agentic-qe 3.8.1 → 3.8.3

package/.claude/skills/risk-based-testing/SKILL.md

@@ -16,28 +16,16 @@ validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
   eval_path: evals/risk-based-testing.yaml
-
 ---
 
 # Risk-Based Testing
 
 <default_to_action>
 When planning tests or allocating testing resources:
-1. IDENTIFY risks: What can go wrong? What's the impact? What's the likelihood?
-2. CALCULATE risk: Risk = Probability × Impact (use 1-5 scale for each)
-3. PRIORITIZE: Critical (20+) → High (12-19) → Medium (6-11) → Low (1-5)
-4. ALLOCATE effort: 60% critical, 25% high, 10% medium, 5% low
-5. REASSESS continuously: New info, changes, production incidents
-
-**Quick Risk Assessment:**
-- Probability factors: Complexity, change frequency, developer experience, technical debt
-- Impact factors: User count, revenue, safety, reputation, regulatory
-- Dynamic adjustment: Production bugs increase risk; stable code decreases
-
-**Critical Success Factors:**
-- Test where bugs hurt most, not everywhere equally
-- Risk is dynamic - reassess with new information
-- Production data informs risk (shift-right feeds shift-left)
+1. IDENTIFY risks per component (use 1-5 scale for probability and impact)
+2. PRIORITIZE: Critical (20+) → High (12-19) → Medium (6-11) → Low (1-5)
+3. ALLOCATE effort: 60% critical, 25% high, 10% medium, 5% low
+4. REASSESS continuously: Production incidents raise risk; stable code lowers it
 </default_to_action>
 
 ## Quick Reference Card
@@ -48,11 +36,7 @@ When planning tests or allocating testing resources:
 - Allocating limited testing time
 - Justifying test coverage decisions
 
-### Risk Calculation
-```
-Risk Score = Probability (1-5) × Impact (1-5)
-```
-
+### Effort Allocation by Risk Score
 | Score | Priority | Effort | Action |
 |-------|----------|--------|--------|
 | 20-25 | Critical | 60% | Comprehensive testing, multiple techniques |
@@ -60,37 +44,9 @@ Risk Score = Probability (1-5) × Impact (1-5)
 | 6-11 | Medium | 10% | Standard testing, basic automation |
 | 1-5 | Low | 5% | Smoke test, exploratory only |
 
-### Probability Factors
-| Factor | Low (1) | Medium (3) | High (5) |
-|--------|---------|------------|----------|
-| Complexity | Simple CRUD | Business logic | Algorithms, integrations |
-| Change Rate | Stable 6+ months | Monthly changes | Weekly/daily changes |
-| Developer Experience | Senior, domain expert | Mid-level | Junior, new to codebase |
-| Technical Debt | Clean code | Some debt | Legacy, no tests |
-
-### Impact Factors
-| Factor | Low (1) | Medium (3) | High (5) |
-|--------|---------|------------|----------|
-| Users Affected | Admin only | Department | All users |
-| Revenue | None | Indirect | Direct (checkout) |
-| Safety | Convenience | Data loss | Physical harm |
-| Reputation | Internal | Industry | Public scandal |
-
 ---
 
-## Risk Assessment Workflow
-
-### Step 1: List Features/Components
-```
-Feature | Probability | Impact | Risk | Priority
---------|-------------|--------|------|----------
-Checkout | 4 | 5 | 20 | Critical
-User Auth | 3 | 5 | 15 | High
-Admin Panel | 2 | 2 | 4 | Low
-Search | 3 | 3 | 9 | Medium
-```
-
-### Step 2: Apply Test Depth
+## Apply Test Depth by Risk
 ```typescript
 await Task("Risk-Based Test Generation", {
   critical: {
@@ -207,6 +163,4 @@ const riskFleet = await FleetManager.coordinate({
 
 ## Remember
 
-**Risk = Probability × Impact.** Test where bugs hurt most. Critical gets 60%, low gets 5%. Risk is dynamic - reassess with new info. Production incidents raise risk scores.
-
 **With Agents:** Agents calculate risk using ML on historical data, select risk-appropriate tests, and adjust scores from production feedback. Use agents to maintain dynamic risk profiles at scale.

package/.claude/skills/security-testing/SKILL.md

@@ -295,6 +295,10 @@ API keys in code → **Environment variables, secret management**
 
 ---
 
+## Compliance & Agent CLI
+
+For v3 agent-specific commands (`aqe security ...`), SAST/DAST scanning code, compliance audits (SOC2/GDPR/HIPAA), secret detection, and security gates, see [references/compliance-agent-commands.md](references/compliance-agent-commands.md).
+
 ## Related Skills
 - [agentic-quality-engineering](../agentic-quality-engineering/) - Security with agents
 - [api-testing-patterns](../api-testing-patterns/) - API security testing
@@ -309,3 +313,29 @@ API keys in code → **Environment variables, secret management**
 **Test continuously:** Security testing is ongoing, not one-time.
 
 **With Agents:** Agents automate vulnerability scanning, track remediation, and validate fixes. Use agents to maintain security posture at scale.
+
+## Run History
+
+After each security scan, append results to `run-history.json` in this skill directory:
+```bash
+node -e "
+const fs = require('fs');
+const h = JSON.parse(fs.readFileSync('.claude/skills/security-testing/run-history.json'));
+h.runs.push({date: new Date().toISOString().split('T')[0], scan_types: ['sast','deps'], findings: {critical: 0, high: 0, medium: 0, low: 0}});
+fs.writeFileSync('.claude/skills/security-testing/run-history.json', JSON.stringify(h, null, 2));
+"
+```
+Read `run-history.json` before each scan — track finding count by severity over time. Alert if critical findings increase.
+
+## Skill Composition
+
+- **During code review** → Use with `/code-review-quality` for combined quality + security review
+- **Validate findings** → Use `/pentest-validation` to prove exploitability
+- **Compliance** → Use `/compliance-testing` for regulatory requirements
+
+## Gotchas
+
+- `npm audit` may report false positives for dev dependencies — filter with `--omit=dev` for production-relevant results
+- Agent may skip DAST in favor of faster SAST-only scans — explicitly request both if needed
+- security-compliance domain has 100% success rate — use as model for other skill reliability
+- When scanning dependencies, check both direct and transitive — `npm audit --all` catches nested vulnerabilities

package/.claude/skills/security-testing/config.json

@@ -0,0 +1,13 @@
+{
+  "$schema": "./config-schema.json",
+  "_description": "Security Testing configuration. Auto-created on first run. Edit to customize.",
+  "severity_threshold": "high",
+  "scan_types": ["sast", "deps"],
+  "owasp_version": "2021",
+  "options": {
+    "includeDevDependencies": false,
+    "autoFix": false,
+    "reportFormat": "json"
+  },
+  "_setupPrompt": "If severity_threshold is default, ask: 'What minimum severity should block deployment? (critical/high/medium/low)'. If scan_types only has defaults, ask: 'Which scan types to run? (sast/dast/deps/secrets — comma-separated)'."
+}

package/.claude/skills/security-testing/references/compliance-agent-commands.md

@@ -0,0 +1,131 @@
+# Security Testing — Compliance & Agent CLI Commands
+
+Merged from `qe-security-compliance`. Use these for v3 agent-specific security/compliance capabilities.
+
+## AQE CLI Commands
+
+```bash
+# Full security scan
+aqe security scan --scope src/ --checks all
+
+# Vulnerability check
+aqe security vulns --dependencies --severity critical,high
+
+# Compliance audit
+aqe security compliance --standard soc2 --output report.html
+
+# OWASP check
+aqe security owasp --top-10 --scope src/
+```
+
+## Agent Workflow
+
+```typescript
+// Security audit
+Task("Security audit", `
+  Perform comprehensive security audit:
+  - SAST scan for code vulnerabilities
+  - Dependency vulnerability check
+  - Secret detection in code and configs
+  - OWASP Top 10 validation
+  Generate security report with remediation steps.
+`, "qe-security-auditor")
+
+// Compliance validation
+Task("SOC2 compliance check", `
+  Validate SOC2 compliance requirements:
+  - Access control verification
+  - Encryption validation
+  - Audit logging check
+  - Data retention compliance
+  Generate compliance evidence report.
+`, "qe-compliance-checker")
+```
+
+## SAST Scanning
+
+```typescript
+await securityScanner.staticAnalysis({
+  scope: 'src/**/*.ts',
+  checks: ['sql-injection', 'xss', 'command-injection', 'path-traversal', 'insecure-crypto', 'hardcoded-secrets'],
+  rules: 'owasp-top-10',
+  severity: ['critical', 'high', 'medium']
+});
+```
+
+## Dependency Scanning
+
+```typescript
+await securityScanner.dependencyCheck({
+  sources: ['package.json', 'package-lock.json'],
+  checks: { knownVulnerabilities: true, outdatedPackages: true, licenseCompliance: true, supplyChainRisk: true },
+  severity: ['critical', 'high'],
+  autoFix: { enabled: true, dryRun: false }
+});
+```
+
+## Compliance Audit
+
+```typescript
+await complianceChecker.audit({
+  standards: ['SOC2', 'GDPR', 'HIPAA'],
+  scope: { code: 'src/', configs: 'config/', infrastructure: 'terraform/' },
+  output: { gaps: true, evidence: true, recommendations: true }
+});
+```
+
+## Secret Detection
+
+```typescript
+await securityScanner.detectSecrets({
+  scope: ['.', 'config/', '.env*'],
+  patterns: ['api-keys', 'passwords', 'tokens', 'private-keys', 'connection-strings'],
+  exclude: ['*.test.ts', 'mocks/'],
+  action: { onDetect: 'block', notify: ['security-team'] }
+});
+```
+
+## Security Gates
+
+```yaml
+security_gates:
+  block_merge:
+    - critical_vulnerabilities > 0
+    - high_vulnerabilities > 2
+    - secrets_detected > 0
+    - compliance_failures > 0
+  warn:
+    - medium_vulnerabilities > 5
+    - outdated_dependencies > 10
+  enforce:
+    - signed_commits: required
+    - code_review: required
+    - security_scan: required
+```
+
+## Compliance Standards Coverage
+
+| Standard | Scope | Auto-Check |
+|----------|-------|------------|
+| SOC2 | Security controls | Partial |
+| GDPR | Data privacy | Partial |
+| HIPAA | Health data | Partial |
+| PCI-DSS | Payment data | Yes |
+| ISO 27001 | InfoSec | Partial |
+
+## Security Report Interface
+
+```typescript
+interface SecurityReport {
+  summary: { score: number; critical: number; high: number; medium: number; low: number };
+  vulnerabilities: { id: string; type: string; severity: string; location: string; description: string; remediation: string; cwe: string; owasp: string }[];
+  dependencies: { vulnerable: number; outdated: number; details: DependencyVuln[] };
+  compliance: { standard: string; status: 'compliant' | 'non-compliant' | 'partial'; gaps: ComplianceGap[]; evidence: Evidence[] }[];
+  secrets: { detected: number; locations: SecretLocation[] };
+}
+```
+
+## Coordination
+
+**Primary Agents**: qe-security-auditor, qe-security-scanner, qe-compliance-checker
+**Coordinator**: qe-security-coordinator

package/.claude/skills/security-testing/references/owasp-top-10.md

@@ -0,0 +1,66 @@
+# OWASP Top 10 (2021) Quick Reference
+
+## A01: Broken Access Control
+- Test: Horizontal privilege escalation (user A accessing user B's data)
+- Test: Vertical privilege escalation (user accessing admin endpoints)
+- Test: IDOR on every object reference (change IDs in URLs/params)
+- Test: Missing function-level access control on API endpoints
+- Common miss: Admin APIs accessible without auth check
+
+## A02: Cryptographic Failures
+- Test: TLS version (require 1.2+, reject 1.0/1.1)
+- Test: Password hashing (bcrypt/argon2, never MD5/SHA1)
+- Test: Sensitive data in URLs/logs/error messages
+- Test: Cookie flags (Secure, HttpOnly, SameSite)
+- Common miss: API keys in client-side JavaScript
+
+## A03: Injection
+- Test: SQL injection on all input fields (parameterized queries?)
+- Test: XSS (reflected, stored, DOM-based) — try `<script>alert(1)</script>` and encoded variants
+- Test: Command injection on any server-side exec
+- Test: NoSQL injection on MongoDB queries
+- Common miss: Second-order SQL injection via stored data
+
+## A04: Insecure Design
+- Test: Business logic flaws (negative quantities, race conditions)
+- Test: Missing rate limiting on sensitive endpoints
+- Test: Lack of resource quotas
+- Common miss: Discount codes applied multiple times
+
+## A05: Security Misconfiguration
+- Test: Default credentials on all services
+- Test: Unnecessary HTTP methods (OPTIONS, TRACE)
+- Test: Directory listing enabled
+- Test: Stack traces in error responses
+- Common miss: S3 bucket with public ACL
+
+## A06: Vulnerable Components
+- Test: `npm audit` / `snyk test` for known CVEs
+- Test: Outdated framework versions
+- Test: Abandoned dependencies (no updates in 2+ years)
+- Common miss: Transitive dependencies with critical CVEs
+
+## A07: Auth Failures
+- Test: Credential stuffing protection (rate limiting, captcha)
+- Test: Session fixation (new session ID after login)
+- Test: JWT validation (algorithm confusion, expiry, signature)
+- Test: MFA bypass attempts
+- Common miss: Password reset token doesn't expire
+
+## A08: Software/Data Integrity
+- Test: CI/CD pipeline integrity (signed commits, reviewed PRs)
+- Test: Dependency integrity (lock files, SRI hashes)
+- Test: Deserialization attacks
+- Common miss: Auto-update mechanism without signature verification
+
+## A09: Logging/Monitoring Failures
+- Test: Failed login attempts logged with IP
+- Test: Sensitive data NOT in logs (passwords, tokens)
+- Test: Log injection prevention
+- Common miss: No alerting on repeated auth failures
+
+## A10: SSRF
+- Test: URL parameters that fetch external resources
+- Test: Internal network access via URL manipulation
+- Test: Cloud metadata endpoint access (169.254.169.254)
+- Common miss: Redirect chains bypassing allowlists

package/.claude/skills/security-testing/run-history.json

@@ -0,0 +1,6 @@
+{
+  "_description": "Security testing run history. Append after each scan. Claude reads this to track finding severity trends.",
+  "_format": "Each entry: {date, scope, scan_types, findings: {critical, high, medium, low, info}, new_since_last, fixed_since_last}",
+  "_instructions": "After running security scan, append results here. Track finding count by severity over time. Alert if critical findings increase.",
+  "runs": []
+}

package/.claude/skills/security-testing/templates/security-report.md

@@ -0,0 +1,44 @@
+# Security Assessment Report
+
+**Project**: {{project_name}}
+**Date**: {{date}}
+**Assessed by**: {{assessor}}
+**Scope**: {{scope_description}}
+
+## Executive Summary
+
+| Severity | Count | Fixed | Remaining |
+|----------|-------|-------|-----------|
+| Critical | | | |
+| High | | | |
+| Medium | | | |
+| Low | | | |
+| Info | | | |
+
+**Overall Risk Level**: {{risk_level}}
+**Recommendation**: {{ship/hold/remediate}}
+
+## Findings
+
+### Finding 1: {{title}}
+- **Severity**: {{critical/high/medium/low}}
+- **OWASP Category**: {{A01-A10}}
+- **Location**: {{file:line or endpoint}}
+- **Description**: {{what was found}}
+- **Impact**: {{what an attacker could do}}
+- **Reproduction**:
+  1. {{step 1}}
+  2. {{step 2}}
+- **Remediation**: {{how to fix}}
+- **Status**: {{open/fixed/accepted}}
+
+## Tools Used
+- [ ] npm audit
+- [ ] Semgrep SAST
+- [ ] OWASP ZAP DAST
+- [ ] Manual review
+- [ ] Secrets scanning
+
+## Sign-off
+- [ ] All critical/high findings addressed or accepted with risk justification
+- [ ] Remediation verified with re-test

package/.claude/skills/security-visual-testing/SKILL.md

@@ -16,7 +16,6 @@ validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
   eval_path: evals/security-visual-testing.yaml
-
 ---
 
 # Security Visual Testing

package/.claude/skills/security-watch/SKILL.md

@@ -0,0 +1,93 @@
+---
+name: security-watch
+description: "Use when working on security-sensitive code to catch secrets, eval(), innerHTML, and other dangerous patterns before they're written. Activate with /security-watch for real-time security scanning."
+user-invocable: true
+---
+
+# Security Watch Mode
+
+When activated, scans every file write for common security anti-patterns and blocks dangerous code from being committed.
+
+## What It Does
+
+Flags or blocks writes containing:
+- **Secrets**: API keys, passwords, tokens, private keys in source code
+- **Dangerous functions**: `eval()`, `Function()`, `innerHTML`, `dangerouslySetInnerHTML`
+- **Injection vectors**: Unsanitized template literals in SQL/shell commands
+- **Insecure config**: `http://` URLs, disabled TLS verification, `*` CORS origins
+
+## Activation
+
+```
+/security-watch
+```
+
+## Hook Configuration
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Write|Edit",
+        "hook": ".claude/skills/security-watch/scripts/scan-security.sh"
+      }
+    ]
+  }
+}
+```
+
+## Detection Patterns
+
+```bash
+#!/bin/bash
+# scan-security.sh
+CONTENT="$1"
+ISSUES=0
+
+# Secrets detection
+SECRET_PATTERNS=(
+  'AKIA[0-9A-Z]{16}'                    # AWS Access Key
+  'sk-[a-zA-Z0-9]{48}'                  # OpenAI API Key
+  'ghp_[a-zA-Z0-9]{36}'                 # GitHub Personal Token
+  'password\s*[:=]\s*["\x27][^"\x27]+'  # Hardcoded passwords
+  'BEGIN (RSA |EC )?PRIVATE KEY'         # Private keys
+  'sk_live_[a-zA-Z0-9]+'                # Stripe secret key
+)
+
+for pattern in "${SECRET_PATTERNS[@]}"; do
+  if echo "$CONTENT" | grep -qP "$pattern"; then
+    echo "BLOCKED: Potential secret detected matching pattern: $pattern"
+    ISSUES=$((ISSUES + 1))
+  fi
+done
+
+# Dangerous functions
+DANGER_PATTERNS=(
+  '\beval\s*\('
+  '\bFunction\s*\('
+  '\.innerHTML\s*='
+  'dangerouslySetInnerHTML'
+  'child_process.*exec\('
+  '\$\{.*\}.*(?:SELECT|INSERT|UPDATE|DELETE)'
+)
+
+for pattern in "${DANGER_PATTERNS[@]}"; do
+  if echo "$CONTENT" | grep -qP "$pattern"; then
+    echo "WARNING: Dangerous pattern detected: $pattern"
+    ISSUES=$((ISSUES + 1))
+  fi
+done
+
+if [ $ISSUES -gt 0 ]; then
+  echo "Found $ISSUES security issues. Review before proceeding."
+  exit 1
+fi
+```
+
+## Gotchas
+
+- False positives on test fixtures that intentionally contain patterns like `eval()` — use `// security-watch:ignore` comment
+- Base64-encoded secrets won't be caught — this scans for plaintext patterns only
+- Template literal injection detection has false positives on safe string interpolation — review warnings carefully
+- This is a first line of defense, not a replacement for proper security review

package/.claude/skills/security-watch/scripts/scan-security.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# scan-security.sh — Security Watch hook
+# Scans file content for security anti-patterns before writes.
+# Called by PreToolUse hook on Write/Edit.
+
+CONTENT="$1"
+ISSUES=0
+
+if [ -z "$CONTENT" ]; then
+  CONTENT=$(cat)
+fi
+
+# Secret patterns
+for pattern in 'AKIA[0-9A-Z]{16}' 'sk-[a-zA-Z0-9]{48}' 'ghp_[a-zA-Z0-9]{36}' 'BEGIN (RSA |EC )?PRIVATE KEY' 'sk_live_[a-zA-Z0-9]+'; do
+  if echo "$CONTENT" | grep -qP "$pattern" 2>/dev/null; then
+    echo "BLOCKED: Potential secret detected (pattern: $pattern)"
+    ISSUES=$((ISSUES + 1))
+  fi
+done
+
+# Hardcoded password patterns
+if echo "$CONTENT" | grep -qP 'password\s*[:=]\s*["\x27][^"\x27]{3,}' 2>/dev/null; then
+  echo "BLOCKED: Possible hardcoded password detected"
+  ISSUES=$((ISSUES + 1))
+fi
+
+# Dangerous function patterns
+for pattern in '\beval\s*\(' '\bFunction\s*\(' '\.innerHTML\s*=' 'dangerouslySetInnerHTML'; do
+  if echo "$CONTENT" | grep -qP "$pattern" 2>/dev/null; then
+    echo "WARNING: Dangerous pattern: $pattern"
+    ISSUES=$((ISSUES + 1))
+  fi
+done
+
+# SQL injection risk
+if echo "$CONTENT" | grep -qP '\$\{.*\}.*(SELECT|INSERT|UPDATE|DELETE|DROP)' 2>/dev/null; then
+  echo "WARNING: Possible SQL injection — template literal in SQL query"
+  ISSUES=$((ISSUES + 1))
+fi
+
+if [ $ISSUES -gt 0 ]; then
+  echo "Found $ISSUES security issue(s). Review before proceeding."
+  exit 1
+fi
+
+exit 0

package/.claude/skills/sherlock-review/SKILL.md

@@ -15,7 +15,6 @@ trust_tier: 2
 validation:
   schema_path: schemas/output.json
   validator_path: scripts/validate-config.json
-
 ---
 
 # Sherlock Review