@tenantegroup/ai-rules-mcp 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (67)
  1. package/INSTALLATION.md +52 -0
  2. package/README.md +57 -0
  3. package/USAGE.md +46 -0
  4. package/package.json +57 -0
  5. package/rules/cloudflare/api-services.md +80 -0
  6. package/rules/cloudflare/cicd-deployment.md +56 -0
  7. package/rules/cloudflare/database-orm.md +28 -0
  8. package/rules/cloudflare/edge-parity.md +24 -0
  9. package/rules/cloudflare/kv-usage.md +31 -0
  10. package/rules/cloudflare/logging-observability.md +66 -0
  11. package/rules/cloudflare/performance.md +44 -0
  12. package/rules/cloudflare/realtime-background.md +58 -0
  13. package/rules/cloudflare/security.md +162 -0
  14. package/rules/cloudflare/seeding.md +27 -0
  15. package/rules/cloudflare/workflows.md +593 -0
  16. package/rules/dotnet/api.md +26 -0
  17. package/rules/dotnet/architecture.md +27 -0
  18. package/rules/dotnet/cli.md +26 -0
  19. package/rules/dotnet/configuration.md +26 -0
  20. package/rules/dotnet/logging.md +25 -0
  21. package/rules/dotnet/maui.md +26 -0
  22. package/rules/dotnet/mvvm.md +26 -0
  23. package/rules/dotnet/packaging.md +24 -0
  24. package/rules/dotnet/project-structure.md +26 -0
  25. package/rules/dotnet/sqlite.md +29 -0
  26. package/rules/dotnet/testing.md +24 -0
  27. package/rules/flutter/api.md +29 -0
  28. package/rules/flutter/architecture.md +34 -0
  29. package/rules/flutter/auth.md +27 -0
  30. package/rules/flutter/configuration.md +24 -0
  31. package/rules/flutter/database.md +30 -0
  32. package/rules/flutter/logging.md +27 -0
  33. package/rules/flutter/navigation.md +28 -0
  34. package/rules/flutter/offline-sync.md +26 -0
  35. package/rules/flutter/platform.md +30 -0
  36. package/rules/flutter/project-structure.md +32 -0
  37. package/rules/flutter/riverpod.md +32 -0
  38. package/rules/flutter/testing.md +31 -0
  39. package/rules/nuxt/architecture-principles.md +31 -0
  40. package/rules/nuxt/authentication.md +35 -0
  41. package/rules/nuxt/code-quality.md +71 -0
  42. package/rules/nuxt/configuration.md +31 -0
  43. package/rules/nuxt/core-directives.md +12 -0
  44. package/rules/nuxt/project-initialization.md +53 -0
  45. package/rules/nuxt/project-structure.md +44 -0
  46. package/rules/nuxt/testing.md +48 -0
  47. package/src/index.js +757 -0
  48. package/templates/cloudflare/compile-context.js +43 -0
  49. package/templates/cloudflare/hooks/post-checkout +5 -0
  50. package/templates/cloudflare/hooks/pre-commit +14 -0
  51. package/templates/cloudflare/install-hooks.js +34 -0
  52. package/templates/cloudflare/validate-code.js +57 -0
  53. package/templates/dotnet/compile-context.js +43 -0
  54. package/templates/dotnet/hooks/post-checkout +5 -0
  55. package/templates/dotnet/hooks/pre-commit +14 -0
  56. package/templates/dotnet/install-hooks.js +34 -0
  57. package/templates/dotnet/validate-code.js +84 -0
  58. package/templates/flutter/compile-context.js +43 -0
  59. package/templates/flutter/hooks/post-checkout +5 -0
  60. package/templates/flutter/hooks/pre-commit +14 -0
  61. package/templates/flutter/install-hooks.js +34 -0
  62. package/templates/flutter/validate-code.js +64 -0
  63. package/templates/nuxt/compile-context.js +43 -0
  64. package/templates/nuxt/hooks/post-checkout +5 -0
  65. package/templates/nuxt/hooks/pre-commit +14 -0
  66. package/templates/nuxt/install-hooks.js +34 -0
  67. package/templates/nuxt/validate-code.js +57 -0
@@ -0,0 +1,162 @@
1
+ # Security Standards
2
+
3
+ ## Minimum Security Baseline for Production
4
+ Implement these before launching:
5
+ - [ ] HTTP-only cookies for session management
6
+ - [ ] Secure cookies in production environment
7
+ - [ ] CSRF protection for all forms (`SameSite=Strict` or explicit CSRF token on state-changing endpoints)
8
+ - [ ] Input validation using Zod at every API boundary
9
+ - [ ] Rate limiting on authentication endpoints (KV-backed, IP-based, applied before session exists)
10
+ - [ ] Role-based access control (RBAC) enforced server-side
11
+ - [ ] Sanitized error responses (no internal details, stack traces, or third-party API responses leaked)
12
+ - [ ] Dependency updates via Dependabot + CI audit step (`pnpm audit` / `npm audit`) on every push
13
+ - [ ] Migration review process before production deployment (no auto-apply on deploy)
14
+ - [ ] Removal of development seed data
15
+ - [ ] `workers_dev = false` on any Worker not intended to be publicly reachable
16
+ - [ ] `Content-Disposition: attachment` on all endpoints returning binary files (Excel, R2 downloads)
17
+ - [ ] CORS posture explicitly documented and locked to specific trusted origin(s)
18
+
19
+ ---
20
+
21
+ ## Authentication & Session Management *(OWASP A07)*
22
+
23
+ - Delegate authentication to an Identity Provider (Entra ID, Google, GitHub) — do not store passwords locally
24
+ - Use sealed encrypted session cookies, not just signed cookies — sealed sessions cannot be forged or tampered with
25
+ - Set `HttpOnly` and `Secure` on all session cookies; enforce `SameSite=Lax` at minimum
26
+ - Destroy sessions server-side on logout; do not rely on client-side cookie deletion alone
27
+ - Rate-limit the OAuth callback endpoint by client IP **before** any session or user lookup exists
28
+ - Deploy internal-only Workers with `workers_dev = false` — no `.workers.dev` public URL; access only through Service Bindings
29
+
30
+
31
+ ## Authorization & Access Control *(OWASP A01)*
32
+
33
+ - Enforce all authorization checks server-side — no role logic in frontend code
34
+ - Use `requirePermission()` / `requireAdmin()` helpers called at the top of every protected API handler — no ad-hoc conditional checks buried inside business logic
35
+ - Apply least-privilege to OAuth app registrations: scope each registration to only the permissions it actually needs; a leaked credential for one registration must not grant access to another service's capabilities
36
+ - Admin impersonation (if implemented): attribute audit log entries to the real admin's identity, not the impersonated user
37
+
38
+
39
+ ## Input Validation & Injection Prevention *(OWASP A03)*
40
+
41
+ - Validate all request bodies and query params with Zod schemas at the API boundary before any processing; reject malformed payloads immediately with safe error messages
42
+ - Use Drizzle ORM parameterized queries only — no raw SQL string interpolation anywhere
43
+ - Escape and `encodeURIComponent`-encode external API query values before forwarding (e.g., OData `$search` params in Microsoft Graph calls)
44
+ - Spreadsheet/Excel output: write cells with explicit type (`t: 's'` string or `t: 'n'` number); never derive the formula property (`f`) from external input — `=CMD`-style payloads must render as plain text
45
+ - HTML from user input: sanitize at write time server-side (strip `<script>`, event handler attributes, `javascript:` URIs); apply a second client-side DOMPurify pass on any `v-html` render
46
+
47
+
48
+ ## File Upload Security *(OWASP A08)*
49
+
50
+ - Validate file magic bytes before passing a buffer to any parser — file extension and MIME type alone are insufficient:
51
+ - OOXML / `.xlsx`: `PK\x03\x04` (ZIP local file header)
52
+ - Legacy OLE2 / `.xls`: `\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1`
53
+ - Reject files that fail magic-byte validation at the API boundary, before reaching SheetJS or any other file parser
54
+ - Encapsulate validation in a dedicated utility (e.g., `server/utils/fileValidation.ts`) reused across all upload endpoints
55
+
56
+
57
+ ## Security Headers *(OWASP A05)*
58
+
59
+ **Nuxt applications:**
60
+ - Use the `nuxt-security` module as the single source of truth for all response headers — remove any conflicting `public/_headers` definitions
61
+ - CSP: set a per-request cryptographic nonce on `script-src` using `'nonce-{{nonce}}'` + `'strict-dynamic'`; remove `'unsafe-inline'` and `'unsafe-eval'` from script sources
62
+ - `style-src 'unsafe-inline'` may only be retained when a UI component library sets dynamic inline `style=""` attributes that cannot carry nonces; document the tradeoff explicitly
63
+
64
+ **All surfaces (Nuxt and API-only Workers):**
65
+ - `Strict-Transport-Security: max-age=31536000; includeSubDomains`
66
+ - `X-Frame-Options: DENY`
67
+ - `X-Content-Type-Options: nosniff`
68
+ - `Referrer-Policy: strict-origin-when-cross-origin`
69
+ - `Permissions-Policy` — disable camera, microphone, geolocation, and payment APIs
70
+ - `form-action: 'self'`
71
+
72
+ **API-only Workers:**
73
+ - Use Nitro middleware (`server/middleware/00-security-headers.ts`) — not `_headers`
74
+ - Add `default-src 'none'; frame-ancestors 'none'` appropriate for headless services
75
+
76
+
77
+ ## Secrets & Credentials Management *(OWASP A02)*
78
+
79
+ - Store all secrets as Cloudflare encrypted secrets — never in `[vars]` (plaintext) or committed to the repository
80
+ - Exclude `.dev.vars` and `.env` files from git
81
+ - Service-to-service secrets: fail closed — if a required secret is unset in production, throw immediately rather than silently falling back to an unauthenticated request; log a startup `console.warn` when the Worker detects its own secret is missing
82
+ - Externalize all environment-specific values (email recipients, org IDs, fleet IDs) to env config or D1 `app_settings` — no hardcoded constants in source code
83
+
84
+
85
+ ## Rate Limiting *(OWASP A07)*
86
+
87
+ - Use KV-backed distributed rate limiting — in-memory counters reset per isolate and are trivially bypassed in a multi-instance Workers environment
88
+ - Define named tiers with explicit request limits in a single utility (`server/utils/rateLimit.ts`); examples: AUTH (pre-auth, IP-based), STRICT (post-auth sensitive endpoints), MODERATE (general API)
89
+ - Apply the strictest tier to the OAuth/auth callback endpoint **before** any session exists
90
+ - For internal-only tools on constrained plans: fail open on KV unavailability — availability outweighs protection when the blast radius is limited to internal users
91
+
92
+
93
+ ## Audit Logging *(OWASP A09)*
94
+
95
+ - Centralize all audit writes in a single `logAuditAction()` utility writing to a dedicated D1 `audit_logs` table — no ad-hoc logging to separate stores
96
+ - Required fields per entry: actor identity (email or user ID), action type (machine-readable slug), timestamp, target resource ID
97
+ - For state-changing operations: capture before and after values
98
+ - Minimum event taxonomy:
99
+ - `auth.login_success`, `auth.login_failure`, `auth.logout`
100
+ - `<resource>.create`, `<resource>.update`, `<resource>.delete` for all sensitive resources
101
+ - `admin.impersonate_start`, `admin.impersonate_end` (if applicable)
102
+ - Permission escalation and feature flag changes
103
+ - Define and enforce a retention period for the `audit_logs` table (e.g., 1 year minimum)
104
+ - If `logAuditAction()` throws: emit `console.error` at minimum — never silently swallow audit failures
105
+
106
+
107
+ ## Error Handling & Information Disclosure *(OWASP A04)*
108
+
109
+ - Never serialize internal error details, stack traces, or third-party API error responses into client-facing responses
110
+ - Log full error detail server-side; return only a generic safe message to callers
111
+ - Zod parse failures: return structured field-level validation messages — not raw Zod output with internal type paths
112
+ - Queue message parse failures: log full detail server-side and ack the message immediately — do not burn retry attempts on a payload that is guaranteed to fail
113
+
114
+
115
+ ## Service-to-Service Authentication
116
+
117
+ - Apply dual-layer authentication on every cross-service boundary:
118
+ - **Outer layer**: Cloudflare Access service token or Service Binding (edge-level; no public URL exposed)
119
+ - **Inner layer**: Application-level bearer token validated in the Worker handler
120
+ - Neither credential alone should be sufficient
121
+ - Workers not intended for public access: deploy with `workers_dev = false`; route all traffic through Service Bindings
122
+ - API key comparison: use constant-time comparison (XOR-accumulator over `TextEncoder`-encoded bytes) — never `!==` — to eliminate timing side-channel attacks
123
+
124
+
125
+ ## Data Integrity & Sensitive Data Lifecycle *(OWASP A08)*
126
+
127
+ - Validate queue message payloads at the handler boundary using a Zod discriminated-union schema; ack malformed messages immediately rather than retrying guaranteed-to-fail payloads
128
+ - Implement idempotency guards to prevent duplicate side effects on queue retries (e.g., check a flag in D1 before sending an email or triggering a workflow)
129
+ - Auto-purge sensitive short-lived credentials (e.g., generated passwords, temporary tokens) immediately on workflow completion or cancellation — do not retain them in backups
130
+ - Define explicit retention limits for any stored user-generated content; enforce via scheduled cleanup jobs
131
+
132
+
133
+ ## CORS & Content Security
134
+
135
+ - Workers do not add CORS headers by default — treat this as secure-by-default; do not add permissive CORS without a specific requirement
136
+ - When CORS is required, lock `Access-Control-Allow-Origin` to specific trusted origin(s); never emit `*` on authenticated endpoints
137
+ - Document CORS posture explicitly in every API-only service — even when the answer is "no CORS headers needed"
138
+ - Set `Content-Disposition: attachment` on all endpoints that return binary file content to prevent inline browser rendering
139
+
140
+
141
+ ## Dependency & Supply Chain Security *(OWASP A06)*
142
+
143
+ - Configure Dependabot (`.github/dependabot.yml`) for weekly PRs covering npm packages and GitHub Actions in all projects
144
+ - Add `pnpm audit` / `npm audit` as a required CI step on every push; surface known vulnerabilities before merge
145
+ - Review D1 migrations before every production apply — no auto-apply on deploy
146
+
147
+
148
+ ## Advanced Security (When Scaling)
149
+
150
+ Add these as the project matures:
151
+ - [ ] Cloudflare WAF Managed Rules — Pro+ plan enables OWASP Core Rule Set coverage at the edge
152
+ - [ ] Bot Protection — Cloudflare Bot Fight Mode (free) or Bot Management (paid); low priority while internal-only, higher if any public-facing surface is added
153
+ - [ ] Subresource Integrity (SRI) — add `integrity=` hashes on any scripts or stylesheets loaded from external CDNs
154
+ - [ ] SSRF prevention — if any endpoint begins accepting a user-supplied URL to fetch, blocklist private IP ranges (`10.x`, `172.16.x`, `192.168.x`, `169.254.x`, `::1`) before making the outbound `fetch()`
155
+ - [ ] Workers Logpush — ship Worker logs to an external destination (R2, Datadog, Splunk) for long-term retention and forensic capability; Cloudflare live log tail is ephemeral
156
+ - [ ] `/.well-known/security.txt` — define a responsible disclosure contact; minimal effort, signals security posture to external researchers
157
+ - [ ] Quarterly access review — audit which users hold which permissions and which app registrations are still active and correctly scoped
158
+ - [ ] Incident response playbook — documented procedures for: suspected credential leak, unauthorized access in audit logs, pipeline breach, IdP account compromise
159
+
160
+
161
+ ## Security Philosophy
162
+ Ship MVPs fast, but never ship carelessly. Security is non-negotiable. The baseline checklist above is the minimum gate for every production deployment; the sections above it are the depth and reasoning behind each control.
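Review bot: The fail-open rule on new-file line 90 ("fail open on KV unavailability") has no carve-out for the AUTH tier, so it conflicts with line 89 and baseline line 9, which require the strictest limit on the OAuth callback before any session exists; when KV is unavailable the pre-auth endpoint would run unthrottled. Suggest scoping the exception to the post-auth tiers (STRICT, MODERATE) and stating explicitly what the AUTH tier does when KV is down. Two smaller points: line 70 lists `form-action: 'self'` among the response headers, but it is a CSP directive and belongs inside the `Content-Security-Policy` value next to `frame-ancestors` on line 74; and line 25's `SameSite=Lax` minimum should say that an explicit CSRF token is then required, since baseline line 7 accepts only `SameSite=Strict` or a token.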
@@ -0,0 +1,27 @@
1
+ # Seeding Policy
2
+
3
+ ## Seeding Standards
4
+ - Create seed file at `/server/db/seed.ts`
5
+ - Seed only essential baseline data required for application function
6
+ - Implement idempotent insert logic (check before inserting)
7
+ - Run seeds in development and staging environments only
8
+ - Never seed large dummy datasets
9
+ - Never run seeds in production unless explicitly required for initial setup
10
+
11
+ ## What to Seed
12
+ Seed only:
13
+ - Default user roles
14
+ - Initial admin accounts
15
+ - Required configuration data
16
+ - Essential lookup tables
17
+
18
+ ## What NOT to Seed
19
+ - Test data (belongs in test setup)
20
+ - Large sample datasets
21
+ - User-generated content
22
+ - Environment-specific production data
23
+
24
+ ## Execution
25
+ - Ensure seeds can be run multiple times safely
26
+ - Log seed operations for visibility
27
+ - Keep seed scripts minimal and maintainable
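Review bot: Line 14 lists "Initial admin accounts" as seed data without saying how the account is identified or credentialed, which leaves room for a hardcoded password or personal email in `/server/db/seed.ts`; security.md in this same package delegates authentication to an Identity Provider (its line 23) and forbids hardcoded environment-specific values (its line 82), so state here that seeded admins are keyed by IdP identity read from env config and that the seed writes no password or token. Lines 7 and 9 also rest on convention only: suggest requiring the script to check the target environment and refuse to run against production unless an explicit override is passed, and note how this squares with the "Removal of development seed data" item in the security baseline.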