@oriro/orirocli 0.1.8 → 0.1.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/ATTRIBUTION.md +53 -45
- package/LICENSE +21 -0
- package/README.md +20 -17
- package/dist/cli.js +4425 -2975
- package/package.json +64 -64
- package/skills/1password/SKILL.md +118 -118
- package/skills/1password/references/cli-examples.md +29 -29
- package/skills/1password/references/get-started.md +21 -21
- package/skills/21stdev/SKILL.md +64 -0
- package/skills/algorithmic-art/LICENSE +21 -21
- package/skills/algorithmic-art/SKILL.md +446 -446
- package/skills/algorithmic-art/templates/generator_template.js +223 -223
- package/skills/algorithmic-art/templates/viewer.html +598 -598
- package/skills/apple-notes/SKILL.md +81 -81
- package/skills/apple-reminders/SKILL.md +122 -122
- package/skills/bear-notes/SKILL.md +111 -111
- package/skills/blogwatcher/SKILL.md +73 -73
- package/skills/blucli/SKILL.md +51 -51
- package/skills/brand-guidelines/LICENSE +21 -21
- package/skills/brand-guidelines/SKILL.md +76 -76
- package/skills/business/biz-analysis/LICENSE +21 -21
- package/skills/business/biz-analysis/SKILL.md +103 -103
- package/skills/business/biz-corporate-strategy/LICENSE +21 -21
- package/skills/business/biz-corporate-strategy/SKILL.md +76 -76
- package/skills/business/biz-customer-success/LICENSE +21 -21
- package/skills/business/biz-customer-success/SKILL.md +55 -55
- package/skills/business/biz-entrepreneurship/LICENSE +21 -21
- package/skills/business/biz-entrepreneurship/SKILL.md +72 -72
- package/skills/business/biz-hr/LICENSE +21 -21
- package/skills/business/biz-hr/SKILL.md +67 -67
- package/skills/business/biz-international/LICENSE +21 -21
- package/skills/business/biz-international/SKILL.md +51 -51
- package/skills/business/biz-leadership/LICENSE +21 -21
- package/skills/business/biz-leadership/SKILL.md +106 -106
- package/skills/business/biz-marketing-strategy/LICENSE +21 -21
- package/skills/business/biz-marketing-strategy/SKILL.md +119 -119
- package/skills/business/biz-negotiation/LICENSE +21 -21
- package/skills/business/biz-negotiation/SKILL.md +152 -152
- package/skills/business/biz-operations/LICENSE +21 -21
- package/skills/business/biz-operations/SKILL.md +74 -74
- package/skills/business/biz-project/LICENSE +21 -21
- package/skills/business/biz-project/SKILL.md +203 -203
- package/skills/business/biz-risk/LICENSE +21 -21
- package/skills/business/biz-risk/SKILL.md +85 -85
- package/skills/business/biz-sales/LICENSE +21 -21
- package/skills/business/biz-sales/SKILL.md +92 -92
- package/skills/business/biz-startup-ops/LICENSE +21 -21
- package/skills/business/biz-startup-ops/SKILL.md +70 -70
- package/skills/business/biz-strategy/LICENSE +21 -21
- package/skills/business/biz-strategy/SKILL.md +233 -233
- package/skills/business/biz-supply-chain-advanced/LICENSE +21 -21
- package/skills/business/biz-supply-chain-advanced/SKILL.md +68 -68
- package/skills/business/fin-chartered-exams/LICENSE +21 -21
- package/skills/business/fin-chartered-exams/SKILL.md +69 -69
- package/skills/camsnap/SKILL.md +49 -49
- package/skills/canvas/SKILL.md +82 -82
- package/skills/canvas-design/LICENSE +21 -21
- package/skills/canvas-design/SKILL.md +140 -140
- package/skills/canvas-design/canvas-fonts/ArsenalSC-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/BigShoulders-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Boldonse-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/BricolageGrotesque-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/CrimsonPro-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/DMMono-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/EricaOne-OFL.txt +94 -94
- package/skills/canvas-design/canvas-fonts/GeistMono-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Gloock-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/IBMPlexMono-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/InstrumentSans-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/JetBrainsMono-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Jura-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/LibreBaskerville-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Lora-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/NationalPark-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Outfit-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/PixelifySans-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/RedHatMono-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Silkscreen-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/SmoochSans-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/Tektur-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/WorkSans-OFL.txt +93 -93
- package/skills/canvas-design/canvas-fonts/YoungSerif-OFL.txt +93 -93
- package/skills/coding-agent/SKILL.md +146 -146
- package/skills/communication/comm-business-writing/LICENSE +21 -21
- package/skills/communication/comm-business-writing/SKILL.md +67 -67
- package/skills/communication/comm-cross-cultural/LICENSE +21 -21
- package/skills/communication/comm-cross-cultural/SKILL.md +88 -88
- package/skills/communication/comm-journalism/LICENSE +21 -21
- package/skills/communication/comm-journalism/SKILL.md +81 -81
- package/skills/communication/comm-linguistics/LICENSE +21 -21
- package/skills/communication/comm-linguistics/SKILL.md +82 -82
- package/skills/communication/comm-negotiation/LICENSE +21 -21
- package/skills/communication/comm-negotiation/SKILL.md +120 -120
- package/skills/communication/comm-presentations/LICENSE +21 -21
- package/skills/communication/comm-presentations/SKILL.md +93 -93
- package/skills/communication/comm-public-speaking/LICENSE +21 -21
- package/skills/communication/comm-public-speaking/SKILL.md +68 -68
- package/skills/communication/comm-writing/LICENSE +21 -21
- package/skills/communication/comm-writing/SKILL.md +69 -69
- package/skills/craft/ai-engineering/LICENSE +21 -21
- package/skills/craft/ai-engineering/SKILL.md +828 -828
- package/skills/craft/app-builder-guide/LICENSE +21 -21
- package/skills/craft/app-builder-guide/SKILL.md +332 -332
- package/skills/craft/become-an-ai-engineer-26/CONTRIBUTING.md +46 -46
- package/skills/craft/become-an-ai-engineer-26/LICENSE +21 -21
- package/skills/craft/become-an-ai-engineer-26/README.md +270 -270
- package/skills/craft/become-an-ai-engineer-26/SKILL.md +667 -667
- package/skills/craft/become-an-ai-engineer-26/community/BUILDS.md +13 -13
- package/skills/craft/become-an-ai-engineer-26/community/DISCUSSIONS.md +8 -8
- package/skills/craft/become-an-ai-engineer-26/phases/phase-0-mental-models/README.md +14 -14
- package/skills/craft/become-an-ai-engineer-26/phases/phase-0-mental-models/project/TEMPLATE.md +33 -33
- package/skills/craft/become-an-ai-engineer-26/phases/phase-1-first-agent/README.md +25 -25
- package/skills/craft/become-an-ai-engineer-26/phases/phase-1-first-agent/code/raw_loop.py +126 -126
- package/skills/craft/become-an-ai-engineer-26/phases/phase-2-architecture/README.md +17 -17
- package/skills/craft/become-an-ai-engineer-26/phases/phase-3-harness/README.md +17 -17
- package/skills/craft/become-an-ai-engineer-26/phases/phase-4-evals/README.md +21 -21
- package/skills/craft/become-an-ai-engineer-26/phases/phase-4-evals/code/.github/workflows/eval.yml +40 -40
- package/skills/craft/become-an-ai-engineer-26/phases/phase-5-production/README.md +16 -16
- package/skills/craft/become-an-ai-engineer-26/projects/1-mobile-app-slm/README.md +11 -11
- package/skills/craft/become-an-ai-engineer-26/projects/2-self-improving-coder/README.md +11 -11
- package/skills/craft/become-an-ai-engineer-26/projects/3-video-editor-agent/README.md +11 -11
- package/skills/craft/become-an-ai-engineer-26/projects/4-personal-life-os/README.md +12 -12
- package/skills/craft/become-an-ai-engineer-26/projects/5-enterprise-workflow/README.md +12 -12
- package/skills/craft/become-an-ai-engineer-26/references/benchmark-numbers.md +41 -41
- package/skills/craft/become-an-ai-engineer-26/references/mhc-stable-training.md +73 -73
- package/skills/craft/become-an-ai-engineer-26/references/stack-decisions.md +37 -37
- package/skills/craft/become-an-ai-engineer-26/references/yarn-context-extension.md +123 -123
- package/skills/craft/codex-result-handling/LICENSE +21 -21
- package/skills/craft/codex-result-handling/SKILL.md +26 -26
- package/skills/craft/debug-and-build-methodology/LICENSE +21 -21
- package/skills/craft/debug-and-build-methodology/SKILL.md +432 -432
- package/skills/craft/design/LICENSE +21 -21
- package/skills/craft/design/SKILL.md +274 -274
- package/skills/craft/dev/LICENSE +21 -21
- package/skills/craft/dev/SKILL.md +12 -12
- package/skills/craft/dev/release.md +85 -85
- package/skills/craft/dev/roll.md +50 -50
- package/skills/craft/doc-coauthoring/LICENSE +21 -21
- package/skills/craft/doc-coauthoring/SKILL.md +397 -397
- package/skills/craft/focus/LICENSE +21 -21
- package/skills/craft/focus/SKILL.md +432 -432
- package/skills/craft/focus/UPSTREAM_README.md +233 -233
- package/skills/craft/gh/LICENSE +21 -21
- package/skills/craft/gh/SKILL.md +84 -84
- package/skills/craft/gh-skill/LICENSE +21 -21
- package/skills/craft/gh-skill/SKILL.md +121 -121
- package/skills/craft/godmode/LICENSE +21 -21
- package/skills/craft/godmode/SKILL.md +87 -87
- package/skills/craft/godmode/references/android-launch.md +680 -680
- package/skills/craft/godmode/references/data-gcp.md +1038 -1038
- package/skills/craft/godmode/references/expo-eas.md +816 -816
- package/skills/craft/godmode/references/ios-launch.md +734 -734
- package/skills/craft/google-ai-latest/LICENSE +21 -21
- package/skills/craft/google-ai-latest/SKILL.md +682 -682
- package/skills/craft/gpt-5-4-prompting/LICENSE +21 -21
- package/skills/craft/gpt-5-4-prompting/SKILL.md +63 -63
- package/skills/craft/gpt-5-4-prompting/references/codex-prompt-antipatterns.md +101 -101
- package/skills/craft/gpt-5-4-prompting/references/codex-prompt-recipes.md +150 -150
- package/skills/craft/gpt-5-4-prompting/references/prompt-blocks.md +172 -172
- package/skills/craft/grill-me/LICENSE +21 -21
- package/skills/craft/grill-me/SKILL.md +13 -13
- package/skills/craft/idea-to-deploy/LICENSE +21 -21
- package/skills/craft/idea-to-deploy/SKILL.md +292 -292
- package/skills/craft/idea-to-deploy/references/auth-playbook.md +195 -195
- package/skills/craft/idea-to-deploy/references/gcp-deployment.md +268 -268
- package/skills/craft/idea-to-deploy/references/stack-selection.md +117 -117
- package/skills/craft/image-generation-engineer/LICENSE +21 -21
- package/skills/craft/image-generation-engineer/SKILL.md +183 -183
- package/skills/craft/image-generation-engineer/references/architectures.md +260 -260
- package/skills/craft/image-generation-engineer/references/foundations.md +107 -107
- package/skills/craft/image-generation-engineer/references/inference-and-serving.md +253 -253
- package/skills/craft/image-generation-engineer/references/training.md +149 -149
- package/skills/craft/marketing/LICENSE +21 -21
- package/skills/craft/marketing/SKILL.md +1954 -1954
- package/skills/craft/master-architect/LICENSE +21 -21
- package/skills/craft/master-architect/SKILL.md +361 -361
- package/skills/craft/master-architect/references/ai-ml.md +317 -317
- package/skills/craft/master-architect/references/architecture.md +268 -268
- package/skills/craft/master-architect/references/auth-playbook.md +195 -195
- package/skills/craft/master-architect/references/cloud.md +323 -323
- package/skills/craft/master-architect/references/cyber.md +839 -839
- package/skills/craft/master-architect/references/data-eng.md +366 -366
- package/skills/craft/master-architect/references/devops.md +550 -550
- package/skills/craft/master-architect/references/gcp-deployment.md +268 -268
- package/skills/craft/master-architect/references/languages.md +748 -748
- package/skills/craft/master-architect/references/legacy.md +240 -240
- package/skills/craft/master-architect/references/mobile.md +447 -447
- package/skills/craft/master-architect/references/patterns.md +451 -451
- package/skills/craft/master-architect/references/saas-patterns.md +379 -379
- package/skills/craft/master-architect/references/sdlc.md +349 -349
- package/skills/craft/master-architect/references/stack-selection.md +117 -117
- package/skills/craft/oriro-ui-2026/LICENSE +21 -21
- package/skills/craft/oriro-ui-2026/SKILL.md +329 -329
- package/skills/craft/playwright-cli/LICENSE +21 -21
- package/skills/craft/playwright-cli/SKILL.md +393 -393
- package/skills/craft/playwright-cli/references/element-attributes.md +23 -23
- package/skills/craft/playwright-cli/references/playwright-tests.md +39 -39
- package/skills/craft/playwright-cli/references/request-mocking.md +87 -87
- package/skills/craft/playwright-cli/references/running-code.md +240 -240
- package/skills/craft/playwright-cli/references/session-management.md +226 -226
- package/skills/craft/playwright-cli/references/spec-driven-testing.md +312 -312
- package/skills/craft/playwright-cli/references/storage-state.md +275 -275
- package/skills/craft/playwright-cli/references/test-generation.md +134 -134
- package/skills/craft/playwright-cli/references/tracing.md +142 -142
- package/skills/craft/playwright-cli/references/video-recording.md +150 -150
- package/skills/craft/remotion-best-practices/LICENSE +21 -21
- package/skills/craft/remotion-best-practices/SKILL.md +345 -345
- package/skills/craft/remotion-best-practices/rules/3d.md +86 -86
- package/skills/craft/remotion-best-practices/rules/assets/charts-bar-chart.tsx +165 -165
- package/skills/craft/remotion-best-practices/rules/assets/text-animations-typewriter.tsx +89 -89
- package/skills/craft/remotion-best-practices/rules/assets/text-animations-word-highlight.tsx +101 -101
- package/skills/craft/remotion-best-practices/rules/audio-visualization.md +195 -195
- package/skills/craft/remotion-best-practices/rules/audio.md +167 -167
- package/skills/craft/remotion-best-practices/rules/calculate-metadata.md +118 -118
- package/skills/craft/remotion-best-practices/rules/compositions.md +132 -132
- package/skills/craft/remotion-best-practices/rules/display-captions.md +176 -176
- package/skills/craft/remotion-best-practices/rules/ffmpeg.md +34 -34
- package/skills/craft/remotion-best-practices/rules/get-audio-duration.md +58 -58
- package/skills/craft/remotion-best-practices/rules/get-video-dimensions.md +68 -68
- package/skills/craft/remotion-best-practices/rules/get-video-duration.md +60 -60
- package/skills/craft/remotion-best-practices/rules/gifs.md +135 -135
- package/skills/craft/remotion-best-practices/rules/google-fonts.md +72 -72
- package/skills/craft/remotion-best-practices/rules/html-in-canvas.md +122 -122
- package/skills/craft/remotion-best-practices/rules/images.md +67 -67
- package/skills/craft/remotion-best-practices/rules/import-srt-captions.md +69 -69
- package/skills/craft/remotion-best-practices/rules/light-leaks.md +73 -73
- package/skills/craft/remotion-best-practices/rules/local-fonts.md +65 -65
- package/skills/craft/remotion-best-practices/rules/lottie.md +67 -67
- package/skills/craft/remotion-best-practices/rules/maplibre.md +441 -441
- package/skills/craft/remotion-best-practices/rules/measuring-dom-nodes.md +34 -34
- package/skills/craft/remotion-best-practices/rules/measuring-text.md +140 -140
- package/skills/craft/remotion-best-practices/rules/parameters.md +109 -109
- package/skills/craft/remotion-best-practices/rules/sequencing.md +144 -144
- package/skills/craft/remotion-best-practices/rules/sfx.md +30 -30
- package/skills/craft/remotion-best-practices/rules/silence-detection.md +73 -73
- package/skills/craft/remotion-best-practices/rules/subtitles.md +36 -36
- package/skills/craft/remotion-best-practices/rules/tailwind.md +11 -11
- package/skills/craft/remotion-best-practices/rules/text-animations.md +20 -20
- package/skills/craft/remotion-best-practices/rules/timing.md +130 -130
- package/skills/craft/remotion-best-practices/rules/transcribe-captions.md +70 -70
- package/skills/craft/remotion-best-practices/rules/transitions.md +193 -193
- package/skills/craft/remotion-best-practices/rules/transparent-videos.md +102 -102
- package/skills/craft/remotion-best-practices/rules/trimming.md +51 -51
- package/skills/craft/remotion-best-practices/rules/videos.md +169 -169
- package/skills/craft/remotion-best-practices/rules/voiceover.md +94 -94
- package/skills/craft/supabase-postgres-best-practices/CHANGELOG.md +25 -25
- package/skills/craft/supabase-postgres-best-practices/LICENSE +21 -21
- package/skills/craft/supabase-postgres-best-practices/SKILL.md +69 -69
- package/skills/craft/supabase-postgres-best-practices/references/_contributing.md +166 -166
- package/skills/craft/supabase-postgres-best-practices/references/_sections.md +47 -47
- package/skills/craft/supabase-postgres-best-practices/references/_template.md +34 -34
- package/skills/craft/supabase-postgres-best-practices/references/advanced-full-text-search.md +55 -55
- package/skills/craft/supabase-postgres-best-practices/references/advanced-jsonb-indexing.md +49 -49
- package/skills/craft/supabase-postgres-best-practices/references/conn-idle-timeout.md +46 -46
- package/skills/craft/supabase-postgres-best-practices/references/conn-limits.md +44 -44
- package/skills/craft/supabase-postgres-best-practices/references/conn-pooling.md +41 -41
- package/skills/craft/supabase-postgres-best-practices/references/conn-prepared-statements.md +46 -46
- package/skills/craft/supabase-postgres-best-practices/references/data-batch-inserts.md +54 -54
- package/skills/craft/supabase-postgres-best-practices/references/data-n-plus-one.md +53 -53
- package/skills/craft/supabase-postgres-best-practices/references/data-pagination.md +50 -50
- package/skills/craft/supabase-postgres-best-practices/references/data-upsert.md +50 -50
- package/skills/craft/supabase-postgres-best-practices/references/lock-advisory.md +56 -56
- package/skills/craft/supabase-postgres-best-practices/references/lock-deadlock-prevention.md +68 -68
- package/skills/craft/supabase-postgres-best-practices/references/lock-short-transactions.md +50 -50
- package/skills/craft/supabase-postgres-best-practices/references/lock-skip-locked.md +54 -54
- package/skills/craft/supabase-postgres-best-practices/references/monitor-explain-analyze.md +45 -45
- package/skills/craft/supabase-postgres-best-practices/references/monitor-pg-stat-statements.md +55 -55
- package/skills/craft/supabase-postgres-best-practices/references/monitor-vacuum-analyze.md +55 -55
- package/skills/craft/supabase-postgres-best-practices/references/query-composite-indexes.md +44 -44
- package/skills/craft/supabase-postgres-best-practices/references/query-covering-indexes.md +40 -40
- package/skills/craft/supabase-postgres-best-practices/references/query-index-types.md +48 -48
- package/skills/craft/supabase-postgres-best-practices/references/query-missing-indexes.md +43 -43
- package/skills/craft/supabase-postgres-best-practices/references/query-partial-indexes.md +45 -45
- package/skills/craft/supabase-postgres-best-practices/references/schema-constraints.md +80 -80
- package/skills/craft/supabase-postgres-best-practices/references/schema-data-types.md +46 -46
- package/skills/craft/supabase-postgres-best-practices/references/schema-foreign-key-indexes.md +59 -59
- package/skills/craft/supabase-postgres-best-practices/references/schema-lowercase-identifiers.md +55 -55
- package/skills/craft/supabase-postgres-best-practices/references/schema-partitioning.md +55 -55
- package/skills/craft/supabase-postgres-best-practices/references/schema-primary-keys.md +61 -61
- package/skills/craft/supabase-postgres-best-practices/references/security-privileges.md +54 -54
- package/skills/craft/supabase-postgres-best-practices/references/security-rls-basics.md +50 -50
- package/skills/craft/supabase-postgres-best-practices/references/security-rls-performance.md +63 -63
- package/skills/craft/uipm-banner-design/LICENSE +21 -21
- package/skills/craft/uipm-banner-design/SKILL.md +201 -201
- package/skills/craft/uipm-banner-design/references/banner-sizes-and-styles.md +129 -129
- package/skills/craft/uipm-brand/LICENSE +21 -21
- package/skills/craft/uipm-brand/SKILL.md +104 -104
- package/skills/craft/uipm-brand/references/approval-checklist.md +184 -184
- package/skills/craft/uipm-brand/references/asset-organization.md +167 -167
- package/skills/craft/uipm-brand/references/brand-guideline-template.md +161 -161
- package/skills/craft/uipm-brand/references/color-palette-management.md +203 -203
- package/skills/craft/uipm-brand/references/consistency-checklist.md +105 -105
- package/skills/craft/uipm-brand/references/logo-usage-rules.md +204 -204
- package/skills/craft/uipm-brand/references/messaging-framework.md +91 -91
- package/skills/craft/uipm-brand/references/typography-specifications.md +265 -265
- package/skills/craft/uipm-brand/references/update.md +128 -128
- package/skills/craft/uipm-brand/references/visual-identity.md +109 -109
- package/skills/craft/uipm-brand/references/voice-framework.md +99 -99
- package/skills/craft/uipm-brand/scripts/extract-colors.cjs +333 -333
- package/skills/craft/uipm-brand/scripts/inject-brand-context.cjs +324 -324
- package/skills/craft/uipm-brand/scripts/sync-brand-to-tokens.cjs +269 -269
- package/skills/craft/uipm-brand/scripts/validate-asset.cjs +361 -361
- package/skills/craft/uipm-brand/templates/brand-guidelines-starter.md +280 -280
- package/skills/craft/uipm-design/LICENSE +21 -21
- package/skills/craft/uipm-design/SKILL.md +305 -305
- package/skills/craft/uipm-design/data/cip/deliverables.csv +50 -50
- package/skills/craft/uipm-design/data/cip/industries.csv +20 -20
- package/skills/craft/uipm-design/data/cip/mockup-contexts.csv +20 -20
- package/skills/craft/uipm-design/data/cip/styles.csv +20 -20
- package/skills/craft/uipm-design/data/icon/styles.csv +16 -16
- package/skills/craft/uipm-design/data/logo/colors.csv +56 -56
- package/skills/craft/uipm-design/data/logo/industries.csv +56 -56
- package/skills/craft/uipm-design/data/logo/styles.csv +56 -56
- package/skills/craft/uipm-design/references/banner-sizes-and-styles.md +129 -129
- package/skills/craft/uipm-design/references/cip-deliverable-guide.md +111 -111
- package/skills/craft/uipm-design/references/cip-design.md +121 -121
- package/skills/craft/uipm-design/references/cip-prompt-engineering.md +94 -94
- package/skills/craft/uipm-design/references/cip-style-guide.md +76 -76
- package/skills/craft/uipm-design/references/design-routing.md +226 -226
- package/skills/craft/uipm-design/references/icon-design.md +122 -122
- package/skills/craft/uipm-design/references/logo-color-psychology.md +113 -113
- package/skills/craft/uipm-design/references/logo-design.md +92 -92
- package/skills/craft/uipm-design/references/logo-prompt-engineering.md +176 -176
- package/skills/craft/uipm-design/references/logo-style-guide.md +129 -129
- package/skills/craft/uipm-design/references/slides-copywriting-formulas.md +92 -92
- package/skills/craft/uipm-design/references/slides-create.md +5 -5
- package/skills/craft/uipm-design/references/slides-html-template.md +374 -374
- package/skills/craft/uipm-design/references/slides-layout-patterns.md +155 -155
- package/skills/craft/uipm-design/references/slides-strategies.md +97 -97
- package/skills/craft/uipm-design/references/slides.md +42 -42
- package/skills/craft/uipm-design/references/social-photos-design.md +353 -353
- package/skills/craft/uipm-design/scripts/cip/core.py +215 -215
- package/skills/craft/uipm-design/scripts/cip/generate.py +484 -484
- package/skills/craft/uipm-design/scripts/cip/render-html.py +424 -424
- package/skills/craft/uipm-design/scripts/cip/search.py +127 -127
- package/skills/craft/uipm-design/scripts/icon/generate.py +487 -487
- package/skills/craft/uipm-design/scripts/logo/core.py +175 -175
- package/skills/craft/uipm-design/scripts/logo/generate.py +362 -362
- package/skills/craft/uipm-design/scripts/logo/search.py +114 -114
- package/skills/craft/uipm-design-system/LICENSE +21 -21
- package/skills/craft/uipm-design-system/SKILL.md +255 -255
- package/skills/craft/uipm-design-system/data/slide-backgrounds.csv +11 -11
- package/skills/craft/uipm-design-system/data/slide-charts.csv +26 -26
- package/skills/craft/uipm-design-system/data/slide-color-logic.csv +14 -14
- package/skills/craft/uipm-design-system/data/slide-copy.csv +26 -26
- package/skills/craft/uipm-design-system/data/slide-layout-logic.csv +16 -16
- package/skills/craft/uipm-design-system/data/slide-layouts.csv +26 -26
- package/skills/craft/uipm-design-system/data/slide-strategies.csv +16 -16
- package/skills/craft/uipm-design-system/data/slide-typography.csv +15 -15
- package/skills/craft/uipm-design-system/references/component-specs.md +236 -236
- package/skills/craft/uipm-design-system/references/component-tokens.md +214 -214
- package/skills/craft/uipm-design-system/references/primitive-tokens.md +199 -199
- package/skills/craft/uipm-design-system/references/semantic-tokens.md +215 -215
- package/skills/craft/uipm-design-system/references/states-and-variants.md +243 -243
- package/skills/craft/uipm-design-system/references/tailwind-integration.md +257 -257
- package/skills/craft/uipm-design-system/references/token-architecture.md +226 -226
- package/skills/craft/uipm-design-system/scripts/embed-tokens.cjs +97 -97
- package/skills/craft/uipm-design-system/scripts/fetch-background.py +317 -317
- package/skills/craft/uipm-design-system/scripts/generate-slide.py +753 -753
- package/skills/craft/uipm-design-system/scripts/generate-tokens.cjs +213 -213
- package/skills/craft/uipm-design-system/scripts/html-token-validator.py +327 -327
- package/skills/craft/uipm-design-system/scripts/search-slides.py +218 -218
- package/skills/craft/uipm-design-system/scripts/slide-token-validator.py +35 -35
- package/skills/craft/uipm-design-system/scripts/slide_search_core.py +453 -453
- package/skills/craft/uipm-design-system/scripts/validate-tokens.cjs +254 -254
- package/skills/craft/uipm-design-system/templates/design-tokens-starter.json +143 -143
- package/skills/craft/uipm-slides/LICENSE +21 -21
- package/skills/craft/uipm-slides/SKILL.md +45 -45
- package/skills/craft/uipm-slides/references/copywriting-formulas.md +92 -92
- package/skills/craft/uipm-slides/references/create.md +5 -5
- package/skills/craft/uipm-slides/references/html-template.md +374 -374
- package/skills/craft/uipm-slides/references/layout-patterns.md +155 -155
- package/skills/craft/uipm-slides/references/slide-strategies.md +97 -97
- package/skills/craft/uipm-ui-ux-pro-max/LICENSE +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/SKILL.md +678 -678
- package/skills/craft/uipm-ui-ux-pro-max/data/_sync_all.py +414 -414
- package/skills/craft/uipm-ui-ux-pro-max/data/app-interface.csv +30 -30
- package/skills/craft/uipm-ui-ux-pro-max/data/charts.csv +26 -26
- package/skills/craft/uipm-ui-ux-pro-max/data/colors.csv +161 -161
- package/skills/craft/uipm-ui-ux-pro-max/data/design.csv +1775 -1775
- package/skills/craft/uipm-ui-ux-pro-max/data/draft.csv +1778 -1778
- package/skills/craft/uipm-ui-ux-pro-max/data/google-fonts.csv +1924 -1924
- package/skills/craft/uipm-ui-ux-pro-max/data/icons.csv +105 -105
- package/skills/craft/uipm-ui-ux-pro-max/data/landing.csv +35 -35
- package/skills/craft/uipm-ui-ux-pro-max/data/products.csv +162 -162
- package/skills/craft/uipm-ui-ux-pro-max/data/react-performance.csv +45 -45
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/angular.csv +51 -51
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/astro.csv +54 -54
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/flutter.csv +53 -53
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/laravel.csv +51 -51
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/react-native.csv +52 -52
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/react.csv +54 -54
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/svelte.csv +54 -54
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/threejs.csv +54 -54
- package/skills/craft/uipm-ui-ux-pro-max/data/stacks/vue.csv +50 -50
- package/skills/craft/uipm-ui-ux-pro-max/data/styles.csv +85 -85
- package/skills/craft/uipm-ui-ux-pro-max/data/typography.csv +74 -74
- package/skills/craft/uipm-ui-ux-pro-max/data/ui-reasoning.csv +162 -162
- package/skills/craft/uipm-ui-ux-pro-max/data/ux-guidelines.csv +99 -99
- package/skills/craft/uipm-ui-ux-pro-max/scripts/core.py +262 -262
- package/skills/craft/uipm-ui-ux-pro-max/scripts/design_system.py +1148 -1148
- package/skills/craft/uipm-ui-ux-pro-max/scripts/search.py +114 -114
- package/skills/craft/uipm-ui-ux-pro-max/templates/base/quick-reference.md +297 -297
- package/skills/craft/uipm-ui-ux-pro-max/templates/base/skill-content.md +375 -375
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/agent.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/augment.json +18 -18
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/claude.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/codebuddy.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/codex.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/continue.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/copilot.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/cursor.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/droid.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/gemini.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/kilocode.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/kiro.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/opencode.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/qoder.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/roocode.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/trae.json +21 -21
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/warp.json +18 -18
- package/skills/craft/uipm-ui-ux-pro-max/templates/platforms/windsurf.json +21 -21
- package/skills/craft/vercel-optimize/AGENTS.md +48 -48
- package/skills/craft/vercel-optimize/CONTRIBUTING.md +41 -41
- package/skills/craft/vercel-optimize/LICENSE +21 -21
- package/skills/craft/vercel-optimize/README.md +91 -91
- package/skills/craft/vercel-optimize/SKILL.md +325 -325
- package/skills/craft/vercel-optimize/lib/auth-route.mjs +23 -23
- package/skills/craft/vercel-optimize/lib/budget-summary.mjs +208 -208
- package/skills/craft/vercel-optimize/lib/citations.mjs +147 -147
- package/skills/craft/vercel-optimize/lib/cost-coverage.mjs +162 -162
- package/skills/craft/vercel-optimize/lib/dedup-recs.mjs +340 -340
- package/skills/craft/vercel-optimize/lib/deep-dive.mjs +371 -371
- package/skills/craft/vercel-optimize/lib/display-labels.mjs +219 -219
- package/skills/craft/vercel-optimize/lib/extract-claims.mjs +640 -640
- package/skills/craft/vercel-optimize/lib/framework-support.mjs +69 -69
- package/skills/craft/vercel-optimize/lib/gates/build-minutes-fanout.mjs +73 -73
- package/skills/craft/vercel-optimize/lib/gates/cold-start.mjs +72 -72
- package/skills/craft/vercel-optimize/lib/gates/contract.mjs +82 -82
- package/skills/craft/vercel-optimize/lib/gates/cwv-poor.mjs +95 -95
- package/skills/craft/vercel-optimize/lib/gates/external-api-slow.mjs +60 -60
- package/skills/craft/vercel-optimize/lib/gates/hard-gates.mjs +70 -70
- package/skills/craft/vercel-optimize/lib/gates/index.mjs +45 -45
- package/skills/craft/vercel-optimize/lib/gates/isr-overrevalidation.mjs +62 -62
- package/skills/craft/vercel-optimize/lib/gates/middleware-heavy.mjs +53 -53
- package/skills/craft/vercel-optimize/lib/gates/observability-events-attribution.mjs +58 -58
- package/skills/craft/vercel-optimize/lib/gates/platform-bot-protection.mjs +123 -123
- package/skills/craft/vercel-optimize/lib/gates/platform-fluid-compute.mjs +94 -94
- package/skills/craft/vercel-optimize/lib/gates/region-misconfig.mjs +71 -71
- package/skills/craft/vercel-optimize/lib/gates/route-errors.mjs +95 -95
- package/skills/craft/vercel-optimize/lib/gates/scanner-driven.mjs +150 -150
- package/skills/craft/vercel-optimize/lib/gates/select-candidates.mjs +137 -137
- package/skills/craft/vercel-optimize/lib/gates/slow-route.mjs +97 -97
- package/skills/craft/vercel-optimize/lib/gates/types.d.ts +38 -38
- package/skills/craft/vercel-optimize/lib/gates/uncached-route.mjs +103 -103
- package/skills/craft/vercel-optimize/lib/gates/usage-spike-triage.mjs +122 -122
- package/skills/craft/vercel-optimize/lib/grade-recommendation.mjs +170 -170
- package/skills/craft/vercel-optimize/lib/impact-label.mjs +128 -128
- package/skills/craft/vercel-optimize/lib/impact-magnitude.mjs +66 -66
- package/skills/craft/vercel-optimize/lib/investigation-brief.mjs +751 -751
- package/skills/craft/vercel-optimize/lib/observation-safety.mjs +217 -217
- package/skills/craft/vercel-optimize/lib/project-facts.mjs +101 -101
- package/skills/craft/vercel-optimize/lib/queries.mjs +333 -333
- package/skills/craft/vercel-optimize/lib/reconcile-candidates.mjs +388 -388
- package/skills/craft/vercel-optimize/lib/render-report.mjs +1065 -1065
- package/skills/craft/vercel-optimize/lib/repo-root.mjs +97 -97
- package/skills/craft/vercel-optimize/lib/route-normalize.mjs +224 -224
- package/skills/craft/vercel-optimize/lib/sanitizers/bot-protection-certainty.mjs +56 -56
- package/skills/craft/vercel-optimize/lib/sanitizers/cache-tag-invalidation-certainty.mjs +33 -33
- package/skills/craft/vercel-optimize/lib/sanitizers/count-correct.mjs +53 -53
- package/skills/craft/vercel-optimize/lib/sanitizers/function-duration-invocations.mjs +32 -32
- package/skills/craft/vercel-optimize/lib/sanitizers/index.mjs +87 -87
- package/skills/craft/vercel-optimize/lib/sanitizers/middleware-conflict.mjs +37 -37
- package/skills/craft/vercel-optimize/lib/sanitizers/missing-citation.mjs +16 -16
- package/skills/craft/vercel-optimize/lib/sanitizers/pre-release.mjs +75 -75
- package/skills/craft/vercel-optimize/lib/sanitizers/rate-limit.mjs +73 -73
- package/skills/craft/vercel-optimize/lib/sanitizers/rendering-mode-mislabel.mjs +42 -42
- package/skills/craft/vercel-optimize/lib/sanitizers/undeclared-dep.mjs +110 -110
- package/skills/craft/vercel-optimize/lib/sanitizers/vercel-directive-strip.mjs +37 -37
- package/skills/craft/vercel-optimize/lib/sanitizers/window-units.mjs +26 -26
- package/skills/craft/vercel-optimize/lib/scanners/cache-components-suspense-dedupe.mjs +114 -114
- package/skills/craft/vercel-optimize/lib/scanners/edge-heavy-import.mjs +102 -102
- package/skills/craft/vercel-optimize/lib/scanners/force-dynamic.mjs +39 -39
- package/skills/craft/vercel-optimize/lib/scanners/headers-in-page.mjs +43 -43
- package/skills/craft/vercel-optimize/lib/scanners/index.mjs +35 -35
- package/skills/craft/vercel-optimize/lib/scanners/large-static-asset.mjs +93 -93
- package/skills/craft/vercel-optimize/lib/scanners/max-age-without-s-maxage.mjs +47 -47
- package/skills/craft/vercel-optimize/lib/scanners/middleware-broad-matcher.mjs +53 -53
- package/skills/craft/vercel-optimize/lib/scanners/missing-cache-headers.mjs +97 -97
- package/skills/craft/vercel-optimize/lib/scanners/prisma-include-tree.mjs +39 -39
- package/skills/craft/vercel-optimize/lib/scanners/region-pin-in-config.mjs +89 -89
- package/skills/craft/vercel-optimize/lib/scanners/source-maps-production.mjs +33 -33
- package/skills/craft/vercel-optimize/lib/scanners/sveltekit-prerender-missing.mjs +47 -47
- package/skills/craft/vercel-optimize/lib/scanners/turbo-force-bypass.mjs +136 -136
- package/skills/craft/vercel-optimize/lib/scanners/unoptimized-image.mjs +127 -127
- package/skills/craft/vercel-optimize/lib/scanners/use-cache-date-stamp.mjs +112 -112
- package/skills/craft/vercel-optimize/lib/support-topics.mjs +365 -365
- package/skills/craft/vercel-optimize/lib/throttle.mjs +280 -280
- package/skills/craft/vercel-optimize/lib/util.mjs +17 -17
- package/skills/craft/vercel-optimize/lib/vercel.mjs +855 -855
- package/skills/craft/vercel-optimize/lib/verify-claim.mjs +1843 -1843
- package/skills/craft/vercel-optimize/lib/workspace-resolver.mjs +552 -552
- package/skills/craft/vercel-optimize/metadata.json +14 -14
- package/skills/craft/vercel-optimize/references/candidates.md +176 -176
- package/skills/craft/vercel-optimize/references/data-collection.md +224 -224
- package/skills/craft/vercel-optimize/references/docs-library.json +683 -683
- package/skills/craft/vercel-optimize/references/doctrine.md +108 -108
- package/skills/craft/vercel-optimize/references/observability-plus.md +109 -109
- package/skills/craft/vercel-optimize/references/playbooks/README.md +57 -57
- package/skills/craft/vercel-optimize/references/playbooks/ai-application.md +32 -32
- package/skills/craft/vercel-optimize/references/playbooks/api-service.md +30 -30
- package/skills/craft/vercel-optimize/references/playbooks/content-site.md +30 -30
- package/skills/craft/vercel-optimize/references/playbooks/ecommerce.md +30 -30
- package/skills/craft/vercel-optimize/references/playbooks/marketing.md +30 -30
- package/skills/craft/vercel-optimize/references/playbooks/saas.md +31 -31
- package/skills/craft/vercel-optimize/references/playbooks/sveltekit.md +75 -75
- package/skills/craft/vercel-optimize/references/recommendations.md +214 -214
- package/skills/craft/vercel-optimize/references/scanner-patterns.md +266 -266
- package/skills/craft/vercel-optimize/references/scoring.md +208 -208
- package/skills/craft/vercel-optimize/references/support-topics/README.md +50 -50
- package/skills/craft/vercel-optimize/references/support-topics/astro-edge-middleware-scope.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/astro-output-mode-and-isr.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/auth-preserving-parallelization.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/bot-protection-product-guardrails.md +32 -32
- package/skills/craft/vercel-optimize/references/support-topics/build-minutes-monorepo-fanout.md +32 -32
- package/skills/craft/vercel-optimize/references/support-topics/cache-components-static-shell-boundaries.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/cache-components-suspense-dedupe-pitfall.md +32 -32
- package/skills/craft/vercel-optimize/references/support-topics/cdn-cache-auth-safety.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/cold-start-initialization-bundle.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/core-web-vitals-client-bottlenecks.md +33 -33
- package/skills/craft/vercel-optimize/references/support-topics/database-egress-pooling-region.md +32 -32
- package/skills/craft/vercel-optimize/references/support-topics/dynamic-rendering-traps.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/external-api-critical-path-platform.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/external-api-critical-path.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/fast-data-transfer-payloads.md +26 -26
- package/skills/craft/vercel-optimize/references/support-topics/fluid-compute-caveats.md +26 -26
- package/skills/craft/vercel-optimize/references/support-topics/function-duration-io-and-after.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/function-invocation-reduction.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/function-region-misconfiguration-ttfb.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/image-optimization-cost-control.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/isr-revalidation-static-generation.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/middleware-proxy-edge-cost.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/next-fetch-revalidate-floor.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/next-font-cls-self-hosting.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/next-heavy-ui-lazy-load-boundaries.md +28 -28
- package/skills/craft/vercel-optimize/references/support-topics/next-image-lcp-preload-sizes.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/next-route-handler-get-cache-defaults.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/next-script-third-party-strategy.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/nextjs-version-cache-semantics.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/not-found-catchall-request-waste.md +33 -33
- package/skills/craft/vercel-optimize/references/support-topics/nuxt-route-rules-cache-isr.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/observability-events-cost-attribution.md +27 -27
- package/skills/craft/vercel-optimize/references/support-topics/post-response-work-waituntil.md +26 -26
- package/skills/craft/vercel-optimize/references/support-topics/route-error-durable-offload.md +33 -33
- package/skills/craft/vercel-optimize/references/support-topics/route-error-runtime-limits.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/runtime-cache-reusable-data.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/sveltekit-isr-prerender-safety.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/sveltekit-split-cold-start-tradeoff.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/usage-spike-triage.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/use-cache-date-stamp-isr-write-amplifier.md +31 -31
- package/skills/craft/vercel-optimize/references/support-topics/use-cache-remote-shared-origin-data.md +30 -30
- package/skills/craft/vercel-optimize/references/support-topics/workflow-resumable-stream-routes.md +32 -32
- package/skills/craft/vercel-optimize/references/verification.md +102 -102
- package/skills/craft/vercel-optimize/references/voice.md +76 -76
- package/skills/craft/vercel-optimize/scripts/budget-summary.mjs +58 -58
- package/skills/craft/vercel-optimize/scripts/build-docs.mjs +76 -76
- package/skills/craft/vercel-optimize/scripts/check-citations.mjs +91 -91
- package/skills/craft/vercel-optimize/scripts/check-docs-fresh.mjs +100 -100
- package/skills/craft/vercel-optimize/scripts/collect-signals.mjs +638 -638
- package/skills/craft/vercel-optimize/scripts/collect-sub-agent-outputs.mjs +306 -306
- package/skills/craft/vercel-optimize/scripts/deep-dive.mjs +358 -358
- package/skills/craft/vercel-optimize/scripts/gate-investigations.mjs +178 -178
- package/skills/craft/vercel-optimize/scripts/merge-signals.mjs +203 -203
- package/skills/craft/vercel-optimize/scripts/prepare-investigation-brief.mjs +249 -249
- package/skills/craft/vercel-optimize/scripts/reconcile-candidates.mjs +69 -69
- package/skills/craft/vercel-optimize/scripts/render-report.mjs +462 -462
- package/skills/craft/vercel-optimize/scripts/scan-codebase.mjs +361 -361
- package/skills/craft/vercel-optimize/scripts/verify-and-regen.mjs +379 -379
- package/skills/craft/vercel-optimize/scripts/verify-finding.mjs +21 -21
- package/skills/craft/web-design-guidelines/LICENSE +21 -21
- package/skills/craft/web-design-guidelines/SKILL.md +43 -43
- package/skills/craft/zero-to-live/LICENSE +21 -21
- package/skills/craft/zero-to-live/SKILL.md +422 -422
- package/skills/creative/creative-3d-modeling/LICENSE +21 -21
- package/skills/creative/creative-3d-modeling/SKILL.md +70 -70
- package/skills/creative/creative-architecture/LICENSE +21 -21
- package/skills/creative/creative-architecture/SKILL.md +94 -94
- package/skills/creative/creative-design-principles/LICENSE +21 -21
- package/skills/creative/creative-design-principles/SKILL.md +95 -95
- package/skills/creative/creative-fashion-advanced/LICENSE +21 -21
- package/skills/creative/creative-fashion-advanced/SKILL.md +68 -68
- package/skills/creative/creative-fashion-design/LICENSE +21 -21
- package/skills/creative/creative-fashion-design/SKILL.md +66 -66
- package/skills/creative/creative-game-design/LICENSE +21 -21
- package/skills/creative/creative-game-design/SKILL.md +77 -77
- package/skills/creative/creative-industrial-design/LICENSE +21 -21
- package/skills/creative/creative-industrial-design/SKILL.md +57 -57
- package/skills/creative/creative-interior-design/LICENSE +21 -21
- package/skills/creative/creative-interior-design/SKILL.md +59 -59
- package/skills/creative/creative-music-theory/LICENSE +21 -21
- package/skills/creative/creative-music-theory/SKILL.md +98 -98
- package/skills/creative/creative-photography/LICENSE +21 -21
- package/skills/creative/creative-photography/SKILL.md +87 -87
- package/skills/creative/creative-textile-science/LICENSE +21 -21
- package/skills/creative/creative-textile-science/SKILL.md +67 -67
- package/skills/creative/creative-ux/LICENSE +21 -21
- package/skills/creative/creative-ux/SKILL.md +81 -81
- package/skills/creative/creative-video/LICENSE +21 -21
- package/skills/creative/creative-video/SKILL.md +84 -84
- package/skills/creative/creative-writing-craft/LICENSE +21 -21
- package/skills/creative/creative-writing-craft/SKILL.md +91 -91
- package/skills/diagram-maker/SKILL.md +56 -56
- package/skills/diagram-maker/references/excalidraw-patterns.md +85 -85
- package/skills/diagram-maker/references/svg-template.md +112 -112
- package/skills/discord/SKILL.md +140 -140
- package/skills/education/edu-adult-learning/LICENSE +21 -21
- package/skills/education/edu-adult-learning/SKILL.md +81 -81
- package/skills/education/edu-africa-multilingual/LICENSE +21 -21
- package/skills/education/edu-africa-multilingual/SKILL.md +55 -55
- package/skills/education/edu-arabic/LICENSE +21 -21
- package/skills/education/edu-arabic/SKILL.md +60 -60
- package/skills/education/edu-australia-nz/LICENSE +21 -21
- package/skills/education/edu-australia-nz/SKILL.md +48 -48
- package/skills/education/edu-china-mandarin/LICENSE +21 -21
- package/skills/education/edu-china-mandarin/SKILL.md +58 -58
- package/skills/education/edu-critical-thinking/LICENSE +21 -21
- package/skills/education/edu-critical-thinking/SKILL.md +86 -86
- package/skills/education/edu-curriculum/LICENSE +21 -21
- package/skills/education/edu-curriculum/SKILL.md +87 -87
- package/skills/education/edu-ed-tech/LICENSE +21 -21
- package/skills/education/edu-ed-tech/SKILL.md +73 -73
- package/skills/education/edu-france/LICENSE +21 -21
- package/skills/education/edu-france/SKILL.md +42 -42
- package/skills/education/edu-germany/LICENSE +21 -21
- package/skills/education/edu-germany/SKILL.md +46 -46
- package/skills/education/edu-india-competitive/LICENSE +21 -21
- package/skills/education/edu-india-competitive/SKILL.md +159 -159
- package/skills/education/edu-india-east/LICENSE +21 -21
- package/skills/education/edu-india-east/SKILL.md +60 -60
- package/skills/education/edu-india-hindi/LICENSE +21 -21
- package/skills/education/edu-india-hindi/SKILL.md +107 -107
- package/skills/education/edu-india-south/LICENSE +21 -21
- package/skills/education/edu-india-south/SKILL.md +64 -64
- package/skills/education/edu-india-west/LICENSE +21 -21
- package/skills/education/edu-india-west/SKILL.md +68 -68
- package/skills/education/edu-indonesia-malay/LICENSE +21 -21
- package/skills/education/edu-indonesia-malay/SKILL.md +57 -57
- package/skills/education/edu-international-ib/LICENSE +21 -21
- package/skills/education/edu-international-ib/SKILL.md +61 -61
- package/skills/education/edu-japan/LICENSE +21 -21
- package/skills/education/edu-japan/SKILL.md +48 -48
- package/skills/education/edu-korea/LICENSE +21 -21
- package/skills/education/edu-korea/SKILL.md +48 -48
- package/skills/education/edu-learning-science/LICENSE +21 -21
- package/skills/education/edu-learning-science/SKILL.md +76 -76
- package/skills/education/edu-portuguese-brazil/LICENSE +21 -21
- package/skills/education/edu-portuguese-brazil/SKILL.md +51 -51
- package/skills/education/edu-russia/LICENSE +21 -21
- package/skills/education/edu-russia/SKILL.md +50 -50
- package/skills/education/edu-spain-latam/LICENSE +21 -21
- package/skills/education/edu-spain-latam/SKILL.md +55 -55
- package/skills/education/edu-special/LICENSE +21 -21
- package/skills/education/edu-special/SKILL.md +76 -76
- package/skills/education/edu-thailand/LICENSE +21 -21
- package/skills/education/edu-thailand/SKILL.md +55 -55
- package/skills/education/edu-turkey/LICENSE +21 -21
- package/skills/education/edu-turkey/SKILL.md +58 -58
- package/skills/education/edu-uk-gcse-alevel/LICENSE +21 -21
- package/skills/education/edu-uk-gcse-alevel/SKILL.md +51 -51
- package/skills/education/edu-usa-graduate/LICENSE +21 -21
- package/skills/education/edu-usa-graduate/SKILL.md +57 -57
- package/skills/education/edu-usa-sat-act/LICENSE +21 -21
- package/skills/education/edu-usa-sat-act/SKILL.md +55 -55
- package/skills/education/edu-vietnam/LICENSE +21 -21
- package/skills/education/edu-vietnam/SKILL.md +53 -53
- package/skills/eightctl/SKILL.md +54 -54
- package/skills/engineering/eng-aerospace/LICENSE +21 -21
- package/skills/engineering/eng-aerospace/SKILL.md +117 -117
- package/skills/engineering/eng-chemical/LICENSE +21 -21
- package/skills/engineering/eng-chemical/SKILL.md +63 -63
- package/skills/engineering/eng-civil/LICENSE +21 -21
- package/skills/engineering/eng-civil/SKILL.md +223 -223
- package/skills/engineering/eng-control-systems/LICENSE +21 -21
- package/skills/engineering/eng-control-systems/SKILL.md +158 -158
- package/skills/engineering/eng-cryogenics/LICENSE +21 -21
- package/skills/engineering/eng-cryogenics/SKILL.md +151 -151
- package/skills/engineering/eng-electrical/LICENSE +21 -21
- package/skills/engineering/eng-electrical/SKILL.md +70 -70
- package/skills/engineering/eng-electronics-embedded/LICENSE +21 -21
- package/skills/engineering/eng-electronics-embedded/SKILL.md +89 -89
- package/skills/engineering/eng-environmental/LICENSE +21 -21
- package/skills/engineering/eng-environmental/SKILL.md +66 -66
- package/skills/engineering/eng-manufacturing/LICENSE +21 -21
- package/skills/engineering/eng-manufacturing/SKILL.md +78 -78
- package/skills/engineering/eng-mechanical/LICENSE +21 -21
- package/skills/engineering/eng-mechanical/SKILL.md +66 -66
- package/skills/engineering/eng-project/LICENSE +21 -21
- package/skills/engineering/eng-project/SKILL.md +72 -72
- package/skills/engineering/eng-propulsion/LICENSE +21 -21
- package/skills/engineering/eng-propulsion/SKILL.md +133 -133
- package/skills/engineering/eng-robotics/LICENSE +21 -21
- package/skills/engineering/eng-robotics/SKILL.md +92 -92
- package/skills/engineering/eng-systems/LICENSE +21 -21
- package/skills/engineering/eng-systems/SKILL.md +81 -81
- package/skills/environment/env-biodiversity/LICENSE +21 -21
- package/skills/environment/env-biodiversity/SKILL.md +66 -66
- package/skills/environment/env-circular-economy/LICENSE +21 -21
- package/skills/environment/env-circular-economy/SKILL.md +71 -71
- package/skills/environment/env-climate-action/LICENSE +21 -21
- package/skills/environment/env-climate-action/SKILL.md +55 -55
- package/skills/environment/env-energy/LICENSE +21 -21
- package/skills/environment/env-energy/SKILL.md +83 -83
- package/skills/environment/env-sustainability-biz/LICENSE +21 -21
- package/skills/environment/env-sustainability-biz/SKILL.md +65 -65
- package/skills/environment/env-water/LICENSE +21 -21
- package/skills/environment/env-water/SKILL.md +67 -67
- package/skills/finance/finance-accounting/LICENSE +21 -21
- package/skills/finance/finance-accounting/SKILL.md +239 -239
- package/skills/finance/finance-banking/LICENSE +21 -21
- package/skills/finance/finance-banking/SKILL.md +54 -54
- package/skills/finance/finance-corporate/LICENSE +21 -21
- package/skills/finance/finance-corporate/SKILL.md +105 -105
- package/skills/finance/finance-crypto/LICENSE +21 -21
- package/skills/finance/finance-crypto/SKILL.md +94 -94
- package/skills/finance/finance-debt-management/LICENSE +21 -21
- package/skills/finance/finance-debt-management/SKILL.md +87 -87
- package/skills/finance/finance-insurance/LICENSE +21 -21
- package/skills/finance/finance-insurance/SKILL.md +91 -91
- package/skills/finance/finance-investing/LICENSE +21 -21
- package/skills/finance/finance-investing/SKILL.md +269 -269
- package/skills/finance/finance-options-derivatives/LICENSE +21 -21
- package/skills/finance/finance-options-derivatives/SKILL.md +68 -68
- package/skills/finance/finance-personal/LICENSE +21 -21
- package/skills/finance/finance-personal/SKILL.md +268 -268
- package/skills/finance/finance-real-estate/LICENSE +21 -21
- package/skills/finance/finance-real-estate/SKILL.md +110 -110
- package/skills/finance/finance-startup/LICENSE +21 -21
- package/skills/finance/finance-startup/SKILL.md +253 -253
- package/skills/finance/finance-tax-planning/LICENSE +21 -21
- package/skills/finance/finance-tax-planning/SKILL.md +89 -89
- package/skills/finance/finance-trading/LICENSE +21 -21
- package/skills/finance/finance-trading/SKILL.md +112 -112
- package/skills/gemini/SKILL.md +51 -51
- package/skills/gh-issues/SKILL.md +216 -216
- package/skills/gifgrep/SKILL.md +89 -89
- package/skills/github/SKILL.md +87 -87
- package/skills/gog/SKILL.md +120 -120
- package/skills/goplaces/SKILL.md +56 -56
- package/skills/graphify/SKILL.md +619 -0
- package/skills/graphify/__init__.py +28 -0
- package/skills/graphify/__main__.py +4582 -0
- package/skills/graphify/affected.py +154 -0
- package/skills/graphify/always_on/agents-md.md +12 -0
- package/skills/graphify/always_on/antigravity-rules.md +14 -0
- package/skills/graphify/always_on/claude-md.md +9 -0
- package/skills/graphify/always_on/gemini-md.md +9 -0
- package/skills/graphify/always_on/kiro-steering.md +5 -0
- package/skills/graphify/always_on/vscode-instructions.md +17 -0
- package/skills/graphify/analyze.py +724 -0
- package/skills/graphify/benchmark.py +155 -0
- package/skills/graphify/build.py +487 -0
- package/skills/graphify/cache.py +417 -0
- package/skills/graphify/callflow_html.py +2020 -0
- package/skills/graphify/cluster.py +272 -0
- package/skills/graphify/command-kilo.md +15 -0
- package/skills/graphify/dedup.py +429 -0
- package/skills/graphify/detect.py +1379 -0
- package/skills/graphify/diagnostics.py +390 -0
- package/skills/graphify/export.py +1408 -0
- package/skills/graphify/extract.py +11570 -0
- package/skills/graphify/global_graph.py +159 -0
- package/skills/graphify/google_workspace.py +223 -0
- package/skills/graphify/hooks.py +457 -0
- package/skills/graphify/ingest.py +331 -0
- package/skills/graphify/llm.py +1896 -0
- package/skills/graphify/manifest.py +4 -0
- package/skills/graphify/mcp_ingest.py +392 -0
- package/skills/graphify/multigraph_compat.py +212 -0
- package/skills/graphify/pg_introspect.py +142 -0
- package/skills/graphify/prs.py +748 -0
- package/skills/graphify/querylog.py +70 -0
- package/skills/graphify/report.py +218 -0
- package/skills/graphify/scip_ingest.py +363 -0
- package/skills/graphify/security.py +336 -0
- package/skills/graphify/semantic_cleanup.py +319 -0
- package/skills/graphify/serve.py +1309 -0
- package/skills/graphify/skill-aider.md +1246 -0
- package/skills/graphify/skill-amp.md +613 -0
- package/skills/graphify/skill-claw.md +616 -0
- package/skills/graphify/skill-codex.md +613 -0
- package/skills/graphify/skill-copilot.md +616 -0
- package/skills/graphify/skill-devin.md +1372 -0
- package/skills/graphify/skill-droid.md +613 -0
- package/skills/graphify/skill-kilo.md +625 -0
- package/skills/graphify/skill-kiro.md +615 -0
- package/skills/graphify/skill-opencode.md +608 -0
- package/skills/graphify/skill-pi.md +615 -0
- package/skills/graphify/skill-trae.md +614 -0
- package/skills/graphify/skill-vscode.md +612 -0
- package/skills/graphify/skill-windows.md +651 -0
- package/skills/graphify/skills/amp/references/add-watch.md +56 -0
- package/skills/graphify/skills/amp/references/exports.md +71 -0
- package/skills/graphify/skills/amp/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/amp/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/amp/references/hooks.md +33 -0
- package/skills/graphify/skills/amp/references/query.md +249 -0
- package/skills/graphify/skills/amp/references/transcribe.md +48 -0
- package/skills/graphify/skills/amp/references/update.md +179 -0
- package/skills/graphify/skills/claude/references/add-watch.md +56 -0
- package/skills/graphify/skills/claude/references/exports.md +71 -0
- package/skills/graphify/skills/claude/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/claude/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/claude/references/hooks.md +33 -0
- package/skills/graphify/skills/claude/references/query.md +103 -0
- package/skills/graphify/skills/claude/references/transcribe.md +48 -0
- package/skills/graphify/skills/claude/references/update.md +179 -0
- package/skills/graphify/skills/claw/references/add-watch.md +56 -0
- package/skills/graphify/skills/claw/references/exports.md +71 -0
- package/skills/graphify/skills/claw/references/extraction-spec.md +29 -0
- package/skills/graphify/skills/claw/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/claw/references/hooks.md +33 -0
- package/skills/graphify/skills/claw/references/query.md +249 -0
- package/skills/graphify/skills/claw/references/transcribe.md +48 -0
- package/skills/graphify/skills/claw/references/update.md +179 -0
- package/skills/graphify/skills/codex/references/add-watch.md +56 -0
- package/skills/graphify/skills/codex/references/exports.md +71 -0
- package/skills/graphify/skills/codex/references/extraction-spec.md +29 -0
- package/skills/graphify/skills/codex/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/codex/references/hooks.md +33 -0
- package/skills/graphify/skills/codex/references/query.md +249 -0
- package/skills/graphify/skills/codex/references/transcribe.md +48 -0
- package/skills/graphify/skills/codex/references/update.md +179 -0
- package/skills/graphify/skills/copilot/references/add-watch.md +56 -0
- package/skills/graphify/skills/copilot/references/exports.md +71 -0
- package/skills/graphify/skills/copilot/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/copilot/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/copilot/references/hooks.md +33 -0
- package/skills/graphify/skills/copilot/references/query.md +249 -0
- package/skills/graphify/skills/copilot/references/transcribe.md +48 -0
- package/skills/graphify/skills/copilot/references/update.md +179 -0
- package/skills/graphify/skills/droid/references/add-watch.md +56 -0
- package/skills/graphify/skills/droid/references/exports.md +71 -0
- package/skills/graphify/skills/droid/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/droid/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/droid/references/hooks.md +33 -0
- package/skills/graphify/skills/droid/references/query.md +249 -0
- package/skills/graphify/skills/droid/references/transcribe.md +48 -0
- package/skills/graphify/skills/droid/references/update.md +179 -0
- package/skills/graphify/skills/kilo/references/add-watch.md +56 -0
- package/skills/graphify/skills/kilo/references/exports.md +71 -0
- package/skills/graphify/skills/kilo/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/kilo/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/kilo/references/hooks.md +33 -0
- package/skills/graphify/skills/kilo/references/query.md +249 -0
- package/skills/graphify/skills/kilo/references/transcribe.md +48 -0
- package/skills/graphify/skills/kilo/references/update.md +179 -0
- package/skills/graphify/skills/kiro/references/add-watch.md +56 -0
- package/skills/graphify/skills/kiro/references/exports.md +71 -0
- package/skills/graphify/skills/kiro/references/extraction-spec.md +29 -0
- package/skills/graphify/skills/kiro/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/kiro/references/hooks.md +33 -0
- package/skills/graphify/skills/kiro/references/query.md +249 -0
- package/skills/graphify/skills/kiro/references/transcribe.md +48 -0
- package/skills/graphify/skills/kiro/references/update.md +179 -0
- package/skills/graphify/skills/opencode/references/add-watch.md +56 -0
- package/skills/graphify/skills/opencode/references/exports.md +71 -0
- package/skills/graphify/skills/opencode/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/opencode/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/opencode/references/hooks.md +33 -0
- package/skills/graphify/skills/opencode/references/query.md +249 -0
- package/skills/graphify/skills/opencode/references/transcribe.md +48 -0
- package/skills/graphify/skills/opencode/references/update.md +179 -0
- package/skills/graphify/skills/pi/references/add-watch.md +56 -0
- package/skills/graphify/skills/pi/references/exports.md +71 -0
- package/skills/graphify/skills/pi/references/extraction-spec.md +29 -0
- package/skills/graphify/skills/pi/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/pi/references/hooks.md +33 -0
- package/skills/graphify/skills/pi/references/query.md +249 -0
- package/skills/graphify/skills/pi/references/transcribe.md +48 -0
- package/skills/graphify/skills/pi/references/update.md +179 -0
- package/skills/graphify/skills/trae/references/add-watch.md +56 -0
- package/skills/graphify/skills/trae/references/exports.md +71 -0
- package/skills/graphify/skills/trae/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/trae/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/trae/references/hooks.md +35 -0
- package/skills/graphify/skills/trae/references/query.md +249 -0
- package/skills/graphify/skills/trae/references/transcribe.md +48 -0
- package/skills/graphify/skills/trae/references/update.md +179 -0
- package/skills/graphify/skills/vscode/references/add-watch.md +56 -0
- package/skills/graphify/skills/vscode/references/exports.md +71 -0
- package/skills/graphify/skills/vscode/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/vscode/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/vscode/references/hooks.md +33 -0
- package/skills/graphify/skills/vscode/references/query.md +249 -0
- package/skills/graphify/skills/vscode/references/transcribe.md +48 -0
- package/skills/graphify/skills/vscode/references/update.md +179 -0
- package/skills/graphify/skills/windows/references/add-watch.md +56 -0
- package/skills/graphify/skills/windows/references/exports.md +71 -0
- package/skills/graphify/skills/windows/references/extraction-spec.md +68 -0
- package/skills/graphify/skills/windows/references/github-and-merge.md +46 -0
- package/skills/graphify/skills/windows/references/hooks.md +33 -0
- package/skills/graphify/skills/windows/references/query.md +249 -0
- package/skills/graphify/skills/windows/references/transcribe.md +48 -0
- package/skills/graphify/skills/windows/references/update.md +179 -0
- package/skills/graphify/symbol_resolution.py +538 -0
- package/skills/graphify/transcribe.py +184 -0
- package/skills/graphify/tree_html.py +582 -0
- package/skills/graphify/validate.py +72 -0
- package/skills/graphify/watch.py +898 -0
- package/skills/graphify/wiki.py +282 -0
- package/skills/health/health-aging/LICENSE +21 -21
- package/skills/health/health-aging/SKILL.md +82 -82
- package/skills/health/health-chronic/LICENSE +21 -21
- package/skills/health/health-chronic/SKILL.md +202 -202
- package/skills/health/health-dental/LICENSE +21 -21
- package/skills/health/health-dental/SKILL.md +41 -41
- package/skills/health/health-eye-care/LICENSE +21 -21
- package/skills/health/health-eye-care/SKILL.md +56 -56
- package/skills/health/health-first-aid/LICENSE +21 -21
- package/skills/health/health-first-aid/SKILL.md +201 -201
- package/skills/health/health-fitness/LICENSE +21 -21
- package/skills/health/health-fitness/SKILL.md +111 -111
- package/skills/health/health-general/LICENSE +21 -21
- package/skills/health/health-general/SKILL.md +277 -277
- package/skills/health/health-mens/LICENSE +21 -21
- package/skills/health/health-mens/SKILL.md +53 -53
- package/skills/health/health-mental/LICENSE +21 -21
- package/skills/health/health-mental/SKILL.md +221 -221
- package/skills/health/health-naturopathy-ayurveda/LICENSE +21 -21
- package/skills/health/health-naturopathy-ayurveda/SKILL.md +60 -60
- package/skills/health/health-nutrition/LICENSE +21 -21
- package/skills/health/health-nutrition/SKILL.md +262 -262
- package/skills/health/health-pediatric/LICENSE +21 -21
- package/skills/health/health-pediatric/SKILL.md +94 -94
- package/skills/health/health-pharmacology/LICENSE +21 -21
- package/skills/health/health-pharmacology/SKILL.md +87 -87
- package/skills/health/health-pregnancy/LICENSE +21 -21
- package/skills/health/health-pregnancy/SKILL.md +71 -71
- package/skills/health/health-skin/LICENSE +21 -21
- package/skills/health/health-skin/SKILL.md +71 -71
- package/skills/health/health-sleep/LICENSE +21 -21
- package/skills/health/health-sleep/SKILL.md +81 -81
- package/skills/health/health-womens/LICENSE +21 -21
- package/skills/health/health-womens/SKILL.md +72 -72
- package/skills/health/health-yoga-wellness/LICENSE +21 -21
- package/skills/health/health-yoga-wellness/SKILL.md +58 -58
- package/skills/healthcare-systems/health-sys-global/LICENSE +21 -21
- package/skills/healthcare-systems/health-sys-global/SKILL.md +69 -69
- package/skills/healthcare-systems/health-sys-management/LICENSE +21 -21
- package/skills/healthcare-systems/health-sys-management/SKILL.md +71 -71
- package/skills/healthcare-systems/health-sys-navigation/LICENSE +21 -21
- package/skills/healthcare-systems/health-sys-navigation/SKILL.md +60 -60
- package/skills/healthcare-systems/health-sys-public/LICENSE +21 -21
- package/skills/healthcare-systems/health-sys-public/SKILL.md +71 -71
- package/skills/healthcheck/SKILL.md +109 -109
- package/skills/himalaya/SKILL.md +84 -84
- package/skills/himalaya/references/configuration.md +184 -184
- package/skills/himalaya/references/message-composition.md +199 -199
- package/skills/humanities/humanities-history-world/LICENSE +21 -21
- package/skills/humanities/humanities-history-world/SKILL.md +59 -59
- package/skills/humanities/humanities-indian-classical/LICENSE +21 -21
- package/skills/humanities/humanities-indian-classical/SKILL.md +104 -104
- package/skills/humanities/humanities-philosophy/LICENSE +21 -21
- package/skills/humanities/humanities-philosophy/SKILL.md +105 -105
- package/skills/humanities/humanities-world-religions/LICENSE +21 -21
- package/skills/humanities/humanities-world-religions/SKILL.md +67 -67
- package/skills/impeccable/SKILL.md +186 -0
- package/skills/impeccable/agents/impeccable_asset_producer.toml +92 -0
- package/skills/impeccable/agents/impeccable_manual_edit_applier.toml +95 -0
- package/skills/impeccable/agents/openai.yaml +4 -0
- package/skills/impeccable/reference/adapt.md +311 -0
- package/skills/impeccable/reference/animate.md +201 -0
- package/skills/impeccable/reference/audit.md +133 -0
- package/skills/impeccable/reference/bolder.md +113 -0
- package/skills/impeccable/reference/brand.md +108 -0
- package/skills/impeccable/reference/clarify.md +288 -0
- package/skills/impeccable/reference/codex.md +105 -0
- package/skills/impeccable/reference/colorize.md +257 -0
- package/skills/impeccable/reference/craft.md +123 -0
- package/skills/impeccable/reference/critique.md +790 -0
- package/skills/impeccable/reference/delight.md +302 -0
- package/skills/impeccable/reference/distill.md +111 -0
- package/skills/impeccable/reference/document.md +429 -0
- package/skills/impeccable/reference/extract.md +69 -0
- package/skills/impeccable/reference/harden.md +347 -0
- package/skills/impeccable/reference/init.md +172 -0
- package/skills/impeccable/reference/interaction-design.md +189 -0
- package/skills/impeccable/reference/layout.md +161 -0
- package/skills/impeccable/reference/live.md +720 -0
- package/skills/impeccable/reference/onboard.md +234 -0
- package/skills/impeccable/reference/optimize.md +258 -0
- package/skills/impeccable/reference/overdrive.md +130 -0
- package/skills/impeccable/reference/polish.md +241 -0
- package/skills/impeccable/reference/product.md +60 -0
- package/skills/impeccable/reference/quieter.md +99 -0
- package/skills/impeccable/reference/shape.md +165 -0
- package/skills/impeccable/reference/typeset.md +279 -0
- package/skills/impeccable/scripts/cleanup-deprecated.mjs +284 -0
- package/skills/impeccable/scripts/command-metadata.json +94 -0
- package/skills/impeccable/scripts/context-signals.mjs +225 -0
- package/skills/impeccable/scripts/context.mjs +266 -0
- package/skills/impeccable/scripts/critique-storage.mjs +242 -0
- package/skills/impeccable/scripts/design-parser.mjs +835 -0
- package/skills/impeccable/scripts/detect-csp.mjs +198 -0
- package/skills/impeccable/scripts/detect.mjs +21 -0
- package/skills/impeccable/scripts/detector/browser/injected/index.mjs +1733 -0
- package/skills/impeccable/scripts/detector/cli/main.mjs +244 -0
- package/skills/impeccable/scripts/detector/detect-antipatterns-browser.js +4618 -0
- package/skills/impeccable/scripts/detector/detect-antipatterns.mjs +43 -0
- package/skills/impeccable/scripts/detector/engines/browser/detect-url.mjs +252 -0
- package/skills/impeccable/scripts/detector/engines/regex/detect-text.mjs +535 -0
- package/skills/impeccable/scripts/detector/engines/static-html/css-cascade.mjs +986 -0
- package/skills/impeccable/scripts/detector/engines/static-html/detect-html.mjs +208 -0
- package/skills/impeccable/scripts/detector/engines/visual/screenshot-contrast.mjs +189 -0
- package/skills/impeccable/scripts/detector/findings.mjs +12 -0
- package/skills/impeccable/scripts/detector/node/file-system.mjs +198 -0
- package/skills/impeccable/scripts/detector/profile/profiler.mjs +166 -0
- package/skills/impeccable/scripts/detector/registry/antipatterns.mjs +419 -0
- package/skills/impeccable/scripts/detector/rules/checks.mjs +2384 -0
- package/skills/impeccable/scripts/detector/shared/color.mjs +124 -0
- package/skills/impeccable/scripts/detector/shared/constants.mjs +101 -0
- package/skills/impeccable/scripts/detector/shared/page.mjs +7 -0
- package/skills/impeccable/scripts/impeccable-paths.mjs +126 -0
- package/skills/impeccable/scripts/is-generated.mjs +69 -0
- package/skills/impeccable/scripts/live-accept.mjs +812 -0
- package/skills/impeccable/scripts/live-browser-session.js +123 -0
- package/skills/impeccable/scripts/live-browser.js +10295 -0
- package/skills/impeccable/scripts/live-commit-manual-edits.mjs +1241 -0
- package/skills/impeccable/scripts/live-complete.mjs +75 -0
- package/skills/impeccable/scripts/live-completion.mjs +19 -0
- package/skills/impeccable/scripts/live-copy-edit-agent.mjs +683 -0
- package/skills/impeccable/scripts/live-discard-manual-edits.mjs +51 -0
- package/skills/impeccable/scripts/live-event-validation.mjs +137 -0
- package/skills/impeccable/scripts/live-inject.mjs +557 -0
- package/skills/impeccable/scripts/live-insert-ui.mjs +458 -0
- package/skills/impeccable/scripts/live-insert.mjs +272 -0
- package/skills/impeccable/scripts/live-manual-edit-evidence.mjs +363 -0
- package/skills/impeccable/scripts/live-manual-edits-buffer.mjs +152 -0
- package/skills/impeccable/scripts/live-poll.mjs +379 -0
- package/skills/impeccable/scripts/live-resume.mjs +94 -0
- package/skills/impeccable/scripts/live-server.mjs +2326 -0
- package/skills/impeccable/scripts/live-session-store.mjs +289 -0
- package/skills/impeccable/scripts/live-status.mjs +61 -0
- package/skills/impeccable/scripts/live-svelte-component.mjs +826 -0
- package/skills/impeccable/scripts/live-sveltekit-adapter.mjs +274 -0
- package/skills/impeccable/scripts/live-ui-core.mjs +179 -0
- package/skills/impeccable/scripts/live-vocabulary.mjs +36 -0
- package/skills/impeccable/scripts/live-wrap.mjs +894 -0
- package/skills/impeccable/scripts/live.mjs +246 -0
- package/skills/impeccable/scripts/modern-screenshot.umd.js +14 -0
- package/skills/impeccable/scripts/palette.mjs +633 -0
- package/skills/impeccable/scripts/pin.mjs +214 -0
- package/skills/imsg/SKILL.md +126 -126
- package/skills/industry/industry-construction/LICENSE +21 -21
- package/skills/industry/industry-construction/SKILL.md +81 -81
- package/skills/industry/industry-education-sector/LICENSE +21 -21
- package/skills/industry/industry-education-sector/SKILL.md +49 -49
- package/skills/industry/industry-fashion/LICENSE +21 -21
- package/skills/industry/industry-fashion/SKILL.md +82 -82
- package/skills/industry/industry-food/LICENSE +21 -21
- package/skills/industry/industry-food/SKILL.md +79 -79
- package/skills/industry/industry-government/LICENSE +21 -21
- package/skills/industry/industry-government/SKILL.md +80 -80
- package/skills/industry/industry-hospitality/LICENSE +21 -21
- package/skills/industry/industry-hospitality/SKILL.md +73 -73
- package/skills/industry/industry-insurance-sector/LICENSE +21 -21
- package/skills/industry/industry-insurance-sector/SKILL.md +57 -57
- package/skills/industry/industry-logistics/LICENSE +21 -21
- package/skills/industry/industry-logistics/SKILL.md +80 -80
- package/skills/industry/industry-media/LICENSE +21 -21
- package/skills/industry/industry-media/SKILL.md +66 -66
- package/skills/industry/industry-nonprofit/LICENSE +21 -21
- package/skills/industry/industry-nonprofit/SKILL.md +77 -77
- package/skills/industry/industry-pharma/LICENSE +21 -21
- package/skills/industry/industry-pharma/SKILL.md +69 -69
- package/skills/industry/industry-real-estate/LICENSE +21 -21
- package/skills/industry/industry-real-estate/SKILL.md +61 -61
- package/skills/industry/industry-sports/LICENSE +21 -21
- package/skills/industry/industry-sports/SKILL.md +71 -71
- package/skills/industry/industry-tech-startup/LICENSE +21 -21
- package/skills/industry/industry-tech-startup/SKILL.md +82 -82
- package/skills/internal-comms/LICENSE +21 -21
- package/skills/internal-comms/SKILL.md +38 -38
- package/skills/internal-comms/examples/3p-updates.md +49 -49
- package/skills/internal-comms/examples/company-newsletter.md +76 -76
- package/skills/internal-comms/examples/faq-answers.md +35 -35
- package/skills/internal-comms/examples/general-comms.md +19 -19
- package/skills/legal/legal-business/LICENSE +21 -21
- package/skills/legal/legal-business/SKILL.md +227 -227
- package/skills/legal/legal-consumer/LICENSE +21 -21
- package/skills/legal/legal-consumer/SKILL.md +155 -155
- package/skills/legal/legal-contracts/LICENSE +21 -21
- package/skills/legal/legal-contracts/SKILL.md +268 -268
- package/skills/legal/legal-corporate-governance/LICENSE +21 -21
- package/skills/legal/legal-corporate-governance/SKILL.md +53 -53
- package/skills/legal/legal-employment/LICENSE +21 -21
- package/skills/legal/legal-employment/SKILL.md +291 -291
- package/skills/legal/legal-immigration/LICENSE +21 -21
- package/skills/legal/legal-immigration/SKILL.md +146 -146
- package/skills/legal/legal-international/LICENSE +21 -21
- package/skills/legal/legal-international/SKILL.md +51 -51
- package/skills/legal/legal-ip/LICENSE +21 -21
- package/skills/legal/legal-ip/SKILL.md +264 -264
- package/skills/legal/legal-privacy/LICENSE +21 -21
- package/skills/legal/legal-privacy/SKILL.md +161 -161
- package/skills/legal/legal-real-estate/LICENSE +21 -21
- package/skills/legal/legal-real-estate/SKILL.md +142 -142
- package/skills/legal/legal-startup/LICENSE +21 -21
- package/skills/legal/legal-startup/SKILL.md +182 -182
- package/skills/legal/legal-tax/LICENSE +21 -21
- package/skills/legal/legal-tax/SKILL.md +156 -156
- package/skills/mcp-builder/LICENSE +21 -21
- package/skills/mcp-builder/SKILL.md +257 -257
- package/skills/mcp-builder/reference/evaluation.md +630 -630
- package/skills/mcp-builder/reference/mcp_best_practices.md +269 -269
- package/skills/mcp-builder/reference/node_mcp_server.md +980 -980
- package/skills/mcp-builder/reference/python_mcp_server.md +737 -737
- package/skills/mcp-builder/scripts/connections.py +151 -151
- package/skills/mcp-builder/scripts/evaluation.py +373 -373
- package/skills/mcp-builder/scripts/example_evaluation.xml +22 -22
- package/skills/mcp-builder/scripts/requirements.txt +2 -2
- package/skills/mcporter/SKILL.md +65 -65
- package/skills/meme-maker/SKILL.md +46 -46
- package/skills/meme-maker/references/templates.json +358 -358
- package/skills/meme-maker/scripts/meme.mjs +398 -398
- package/skills/mental-health/mental-health-cbt/LICENSE +21 -21
- package/skills/mental-health/mental-health-cbt/SKILL.md +254 -254
- package/skills/mental-health/psych-addiction/LICENSE +21 -21
- package/skills/mental-health/psych-addiction/SKILL.md +79 -79
- package/skills/mental-health/psych-behavioral-econ/LICENSE +21 -21
- package/skills/mental-health/psych-behavioral-econ/SKILL.md +84 -84
- package/skills/mental-health/psych-child/LICENSE +21 -21
- package/skills/mental-health/psych-child/SKILL.md +84 -84
- package/skills/mental-health/psych-grief/LICENSE +21 -21
- package/skills/mental-health/psych-grief/SKILL.md +85 -85
- package/skills/mental-health/psych-mindfulness/LICENSE +21 -21
- package/skills/mental-health/psych-mindfulness/SKILL.md +71 -71
- package/skills/mental-health/psych-org/LICENSE +21 -21
- package/skills/mental-health/psych-org/SKILL.md +115 -115
- package/skills/mental-health/psych-positive/LICENSE +21 -21
- package/skills/mental-health/psych-positive/SKILL.md +86 -86
- package/skills/mental-health/psych-relationships/LICENSE +21 -21
- package/skills/mental-health/psych-relationships/SKILL.md +100 -100
- package/skills/mental-health/psych-trauma/LICENSE +21 -21
- package/skills/mental-health/psych-trauma/SKILL.md +109 -109
- package/skills/model-usage/SKILL.md +75 -75
- package/skills/model-usage/references/codexbar-cli.md +33 -33
- package/skills/model-usage/scripts/model_usage.py +319 -319
- package/skills/model-usage/scripts/test_model_usage.py +40 -40
- package/skills/nano-pdf/SKILL.md +42 -42
- package/skills/node-connect/SKILL.md +147 -147
- package/skills/node-inspect-debugger/SKILL.md +88 -88
- package/skills/notion/SKILL.md +154 -154
- package/skills/obsidian/SKILL.md +123 -123
- package/skills/openai-whisper/SKILL.md +42 -42
- package/skills/openai-whisper-api/SKILL.md +75 -75
- package/skills/openai-whisper-api/scripts/transcribe.sh +154 -154
- package/skills/openhue/SKILL.md +116 -116
- package/skills/oracle/SKILL.md +130 -130
- package/skills/ordercli/SKILL.md +82 -82
- package/skills/peekaboo/SKILL.md +217 -217
- package/skills/pyproject.toml +10 -10
- package/skills/python-debugpy/SKILL.md +76 -76
- package/skills/sag/SKILL.md +91 -91
- package/skills/science/sci-astronomy/LICENSE +21 -21
- package/skills/science/sci-astronomy/SKILL.md +80 -80
- package/skills/science/sci-biology/LICENSE +21 -21
- package/skills/science/sci-biology/SKILL.md +74 -74
- package/skills/science/sci-chemistry/LICENSE +21 -21
- package/skills/science/sci-chemistry/SKILL.md +89 -89
- package/skills/science/sci-climate/LICENSE +21 -21
- package/skills/science/sci-climate/SKILL.md +72 -72
- package/skills/science/sci-data-analysis/LICENSE +21 -21
- package/skills/science/sci-data-analysis/SKILL.md +87 -87
- package/skills/science/sci-environmental-science/LICENSE +21 -21
- package/skills/science/sci-environmental-science/SKILL.md +69 -69
- package/skills/science/sci-geology/LICENSE +21 -21
- package/skills/science/sci-geology/SKILL.md +56 -56
- package/skills/science/sci-method/LICENSE +21 -21
- package/skills/science/sci-method/SKILL.md +77 -77
- package/skills/science/sci-neuroscience/LICENSE +21 -21
- package/skills/science/sci-neuroscience/SKILL.md +79 -79
- package/skills/science/sci-physics/LICENSE +21 -21
- package/skills/science/sci-physics/SKILL.md +78 -78
- package/skills/science/sci-research-methods/LICENSE +21 -21
- package/skills/science/sci-research-methods/SKILL.md +83 -83
- package/skills/science/sci-statistics/LICENSE +21 -21
- package/skills/science/sci-statistics/SKILL.md +249 -249
- package/skills/session-logs/SKILL.md +155 -155
- package/skills/sherpa-onnx-tts/SKILL.md +113 -113
- package/skills/skill-creator/SKILL.md +81 -81
- package/skills/skill-creator/license.txt +202 -202
- package/skills/skill-creator/scripts/init_skill.py +378 -378
- package/skills/skill-creator/scripts/package_skill.py +144 -144
- package/skills/skill-creator/scripts/quick_validate.py +169 -169
- package/skills/skill-creator/scripts/test_init_skill.py +51 -51
- package/skills/skill-creator/scripts/test_package_skill.py +199 -199
- package/skills/skill-creator/scripts/test_quick_validate.py +116 -116
- package/skills/slack/SKILL.md +82 -82
- package/skills/slack-gif-creator/LICENSE +21 -21
- package/skills/slack-gif-creator/SKILL.md +293 -293
- package/skills/slack-gif-creator/requirements.txt +3 -3
- package/skills/social-sciences/social-anthropology/LICENSE +21 -21
- package/skills/social-sciences/social-anthropology/SKILL.md +62 -62
- package/skills/social-sciences/social-economics/LICENSE +21 -21
- package/skills/social-sciences/social-economics/SKILL.md +88 -88
- package/skills/social-sciences/social-geography/LICENSE +21 -21
- package/skills/social-sciences/social-geography/SKILL.md +61 -61
- package/skills/social-sciences/social-international-dev/LICENSE +21 -21
- package/skills/social-sciences/social-international-dev/SKILL.md +76 -76
- package/skills/social-sciences/social-political-science/LICENSE +21 -21
- package/skills/social-sciences/social-political-science/SKILL.md +70 -70
- package/skills/social-sciences/social-public-policy/LICENSE +21 -21
- package/skills/social-sciences/social-public-policy/SKILL.md +73 -73
- package/skills/social-sciences/social-sociology/LICENSE +21 -21
- package/skills/social-sciences/social-sociology/SKILL.md +78 -78
- package/skills/songsee/SKILL.md +53 -53
- package/skills/sonoscli/SKILL.md +69 -69
- package/skills/spike/SKILL.md +55 -55
- package/skills/spotify-player/SKILL.md +68 -68
- package/skills/summarize/SKILL.md +90 -90
- package/skills/taskflow/SKILL.md +153 -153
- package/skills/taskflow/examples/inbox-triage.lobster +33 -33
- package/skills/taskflow/examples/pr-intake.lobster +32 -32
- package/skills/taskflow-inbox-triage/SKILL.md +123 -123
- package/skills/technical/ai-ethics/LICENSE +21 -21
- package/skills/technical/ai-ethics/SKILL.md +92 -92
- package/skills/technical/ai-product-builder/LICENSE +21 -21
- package/skills/technical/ai-product-builder/SKILL.md +180 -180
- package/skills/technical/analytics-setup/LICENSE +21 -21
- package/skills/technical/analytics-setup/SKILL.md +125 -125
- package/skills/technical/api-builder/LICENSE +21 -21
- package/skills/technical/api-builder/SKILL.md +202 -202
- package/skills/technical/architecture-decisions/LICENSE +21 -21
- package/skills/technical/architecture-decisions/SKILL.md +120 -120
- package/skills/technical/auth-security/LICENSE +21 -21
- package/skills/technical/auth-security/SKILL.md +209 -209
- package/skills/technical/blockchain-web3/LICENSE +21 -21
- package/skills/technical/blockchain-web3/SKILL.md +84 -84
- package/skills/technical/cloud-architecture/LICENSE +21 -21
- package/skills/technical/cloud-architecture/SKILL.md +85 -85
- package/skills/technical/content-platform/LICENSE +21 -21
- package/skills/technical/content-platform/SKILL.md +134 -134
- package/skills/technical/cybersecurity-advanced/LICENSE +21 -21
- package/skills/technical/cybersecurity-advanced/SKILL.md +99 -99
- package/skills/technical/data-engineering/LICENSE +21 -21
- package/skills/technical/data-engineering/SKILL.md +117 -117
- package/skills/technical/database-design/LICENSE +21 -21
- package/skills/technical/database-design/SKILL.md +185 -185
- package/skills/technical/devops-cicd/LICENSE +21 -21
- package/skills/technical/devops-cicd/SKILL.md +181 -181
- package/skills/technical/ecommerce-builder/LICENSE +21 -21
- package/skills/technical/ecommerce-builder/SKILL.md +123 -123
- package/skills/technical/email-marketing/LICENSE +21 -21
- package/skills/technical/email-marketing/SKILL.md +128 -128
- package/skills/technical/fintech-builder/LICENSE +21 -21
- package/skills/technical/fintech-builder/SKILL.md +141 -141
- package/skills/technical/full-stack-web/LICENSE +21 -21
- package/skills/technical/full-stack-web/SKILL.md +173 -173
- package/skills/technical/gdpr-basics/LICENSE +21 -21
- package/skills/technical/gdpr-basics/SKILL.md +145 -145
- package/skills/technical/launch-playbook/LICENSE +21 -21
- package/skills/technical/launch-playbook/SKILL.md +95 -95
- package/skills/technical/marketing-copy/LICENSE +21 -21
- package/skills/technical/marketing-copy/SKILL.md +126 -126
- package/skills/technical/marketplace-builder/LICENSE +21 -21
- package/skills/technical/marketplace-builder/SKILL.md +105 -105
- package/skills/technical/mobile-pwa/LICENSE +21 -21
- package/skills/technical/mobile-pwa/SKILL.md +191 -191
- package/skills/technical/no-code-tools/LICENSE +21 -21
- package/skills/technical/no-code-tools/SKILL.md +80 -80
- package/skills/technical/open-source/LICENSE +21 -21
- package/skills/technical/open-source/SKILL.md +71 -71
- package/skills/technical/performance-optimization/LICENSE +21 -21
- package/skills/technical/performance-optimization/SKILL.md +155 -155
- package/skills/technical/pricing-design/LICENSE +21 -21
- package/skills/technical/pricing-design/SKILL.md +87 -87
- package/skills/technical/product-management/LICENSE +21 -21
- package/skills/technical/product-management/SKILL.md +94 -94
- package/skills/technical/saas-builder/LICENSE +21 -21
- package/skills/technical/saas-builder/SKILL.md +138 -138
- package/skills/technical/scope-estimation/LICENSE +21 -21
- package/skills/technical/scope-estimation/SKILL.md +99 -99
- package/skills/technical/secrets-management/LICENSE +21 -21
- package/skills/technical/secrets-management/SKILL.md +135 -135
- package/skills/technical/seo-technical/LICENSE +21 -21
- package/skills/technical/seo-technical/SKILL.md +136 -136
- package/skills/technical/technical-writing/LICENSE +21 -21
- package/skills/technical/technical-writing/SKILL.md +149 -149
- package/skills/technical/ux-research-tools/LICENSE +21 -21
- package/skills/technical/ux-research-tools/SKILL.md +54 -54
- package/skills/theme-factory/LICENSE +21 -21
- package/skills/theme-factory/SKILL.md +65 -65
- package/skills/theme-factory/themes/arctic-frost.md +19 -19
- package/skills/theme-factory/themes/botanical-garden.md +19 -19
- package/skills/theme-factory/themes/desert-rose.md +19 -19
- package/skills/theme-factory/themes/forest-canopy.md +19 -19
- package/skills/theme-factory/themes/golden-hour.md +19 -19
- package/skills/theme-factory/themes/midnight-galaxy.md +19 -19
- package/skills/theme-factory/themes/modern-minimalist.md +19 -19
- package/skills/theme-factory/themes/ocean-depths.md +19 -19
- package/skills/theme-factory/themes/sunset-boulevard.md +19 -19
- package/skills/theme-factory/themes/tech-innovation.md +19 -19
- package/skills/things-mac/SKILL.md +90 -90
- package/skills/tmux/SKILL.md +95 -95
- package/skills/tmux/scripts/find-sessions.sh +112 -112
- package/skills/tmux/scripts/wait-for-text.sh +83 -83
- package/skills/trades/trades-agriculture/LICENSE +21 -21
- package/skills/trades/trades-agriculture/SKILL.md +80 -80
- package/skills/trades/trades-automotive/LICENSE +21 -21
- package/skills/trades/trades-automotive/SKILL.md +84 -84
- package/skills/trades/trades-carpentry/LICENSE +21 -21
- package/skills/trades/trades-carpentry/SKILL.md +71 -71
- package/skills/trades/trades-cooking-pro/LICENSE +21 -21
- package/skills/trades/trades-cooking-pro/SKILL.md +90 -90
- package/skills/trades/trades-electrical/LICENSE +21 -21
- package/skills/trades/trades-electrical/SKILL.md +146 -146
- package/skills/trades/trades-hvac/LICENSE +21 -21
- package/skills/trades/trades-hvac/SKILL.md +80 -80
- package/skills/trades/trades-landscaping/LICENSE +21 -21
- package/skills/trades/trades-landscaping/SKILL.md +60 -60
- package/skills/trades/trades-metalworking/LICENSE +21 -21
- package/skills/trades/trades-metalworking/SKILL.md +64 -64
- package/skills/trades/trades-painting/LICENSE +21 -21
- package/skills/trades/trades-painting/SKILL.md +70 -70
- package/skills/trades/trades-plumbing/LICENSE +21 -21
- package/skills/trades/trades-plumbing/SKILL.md +160 -160
- package/skills/trades/trades-welding/LICENSE +21 -21
- package/skills/trades/trades-welding/SKILL.md +82 -82
- package/skills/trello/SKILL.md +112 -112
- package/skills/uipm-ui-styling/LICENSE.txt +202 -0
- package/skills/uipm-ui-styling/SKILL.md +328 -0
- package/skills/uipm-ui-styling/canvas-fonts/ArsenalSC-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/ArsenalSC-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/BigShoulders-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/BigShoulders-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/BigShoulders-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Boldonse-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Boldonse-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/BricolageGrotesque-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/BricolageGrotesque-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/BricolageGrotesque-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/CrimsonPro-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/CrimsonPro-Italic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/CrimsonPro-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/CrimsonPro-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/DMMono-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/DMMono-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/EricaOne-OFL.txt +94 -0
- package/skills/uipm-ui-styling/canvas-fonts/EricaOne-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/GeistMono-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/GeistMono-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/GeistMono-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Gloock-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Gloock-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexMono-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexMono-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexMono-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexSerif-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexSerif-BoldItalic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexSerif-Italic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/IBMPlexSerif-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSans-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSans-BoldItalic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSans-Italic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSans-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSans-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSerif-Italic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/InstrumentSerif-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Italiana-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Italiana-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/JetBrainsMono-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/JetBrainsMono-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/JetBrainsMono-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Jura-Light.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Jura-Medium.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Jura-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/LibreBaskerville-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/LibreBaskerville-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Lora-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Lora-BoldItalic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Lora-Italic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Lora-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Lora-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/NationalPark-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/NationalPark-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/NationalPark-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/NothingYouCouldDo-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/NothingYouCouldDo-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Outfit-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Outfit-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Outfit-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/PixelifySans-Medium.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/PixelifySans-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/PoiretOne-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/PoiretOne-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/RedHatMono-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/RedHatMono-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/RedHatMono-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Silkscreen-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Silkscreen-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/SmoochSans-Medium.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/SmoochSans-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Tektur-Medium.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/Tektur-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/Tektur-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/WorkSans-Bold.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/WorkSans-BoldItalic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/WorkSans-Italic.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/WorkSans-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/WorkSans-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/canvas-fonts/YoungSerif-OFL.txt +93 -0
- package/skills/uipm-ui-styling/canvas-fonts/YoungSerif-Regular.ttf +0 -0
- package/skills/uipm-ui-styling/references/canvas-design-system.md +320 -0
- package/skills/uipm-ui-styling/references/shadcn-accessibility.md +471 -0
- package/skills/uipm-ui-styling/references/shadcn-components.md +424 -0
- package/skills/uipm-ui-styling/references/shadcn-theming.md +373 -0
- package/skills/uipm-ui-styling/references/tailwind-customization.md +483 -0
- package/skills/uipm-ui-styling/references/tailwind-responsive.md +382 -0
- package/skills/uipm-ui-styling/references/tailwind-utilities.md +455 -0
- package/skills/uipm-ui-styling/scripts/.coverage +0 -0
- package/skills/uipm-ui-styling/scripts/requirements.txt +17 -0
- package/skills/uipm-ui-styling/scripts/shadcn_add.py +292 -0
- package/skills/uipm-ui-styling/scripts/tailwind_config_gen.py +456 -0
- package/skills/uipm-ui-styling/scripts/tests/coverage-ui.json +1 -0
- package/skills/uipm-ui-styling/scripts/tests/requirements.txt +3 -0
- package/skills/uipm-ui-styling/scripts/tests/test_shadcn_add.py +266 -0
- package/skills/uipm-ui-styling/scripts/tests/test_tailwind_config_gen.py +336 -0
- package/skills/video-frames/SKILL.md +50 -50
- package/skills/video-frames/scripts/frame.sh +81 -81
- package/skills/voice-call/SKILL.md +49 -49
- package/skills/wacli/SKILL.md +76 -76
- package/skills/weather/SKILL.md +91 -91
- package/skills/web-artifacts-builder/LICENSE +21 -21
- package/skills/web-artifacts-builder/SKILL.md +82 -82
- package/skills/web-artifacts-builder/scripts/bundle-artifact.sh +53 -53
- package/skills/web-artifacts-builder/scripts/init-artifact.sh +322 -322
- package/skills/xurl/SKILL.md +124 -124
|
@@ -1,839 +1,839 @@
|
|
|
1
|
-
# Cybersecurity Intelligence Reference
|
|
2
|
-
|
|
3
|
-
# Covers: AppSec, NetSec, CloudSec, DevSecOps, Threat Intel, SIEM, Compliance, Fraud, Incident Response
|
|
4
|
-
|
|
5
|
-
## DEFENSE IN DEPTH MODEL
|
|
6
|
-
|
|
7
|
-
Never rely on a single control. Layer security at every level:
|
|
8
|
-
|
|
9
|
-
```
|
|
10
|
-
Layer 1 — Perimeter: WAF, DDoS protection, CDN edge rules, geo-blocking
|
|
11
|
-
Layer 2 — Network: Firewall rules, VPC isolation, private subnets, VPN, zero-trust network access
|
|
12
|
-
Layer 3 — Identity: MFA, SSO, PAM, least privilege, just-in-time access
|
|
13
|
-
Layer 4 — Application: Input validation, auth/authz, CSRF, rate limiting, API security
|
|
14
|
-
Layer 5 — Data: Encryption at rest + transit, tokenization, masking, key management
|
|
15
|
-
Layer 6 — Endpoint: EDR, patch management, container hardening, OS baselines
|
|
16
|
-
Layer 7 — Detection: SIEM, anomaly detection, threat intel feeds, behavioral analytics
|
|
17
|
-
Layer 8 — Response: IR playbooks, forensics capability, backup/restore tested weekly
|
|
18
|
-
|
|
19
|
-
Principle: Assume every layer will eventually be breached. Design so that one breach ≠ catastrophe.
|
|
20
|
-
```
|
|
21
|
-
|
|
22
|
-
---
|
|
23
|
-
|
|
24
|
-
## OWASP TOP 10 — WEB (2021) — Fix Every One
|
|
25
|
-
|
|
26
|
-
### A01: Broken Access Control (Most Common)
|
|
27
|
-
|
|
28
|
-
```
|
|
29
|
-
Attack: Access /api/users/456 as user 123. Horizontal privilege escalation.
|
|
30
|
-
Fix: Always verify ownership: WHERE id = $1 AND org_id = $current_org
|
|
31
|
-
Row-Level Security in PostgreSQL enforces this at DB level.
|
|
32
|
-
Never trust user-supplied IDs without authorization check.
|
|
33
|
-
Test: Authenticated as User A, attempt all User B's resource endpoints.
|
|
34
|
-
|
|
35
|
-
Code fix:
|
|
36
|
-
// BAD:
|
|
37
|
-
const tx = await db.transaction.findUnique({ where: { id: req.params.id }})
|
|
38
|
-
|
|
39
|
-
// GOOD:
|
|
40
|
-
const tx = await db.transaction.findUnique({
|
|
41
|
-
where: { id: req.params.id, userId: req.user.id } // scope to authenticated user
|
|
42
|
-
})
|
|
43
|
-
if (!tx) throw new NotFoundError() // same error whether missing or unauthorized
|
|
44
|
-
```
|
|
45
|
-
|
|
46
|
-
### A02: Cryptographic Failures
|
|
47
|
-
|
|
48
|
-
```
|
|
49
|
-
Attack: Sensitive data in plaintext DB, MD5 passwords, HTTP traffic, weak keys.
|
|
50
|
-
Fix: TLS 1.3 everywhere. AES-256-GCM for data at rest.
|
|
51
|
-
Passwords: argon2id (winner of PHC). Never MD5/SHA1/bcrypt(cost<12).
|
|
52
|
-
PII fields: encrypt at application layer (not just disk encryption).
|
|
53
|
-
No secrets in logs. No PAN/SSN in URLs.
|
|
54
|
-
|
|
55
|
-
Password hashing:
|
|
56
|
-
import argon2 from 'argon2'
|
|
57
|
-
const hash = await argon2.hash(password, {
|
|
58
|
-
type: argon2.argon2id,
|
|
59
|
-
memoryCost: 65536, // 64MB
|
|
60
|
-
timeCost: 3, // 3 iterations
|
|
61
|
-
parallelism: 4 // 4 threads
|
|
62
|
-
})
|
|
63
|
-
```
|
|
64
|
-
|
|
65
|
-
### A03: Injection (SQL, NoSQL, LDAP, Command)
|
|
66
|
-
|
|
67
|
-
```
|
|
68
|
-
Attack: User inputs: ' OR '1'='1 → dumps entire table.
|
|
69
|
-
Fix: Parameterized queries. ALWAYS. No string concatenation in queries.
|
|
70
|
-
ORM query builders (Prisma, SQLAlchemy) are safe by default.
|
|
71
|
-
Command injection: never exec() user input. Use allowlists.
|
|
72
|
-
|
|
73
|
-
// NEVER:
|
|
74
|
-
db.query(`SELECT * FROM users WHERE email = '${email}'`)
|
|
75
|
-
|
|
76
|
-
// ALWAYS:
|
|
77
|
-
db.query('SELECT * FROM users WHERE email = $1', [email])
|
|
78
|
-
```
|
|
79
|
-
|
|
80
|
-
### A04: Insecure Design
|
|
81
|
-
|
|
82
|
-
```
|
|
83
|
-
Attack: Business logic flaws — buy item for $0, skip payment step, replay coupons.
|
|
84
|
-
Fix: Threat model every feature before coding.
|
|
85
|
-
State machine validation — enforce valid state transitions server-side.
|
|
86
|
-
Rate limit sensitive operations (password reset: 3/hour, not 1000/hour).
|
|
87
|
-
Never trust client-side price/discount calculation.
|
|
88
|
-
```
|
|
89
|
-
|
|
90
|
-
### A05: Security Misconfiguration
|
|
91
|
-
|
|
92
|
-
```
|
|
93
|
-
Common: Default credentials, directory listing, verbose error messages in prod,
|
|
94
|
-
open S3 buckets, unrestricted CORS, unused ports open, debug mode on.
|
|
95
|
-
Fix: Infrastructure as Code — configuration is reviewed, version-controlled.
|
|
96
|
-
CSPM tool (Wiz, Prisma Cloud, or free: CloudSploit) scans continuously.
|
|
97
|
-
Env diff check: prod config audited against security baseline weekly.
|
|
98
|
-
Error responses: generic in prod, never stack traces to client.
|
|
99
|
-
```
|
|
100
|
-
|
|
101
|
-
### A06: Vulnerable and Outdated Components
|
|
102
|
-
|
|
103
|
-
```
|
|
104
|
-
Fix: Renovate Bot or Dependabot — auto-PRs for dependency updates weekly.
|
|
105
|
-
Snyk or OWASP Dependency-Check in CI — block on critical CVEs.
|
|
106
|
-
Container base image scanning — Trivy on every Docker build.
|
|
107
|
-
SBOM (Software Bill of Materials) generated on every release.
|
|
108
|
-
Never use packages with 0 maintenance activity in past 12 months.
|
|
109
|
-
Pin exact versions in lockfiles (package-lock.json, requirements.txt).
|
|
110
|
-
```
|
|
111
|
-
|
|
112
|
-
### A07: Identification and Authentication Failures
|
|
113
|
-
|
|
114
|
-
```
|
|
115
|
-
Attack: Credential stuffing, brute force, session fixation, weak tokens.
|
|
116
|
-
Fix: MFA mandatory for admin, recommended for all users.
|
|
117
|
-
Account lockout: 5 failed attempts → 15min lockout + alert.
|
|
118
|
-
Secure session: HttpOnly, Secure, SameSite=Strict cookies.
|
|
119
|
-
Token storage: never localStorage (XSS), always HttpOnly cookies.
|
|
120
|
-
Password policy: min 12 chars, check against HaveIBeenPwned API.
|
|
121
|
-
JWT: RS256 (not HS256), short TTL (15min), rotate signing keys quarterly.
|
|
122
|
-
```
|
|
123
|
-
|
|
124
|
-
### A08: Software and Data Integrity Failures
|
|
125
|
-
|
|
126
|
-
```
|
|
127
|
-
Attack: Tampered auto-updates, unsigned packages, CI/CD pipeline compromise.
|
|
128
|
-
Fix: Verify checksums/signatures on all downloaded artifacts.
|
|
129
|
-
Sigstore/Cosign for container image signing.
|
|
130
|
-
SLSA framework for supply chain levels (target SLSA Level 3).
|
|
131
|
-
CI/CD: separate credentials per environment, audit pipeline configs.
|
|
132
|
-
npm: use --ignore-scripts flag, audit before install.
|
|
133
|
-
```
|
|
134
|
-
|
|
135
|
-
### A09: Security Logging and Monitoring Failures
|
|
136
|
-
|
|
137
|
-
```
|
|
138
|
-
Fix: Log: every auth event, admin action, failed access, data mutation.
|
|
139
|
-
Include: timestamp (UTC), user_id, org_id, IP, action, resource, result.
|
|
140
|
-
Never log: passwords, tokens, PAN, SSN, CVV, full credit card.
|
|
141
|
-
Alert within 15 minutes on: impossible travel, mass data export,
|
|
142
|
-
admin privilege escalation, >10 auth failures.
|
|
143
|
-
Log retention: 90 days hot, 1 year cold (PCI DSS requires 1 year).
|
|
144
|
-
SIEM: ingest all logs, alert on patterns, not just individual events.
|
|
145
|
-
```
|
|
146
|
-
|
|
147
|
-
### A10: Server-Side Request Forgery (SSRF)
|
|
148
|
-
|
|
149
|
-
```
|
|
150
|
-
Attack: User supplies URL → server fetches it → attacker reads internal metadata API.
|
|
151
|
-
AWS: http://169.254.169.254/latest/meta-data/iam/security-credentials/
|
|
152
|
-
Fix: Allowlist permitted URL destinations — never arbitrary user-supplied URLs.
|
|
153
|
-
Block RFC 1918 addresses (10.x, 172.16.x, 192.168.x) and 169.254.x.
|
|
154
|
-
Use DNS resolution + IP check BEFORE fetching.
|
|
155
|
-
Disable HTTP redirects or validate redirect target against allowlist.
|
|
156
|
-
```
|
|
157
|
-
|
|
158
|
-
---
|
|
159
|
-
|
|
160
|
-
## OWASP API SECURITY TOP 10 (2023)
|
|
161
|
-
|
|
162
|
-
```
|
|
163
|
-
API1: Broken Object Level Authorization → Scope every query to authenticated user/org
|
|
164
|
-
API2: Broken Authentication → Short-lived tokens, rotate refresh tokens
|
|
165
|
-
API3: Broken Object Property Auth → Allowlist response fields, never return full DB row
|
|
166
|
-
API4: Unrestricted Resource Consumption → Rate limit, payload size limits, pagination required
|
|
167
|
-
API5: Broken Function Level Auth → Admin endpoints on separate auth check, not just UI hide
|
|
168
|
-
API6: Unrestricted Access to Sensitive Business Flows → Bot detection, device fingerprinting
|
|
169
|
-
API7: Server-Side Request Forgery → Same as web SSRF above
|
|
170
|
-
API8: Security Misconfiguration → No CORS *, no debug headers, no default paths
|
|
171
|
-
API9: Improper Inventory Management → API versioning, decommission old versions with traffic
|
|
172
|
-
API10: Unsafe Consumption of APIs → Validate all third-party API responses before use
|
|
173
|
-
```
|
|
174
|
-
|
|
175
|
-
---
|
|
176
|
-
|
|
177
|
-
## THREAT MODELING
|
|
178
|
-
|
|
179
|
-
### STRIDE Framework (Apply to Every Feature)
|
|
180
|
-
|
|
181
|
-
```
|
|
182
|
-
S — Spoofing: Can an attacker impersonate a legitimate user or service?
|
|
183
|
-
Mitigate: Strong auth, mutual TLS, digital signatures
|
|
184
|
-
|
|
185
|
-
T — Tampering: Can data be modified in transit or at rest without detection?
|
|
186
|
-
Mitigate: Integrity checks, signed tokens, audit logs, TLS
|
|
187
|
-
|
|
188
|
-
R — Repudiation: Can someone deny performing an action?
|
|
189
|
-
Mitigate: Immutable audit logs, signed requests, non-repudiation tokens
|
|
190
|
-
|
|
191
|
-
I — Information Disclosure: Can sensitive data be exposed to unauthorized parties?
|
|
192
|
-
Mitigate: Least privilege, encryption, data classification, masking
|
|
193
|
-
|
|
194
|
-
D — Denial of Service: Can an attacker disrupt availability?
|
|
195
|
-
Mitigate: Rate limiting, auto-scaling, circuit breakers, DDoS protection
|
|
196
|
-
|
|
197
|
-
E — Elevation of Privilege: Can a user gain more access than they should have?
|
|
198
|
-
Mitigate: RBAC, least privilege, privilege validation server-side
|
|
199
|
-
```
|
|
200
|
-
|
|
201
|
-
### Threat Modeling Process (Per Feature)
|
|
202
|
-
|
|
203
|
-
```
|
|
204
|
-
Step 1: DECOMPOSE — Draw data flow diagram. Identify trust boundaries, entry points, data stores.
|
|
205
|
-
Step 2: THREATS — For each component, apply STRIDE. List all plausible attacks.
|
|
206
|
-
Step 3: RANK — Severity × Likelihood = Risk score (DREAD or CVSS)
|
|
207
|
-
Step 4: MITIGATE — For each threat: mitigate, transfer, accept, or avoid.
|
|
208
|
-
Step 5: VALIDATE — Write security test for each mitigated threat.
|
|
209
|
-
Step 6: REPEAT — Re-threat-model when architecture changes.
|
|
210
|
-
|
|
211
|
-
Time required: 2-4 hours per major feature. Non-negotiable for financial features.
|
|
212
|
-
```
|
|
213
|
-
|
|
214
|
-
---
|
|
215
|
-
|
|
216
|
-
## APPLICATION SECURITY (APPSEC) PIPELINE
|
|
217
|
-
|
|
218
|
-
### DevSecOps — Shift Left
|
|
219
|
-
|
|
220
|
-
```
|
|
221
|
-
Pre-commit: git-secrets / detect-secrets / Gitleaks — block secret commits
|
|
222
|
-
IDE plugins: Snyk IntelliJ, SonarLint VSCode (real-time SAST)
|
|
223
|
-
|
|
224
|
-
PR / CI: SAST — Static analysis (Semgrep, SonarQube, CodeQL)
|
|
225
|
-
SCA — Dependency check (Snyk, OWASP DC, npm audit)
|
|
226
|
-
Secrets scan — Gitleaks, TruffleHog
|
|
227
|
-
IaC scan — Checkov, tfsec (Terraform misconfigs)
|
|
228
|
-
Container scan — Trivy (image CVEs)
|
|
229
|
-
|
|
230
|
-
Pre-deploy: DAST — Dynamic scan against staging (OWASP ZAP, Burp Suite)
|
|
231
|
-
API fuzzing — Schemathesis, restler-fuzzer
|
|
232
|
-
|
|
233
|
-
Production: RASP — Runtime application self-protection (contrast, sqreen)
|
|
234
|
-
WAF — Cloudflare WAF / AWS WAF / Cloud Armor (rules updated weekly)
|
|
235
|
-
Dependency monitor — Snyk monitor / Dependabot alerts
|
|
236
|
-
```
|
|
237
|
-
|
|
238
|
-
### SAST Tool Selection
|
|
239
|
-
|
|
240
|
-
```
|
|
241
|
-
Semgrep: Fast, open source, custom rules, CI-native. Best first choice.
|
|
242
|
-
SonarQube: Comprehensive, CI integration, tracks debt over time. Self-hosted or cloud.
|
|
243
|
-
CodeQL: GitHub-native, deep semantic analysis, best for complex vulnerability patterns.
|
|
244
|
-
Checkmarx: Enterprise, expensive, deep analysis.
|
|
245
|
-
Veracode: Enterprise SaaS, compliance-oriented.
|
|
246
|
-
|
|
247
|
-
Run Semgrep + SonarQube minimum. CodeQL for GitHub repos (free for public).
|
|
248
|
-
```
|
|
249
|
-
|
|
250
|
-
### Penetration Testing Methodology
|
|
251
|
-
|
|
252
|
-
```
|
|
253
|
-
Phase 1 — Reconnaissance:
|
|
254
|
-
Passive: Shodan, Censys, Google dorks, LinkedIn (OSINT)
|
|
255
|
-
Active: nmap port scan, service fingerprinting, SSL/TLS scan (testssl.sh)
|
|
256
|
-
|
|
257
|
-
Phase 2 — Enumeration:
|
|
258
|
-
Web: Dirb/ffuf (directory brute-force), nikto (web scanner)
|
|
259
|
-
API: Postman collection analysis, OpenAPI spec review, parameter fuzzing
|
|
260
|
-
Auth: JWT inspection, session token analysis, OAuth flow review
|
|
261
|
-
|
|
262
|
-
Phase 3 — Exploitation:
|
|
263
|
-
Automated: OWASP ZAP active scan, SQLmap (SQL injection), Nuclei templates
|
|
264
|
-
Manual: Business logic testing, auth bypass, IDOR, race conditions
|
|
265
|
-
|
|
266
|
-
Phase 4 — Post-Exploitation:
|
|
267
|
-
Lateral movement (if scoped), privilege escalation, persistence mechanisms
|
|
268
|
-
|
|
269
|
-
Phase 5 — Reporting:
|
|
270
|
-
CVSS scores for each finding, reproduction steps, remediation guidance, risk rating
|
|
271
|
-
|
|
272
|
-
Cadence: Annual third-party pentest + quarterly internal. Before major releases.
|
|
273
|
-
Tools: Burp Suite Pro, OWASP ZAP, Metasploit, Nmap, Nikto, SQLmap, Nuclei, Amass
|
|
274
|
-
```
|
|
275
|
-
|
|
276
|
-
---
|
|
277
|
-
|
|
278
|
-
## ZERO TRUST ARCHITECTURE
|
|
279
|
-
|
|
280
|
-
```
|
|
281
|
-
Core Principles:
|
|
282
|
-
1. Never trust, always verify — network location grants zero trust
|
|
283
|
-
2. Least privilege access — time-limited, just enough, just-in-time
|
|
284
|
-
3. Assume breach — segment everything, monitor everything, limit blast radius
|
|
285
|
-
4. Verify explicitly — authenticate and authorize every request, every time
|
|
286
|
-
|
|
287
|
-
Implementation:
|
|
288
|
-
Identity: Every user + device verified before access (MFA + device health check)
|
|
289
|
-
Device: Managed devices only for admin access. MDM enrolled.
|
|
290
|
-
Network: Micro-segmentation. Services can't talk unless explicitly allowed.
|
|
291
|
-
Replace VPN with identity-aware proxy (Google BeyondCorp, Cloudflare Access)
|
|
292
|
-
Application: Each app verifies identity independently. No "trusted" internal networks.
|
|
293
|
-
Data: Classify data. Apply policy per classification. Encrypt in use.
|
|
294
|
-
|
|
295
|
-
GCP Implementation:
|
|
296
|
-
Identity-Aware Proxy (IAP) → protects internal apps without VPN
|
|
297
|
-
VPC Service Controls → data perimeter, prevents data exfil from GCP services
|
|
298
|
-
Organization Policy → org-wide guardrails (no public IPs, require CMEK, etc.)
|
|
299
|
-
Access Context Manager → attribute-based access (IP, device, user)
|
|
300
|
-
```
|
|
301
|
-
|
|
302
|
-
---
|
|
303
|
-
|
|
304
|
-
## CLOUD SECURITY (CSPM + CWPP)
|
|
305
|
-
|
|
306
|
-
### Cloud Security Posture Management (CSPM)
|
|
307
|
-
|
|
308
|
-
```
|
|
309
|
-
What it does: Continuously scans cloud config for misconfigurations and compliance violations
|
|
310
|
-
Tools:
|
|
311
|
-
Wiz: Best coverage, agentless, fast. $15K+/yr
|
|
312
|
-
Prisma Cloud: Palo Alto, comprehensive, expensive
|
|
313
|
-
Lacework: Behavioral analysis + CSPM combo
|
|
314
|
-
CloudSploit: Open source, GCP/AWS/Azure. Free.
|
|
315
|
-
ScoutSuite: Open source audit tool. Run quarterly.
|
|
316
|
-
|
|
317
|
-
Must-catch misconfigs:
|
|
318
|
-
□ Public S3/GCS buckets
|
|
319
|
-
□ Unrestricted security group rules (0.0.0.0/0 inbound)
|
|
320
|
-
□ Unencrypted database instances
|
|
321
|
-
□ MFA not enabled on root/admin accounts
|
|
322
|
-
□ Logging disabled (CloudTrail/Cloud Audit Logs)
|
|
323
|
-
□ Old IAM access keys (>90 days)
|
|
324
|
-
□ Public SSH/RDP ports exposed (22, 3389)
|
|
325
|
-
□ Default VPC in use for production
|
|
326
|
-
```
|
|
327
|
-
|
|
328
|
-
### Container & Kubernetes Security
|
|
329
|
-
|
|
330
|
-
```
|
|
331
|
-
Image security:
|
|
332
|
-
□ Base image: use distroless or alpine (minimal attack surface)
|
|
333
|
-
□ Never run as root (USER nobody in Dockerfile)
|
|
334
|
-
□ No secrets in image layers (check with Trivy --secret)
|
|
335
|
-
□ Sign images with Cosign (Sigstore)
|
|
336
|
-
□ Image pull policy: Always (never cached stale images in prod)
|
|
337
|
-
|
|
338
|
-
Kubernetes:
|
|
339
|
-
□ RBAC: no cluster-admin for workloads. Namespace-scoped roles only.
|
|
340
|
-
□ Network Policies: default deny all, explicit allow per service pair
|
|
341
|
-
□ Pod Security Standards: Restricted profile in production
|
|
342
|
-
□ Secrets: use External Secrets Operator (GCP Secret Manager → K8s Secret)
|
|
343
|
-
□ No privileged containers. No hostPID/hostNetwork.
|
|
344
|
-
□ Resource limits on every container (prevents noisy neighbor + DoS)
|
|
345
|
-
□ Admission controllers: OPA/Gatekeeper or Kyverno policy engine
|
|
346
|
-
□ Runtime: Falco (detects anomalous container behavior in real-time)
|
|
347
|
-
|
|
348
|
-
Runtime security:
|
|
349
|
-
Falco rules to alert on:
|
|
350
|
-
- Shell spawned in container (exec into running container)
|
|
351
|
-
- Unexpected outbound connections from container
|
|
352
|
-
- Sensitive file read (/etc/shadow, /proc/*/mem)
|
|
353
|
-
- Privilege escalation attempts
|
|
354
|
-
```
|
|
355
|
-
|
|
356
|
-
### GCP Security Hardening Checklist
|
|
357
|
-
|
|
358
|
-
```
|
|
359
|
-
Organization level:
|
|
360
|
-
□ Organization Policy: Restrict public IPs on Cloud SQL
|
|
361
|
-
□ Organization Policy: Require OS Login for Compute Engine
|
|
362
|
-
□ Organization Policy: Restrict allowed APIs per project
|
|
363
|
-
□ Cloud Audit Logs: DATA_READ + DATA_WRITE + ADMIN_WRITE on all services
|
|
364
|
-
□ SCC (Security Command Center) Premium enabled
|
|
365
|
-
|
|
366
|
-
Project level:
|
|
367
|
-
□ Default service accounts not used (create custom, least privilege)
|
|
368
|
-
□ Service account keys: rotate quarterly or use Workload Identity instead
|
|
369
|
-
□ Cloud SQL: private IP only, no public IP, SSL required
|
|
370
|
-
□ GCS: uniform bucket-level access, no legacy ACLs
|
|
371
|
-
□ Cloud Run: no unauthenticated invocations (except public endpoints)
|
|
372
|
-
□ Secret Manager: audit access log enabled, rotation schedule set
|
|
373
|
-
□ VPC: Private Google Access enabled, no default firewall rules
|
|
374
|
-
```
|
|
375
|
-
|
|
376
|
-
---
|
|
377
|
-
|
|
378
|
-
## SECURITY MONITORING & SIEM
|
|
379
|
-
|
|
380
|
-
### What to Log (Mandatory)
|
|
381
|
-
|
|
382
|
-
```
|
|
383
|
-
Authentication events:
|
|
384
|
-
login_success, login_failure, logout, mfa_challenge, mfa_success, mfa_failure,
|
|
385
|
-
password_reset_requested, password_changed, token_refreshed, token_revoked,
|
|
386
|
-
session_expired, account_locked, account_unlocked
|
|
387
|
-
|
|
388
|
-
Authorization events:
|
|
389
|
-
access_denied, privilege_escalation_attempt, role_assigned, role_revoked,
|
|
390
|
-
admin_action (any), api_key_created, api_key_deleted
|
|
391
|
-
|
|
392
|
-
Data events:
|
|
393
|
-
record_created, record_updated, record_deleted (with before/after for sensitive fields),
|
|
394
|
-
bulk_export, bulk_delete, pii_accessed (who accessed whose data)
|
|
395
|
-
|
|
396
|
-
Infrastructure events:
|
|
397
|
-
deploy_started, deploy_completed, deploy_failed, config_changed,
|
|
398
|
-
secret_accessed (who, when, which secret), IAM_policy_changed
|
|
399
|
-
|
|
400
|
-
Format (every log line must have all fields):
|
|
401
|
-
{
|
|
402
|
-
"timestamp": "2024-01-15T10:30:00.000Z", // UTC always
|
|
403
|
-
"trace_id": "abc-123", // correlate across services
|
|
404
|
-
"user_id": "usr_xyz", // who did it
|
|
405
|
-
"org_id": "org_abc", // tenant context
|
|
406
|
-
"ip": "1.2.3.4", // source IP
|
|
407
|
-
"user_agent": "...", // client context
|
|
408
|
-
"action": "transaction.created", // what happened
|
|
409
|
-
"resource_id": "tx_123", // on what
|
|
410
|
-
"result": "success", // success/failure/denied
|
|
411
|
-
"duration_ms": 45 // performance context
|
|
412
|
-
}
|
|
413
|
-
```
|
|
414
|
-
|
|
415
|
-
### SIEM Architecture
|
|
416
|
-
|
|
417
|
-
```
|
|
418
|
-
Sources: App logs, Cloud Audit Logs, WAF logs, VPC Flow Logs, DNS logs
|
|
419
|
-
Ingestion: Pub/Sub (GCP) or Kafka → log pipeline
|
|
420
|
-
Normalization: Parse into common schema (CEF or ECS — Elastic Common Schema)
|
|
421
|
-
Storage: BigQuery (GCP) or Elasticsearch — index for fast search
|
|
422
|
-
Correlation: Detection rules — alert on patterns, not single events
|
|
423
|
-
Alerting: PagerDuty / OpsGenie → on-call rotation
|
|
424
|
-
Response: SOAR (Security Orchestration) — auto-remediate known patterns
|
|
425
|
-
|
|
426
|
-
Tools:
|
|
427
|
-
Managed: Google Chronicle, Microsoft Sentinel, Splunk, Sumo Logic
|
|
428
|
-
Open source: ELK Stack (Elasticsearch + Logstash + Kibana) + Sigma rules
|
|
429
|
-
Lightweight: Grafana + Loki + alert rules (good for small teams, low cost)
|
|
430
|
-
GCP-native: Chronicle SIEM (Google's) — best GCP log integration
|
|
431
|
-
```
|
|
432
|
-
|
|
433
|
-
### Detection Rules (Critical Alerts — PagerDuty Immediately)
|
|
434
|
-
|
|
435
|
-
```
|
|
436
|
-
Brute force: >10 auth failures from same IP in 5 minutes
|
|
437
|
-
Credential stuffing: >5 failed logins across different accounts from same IP
|
|
438
|
-
Impossible travel: Login from country A, then country B within 2 hours
|
|
439
|
-
Mass data export: Single user exports >1000 records in 10 minutes
|
|
440
|
-
Privilege escalation: Role change granting admin-level access
|
|
441
|
-
New admin account: Any new user assigned admin/owner role
|
|
442
|
-
Off-hours admin: Admin action between 10PM-6AM (tune per org)
|
|
443
|
-
API key abuse: Single API key >10,000 requests in 1 hour
|
|
444
|
-
Secret access: Service accessing secrets it has never accessed before
|
|
445
|
-
Public resource: Cloud storage bucket or DB made publicly accessible
|
|
446
|
-
New external IP: Cloud Run service starts communicating with unknown external IP
|
|
447
|
-
```
|
|
448
|
-
|
|
449
|
-
### Threat Intelligence Integration
|
|
450
|
-
|
|
451
|
-
```
|
|
452
|
-
Feeds to consume:
|
|
453
|
-
MITRE ATT&CK: Adversary tactics, techniques, procedures (TTPs) — map detections to ATT&CK
|
|
454
|
-
CISA KEV: Known Exploited Vulnerabilities — patch these IMMEDIATELY (cisa.gov/kev)
|
|
455
|
-
NVD CVE: National Vulnerability Database — monitor for new critical CVEs
|
|
456
|
-
AlienVault OTX: Open threat intelligence — IP/domain/hash reputation
|
|
457
|
-
Shodan: Monitor your own external attack surface
|
|
458
|
-
PhishTank: Phishing URL feeds
|
|
459
|
-
|
|
460
|
-
Integration pattern:
|
|
461
|
-
Enrich every inbound IP in logs against threat intel feed (check reputation score)
|
|
462
|
-
Block known-bad IPs at WAF level automatically
|
|
463
|
-
Alert when traffic matches known malicious patterns (IoCs)
|
|
464
|
-
|
|
465
|
-
Tools: MISP (open source threat intel platform), OpenCTI, ThreatConnect
|
|
466
|
-
```
|
|
467
|
-
|
|
468
|
-
---
|
|
469
|
-
|
|
470
|
-
## CRYPTOGRAPHY STANDARDS
|
|
471
|
-
|
|
472
|
-
### What to Use (2024)
|
|
473
|
-
|
|
474
|
-
```
|
|
475
|
-
Symmetric encryption: AES-256-GCM (authenticated encryption — integrity + confidentiality)
|
|
476
|
-
ChaCha20-Poly1305 (faster on mobile/embedded, same security)
|
|
477
|
-
Never: DES, 3DES, AES-ECB, RC4
|
|
478
|
-
|
|
479
|
-
Asymmetric: RSA-4096 (key exchange/signing) — prefer Ed25519 for new systems
|
|
480
|
-
Ed25519 / ECDSA P-256 (digital signatures — faster, smaller keys)
|
|
481
|
-
ECDH P-256 (key agreement)
|
|
482
|
-
Never: RSA < 2048, DSA, MD5/SHA1 for signing
|
|
483
|
-
|
|
484
|
-
Hashing: SHA-256 / SHA-3 for data integrity
|
|
485
|
-
BLAKE3 for performance-critical hashing
|
|
486
|
-
argon2id for password storage (never SHA/MD5 for passwords)
|
|
487
|
-
Never: MD5, SHA1 for security purposes
|
|
488
|
-
|
|
489
|
-
TLS: TLS 1.3 required. TLS 1.2 acceptable with restricted ciphers.
|
|
490
|
-
Never: SSL, TLS 1.0, TLS 1.1
|
|
491
|
-
Cipher suites: ECDHE + AES-128-GCM, ECDHE + AES-256-GCM, ECDHE + ChaCha20
|
|
492
|
-
|
|
493
|
-
Key management: GCP Cloud KMS or AWS KMS or HashiCorp Vault
|
|
494
|
-
Rotate encryption keys annually
|
|
495
|
-
Key hierarchy: Master Key → Data Encryption Keys → Data
|
|
496
|
-
FIPS 140-2 Level 3 HSM for financial/regulated workloads
|
|
497
|
-
|
|
498
|
-
JWT signing: RS256 (RSA) or ES256 (ECDSA) — never HS256 in multi-service arch
|
|
499
|
-
Key rotation: quarterly, with overlap period
|
|
500
|
-
```
|
|
501
|
-
|
|
502
|
-
### Envelope Encryption Pattern
|
|
503
|
-
|
|
504
|
-
```python
|
|
505
|
-
# Google Cloud KMS envelope encryption
|
|
506
|
-
from google.cloud import kms
|
|
507
|
-
|
|
508
|
-
def encrypt_sensitive_field(plaintext: str, key_name: str) -> dict:
|
|
509
|
-
# 1. Generate a data encryption key (DEK) locally
|
|
510
|
-
import os
|
|
511
|
-
dek = os.urandom(32) # 256-bit AES key
|
|
512
|
-
|
|
513
|
-
# 2. Encrypt your data with the DEK
|
|
514
|
-
ciphertext = aes_gcm_encrypt(plaintext.encode(), dek)
|
|
515
|
-
|
|
516
|
-
# 3. Wrap (encrypt) the DEK with Cloud KMS master key
|
|
517
|
-
kms_client = kms.KeyManagementServiceClient()
|
|
518
|
-
wrapped_dek = kms_client.encrypt(name=key_name, plaintext=dek).ciphertext
|
|
519
|
-
|
|
520
|
-
# 4. Store: ciphertext + wrapped DEK (KMS key never leaves KMS)
|
|
521
|
-
return {"ciphertext": ciphertext.hex(), "wrapped_dek": wrapped_dek.hex()}
|
|
522
|
-
# Decrypt: unwrap DEK via KMS → decrypt ciphertext with DEK
|
|
523
|
-
```
|
|
524
|
-
|
|
525
|
-
---
|
|
526
|
-
|
|
527
|
-
## IDENTITY & ACCESS MANAGEMENT
|
|
528
|
-
|
|
529
|
-
### Privileged Access Management (PAM)
|
|
530
|
-
|
|
531
|
-
```
|
|
532
|
-
Just-In-Time (JIT) access:
|
|
533
|
-
Engineers request elevated access for specific task + timeframe
|
|
534
|
-
Auto-approved for standard ops, human approval for sensitive data access
|
|
535
|
-
Access expires automatically (1-8 hours, not permanent)
|
|
536
|
-
All actions logged with business justification
|
|
537
|
-
Tools: CyberArk, BeyondTrust, HashiCorp Boundary, GCP PAM (preview)
|
|
538
|
-
|
|
539
|
-
Service-to-service auth:
|
|
540
|
-
GCP: Workload Identity Federation (no service account keys)
|
|
541
|
-
AWS: IAM Roles for Service Accounts (IRSA)
|
|
542
|
-
On-prem: SPIFFE/SPIRE for workload identity
|
|
543
|
-
Never: long-lived service account keys stored in config
|
|
544
|
-
|
|
545
|
-
MFA Requirements (enforce in code, not just policy):
|
|
546
|
-
Admin access: FIDO2/Passkeys or hardware token (YubiKey) — TOTP not sufficient
|
|
547
|
-
Standard users: TOTP app minimum (Google Authenticator, Authy)
|
|
548
|
-
API access: API keys + IP allowlist + request signing
|
|
549
|
-
Never: SMS-based MFA for high-value accounts (SIM swap vulnerable)
|
|
550
|
-
```
|
|
551
|
-
|
|
552
|
-
### IAM Audit (Run Monthly)
|
|
553
|
-
|
|
554
|
-
```
|
|
555
|
-
Find over-privileged roles:
|
|
556
|
-
GCP: gcloud projects get-iam-policy PROJECT --format=json | analyze
|
|
557
|
-
AWS: IAM Access Analyzer + unused access findings
|
|
558
|
-
|
|
559
|
-
Check for:
|
|
560
|
-
□ Roles with * on resources (over-broad)
|
|
561
|
-
□ Service accounts with owner/editor (should be specific roles)
|
|
562
|
-
□ IAM access keys older than 90 days
|
|
563
|
-
□ Unused service accounts (no API activity >30 days → delete)
|
|
564
|
-
□ Users with direct permissions (should be via groups/roles)
|
|
565
|
-
□ Cross-account trust relationships (any unexpected?)
|
|
566
|
-
```
|
|
567
|
-
|
|
568
|
-
---
|
|
569
|
-
|
|
570
|
-
## INCIDENT RESPONSE
|
|
571
|
-
|
|
572
|
-
### Severity Classification
|
|
573
|
-
|
|
574
|
-
```
|
|
575
|
-
P0 — Critical: Active breach, data exfil in progress, ransomware, service down
|
|
576
|
-
Response: 5min. War room immediately. CEO + Legal notified.
|
|
577
|
-
|
|
578
|
-
P1 — High: Suspected breach, critical vuln exploited, auth system compromised
|
|
579
|
-
Response: 15min. Security lead + engineering lead.
|
|
580
|
-
|
|
581
|
-
P2 — Medium: Anomalous behavior, failed exploitation attempt, compliance gap found
|
|
582
|
-
Response: 1 hour. Security team + affected service owner.
|
|
583
|
-
|
|
584
|
-
P3 — Low: Policy violation, low-severity CVE, config drift
|
|
585
|
-
Response: Next business day. Assigned owner.
|
|
586
|
-
```
|
|
587
|
-
|
|
588
|
-
### NIST Incident Response Framework
|
|
589
|
-
|
|
590
|
-
```
|
|
591
|
-
1. PREPARE:
|
|
592
|
-
□ IR plan documented + tested quarterly
|
|
593
|
-
□ Contact list: security team, legal, PR, executives, regulators
|
|
594
|
-
□ Forensic tools pre-installed (not scrambling to install during incident)
|
|
595
|
-
□ Evidence preservation procedures known to all engineers
|
|
596
|
-
□ Cyber insurance policy in place
|
|
597
|
-
|
|
598
|
-
2. IDENTIFY:
|
|
599
|
-
□ What happened? When did it start? (look for earliest indicator)
|
|
600
|
-
□ What systems are affected? (blast radius assessment)
|
|
601
|
-
□ Is it still ongoing? (contain before investigating)
|
|
602
|
-
□ Log preservation: export logs to isolated read-only bucket immediately
|
|
603
|
-
|
|
604
|
-
3. CONTAIN:
|
|
605
|
-
Short-term: Block attacker (IP ban, revoke credentials, isolate instance)
|
|
606
|
-
Long-term: Patch, fix configuration, rebuild if necessary
|
|
607
|
-
Do NOT shut everything down immediately — preserve evidence first
|
|
608
|
-
|
|
609
|
-
4. ERADICATE:
|
|
610
|
-
Remove all attacker persistence (backdoors, new user accounts, cron jobs)
|
|
611
|
-
Scan ALL systems — attackers often pivot from initial compromise
|
|
612
|
-
Reset all credentials that may have been exposed
|
|
613
|
-
Rotate all secrets (assume all secrets compromised)
|
|
614
|
-
|
|
615
|
-
5. RECOVER:
|
|
616
|
-
Restore from clean backups (verify backups are clean — attackers may have been in months)
|
|
617
|
-
Deploy patched/clean systems
|
|
618
|
-
Monitor intensively for 30 days post-recovery
|
|
619
|
-
Gradual return to service — don't rush
|
|
620
|
-
|
|
621
|
-
6. LESSONS LEARNED:
|
|
622
|
-
Blameless post-mortem within 72 hours
|
|
623
|
-
Root cause analysis (5 Whys)
|
|
624
|
-
Detection gap: why didn't we catch this sooner?
|
|
625
|
-
Prevention: specific fixes with owners and deadlines
|
|
626
|
-
Update runbooks + detection rules
|
|
627
|
-
```
|
|
628
|
-
|
|
629
|
-
### Breach Notification Requirements
|
|
630
|
-
|
|
631
|
-
```
|
|
632
|
-
GDPR: 72 hours to supervisory authority if personal data affected
|
|
633
|
-
CCPA: Reasonable notice to affected California residents
|
|
634
|
-
PCI DSS: Immediate notification to card brands (Visa, Mastercard) + acquiring bank
|
|
635
|
-
HIPAA: 60 days to HHS, affected individuals, and media (if >500 in a state)
|
|
636
|
-
India PDPB: 72 hours to Data Protection Board (when enacted)
|
|
637
|
-
SEC (US): 4 business days for material cybersecurity incidents (Rule 8-K)
|
|
638
|
-
RBI (India): Immediate to RBI CSITE + NPCI for payment system incidents
|
|
639
|
-
|
|
640
|
-
Prepare breach notification templates in advance. Legal review annually.
|
|
641
|
-
```
|
|
642
|
-
|
|
643
|
-
---
|
|
644
|
-
|
|
645
|
-
## VULNERABILITY MANAGEMENT
|
|
646
|
-
|
|
647
|
-
### CVE Tracking & Patch SLAs
|
|
648
|
-
|
|
649
|
-
```
|
|
650
|
-
CVSS Score → Patch Timeline:
|
|
651
|
-
Critical (9.0-10.0): Patch within 24 hours. Emergency change if needed.
|
|
652
|
-
High (7.0-8.9): Patch within 7 days.
|
|
653
|
-
Medium (4.0-6.9): Patch within 30 days.
|
|
654
|
-
Low (0.1-3.9): Patch within 90 days.
|
|
655
|
-
|
|
656
|
-
CISA KEV overrides: Patch within 2 weeks regardless of CVSS (these are actively exploited).
|
|
657
|
-
|
|
658
|
-
Automation:
|
|
659
|
-
Renovate Bot: Auto-PRs for dependency updates (better than Dependabot — more flexible)
|
|
660
|
-
Trivy: Scan container images in CI, block critical CVEs
|
|
661
|
-
Snyk: Monitor production containers + code continuously
|
|
662
|
-
Grafeas: Artifact metadata and attestation (GCP-native)
|
|
663
|
-
```
|
|
664
|
-
|
|
665
|
-
### SBOM (Software Bill of Materials)
|
|
666
|
-
|
|
667
|
-
```
|
|
668
|
-
Generate on every release:
|
|
669
|
-
Node.js: cyclonedx-node-npm --output-file sbom.json
|
|
670
|
-
Python: cyclonedx-py -p -e -o sbom.json
|
|
671
|
-
Java: CycloneDX Maven/Gradle plugin
|
|
672
|
-
Docker: syft image:tag -o cyclonedx-json=sbom.json
|
|
673
|
-
|
|
674
|
-
Store in artifact registry alongside each release.
|
|
675
|
-
Required by: US Executive Order 14028, EU Cyber Resilience Act, PCI DSS 4.0.
|
|
676
|
-
Enables: rapid "do we use Log4j?" type queries during zero-day events.
|
|
677
|
-
```
|
|
678
|
-
|
|
679
|
-
---
|
|
680
|
-
|
|
681
|
-
## COMPLIANCE FRAMEWORKS
|
|
682
|
-
|
|
683
|
-
### SOC 2 Type II (Most Important for SaaS)
|
|
684
|
-
|
|
685
|
-
```
|
|
686
|
-
Trust Services Criteria:
|
|
687
|
-
Security: CC6 — Logical access, CC7 — System operations, CC8 — Change management
|
|
688
|
-
Availability: Uptime SLAs, disaster recovery, capacity planning
|
|
689
|
-
Confidentiality: Data classification, encryption, access controls
|
|
690
|
-
Processing Integrity: Complete, accurate, timely processing
|
|
691
|
-
Privacy: GDPR/CCPA alignment, consent management
|
|
692
|
-
|
|
693
|
-
Controls required (sample):
|
|
694
|
-
□ All access requires MFA
|
|
695
|
-
□ Background checks for all employees with system access
|
|
696
|
-
□ Annual security training for all staff
|
|
697
|
-
□ Penetration test annually
|
|
698
|
-
□ Business continuity plan tested annually
|
|
699
|
-
□ Incident response tested quarterly
|
|
700
|
-
□ Vendor security assessments for critical vendors
|
|
701
|
-
□ Encryption at rest and in transit
|
|
702
|
-
□ Change management process documented
|
|
703
|
-
□ Vulnerability management program with SLAs
|
|
704
|
-
|
|
705
|
-
Tools:
|
|
706
|
-
Vanta: Best automated SOC2 prep (<user> already using). ~$15K/yr. Gets to audit-ready fastest.
|
|
707
|
-
Drata: Vanta competitor, good integrations.
|
|
708
|
-
Secureframe: Strong for early-stage.
|
|
709
|
-
Manual: Feasible but 10x more work.
|
|
710
|
-
|
|
711
|
-
Timeline: SOC2 Type I in 3 months (controls exist). Type II in 12 months (controls operated for period).
|
|
712
|
-
```
|
|
713
|
-
|
|
714
|
-
### PCI DSS 4.0 (If Handling Card Data)
|
|
715
|
-
|
|
716
|
-
```
|
|
717
|
-
Key requirements for SaaS (Level 4 — <20K transactions):
|
|
718
|
-
□ Never store raw PANs, CVV, or full magnetic stripe
|
|
719
|
-
□ Tokenize: use Stripe.js/Elements — card data never touches your server
|
|
720
|
-
□ WAF protecting all web-facing systems
|
|
721
|
-
□ Vulnerability scanning quarterly (ASV scan)
|
|
722
|
-
□ Penetration test annually
|
|
723
|
-
□ Maintain audit logs 12 months
|
|
724
|
-
□ MFA for all non-consumer access
|
|
725
|
-
□ Encrypt cardholder data in transit (TLS 1.2+)
|
|
726
|
-
□ Self-Assessment Questionnaire (SAQ A or SAQ A-EP for most SaaS)
|
|
727
|
-
|
|
728
|
-
Best advice: Use Stripe.js + Stripe Elements. Never touch raw card data. Reduces scope to SAQ A.
|
|
729
|
-
```
|
|
730
|
-
|
|
731
|
-
### GDPR / Data Privacy
|
|
732
|
-
|
|
733
|
-
```
|
|
734
|
-
Core requirements:
|
|
735
|
-
□ Lawful basis for processing (consent, contract, legitimate interest, etc.)
|
|
736
|
-
□ Data subject rights: access, rectification, erasure ("right to be forgotten"), portability
|
|
737
|
-
□ Privacy by design: collect minimum data, purpose limitation
|
|
738
|
-
□ Data Processing Agreements (DPAs) with all sub-processors
|
|
739
|
-
□ Records of Processing Activities (ROPA) — document what you process and why
|
|
740
|
-
□ 72-hour breach notification to supervisory authority
|
|
741
|
-
□ DPIA (Data Protection Impact Assessment) for high-risk processing
|
|
742
|
-
□ Cookie consent — real consent, not dark patterns
|
|
743
|
-
|
|
744
|
-
Technical implementation:
|
|
745
|
-
Data inventory: Every field of every table — classify: PII / sensitive / public
|
|
746
|
-
Erasure: User delete → anonymize or delete all PII across all tables + backups
|
|
747
|
-
Portability: Export user data as machine-readable JSON/CSV on request
|
|
748
|
-
Data residency: EU personal data must stay in EU (or adequate third country)
|
|
749
|
-
Consent logging: Timestamp, IP, consent text version for every consent collected
|
|
750
|
-
```
|
|
751
|
-
|
|
752
|
-
---
|
|
753
|
-
|
|
754
|
-
## FRAUD DETECTION & FINANCIAL CRIME (<project>-Specific)
|
|
755
|
-
|
|
756
|
-
### Real-Time Fraud Signal Architecture
|
|
757
|
-
|
|
758
|
-
```
|
|
759
|
-
Transaction Event → Feature Extraction → Risk Scoring → Decision → Action
|
|
760
|
-
↓ ↓
|
|
761
|
-
[Feature Store] [ML Model + Rules]
|
|
762
|
-
↓
|
|
763
|
-
velocity, device, IP, behavior, history
|
|
764
|
-
|
|
765
|
-
Signal categories:
|
|
766
|
-
Velocity: transactions per hour/day, amount per period, new payee frequency
|
|
767
|
-
Device: device fingerprint, new device, rooted/jailbroken, emulator detected
|
|
768
|
-
Location: IP geolocation, distance from last transaction, impossible travel
|
|
769
|
-
Behavior: typing speed, session duration, navigation pattern (vs baseline)
|
|
770
|
-
Network: VPN/proxy/Tor detected, datacenter IP, known fraud IP
|
|
771
|
-
Identity: name/address/phone mismatch, synthetic identity signals
|
|
772
|
-
Transaction: unusual amount (vs history), unusual merchant, round amounts, split transactions
|
|
773
|
-
```
|
|
774
|
-
|
|
775
|
-
### Fraud Rule Engine Design
|
|
776
|
-
|
|
777
|
-
```
|
|
778
|
-
Priority execution:
|
|
779
|
-
P0 Hard Block: Stolen card list, OFAC sanctions match, known fraud device → instant deny
|
|
780
|
-
P1 Hard Block: Velocity limit exceeded, impossible travel, known fraud IP → instant deny
|
|
781
|
-
P2 Soft Block: ML score > 0.9 → step-up auth (OTP required)
|
|
782
|
-
P3 Review: ML score 0.7-0.9 → human review queue
|
|
783
|
-
P4 Monitor: ML score 0.4-0.7 → flag for pattern analysis
|
|
784
|
-
P5 Allow: ML score < 0.4 → approve (standard risk)
|
|
785
|
-
|
|
786
|
-
Rule governance:
|
|
787
|
-
Every rule: owner, creation date, last review date, hit rate, precision/recall
|
|
788
|
-
Rules reviewed monthly — prune low-precision rules, add new patterns
|
|
789
|
-
A/B test rule changes — never deploy blind
|
|
790
|
-
False positive rate target: <0.5% (every false positive = lost revenue + angry customer)
|
|
791
|
-
```
|
|
792
|
-
|
|
793
|
-
### AML (Anti-Money Laundering) Technical Controls
|
|
794
|
-
|
|
795
|
-
```
|
|
796
|
-
Structuring detection: Transactions just below reporting thresholds (e.g., $9,900)
|
|
797
|
-
Alert: 3+ transactions in 24h summing to >$10K per user
|
|
798
|
-
|
|
799
|
-
Layering detection: Rapid fund movement across multiple accounts
|
|
800
|
-
Alert: Money in → out to different account within 1 hour
|
|
801
|
-
|
|
802
|
-
Round-tripping: Funds leaving and returning to same source
|
|
803
|
-
Graph analysis: detect cycles in transaction graph
|
|
804
|
-
|
|
805
|
-
SAR filing: Automated SAR (Suspicious Activity Report) generation
|
|
806
|
-
File with FinCEN within 30 days of detection (US requirement)
|
|
807
|
-
Store SAR data with 5-year retention
|
|
808
|
-
|
|
809
|
-
KYC integration: Identity verification at onboarding (Jumio, Onfido, Persona)
|
|
810
|
-
Enhanced due diligence for high-risk users (PEPs, high-volume)
|
|
811
|
-
Ongoing monitoring: re-verify on behavior change triggers
|
|
812
|
-
```
|
|
813
|
-
|
|
814
|
-
---
|
|
815
|
-
|
|
816
|
-
## SECURITY METRICS (MEASURE THESE)
|
|
817
|
-
|
|
818
|
-
```
|
|
819
|
-
Detection:
|
|
820
|
-
MTTD: Mean Time to Detect — target <1 hour for critical events
|
|
821
|
-
Alert fidelity: True positive rate of security alerts — target >30% (tune to reduce noise)
|
|
822
|
-
Coverage: % of attack surface with detection rules
|
|
823
|
-
|
|
824
|
-
Response:
|
|
825
|
-
MTTR: Mean Time to Respond — target <4 hours for P0/P1
|
|
826
|
-
MTTC: Mean Time to Contain — stop ongoing attack — target <30 min for P0
|
|
827
|
-
|
|
828
|
-
Prevention:
|
|
829
|
-
Patch compliance: % of critical CVEs patched within SLA — target 100% for critical
|
|
830
|
-
Vuln backlog: Open vulnerabilities by severity — track weekly, trending down
|
|
831
|
-
Security debt: Security findings in code — track like technical debt
|
|
832
|
-
|
|
833
|
-
Posture:
|
|
834
|
-
Cloud compliance score: CSPM findings — target 0 critical, <10 high
|
|
835
|
-
Pen test findings: Track findings year-over-year — should decrease
|
|
836
|
-
Security training: % staff completed annual training — target 100%
|
|
837
|
-
|
|
838
|
-
Report to leadership: Monthly 1-page security scorecard. Executives must see these numbers.
|
|
839
|
-
```
|
|
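Review bot: if the incident-response, vulnerability-management, compliance, fraud and metrics sections removed here are being relocated rather than dropped (the new file's `# Covers:` line still lists Compliance, Fraud and Incident Response), carry two command fixes over with them: the CycloneDX npm CLI is `cyclonedx-npm --output-file sbom.json` (the package is @cyclonedx/cyclonedx-npm; there is no `cyclonedx-node-npm` binary), and `cyclonedx-py -p -e -o sbom.json` combines two mutually exclusive input sources (`-p` Poetry, `-e` current environment), so keep one; current 4.x releases take the source as a subcommand instead (`cyclonedx-py environment -o sbom.json`). The SEC entry in the breach-notification block should also read "Form 8-K, Item 1.05" rather than "Rule 8-K".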
1
|
+
# Cybersecurity Intelligence Reference
|
|
2
|
+
|
|
3
|
+
# Covers: AppSec, NetSec, CloudSec, DevSecOps, Threat Intel, SIEM, Compliance, Fraud, Incident Response
|
|
4
|
+
|
|
5
|
+
## DEFENSE IN DEPTH MODEL
|
|
6
|
+
|
|
7
|
+
Never rely on a single control. Layer security at every level:
|
|
8
|
+
|
|
9
|
+
```
|
|
10
|
+
Layer 1 — Perimeter: WAF, DDoS protection, CDN edge rules, geo-blocking
|
|
11
|
+
Layer 2 — Network: Firewall rules, VPC isolation, private subnets, VPN, zero-trust network access
|
|
12
|
+
Layer 3 — Identity: MFA, SSO, PAM, least privilege, just-in-time access
|
|
13
|
+
Layer 4 — Application: Input validation, auth/authz, CSRF, rate limiting, API security
|
|
14
|
+
Layer 5 — Data: Encryption at rest + transit, tokenization, masking, key management
|
|
15
|
+
Layer 6 — Endpoint: EDR, patch management, container hardening, OS baselines
|
|
16
|
+
Layer 7 — Detection: SIEM, anomaly detection, threat intel feeds, behavioral analytics
|
|
17
|
+
Layer 8 — Response: IR playbooks, forensics capability, backup/restore tested weekly
|
|
18
|
+
|
|
19
|
+
Principle: Assume every layer will eventually be breached. Design so that one breach ≠ catastrophe.
|
|
20
|
+
```
|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
## OWASP TOP 10 — WEB (2021) — Fix Every One
|
|
25
|
+
|
|
26
|
+
### A01: Broken Access Control (Most Common)
|
|
27
|
+
|
|
28
|
+
```
|
|
29
|
+
Attack: Access /api/users/456 as user 123. Horizontal privilege escalation.
|
|
30
|
+
Fix: Always verify ownership: WHERE id = $1 AND org_id = $current_org
|
|
31
|
+
Row-Level Security in PostgreSQL enforces this at DB level.
|
|
32
|
+
Never trust user-supplied IDs without authorization check.
|
|
33
|
+
Test: Authenticated as User A, attempt all User B's resource endpoints.
|
|
34
|
+
|
|
35
|
+
Code fix:
|
|
36
|
+
// BAD:
|
|
37
|
+
const tx = await db.transaction.findUnique({ where: { id: req.params.id }})
|
|
38
|
+
|
|
39
|
+
// GOOD:
|
|
40
|
+
const tx = await db.transaction.findUnique({
|
|
41
|
+
where: { id: req.params.id, userId: req.user.id } // scope to authenticated user
|
|
42
|
+
})
|
|
43
|
+
if (!tx) throw new NotFoundError() // same error whether missing or unauthorized
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
### A02: Cryptographic Failures
|
|
47
|
+
|
|
48
|
+
```
|
|
49
|
+
Attack: Sensitive data in plaintext DB, MD5 passwords, HTTP traffic, weak keys.
|
|
50
|
+
Fix: TLS 1.3 everywhere. AES-256-GCM for data at rest.
|
|
51
|
+
Passwords: argon2id (winner of PHC). Never MD5/SHA1/bcrypt(cost<12).
|
|
52
|
+
PII fields: encrypt at application layer (not just disk encryption).
|
|
53
|
+
No secrets in logs. No PAN/SSN in URLs.
|
|
54
|
+
|
|
55
|
+
Password hashing:
|
|
56
|
+
import argon2 from 'argon2'
|
|
57
|
+
const hash = await argon2.hash(password, {
|
|
58
|
+
type: argon2.argon2id,
|
|
59
|
+
memoryCost: 65536, // 64MB
|
|
60
|
+
timeCost: 3, // 3 iterations
|
|
61
|
+
parallelism: 4 // 4 threads
|
|
62
|
+
})
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
### A03: Injection (SQL, NoSQL, LDAP, Command)
|
|
66
|
+
|
|
67
|
+
```
|
|
68
|
+
Attack: User inputs: ' OR '1'='1 → dumps entire table.
|
|
69
|
+
Fix: Parameterized queries. ALWAYS. No string concatenation in queries.
|
|
70
|
+
ORM query builders (Prisma, SQLAlchemy) are safe by default.
|
|
71
|
+
Command injection: never exec() user input. Use allowlists.
|
|
72
|
+
|
|
73
|
+
// NEVER:
|
|
74
|
+
db.query(`SELECT * FROM users WHERE email = '${email}'`)
|
|
75
|
+
|
|
76
|
+
// ALWAYS:
|
|
77
|
+
db.query('SELECT * FROM users WHERE email = $1', [email])
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
### A04: Insecure Design
|
|
81
|
+
|
|
82
|
+
```
|
|
83
|
+
Attack: Business logic flaws — buy item for $0, skip payment step, replay coupons.
|
|
84
|
+
Fix: Threat model every feature before coding.
|
|
85
|
+
State machine validation — enforce valid state transitions server-side.
|
|
86
|
+
Rate limit sensitive operations (password reset: 3/hour, not 1000/hour).
|
|
87
|
+
Never trust client-side price/discount calculation.
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
### A05: Security Misconfiguration
|
|
91
|
+
|
|
92
|
+
```
|
|
93
|
+
Common: Default credentials, directory listing, verbose error messages in prod,
|
|
94
|
+
open S3 buckets, unrestricted CORS, unused ports open, debug mode on.
|
|
95
|
+
Fix: Infrastructure as Code — configuration is reviewed, version-controlled.
|
|
96
|
+
CSPM tool (Wiz, Prisma Cloud, or free: CloudSploit) scans continuously.
|
|
97
|
+
Env diff check: prod config audited against security baseline weekly.
|
|
98
|
+
Error responses: generic in prod, never stack traces to client.
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
### A06: Vulnerable and Outdated Components
|
|
102
|
+
|
|
103
|
+
```
|
|
104
|
+
Fix: Renovate Bot or Dependabot — auto-PRs for dependency updates weekly.
|
|
105
|
+
Snyk or OWASP Dependency-Check in CI — block on critical CVEs.
|
|
106
|
+
Container base image scanning — Trivy on every Docker build.
|
|
107
|
+
SBOM (Software Bill of Materials) generated on every release.
|
|
108
|
+
Never use packages with 0 maintenance activity in past 12 months.
|
|
109
|
+
Pin exact versions in lockfiles (package-lock.json, requirements.txt).
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
### A07: Identification and Authentication Failures
|
|
113
|
+
|
|
114
|
+
```
|
|
115
|
+
Attack: Credential stuffing, brute force, session fixation, weak tokens.
|
|
116
|
+
Fix: MFA mandatory for admin, recommended for all users.
|
|
117
|
+
Account lockout: 5 failed attempts → 15min lockout + alert.
|
|
118
|
+
Secure session: HttpOnly, Secure, SameSite=Strict cookies.
|
|
119
|
+
Token storage: never localStorage (XSS), always HttpOnly cookies.
|
|
120
|
+
Password policy: min 12 chars, check against HaveIBeenPwned API.
|
|
121
|
+
JWT: RS256 (not HS256), short TTL (15min), rotate signing keys quarterly.
|
|
122
|
+
```
|
|
123
|
+
|
|
124
|
+
### A08: Software and Data Integrity Failures
|
|
125
|
+
|
|
126
|
+
```
|
|
127
|
+
Attack: Tampered auto-updates, unsigned packages, CI/CD pipeline compromise.
|
|
128
|
+
Fix: Verify checksums/signatures on all downloaded artifacts.
|
|
129
|
+
Sigstore/Cosign for container image signing.
|
|
130
|
+
SLSA framework for supply chain levels (target SLSA Level 3).
|
|
131
|
+
CI/CD: separate credentials per environment, audit pipeline configs.
|
|
132
|
+
npm: use --ignore-scripts flag, audit before install.
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
### A09: Security Logging and Monitoring Failures
|
|
136
|
+
|
|
137
|
+
```
|
|
138
|
+
Fix: Log: every auth event, admin action, failed access, data mutation.
|
|
139
|
+
Include: timestamp (UTC), user_id, org_id, IP, action, resource, result.
|
|
140
|
+
Never log: passwords, tokens, PAN, SSN, CVV, full credit card.
|
|
141
|
+
Alert within 15 minutes on: impossible travel, mass data export,
|
|
142
|
+
admin privilege escalation, >10 auth failures.
|
|
143
|
+
Log retention: 90 days hot, 1 year cold (PCI DSS requires 1 year).
|
|
144
|
+
SIEM: ingest all logs, alert on patterns, not just individual events.
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### A10: Server-Side Request Forgery (SSRF)
|
|
148
|
+
|
|
149
|
+
```
|
|
150
|
+
Attack: User supplies URL → server fetches it → attacker reads internal metadata API.
|
|
151
|
+
AWS: http://169.254.169.254/latest/meta-data/iam/security-credentials/
|
|
152
|
+
Fix: Allowlist permitted URL destinations — never arbitrary user-supplied URLs.
|
|
153
|
+
Block RFC 1918 addresses (10.x, 172.16.x, 192.168.x) and 169.254.x.
|
|
154
|
+
Use DNS resolution + IP check BEFORE fetching.
|
|
155
|
+
Disable HTTP redirects or validate redirect target against allowlist.
|
|
156
|
+
```
|
|
157
|
+
|
|
158
|
+
---
|
|
159
|
+
|
|
160
|
+
## OWASP API SECURITY TOP 10 (2023)
|
|
161
|
+
|
|
162
|
+
```
|
|
163
|
+
API1: Broken Object Level Authorization → Scope every query to authenticated user/org
|
|
164
|
+
API2: Broken Authentication → Short-lived tokens, rotate refresh tokens
|
|
165
|
+
API3: Broken Object Property Auth → Allowlist response fields, never return full DB row
|
|
166
|
+
API4: Unrestricted Resource Consumption → Rate limit, payload size limits, pagination required
|
|
167
|
+
API5: Broken Function Level Auth → Admin endpoints on separate auth check, not just UI hide
|
|
168
|
+
API6: Unrestricted Access to Sensitive Business Flows → Bot detection, device fingerprinting
|
|
169
|
+
API7: Server-Side Request Forgery → Same as web SSRF above
|
|
170
|
+
API8: Security Misconfiguration → No CORS *, no debug headers, no default paths
|
|
171
|
+
API9: Improper Inventory Management → API versioning, decommission old versions with traffic
|
|
172
|
+
API10: Unsafe Consumption of APIs → Validate all third-party API responses before use
|
|
173
|
+
```
|
|
174
|
+
|
|
175
|
+
---
|
|
176
|
+
|
|
177
|
+
## THREAT MODELING
|
|
178
|
+
|
|
179
|
+
### STRIDE Framework (Apply to Every Feature)
|
|
180
|
+
|
|
181
|
+
```
|
|
182
|
+
S — Spoofing: Can an attacker impersonate a legitimate user or service?
|
|
183
|
+
Mitigate: Strong auth, mutual TLS, digital signatures
|
|
184
|
+
|
|
185
|
+
T — Tampering: Can data be modified in transit or at rest without detection?
|
|
186
|
+
Mitigate: Integrity checks, signed tokens, audit logs, TLS
|
|
187
|
+
|
|
188
|
+
R — Repudiation: Can someone deny performing an action?
|
|
189
|
+
Mitigate: Immutable audit logs, signed requests, non-repudiation tokens
|
|
190
|
+
|
|
191
|
+
I — Information Disclosure: Can sensitive data be exposed to unauthorized parties?
|
|
192
|
+
Mitigate: Least privilege, encryption, data classification, masking
|
|
193
|
+
|
|
194
|
+
D — Denial of Service: Can an attacker disrupt availability?
|
|
195
|
+
Mitigate: Rate limiting, auto-scaling, circuit breakers, DDoS protection
|
|
196
|
+
|
|
197
|
+
E — Elevation of Privilege: Can a user gain more access than they should have?
|
|
198
|
+
Mitigate: RBAC, least privilege, privilege validation server-side
|
|
199
|
+
```
|
|
200
|
+
|
|
201
|
+
### Threat Modeling Process (Per Feature)
|
|
202
|
+
|
|
203
|
+
```
|
|
204
|
+
Step 1: DECOMPOSE — Draw data flow diagram. Identify trust boundaries, entry points, data stores.
|
|
205
|
+
Step 2: THREATS — For each component, apply STRIDE. List all plausible attacks.
|
|
206
|
+
Step 3: RANK — Severity × Likelihood = Risk score (DREAD or CVSS)
|
|
207
|
+
Step 4: MITIGATE — For each threat: mitigate, transfer, accept, or avoid.
|
|
208
|
+
Step 5: VALIDATE — Write security test for each mitigated threat.
|
|
209
|
+
Step 6: REPEAT — Re-threat-model when architecture changes.
|
|
210
|
+
|
|
211
|
+
Time required: 2-4 hours per major feature. Non-negotiable for financial features.
|
|
212
|
+
```
|
|
213
|
+
|
|
214
|
+
---
|
|
215
|
+
|
|
216
|
+
## APPLICATION SECURITY (APPSEC) PIPELINE
|
|
217
|
+
|
|
218
|
+
### DevSecOps — Shift Left
|
|
219
|
+
|
|
220
|
+
```
|
|
221
|
+
Pre-commit: git-secrets / detect-secrets / Gitleaks — block secret commits
|
|
222
|
+
IDE plugins: Snyk IntelliJ, SonarLint VSCode (real-time SAST)
|
|
223
|
+
|
|
224
|
+
PR / CI: SAST — Static analysis (Semgrep, SonarQube, CodeQL)
|
|
225
|
+
SCA — Dependency check (Snyk, OWASP DC, npm audit)
|
|
226
|
+
Secrets scan — Gitleaks, TruffleHog
|
|
227
|
+
IaC scan — Checkov, tfsec (Terraform misconfigs)
|
|
228
|
+
Container scan — Trivy (image CVEs)
|
|
229
|
+
|
|
230
|
+
Pre-deploy: DAST — Dynamic scan against staging (OWASP ZAP, Burp Suite)
|
|
231
|
+
API fuzzing — Schemathesis, restler-fuzzer
|
|
232
|
+
|
|
233
|
+
Production: RASP — Runtime application self-protection (contrast, sqreen)
|
|
234
|
+
WAF — Cloudflare WAF / AWS WAF / Cloud Armor (rules updated weekly)
|
|
235
|
+
Dependency monitor — Snyk monitor / Dependabot alerts
|
|
236
|
+
```
|
|
237
|
+
|
|
238
|
+
### SAST Tool Selection
|
|
239
|
+
|
|
240
|
+
```
|
|
241
|
+
Semgrep: Fast, open source, custom rules, CI-native. Best first choice.
|
|
242
|
+
SonarQube: Comprehensive, CI integration, tracks debt over time. Self-hosted or cloud.
|
|
243
|
+
CodeQL: GitHub-native, deep semantic analysis, best for complex vulnerability patterns.
|
|
244
|
+
Checkmarx: Enterprise, expensive, deep analysis.
|
|
245
|
+
Veracode: Enterprise SaaS, compliance-oriented.
|
|
246
|
+
|
|
247
|
+
Run Semgrep + SonarQube minimum. CodeQL for GitHub repos (free for public).
|
|
248
|
+
```
|
|
249
|
+
|
|
250
|
+
### Penetration Testing Methodology
|
|
251
|
+
|
|
252
|
+
```
|
|
253
|
+
Phase 1 — Reconnaissance:
|
|
254
|
+
Passive: Shodan, Censys, Google dorks, LinkedIn (OSINT)
|
|
255
|
+
Active: nmap port scan, service fingerprinting, SSL/TLS scan (testssl.sh)
|
|
256
|
+
|
|
257
|
+
Phase 2 — Enumeration:
|
|
258
|
+
Web: Dirb/ffuf (directory brute-force), nikto (web scanner)
|
|
259
|
+
API: Postman collection analysis, OpenAPI spec review, parameter fuzzing
|
|
260
|
+
Auth: JWT inspection, session token analysis, OAuth flow review
|
|
261
|
+
|
|
262
|
+
Phase 3 — Exploitation:
|
|
263
|
+
Automated: OWASP ZAP active scan, SQLmap (SQL injection), Nuclei templates
|
|
264
|
+
Manual: Business logic testing, auth bypass, IDOR, race conditions
|
|
265
|
+
|
|
266
|
+
Phase 4 — Post-Exploitation:
|
|
267
|
+
Lateral movement (if scoped), privilege escalation, persistence mechanisms
|
|
268
|
+
|
|
269
|
+
Phase 5 — Reporting:
|
|
270
|
+
CVSS scores for each finding, reproduction steps, remediation guidance, risk rating
|
|
271
|
+
|
|
272
|
+
Cadence: Annual third-party pentest + quarterly internal. Before major releases.
|
|
273
|
+
Tools: Burp Suite Pro, OWASP ZAP, Metasploit, Nmap, Nikto, SQLmap, Nuclei, Amass
|
|
274
|
+
```
|
|
275
|
+
|
|
276
|
+
---
|
|
277
|
+
|
|
278
|
+
## ZERO TRUST ARCHITECTURE
|
|
279
|
+
|
|
280
|
+
```
|
|
281
|
+
Core Principles:
|
|
282
|
+
1. Never trust, always verify — network location grants zero trust
|
|
283
|
+
2. Least privilege access — time-limited, just enough, just-in-time
|
|
284
|
+
3. Assume breach — segment everything, monitor everything, limit blast radius
|
|
285
|
+
4. Verify explicitly — authenticate and authorize every request, every time
|
|
286
|
+
|
|
287
|
+
Implementation:
|
|
288
|
+
Identity: Every user + device verified before access (MFA + device health check)
|
|
289
|
+
Device: Managed devices only for admin access. MDM enrolled.
|
|
290
|
+
Network: Micro-segmentation. Services can't talk unless explicitly allowed.
|
|
291
|
+
Replace VPN with identity-aware proxy (Google BeyondCorp, Cloudflare Access)
|
|
292
|
+
Application: Each app verifies identity independently. No "trusted" internal networks.
|
|
293
|
+
Data: Classify data. Apply policy per classification. Encrypt in use.
|
|
294
|
+
|
|
295
|
+
GCP Implementation:
|
|
296
|
+
Identity-Aware Proxy (IAP) → protects internal apps without VPN
|
|
297
|
+
VPC Service Controls → data perimeter, prevents data exfil from GCP services
|
|
298
|
+
Organization Policy → org-wide guardrails (no public IPs, require CMEK, etc.)
|
|
299
|
+
Access Context Manager → attribute-based access (IP, device, user)
|
|
300
|
+
```
|
|
301
|
+
|
|
302
|
+
---
|
|
303
|
+
|
|
304
|
+
## CLOUD SECURITY (CSPM + CWPP)
|
|
305
|
+
|
|
306
|
+
### Cloud Security Posture Management (CSPM)
|
|
307
|
+
|
|
308
|
+
```
|
|
309
|
+
What it does: Continuously scans cloud config for misconfigurations and compliance violations
|
|
310
|
+
Tools:
|
|
311
|
+
Wiz: Best coverage, agentless, fast. $15K+/yr
|
|
312
|
+
Prisma Cloud: Palo Alto, comprehensive, expensive
|
|
313
|
+
Lacework: Behavioral analysis + CSPM combo
|
|
314
|
+
CloudSploit: Open source, GCP/AWS/Azure. Free.
|
|
315
|
+
ScoutSuite: Open source audit tool. Run quarterly.
|
|
316
|
+
|
|
317
|
+
Must-catch misconfigs:
|
|
318
|
+
□ Public S3/GCS buckets
|
|
319
|
+
□ Unrestricted security group rules (0.0.0.0/0 inbound)
|
|
320
|
+
□ Unencrypted database instances
|
|
321
|
+
□ MFA not enabled on root/admin accounts
|
|
322
|
+
□ Logging disabled (CloudTrail/Cloud Audit Logs)
|
|
323
|
+
□ Old IAM access keys (>90 days)
|
|
324
|
+
□ Public SSH/RDP ports exposed (22, 3389)
|
|
325
|
+
□ Default VPC in use for production
|
|
326
|
+
```
|
|
327
|
+
|
|
328
|
+
### Container & Kubernetes Security
|
|
329
|
+
|
|
330
|
+
```
|
|
331
|
+
Image security:
|
|
332
|
+
□ Base image: use distroless or alpine (minimal attack surface)
|
|
333
|
+
□ Never run as root (USER nobody in Dockerfile)
|
|
334
|
+
□ No secrets in image layers (check with Trivy --secret)
|
|
335
|
+
□ Sign images with Cosign (Sigstore)
|
|
336
|
+
□ Image pull policy: Always (never cached stale images in prod)
|
|
337
|
+
|
|
338
|
+
Kubernetes:
|
|
339
|
+
□ RBAC: no cluster-admin for workloads. Namespace-scoped roles only.
|
|
340
|
+
□ Network Policies: default deny all, explicit allow per service pair
|
|
341
|
+
□ Pod Security Standards: Restricted profile in production
|
|
342
|
+
□ Secrets: use External Secrets Operator (GCP Secret Manager → K8s Secret)
|
|
343
|
+
□ No privileged containers. No hostPID/hostNetwork.
|
|
344
|
+
□ Resource limits on every container (prevents noisy neighbor + DoS)
|
|
345
|
+
□ Admission controllers: OPA/Gatekeeper or Kyverno policy engine
|
|
346
|
+
□ Runtime: Falco (detects anomalous container behavior in real-time)
|
|
347
|
+
|
|
348
|
+
Runtime security:
|
|
349
|
+
Falco rules to alert on:
|
|
350
|
+
- Shell spawned in container (exec into running container)
|
|
351
|
+
- Unexpected outbound connections from container
|
|
352
|
+
- Sensitive file read (/etc/shadow, /proc/*/mem)
|
|
353
|
+
- Privilege escalation attempts
|
|
354
|
+
```
|
|
355
|
+
|
|
356
|
+
### GCP Security Hardening Checklist
|
|
357
|
+
|
|
358
|
+
```
|
|
359
|
+
Organization level:
|
|
360
|
+
□ Organization Policy: Restrict public IPs on Cloud SQL
|
|
361
|
+
□ Organization Policy: Require OS Login for Compute Engine
|
|
362
|
+
□ Organization Policy: Restrict allowed APIs per project
|
|
363
|
+
□ Cloud Audit Logs: DATA_READ + DATA_WRITE + ADMIN_WRITE on all services
|
|
364
|
+
□ SCC (Security Command Center) Premium enabled
|
|
365
|
+
|
|
366
|
+
Project level:
|
|
367
|
+
□ Default service accounts not used (create custom, least privilege)
|
|
368
|
+
□ Service account keys: rotate quarterly or use Workload Identity instead
|
|
369
|
+
□ Cloud SQL: private IP only, no public IP, SSL required
|
|
370
|
+
□ GCS: uniform bucket-level access, no legacy ACLs
|
|
371
|
+
□ Cloud Run: no unauthenticated invocations (except public endpoints)
|
|
372
|
+
□ Secret Manager: audit access log enabled, rotation schedule set
|
|
373
|
+
□ VPC: Private Google Access enabled, no default firewall rules
|
|
374
|
+
```
|
|
375
|
+
|
|
376
|
+
---
|
|
377
|
+
|
|
378
|
+
## SECURITY MONITORING & SIEM
|
|
379
|
+
|
|
380
|
+
### What to Log (Mandatory)
|
|
381
|
+
|
|
382
|
+
```
|
|
383
|
+
Authentication events:
|
|
384
|
+
login_success, login_failure, logout, mfa_challenge, mfa_success, mfa_failure,
|
|
385
|
+
password_reset_requested, password_changed, token_refreshed, token_revoked,
|
|
386
|
+
session_expired, account_locked, account_unlocked
|
|
387
|
+
|
|
388
|
+
Authorization events:
|
|
389
|
+
access_denied, privilege_escalation_attempt, role_assigned, role_revoked,
|
|
390
|
+
admin_action (any), api_key_created, api_key_deleted
|
|
391
|
+
|
|
392
|
+
Data events:
|
|
393
|
+
record_created, record_updated, record_deleted (with before/after for sensitive fields),
|
|
394
|
+
bulk_export, bulk_delete, pii_accessed (who accessed whose data)
|
|
395
|
+
|
|
396
|
+
Infrastructure events:
|
|
397
|
+
deploy_started, deploy_completed, deploy_failed, config_changed,
|
|
398
|
+
secret_accessed (who, when, which secret), IAM_policy_changed
|
|
399
|
+
|
|
400
|
+
Format (every log line must have all fields):
|
|
401
|
+
{
|
|
402
|
+
"timestamp": "2024-01-15T10:30:00.000Z", // UTC always
|
|
403
|
+
"trace_id": "abc-123", // correlate across services
|
|
404
|
+
"user_id": "usr_xyz", // who did it
|
|
405
|
+
"org_id": "org_abc", // tenant context
|
|
406
|
+
"ip": "1.2.3.4", // source IP
|
|
407
|
+
"user_agent": "...", // client context
|
|
408
|
+
"action": "transaction.created", // what happened
|
|
409
|
+
"resource_id": "tx_123", // on what
|
|
410
|
+
"result": "success", // success/failure/denied
|
|
411
|
+
"duration_ms": 45 // performance context
|
|
412
|
+
}
|
|
413
|
+
```
|
|
414
|
+
|
|
415
|
+
### SIEM Architecture
|
|
416
|
+
|
|
417
|
+
```
|
|
418
|
+
Sources: App logs, Cloud Audit Logs, WAF logs, VPC Flow Logs, DNS logs
|
|
419
|
+
Ingestion: Pub/Sub (GCP) or Kafka → log pipeline
|
|
420
|
+
Normalization: Parse into common schema (CEF or ECS — Elastic Common Schema)
|
|
421
|
+
Storage: BigQuery (GCP) or Elasticsearch — index for fast search
|
|
422
|
+
Correlation: Detection rules — alert on patterns, not single events
|
|
423
|
+
Alerting: PagerDuty / OpsGenie → on-call rotation
|
|
424
|
+
Response: SOAR (Security Orchestration) — auto-remediate known patterns
|
|
425
|
+
|
|
426
|
+
Tools:
|
|
427
|
+
Managed: Google Chronicle, Microsoft Sentinel, Splunk, Sumo Logic
|
|
428
|
+
Open source: ELK Stack (Elasticsearch + Logstash + Kibana) + Sigma rules
|
|
429
|
+
Lightweight: Grafana + Loki + alert rules (good for small teams, low cost)
|
|
430
|
+
GCP-native: Chronicle SIEM (Google's) — best GCP log integration
|
|
431
|
+
```
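Review bot: "Correlation: Detection rules — alert on patterns, not single events" is contradicted by the next section, where several of the PagerDuty-immediately rules are single events (`Public resource`, `New admin account`, `Privilege escalation`); suggest wording it as "correlate where a single event is ambiguous; high-confidence single events page directly". In the Tools list, Chronicle appears under both "Managed" and "GCP-native"; fold the two lines together (the product is now marketed as Google Security Operations).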
|
|
432
|
+
|
|
433
|
+
### Detection Rules (Critical Alerts — PagerDuty Immediately)
|
|
434
|
+
|
|
435
|
+
```
|
|
436
|
+
Brute force: >10 auth failures from same IP in 5 minutes
|
|
437
|
+
Credential stuffing: >5 failed logins across different accounts from same IP
|
|
438
|
+
Impossible travel: Login from country A, then country B within 2 hours
|
|
439
|
+
Mass data export: Single user exports >1000 records in 10 minutes
|
|
440
|
+
Privilege escalation: Role change granting admin-level access
|
|
441
|
+
New admin account: Any new user assigned admin/owner role
|
|
442
|
+
Off-hours admin: Admin action between 10PM-6AM (tune per org)
|
|
443
|
+
API key abuse: Single API key >10,000 requests in 1 hour
|
|
444
|
+
Secret access: Service accessing secrets it has never accessed before
|
|
445
|
+
Public resource: Cloud storage bucket or DB made publicly accessible
|
|
446
|
+
New external IP: Cloud Run service starts communicating with unknown external IP
|
|
447
|
+
```
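Review bot: the IP-keyed thresholds (`Brute force: >10 auth failures from same IP in 5 minutes`, `Credential stuffing: >5 failed logins across different accounts from same IP`) will page continuously from shared egress such as a corporate NAT or mobile carrier CGNAT; add the same "(tune per org)" caveat the Off-hours rule carries, key the brute-force rule on (IP, account) as well as IP alone, and maintain a known-egress allowlist. Each rule should also name the audit event it consumes from the logging section above (`access_denied`, `bulk_export`, `role_assigned`, `secret_accessed`, `api_key_created`), otherwise the two lists drift apart, and the threat-intel section that follows asks for detections to be mapped to ATT&CK but none of these rules carry a technique ID.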
|
|
448
|
+
|
|
449
|
+
### Threat Intelligence Integration
|
|
450
|
+
|
|
451
|
+
```
|
|
452
|
+
Feeds to consume:
|
|
453
|
+
MITRE ATT&CK: Adversary tactics, techniques, procedures (TTPs) — map detections to ATT&CK
|
|
454
|
+
CISA KEV: Known Exploited Vulnerabilities — patch these IMMEDIATELY (cisa.gov/kev)
|
|
455
|
+
NVD CVE: National Vulnerability Database — monitor for new critical CVEs
|
|
456
|
+
AlienVault OTX: Open threat intelligence — IP/domain/hash reputation
|
|
457
|
+
Shodan: Monitor your own external attack surface
|
|
458
|
+
PhishTank: Phishing URL feeds
|
|
459
|
+
|
|
460
|
+
Integration pattern:
|
|
461
|
+
Enrich every inbound IP in logs against threat intel feed (check reputation score)
|
|
462
|
+
Block known-bad IPs at WAF level automatically
|
|
463
|
+
Alert when traffic matches known malicious patterns (IoCs)
|
|
464
|
+
|
|
465
|
+
Tools: MISP (open source threat intel platform), OpenCTI, ThreatConnect
|
|
466
|
+
```
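Review bot: "Block known-bad IPs at WAF level automatically" needs a confidence threshold and a block TTL; raw feed hits include shared CDN, cloud NAT and VPN egress addresses, so an unconditional auto-block is a self-inflicted outage, and each automated block should itself be emitted as an audit event so the SIEM can show what was dropped and why. Minor: MITRE ATT&CK is a knowledge base rather than a feed to consume; the line reads better under its own heading ("map detections to ATT&CK") than in the feed list.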
|
|
467
|
+
|
|
468
|
+
---
|
|
469
|
+
|
|
470
|
+
## CRYPTOGRAPHY STANDARDS
|
|
471
|
+
|
|
472
|
+
### What to Use (2024)
|
|
473
|
+
|
|
474
|
+
```
|
|
475
|
+
Symmetric encryption: AES-256-GCM (authenticated encryption — integrity + confidentiality)
|
|
476
|
+
ChaCha20-Poly1305 (faster on mobile/embedded, same security)
|
|
477
|
+
Never: DES, 3DES, AES-ECB, RC4
|
|
478
|
+
|
|
479
|
+
Asymmetric: RSA-4096 (key exchange/signing) — prefer Ed25519 for new systems
|
|
480
|
+
Ed25519 / ECDSA P-256 (digital signatures — faster, smaller keys)
|
|
481
|
+
ECDH P-256 (key agreement)
|
|
482
|
+
Never: RSA < 2048, DSA, MD5/SHA1 for signing
|
|
483
|
+
|
|
484
|
+
Hashing: SHA-256 / SHA-3 for data integrity
|
|
485
|
+
BLAKE3 for performance-critical hashing
|
|
486
|
+
argon2id for password storage (never SHA/MD5 for passwords)
|
|
487
|
+
Never: MD5, SHA1 for security purposes
|
|
488
|
+
|
|
489
|
+
TLS: TLS 1.3 required. TLS 1.2 acceptable with restricted ciphers.
|
|
490
|
+
Never: SSL, TLS 1.0, TLS 1.1
|
|
491
|
+
Cipher suites: ECDHE + AES-128-GCM, ECDHE + AES-256-GCM, ECDHE + ChaCha20
|
|
492
|
+
|
|
493
|
+
Key management: GCP Cloud KMS or AWS KMS or HashiCorp Vault
|
|
494
|
+
Rotate encryption keys annually
|
|
495
|
+
Key hierarchy: Master Key → Data Encryption Keys → Data
|
|
496
|
+
FIPS 140-2 Level 3 HSM for financial/regulated workloads
|
|
497
|
+
|
|
498
|
+
JWT signing: RS256 (RSA) or ES256 (ECDSA) — never HS256 in multi-service arch
|
|
499
|
+
Key rotation: quarterly, with overlap period
|
|
500
|
+
```
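Review bot: key-rotation guidance is inconsistent within this block: `Rotate encryption keys annually` versus `Key rotation: quarterly, with overlap period` under JWT signing; state that the annual figure is for KMS key-encryption keys and the quarterly one for JWT signing keys, or unify them. `RSA-4096 (key exchange/signing)` should drop "key exchange": RSA key transport has no forward secrecy and is not in TLS 1.3, and the cipher-suite line already mandates ECDHE for that. `FIPS 140-2 Level 3 HSM` should read FIPS 140-3, which superseded 140-2. `Never: MD5, SHA1 for security purposes` duplicates the earlier `Never: RSA < 2048, DSA, MD5/SHA1 for signing` line. For the `never HS256 in multi-service arch` rule, add that verifiers must pin the expected `alg` rather than trust the token header, since an RS256 key is only as safe as the verifier that refuses an HS256 token signed with the public key.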
|
|
501
|
+
|
|
502
|
+
### Envelope Encryption Pattern
|
|
503
|
+
|
|
504
|
+
```python
|
|
505
|
+
# Google Cloud KMS envelope encryption
|
|
506
|
+
from google.cloud import kms
|
|
507
|
+
|
|
508
|
+
def encrypt_sensitive_field(plaintext: str, key_name: str) -> dict:
|
|
509
|
+
# 1. Generate a data encryption key (DEK) locally
|
|
510
|
+
import os
|
|
511
|
+
dek = os.urandom(32) # 256-bit AES key
|
|
512
|
+
|
|
513
|
+
# 2. Encrypt your data with the DEK
|
|
514
|
+
ciphertext = aes_gcm_encrypt(plaintext.encode(), dek)
|
|
515
|
+
|
|
516
|
+
# 3. Wrap (encrypt) the DEK with Cloud KMS master key
|
|
517
|
+
kms_client = kms.KeyManagementServiceClient()
|
|
518
|
+
wrapped_dek = kms_client.encrypt(name=key_name, plaintext=dek).ciphertext
|
|
519
|
+
|
|
520
|
+
# 4. Store: ciphertext + wrapped DEK (KMS key never leaves KMS)
|
|
521
|
+
return {"ciphertext": ciphertext.hex(), "wrapped_dek": wrapped_dek.hex()}
|
|
522
|
+
# Decrypt: unwrap DEK via KMS → decrypt ciphertext with DEK
|
|
523
|
+
```
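Review bot: the envelope-encryption snippet is not runnable and, as written, loses the information needed to decrypt: `aes_gcm_encrypt` is never defined, and AES-GCM requires a unique 96-bit nonce per encryption under a given key that must be stored with the ciphertext, but the returned dict has only `ciphertext` and `wrapped_dek`. Suggest using `AESGCM` from `cryptography.hazmat.primitives.ciphers.aead`, generating `nonce = os.urandom(12)`, passing the record or field identifier as associated data so a ciphertext cannot be swapped between rows, and returning the nonce alongside the other two values; move `import os` to module level. The comment `# KMS key never leaves KMS` is correct, but the plaintext DEK does exist in process memory, so add a note that it must never be logged or persisted and that the decrypt path (`Decrypt: unwrap DEK via KMS → decrypt ciphertext with DEK`) should be shown, since it is the half callers get wrong.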
|
|
524
|
+
|
|
525
|
+
---
|
|
526
|
+
|
|
527
|
+
## IDENTITY & ACCESS MANAGEMENT
|
|
528
|
+
|
|
529
|
+
### Privileged Access Management (PAM)
|
|
530
|
+
|
|
531
|
+
```
|
|
532
|
+
Just-In-Time (JIT) access:
|
|
533
|
+
Engineers request elevated access for specific task + timeframe
|
|
534
|
+
Auto-approved for standard ops, human approval for sensitive data access
|
|
535
|
+
Access expires automatically (1-8 hours, not permanent)
|
|
536
|
+
All actions logged with business justification
|
|
537
|
+
Tools: CyberArk, BeyondTrust, HashiCorp Boundary, GCP PAM (preview)
|
|
538
|
+
|
|
539
|
+
Service-to-service auth:
|
|
540
|
+
GCP: Workload Identity Federation (no service account keys)
|
|
541
|
+
AWS: IAM Roles for Service Accounts (IRSA)
|
|
542
|
+
On-prem: SPIFFE/SPIRE for workload identity
|
|
543
|
+
Never: long-lived service account keys stored in config
|
|
544
|
+
|
|
545
|
+
MFA Requirements (enforce in code, not just policy):
|
|
546
|
+
Admin access: FIDO2/Passkeys or hardware token (YubiKey) — TOTP not sufficient
|
|
547
|
+
Standard users: TOTP app minimum (Google Authenticator, Authy)
|
|
548
|
+
API access: API keys + IP allowlist + request signing
|
|
549
|
+
Never: SMS-based MFA for high-value accounts (SIM swap vulnerable)
|
|
550
|
+
```
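Review bot: under "MFA Requirements", the line `API access: API keys + IP allowlist + request signing` is not an MFA control and belongs with the service-to-service guidance above it; listing it here lets a reviewer tick "MFA" for API clients that have none. The JIT line `Auto-approved for standard ops` should state that auto-approval still requires the requester to have authenticated with the phishing-resistant factor mandated for admins (`FIDO2/Passkeys or hardware token`), otherwise a TOTP-only account can self-grant elevated access.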
|
|
551
|
+
|
|
552
|
+
### IAM Audit (Run Monthly)
|
|
553
|
+
|
|
554
|
+
```
|
|
555
|
+
Find over-privileged roles:
|
|
556
|
+
GCP: gcloud projects get-iam-policy PROJECT --format=json | analyze
|
|
557
|
+
AWS: IAM Access Analyzer + unused access findings
|
|
558
|
+
|
|
559
|
+
Check for:
|
|
560
|
+
□ Roles with * on resources (over-broad)
|
|
561
|
+
□ Service accounts with owner/editor (should be specific roles)
|
|
562
|
+
□ IAM access keys older than 90 days
|
|
563
|
+
□ Unused service accounts (no API activity >30 days → delete)
|
|
564
|
+
□ Users with direct permissions (should be via groups/roles)
|
|
565
|
+
□ Cross-account trust relationships (any unexpected?)
|
|
566
|
+
```
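Review bot: `gcloud projects get-iam-policy PROJECT --format=json | analyze` pipes into a command that does not exist; either name the tool (GCP's Policy Analyzer via `gcloud asset analyze-iam-policy`, or IAM Recommender for unused-permission findings) or mark `analyze` as a placeholder for your own script. `□ IAM access keys older than 90 days` conflicts with the PAM section's `Never: long-lived service account keys stored in config`; if keys are banned, the audit item should flag any user-managed service account key, with the 90-day rule kept only as a transitional threshold.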
|
|
567
|
+
|
|
568
|
+
---
|
|
569
|
+
|
|
570
|
+
## INCIDENT RESPONSE
|
|
571
|
+
|
|
572
|
+
### Severity Classification
|
|
573
|
+
|
|
574
|
+
```
|
|
575
|
+
P0 — Critical: Active breach, data exfil in progress, ransomware, service down
|
|
576
|
+
Response: 5min. War room immediately. CEO + Legal notified.
|
|
577
|
+
|
|
578
|
+
P1 — High: Suspected breach, critical vuln exploited, auth system compromised
|
|
579
|
+
Response: 15min. Security lead + engineering lead.
|
|
580
|
+
|
|
581
|
+
P2 — Medium: Anomalous behavior, failed exploitation attempt, compliance gap found
|
|
582
|
+
Response: 1 hour. Security team + affected service owner.
|
|
583
|
+
|
|
584
|
+
P3 — Low: Policy violation, low-severity CVE, config drift
|
|
585
|
+
Response: Next business day. Assigned owner.
|
|
586
|
+
```
|
|
587
|
+
|
|
588
|
+
### NIST Incident Response Framework
|
|
589
|
+
|
|
590
|
+
```
|
|
591
|
+
1. PREPARE:
|
|
592
|
+
□ IR plan documented + tested quarterly
|
|
593
|
+
□ Contact list: security team, legal, PR, executives, regulators
|
|
594
|
+
□ Forensic tools pre-installed (not scrambling to install during incident)
|
|
595
|
+
□ Evidence preservation procedures known to all engineers
|
|
596
|
+
□ Cyber insurance policy in place
|
|
597
|
+
|
|
598
|
+
2. IDENTIFY:
|
|
599
|
+
□ What happened? When did it start? (look for earliest indicator)
|
|
600
|
+
□ What systems are affected? (blast radius assessment)
|
|
601
|
+
□ Is it still ongoing? (contain before investigating)
|
|
602
|
+
□ Log preservation: export logs to isolated read-only bucket immediately
|
|
603
|
+
|
|
604
|
+
3. CONTAIN:
|
|
605
|
+
Short-term: Block attacker (IP ban, revoke credentials, isolate instance)
|
|
606
|
+
Long-term: Patch, fix configuration, rebuild if necessary
|
|
607
|
+
Do NOT shut everything down immediately — preserve evidence first
|
|
608
|
+
|
|
609
|
+
4. ERADICATE:
|
|
610
|
+
Remove all attacker persistence (backdoors, new user accounts, cron jobs)
|
|
611
|
+
Scan ALL systems — attackers often pivot from initial compromise
|
|
612
|
+
Reset all credentials that may have been exposed
|
|
613
|
+
Rotate all secrets (assume all secrets compromised)
|
|
614
|
+
|
|
615
|
+
5. RECOVER:
|
|
616
|
+
Restore from clean backups (verify backups are clean — attackers may have been in months)
|
|
617
|
+
Deploy patched/clean systems
|
|
618
|
+
Monitor intensively for 30 days post-recovery
|
|
619
|
+
Gradual return to service — don't rush
|
|
620
|
+
|
|
621
|
+
6. LESSONS LEARNED:
|
|
622
|
+
Blameless post-mortem within 72 hours
|
|
623
|
+
Root cause analysis (5 Whys)
|
|
624
|
+
Detection gap: why didn't we catch this sooner?
|
|
625
|
+
Prevention: specific fixes with owners and deadlines
|
|
626
|
+
Update runbooks + detection rules
|
|
627
|
+
```
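Review bot: the heading says "NIST Incident Response Framework" but the six steps (PREPARE, IDENTIFY, CONTAIN, ERADICATE, RECOVER, LESSONS LEARNED) are the SANS PICERL model; NIST SP 800-61 has four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity). Either retitle or restate in NIST's terms. Within the list, `Is it still ongoing? (contain before investigating)` and `Do NOT shut everything down immediately — preserve evidence first` read as contradictory; suggest wording CONTAIN as "isolate, do not power off": network isolation and credential revocation stop the attacker while keeping volatile evidence (memory, running processes, open connections) intact, which the `Forensic tools pre-installed` item under PREPARE is there to capture.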
|
|
628
|
+
|
|
629
|
+
### Breach Notification Requirements
|
|
630
|
+
|
|
631
|
+
```
|
|
632
|
+
GDPR: 72 hours to supervisory authority if personal data affected
|
|
633
|
+
CCPA: Reasonable notice to affected California residents
|
|
634
|
+
PCI DSS: Immediate notification to card brands (Visa, Mastercard) + acquiring bank
|
|
635
|
+
HIPAA: 60 days to HHS, affected individuals, and media (if >500 in a state)
|
|
636
|
+
India PDPB: 72 hours to Data Protection Board (when enacted)
|
|
637
|
+
SEC (US): 4 business days for material cybersecurity incidents (Rule 8-K)
|
|
638
|
+
RBI (India): Immediate to RBI CSITE + NPCI for payment system incidents
|
|
639
|
+
|
|
640
|
+
Prepare breach notification templates in advance. Legal review annually.
|
|
641
|
+
```
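Review bot: `India PDPB: 72 hours to Data Protection Board (when enacted)` is stale; India's Digital Personal Data Protection Act was enacted in 2023, so the line should reference the DPDP Act and its notification timeline rather than the withdrawn PDPB. `SEC (US): ... (Rule 8-K)` should read Form 8-K (Item 1.05), and the four business days run from the materiality determination, not from discovery; say so, because that distinction drives the internal clock. For GDPR, add the second obligation the 72-hour line omits: data subjects must be notified without undue delay when the breach is likely to result in high risk to them.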
|
|
642
|
+
|
|
643
|
+
---
|
|
644
|
+
|
|
645
|
+
## VULNERABILITY MANAGEMENT
|
|
646
|
+
|
|
647
|
+
### CVE Tracking & Patch SLAs
|
|
648
|
+
|
|
649
|
+
```
|
|
650
|
+
CVSS Score → Patch Timeline:
|
|
651
|
+
Critical (9.0-10.0): Patch within 24 hours. Emergency change if needed.
|
|
652
|
+
High (7.0-8.9): Patch within 7 days.
|
|
653
|
+
Medium (4.0-6.9): Patch within 30 days.
|
|
654
|
+
Low (0.1-3.9): Patch within 90 days.
|
|
655
|
+
|
|
656
|
+
CISA KEV overrides: Patch within 2 weeks regardless of CVSS (these are actively exploited).
|
|
657
|
+
|
|
658
|
+
Automation:
|
|
659
|
+
Renovate Bot: Auto-PRs for dependency updates (better than Dependabot — more flexible)
|
|
660
|
+
Trivy: Scan container images in CI, block critical CVEs
|
|
661
|
+
Snyk: Monitor production containers + code continuously
|
|
662
|
+
Grafeas: Artifact metadata and attestation (GCP-native)
|
|
663
|
+
```
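Review bot: `CISA KEV overrides: Patch within 2 weeks regardless of CVSS` conflicts with the threat-intel section (`CISA KEV ... patch these IMMEDIATELY`) and with the CVSS table two lines above it, under which a KEV entry rated Critical would be due in 24 hours; state the rule as "KEV entries are due at the earlier of their CVSS SLA and 14 days" so the override can only shorten a deadline. Under "Automation", Trivy is described as blocking critical CVEs in CI but nothing says where the fix-available and KEV flags come from; add that the CI gate should fail on KEV membership as well as on severity, since that is the signal this table says matters most.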
|
|
664
|
+
|
|
665
|
+
### SBOM (Software Bill of Materials)
|
|
666
|
+
|
|
667
|
+
```
|
|
668
|
+
Generate on every release:
|
|
669
|
+
Node.js: cyclonedx-node-npm --output-file sbom.json
|
|
670
|
+
Python: cyclonedx-py -p -e -o sbom.json
|
|
671
|
+
Java: CycloneDX Maven/Gradle plugin
|
|
672
|
+
Docker: syft image:tag -o cyclonedx-json=sbom.json
|
|
673
|
+
|
|
674
|
+
Store in artifact registry alongside each release.
|
|
675
|
+
Required by: US Executive Order 14028, EU Cyber Resilience Act, PCI DSS 4.0.
|
|
676
|
+
Enables: rapid "do we use Log4j?" type queries during zero-day events.
|
|
677
|
+
```
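Review bot: the `cyclonedx-py -p -e -o sbom.json` invocation mixes flags that depend on the cyclonedx-bom major version (recent releases use subcommands such as `cyclonedx-py environment`); pin the tool version in the doc or show the subcommand form. `Required by: US Executive Order 14028, EU Cyber Resilience Act, PCI DSS 4.0` overstates: EO 14028 applies to software sold to US federal agencies and PCI DSS 4.0 asks for a component inventory rather than a CycloneDX document, so "expected by" with the scope noted is more accurate. Storing the SBOM in the artifact registry is right, but an unsigned SBOM can be replaced along with the artifact; tie this to the Grafeas attestation line above by signing the SBOM as an attestation on the image digest.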
|
|
678
|
+
|
|
679
|
+
---
|
|
680
|
+
|
|
681
|
+
## COMPLIANCE FRAMEWORKS
|
|
682
|
+
|
|
683
|
+
### SOC 2 Type II (Most Important for SaaS)
|
|
684
|
+
|
|
685
|
+
```
|
|
686
|
+
Trust Services Criteria:
|
|
687
|
+
Security: CC6 — Logical access, CC7 — System operations, CC8 — Change management
|
|
688
|
+
Availability: Uptime SLAs, disaster recovery, capacity planning
|
|
689
|
+
Confidentiality: Data classification, encryption, access controls
|
|
690
|
+
Processing Integrity: Complete, accurate, timely processing
|
|
691
|
+
Privacy: GDPR/CCPA alignment, consent management
|
|
692
|
+
|
|
693
|
+
Controls required (sample):
|
|
694
|
+
□ All access requires MFA
|
|
695
|
+
□ Background checks for all employees with system access
|
|
696
|
+
□ Annual security training for all staff
|
|
697
|
+
□ Penetration test annually
|
|
698
|
+
□ Business continuity plan tested annually
|
|
699
|
+
□ Incident response tested quarterly
|
|
700
|
+
□ Vendor security assessments for critical vendors
|
|
701
|
+
□ Encryption at rest and in transit
|
|
702
|
+
□ Change management process documented
|
|
703
|
+
□ Vulnerability management program with SLAs
|
|
704
|
+
|
|
705
|
+
Tools:
|
|
706
|
+
Vanta: Best automated SOC2 prep (<user> already using). ~$15K/yr. Gets to audit-ready fastest.
|
|
707
|
+
Drata: Vanta competitor, good integrations.
|
|
708
|
+
Secureframe: Strong for early-stage.
|
|
709
|
+
Manual: Feasible but 10x more work.
|
|
710
|
+
|
|
711
|
+
Timeline: SOC2 Type I in 3 months (controls exist). Type II in 12 months (controls operated for period).
|
|
712
|
+
```
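Review bot: `Vanta: Best automated SOC2 prep (<user> already using). ~$15K/yr.` ships a template placeholder (`<user>`) and a price quote into a published skill; replace the placeholder with a neutral phrasing and either source the price or drop it. `Timeline: SOC2 Type I in 3 months ... Type II in 12 months` should note that the Type II observation window is set with the auditor and commonly ranges from 3 to 12 months, so 12 is an upper bound rather than the requirement.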
|
|
713
|
+
|
|
714
|
+
### PCI DSS 4.0 (If Handling Card Data)
|
|
715
|
+
|
|
716
|
+
```
|
|
717
|
+
Key requirements for SaaS (Level 4 — <20K transactions):
|
|
718
|
+
□ Never store raw PANs, CVV, or full magnetic stripe
|
|
719
|
+
□ Tokenize: use Stripe.js/Elements — card data never touches your server
|
|
720
|
+
□ WAF protecting all web-facing systems
|
|
721
|
+
□ Vulnerability scanning quarterly (ASV scan)
|
|
722
|
+
□ Penetration test annually
|
|
723
|
+
□ Maintain audit logs 12 months
|
|
724
|
+
□ MFA for all non-consumer access
|
|
725
|
+
□ Encrypt cardholder data in transit (TLS 1.2+)
|
|
726
|
+
□ Self-Assessment Questionnaire (SAQ A or SAQ A-EP for most SaaS)
|
|
727
|
+
|
|
728
|
+
Best advice: Use Stripe.js + Stripe Elements. Never touch raw card data. Reduces scope to SAQ A.
|
|
729
|
+
```
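Review bot: `□ Encrypt cardholder data in transit (TLS 1.2+)` is the PCI floor but is weaker than this document's own standard (`TLS: TLS 1.3 required. TLS 1.2 acceptable with restricted ciphers.`); restate it as TLS 1.3, with 1.2 only for legacy integrations and only with the ECDHE/AEAD suites listed in the crypto section, so the two sections cannot be cited against each other. `Reduces scope to SAQ A` holds only while the payment form is fully hosted by the provider (iframe or redirect); add that any script on the merchant page that can touch the card fields moves the merchant to SAQ A-EP, which is why the `SAQ A or SAQ A-EP` line above exists.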
|
|
730
|
+
|
|
731
|
+
### GDPR / Data Privacy
|
|
732
|
+
|
|
733
|
+
```
|
|
734
|
+
Core requirements:
|
|
735
|
+
□ Lawful basis for processing (consent, contract, legitimate interest, etc.)
|
|
736
|
+
□ Data subject rights: access, rectification, erasure ("right to be forgotten"), portability
|
|
737
|
+
□ Privacy by design: collect minimum data, purpose limitation
|
|
738
|
+
□ Data Processing Agreements (DPAs) with all sub-processors
|
|
739
|
+
□ Records of Processing Activities (ROPA) — document what you process and why
|
|
740
|
+
□ 72-hour breach notification to supervisory authority
|
|
741
|
+
□ DPIA (Data Protection Impact Assessment) for high-risk processing
|
|
742
|
+
□ Cookie consent — real consent, not dark patterns
|
|
743
|
+
|
|
744
|
+
Technical implementation:
|
|
745
|
+
Data inventory: Every field of every table — classify: PII / sensitive / public
|
|
746
|
+
Erasure: User delete → anonymize or delete all PII across all tables + backups
|
|
747
|
+
Portability: Export user data as machine-readable JSON/CSV on request
|
|
748
|
+
Data residency: EU personal data must stay in EU (or adequate third country)
|
|
749
|
+
Consent logging: Timestamp, IP, consent text version for every consent collected
|
|
750
|
+
```
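Review bot: `Erasure: User delete → anonymize or delete all PII across all tables + backups` is not achievable for immutable backups; the workable pattern is to document backup retention, re-apply erasure on restore, or use crypto-shredding (destroy the per-user or per-record DEK from the envelope-encryption section so the backed-up ciphertext becomes unreadable). `Data residency: EU personal data must stay in EU (or adequate third country)` overstates GDPR: transfers outside the EU are permitted under an adequacy decision, Standard Contractual Clauses or Binding Corporate Rules, and the control to document is which mechanism covers each sub-processor in the DPA list above.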
|
|
751
|
+
|
|
752
|
+
---
|
|
753
|
+
|
|
754
|
+
## FRAUD DETECTION & FINANCIAL CRIME (<project>-Specific)
|
|
755
|
+
|
|
756
|
+
### Real-Time Fraud Signal Architecture
|
|
757
|
+
|
|
758
|
+
```
|
|
759
|
+
Transaction Event → Feature Extraction → Risk Scoring → Decision → Action
|
|
760
|
+
↓ ↓
|
|
761
|
+
[Feature Store] [ML Model + Rules]
|
|
762
|
+
↓
|
|
763
|
+
velocity, device, IP, behavior, history
|
|
764
|
+
|
|
765
|
+
Signal categories:
|
|
766
|
+
Velocity: transactions per hour/day, amount per period, new payee frequency
|
|
767
|
+
Device: device fingerprint, new device, rooted/jailbroken, emulator detected
|
|
768
|
+
Location: IP geolocation, distance from last transaction, impossible travel
|
|
769
|
+
Behavior: typing speed, session duration, navigation pattern (vs baseline)
|
|
770
|
+
Network: VPN/proxy/Tor detected, datacenter IP, known fraud IP
|
|
771
|
+
Identity: name/address/phone mismatch, synthetic identity signals
|
|
772
|
+
Transaction: unusual amount (vs history), unusual merchant, round amounts, split transactions
|
|
773
|
+
```
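Review bot: the heading `## FRAUD DETECTION & FINANCIAL CRIME (<project>-Specific)` leaks a template placeholder (`<project>`) into the published skill; fill it in or drop the parenthetical. Under "Signal categories", `Behavior: typing speed, session duration, navigation pattern (vs baseline)` is behavioral profiling of identifiable users and, for EU users, is the kind of high-risk processing the GDPR section above says needs a DPIA and a documented lawful basis; note that dependency here so the fraud feature store is not built ahead of the privacy review.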
|
|
774
|
+
|
|
775
|
+
### Fraud Rule Engine Design
|
|
776
|
+
|
|
777
|
+
```
|
|
778
|
+
Priority execution:
|
|
779
|
+
P0 Hard Block: Stolen card list, OFAC sanctions match, known fraud device → instant deny
|
|
780
|
+
P1 Hard Block: Velocity limit exceeded, impossible travel, known fraud IP → instant deny
|
|
781
|
+
P2 Soft Block: ML score > 0.9 → step-up auth (OTP required)
|
|
782
|
+
P3 Review: ML score 0.7-0.9 → human review queue
|
|
783
|
+
P4 Monitor: ML score 0.4-0.7 → flag for pattern analysis
|
|
784
|
+
P5 Allow: ML score < 0.4 → approve (standard risk)
|
|
785
|
+
|
|
786
|
+
Rule governance:
|
|
787
|
+
Every rule: owner, creation date, last review date, hit rate, precision/recall
|
|
788
|
+
Rules reviewed monthly — prune low-precision rules, add new patterns
|
|
789
|
+
A/B test rule changes — never deploy blind
|
|
790
|
+
False positive rate target: <0.5% (every false positive = lost revenue + angry customer)
|
|
791
|
+
```
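Review bot: the tier boundaries overlap (`P2 ... > 0.9`, `P3 ... 0.7-0.9`, `P4 ... 0.4-0.7`, `P5 ... < 0.4`), so a score of exactly 0.9, 0.7 or 0.4 matches two tiers; write them as half-open intervals. The ordering is also worth a second look: the highest-risk band (`ML score > 0.9 → step-up auth (OTP required)`) is cleared by an automated OTP while the lower band goes to a human, and an SMS OTP is exactly the factor the IAM section flags as SIM-swap vulnerable; consider routing the top band to deny-or-review and stating which OTP channel is meant.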
|
|
792
|
+
|
|
793
|
+
### AML (Anti-Money Laundering) Technical Controls
|
|
794
|
+
|
|
795
|
+
```
|
|
796
|
+
Structuring detection: Transactions just below reporting thresholds (e.g., $9,900)
|
|
797
|
+
Alert: 3+ transactions in 24h summing to >$10K per user
|
|
798
|
+
|
|
799
|
+
Layering detection: Rapid fund movement across multiple accounts
|
|
800
|
+
Alert: Money in → out to different account within 1 hour
|
|
801
|
+
|
|
802
|
+
Round-tripping: Funds leaving and returning to same source
|
|
803
|
+
Graph analysis: detect cycles in transaction graph
|
|
804
|
+
|
|
805
|
+
SAR filing: Automated SAR (Suspicious Activity Report) generation
|
|
806
|
+
File with FinCEN within 30 days of detection (US requirement)
|
|
807
|
+
Store SAR data with 5-year retention
|
|
808
|
+
|
|
809
|
+
KYC integration: Identity verification at onboarding (Jumio, Onfido, Persona)
|
|
810
|
+
Enhanced due diligence for high-risk users (PEPs, high-volume)
|
|
811
|
+
Ongoing monitoring: re-verify on behavior change triggers
|
|
812
|
+
```
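Review bot: `Alert: 3+ transactions in 24h summing to >$10K per user` hard-codes the US CTR threshold, but the notification section also lists RBI/NPCI obligations; parameterize the threshold per jurisdiction and currency rather than baking `$10K` into the rule. `File with FinCEN within 30 days of detection` should say 30 calendar days from initial detection, extendable to 60 when no suspect has been identified, since that extension is what most automated SAR pipelines need to model. For `Graph analysis: detect cycles in transaction graph`, state the window and minimum cycle length the rule uses; an unbounded cycle search over the full history is both expensive and noisy.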
|
|
813
|
+
|
|
814
|
+
---
|
|
815
|
+
|
|
816
|
+
## SECURITY METRICS (MEASURE THESE)
|
|
817
|
+
|
|
818
|
+
```
|
|
819
|
+
Detection:
|
|
820
|
+
MTTD: Mean Time to Detect — target <1 hour for critical events
|
|
821
|
+
Alert fidelity: True positive rate of security alerts — target >30% (tune to reduce noise)
|
|
822
|
+
Coverage: % of attack surface with detection rules
|
|
823
|
+
|
|
824
|
+
Response:
|
|
825
|
+
MTTR: Mean Time to Respond — target <4 hours for P0/P1
|
|
826
|
+
MTTC: Mean Time to Contain — stop ongoing attack — target <30 min for P0
|
|
827
|
+
|
|
828
|
+
Prevention:
|
|
829
|
+
Patch compliance: % of critical CVEs patched within SLA — target 100% for critical
|
|
830
|
+
Vuln backlog: Open vulnerabilities by severity — track weekly, trending down
|
|
831
|
+
Security debt: Security findings in code — track like technical debt
|
|
832
|
+
|
|
833
|
+
Posture:
|
|
834
|
+
Cloud compliance score: CSPM findings — target 0 critical, <10 high
|
|
835
|
+
Pen test findings: Track findings year-over-year — should decrease
|
|
836
|
+
Security training: % staff completed annual training — target 100%
|
|
837
|
+
|
|
838
|
+
Report to leadership: Monthly 1-page security scorecard. Executives must see these numbers.
|
|
839
|
+
```
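Review bot: `MTTR: Mean Time to Respond` is ambiguous next to `MTTC: Mean Time to Contain`; MTTR is commonly read as Mean Time to Resolve or Remediate, so define the endpoint (first responder action, or incident closed) or the `<4 hours for P0/P1` target cannot be compared across teams. `Coverage: % of attack surface with detection rules` has no stated denominator; suggest "% of ATT&CK techniques relevant to the stack with at least one rule", which ties back to the ATT&CK mapping the threat-intel section asks for and is measurable.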
|