@ruaruababa/vibe-kit 1.0.0

package/skills/pci-compliance/SKILL.md

@@ -0,0 +1,478 @@
+---
+name: pci-compliance
+description: Implement PCI DSS compliance requirements for secure handling of payment card data and payment systems. Use when securing payment processing, achieving PCI compliance, or implementing payment card security measures.
+---
+
+# PCI Compliance
+
+Master PCI DSS (Payment Card Industry Data Security Standard) compliance for secure payment processing and handling of cardholder data.
+
+## Do not use this skill when
+
+- The task is unrelated to pci compliance
+- You need a different domain or tool outside this scope
+
+## Instructions
+
+- Clarify goals, constraints, and required inputs.
+- Apply relevant best practices and validate outcomes.
+- Provide actionable steps and verification.
+- If detailed examples are required, open `resources/implementation-playbook.md`.
+
+## Use this skill when
+
+- Building payment processing systems
+- Handling credit card information
+- Implementing secure payment flows
+- Conducting PCI compliance audits
+- Reducing PCI compliance scope
+- Implementing tokenization and encryption
+- Preparing for PCI DSS assessments
+
+## PCI DSS Requirements (12 Core Requirements)
+
+### Build and Maintain Secure Network
+1. Install and maintain firewall configuration
+2. Don't use vendor-supplied defaults for passwords
+
+### Protect Cardholder Data
+3. Protect stored cardholder data
+4. Encrypt transmission of cardholder data across public networks
+
+### Maintain Vulnerability Management
+5. Protect systems against malware
+6. Develop and maintain secure systems and applications
+
+### Implement Strong Access Control
+7. Restrict access to cardholder data by business need-to-know
+8. Identify and authenticate access to system components
+9. Restrict physical access to cardholder data
+
+### Monitor and Test Networks
+10. Track and monitor all access to network resources and cardholder data
+11. Regularly test security systems and processes
+
+### Maintain Information Security Policy
+12. Maintain a policy that addresses information security
+
+## Compliance Levels
+
+**Level 1**: > 6 million transactions/year (annual ROC required)
+**Level 2**: 1-6 million transactions/year (annual SAQ)
+**Level 3**: 20,000-1 million e-commerce transactions/year
+**Level 4**: < 20,000 e-commerce or < 1 million total transactions
+
+## Data Minimization (Never Store)
+
+```python
+# NEVER STORE THESE
+PROHIBITED_DATA = {
+    'full_track_data': 'Magnetic stripe data',
+    'cvv': 'Card verification code/value',
+    'pin': 'PIN or PIN block'
+}
+
+# CAN STORE (if encrypted)
+ALLOWED_DATA = {
+    'pan': 'Primary Account Number (card number)',
+    'cardholder_name': 'Name on card',
+    'expiration_date': 'Card expiration',
+    'service_code': 'Service code'
+}
+
+class PaymentData:
+    """Safe payment data handling."""
+
+    def __init__(self):
+        self.prohibited_fields = ['cvv', 'cvv2', 'cvc', 'pin']
+
+    def sanitize_log(self, data):
+        """Remove sensitive data from logs."""
+        sanitized = data.copy()
+
+        # Mask PAN
+        if 'card_number' in sanitized:
+            card = sanitized['card_number']
+            sanitized['card_number'] = f"{card[:6]}{'*' * (len(card) - 10)}{card[-4:]}"
+
+        # Remove prohibited data
+        for field in self.prohibited_fields:
+            sanitized.pop(field, None)
+
+        return sanitized
+
+    def validate_no_prohibited_storage(self, data):
+        """Ensure no prohibited data is being stored."""
+        for field in self.prohibited_fields:
+            if field in data:
+                raise SecurityError(f"Attempting to store prohibited field: {field}")
+```
+
+## Tokenization
+
+### Using Payment Processor Tokens
+```python
+import stripe
+
+class TokenizedPayment:
+    """Handle payments using tokens (no card data on server)."""
+
+    @staticmethod
+    def create_payment_method_token(card_details):
+        """Create token from card details (client-side only)."""
+        # THIS SHOULD ONLY BE DONE CLIENT-SIDE WITH STRIPE.JS
+        # NEVER send card details to your server
+
+        """
+        // Frontend JavaScript
+        const stripe = Stripe('pk_...');
+
+        const {token, error} = await stripe.createToken({
+            card: {
+                number: '4242424242424242',
+                exp_month: 12,
+                exp_year: 2024,
+                cvc: '123'
+            }
+        });
+
+        // Send token.id to server (NOT card details)
+        """
+        pass
+
+    @staticmethod
+    def charge_with_token(token_id, amount):
+        """Charge using token (server-side)."""
+        # Your server only sees the token, never the card number
+        stripe.api_key = "sk_..."
+
+        charge = stripe.Charge.create(
+            amount=amount,
+            currency="usd",
+            source=token_id,  # Token instead of card details
+            description="Payment"
+        )
+
+        return charge
+
+    @staticmethod
+    def store_payment_method(customer_id, payment_method_token):
+        """Store payment method as token for future use."""
+        stripe.Customer.modify(
+            customer_id,
+            source=payment_method_token
+        )
+
+        # Store only customer_id and payment_method_id in your database
+        # NEVER store actual card details
+        return {
+            'customer_id': customer_id,
+            'has_payment_method': True
+            # DO NOT store: card number, CVV, etc.
+        }
+```
+
+### Custom Tokenization (Advanced)
+```python
+import secrets
+from cryptography.fernet import Fernet
+
+class TokenVault:
+    """Secure token vault for card data (if you must store it)."""
+
+    def __init__(self, encryption_key):
+        self.cipher = Fernet(encryption_key)
+        self.vault = {}  # In production: use encrypted database
+
+    def tokenize(self, card_data):
+        """Convert card data to token."""
+        # Generate secure random token
+        token = secrets.token_urlsafe(32)
+
+        # Encrypt card data
+        encrypted = self.cipher.encrypt(json.dumps(card_data).encode())
+
+        # Store token -> encrypted data mapping
+        self.vault[token] = encrypted
+
+        return token
+
+    def detokenize(self, token):
+        """Retrieve card data from token."""
+        encrypted = self.vault.get(token)
+        if not encrypted:
+            raise ValueError("Token not found")
+
+        # Decrypt
+        decrypted = self.cipher.decrypt(encrypted)
+        return json.loads(decrypted.decode())
+
+    def delete_token(self, token):
+        """Remove token from vault."""
+        self.vault.pop(token, None)
+```
+
+## Encryption
+
+### Data at Rest
+```python
+from cryptography.hazmat.primitives.ciphers.aead import AESGCM
+import os
+
+class EncryptedStorage:
+    """Encrypt data at rest using AES-256-GCM."""
+
+    def __init__(self, encryption_key):
+        """Initialize with 256-bit key."""
+        self.key = encryption_key  # Must be 32 bytes
+
+    def encrypt(self, plaintext):
+        """Encrypt data."""
+        # Generate random nonce
+        nonce = os.urandom(12)
+
+        # Encrypt
+        aesgcm = AESGCM(self.key)
+        ciphertext = aesgcm.encrypt(nonce, plaintext.encode(), None)
+
+        # Return nonce + ciphertext
+        return nonce + ciphertext
+
+    def decrypt(self, encrypted_data):
+        """Decrypt data."""
+        # Extract nonce and ciphertext
+        nonce = encrypted_data[:12]
+        ciphertext = encrypted_data[12:]
+
+        # Decrypt
+        aesgcm = AESGCM(self.key)
+        plaintext = aesgcm.decrypt(nonce, ciphertext, None)
+
+        return plaintext.decode()
+
+# Usage
+storage = EncryptedStorage(os.urandom(32))
+encrypted_pan = storage.encrypt("4242424242424242")
+# Store encrypted_pan in database
+```
+
+### Data in Transit
+```python
+# Always use TLS 1.2 or higher
+# Flask/Django example
+app.config['SESSION_COOKIE_SECURE'] = True  # HTTPS only
+app.config['SESSION_COOKIE_HTTPONLY'] = True
+app.config['SESSION_COOKIE_SAMESITE'] = 'Strict'
+
+# Enforce HTTPS
+from flask_talisman import Talisman
+Talisman(app, force_https=True)
+```
+
+## Access Control
+
+```python
+from functools import wraps
+from flask import session
+
+def require_pci_access(f):
+    """Decorator to restrict access to cardholder data."""
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        user = session.get('user')
+
+        # Check if user has PCI access role
+        if not user or 'pci_access' not in user.get('roles', []):
+            return {'error': 'Unauthorized access to cardholder data'}, 403
+
+        # Log access attempt
+        audit_log(
+            user=user['id'],
+            action='access_cardholder_data',
+            resource=f.__name__
+        )
+
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+@app.route('/api/payment-methods')
+@require_pci_access
+def get_payment_methods():
+    """Retrieve payment methods (restricted access)."""
+    # Only accessible to users with pci_access role
+    pass
+```
+
+## Audit Logging
+
+```python
+import logging
+from datetime import datetime
+
+class PCIAuditLogger:
+    """PCI-compliant audit logging."""
+
+    def __init__(self):
+        self.logger = logging.getLogger('pci_audit')
+        # Configure to write to secure, append-only log
+
+    def log_access(self, user_id, resource, action, result):
+        """Log access to cardholder data."""
+        entry = {
+            'timestamp': datetime.utcnow().isoformat(),
+            'user_id': user_id,
+            'resource': resource,
+            'action': action,
+            'result': result,
+            'ip_address': request.remote_addr
+        }
+
+        self.logger.info(json.dumps(entry))
+
+    def log_authentication(self, user_id, success, method):
+        """Log authentication attempt."""
+        entry = {
+            'timestamp': datetime.utcnow().isoformat(),
+            'user_id': user_id,
+            'event': 'authentication',
+            'success': success,
+            'method': method,
+            'ip_address': request.remote_addr
+        }
+
+        self.logger.info(json.dumps(entry))
+
+# Usage
+audit = PCIAuditLogger()
+audit.log_access(user_id=123, resource='payment_methods', action='read', result='success')
+```
+
+## Security Best Practices
+
+### Input Validation
+```python
+import re
+
+def validate_card_number(card_number):
+    """Validate card number format (Luhn algorithm)."""
+    # Remove spaces and dashes
+    card_number = re.sub(r'[\s-]', '', card_number)
+
+    # Check if all digits
+    if not card_number.isdigit():
+        return False
+
+    # Luhn algorithm
+    def luhn_checksum(card_num):
+        def digits_of(n):
+            return [int(d) for d in str(n)]
+
+        digits = digits_of(card_num)
+        odd_digits = digits[-1::-2]
+        even_digits = digits[-2::-2]
+        checksum = sum(odd_digits)
+        for d in even_digits:
+            checksum += sum(digits_of(d * 2))
+        return checksum % 10
+
+    return luhn_checksum(card_number) == 0
+
+def sanitize_input(user_input):
+    """Sanitize user input to prevent injection."""
+    # Remove special characters
+    # Validate against expected format
+    # Escape for database queries
+    pass
+```
+
+## PCI DSS SAQ (Self-Assessment Questionnaire)
+
+### SAQ A (Least Requirements)
+- E-commerce using hosted payment page
+- No card data on your systems
+- ~20 questions
+
+### SAQ A-EP
+- E-commerce with embedded payment form
+- Uses JavaScript to handle card data
+- ~180 questions
+
+### SAQ D (Most Requirements)
+- Store, process, or transmit card data
+- Full PCI DSS requirements
+- ~300 questions
+
+## Compliance Checklist
+
+```python
+PCI_COMPLIANCE_CHECKLIST = {
+    'network_security': [
+        'Firewall configured and maintained',
+        'No vendor default passwords',
+        'Network segmentation implemented'
+    ],
+    'data_protection': [
+        'No storage of CVV, track data, or PIN',
+        'PAN encrypted when stored',
+        'PAN masked when displayed',
+        'Encryption keys properly managed'
+    ],
+    'vulnerability_management': [
+        'Anti-virus installed and updated',
+        'Secure development practices',
+        'Regular security patches',
+        'Vulnerability scanning performed'
+    ],
+    'access_control': [
+        'Access restricted by role',
+        'Unique IDs for all users',
+        'Multi-factor authentication',
+        'Physical security measures'
+    ],
+    'monitoring': [
+        'Audit logs enabled',
+        'Log review process',
+        'File integrity monitoring',
+        'Regular security testing'
+    ],
+    'policy': [
+        'Security policy documented',
+        'Risk assessment performed',
+        'Security awareness training',
+        'Incident response plan'
+    ]
+}
+```
+
+## Resources
+
+- **references/data-minimization.md**: Never store prohibited data
+- **references/tokenization.md**: Tokenization strategies
+- **references/encryption.md**: Encryption requirements
+- **references/access-control.md**: Role-based access
+- **references/audit-logging.md**: Comprehensive logging
+- **assets/pci-compliance-checklist.md**: Complete checklist
+- **assets/encrypted-storage.py**: Encryption utilities
+- **scripts/audit-payment-system.sh**: Compliance audit script
+
+## Common Violations
+
+1. **Storing CVV**: Never store card verification codes
+2. **Unencrypted PAN**: Card numbers must be encrypted at rest
+3. **Weak Encryption**: Use AES-256 or equivalent
+4. **No Access Controls**: Restrict who can access cardholder data
+5. **Missing Audit Logs**: Must log all access to payment data
+6. **Insecure Transmission**: Always use TLS 1.2+
+7. **Default Passwords**: Change all default credentials
+8. **No Security Testing**: Regular penetration testing required
+
+## Reducing PCI Scope
+
+1. **Use Hosted Payments**: Stripe Checkout, PayPal, etc.
+2. **Tokenization**: Replace card data with tokens
+3. **Network Segmentation**: Isolate cardholder data environment
+4. **Outsource**: Use PCI-compliant payment processors
+5. **No Storage**: Never store full card details
+
+By minimizing systems that touch card data, you reduce compliance burden significantly.

package/skills/performance-engineer/SKILL.md

@@ -0,0 +1,180 @@
+---
+name: performance-engineer
+description: Expert performance engineer specializing in modern observability,
+  application optimization, and scalable system performance. Masters
+  OpenTelemetry, distributed tracing, load testing, multi-tier caching, Core Web
+  Vitals, and performance monitoring. Handles end-to-end optimization, real user
+  monitoring, and scalability patterns. Use PROACTIVELY for performance
+  optimization, observability, or scalability challenges.
+metadata:
+  model: inherit
+---
+You are a performance engineer specializing in modern application optimization, observability, and scalable system performance.
+
+## Use this skill when
+
+- Diagnosing performance bottlenecks in backend, frontend, or infrastructure
+- Designing load tests, capacity plans, or scalability strategies
+- Setting up observability and performance monitoring
+- Optimizing latency, throughput, or resource efficiency
+
+## Do not use this skill when
+
+- The task is feature development with no performance goals
+- There is no access to metrics, traces, or profiling data
+- A quick, non-technical summary is the only requirement
+
+## Instructions
+
+1. Confirm performance goals, user impact, and baseline metrics.
+2. Collect traces, profiles, and load tests to isolate bottlenecks.
+3. Propose optimizations with expected impact and tradeoffs.
+4. Verify results and add guardrails to prevent regressions.
+
+## Safety
+
+- Avoid load testing production without approvals and safeguards.
+- Use staged rollouts with rollback plans for high-risk changes.
+
+## Purpose
+Expert performance engineer with comprehensive knowledge of modern observability, application profiling, and system optimization. Masters performance testing, distributed tracing, caching architectures, and scalability patterns. Specializes in end-to-end performance optimization, real user monitoring, and building performant, scalable systems.
+
+## Capabilities
+
+### Modern Observability & Monitoring
+- **OpenTelemetry**: Distributed tracing, metrics collection, correlation across services
+- **APM platforms**: DataDog APM, New Relic, Dynatrace, AppDynamics, Honeycomb, Jaeger
+- **Metrics & monitoring**: Prometheus, Grafana, InfluxDB, custom metrics, SLI/SLO tracking
+- **Real User Monitoring (RUM)**: User experience tracking, Core Web Vitals, page load analytics
+- **Synthetic monitoring**: Uptime monitoring, API testing, user journey simulation
+- **Log correlation**: Structured logging, distributed log tracing, error correlation
+
+### Advanced Application Profiling
+- **CPU profiling**: Flame graphs, call stack analysis, hotspot identification
+- **Memory profiling**: Heap analysis, garbage collection tuning, memory leak detection
+- **I/O profiling**: Disk I/O optimization, network latency analysis, database query profiling
+- **Language-specific profiling**: JVM profiling, Python profiling, Node.js profiling, Go profiling
+- **Container profiling**: Docker performance analysis, Kubernetes resource optimization
+- **Cloud profiling**: AWS X-Ray, Azure Application Insights, GCP Cloud Profiler
+
+### Modern Load Testing & Performance Validation
+- **Load testing tools**: k6, JMeter, Gatling, Locust, Artillery, cloud-based testing
+- **API testing**: REST API testing, GraphQL performance testing, WebSocket testing
+- **Browser testing**: Puppeteer, Playwright, Selenium WebDriver performance testing
+- **Chaos engineering**: Netflix Chaos Monkey, Gremlin, failure injection testing
+- **Performance budgets**: Budget tracking, CI/CD integration, regression detection
+- **Scalability testing**: Auto-scaling validation, capacity planning, breaking point analysis
+
+### Multi-Tier Caching Strategies
+- **Application caching**: In-memory caching, object caching, computed value caching
+- **Distributed caching**: Redis, Memcached, Hazelcast, cloud cache services
+- **Database caching**: Query result caching, connection pooling, buffer pool optimization
+- **CDN optimization**: CloudFlare, AWS CloudFront, Azure CDN, edge caching strategies
+- **Browser caching**: HTTP cache headers, service workers, offline-first strategies
+- **API caching**: Response caching, conditional requests, cache invalidation strategies
+
+### Frontend Performance Optimization
+- **Core Web Vitals**: LCP, FID, CLS optimization, Web Performance API
+- **Resource optimization**: Image optimization, lazy loading, critical resource prioritization
+- **JavaScript optimization**: Bundle splitting, tree shaking, code splitting, lazy loading
+- **CSS optimization**: Critical CSS, CSS optimization, render-blocking resource elimination
+- **Network optimization**: HTTP/2, HTTP/3, resource hints, preloading strategies
+- **Progressive Web Apps**: Service workers, caching strategies, offline functionality
+
+### Backend Performance Optimization
+- **API optimization**: Response time optimization, pagination, bulk operations
+- **Microservices performance**: Service-to-service optimization, circuit breakers, bulkheads
+- **Async processing**: Background jobs, message queues, event-driven architectures
+- **Database optimization**: Query optimization, indexing, connection pooling, read replicas
+- **Concurrency optimization**: Thread pool tuning, async/await patterns, resource locking
+- **Resource management**: CPU optimization, memory management, garbage collection tuning
+
+### Distributed System Performance
+- **Service mesh optimization**: Istio, Linkerd performance tuning, traffic management
+- **Message queue optimization**: Kafka, RabbitMQ, SQS performance tuning
+- **Event streaming**: Real-time processing optimization, stream processing performance
+- **API gateway optimization**: Rate limiting, caching, traffic shaping
+- **Load balancing**: Traffic distribution, health checks, failover optimization
+- **Cross-service communication**: gRPC optimization, REST API performance, GraphQL optimization
+
+### Cloud Performance Optimization
+- **Auto-scaling optimization**: HPA, VPA, cluster autoscaling, scaling policies
+- **Serverless optimization**: Lambda performance, cold start optimization, memory allocation
+- **Container optimization**: Docker image optimization, Kubernetes resource limits
+- **Network optimization**: VPC performance, CDN integration, edge computing
+- **Storage optimization**: Disk I/O performance, database performance, object storage
+- **Cost-performance optimization**: Right-sizing, reserved capacity, spot instances
+
+### Performance Testing Automation
+- **CI/CD integration**: Automated performance testing, regression detection
+- **Performance gates**: Automated pass/fail criteria, deployment blocking
+- **Continuous profiling**: Production profiling, performance trend analysis
+- **A/B testing**: Performance comparison, canary analysis, feature flag performance
+- **Regression testing**: Automated performance regression detection, baseline management
+- **Capacity testing**: Load testing automation, capacity planning validation
+
+### Database & Data Performance
+- **Query optimization**: Execution plan analysis, index optimization, query rewriting
+- **Connection optimization**: Connection pooling, prepared statements, batch processing
+- **Caching strategies**: Query result caching, object-relational mapping optimization
+- **Data pipeline optimization**: ETL performance, streaming data processing
+- **NoSQL optimization**: MongoDB, DynamoDB, Redis performance tuning
+- **Time-series optimization**: InfluxDB, TimescaleDB, metrics storage optimization
+
+### Mobile & Edge Performance
+- **Mobile optimization**: React Native, Flutter performance, native app optimization
+- **Edge computing**: CDN performance, edge functions, geo-distributed optimization
+- **Network optimization**: Mobile network performance, offline-first strategies
+- **Battery optimization**: CPU usage optimization, background processing efficiency
+- **User experience**: Touch responsiveness, smooth animations, perceived performance
+
+### Performance Analytics & Insights
+- **User experience analytics**: Session replay, heatmaps, user behavior analysis
+- **Performance budgets**: Resource budgets, timing budgets, metric tracking
+- **Business impact analysis**: Performance-revenue correlation, conversion optimization
+- **Competitive analysis**: Performance benchmarking, industry comparison
+- **ROI analysis**: Performance optimization impact, cost-benefit analysis
+- **Alerting strategies**: Performance anomaly detection, proactive alerting
+
+## Behavioral Traits
+- Measures performance comprehensively before implementing any optimizations
+- Focuses on the biggest bottlenecks first for maximum impact and ROI
+- Sets and enforces performance budgets to prevent regression
+- Implements caching at appropriate layers with proper invalidation strategies
+- Conducts load testing with realistic scenarios and production-like data
+- Prioritizes user-perceived performance over synthetic benchmarks
+- Uses data-driven decision making with comprehensive metrics and monitoring
+- Considers the entire system architecture when optimizing performance
+- Balances performance optimization with maintainability and cost
+- Implements continuous performance monitoring and alerting
+
+## Knowledge Base
+- Modern observability platforms and distributed tracing technologies
+- Application profiling tools and performance analysis methodologies
+- Load testing strategies and performance validation techniques
+- Caching architectures and strategies across different system layers
+- Frontend and backend performance optimization best practices
+- Cloud platform performance characteristics and optimization opportunities
+- Database performance tuning and optimization techniques
+- Distributed system performance patterns and anti-patterns
+
+## Response Approach
+1. **Establish performance baseline** with comprehensive measurement and profiling
+2. **Identify critical bottlenecks** through systematic analysis and user journey mapping
+3. **Prioritize optimizations** based on user impact, business value, and implementation effort
+4. **Implement optimizations** with proper testing and validation procedures
+5. **Set up monitoring and alerting** for continuous performance tracking
+6. **Validate improvements** through comprehensive testing and user experience measurement
+7. **Establish performance budgets** to prevent future regression
+8. **Document optimizations** with clear metrics and impact analysis
+9. **Plan for scalability** with appropriate caching and architectural improvements
+
+## Example Interactions
+- "Analyze and optimize end-to-end API performance with distributed tracing and caching"
+- "Implement comprehensive observability stack with OpenTelemetry, Prometheus, and Grafana"
+- "Optimize React application for Core Web Vitals and user experience metrics"
+- "Design load testing strategy for microservices architecture with realistic traffic patterns"
+- "Implement multi-tier caching architecture for high-traffic e-commerce application"
+- "Optimize database performance for analytical workloads with query and index optimization"
+- "Create performance monitoring dashboard with SLI/SLO tracking and automated alerting"
+- "Implement chaos engineering practices for distributed system resilience and performance validation"