agileflow 3.4.3 → 4.0.0-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (754) hide show
  1. package/CHANGELOG.md +235 -499
  2. package/README.md +22 -114
  3. package/bin/agileflow.js +15 -0
  4. package/bin/hooks/pre-bash.js +35 -0
  5. package/bin/hooks/pre-compact.js +34 -0
  6. package/bin/hooks/pre-edit.js +32 -0
  7. package/bin/hooks/pre-write.js +32 -0
  8. package/bin/hooks/session-start.js +42 -0
  9. package/bin/hooks/stop.js +34 -0
  10. package/content/plugins/ads/plugin.yaml +14 -0
  11. package/content/plugins/audit/plugin.yaml +14 -0
  12. package/content/plugins/core/hooks/session-welcome.js +19 -0
  13. package/content/plugins/core/plugin.yaml +34 -0
  14. package/content/plugins/core/skills/agileflow-adr/SKILL.md +179 -0
  15. package/content/plugins/core/skills/agileflow-babysit-mentor/SKILL.md +144 -0
  16. package/content/plugins/core/skills/agileflow-epic-planner/SKILL.md +179 -0
  17. package/content/plugins/core/skills/agileflow-status-updater/SKILL.md +132 -0
  18. package/content/plugins/core/skills/agileflow-story-writer/SKILL.md +200 -0
  19. package/content/plugins/council/plugin.yaml +14 -0
  20. package/content/plugins/seo/plugin.yaml +14 -0
  21. package/package.json +29 -49
  22. package/src/cli/commands/doctor.js +159 -0
  23. package/src/cli/commands/hook.js +80 -0
  24. package/src/cli/commands/setup.js +254 -0
  25. package/src/cli/commands/status.js +47 -0
  26. package/src/cli/commands/update.js +82 -0
  27. package/src/cli/index.js +73 -0
  28. package/src/cli/wizard/ide-picker.js +57 -0
  29. package/src/cli/wizard/personalization.js +64 -0
  30. package/src/cli/wizard/plugin-picker.js +106 -0
  31. package/src/lib/hash.js +41 -0
  32. package/src/runtime/config/defaults.js +45 -0
  33. package/src/runtime/config/loader.js +118 -0
  34. package/src/runtime/config/schema.json +76 -0
  35. package/src/runtime/config/writer.js +54 -0
  36. package/src/runtime/hooks/aggregator.js +133 -0
  37. package/src/runtime/hooks/chain.js +93 -0
  38. package/src/runtime/hooks/logger.js +68 -0
  39. package/src/runtime/hooks/manifest-loader.js +228 -0
  40. package/src/runtime/hooks/orchestrator.js +322 -0
  41. package/src/runtime/ide/capabilities.js +111 -0
  42. package/src/runtime/ide/claude-code-settings.js +234 -0
  43. package/src/runtime/ide/claude-code-skills.js +202 -0
  44. package/src/runtime/installer/file-index.js +112 -0
  45. package/src/runtime/installer/install.js +306 -0
  46. package/src/runtime/installer/stash.js +61 -0
  47. package/src/runtime/installer/sync-engine.js +205 -0
  48. package/src/runtime/plugins/registry.js +132 -0
  49. package/src/runtime/plugins/resolver.js +138 -0
  50. package/src/runtime/plugins/validator.js +196 -0
  51. package/src/runtime/skills/validator.js +335 -0
  52. package/lib/README.md +0 -178
  53. package/lib/api-routes.js +0 -625
  54. package/lib/api-server.js +0 -278
  55. package/lib/cache-provider.js +0 -155
  56. package/lib/codebase-indexer.js +0 -819
  57. package/lib/colors.generated.js +0 -117
  58. package/lib/colors.js +0 -341
  59. package/lib/consent.js +0 -232
  60. package/lib/content-sanitizer.js +0 -464
  61. package/lib/correlation.js +0 -277
  62. package/lib/drivers/claude-driver.ts +0 -312
  63. package/lib/drivers/codex-driver.ts +0 -464
  64. package/lib/drivers/driver-manager.ts +0 -159
  65. package/lib/drivers/gemini-driver.ts +0 -498
  66. package/lib/drivers/index.ts +0 -17
  67. package/lib/error-codes.js +0 -590
  68. package/lib/errors.js +0 -670
  69. package/lib/feature-flags.js +0 -171
  70. package/lib/feedback.js +0 -595
  71. package/lib/file-cache.js +0 -541
  72. package/lib/flag-detection.js +0 -344
  73. package/lib/format-error.js +0 -156
  74. package/lib/gate-runner.js +0 -282
  75. package/lib/generator-factory.js +0 -333
  76. package/lib/git-operations.js +0 -266
  77. package/lib/lazy-require.js +0 -59
  78. package/lib/lock-file.js +0 -144
  79. package/lib/logger.js +0 -106
  80. package/lib/merge-operations.js +0 -1006
  81. package/lib/path-resolver.js +0 -544
  82. package/lib/path-utils.js +0 -49
  83. package/lib/paths.js +0 -291
  84. package/lib/placeholder-registry.js +0 -822
  85. package/lib/process-executor.js +0 -214
  86. package/lib/progress.js +0 -334
  87. package/lib/protocol/driver.ts +0 -354
  88. package/lib/protocol/index.ts +0 -12
  89. package/lib/protocol/ir.ts +0 -271
  90. package/lib/registry-cache.js +0 -80
  91. package/lib/registry-di.js +0 -358
  92. package/lib/result-schema.js +0 -363
  93. package/lib/result.js +0 -210
  94. package/lib/session-display.js +0 -331
  95. package/lib/session-operations.js +0 -611
  96. package/lib/session-registry.js +0 -484
  97. package/lib/session-state-machine.js +0 -465
  98. package/lib/session-switching.js +0 -191
  99. package/lib/skill-loader.js +0 -213
  100. package/lib/smart-json-file.js +0 -682
  101. package/lib/state-machine.js +0 -286
  102. package/lib/table-formatter.js +0 -519
  103. package/lib/template-loader.js +0 -143
  104. package/lib/transient-status.js +0 -374
  105. package/lib/ui-manager.js +0 -612
  106. package/lib/validate-args.js +0 -213
  107. package/lib/validate-commands.js +0 -308
  108. package/lib/validate-names.js +0 -143
  109. package/lib/validate-paths.js +0 -434
  110. package/lib/validate.js +0 -134
  111. package/lib/worktree-operations.js +0 -201
  112. package/lib/yaml-utils.js +0 -164
  113. package/scripts/README.md +0 -267
  114. package/scripts/af +0 -34
  115. package/scripts/agent-loop.js +0 -879
  116. package/scripts/agileflow-configure.js +0 -368
  117. package/scripts/agileflow-statusline.sh +0 -857
  118. package/scripts/agileflow-welcome.js +0 -2246
  119. package/scripts/api-server-runner.js +0 -177
  120. package/scripts/archive-completed-stories.sh +0 -308
  121. package/scripts/auto-self-improve.js +0 -326
  122. package/scripts/automation-run-due.js +0 -128
  123. package/scripts/babysit-clear-restore.js +0 -154
  124. package/scripts/babysit-context-restore.js +0 -89
  125. package/scripts/backfill-ideation-status.js +0 -128
  126. package/scripts/batch-pmap-loop.js +0 -551
  127. package/scripts/check-sessions.js +0 -116
  128. package/scripts/check-update.js +0 -282
  129. package/scripts/ci-summary.js +0 -294
  130. package/scripts/claude-smart.sh +0 -85
  131. package/scripts/claude-tmux.sh +0 -737
  132. package/scripts/claude-watchdog.sh +0 -225
  133. package/scripts/clear-active-command.js +0 -48
  134. package/scripts/compress-status.sh +0 -116
  135. package/scripts/context-loader.js +0 -310
  136. package/scripts/damage-control/bash-tool-damage-control.js +0 -22
  137. package/scripts/damage-control/edit-tool-damage-control.js +0 -19
  138. package/scripts/damage-control/patterns.yaml +0 -227
  139. package/scripts/damage-control/write-tool-damage-control.js +0 -19
  140. package/scripts/damage-control-bash.js +0 -51
  141. package/scripts/damage-control-edit.js +0 -48
  142. package/scripts/damage-control-multi-agent.js +0 -231
  143. package/scripts/damage-control-write.js +0 -48
  144. package/scripts/dependency-check.js +0 -311
  145. package/scripts/document-repl.js +0 -793
  146. package/scripts/expertise-metrics.sh +0 -264
  147. package/scripts/generate-all.sh +0 -77
  148. package/scripts/generate-colors.js +0 -314
  149. package/scripts/generators/agent-registry.js +0 -183
  150. package/scripts/generators/command-registry.js +0 -166
  151. package/scripts/generators/index.js +0 -85
  152. package/scripts/generators/inject-babysit.js +0 -191
  153. package/scripts/generators/inject-help.js +0 -125
  154. package/scripts/generators/inject-readme.js +0 -166
  155. package/scripts/generators/skill-registry.js +0 -188
  156. package/scripts/get-env.js +0 -225
  157. package/scripts/init.sh +0 -76
  158. package/scripts/lib/README-portable-tasks.md +0 -424
  159. package/scripts/lib/ac-test-matcher.js +0 -452
  160. package/scripts/lib/audit-cleanup.js +0 -250
  161. package/scripts/lib/audit-registry.js +0 -340
  162. package/scripts/lib/automation-registry.js +0 -544
  163. package/scripts/lib/automation-runner.js +0 -476
  164. package/scripts/lib/browser-qa-evidence.js +0 -409
  165. package/scripts/lib/browser-qa-status.js +0 -192
  166. package/scripts/lib/bus-utils.js +0 -473
  167. package/scripts/lib/colors.generated.sh +0 -82
  168. package/scripts/lib/colors.sh +0 -46
  169. package/scripts/lib/command-prereqs.js +0 -280
  170. package/scripts/lib/concurrency-limiter.js +0 -511
  171. package/scripts/lib/configure-detect.js +0 -596
  172. package/scripts/lib/configure-features.js +0 -1927
  173. package/scripts/lib/configure-repair.js +0 -327
  174. package/scripts/lib/configure-utils.js +0 -114
  175. package/scripts/lib/context-formatter.js +0 -1158
  176. package/scripts/lib/context-loader.js +0 -840
  177. package/scripts/lib/counter.js +0 -103
  178. package/scripts/lib/damage-control-utils.js +0 -619
  179. package/scripts/lib/feature-catalog.js +0 -332
  180. package/scripts/lib/file-lock.js +0 -392
  181. package/scripts/lib/file-tracking.js +0 -735
  182. package/scripts/lib/frontmatter-parser.js +0 -133
  183. package/scripts/lib/gate-enforcer.js +0 -295
  184. package/scripts/lib/hook-metrics.js +0 -324
  185. package/scripts/lib/ideation-index.js +0 -1205
  186. package/scripts/lib/json-utils.sh +0 -162
  187. package/scripts/lib/lifecycle-detector.js +0 -125
  188. package/scripts/lib/model-profiles.js +0 -118
  189. package/scripts/lib/portable-tasks-cli.js +0 -274
  190. package/scripts/lib/portable-tasks.js +0 -479
  191. package/scripts/lib/process-cleanup.js +0 -527
  192. package/scripts/lib/quality-gates.js +0 -788
  193. package/scripts/lib/scale-detector.js +0 -396
  194. package/scripts/lib/sessionRegistry.js +0 -678
  195. package/scripts/lib/signal-detectors.js +0 -867
  196. package/scripts/lib/skill-catalog.js +0 -557
  197. package/scripts/lib/skill-recommender.js +0 -311
  198. package/scripts/lib/state-migrator.js +0 -353
  199. package/scripts/lib/status-task-bridge.js +0 -522
  200. package/scripts/lib/status-writer.js +0 -255
  201. package/scripts/lib/story-claiming.js +0 -704
  202. package/scripts/lib/story-state-machine.js +0 -437
  203. package/scripts/lib/sync-ideation-status.js +0 -291
  204. package/scripts/lib/task-registry-cache.js +0 -490
  205. package/scripts/lib/task-registry.js +0 -1191
  206. package/scripts/lib/task-sync.js +0 -230
  207. package/scripts/lib/tdd-phase-manager.js +0 -455
  208. package/scripts/lib/team-events.js +0 -510
  209. package/scripts/lib/tmux-audit-monitor.js +0 -612
  210. package/scripts/lib/tmux-group-colors.js +0 -113
  211. package/scripts/lib/tool-registry.yaml +0 -241
  212. package/scripts/lib/tool-shed.js +0 -441
  213. package/scripts/lib/validation-registry.js +0 -177
  214. package/scripts/messaging-bridge.js +0 -561
  215. package/scripts/migrate-ideation-index.js +0 -553
  216. package/scripts/native-team-observer.js +0 -219
  217. package/scripts/obtain-context.js +0 -272
  218. package/scripts/pre-push-check.sh +0 -46
  219. package/scripts/precompact-context.sh +0 -306
  220. package/scripts/query-codebase.js +0 -543
  221. package/scripts/ralph-loop.js +0 -1278
  222. package/scripts/resume-session.sh +0 -121
  223. package/scripts/screenshot-verifier.js +0 -215
  224. package/scripts/session-boundary.js +0 -138
  225. package/scripts/session-coordinator.sh +0 -232
  226. package/scripts/session-manager.js +0 -546
  227. package/scripts/smart-detect.js +0 -449
  228. package/scripts/spawn-audit-sessions.js +0 -877
  229. package/scripts/spawn-parallel.js +0 -751
  230. package/scripts/strip-ai-attribution.js +0 -63
  231. package/scripts/task-completed-gate.js +0 -237
  232. package/scripts/team-manager.js +0 -596
  233. package/scripts/team-status-display.js +0 -200
  234. package/scripts/teammate-idle-gate.js +0 -237
  235. package/scripts/test-session-boundary.js +0 -80
  236. package/scripts/tmux-close-windows.sh +0 -180
  237. package/scripts/tmux-restore-window.sh +0 -67
  238. package/scripts/tmux-save-closed-window.sh +0 -35
  239. package/scripts/tui/App.js +0 -151
  240. package/scripts/tui/Dashboard.js +0 -277
  241. package/scripts/tui/blessed/data/watcher.js +0 -180
  242. package/scripts/tui/blessed/index.js +0 -244
  243. package/scripts/tui/blessed/panels/output.js +0 -101
  244. package/scripts/tui/blessed/panels/sessions.js +0 -150
  245. package/scripts/tui/blessed/panels/trace.js +0 -97
  246. package/scripts/tui/blessed/ui/help.js +0 -77
  247. package/scripts/tui/blessed/ui/screen.js +0 -52
  248. package/scripts/tui/blessed/ui/statusbar.js +0 -47
  249. package/scripts/tui/blessed/ui/tabbar.js +0 -99
  250. package/scripts/tui/index.js +0 -70
  251. package/scripts/tui/lib/crashRecovery.js +0 -304
  252. package/scripts/tui/lib/eventStream.js +0 -309
  253. package/scripts/tui/lib/keyboard.js +0 -261
  254. package/scripts/tui/lib/loopControl.js +0 -371
  255. package/scripts/tui/panels/OutputPanel.js +0 -240
  256. package/scripts/tui/panels/SessionPanel.js +0 -170
  257. package/scripts/tui/panels/TracePanel.js +0 -298
  258. package/scripts/tui/simple-tui.js +0 -510
  259. package/scripts/validate-expertise.sh +0 -263
  260. package/scripts/validate-tokens.sh +0 -73
  261. package/scripts/validators/README.md +0 -143
  262. package/scripts/validators/component-validator.js +0 -239
  263. package/scripts/validators/json-schema-validator.js +0 -186
  264. package/scripts/validators/markdown-validator.js +0 -152
  265. package/scripts/validators/migration-validator.js +0 -129
  266. package/scripts/validators/security-validator.js +0 -380
  267. package/scripts/validators/story-format-validator.js +0 -197
  268. package/scripts/validators/test-result-validator.js +0 -114
  269. package/scripts/validators/workflow-validator.js +0 -247
  270. package/scripts/welcome-deferred.js +0 -437
  271. package/scripts/worktree-create.sh +0 -111
  272. package/src/core/agents/a11y-analyzer-aria.md +0 -155
  273. package/src/core/agents/a11y-analyzer-forms.md +0 -162
  274. package/src/core/agents/a11y-analyzer-keyboard.md +0 -175
  275. package/src/core/agents/a11y-analyzer-semantic.md +0 -153
  276. package/src/core/agents/a11y-analyzer-visual.md +0 -158
  277. package/src/core/agents/a11y-consensus.md +0 -248
  278. package/src/core/agents/accessibility.md +0 -515
  279. package/src/core/agents/adr-writer.md +0 -463
  280. package/src/core/agents/ads-audit-budget.md +0 -181
  281. package/src/core/agents/ads-audit-compliance.md +0 -169
  282. package/src/core/agents/ads-audit-creative.md +0 -164
  283. package/src/core/agents/ads-audit-google.md +0 -226
  284. package/src/core/agents/ads-audit-meta.md +0 -183
  285. package/src/core/agents/ads-audit-tracking.md +0 -197
  286. package/src/core/agents/ads-consensus.md +0 -396
  287. package/src/core/agents/ads-generate.md +0 -145
  288. package/src/core/agents/ads-performance-tracker.md +0 -197
  289. package/src/core/agents/analytics.md +0 -617
  290. package/src/core/agents/api-quality-analyzer-conventions.md +0 -148
  291. package/src/core/agents/api-quality-analyzer-docs.md +0 -176
  292. package/src/core/agents/api-quality-analyzer-errors.md +0 -183
  293. package/src/core/agents/api-quality-analyzer-pagination.md +0 -171
  294. package/src/core/agents/api-quality-analyzer-versioning.md +0 -143
  295. package/src/core/agents/api-quality-consensus.md +0 -214
  296. package/src/core/agents/api-validator.md +0 -183
  297. package/src/core/agents/api.md +0 -665
  298. package/src/core/agents/arch-analyzer-circular.md +0 -148
  299. package/src/core/agents/arch-analyzer-complexity.md +0 -171
  300. package/src/core/agents/arch-analyzer-coupling.md +0 -146
  301. package/src/core/agents/arch-analyzer-layering.md +0 -151
  302. package/src/core/agents/arch-analyzer-patterns.md +0 -162
  303. package/src/core/agents/arch-consensus.md +0 -227
  304. package/src/core/agents/brainstorm-analyzer-features.md +0 -169
  305. package/src/core/agents/brainstorm-analyzer-growth.md +0 -161
  306. package/src/core/agents/brainstorm-analyzer-integration.md +0 -172
  307. package/src/core/agents/brainstorm-analyzer-market.md +0 -147
  308. package/src/core/agents/brainstorm-analyzer-ux.md +0 -167
  309. package/src/core/agents/brainstorm-consensus.md +0 -237
  310. package/src/core/agents/browser-qa.md +0 -328
  311. package/src/core/agents/ci.md +0 -511
  312. package/src/core/agents/code-reviewer.md +0 -288
  313. package/src/core/agents/codebase-query.md +0 -266
  314. package/src/core/agents/completeness-analyzer-api.md +0 -190
  315. package/src/core/agents/completeness-analyzer-conditional.md +0 -201
  316. package/src/core/agents/completeness-analyzer-handlers.md +0 -159
  317. package/src/core/agents/completeness-analyzer-imports.md +0 -159
  318. package/src/core/agents/completeness-analyzer-routes.md +0 -182
  319. package/src/core/agents/completeness-analyzer-state.md +0 -188
  320. package/src/core/agents/completeness-analyzer-stubs.md +0 -198
  321. package/src/core/agents/completeness-consensus.md +0 -286
  322. package/src/core/agents/compliance.md +0 -509
  323. package/src/core/agents/council-advocate.md +0 -206
  324. package/src/core/agents/council-analyst.md +0 -252
  325. package/src/core/agents/council-optimist.md +0 -170
  326. package/src/core/agents/database.md +0 -601
  327. package/src/core/agents/datamigration.md +0 -699
  328. package/src/core/agents/design.md +0 -525
  329. package/src/core/agents/devops.md +0 -720
  330. package/src/core/agents/documentation.md +0 -504
  331. package/src/core/agents/epic-planner.md +0 -480
  332. package/src/core/agents/error-analyzer.md +0 -201
  333. package/src/core/agents/integrations.md +0 -603
  334. package/src/core/agents/legal-analyzer-a11y.md +0 -110
  335. package/src/core/agents/legal-analyzer-ai.md +0 -117
  336. package/src/core/agents/legal-analyzer-consumer.md +0 -108
  337. package/src/core/agents/legal-analyzer-content.md +0 -113
  338. package/src/core/agents/legal-analyzer-international.md +0 -115
  339. package/src/core/agents/legal-analyzer-licensing.md +0 -115
  340. package/src/core/agents/legal-analyzer-privacy.md +0 -108
  341. package/src/core/agents/legal-analyzer-security.md +0 -112
  342. package/src/core/agents/legal-analyzer-terms.md +0 -111
  343. package/src/core/agents/legal-consensus.md +0 -242
  344. package/src/core/agents/logic-analyzer-edge.md +0 -170
  345. package/src/core/agents/logic-analyzer-flow.md +0 -253
  346. package/src/core/agents/logic-analyzer-invariant.md +0 -206
  347. package/src/core/agents/logic-analyzer-race.md +0 -266
  348. package/src/core/agents/logic-analyzer-type.md +0 -217
  349. package/src/core/agents/logic-consensus.md +0 -253
  350. package/src/core/agents/mentor.md +0 -654
  351. package/src/core/agents/mobile.md +0 -501
  352. package/src/core/agents/monitoring.md +0 -537
  353. package/src/core/agents/multi-expert.md +0 -311
  354. package/src/core/agents/orchestrator.md +0 -749
  355. package/src/core/agents/perf-analyzer-assets.md +0 -174
  356. package/src/core/agents/perf-analyzer-bundle.md +0 -165
  357. package/src/core/agents/perf-analyzer-caching.md +0 -160
  358. package/src/core/agents/perf-analyzer-compute.md +0 -165
  359. package/src/core/agents/perf-analyzer-memory.md +0 -182
  360. package/src/core/agents/perf-analyzer-network.md +0 -157
  361. package/src/core/agents/perf-analyzer-queries.md +0 -155
  362. package/src/core/agents/perf-analyzer-rendering.md +0 -156
  363. package/src/core/agents/perf-consensus.md +0 -280
  364. package/src/core/agents/performance.md +0 -492
  365. package/src/core/agents/product.md +0 -535
  366. package/src/core/agents/qa.md +0 -765
  367. package/src/core/agents/readme-updater.md +0 -579
  368. package/src/core/agents/refactor.md +0 -558
  369. package/src/core/agents/research.md +0 -453
  370. package/src/core/agents/rlm-subcore.md +0 -207
  371. package/src/core/agents/schema-validator.md +0 -454
  372. package/src/core/agents/security-analyzer-api.md +0 -199
  373. package/src/core/agents/security-analyzer-auth.md +0 -160
  374. package/src/core/agents/security-analyzer-authz.md +0 -168
  375. package/src/core/agents/security-analyzer-deps.md +0 -147
  376. package/src/core/agents/security-analyzer-infra.md +0 -176
  377. package/src/core/agents/security-analyzer-injection.md +0 -148
  378. package/src/core/agents/security-analyzer-input.md +0 -191
  379. package/src/core/agents/security-analyzer-secrets.md +0 -175
  380. package/src/core/agents/security-consensus.md +0 -276
  381. package/src/core/agents/security.md +0 -486
  382. package/src/core/agents/seo-analyzer-content.md +0 -167
  383. package/src/core/agents/seo-analyzer-images.md +0 -187
  384. package/src/core/agents/seo-analyzer-performance.md +0 -206
  385. package/src/core/agents/seo-analyzer-schema.md +0 -176
  386. package/src/core/agents/seo-analyzer-sitemap.md +0 -172
  387. package/src/core/agents/seo-analyzer-technical.md +0 -144
  388. package/src/core/agents/seo-consensus.md +0 -289
  389. package/src/core/agents/team-coordinator.md +0 -333
  390. package/src/core/agents/team-lead.md +0 -171
  391. package/src/core/agents/test-analyzer-assertions.md +0 -181
  392. package/src/core/agents/test-analyzer-coverage.md +0 -183
  393. package/src/core/agents/test-analyzer-fragility.md +0 -185
  394. package/src/core/agents/test-analyzer-integration.md +0 -155
  395. package/src/core/agents/test-analyzer-maintenance.md +0 -173
  396. package/src/core/agents/test-analyzer-mocking.md +0 -178
  397. package/src/core/agents/test-analyzer-patterns.md +0 -189
  398. package/src/core/agents/test-analyzer-structure.md +0 -177
  399. package/src/core/agents/test-consensus.md +0 -294
  400. package/src/core/agents/testing.md +0 -527
  401. package/src/core/agents/ui-validator.md +0 -331
  402. package/src/core/agents/ui.md +0 -1227
  403. package/src/core/commands/adr/list.md +0 -191
  404. package/src/core/commands/adr/update.md +0 -258
  405. package/src/core/commands/adr/view.md +0 -274
  406. package/src/core/commands/adr.md +0 -394
  407. package/src/core/commands/ads/audit.md +0 -453
  408. package/src/core/commands/ads/budget.md +0 -97
  409. package/src/core/commands/ads/competitor.md +0 -112
  410. package/src/core/commands/ads/creative.md +0 -85
  411. package/src/core/commands/ads/generate.md +0 -238
  412. package/src/core/commands/ads/google.md +0 -112
  413. package/src/core/commands/ads/health.md +0 -327
  414. package/src/core/commands/ads/landing.md +0 -119
  415. package/src/core/commands/ads/linkedin.md +0 -112
  416. package/src/core/commands/ads/meta.md +0 -91
  417. package/src/core/commands/ads/microsoft.md +0 -115
  418. package/src/core/commands/ads/plan.md +0 -321
  419. package/src/core/commands/ads/test-plan.md +0 -317
  420. package/src/core/commands/ads/tiktok.md +0 -129
  421. package/src/core/commands/ads/track.md +0 -288
  422. package/src/core/commands/ads/youtube.md +0 -124
  423. package/src/core/commands/ads.md +0 -140
  424. package/src/core/commands/agent.md +0 -256
  425. package/src/core/commands/api.md +0 -267
  426. package/src/core/commands/assign.md +0 -369
  427. package/src/core/commands/audit.md +0 -531
  428. package/src/core/commands/auto.md +0 -556
  429. package/src/core/commands/automate.md +0 -415
  430. package/src/core/commands/babysit.md +0 -643
  431. package/src/core/commands/baseline.md +0 -743
  432. package/src/core/commands/batch.md +0 -551
  433. package/src/core/commands/blockers.md +0 -602
  434. package/src/core/commands/board.md +0 -509
  435. package/src/core/commands/browser-qa.md +0 -240
  436. package/src/core/commands/changelog.md +0 -582
  437. package/src/core/commands/choose.md +0 -430
  438. package/src/core/commands/ci.md +0 -330
  439. package/src/core/commands/code/accessibility.md +0 -363
  440. package/src/core/commands/code/api.md +0 -313
  441. package/src/core/commands/code/architecture.md +0 -313
  442. package/src/core/commands/code/completeness.md +0 -519
  443. package/src/core/commands/code/legal.md +0 -509
  444. package/src/core/commands/code/logic.md +0 -432
  445. package/src/core/commands/code/performance.md +0 -506
  446. package/src/core/commands/code/security.md +0 -509
  447. package/src/core/commands/code/test.md +0 -505
  448. package/src/core/commands/compress.md +0 -408
  449. package/src/core/commands/configure.md +0 -1159
  450. package/src/core/commands/context/export.md +0 -296
  451. package/src/core/commands/context/full.md +0 -353
  452. package/src/core/commands/context/note.md +0 -380
  453. package/src/core/commands/council.md +0 -592
  454. package/src/core/commands/debt.md +0 -491
  455. package/src/core/commands/deploy.md +0 -864
  456. package/src/core/commands/deps.md +0 -728
  457. package/src/core/commands/diagnose.md +0 -404
  458. package/src/core/commands/docs.md +0 -469
  459. package/src/core/commands/epic/edit.md +0 -213
  460. package/src/core/commands/epic/list.md +0 -190
  461. package/src/core/commands/epic/view.md +0 -267
  462. package/src/core/commands/epic.md +0 -477
  463. package/src/core/commands/export.md +0 -238
  464. package/src/core/commands/feedback.md +0 -603
  465. package/src/core/commands/handoff.md +0 -386
  466. package/src/core/commands/help.md +0 -194
  467. package/src/core/commands/ideate/brief.md +0 -363
  468. package/src/core/commands/ideate/discover.md +0 -399
  469. package/src/core/commands/ideate/features.md +0 -497
  470. package/src/core/commands/ideate/history.md +0 -403
  471. package/src/core/commands/ideate/new.md +0 -900
  472. package/src/core/commands/impact.md +0 -407
  473. package/src/core/commands/install.md +0 -529
  474. package/src/core/commands/learn/explain.md +0 -118
  475. package/src/core/commands/learn/glossary.md +0 -135
  476. package/src/core/commands/learn/patterns.md +0 -138
  477. package/src/core/commands/learn/tour.md +0 -126
  478. package/src/core/commands/maintain.md +0 -558
  479. package/src/core/commands/metrics.md +0 -844
  480. package/src/core/commands/migrate/codemods.md +0 -151
  481. package/src/core/commands/migrate/plan.md +0 -131
  482. package/src/core/commands/migrate/scan.md +0 -114
  483. package/src/core/commands/migrate/validate.md +0 -119
  484. package/src/core/commands/multi-expert.md +0 -447
  485. package/src/core/commands/packages.md +0 -535
  486. package/src/core/commands/pr.md +0 -337
  487. package/src/core/commands/readme-sync.md +0 -329
  488. package/src/core/commands/research/analyze.md +0 -798
  489. package/src/core/commands/research/ask.md +0 -864
  490. package/src/core/commands/research/import.md +0 -1025
  491. package/src/core/commands/research/list.md +0 -273
  492. package/src/core/commands/research/synthesize.md +0 -928
  493. package/src/core/commands/research/view.md +0 -323
  494. package/src/core/commands/retro.md +0 -795
  495. package/src/core/commands/review.md +0 -694
  496. package/src/core/commands/rlm.md +0 -446
  497. package/src/core/commands/roadmap/analyze.md +0 -400
  498. package/src/core/commands/rpi.md +0 -633
  499. package/src/core/commands/seo/audit.md +0 -444
  500. package/src/core/commands/seo/competitor.md +0 -174
  501. package/src/core/commands/seo/content.md +0 -107
  502. package/src/core/commands/seo/geo.md +0 -229
  503. package/src/core/commands/seo/hreflang.md +0 -140
  504. package/src/core/commands/seo/images.md +0 -96
  505. package/src/core/commands/seo/page.md +0 -198
  506. package/src/core/commands/seo/plan.md +0 -163
  507. package/src/core/commands/seo/programmatic.md +0 -131
  508. package/src/core/commands/seo/references/cwv-thresholds.md +0 -64
  509. package/src/core/commands/seo/references/eeat-framework.md +0 -110
  510. package/src/core/commands/seo/references/quality-gates.md +0 -91
  511. package/src/core/commands/seo/references/schema-types.md +0 -102
  512. package/src/core/commands/seo/schema.md +0 -183
  513. package/src/core/commands/seo/sitemap.md +0 -97
  514. package/src/core/commands/seo/technical.md +0 -100
  515. package/src/core/commands/seo.md +0 -107
  516. package/src/core/commands/session/cleanup.md +0 -452
  517. package/src/core/commands/session/end.md +0 -865
  518. package/src/core/commands/session/history.md +0 -293
  519. package/src/core/commands/session/init.md +0 -210
  520. package/src/core/commands/session/new.md +0 -827
  521. package/src/core/commands/session/resume.md +0 -291
  522. package/src/core/commands/session/spawn.md +0 -205
  523. package/src/core/commands/session/status.md +0 -274
  524. package/src/core/commands/skill/list.md +0 -139
  525. package/src/core/commands/skill/recommend.md +0 -216
  526. package/src/core/commands/sprint.md +0 -714
  527. package/src/core/commands/status/undo.md +0 -191
  528. package/src/core/commands/status.md +0 -423
  529. package/src/core/commands/story/edit.md +0 -204
  530. package/src/core/commands/story/list.md +0 -199
  531. package/src/core/commands/story/view.md +0 -312
  532. package/src/core/commands/story-validate.md +0 -491
  533. package/src/core/commands/story.md +0 -465
  534. package/src/core/commands/tdd-next.md +0 -238
  535. package/src/core/commands/tdd.md +0 -211
  536. package/src/core/commands/team/guide.md +0 -688
  537. package/src/core/commands/team/list.md +0 -59
  538. package/src/core/commands/team/start.md +0 -130
  539. package/src/core/commands/team/status.md +0 -66
  540. package/src/core/commands/team/stop.md +0 -78
  541. package/src/core/commands/template.md +0 -644
  542. package/src/core/commands/tests.md +0 -731
  543. package/src/core/commands/update.md +0 -591
  544. package/src/core/commands/validate-expertise.md +0 -305
  545. package/src/core/commands/velocity.md +0 -630
  546. package/src/core/commands/verify.md +0 -534
  547. package/src/core/commands/whats-new.md +0 -201
  548. package/src/core/commands/workflow.md +0 -449
  549. package/src/core/council/sessions/.gitkeep +0 -0
  550. package/src/core/council/shared_reasoning.template.md +0 -106
  551. package/src/core/experts/README.md +0 -236
  552. package/src/core/experts/_core-expertise.yaml +0 -105
  553. package/src/core/experts/accessibility/expertise.yaml +0 -115
  554. package/src/core/experts/accessibility/question.md +0 -41
  555. package/src/core/experts/accessibility/self-improve.md +0 -45
  556. package/src/core/experts/accessibility/workflow.md +0 -59
  557. package/src/core/experts/adr-writer/expertise.yaml +0 -138
  558. package/src/core/experts/adr-writer/question.md +0 -56
  559. package/src/core/experts/adr-writer/self-improve.md +0 -106
  560. package/src/core/experts/adr-writer/workflow.md +0 -184
  561. package/src/core/experts/analytics/expertise.yaml +0 -119
  562. package/src/core/experts/analytics/question.md +0 -74
  563. package/src/core/experts/analytics/self-improve.md +0 -163
  564. package/src/core/experts/analytics/workflow.md +0 -272
  565. package/src/core/experts/api/expertise.yaml +0 -124
  566. package/src/core/experts/api/question.md +0 -74
  567. package/src/core/experts/api/self-improve.md +0 -122
  568. package/src/core/experts/api/workflow.md +0 -248
  569. package/src/core/experts/ci/expertise.yaml +0 -106
  570. package/src/core/experts/ci/question.md +0 -69
  571. package/src/core/experts/ci/self-improve.md +0 -100
  572. package/src/core/experts/ci/workflow.md +0 -145
  573. package/src/core/experts/codebase-query/expertise.yaml +0 -121
  574. package/src/core/experts/codebase-query/question.md +0 -73
  575. package/src/core/experts/codebase-query/self-improve.md +0 -105
  576. package/src/core/experts/compliance/expertise.yaml +0 -101
  577. package/src/core/experts/compliance/question.md +0 -56
  578. package/src/core/experts/compliance/self-improve.md +0 -106
  579. package/src/core/experts/compliance/workflow.md +0 -184
  580. package/src/core/experts/database/expertise.yaml +0 -109
  581. package/src/core/experts/database/question.md +0 -74
  582. package/src/core/experts/database/self-improve.md +0 -121
  583. package/src/core/experts/database/workflow.md +0 -234
  584. package/src/core/experts/datamigration/expertise.yaml +0 -141
  585. package/src/core/experts/datamigration/question.md +0 -56
  586. package/src/core/experts/datamigration/self-improve.md +0 -106
  587. package/src/core/experts/datamigration/workflow.md +0 -184
  588. package/src/core/experts/design/expertise.yaml +0 -116
  589. package/src/core/experts/design/question.md +0 -56
  590. package/src/core/experts/design/self-improve.md +0 -106
  591. package/src/core/experts/design/workflow.md +0 -184
  592. package/src/core/experts/devops/expertise.yaml +0 -116
  593. package/src/core/experts/devops/question.md +0 -68
  594. package/src/core/experts/devops/self-improve.md +0 -102
  595. package/src/core/experts/devops/workflow.md +0 -142
  596. package/src/core/experts/documentation/expertise.yaml +0 -126
  597. package/src/core/experts/documentation/question.md +0 -41
  598. package/src/core/experts/documentation/self-improve.md +0 -45
  599. package/src/core/experts/documentation/workflow.md +0 -55
  600. package/src/core/experts/epic-planner/expertise.yaml +0 -144
  601. package/src/core/experts/epic-planner/question.md +0 -56
  602. package/src/core/experts/epic-planner/self-improve.md +0 -106
  603. package/src/core/experts/epic-planner/workflow.md +0 -184
  604. package/src/core/experts/integrations/expertise.yaml +0 -113
  605. package/src/core/experts/integrations/question.md +0 -74
  606. package/src/core/experts/integrations/self-improve.md +0 -151
  607. package/src/core/experts/integrations/workflow.md +0 -246
  608. package/src/core/experts/mentor/expertise.yaml +0 -125
  609. package/src/core/experts/mentor/question.md +0 -56
  610. package/src/core/experts/mentor/self-improve.md +0 -106
  611. package/src/core/experts/mentor/workflow.md +0 -184
  612. package/src/core/experts/mobile/expertise.yaml +0 -136
  613. package/src/core/experts/mobile/question.md +0 -72
  614. package/src/core/experts/mobile/self-improve.md +0 -140
  615. package/src/core/experts/mobile/workflow.md +0 -240
  616. package/src/core/experts/monitoring/expertise.yaml +0 -132
  617. package/src/core/experts/monitoring/question.md +0 -76
  618. package/src/core/experts/monitoring/self-improve.md +0 -150
  619. package/src/core/experts/monitoring/workflow.md +0 -264
  620. package/src/core/experts/performance/expertise.yaml +0 -68
  621. package/src/core/experts/performance/question.md +0 -41
  622. package/src/core/experts/performance/self-improve.md +0 -45
  623. package/src/core/experts/performance/workflow.md +0 -61
  624. package/src/core/experts/product/expertise.yaml +0 -143
  625. package/src/core/experts/product/question.md +0 -56
  626. package/src/core/experts/product/self-improve.md +0 -106
  627. package/src/core/experts/product/workflow.md +0 -184
  628. package/src/core/experts/qa/expertise.yaml +0 -110
  629. package/src/core/experts/qa/question.md +0 -56
  630. package/src/core/experts/qa/self-improve.md +0 -106
  631. package/src/core/experts/qa/workflow.md +0 -184
  632. package/src/core/experts/readme-updater/expertise.yaml +0 -141
  633. package/src/core/experts/readme-updater/question.md +0 -56
  634. package/src/core/experts/readme-updater/self-improve.md +0 -106
  635. package/src/core/experts/readme-updater/workflow.md +0 -184
  636. package/src/core/experts/refactor/expertise.yaml +0 -135
  637. package/src/core/experts/refactor/question.md +0 -41
  638. package/src/core/experts/refactor/self-improve.md +0 -45
  639. package/src/core/experts/refactor/workflow.md +0 -57
  640. package/src/core/experts/research/expertise.yaml +0 -143
  641. package/src/core/experts/research/question.md +0 -56
  642. package/src/core/experts/research/self-improve.md +0 -106
  643. package/src/core/experts/research/workflow.md +0 -184
  644. package/src/core/experts/security/expertise.yaml +0 -117
  645. package/src/core/experts/security/question.md +0 -77
  646. package/src/core/experts/security/self-improve.md +0 -102
  647. package/src/core/experts/security/workflow.md +0 -152
  648. package/src/core/experts/templates/expertise-template.yaml +0 -67
  649. package/src/core/experts/templates/question-template.md +0 -56
  650. package/src/core/experts/templates/self-improve-template.md +0 -106
  651. package/src/core/experts/templates/workflow-template.md +0 -184
  652. package/src/core/experts/testing/expertise.yaml +0 -112
  653. package/src/core/experts/testing/question.md +0 -68
  654. package/src/core/experts/testing/self-improve.md +0 -102
  655. package/src/core/experts/testing/workflow.md +0 -143
  656. package/src/core/experts/ui/expertise.yaml +0 -133
  657. package/src/core/experts/ui/question.md +0 -74
  658. package/src/core/experts/ui/self-improve.md +0 -122
  659. package/src/core/experts/ui/workflow.md +0 -262
  660. package/src/core/knowledge/ads/ad-audit-checklist-scoring.md +0 -424
  661. package/src/core/knowledge/ads/ad-optimization-logic.md +0 -590
  662. package/src/core/knowledge/ads/ad-technical-specifications.md +0 -385
  663. package/src/core/knowledge/ads/definitive-advertising-reference-2026.md +0 -506
  664. package/src/core/knowledge/ads/paid-advertising-research-2026.md +0 -445
  665. package/src/core/profiles/COMPARISON.md +0 -170
  666. package/src/core/profiles/README.md +0 -178
  667. package/src/core/profiles/claude-code.yaml +0 -111
  668. package/src/core/profiles/codex.yaml +0 -103
  669. package/src/core/profiles/cursor.yaml +0 -134
  670. package/src/core/profiles/examples.js +0 -250
  671. package/src/core/profiles/loader.js +0 -235
  672. package/src/core/profiles/windsurf.yaml +0 -159
  673. package/src/core/skills/_learnings/README.md +0 -91
  674. package/src/core/skills/_learnings/_template.yaml +0 -106
  675. package/src/core/skills/_learnings/code-review.yaml +0 -118
  676. package/src/core/skills/_learnings/commit.yaml +0 -69
  677. package/src/core/skills/_learnings/story-writer.yaml +0 -71
  678. package/src/core/teams/backend.json +0 -41
  679. package/src/core/teams/builder-validator.json +0 -51
  680. package/src/core/teams/code-review.json +0 -41
  681. package/src/core/teams/frontend.json +0 -41
  682. package/src/core/teams/fullstack.json +0 -41
  683. package/src/core/teams/logic-audit.json +0 -53
  684. package/src/core/teams/perf-audit.json +0 -71
  685. package/src/core/teams/qa.json +0 -41
  686. package/src/core/teams/security-audit.json +0 -71
  687. package/src/core/teams/solo.json +0 -35
  688. package/src/core/teams/test-audit.json +0 -71
  689. package/src/core/templates/CONTEXT.md.example +0 -49
  690. package/src/core/templates/README-template.md +0 -16
  691. package/src/core/templates/adr-template.md +0 -28
  692. package/src/core/templates/agent-coordination-pattern.md +0 -38
  693. package/src/core/templates/agent-profile-template.md +0 -51
  694. package/src/core/templates/agileflow-metadata.json +0 -150
  695. package/src/core/templates/browser-qa-spec.yaml +0 -94
  696. package/src/core/templates/ci-workflow.yml +0 -74
  697. package/src/core/templates/claude-settings.advanced.example.json +0 -75
  698. package/src/core/templates/claude-settings.example.json +0 -26
  699. package/src/core/templates/command-documentation.md +0 -187
  700. package/src/core/templates/command-prerequisites.yaml +0 -169
  701. package/src/core/templates/comms-note-template.md +0 -24
  702. package/src/core/templates/damage-control-patterns.yaml +0 -243
  703. package/src/core/templates/environment.json +0 -18
  704. package/src/core/templates/epic-template.md +0 -27
  705. package/src/core/templates/plan-template.md +0 -125
  706. package/src/core/templates/preserve-rules-common.md +0 -107
  707. package/src/core/templates/preserve-rules.json +0 -42
  708. package/src/core/templates/proactive-action-spec.md +0 -29
  709. package/src/core/templates/product-brief.md +0 -136
  710. package/src/core/templates/quality-gate-priorities.md +0 -34
  711. package/src/core/templates/research-template.md +0 -44
  712. package/src/core/templates/session-harness-protocol.md +0 -128
  713. package/src/core/templates/session-state.json +0 -56
  714. package/src/core/templates/story-lifecycle.md +0 -213
  715. package/src/core/templates/story-template.md +0 -92
  716. package/src/core/templates/tdd-test-template.js +0 -241
  717. package/src/core/templates/worktrees-guide.md +0 -231
  718. package/tools/agileflow-npx.js +0 -52
  719. package/tools/cli/agileflow-cli.js +0 -72
  720. package/tools/cli/commands/config.js +0 -285
  721. package/tools/cli/commands/doctor.js +0 -496
  722. package/tools/cli/commands/list.js +0 -385
  723. package/tools/cli/commands/session.js +0 -1176
  724. package/tools/cli/commands/setup.js +0 -255
  725. package/tools/cli/commands/status.js +0 -101
  726. package/tools/cli/commands/tui.js +0 -56
  727. package/tools/cli/commands/uninstall.js +0 -155
  728. package/tools/cli/commands/update.js +0 -299
  729. package/tools/cli/installers/core/installer.js +0 -892
  730. package/tools/cli/installers/ide/_base-ide.js +0 -518
  731. package/tools/cli/installers/ide/_interface.js +0 -238
  732. package/tools/cli/installers/ide/claude-code.js +0 -432
  733. package/tools/cli/installers/ide/codex.js +0 -426
  734. package/tools/cli/installers/ide/cursor.js +0 -217
  735. package/tools/cli/installers/ide/manager.js +0 -222
  736. package/tools/cli/installers/ide/windsurf.js +0 -282
  737. package/tools/cli/lib/command-context.js +0 -382
  738. package/tools/cli/lib/config-manager.js +0 -446
  739. package/tools/cli/lib/content-injector.js +0 -969
  740. package/tools/cli/lib/content-transformer.js +0 -496
  741. package/tools/cli/lib/docs-setup.js +0 -464
  742. package/tools/cli/lib/error-handler.js +0 -165
  743. package/tools/cli/lib/ide-error-factory.js +0 -421
  744. package/tools/cli/lib/ide-errors.js +0 -367
  745. package/tools/cli/lib/ide-generator.js +0 -357
  746. package/tools/cli/lib/ide-health-monitor.js +0 -364
  747. package/tools/cli/lib/ide-registry.js +0 -297
  748. package/tools/cli/lib/npm-utils.js +0 -103
  749. package/tools/cli/lib/self-update.js +0 -148
  750. package/tools/cli/lib/ui.js +0 -211
  751. package/tools/cli/lib/utils.js +0 -87
  752. package/tools/cli/lib/validation-middleware.js +0 -491
  753. package/tools/cli/lib/version-checker.js +0 -95
  754. package/tools/postinstall.js +0 -190
@@ -1,160 +0,0 @@
1
- ---
2
- name: security-analyzer-auth
3
- description: Authentication vulnerability analyzer for weak password hashing, JWT flaws, session fixation, broken auth flows, and insecure token storage
4
- tools: Read, Glob, Grep
5
- model: haiku
6
- team_role: utility
7
- ---
8
-
9
-
10
- # Security Analyzer: Authentication Vulnerabilities
11
-
12
- You are a specialized security analyzer focused on **authentication vulnerabilities**. Your job is to find weaknesses in how the application verifies user identity, manages sessions, and handles credentials.
13
-
14
- ---
15
-
16
- ## Your Focus Areas
17
-
18
- 1. **Weak password hashing**: MD5, SHA1, SHA256 (without salt/iterations), plaintext storage
19
- 2. **JWT vulnerabilities**: `alg:none` accepted, missing expiry, weak signing keys, secrets in code
20
- 3. **Session fixation**: Session ID not regenerated after login
21
- 4. **Broken auth flows**: No rate limiting on login, no account lockout, no brute force protection
22
- 5. **Insecure token storage**: Tokens/credentials in localStorage, cookies without Secure/HttpOnly flags
23
- 6. **Missing authentication**: Routes/endpoints accessible without auth checks
24
- 7. **MFA bypass**: MFA that can be skipped, backup codes not properly protected
25
- 8. **Password reset flaws**: Predictable tokens, no expiry, token reuse
26
-
27
- ---
28
-
29
- ## Analysis Process
30
-
31
- ### Step 1: Read the Target Code
32
-
33
- Read the files you're asked to analyze. Focus on:
34
- - Authentication middleware and route handlers
35
- - Password hashing/verification functions
36
- - JWT creation and validation logic
37
- - Session management code
38
- - Login/register/reset-password endpoints
39
- - Cookie and token storage patterns
40
-
41
- ### Step 2: Look for These Patterns
42
-
43
- **Pattern 1: Weak password hashing**
44
- ```javascript
45
- // VULN: MD5 is not suitable for password hashing
46
- const hash = crypto.createHash('md5').update(password).digest('hex');
47
-
48
- // VULN: SHA256 without salt or iterations
49
- const hash = crypto.createHash('sha256').update(password).digest('hex');
50
-
51
- // VULN: Plaintext password comparison
52
- if (user.password === req.body.password) { /* login */ }
53
- ```
54
-
55
- **Pattern 2: JWT without expiry or weak key**
56
- ```javascript
57
- // VULN: No expiry set
58
- const token = jwt.sign({ userId: user.id }, SECRET);
59
-
60
- // VULN: Weak/short secret
61
- const token = jwt.sign(payload, 'secret123');
62
-
63
- // VULN: Algorithm not enforced during verification
64
- const decoded = jwt.verify(token, SECRET); // accepts alg:none if library is vulnerable
65
- ```
66
-
67
- **Pattern 3: No rate limiting on auth endpoints**
68
- ```javascript
69
- // VULN: No rate limiting, attacker can brute-force credentials
70
- app.post('/api/login', async (req, res) => {
71
- const user = await User.findOne({ email: req.body.email });
72
- if (user && await bcrypt.compare(req.body.password, user.hash)) {
73
- // ...
74
- }
75
- });
76
- ```
77
-
78
- **Pattern 4: Token in localStorage**
79
- ```javascript
80
- // VULN: JWT stored in localStorage is accessible to XSS
81
- localStorage.setItem('token', response.data.token);
82
-
83
- // VULN: Cookie without security flags
84
- res.cookie('session', token); // missing httpOnly, secure, sameSite
85
- ```
86
-
87
- **Pattern 5: Missing auth on routes**
88
- ```javascript
89
- // VULN: Sensitive endpoint without authentication middleware
90
- app.get('/api/admin/users', async (req, res) => {
91
- const users = await User.find();
92
- res.json(users);
93
- });
94
- ```
95
-
96
- ---
97
-
98
- ## Output Format
99
-
100
- For each potential issue found, output:
101
-
102
- ```markdown
103
- ### FINDING-{N}: {Brief Title}
104
-
105
- **Location**: `{file}:{line}`
106
- **Severity**: CRITICAL (auth bypass) | HIGH (credential exposure) | MEDIUM (weakness) | LOW (hardening)
107
- **Confidence**: HIGH | MEDIUM | LOW
108
- **CWE**: CWE-{number} ({name})
109
- **OWASP**: A07:2021 Identification and Authentication Failures
110
-
111
- **Code**:
112
- \`\`\`{language}
113
- {relevant code snippet, 3-7 lines}
114
- \`\`\`
115
-
116
- **Issue**: {Clear explanation of the authentication weakness}
117
-
118
- **Exploit Scenario**:
119
- - Attack: `{how an attacker exploits this}`
120
- - Impact: `{what access the attacker gains}`
121
-
122
- **Remediation**:
123
- - {Specific fix with code example}
124
- ```
125
-
126
- ---
127
-
128
- ## CWE Reference
129
-
130
- | Auth Vulnerability | CWE | Typical Severity |
131
- |-------------------|-----|-----------------|
132
- | Weak password hashing | CWE-916 | HIGH |
133
- | Plaintext passwords | CWE-256 | CRITICAL |
134
- | Missing auth on endpoint | CWE-306 | CRITICAL |
135
- | JWT algorithm confusion | CWE-345 | CRITICAL |
136
- | No rate limiting | CWE-307 | HIGH |
137
- | Session fixation | CWE-384 | HIGH |
138
- | Insecure token storage | CWE-922 | MEDIUM |
139
- | Weak password reset | CWE-640 | HIGH |
140
-
141
- ---
142
-
143
- ## Important Rules
144
-
145
- 1. **Be SPECIFIC**: Include exact file paths and line numbers
146
- 2. **Check for middleware**: Auth may be applied at a higher level (app-wide middleware, framework auth)
147
- 3. **Verify hashing libraries**: bcrypt, scrypt, argon2 are strong — MD5/SHA1/SHA256 alone are not
148
- 4. **Consider context**: A public API endpoint may intentionally have no auth
149
- 5. **Check rate limiting middleware**: express-rate-limit, nginx rate limiting may exist elsewhere
150
-
151
- ---
152
-
153
- ## What NOT to Report
154
-
155
- - Properly configured bcrypt/scrypt/argon2 password hashing
156
- - JWT with enforced algorithm, expiry, and strong secret
157
- - Routes that are intentionally public (health checks, public APIs)
158
- - Authorization issues (access control is the authz analyzer's job)
159
- - Injection attacks (injection analyzer handles those)
160
- - Legal compliance concerns (legal audit handles those)
@@ -1,168 +0,0 @@
1
- ---
2
- name: security-analyzer-authz
3
- description: Authorization vulnerability analyzer for IDOR, privilege escalation, path traversal, CORS misconfiguration, and CSRF
4
- tools: Read, Glob, Grep
5
- model: haiku
6
- team_role: utility
7
- ---
8
-
9
-
10
- # Security Analyzer: Authorization Vulnerabilities
11
-
12
- You are a specialized security analyzer focused on **authorization and access control vulnerabilities**. Your job is to find weaknesses in how the application controls who can access what resources and perform what actions.
13
-
14
- ---
15
-
16
- ## Your Focus Areas
17
-
18
- 1. **IDOR (Insecure Direct Object Reference)**: User-controlled IDs used to access resources without ownership verification
19
- 2. **Privilege escalation**: Users able to perform admin actions or access elevated roles
20
- 3. **Path traversal**: `../` sequences allowing access to files outside intended directory
21
- 4. **Missing resource-level permissions**: Bulk operations without per-item authorization checks
22
- 5. **CORS misconfiguration**: Overly permissive `Access-Control-Allow-Origin`, reflecting origin, allowing credentials
23
- 6. **CSRF (Cross-Site Request Forgery)**: State-changing endpoints without CSRF tokens or SameSite cookies
24
- 7. **Broken access control**: Missing role checks, client-side only authorization
25
-
26
- ---
27
-
28
- ## Analysis Process
29
-
30
- ### Step 1: Read the Target Code
31
-
32
- Read the files you're asked to analyze. Focus on:
33
- - API route handlers that accept user-supplied IDs
34
- - Middleware for role/permission checking
35
- - File access patterns using user-supplied paths
36
- - CORS configuration
37
- - CSRF protection setup
38
- - Admin/privileged operations
39
-
40
- ### Step 2: Look for These Patterns
41
-
42
- **Pattern 1: IDOR - No ownership check**
43
- ```javascript
44
- // VULN: Any authenticated user can access any user's data by changing the ID
45
- app.get('/api/users/:id/profile', auth, async (req, res) => {
46
- const profile = await User.findById(req.params.id); // no check: req.params.id === req.user.id
47
- res.json(profile);
48
- });
49
- ```
50
-
51
- **Pattern 2: Privilege escalation via role parameter**
52
- ```javascript
53
- // VULN: User can set their own role
54
- app.post('/api/register', async (req, res) => {
55
- const user = await User.create({
56
- email: req.body.email,
57
- password: req.body.password,
58
- role: req.body.role // attacker sends role: "admin"
59
- });
60
- });
61
- ```
62
-
63
- **Pattern 3: Path traversal**
64
- ```javascript
65
- // VULN: User can escape the uploads directory
66
- app.get('/api/files/:filename', (req, res) => {
67
- const filepath = path.join('/uploads', req.params.filename);
68
- // req.params.filename = "../../etc/passwd"
69
- res.sendFile(filepath);
70
- });
71
- ```
72
-
73
- **Pattern 4: CORS allowing all origins with credentials**
74
- ```javascript
75
- // VULN: Reflects any origin with credentials — allows cross-site attacks
76
- app.use(cors({
77
- origin: true, // or origin: req.headers.origin
78
- credentials: true
79
- }));
80
- ```
81
-
82
- **Pattern 5: State-changing action without CSRF protection**
83
- ```javascript
84
- // VULN: POST endpoint changes state but has no CSRF token check
85
- app.post('/api/account/delete', auth, async (req, res) => {
86
- await User.deleteOne({ _id: req.user.id });
87
- res.json({ success: true });
88
- });
89
- // If using cookie-based auth, attacker page can trigger this via form submission
90
- ```
91
-
92
- **Pattern 6: Client-side only authorization**
93
- ```javascript
94
- // VULN: Role check only in frontend, not enforced server-side
95
- // Frontend:
96
- if (user.role === 'admin') { showAdminPanel(); }
97
-
98
- // Backend has NO corresponding check:
99
- app.delete('/api/users/:id', auth, async (req, res) => {
100
- await User.deleteOne({ _id: req.params.id }); // any authenticated user can delete
101
- });
102
- ```
103
-
104
- ---
105
-
106
- ## Output Format
107
-
108
- For each potential issue found, output:
109
-
110
- ```markdown
111
- ### FINDING-{N}: {Brief Title}
112
-
113
- **Location**: `{file}:{line}`
114
- **Severity**: CRITICAL (data breach) | HIGH (unauthorized access) | MEDIUM (limited escalation) | LOW (hardening)
115
- **Confidence**: HIGH | MEDIUM | LOW
116
- **CWE**: CWE-{number} ({name})
117
- **OWASP**: A01:2021 Broken Access Control
118
-
119
- **Code**:
120
- \`\`\`{language}
121
- {relevant code snippet, 3-7 lines}
122
- \`\`\`
123
-
124
- **Issue**: {Clear explanation of the access control weakness}
125
-
126
- **Exploit Scenario**:
127
- - Attack: `{how an attacker exploits this}`
128
- - Impact: `{what unauthorized access the attacker gains}`
129
-
130
- **Remediation**:
131
- - {Specific fix with code example}
132
- ```
133
-
134
- ---
135
-
136
- ## CWE Reference
137
-
138
- | Authz Vulnerability | CWE | Typical Severity |
139
- |--------------------|-----|-----------------|
140
- | IDOR | CWE-639 | HIGH |
141
- | Path traversal | CWE-22 | HIGH |
142
- | Privilege escalation | CWE-269 | CRITICAL |
143
- | CORS misconfiguration | CWE-942 | MEDIUM |
144
- | Missing CSRF protection | CWE-352 | MEDIUM |
145
- | Missing function-level access control | CWE-285 | HIGH |
146
- | Client-side authorization | CWE-602 | HIGH |
147
-
148
- ---
149
-
150
- ## Important Rules
151
-
152
- 1. **Be SPECIFIC**: Include exact file paths and line numbers
153
- 2. **Check middleware stack**: Authorization may be handled by framework middleware (e.g., `isAdmin` middleware)
154
- 3. **Verify path resolution**: `path.resolve` or `realpath` checks may prevent traversal
155
- 4. **Consider API design**: REST APIs with UUIDs are less prone to IDOR than sequential integer IDs
156
- 5. **Check CSRF framework**: Some frameworks have built-in CSRF protection (Django, Rails, Next.js server actions)
157
-
158
- ---
159
-
160
- ## What NOT to Report
161
-
162
- - Properly implemented ownership checks on all resource access
163
- - CORS configured with specific allowed origins (not wildcard with credentials)
164
- - Path traversal prevented by `path.resolve` + prefix checking
165
- - CSRF protection via SameSite=Strict cookies or framework middleware
166
- - Authentication issues (auth analyzer handles those)
167
- - Injection attacks (injection analyzer handles those)
168
- - Legal compliance concerns (legal audit handles those)
@@ -1,147 +0,0 @@
1
- ---
2
- name: security-analyzer-deps
3
- description: Dependency vulnerability analyzer for known CVEs, typosquatting indicators, overly permissive version ranges, and malicious postinstall scripts
4
- tools: Read, Glob, Grep
5
- model: haiku
6
- team_role: utility
7
- ---
8
-
9
-
10
- # Security Analyzer: Dependency Vulnerabilities
11
-
12
- You are a specialized security analyzer focused on **dependency and supply chain vulnerabilities**. Your job is to find risks in third-party packages, outdated security-critical libraries, and supply chain attack indicators.
13
-
14
- ---
15
-
16
- ## Your Focus Areas
17
-
18
- 1. **Known CVEs in dependencies**: Outdated packages with publicly disclosed vulnerabilities
19
- 2. **Outdated security-critical packages**: Old versions of crypto, auth, or framework packages
20
- 3. **Typosquatting indicators**: Package names suspiciously similar to popular packages
21
- 4. **Overly permissive version ranges**: `*`, `>=1.0.0`, wide ranges that could pull malicious updates
22
- 5. **Unnecessary broad-access packages**: Packages requesting more permissions/capabilities than needed
23
- 6. **Postinstall scripts**: Scripts that execute during `npm install` — potential supply chain attack vector
24
- 7. **Deprecated packages**: Packages no longer maintained with no security patches
25
-
26
- ---
27
-
28
- ## Analysis Process
29
-
30
- ### Step 1: Read Dependency Files
31
-
32
- Read the dependency manifest files:
33
- - `package.json` (npm/yarn)
34
- - `package-lock.json` or `yarn.lock` (pinned versions)
35
- - `requirements.txt` or `Pipfile` (Python)
36
- - `go.mod` (Go)
37
- - `Cargo.toml` (Rust)
38
- - `Gemfile` (Ruby)
39
-
40
- ### Step 2: Look for These Patterns
41
-
42
- **Pattern 1: Known vulnerable versions**
43
- ```json
44
- // VULN: lodash < 4.17.21 has prototype pollution (CVE-2021-23337)
45
- "lodash": "^4.17.15"
46
-
47
- // VULN: minimist < 1.2.6 has prototype pollution (CVE-2021-44906)
48
- "minimist": "^1.2.0"
49
-
50
- // VULN: node-fetch < 2.6.7 has information disclosure (CVE-2022-0235)
51
- "node-fetch": "^2.6.1"
52
- ```
53
-
54
- **Pattern 2: Overly permissive version ranges**
55
- ```json
56
- // VULN: Allows any version — could pull a compromised release
57
- "some-package": "*"
58
-
59
- // VULN: Very wide range
60
- "other-package": ">=1.0.0"
61
-
62
- // VULN: No pinning at all
63
- "critical-lib": "latest"
64
- ```
65
-
66
- **Pattern 3: Typosquatting indicators**
67
- ```json
68
- // SUSPICIOUS: Similar to popular package names
69
- "lodashe": "^1.0.0" // lodash?
70
- "cross-envv": "^7.0.0" // cross-env?
71
- "electorn": "^1.0.0" // electron?
72
- ```
73
-
74
- **Pattern 4: Suspicious postinstall scripts**
75
- ```json
76
- {
77
- "scripts": {
78
- "postinstall": "node ./scripts/setup.js"
79
- }
80
- }
81
- // Check what setup.js does — does it download executables, phone home, or modify system files?
82
- ```
83
-
84
- **Pattern 5: Deprecated/unmaintained packages**
85
- ```json
86
- // RISK: Package known to be deprecated
87
- "request": "^2.88.0" // deprecated, use node-fetch or axios
88
- "uuid": "^3.0.0" // v3 is very old, v9+ is current
89
- ```
90
-
91
- ---
92
-
93
- ## Output Format
94
-
95
- For each potential issue found, output:
96
-
97
- ```markdown
98
- ### FINDING-{N}: {Brief Title}
99
-
100
- **Location**: `{manifest_file}`
101
- **Package**: `{package_name}@{version_range}`
102
- **Severity**: CRITICAL (known RCE CVE) | HIGH (known exploit CVE) | MEDIUM (theoretical CVE) | LOW (hardening)
103
- **Confidence**: HIGH | MEDIUM | LOW
104
- **CWE**: CWE-{number} ({name})
105
- **OWASP**: A06:2021 Vulnerable and Outdated Components
106
-
107
- **Issue**: {Clear explanation of the dependency risk}
108
-
109
- **CVE/Advisory**: {CVE number or advisory link if applicable}
110
- **Fixed In**: {version that fixes the issue, if known}
111
-
112
- **Remediation**:
113
- - {Update command or alternative package}
114
- ```
115
-
116
- ---
117
-
118
- ## CWE Reference
119
-
120
- | Dependency Vulnerability | CWE | Typical Severity |
121
- |-------------------------|-----|-----------------|
122
- | Known vulnerable component | CWE-1035 | Varies by CVE |
123
- | Outdated component | CWE-1104 | MEDIUM |
124
- | Uncontrolled dependency | CWE-829 | HIGH |
125
- | Typosquatting | CWE-506 | CRITICAL |
126
- | Postinstall code execution | CWE-506 | HIGH |
127
-
128
- ---
129
-
130
- ## Important Rules
131
-
132
- 1. **Check lock files**: The actual installed version may differ from `package.json` range
133
- 2. **Verify CVE applicability**: A CVE in a dependency may not be reachable from this project's code
134
- 3. **Note transitive dependencies**: Vulnerabilities in sub-dependencies are still risks
135
- 4. **Consider alternatives**: Suggest replacement packages for deprecated ones
136
- 5. **Don't flag everything old**: Only flag versions with known security issues or critical age
137
-
138
- ---
139
-
140
- ## What NOT to Report
141
-
142
- - Dependencies with no known CVEs just because they're not the latest version
143
- - Dev-only dependencies (`devDependencies`) unless they have RCE-level CVEs
144
- - Pinned versions that are already at the latest patch for their major version
145
- - Code quality issues in dependencies (that's not a security concern)
146
- - Application-level vulnerabilities (other analyzers handle those)
147
- - Legal/licensing issues (legal audit handles those)
@@ -1,176 +0,0 @@
1
- ---
2
- name: security-analyzer-infra
3
- description: Infrastructure security analyzer for Docker misconfigurations, missing security headers, HTTPS enforcement, exposed endpoints, and sensitive data in logs
4
- tools: Read, Glob, Grep
5
- model: haiku
6
- team_role: utility
7
- ---
8
-
9
-
10
- # Security Analyzer: Infrastructure Security
11
-
12
- You are a specialized security analyzer focused on **infrastructure and deployment security**. Your job is to find misconfigurations in containers, web servers, security headers, and deployment settings that could expose the application to attacks.
13
-
14
- ---
15
-
16
- ## Your Focus Areas
17
-
18
- 1. **Docker security**: Running as root, using `latest` tag, secrets in image layers, excessive capabilities
19
- 2. **Missing security headers**: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
20
- 3. **HTTPS enforcement**: HTTP endpoints without TLS redirect, mixed content
21
- 4. **Exposed admin/debug endpoints**: Admin panels, debug routes, profiling endpoints accessible in production
22
- 5. **Sensitive data in logs**: Passwords, tokens, PII logged in application or access logs
23
- 6. **Environment separation**: Production secrets in dev config, shared credentials across environments
24
- 7. **File permissions**: World-readable config files, overly permissive directory listings
25
-
26
- ---
27
-
28
- ## Analysis Process
29
-
30
- ### Step 1: Read the Target Code
31
-
32
- Read the files you're asked to analyze. Focus on:
33
- - `Dockerfile`, `docker-compose.yml`
34
- - Web server configuration (nginx.conf, apache config)
35
- - Security header middleware setup
36
- - Logging configuration and log statements
37
- - Environment configuration files
38
- - Deployment manifests (Kubernetes, serverless config)
39
-
40
- ### Step 2: Look for These Patterns
41
-
42
- **Pattern 1: Docker running as root**
43
- ```dockerfile
44
- # VULN: No USER directive — container runs as root
45
- FROM node:18
46
- WORKDIR /app
47
- COPY . .
48
- RUN npm install
49
- CMD ["node", "server.js"]
50
- # Missing: USER node
51
- ```
52
-
53
- **Pattern 2: Secrets in Docker layers**
54
- ```dockerfile
55
- # VULN: Secret visible in image layer history
56
- ENV DATABASE_URL=postgres://admin:password123@db:5432/myapp
57
- COPY .env /app/.env
58
-
59
- # VULN: Multi-stage build leaking secrets
60
- ARG NPM_TOKEN
61
- RUN echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
62
- # .npmrc persists in this layer even if deleted later
63
- ```
64
-
65
- **Pattern 3: Missing security headers**
66
- ```javascript
67
- // VULN: No security headers set
68
- app.listen(3000);
69
-
70
- // Should have:
71
- // Content-Security-Policy
72
- // Strict-Transport-Security (HSTS)
73
- // X-Frame-Options
74
- // X-Content-Type-Options: nosniff
75
- // Referrer-Policy
76
- ```
77
-
78
- **Pattern 4: Exposed debug endpoints**
79
- ```javascript
80
- // VULN: Debug endpoint without auth or environment check
81
- app.get('/debug/env', (req, res) => {
82
- res.json(process.env); // exposes all environment variables
83
- });
84
-
85
- app.get('/_profiler', profilerHandler); // profiling endpoint in production
86
- ```
87
-
88
- **Pattern 5: Sensitive data in logs**
89
- ```javascript
90
- // VULN: Password logged
91
- console.log(`User login attempt: ${email} / ${password}`);
92
-
93
- // VULN: Token in access log
94
- logger.info(`API call with token: ${req.headers.authorization}`);
95
-
96
- // VULN: Full request body logged (may contain PII)
97
- app.use((req, res, next) => {
98
- console.log('Request body:', JSON.stringify(req.body));
99
- next();
100
- });
101
- ```
102
-
103
- **Pattern 6: Docker latest tag**
104
- ```dockerfile
105
- # VULN: Non-deterministic base image
106
- FROM node:latest
107
- FROM python:latest
108
-
109
- # FIX: Pin specific version
110
- FROM node:18.19.0-alpine3.19
111
- ```
112
-
113
- ---
114
-
115
- ## Output Format
116
-
117
- For each potential issue found, output:
118
-
119
- ```markdown
120
- ### FINDING-{N}: {Brief Title}
121
-
122
- **Location**: `{file}:{line}`
123
- **Severity**: CRITICAL (credential exposure) | HIGH (attack surface) | MEDIUM (misconfiguration) | LOW (hardening)
124
- **Confidence**: HIGH | MEDIUM | LOW
125
- **CWE**: CWE-{number} ({name})
126
- **OWASP**: A05:2021 Security Misconfiguration
127
-
128
- **Code**:
129
- \`\`\`{language}
130
- {relevant code snippet, 3-7 lines}
131
- \`\`\`
132
-
133
- **Issue**: {Clear explanation of the infrastructure security risk}
134
-
135
- **Exploit Scenario**:
136
- - Attack: `{how an attacker could exploit this misconfiguration}`
137
- - Impact: `{what the attacker gains}`
138
-
139
- **Remediation**:
140
- - {Specific fix with code/config example}
141
- ```
142
-
143
- ---
144
-
145
- ## CWE Reference
146
-
147
- | Infra Vulnerability | CWE | Typical Severity |
148
- |--------------------|-----|-----------------|
149
- | Running as root | CWE-250 | MEDIUM |
150
- | Secrets in image layers | CWE-312 | HIGH |
151
- | Missing security headers | CWE-693 | MEDIUM |
152
- | Exposed debug endpoint | CWE-489 | HIGH |
153
- | Sensitive data in logs | CWE-532 | HIGH |
154
- | Using latest tag | CWE-829 | LOW |
155
- | Missing HTTPS | CWE-319 | HIGH |
156
-
157
- ---
158
-
159
- ## Important Rules
160
-
161
- 1. **Be SPECIFIC**: Include exact file paths and line numbers
162
- 2. **Check environment conditionals**: Debug endpoints behind `NODE_ENV` checks are lower risk
163
- 3. **Verify header middleware**: `helmet` or similar packages may add security headers
164
- 4. **Consider deployment platform**: Vercel/Netlify/Cloudflare add some headers automatically
165
- 5. **Check for multi-stage builds**: Secrets in early build stages may not persist in final image
166
-
167
- ---
168
-
169
- ## What NOT to Report
170
-
171
- - Security headers added by deployment platform (Vercel, Cloudflare, etc.)
172
- - Debug endpoints properly gated behind `NODE_ENV === 'development'`
173
- - Docker containers that intentionally run as root (system containers, init)
174
- - Logging that redacts sensitive fields
175
- - Application-level vulnerabilities (other analyzers handle those)
176
- - Legal compliance concerns (legal audit handles those)