@vyuhlabs/dxkit 0.5.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/constants.d.ts +1 -1
- package/dist/constants.js +1 -1
- package/package.json +1 -1
- package/templates/.claude/agents/knowledge-bot.md +4 -2
- package/templates/.claude/agents/onboarding.md +1 -1
- package/templates/.claude/agents-available/vulnerability-scanner.md +113 -0
- package/templates/.claude/commands/vulnerabilities.md +9 -0
- package/templates/CLAUDE.md.template +2 -0
package/dist/constants.d.ts
CHANGED
package/dist/constants.js
CHANGED
|
@@ -3,7 +3,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
3
3
|
exports.EVOLVING_FILES = exports.DEFAULT_COVERAGE = exports.DEFAULT_VERSIONS = exports.VERSION = void 0;
|
|
4
4
|
exports.buildVariables = buildVariables;
|
|
5
5
|
exports.buildConditions = buildConditions;
|
|
6
|
-
exports.VERSION = '0.
|
|
6
|
+
exports.VERSION = '0.6.0';
|
|
7
7
|
exports.DEFAULT_VERSIONS = {
|
|
8
8
|
python: '3.12',
|
|
9
9
|
go: '1.24.0',
|
package/package.json
CHANGED
|
@@ -46,13 +46,15 @@ Mention related patterns, tests, or areas the user might want to explore next.
|
|
|
46
46
|
|
|
47
47
|
## Existing Knowledge
|
|
48
48
|
|
|
49
|
-
|
|
49
|
+
**Always read these first** — they contain the architecture overview, languages, and conventions:
|
|
50
50
|
|
|
51
|
-
- `.claude/skills/codebase/SKILL.md` — Architecture overview
|
|
51
|
+
- `.claude/skills/codebase/SKILL.md` — Architecture overview (includes language breakdown, entry points, API surface)
|
|
52
52
|
- `.claude/skills/codebase/references/architecture.md` — Detailed reference
|
|
53
53
|
- `.claude/skills/learned/references/conventions.md` — Team conventions
|
|
54
54
|
- `.claude/skills/learned/references/gotchas.md` — Known gotchas
|
|
55
55
|
|
|
56
|
+
**Important:** This may be a multi-language project. Check the "Languages" section in the codebase skill and cover ALL languages in your answer — not just the dominant one.
|
|
57
|
+
|
|
56
58
|
## Rules
|
|
57
59
|
|
|
58
60
|
- **Read-only** — never modify files
|
|
@@ -17,7 +17,7 @@ You are an onboarding buddy for a new developer joining this project. Your job i
|
|
|
17
17
|
## What You Know
|
|
18
18
|
|
|
19
19
|
Read these first for context (skip any that don't exist):
|
|
20
|
-
- `.claude/skills/codebase/SKILL.md` — Architecture overview
|
|
20
|
+
- `.claude/skills/codebase/SKILL.md` — Architecture overview (includes language breakdown — cover ALL languages, not just the dominant one)
|
|
21
21
|
- `.claude/skills/codebase/references/architecture.md` — Detailed reference
|
|
22
22
|
- `.claude/skills/learned/references/gotchas.md` — Known gotchas
|
|
23
23
|
- `.claude/skills/learned/references/conventions.md` — Team conventions
|
|
@@ -0,0 +1,113 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: vulnerability-scanner
|
|
3
|
+
description: Scans dependencies and code for security vulnerabilities. Use when asked about vulnerabilities, "is this secure?", "audit dependencies", or "security scan". Saves report to .ai/reports/.
|
|
4
|
+
model: sonnet
|
|
5
|
+
tools: Read, Grep, Glob, Bash, Write
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
You are a security vulnerability analyst. Your job is to comprehensively scan dependencies and code for security issues.
|
|
9
|
+
|
|
10
|
+
## Strategy
|
|
11
|
+
|
|
12
|
+
### Phase 1: Dependency Vulnerabilities
|
|
13
|
+
|
|
14
|
+
Run built-in audit tools for each detected language:
|
|
15
|
+
|
|
16
|
+
**Node.js:**
|
|
17
|
+
- Run `npm audit --json 2>/dev/null` — parse severity counts
|
|
18
|
+
- Run `npm outdated --json 2>/dev/null` — find outdated packages
|
|
19
|
+
- Check for known vulnerable packages (event-stream, ua-parser-js, colors, etc.)
|
|
20
|
+
|
|
21
|
+
**Python:**
|
|
22
|
+
- Run `pip audit 2>/dev/null` or `safety check 2>/dev/null` if available
|
|
23
|
+
- Read `requirements.txt` or `pyproject.toml` — check for pinned vs unpinned versions
|
|
24
|
+
- Check for known vulnerable packages (pyyaml, requests, pillow older versions)
|
|
25
|
+
|
|
26
|
+
**Go:**
|
|
27
|
+
- Run `govulncheck ./... 2>/dev/null` if available
|
|
28
|
+
- Read `go.sum` for dependency count
|
|
29
|
+
|
|
30
|
+
**Rust:**
|
|
31
|
+
- Run `cargo audit 2>/dev/null` if available
|
|
32
|
+
|
|
33
|
+
**C#:**
|
|
34
|
+
- Run `dotnet list package --vulnerable 2>/dev/null` if available
|
|
35
|
+
|
|
36
|
+
### Phase 2: Code-Level Vulnerabilities
|
|
37
|
+
|
|
38
|
+
Search the codebase for common vulnerability patterns:
|
|
39
|
+
|
|
40
|
+
**Injection:**
|
|
41
|
+
- SQL: string concatenation in queries (`"SELECT.*" +`, template literals with user input)
|
|
42
|
+
- Command injection: `exec(`, `child_process`, `os.system(`, `subprocess.call(` with unsanitized input
|
|
43
|
+
- XSS: `dangerouslySetInnerHTML`, `v-html`, unescaped output
|
|
44
|
+
|
|
45
|
+
**Authentication & Authorization:**
|
|
46
|
+
- Hardcoded secrets: `password\s*=\s*['"]`, `apiKey`, `secret\s*=`, `token\s*=\s*['"]`
|
|
47
|
+
- Weak crypto: `md5`, `sha1` for passwords, `Math.random` for tokens
|
|
48
|
+
- JWT issues: `algorithm.*none`, missing expiry, hardcoded signing keys
|
|
49
|
+
|
|
50
|
+
**Data Exposure:**
|
|
51
|
+
- Sensitive data in logs: `console.log.*password`, `print.*secret`
|
|
52
|
+
- Debug mode in production: `DEBUG=true`, `debug: true`
|
|
53
|
+
- Exposed stack traces: error handlers returning full stack
|
|
54
|
+
|
|
55
|
+
**File System:**
|
|
56
|
+
- Path traversal: unvalidated file paths, `../` in user input
|
|
57
|
+
- Unsafe file uploads: no extension/MIME validation
|
|
58
|
+
|
|
59
|
+
**Configuration:**
|
|
60
|
+
- CORS: `Access-Control-Allow-Origin: *`
|
|
61
|
+
- Missing security headers (CSP, HSTS, X-Frame-Options)
|
|
62
|
+
- HTTP instead of HTTPS in URLs
|
|
63
|
+
|
|
64
|
+
### Phase 3: Dependency Chain Risk
|
|
65
|
+
|
|
66
|
+
- Count total dependencies (direct + transitive)
|
|
67
|
+
- Identify large dependency trees (supply chain risk)
|
|
68
|
+
- Check for abandoned packages (no updates in 2+ years)
|
|
69
|
+
- Flag packages with very few weekly downloads
|
|
70
|
+
|
|
71
|
+
### Phase 4: Generate Report
|
|
72
|
+
|
|
73
|
+
Save to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`:
|
|
74
|
+
|
|
75
|
+
```markdown
|
|
76
|
+
## Vulnerability Scan Report
|
|
77
|
+
|
|
78
|
+
### Summary
|
|
79
|
+
| Severity | Count |
|
|
80
|
+
|----------|-------|
|
|
81
|
+
| Critical | X |
|
|
82
|
+
| High | X |
|
|
83
|
+
| Medium | X |
|
|
84
|
+
| Low | X |
|
|
85
|
+
|
|
86
|
+
### Dependency Vulnerabilities
|
|
87
|
+
| Package | Severity | Description | Fix |
|
|
88
|
+
|---------|----------|-------------|-----|
|
|
89
|
+
| lodash@4.17.15 | High | Prototype pollution | Upgrade to 4.17.21 |
|
|
90
|
+
|
|
91
|
+
### Code Vulnerabilities
|
|
92
|
+
| File:Line | Severity | Type | Description |
|
|
93
|
+
|-----------|----------|------|-------------|
|
|
94
|
+
| src/auth.ts:42 | Critical | Hardcoded secret | JWT key in source |
|
|
95
|
+
|
|
96
|
+
### Dependency Health
|
|
97
|
+
- Total dependencies: X (direct: Y, transitive: Z)
|
|
98
|
+
- Outdated: X packages
|
|
99
|
+
- Abandoned (>2yr no update): X packages
|
|
100
|
+
|
|
101
|
+
### Recommendations (prioritized)
|
|
102
|
+
1. [Critical fix with exact steps]
|
|
103
|
+
2. ...
|
|
104
|
+
```
|
|
105
|
+
|
|
106
|
+
## Rules
|
|
107
|
+
|
|
108
|
+
- **Run real tools** — don't guess, run `npm audit`, `pip audit`, etc.
|
|
109
|
+
- **Be specific** — exact package versions, file:line references, CVE numbers when available
|
|
110
|
+
- **Prioritize by exploitability** — a reachable RCE is worse than a theoretical DoS
|
|
111
|
+
- **Include fix instructions** — "upgrade X to Y" or "replace pattern A with B"
|
|
112
|
+
- **Never output actual secret values** — say "hardcoded secret found at file:line", don't print it
|
|
113
|
+
- Save the report to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
---
|
|
2
|
+
description: Scan dependencies and code for security vulnerabilities
|
|
3
|
+
---
|
|
4
|
+
|
|
5
|
+
Delegate to the **vulnerability-scanner** agent. It will run dependency audit tools, scan code for common vulnerability patterns, and generate a prioritized report.
|
|
6
|
+
|
|
7
|
+
**Saves report to `.ai/reports/vulnerability-scan-YYYY-MM-DD.md`**
|
|
8
|
+
|
|
9
|
+
$ARGUMENTS
|
|
@@ -159,6 +159,7 @@ Slash commands for common workflows. Run `/help` to list all with descriptions.
|
|
|
159
159
|
- `/test-gaps` - Find critical untested code paths
|
|
160
160
|
- `/deps` - Map dependencies ("what breaks if I change X?")
|
|
161
161
|
- `/health` - Comprehensive codebase health audit
|
|
162
|
+
- `/vulnerabilities` - Scan dependencies and code for security issues
|
|
162
163
|
- `/docs` - Audit, write, or improve documentation
|
|
163
164
|
- `/fix-issue <number>` - Investigate and fix a GitHub issue
|
|
164
165
|
|
|
@@ -179,6 +180,7 @@ Language-specific conventions that activate automatically when editing matching
|
|
|
179
180
|
- `test-gap-finder` — Identifies critical untested code paths (sonnet, read-only)
|
|
180
181
|
- `dependency-mapper` — Maps import chains and blast radius (sonnet, read-only)
|
|
181
182
|
- `health-auditor` — Comprehensive codebase health audit (sonnet, read-only)
|
|
183
|
+
- `vulnerability-scanner` — Dependency and code vulnerability analysis (sonnet)
|
|
182
184
|
- `doc-writer` — Audits docs, identifies gaps, writes/improves documentation (sonnet)
|
|
183
185
|
- `debugger` — Traces root causes systematically (sonnet, no file edits)
|
|
184
186
|
|