@rubix0270/arboris 1.0.1 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (451) hide show
  1. package/package.json +8 -19
  2. package/run.mjs +10 -0
  3. package/dist/cli.mjs +0 -382
  4. package/manifest.json +0 -323
  5. package/prisma/skills/accessibility/SKILL.md +0 -147
  6. package/prisma/skills/agent-architecture-audit/SKILL.md +0 -257
  7. package/prisma/skills/agent-eval/SKILL.md +0 -146
  8. package/prisma/skills/agent-harness-construction/SKILL.md +0 -74
  9. package/prisma/skills/agent-introspection-debugging/SKILL.md +0 -154
  10. package/prisma/skills/agent-payment-x402/SKILL.md +0 -225
  11. package/prisma/skills/agent-self-evaluation/SKILL.md +0 -182
  12. package/prisma/skills/agent-self-evaluation/examples/high-score-example.md +0 -87
  13. package/prisma/skills/agent-self-evaluation/examples/low-score-example.md +0 -86
  14. package/prisma/skills/agent-self-evaluation/references/evaluation-criteria.md +0 -71
  15. package/prisma/skills/agent-self-evaluation/references/hook-integration.md +0 -64
  16. package/prisma/skills/agent-self-evaluation/scripts/evaluate.py +0 -408
  17. package/prisma/skills/agent-self-evaluation/templates/evaluation-report.md +0 -86
  18. package/prisma/skills/agent-sort/SKILL.md +0 -216
  19. package/prisma/skills/agentic-engineering/SKILL.md +0 -64
  20. package/prisma/skills/agentic-os/SKILL.md +0 -388
  21. package/prisma/skills/ai-first-engineering/SKILL.md +0 -52
  22. package/prisma/skills/ai-regression-testing/SKILL.md +0 -386
  23. package/prisma/skills/android-clean-architecture/SKILL.md +0 -340
  24. package/prisma/skills/angular-developer/SKILL.md +0 -155
  25. package/prisma/skills/angular-developer/references/angular-animations.md +0 -160
  26. package/prisma/skills/angular-developer/references/angular-aria.md +0 -410
  27. package/prisma/skills/angular-developer/references/cli.md +0 -86
  28. package/prisma/skills/angular-developer/references/component-harnesses.md +0 -59
  29. package/prisma/skills/angular-developer/references/component-styling.md +0 -91
  30. package/prisma/skills/angular-developer/references/components.md +0 -117
  31. package/prisma/skills/angular-developer/references/creating-services.md +0 -97
  32. package/prisma/skills/angular-developer/references/data-resolvers.md +0 -69
  33. package/prisma/skills/angular-developer/references/define-routes.md +0 -67
  34. package/prisma/skills/angular-developer/references/defining-providers.md +0 -72
  35. package/prisma/skills/angular-developer/references/di-fundamentals.md +0 -120
  36. package/prisma/skills/angular-developer/references/e2e-testing.md +0 -56
  37. package/prisma/skills/angular-developer/references/effects.md +0 -83
  38. package/prisma/skills/angular-developer/references/hierarchical-injectors.md +0 -43
  39. package/prisma/skills/angular-developer/references/host-elements.md +0 -80
  40. package/prisma/skills/angular-developer/references/injection-context.md +0 -63
  41. package/prisma/skills/angular-developer/references/inputs.md +0 -101
  42. package/prisma/skills/angular-developer/references/linked-signal.md +0 -59
  43. package/prisma/skills/angular-developer/references/loading-strategies.md +0 -61
  44. package/prisma/skills/angular-developer/references/mcp.md +0 -108
  45. package/prisma/skills/angular-developer/references/navigate-to-routes.md +0 -69
  46. package/prisma/skills/angular-developer/references/outputs.md +0 -86
  47. package/prisma/skills/angular-developer/references/reactive-forms.md +0 -122
  48. package/prisma/skills/angular-developer/references/rendering-strategies.md +0 -44
  49. package/prisma/skills/angular-developer/references/resource.md +0 -77
  50. package/prisma/skills/angular-developer/references/route-animations.md +0 -56
  51. package/prisma/skills/angular-developer/references/route-guards.md +0 -52
  52. package/prisma/skills/angular-developer/references/router-lifecycle.md +0 -45
  53. package/prisma/skills/angular-developer/references/router-testing.md +0 -87
  54. package/prisma/skills/angular-developer/references/show-routes-with-outlets.md +0 -68
  55. package/prisma/skills/angular-developer/references/signal-forms.md +0 -795
  56. package/prisma/skills/angular-developer/references/signals-overview.md +0 -94
  57. package/prisma/skills/angular-developer/references/tailwind-css.md +0 -69
  58. package/prisma/skills/angular-developer/references/template-driven-forms.md +0 -114
  59. package/prisma/skills/angular-developer/references/testing-fundamentals.md +0 -65
  60. package/prisma/skills/api-connector-builder/SKILL.md +0 -121
  61. package/prisma/skills/api-design/SKILL.md +0 -524
  62. package/prisma/skills/architecture-decision-records/SKILL.md +0 -180
  63. package/prisma/skills/article-writing/SKILL.md +0 -80
  64. package/prisma/skills/automation-audit-ops/SKILL.md +0 -143
  65. package/prisma/skills/autonomous-agent-harness/SKILL.md +0 -274
  66. package/prisma/skills/autonomous-loops/SKILL.md +0 -611
  67. package/prisma/skills/backend-patterns/SKILL.md +0 -562
  68. package/prisma/skills/benchmark/SKILL.md +0 -94
  69. package/prisma/skills/benchmark-methodology/SKILL.md +0 -190
  70. package/prisma/skills/benchmark-optimization-loop/SKILL.md +0 -70
  71. package/prisma/skills/blender-motion-state-inspection/SKILL.md +0 -165
  72. package/prisma/skills/blueprint/SKILL.md +0 -106
  73. package/prisma/skills/brand-discovery/SKILL.md +0 -145
  74. package/prisma/skills/brand-discovery/references/10_purpose-why.md +0 -40
  75. package/prisma/skills/brand-discovery/references/20_positioning.md +0 -44
  76. package/prisma/skills/brand-discovery/references/30_audience-niche.md +0 -52
  77. package/prisma/skills/brand-discovery/references/40_personality-archetype.md +0 -57
  78. package/prisma/skills/brand-discovery/references/50_voice-tone.md +0 -59
  79. package/prisma/skills/brand-discovery/references/60_narrative-story.md +0 -50
  80. package/prisma/skills/brand-discovery/references/70_founder-tension.md +0 -49
  81. package/prisma/skills/brand-discovery/references/90_SYNTHESIS.md +0 -133
  82. package/prisma/skills/brand-voice/SKILL.md +0 -98
  83. package/prisma/skills/brand-voice/references/voice-profile-schema.md +0 -55
  84. package/prisma/skills/browser-qa/SKILL.md +0 -105
  85. package/prisma/skills/bun-runtime/SKILL.md +0 -85
  86. package/prisma/skills/canary-watch/SKILL.md +0 -108
  87. package/prisma/skills/carrier-relationship-management/SKILL.md +0 -212
  88. package/prisma/skills/cisco-ios-patterns/SKILL.md +0 -164
  89. package/prisma/skills/ck/SKILL.md +0 -148
  90. package/prisma/skills/ck/commands/forget.mjs +0 -44
  91. package/prisma/skills/ck/commands/info.mjs +0 -24
  92. package/prisma/skills/ck/commands/init.mjs +0 -143
  93. package/prisma/skills/ck/commands/list.mjs +0 -40
  94. package/prisma/skills/ck/commands/migrate.mjs +0 -202
  95. package/prisma/skills/ck/commands/resume.mjs +0 -36
  96. package/prisma/skills/ck/commands/save.mjs +0 -210
  97. package/prisma/skills/ck/commands/shared.mjs +0 -387
  98. package/prisma/skills/ck/hooks/session-start.mjs +0 -224
  99. package/prisma/skills/claude-devfleet/SKILL.md +0 -112
  100. package/prisma/skills/click-path-audit/SKILL.md +0 -245
  101. package/prisma/skills/clickhouse-io/SKILL.md +0 -440
  102. package/prisma/skills/code-tour/SKILL.md +0 -254
  103. package/prisma/skills/codebase-onboarding/SKILL.md +0 -234
  104. package/prisma/skills/codehealth-mcp/SKILL.md +0 -167
  105. package/prisma/skills/coding-standards/SKILL.md +0 -551
  106. package/prisma/skills/competitive-platform-analysis/SKILL.md +0 -214
  107. package/prisma/skills/competitive-report-structure/SKILL.md +0 -162
  108. package/prisma/skills/compose-multiplatform-patterns/SKILL.md +0 -300
  109. package/prisma/skills/config-gc/SKILL.md +0 -120
  110. package/prisma/skills/configure-ecc/SKILL.md +0 -385
  111. package/prisma/skills/connections-optimizer/SKILL.md +0 -190
  112. package/prisma/skills/content-engine/SKILL.md +0 -132
  113. package/prisma/skills/content-hash-cache-pattern/SKILL.md +0 -162
  114. package/prisma/skills/context-budget/SKILL.md +0 -136
  115. package/prisma/skills/continuous-agent-loop/SKILL.md +0 -46
  116. package/prisma/skills/continuous-learning/SKILL.md +0 -132
  117. package/prisma/skills/continuous-learning/config.json +0 -18
  118. package/prisma/skills/continuous-learning/evaluate-session.sh +0 -69
  119. package/prisma/skills/continuous-learning-v2/SKILL.md +0 -361
  120. package/prisma/skills/continuous-learning-v2/agents/observer-loop.sh +0 -359
  121. package/prisma/skills/continuous-learning-v2/agents/observer.md +0 -189
  122. package/prisma/skills/continuous-learning-v2/agents/session-guardian.sh +0 -150
  123. package/prisma/skills/continuous-learning-v2/agents/start-observer.sh +0 -248
  124. package/prisma/skills/continuous-learning-v2/config.json +0 -8
  125. package/prisma/skills/continuous-learning-v2/hooks/observe.sh +0 -585
  126. package/prisma/skills/continuous-learning-v2/scripts/detect-project.sh +0 -322
  127. package/prisma/skills/continuous-learning-v2/scripts/instinct-cli.py +0 -1956
  128. package/prisma/skills/continuous-learning-v2/scripts/lib/homunculus-dir.sh +0 -31
  129. package/prisma/skills/continuous-learning-v2/scripts/migrate-homunculus.sh +0 -68
  130. package/prisma/skills/continuous-learning-v2/scripts/test_parse_instinct.py +0 -1421
  131. package/prisma/skills/cost-aware-llm-pipeline/SKILL.md +0 -184
  132. package/prisma/skills/cost-tracking/SKILL.md +0 -97
  133. package/prisma/skills/council/SKILL.md +0 -204
  134. package/prisma/skills/cpp-coding-standards/SKILL.md +0 -724
  135. package/prisma/skills/cpp-testing/SKILL.md +0 -325
  136. package/prisma/skills/crosspost/SKILL.md +0 -112
  137. package/prisma/skills/csharp-testing/SKILL.md +0 -322
  138. package/prisma/skills/customer-billing-ops/SKILL.md +0 -141
  139. package/prisma/skills/customs-trade-compliance/SKILL.md +0 -263
  140. package/prisma/skills/dart-flutter-patterns/SKILL.md +0 -564
  141. package/prisma/skills/dashboard-builder/SKILL.md +0 -109
  142. package/prisma/skills/data-scraper-agent/SKILL.md +0 -765
  143. package/prisma/skills/data-throughput-accelerator/SKILL.md +0 -73
  144. package/prisma/skills/database-migrations/SKILL.md +0 -430
  145. package/prisma/skills/deep-research/SKILL.md +0 -160
  146. package/prisma/skills/defi-amm-security/SKILL.md +0 -167
  147. package/prisma/skills/delivery-gate/SKILL.md +0 -126
  148. package/prisma/skills/delivery-gate/hooks/quality-gate.py +0 -220
  149. package/prisma/skills/deployment-patterns/SKILL.md +0 -428
  150. package/prisma/skills/design-system/SKILL.md +0 -83
  151. package/prisma/skills/django-celery/SKILL.md +0 -458
  152. package/prisma/skills/django-patterns/SKILL.md +0 -735
  153. package/prisma/skills/django-security/SKILL.md +0 -644
  154. package/prisma/skills/django-tdd/SKILL.md +0 -730
  155. package/prisma/skills/django-verification/SKILL.md +0 -470
  156. package/prisma/skills/dmux-workflows/SKILL.md +0 -192
  157. package/prisma/skills/docker-patterns/SKILL.md +0 -365
  158. package/prisma/skills/documentation-lookup/SKILL.md +0 -91
  159. package/prisma/skills/dotnet-patterns/SKILL.md +0 -322
  160. package/prisma/skills/dynamic-workflow-mode/SKILL.md +0 -124
  161. package/prisma/skills/e2e-testing/SKILL.md +0 -327
  162. package/prisma/skills/ecc-guide/SKILL.md +0 -190
  163. package/prisma/skills/ecc-recipes/SKILL.md +0 -149
  164. package/prisma/skills/ecc-tools-cost-audit/SKILL.md +0 -161
  165. package/prisma/skills/email-ops/SKILL.md +0 -122
  166. package/prisma/skills/energy-procurement/SKILL.md +0 -228
  167. package/prisma/skills/enterprise-agent-ops/SKILL.md +0 -51
  168. package/prisma/skills/error-handling/SKILL.md +0 -377
  169. package/prisma/skills/eval-harness/SKILL.md +0 -271
  170. package/prisma/skills/evm-token-decimals/SKILL.md +0 -131
  171. package/prisma/skills/exa-search/SKILL.md +0 -108
  172. package/prisma/skills/fal-ai-media/SKILL.md +0 -289
  173. package/prisma/skills/fastapi-patterns/SKILL.md +0 -514
  174. package/prisma/skills/finance-billing-ops/SKILL.md +0 -128
  175. package/prisma/skills/flox-environments/SKILL.md +0 -497
  176. package/prisma/skills/flutter-dart-code-review/SKILL.md +0 -436
  177. package/prisma/skills/foundation-models-on-device/SKILL.md +0 -243
  178. package/prisma/skills/frontend-a11y/SKILL.md +0 -446
  179. package/prisma/skills/frontend-design-direction/SKILL.md +0 -93
  180. package/prisma/skills/frontend-patterns/SKILL.md +0 -657
  181. package/prisma/skills/frontend-slides/SKILL.md +0 -185
  182. package/prisma/skills/frontend-slides/STYLE_PRESETS.md +0 -330
  183. package/prisma/skills/frontend-slides/animation-patterns.md +0 -122
  184. package/prisma/skills/frontend-slides/html-template.md +0 -419
  185. package/prisma/skills/frontend-slides/scripts/export-pdf.sh +0 -418
  186. package/prisma/skills/frontend-slides/scripts/extract-pptx.py +0 -96
  187. package/prisma/skills/frontend-slides/viewport-base.css +0 -153
  188. package/prisma/skills/fsharp-testing/SKILL.md +0 -281
  189. package/prisma/skills/gan-style-harness/SKILL.md +0 -279
  190. package/prisma/skills/gateguard/SKILL.md +0 -133
  191. package/prisma/skills/generating-python-installer/SKILL.md +0 -820
  192. package/prisma/skills/git-workflow/SKILL.md +0 -716
  193. package/prisma/skills/github-ops/SKILL.md +0 -145
  194. package/prisma/skills/golang-patterns/SKILL.md +0 -675
  195. package/prisma/skills/golang-testing/SKILL.md +0 -721
  196. package/prisma/skills/google-workspace-ops/SKILL.md +0 -96
  197. package/prisma/skills/growth-log/SKILL.md +0 -128
  198. package/prisma/skills/healthcare-cdss-patterns/SKILL.md +0 -246
  199. package/prisma/skills/healthcare-emr-patterns/SKILL.md +0 -160
  200. package/prisma/skills/healthcare-eval-harness/SKILL.md +0 -208
  201. package/prisma/skills/healthcare-phi-compliance/SKILL.md +0 -146
  202. package/prisma/skills/hermes-imports/SKILL.md +0 -89
  203. package/prisma/skills/hexagonal-architecture/SKILL.md +0 -277
  204. package/prisma/skills/hipaa-compliance/SKILL.md +0 -79
  205. package/prisma/skills/homelab-network-readiness/SKILL.md +0 -170
  206. package/prisma/skills/homelab-network-setup/SKILL.md +0 -130
  207. package/prisma/skills/homelab-pihole-dns/SKILL.md +0 -275
  208. package/prisma/skills/homelab-vlan-segmentation/SKILL.md +0 -312
  209. package/prisma/skills/homelab-wireguard-vpn/SKILL.md +0 -306
  210. package/prisma/skills/hookify-rules/SKILL.md +0 -128
  211. package/prisma/skills/inherit-legacy-style/SKILL.md +0 -157
  212. package/prisma/skills/intent-driven-development/SKILL.md +0 -360
  213. package/prisma/skills/inventory-demand-planning/SKILL.md +0 -247
  214. package/prisma/skills/investor-materials/SKILL.md +0 -97
  215. package/prisma/skills/investor-outreach/SKILL.md +0 -92
  216. package/prisma/skills/ios-icon-gen/SKILL.md +0 -158
  217. package/prisma/skills/ios-icon-gen/scripts/generate_icons.swift +0 -258
  218. package/prisma/skills/ios-icon-gen/scripts/iconify_gen.sh +0 -235
  219. package/prisma/skills/iterative-retrieval/SKILL.md +0 -212
  220. package/prisma/skills/ito-basket-compare/SKILL.md +0 -64
  221. package/prisma/skills/ito-data-atlas-agent/SKILL.md +0 -64
  222. package/prisma/skills/ito-market-intelligence/SKILL.md +0 -61
  223. package/prisma/skills/ito-trade-planner/SKILL.md +0 -68
  224. package/prisma/skills/java-coding-standards/SKILL.md +0 -384
  225. package/prisma/skills/jira-integration/SKILL.md +0 -303
  226. package/prisma/skills/jpa-patterns/SKILL.md +0 -152
  227. package/prisma/skills/knowledge-ops/SKILL.md +0 -155
  228. package/prisma/skills/kotlin-coroutines-flows/SKILL.md +0 -285
  229. package/prisma/skills/kotlin-exposed-patterns/SKILL.md +0 -720
  230. package/prisma/skills/kotlin-ktor-patterns/SKILL.md +0 -690
  231. package/prisma/skills/kotlin-patterns/SKILL.md +0 -712
  232. package/prisma/skills/kotlin-testing/SKILL.md +0 -825
  233. package/prisma/skills/kubernetes-patterns/SKILL.md +0 -756
  234. package/prisma/skills/laravel-patterns/SKILL.md +0 -416
  235. package/prisma/skills/laravel-plugin-discovery/SKILL.md +0 -230
  236. package/prisma/skills/laravel-security/SKILL.md +0 -948
  237. package/prisma/skills/laravel-tdd/SKILL.md +0 -675
  238. package/prisma/skills/laravel-verification/SKILL.md +0 -180
  239. package/prisma/skills/latency-critical-systems/SKILL.md +0 -74
  240. package/prisma/skills/lead-intelligence/SKILL.md +0 -322
  241. package/prisma/skills/lead-intelligence/agents/enrichment-agent.md +0 -85
  242. package/prisma/skills/lead-intelligence/agents/mutual-mapper.md +0 -75
  243. package/prisma/skills/lead-intelligence/agents/outreach-drafter.md +0 -98
  244. package/prisma/skills/lead-intelligence/agents/signal-scorer.md +0 -60
  245. package/prisma/skills/liquid-glass-design/SKILL.md +0 -279
  246. package/prisma/skills/llm-trading-agent-security/SKILL.md +0 -147
  247. package/prisma/skills/logistics-exception-management/SKILL.md +0 -222
  248. package/prisma/skills/loop-design-check/SKILL.md +0 -143
  249. package/prisma/skills/mailtrap-email-integration/SKILL.md +0 -77
  250. package/prisma/skills/make-interfaces-feel-better/SKILL.md +0 -152
  251. package/prisma/skills/manim-video/SKILL.md +0 -90
  252. package/prisma/skills/manim-video/assets/network_graph_scene.py +0 -52
  253. package/prisma/skills/market-research/SKILL.md +0 -76
  254. package/prisma/skills/marketing-campaign/SKILL.md +0 -114
  255. package/prisma/skills/mcp-server-patterns/SKILL.md +0 -70
  256. package/prisma/skills/messages-ops/SKILL.md +0 -105
  257. package/prisma/skills/ml-adoption-playbook/SKILL.md +0 -57
  258. package/prisma/skills/mle-workflow/SKILL.md +0 -347
  259. package/prisma/skills/motion-advanced/SKILL.md +0 -596
  260. package/prisma/skills/motion-foundations/SKILL.md +0 -299
  261. package/prisma/skills/motion-patterns/SKILL.md +0 -434
  262. package/prisma/skills/motion-ui/SKILL.md +0 -576
  263. package/prisma/skills/mysql-patterns/SKILL.md +0 -413
  264. package/prisma/skills/nanoclaw-repl/SKILL.md +0 -34
  265. package/prisma/skills/nestjs-patterns/SKILL.md +0 -231
  266. package/prisma/skills/netmiko-ssh-automation/SKILL.md +0 -174
  267. package/prisma/skills/network-bgp-diagnostics/SKILL.md +0 -168
  268. package/prisma/skills/network-config-validation/SKILL.md +0 -211
  269. package/prisma/skills/network-interface-health/SKILL.md +0 -153
  270. package/prisma/skills/nextjs-turbopack/SKILL.md +0 -58
  271. package/prisma/skills/nodejs-keccak256/SKILL.md +0 -103
  272. package/prisma/skills/nutrient-document-processing/SKILL.md +0 -168
  273. package/prisma/skills/nuxt4-patterns/SKILL.md +0 -101
  274. package/prisma/skills/openclaw-persona-forge/SKILL.md +0 -289
  275. package/prisma/skills/openclaw-persona-forge/gacha.py +0 -224
  276. package/prisma/skills/openclaw-persona-forge/gacha.sh +0 -5
  277. package/prisma/skills/openclaw-persona-forge/references/avatar-style.md +0 -124
  278. package/prisma/skills/openclaw-persona-forge/references/boundary-rules.md +0 -53
  279. package/prisma/skills/openclaw-persona-forge/references/error-handling.md +0 -53
  280. package/prisma/skills/openclaw-persona-forge/references/identity-tension.md +0 -48
  281. package/prisma/skills/openclaw-persona-forge/references/naming-system.md +0 -39
  282. package/prisma/skills/openclaw-persona-forge/references/output-template.md +0 -166
  283. package/prisma/skills/opensource-pipeline/SKILL.md +0 -256
  284. package/prisma/skills/orch-add-feature/SKILL.md +0 -45
  285. package/prisma/skills/orch-build-mvp/SKILL.md +0 -49
  286. package/prisma/skills/orch-change-feature/SKILL.md +0 -43
  287. package/prisma/skills/orch-fix-defect/SKILL.md +0 -43
  288. package/prisma/skills/orch-pipeline/SKILL.md +0 -121
  289. package/prisma/skills/orch-refine-code/SKILL.md +0 -44
  290. package/prisma/skills/parallel-execution-optimizer/SKILL.md +0 -73
  291. package/prisma/skills/perl-patterns/SKILL.md +0 -505
  292. package/prisma/skills/perl-security/SKILL.md +0 -504
  293. package/prisma/skills/perl-testing/SKILL.md +0 -476
  294. package/prisma/skills/plan-orchestrate/SKILL.md +0 -263
  295. package/prisma/skills/plankton-code-quality/SKILL.md +0 -237
  296. package/prisma/skills/postgres-patterns/SKILL.md +0 -148
  297. package/prisma/skills/prediction-market-oracle-research/SKILL.md +0 -64
  298. package/prisma/skills/prediction-market-risk-review/SKILL.md +0 -61
  299. package/prisma/skills/prisma-patterns/SKILL.md +0 -401
  300. package/prisma/skills/product-capability/SKILL.md +0 -142
  301. package/prisma/skills/product-lens/SKILL.md +0 -93
  302. package/prisma/skills/production-audit/SKILL.md +0 -207
  303. package/prisma/skills/production-scheduling/SKILL.md +0 -238
  304. package/prisma/skills/project-flow-ops/SKILL.md +0 -112
  305. package/prisma/skills/prompt-optimizer/SKILL.md +0 -398
  306. package/prisma/skills/python-patterns/SKILL.md +0 -751
  307. package/prisma/skills/python-testing/SKILL.md +0 -817
  308. package/prisma/skills/pytorch-patterns/SKILL.md +0 -397
  309. package/prisma/skills/quality-nonconformance/SKILL.md +0 -260
  310. package/prisma/skills/quarkus-patterns/SKILL.md +0 -723
  311. package/prisma/skills/quarkus-security/SKILL.md +0 -468
  312. package/prisma/skills/quarkus-tdd/SKILL.md +0 -812
  313. package/prisma/skills/quarkus-verification/SKILL.md +0 -480
  314. package/prisma/skills/ralphinho-rfc-pipeline/SKILL.md +0 -68
  315. package/prisma/skills/react-native-patterns/SKILL.md +0 -326
  316. package/prisma/skills/react-patterns/SKILL.md +0 -342
  317. package/prisma/skills/react-performance/SKILL.md +0 -575
  318. package/prisma/skills/react-testing/SKILL.md +0 -424
  319. package/prisma/skills/recsys-pipeline-architect/SKILL.md +0 -115
  320. package/prisma/skills/recursive-decision-ledger/SKILL.md +0 -80
  321. package/prisma/skills/redis-patterns/SKILL.md +0 -404
  322. package/prisma/skills/regex-vs-llm-structured-text/SKILL.md +0 -221
  323. package/prisma/skills/remotion-video-creation/SKILL.md +0 -43
  324. package/prisma/skills/remotion-video-creation/rules/3d.md +0 -86
  325. package/prisma/skills/remotion-video-creation/rules/animations.md +0 -29
  326. package/prisma/skills/remotion-video-creation/rules/assets/charts-bar-chart.tsx +0 -173
  327. package/prisma/skills/remotion-video-creation/rules/assets/text-animations-typewriter.tsx +0 -100
  328. package/prisma/skills/remotion-video-creation/rules/assets/text-animations-word-highlight.tsx +0 -108
  329. package/prisma/skills/remotion-video-creation/rules/assets.md +0 -78
  330. package/prisma/skills/remotion-video-creation/rules/audio.md +0 -172
  331. package/prisma/skills/remotion-video-creation/rules/calculate-metadata.md +0 -104
  332. package/prisma/skills/remotion-video-creation/rules/can-decode.md +0 -75
  333. package/prisma/skills/remotion-video-creation/rules/charts.md +0 -58
  334. package/prisma/skills/remotion-video-creation/rules/compositions.md +0 -146
  335. package/prisma/skills/remotion-video-creation/rules/display-captions.md +0 -126
  336. package/prisma/skills/remotion-video-creation/rules/extract-frames.md +0 -229
  337. package/prisma/skills/remotion-video-creation/rules/fonts.md +0 -152
  338. package/prisma/skills/remotion-video-creation/rules/get-audio-duration.md +0 -58
  339. package/prisma/skills/remotion-video-creation/rules/get-video-dimensions.md +0 -68
  340. package/prisma/skills/remotion-video-creation/rules/get-video-duration.md +0 -58
  341. package/prisma/skills/remotion-video-creation/rules/gifs.md +0 -138
  342. package/prisma/skills/remotion-video-creation/rules/images.md +0 -130
  343. package/prisma/skills/remotion-video-creation/rules/import-srt-captions.md +0 -67
  344. package/prisma/skills/remotion-video-creation/rules/lottie.md +0 -67
  345. package/prisma/skills/remotion-video-creation/rules/measuring-dom-nodes.md +0 -34
  346. package/prisma/skills/remotion-video-creation/rules/measuring-text.md +0 -143
  347. package/prisma/skills/remotion-video-creation/rules/sequencing.md +0 -106
  348. package/prisma/skills/remotion-video-creation/rules/tailwind.md +0 -11
  349. package/prisma/skills/remotion-video-creation/rules/text-animations.md +0 -20
  350. package/prisma/skills/remotion-video-creation/rules/timing.md +0 -179
  351. package/prisma/skills/remotion-video-creation/rules/transcribe-captions.md +0 -19
  352. package/prisma/skills/remotion-video-creation/rules/transitions.md +0 -122
  353. package/prisma/skills/remotion-video-creation/rules/trimming.md +0 -52
  354. package/prisma/skills/remotion-video-creation/rules/videos.md +0 -171
  355. package/prisma/skills/repo-scan/SKILL.md +0 -79
  356. package/prisma/skills/research-ops/SKILL.md +0 -113
  357. package/prisma/skills/returns-reverse-logistics/SKILL.md +0 -240
  358. package/prisma/skills/rules-distill/SKILL.md +0 -265
  359. package/prisma/skills/rules-distill/scripts/scan-rules.sh +0 -58
  360. package/prisma/skills/rules-distill/scripts/scan-skills.sh +0 -129
  361. package/prisma/skills/rust-patterns/SKILL.md +0 -500
  362. package/prisma/skills/rust-testing/SKILL.md +0 -501
  363. package/prisma/skills/safety-guard/SKILL.md +0 -76
  364. package/prisma/skills/santa-method/SKILL.md +0 -307
  365. package/prisma/skills/scientific-db-pubmed-database/SKILL.md +0 -176
  366. package/prisma/skills/scientific-db-uspto-database/SKILL.md +0 -178
  367. package/prisma/skills/scientific-pkg-gget/SKILL.md +0 -167
  368. package/prisma/skills/scientific-thinking-literature-review/SKILL.md +0 -193
  369. package/prisma/skills/scientific-thinking-scholar-evaluation/SKILL.md +0 -161
  370. package/prisma/skills/search-first/SKILL.md +0 -183
  371. package/prisma/skills/security-bounty-hunter/SKILL.md +0 -100
  372. package/prisma/skills/security-review/SKILL.md +0 -504
  373. package/prisma/skills/security-review/cloud-infrastructure-security.md +0 -361
  374. package/prisma/skills/security-scan/SKILL.md +0 -166
  375. package/prisma/skills/seo/SKILL.md +0 -155
  376. package/prisma/skills/skill-comply/SKILL.md +0 -59
  377. package/prisma/skills/skill-comply/fixtures/compliant_trace.jsonl +0 -5
  378. package/prisma/skills/skill-comply/fixtures/noncompliant_trace.jsonl +0 -3
  379. package/prisma/skills/skill-comply/fixtures/tdd_spec.yaml +0 -44
  380. package/prisma/skills/skill-comply/prompts/classifier.md +0 -24
  381. package/prisma/skills/skill-comply/prompts/scenario_generator.md +0 -62
  382. package/prisma/skills/skill-comply/prompts/spec_generator.md +0 -42
  383. package/prisma/skills/skill-comply/pyproject.toml +0 -15
  384. package/prisma/skills/skill-comply/scripts/__init__.py +0 -0
  385. package/prisma/skills/skill-comply/scripts/classifier.py +0 -85
  386. package/prisma/skills/skill-comply/scripts/grader.py +0 -124
  387. package/prisma/skills/skill-comply/scripts/parser.py +0 -107
  388. package/prisma/skills/skill-comply/scripts/report.py +0 -170
  389. package/prisma/skills/skill-comply/scripts/run.py +0 -127
  390. package/prisma/skills/skill-comply/scripts/runner.py +0 -194
  391. package/prisma/skills/skill-comply/scripts/scenario_generator.py +0 -70
  392. package/prisma/skills/skill-comply/scripts/spec_generator.py +0 -72
  393. package/prisma/skills/skill-comply/scripts/utils.py +0 -13
  394. package/prisma/skills/skill-comply/tests/test_grader.py +0 -197
  395. package/prisma/skills/skill-comply/tests/test_parser.py +0 -90
  396. package/prisma/skills/skill-comply/tests/test_runner.py +0 -172
  397. package/prisma/skills/skill-scout/SKILL.md +0 -141
  398. package/prisma/skills/skill-stocktake/SKILL.md +0 -195
  399. package/prisma/skills/skill-stocktake/scripts/quick-diff.sh +0 -87
  400. package/prisma/skills/skill-stocktake/scripts/save-results.sh +0 -56
  401. package/prisma/skills/skill-stocktake/scripts/scan.sh +0 -170
  402. package/prisma/skills/social-graph-ranker/SKILL.md +0 -155
  403. package/prisma/skills/social-publisher/SKILL.md +0 -130
  404. package/prisma/skills/springboot-patterns/SKILL.md +0 -315
  405. package/prisma/skills/springboot-security/SKILL.md +0 -273
  406. package/prisma/skills/springboot-tdd/SKILL.md +0 -159
  407. package/prisma/skills/springboot-verification/SKILL.md +0 -232
  408. package/prisma/skills/strategic-compact/SKILL.md +0 -136
  409. package/prisma/skills/swift-actor-persistence/SKILL.md +0 -144
  410. package/prisma/skills/swift-concurrency-6-2/SKILL.md +0 -216
  411. package/prisma/skills/swift-protocol-di-testing/SKILL.md +0 -191
  412. package/prisma/skills/swiftui-patterns/SKILL.md +0 -259
  413. package/prisma/skills/taste/SKILL.md +0 -264
  414. package/prisma/skills/taste/references/genre-taxonomy.md +0 -87
  415. package/prisma/skills/tdd-workflow/SKILL.md +0 -583
  416. package/prisma/skills/team-agent-orchestration/SKILL.md +0 -111
  417. package/prisma/skills/team-builder/SKILL.md +0 -169
  418. package/prisma/skills/terminal-ops/SKILL.md +0 -110
  419. package/prisma/skills/tinystruct-patterns/SKILL.md +0 -279
  420. package/prisma/skills/tinystruct-patterns/references/architecture.md +0 -90
  421. package/prisma/skills/tinystruct-patterns/references/data-handling.md +0 -60
  422. package/prisma/skills/tinystruct-patterns/references/database.md +0 -99
  423. package/prisma/skills/tinystruct-patterns/references/routing.md +0 -64
  424. package/prisma/skills/tinystruct-patterns/references/system-usage.md +0 -97
  425. package/prisma/skills/tinystruct-patterns/references/testing.md +0 -72
  426. package/prisma/skills/token-budget-advisor/SKILL.md +0 -134
  427. package/prisma/skills/ui-demo/SKILL.md +0 -466
  428. package/prisma/skills/ui-to-vue/SKILL.md +0 -135
  429. package/prisma/skills/uncloud/SKILL.md +0 -344
  430. package/prisma/skills/unified-notifications-ops/SKILL.md +0 -188
  431. package/prisma/skills/verification-loop/SKILL.md +0 -127
  432. package/prisma/skills/video-editing/SKILL.md +0 -311
  433. package/prisma/skills/videodb/SKILL.md +0 -375
  434. package/prisma/skills/videodb/reference/api-reference.md +0 -550
  435. package/prisma/skills/videodb/reference/capture-reference.md +0 -407
  436. package/prisma/skills/videodb/reference/capture.md +0 -101
  437. package/prisma/skills/videodb/reference/editor.md +0 -443
  438. package/prisma/skills/videodb/reference/generative.md +0 -331
  439. package/prisma/skills/videodb/reference/rtstream-reference.md +0 -564
  440. package/prisma/skills/videodb/reference/rtstream.md +0 -65
  441. package/prisma/skills/videodb/reference/search.md +0 -230
  442. package/prisma/skills/videodb/reference/streaming.md +0 -406
  443. package/prisma/skills/videodb/reference/use-cases.md +0 -118
  444. package/prisma/skills/videodb/scripts/ws_listener.py +0 -282
  445. package/prisma/skills/visa-doc-translate/README.md +0 -86
  446. package/prisma/skills/visa-doc-translate/SKILL.md +0 -117
  447. package/prisma/skills/vite-patterns/SKILL.md +0 -450
  448. package/prisma/skills/vue-patterns/SKILL.md +0 -471
  449. package/prisma/skills/windows-desktop-e2e/SKILL.md +0 -888
  450. package/prisma/skills/workspace-surface-audit/SKILL.md +0 -126
  451. package/prisma/skills/x-api/SKILL.md +0 -235
@@ -1,948 +0,0 @@
1
- ---
2
- name: laravel-security
3
- description: Laravel security best practices — authentication, authorization, Eloquent safety, CSRF, XSS prevention, API security, and secure deployment configurations.
4
- metadata:
5
- origin: ECC
6
- ---
7
-
8
- # Laravel Security Best Practices
9
-
10
- Comprehensive security guidelines for Laravel applications to protect against common vulnerabilities.
11
-
12
- ## When to Activate
13
-
14
- - Setting up Laravel authentication and authorization (Sanctum, Passport, Jetstream, Breeze)
15
- - Implementing user roles, permissions, and policies
16
- - Configuring production security settings and environment variables
17
- - Reviewing Laravel applications for security vulnerabilities
18
- - Deploying Laravel applications to production
19
- - Writing secure Eloquent queries and migrations
20
-
21
- ## Production Configuration
22
-
23
- ### Essential Production Settings
24
-
25
- ```php
26
- // config/app.php
27
- 'env' => env('APP_ENV', 'production'),
28
- 'debug' => (bool) env('APP_DEBUG', false), // CRITICAL: Never true in production
29
- 'key' => env('APP_KEY'), // Must be set: php artisan key:generate
30
-
31
- // config/session.php
32
- 'secure' => env('SESSION_SECURE_COOKIE', true),
33
- 'http_only' => true,
34
- 'same_site' => 'lax',
35
-
36
- // Verify APP_KEY is set at boot
37
- // bootstrap/app.php or a service provider
38
- if (empty(config('app.key'))) {
39
- throw new RuntimeException('APP_KEY is not set. Run: php artisan key:generate');
40
- }
41
- ```
42
-
43
- ### Environment File Security
44
-
45
- ```bash
46
- # NEVER commit .env to version control
47
- # .gitignore already includes .env by default
48
-
49
- # Use .env.example with placeholders instead
50
- DB_PASSWORD=
51
- APP_KEY=
52
- SANCTUM_TOKEN_PREFIX=
53
-
54
- # Validate required variables at boot
55
- // In AppServiceProvider::boot()
56
- $requiredKeys = ['app.key', 'database.connections.mysql.database', 'database.connections.mysql.username'];
57
- foreach ($requiredKeys as $key) {
58
- if (empty(config($key))) {
59
- throw new RuntimeException("Missing required config key: {$key}");
60
- }
61
- }
62
- ```
63
-
64
- ### HTTPS Enforcement
65
-
66
- ```php
67
- // AppServiceProvider::boot() or middleware
68
- if (app()->environment('production')) {
69
- URL::forceScheme('https');
70
- request()->server->set('HTTPS', 'on');
71
- }
72
-
73
- // config/app.php for trusted proxies (load balancers)
74
- // Use specific IP ranges — * trusts all, allowing X-Forwarded-* spoofing
75
- // AWS: '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
76
- 'trusted_proxies' => ['10.0.0.0/8', '172.16.0.0/12'],
77
-
78
- // Force HTTPS in production via middleware
79
- // app/Http/Middleware/ForceHttps.php
80
- public function handle($request, Closure $next)
81
- {
82
- if (!$request->secure() && app()->environment('production')) {
83
- return redirect()->secure($request->getRequestUri());
84
- }
85
- return $next($request);
86
- }
87
- ```
88
-
89
- ## Authentication
90
-
91
- ### Sanctum (API Token Authentication)
92
-
93
- ```php
94
- // config/sanctum.php
95
- 'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
96
- '%s%s',
97
- 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
98
- env('APP_URL') ? ',' . parse_url(env('APP_URL'), PHP_URL_HOST) : ''
99
- )));
100
-
101
- 'expiration' => 60 * 24, // Token expiration in minutes (null = never)
102
- 'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
103
-
104
- // Issuing tokens with abilities
105
- $token = $user->createToken('api-token', ['read', 'write'])->plainTextToken;
106
-
107
- // Validate abilities on routes
108
- Route::middleware('auth:sanctum')->group(function () {
109
- Route::get('/orders', function () {
110
- // User must have 'read' ability
111
- abort_unless(Auth::user()->tokenCan('read'), 403);
112
- // ...
113
- })->middleware('abilities:read');
114
-
115
- Route::post('/orders', function () {
116
- // User must have 'write' ability
117
- abort_unless(Auth::user()->tokenCan('write'), 403);
118
- // ...
119
- })->middleware('abilities:write');
120
- });
121
- ```
122
-
123
- ### Password Security
124
-
125
- ```php
126
- // config/hashing.php
127
- // Default is bcrypt. Argon2id is stronger.
128
- 'bcrypt' => [
129
- 'rounds' => env('BCRYPT_ROUNDS', 12), // Increase for stronger hashing
130
- ],
131
-
132
- 'argon' => [
133
- 'memory' => 65536,
134
- 'threads' => 4,
135
- 'time' => 4,
136
- ],
137
-
138
- // Password validation in RegisterRequest
139
- public function rules(): array
140
- {
141
- return [
142
- 'password' => [
143
- 'required',
144
- 'confirmed',
145
- Password::min(12)
146
- ->letters()
147
- ->mixedCase()
148
- ->numbers()
149
- ->symbols()
150
- ->uncompromised(), // Checks haveibeenpwned
151
- ],
152
- ];
153
- }
154
-
155
- // Rate limit login attempts
156
- // App\Http\Controllers\Auth\AuthenticatedSessionController
157
- protected function authenticated(Request $request, $user)
158
- {
159
- if ($user->wasRecentlyLockedOut()) {
160
- // Notify user of suspicious login
161
- $user->notify(new SuspiciousLoginNotification($request->ip()));
162
- }
163
- }
164
- ```
165
-
166
- ### Session Management
167
-
168
- ```php
169
- // config/session.php
170
- 'driver' => env('SESSION_DRIVER', 'database'), // database/redis > file
171
- 'lifetime' => env('SESSION_LIFETIME', 120),
172
- 'expire_on_close' => env('SESSION_EXPIRE_ON_CLOSE', false),
173
- 'encrypt' => env('SESSION_ENCRYPT', false),
174
-
175
- // Regenerate session on login
176
- // App\Http\Controllers\Auth\AuthenticatedSessionController
177
- public function store(LoginRequest $request): RedirectResponse
178
- {
179
- $request->authenticate();
180
- $request->session()->regenerate(); // CRITICAL: prevents session fixation
181
- return redirect()->intended(RouteServiceProvider::HOME);
182
- }
183
-
184
- // Invalidate session on logout
185
- public function destroy(Request $request): RedirectResponse
186
- {
187
- Auth::guard('web')->logout();
188
- $request->session()->invalidate();
189
- $request->session()->regenerateToken();
190
- return redirect('/');
191
- }
192
- ```
193
-
194
- ## Authorization
195
-
196
- ### Gates
197
-
198
- ```php
199
- // App\Providers\AuthServiceProvider
200
- use App\Models\Post;
201
- use App\Models\User;
202
- use Illuminate\Support\Facades\Gate;
203
-
204
- public function boot(): void
205
- {
206
- Gate::define('update-post', function (User $user, Post $post): bool {
207
- return $user->id === $post->user_id;
208
- });
209
-
210
- Gate::define('publish-post', function (User $user): bool {
211
- return $user->role === 'editor' || $user->role === 'admin';
212
- });
213
-
214
- // Using before() for super-admin override
215
- Gate::before(function (User $user, string $ability): ?bool {
216
- if ($user->role === 'super-admin') {
217
- return true; // Grants all abilities
218
- }
219
- return null; // Fall through to normal checks
220
- });
221
- }
222
-
223
- // Usage in controllers
224
- public function update(Request $request, Post $post): RedirectResponse
225
- {
226
- Gate::authorize('update-post', $post);
227
- // Or: $this->authorize('update-post', $post);
228
- // Or: abort_unless(Auth::user()->can('update-post', $post), 403);
229
- // ...
230
- }
231
- ```
232
-
233
- ### Policies
234
-
235
- ```php
236
- // App\Policies\PostPolicy
237
- class PostPolicy
238
- {
239
- use HandlesAuthorization;
240
-
241
- public function viewAny(?User $user): bool
242
- {
243
- return true; // Public listing
244
- }
245
-
246
- public function view(?User $user, Post $post): bool
247
- {
248
- return $post->is_published || ($user && $user->id === $post->user_id);
249
- }
250
-
251
- public function create(User $user): bool
252
- {
253
- return $user->hasVerifiedEmail(); // Must verify email first
254
- }
255
-
256
- public function update(User $user, Post $post): bool
257
- {
258
- return $user->id === $post->user_id;
259
- }
260
-
261
- public function delete(User $user, Post $post): bool
262
- {
263
- return $user->id === $post->user_id && $post->created_at->diffInDays(now()) <= 30;
264
- }
265
-
266
- public function restore(User $user, Post $post): bool
267
- {
268
- return $user->role === 'admin';
269
- }
270
-
271
- public function forceDelete(User $user, Post $post): bool
272
- {
273
- return $user->role === 'super-admin';
274
- }
275
- }
276
-
277
- // Register in AuthServiceProvider
278
- protected $policies = [
279
- Post::class => PostPolicy::class,
280
- ];
281
-
282
- // Controller usage
283
- public function show(Post $post): View
284
- {
285
- $this->authorize('view', $post);
286
- return view('posts.show', compact('post'));
287
- }
288
-
289
- // Blade usage
290
- @can('update', $post)
291
- <a href="{{ route('posts.edit', $post) }}">Edit</a>
292
- @endcan
293
-
294
- @cannot('update', $post)
295
- <span>You cannot edit this post</span>
296
- @endcannot
297
- ```
298
-
299
- ### Middleware Authorization
300
-
301
- ```php
302
- // Using middleware in routes
303
- Route::put('/posts/{post}', [PostController::class, 'update'])
304
- ->middleware('can:update,post');
305
-
306
- Route::get('/posts/create', [PostController::class, 'create'])
307
- ->middleware('can:create,App\Models\Post');
308
-
309
- // Custom authorization middleware
310
- // app/Http/Middleware/CheckRole.php
311
- class CheckRole
312
- {
313
- public function handle(Request $request, Closure $next, string $role): mixed
314
- {
315
- if (!$request->user() || $request->user()->role !== $role) {
316
- abort(403, 'Unauthorized. This area requires role: ' . $role);
317
- }
318
- return $next($request);
319
- }
320
- }
321
-
322
- // Register in Kernel
323
- protected $routeMiddleware = [
324
- 'role' => \App\Http\Middleware\CheckRole::class,
325
- ];
326
-
327
- // Route usage
328
- Route::middleware(['auth', 'role:admin'])->group(function () {
329
- Route::get('/admin', [AdminController::class, 'index']);
330
- });
331
- ```
332
-
333
- ## Eloquent Security
334
-
335
- ### Mass Assignment Protection
336
-
337
- ```php
338
- // BAD: $guarded = [] allows ALL columns to be mass-assigned
339
- // NEVER use $guarded = [] in production
340
-
341
- // GOOD: Whitelist fillable attributes
342
- final class User extends Authenticatable
343
- {
344
- protected $fillable = [
345
- 'name',
346
- 'email',
347
- 'phone',
348
- 'avatar',
349
- ];
350
- // NEVER add 'role', 'is_admin', 'is_verified' here
351
- }
352
-
353
- // GOOD: Explicitly control which fields can be filled in requests
354
- public function store(StoreUserRequest $request): RedirectResponse
355
- {
356
- $user = User::create($request->safe()->only([
357
- 'name', 'email', 'phone', 'avatar'
358
- ]));
359
- // $request->safe() uses validated data only
360
- // $request->only() is NOT safe on its own without validation rules
361
- }
362
-
363
- // BAD: Creating a user with request data directly
364
- User::create($request->all()); // VULNERABLE to mass assignment!
365
-
366
- // BETTER: Use DTOs for creation
367
- $user = User::create($request->validated()); // Only validated fields
368
- ```
369
-
370
- ### SQL Injection Prevention
371
-
372
- ```php
373
- // GOOD: Eloquent automatically parameterizes queries
374
- User::where('email', $userInput)->first();
375
- User::whereRaw('email = ?', [$userInput])->first();
376
-
377
- // GOOD: Query Builder also parameterizes
378
- DB::table('users')->where('email', $userInput)->first();
379
- DB::select('SELECT * FROM users WHERE email = ?', [$userInput]);
380
-
381
- // BAD: Raw string interpolation
382
- DB::select("SELECT * FROM users WHERE email = '{$userInput}'"); // VULNERABLE!
383
- User::whereRaw("email = '{$userInput}'")->first(); // VULNERABLE!
384
-
385
- // BAD: whereRaw/orderByRaw with unescaped input
386
- User::orderByRaw($userInput); // VULNERABLE!
387
- User::groupByRaw($userInput); // VULNERABLE!
388
-
389
- // BAD: DB::statement with concatenation
390
- DB::statement("INSERT INTO users (email) VALUES ('{$userInput}')"); // VULNERABLE!
391
- ```
392
-
393
- ### Attribute Casting
394
-
395
- ```php
396
- final class User extends Authenticatable
397
- {
398
- protected $casts = [
399
- 'email_verified_at' => 'datetime',
400
- 'is_admin' => 'boolean', // Cast to boolean prevents string injection
401
- 'settings' => 'array', // Automatically json_encode/json_decode
402
- 'metadata' => 'encrypted:array', // Laravel 11+ encrypted casting
403
- 'password' => 'hashed', // Laravel 10+ auto-hashes on set
404
- ];
405
- }
406
- ```
407
-
408
- ### Model Security
409
-
410
- ```php
411
- final class User extends Authenticatable
412
- {
413
- // Hide sensitive attributes from JSON/API responses
414
- protected $hidden = [
415
- 'password',
416
- 'remember_token',
417
- 'two_factor_secret',
418
- 'two_factor_recovery_codes',
419
- ];
420
-
421
- // Append only safe computed attributes
422
- protected $appends = ['full_name']; // safe
423
- // NEVER append sensitive computed data
424
- }
425
-
426
- final class Post extends Model
427
- {
428
- // Global scope to filter soft deleted records
429
- use SoftDeletes;
430
-
431
- // Prevent N+1 by restricting lazy loading (optional strict mode)
432
- // AppServiceProvider::boot()
433
- // Model::preventLazyLoading(!app()->isProduction());
434
- }
435
- ```
436
-
437
- ## CSRF Protection
438
-
439
- ### Default Protection
440
-
441
- ```php
442
- // Laravel CSRF is enabled by default via VerifyCsrfToken middleware
443
- // app/Http/Kernel.php (protected $middlewareGroups['web'])
444
-
445
- // All POST/PUT/PATCH/DELETE forms must include @csrf
446
- <form method="POST" action="/posts">
447
- @csrf
448
- <input type="text" name="title">
449
- <button type="submit">Create</button>
450
- </form>
451
- ```
452
-
453
- ### Excluding Routes (Carefully)
454
-
455
- ```php
456
- // app/Http/Middleware/VerifyCsrfToken.php
457
- class VerifyCsrfToken extends Middleware
458
- {
459
- // Only exclude routes that have external CSRF protection (webhooks, etc.)
460
- protected $except = [
461
- 'stripe/*', // Stripe webhooks use their own signature verification
462
- // Avoid blanket 'api/*' — stateful Sanctum routes need CSRF.
463
- // Exclude only specific stateless webhook/endpoint routes.
464
- ];
465
- }
466
- ```
467
-
468
- ### CSRF with JavaScript
469
-
470
- ```html
471
- <meta name="csrf-token" content="{{ csrf_token() }}">
472
-
473
- <script>
474
- // Axios example (Laravel ships with Axios)
475
- axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector(
476
- 'meta[name="csrf-token"]'
477
- ).getAttribute('content');
478
-
479
- // Fetch example
480
- fetch('/posts', {
481
- method: 'POST',
482
- headers: {
483
- 'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').getAttribute('content'),
484
- 'Content-Type': 'application/json',
485
- },
486
- body: JSON.stringify(data),
487
- });
488
- </script>
489
- ```
490
-
491
- ## XSS Prevention
492
-
493
- ### Blade Templating Security
494
-
495
- ```blade
496
- {{-- SAFE: Auto-escaped by Blade --}}
497
- {{ $userInput }}
498
-
499
- {{-- DANGEROUS: Raw output — NEVER use with user input --}}
500
- {!! $userInput !!}
501
-
502
- {{-- SAFE: Only use {!! !!} with trusted content you control --}}
503
- {!! $trustedHtmlFromYourServer !!}
504
-
505
- {{-- GOOD: Use specific escaping directives --}}
506
- @js($data) {{-- JSON encode for JavaScript --}}
507
- @json($data) {{-- JSON encode in templates --}}
508
-
509
- {{-- BAD: Direct user input in raw HTML --}}
510
- <div>{!! $user->bio !!}</div> {{-- VULNERABLE if user provides bio --}}
511
- ```
512
-
513
- ### Safe HTML Handling
514
-
515
- ```php
516
- // When you must allow some HTML, use a whitelist approach
517
- use HTMLPurifier; // Requires: composer require ezyang/htmlpurifier
518
-
519
- public function sanitizeHtml(string $dirty): string
520
- {
521
- $config = \HTMLPurifier_Config::createDefault();
522
- $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
523
- $config->set('URI.AllowedSchemes', ['http', 'https', 'mailto']);
524
- $purifier = new \HTMLPurifier($config);
525
- return $purifier->purify($dirty);
526
- }
527
-
528
- // In blade:
529
- <div>{!! $sanitizedContent !!}</div> {{-- Safe after purification --}}
530
- ```
531
-
532
- ### JavaScript Context Escaping
533
-
534
- ```blade
535
- {{-- SAFE: Blade @js escapes for JavaScript context --}}
536
- <script>
537
- const user = @js($user); // JSON + escaped for JS context
538
- const settings = @json($settings); // Direct JSON encode
539
- </script>
540
-
541
- {{-- DANGEROUS: Manual JSON in JS context --}}
542
- <script>
543
- const user = {{ json_encode($user) }}; // NOT escaped for JS!
544
- </script>
545
- ```
546
-
547
- ### HTTP Headers for XSS Protection
548
-
549
- ```php
550
- // App\Http\Middleware\SecurityHeaders.php
551
- class SecurityHeaders
552
- {
553
- public function handle(Request $request, Closure $next): mixed
554
- {
555
- $response = $next($request);
556
-
557
- $response->headers->set('X-Content-Type-Options', 'nosniff');
558
- $response->headers->set('X-Frame-Options', 'DENY');
559
- $response->headers->set('X-XSS-Protection', '1; mode=block');
560
- $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
561
- $response->headers->set(
562
- 'Content-Security-Policy',
563
- "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
564
- );
565
-
566
- return $response;
567
- }
568
- }
569
-
570
- // Register in kernel
571
- protected $middleware = [
572
- \App\Http\Middleware\SecurityHeaders::class,
573
- ];
574
- ```
575
-
576
- ## Input Validation
577
-
578
- ### Form Request Validation
579
-
580
- ```php
581
- final class StorePostRequest extends FormRequest
582
- {
583
- public function authorize(): bool
584
- {
585
- return $this->user()?->can('create', Post::class) ?? false;
586
- }
587
-
588
- public function rules(): array
589
- {
590
- return [
591
- 'title' => ['required', 'string', 'max:255', 'sanitize_html'],
592
- 'content' => ['required', 'string', 'max:10000'],
593
- 'image' => [
594
- 'required',
595
- 'image',
596
- 'mimes:jpg,jpeg,png,gif,webp', // Whitelist specific types
597
- 'max:2048', // 2MB max
598
- ],
599
- 'tags' => ['array'],
600
- 'tags.*' => ['integer', 'exists:tags,id'],
601
- ];
602
- }
603
-
604
- public function messages(): array
605
- {
606
- return [
607
- 'title.max' => 'Post title must not exceed 255 characters.',
608
- 'image.max' => 'Image must be under 2MB.',
609
- ];
610
- }
611
-
612
- // Sanitize input after validation
613
- public function validated($key = null, $default = null): mixed
614
- {
615
- $validated = parent::validated();
616
- $validated['title'] = strip_tags($validated['title']);
617
- return $key ? ($validated[$key] ?? $default) : $validated;
618
- }
619
- }
620
- ```
621
-
622
- ### Custom Validation Rules
623
-
624
- ```php
625
- // app/Rules/StrongPassword.php
626
- class StrongPassword implements Rule
627
- {
628
- public function passes($attribute, $value): bool
629
- {
630
- return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&#^()_\-+=])[A-Za-z\d@$!%*?&#^()_\-+=]{12,}$/', $value);
631
- }
632
-
633
- public function message(): string
634
- {
635
- return 'The :attribute must be at least 12 characters with uppercase, lowercase, number, and symbol.';
636
- }
637
- }
638
-
639
- // app/Rules/NotBlacklistedDomain.php
640
- class NotBlacklistedDomain implements Rule
641
- {
642
- private array $blacklisted = ['mailinator.com', 'guerrillamail.com'];
643
-
644
- public function passes($attribute, $value): bool
645
- {
646
- $domain = substr(strrchr($value, '@'), 1);
647
- return !in_array(strtolower($domain), $this->blacklisted);
648
- }
649
-
650
- public function message(): string
651
- {
652
- return 'Email from disposable domains is not allowed.';
653
- }
654
- }
655
- ```
656
-
657
- ## API Security
658
-
659
- ### Rate Limiting
660
-
661
- ```php
662
- // App/Providers/RouteServiceProvider
663
- protected function configureRateLimiting(): void
664
- {
665
- RateLimiter::for('api', function (Request $request) {
666
- return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
667
- });
668
-
669
- RateLimiter::for('auth', function (Request $request) {
670
- return Limit::perMinute(5)->by($request->ip())
671
- ->response(function () {
672
- return response()->json([
673
- 'message' => 'Too many login attempts. Try again in 1 minute.',
674
- ], 429);
675
- });
676
- });
677
-
678
- RateLimiter::for('uploads', function (Request $request) {
679
- return Limit::perHour(10)->by($request->user()?->id ?? $request->ip())
680
- ->response(function () {
681
- return response()->json([
682
- 'message' => 'Upload limit reached. Try again later.',
683
- ], 429);
684
- });
685
- });
686
- }
687
-
688
- // Route usage
689
- Route::middleware(['auth:sanctum', 'throttle:api'])->group(function () {
690
- Route::apiResource('posts', PostController::class);
691
- });
692
-
693
- Route::post('/login', [AuthController::class, 'login'])
694
- ->middleware('throttle:auth');
695
- ```
696
-
697
- ### API Authentication — Sanctum vs Passport
698
-
699
- ```php
700
- // Sanctum (recommended for most apps — simple, first-party, SPA)
701
- // config/sanctum.php
702
- 'expiration' => 60 * 24, // Tokens expire after 24 hours
703
- 'model' => User::class,
704
-
705
- // Issuing scoped tokens
706
- $token = $user->createToken('client-name', [
707
- 'posts:read',
708
- 'posts:write',
709
- ])->plainTextToken;
710
-
711
- // Middleware scoping
712
- Route::middleware('auth:sanctum')->group(function () {
713
- Route::get('/posts', [PostController::class, 'index'])
714
- ->middleware('abilities:posts:read');
715
-
716
- Route::post('/posts', [PostController::class, 'store'])
717
- ->middleware('abilities:posts:write');
718
- });
719
-
720
- // Passport (OAuth2 — for third-party clients or complex auth flows)
721
- // Install: composer require laravel/passport
722
- Passport::tokensExpireIn(now()->addDays(15));
723
- Passport::refreshTokensExpireIn(now()->addDays(30));
724
- Passport::personalAccessTokensExpireIn(now()->addMonths(6));
725
- ```
726
-
727
- ### CORS Configuration
728
-
729
- ```php
730
- // config/cors.php
731
- return [
732
- 'paths' => ['api/*', 'sanctum/csrf-cookie'],
733
- 'allowed_methods' => ['*'],
734
- 'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', '')), // Whitelist specific origins
735
- 'allowed_origins_patterns' => [],
736
- 'allowed_headers' => ['*'],
737
- 'exposed_headers' => ['X-Total-Count', 'X-Pagination-Page'],
738
- 'max_age' => 0,
739
- 'supports_credentials' => true, // Required for Sanctum SPA auth
740
- ];
741
-
742
- // NEVER: Allow all origins in production unless absolutely necessary
743
- // 'allowed_origins' => ['*'], // Only for truly public APIs
744
- ```
745
-
746
- ## File Upload Security
747
-
748
- ### Validation
749
-
750
- ```php
751
- public function rules(): array
752
- {
753
- return [
754
- 'document' => [
755
- 'required',
756
- 'file',
757
- 'mimes:pdf,doc,docx,xls,xlsx', // Whitelist specific MIME types
758
- 'max:10240', // 10MB
759
- 'extensions:pdf,doc,docx,xls,xlsx', // Verify extension matches MIME
760
- ],
761
- 'avatar' => [
762
- 'nullable',
763
- 'image', // Ensures it's a valid image
764
- 'mimes:jpg,jpeg,png,webp',
765
- 'max:2048',
766
- 'dimensions:min_width=100,min_height=100,max_width=2000,max_height=2000',
767
- ],
768
- ];
769
- }
770
- ```
771
-
772
- ### Secure Storage
773
-
774
- ```php
775
- // Store files outside public directory
776
- $path = $request->file('document')->store('documents', 'local');
777
- // Never use 'public' disk for sensitive documents
778
-
779
- // Use signed URLs for temporary file access
780
- use Illuminate\Support\Facades\Storage;
781
-
782
- public function download(Request $request, string $path)
783
- {
784
- // Generate temporary signed URL (expires in 15 minutes)
785
- $url = Storage::temporaryUrl($path, now()->addMinutes(15));
786
-
787
- // Validate user has permission
788
- $this->authorize('download', $path);
789
-
790
- return redirect($url);
791
- }
792
-
793
- // Storage configuration for cloud with encryption
794
- // config/filesystems.php
795
- 's3' => [
796
- 'driver' => 's3',
797
- 'key' => env('AWS_ACCESS_KEY_ID'),
798
- 'secret' => env('AWS_SECRET_ACCESS_KEY'),
799
- 'region' => env('AWS_DEFAULT_REGION'),
800
- 'bucket' => env('AWS_BUCKET'),
801
- 'url' => env('AWS_URL'),
802
- 'endpoint' => env('AWS_ENDPOINT'),
803
- 'use_path_style_endpoint' => env('AWS_USE_PATH_STYLE_ENDPOINT', false),
804
- 'throw' => false,
805
- 'server_side_encryption' => 'AES256', // Encrypt at rest
806
- ],
807
- ```
808
-
809
- ## Dependencies and Secrets
810
-
811
- ### Composer Security
812
-
813
- ```bash
814
- # Always audit dependencies in CI
815
- composer audit
816
-
817
- # Pin major versions in composer.json
818
- "laravel/framework": "^11.0",
819
- "spatie/laravel-permission": "^6.0"
820
-
821
- # Check for abandoned packages
822
- composer why-not
823
-
824
- # Keep lock file in version control (it pins exact versions)
825
- # Run `composer update` deliberately, never in CI/CD
826
- ```
827
-
828
- ### Secret Management
829
-
830
- ```bash
831
- # .env file (NEVER commit)
832
- # .gitignore includes .env by default
833
-
834
- APP_KEY=base64:abc123...
835
- DB_PASSWORD=secure_password
836
- STRIPE_KEY=sk_live_...
837
- SANCTUM_TOKEN_PREFIX=myapp_
838
-
839
- # For production: Use a secret manager
840
- # Deploy with: env $(aws secretsmanager get-secret-value --secret-id prod/db | jq ...) php artisan serve
841
-
842
- # Validate secrets at boot (AppServiceProvider::boot)
843
- $secrets = ['services.stripe.key', 'services.stripe.webhook_secret'];
844
- foreach ($secrets as $key) {
845
- if (empty(config($key))) {
846
- Log::critical("Missing secret: {$key}");
847
- }
848
- }
849
- ```
850
-
851
- ## Queue Security
852
-
853
- ```php
854
- // Define a named rate limiter (typically in AppServiceProvider::boot())
855
- RateLimiter::for('payments', fn () => Limit::perMinute(5));
856
- ```
857
-
858
- ```php
859
- // Encrypt sensitive job data by implementing the interface
860
- final class ProcessPaymentJob implements ShouldQueue, ShouldBeEncrypted
861
- {
862
- use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
863
-
864
- public function __construct(
865
- private readonly string $paymentIntentId, // Public IDs are fine
866
- private readonly string $cardFingerprint, // Encrypted via ShouldBeEncrypted
867
- ) {}
868
-
869
- public function handle(): void
870
- {
871
- // Process payment
872
- }
873
-
874
- // Limit retries and delay between attempts
875
- public function retryUntil(): Carbon
876
- {
877
- return now()->addMinutes(5);
878
- }
879
-
880
- // Rate limit how many jobs of this type can run
881
- public function middleware(): array
882
- {
883
- return [
884
- new RateLimited('payments'),
885
- ];
886
- }
887
- }
888
- ```
889
-
890
- ## Logging Security Events
891
-
892
- ```php
893
- // config/logging.php
894
- 'channels' => [
895
- 'security' => [
896
- 'driver' => 'single',
897
- 'path' => storage_path('logs/security.log'),
898
- 'level' => 'warning',
899
- ],
900
- ],
901
-
902
- // Audit log helper
903
- final class SecurityLogger
904
- {
905
- public static function log(string $event, array $context = []): void
906
- {
907
- Log::channel('security')->warning($event, array_merge([
908
- 'user_id' => Auth::id(),
909
- 'ip' => request()->ip(),
910
- 'user_agent' => request()->userAgent(),
911
- 'url' => request()->fullUrl(),
912
- 'timestamp' => now()->toIso8601String(),
913
- ], $context));
914
- }
915
- }
916
-
917
- // Usage
918
- SecurityLogger::log('failed_login_attempt', ['email' => $email]);
919
- SecurityLogger::log('password_change');
920
- SecurityLogger::log('role_change', ['target_user' => $targetId, 'new_role' => 'admin']);
921
- SecurityLogger::log('suspicious_activity', ['reason' => 'multiple_attempts_from_different_ips']);
922
- ```
923
-
924
- ## Quick Security Checklist
925
-
926
- | Check | Description |
927
- |-------|-------------|
928
- | `APP_DEBUG=false` | Never run with debug enabled in production |
929
- | `APP_KEY` set | Always run `php artisan key:generate` |
930
- | HTTPS enforced | Force HTTPS in production via middleware or proxy |
931
- | `$fillable` whitelisted | Never use `$guarded = []` |
932
- | CSRF active | `@csrf` on all state-changing forms |
933
- | Sanctum/Passport configured | API authentication with token abilities/scopes |
934
- | Rate limiting applied | Throttle API and auth endpoints |
935
- | Input validation | FormRequest with specific rules, never `$request->all()` |
936
- | File upload restrictions | Validate MIME types, size, dimensions |
937
- | `composer audit` in CI | Check dependencies for known vulnerabilities |
938
- | `password_hash` / `password_verify` | Use Laravel's built-in hashing (bcrypt/Argon2) |
939
- | Session regeneration on login | Call `$request->session()->regenerate()` |
940
- | Security headers middleware | CSP, X-Frame-Options, X-Content-Type-Options |
941
- | Logged security events | Audit log for auth failures, role changes, suspicious activity |
942
- | `.env` not committed | Verify `.gitignore` includes `.env` |
943
-
944
- ## Related Skills
945
-
946
- - `laravel-patterns` — Laravel architecture, routing, Eloquent, and API patterns
947
- - `backend-patterns` — General backend API and database patterns
948
- - `laravel-tdd` — Laravel testing with PHPUnit and Pest