285
|
+
description: Views do not filter touch events behind overlays
|
|
286
|
+
detection_pattern: setOnClickListener(?!.*filterTouchesWhenObscured)
|
|
287
|
+
fix_pattern: Enable filterTouchesWhenObscured for sensitive buttons
|
|
288
|
+
example_vuln: button.setOnClickListener { transfer() }
|
|
289
|
+
example_fix: button.filterTouchesWhenObscured = true\nbutton.setOnClickListener { transfer() }
|
|
290
|
+
- id: MS-28
|
|
291
|
+
name: Pending Intent Mutable
|
|
292
|
+
severity: HIGH
|
|
293
|
+
category: Android
|
|
294
|
+
platform: Android
|
|
295
|
+
description: Mutable PendingIntent can be hijacked
|
|
296
|
+
detection_pattern: PendingIntent\\.get.*(?!.*FLAG_IMMUTABLE)
|
|
297
|
+
fix_pattern: Use FLAG_IMMUTABLE for PendingIntents
|
|
298
|
+
example_vuln: PendingIntent.getActivity(ctx, 0, intent, 0)
|
|
299
|
+
example_fix: PendingIntent.getActivity(ctx, 0, intent, FLAG_IMMUTABLE)
|
|
300
|
+
- id: MS-29
|
|
301
|
+
name: Task Affinity Hijack
|
|
302
|
+
severity: MEDIUM
|
|
303
|
+
category: Android
|
|
304
|
+
platform: Android
|
|
305
|
+
description: Default task affinity allows activity hijacking
|
|
306
|
+
detection_pattern: <activity(?!.*taskAffinity=\\").*>"
|
|
307
|
+
fix_pattern: Set empty taskAffinity for sensitive activities
|
|
308
|
+
example_vuln: <activity android:name='.PaymentActivity'/>
|
|
309
|
+
example_fix: <activity android:name='.PaymentActivity'\n android:taskAffinity='' />
|
|
310
|
+
- id: MS-30
|
|
311
|
+
name: URL Scheme Hijack
|
|
312
|
+
severity: HIGH
|
|
313
|
+
category: iOS
|
|
314
|
+
platform: iOS
|
|
315
|
+
description: Custom URL scheme can be hijacked by malicious apps
|
|
316
|
+
detection_pattern: CFBundleURLSchemes(?!.*universal.*link)
|
|
317
|
+
fix_pattern: Use Universal Links instead of custom schemes
|
|
318
|
+
example_vuln: <string>myapp</string> // Custom scheme
|
|
319
|
+
example_fix: '// Use Universal Links\nassociated-domains: applinks:example.com'
|
|
320
|
+
- id: MS-31
|
|
321
|
+
name: Extension Data Leak
|
|
322
|
+
severity: MEDIUM
|
|
323
|
+
category: iOS
|
|
324
|
+
platform: iOS
|
|
325
|
+
description: App extensions share sensitive data insecurely
|
|
326
|
+
detection_pattern: NSExtensionActivationRule.*TRUEPREDICATE
|
|
327
|
+
fix_pattern: Restrict extension activation to specific types
|
|
328
|
+
example_vuln: 'NSExtensionActivationRule: TRUEPREDICATE'
|
|
329
|
+
example_fix: 'NSExtensionActivationSupportsText: true\n// Only allow text sharing'
|
|
330
|
+
- id: MS-32
|
|
331
|
+
name: Face ID Fallback
|
|
332
|
+
severity: MEDIUM
|
|
333
|
+
category: iOS
|
|
334
|
+
platform: iOS
|
|
335
|
+
description: Face ID falls back to passcode without warning
|
|
336
|
+
detection_pattern: LAPolicy.*deviceOwnerAuthentication(?!.*biometrics)
|
|
337
|
+
fix_pattern: Use biometricsOnly policy for sensitive operations
|
|
338
|
+
example_vuln: context.evaluatePolicy(.deviceOwnerAuthentication)
|
|
339
|
+
example_fix: context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics)
|
|
340
|
+
- id: MS-33
|
|
341
|
+
name: Simulator Detection Missing
|
|
342
|
+
severity: MEDIUM
|
|
343
|
+
category: Mobile
|
|
344
|
+
platform: Both
|
|
345
|
+
description: App does not detect simulator or emulator environment
|
|
346
|
+
detection_pattern: (TARGET_IPHONE_SIMULATOR|Build\\.FINGERPRINT)(?!.*detect)
|
|
347
|
+
fix_pattern: Detect simulators and disable sensitive features
|
|
348
|
+
example_vuln: // No simulator check
|
|
349
|
+
example_fix: '#if targetEnvironment(simulator)\n sensitiveFeatures.isEnabled = false\n#endif'
|
|
350
|
+
- id: MS-34
|
|
351
|
+
name: Debug Assertions
|
|
352
|
+
severity: LOW
|
|
353
|
+
category: Debug
|
|
354
|
+
platform: Both
|
|
355
|
+
description: Debug assertions expose internal state in production
|
|
356
|
+
detection_pattern: (assert|NSAssert|precondition).*secret|password
|
|
357
|
+
fix_pattern: Remove sensitive assertions or use production guards
|
|
358
|
+
example_vuln: 'assert(password.length > 8, ''Password: \(password)'')'
|
|
359
|
+
example_fix: assert(password.length > 8) // No sensitive data
|
|
360
|
+
- id: MS-35
|
|
361
|
+
name: Universal Links Bypass
|
|
362
|
+
severity: MEDIUM
|
|
363
|
+
category: iOS
|
|
364
|
+
platform: iOS
|
|
365
|
+
description: Universal Links validation can be bypassed
|
|
366
|
+
detection_pattern: apple-app-site-association(?!.*appID.*teamID)
|
|
367
|
+
fix_pattern: Verify applinks domain and AASA file properly
|
|
368
|
+
example_vuln: // Malformed AASA file
|
|
369
|
+
example_fix: // Properly configured AASA with correct team ID and bundle ID
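Review bot: Entry MS-02 has its columns shifted, so `example_fix` holds the hardcoded key `const API_KEY = 'sk-1234567890abcdef'` and `example_vuln` holds the remediation text; anything that displays or applies `example_fix` would present a hardcoded credential as the remedy. Its `detection_pattern` stops at `{8` and the rest of the regex sits in `fix_pattern`, which looks like the comma of a `{8,}` quantifier being read as a field separator during the migration from mobile-security.csv. The patterns in MS-03, MS-24 and MS-29 appear to carry related quoting damage (`\true\"` and a stray trailing `"`), so they likely cannot match `exported="true"` or `allowBackup="true"` as written. The fence reconstructs MS-02 in the file's existing escaping as far as the page allows; the original `example_fix` is not recoverable here and has to come from the CSV. A load-time check that every `detection_pattern` compiles and that `fix_pattern` is prose would catch this class of error.

```yaml
- id: MS-02
  # … unchanged: name, severity, category, platform, description …
  detection_pattern: '(api.*key|password|secret|token)\\s*=\\s*[''\"][^''\"]{8,}[''\"]'
  fix_pattern: Use secure key management at runtime not build time
  example_vuln: const API_KEY = 'sk-1234567890abcdef'
  # example_fix: restore the original value from mobile-security.csv (the migrated value is the vulnerable sample)
```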
|
|
@@ -0,0 +1,297 @@
|
|
|
1
|
+
metadata:
|
|
2
|
+
skill: security
|
|
3
|
+
domain: network_security
|
|
4
|
+
version: 6.2.0
|
|
5
|
+
updated: '2026-02-05'
|
|
6
|
+
migrated_from: network-security.csv
|
|
7
|
+
patterns_count: 25
|
|
8
|
+
columns:
|
|
9
|
+
- id
|
|
10
|
+
- name
|
|
11
|
+
- severity
|
|
12
|
+
- category
|
|
13
|
+
- description
|
|
14
|
+
- detection_pattern
|
|
15
|
+
- fix_pattern
|
|
16
|
+
- languages
|
|
17
|
+
- example_vuln
|
|
18
|
+
- example_fix
|
|
19
|
+
patterns:
|
|
20
|
+
- id: NS-01
|
|
21
|
+
name: TLS Version Downgrade
|
|
22
|
+
severity: CRITICAL
|
|
23
|
+
category: Protocol
|
|
24
|
+
description: Allowing fallback to TLS 1.0/1.1 or SSLv3
|
|
25
|
+
detection_pattern: (SSLv3|TLSv1\\.0|TLSv1\\.1|TLS1_0|TLS1_1)
|
|
26
|
+
fix_pattern: Force TLS 1.2+ only disable legacy protocols
|
|
27
|
+
languages: all
|
|
28
|
+
example_vuln: 'minVersion: tls.VersionTLS10'
|
|
29
|
+
example_fix: 'minVersion: tls.VersionTLS12 // NIST mandatory 2024'
|
|
30
|
+
- id: NS-02
|
|
31
|
+
name: Certificate Validation Bypass
|
|
32
|
+
severity: CRITICAL
|
|
33
|
+
category: TLS
|
|
34
|
+
description: Disabling certificate verification in production
|
|
35
|
+
detection_pattern: (InsecureSkipVerify.*true|verify.*false|SSL_VERIFY_NONE|CERT_NONE|checkServerIdentity.*null)
|
|
36
|
+
fix_pattern: Always verify certificates and pin critical ones
|
|
37
|
+
languages:
|
|
38
|
+
- go
|
|
39
|
+
- python
|
|
40
|
+
- java
|
|
41
|
+
- javascript
|
|
42
|
+
- csharp
|
|
43
|
+
example_vuln: 'InsecureSkipVerify: true'
|
|
44
|
+
example_fix: 'InsecureSkipVerify: false\nRootCAs: trustedCertPool'
|
|
45
|
+
- id: NS-03
|
|
46
|
+
name: Weak Cipher Suites
|
|
47
|
+
severity: HIGH
|
|
48
|
+
category: Crypto
|
|
49
|
+
description: Using export-grade DES RC4 or weak ciphers
|
|
50
|
+
detection_pattern: (RC4|DES|3DES|EXPORT|NULL|MD5|SHA1(?!-)|anon)
|
|
51
|
+
fix_pattern: 'Use only modern ciphers: AES-GCM ChaCha20-Poly1305'
|
|
52
|
+
languages: all
|
|
53
|
+
example_vuln: TLS_RSA_WITH_RC4_128_SHA
|
|
54
|
+
example_fix: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
55
|
+
- id: NS-04
|
|
56
|
+
name: DNS Rebinding
|
|
57
|
+
severity: HIGH
|
|
58
|
+
category: Network
|
|
59
|
+
description: Application does not validate Host header allowing DNS rebinding attacks
|
|
60
|
+
detection_pattern: (Host:.*|req\\.headers\\.host)(?!.*allowlist|whitelist)
|
|
61
|
+
fix_pattern: Validate Host header against allowlist
|
|
62
|
+
languages: all
|
|
63
|
+
example_vuln: const host = req.headers.host // Untrusted
|
|
64
|
+
example_fix: const ALLOWED = ['api.example.com']\nif (!ALLOWED.includes(host)) return res.status(403)
|
|
65
|
+
- id: NS-05
|
|
66
|
+
name: WebSocket Origin Bypass
|
|
67
|
+
severity: HIGH
|
|
68
|
+
category: Protocol
|
|
69
|
+
description: Not validating Origin header for WebSocket connections
|
|
70
|
+
detection_pattern: (ws://|wss://)(?!.*origin.*valid)
|
|
71
|
+
fix_pattern: Check Origin header against allowlist
|
|
72
|
+
languages:
|
|
73
|
+
- javascript
|
|
74
|
+
- go
|
|
75
|
+
- python
|
|
76
|
+
example_vuln: ws.on('connection', (client) => {})
|
|
77
|
+
example_fix: if (req.headers.origin !== 'https://example.com') ws.close()
|
|
78
|
+
- id: NS-06
|
|
79
|
+
name: Certificate Pinning Missing
|
|
80
|
+
severity: LOW
|
|
81
|
+
category: Mobile
|
|
82
|
+
description: 'Mobile app does not pin certificates for critical domains - NOTE: largely obsolete in 2024'
|
|
83
|
+
detection_pattern: (URLSession|OkHttp|fetch)(?!.*pinning)
|
|
84
|
+
fix_pattern: Consider mTLS or Certificate Transparency instead of pinning
|
|
85
|
+
languages:
|
|
86
|
+
- swift
|
|
87
|
+
- kotlin
|
|
88
|
+
- java
|
|
89
|
+
example_vuln: URLSession.shared.dataTask(url)
|
|
90
|
+
example_fix: '// Modern: Use Certificate Transparency\n// Or: mTLS for service-to-service'
|
|
91
|
+
- id: NS-07
|
|
92
|
+
name: HTTP Request Smuggling
|
|
93
|
+
severity: HIGH
|
|
94
|
+
category: Protocol
|
|
95
|
+
description: Inconsistent parsing of Content-Length and Transfer-Encoding headers
|
|
96
|
+
detection_pattern: (Content-Length.*Transfer-Encoding|Transfer-Encoding.*Content-Length)
|
|
97
|
+
fix_pattern: Use HTTP/2 normalize headers reject ambiguous requests
|
|
98
|
+
languages: all
|
|
99
|
+
example_vuln: 'Content-Length: 6\nTransfer-Encoding: chunked'
|
|
100
|
+
example_fix: // Use HTTP/2 or reject if TE && CL both present
|
|
101
|
+
- id: NS-08
|
|
102
|
+
name: GraphQL Introspection Leak
|
|
103
|
+
severity: MEDIUM
|
|
104
|
+
category: API
|
|
105
|
+
description: GraphQL introspection enabled in production exposing schema
|
|
106
|
+
detection_pattern: (introspection.*true|__schema|__type)(?!.*prod.*false)
|
|
107
|
+
fix_pattern: Disable introspection in production
|
|
108
|
+
languages:
|
|
109
|
+
- javascript
|
|
110
|
+
- go
|
|
111
|
+
- python
|
|
112
|
+
- java
|
|
113
|
+
example_vuln: 'introspection: true'
|
|
114
|
+
example_fix: 'introspection: process.env.NODE_ENV === ''development'''
|
|
115
|
+
- id: NS-09
|
|
116
|
+
name: GraphQL Batching Attack
|
|
117
|
+
severity: HIGH
|
|
118
|
+
category: API
|
|
119
|
+
description: No limits on GraphQL batched queries enabling brute force
|
|
120
|
+
detection_pattern: (graphql.*batch|batching.*true)(?!.*limit)
|
|
121
|
+
fix_pattern: Limit batch size and add rate limiting per operation
|
|
122
|
+
languages:
|
|
123
|
+
- javascript
|
|
124
|
+
- go
|
|
125
|
+
- python
|
|
126
|
+
example_vuln: // No batch limits
|
|
127
|
+
example_fix: 'maxBatchSize: 10\nrateLimit: { window: ''1m'', max: 100 }'
|
|
128
|
+
- id: NS-10
|
|
129
|
+
name: GraphQL Query Depth DoS
|
|
130
|
+
severity: HIGH
|
|
131
|
+
category: API
|
|
132
|
+
description: No query depth limits allowing resource exhaustion
|
|
133
|
+
detection_pattern: (graphql)(?!.*depth.*limit|maxDepth)
|
|
134
|
+
fix_pattern: Set maximum query depth typically 7-10 levels
|
|
135
|
+
languages:
|
|
136
|
+
- javascript
|
|
137
|
+
- go
|
|
138
|
+
- python
|
|
139
|
+
example_vuln: // No depth limit - 69% of APIs vulnerable
|
|
140
|
+
example_fix: 'validationRules: [depthLimit(10)]'
|
|
141
|
+
- id: NS-11
|
|
142
|
+
name: GraphQL Field Duplication
|
|
143
|
+
severity: MEDIUM
|
|
144
|
+
category: API
|
|
145
|
+
description: No limits on field duplication causing redundant computation
|
|
146
|
+
detection_pattern: (graphql)(?!.*fieldDedupe|duplicateField)
|
|
147
|
+
fix_pattern: Deduplicate identical fields in queries
|
|
148
|
+
languages:
|
|
149
|
+
- javascript
|
|
150
|
+
- go
|
|
151
|
+
- python
|
|
152
|
+
example_vuln: query { user { name name name name } }
|
|
153
|
+
example_fix: // Use field deduplication middleware
|
|
154
|
+
- id: NS-12
|
|
155
|
+
name: gRPC Metadata Injection
|
|
156
|
+
severity: HIGH
|
|
157
|
+
category: Protocol
|
|
158
|
+
description: Untrusted metadata passed to gRPC without validation
|
|
159
|
+
detection_pattern: (metadata\\.append|metadata\\.set|WithOutgoingContext).*user
|
|
160
|
+
fix_pattern: Validate and sanitize all incoming metadata
|
|
161
|
+
languages:
|
|
162
|
+
- go
|
|
163
|
+
- java
|
|
164
|
+
- python
|
|
165
|
+
- csharp
|
|
166
|
+
example_vuln: md.Append('auth', req.Query.token)
|
|
167
|
+
example_fix: if (!isValidToken(token)) throw\nmd.Append('auth', sanitize(token))
|
|
168
|
+
- id: NS-13
|
|
169
|
+
name: WebRTC IP Leak
|
|
170
|
+
severity: MEDIUM
|
|
171
|
+
category: Browser
|
|
172
|
+
description: WebRTC reveals real IP even behind VPN or proxy
|
|
173
|
+
detection_pattern: (RTCPeerConnection|getUserMedia)(?!.*TURN)
|
|
174
|
+
fix_pattern: Use TURN servers only or disable WebRTC
|
|
175
|
+
languages: javascript
|
|
176
|
+
example_vuln: new RTCPeerConnection()
|
|
177
|
+
example_fix: 'iceServers: [{ urls: ''turn:relay.example.com'' }]\niceCandidatePoolSize: 0'
|
|
178
|
+
- id: NS-14
|
|
179
|
+
name: Missing HSTS Header
|
|
180
|
+
severity: HIGH
|
|
181
|
+
category: HTTP
|
|
182
|
+
description: Strict-Transport-Security header not set
|
|
183
|
+
detection_pattern: (?<!Strict-Transport-Security.*)response\\.header
|
|
184
|
+
fix_pattern: Add HSTS header with min 1 year max-age
|
|
185
|
+
languages: all
|
|
186
|
+
example_vuln: // No HSTS header
|
|
187
|
+
example_fix: 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'
|
|
188
|
+
- id: NS-15
|
|
189
|
+
name: Missing CSP Header
|
|
190
|
+
severity: MEDIUM
|
|
191
|
+
category: HTTP
|
|
192
|
+
description: Content-Security-Policy header not configured
|
|
193
|
+
detection_pattern: (?<!Content-Security-Policy.*)response\\.header
|
|
194
|
+
fix_pattern: Set restrictive CSP with nonce or hash
|
|
195
|
+
languages: all
|
|
196
|
+
example_vuln: // No CSP
|
|
197
|
+
example_fix: 'Content-Security-Policy: default-src ''self''; script-src ''nonce-{random}'''
|
|
198
|
+
- id: NS-16
|
|
199
|
+
name: CORS Wildcard
|
|
200
|
+
severity: HIGH
|
|
201
|
+
category: HTTP
|
|
202
|
+
description: Access-Control-Allow-Origin set to * with credentials
|
|
203
|
+
detection_pattern: Access-Control-Allow-Origin.*\\*.*credentials
|
|
204
|
+
fix_pattern: Use specific origin allowlist not wildcard
|
|
205
|
+
languages: all
|
|
206
|
+
example_vuln: 'Access-Control-Allow-Origin: *'
|
|
207
|
+
example_fix: 'Access-Control-Allow-Origin: https://trusted.example.com'
|
|
208
|
+
- id: NS-17
|
|
209
|
+
name: Missing X-Frame-Options
|
|
210
|
+
severity: MEDIUM
|
|
211
|
+
category: HTTP
|
|
212
|
+
description: X-Frame-Options or CSP frame-ancestors not set
|
|
213
|
+
detection_pattern: (?<!X-Frame-Options|frame-ancestors.*)response
|
|
214
|
+
fix_pattern: 'Add X-Frame-Options: DENY or SAMEORIGIN'
|
|
215
|
+
languages: all
|
|
216
|
+
example_vuln: // No frame protection
|
|
217
|
+
example_fix: 'X-Frame-Options: DENY\n// Or CSP: frame-ancestors ''none'''
|
|
218
|
+
- id: NS-18
|
|
219
|
+
name: Cookie Without Secure Flag
|
|
220
|
+
severity: HIGH
|
|
221
|
+
category: HTTP
|
|
222
|
+
description: Sensitive cookies without Secure SameSite HttpOnly flags
|
|
223
|
+
detection_pattern: (Set-Cookie|cookie)(?!.*(Secure|HttpOnly|SameSite))
|
|
224
|
+
fix_pattern: Always set Secure HttpOnly SameSite=Strict for auth cookies
|
|
225
|
+
languages: all
|
|
226
|
+
example_vuln: 'Set-Cookie: session=abc123'
|
|
227
|
+
example_fix: 'Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Strict'
|
|
228
|
+
- id: NS-19
|
|
229
|
+
name: Server Version Disclosure
|
|
230
|
+
severity: LOW
|
|
231
|
+
category: HTTP
|
|
232
|
+
description: Server header exposes software version information
|
|
233
|
+
detection_pattern: Server:.*(Apache|nginx|IIS).*\\d+\\.\\d+
|
|
234
|
+
fix_pattern: Remove or obfuscate Server header in production
|
|
235
|
+
languages: all
|
|
236
|
+
example_vuln: 'Server: nginx/1.21.0'
|
|
237
|
+
example_fix: 'Server: web-server'
|
|
238
|
+
- id: NS-20
|
|
239
|
+
name: SSRF via URL Parameter
|
|
240
|
+
severity: CRITICAL
|
|
241
|
+
category: Network
|
|
242
|
+
description: User-controlled URLs fetched without validation
|
|
243
|
+
detection_pattern: (fetch|request|urllib|http\\.get)\\(.*req\\.(query|body|params)
|
|
244
|
+
fix_pattern: Validate URLs against allowlist block internal IPs
|
|
245
|
+
languages: all
|
|
246
|
+
example_vuln: fetch(req.query.url)
|
|
247
|
+
example_fix: const parsed = new URL(req.query.url)\nif (!ALLOWED_HOSTS.includes(parsed.host)) throw
|
|
248
|
+
- id: NS-21
|
|
249
|
+
name: Open Redirect
|
|
250
|
+
severity: MEDIUM
|
|
251
|
+
category: HTTP
|
|
252
|
+
description: Redirects based on user input without validation
|
|
253
|
+
detection_pattern: (redirect|location).*=.*req\\.(query|body|params)
|
|
254
|
+
fix_pattern: Validate redirect URLs against allowlist
|
|
255
|
+
languages: all
|
|
256
|
+
example_vuln: res.redirect(req.query.next)
|
|
257
|
+
example_fix: if (!isInternalUrl(req.query.next)) throw\nres.redirect(req.query.next)
|
|
258
|
+
- id: NS-22
|
|
259
|
+
name: Missing OCSP Stapling
|
|
260
|
+
severity: LOW
|
|
261
|
+
category: TLS
|
|
262
|
+
description: OCSP stapling not enabled causing latency and privacy issues
|
|
263
|
+
detection_pattern: (?<!ocsp.*stapl)
|
|
264
|
+
fix_pattern: Enable OCSP stapling for faster TLS handshakes
|
|
265
|
+
languages: all
|
|
266
|
+
example_vuln: // No OCSP stapling config
|
|
267
|
+
example_fix: ssl_stapling on;\nssl_stapling_verify on;
|
|
268
|
+
- id: NS-23
|
|
269
|
+
name: Missing DNSSEC
|
|
270
|
+
severity: LOW
|
|
271
|
+
category: DNS
|
|
272
|
+
description: DNS responses not validated with DNSSEC
|
|
273
|
+
detection_pattern: (?<!dnssec)
|
|
274
|
+
fix_pattern: Enable DNSSEC validation for DNS queries
|
|
275
|
+
languages: all
|
|
276
|
+
example_vuln: // No DNSSEC validation
|
|
277
|
+
example_fix: resolver.dnssec = true
|
|
278
|
+
- id: NS-24
|
|
279
|
+
name: Insecure WebSocket
|
|
280
|
+
severity: HIGH
|
|
281
|
+
category: Protocol
|
|
282
|
+
description: WebSocket connection over ws:// instead of wss://
|
|
283
|
+
detection_pattern: ws://(?!localhost|127\\.0\\.0\\.1)
|
|
284
|
+
fix_pattern: Always use wss:// for WebSocket connections
|
|
285
|
+
languages: all
|
|
286
|
+
example_vuln: ws://api.example.com/socket
|
|
287
|
+
example_fix: wss://api.example.com/socket
|
|
288
|
+
- id: NS-25
|
|
289
|
+
name: Missing Rate Limiting
|
|
290
|
+
severity: HIGH
|
|
291
|
+
category: API
|
|
292
|
+
description: No rate limiting on API endpoints enabling DoS and brute force
|
|
293
|
+
detection_pattern: (express|fastify|gin|echo)(?!.*rateLimit|throttle)
|
|
294
|
+
fix_pattern: Implement rate limiting per IP and per user
|
|
295
|
+
languages: all
|
|
296
|
+
example_vuln: app.get('/api/login')
|
|
297
|
+
example_fix: 'app.use(rateLimit({ windowMs: 60000, max: 100 }))'
|
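Review bot: The `detection_pattern` values for NS-22 (`(?<!ocsp.*stapl)`) and NS-23 (`(?<!dnssec)`) consist only of a negative lookbehind, so they match the empty string at almost every position and would flag every scanned input. The absence of a setting cannot be expressed this way; these two rules need a positive pattern on the relevant configuration directive or a different kind of check. NS-14, NS-15 and NS-17 have the same shape with unbounded lookbehinds, which Python `re` and PCRE reject as invalid. Separately, the lookaheads in NS-04, NS-10, NS-11 and NS-25 leave the alternation ungrouped, so `(?!.*rateLimit|throttle)` only excludes `throttle` when it follows immediately; `(?!.*(rateLimit|throttle))` gives the intended meaning. The doubled backslashes in these unquoted YAML scalars (`TLSv1\\.0`) are literal unless the loader, which is not shown here, unescapes them, and NS-01's pattern as written does not match its own `example_vuln` (`tls.VersionTLS10`), so the migrated patterns should be run against their examples before release.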