@qball-inc/the-bulwark 1.0.0

package/skills/code-review/frameworks/vue.md

@@ -0,0 +1,244 @@
+# Vue Framework Patterns
+
+Security and quality patterns specific to Vue.js applications.
+
+---
+
+## Security Patterns
+
+### XSS Prevention
+
+| Pattern | Risk | Detection |
+|---------|------|-----------|
+| `v-html` directive | High | `v-html="userInput"` |
+| Dynamic component rendering | Medium | `:is="userComponent"` |
+| Template compilation | Critical | `Vue.compile(userTemplate)` |
+
+**Safe Pattern:**
+```vue
+<!-- BAD -->
+<div v-html="userComment"></div>
+
+<!-- GOOD - Vue escapes by default -->
+<div>{{ userComment }}</div>
+
+<!-- If HTML needed, sanitize first -->
+<script setup>
+import DOMPurify from 'dompurify';
+
+const sanitizedHtml = computed(() =>
+  DOMPurify.sanitize(props.htmlContent)
+);
+</script>
+
+<template>
+  <div v-html="sanitizedHtml"></div>
+</template>
+```
+
+### URL Safety
+
+```vue
+<!-- BAD -->
+<a :href="userUrl">Link</a>
+
+<!-- GOOD -->
+<script setup>
+const safeUrl = computed(() => {
+  try {
+    const url = new URL(props.userUrl);
+    if (['http:', 'https:'].includes(url.protocol)) {
+      return props.userUrl;
+    }
+  } catch {}
+  return '#';
+});
+</script>
+
+<template>
+  <a :href="safeUrl">Link</a>
+</template>
+```
+
+### Dynamic Components
+
+```vue
+<!-- BAD - User can inject any component -->
+<component :is="userSelectedComponent" />
+
+<!-- GOOD - Allowlist of components -->
+<script setup>
+const allowedComponents = {
+  'profile': ProfileComponent,
+  'settings': SettingsComponent
+};
+
+const safeComponent = computed(() =>
+  allowedComponents[props.componentName] || DefaultComponent
+);
+</script>
+
+<template>
+  <component :is="safeComponent" />
+</template>
+```
+
+---
+
+## Type Safety Patterns
+
+### Props Typing (Vue 3 + TypeScript)
+
+```vue
+<!-- BAD -->
+<script setup>
+const props = defineProps(['title', 'count']);
+</script>
+
+<!-- GOOD -->
+<script setup lang="ts">
+interface Props {
+  title: string;
+  count: number;
+  optional?: string;
+}
+
+const props = defineProps<Props>();
+</script>
+```
+
+### Emits Typing
+
+```vue
+<!-- BAD -->
+<script setup>
+const emit = defineEmits(['update', 'delete']);
+</script>
+
+<!-- GOOD -->
+<script setup lang="ts">
+interface Emits {
+  (e: 'update', value: string): void;
+  (e: 'delete', id: number): void;
+}
+
+const emit = defineEmits<Emits>();
+</script>
+```
+
+### Ref Typing
+
+```typescript
+// BAD
+const count = ref(0);  // Ref<number> inferred but not explicit
+const user = ref(null);  // Ref<null>
+
+// GOOD
+const count = ref<number>(0);
+const user = ref<User | null>(null);
+```
+
+### Composable Return Types
+
+```typescript
+// BAD
+function useUser() {
+  const user = ref(null);
+  return { user };
+}
+
+// GOOD
+interface UseUserReturn {
+  user: Ref<User | null>;
+  loading: Ref<boolean>;
+  error: Ref<string | null>;
+  fetchUser: (id: string) => Promise<void>;
+}
+
+function useUser(): UseUserReturn {
+  const user = ref<User | null>(null);
+  const loading = ref(false);
+  const error = ref<string | null>(null);
+
+  async function fetchUser(id: string) {
+    // ...
+  }
+
+  return { user, loading, error, fetchUser };
+}
+```
+
+---
+
+## Linting Patterns
+
+### Component Size
+
+| Metric | Threshold | Action |
+|--------|-----------|--------|
+| Template lines | >100 | Extract child components |
+| Script lines | >200 | Extract composables |
+| Props count | >7 | Consider refactoring |
+
+### Reactivity
+
+```typescript
+// BAD - Reactivity lost
+const { user } = toRefs(props);
+const name = user.value.name;  // Not reactive
+
+// GOOD
+const { user } = toRefs(props);
+const name = computed(() => user.value.name);
+```
+
+### Memory Management
+
+```vue
+<script setup>
+import { onUnmounted } from 'vue';
+
+// Clean up subscriptions
+const unsubscribe = store.subscribe((mutation) => {});
+onUnmounted(() => unsubscribe());
+
+// Clean up intervals/timeouts
+const interval = setInterval(() => {}, 1000);
+onUnmounted(() => clearInterval(interval));
+</script>
+```
+
+---
+
+## Coding Standards
+
+### Naming Conventions
+
+| Element | Convention | Example |
+|---------|------------|---------|
+| Component | PascalCase | `UserProfile.vue` |
+| Composable | camelCase with `use` prefix | `useUserProfile` |
+| Props | camelCase | `userName` |
+| Events | kebab-case | `@update-user` |
+
+### File Organization
+
+```
+components/
+  UserProfile/
+    UserProfile.vue
+    UserProfileHeader.vue
+    UserProfileStats.vue
+composables/
+  useUser.ts
+  useAuth.ts
+```
+
+---
+
+## What to Skip
+
+- Vite/Vue CLI configuration
+- Pinia/Vuex store boilerplate
+- Router configuration
+- Test utility setup

package/skills/code-review/references/linting-patterns.md

@@ -0,0 +1,221 @@
+# Linting Patterns Reference
+
+Patterns for the Linting section of code-review skill.
+
+---
+
+## Complexity Patterns
+
+### Cyclomatic Complexity
+
+| Level | Threshold | Severity | Guidance |
+|-------|-----------|----------|----------|
+| Low | 1-10 | OK | Simple, testable |
+| Moderate | 11-20 | Suggestion | Consider refactoring |
+| High | 21-50 | Important | Should refactor |
+| Very High | 50+ | Important | Must refactor |
+
+**Detection:**
+- Count decision points: if, else, case, &&, ||, ?:, catch
+- Each decision point adds 1 to complexity
+- Nested conditions multiply cognitive load
+
+### Nesting Depth
+
+| Level | Threshold | Severity |
+|-------|-----------|----------|
+| Acceptable | 1-3 levels | OK |
+| Warning | 4 levels | Suggestion |
+| Problem | 5+ levels | Important |
+
+**Detection:**
+```typescript
+// 5 levels of nesting - IMPORTANT
+if (a) {
+  if (b) {
+    for (const x of items) {
+      if (x.valid) {
+        try {
+          // deeply nested logic
+        }
+      }
+    }
+  }
+}
+```
+
+**Remediation:**
+- Early returns to flatten conditionals
+- Extract to helper functions
+- Use guard clauses
+
+### Function Length
+
+| Lines | Severity | Guidance |
+|-------|----------|----------|
+| <25 | OK | Ideal |
+| 25-50 | Suggestion | Consider splitting |
+| 50-100 | Important | Should split |
+| 100+ | Important | Must split |
+
+**Exceptions:**
+- Configuration objects/arrays (long but simple)
+- Generated code
+- Test setup with many assertions
+
+---
+
+## Naming Patterns
+
+### Generic Names (Avoid)
+
+| Pattern | Example | Problem |
+|---------|---------|---------|
+| Single letter | `d`, `x`, `t` | No semantic meaning |
+| Generic nouns | `data`, `info`, `temp`, `result` | Doesn't describe content |
+| Type-as-name | `string`, `array`, `object` | Redundant with type system |
+| Abbreviated | `usr`, `cfg`, `mgr` | Reduces readability |
+
+**Exceptions:**
+- Loop indices: `i`, `j`, `k` are acceptable
+- Lambda parameters: `x => x * 2` for simple transforms
+- Coordinates: `x`, `y`, `z` for geometry
+
+### Misleading Names
+
+| Pattern | Example | Problem |
+|---------|---------|---------|
+| Wrong plurality | `user` for array, `users` for single | Confuses data shape |
+| Wrong type hint | `isValid` returning non-boolean | Breaks expectations |
+| Outdated name | `tempFix` that's been permanent | Misleading history |
+| Wrong scope | `globalUser` that's local | Suggests wrong lifetime |
+
+### Good Naming
+
+| Context | Pattern | Example |
+|---------|---------|---------|
+| Boolean | `is`, `has`, `can`, `should` prefix | `isActive`, `hasPermission` |
+| Function | Verb phrase | `calculateTotal`, `fetchUser` |
+| Handler | `handle` or `on` prefix | `handleClick`, `onSubmit` |
+| Collection | Plural noun | `users`, `orderItems` |
+| Singular | Singular noun | `user`, `currentOrder` |
+
+---
+
+## Structure Patterns
+
+### God Function
+
+A function that does too many things.
+
+**Indicators:**
+- Multiple unrelated operations
+- Comments separating "phases"
+- Many parameters (>5)
+- Mixed abstraction levels
+
+**Example:**
+```typescript
+// GOD FUNCTION - does validation, transformation, persistence, notification
+async function processOrder(order: Order) {
+  // Validate
+  if (!order.items.length) throw new Error('Empty order');
+  if (!order.customer) throw new Error('No customer');
+
+  // Calculate totals
+  const subtotal = order.items.reduce((sum, i) => sum + i.price, 0);
+  const tax = subtotal * 0.1;
+  const total = subtotal + tax;
+
+  // Save to database
+  await db.orders.insert({ ...order, total });
+
+  // Send notifications
+  await email.send(order.customer.email, 'Order confirmed');
+  await slack.notify('#orders', `New order: ${order.id}`);
+
+  return { success: true };
+}
+```
+
+**Remediation:** Extract to `validateOrder`, `calculateTotals`, `saveOrder`, `notifyOrder`.
+
+### Mixed Concerns
+
+| Pattern | Example | Problem |
+|---------|---------|---------|
+| UI logic in data layer | Formatting in repository | Coupling |
+| Business logic in controller | Validation in route handler | Testability |
+| Side effects in pure function | Logging in calculator | Unpredictability |
+
+### Duplicate Code
+
+**Detection:**
+- Near-identical blocks (>10 lines)
+- Copy-paste with minor modifications
+- Same pattern repeated 3+ times
+
+**Severity:** Suggestion (unless bugs have diverged)
+
+---
+
+## Control Flow
+
+### Early Return Missing
+
+```typescript
+// BEFORE: Deep nesting
+function process(user: User) {
+  if (user) {
+    if (user.active) {
+      if (user.verified) {
+        return doWork(user);
+      }
+    }
+  }
+  return null;
+}
+
+// AFTER: Guard clauses
+function process(user: User) {
+  if (!user) return null;
+  if (!user.active) return null;
+  if (!user.verified) return null;
+  return doWork(user);
+}
+```
+
+### Complex Conditionals
+
+```typescript
+// BEFORE: Hard to understand
+if (user.role === 'admin' || (user.role === 'manager' && user.department === 'sales') || user.permissions.includes('override')) {
+  // ...
+}
+
+// AFTER: Named condition
+const canAccess = isAdmin(user) || isSalesManager(user) || hasOverride(user);
+if (canAccess) {
+  // ...
+}
+```
+
+---
+
+## Detection Priority
+
+1. **Nesting depth**: Visual inspection, count indent levels
+2. **Function length**: Line count
+3. **Generic names**: Pattern matching on common words
+4. **Complex conditionals**: Count operators in single expression
+
+---
+
+## False Positive Prevention
+
+**Skip these patterns:**
+- Intentionally complex algorithms with explanatory comments
+- Generated code (migrations, schemas)
+- Configuration objects with many properties
+- Test files with verbose setup
+- Legacy code with explicit TODO/FIXME markers

package/skills/code-review/references/security-patterns.md

@@ -0,0 +1,125 @@
+# Security Patterns Reference
+
+Patterns for the Security section of code-review skill.
+
+---
+
+## OWASP Top 10 (2021) Checklist
+
+### A01:2021 - Broken Access Control
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Missing authorization check | Route/function accesses resource without verifying user permissions | Critical |
+| IDOR vulnerability | User-supplied ID used directly to fetch resources without ownership check | Critical |
+| Path traversal | User input in file paths without sanitization (`../` patterns) | Critical |
+| CORS misconfiguration | `Access-Control-Allow-Origin: *` with credentials | Important |
+
+**Detection Approach:**
+- Look for database queries/file access without preceding auth check
+- Check if user-supplied IDs are validated against session user
+- Verify CORS headers in response configuration
+
+### A02:2021 - Cryptographic Failures
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Hardcoded secrets | API keys, passwords, tokens in source code | Critical |
+| Weak hashing | MD5, SHA1 for passwords | Critical |
+| Missing encryption | Sensitive data stored/transmitted in plaintext | Critical |
+| Insecure random | `Math.random()` for security-sensitive operations | Important |
+
+**Detection Approach:**
+- Regex for common secret patterns (API_KEY, PASSWORD, SECRET)
+- Check crypto library usage (bcrypt vs md5)
+- Verify TLS usage for sensitive data
+
+### A03:2021 - Injection
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| SQL injection | String concatenation in SQL queries | Critical |
+| NoSQL injection | User input in MongoDB queries without sanitization | Critical |
+| Command injection | User input in exec/spawn without escaping | Critical |
+| XSS | User input rendered without escaping | Critical |
+| Template injection | User input in template strings | Important |
+
+**Detection Approach:**
+- Trace user input (req.query, req.body, req.params) to dangerous sinks
+- Check for parameterized queries vs string concatenation
+- Verify output encoding in templates
+
+### A04:2021 - Insecure Design
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Missing rate limiting | Auth endpoints without throttling | Important |
+| No account lockout | Unlimited login attempts | Important |
+| Predictable tokens | Sequential/timestamp-based tokens | Critical |
+
+### A05:2021 - Security Misconfiguration
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Debug mode in production | DEBUG=true, verbose error messages | Important |
+| Default credentials | admin/admin, test/test in code | Critical |
+| Unnecessary features | Unused endpoints exposed | Suggestion |
+
+### A06:2021 - Vulnerable Components
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Known vulnerable packages | Outdated dependencies with CVEs | Varies |
+| Unmaintained dependencies | No updates in 2+ years | Suggestion |
+
+**Note:** Defer to `npm audit` / `pip-audit` for detailed analysis.
+
+### A07:2021 - Auth Failures
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Session fixation | Session ID not regenerated after login | Critical |
+| Weak password policy | No length/complexity requirements | Important |
+| Missing MFA | Sensitive operations without 2FA | Suggestion |
+
+### A08:2021 - Data Integrity Failures
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Unsigned data | CI/CD pipelines without artifact verification | Important |
+| Insecure deserialization | Deserializing untrusted data | Critical |
+
+### A09:2021 - Logging Failures
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Sensitive data in logs | Passwords, tokens logged | Critical |
+| Missing audit logs | No logging for security events | Important |
+| Log injection | User input in log messages without sanitization | Important |
+
+### A10:2021 - SSRF
+
+| Pattern | Detection Criteria | Severity |
+|---------|-------------------|----------|
+| Unvalidated URL fetch | User-supplied URL in fetch/axios without allowlist | Critical |
+| Internal network access | User-controlled URLs that could access internal services | Critical |
+
+---
+
+## Detection Priority
+
+1. **Trace user input**: req.query, req.body, req.params, URL params
+2. **Identify dangerous sinks**: db.query, exec, eval, innerHTML, render
+3. **Check for sanitization**: Between source and sink
+4. **Verify context**: Is this test code? Is there upstream validation?
+
+---
+
+## False Positive Prevention
+
+**Skip these patterns:**
+- Parameterized queries (even with nearby concatenation)
+- Test fixtures with intentional vulnerabilities
+- Comments containing example code
+- Sanitization applied before dangerous sink
+- Internal-only endpoints with network-level protection