@wipal/agent-team 1.0.0

package/.claude/skills/domain/architecture/performance-engineering/references/optimization.md

@@ -0,0 +1,298 @@
+# Optimization Techniques
+
+## Optimization Process
+
+### 1. Measure First
+```
+"Premature optimization is the root of all evil" - Donald Knuth
+
+Steps:
+1. Establish baseline metrics
+2. Identify bottlenecks
+3. Profile to find root causes
+4. Optimize
+5. Measure improvement
+6. Document
+```
+
+### 2. Identify Bottlenecks
+```
+Common Bottlenecks (in order):
+1. Database (most common)
+2. Network I/O
+3. Disk I/O
+4. CPU
+5. Memory
+
+Tools:
+- APM: DataDog, New Relic, Dynatrace
+- Profilers: pprof, py-spy, JProfiler
+- Database: EXPLAIN, slow query log
+```
+
+## Database Optimization
+
+### Query Optimization
+```
+1. Use EXPLAIN
+   EXPLAIN ANALYZE SELECT * FROM orders WHERE user_id = 123;
+
+   Look for:
+   - Sequential scans (should use index)
+   - High row estimates
+   - Nested loops with many iterations
+
+2. Index Strategy
+   - Index columns in WHERE clauses
+   - Composite indexes for multiple conditions
+   - Covering indexes to avoid table access
+   - Don't over-index (write performance)
+
+3. Avoid N+1 Queries
+   # Bad
+   users = db.query("SELECT * FROM users")
+   for user in users:
+       orders = db.query("SELECT * FROM orders WHERE user_id = ?", user.id)
+
+   # Good
+   users = db.query("""
+       SELECT u.*, o.id as order_id
+       FROM users u
+       LEFT JOIN orders o ON u.id = o.user_id
+   """)
+
+4. Pagination
+   # Bad (offset gets slower with large offset)
+   SELECT * FROM posts ORDER BY created_at LIMIT 10 OFFSET 10000
+
+   # Good (keyset pagination)
+   SELECT * FROM posts
+   WHERE created_at < '2024-01-01'
+   ORDER BY created_at DESC
+   LIMIT 10
+```
+
+### Connection Pooling
+```
+Problem: Opening DB connections is expensive
+
+Solution: Connection Pool
+
+┌─────────────────────────────────────────────┐
+│            Connection Pool                   │
+│  ┌───┐ ┌───┐ ┌───┐ ┌───┐ ┌───┐ ┌───┐      │
+│  │ C │ │ C │ │ C │ │ C │ │ C │ │ C │      │
+│  └───┘ └───┘ └───┘ └───┘ └───┘ └───┘      │
+└─────────────────────────────────────────────┘
+        │
+        ▼
+   ┌─────────┐
+   │Database │
+   └─────────┘
+
+Configuration:
+pool_size = cpu_cores * 2 + disk_spindles
+max_overflow = pool_size
+pool_timeout = 30
+```
+
+## Application Optimization
+
+### Algorithmic Optimization
+```
+Time Complexity Matters:
+
+O(n²) for n=10,000 = 100,000,000 operations
+O(n log n) for n=10,000 = 133,000 operations
+
+Common Improvements:
+- Nested loop → Hash map lookup
+- Linear search → Binary search
+- Repeated calculation → Memoization
+```
+
+### Memory Optimization
+```
+1. Object Pooling
+   # Bad: Create new object each time
+   def process():
+       buffer = bytearray(1024*1024)  # 1MB allocation
+       ...
+
+   # Good: Reuse buffer
+   buffer_pool = Pool(bytearray, args=(1024*1024,), maxsize=10)
+
+   def process():
+       buffer = buffer_pool.get()
+       try:
+           ...
+       finally:
+           buffer_pool.put(buffer)
+
+2. Streaming
+   # Bad: Load entire file
+   data = file.read()  # OOM for large files
+
+   # Good: Stream processing
+   for line in file:
+       process(line)
+
+3. Lazy Loading
+   class User:
+       @property
+       def orders(self):
+           if not hasattr(self, '_orders'):
+               self._orders = Order.query.filter_by(user_id=self.id)
+           return self._orders
+```
+
+### Concurrency Optimization
+```
+1. Async I/O
+   # Sync (blocking)
+   result1 = api.call1()  # Wait 100ms
+   result2 = api.call2()  # Wait 100ms
+   # Total: 200ms
+
+   # Async (concurrent)
+   result1, result2 = await asyncio.gather(
+       api.call1(),
+       api.call2()
+   )
+   # Total: 100ms
+
+2. Thread Pools
+   with ThreadPoolExecutor(max_workers=10) as executor:
+       futures = [executor.submit(process, item) for item in items]
+       results = [f.result() for f in futures]
+
+3. Connection Reuse
+   # Bad: New connection per request
+   def call_api():
+       conn = http.client.HTTPSConnection("api.example.com")
+       conn.request("GET", "/data")
+       ...
+
+   # Good: Connection pool
+   session = requests.Session()  # Reuse connections
+   def call_api():
+       return session.get("https://api.example.com/data")
+```
+
+## Network Optimization
+
+### HTTP Optimization
+```
+1. Keep-Alive
+   Connection: keep-alive
+   Reuse TCP connections
+
+2. Compression
+   Accept-Encoding: gzip, br
+   Brotli > Gzip for compression ratio
+
+3. HTTP/2
+   - Multiplexing (multiple requests per connection)
+   - Header compression
+   - Server push
+
+4. HTTP/3 (QUIC)
+   - UDP-based
+   - Faster connection establishment
+   - Better on unreliable networks
+```
+
+### API Optimization
+```
+1. Batching
+   # Bad: Multiple requests
+   GET /users/1
+   GET /users/2
+   GET /users/3
+
+   # Good: Batch request
+   GET /users?ids=1,2,3
+
+2. Field Selection
+   # Bad: Return all fields
+   GET /users/1
+   {id, name, email, address, phone, created_at, updated_at, ...}
+
+   # Good: Request needed fields
+   GET /users/1?fields=id,name
+
+3. Pagination
+   GET /posts?page=1&limit=20
+   Headers: X-Total-Count: 1000
+            Link: <...page=2>; rel="next"
+
+4. GraphQL (for complex needs)
+   query {
+     user(id: 1) {
+       name
+       email
+       posts(first: 10) {
+         title
+       }
+     }
+   }
+```
+
+## Frontend Optimization
+
+### Critical Rendering Path
+```
+1. Eliminate render-blocking resources
+   - Async/defer scripts
+   - Inline critical CSS
+
+2. Minimize main thread work
+   - Code splitting
+   - Tree shaking
+
+3. Optimize images
+   - WebP/AVIF formats
+   - Responsive images
+   - Lazy loading
+```
+
+### Bundle Optimization
+```
+1. Code Splitting
+   const LazyComponent = React.lazy(() => import('./Heavy'))
+
+2. Tree Shaking
+   // Bad
+   import _ from 'lodash'
+   // Good
+   import debounce from 'lodash/debounce'
+
+3. Minification
+   - Terser for JS
+   - cssnano for CSS
+   - ImageOptim for images
+```
+
+## Cost-Benefit Analysis
+
+### Optimization ROI
+```
+Before optimizing, consider:
+1. How much time will this save?
+2. How many users affected?
+3. What's the development cost?
+4. What's the maintenance cost?
+
+Formula:
+ROI = (Time_saved × Users × Value_per_second) / Development_cost
+
+Example:
+- Optimization saves 100ms
+- 1M requests/day
+- $0.001 per second of user time
+- 2 days development
+
+ROI = (0.1s × 1M × $0.001) / (16h × $100/h)
+    = $100/day / $1600
+    = 16 days to break even
+```

package/.claude/skills/domain/architecture/security-architecture/SKILL.md

@@ -0,0 +1,206 @@
+---
+name: security-architecture
+description: |
+  Use when designing security architecture, threat modeling, or ensuring
+  compliance. Covers authentication patterns, authorization models,
+  threat modeling (STRIDE), and compliance frameworks.
+version: 1.0.0
+category: security
+tags:
+  - security
+  - threat-modeling
+  - authentication
+  - compliance
+dependencies: []
+references:
+  - references/threat-modeling.md
+  - references/auth-patterns.md
+  - references/compliance.md
+---
+
+# Security Architecture
+
+## Core Principle
+**Security by design, defense in depth, least privilege.**
+
+## When to Use This Skill
+
+### Trigger Conditions
+- Designing authentication/authorization system
+- Conducting threat modeling
+- Planning security controls
+- Addressing compliance requirements
+- Reviewing architecture for security
+
+### Keywords
+- "security architecture"
+- "authentication"
+- "authorization"
+- "threat model"
+- "compliance"
+- "encryption"
+
+## Security Principles
+
+### 1. Defense in Depth
+```
+Multiple layers of security:
+
+┌─────────────────────────────────────────┐
+│ Layer 1: Network Security (Firewall)    │
+├─────────────────────────────────────────┤
+│ Layer 2: Application Security (WAF)     │
+├─────────────────────────────────────────┤
+│ Layer 3: Authentication (Identity)      │
+├─────────────────────────────────────────┤
+│ Layer 4: Authorization (RBAC/ABAC)      │
+├─────────────────────────────────────────┤
+│ Layer 5: Data Security (Encryption)     │
+├─────────────────────────────────────────┤
+│ Layer 6: Audit Logging                  │
+└─────────────────────────────────────────┘
+```
+
+### 2. Least Privilege
+```
+Grant minimum permissions needed:
+- Users: Only access their data
+- Services: Only permissions for their function
+- Admins: Limited scope, time-bound elevation
+```
+
+### 3. Zero Trust
+```
+Never trust, always verify:
+- Verify every request
+- Authenticate every service
+- Encrypt all communication
+- Assume breach
+```
+
+## Authentication Patterns
+
+### OAuth 2.0 / OIDC
+```
+┌─────────┐     ┌─────────┐     ┌─────────┐
+│  User   │────▶│  Auth   │────▶│  App    │
+│         │     │ Server  │     │         │
+└─────────┘     └────┬────┘     └─────────┘
+                     │
+                Access Token
+                     │
+                     ▼
+               ┌─────────┐
+               │   API   │
+               └─────────┘
+
+Flows:
+- Authorization Code (web apps)
+- PKCE (mobile/SPA)
+- Client Credentials (service-to-service)
+```
+
+### JWT Pattern
+```
+JWT Structure:
+Header.Payload.Signature
+
+Best Practices:
+- Short expiration (15-60 min)
+- Refresh tokens for longevity
+- Validate signature always
+- Check claims (iss, aud, exp)
+- Don't store sensitive data
+```
+
+## Authorization Models
+
+### RBAC (Role-Based)
+```
+Roles → Permissions
+
+Admin → [read:*, write:*, delete:*]
+Editor → [read:*, write:*]
+Viewer → [read:*]
+
+User → Role → Permissions
+```
+
+### ABAC (Attribute-Based)
+```
+Attributes determine access:
+
+User: department=HR, level=manager
+Resource: type=salary_data
+Policy: department=HR AND level>employee
+
+More flexible, more complex
+```
+
+## Threat Modeling (STRIDE)
+
+| Threat | Description | Mitigation |
+|--------|-------------|------------|
+| **S**poofing | Impersonation | Authentication |
+| **T**ampering | Data modification | Integrity checks |
+| **R**epudiation | Deny actions | Audit logs |
+| **I**nfo Disclosure | Data leak | Encryption |
+| **D**enial of Service | Availability | Rate limiting |
+| **E**levation of Privilege | Unauthorized access | Authorization |
+
+## Security Checklist
+
+### Authentication
+- [ ] Strong password policy
+- [ ] Multi-factor authentication
+- [ ] Secure password recovery
+- [ ] Session management
+- [ ] Token revocation
+
+### Authorization
+- [ ] Role-based access control
+- [ ] Resource-level permissions
+- [ ] API authorization
+- [ ] Admin access controls
+
+### Data Protection
+- [ ] Encryption at rest
+- [ ] Encryption in transit (TLS)
+- [ ] Key management
+- [ ] Data classification
+
+### API Security
+- [ ] Input validation
+- [ ] Rate limiting
+- [ ] API keys/tokens
+- [ ] CORS configuration
+
+### Infrastructure
+- [ ] Network segmentation
+- [ ] Firewall rules
+- [ ] VPN/Bastion hosts
+- [ ] Patch management
+
+## Output
+
+When designing security:
+1. **Threat Model** - STRIDE analysis
+2. **Security Architecture** - Diagram with controls
+3. **Security ADR** - Key decisions
+4. **Compliance Checklist** - Requirements mapped
+
+## Rules
+
+### DO
+- ✅ Threat model every design
+- ✅ Encrypt sensitive data
+- ✅ Log security events
+- ✅ Validate all input
+- ✅ Use proven libraries
+
+### DON'T
+- ❌ Roll your own crypto
+- ❌ Store secrets in code
+- ❌ Trust user input
+- ❌ Skip security review
+- ❌ Ignore compliance

package/.claude/skills/domain/architecture/security-architecture/references/auth-patterns.md

@@ -0,0 +1,209 @@
+# Authentication & Authorization Patterns
+
+## Authentication Patterns
+
+### Session-Based Auth
+```
+┌─────────┐                      ┌─────────┐
+│  Client │──── Login ──────────▶│ Server  │
+│         │                      │         │
+│         │◀─── Set-Cookie ──────│         │
+│         │    (session_id)      │         │
+│         │                      │         │
+│         │──── Request + ──────▶│         │
+│         │    Cookie            │         │
+│         │                      │         │
+│         │◀─── Response ────────│         │
+└─────────┘                      └─────────┘
+
+Pros: Simple, server-controlled
+Cons: Server state, scaling challenges
+```
+
+### Token-Based Auth (JWT)
+```
+┌─────────┐                      ┌─────────┐
+│  Client │──── Login ──────────▶│  Auth   │
+│         │                      │ Server  │
+│         │◀─── JWT Token ───────│         │
+│         │                      └─────────┘
+│         │
+│         │──── Request + ──────▶┌─────────┐
+│         │    Bearer Token      │   API   │
+│         │                      │ Server  │
+│         │◀─── Response ────────│         │
+└─────────┘                      └─────────┘
+
+Pros: Stateless, scalable
+Cons: Token revocation complex
+```
+
+### OAuth 2.0 Flows
+
+#### Authorization Code Flow (Web Apps)
+```
+1. User → App: Click "Login with Google"
+2. App → User: Redirect to Google
+3. User → Google: Authenticate
+4. Google → User: Redirect with auth code
+5. User → App: Auth code
+6. App → Google: Exchange code for token
+7. Google → App: Access token + Refresh token
+8. App → API: Request with token
+```
+
+#### PKCE Flow (Mobile/SPA)
+```
+Adds code_verifier to Authorization Code:
+1. Generate code_verifier (random string)
+2. Create code_challenge = SHA256(verifier)
+3. Send challenge with auth request
+4. Exchange code + verifier for token
+5. Server verifies challenge matches
+```
+
+#### Client Credentials Flow (Service-to-Service)
+```
+┌─────────────┐                    ┌─────────────┐
+│   Service   │─── client_id/secret─▶│    Auth    │
+│     A       │                      │   Server   │
+│             │◀──── access_token ───│            │
+│             │                      └─────────────┘
+│             │
+│             │──── Request + ──────▶┌─────────────┐
+│             │    Bearer Token      │   Service   │
+│             │                      │      B      │
+└─────────────┘                      └─────────────┘
+```
+
+### OIDC (OpenID Connect)
+```
+Adds identity layer to OAuth 2.0:
+
+Standard Claims:
+- sub: Subject (user ID)
+- name: Full name
+- email: Email address
+- picture: Profile picture
+
+ID Token (JWT):
+{
+  "iss": "https://auth.example.com",
+  "sub": "user123",
+  "aud": "client_id",
+  "exp": 1234567890,
+  "iat": 1234560000,
+  "name": "John Doe",
+  "email": "john@example.com"
+}
+```
+
+## Authorization Patterns
+
+### Role-Based Access Control (RBAC)
+```
+┌─────────┐     ┌─────────┐     ┌─────────────┐
+│  User   │────▶│  Role   │────▶│ Permission  │
+└─────────┘     └─────────┘     └─────────────┘
+
+Example:
+User: alice
+Roles: [admin, developer]
+Permissions:
+  admin → [users:read, users:write, system:config]
+  developer → [code:read, code:write, deploy:staging]
+
+Implementation:
+def check_permission(user, action, resource):
+    for role in user.roles:
+        if action in role.permissions:
+            return True
+    return False
+```
+
+### Attribute-Based Access Control (ABAC)
+```
+Policy-based authorization:
+
+Policy:
+ALLOW IF user.department == resource.department
+      AND user.clearance >= resource.classification
+
+Attributes:
+- User: department, clearance, role
+- Resource: department, classification, owner
+- Environment: time, location, device
+
+Implementation:
+def evaluate_policy(user, resource, action, env):
+    policy = get_policy(action, resource.type)
+    return policy.evaluate(user, resource, env)
+```
+
+### Resource-Based Authorization
+```
+Check access to specific resource:
+
+def can_access_document(user, document):
+    if user.is_admin:
+        return True
+    if document.owner_id == user.id:
+        return True
+    if user.id in document.shared_with:
+        return True
+    return False
+```
+
+## Best Practices
+
+### Password Storage
+```
+✅ Use strong hashing:
+- bcrypt (cost factor 12+)
+- argon2id (preferred)
+- scrypt
+
+❌ Never use:
+- MD5, SHA1 (broken)
+- Plain text
+- Reversible encryption
+```
+
+### Session Management
+```
+- Generate cryptographically random session IDs
+- Set secure cookie flags: HttpOnly, Secure, SameSite
+- Implement session timeout
+- Regenerate session after login
+- Store minimal session data
+```
+
+### Token Security
+```
+JWT Best Practices:
+- Short expiration (15-60 min)
+- Use refresh tokens for longer sessions
+- Validate signature on every request
+- Check all claims (iss, aud, exp, iat)
+- Implement token revocation list
+- Don't store sensitive data in JWT
+```
+
+### MFA Implementation
+```
+Factors:
+1. Something you know (password)
+2. Something you have (phone, token)
+3. Something you are (biometric)
+
+Common Methods:
+- TOTP (Time-based OTP)
+- SMS OTP (less secure)
+- Push notifications
+- Hardware keys (YubiKey)
+
+Implementation:
+- Require MFA for sensitive operations
+- Offer backup codes
+- Handle device loss gracefully
+```