@rune-kit/rune 2.1.1

package/skills/sentinel/SKILL.md

@@ -0,0 +1,320 @@
+---
+name: sentinel
+description: Automated security gatekeeper. Blocks unsafe code before commit — secret scanning, OWASP top 10, dependency audit, permission checks. A GATE, not a suggestion.
+metadata:
+  author: runedev
+  version: "0.2.0"
+  layer: L2
+  model: sonnet
+  group: quality
+  tools: "Read, Bash, Glob, Grep"
+---
+
+# sentinel
+
+## Purpose
+
+Automated security gatekeeper that blocks unsafe code BEFORE commit. Unlike `review` which suggests improvements, sentinel is a hard gate — it BLOCKS on critical findings. Runs secret scanning, OWASP top 10 pattern detection, dependency auditing, and destructive command checks. Escalates to opus for deep security audit when critical patterns detected.
+
+<HARD-GATE>
+If status is BLOCK, output the report and STOP. Do not hand off to commit. The calling skill (`cook`, `preflight`, `deploy`) must halt until the developer fixes all BLOCK findings and re-runs sentinel.
+</HARD-GATE>
+
+## Triggers
+
+- Called automatically by `cook` before commit phase
+- Called by `preflight` as security sub-check
+- Called by `deploy` before deployment
+- `/rune sentinel` — manual security scan
+- Auto-trigger: when `.env`, auth files, or security-critical code is modified
+
+## Calls (outbound)
+
+- `scout` (L2): scan changed files to identify security-relevant code
+- `verification` (L3): run security tools (npm audit, pip audit, cargo audit)
+- `integrity-check` (L3): agentic security validation of .rune/ state files
+- `sast` (L3): deep static analysis with Semgrep, Bandit, ESLint security rules
+
+## Called By (inbound)
+
+- `cook` (L1): auto-trigger before commit phase
+- `review` (L2): when security-critical code detected
+- `deploy` (L2): pre-deployment security check
+- `preflight` (L2): security sub-check in quality gate
+- `audit` (L2): Phase 2 full security audit
+- `incident` (L2): security dimension check during incident response
+- `review-intake` (L2): security scan on code submitted for structured review
+
+## Severity Levels
+
+```
+BLOCK    — commit MUST NOT proceed (secrets found, critical CVE, SQL injection)
+WARN     — commit can proceed but developer must acknowledge (medium CVE, missing validation)
+INFO     — informational finding, no action required (best practice suggestion)
+```
+
+## Security Patterns (built-in)
+
+```
+# Secret patterns (regex)
+AWS_KEY:        AKIA[0-9A-Z]{16}
+GITHUB_TOKEN:   gh[ps]_[A-Za-z0-9_]{36,}
+GENERIC_SECRET: (?i)(api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}
+HIGH_ENTROPY:   [A-Za-z0-9+/=]{40,}  (entropy > 4.5)
+
+# OWASP patterns
+SQL_INJECTION:  string concat/interpolation in SQL context
+XSS:            innerHTML, dangerouslySetInnerHTML, document.write
+CSRF:           form without CSRF token, missing SameSite cookie
+```
+
+## Executable Steps
+
+### Step 1 — Secret Scan (Gitleaks-Enhanced)
+
+Use `Grep` to search all changed files (or full codebase if no diff available) for secret patterns.
+
+**1a. Current file scan:**
+- Patterns: `sk-`, `AKIA`, `ghp_`, `ghs_`, `-----BEGIN`, `password\s*=\s*["']`, `secret\s*=\s*["']`, `api_key\s*=\s*["']`, `token\s*=\s*["']`
+- Also scan for `.env` file contents committed directly (grep for lines matching `KEY=value` outside `.env` files)
+- Flag any string with entropy > 4.5 and length > 40 characters as HIGH_ENTROPY candidate
+
+**1b. Extended gitleaks patterns:**
+```
+SLACK_TOKEN:      xox[bpors]-[0-9a-zA-Z]{10,}
+STRIPE_KEY:       [sr]k_(live|test)_[0-9a-zA-Z]{24,}
+SENDGRID:         SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}
+TWILIO:           SK[0-9a-fA-F]{32}
+FIREBASE:         AIza[0-9A-Za-z_-]{35}
+PRIVATE_KEY:      -----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
+JWT:              eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}
+GENERIC_API_KEY:  (?i)(apikey|api_key|api-key)\s*[:=]\s*["'][A-Za-z0-9_-]{16,}
+```
+
+**1c. Git history scan (first run only):**
+If this is the first sentinel scan on this repo (no `.rune/sentinel-baseline.md` exists):
+```
+Bash: git log --all --diff-filter=A -- '*.env*' '*.key' '*.pem' '*.p12' '*credentials*' '*secret*'
+→ If any results: WARN — historical secret files detected. Recommend BFG/git-filter-repo cleanup.
+```
+
+For subsequent runs, scan only the current diff (incremental).
+
+Any match = **BLOCK**. Do not proceed to later steps if BLOCK findings exist — report immediately.
+
+### Step 2 — Dependency Audit
+Use `Bash` to run the appropriate audit command for the detected package manager:
+- npm/pnpm/yarn: `npm audit --json` (parse JSON, extract critical + high severity)
+- Python: `pip-audit --format=json` (if installed) or `safety check`
+- Rust: `cargo audit --json`
+- Go: `govulncheck ./...`
+
+Critical CVE (CVSS >= 9.0) = **BLOCK**. High CVE (CVSS 7.0–8.9) = **WARN**. Medium/Low = **INFO**.
+
+If audit tool is not installed, log **INFO**: "audit tool not found, skipping dependency check" — do NOT block on missing tooling.
+
+### Step 3 — OWASP Check
+Use `Read` to scan changed files for:
+- **SQL Injection**: string concatenation or interpolation inside SQL query strings (e.g., `"SELECT * FROM users WHERE id = " + userId`, f-strings with SQL). Flag = **BLOCK**
+- **XSS**: `innerHTML =`, `dangerouslySetInnerHTML`, `document.write(` with non-static content. Flag = **BLOCK**
+- **CSRF**: HTML `<form>` elements without CSRF token fields; `Set-Cookie` headers without `SameSite`. Flag = **WARN**
+- **Missing input validation**: new route handlers or API endpoints that directly pass `req.body` / `request.json()` to a database call without a validation schema. Flag = **WARN**
+
+**SQL Injection examples:**
+```python
+# BAD — string interpolation in SQL → BLOCK
+cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+query = "SELECT * FROM users WHERE name = '" + name + "'"
+# GOOD — parameterized query
+cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))
+```
+
+**XSS examples:**
+```typescript
+// BAD — renders raw user content → BLOCK
+element.innerHTML = userComment;
+<div dangerouslySetInnerHTML={{ __html: userInput }} />
+// GOOD — safe alternatives
+element.textContent = userComment;
+<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />
+```
+
+**Input validation examples:**
+```typescript
+// BAD — raw body to DB → WARN
+app.post('/users', async (req, res) => { await db.users.create(req.body); });
+// GOOD — validate at boundary
+app.post('/users', async (req, res) => {
+  const validated = CreateUserSchema.parse(req.body);
+  await db.users.create(validated);
+});
+```
+
+### Step 4 — Permission Check
+Use `Grep` to scan for:
+- Destructive shell commands in scripts: `rm -rf /`, `DROP TABLE`, `DELETE FROM` without `WHERE`, `TRUNCATE`
+- File operations using absolute paths outside the project root (e.g., `/etc/`, `/usr/`, `C:\Windows\`)
+- Direct production database connection strings (e.g., `prod`, `production` in DB host names)
+
+Destructive command on production path = **BLOCK**. Suspicious path = **WARN**.
+
+### Step 4.5 — Framework-Specific Security Patterns
+
+Apply only if the framework is detected in changed files:
+
+**Django** (detect: `django` in requirements or imports)
+- `DEBUG = True` in non-development settings → **BLOCK**
+- Missing `permission_classes` on ModelViewSet → **WARN**
+- CSRF middleware removed from `MIDDLEWARE` list → **BLOCK**
+
+**React / Next.js** (detect: `.tsx` / `.jsx` files)
+- JWT stored in `localStorage` instead of `httpOnly` cookie → **WARN**
+- `dangerouslySetInnerHTML` without `DOMPurify.sanitize()` → **BLOCK**
+
+**Node.js / Express / Fastify** (detect: `express`, `fastify` imports)
+- CORS set to `origin: '*'` on authenticated endpoints → **WARN**
+- Missing `helmet` middleware for HTTP security headers → **WARN**
+
+**Python** (detect: `.py` files)
+- `pickle.loads(user_input)` or `eval(user_expression)` → **BLOCK**
+- `yaml.load()` without `Loader` arg (uses unsafe loader) → **WARN**
+
+### Step 4.6 — Config Protection (3-Layer Defense)
+
+Detect attempts to weaken code quality or security configurations. Agents and developers sometimes disable checks to "fix" build errors — sentinel blocks this.
+
+**Layer 1 — Linter/Formatter Config Drift:**
+Scan diff for changes to these files:
+- `.eslintrc*`, `eslint.config.*`, `biome.json` → rules disabled or removed
+- `tsconfig.json` → `strict` changed to `false`, `any` allowed, `skipLibCheck` added
+- `ruff.toml`, `.ruff.toml`, `pyproject.toml [tool.ruff]` → rules removed from select list
+- `.prettierrc*` → significant format changes without team discussion
+
+Detection patterns:
+```
+# ESLint rule disable
+"off" or 0 in rule config (compare with previous)
+// eslint-disable added to >3 lines in same file
+
+# TypeScript strictness weakening
+"strict": false
+"noImplicitAny": false
+"skipLibCheck": true (added, not already present)
+
+# Ruff rule removal
+select = [...] with fewer rules than before
+```
+
+Match = **WARN** with message: "Config change weakens code quality — verify this is intentional."
+
+**Layer 2 — Security Middleware Removal:**
+Scan for removal of security-critical middleware/imports:
+- `helmet` removed from Express/Fastify middleware chain
+- `csrf` middleware removed or commented out
+- `cors` configuration changed to `origin: '*'`
+- `SecurityMiddleware` removed from Django `MIDDLEWARE`
+- `@csrf_protect` decorator removed from Django views
+
+Match = **BLOCK** with message: "Security middleware removed — this must be explicitly justified."
+
+**Layer 3 — CI/CD Safety Bypass:**
+Scan for weakening of CI/CD safety checks:
+- `--no-verify` added to git commands in scripts
+- `--force` added to deployment scripts
+- Test steps removed or marked `continue-on-error: true`
+- Coverage thresholds lowered
+
+Match = **WARN** with message: "CI safety check weakened — verify this is intentional."
+
+### Step 4.7 — Agentic Security Scan
+
+If `.rune/` directory exists in the project, invoke `integrity-check` (L3) to scan for adversarial content:
+
+```
+REQUIRED SUB-SKILL: rune:integrity-check
+→ Invoke integrity-check on all .rune/*.md files + any state files in the commit diff.
+→ Capture: status (CLEAN | SUSPICIOUS | TAINTED), findings list.
+```
+
+Map integrity-check results to sentinel severity:
+- `TAINTED` → sentinel **BLOCK** (adversarial content in state files)
+- `SUSPICIOUS` → sentinel **WARN** (review recommended before commit)
+- `CLEAN` → no additional findings
+
+If `.rune/` directory does not exist, skip this step (log INFO: "no .rune/ state files, agentic scan skipped").
+
+### Step 5 — Report
+Aggregate all findings. Apply the verdict rule:
+- Any **BLOCK** finding → overall status = **BLOCK**. List all BLOCK items first.
+- No BLOCK but any **WARN** → overall status = **WARN**. Developer must acknowledge each WARN.
+- Only **INFO** → overall status = **PASS**.
+
+If status is BLOCK, output the report and STOP. Do not hand off to commit. The calling skill (`cook`, `preflight`, `deploy`) must halt until the developer fixes all BLOCK findings and re-runs sentinel.
+
+### WARN Acknowledgment Protocol
+
+WARN findings do not block the commit but MUST be explicitly acknowledged:
+
+```
+For each WARN item, developer must respond with one of:
+  - "ack" — acknowledged, will fix later (logged to .rune/decisions.md)
+  - "fix" — fixing now (sentinel re-runs after fix)
+  - "wontfix [reason]" — intentional, with documented reason
+
+Silent continuation past WARN = VIOLATION.
+The calling skill (cook) must present WARNs and wait for acknowledgment.
+```
+
+## Output Format
+
+```
+## Sentinel Report
+- **Status**: PASS | WARN | BLOCK
+- **Files Scanned**: [count]
+- **Findings**: [count by severity]
+
+### BLOCK (must fix before commit)
+- `path/to/file.ts:42` — Hardcoded API key detected (pattern: sk-...)
+- `path/to/api.ts:15` — SQL injection: string concatenation in query
+
+### WARN (must acknowledge)
+- `package.json` — lodash@4.17.20 has known prototype pollution (CVE-2021-23337, CVSS 7.4)
+
+### INFO
+- `auth.ts:30` — Consider adding rate limiting to login endpoint
+
+### Verdict
+BLOCKED — 2 critical findings must be resolved before commit.
+```
+
+## Constraints
+
+1. MUST scan ALL files in scope — not just the file the user pointed at
+2. MUST check: hardcoded secrets, SQL injection, XSS, CSRF, auth bypass, path traversal
+3. MUST list every file checked in the report — "no issues found" requires proof of what was examined
+4. MUST NOT say "the framework handles security" as justification for skipping checks
+5. MUST NOT say "this is an internal tool" as justification for reduced security
+6. MUST flag any .env, credentials, or key files found in git-tracked directories
+7. MUST use opus model for security-critical code (auth, crypto, payments)
+
+## Sharp Edges
+
+| Failure Mode | Severity | Mitigation |
+|---|---|---|
+| False positive on test fixtures with fake secrets | MEDIUM | Verify file path — `test/`, `fixtures/`, `__mocks__/` patterns; check string entropy |
+| Skipping framework checks because "the framework handles it" | HIGH | CONSTRAINT blocks this rationalization — apply checks regardless |
+| Dependency audit tool missing → silently skipped | LOW | Report INFO "tool not found, skipping" — never skip silently |
+| Stopping after first BLOCK without aggregating all findings | MEDIUM | Complete ALL steps, aggregate ALL findings, then report — developer needs the full list |
+| Missing agentic security scan when .rune/ exists | HIGH | Step 4.7 is mandatory when .rune/ directory detected — never skip |
+
+## Done When
+
+- All files in scope scanned for secret patterns
+- OWASP checks applied (SQL injection, XSS, CSRF, input validation)
+- Dependency audit ran (or "tool not found" reported as INFO)
+- Framework-specific checks applied for every detected framework
+- Structured report emitted with PASS / WARN / BLOCK verdict and all files scanned listed
+
+## Cost Profile
+
+~1000-3000 tokens input, ~500-1000 tokens output. Sonnet default, opus for deep audit on critical findings.

package/skills/sentinel-env/SKILL.md

@@ -0,0 +1,226 @@
+---
+name: sentinel-env
+description: Environment-aware pre-flight check. Validates OS, runtime versions, installed tools, port availability, env vars, and disk space BEFORE coding starts. Prevents "works on my machine" failures. Like sentinel but for the environment, not the code.
+metadata:
+  author: runedev
+  version: "0.1.0"
+  layer: L3
+  model: haiku
+  group: validation
+  tools: "Bash, Read, Glob, Grep"
+---
+
+# sentinel-env
+
+## Purpose
+
+Catch environment mismatches before they waste debugging time. Validates that the developer's machine has the right runtime versions, tools, ports, and configuration to run the project. Prevents the entire class of "works on my machine" failures that masquerade as code bugs.
+
+This is the environment counterpart to `sentinel` (which checks code security) and `preflight` (which checks code quality). sentinel-env checks the MACHINE, not the code.
+
+## Triggers
+
+- Called by `cook` Phase 0.5 — before planning, after resume check (first run in a new project only)
+- Called by `scaffold` — after project bootstrap, verify environment matches generated config
+- Called by `onboard` — during project onboarding, verify developer can run the project
+- `/rune env-check` — manual environment validation
+- Auto-trigger: when `npm install`, `pip install`, or similar fails during cook
+
+## Calls (outbound)
+
+None — sentinel-env is a pure read-only utility. It checks and reports, never modifies.
+
+## Called By (inbound)
+
+- `cook` (L1): Phase 0.5 — first run detection (no `.rune/` directory exists)
+- `scaffold` (L1): post-bootstrap environment validation
+- `onboard` (L2): developer onboarding verification
+- User: `/rune env-check` direct invocation
+
+## Execution
+
+### Step 1: Detect Project Type
+
+Read project configuration files to determine what environment is needed:
+
+1. Use `Glob` to check for project config files:
+   - `package.json` → Node.js project
+   - `pyproject.toml` / `setup.py` / `requirements.txt` → Python project
+   - `Cargo.toml` → Rust project
+   - `go.mod` → Go project
+   - `Gemfile` → Ruby project
+   - `docker-compose.yml` / `Dockerfile` → Docker project
+   - `.nvmrc` / `.node-version` → specific Node version required
+   - `.python-version` → specific Python version required
+
+2. Read each detected config file to extract version constraints:
+   - `package.json` → `engines.node`, `engines.npm`, dependency versions
+   - `pyproject.toml` → `requires-python`, dependency versions
+   - `Cargo.toml` → `rust-version`
+   - `go.mod` → `go` directive version
+
+3. Build an environment requirements checklist from the detected configs.
+
+### Step 2: Runtime Version Check
+
+For each detected runtime, verify the installed version matches constraints:
+
+```bash
+# Node.js
+node --version    # Compare against package.json engines.node or .nvmrc
+npm --version     # Compare against package.json engines.npm
+# or pnpm/yarn/bun depending on lockfile present
+
+# Python
+python --version  # Compare against pyproject.toml requires-python
+pip --version
+
+# Rust
+rustc --version   # Compare against Cargo.toml rust-version
+cargo --version
+
+# Go
+go version        # Compare against go.mod go directive
+
+# Docker
+docker --version
+docker compose version
+```
+
+**Version comparison logic:**
+- If the constraint is `>=18.0.0` and installed is `20.11.1` → PASS
+- If the constraint is `>=18.0.0` and installed is `16.20.2` → BLOCK (wrong major version)
+- If the runtime is not installed at all → BLOCK
+- If no version constraint exists in config → WARN (version unconstrained)
+
+### Step 3: Required Tools Check
+
+Detect and verify tools the project depends on:
+
+1. **Package manager**: Check which lockfile exists and verify the matching tool is installed
+   - `package-lock.json` → npm
+   - `pnpm-lock.yaml` → pnpm
+   - `yarn.lock` → yarn
+   - `bun.lockb` → bun
+   - `poetry.lock` → poetry
+   - `uv.lock` → uv
+   - Mismatched lockfile + installed tool → WARN (e.g., yarn.lock exists but only npm installed)
+
+2. **Git**: `git --version` — required for all projects
+3. **Docker**: Check only if `Dockerfile` or `docker-compose.yml` exists
+4. **Database tools**: Check if `prisma`, `drizzle`, `alembic`, `django` migrations exist → verify DB client installed
+5. **Build tools**: Check for `turbo.json` (turborepo), `nx.json` (Nx), `Makefile`, etc.
+
+### Step 4: Port Availability Check
+
+Detect which ports the project needs and check if they're available:
+
+1. Parse port information from:
+   - `package.json` scripts (look for `--port`, `-p`, `PORT=` patterns)
+   - `.env` / `.env.example` (look for `PORT=`, `DATABASE_URL` with port)
+   - `docker-compose.yml` (ports section)
+   - Common defaults: 3000 (Next.js/React), 5173 (Vite), 8000 (Django/FastAPI), 5432 (PostgreSQL), 6379 (Redis)
+
+2. Check each port:
+   ```bash
+   # Cross-platform port check
+   # Windows: netstat -ano | findstr :PORT
+   # Unix: lsof -i :PORT or ss -tlnp | grep :PORT
+   ```
+
+3. If port is in use → WARN with the process name using it
+
+### Step 5: Environment Variables Check
+
+Compare required env vars against actual configuration:
+
+1. Read `.env.example` or `.env.template` if it exists
+2. Read `.env` if it exists (DO NOT log values — only check key presence)
+3. For each key in `.env.example`:
+   - Present in `.env` → PASS
+   - Missing from `.env` → WARN (with the key name, never the expected value)
+4. Check for dangerous patterns:
+   - `.env` committed to git (check `.gitignore`) → BLOCK (security risk)
+   - Placeholder values still present (`your-api-key-here`, `changeme`, `xxx`) → WARN
+
+### Step 6: Disk Space and System Resources
+
+Quick system health check:
+
+1. **Disk space**: Check available space on the project drive
+   - < 1 GB → WARN
+   - < 500 MB → BLOCK (npm install / docker build will fail)
+
+2. **Platform-specific checks**:
+   - **Windows**: Check for long path support (`git config core.longpaths` for node_modules)
+   - **macOS**: Check Xcode CLI tools if native modules detected (`node-gyp` in dependencies)
+   - **Linux**: Check file watcher limit if large project (`fs.inotify.max_user_watches`)
+
+### Step 7: Report
+
+Produce a structured environment report:
+
+**Verdict logic:**
+- Any BLOCK finding → **BLOCKED** (environment cannot run this project)
+- Any WARN finding → **READY WITH WARNINGS** (can run but may hit issues)
+- All checks pass → **READY** (environment is correctly configured)
+
+For each finding, include a specific remediation command the developer can copy-paste.
+
+## Output Format
+
+```
+## Environment Check: [project name]
+- **Project type**: [Node.js / Python / Rust / Go / Multi]
+- **Checks run**: [count]
+- **Verdict**: READY | READY WITH WARNINGS | BLOCKED
+
+### BLOCKED
+- [ENV-001] Node.js 16.20.2 installed but >=18.0.0 required
+  → Fix: `nvm install 18 && nvm use 18`
+
+### WARNINGS
+- [ENV-002] Port 3000 in use by process "node" (PID 12345)
+  → Fix: `kill 12345` or change PORT in .env
+- [ENV-003] Missing env var: DATABASE_URL (required by .env.example)
+  → Fix: Copy from .env.example and fill in your database connection string
+
+### PASSED
+- [ENV-004] pnpm 9.1.0 ✓ (matches pnpm-lock.yaml)
+- [ENV-005] Git 2.44.0 ✓
+- [ENV-006] Docker 25.0.3 ✓
+- [ENV-007] Disk space: 42 GB available ✓
+```
+
+## Constraints
+
+1. MUST be read-only — never install, update, or modify anything on the developer's machine
+2. MUST NOT log environment variable VALUES — only check key presence (security)
+3. MUST provide copy-paste remediation commands for every BLOCK and WARN finding
+4. MUST handle cross-platform differences (Windows/macOS/Linux) gracefully
+5. MUST complete in under 10 seconds — use parallel Bash calls where possible
+6. MUST NOT block on WARN findings — only BLOCK findings prevent proceeding
+
+## Sharp Edges
+
+| Failure Mode | Severity | Mitigation |
+|---|---|---|
+| False BLOCK on version — semver parsing error | HIGH | Use simple major.minor comparison, not full semver regex |
+| Slowness on Windows — netstat/port checks are slower | MEDIUM | Timeout port checks at 3s, skip if slow |
+| .env file contains secrets — accidentally logged | CRITICAL | NEVER read .env values, only check key existence via grep for key names |
+| Platform detection wrong — WSL vs native Windows | MEDIUM | Check for WSL explicitly (`uname -r` contains "microsoft") |
+| Over-checking — flagging optional tools as required | MEDIUM | Only check tools evidenced by config files, not speculative |
+
+## Done When
+
+- All detected project runtimes version-checked against constraints
+- Package manager matches lockfile type
+- Required ports checked for availability
+- Environment variables compared against .env.example (keys only)
+- Disk space verified adequate
+- Structured report with READY / READY WITH WARNINGS / BLOCKED verdict
+- Every BLOCK/WARN finding has a copy-paste remediation command
+
+## Cost Profile
+
+~500-1000 tokens input, ~500-1000 tokens output. Haiku model — this is fast, cheap, read-only scanning. Runs once per new project (or on manual invoke). Sub-10-second execution target.