@rubix0270/arboris 1.0.1 → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +8 -19
- package/run.mjs +10 -0
- package/dist/cli.mjs +0 -382
- package/manifest.json +0 -323
- package/prisma/skills/accessibility/SKILL.md +0 -147
- package/prisma/skills/agent-architecture-audit/SKILL.md +0 -257
- package/prisma/skills/agent-eval/SKILL.md +0 -146
- package/prisma/skills/agent-harness-construction/SKILL.md +0 -74
- package/prisma/skills/agent-introspection-debugging/SKILL.md +0 -154
- package/prisma/skills/agent-payment-x402/SKILL.md +0 -225
- package/prisma/skills/agent-self-evaluation/SKILL.md +0 -182
- package/prisma/skills/agent-self-evaluation/examples/high-score-example.md +0 -87
- package/prisma/skills/agent-self-evaluation/examples/low-score-example.md +0 -86
- package/prisma/skills/agent-self-evaluation/references/evaluation-criteria.md +0 -71
- package/prisma/skills/agent-self-evaluation/references/hook-integration.md +0 -64
- package/prisma/skills/agent-self-evaluation/scripts/evaluate.py +0 -408
- package/prisma/skills/agent-self-evaluation/templates/evaluation-report.md +0 -86
- package/prisma/skills/agent-sort/SKILL.md +0 -216
- package/prisma/skills/agentic-engineering/SKILL.md +0 -64
- package/prisma/skills/agentic-os/SKILL.md +0 -388
- package/prisma/skills/ai-first-engineering/SKILL.md +0 -52
- package/prisma/skills/ai-regression-testing/SKILL.md +0 -386
- package/prisma/skills/android-clean-architecture/SKILL.md +0 -340
- package/prisma/skills/angular-developer/SKILL.md +0 -155
- package/prisma/skills/angular-developer/references/angular-animations.md +0 -160
- package/prisma/skills/angular-developer/references/angular-aria.md +0 -410
- package/prisma/skills/angular-developer/references/cli.md +0 -86
- package/prisma/skills/angular-developer/references/component-harnesses.md +0 -59
- package/prisma/skills/angular-developer/references/component-styling.md +0 -91
- package/prisma/skills/angular-developer/references/components.md +0 -117
- package/prisma/skills/angular-developer/references/creating-services.md +0 -97
- package/prisma/skills/angular-developer/references/data-resolvers.md +0 -69
- package/prisma/skills/angular-developer/references/define-routes.md +0 -67
- package/prisma/skills/angular-developer/references/defining-providers.md +0 -72
- package/prisma/skills/angular-developer/references/di-fundamentals.md +0 -120
- package/prisma/skills/angular-developer/references/e2e-testing.md +0 -56
- package/prisma/skills/angular-developer/references/effects.md +0 -83
- package/prisma/skills/angular-developer/references/hierarchical-injectors.md +0 -43
- package/prisma/skills/angular-developer/references/host-elements.md +0 -80
- package/prisma/skills/angular-developer/references/injection-context.md +0 -63
- package/prisma/skills/angular-developer/references/inputs.md +0 -101
- package/prisma/skills/angular-developer/references/linked-signal.md +0 -59
- package/prisma/skills/angular-developer/references/loading-strategies.md +0 -61
- package/prisma/skills/angular-developer/references/mcp.md +0 -108
- package/prisma/skills/angular-developer/references/navigate-to-routes.md +0 -69
- package/prisma/skills/angular-developer/references/outputs.md +0 -86
- package/prisma/skills/angular-developer/references/reactive-forms.md +0 -122
- package/prisma/skills/angular-developer/references/rendering-strategies.md +0 -44
- package/prisma/skills/angular-developer/references/resource.md +0 -77
- package/prisma/skills/angular-developer/references/route-animations.md +0 -56
- package/prisma/skills/angular-developer/references/route-guards.md +0 -52
- package/prisma/skills/angular-developer/references/router-lifecycle.md +0 -45
- package/prisma/skills/angular-developer/references/router-testing.md +0 -87
- package/prisma/skills/angular-developer/references/show-routes-with-outlets.md +0 -68
- package/prisma/skills/angular-developer/references/signal-forms.md +0 -795
- package/prisma/skills/angular-developer/references/signals-overview.md +0 -94
- package/prisma/skills/angular-developer/references/tailwind-css.md +0 -69
- package/prisma/skills/angular-developer/references/template-driven-forms.md +0 -114
- package/prisma/skills/angular-developer/references/testing-fundamentals.md +0 -65
- package/prisma/skills/api-connector-builder/SKILL.md +0 -121
- package/prisma/skills/api-design/SKILL.md +0 -524
- package/prisma/skills/architecture-decision-records/SKILL.md +0 -180
- package/prisma/skills/article-writing/SKILL.md +0 -80
- package/prisma/skills/automation-audit-ops/SKILL.md +0 -143
- package/prisma/skills/autonomous-agent-harness/SKILL.md +0 -274
- package/prisma/skills/autonomous-loops/SKILL.md +0 -611
- package/prisma/skills/backend-patterns/SKILL.md +0 -562
- package/prisma/skills/benchmark/SKILL.md +0 -94
- package/prisma/skills/benchmark-methodology/SKILL.md +0 -190
- package/prisma/skills/benchmark-optimization-loop/SKILL.md +0 -70
- package/prisma/skills/blender-motion-state-inspection/SKILL.md +0 -165
- package/prisma/skills/blueprint/SKILL.md +0 -106
- package/prisma/skills/brand-discovery/SKILL.md +0 -145
- package/prisma/skills/brand-discovery/references/10_purpose-why.md +0 -40
- package/prisma/skills/brand-discovery/references/20_positioning.md +0 -44
- package/prisma/skills/brand-discovery/references/30_audience-niche.md +0 -52
- package/prisma/skills/brand-discovery/references/40_personality-archetype.md +0 -57
- package/prisma/skills/brand-discovery/references/50_voice-tone.md +0 -59
- package/prisma/skills/brand-discovery/references/60_narrative-story.md +0 -50
- package/prisma/skills/brand-discovery/references/70_founder-tension.md +0 -49
- package/prisma/skills/brand-discovery/references/90_SYNTHESIS.md +0 -133
- package/prisma/skills/brand-voice/SKILL.md +0 -98
- package/prisma/skills/brand-voice/references/voice-profile-schema.md +0 -55
- package/prisma/skills/browser-qa/SKILL.md +0 -105
- package/prisma/skills/bun-runtime/SKILL.md +0 -85
- package/prisma/skills/canary-watch/SKILL.md +0 -108
- package/prisma/skills/carrier-relationship-management/SKILL.md +0 -212
- package/prisma/skills/cisco-ios-patterns/SKILL.md +0 -164
- package/prisma/skills/ck/SKILL.md +0 -148
- package/prisma/skills/ck/commands/forget.mjs +0 -44
- package/prisma/skills/ck/commands/info.mjs +0 -24
- package/prisma/skills/ck/commands/init.mjs +0 -143
- package/prisma/skills/ck/commands/list.mjs +0 -40
- package/prisma/skills/ck/commands/migrate.mjs +0 -202
- package/prisma/skills/ck/commands/resume.mjs +0 -36
- package/prisma/skills/ck/commands/save.mjs +0 -210
- package/prisma/skills/ck/commands/shared.mjs +0 -387
- package/prisma/skills/ck/hooks/session-start.mjs +0 -224
- package/prisma/skills/claude-devfleet/SKILL.md +0 -112
- package/prisma/skills/click-path-audit/SKILL.md +0 -245
- package/prisma/skills/clickhouse-io/SKILL.md +0 -440
- package/prisma/skills/code-tour/SKILL.md +0 -254
- package/prisma/skills/codebase-onboarding/SKILL.md +0 -234
- package/prisma/skills/codehealth-mcp/SKILL.md +0 -167
- package/prisma/skills/coding-standards/SKILL.md +0 -551
- package/prisma/skills/competitive-platform-analysis/SKILL.md +0 -214
- package/prisma/skills/competitive-report-structure/SKILL.md +0 -162
- package/prisma/skills/compose-multiplatform-patterns/SKILL.md +0 -300
- package/prisma/skills/config-gc/SKILL.md +0 -120
- package/prisma/skills/configure-ecc/SKILL.md +0 -385
- package/prisma/skills/connections-optimizer/SKILL.md +0 -190
- package/prisma/skills/content-engine/SKILL.md +0 -132
- package/prisma/skills/content-hash-cache-pattern/SKILL.md +0 -162
- package/prisma/skills/context-budget/SKILL.md +0 -136
- package/prisma/skills/continuous-agent-loop/SKILL.md +0 -46
- package/prisma/skills/continuous-learning/SKILL.md +0 -132
- package/prisma/skills/continuous-learning/config.json +0 -18
- package/prisma/skills/continuous-learning/evaluate-session.sh +0 -69
- package/prisma/skills/continuous-learning-v2/SKILL.md +0 -361
- package/prisma/skills/continuous-learning-v2/agents/observer-loop.sh +0 -359
- package/prisma/skills/continuous-learning-v2/agents/observer.md +0 -189
- package/prisma/skills/continuous-learning-v2/agents/session-guardian.sh +0 -150
- package/prisma/skills/continuous-learning-v2/agents/start-observer.sh +0 -248
- package/prisma/skills/continuous-learning-v2/config.json +0 -8
- package/prisma/skills/continuous-learning-v2/hooks/observe.sh +0 -585
- package/prisma/skills/continuous-learning-v2/scripts/detect-project.sh +0 -322
- package/prisma/skills/continuous-learning-v2/scripts/instinct-cli.py +0 -1956
- package/prisma/skills/continuous-learning-v2/scripts/lib/homunculus-dir.sh +0 -31
- package/prisma/skills/continuous-learning-v2/scripts/migrate-homunculus.sh +0 -68
- package/prisma/skills/continuous-learning-v2/scripts/test_parse_instinct.py +0 -1421
- package/prisma/skills/cost-aware-llm-pipeline/SKILL.md +0 -184
- package/prisma/skills/cost-tracking/SKILL.md +0 -97
- package/prisma/skills/council/SKILL.md +0 -204
- package/prisma/skills/cpp-coding-standards/SKILL.md +0 -724
- package/prisma/skills/cpp-testing/SKILL.md +0 -325
- package/prisma/skills/crosspost/SKILL.md +0 -112
- package/prisma/skills/csharp-testing/SKILL.md +0 -322
- package/prisma/skills/customer-billing-ops/SKILL.md +0 -141
- package/prisma/skills/customs-trade-compliance/SKILL.md +0 -263
- package/prisma/skills/dart-flutter-patterns/SKILL.md +0 -564
- package/prisma/skills/dashboard-builder/SKILL.md +0 -109
- package/prisma/skills/data-scraper-agent/SKILL.md +0 -765
- package/prisma/skills/data-throughput-accelerator/SKILL.md +0 -73
- package/prisma/skills/database-migrations/SKILL.md +0 -430
- package/prisma/skills/deep-research/SKILL.md +0 -160
- package/prisma/skills/defi-amm-security/SKILL.md +0 -167
- package/prisma/skills/delivery-gate/SKILL.md +0 -126
- package/prisma/skills/delivery-gate/hooks/quality-gate.py +0 -220
- package/prisma/skills/deployment-patterns/SKILL.md +0 -428
- package/prisma/skills/design-system/SKILL.md +0 -83
- package/prisma/skills/django-celery/SKILL.md +0 -458
- package/prisma/skills/django-patterns/SKILL.md +0 -735
- package/prisma/skills/django-security/SKILL.md +0 -644
- package/prisma/skills/django-tdd/SKILL.md +0 -730
- package/prisma/skills/django-verification/SKILL.md +0 -470
- package/prisma/skills/dmux-workflows/SKILL.md +0 -192
- package/prisma/skills/docker-patterns/SKILL.md +0 -365
- package/prisma/skills/documentation-lookup/SKILL.md +0 -91
- package/prisma/skills/dotnet-patterns/SKILL.md +0 -322
- package/prisma/skills/dynamic-workflow-mode/SKILL.md +0 -124
- package/prisma/skills/e2e-testing/SKILL.md +0 -327
- package/prisma/skills/ecc-guide/SKILL.md +0 -190
- package/prisma/skills/ecc-recipes/SKILL.md +0 -149
- package/prisma/skills/ecc-tools-cost-audit/SKILL.md +0 -161
- package/prisma/skills/email-ops/SKILL.md +0 -122
- package/prisma/skills/energy-procurement/SKILL.md +0 -228
- package/prisma/skills/enterprise-agent-ops/SKILL.md +0 -51
- package/prisma/skills/error-handling/SKILL.md +0 -377
- package/prisma/skills/eval-harness/SKILL.md +0 -271
- package/prisma/skills/evm-token-decimals/SKILL.md +0 -131
- package/prisma/skills/exa-search/SKILL.md +0 -108
- package/prisma/skills/fal-ai-media/SKILL.md +0 -289
- package/prisma/skills/fastapi-patterns/SKILL.md +0 -514
- package/prisma/skills/finance-billing-ops/SKILL.md +0 -128
- package/prisma/skills/flox-environments/SKILL.md +0 -497
- package/prisma/skills/flutter-dart-code-review/SKILL.md +0 -436
- package/prisma/skills/foundation-models-on-device/SKILL.md +0 -243
- package/prisma/skills/frontend-a11y/SKILL.md +0 -446
- package/prisma/skills/frontend-design-direction/SKILL.md +0 -93
- package/prisma/skills/frontend-patterns/SKILL.md +0 -657
- package/prisma/skills/frontend-slides/SKILL.md +0 -185
- package/prisma/skills/frontend-slides/STYLE_PRESETS.md +0 -330
- package/prisma/skills/frontend-slides/animation-patterns.md +0 -122
- package/prisma/skills/frontend-slides/html-template.md +0 -419
- package/prisma/skills/frontend-slides/scripts/export-pdf.sh +0 -418
- package/prisma/skills/frontend-slides/scripts/extract-pptx.py +0 -96
- package/prisma/skills/frontend-slides/viewport-base.css +0 -153
- package/prisma/skills/fsharp-testing/SKILL.md +0 -281
- package/prisma/skills/gan-style-harness/SKILL.md +0 -279
- package/prisma/skills/gateguard/SKILL.md +0 -133
- package/prisma/skills/generating-python-installer/SKILL.md +0 -820
- package/prisma/skills/git-workflow/SKILL.md +0 -716
- package/prisma/skills/github-ops/SKILL.md +0 -145
- package/prisma/skills/golang-patterns/SKILL.md +0 -675
- package/prisma/skills/golang-testing/SKILL.md +0 -721
- package/prisma/skills/google-workspace-ops/SKILL.md +0 -96
- package/prisma/skills/growth-log/SKILL.md +0 -128
- package/prisma/skills/healthcare-cdss-patterns/SKILL.md +0 -246
- package/prisma/skills/healthcare-emr-patterns/SKILL.md +0 -160
- package/prisma/skills/healthcare-eval-harness/SKILL.md +0 -208
- package/prisma/skills/healthcare-phi-compliance/SKILL.md +0 -146
- package/prisma/skills/hermes-imports/SKILL.md +0 -89
- package/prisma/skills/hexagonal-architecture/SKILL.md +0 -277
- package/prisma/skills/hipaa-compliance/SKILL.md +0 -79
- package/prisma/skills/homelab-network-readiness/SKILL.md +0 -170
- package/prisma/skills/homelab-network-setup/SKILL.md +0 -130
- package/prisma/skills/homelab-pihole-dns/SKILL.md +0 -275
- package/prisma/skills/homelab-vlan-segmentation/SKILL.md +0 -312
- package/prisma/skills/homelab-wireguard-vpn/SKILL.md +0 -306
- package/prisma/skills/hookify-rules/SKILL.md +0 -128
- package/prisma/skills/inherit-legacy-style/SKILL.md +0 -157
- package/prisma/skills/intent-driven-development/SKILL.md +0 -360
- package/prisma/skills/inventory-demand-planning/SKILL.md +0 -247
- package/prisma/skills/investor-materials/SKILL.md +0 -97
- package/prisma/skills/investor-outreach/SKILL.md +0 -92
- package/prisma/skills/ios-icon-gen/SKILL.md +0 -158
- package/prisma/skills/ios-icon-gen/scripts/generate_icons.swift +0 -258
- package/prisma/skills/ios-icon-gen/scripts/iconify_gen.sh +0 -235
- package/prisma/skills/iterative-retrieval/SKILL.md +0 -212
- package/prisma/skills/ito-basket-compare/SKILL.md +0 -64
- package/prisma/skills/ito-data-atlas-agent/SKILL.md +0 -64
- package/prisma/skills/ito-market-intelligence/SKILL.md +0 -61
- package/prisma/skills/ito-trade-planner/SKILL.md +0 -68
- package/prisma/skills/java-coding-standards/SKILL.md +0 -384
- package/prisma/skills/jira-integration/SKILL.md +0 -303
- package/prisma/skills/jpa-patterns/SKILL.md +0 -152
- package/prisma/skills/knowledge-ops/SKILL.md +0 -155
- package/prisma/skills/kotlin-coroutines-flows/SKILL.md +0 -285
- package/prisma/skills/kotlin-exposed-patterns/SKILL.md +0 -720
- package/prisma/skills/kotlin-ktor-patterns/SKILL.md +0 -690
- package/prisma/skills/kotlin-patterns/SKILL.md +0 -712
- package/prisma/skills/kotlin-testing/SKILL.md +0 -825
- package/prisma/skills/kubernetes-patterns/SKILL.md +0 -756
- package/prisma/skills/laravel-patterns/SKILL.md +0 -416
- package/prisma/skills/laravel-plugin-discovery/SKILL.md +0 -230
- package/prisma/skills/laravel-security/SKILL.md +0 -948
- package/prisma/skills/laravel-tdd/SKILL.md +0 -675
- package/prisma/skills/laravel-verification/SKILL.md +0 -180
- package/prisma/skills/latency-critical-systems/SKILL.md +0 -74
- package/prisma/skills/lead-intelligence/SKILL.md +0 -322
- package/prisma/skills/lead-intelligence/agents/enrichment-agent.md +0 -85
- package/prisma/skills/lead-intelligence/agents/mutual-mapper.md +0 -75
- package/prisma/skills/lead-intelligence/agents/outreach-drafter.md +0 -98
- package/prisma/skills/lead-intelligence/agents/signal-scorer.md +0 -60
- package/prisma/skills/liquid-glass-design/SKILL.md +0 -279
- package/prisma/skills/llm-trading-agent-security/SKILL.md +0 -147
- package/prisma/skills/logistics-exception-management/SKILL.md +0 -222
- package/prisma/skills/loop-design-check/SKILL.md +0 -143
- package/prisma/skills/mailtrap-email-integration/SKILL.md +0 -77
- package/prisma/skills/make-interfaces-feel-better/SKILL.md +0 -152
- package/prisma/skills/manim-video/SKILL.md +0 -90
- package/prisma/skills/manim-video/assets/network_graph_scene.py +0 -52
- package/prisma/skills/market-research/SKILL.md +0 -76
- package/prisma/skills/marketing-campaign/SKILL.md +0 -114
- package/prisma/skills/mcp-server-patterns/SKILL.md +0 -70
- package/prisma/skills/messages-ops/SKILL.md +0 -105
- package/prisma/skills/ml-adoption-playbook/SKILL.md +0 -57
- package/prisma/skills/mle-workflow/SKILL.md +0 -347
- package/prisma/skills/motion-advanced/SKILL.md +0 -596
- package/prisma/skills/motion-foundations/SKILL.md +0 -299
- package/prisma/skills/motion-patterns/SKILL.md +0 -434
- package/prisma/skills/motion-ui/SKILL.md +0 -576
- package/prisma/skills/mysql-patterns/SKILL.md +0 -413
- package/prisma/skills/nanoclaw-repl/SKILL.md +0 -34
- package/prisma/skills/nestjs-patterns/SKILL.md +0 -231
- package/prisma/skills/netmiko-ssh-automation/SKILL.md +0 -174
- package/prisma/skills/network-bgp-diagnostics/SKILL.md +0 -168
- package/prisma/skills/network-config-validation/SKILL.md +0 -211
- package/prisma/skills/network-interface-health/SKILL.md +0 -153
- package/prisma/skills/nextjs-turbopack/SKILL.md +0 -58
- package/prisma/skills/nodejs-keccak256/SKILL.md +0 -103
- package/prisma/skills/nutrient-document-processing/SKILL.md +0 -168
- package/prisma/skills/nuxt4-patterns/SKILL.md +0 -101
- package/prisma/skills/openclaw-persona-forge/SKILL.md +0 -289
- package/prisma/skills/openclaw-persona-forge/gacha.py +0 -224
- package/prisma/skills/openclaw-persona-forge/gacha.sh +0 -5
- package/prisma/skills/openclaw-persona-forge/references/avatar-style.md +0 -124
- package/prisma/skills/openclaw-persona-forge/references/boundary-rules.md +0 -53
- package/prisma/skills/openclaw-persona-forge/references/error-handling.md +0 -53
- package/prisma/skills/openclaw-persona-forge/references/identity-tension.md +0 -48
- package/prisma/skills/openclaw-persona-forge/references/naming-system.md +0 -39
- package/prisma/skills/openclaw-persona-forge/references/output-template.md +0 -166
- package/prisma/skills/opensource-pipeline/SKILL.md +0 -256
- package/prisma/skills/orch-add-feature/SKILL.md +0 -45
- package/prisma/skills/orch-build-mvp/SKILL.md +0 -49
- package/prisma/skills/orch-change-feature/SKILL.md +0 -43
- package/prisma/skills/orch-fix-defect/SKILL.md +0 -43
- package/prisma/skills/orch-pipeline/SKILL.md +0 -121
- package/prisma/skills/orch-refine-code/SKILL.md +0 -44
- package/prisma/skills/parallel-execution-optimizer/SKILL.md +0 -73
- package/prisma/skills/perl-patterns/SKILL.md +0 -505
- package/prisma/skills/perl-security/SKILL.md +0 -504
- package/prisma/skills/perl-testing/SKILL.md +0 -476
- package/prisma/skills/plan-orchestrate/SKILL.md +0 -263
- package/prisma/skills/plankton-code-quality/SKILL.md +0 -237
- package/prisma/skills/postgres-patterns/SKILL.md +0 -148
- package/prisma/skills/prediction-market-oracle-research/SKILL.md +0 -64
- package/prisma/skills/prediction-market-risk-review/SKILL.md +0 -61
- package/prisma/skills/prisma-patterns/SKILL.md +0 -401
- package/prisma/skills/product-capability/SKILL.md +0 -142
- package/prisma/skills/product-lens/SKILL.md +0 -93
- package/prisma/skills/production-audit/SKILL.md +0 -207
- package/prisma/skills/production-scheduling/SKILL.md +0 -238
- package/prisma/skills/project-flow-ops/SKILL.md +0 -112
- package/prisma/skills/prompt-optimizer/SKILL.md +0 -398
- package/prisma/skills/python-patterns/SKILL.md +0 -751
- package/prisma/skills/python-testing/SKILL.md +0 -817
- package/prisma/skills/pytorch-patterns/SKILL.md +0 -397
- package/prisma/skills/quality-nonconformance/SKILL.md +0 -260
- package/prisma/skills/quarkus-patterns/SKILL.md +0 -723
- package/prisma/skills/quarkus-security/SKILL.md +0 -468
- package/prisma/skills/quarkus-tdd/SKILL.md +0 -812
- package/prisma/skills/quarkus-verification/SKILL.md +0 -480
- package/prisma/skills/ralphinho-rfc-pipeline/SKILL.md +0 -68
- package/prisma/skills/react-native-patterns/SKILL.md +0 -326
- package/prisma/skills/react-patterns/SKILL.md +0 -342
- package/prisma/skills/react-performance/SKILL.md +0 -575
- package/prisma/skills/react-testing/SKILL.md +0 -424
- package/prisma/skills/recsys-pipeline-architect/SKILL.md +0 -115
- package/prisma/skills/recursive-decision-ledger/SKILL.md +0 -80
- package/prisma/skills/redis-patterns/SKILL.md +0 -404
- package/prisma/skills/regex-vs-llm-structured-text/SKILL.md +0 -221
- package/prisma/skills/remotion-video-creation/SKILL.md +0 -43
- package/prisma/skills/remotion-video-creation/rules/3d.md +0 -86
- package/prisma/skills/remotion-video-creation/rules/animations.md +0 -29
- package/prisma/skills/remotion-video-creation/rules/assets/charts-bar-chart.tsx +0 -173
- package/prisma/skills/remotion-video-creation/rules/assets/text-animations-typewriter.tsx +0 -100
- package/prisma/skills/remotion-video-creation/rules/assets/text-animations-word-highlight.tsx +0 -108
- package/prisma/skills/remotion-video-creation/rules/assets.md +0 -78
- package/prisma/skills/remotion-video-creation/rules/audio.md +0 -172
- package/prisma/skills/remotion-video-creation/rules/calculate-metadata.md +0 -104
- package/prisma/skills/remotion-video-creation/rules/can-decode.md +0 -75
- package/prisma/skills/remotion-video-creation/rules/charts.md +0 -58
- package/prisma/skills/remotion-video-creation/rules/compositions.md +0 -146
- package/prisma/skills/remotion-video-creation/rules/display-captions.md +0 -126
- package/prisma/skills/remotion-video-creation/rules/extract-frames.md +0 -229
- package/prisma/skills/remotion-video-creation/rules/fonts.md +0 -152
- package/prisma/skills/remotion-video-creation/rules/get-audio-duration.md +0 -58
- package/prisma/skills/remotion-video-creation/rules/get-video-dimensions.md +0 -68
- package/prisma/skills/remotion-video-creation/rules/get-video-duration.md +0 -58
- package/prisma/skills/remotion-video-creation/rules/gifs.md +0 -138
- package/prisma/skills/remotion-video-creation/rules/images.md +0 -130
- package/prisma/skills/remotion-video-creation/rules/import-srt-captions.md +0 -67
- package/prisma/skills/remotion-video-creation/rules/lottie.md +0 -67
- package/prisma/skills/remotion-video-creation/rules/measuring-dom-nodes.md +0 -34
- package/prisma/skills/remotion-video-creation/rules/measuring-text.md +0 -143
- package/prisma/skills/remotion-video-creation/rules/sequencing.md +0 -106
- package/prisma/skills/remotion-video-creation/rules/tailwind.md +0 -11
- package/prisma/skills/remotion-video-creation/rules/text-animations.md +0 -20
- package/prisma/skills/remotion-video-creation/rules/timing.md +0 -179
- package/prisma/skills/remotion-video-creation/rules/transcribe-captions.md +0 -19
- package/prisma/skills/remotion-video-creation/rules/transitions.md +0 -122
- package/prisma/skills/remotion-video-creation/rules/trimming.md +0 -52
- package/prisma/skills/remotion-video-creation/rules/videos.md +0 -171
- package/prisma/skills/repo-scan/SKILL.md +0 -79
- package/prisma/skills/research-ops/SKILL.md +0 -113
- package/prisma/skills/returns-reverse-logistics/SKILL.md +0 -240
- package/prisma/skills/rules-distill/SKILL.md +0 -265
- package/prisma/skills/rules-distill/scripts/scan-rules.sh +0 -58
- package/prisma/skills/rules-distill/scripts/scan-skills.sh +0 -129
- package/prisma/skills/rust-patterns/SKILL.md +0 -500
- package/prisma/skills/rust-testing/SKILL.md +0 -501
- package/prisma/skills/safety-guard/SKILL.md +0 -76
- package/prisma/skills/santa-method/SKILL.md +0 -307
- package/prisma/skills/scientific-db-pubmed-database/SKILL.md +0 -176
- package/prisma/skills/scientific-db-uspto-database/SKILL.md +0 -178
- package/prisma/skills/scientific-pkg-gget/SKILL.md +0 -167
- package/prisma/skills/scientific-thinking-literature-review/SKILL.md +0 -193
- package/prisma/skills/scientific-thinking-scholar-evaluation/SKILL.md +0 -161
- package/prisma/skills/search-first/SKILL.md +0 -183
- package/prisma/skills/security-bounty-hunter/SKILL.md +0 -100
- package/prisma/skills/security-review/SKILL.md +0 -504
- package/prisma/skills/security-review/cloud-infrastructure-security.md +0 -361
- package/prisma/skills/security-scan/SKILL.md +0 -166
- package/prisma/skills/seo/SKILL.md +0 -155
- package/prisma/skills/skill-comply/SKILL.md +0 -59
- package/prisma/skills/skill-comply/fixtures/compliant_trace.jsonl +0 -5
- package/prisma/skills/skill-comply/fixtures/noncompliant_trace.jsonl +0 -3
- package/prisma/skills/skill-comply/fixtures/tdd_spec.yaml +0 -44
- package/prisma/skills/skill-comply/prompts/classifier.md +0 -24
- package/prisma/skills/skill-comply/prompts/scenario_generator.md +0 -62
- package/prisma/skills/skill-comply/prompts/spec_generator.md +0 -42
- package/prisma/skills/skill-comply/pyproject.toml +0 -15
- package/prisma/skills/skill-comply/scripts/__init__.py +0 -0
- package/prisma/skills/skill-comply/scripts/classifier.py +0 -85
- package/prisma/skills/skill-comply/scripts/grader.py +0 -124
- package/prisma/skills/skill-comply/scripts/parser.py +0 -107
- package/prisma/skills/skill-comply/scripts/report.py +0 -170
- package/prisma/skills/skill-comply/scripts/run.py +0 -127
- package/prisma/skills/skill-comply/scripts/runner.py +0 -194
- package/prisma/skills/skill-comply/scripts/scenario_generator.py +0 -70
- package/prisma/skills/skill-comply/scripts/spec_generator.py +0 -72
- package/prisma/skills/skill-comply/scripts/utils.py +0 -13
- package/prisma/skills/skill-comply/tests/test_grader.py +0 -197
- package/prisma/skills/skill-comply/tests/test_parser.py +0 -90
- package/prisma/skills/skill-comply/tests/test_runner.py +0 -172
- package/prisma/skills/skill-scout/SKILL.md +0 -141
- package/prisma/skills/skill-stocktake/SKILL.md +0 -195
- package/prisma/skills/skill-stocktake/scripts/quick-diff.sh +0 -87
- package/prisma/skills/skill-stocktake/scripts/save-results.sh +0 -56
- package/prisma/skills/skill-stocktake/scripts/scan.sh +0 -170
- package/prisma/skills/social-graph-ranker/SKILL.md +0 -155
- package/prisma/skills/social-publisher/SKILL.md +0 -130
- package/prisma/skills/springboot-patterns/SKILL.md +0 -315
- package/prisma/skills/springboot-security/SKILL.md +0 -273
- package/prisma/skills/springboot-tdd/SKILL.md +0 -159
- package/prisma/skills/springboot-verification/SKILL.md +0 -232
- package/prisma/skills/strategic-compact/SKILL.md +0 -136
- package/prisma/skills/swift-actor-persistence/SKILL.md +0 -144
- package/prisma/skills/swift-concurrency-6-2/SKILL.md +0 -216
- package/prisma/skills/swift-protocol-di-testing/SKILL.md +0 -191
- package/prisma/skills/swiftui-patterns/SKILL.md +0 -259
- package/prisma/skills/taste/SKILL.md +0 -264
- package/prisma/skills/taste/references/genre-taxonomy.md +0 -87
- package/prisma/skills/tdd-workflow/SKILL.md +0 -583
- package/prisma/skills/team-agent-orchestration/SKILL.md +0 -111
- package/prisma/skills/team-builder/SKILL.md +0 -169
- package/prisma/skills/terminal-ops/SKILL.md +0 -110
- package/prisma/skills/tinystruct-patterns/SKILL.md +0 -279
- package/prisma/skills/tinystruct-patterns/references/architecture.md +0 -90
- package/prisma/skills/tinystruct-patterns/references/data-handling.md +0 -60
- package/prisma/skills/tinystruct-patterns/references/database.md +0 -99
- package/prisma/skills/tinystruct-patterns/references/routing.md +0 -64
- package/prisma/skills/tinystruct-patterns/references/system-usage.md +0 -97
- package/prisma/skills/tinystruct-patterns/references/testing.md +0 -72
- package/prisma/skills/token-budget-advisor/SKILL.md +0 -134
- package/prisma/skills/ui-demo/SKILL.md +0 -466
- package/prisma/skills/ui-to-vue/SKILL.md +0 -135
- package/prisma/skills/uncloud/SKILL.md +0 -344
- package/prisma/skills/unified-notifications-ops/SKILL.md +0 -188
- package/prisma/skills/verification-loop/SKILL.md +0 -127
- package/prisma/skills/video-editing/SKILL.md +0 -311
- package/prisma/skills/videodb/SKILL.md +0 -375
- package/prisma/skills/videodb/reference/api-reference.md +0 -550
- package/prisma/skills/videodb/reference/capture-reference.md +0 -407
- package/prisma/skills/videodb/reference/capture.md +0 -101
- package/prisma/skills/videodb/reference/editor.md +0 -443
- package/prisma/skills/videodb/reference/generative.md +0 -331
- package/prisma/skills/videodb/reference/rtstream-reference.md +0 -564
- package/prisma/skills/videodb/reference/rtstream.md +0 -65
- package/prisma/skills/videodb/reference/search.md +0 -230
- package/prisma/skills/videodb/reference/streaming.md +0 -406
- package/prisma/skills/videodb/reference/use-cases.md +0 -118
- package/prisma/skills/videodb/scripts/ws_listener.py +0 -282
- package/prisma/skills/visa-doc-translate/README.md +0 -86
- package/prisma/skills/visa-doc-translate/SKILL.md +0 -117
- package/prisma/skills/vite-patterns/SKILL.md +0 -450
- package/prisma/skills/vue-patterns/SKILL.md +0 -471
- package/prisma/skills/windows-desktop-e2e/SKILL.md +0 -888
- package/prisma/skills/workspace-surface-audit/SKILL.md +0 -126
- package/prisma/skills/x-api/SKILL.md +0 -235
|
@@ -1,948 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: laravel-security
|
|
3
|
-
description: Laravel security best practices — authentication, authorization, Eloquent safety, CSRF, XSS prevention, API security, and secure deployment configurations.
|
|
4
|
-
metadata:
|
|
5
|
-
origin: ECC
|
|
6
|
-
---
|
|
7
|
-
|
|
8
|
-
# Laravel Security Best Practices
|
|
9
|
-
|
|
10
|
-
Comprehensive security guidelines for Laravel applications to protect against common vulnerabilities.
|
|
11
|
-
|
|
12
|
-
## When to Activate
|
|
13
|
-
|
|
14
|
-
- Setting up Laravel authentication and authorization (Sanctum, Passport, Jetstream, Breeze)
|
|
15
|
-
- Implementing user roles, permissions, and policies
|
|
16
|
-
- Configuring production security settings and environment variables
|
|
17
|
-
- Reviewing Laravel applications for security vulnerabilities
|
|
18
|
-
- Deploying Laravel applications to production
|
|
19
|
-
- Writing secure Eloquent queries and migrations
|
|
20
|
-
|
|
21
|
-
## Production Configuration
|
|
22
|
-
|
|
23
|
-
### Essential Production Settings
|
|
24
|
-
|
|
25
|
-
```php
|
|
26
|
-
// config/app.php
|
|
27
|
-
'env' => env('APP_ENV', 'production'),
|
|
28
|
-
'debug' => (bool) env('APP_DEBUG', false), // CRITICAL: Never true in production
|
|
29
|
-
'key' => env('APP_KEY'), // Must be set: php artisan key:generate
|
|
30
|
-
|
|
31
|
-
// config/session.php
|
|
32
|
-
'secure' => env('SESSION_SECURE_COOKIE', true),
|
|
33
|
-
'http_only' => true,
|
|
34
|
-
'same_site' => 'lax',
|
|
35
|
-
|
|
36
|
-
// Verify APP_KEY is set at boot
|
|
37
|
-
// bootstrap/app.php or a service provider
|
|
38
|
-
if (empty(config('app.key'))) {
|
|
39
|
-
throw new RuntimeException('APP_KEY is not set. Run: php artisan key:generate');
|
|
40
|
-
}
|
|
41
|
-
```
|
|
42
|
-
|
|
43
|
-
### Environment File Security
|
|
44
|
-
|
|
45
|
-
```bash
|
|
46
|
-
# NEVER commit .env to version control
|
|
47
|
-
# .gitignore already includes .env by default
|
|
48
|
-
|
|
49
|
-
# Use .env.example with placeholders instead
|
|
50
|
-
DB_PASSWORD=
|
|
51
|
-
APP_KEY=
|
|
52
|
-
SANCTUM_TOKEN_PREFIX=
|
|
53
|
-
|
|
54
|
-
# Validate required variables at boot
|
|
55
|
-
// In AppServiceProvider::boot()
|
|
56
|
-
$requiredKeys = ['app.key', 'database.connections.mysql.database', 'database.connections.mysql.username'];
|
|
57
|
-
foreach ($requiredKeys as $key) {
|
|
58
|
-
if (empty(config($key))) {
|
|
59
|
-
throw new RuntimeException("Missing required config key: {$key}");
|
|
60
|
-
}
|
|
61
|
-
}
|
|
62
|
-
```
|
|
63
|
-
|
|
64
|
-
### HTTPS Enforcement
|
|
65
|
-
|
|
66
|
-
```php
|
|
67
|
-
// AppServiceProvider::boot() or middleware
|
|
68
|
-
if (app()->environment('production')) {
|
|
69
|
-
URL::forceScheme('https');
|
|
70
|
-
request()->server->set('HTTPS', 'on');
|
|
71
|
-
}
|
|
72
|
-
|
|
73
|
-
// config/app.php for trusted proxies (load balancers)
|
|
74
|
-
// Use specific IP ranges — * trusts all, allowing X-Forwarded-* spoofing
|
|
75
|
-
// AWS: '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
|
|
76
|
-
'trusted_proxies' => ['10.0.0.0/8', '172.16.0.0/12'],
|
|
77
|
-
|
|
78
|
-
// Force HTTPS in production via middleware
|
|
79
|
-
// app/Http/Middleware/ForceHttps.php
|
|
80
|
-
public function handle($request, Closure $next)
|
|
81
|
-
{
|
|
82
|
-
if (!$request->secure() && app()->environment('production')) {
|
|
83
|
-
return redirect()->secure($request->getRequestUri());
|
|
84
|
-
}
|
|
85
|
-
return $next($request);
|
|
86
|
-
}
|
|
87
|
-
```
|
|
88
|
-
|
|
89
|
-
## Authentication
|
|
90
|
-
|
|
91
|
-
### Sanctum (API Token Authentication)
|
|
92
|
-
|
|
93
|
-
```php
|
|
94
|
-
// config/sanctum.php
|
|
95
|
-
'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
|
|
96
|
-
'%s%s',
|
|
97
|
-
'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
|
|
98
|
-
env('APP_URL') ? ',' . parse_url(env('APP_URL'), PHP_URL_HOST) : ''
|
|
99
|
-
)));
|
|
100
|
-
|
|
101
|
-
'expiration' => 60 * 24, // Token expiration in minutes (null = never)
|
|
102
|
-
'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
|
|
103
|
-
|
|
104
|
-
// Issuing tokens with abilities
|
|
105
|
-
$token = $user->createToken('api-token', ['read', 'write'])->plainTextToken;
|
|
106
|
-
|
|
107
|
-
// Validate abilities on routes
|
|
108
|
-
Route::middleware('auth:sanctum')->group(function () {
|
|
109
|
-
Route::get('/orders', function () {
|
|
110
|
-
// User must have 'read' ability
|
|
111
|
-
abort_unless(Auth::user()->tokenCan('read'), 403);
|
|
112
|
-
// ...
|
|
113
|
-
})->middleware('abilities:read');
|
|
114
|
-
|
|
115
|
-
Route::post('/orders', function () {
|
|
116
|
-
// User must have 'write' ability
|
|
117
|
-
abort_unless(Auth::user()->tokenCan('write'), 403);
|
|
118
|
-
// ...
|
|
119
|
-
})->middleware('abilities:write');
|
|
120
|
-
});
|
|
121
|
-
```
|
|
122
|
-
|
|
123
|
-
### Password Security
|
|
124
|
-
|
|
125
|
-
```php
|
|
126
|
-
// config/hashing.php
|
|
127
|
-
// Default is bcrypt. Argon2id is stronger.
|
|
128
|
-
'bcrypt' => [
|
|
129
|
-
'rounds' => env('BCRYPT_ROUNDS', 12), // Increase for stronger hashing
|
|
130
|
-
],
|
|
131
|
-
|
|
132
|
-
'argon' => [
|
|
133
|
-
'memory' => 65536,
|
|
134
|
-
'threads' => 4,
|
|
135
|
-
'time' => 4,
|
|
136
|
-
],
|
|
137
|
-
|
|
138
|
-
// Password validation in RegisterRequest
|
|
139
|
-
public function rules(): array
|
|
140
|
-
{
|
|
141
|
-
return [
|
|
142
|
-
'password' => [
|
|
143
|
-
'required',
|
|
144
|
-
'confirmed',
|
|
145
|
-
Password::min(12)
|
|
146
|
-
->letters()
|
|
147
|
-
->mixedCase()
|
|
148
|
-
->numbers()
|
|
149
|
-
->symbols()
|
|
150
|
-
->uncompromised(), // Checks haveibeenpwned
|
|
151
|
-
],
|
|
152
|
-
];
|
|
153
|
-
}
|
|
154
|
-
|
|
155
|
-
// Rate limit login attempts
|
|
156
|
-
// App\Http\Controllers\Auth\AuthenticatedSessionController
|
|
157
|
-
protected function authenticated(Request $request, $user)
|
|
158
|
-
{
|
|
159
|
-
if ($user->wasRecentlyLockedOut()) {
|
|
160
|
-
// Notify user of suspicious login
|
|
161
|
-
$user->notify(new SuspiciousLoginNotification($request->ip()));
|
|
162
|
-
}
|
|
163
|
-
}
|
|
164
|
-
```
|
|
165
|
-
|
|
166
|
-
### Session Management
|
|
167
|
-
|
|
168
|
-
```php
|
|
169
|
-
// config/session.php
|
|
170
|
-
'driver' => env('SESSION_DRIVER', 'database'), // database/redis > file
|
|
171
|
-
'lifetime' => env('SESSION_LIFETIME', 120),
|
|
172
|
-
'expire_on_close' => env('SESSION_EXPIRE_ON_CLOSE', false),
|
|
173
|
-
'encrypt' => env('SESSION_ENCRYPT', false),
|
|
174
|
-
|
|
175
|
-
// Regenerate session on login
|
|
176
|
-
// App\Http\Controllers\Auth\AuthenticatedSessionController
|
|
177
|
-
public function store(LoginRequest $request): RedirectResponse
|
|
178
|
-
{
|
|
179
|
-
$request->authenticate();
|
|
180
|
-
$request->session()->regenerate(); // CRITICAL: prevents session fixation
|
|
181
|
-
return redirect()->intended(RouteServiceProvider::HOME);
|
|
182
|
-
}
|
|
183
|
-
|
|
184
|
-
// Invalidate session on logout
|
|
185
|
-
public function destroy(Request $request): RedirectResponse
|
|
186
|
-
{
|
|
187
|
-
Auth::guard('web')->logout();
|
|
188
|
-
$request->session()->invalidate();
|
|
189
|
-
$request->session()->regenerateToken();
|
|
190
|
-
return redirect('/');
|
|
191
|
-
}
|
|
192
|
-
```
|
|
193
|
-
|
|
194
|
-
## Authorization
|
|
195
|
-
|
|
196
|
-
### Gates
|
|
197
|
-
|
|
198
|
-
```php
|
|
199
|
-
// App\Providers\AuthServiceProvider
|
|
200
|
-
use App\Models\Post;
|
|
201
|
-
use App\Models\User;
|
|
202
|
-
use Illuminate\Support\Facades\Gate;
|
|
203
|
-
|
|
204
|
-
public function boot(): void
|
|
205
|
-
{
|
|
206
|
-
Gate::define('update-post', function (User $user, Post $post): bool {
|
|
207
|
-
return $user->id === $post->user_id;
|
|
208
|
-
});
|
|
209
|
-
|
|
210
|
-
Gate::define('publish-post', function (User $user): bool {
|
|
211
|
-
return $user->role === 'editor' || $user->role === 'admin';
|
|
212
|
-
});
|
|
213
|
-
|
|
214
|
-
// Using before() for super-admin override
|
|
215
|
-
Gate::before(function (User $user, string $ability): ?bool {
|
|
216
|
-
if ($user->role === 'super-admin') {
|
|
217
|
-
return true; // Grants all abilities
|
|
218
|
-
}
|
|
219
|
-
return null; // Fall through to normal checks
|
|
220
|
-
});
|
|
221
|
-
}
|
|
222
|
-
|
|
223
|
-
// Usage in controllers
|
|
224
|
-
public function update(Request $request, Post $post): RedirectResponse
|
|
225
|
-
{
|
|
226
|
-
Gate::authorize('update-post', $post);
|
|
227
|
-
// Or: $this->authorize('update-post', $post);
|
|
228
|
-
// Or: abort_unless(Auth::user()->can('update-post', $post), 403);
|
|
229
|
-
// ...
|
|
230
|
-
}
|
|
231
|
-
```
|
|
232
|
-
|
|
233
|
-
### Policies
|
|
234
|
-
|
|
235
|
-
```php
|
|
236
|
-
// App\Policies\PostPolicy
|
|
237
|
-
class PostPolicy
|
|
238
|
-
{
|
|
239
|
-
use HandlesAuthorization;
|
|
240
|
-
|
|
241
|
-
public function viewAny(?User $user): bool
|
|
242
|
-
{
|
|
243
|
-
return true; // Public listing
|
|
244
|
-
}
|
|
245
|
-
|
|
246
|
-
public function view(?User $user, Post $post): bool
|
|
247
|
-
{
|
|
248
|
-
return $post->is_published || ($user && $user->id === $post->user_id);
|
|
249
|
-
}
|
|
250
|
-
|
|
251
|
-
public function create(User $user): bool
|
|
252
|
-
{
|
|
253
|
-
return $user->hasVerifiedEmail(); // Must verify email first
|
|
254
|
-
}
|
|
255
|
-
|
|
256
|
-
public function update(User $user, Post $post): bool
|
|
257
|
-
{
|
|
258
|
-
return $user->id === $post->user_id;
|
|
259
|
-
}
|
|
260
|
-
|
|
261
|
-
public function delete(User $user, Post $post): bool
|
|
262
|
-
{
|
|
263
|
-
return $user->id === $post->user_id && $post->created_at->diffInDays(now()) <= 30;
|
|
264
|
-
}
|
|
265
|
-
|
|
266
|
-
public function restore(User $user, Post $post): bool
|
|
267
|
-
{
|
|
268
|
-
return $user->role === 'admin';
|
|
269
|
-
}
|
|
270
|
-
|
|
271
|
-
public function forceDelete(User $user, Post $post): bool
|
|
272
|
-
{
|
|
273
|
-
return $user->role === 'super-admin';
|
|
274
|
-
}
|
|
275
|
-
}
|
|
276
|
-
|
|
277
|
-
// Register in AuthServiceProvider
|
|
278
|
-
protected $policies = [
|
|
279
|
-
Post::class => PostPolicy::class,
|
|
280
|
-
];
|
|
281
|
-
|
|
282
|
-
// Controller usage
|
|
283
|
-
public function show(Post $post): View
|
|
284
|
-
{
|
|
285
|
-
$this->authorize('view', $post);
|
|
286
|
-
return view('posts.show', compact('post'));
|
|
287
|
-
}
|
|
288
|
-
|
|
289
|
-
// Blade usage
|
|
290
|
-
@can('update', $post)
|
|
291
|
-
<a href="{{ route('posts.edit', $post) }}">Edit</a>
|
|
292
|
-
@endcan
|
|
293
|
-
|
|
294
|
-
@cannot('update', $post)
|
|
295
|
-
<span>You cannot edit this post</span>
|
|
296
|
-
@endcannot
|
|
297
|
-
```
|
|
298
|
-
|
|
299
|
-
### Middleware Authorization
|
|
300
|
-
|
|
301
|
-
```php
|
|
302
|
-
// Using middleware in routes
|
|
303
|
-
Route::put('/posts/{post}', [PostController::class, 'update'])
|
|
304
|
-
->middleware('can:update,post');
|
|
305
|
-
|
|
306
|
-
Route::get('/posts/create', [PostController::class, 'create'])
|
|
307
|
-
->middleware('can:create,App\Models\Post');
|
|
308
|
-
|
|
309
|
-
// Custom authorization middleware
|
|
310
|
-
// app/Http/Middleware/CheckRole.php
|
|
311
|
-
class CheckRole
|
|
312
|
-
{
|
|
313
|
-
public function handle(Request $request, Closure $next, string $role): mixed
|
|
314
|
-
{
|
|
315
|
-
if (!$request->user() || $request->user()->role !== $role) {
|
|
316
|
-
abort(403, 'Unauthorized. This area requires role: ' . $role);
|
|
317
|
-
}
|
|
318
|
-
return $next($request);
|
|
319
|
-
}
|
|
320
|
-
}
|
|
321
|
-
|
|
322
|
-
// Register in Kernel
|
|
323
|
-
protected $routeMiddleware = [
|
|
324
|
-
'role' => \App\Http\Middleware\CheckRole::class,
|
|
325
|
-
];
|
|
326
|
-
|
|
327
|
-
// Route usage
|
|
328
|
-
Route::middleware(['auth', 'role:admin'])->group(function () {
|
|
329
|
-
Route::get('/admin', [AdminController::class, 'index']);
|
|
330
|
-
});
|
|
331
|
-
```
|
|
332
|
-
|
|
333
|
-
## Eloquent Security
|
|
334
|
-
|
|
335
|
-
### Mass Assignment Protection
|
|
336
|
-
|
|
337
|
-
```php
|
|
338
|
-
// BAD: $guarded = [] allows ALL columns to be mass-assigned
|
|
339
|
-
// NEVER use $guarded = [] in production
|
|
340
|
-
|
|
341
|
-
// GOOD: Whitelist fillable attributes
|
|
342
|
-
final class User extends Authenticatable
|
|
343
|
-
{
|
|
344
|
-
protected $fillable = [
|
|
345
|
-
'name',
|
|
346
|
-
'email',
|
|
347
|
-
'phone',
|
|
348
|
-
'avatar',
|
|
349
|
-
];
|
|
350
|
-
// NEVER add 'role', 'is_admin', 'is_verified' here
|
|
351
|
-
}
|
|
352
|
-
|
|
353
|
-
// GOOD: Explicitly control which fields can be filled in requests
|
|
354
|
-
public function store(StoreUserRequest $request): RedirectResponse
|
|
355
|
-
{
|
|
356
|
-
$user = User::create($request->safe()->only([
|
|
357
|
-
'name', 'email', 'phone', 'avatar'
|
|
358
|
-
]));
|
|
359
|
-
// $request->safe() uses validated data only
|
|
360
|
-
// $request->only() is NOT safe on its own without validation rules
|
|
361
|
-
}
|
|
362
|
-
|
|
363
|
-
// BAD: Creating a user with request data directly
|
|
364
|
-
User::create($request->all()); // VULNERABLE to mass assignment!
|
|
365
|
-
|
|
366
|
-
// BETTER: Use DTOs for creation
|
|
367
|
-
$user = User::create($request->validated()); // Only validated fields
|
|
368
|
-
```
|
|
369
|
-
|
|
370
|
-
### SQL Injection Prevention
|
|
371
|
-
|
|
372
|
-
```php
|
|
373
|
-
// GOOD: Eloquent automatically parameterizes queries
|
|
374
|
-
User::where('email', $userInput)->first();
|
|
375
|
-
User::whereRaw('email = ?', [$userInput])->first();
|
|
376
|
-
|
|
377
|
-
// GOOD: Query Builder also parameterizes
|
|
378
|
-
DB::table('users')->where('email', $userInput)->first();
|
|
379
|
-
DB::select('SELECT * FROM users WHERE email = ?', [$userInput]);
|
|
380
|
-
|
|
381
|
-
// BAD: Raw string interpolation
|
|
382
|
-
DB::select("SELECT * FROM users WHERE email = '{$userInput}'"); // VULNERABLE!
|
|
383
|
-
User::whereRaw("email = '{$userInput}'")->first(); // VULNERABLE!
|
|
384
|
-
|
|
385
|
-
// BAD: whereRaw/orderByRaw with unescaped input
|
|
386
|
-
User::orderByRaw($userInput); // VULNERABLE!
|
|
387
|
-
User::groupByRaw($userInput); // VULNERABLE!
|
|
388
|
-
|
|
389
|
-
// BAD: DB::statement with concatenation
|
|
390
|
-
DB::statement("INSERT INTO users (email) VALUES ('{$userInput}')"); // VULNERABLE!
|
|
391
|
-
```
|
|
392
|
-
|
|
393
|
-
### Attribute Casting
|
|
394
|
-
|
|
395
|
-
```php
|
|
396
|
-
final class User extends Authenticatable
|
|
397
|
-
{
|
|
398
|
-
protected $casts = [
|
|
399
|
-
'email_verified_at' => 'datetime',
|
|
400
|
-
'is_admin' => 'boolean', // Cast to boolean prevents string injection
|
|
401
|
-
'settings' => 'array', // Automatically json_encode/json_decode
|
|
402
|
-
'metadata' => 'encrypted:array', // Laravel 11+ encrypted casting
|
|
403
|
-
'password' => 'hashed', // Laravel 10+ auto-hashes on set
|
|
404
|
-
];
|
|
405
|
-
}
|
|
406
|
-
```
|
|
407
|
-
|
|
408
|
-
### Model Security
|
|
409
|
-
|
|
410
|
-
```php
|
|
411
|
-
final class User extends Authenticatable
|
|
412
|
-
{
|
|
413
|
-
// Hide sensitive attributes from JSON/API responses
|
|
414
|
-
protected $hidden = [
|
|
415
|
-
'password',
|
|
416
|
-
'remember_token',
|
|
417
|
-
'two_factor_secret',
|
|
418
|
-
'two_factor_recovery_codes',
|
|
419
|
-
];
|
|
420
|
-
|
|
421
|
-
// Append only safe computed attributes
|
|
422
|
-
protected $appends = ['full_name']; // safe
|
|
423
|
-
// NEVER append sensitive computed data
|
|
424
|
-
}
|
|
425
|
-
|
|
426
|
-
final class Post extends Model
|
|
427
|
-
{
|
|
428
|
-
// Global scope to filter soft deleted records
|
|
429
|
-
use SoftDeletes;
|
|
430
|
-
|
|
431
|
-
// Prevent N+1 by restricting lazy loading (optional strict mode)
|
|
432
|
-
// AppServiceProvider::boot()
|
|
433
|
-
// Model::preventLazyLoading(!app()->isProduction());
|
|
434
|
-
}
|
|
435
|
-
```
|
|
436
|
-
|
|
437
|
-
## CSRF Protection
|
|
438
|
-
|
|
439
|
-
### Default Protection
|
|
440
|
-
|
|
441
|
-
```php
|
|
442
|
-
// Laravel CSRF is enabled by default via VerifyCsrfToken middleware
|
|
443
|
-
// app/Http/Kernel.php (protected $middlewareGroups['web'])
|
|
444
|
-
|
|
445
|
-
// All POST/PUT/PATCH/DELETE forms must include @csrf
|
|
446
|
-
<form method="POST" action="/posts">
|
|
447
|
-
@csrf
|
|
448
|
-
<input type="text" name="title">
|
|
449
|
-
<button type="submit">Create</button>
|
|
450
|
-
</form>
|
|
451
|
-
```
|
|
452
|
-
|
|
453
|
-
### Excluding Routes (Carefully)
|
|
454
|
-
|
|
455
|
-
```php
|
|
456
|
-
// app/Http/Middleware/VerifyCsrfToken.php
|
|
457
|
-
class VerifyCsrfToken extends Middleware
|
|
458
|
-
{
|
|
459
|
-
// Only exclude routes that have external CSRF protection (webhooks, etc.)
|
|
460
|
-
protected $except = [
|
|
461
|
-
'stripe/*', // Stripe webhooks use their own signature verification
|
|
462
|
-
// Avoid blanket 'api/*' — stateful Sanctum routes need CSRF.
|
|
463
|
-
// Exclude only specific stateless webhook/endpoint routes.
|
|
464
|
-
];
|
|
465
|
-
}
|
|
466
|
-
```
|
|
467
|
-
|
|
468
|
-
### CSRF with JavaScript
|
|
469
|
-
|
|
470
|
-
```html
|
|
471
|
-
<meta name="csrf-token" content="{{ csrf_token() }}">
|
|
472
|
-
|
|
473
|
-
<script>
|
|
474
|
-
// Axios example (Laravel ships with Axios)
|
|
475
|
-
axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector(
|
|
476
|
-
'meta[name="csrf-token"]'
|
|
477
|
-
).getAttribute('content');
|
|
478
|
-
|
|
479
|
-
// Fetch example
|
|
480
|
-
fetch('/posts', {
|
|
481
|
-
method: 'POST',
|
|
482
|
-
headers: {
|
|
483
|
-
'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').getAttribute('content'),
|
|
484
|
-
'Content-Type': 'application/json',
|
|
485
|
-
},
|
|
486
|
-
body: JSON.stringify(data),
|
|
487
|
-
});
|
|
488
|
-
</script>
|
|
489
|
-
```
|
|
490
|
-
|
|
491
|
-
## XSS Prevention
|
|
492
|
-
|
|
493
|
-
### Blade Templating Security
|
|
494
|
-
|
|
495
|
-
```blade
|
|
496
|
-
{{-- SAFE: Auto-escaped by Blade --}}
|
|
497
|
-
{{ $userInput }}
|
|
498
|
-
|
|
499
|
-
{{-- DANGEROUS: Raw output — NEVER use with user input --}}
|
|
500
|
-
{!! $userInput !!}
|
|
501
|
-
|
|
502
|
-
{{-- SAFE: Only use {!! !!} with trusted content you control --}}
|
|
503
|
-
{!! $trustedHtmlFromYourServer !!}
|
|
504
|
-
|
|
505
|
-
{{-- GOOD: Use specific escaping directives --}}
|
|
506
|
-
@js($data) {{-- JSON encode for JavaScript --}}
|
|
507
|
-
@json($data) {{-- JSON encode in templates --}}
|
|
508
|
-
|
|
509
|
-
{{-- BAD: Direct user input in raw HTML --}}
|
|
510
|
-
<div>{!! $user->bio !!}</div> {{-- VULNERABLE if user provides bio --}}
|
|
511
|
-
```
|
|
512
|
-
|
|
513
|
-
### Safe HTML Handling
|
|
514
|
-
|
|
515
|
-
```php
|
|
516
|
-
// When you must allow some HTML, use a whitelist approach
|
|
517
|
-
use HTMLPurifier; // Requires: composer require ezyang/htmlpurifier
|
|
518
|
-
|
|
519
|
-
public function sanitizeHtml(string $dirty): string
|
|
520
|
-
{
|
|
521
|
-
$config = \HTMLPurifier_Config::createDefault();
|
|
522
|
-
$config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
|
|
523
|
-
$config->set('URI.AllowedSchemes', ['http', 'https', 'mailto']);
|
|
524
|
-
$purifier = new \HTMLPurifier($config);
|
|
525
|
-
return $purifier->purify($dirty);
|
|
526
|
-
}
|
|
527
|
-
|
|
528
|
-
// In blade:
|
|
529
|
-
<div>{!! $sanitizedContent !!}</div> {{-- Safe after purification --}}
|
|
530
|
-
```
|
|
531
|
-
|
|
532
|
-
### JavaScript Context Escaping
|
|
533
|
-
|
|
534
|
-
```blade
|
|
535
|
-
{{-- SAFE: Blade @js escapes for JavaScript context --}}
|
|
536
|
-
<script>
|
|
537
|
-
const user = @js($user); // JSON + escaped for JS context
|
|
538
|
-
const settings = @json($settings); // Direct JSON encode
|
|
539
|
-
</script>
|
|
540
|
-
|
|
541
|
-
{{-- DANGEROUS: Manual JSON in JS context --}}
|
|
542
|
-
<script>
|
|
543
|
-
const user = {{ json_encode($user) }}; // NOT escaped for JS!
|
|
544
|
-
</script>
|
|
545
|
-
```
|
|
546
|
-
|
|
547
|
-
### HTTP Headers for XSS Protection
|
|
548
|
-
|
|
549
|
-
```php
|
|
550
|
-
// App\Http\Middleware\SecurityHeaders.php
|
|
551
|
-
class SecurityHeaders
|
|
552
|
-
{
|
|
553
|
-
public function handle(Request $request, Closure $next): mixed
|
|
554
|
-
{
|
|
555
|
-
$response = $next($request);
|
|
556
|
-
|
|
557
|
-
$response->headers->set('X-Content-Type-Options', 'nosniff');
|
|
558
|
-
$response->headers->set('X-Frame-Options', 'DENY');
|
|
559
|
-
$response->headers->set('X-XSS-Protection', '1; mode=block');
|
|
560
|
-
$response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
|
561
|
-
$response->headers->set(
|
|
562
|
-
'Content-Security-Policy',
|
|
563
|
-
"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
|
|
564
|
-
);
|
|
565
|
-
|
|
566
|
-
return $response;
|
|
567
|
-
}
|
|
568
|
-
}
|
|
569
|
-
|
|
570
|
-
// Register in kernel
|
|
571
|
-
protected $middleware = [
|
|
572
|
-
\App\Http\Middleware\SecurityHeaders::class,
|
|
573
|
-
];
|
|
574
|
-
```
|
|
575
|
-
|
|
576
|
-
## Input Validation
|
|
577
|
-
|
|
578
|
-
### Form Request Validation
|
|
579
|
-
|
|
580
|
-
```php
|
|
581
|
-
final class StorePostRequest extends FormRequest
|
|
582
|
-
{
|
|
583
|
-
public function authorize(): bool
|
|
584
|
-
{
|
|
585
|
-
return $this->user()?->can('create', Post::class) ?? false;
|
|
586
|
-
}
|
|
587
|
-
|
|
588
|
-
public function rules(): array
|
|
589
|
-
{
|
|
590
|
-
return [
|
|
591
|
-
'title' => ['required', 'string', 'max:255', 'sanitize_html'],
|
|
592
|
-
'content' => ['required', 'string', 'max:10000'],
|
|
593
|
-
'image' => [
|
|
594
|
-
'required',
|
|
595
|
-
'image',
|
|
596
|
-
'mimes:jpg,jpeg,png,gif,webp', // Whitelist specific types
|
|
597
|
-
'max:2048', // 2MB max
|
|
598
|
-
],
|
|
599
|
-
'tags' => ['array'],
|
|
600
|
-
'tags.*' => ['integer', 'exists:tags,id'],
|
|
601
|
-
];
|
|
602
|
-
}
|
|
603
|
-
|
|
604
|
-
public function messages(): array
|
|
605
|
-
{
|
|
606
|
-
return [
|
|
607
|
-
'title.max' => 'Post title must not exceed 255 characters.',
|
|
608
|
-
'image.max' => 'Image must be under 2MB.',
|
|
609
|
-
];
|
|
610
|
-
}
|
|
611
|
-
|
|
612
|
-
// Sanitize input after validation
|
|
613
|
-
public function validated($key = null, $default = null): mixed
|
|
614
|
-
{
|
|
615
|
-
$validated = parent::validated();
|
|
616
|
-
$validated['title'] = strip_tags($validated['title']);
|
|
617
|
-
return $key ? ($validated[$key] ?? $default) : $validated;
|
|
618
|
-
}
|
|
619
|
-
}
|
|
620
|
-
```
|
|
621
|
-
|
|
622
|
-
### Custom Validation Rules
|
|
623
|
-
|
|
624
|
-
```php
|
|
625
|
-
// app/Rules/StrongPassword.php
|
|
626
|
-
class StrongPassword implements Rule
|
|
627
|
-
{
|
|
628
|
-
public function passes($attribute, $value): bool
|
|
629
|
-
{
|
|
630
|
-
return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&#^()_\-+=])[A-Za-z\d@$!%*?&#^()_\-+=]{12,}$/', $value);
|
|
631
|
-
}
|
|
632
|
-
|
|
633
|
-
public function message(): string
|
|
634
|
-
{
|
|
635
|
-
return 'The :attribute must be at least 12 characters with uppercase, lowercase, number, and symbol.';
|
|
636
|
-
}
|
|
637
|
-
}
|
|
638
|
-
|
|
639
|
-
// app/Rules/NotBlacklistedDomain.php
|
|
640
|
-
class NotBlacklistedDomain implements Rule
|
|
641
|
-
{
|
|
642
|
-
private array $blacklisted = ['mailinator.com', 'guerrillamail.com'];
|
|
643
|
-
|
|
644
|
-
public function passes($attribute, $value): bool
|
|
645
|
-
{
|
|
646
|
-
$domain = substr(strrchr($value, '@'), 1);
|
|
647
|
-
return !in_array(strtolower($domain), $this->blacklisted);
|
|
648
|
-
}
|
|
649
|
-
|
|
650
|
-
public function message(): string
|
|
651
|
-
{
|
|
652
|
-
return 'Email from disposable domains is not allowed.';
|
|
653
|
-
}
|
|
654
|
-
}
|
|
655
|
-
```
|
|
656
|
-
|
|
657
|
-
## API Security
|
|
658
|
-
|
|
659
|
-
### Rate Limiting
|
|
660
|
-
|
|
661
|
-
```php
|
|
662
|
-
// App/Providers/RouteServiceProvider
|
|
663
|
-
protected function configureRateLimiting(): void
|
|
664
|
-
{
|
|
665
|
-
RateLimiter::for('api', function (Request $request) {
|
|
666
|
-
return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
|
|
667
|
-
});
|
|
668
|
-
|
|
669
|
-
RateLimiter::for('auth', function (Request $request) {
|
|
670
|
-
return Limit::perMinute(5)->by($request->ip())
|
|
671
|
-
->response(function () {
|
|
672
|
-
return response()->json([
|
|
673
|
-
'message' => 'Too many login attempts. Try again in 1 minute.',
|
|
674
|
-
], 429);
|
|
675
|
-
});
|
|
676
|
-
});
|
|
677
|
-
|
|
678
|
-
RateLimiter::for('uploads', function (Request $request) {
|
|
679
|
-
return Limit::perHour(10)->by($request->user()?->id ?? $request->ip())
|
|
680
|
-
->response(function () {
|
|
681
|
-
return response()->json([
|
|
682
|
-
'message' => 'Upload limit reached. Try again later.',
|
|
683
|
-
], 429);
|
|
684
|
-
});
|
|
685
|
-
});
|
|
686
|
-
}
|
|
687
|
-
|
|
688
|
-
// Route usage
|
|
689
|
-
Route::middleware(['auth:sanctum', 'throttle:api'])->group(function () {
|
|
690
|
-
Route::apiResource('posts', PostController::class);
|
|
691
|
-
});
|
|
692
|
-
|
|
693
|
-
Route::post('/login', [AuthController::class, 'login'])
|
|
694
|
-
->middleware('throttle:auth');
|
|
695
|
-
```
|
|
696
|
-
|
|
697
|
-
### API Authentication — Sanctum vs Passport
|
|
698
|
-
|
|
699
|
-
```php
|
|
700
|
-
// Sanctum (recommended for most apps — simple, first-party, SPA)
|
|
701
|
-
// config/sanctum.php
|
|
702
|
-
'expiration' => 60 * 24, // Tokens expire after 24 hours
|
|
703
|
-
'model' => User::class,
|
|
704
|
-
|
|
705
|
-
// Issuing scoped tokens
|
|
706
|
-
$token = $user->createToken('client-name', [
|
|
707
|
-
'posts:read',
|
|
708
|
-
'posts:write',
|
|
709
|
-
])->plainTextToken;
|
|
710
|
-
|
|
711
|
-
// Middleware scoping
|
|
712
|
-
Route::middleware('auth:sanctum')->group(function () {
|
|
713
|
-
Route::get('/posts', [PostController::class, 'index'])
|
|
714
|
-
->middleware('abilities:posts:read');
|
|
715
|
-
|
|
716
|
-
Route::post('/posts', [PostController::class, 'store'])
|
|
717
|
-
->middleware('abilities:posts:write');
|
|
718
|
-
});
|
|
719
|
-
|
|
720
|
-
// Passport (OAuth2 — for third-party clients or complex auth flows)
|
|
721
|
-
// Install: composer require laravel/passport
|
|
722
|
-
Passport::tokensExpireIn(now()->addDays(15));
|
|
723
|
-
Passport::refreshTokensExpireIn(now()->addDays(30));
|
|
724
|
-
Passport::personalAccessTokensExpireIn(now()->addMonths(6));
|
|
725
|
-
```
|
|
726
|
-
|
|
727
|
-
### CORS Configuration
|
|
728
|
-
|
|
729
|
-
```php
|
|
730
|
-
// config/cors.php
|
|
731
|
-
return [
|
|
732
|
-
'paths' => ['api/*', 'sanctum/csrf-cookie'],
|
|
733
|
-
'allowed_methods' => ['*'],
|
|
734
|
-
'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', '')), // Whitelist specific origins
|
|
735
|
-
'allowed_origins_patterns' => [],
|
|
736
|
-
'allowed_headers' => ['*'],
|
|
737
|
-
'exposed_headers' => ['X-Total-Count', 'X-Pagination-Page'],
|
|
738
|
-
'max_age' => 0,
|
|
739
|
-
'supports_credentials' => true, // Required for Sanctum SPA auth
|
|
740
|
-
];
|
|
741
|
-
|
|
742
|
-
// NEVER: Allow all origins in production unless absolutely necessary
|
|
743
|
-
// 'allowed_origins' => ['*'], // Only for truly public APIs
|
|
744
|
-
```
|
|
745
|
-
|
|
746
|
-
## File Upload Security
|
|
747
|
-
|
|
748
|
-
### Validation
|
|
749
|
-
|
|
750
|
-
```php
|
|
751
|
-
public function rules(): array
|
|
752
|
-
{
|
|
753
|
-
return [
|
|
754
|
-
'document' => [
|
|
755
|
-
'required',
|
|
756
|
-
'file',
|
|
757
|
-
'mimes:pdf,doc,docx,xls,xlsx', // Whitelist specific MIME types
|
|
758
|
-
'max:10240', // 10MB
|
|
759
|
-
'extensions:pdf,doc,docx,xls,xlsx', // Verify extension matches MIME
|
|
760
|
-
],
|
|
761
|
-
'avatar' => [
|
|
762
|
-
'nullable',
|
|
763
|
-
'image', // Ensures it's a valid image
|
|
764
|
-
'mimes:jpg,jpeg,png,webp',
|
|
765
|
-
'max:2048',
|
|
766
|
-
'dimensions:min_width=100,min_height=100,max_width=2000,max_height=2000',
|
|
767
|
-
],
|
|
768
|
-
];
|
|
769
|
-
}
|
|
770
|
-
```
|
|
771
|
-
|
|
772
|
-
### Secure Storage
|
|
773
|
-
|
|
774
|
-
```php
|
|
775
|
-
// Store files outside public directory
|
|
776
|
-
$path = $request->file('document')->store('documents', 'local');
|
|
777
|
-
// Never use 'public' disk for sensitive documents
|
|
778
|
-
|
|
779
|
-
// Use signed URLs for temporary file access
|
|
780
|
-
use Illuminate\Support\Facades\Storage;
|
|
781
|
-
|
|
782
|
-
public function download(Request $request, string $path)
|
|
783
|
-
{
|
|
784
|
-
// Generate temporary signed URL (expires in 15 minutes)
|
|
785
|
-
$url = Storage::temporaryUrl($path, now()->addMinutes(15));
|
|
786
|
-
|
|
787
|
-
// Validate user has permission
|
|
788
|
-
$this->authorize('download', $path);
|
|
789
|
-
|
|
790
|
-
return redirect($url);
|
|
791
|
-
}
|
|
792
|
-
|
|
793
|
-
// Storage configuration for cloud with encryption
|
|
794
|
-
// config/filesystems.php
|
|
795
|
-
's3' => [
|
|
796
|
-
'driver' => 's3',
|
|
797
|
-
'key' => env('AWS_ACCESS_KEY_ID'),
|
|
798
|
-
'secret' => env('AWS_SECRET_ACCESS_KEY'),
|
|
799
|
-
'region' => env('AWS_DEFAULT_REGION'),
|
|
800
|
-
'bucket' => env('AWS_BUCKET'),
|
|
801
|
-
'url' => env('AWS_URL'),
|
|
802
|
-
'endpoint' => env('AWS_ENDPOINT'),
|
|
803
|
-
'use_path_style_endpoint' => env('AWS_USE_PATH_STYLE_ENDPOINT', false),
|
|
804
|
-
'throw' => false,
|
|
805
|
-
'server_side_encryption' => 'AES256', // Encrypt at rest
|
|
806
|
-
],
|
|
807
|
-
```
|
|
808
|
-
|
|
809
|
-
## Dependencies and Secrets
|
|
810
|
-
|
|
811
|
-
### Composer Security
|
|
812
|
-
|
|
813
|
-
```bash
|
|
814
|
-
# Always audit dependencies in CI
|
|
815
|
-
composer audit
|
|
816
|
-
|
|
817
|
-
# Pin major versions in composer.json
|
|
818
|
-
"laravel/framework": "^11.0",
|
|
819
|
-
"spatie/laravel-permission": "^6.0"
|
|
820
|
-
|
|
821
|
-
# Check for abandoned packages
|
|
822
|
-
composer why-not
|
|
823
|
-
|
|
824
|
-
# Keep lock file in version control (it pins exact versions)
|
|
825
|
-
# Run `composer update` deliberately, never in CI/CD
|
|
826
|
-
```
|
|
827
|
-
|
|
828
|
-
### Secret Management
|
|
829
|
-
|
|
830
|
-
```bash
|
|
831
|
-
# .env file (NEVER commit)
|
|
832
|
-
# .gitignore includes .env by default
|
|
833
|
-
|
|
834
|
-
APP_KEY=base64:abc123...
|
|
835
|
-
DB_PASSWORD=secure_password
|
|
836
|
-
STRIPE_KEY=sk_live_...
|
|
837
|
-
SANCTUM_TOKEN_PREFIX=myapp_
|
|
838
|
-
|
|
839
|
-
# For production: Use a secret manager
|
|
840
|
-
# Deploy with: env $(aws secretsmanager get-secret-value --secret-id prod/db | jq ...) php artisan serve
|
|
841
|
-
|
|
842
|
-
# Validate secrets at boot (AppServiceProvider::boot)
|
|
843
|
-
$secrets = ['services.stripe.key', 'services.stripe.webhook_secret'];
|
|
844
|
-
foreach ($secrets as $key) {
|
|
845
|
-
if (empty(config($key))) {
|
|
846
|
-
Log::critical("Missing secret: {$key}");
|
|
847
|
-
}
|
|
848
|
-
}
|
|
849
|
-
```
|
|
850
|
-
|
|
851
|
-
## Queue Security
|
|
852
|
-
|
|
853
|
-
```php
|
|
854
|
-
// Define a named rate limiter (typically in AppServiceProvider::boot())
|
|
855
|
-
RateLimiter::for('payments', fn () => Limit::perMinute(5));
|
|
856
|
-
```
|
|
857
|
-
|
|
858
|
-
```php
|
|
859
|
-
// Encrypt sensitive job data by implementing the interface
|
|
860
|
-
final class ProcessPaymentJob implements ShouldQueue, ShouldBeEncrypted
|
|
861
|
-
{
|
|
862
|
-
use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
|
|
863
|
-
|
|
864
|
-
public function __construct(
|
|
865
|
-
private readonly string $paymentIntentId, // Public IDs are fine
|
|
866
|
-
private readonly string $cardFingerprint, // Encrypted via ShouldBeEncrypted
|
|
867
|
-
) {}
|
|
868
|
-
|
|
869
|
-
public function handle(): void
|
|
870
|
-
{
|
|
871
|
-
// Process payment
|
|
872
|
-
}
|
|
873
|
-
|
|
874
|
-
// Limit retries and delay between attempts
|
|
875
|
-
public function retryUntil(): Carbon
|
|
876
|
-
{
|
|
877
|
-
return now()->addMinutes(5);
|
|
878
|
-
}
|
|
879
|
-
|
|
880
|
-
// Rate limit how many jobs of this type can run
|
|
881
|
-
public function middleware(): array
|
|
882
|
-
{
|
|
883
|
-
return [
|
|
884
|
-
new RateLimited('payments'),
|
|
885
|
-
];
|
|
886
|
-
}
|
|
887
|
-
}
|
|
888
|
-
```
|
|
889
|
-
|
|
890
|
-
## Logging Security Events
|
|
891
|
-
|
|
892
|
-
```php
|
|
893
|
-
// config/logging.php
|
|
894
|
-
'channels' => [
|
|
895
|
-
'security' => [
|
|
896
|
-
'driver' => 'single',
|
|
897
|
-
'path' => storage_path('logs/security.log'),
|
|
898
|
-
'level' => 'warning',
|
|
899
|
-
],
|
|
900
|
-
],
|
|
901
|
-
|
|
902
|
-
// Audit log helper
|
|
903
|
-
final class SecurityLogger
|
|
904
|
-
{
|
|
905
|
-
public static function log(string $event, array $context = []): void
|
|
906
|
-
{
|
|
907
|
-
Log::channel('security')->warning($event, array_merge([
|
|
908
|
-
'user_id' => Auth::id(),
|
|
909
|
-
'ip' => request()->ip(),
|
|
910
|
-
'user_agent' => request()->userAgent(),
|
|
911
|
-
'url' => request()->fullUrl(),
|
|
912
|
-
'timestamp' => now()->toIso8601String(),
|
|
913
|
-
], $context));
|
|
914
|
-
}
|
|
915
|
-
}
|
|
916
|
-
|
|
917
|
-
// Usage
|
|
918
|
-
SecurityLogger::log('failed_login_attempt', ['email' => $email]);
|
|
919
|
-
SecurityLogger::log('password_change');
|
|
920
|
-
SecurityLogger::log('role_change', ['target_user' => $targetId, 'new_role' => 'admin']);
|
|
921
|
-
SecurityLogger::log('suspicious_activity', ['reason' => 'multiple_attempts_from_different_ips']);
|
|
922
|
-
```
|
|
923
|
-
|
|
924
|
-
## Quick Security Checklist
|
|
925
|
-
|
|
926
|
-
| Check | Description |
|
|
927
|
-
|-------|-------------|
|
|
928
|
-
| `APP_DEBUG=false` | Never run with debug enabled in production |
|
|
929
|
-
| `APP_KEY` set | Always run `php artisan key:generate` |
|
|
930
|
-
| HTTPS enforced | Force HTTPS in production via middleware or proxy |
|
|
931
|
-
| `$fillable` whitelisted | Never use `$guarded = []` |
|
|
932
|
-
| CSRF active | `@csrf` on all state-changing forms |
|
|
933
|
-
| Sanctum/Passport configured | API authentication with token abilities/scopes |
|
|
934
|
-
| Rate limiting applied | Throttle API and auth endpoints |
|
|
935
|
-
| Input validation | FormRequest with specific rules, never `$request->all()` |
|
|
936
|
-
| File upload restrictions | Validate MIME types, size, dimensions |
|
|
937
|
-
| `composer audit` in CI | Check dependencies for known vulnerabilities |
|
|
938
|
-
| `password_hash` / `password_verify` | Use Laravel's built-in hashing (bcrypt/Argon2) |
|
|
939
|
-
| Session regeneration on login | Call `$request->session()->regenerate()` |
|
|
940
|
-
| Security headers middleware | CSP, X-Frame-Options, X-Content-Type-Options |
|
|
941
|
-
| Logged security events | Audit log for auth failures, role changes, suspicious activity |
|
|
942
|
-
| `.env` not committed | Verify `.gitignore` includes `.env` |
|
|
943
|
-
|
|
944
|
-
## Related Skills
|
|
945
|
-
|
|
946
|
-
- `laravel-patterns` — Laravel architecture, routing, Eloquent, and API patterns
|
|
947
|
-
- `backend-patterns` — General backend API and database patterns
|
|
948
|
-
- `laravel-tdd` — Laravel testing with PHPUnit and Pest
|