@tenantegroup/ai-rules-mcp 1.0.0
- package/INSTALLATION.md +52 -0
- package/README.md +57 -0
- package/USAGE.md +46 -0
- package/package.json +57 -0
- package/rules/cloudflare/api-services.md +80 -0
- package/rules/cloudflare/cicd-deployment.md +56 -0
- package/rules/cloudflare/database-orm.md +28 -0
- package/rules/cloudflare/edge-parity.md +24 -0
- package/rules/cloudflare/kv-usage.md +31 -0
- package/rules/cloudflare/logging-observability.md +66 -0
- package/rules/cloudflare/performance.md +44 -0
- package/rules/cloudflare/realtime-background.md +58 -0
- package/rules/cloudflare/security.md +162 -0
- package/rules/cloudflare/seeding.md +27 -0
- package/rules/cloudflare/workflows.md +593 -0
- package/rules/dotnet/api.md +26 -0
- package/rules/dotnet/architecture.md +27 -0
- package/rules/dotnet/cli.md +26 -0
- package/rules/dotnet/configuration.md +26 -0
- package/rules/dotnet/logging.md +25 -0
- package/rules/dotnet/maui.md +26 -0
- package/rules/dotnet/mvvm.md +26 -0
- package/rules/dotnet/packaging.md +24 -0
- package/rules/dotnet/project-structure.md +26 -0
- package/rules/dotnet/sqlite.md +29 -0
- package/rules/dotnet/testing.md +24 -0
- package/rules/flutter/api.md +29 -0
- package/rules/flutter/architecture.md +34 -0
- package/rules/flutter/auth.md +27 -0
- package/rules/flutter/configuration.md +24 -0
- package/rules/flutter/database.md +30 -0
- package/rules/flutter/logging.md +27 -0
- package/rules/flutter/navigation.md +28 -0
- package/rules/flutter/offline-sync.md +26 -0
- package/rules/flutter/platform.md +30 -0
- package/rules/flutter/project-structure.md +32 -0
- package/rules/flutter/riverpod.md +32 -0
- package/rules/flutter/testing.md +31 -0
- package/rules/nuxt/architecture-principles.md +31 -0
- package/rules/nuxt/authentication.md +35 -0
- package/rules/nuxt/code-quality.md +71 -0
- package/rules/nuxt/configuration.md +31 -0
- package/rules/nuxt/core-directives.md +12 -0
- package/rules/nuxt/project-initialization.md +53 -0
- package/rules/nuxt/project-structure.md +44 -0
- package/rules/nuxt/testing.md +48 -0
- package/src/index.js +757 -0
- package/templates/cloudflare/compile-context.js +43 -0
- package/templates/cloudflare/hooks/post-checkout +5 -0
- package/templates/cloudflare/hooks/pre-commit +14 -0
- package/templates/cloudflare/install-hooks.js +34 -0
- package/templates/cloudflare/validate-code.js +57 -0
- package/templates/dotnet/compile-context.js +43 -0
- package/templates/dotnet/hooks/post-checkout +5 -0
- package/templates/dotnet/hooks/pre-commit +14 -0
- package/templates/dotnet/install-hooks.js +34 -0
- package/templates/dotnet/validate-code.js +84 -0
- package/templates/flutter/compile-context.js +43 -0
- package/templates/flutter/hooks/post-checkout +5 -0
- package/templates/flutter/hooks/pre-commit +14 -0
- package/templates/flutter/install-hooks.js +34 -0
- package/templates/flutter/validate-code.js +64 -0
- package/templates/nuxt/compile-context.js +43 -0
- package/templates/nuxt/hooks/post-checkout +5 -0
- package/templates/nuxt/hooks/pre-commit +14 -0
- package/templates/nuxt/install-hooks.js +34 -0
- package/templates/nuxt/validate-code.js +57 -0
|
@@ -0,0 +1,162 @@
|
|
|
1
|
+
# Security Standards
|
|
2
|
+
|
|
3
|
+
## Minimum Security Baseline for Production
|
|
4
|
+
Implement these before launching:
|
|
5
|
+
- [ ] HTTP-only cookies for session management
|
|
6
|
+
- [ ] Secure cookies in production environment
|
|
7
|
+
- [ ] CSRF protection for all forms (`SameSite=Strict` or explicit CSRF token on state-changing endpoints)
|
|
8
|
+
- [ ] Input validation using Zod at every API boundary
|
|
9
|
+
- [ ] Rate limiting on authentication endpoints (KV-backed, IP-based, applied before session exists)
|
|
10
|
+
- [ ] Role-based access control (RBAC) enforced server-side
|
|
11
|
+
- [ ] Sanitized error responses (no internal details, stack traces, or third-party API responses leaked)
|
|
12
|
+
- [ ] Dependency updates via Dependabot + CI audit step (`pnpm audit` / `npm audit`) on every push
|
|
13
|
+
- [ ] Migration review process before production deployment (no auto-apply on deploy)
|
|
14
|
+
- [ ] Removal of development seed data
|
|
15
|
+
- [ ] `workers_dev = false` on any Worker not intended to be publicly reachable
|
|
16
|
+
- [ ] `Content-Disposition: attachment` on all endpoints returning binary files (Excel, R2 downloads)
|
|
17
|
+
- [ ] CORS posture explicitly documented and locked to specific trusted origin(s)
|
|
18
|
+
|
|
19
|
+
---
|
|
20
|
+
|
|
21
|
+
## Authentication & Session Management *(OWASP A07)*
|
|
22
|
+
|
|
23
|
+
- Delegate authentication to an Identity Provider (Entra ID, Google, GitHub) — do not store passwords locally
|
|
24
|
+
- Use sealed encrypted session cookies, not just signed cookies — sealed sessions cannot be forged or tampered with
|
|
25
|
+
- Set `HttpOnly` and `Secure` on all session cookies; enforce `SameSite=Lax` at minimum
|
|
26
|
+
- Destroy sessions server-side on logout; do not rely on client-side cookie deletion alone
|
|
27
|
+
- Rate-limit the OAuth callback endpoint by client IP **before** any session or user lookup exists
|
|
28
|
+
- Deploy internal-only Workers with `workers_dev = false` — no `.workers.dev` public URL; access only through Service Bindings
|
|
29
|
+
|
|
30
|
+
|
|
31
|
+
## Authorization & Access Control *(OWASP A01)*
|
|
32
|
+
|
|
33
|
+
- Enforce all authorization checks server-side — no role logic in frontend code
|
|
34
|
+
- Use `requirePermission()` / `requireAdmin()` helpers called at the top of every protected API handler — no ad-hoc conditional checks buried inside business logic
|
|
35
|
+
- Apply least-privilege to OAuth app registrations: scope each registration to only the permissions it actually needs; a leaked credential for one registration must not grant access to another service's capabilities
|
|
36
|
+
- Admin impersonation (if implemented): attribute audit log entries to the real admin's identity, not the impersonated user
|
|
37
|
+
|
|
38
|
+
|
|
39
|
+
## Input Validation & Injection Prevention *(OWASP A03)*
|
|
40
|
+
|
|
41
|
+
- Validate all request bodies and query params with Zod schemas at the API boundary before any processing; reject malformed payloads immediately with safe error messages
|
|
42
|
+
- Use Drizzle ORM parameterized queries only — no raw SQL string interpolation anywhere
|
|
43
|
+
- Escape and `encodeURIComponent`-encode external API query values before forwarding (e.g., OData `$search` params in Microsoft Graph calls)
|
|
44
|
+
- Spreadsheet/Excel output: write cells with explicit type (`t: 's'` string or `t: 'n'` number); never derive the formula property (`f`) from external input — `=CMD`-style payloads must render as plain text
|
|
45
|
+
- HTML from user input: sanitize at write time server-side (strip `<script>`, event handler attributes, `javascript:` URIs); apply a second client-side DOMPurify pass on any `v-html` render
|
|
46
|
+
|
|
47
|
+
|
|
48
|
+
## File Upload Security *(OWASP A08)*
|
|
49
|
+
|
|
50
|
+
- Validate file magic bytes before passing a buffer to any parser — file extension and MIME type alone are insufficient:
|
|
51
|
+
- OOXML / `.xlsx`: `PK\x03\x04` (ZIP local file header)
|
|
52
|
+
- Legacy OLE2 / `.xls`: `\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1`
|
|
53
|
+
- Reject files that fail magic-byte validation at the API boundary, before reaching SheetJS or any other file parser
|
|
54
|
+
- Encapsulate validation in a dedicated utility (e.g., `server/utils/fileValidation.ts`) reused across all upload endpoints
|
|
55
|
+
|
|
56
|
+
|
|
57
|
+
## Security Headers *(OWASP A05)*
|
|
58
|
+
|
|
59
|
+
**Nuxt applications:**
|
|
60
|
+
- Use the `nuxt-security` module as the single source of truth for all response headers — remove any conflicting `public/_headers` definitions
|
|
61
|
+
- CSP: set a per-request cryptographic nonce on `script-src` using `'nonce-{{nonce}}'` + `'strict-dynamic'`; remove `'unsafe-inline'` and `'unsafe-eval'` from script sources
|
|
62
|
+
- `style-src 'unsafe-inline'` may only be retained when a UI component library sets dynamic inline `style=""` attributes that cannot carry nonces; document the tradeoff explicitly
|
|
63
|
+
|
|
64
|
+
**All surfaces (Nuxt and API-only Workers):**
|
|
65
|
+
- `Strict-Transport-Security: max-age=31536000; includeSubDomains`
|
|
66
|
+
- `X-Frame-Options: DENY`
|
|
67
|
+
- `X-Content-Type-Options: nosniff`
|
|
68
|
+
- `Referrer-Policy: strict-origin-when-cross-origin`
|
|
69
|
+
- `Permissions-Policy` — disable camera, microphone, geolocation, and payment APIs
|
|
70
|
+
- `form-action: 'self'`
|
|
71
|
+
|
|
72
|
+
**API-only Workers:**
|
|
73
|
+
- Use Nitro middleware (`server/middleware/00-security-headers.ts`) — not `_headers`
|
|
74
|
+
- Add `default-src 'none'; frame-ancestors 'none'` appropriate for headless services
|
|
75
|
+
|
|
76
|
+
|
|
77
|
+
## Secrets & Credentials Management *(OWASP A02)*
|
|
78
|
+
|
|
79
|
+
- Store all secrets as Cloudflare encrypted secrets — never in `[vars]` (plaintext) or committed to the repository
|
|
80
|
+
- Exclude `.dev.vars` and `.env` files from git
|
|
81
|
+
- Service-to-service secrets: fail closed — if a required secret is unset in production, throw immediately rather than silently falling back to an unauthenticated request; log a startup `console.warn` when the Worker detects its own secret is missing
|
|
82
|
+
- Externalize all environment-specific values (email recipients, org IDs, fleet IDs) to env config or D1 `app_settings` — no hardcoded constants in source code
|
|
83
|
+
|
|
84
|
+
|
|
85
|
+
## Rate Limiting *(OWASP A07)*
|
|
86
|
+
|
|
87
|
+
- Use KV-backed distributed rate limiting — in-memory counters reset per isolate and are trivially bypassed in a multi-instance Workers environment
|
|
88
|
+
- Define named tiers with explicit request limits in a single utility (`server/utils/rateLimit.ts`); examples: AUTH (pre-auth, IP-based), STRICT (post-auth sensitive endpoints), MODERATE (general API)
|
|
89
|
+
- Apply the strictest tier to the OAuth/auth callback endpoint **before** any session exists
|
|
90
|
+
- For internal-only tools on constrained plans: fail open on KV unavailability — availability outweighs protection when the blast radius is limited to internal users
|
|
91
|
+
|
|
92
|
+
|
|
93
|
+
## Audit Logging *(OWASP A09)*
|
|
94
|
+
|
|
95
|
+
- Centralize all audit writes in a single `logAuditAction()` utility writing to a dedicated D1 `audit_logs` table — no ad-hoc logging to separate stores
|
|
96
|
+
- Required fields per entry: actor identity (email or user ID), action type (machine-readable slug), timestamp, target resource ID
|
|
97
|
+
- For state-changing operations: capture before and after values
|
|
98
|
+
- Minimum event taxonomy:
|
|
99
|
+
- `auth.login_success`, `auth.login_failure`, `auth.logout`
|
|
100
|
+
- `<resource>.create`, `<resource>.update`, `<resource>.delete` for all sensitive resources
|
|
101
|
+
- `admin.impersonate_start`, `admin.impersonate_end` (if applicable)
|
|
102
|
+
- Permission escalation and feature flag changes
|
|
103
|
+
- Define and enforce a retention period for the `audit_logs` table (e.g., 1 year minimum)
|
|
104
|
+
- If `logAuditAction()` throws: emit `console.error` at minimum — never silently swallow audit failures
|
|
105
|
+
|
|
106
|
+
|
|
107
|
+
## Error Handling & Information Disclosure *(OWASP A04)*
|
|
108
|
+
|
|
109
|
+
- Never serialize internal error details, stack traces, or third-party API error responses into client-facing responses
|
|
110
|
+
- Log full error detail server-side; return only a generic safe message to callers
|
|
111
|
+
- Zod parse failures: return structured field-level validation messages — not raw Zod output with internal type paths
|
|
112
|
+
- Queue message parse failures: log full detail server-side and ack the message immediately — do not burn retry attempts on a payload that is guaranteed to fail
|
|
113
|
+
|
|
114
|
+
|
|
115
|
+
## Service-to-Service Authentication
|
|
116
|
+
|
|
117
|
+
- Apply dual-layer authentication on every cross-service boundary:
|
|
118
|
+
- **Outer layer**: Cloudflare Access service token or Service Binding (edge-level; no public URL exposed)
|
|
119
|
+
- **Inner layer**: Application-level bearer token validated in the Worker handler
|
|
120
|
+
- Neither credential alone should be sufficient
|
|
121
|
+
- Workers not intended for public access: deploy with `workers_dev = false`; route all traffic through Service Bindings
|
|
122
|
+
- API key comparison: use constant-time comparison (XOR-accumulator over `TextEncoder`-encoded bytes) — never `!==` — to eliminate timing side-channel attacks
|
|
123
|
+
|
|
124
|
+
|
|
125
|
+
## Data Integrity & Sensitive Data Lifecycle *(OWASP A08)*
|
|
126
|
+
|
|
127
|
+
- Validate queue message payloads at the handler boundary using a Zod discriminated-union schema; ack malformed messages immediately rather than retrying guaranteed-to-fail payloads
|
|
128
|
+
- Implement idempotency guards to prevent duplicate side effects on queue retries (e.g., check a flag in D1 before sending an email or triggering a workflow)
|
|
129
|
+
- Auto-purge sensitive short-lived credentials (e.g., generated passwords, temporary tokens) immediately on workflow completion or cancellation — do not retain them in backups
|
|
130
|
+
- Define explicit retention limits for any stored user-generated content; enforce via scheduled cleanup jobs
|
|
131
|
+
|
|
132
|
+
|
|
133
|
+
## CORS & Content Security
|
|
134
|
+
|
|
135
|
+
- Workers do not add CORS headers by default — treat this as secure-by-default; do not add permissive CORS without a specific requirement
|
|
136
|
+
- When CORS is required, lock `Access-Control-Allow-Origin` to specific trusted origin(s); never emit `*` on authenticated endpoints
|
|
137
|
+
- Document CORS posture explicitly in every API-only service — even when the answer is "no CORS headers needed"
|
|
138
|
+
- Set `Content-Disposition: attachment` on all endpoints that return binary file content to prevent inline browser rendering
|
|
139
|
+
|
|
140
|
+
|
|
141
|
+
## Dependency & Supply Chain Security *(OWASP A06)*
|
|
142
|
+
|
|
143
|
+
- Configure Dependabot (`.github/dependabot.yml`) for weekly PRs covering npm packages and GitHub Actions in all projects
|
|
144
|
+
- Add `pnpm audit` / `npm audit` as a required CI step on every push; surface known vulnerabilities before merge
|
|
145
|
+
- Review D1 migrations before every production apply — no auto-apply on deploy
|
|
146
|
+
|
|
147
|
+
|
|
148
|
+
## Advanced Security (When Scaling)
|
|
149
|
+
|
|
150
|
+
Add these as the project matures:
|
|
151
|
+
- [ ] Cloudflare WAF Managed Rules — Pro+ plan enables OWASP Core Rule Set coverage at the edge
|
|
152
|
+
- [ ] Bot Protection — Cloudflare Bot Fight Mode (free) or Bot Management (paid); low priority while internal-only, higher if any public-facing surface is added
|
|
153
|
+
- [ ] Subresource Integrity (SRI) — add `integrity=` hashes on any scripts or stylesheets loaded from external CDNs
|
|
154
|
+
- [ ] SSRF prevention — if any endpoint begins accepting a user-supplied URL to fetch, blocklist private IP ranges (`10.x`, `172.16.x`, `192.168.x`, `169.254.x`, `::1`) before making the outbound `fetch()`
|
|
155
|
+
- [ ] Workers Logpush — ship Worker logs to an external destination (R2, Datadog, Splunk) for long-term retention and forensic capability; Cloudflare live log tail is ephemeral
|
|
156
|
+
- [ ] `/.well-known/security.txt` — define a responsible disclosure contact; minimal effort, signals security posture to external researchers
|
|
157
|
+
- [ ] Quarterly access review — audit which users hold which permissions and which app registrations are still active and correctly scoped
|
|
158
|
+
- [ ] Incident response playbook — documented procedures for: suspected credential leak, unauthorized access in audit logs, pipeline breach, IdP account compromise
|
|
159
|
+
|
|
160
|
+
|
|
161
|
+
## Security Philosophy
|
|
162
|
+
Ship MVPs fast, but never ship carelessly. Security is non-negotiable. The baseline checklist above is the minimum gate for every production deployment; the sections above it are the depth and reasoning behind each control.
|
|
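Review bot: `form-action: 'self'` in the "All surfaces" header list (added line 70 of `rules/cloudflare/security.md`) is written as if it were a response header, but `form-action` is a Content-Security-Policy directive, so an implementer following the list literally would emit a header that browsers ignore. Suggest writing it as `Content-Security-Policy: form-action 'self'` and saying that it is merged into the same policy as the `default-src 'none'; frame-ancestors 'none'` value given for API-only Workers on line 74. Two smaller points in the same file: the baseline on line 7 asks for `SameSite=Strict` or an explicit CSRF token, while line 25 accepts `SameSite=Lax` at minimum, so line 25 should say that Lax is only acceptable together with the token; and the SSRF blocklist on line 154 names `::1` but not the IPv4 loopback range `127.x`, which belongs in the same list.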
@@ -0,0 +1,27 @@
|
|
|
1
|
+
# Seeding Policy
|
|
2
|
+
|
|
3
|
+
## Seeding Standards
|
|
4
|
+
- Create seed file at `/server/db/seed.ts`
|
|
5
|
+
- Seed only essential baseline data required for application function
|
|
6
|
+
- Implement idempotent insert logic (check before inserting)
|
|
7
|
+
- Run seeds in development and staging environments only
|
|
8
|
+
- Never seed large dummy datasets
|
|
9
|
+
- Never run seeds in production unless explicitly required for initial setup
|
|
10
|
+
|
|
11
|
+
## What to Seed
|
|
12
|
+
Seed only:
|
|
13
|
+
- Default user roles
|
|
14
|
+
- Initial admin accounts
|
|
15
|
+
- Required configuration data
|
|
16
|
+
- Essential lookup tables
|
|
17
|
+
|
|
18
|
+
## What NOT to Seed
|
|
19
|
+
- Test data (belongs in test setup)
|
|
20
|
+
- Large sample datasets
|
|
21
|
+
- User-generated content
|
|
22
|
+
- Environment-specific production data
|
|
23
|
+
|
|
24
|
+
## Execution
|
|
25
|
+
- Ensure seeds can be run multiple times safely
|
|
26
|
+
- Log seed operations for visibility
|
|
27
|
+
- Keep seed scripts minimal and maintainable
|
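Review bot: "Initial admin accounts" under "What to Seed" (added line 14 of `rules/cloudflare/seeding.md`) does not say where the admin identities come from, and a seed file at `/server/db/seed.ts` is committed source, so the rule as written invites hardcoded admin emails or credentials. Suggest stating that admin identities are read from environment config at seed time and that the seed never writes a password or token, which lines up with the security rules in this same package (IdP-delegated authentication, no hardcoded environment-specific values, removal of development seed data before launch). Lines 7 and 9 also disagree about production: line 7 says development and staging only, line 9 allows production for initial setup. Pick one wording and say how the production exception is approved and gated.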