agcel 1.0.1

package/package.json

@@ -0,0 +1,54 @@
+{
+    "name": "agcel",
+    "version": "1.0.1",
+    "description": "Antigravity Context Engineering Library is a local MCP (Model Context Protocol) Server containing multiple skills, rules and workflows for end to end software development",
+    "main": "dist/index.js",
+    "bin": {
+        "agc": "./dist/index.js"
+    },
+    "files": [
+        "dist",
+        "skills",
+        ".agent",
+        "README.md",
+        "LICENSE"
+    ],
+    "scripts": {
+        "build": "tsc",
+        "start": "node dist/server/index.js",
+        "test": "echo \"Error: no test specified\" && exit 1"
+    },
+    "keywords": [
+        "mcp",
+        "cli",
+        "agent",
+        "skills"
+    ],
+    "author": "Bennie Ng <bennie.ng@agcel.io>",
+    "license": "MIT",
+    "repository": {
+        "type": "git",
+        "url": "https://github.com/bennie-ng/AgCel.git"
+    },
+    "homepage": "https://bennie-ng.github.io/AgCel",
+    "bugs": {
+        "url": "https://github.com/bennie-ng/AgCel/issues"
+    },
+    "dependencies": {
+        "@modelcontextprotocol/sdk": "^0.6.0",
+        "chalk": "^4.1.2",
+        "commander": "^11.1.0",
+        "cors": "^2.8.5",
+        "express": "^4.18.2",
+        "inquirer": "^8.2.6",
+        "zod": "^3.22.4"
+    },
+    "devDependencies": {
+        "@types/chalk": "^2.2.0",
+        "@types/cors": "^2.8.17",
+        "@types/express": "^4.17.21",
+        "@types/inquirer": "^9.0.7",
+        "@types/node": "^20.11.19",
+        "typescript": "^5.3.3"
+    }
+}

package/skills/api-security-best-practices/SKILL.md

@@ -0,0 +1,291 @@
+---
+name: api-security-best-practices
+description: "Implement secure API design patterns including authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities"
+---
+
+# API Security Best Practices
+
+## Overview
+
+Guide developers in building secure APIs by implementing authentication, authorization, input validation, rate limiting, and protection against common vulnerabilities. This skill covers security patterns for REST, GraphQL, and WebSocket APIs.
+
+## When to Use This Skill
+
+- Use when designing new API endpoints
+- Use when securing existing APIs
+- Use when implementing authentication and authorization
+- Use when protecting against API attacks (injection, DDoS, etc.)
+- Use when conducting API security reviews
+- Use when preparing for security audits
+- Use when implementing rate limiting and throttling
+- Use when handling sensitive data in APIs
+
+## How It Works
+
+### Step 1: Authentication & Authorization
+
+I'll help you implement secure authentication:
+- Choose authentication method (JWT, OAuth 2.0, API keys)
+- Implement token-based authentication
+- Set up role-based access control (RBAC)
+- Secure session management
+- Implement multi-factor authentication (MFA)
+
+### Step 2: Input Validation & Sanitization
+
+Protect against injection attacks:
+- Validate all input data
+- Sanitize user inputs
+- Use parameterized queries
+- Implement request schema validation
+- Prevent SQL injection, XSS, and command injection
+
+### Step 3: Rate Limiting & Throttling
+
+Prevent abuse and DDoS attacks:
+- Implement rate limiting per user/IP
+- Set up API throttling
+- Configure request quotas
+- Handle rate limit errors gracefully
+- Monitor for suspicious activity
+
+### Step 4: Data Protection
+
+Secure sensitive data:
+- Encrypt data in transit (HTTPS/TLS)
+- Encrypt sensitive data at rest
+- Implement proper error handling (no data leaks)
+- Sanitize error messages
+- Use secure headers
+
+### Step 5: API Security Testing
+
+Verify security implementation:
+- Test authentication and authorization
+- Perform penetration testing
+- Check for common vulnerabilities (OWASP API Top 10)
+- Validate input handling
+- Test rate limiting
+
+
+
+## Examples
+
+detailed code examples for **JWT Authentication**, **SQL Injection Prevention**, and **Rate Limiting** are available in the references:
+
+[View Code Examples](references/examples.md)
+
+## Best Practices
+
+### ✅ Do This
+
+- **Use HTTPS Everywhere** - Never send sensitive data over HTTP
+- **Implement Authentication** - Require authentication for protected endpoints
+- **Validate All Inputs** - Never trust user input
+- **Use Parameterized Queries** - Prevent SQL injection
+- **Implement Rate Limiting** - Protect against brute force and DDoS
+- **Hash Passwords** - Use bcrypt with salt rounds >= 10
+- **Use Short-Lived Tokens** - JWT access tokens should expire quickly
+- **Implement CORS Properly** - Only allow trusted origins
+- **Log Security Events** - Monitor for suspicious activity
+- **Keep Dependencies Updated** - Regularly update packages
+- **Use Security Headers** - Implement Helmet.js
+- **Sanitize Error Messages** - Don't leak sensitive information
+
+### ❌ Don't Do This
+
+- **Don't Store Passwords in Plain Text** - Always hash passwords
+- **Don't Use Weak Secrets** - Use strong, random JWT secrets
+- **Don't Trust User Input** - Always validate and sanitize
+- **Don't Expose Stack Traces** - Hide error details in production
+- **Don't Use String Concatenation for SQL** - Use parameterized queries
+- **Don't Store Sensitive Data in JWT** - JWTs are not encrypted
+- **Don't Ignore Security Updates** - Update dependencies regularly
+- **Don't Use Default Credentials** - Change all default passwords
+- **Don't Disable CORS Completely** - Configure it properly instead
+- **Don't Log Sensitive Data** - Sanitize logs
+
+## Anti-Patterns
+
+### Problem: JWT Secret Exposed in Code
+**Symptoms:** JWT secret hardcoded or committed to Git
+**Solution:**
+\`\`\`javascript
+// ❌ Bad
+const JWT_SECRET = 'my-secret-key';
+
+// ✅ Good
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET) {
+  throw new Error('JWT_SECRET environment variable is required');
+}
+
+// Generate strong secret
+// node -e "console.log(require('crypto').randomBytes(64).toString('hex'))"
+\`\`\`
+
+### Problem: Weak Password Requirements
+**Symptoms:** Users can set weak passwords like "password123"
+**Solution:**
+\`\`\`javascript
+const passwordSchema = z.string()
+  .min(12, 'Password must be at least 12 characters')
+  .regex(/[A-Z]/, 'Must contain uppercase letter')
+  .regex(/[a-z]/, 'Must contain lowercase letter')
+  .regex(/[0-9]/, 'Must contain number')
+  .regex(/[^A-Za-z0-9]/, 'Must contain special character');
+
+// Or use a password strength library
+const zxcvbn = require('zxcvbn');
+const result = zxcvbn(password);
+if (result.score < 3) {
+  return res.status(400).json({
+    error: 'Password too weak',
+    suggestions: result.feedback.suggestions
+  });
+}
+\`\`\`
+
+### Problem: Missing Authorization Checks
+**Symptoms:** Users can access resources they shouldn't
+**Solution:**
+\`\`\`javascript
+// ❌ Bad: Only checks authentication
+app.delete('/api/posts/:id', authenticateToken, async (req, res) => {
+  await prisma.post.delete({ where: { id: req.params.id } });
+  res.json({ success: true });
+});
+
+// ✅ Good: Checks both authentication and authorization
+app.delete('/api/posts/:id', authenticateToken, async (req, res) => {
+  const post = await prisma.post.findUnique({
+    where: { id: req.params.id }
+  });
+  
+  if (!post) {
+    return res.status(404).json({ error: 'Post not found' });
+  }
+  
+  // Check if user owns the post or is admin
+  if (post.userId !== req.user.userId && req.user.role !== 'admin') {
+    return res.status(403).json({ 
+      error: 'Not authorized to delete this post' 
+    });
+  }
+  
+  await prisma.post.delete({ where: { id: req.params.id } });
+  res.json({ success: true });
+});
+\`\`\`
+
+### Problem: Verbose Error Messages
+**Symptoms:** Error messages reveal system details
+**Solution:**
+\`\`\`javascript
+// ❌ Bad: Exposes database details
+app.post('/api/users', async (req, res) => {
+  try {
+    const user = await prisma.user.create({ data: req.body });
+    res.json(user);
+  } catch (error) {
+    res.status(500).json({ error: error.message });
+    // Error: "Unique constraint failed on the fields: (`email`)"
+  }
+});
+
+// ✅ Good: Generic error message
+app.post('/api/users', async (req, res) => {
+  try {
+    const user = await prisma.user.create({ data: req.body });
+    res.json(user);
+  } catch (error) {
+    console.error('User creation error:', error); // Log full error
+    
+    if (error.code === 'P2002') {
+      return res.status(400).json({ 
+        error: 'Email already exists' 
+      });
+    }
+    
+    res.status(500).json({ 
+      error: 'An error occurred while creating user' 
+    });
+  }
+});
+\`\`\`
+
+## Security Checklist
+
+### Authentication & Authorization
+- [ ] Implement strong authentication (JWT, OAuth 2.0)
+- [ ] Use HTTPS for all endpoints
+- [ ] Hash passwords with bcrypt (salt rounds >= 10)
+- [ ] Implement token expiration
+- [ ] Add refresh token mechanism
+- [ ] Verify user authorization for each request
+- [ ] Implement role-based access control (RBAC)
+
+### Input Validation
+- [ ] Validate all user inputs
+- [ ] Use parameterized queries or ORM
+- [ ] Sanitize HTML content
+- [ ] Validate file uploads
+- [ ] Implement request schema validation
+- [ ] Use allowlists, not blocklists
+
+### Rate Limiting & DDoS Protection
+- [ ] Implement rate limiting per user/IP
+- [ ] Add stricter limits for auth endpoints
+- [ ] Use Redis for distributed rate limiting
+- [ ] Return proper rate limit headers
+- [ ] Implement request throttling
+
+### Data Protection
+- [ ] Use HTTPS/TLS for all traffic
+- [ ] Encrypt sensitive data at rest
+- [ ] Don't store sensitive data in JWT
+- [ ] Sanitize error messages
+- [ ] Implement proper CORS configuration
+- [ ] Use security headers (Helmet.js)
+
+### Monitoring & Logging
+- [ ] Log security events
+- [ ] Monitor for suspicious activity
+- [ ] Set up alerts for failed auth attempts
+- [ ] Track API usage patterns
+- [ ] Don't log sensitive data
+
+## OWASP API Security Top 10
+
+1. **Broken Object Level Authorization** - Always verify user can access resource
+2. **Broken Authentication** - Implement strong authentication mechanisms
+3. **Broken Object Property Level Authorization** - Validate which properties user can access
+4. **Unrestricted Resource Consumption** - Implement rate limiting and quotas
+5. **Broken Function Level Authorization** - Verify user role for each function
+6. **Unrestricted Access to Sensitive Business Flows** - Protect critical workflows
+7. **Server Side Request Forgery (SSRF)** - Validate and sanitize URLs
+8. **Security Misconfiguration** - Use security best practices and headers
+9. **Improper Inventory Management** - Document and secure all API endpoints
+10. **Unsafe Consumption of APIs** - Validate data from third-party APIs
+
+## Related Skills
+
+- [vulnerability-scanner](../vulnerability-scanner/SKILL.md) - Security testing perspective
+- [sql-injection-testing](../sql-injection-testing/SKILL.md) - Testing for SQL injection
+- [secure-refactoring](../secure-refactoring/SKILL.md) - Fixing security issues
+
+## Additional Resources
+
+- [OWASP API Security Top 10](https://owasp.org/www-project-api-security/)
+- [JWT Best Practices](https://tools.ietf.org/html/rfc8725)
+- [Express Security Best Practices](https://expressjs.com/en/advanced/best-practice-security.html)
+- [Node.js Security Checklist](https://blog.risingstack.com/node-js-security-checklist/)
+- [API Security Checklist](https://github.com/shieldfy/API-Security-Checklist)
+
+---
+
+**Pro Tip:** Security is not a one-time task - regularly audit your APIs, keep dependencies updated, and stay informed about new vulnerabilities!
+
+
+## Gap Analysis Rule
+Always identify gaps and suggest next steps to users. In case there is no gaps anymore, then AI should clearly state that there is no gap left.