@qazuor/claude-code-config 0.1.0

package/templates/skills/testing/performance-testing.md

@@ -0,0 +1,275 @@
+---
+name: performance-testing
+category: testing
+description: Performance testing methodology for database, API, and frontend with benchmarks and optimization
+usage: Use to identify bottlenecks, validate performance targets, and optimize operations
+input: Application components, performance budgets, baseline metrics
+output: Performance reports, bottleneck analysis, optimization recommendations
+config_required:
+  - DB_QUERY_TARGET: "Maximum acceptable query time (e.g., 100ms)"
+  - API_RESPONSE_TARGET: "Maximum API response time p95 (e.g., 200ms)"
+  - FRONTEND_LCP_TARGET: "Largest Contentful Paint target (e.g., 2.5s)"
+  - BUNDLE_SIZE_TARGET: "Maximum bundle size (e.g., 500KB gzipped)"
+  - THROUGHPUT_TARGET: "Minimum requests per second (e.g., 1000 req/s)"
+---
+
+# Performance Testing
+
+## ⚙️ Configuration
+
+| Setting | Description | Example |
+|---------|-------------|---------|
+| DB_QUERY_TARGET | Max query time (p95) | `100ms` |
+| API_RESPONSE_TARGET | Max API response (p95) | `200ms` |
+| FRONTEND_LCP_TARGET | Largest Contentful Paint | `2.5s` |
+| FRONTEND_FID_TARGET | First Input Delay | `100ms` |
+| FRONTEND_CLS_TARGET | Cumulative Layout Shift | `0.1` |
+| BUNDLE_SIZE_TARGET | Max bundle size (gzipped) | `500KB` |
+| THROUGHPUT_TARGET | Min requests/second | `1000 req/s` |
+| ERROR_RATE_TARGET | Max error rate | `0.1%` |
+
+## Purpose
+
+Systematic performance testing and optimization across database, API, and frontend layers.
+
+## Capabilities
+
+- Identify slow database queries
+- Test API response times under load
+- Measure Core Web Vitals
+- Analyze bundle sizes
+- Detect N+1 query problems
+- Test rendering performance
+- Generate performance reports
+
+## Workflow
+
+### 1. Database Performance Testing
+
+**Actions:**
+1. Enable query logging
+2. Identify slow queries (> {{DB_QUERY_TARGET}})
+3. Run EXPLAIN on slow queries
+4. Check for:
+   - N+1 query problems
+   - Missing indexes
+   - Full table scans
+   - Unnecessary SELECT *
+5. Optimize:
+   - Add indexes
+   - Use eager loading
+   - Implement pagination
+   - Select specific columns
+
+**Validation:**
+- [ ] All queries < {{DB_QUERY_TARGET}} (p95)
+- [ ] No N+1 patterns
+- [ ] Indexes used effectively
+- [ ] Pagination on large datasets
+
+**Example Test:**
+
+```typescript
+import { describe, it, expect } from 'your-test-framework';
+import { db } from '@/db';
+
+describe('Database Performance', () => {
+  it('should fetch items in < {{DB_QUERY_TARGET}}', async () => {
+    const startTime = performance.now();
+
+    await db.items.findMany({
+      limit: 100,
+      with: { relations: true }
+    });
+
+    const duration = performance.now() - startTime;
+    expect(duration).toBeLessThan(100);
+  });
+});
+```
+
+### 2. API Performance Testing
+
+**Actions:**
+1. Test API response times
+2. Test under load:
+   - Concurrent requests
+   - Sustained load
+   - Spike testing
+3. Monitor:
+   - Response time (p50, p95, p99)
+   - Throughput (req/s)
+   - Error rate
+   - Resource usage
+
+**Validation:**
+- [ ] API response < {{API_RESPONSE_TARGET}} (p95)
+- [ ] Throughput > {{THROUGHPUT_TARGET}}
+- [ ] Error rate < {{ERROR_RATE_TARGET}}
+- [ ] No memory leaks
+
+**Load Test Example:**
+
+```yaml
+# Using Artillery
+config:
+  target: 'http://localhost:3000'
+  phases:
+    - duration: 60
+      arrivalRate: 20
+    - duration: 120
+      arrivalRate: 50
+  ensure:
+    p95: {{API_RESPONSE_TARGET}}
+```
+
+### 3. Frontend Performance Testing
+
+**Core Web Vitals:**
+- LCP (Largest Contentful Paint) < {{FRONTEND_LCP_TARGET}}
+- FID (First Input Delay) < {{FRONTEND_FID_TARGET}}
+- CLS (Cumulative Layout Shift) < {{FRONTEND_CLS_TARGET}}
+- INP (Interaction to Next Paint) < 200ms
+
+**Page Load Metrics:**
+- TTFB (Time to First Byte) < 600ms
+- FCP (First Contentful Paint) < 1.8s
+- TTI (Time to Interactive) < 3.5s
+
+**Bundle Analysis:**
+- Main bundle < {{BUNDLE_SIZE_TARGET}}
+- Code splitting implemented
+- Lazy loading for routes
+
+**Validation:**
+- [ ] Core Web Vitals met
+- [ ] Bundle sizes within budget
+- [ ] Component render < 16ms (60fps)
+
+### 4. Bottleneck Identification
+
+**Categories:**
+- **Database**: Slow queries, N+1 problems
+- **API**: Blocking operations, inefficient algorithms
+- **Frontend**: Large bundles, unnecessary re-renders
+- **Network**: Large payloads, missing caching
+
+**Prioritization:**
+- High: Affects >50% users, >1s delay
+- Medium: Affects 20-50% users, 500ms-1s delay
+- Low: <20% users, <500ms delay
+
+**Validation:**
+- [ ] All bottlenecks identified
+- [ ] Impact assessed
+- [ ] Priority assigned
+
+### 5. Optimization Implementation
+
+**Database Optimizations:**
+- Add indexes
+- Optimize queries
+- Implement caching
+- Add pagination
+
+**API Optimizations:**
+- Enable compression
+- Implement caching
+- Use async operations
+- Optimize algorithms
+
+**Frontend Optimizations:**
+- Code splitting
+- Lazy loading
+- Image optimization
+- Tree shaking
+- Memoization
+
+**Validation:**
+- [ ] Optimizations implemented
+- [ ] Tests passing
+- [ ] Performance improved
+
+### 6. Regression Testing
+
+**Actions:**
+1. Run full test suite
+2. Re-measure performance
+3. Compare before/after metrics
+4. Document improvements
+
+**Validation:**
+- [ ] All tests passing
+- [ ] Performance improved
+- [ ] No regressions
+- [ ] Gains documented
+
+## Performance Budgets
+
+```json
+{
+  "database": {
+    "queryTime": { "p95": "{{DB_QUERY_TARGET}}", "unit": "ms" },
+    "n1Queries": 0
+  },
+  "api": {
+    "responseTime": { "p95": "{{API_RESPONSE_TARGET}}", "unit": "ms" },
+    "throughput": { "min": "{{THROUGHPUT_TARGET}}", "unit": "req/s" }
+  },
+  "frontend": {
+    "lcp": { "max": "{{FRONTEND_LCP_TARGET}}", "unit": "ms" },
+    "fid": { "max": "{{FRONTEND_FID_TARGET}}", "unit": "ms" },
+    "cls": { "max": "{{FRONTEND_CLS_TARGET}}" },
+    "bundleSize": { "max": "{{BUNDLE_SIZE_TARGET}}", "unit": "KB" }
+  }
+}
+```
+
+## Tools
+
+**Database:**
+- Query logging
+- EXPLAIN / EXPLAIN ANALYZE
+- Database profiling tools
+
+**API:**
+- Artillery (load testing)
+- K6 (performance testing)
+- autocannon (HTTP benchmarking)
+
+**Frontend:**
+- Lighthouse
+- Chrome DevTools Performance
+- WebPageTest
+- Bundle Analyzer
+
+## Best Practices
+
+1. **Establish Baselines**: Measure before optimizing
+2. **Set Budgets**: Define acceptable performance levels
+3. **Test Regularly**: Include in CI/CD pipeline
+4. **Optimize Strategically**: Focus on high-impact areas
+5. **Measure Impact**: Quantify improvements
+6. **Avoid Premature Optimization**: Profile first
+7. **Test Realistically**: Use production-like data
+8. **Monitor Trends**: Track over time
+
+## Output
+
+**Produces:**
+- Performance test reports
+- Bottleneck analysis with priorities
+- Optimization recommendations
+- Before/after comparisons
+- Performance budget validation
+
+**Success Criteria:**
+- All performance targets met
+- Bottlenecks identified and prioritized
+- Optimizations validated
+- Performance budgets enforced
+
+## Related Skills
+
+- `api-app-testing` - API integration testing
+- `security-testing` - Security performance impact

package/templates/skills/testing/security-testing.md

@@ -0,0 +1,348 @@
+---
+name: security-testing
+category: testing
+description: Security testing covering authentication, authorization, input validation, and OWASP Top 10
+usage: Use to validate security measures and identify vulnerabilities before deployment
+input: Application components, authentication system, validation logic
+output: Security test suite, vulnerability report, remediation recommendations
+config_required:
+  - AUTH_MECHANISM: "Authentication system used (e.g., JWT, OAuth, Session)"
+  - VALIDATION_LIBRARY: "Validation library (e.g., Zod, Joi, Yup)"
+  - ORM_TOOL: "ORM/Query builder for SQL injection prevention"
+  - SECURITY_HEADERS: "Required security headers to validate"
+---
+
+# Security Testing
+
+## ⚙️ Configuration
+
+| Setting | Description | Example |
+|---------|-------------|---------|
+| AUTH_MECHANISM | Authentication method | `JWT`, `OAuth`, `Session-based` |
+| VALIDATION_LIBRARY | Input validation library | `Zod`, `Joi`, `Yup` |
+| ORM_TOOL | Database access method | `Drizzle`, `Prisma`, `TypeORM` |
+| PASSWORD_POLICY | Password requirements | `8+ chars, uppercase, number` |
+| RATE_LIMIT | Request rate limit | `100 req/15min` |
+| SESSION_TIMEOUT | Session expiration | `30 minutes` |
+| MFA_ENABLED | Multi-factor auth enabled | `true`, `false` |
+
+## Purpose
+
+Comprehensive security testing to identify and prevent vulnerabilities across the application stack.
+
+## Capabilities
+
+- Test authentication mechanisms
+- Validate authorization controls
+- Prevent injection attacks
+- Test data protection
+- Validate API security
+- Check dependency vulnerabilities
+- Test error handling security
+
+## Workflow
+
+### 1. Authentication Testing
+
+**Test scenarios:**
+- Valid/invalid credentials
+- Brute force protection
+- Session management
+- Token expiration
+- Password policies
+- MFA (if applicable)
+- OAuth flows
+- Logout functionality
+
+**Validation:**
+- [ ] Strong passwords enforced
+- [ ] Failed login attempts limited
+- [ ] Sessions expire appropriately
+- [ ] Tokens validated properly
+- [ ] Logout invalidates sessions
+
+**Example Test:**
+
+```typescript
+import { describe, it, expect } from 'test-framework';
+
+describe('Authentication Security', () => {
+  it('should reject invalid credentials', async () => {
+    const response = await app.request('/api/auth/login', {
+      method: 'POST',
+      body: JSON.stringify({
+        email: 'user@example.com',
+        password: 'wrongpassword'
+      })
+    });
+
+    expect(response.status).toBe(401);
+  });
+
+  it('should rate limit failed attempts', async () => {
+    // Attempt multiple failed logins
+    for (let i = 0; i < 10; i++) {
+      await app.request('/api/auth/login', {
+        method: 'POST',
+        body: JSON.stringify({
+          email: 'user@example.com',
+          password: 'wrong'
+        })
+      });
+    }
+
+    const response = await app.request('/api/auth/login', {
+      method: 'POST',
+      body: JSON.stringify({
+        email: 'user@example.com',
+        password: 'wrong'
+      })
+    });
+
+    expect(response.status).toBe(429);
+  });
+});
+```
+
+### 2. Authorization Testing
+
+**Test scenarios:**
+- Role-based access control (RBAC)
+- Resource ownership validation
+- Privilege escalation attempts
+- Horizontal access control
+- Vertical access control
+- Admin vs user permissions
+
+**Validation:**
+- [ ] Users can only access own resources
+- [ ] Admin-only endpoints protected
+- [ ] No privilege escalation possible
+- [ ] Permissions checked on all operations
+
+**Example Test:**
+
+```typescript
+describe('Authorization Security', () => {
+  it('should prevent access to other users resources', async () => {
+    const userAToken = await getUserToken('user-a');
+
+    const response = await app.request('/api/resources/user-b-id', {
+      headers: { Authorization: `Bearer ${userAToken}` }
+    });
+
+    expect(response.status).toBe(403);
+  });
+});
+```
+
+### 3. Input Validation Testing
+
+**Test injection attacks:**
+
+**SQL Injection:**
+- Test with SQL injection payloads
+- Verify parameterized queries/ORM used
+
+**XSS (Cross-Site Scripting):**
+- Test with XSS payloads
+- Verify output encoding
+- Test reflected and stored XSS
+
+**Command Injection:**
+- Test system command inputs
+- Verify safe execution
+
+**Path Traversal:**
+- Test file path inputs
+- Verify path sanitization
+
+**Validation Bypass:**
+- Test client-side only validation
+- Test type confusion
+- Test boundary values
+
+**Validation:**
+- [ ] All inputs validated server-side
+- [ ] SQL injection prevented (ORM usage)
+- [ ] XSS prevented (output escaping)
+- [ ] No command injection possible
+- [ ] Path traversal blocked
+
+**Example Test:**
+
+```typescript
+describe('Input Validation Security', () => {
+  it('should prevent SQL injection', async () => {
+    const maliciousInput = "'; DROP TABLE users; --";
+
+    const response = await app.request(
+      `/api/search?q=${encodeURIComponent(maliciousInput)}`
+    );
+
+    expect(response.status).toBe(200);
+
+    // Verify database intact
+    const usersCount = await db.users.count();
+    expect(usersCount).toBeGreaterThan(0);
+  });
+
+  it('should prevent XSS attacks', async () => {
+    const xssPayload = '<script>alert("XSS")</script>';
+
+    const response = await app.request('/api/comments', {
+      method: 'POST',
+      body: JSON.stringify({ content: xssPayload })
+    });
+
+    const comment = await response.json();
+    expect(comment.content).not.toContain('<script>');
+  });
+});
+```
+
+### 4. Data Protection Testing
+
+**Test scenarios:**
+- Encryption at rest
+- Encryption in transit (HTTPS)
+- Sensitive data exposure
+- Logging (no secrets)
+- Error messages (no data leakage)
+- Data deletion (proper cleanup)
+
+**Validation:**
+- [ ] HTTPS enforced
+- [ ] Sensitive fields encrypted
+- [ ] No secrets in logs
+- [ ] No PII in error messages
+- [ ] Secure data deletion
+
+**Example Test:**
+
+```typescript
+describe('Data Protection Security', () => {
+  it('should not expose sensitive data', async () => {
+    const response = await app.request('/api/users/profile');
+    const user = await response.json();
+
+    expect(user).not.toHaveProperty('password');
+    expect(user).not.toHaveProperty('passwordHash');
+  });
+
+  it('should not leak data in errors', async () => {
+    const response = await app.request('/api/users/invalid-id');
+    const error = await response.json();
+
+    expect(error.message).not.toContain('database');
+    expect(error).not.toHaveProperty('stack');
+  });
+});
+```
+
+### 5. API Security Testing
+
+**Test scenarios:**
+- Rate limiting
+- CORS configuration
+- Request size limits
+- Content-type validation
+- Security headers
+
+**Validation:**
+- [ ] Rate limiting active
+- [ ] CORS properly configured
+- [ ] Request size limited
+- [ ] Security headers set
+
+**Example Test:**
+
+```typescript
+describe('API Security', () => {
+  it('should have security headers', async () => {
+    const response = await app.request('/api/users');
+
+    expect(response.headers.get('X-Content-Type-Options')).toBe('nosniff');
+    expect(response.headers.get('X-Frame-Options')).toBe('DENY');
+    expect(response.headers.get('Content-Security-Policy')).toBeTruthy();
+  });
+
+  it('should enforce CORS policy', async () => {
+    const response = await app.request('/api/users', {
+      headers: { Origin: 'https://untrusted-site.com' }
+    });
+
+    expect(response.headers.get('Access-Control-Allow-Origin'))
+      .not.toBe('*');
+  });
+});
+```
+
+### 6. Dependency Security Testing
+
+**Actions:**
+1. Run dependency audit
+2. Check for outdated packages
+3. Review security advisories
+4. Monitor for new vulnerabilities
+
+**Validation:**
+- [ ] No critical vulnerabilities
+- [ ] No high vulnerabilities
+- [ ] Medium vulnerabilities documented
+- [ ] Dependencies up to date
+
+**Command:**
+
+```bash
+# Run dependency audit
+{{PACKAGE_MANAGER}} audit --audit-level moderate
+```
+
+## OWASP Top 10 Coverage
+
+| Risk | Covered |
+|------|---------|
+| Broken Access Control | Authorization tests |
+| Cryptographic Failures | HTTPS, encryption tests |
+| Injection | SQL, XSS, command injection tests |
+| Insecure Design | Security by design validation |
+| Security Misconfiguration | Headers, defaults tests |
+| Vulnerable Components | Dependency scanning |
+| Authentication Failures | Auth mechanism tests |
+| Data Integrity Failures | Input validation tests |
+| Logging Failures | Log security validation |
+| SSRF | URL validation |
+
+## Best Practices
+
+1. **Defense in Depth**: Multiple security layers
+2. **Fail Securely**: Default to deny access
+3. **Least Privilege**: Minimal required permissions
+4. **Input Validation**: Validate all inputs server-side
+5. **Output Encoding**: Prevent XSS
+6. **Parameterized Queries**: Prevent SQL injection
+7. **Security Headers**: Set all recommended headers
+8. **Regular Audits**: Continuous security testing
+9. **Update Dependencies**: Keep packages current
+10. **Log Security Events**: Monitor for attacks
+
+## Output
+
+**Produces:**
+- Security test suite
+- Vulnerability report
+- Remediation recommendations
+- OWASP Top 10 compliance checklist
+
+**Success Criteria:**
+- All security tests passing
+- No critical vulnerabilities
+- Authentication/authorization secure
+- Input validation comprehensive
+- Data protection adequate
+
+## Related Skills
+
+- `api-app-testing` - API functionality testing
+- `performance-testing` - Security performance impact