@qazuor/claude-code-config 0.1.0

package/templates/skills/audit/security-audit.md

@@ -0,0 +1,217 @@
+---
+name: security-audit
+category: audit
+description: Comprehensive security audit covering OWASP Top 10, authentication, authorization, data protection, and penetration testing
+usage: Use for comprehensive security review before deployment, after major changes, or as part of regular security assessments
+input: Codebase, API endpoints, authentication system, database schema, infrastructure configuration
+output: Security audit report with severity-categorized findings, remediation steps, and compliance status
+config_required:
+  - target_environment: "Environment to audit (dev/staging/production)"
+  - compliance_requirements: "GDPR, PCI-DSS, HIPAA, SOC2, etc."
+  - security_tools: "OWASP ZAP, Snyk, npm audit, etc."
+  - authentication_system: "JWT, OAuth, Session-based, etc."
+  - scan_depth: "quick (30min), standard (60min), comprehensive (90min)"
+---
+
+# Security Audit
+
+## Purpose
+
+Comprehensive security audit combining vulnerability assessment, code review, and penetration testing simulation.
+
+**Category**: Audit
+**Primary Users**: tech-lead
+**Coordinates**: Security reviews and vulnerability assessments
+
+## When to Use
+
+- Before production deployment
+- After implementing security-critical features
+- Regular security assessments (quarterly recommended)
+- After security incidents or breaches
+- Before handling sensitive data (PII, payments)
+- When compliance requirements mandate audits
+
+## Configuration
+
+| Setting | Description | Example |
+|---------|-------------|---------|
+| target_environment | Environment to audit | `production`, `staging` |
+| compliance_requirements | Required compliance standards | `GDPR, PCI-DSS, HIPAA` |
+| security_tools | Tools available for scanning | `npm audit, Snyk, OWASP ZAP` |
+| authentication_system | Auth implementation type | `JWT, OAuth2, session-based` |
+| scan_depth | Audit thoroughness level | `quick`, `standard`, `comprehensive` |
+| previous_audit_date | Last audit date for comparison | `2024-09-15` |
+
+## Audit Areas
+
+| Area | Key Checks | Output |
+|------|------------|--------|
+| **Authentication & Authorization** | Password hashing, session management, token security, RBAC, MFA, brute-force protection | Auth security score, vulnerabilities, recommendations |
+| **Input Validation** | Schema validation, SQL injection prevention, XSS prevention, CSRF protection, file upload validation | Coverage %, vulnerabilities, gaps |
+| **Data Protection** | Encryption at rest/transit, secrets management, PII handling, GDPR compliance, secure deletion | Compliance %, privacy issues, encryption gaps |
+| **API Security** | Rate limiting, authentication, CORS, versioning, error messages, security headers | API security score, exposed endpoints |
+| **Infrastructure** | Environment variables, secrets management, container security, dependency vulnerabilities, TLS/SSL | Configuration issues, dependencies audit |
+| **Code Security** | Error handling, hardcoded secrets, secure patterns, type safety, safe deserialization | Code security score, pattern violations |
+| **Frontend Security** | XSS prevention, CSP, SRI, third-party scripts, cookie security, clickjacking protection | Frontend security score, browser vulnerabilities |
+| **Penetration Testing** | Auth bypass, privilege escalation, injection probes, CSRF simulation, session hijacking | Exploitable vulnerabilities, risk assessment |
+
+## Workflow
+
+### 1. Preparation (10min)
+
+- Review codebase structure and critical endpoints
+- Map authentication flows
+- List third-party integrations
+- Configure security scanners
+
+### 2. Automated Scanning (15min)
+
+```bash
+# Dependency audit
+npm audit --audit-level moderate
+pnpm audit --audit-level moderate
+
+# Code scanning
+# Run ESLint security rules
+# Check for hardcoded secrets
+# Analyze dependencies
+```
+
+### 3. Manual Review (30min)
+
+**Authentication Review:**
+- Inspect password hashing
+- Review session management
+- Validate RBAC implementation
+
+**API Security Review:**
+- Check rate limiting and CORS
+- Validate input validation
+- Test error handling
+
+**Data Protection Review:**
+- Verify encryption usage
+- Check secrets management
+- Review logging practices
+
+### 4. Penetration Testing (20min)
+
+**Authentication Tests:**
+- Try common passwords, session fixation, token manipulation
+
+**Injection Tests:**
+- SQL injection, XSS payloads, command injection
+
+**Authorization Tests:**
+- Privilege escalation, direct object reference, path traversal
+
+### 5. Reporting (15min)
+
+**Categorize Findings:**
+- **Critical:** Immediate fix required (RCE, SQLi, auth bypass)
+- **High:** Fix before deployment (XSS, sensitive data leak)
+- **Medium:** Fix soon (weak encryption, missing headers)
+- **Low:** Best practice improvements
+
+## Report Template
+
+```markdown
+# Security Audit Report
+
+**Date:** YYYY-MM-DD
+**Environment:** [environment]
+**OWASP Compliance Target:** Top 10 2021
+
+## Executive Summary
+
+- Overall Security Score: X/100
+- Critical Issues: X
+- High Issues: X
+- Medium Issues: X
+- Low Issues: X
+
+## Findings by Severity
+
+### Critical (Immediate Action Required)
+
+1. **[Finding Title]**
+   - Severity: Critical
+   - Location: [File/Endpoint]
+   - Description: [Details]
+   - Impact: [Security risk]
+   - Remediation: [Fix steps]
+   - References: [OWASP/CVE links]
+
+## OWASP Top 10 Compliance
+
+- [ ] A01:2021 - Broken Access Control
+- [ ] A02:2021 - Cryptographic Failures
+- [ ] A03:2021 - Injection
+- [ ] A04:2021 - Insecure Design
+- [ ] A05:2021 - Security Misconfiguration
+- [ ] A06:2021 - Vulnerable Components
+- [ ] A07:2021 - Identification & Authentication Failures
+- [ ] A08:2021 - Software & Data Integrity Failures
+- [ ] A09:2021 - Security Logging & Monitoring Failures
+- [ ] A10:2021 - Server-Side Request Forgery
+
+## Recommendations
+
+1. **Immediate Actions** (Critical/High)
+2. **Short-term Improvements** (Medium)
+3. **Long-term Enhancements** (Low)
+
+## Next Steps
+
+1. Address critical issues immediately
+2. Schedule high-priority fixes
+3. Create issues for medium/low items
+4. Re-audit after fixes
+5. Schedule next audit (quarterly)
+```
+
+## Severity Definitions
+
+| Severity | Definition | Examples | Timeframe |
+|----------|------------|----------|-----------|
+| **Critical** | Allows unauthorized access or data breach | RCE, SQL injection, auth bypass | Immediate |
+| **High** | Significant security impact | XSS, sensitive data leak, broken access control | Before deployment |
+| **Medium** | Moderate security risk | Weak encryption, missing headers, info disclosure | Next sprint |
+| **Low** | Best practice violation | Logging issues, monitoring gaps, hardening | Backlog |
+
+## OWASP Top 10 Checklist
+
+1. **Broken Access Control** - RBAC enforcement, direct object references
+2. **Cryptographic Failures** - Strong encryption, secure key management
+3. **Injection** - Input validation, parameterized queries, output encoding
+4. **Insecure Design** - Threat modeling, secure architecture patterns
+5. **Security Misconfiguration** - Secure defaults, minimal features enabled
+6. **Vulnerable Components** - Dependency updates, CVE monitoring
+7. **Authentication Failures** - Strong passwords, session security, MFA
+8. **Data Integrity Failures** - Secure deserialization, signed updates
+9. **Logging Failures** - Comprehensive logging, tamper-proof logs
+10. **SSRF** - URL validation, network segmentation
+
+## Success Criteria
+
+- All critical and high-severity issues identified
+- OWASP Top 10 compliance validated
+- Remediation steps provided for all findings
+- Security score calculated and documented
+- Report delivered in actionable format
+
+## Best Practices
+
+1. Run audits regularly, not just before deployment
+2. Track remediation with issues/tickets
+3. Compare with previous audits for trend analysis
+4. Automate security scans in CI/CD
+5. Document accepted risks and exceptions
+6. Re-audit after fixes to verify effectiveness
+
+## Related Skills
+
+- [security-testing](../testing/security-testing.md) - Development testing
+- [qa-criteria-validator](../qa/qa-criteria-validator.md) - Acceptance validation
+- [tdd-methodology](../patterns/tdd-methodology.md) - Secure development

package/templates/skills/auth/nextauth-patterns.md

@@ -0,0 +1,308 @@
+---
+name: auth-patterns
+category: auth
+description: Authentication patterns for Next.js and React applications
+usage: Use when implementing authentication with OAuth, credentials, or session management
+input: Auth provider, session strategy, protected routes
+output: Auth configuration, middleware, hooks, components
+config_required:
+  auth_library: "Authentication library being used"
+  auth_providers: "OAuth providers (GitHub, Google, etc.) or credentials"
+  session_strategy: "Session strategy (JWT, database, etc.)"
+  protected_routes: "Routes requiring authentication"
+  database_adapter: "Database adapter if using database sessions"
+---
+
+# Auth Patterns
+
+## ⚙️ Configuration
+
+| Setting | Description | Example |
+|---------|-------------|---------|
+| `auth_library` | Authentication library | NextAuth.js, Auth0, Clerk, Supabase Auth |
+| `auth_providers` | OAuth providers or credentials | GitHub, Google, Credentials |
+| `session_strategy` | How sessions are stored | JWT, database |
+| `protected_routes` | Routes requiring auth | `/dashboard`, `/admin/*` |
+| `database_adapter` | Database adapter for sessions | Prisma, Drizzle, none |
+
+## Purpose
+
+Implement secure authentication with:
+- Multiple authentication providers
+- Protected routes and middleware
+- Role-based access control
+- Type-safe session management
+
+## Core Setup
+
+### Auth Configuration
+
+```typescript
+// lib/auth.ts
+import NextAuth from 'next-auth';
+import GitHub from 'next-auth/providers/github';
+import Credentials from 'next-auth/providers/credentials';
+import { PrismaAdapter } from '@auth/prisma-adapter';
+import { db } from '@/lib/db';
+
+export const { handlers, signIn, signOut, auth } = NextAuth({
+  adapter: PrismaAdapter(db),
+  session: { strategy: 'jwt' }, // or 'database'
+  pages: {
+    signIn: '/login',
+    error: '/auth/error',
+  },
+  providers: [
+    GitHub({
+      clientId: process.env.GITHUB_ID!,
+      clientSecret: process.env.GITHUB_SECRET!,
+    }),
+    Credentials({
+      credentials: {
+        email: { type: 'email' },
+        password: { type: 'password' },
+      },
+      async authorize(credentials) {
+        const user = await validateCredentials(credentials);
+        return user ?? null;
+      },
+    }),
+  ],
+  callbacks: {
+    async jwt({ token, user }) {
+      if (user) {
+        token.id = user.id;
+        token.role = user.role;
+      }
+      return token;
+    },
+    async session({ session, token }) {
+      if (session.user) {
+        session.user.id = token.id as string;
+        session.user.role = token.role as string;
+      }
+      return session;
+    },
+  },
+});
+```
+
+### Type Extensions
+
+```typescript
+// types/auth.d.ts
+declare module 'next-auth' {
+  interface Session {
+    user: {
+      id: string;
+      role: string;
+    } & DefaultSession['user'];
+  }
+}
+```
+
+## Route Protection
+
+### Middleware
+
+```typescript
+// middleware.ts
+import { auth } from '@/lib/auth';
+import { NextResponse } from 'next/server';
+
+export default auth((req) => {
+  const { pathname } = req.nextUrl;
+  const isLoggedIn = !!req.auth;
+  const isAdmin = req.auth?.user?.role === 'admin';
+
+  // Public routes
+  const publicRoutes = ['/', '/login', '/register'];
+  if (publicRoutes.some((route) => pathname.startsWith(route))) {
+    return NextResponse.next();
+  }
+
+  // Redirect unauthenticated users
+  if (!isLoggedIn) {
+    const url = new URL('/login', req.url);
+    url.searchParams.set('callbackUrl', pathname);
+    return NextResponse.redirect(url);
+  }
+
+  // Admin-only routes
+  if (pathname.startsWith('/admin') && !isAdmin) {
+    return NextResponse.redirect(new URL('/unauthorized', req.url));
+  }
+
+  return NextResponse.next();
+});
+```
+
+### Server Components
+
+```typescript
+// app/dashboard/page.tsx
+import { auth } from '@/lib/auth';
+import { redirect } from 'next/navigation';
+
+export default async function DashboardPage() {
+  const session = await auth();
+  if (!session) redirect('/login');
+
+  return <div>Welcome, {session.user.name}</div>;
+}
+```
+
+## Client Components
+
+### Session Provider
+
+```typescript
+// app/providers.tsx
+'use client';
+import { SessionProvider } from 'next-auth/react';
+
+export function Providers({ children }: { children: React.ReactNode }) {
+  return <SessionProvider>{children}</SessionProvider>;
+}
+```
+
+### Login Form
+
+```typescript
+'use client';
+import { signIn } from 'next-auth/react';
+import { useRouter } from 'next/navigation';
+
+export function LoginForm() {
+  const router = useRouter();
+  const [error, setError] = useState<string | null>(null);
+
+  const handleSubmit = async (e: React.FormEvent<HTMLFormElement>) => {
+    e.preventDefault();
+    const formData = new FormData(e.currentTarget);
+
+    const result = await signIn('credentials', {
+      email: formData.get('email'),
+      password: formData.get('password'),
+      redirect: false,
+    });
+
+    if (result?.error) {
+      setError('Invalid credentials');
+      return;
+    }
+
+    router.push('/dashboard');
+    router.refresh();
+  };
+
+  return (
+    <form onSubmit={handleSubmit}>
+      {error && <div className="error">{error}</div>}
+      <input name="email" type="email" required />
+      <input name="password" type="password" required />
+      <button type="submit">Sign in</button>
+      <button type="button" onClick={() => signIn('github')}>
+        GitHub
+      </button>
+    </form>
+  );
+}
+```
+
+## Role-Based Access
+
+### Permission Check
+
+```typescript
+// lib/permissions.ts
+export async function checkPermission(permission: string): Promise<boolean> {
+  const session = await auth();
+  if (!session) return false;
+
+  const rolePermissions: Record<string, string[]> = {
+    admin: ['read', 'write', 'delete', 'manage_users'],
+    moderator: ['read', 'write', 'delete'],
+    user: ['read', 'write'],
+  };
+
+  return rolePermissions[session.user.role]?.includes(permission) ?? false;
+}
+
+// Usage
+export default async function ManageUsersPage() {
+  const canManage = await checkPermission('manage_users');
+  if (!canManage) redirect('/unauthorized');
+  // ...
+}
+```
+
+### Higher-Order Component
+
+```typescript
+export function withAuth<P extends object>(
+  Component: ComponentType<P>,
+  allowedRoles?: string[]
+) {
+  return async function AuthenticatedComponent(props: P) {
+    const session = await auth();
+    if (!session) redirect('/login');
+    if (allowedRoles && !allowedRoles.includes(session.user.role)) {
+      redirect('/unauthorized');
+    }
+    return <Component {...props} session={session} />;
+  };
+}
+
+// Usage
+const AdminPage = withAuth(AdminDashboard, ['admin']);
+```
+
+## Server Actions
+
+```typescript
+'use server';
+import { signIn, signOut } from '@/lib/auth';
+import { AuthError } from 'next-auth';
+
+export async function authenticate(formData: FormData) {
+  try {
+    await signIn('credentials', formData);
+  } catch (error) {
+    if (error instanceof AuthError) {
+      return error.type === 'CredentialsSignin'
+        ? 'Invalid credentials'
+        : 'Something went wrong';
+    }
+    throw error;
+  }
+}
+
+export async function handleSignOut() {
+  await signOut({ redirectTo: '/' });
+}
+```
+
+## Best Practices
+
+| Practice | Description |
+|----------|-------------|
+| **JWT for Stateless** | Use JWT for stateless auth, database sessions for revocable sessions |
+| **Type Safety** | Extend auth types for custom properties |
+| **Middleware Protection** | Use middleware for route-level protection |
+| **Environment Variables** | Store secrets securely in env vars |
+| **Callbacks** | Customize tokens and sessions via callbacks |
+| **Error Handling** | Handle auth errors gracefully with user feedback |
+
+## When to Use
+
+- Next.js applications requiring authentication
+- OAuth integration (GitHub, Google, etc.)
+- Role-based access control
+- Multi-tenant applications
+- Session management
+
+## Related Skills
+
+- `error-handling-patterns` - Handle auth errors
+- `web-app-testing` - Test auth flows