npm - @wazir-dev/cli - Versions diffs - 1.0.0 - Mend

@wazir-dev/cli 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (629) hide show

package/AGENTS.md +111 -0
package/CHANGELOG.md +14 -0
package/CONTRIBUTING.md +101 -0
package/LICENSE +21 -0
package/README.md +314 -0
package/assets/composition-engine.mmd +34 -0
package/assets/demo-script.sh +17 -0
package/assets/logo-dark.svg +14 -0
package/assets/logo.svg +14 -0
package/assets/pipeline.mmd +39 -0
package/assets/record-demo.sh +51 -0
package/docs/README.md +51 -0
package/docs/adapters/context-mode.md +60 -0
package/docs/concepts/architecture.md +87 -0
package/docs/concepts/artifact-model.md +60 -0
package/docs/concepts/composition-engine.md +36 -0
package/docs/concepts/indexing-and-recall.md +160 -0
package/docs/concepts/observability.md +41 -0
package/docs/concepts/roles-and-workflows.md +59 -0
package/docs/concepts/terminology-policy.md +27 -0
package/docs/getting-started/01-installation.md +78 -0
package/docs/getting-started/02-first-run.md +102 -0
package/docs/getting-started/03-adding-to-project.md +15 -0
package/docs/getting-started/04-host-setup.md +15 -0
package/docs/guides/ci-integration.md +15 -0
package/docs/guides/creating-skills.md +15 -0
package/docs/guides/expertise-module-authoring.md +15 -0
package/docs/guides/hook-development.md +15 -0
package/docs/guides/memory-and-learnings.md +34 -0
package/docs/guides/multi-host-export.md +15 -0
package/docs/guides/troubleshooting.md +101 -0
package/docs/guides/writing-custom-roles.md +15 -0
package/docs/plans/2026-03-15-cli-pipeline-integration-design.md +592 -0
package/docs/plans/2026-03-15-cli-pipeline-integration-plan.md +598 -0
package/docs/plans/2026-03-15-docs-enforcement-plan.md +238 -0
package/docs/readmes/INDEX.md +99 -0
package/docs/readmes/features/expertise/README.md +171 -0
package/docs/readmes/features/exports/README.md +222 -0
package/docs/readmes/features/hooks/README.md +103 -0
package/docs/readmes/features/hooks/loop-cap-guard.md +133 -0
package/docs/readmes/features/hooks/post-tool-capture.md +121 -0
package/docs/readmes/features/hooks/post-tool-lint.md +130 -0
package/docs/readmes/features/hooks/pre-compact-summary.md +122 -0
package/docs/readmes/features/hooks/pre-tool-capture-route.md +100 -0
package/docs/readmes/features/hooks/protected-path-write-guard.md +128 -0
package/docs/readmes/features/hooks/session-start.md +119 -0
package/docs/readmes/features/hooks/stop-handoff-harvest.md +125 -0
package/docs/readmes/features/roles/README.md +157 -0
package/docs/readmes/features/roles/clarifier.md +152 -0
package/docs/readmes/features/roles/content-author.md +190 -0
package/docs/readmes/features/roles/designer.md +193 -0
package/docs/readmes/features/roles/executor.md +184 -0
package/docs/readmes/features/roles/learner.md +210 -0
package/docs/readmes/features/roles/planner.md +182 -0
package/docs/readmes/features/roles/researcher.md +164 -0
package/docs/readmes/features/roles/reviewer.md +184 -0
package/docs/readmes/features/roles/specifier.md +162 -0
package/docs/readmes/features/roles/verifier.md +215 -0
package/docs/readmes/features/schemas/README.md +178 -0
package/docs/readmes/features/skills/README.md +63 -0
package/docs/readmes/features/skills/brainstorming.md +96 -0
package/docs/readmes/features/skills/debugging.md +148 -0
package/docs/readmes/features/skills/design.md +120 -0
package/docs/readmes/features/skills/prepare-next.md +109 -0
package/docs/readmes/features/skills/run-audit.md +159 -0
package/docs/readmes/features/skills/scan-project.md +109 -0
package/docs/readmes/features/skills/self-audit.md +176 -0
package/docs/readmes/features/skills/tdd.md +137 -0
package/docs/readmes/features/skills/using-skills.md +92 -0
package/docs/readmes/features/skills/verification.md +120 -0
package/docs/readmes/features/skills/writing-plans.md +104 -0
package/docs/readmes/features/tooling/README.md +320 -0
package/docs/readmes/features/workflows/README.md +186 -0
package/docs/readmes/features/workflows/author.md +181 -0
package/docs/readmes/features/workflows/clarify.md +154 -0
package/docs/readmes/features/workflows/design-review.md +171 -0
package/docs/readmes/features/workflows/design.md +169 -0
package/docs/readmes/features/workflows/discover.md +162 -0
package/docs/readmes/features/workflows/execute.md +173 -0
package/docs/readmes/features/workflows/learn.md +167 -0
package/docs/readmes/features/workflows/plan-review.md +165 -0
package/docs/readmes/features/workflows/plan.md +170 -0
package/docs/readmes/features/workflows/prepare-next.md +167 -0
package/docs/readmes/features/workflows/review.md +169 -0
package/docs/readmes/features/workflows/run-audit.md +191 -0
package/docs/readmes/features/workflows/spec-challenge.md +159 -0
package/docs/readmes/features/workflows/specify.md +160 -0
package/docs/readmes/features/workflows/verify.md +177 -0
package/docs/readmes/packages/README.md +50 -0
package/docs/readmes/packages/ajv.md +117 -0
package/docs/readmes/packages/context-mode.md +118 -0
package/docs/readmes/packages/gray-matter.md +116 -0
package/docs/readmes/packages/node-test.md +137 -0
package/docs/readmes/packages/yaml.md +112 -0
package/docs/reference/configuration-reference.md +159 -0
package/docs/reference/expertise-index.md +52 -0
package/docs/reference/git-flow.md +43 -0
package/docs/reference/hooks.md +87 -0
package/docs/reference/host-exports.md +50 -0
package/docs/reference/launch-checklist.md +172 -0
package/docs/reference/marketplace-listings.md +76 -0
package/docs/reference/release-process.md +34 -0
package/docs/reference/roles-reference.md +77 -0
package/docs/reference/skills.md +33 -0
package/docs/reference/templates.md +29 -0
package/docs/reference/tooling-cli.md +94 -0
package/docs/truth-claims.yaml +222 -0
package/expertise/PROGRESS.md +63 -0
package/expertise/README.md +18 -0
package/expertise/antipatterns/PROGRESS.md +56 -0
package/expertise/antipatterns/backend/api-design-antipatterns.md +1271 -0
package/expertise/antipatterns/backend/auth-antipatterns.md +1195 -0
package/expertise/antipatterns/backend/caching-antipatterns.md +622 -0
package/expertise/antipatterns/backend/database-antipatterns.md +1038 -0
package/expertise/antipatterns/backend/index.md +24 -0
package/expertise/antipatterns/backend/microservices-antipatterns.md +850 -0
package/expertise/antipatterns/code/architecture-antipatterns.md +919 -0
package/expertise/antipatterns/code/async-antipatterns.md +622 -0
package/expertise/antipatterns/code/code-smells.md +1186 -0
package/expertise/antipatterns/code/dependency-antipatterns.md +1209 -0
package/expertise/antipatterns/code/error-handling-antipatterns.md +1360 -0
package/expertise/antipatterns/code/index.md +27 -0
package/expertise/antipatterns/code/naming-and-abstraction.md +1118 -0
package/expertise/antipatterns/code/state-management-antipatterns.md +1076 -0
package/expertise/antipatterns/code/testing-antipatterns.md +1053 -0
package/expertise/antipatterns/design/accessibility-antipatterns.md +1136 -0
package/expertise/antipatterns/design/dark-patterns.md +1121 -0
package/expertise/antipatterns/design/index.md +22 -0
package/expertise/antipatterns/design/ui-antipatterns.md +1202 -0
package/expertise/antipatterns/design/ux-antipatterns.md +680 -0
package/expertise/antipatterns/frontend/css-layout-antipatterns.md +691 -0
package/expertise/antipatterns/frontend/flutter-antipatterns.md +1827 -0
package/expertise/antipatterns/frontend/index.md +23 -0
package/expertise/antipatterns/frontend/mobile-antipatterns.md +573 -0
package/expertise/antipatterns/frontend/react-antipatterns.md +1128 -0
package/expertise/antipatterns/frontend/spa-antipatterns.md +1235 -0
package/expertise/antipatterns/index.md +31 -0
package/expertise/antipatterns/performance/index.md +20 -0
package/expertise/antipatterns/performance/performance-antipatterns.md +1013 -0
package/expertise/antipatterns/performance/premature-optimization.md +623 -0
package/expertise/antipatterns/performance/scaling-antipatterns.md +785 -0
package/expertise/antipatterns/process/ai-coding-antipatterns.md +853 -0
package/expertise/antipatterns/process/code-review-antipatterns.md +656 -0
package/expertise/antipatterns/process/deployment-antipatterns.md +920 -0
package/expertise/antipatterns/process/index.md +23 -0
package/expertise/antipatterns/process/technical-debt-antipatterns.md +647 -0
package/expertise/antipatterns/security/index.md +20 -0
package/expertise/antipatterns/security/secrets-antipatterns.md +849 -0
package/expertise/antipatterns/security/security-theater.md +843 -0
package/expertise/antipatterns/security/vulnerability-patterns.md +801 -0
package/expertise/architecture/PROGRESS.md +70 -0
package/expertise/architecture/data/caching-architecture.md +671 -0
package/expertise/architecture/data/data-consistency.md +574 -0
package/expertise/architecture/data/data-modeling.md +536 -0
package/expertise/architecture/data/event-streams-and-queues.md +634 -0
package/expertise/architecture/data/index.md +25 -0
package/expertise/architecture/data/search-architecture.md +663 -0
package/expertise/architecture/data/sql-vs-nosql.md +708 -0
package/expertise/architecture/decisions/architecture-decision-records.md +640 -0
package/expertise/architecture/decisions/build-vs-buy.md +616 -0
package/expertise/architecture/decisions/index.md +23 -0
package/expertise/architecture/decisions/monolith-to-microservices.md +790 -0
package/expertise/architecture/decisions/technology-selection.md +616 -0
package/expertise/architecture/distributed/cap-theorem-and-tradeoffs.md +800 -0
package/expertise/architecture/distributed/circuit-breaker-bulkhead.md +741 -0
package/expertise/architecture/distributed/consensus-and-coordination.md +796 -0
package/expertise/architecture/distributed/distributed-systems-fundamentals.md +564 -0
package/expertise/architecture/distributed/idempotency-and-retry.md +796 -0
package/expertise/architecture/distributed/index.md +25 -0
package/expertise/architecture/distributed/saga-pattern.md +797 -0
package/expertise/architecture/foundations/architectural-thinking.md +460 -0
package/expertise/architecture/foundations/coupling-and-cohesion.md +770 -0
package/expertise/architecture/foundations/design-principles-solid.md +649 -0
package/expertise/architecture/foundations/domain-driven-design.md +719 -0
package/expertise/architecture/foundations/index.md +25 -0
package/expertise/architecture/foundations/separation-of-concerns.md +472 -0
package/expertise/architecture/foundations/twelve-factor-app.md +797 -0
package/expertise/architecture/index.md +34 -0
package/expertise/architecture/integration/api-design-graphql.md +638 -0
package/expertise/architecture/integration/api-design-grpc.md +804 -0
package/expertise/architecture/integration/api-design-rest.md +892 -0
package/expertise/architecture/integration/index.md +25 -0
package/expertise/architecture/integration/third-party-integration.md +795 -0
package/expertise/architecture/integration/webhooks-and-callbacks.md +1152 -0
package/expertise/architecture/integration/websockets-realtime.md +791 -0
package/expertise/architecture/mobile-architecture/index.md +22 -0
package/expertise/architecture/mobile-architecture/mobile-app-architecture.md +780 -0
package/expertise/architecture/mobile-architecture/mobile-backend-for-frontend.md +670 -0
package/expertise/architecture/mobile-architecture/offline-first.md +719 -0
package/expertise/architecture/mobile-architecture/push-and-sync.md +782 -0
package/expertise/architecture/patterns/cqrs-event-sourcing.md +717 -0
package/expertise/architecture/patterns/event-driven.md +797 -0
package/expertise/architecture/patterns/hexagonal-clean-architecture.md +870 -0
package/expertise/architecture/patterns/index.md +27 -0
package/expertise/architecture/patterns/layered-architecture.md +736 -0
package/expertise/architecture/patterns/microservices.md +753 -0
package/expertise/architecture/patterns/modular-monolith.md +692 -0
package/expertise/architecture/patterns/monolith.md +626 -0
package/expertise/architecture/patterns/plugin-architecture.md +735 -0
package/expertise/architecture/patterns/serverless.md +780 -0
package/expertise/architecture/scaling/database-scaling.md +615 -0
package/expertise/architecture/scaling/feature-flags-and-rollouts.md +757 -0
package/expertise/architecture/scaling/horizontal-vs-vertical.md +606 -0
package/expertise/architecture/scaling/index.md +24 -0
package/expertise/architecture/scaling/multi-tenancy.md +800 -0
package/expertise/architecture/scaling/stateless-design.md +787 -0
package/expertise/backend/embedded-firmware.md +625 -0
package/expertise/backend/go.md +853 -0
package/expertise/backend/index.md +24 -0
package/expertise/backend/java-spring.md +448 -0
package/expertise/backend/node-typescript.md +625 -0
package/expertise/backend/python-fastapi.md +724 -0
package/expertise/backend/rust.md +458 -0
package/expertise/backend/solidity.md +711 -0
package/expertise/composition-map.yaml +443 -0
package/expertise/content/foundations/content-modeling.md +395 -0
package/expertise/content/foundations/editorial-standards.md +449 -0
package/expertise/content/foundations/index.md +24 -0
package/expertise/content/foundations/microcopy.md +455 -0
package/expertise/content/foundations/terminology-governance.md +509 -0
package/expertise/content/index.md +34 -0
package/expertise/content/patterns/accessibility-copy.md +518 -0
package/expertise/content/patterns/index.md +24 -0
package/expertise/content/patterns/notification-content.md +433 -0
package/expertise/content/patterns/sample-content.md +486 -0
package/expertise/content/patterns/state-copy.md +439 -0
package/expertise/design/PROGRESS.md +58 -0
package/expertise/design/disciplines/dark-mode-theming.md +577 -0
package/expertise/design/disciplines/design-systems.md +595 -0
package/expertise/design/disciplines/index.md +25 -0
package/expertise/design/disciplines/information-architecture.md +800 -0
package/expertise/design/disciplines/interaction-design.md +788 -0
package/expertise/design/disciplines/responsive-design.md +552 -0
package/expertise/design/disciplines/usability-testing.md +516 -0
package/expertise/design/disciplines/user-research.md +792 -0
package/expertise/design/foundations/accessibility-design.md +796 -0
package/expertise/design/foundations/color-theory.md +797 -0
package/expertise/design/foundations/iconography.md +795 -0
package/expertise/design/foundations/index.md +26 -0
package/expertise/design/foundations/motion-and-animation.md +653 -0
package/expertise/design/foundations/rtl-design.md +585 -0
package/expertise/design/foundations/spacing-and-layout.md +607 -0
package/expertise/design/foundations/typography.md +800 -0
package/expertise/design/foundations/visual-hierarchy.md +761 -0
package/expertise/design/index.md +32 -0
package/expertise/design/patterns/authentication-flows.md +474 -0
package/expertise/design/patterns/content-consumption.md +789 -0
package/expertise/design/patterns/data-display.md +618 -0
package/expertise/design/patterns/e-commerce.md +1494 -0
package/expertise/design/patterns/feedback-and-states.md +642 -0
package/expertise/design/patterns/forms-and-input.md +819 -0
package/expertise/design/patterns/gamification.md +801 -0
package/expertise/design/patterns/index.md +31 -0
package/expertise/design/patterns/microinteractions.md +449 -0
package/expertise/design/patterns/navigation.md +800 -0
package/expertise/design/patterns/notifications.md +705 -0
package/expertise/design/patterns/onboarding.md +700 -0
package/expertise/design/patterns/search-and-filter.md +601 -0
package/expertise/design/patterns/settings-and-preferences.md +768 -0
package/expertise/design/patterns/social-and-community.md +748 -0
package/expertise/design/platforms/desktop-native.md +612 -0
package/expertise/design/platforms/index.md +25 -0
package/expertise/design/platforms/mobile-android.md +825 -0
package/expertise/design/platforms/mobile-cross-platform.md +983 -0
package/expertise/design/platforms/mobile-ios.md +699 -0
package/expertise/design/platforms/tablet.md +794 -0
package/expertise/design/platforms/web-dashboard.md +790 -0
package/expertise/design/platforms/web-responsive.md +550 -0
package/expertise/design/psychology/behavioral-nudges.md +449 -0
package/expertise/design/psychology/cognitive-load.md +1191 -0
package/expertise/design/psychology/error-psychology.md +778 -0
package/expertise/design/psychology/index.md +22 -0
package/expertise/design/psychology/persuasive-design.md +736 -0
package/expertise/design/psychology/user-mental-models.md +623 -0
package/expertise/design/tooling/open-pencil.md +266 -0
package/expertise/frontend/angular.md +1073 -0
package/expertise/frontend/desktop-electron.md +546 -0
package/expertise/frontend/flutter.md +782 -0
package/expertise/frontend/index.md +27 -0
package/expertise/frontend/native-android.md +409 -0
package/expertise/frontend/native-ios.md +490 -0
package/expertise/frontend/react-native.md +1160 -0
package/expertise/frontend/react.md +808 -0
package/expertise/frontend/vue.md +1089 -0
package/expertise/humanize/domain-rules-code.md +79 -0
package/expertise/humanize/domain-rules-content.md +67 -0
package/expertise/humanize/domain-rules-technical-docs.md +56 -0
package/expertise/humanize/index.md +35 -0
package/expertise/humanize/self-audit-checklist.md +87 -0
package/expertise/humanize/sentence-patterns.md +218 -0
package/expertise/humanize/vocabulary-blacklist.md +105 -0
package/expertise/i18n/PROGRESS.md +65 -0
package/expertise/i18n/advanced/accessibility-and-i18n.md +28 -0
package/expertise/i18n/advanced/bidirectional-text-algorithm.md +38 -0
package/expertise/i18n/advanced/complex-scripts.md +30 -0
package/expertise/i18n/advanced/performance-and-i18n.md +27 -0
package/expertise/i18n/advanced/testing-i18n.md +28 -0
package/expertise/i18n/content/content-adaptation.md +23 -0
package/expertise/i18n/content/locale-specific-formatting.md +23 -0
package/expertise/i18n/content/machine-translation-integration.md +28 -0
package/expertise/i18n/content/translation-management.md +29 -0
package/expertise/i18n/foundations/date-time-calendars.md +67 -0
package/expertise/i18n/foundations/i18n-architecture.md +272 -0
package/expertise/i18n/foundations/locale-and-language-tags.md +79 -0
package/expertise/i18n/foundations/numbers-currency-units.md +61 -0
package/expertise/i18n/foundations/pluralization-and-gender.md +109 -0
package/expertise/i18n/foundations/string-externalization.md +236 -0
package/expertise/i18n/foundations/text-direction-bidi.md +241 -0
package/expertise/i18n/foundations/unicode-and-encoding.md +86 -0
package/expertise/i18n/index.md +38 -0
package/expertise/i18n/platform/backend-i18n.md +31 -0
package/expertise/i18n/platform/flutter-i18n.md +148 -0
package/expertise/i18n/platform/native-android-i18n.md +36 -0
package/expertise/i18n/platform/native-ios-i18n.md +36 -0
package/expertise/i18n/platform/react-i18n.md +103 -0
package/expertise/i18n/platform/web-css-i18n.md +81 -0
package/expertise/i18n/rtl/arabic-specific.md +175 -0
package/expertise/i18n/rtl/hebrew-specific.md +149 -0
package/expertise/i18n/rtl/rtl-animations-and-transitions.md +111 -0
package/expertise/i18n/rtl/rtl-forms-and-input.md +161 -0
package/expertise/i18n/rtl/rtl-fundamentals.md +211 -0
package/expertise/i18n/rtl/rtl-icons-and-images.md +181 -0
package/expertise/i18n/rtl/rtl-layout-mirroring.md +252 -0
package/expertise/i18n/rtl/rtl-navigation-and-gestures.md +107 -0
package/expertise/i18n/rtl/rtl-testing-and-qa.md +147 -0
package/expertise/i18n/rtl/rtl-typography.md +160 -0
package/expertise/index.md +113 -0
package/expertise/index.yaml +216 -0
package/expertise/infrastructure/cloud-aws.md +597 -0
package/expertise/infrastructure/cloud-gcp.md +599 -0
package/expertise/infrastructure/cybersecurity.md +816 -0
package/expertise/infrastructure/database-mongodb.md +447 -0
package/expertise/infrastructure/database-postgres.md +400 -0
package/expertise/infrastructure/devops-cicd.md +787 -0
package/expertise/infrastructure/index.md +27 -0
package/expertise/performance/PROGRESS.md +50 -0
package/expertise/performance/backend/api-latency.md +1204 -0
package/expertise/performance/backend/background-jobs.md +506 -0
package/expertise/performance/backend/connection-pooling.md +1209 -0
package/expertise/performance/backend/database-query-optimization.md +515 -0
package/expertise/performance/backend/index.md +23 -0
package/expertise/performance/backend/rate-limiting-and-throttling.md +971 -0
package/expertise/performance/foundations/algorithmic-complexity.md +954 -0
package/expertise/performance/foundations/caching-strategies.md +489 -0
package/expertise/performance/foundations/concurrency-and-parallelism.md +847 -0
package/expertise/performance/foundations/index.md +24 -0
package/expertise/performance/foundations/measuring-and-profiling.md +440 -0
package/expertise/performance/foundations/memory-management.md +964 -0
package/expertise/performance/foundations/performance-budgets.md +1314 -0
package/expertise/performance/index.md +31 -0
package/expertise/performance/infrastructure/auto-scaling.md +1059 -0
package/expertise/performance/infrastructure/cdn-and-edge.md +1081 -0
package/expertise/performance/infrastructure/index.md +22 -0
package/expertise/performance/infrastructure/load-balancing.md +1081 -0
package/expertise/performance/infrastructure/observability.md +1079 -0
package/expertise/performance/mobile/index.md +23 -0
package/expertise/performance/mobile/mobile-animations.md +544 -0
package/expertise/performance/mobile/mobile-memory-battery.md +416 -0
package/expertise/performance/mobile/mobile-network.md +452 -0
package/expertise/performance/mobile/mobile-rendering.md +599 -0
package/expertise/performance/mobile/mobile-startup-time.md +505 -0
package/expertise/performance/platform-specific/flutter-performance.md +647 -0
package/expertise/performance/platform-specific/index.md +22 -0
package/expertise/performance/platform-specific/node-performance.md +1307 -0
package/expertise/performance/platform-specific/postgres-performance.md +1366 -0
package/expertise/performance/platform-specific/react-performance.md +1403 -0
package/expertise/performance/web/bundle-optimization.md +1239 -0
package/expertise/performance/web/image-and-media.md +636 -0
package/expertise/performance/web/index.md +24 -0
package/expertise/performance/web/network-optimization.md +1133 -0
package/expertise/performance/web/rendering-performance.md +1098 -0
package/expertise/performance/web/ssr-and-hydration.md +918 -0
package/expertise/performance/web/web-vitals.md +1374 -0
package/expertise/quality/accessibility.md +985 -0
package/expertise/quality/evidence-based-verification.md +499 -0
package/expertise/quality/index.md +24 -0
package/expertise/quality/ml-model-audit.md +614 -0
package/expertise/quality/performance.md +600 -0
package/expertise/quality/testing-api.md +891 -0
package/expertise/quality/testing-mobile.md +496 -0
package/expertise/quality/testing-web.md +849 -0
package/expertise/security/PROGRESS.md +54 -0
package/expertise/security/agentic-identity.md +540 -0
package/expertise/security/compliance-frameworks.md +601 -0
package/expertise/security/data/data-encryption.md +364 -0
package/expertise/security/data/data-privacy-gdpr.md +692 -0
package/expertise/security/data/database-security.md +1171 -0
package/expertise/security/data/index.md +22 -0
package/expertise/security/data/pii-handling.md +531 -0
package/expertise/security/foundations/authentication.md +1041 -0
package/expertise/security/foundations/authorization.md +603 -0
package/expertise/security/foundations/cryptography.md +1001 -0
package/expertise/security/foundations/index.md +25 -0
package/expertise/security/foundations/owasp-top-10.md +1354 -0
package/expertise/security/foundations/secrets-management.md +1217 -0
package/expertise/security/foundations/secure-sdlc.md +700 -0
package/expertise/security/foundations/supply-chain-security.md +698 -0
package/expertise/security/index.md +31 -0
package/expertise/security/infrastructure/cloud-security-aws.md +1296 -0
package/expertise/security/infrastructure/cloud-security-gcp.md +1376 -0
package/expertise/security/infrastructure/container-security.md +721 -0
package/expertise/security/infrastructure/incident-response.md +1295 -0
package/expertise/security/infrastructure/index.md +24 -0
package/expertise/security/infrastructure/logging-and-monitoring.md +1618 -0
package/expertise/security/infrastructure/network-security.md +1337 -0
package/expertise/security/mobile/index.md +23 -0
package/expertise/security/mobile/mobile-android-security.md +1218 -0
package/expertise/security/mobile/mobile-binary-protection.md +1229 -0
package/expertise/security/mobile/mobile-data-storage.md +1265 -0
package/expertise/security/mobile/mobile-ios-security.md +1401 -0
package/expertise/security/mobile/mobile-network-security.md +1520 -0
package/expertise/security/smart-contract-security.md +594 -0
package/expertise/security/testing/index.md +22 -0
package/expertise/security/testing/penetration-testing.md +1258 -0
package/expertise/security/testing/security-code-review.md +1765 -0
package/expertise/security/testing/threat-modeling.md +1074 -0
package/expertise/security/testing/vulnerability-scanning.md +1062 -0
package/expertise/security/web/api-security.md +586 -0
package/expertise/security/web/cors-and-headers.md +433 -0
package/expertise/security/web/csrf.md +562 -0
package/expertise/security/web/file-upload.md +1477 -0
package/expertise/security/web/index.md +25 -0
package/expertise/security/web/injection.md +1375 -0
package/expertise/security/web/session-management.md +1101 -0
package/expertise/security/web/xss.md +1158 -0
package/exports/README.md +17 -0
package/exports/hosts/claude/.claude/agents/clarifier.md +42 -0
package/exports/hosts/claude/.claude/agents/content-author.md +63 -0
package/exports/hosts/claude/.claude/agents/designer.md +55 -0
package/exports/hosts/claude/.claude/agents/executor.md +55 -0
package/exports/hosts/claude/.claude/agents/learner.md +51 -0
package/exports/hosts/claude/.claude/agents/planner.md +53 -0
package/exports/hosts/claude/.claude/agents/researcher.md +43 -0
package/exports/hosts/claude/.claude/agents/reviewer.md +54 -0
package/exports/hosts/claude/.claude/agents/specifier.md +47 -0
package/exports/hosts/claude/.claude/agents/verifier.md +71 -0
package/exports/hosts/claude/.claude/commands/author.md +42 -0
package/exports/hosts/claude/.claude/commands/clarify.md +38 -0
package/exports/hosts/claude/.claude/commands/design-review.md +46 -0
package/exports/hosts/claude/.claude/commands/design.md +44 -0
package/exports/hosts/claude/.claude/commands/discover.md +37 -0
package/exports/hosts/claude/.claude/commands/execute.md +48 -0
package/exports/hosts/claude/.claude/commands/learn.md +38 -0
package/exports/hosts/claude/.claude/commands/plan-review.md +42 -0
package/exports/hosts/claude/.claude/commands/plan.md +39 -0
package/exports/hosts/claude/.claude/commands/prepare-next.md +37 -0
package/exports/hosts/claude/.claude/commands/review.md +40 -0
package/exports/hosts/claude/.claude/commands/run-audit.md +41 -0
package/exports/hosts/claude/.claude/commands/spec-challenge.md +41 -0
package/exports/hosts/claude/.claude/commands/specify.md +38 -0
package/exports/hosts/claude/.claude/commands/verify.md +37 -0
package/exports/hosts/claude/.claude/settings.json +34 -0
package/exports/hosts/claude/CLAUDE.md +19 -0
package/exports/hosts/claude/export.manifest.json +38 -0
package/exports/hosts/claude/host-package.json +67 -0
package/exports/hosts/codex/AGENTS.md +19 -0
package/exports/hosts/codex/export.manifest.json +38 -0
package/exports/hosts/codex/host-package.json +41 -0
package/exports/hosts/cursor/.cursor/hooks.json +16 -0
package/exports/hosts/cursor/.cursor/rules/wazir-core.mdc +19 -0
package/exports/hosts/cursor/export.manifest.json +38 -0
package/exports/hosts/cursor/host-package.json +42 -0
package/exports/hosts/gemini/GEMINI.md +19 -0
package/exports/hosts/gemini/export.manifest.json +38 -0
package/exports/hosts/gemini/host-package.json +41 -0
package/hooks/README.md +18 -0
package/hooks/definitions/loop_cap_guard.yaml +21 -0
package/hooks/definitions/post_tool_capture.yaml +24 -0
package/hooks/definitions/pre_compact_summary.yaml +19 -0
package/hooks/definitions/pre_tool_capture_route.yaml +19 -0
package/hooks/definitions/protected_path_write_guard.yaml +19 -0
package/hooks/definitions/session_start.yaml +19 -0
package/hooks/definitions/stop_handoff_harvest.yaml +20 -0
package/hooks/loop-cap-guard +17 -0
package/hooks/post-tool-lint +36 -0
package/hooks/protected-path-write-guard +17 -0
package/hooks/session-start +41 -0
package/llms-full.txt +2355 -0
package/llms.txt +43 -0
package/package.json +79 -0
package/roles/README.md +20 -0
package/roles/clarifier.md +42 -0
package/roles/content-author.md +63 -0
package/roles/designer.md +55 -0
package/roles/executor.md +55 -0
package/roles/learner.md +51 -0
package/roles/planner.md +53 -0
package/roles/researcher.md +43 -0
package/roles/reviewer.md +54 -0
package/roles/specifier.md +47 -0
package/roles/verifier.md +71 -0
package/schemas/README.md +24 -0
package/schemas/accepted-learning.schema.json +20 -0
package/schemas/author-artifact.schema.json +156 -0
package/schemas/clarification.schema.json +19 -0
package/schemas/design-artifact.schema.json +80 -0
package/schemas/docs-claim.schema.json +18 -0
package/schemas/export-manifest.schema.json +20 -0
package/schemas/hook.schema.json +67 -0
package/schemas/host-export-package.schema.json +18 -0
package/schemas/implementation-plan.schema.json +19 -0
package/schemas/proposed-learning.schema.json +19 -0
package/schemas/research.schema.json +18 -0
package/schemas/review.schema.json +29 -0
package/schemas/run-manifest.schema.json +18 -0
package/schemas/spec-challenge.schema.json +18 -0
package/schemas/spec.schema.json +20 -0
package/schemas/usage.schema.json +102 -0
package/schemas/verification-proof.schema.json +29 -0
package/schemas/wazir-manifest.schema.json +173 -0
package/skills/README.md +40 -0
package/skills/brainstorming/SKILL.md +77 -0
package/skills/debugging/SKILL.md +50 -0
package/skills/design/SKILL.md +61 -0
package/skills/dispatching-parallel-agents/SKILL.md +128 -0
package/skills/executing-plans/SKILL.md +70 -0
package/skills/finishing-a-development-branch/SKILL.md +169 -0
package/skills/humanize/SKILL.md +123 -0
package/skills/init-pipeline/SKILL.md +124 -0
package/skills/prepare-next/SKILL.md +20 -0
package/skills/receiving-code-review/SKILL.md +123 -0
package/skills/requesting-code-review/SKILL.md +105 -0
package/skills/requesting-code-review/code-reviewer.md +108 -0
package/skills/run-audit/SKILL.md +197 -0
package/skills/scan-project/SKILL.md +41 -0
package/skills/self-audit/SKILL.md +153 -0
package/skills/subagent-driven-development/SKILL.md +154 -0
package/skills/subagent-driven-development/code-quality-reviewer-prompt.md +26 -0
package/skills/subagent-driven-development/implementer-prompt.md +102 -0
package/skills/subagent-driven-development/spec-reviewer-prompt.md +61 -0
package/skills/tdd/SKILL.md +23 -0
package/skills/using-git-worktrees/SKILL.md +163 -0
package/skills/using-skills/SKILL.md +95 -0
package/skills/verification/SKILL.md +22 -0
package/skills/wazir/SKILL.md +463 -0
package/skills/writing-plans/SKILL.md +30 -0
package/skills/writing-skills/SKILL.md +157 -0
package/skills/writing-skills/anthropic-best-practices.md +122 -0
package/skills/writing-skills/persuasion-principles.md +50 -0
package/templates/README.md +20 -0
package/templates/artifacts/README.md +10 -0
package/templates/artifacts/accepted-learning.md +19 -0
package/templates/artifacts/accepted-learning.template.json +12 -0
package/templates/artifacts/author.md +74 -0
package/templates/artifacts/author.template.json +19 -0
package/templates/artifacts/clarification.md +21 -0
package/templates/artifacts/clarification.template.json +12 -0
package/templates/artifacts/execute-notes.md +19 -0
package/templates/artifacts/implementation-plan.md +21 -0
package/templates/artifacts/implementation-plan.template.json +11 -0
package/templates/artifacts/learning-proposal.md +19 -0
package/templates/artifacts/next-run-handoff.md +21 -0
package/templates/artifacts/plan-review.md +19 -0
package/templates/artifacts/proposed-learning.template.json +12 -0
package/templates/artifacts/research.md +21 -0
package/templates/artifacts/research.template.json +12 -0
package/templates/artifacts/review-findings.md +19 -0
package/templates/artifacts/review.template.json +11 -0
package/templates/artifacts/run-manifest.template.json +8 -0
package/templates/artifacts/spec-challenge.md +19 -0
package/templates/artifacts/spec-challenge.template.json +11 -0
package/templates/artifacts/spec.md +21 -0
package/templates/artifacts/spec.template.json +12 -0
package/templates/artifacts/verification-proof.md +19 -0
package/templates/artifacts/verification-proof.template.json +11 -0
package/templates/examples/accepted-learning.example.json +14 -0
package/templates/examples/author.example.json +152 -0
package/templates/examples/clarification.example.json +15 -0
package/templates/examples/docs-claim.example.json +8 -0
package/templates/examples/export-manifest.example.json +7 -0
package/templates/examples/host-export-package.example.json +11 -0
package/templates/examples/implementation-plan.example.json +17 -0
package/templates/examples/proposed-learning.example.json +13 -0
package/templates/examples/research.example.json +15 -0
package/templates/examples/research.example.md +6 -0
package/templates/examples/review.example.json +17 -0
package/templates/examples/run-manifest.example.json +9 -0
package/templates/examples/spec-challenge.example.json +14 -0
package/templates/examples/spec.example.json +21 -0
package/templates/examples/verification-proof.example.json +21 -0
package/templates/examples/wazir-manifest.example.yaml +65 -0
package/templates/task-definition-schema.md +99 -0
package/tooling/README.md +20 -0
package/tooling/src/adapters/context-mode.js +50 -0
package/tooling/src/capture/command.js +376 -0
package/tooling/src/capture/store.js +99 -0
package/tooling/src/capture/usage.js +270 -0
package/tooling/src/checks/branches.js +50 -0
package/tooling/src/checks/brand-truth.js +110 -0
package/tooling/src/checks/changelog.js +231 -0
package/tooling/src/checks/command-registry.js +36 -0
package/tooling/src/checks/commits.js +102 -0
package/tooling/src/checks/docs-drift.js +103 -0
package/tooling/src/checks/docs-truth.js +201 -0
package/tooling/src/checks/runtime-surface.js +156 -0
package/tooling/src/cli.js +116 -0
package/tooling/src/command-options.js +56 -0
package/tooling/src/commands/validate.js +320 -0
package/tooling/src/doctor/command.js +91 -0
package/tooling/src/export/command.js +77 -0
package/tooling/src/export/compiler.js +498 -0
package/tooling/src/guards/loop-cap-guard.js +52 -0
package/tooling/src/guards/protected-path-write-guard.js +67 -0
package/tooling/src/index/command.js +152 -0
package/tooling/src/index/storage.js +1061 -0
package/tooling/src/index/summarizers.js +261 -0
package/tooling/src/loaders.js +18 -0
package/tooling/src/project-root.js +22 -0
package/tooling/src/recall/command.js +225 -0
package/tooling/src/schema-validator.js +30 -0
package/tooling/src/state-root.js +40 -0
package/tooling/src/status/command.js +71 -0
package/wazir.manifest.yaml +135 -0
package/workflows/README.md +19 -0
package/workflows/author.md +42 -0
package/workflows/clarify.md +38 -0
package/workflows/design-review.md +46 -0
package/workflows/design.md +44 -0
package/workflows/discover.md +37 -0
package/workflows/execute.md +48 -0
package/workflows/learn.md +38 -0
package/workflows/plan-review.md +42 -0
package/workflows/plan.md +39 -0
package/workflows/prepare-next.md +37 -0
package/workflows/review.md +40 -0
package/workflows/run-audit.md +41 -0
package/workflows/spec-challenge.md +41 -0
package/workflows/specify.md +38 -0
package/workflows/verify.md +37 -0

package/expertise/security/data/data-encryption.md ADDED Viewed

@@ -0,0 +1,364 @@
+# Data Encryption Security Expertise
+> **Purpose:** Reference for AI agents implementing proper encryption at rest and in transit.
+> **Last updated:** 2026-03-08 | **Sources:** NIST SP 800-111, FIPS 203/204/205, PCI-DSS v4.0.1, GDPR Art. 32, HIPAA, AWS/GCP docs, OWASP
+---
+## 1. Threat Landscape
+### Attack Vectors
+| Vector | Description | Impact |
+|---|---|---|
+| Unencrypted storage | PII/PHI stored plaintext in databases | Full exposure on any breach |
+| Man-in-the-middle | Interception of unencrypted network traffic | Credential theft, session hijacking |
+| Stolen backups | Backup media exfiltrated without encryption | Offline data exposure |
+| Cloud misconfiguration | S3 buckets, databases exposed unencrypted | Mass data exfiltration |
+| Key co-location | Keys stored alongside encrypted data | Encryption rendered useless |
+| Weak algorithms | MD5, SHA-1, DES, RC4, TLS 1.0/1.1 | Feasible brute-force or known attacks |
+### Real-World Breaches
+**Capital One (2019) -- 106M Records.** SSRF vulnerability in a misconfigured WAF let an attacker obtain IAM credentials from AWS metadata service. ~30 GB of data (SSNs, bank accounts, credit scores) was accessed -- much stored unencrypted in S3. The IAM role had decrypt permissions, so encryption provided no defense once credentials were compromised. Undetected March-July 2019.
+- **Lesson:** Encryption without proper key access controls is insufficient. Use envelope encryption with separate policies per data classification. Enforce IMDSv2 for SSRF protection.
+**Marriott/Starwood (2018) -- 383M Records.** Starwood's network was compromised in 2014 (before Marriott's acquisition). 5.25 million passport numbers were stored completely unencrypted. Encrypted credit card keys were stored on the same system.
+- **Lesson:** Encrypt all sensitive fields, especially government IDs. Never co-locate keys with data. M&A due diligence must include security posture assessment.
+**National Public Data (2023-2024) -- 2.9B Records.** Background check firm breach exposed SSNs, names, addresses. Unencrypted records were freely leaked in a 4TB dump on cybercrime forums.
+- **Lesson:** Data aggregators are high-value targets. Field-level encryption of SSNs and government IDs is essential.
+---
+## 2. Core Security Principles
+### Encryption at Rest
+- **Full Disk Encryption (FDE):** BitLocker, FileVault, dm-crypt/LUKS -- encrypts entire volumes
+- **Database Encryption:** TDE (whole-database) or column/field-level for targeted protection
+- **Object Storage:** AWS S3 SSE, GCP Cloud Storage default encryption
+### Encryption in Transit
+- **TLS 1.3** (RFC 8446) is the current standard. TLS 1.2 acceptable with proper ciphers. TLS 1.0/1.1 deprecated (RFC 8996).
+- **mTLS:** Both client and server authenticate -- required for zero-trust service-to-service.
+- **VPN/WireGuard/IPsec:** Network-level encrypted tunnels.
+### Envelope Encryption
+Two-tier key hierarchy: KMS manages a Key Encryption Key (KEK) that encrypts locally-generated Data Encryption Keys (DEKs). DEKs encrypt the actual data. Only the small DEK goes to KMS, reducing API calls by up to 99% (AWS). Each data object gets its own DEK, limiting blast radius. The KEK never leaves the HSM.
+### Key Management Lifecycle
+| Phase | Requirements |
+|---|---|
+| Generation | CSPRNG, minimum AES-256 |
+| Storage | HSMs or managed KMS -- never alongside data |
+| Rotation | Annually minimum, immediately after suspected compromise |
+| Destruction | Cryptographic erasure, eliminate all copies |
+### Crypto Agility
+Ability to swap algorithms without major changes. Critical for post-quantum transition (NIST targets 2035). Abstract crypto behind interfaces, store algorithm identifiers with encrypted data, version encryption schemas.
+---
+## 3. Implementation Patterns
+### 3.1 TLS 1.3 Configuration (Nginx)
+```nginx
+server {
+    listen 443 ssl http2;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
+    ssl_prefer_server_ciphers off;  # Let clients optimize for their hardware
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off;
+    # HSTS (1 year, subdomains, preload-ready)
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    # Note: Let's Encrypt discontinued OCSP in 2025 -- stapling has no effect with LE certs
+}
+server { listen 80; return 301 https://$host$request_uri; }  # Force HTTPS
+```
+### 3.2 Field-Level Encryption (TypeScript)
+```typescript
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+interface EncryptedField {
+  v: number; iv: string; ct: string; tag: string;
+}
+export function encryptField(plaintext: string, key: Buffer): EncryptedField {
+  if (key.length !== 32) throw new Error('Key must be 32 bytes (AES-256)');
+  const iv = randomBytes(12); // 96-bit IV per NIST
+  const cipher = createCipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  return {
+    v: 1, iv: iv.toString('base64'),
+    ct: encrypted.toString('base64'), tag: cipher.getAuthTag().toString('base64'),
+  };
+}
+export function decryptField(field: EncryptedField, key: Buffer): string {
+  const decipher = createDecipheriv('aes-256-gcm', key,
+    Buffer.from(field.iv, 'base64'), { authTagLength: 16 });
+  decipher.setAuthTag(Buffer.from(field.tag, 'base64'));
+  return Buffer.concat([
+    decipher.update(Buffer.from(field.ct, 'base64')), decipher.final()
+  ]).toString('utf8');
+}
+// Key from KMS: const key = await fetchKeyFromKMS('alias/user-pii-key');
+```
+### 3.3 Envelope Encryption (TypeScript + AWS KMS)
+```typescript
+import { KMSClient, GenerateDataKeyCommand, DecryptCommand } from '@aws-sdk/client-kms';
+import { createCipheriv, createDecipheriv, randomBytes } from 'crypto';
+const kms = new KMSClient({ region: 'us-east-1' });
+export async function envelopeEncrypt(plaintext: Buffer) {
+  const { Plaintext: dek, CiphertextBlob: encDek } = await kms.send(
+    new GenerateDataKeyCommand({ KeyId: 'alias/my-key', KeySpec: 'AES_256' }));
+  try {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv('aes-256-gcm', dek!, iv);
+    const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
+    return { encryptedDEK: Buffer.from(encDek!).toString('base64'),
+      iv: iv.toString('base64'), ciphertext: ct.toString('base64'),
+      tag: cipher.getAuthTag().toString('base64') };
+  } finally { (dek as Buffer).fill(0); } // Clear plaintext DEK from memory
+}
+export async function envelopeDecrypt(envelope: any): Promise<Buffer> {
+  const { Plaintext: dek } = await kms.send(
+    new DecryptCommand({ CiphertextBlob: Buffer.from(envelope.encryptedDEK, 'base64') }));
+  try {
+    const decipher = createDecipheriv('aes-256-gcm', dek!,
+      Buffer.from(envelope.iv, 'base64'));
+    decipher.setAuthTag(Buffer.from(envelope.tag, 'base64'));
+    return Buffer.concat([
+      decipher.update(Buffer.from(envelope.ciphertext, 'base64')), decipher.final()]);
+  } finally { (dek as Buffer).fill(0); }
+}
+```
+### 3.4 Database Column Encryption (PostgreSQL pgcrypto)
+```sql
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+-- VULNERABLE: plaintext SSN
+CREATE TABLE users_bad (id SERIAL, ssn TEXT, credit_card TEXT);
+-- SECURE: encrypted columns
+CREATE TABLE users_secure (id SERIAL PRIMARY KEY, name TEXT,
+    ssn_enc BYTEA, credit_card_enc BYTEA);
+INSERT INTO users_secure (name, ssn_enc, credit_card_enc) VALUES ('Jane Doe',
+    pgp_sym_encrypt('123-45-6789', current_setting('app.encryption_key')),
+    pgp_sym_encrypt('4111111111111111', current_setting('app.encryption_key')));
+-- Key loaded from KMS at connection time via: SET app.encryption_key = '...';
+```
+---
+## 4. Vulnerability Catalog
+| ID | Vulnerability | Risk | Remediation |
+|---|---|---|---|
+| V-ENC-01 | Unencrypted PII in database | CRITICAL | Field-level AES-256-GCM encryption before storage |
+| V-ENC-02 | TLS 1.0/1.1 enabled | HIGH | Disable; use TLS 1.2+ only (`ssl_protocols TLSv1.2 TLSv1.3`) |
+| V-ENC-03 | Self-signed certs in production | HIGH | Use trusted CA (Let's Encrypt). Automate renewal with Certbot |
+| V-ENC-04 | Unencrypted backups | CRITICAL | Encrypt pipelines (GPG/KMS). Never write plaintext to disk |
+| V-ENC-05 | Key stored next to data | CRITICAL | Store keys in KMS/HSM with separate access policies |
+| V-ENC-06 | Weak cipher suites (RC4, DES, CBC) | HIGH | Allow only AEAD suites (AES-GCM, ChaCha20-Poly1305) |
+| V-ENC-07 | Missing HSTS header | MEDIUM | Set `Strict-Transport-Security: max-age=31536000; includeSubDomains` |
+| V-ENC-08 | Hardcoded encryption keys | CRITICAL | Use KMS/Vault/env vars. Scan with truffleHog/gitleaks |
+| V-ENC-09 | Plaintext internal service comms | HIGH | Enforce mTLS between services (Istio, Linkerd) |
+| V-ENC-10 | ECB mode encryption | HIGH | Use GCM (preferred) or CCM. ECB preserves data patterns |
+| V-ENC-11 | IV/nonce reuse in GCM | CRITICAL | Random 96-bit IV per operation. Rotate key before 2^32 ops |
+| V-ENC-12 | Missing cert pinning (mobile) | HIGH | Pin certificates or public keys with backup pins |
+| V-ENC-13 | Unencrypted data in logs | HIGH | Sanitize/mask sensitive fields before logging |
+| V-ENC-14 | MD5/SHA-1 for integrity | MEDIUM | Use SHA-256 or SHA-3. HMAC-SHA-256 for authentication |
+| V-ENC-15 | Encryption key in browser storage | HIGH | Use Web Crypto API with non-extractable keys |
+### Vulnerable vs. Secure Code Pairs
+```typescript
+// V-ENC-01: VULNERABLE -- plaintext PII
+await db.query('INSERT INTO users (ssn) VALUES ($1)', [ssn]);
+// SECURE -- encrypted
+const enc = encryptField(ssn, await getKeyFromKMS('alias/pii-key'));
+await db.query('INSERT INTO users (ssn_enc) VALUES ($1)', [JSON.stringify(enc)]);
+// V-ENC-08: VULNERABLE -- hardcoded key
+const KEY = Buffer.from('a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6');
+// SECURE -- from KMS
+const KEY = Buffer.from(process.env.ENCRYPTION_KEY!, 'base64');
+// V-ENC-02: VULNERABLE Nginx
+// ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+// SECURE
+// ssl_protocols TLSv1.2 TLSv1.3;
+```
+---
+## 5. Security Checklist
+### Data at Rest (8 items)
+- [ ] All PII/PHI fields use field-level encryption (AES-256-GCM)
+- [ ] Database backups encrypted before written to disk
+- [ ] Full-disk encryption on all servers and workstations
+- [ ] Cloud storage uses SSE-KMS (preferred over SSE-S3)
+- [ ] Keys stored in KMS/HSM, never alongside data
+- [ ] Key rotation automated (minimum annually)
+- [ ] Decommissioned media undergoes cryptographic erasure
+- [ ] Log files contain no plaintext sensitive data
+### Data in Transit (8 items)
+- [ ] TLS 1.2+ enforced; TLS 1.0/1.1 disabled
+- [ ] Only AEAD cipher suites allowed
+- [ ] HSTS headers set (min 1-year max-age)
+- [ ] Certificate automation (Certbot/cert-manager)
+- [ ] Internal service traffic uses mTLS
+- [ ] Certificate expiration monitoring with alerts
+- [ ] No self-signed certificates in production
+- [ ] HTTP-to-HTTPS redirect on all endpoints
+### Key Management (7 items)
+- [ ] Keys generated with CSPRNG, AES-256 minimum
+- [ ] Separate keys per data classification (PII, financial, general)
+- [ ] Key access audit logging enabled (CloudTrail for AWS KMS)
+- [ ] Emergency key revocation procedure documented and tested
+- [ ] Keys never in source code, logs, or error messages
+- [ ] Envelope encryption for large data volumes
+- [ ] Post-quantum migration plan documented (target: 2035)
+### Application Layer (6 items)
+- [ ] Crypto abstracted behind interfaces (crypto agility)
+- [ ] Encryption version stored with encrypted data
+- [ ] No deprecated algorithms (MD5, SHA-1, DES, RC4, ECB)
+- [ ] IV/nonce uniqueness enforced; key rotation before 2^32 ops
+- [ ] Auth tags verified before processing decrypted data
+- [ ] Sensitive data zeroed from memory after use
+---
+## 6. Tools and Automation
+| Category | Tool | Purpose |
+|---|---|---|
+| TLS Testing | **SSL Labs** (ssllabs.com) | Online TLS grading (target A+) |
+| TLS Testing | **testssl.sh** | Offline scanner: `./testssl.sh --severity HIGH example.com` |
+| Certs | **Certbot** | Let's Encrypt automation (90-day certs) |
+| Certs | **cert-manager** | Kubernetes certificate lifecycle |
+| Config | **Mozilla SSL Config Generator** | Secure configs for Nginx/Apache/HAProxy |
+| KMS | **AWS KMS** | HSM-backed, CloudTrail audit, auto-rotation |
+| KMS | **GCP Cloud KMS** | CMEK, envelope encryption, EKM |
+| KMS | **HashiCorp Vault** | Multi-cloud secrets, transit encryption, PKI |
+| Secrets Scan | **truffleHog / gitleaks** | Detect hardcoded keys in git repos |
+| Cloud Audit | **Prowler / ScoutSuite** | Check encryption configs across cloud |
+| IaC Scan | **tfsec / trivy** | Flag encryption misconfigs in Terraform |
+| DB Encryption | **pgcrypto** (PostgreSQL) | Column-level SQL encryption |
+| DB Encryption | **MongoDB CSFLE** | Client-side field-level encryption |
+---
+## 7. Platform-Specific Guidance
+### AWS Encryption
+**S3 SSE options:** SSE-S3 (AWS-managed, free, default), SSE-KMS (audit trails, granular control, $1/key/month), SSE-C (customer-provided keys, full ownership).
+```json
+{ "Statement": [{ "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
+    "Resource": "arn:aws:s3:::my-bucket/*",
+    "Condition": { "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }}}]}
+```
+Best practices: default encryption on all buckets, KMS key policies restricting IAM roles, CloudTrail for KMS calls, VPC endpoints for KMS, EBS encryption by default.
+### GCP Encryption
+Default: all data AES-256 at rest. CMEK for key control/audit. CSEK for customer-supplied keys. EKM for keys outside Google. Use Tink library for envelope encryption.
+### MongoDB CSFLE
+Encrypts fields before they leave the application -- DBAs cannot see plaintext.
+- **Deterministic** encryption: same plaintext = same ciphertext. Allows equality queries. Use for searchable fields (email, SSN).
+- **Random** encryption: more secure, no query support. Use for read-only fields (medical records, notes).
+### Mobile Encryption
+**iOS Data Protection:** Hardware-backed AES-256. Use `NSFileProtectionComplete` for sensitive files (accessible only when unlocked). Store secrets in Keychain with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`.
+**Android:** Use `EncryptedSharedPreferences` (AES256-SIV keys, AES256-GCM values). Store secrets via Android Keystore. Use hardware-backed StrongBox when available.
+**Both platforms:** Enable cert pinning, encrypt local databases (SQLCipher), never store keys in app code.
+---
+## 8. Incident Patterns
+### Unencrypted Data Exposure
+**Detect:** Cloud scanner flags (Prowler, ScoutSuite), schema audit finds TEXT columns for SSN/credit card, network inspection reveals plaintext in HTTP.
+**Respond:** Enable encryption immediately, rotate exposed credentials, assess access logs for exposure window, determine notification obligations (GDPR 72h, HIPAA 60d).
+### Certificate Issues
+**Detect:** Monitoring alerts for expiring certs, browser warnings, service failures.
+**Respond:** Renew immediately, verify complete chain, test with SSL Labs, review automation.
+### Key Compromise
+**Respond:** (1) Disable/revoke key in KMS immediately, (2) identify all data encrypted with key, (3) generate new keys and re-encrypt affected data, (4) rotate dependent credentials, (5) investigate root cause, (6) post-mortem and update procedures, (7) determine notification requirements.
+---
+## 9. Compliance and Standards
+### PCI-DSS v4.0.1 (Requirements 3-4)
+- **Req 3:** Protect stored account data. PAN rendered unreadable (AES-256, hash, truncation, tokenization). Keys managed by fewest custodians; split knowledge/dual control.
+- **Req 4:** Protect cardholder data in transit with TLS 1.2+ and strong ciphers.
+- **Minimum:** AES-128 (AES-256 recommended).
+### GDPR Article 32
+Explicitly names encryption as an appropriate safeguard. Encrypted data breached without key compromise may not require notification (Recital 83). DPIAs should evaluate encryption measures.
+### HIPAA
+- **At rest (164.312(a)):** Encrypt ePHI per NIST SP 800-111. "Addressable" specification.
+- **In transit (164.312(e)):** TLS 1.2+ with strong ciphers.
+- **Safe Harbor:** Encrypted ePHI breach with uncompromised keys is NOT reportable.
+### NIST Standards Reference
+| Standard | Scope |
+|---|---|
+| SP 800-111 | Storage encryption for end-user devices |
+| SP 800-52 Rev. 2 | TLS implementation (TLS 1.2+ required) |
+| SP 800-57 | Key management lifecycle |
+| FIPS 140-3 | Cryptographic module validation (HSMs) |
+| FIPS 197 | AES specification (128/192/256-bit) |
+| FIPS 203 (2024) | Post-quantum key encapsulation (ML-KEM, from CRYSTALS-KYBER) |
+| FIPS 204 (2024) | Post-quantum signatures (ML-DSA, from CRYSTALS-Dilithium) |
+| FIPS 205 (2024) | Post-quantum signatures (SLH-DSA, from SPHINCS+) |
+**Post-quantum timeline:** NIST targets widespread PQC adoption by 2035. HQC selected March 2025. FALCON forthcoming as FIPS 206. Begin crypto inventory, implement agility, test hybrid approaches now.
+---
+## References
+- NIST SP 800-111: https://csrc.nist.gov/pubs/sp/800/111/final
+- NIST PQC Standards (Aug 2024): https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards
+- PCI-DSS v4.0.1: https://www.thoropass.com/blog/pci-dss-encryption-requirements
+- AWS KMS Best Practices: https://docs.aws.amazon.com/prescriptive-guidance/latest/encryption-best-practices/general-encryption-best-practices.html
+- GCP Envelope Encryption: https://cloud.google.com/kms/docs/envelope-encryption
+- Capital One Breach: https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
+- Marriott Breach: https://www.nbcnews.com/tech/tech-news/marriott-reveals-5-million-unencrypted-passport-numbers-were-leaked-2018-n954791
+- MongoDB CSFLE: https://www.mongodb.com/docs/manual/core/csfle/
+- PostgreSQL pgcrypto: https://www.postgresql.org/docs/current/pgcrypto.html
+- HIPAA Encryption: https://www.hipaajournal.com/hipaa-encryption-requirements/
+- SSL Labs: https://www.ssllabs.com/ssltest/