agim-cli 1.2.147 → 1.2.148

  1. package/CHANGELOG.md +58 -0
  2. package/dist/core/skills/builtin/ECC_LICENSE +21 -0
  3. package/dist/core/skills/builtin/ECC_NOTICE.md +22 -0
  4. package/dist/core/skills/builtin/accessibility/SKILL.md +146 -0
  5. package/dist/core/skills/builtin/agent-eval/SKILL.md +145 -0
  6. package/dist/core/skills/builtin/agent-harness-construction/SKILL.md +73 -0
  7. package/dist/core/skills/builtin/agent-introspection-debugging/SKILL.md +153 -0
  8. package/dist/core/skills/builtin/agentic-engineering/SKILL.md +63 -0
  9. package/dist/core/skills/builtin/ai-first-engineering/SKILL.md +51 -0
  10. package/dist/core/skills/builtin/ai-regression-testing/SKILL.md +385 -0
  11. package/dist/core/skills/builtin/android-clean-architecture/SKILL.md +339 -0
  12. package/dist/core/skills/builtin/angular-developer/SKILL.md +154 -0
  13. package/dist/core/skills/builtin/angular-developer/references/angular-animations.md +160 -0
  14. package/dist/core/skills/builtin/angular-developer/references/angular-aria.md +410 -0
  15. package/dist/core/skills/builtin/angular-developer/references/cli.md +86 -0
  16. package/dist/core/skills/builtin/angular-developer/references/component-harnesses.md +59 -0
  17. package/dist/core/skills/builtin/angular-developer/references/component-styling.md +91 -0
  18. package/dist/core/skills/builtin/angular-developer/references/components.md +117 -0
  19. package/dist/core/skills/builtin/angular-developer/references/creating-services.md +97 -0
  20. package/dist/core/skills/builtin/angular-developer/references/data-resolvers.md +69 -0
  21. package/dist/core/skills/builtin/angular-developer/references/define-routes.md +67 -0
  22. package/dist/core/skills/builtin/angular-developer/references/defining-providers.md +72 -0
  23. package/dist/core/skills/builtin/angular-developer/references/di-fundamentals.md +120 -0
  24. package/dist/core/skills/builtin/angular-developer/references/e2e-testing.md +56 -0
  25. package/dist/core/skills/builtin/angular-developer/references/effects.md +83 -0
  26. package/dist/core/skills/builtin/angular-developer/references/hierarchical-injectors.md +43 -0
  27. package/dist/core/skills/builtin/angular-developer/references/host-elements.md +80 -0
  28. package/dist/core/skills/builtin/angular-developer/references/injection-context.md +63 -0
  29. package/dist/core/skills/builtin/angular-developer/references/inputs.md +101 -0
  30. package/dist/core/skills/builtin/angular-developer/references/linked-signal.md +59 -0
  31. package/dist/core/skills/builtin/angular-developer/references/loading-strategies.md +61 -0
  32. package/dist/core/skills/builtin/angular-developer/references/mcp.md +108 -0
  33. package/dist/core/skills/builtin/angular-developer/references/navigate-to-routes.md +69 -0
  34. package/dist/core/skills/builtin/angular-developer/references/outputs.md +86 -0
  35. package/dist/core/skills/builtin/angular-developer/references/reactive-forms.md +122 -0
  36. package/dist/core/skills/builtin/angular-developer/references/rendering-strategies.md +44 -0
  37. package/dist/core/skills/builtin/angular-developer/references/resource.md +77 -0
  38. package/dist/core/skills/builtin/angular-developer/references/route-animations.md +56 -0
  39. package/dist/core/skills/builtin/angular-developer/references/route-guards.md +52 -0
  40. package/dist/core/skills/builtin/angular-developer/references/router-lifecycle.md +45 -0
  41. package/dist/core/skills/builtin/angular-developer/references/router-testing.md +87 -0
  42. package/dist/core/skills/builtin/angular-developer/references/show-routes-with-outlets.md +68 -0
  43. package/dist/core/skills/builtin/angular-developer/references/signal-forms.md +795 -0
  44. package/dist/core/skills/builtin/angular-developer/references/signals-overview.md +94 -0
  45. package/dist/core/skills/builtin/angular-developer/references/tailwind-css.md +69 -0
  46. package/dist/core/skills/builtin/angular-developer/references/template-driven-forms.md +114 -0
  47. package/dist/core/skills/builtin/angular-developer/references/testing-fundamentals.md +65 -0
  48. package/dist/core/skills/builtin/api-connector-builder/SKILL.md +120 -0
  49. package/dist/core/skills/builtin/api-design/SKILL.md +523 -0
  50. package/dist/core/skills/builtin/architecture-decision-records/SKILL.md +179 -0
  51. package/dist/core/skills/builtin/article-writing/SKILL.md +79 -0
  52. package/dist/core/skills/builtin/automation-audit-ops/SKILL.md +142 -0
  53. package/dist/core/skills/builtin/autonomous-agent-harness/SKILL.md +273 -0
  54. package/dist/core/skills/builtin/autonomous-loops/SKILL.md +610 -0
  55. package/dist/core/skills/builtin/backend-patterns/SKILL.md +561 -0
  56. package/dist/core/skills/builtin/benchmark/SKILL.md +93 -0
  57. package/dist/core/skills/builtin/benchmark-optimization-loop/SKILL.md +69 -0
  58. package/dist/core/skills/builtin/blueprint/SKILL.md +105 -0
  59. package/dist/core/skills/builtin/browser-qa/SKILL.md +87 -0
  60. package/dist/core/skills/builtin/bun-runtime/SKILL.md +84 -0
  61. package/dist/core/skills/builtin/cisco-ios-patterns/SKILL.md +163 -0
  62. package/dist/core/skills/builtin/claude-devfleet/SKILL.md +111 -0
  63. package/dist/core/skills/builtin/click-path-audit/SKILL.md +244 -0
  64. package/dist/core/skills/builtin/clickhouse-io/SKILL.md +439 -0
  65. package/dist/core/skills/builtin/code-tour/SKILL.md +236 -0
  66. package/dist/core/skills/builtin/codebase-onboarding/SKILL.md +233 -0
  67. package/dist/core/skills/builtin/codehealth-mcp/SKILL.md +166 -0
  68. package/dist/core/skills/builtin/coding-standards/SKILL.md +550 -0
  69. package/dist/core/skills/builtin/compose-multiplatform-patterns/SKILL.md +299 -0
  70. package/dist/core/skills/builtin/config-gc/SKILL.md +119 -0
  71. package/dist/core/skills/builtin/content-hash-cache-pattern/SKILL.md +161 -0
  72. package/dist/core/skills/builtin/context-budget/SKILL.md +135 -0
  73. package/dist/core/skills/builtin/continuous-agent-loop/SKILL.md +45 -0
  74. package/dist/core/skills/builtin/continuous-learning/SKILL.md +131 -0
  75. package/dist/core/skills/builtin/continuous-learning/config.json +18 -0
  76. package/dist/core/skills/builtin/continuous-learning/evaluate-session.sh +69 -0
  77. package/dist/core/skills/builtin/continuous-learning-v2/SKILL.md +360 -0
  78. package/dist/core/skills/builtin/continuous-learning-v2/agents/observer-loop.sh +335 -0
  79. package/dist/core/skills/builtin/continuous-learning-v2/agents/observer.md +198 -0
  80. package/dist/core/skills/builtin/continuous-learning-v2/agents/session-guardian.sh +150 -0
  81. package/dist/core/skills/builtin/continuous-learning-v2/agents/start-observer.sh +248 -0
  82. package/dist/core/skills/builtin/continuous-learning-v2/config.json +8 -0
  83. package/dist/core/skills/builtin/continuous-learning-v2/hooks/observe.sh +498 -0
  84. package/dist/core/skills/builtin/continuous-learning-v2/scripts/detect-project.sh +322 -0
  85. package/dist/core/skills/builtin/continuous-learning-v2/scripts/instinct-cli.py +1914 -0
  86. package/dist/core/skills/builtin/continuous-learning-v2/scripts/lib/homunculus-dir.sh +31 -0
  87. package/dist/core/skills/builtin/continuous-learning-v2/scripts/migrate-homunculus.sh +62 -0
  88. package/dist/core/skills/builtin/continuous-learning-v2/scripts/test_parse_instinct.py +1045 -0
  89. package/dist/core/skills/builtin/cost-aware-llm-pipeline/SKILL.md +183 -0
  90. package/dist/core/skills/builtin/cost-tracking/SKILL.md +147 -0
  91. package/dist/core/skills/builtin/council/SKILL.md +203 -0
  92. package/dist/core/skills/builtin/cpp-coding-standards/SKILL.md +723 -0
  93. package/dist/core/skills/builtin/cpp-testing/SKILL.md +324 -0
  94. package/dist/core/skills/builtin/crosspost/SKILL.md +111 -0
  95. package/dist/core/skills/builtin/csharp-testing/SKILL.md +321 -0
  96. package/dist/core/skills/builtin/customs-trade-compliance/SKILL.md +263 -0
  97. package/dist/core/skills/builtin/dart-flutter-patterns/SKILL.md +563 -0
  98. package/dist/core/skills/builtin/dashboard-builder/SKILL.md +108 -0
  99. package/dist/core/skills/builtin/data-scraper-agent/SKILL.md +764 -0
  100. package/dist/core/skills/builtin/data-throughput-accelerator/SKILL.md +72 -0
  101. package/dist/core/skills/builtin/database-migrations/SKILL.md +429 -0
  102. package/dist/core/skills/builtin/deep-research/SKILL.md +159 -0
  103. package/dist/core/skills/builtin/defi-amm-security/SKILL.md +166 -0
  104. package/dist/core/skills/builtin/deployment-patterns/SKILL.md +427 -0
  105. package/dist/core/skills/builtin/design-system/SKILL.md +82 -0
  106. package/dist/core/skills/builtin/django-celery/SKILL.md +457 -0
  107. package/dist/core/skills/builtin/django-patterns/SKILL.md +734 -0
  108. package/dist/core/skills/builtin/django-security/SKILL.md +593 -0
  109. package/dist/core/skills/builtin/django-tdd/SKILL.md +729 -0
  110. package/dist/core/skills/builtin/django-verification/SKILL.md +469 -0
  111. package/dist/core/skills/builtin/dmux-workflows/SKILL.md +191 -0
  112. package/dist/core/skills/builtin/docker-patterns/SKILL.md +364 -0
  113. package/dist/core/skills/builtin/documentation-lookup/SKILL.md +90 -0
  114. package/dist/core/skills/builtin/dotnet-patterns/SKILL.md +321 -0
  115. package/dist/core/skills/builtin/dynamic-workflow-mode/SKILL.md +123 -0
  116. package/dist/core/skills/builtin/e2e-testing/SKILL.md +326 -0
  117. package/dist/core/skills/builtin/email-ops/SKILL.md +121 -0
  118. package/dist/core/skills/builtin/energy-procurement/SKILL.md +228 -0
  119. package/dist/core/skills/builtin/enterprise-agent-ops/SKILL.md +50 -0
  120. package/dist/core/skills/builtin/error-handling/SKILL.md +376 -0
  121. package/dist/core/skills/builtin/eval-harness/SKILL.md +270 -0
  122. package/dist/core/skills/builtin/evm-token-decimals/SKILL.md +130 -0
  123. package/dist/core/skills/builtin/exa-search/SKILL.md +107 -0
  124. package/dist/core/skills/builtin/fal-ai-media/SKILL.md +288 -0
  125. package/dist/core/skills/builtin/fastapi-patterns/SKILL.md +513 -0
  126. package/dist/core/skills/builtin/finance-billing-ops/SKILL.md +127 -0
  127. package/dist/core/skills/builtin/flox-environments/SKILL.md +496 -0
  128. package/dist/core/skills/builtin/flutter-dart-code-review/SKILL.md +435 -0
  129. package/dist/core/skills/builtin/foundation-models-on-device/SKILL.md +243 -0
  130. package/dist/core/skills/builtin/frontend-a11y/SKILL.md +445 -0
  131. package/dist/core/skills/builtin/frontend-design-direction/SKILL.md +92 -0
  132. package/dist/core/skills/builtin/frontend-patterns/SKILL.md +656 -0
  133. package/dist/core/skills/builtin/frontend-slides/SKILL.md +184 -0
  134. package/dist/core/skills/builtin/frontend-slides/STYLE_PRESETS.md +330 -0
  135. package/dist/core/skills/builtin/frontend-slides/animation-patterns.md +122 -0
  136. package/dist/core/skills/builtin/frontend-slides/html-template.md +419 -0
  137. package/dist/core/skills/builtin/frontend-slides/scripts/export-pdf.sh +418 -0
  138. package/dist/core/skills/builtin/frontend-slides/scripts/extract-pptx.py +96 -0
  139. package/dist/core/skills/builtin/frontend-slides/viewport-base.css +153 -0
  140. package/dist/core/skills/builtin/fsharp-testing/SKILL.md +280 -0
  141. package/dist/core/skills/builtin/gan-style-harness/SKILL.md +278 -0
  142. package/dist/core/skills/builtin/gateguard/SKILL.md +132 -0
  143. package/dist/core/skills/builtin/git-workflow/SKILL.md +715 -0
  144. package/dist/core/skills/builtin/github-ops/SKILL.md +144 -0
  145. package/dist/core/skills/builtin/golang-patterns/SKILL.md +674 -0
  146. package/dist/core/skills/builtin/golang-testing/SKILL.md +720 -0
  147. package/dist/core/skills/builtin/healthcare-cdss-patterns/SKILL.md +245 -0
  148. package/dist/core/skills/builtin/healthcare-emr-patterns/SKILL.md +159 -0
  149. package/dist/core/skills/builtin/healthcare-eval-harness/SKILL.md +207 -0
  150. package/dist/core/skills/builtin/healthcare-phi-compliance/SKILL.md +145 -0
  151. package/dist/core/skills/builtin/hermes-imports/SKILL.md +88 -0
  152. package/dist/core/skills/builtin/hexagonal-architecture/SKILL.md +276 -0
  153. package/dist/core/skills/builtin/hipaa-compliance/SKILL.md +78 -0
  154. package/dist/core/skills/builtin/hookify-rules/SKILL.md +128 -0
  155. package/dist/core/skills/builtin/inherit-legacy-style/SKILL.md +156 -0
  156. package/dist/core/skills/builtin/intent-driven-development/SKILL.md +360 -0
  157. package/dist/core/skills/builtin/inventory-demand-planning/SKILL.md +247 -0
  158. package/dist/core/skills/builtin/ios-icon-gen/SKILL.md +157 -0
  159. package/dist/core/skills/builtin/ios-icon-gen/scripts/generate_icons.swift +258 -0
  160. package/dist/core/skills/builtin/ios-icon-gen/scripts/iconify_gen.sh +235 -0
  161. package/dist/core/skills/builtin/iterative-retrieval/SKILL.md +211 -0
  162. package/dist/core/skills/builtin/java-coding-standards/SKILL.md +383 -0
  163. package/dist/core/skills/builtin/jira-integration/SKILL.md +302 -0
  164. package/dist/core/skills/builtin/jpa-patterns/SKILL.md +151 -0
  165. package/dist/core/skills/builtin/knowledge-ops/SKILL.md +154 -0
  166. package/dist/core/skills/builtin/kotlin-coroutines-flows/SKILL.md +284 -0
  167. package/dist/core/skills/builtin/kotlin-exposed-patterns/SKILL.md +719 -0
  168. package/dist/core/skills/builtin/kotlin-ktor-patterns/SKILL.md +689 -0
  169. package/dist/core/skills/builtin/kotlin-patterns/SKILL.md +711 -0
  170. package/dist/core/skills/builtin/kotlin-testing/SKILL.md +824 -0
  171. package/dist/core/skills/builtin/kubernetes-patterns/SKILL.md +755 -0
  172. package/dist/core/skills/builtin/laravel-patterns/SKILL.md +415 -0
  173. package/dist/core/skills/builtin/laravel-plugin-discovery/SKILL.md +229 -0
  174. package/dist/core/skills/builtin/laravel-security/SKILL.md +947 -0
  175. package/dist/core/skills/builtin/laravel-tdd/SKILL.md +674 -0
  176. package/dist/core/skills/builtin/laravel-verification/SKILL.md +179 -0
  177. package/dist/core/skills/builtin/latency-critical-systems/SKILL.md +73 -0
  178. package/dist/core/skills/builtin/lead-intelligence/SKILL.md +321 -0
  179. package/dist/core/skills/builtin/lead-intelligence/agents/enrichment-agent.md +85 -0
  180. package/dist/core/skills/builtin/lead-intelligence/agents/mutual-mapper.md +75 -0
  181. package/dist/core/skills/builtin/lead-intelligence/agents/outreach-drafter.md +98 -0
  182. package/dist/core/skills/builtin/lead-intelligence/agents/signal-scorer.md +60 -0
  183. package/dist/core/skills/builtin/liquid-glass-design/SKILL.md +279 -0
  184. package/dist/core/skills/builtin/llm-trading-agent-security/SKILL.md +146 -0
  185. package/dist/core/skills/builtin/logistics-exception-management/SKILL.md +222 -0
  186. package/dist/core/skills/builtin/make-interfaces-feel-better/SKILL.md +151 -0
  187. package/dist/core/skills/builtin/market-research/SKILL.md +75 -0
  188. package/dist/core/skills/builtin/marketing-campaign/SKILL.md +113 -0
  189. package/dist/core/skills/builtin/mcp-server-patterns/SKILL.md +69 -0
  190. package/dist/core/skills/builtin/messages-ops/SKILL.md +104 -0
  191. package/dist/core/skills/builtin/mle-workflow/SKILL.md +346 -0
  192. package/dist/core/skills/builtin/motion-advanced/SKILL.md +596 -0
  193. package/dist/core/skills/builtin/motion-foundations/SKILL.md +299 -0
  194. package/dist/core/skills/builtin/motion-patterns/SKILL.md +434 -0
  195. package/dist/core/skills/builtin/motion-ui/SKILL.md +575 -0
  196. package/dist/core/skills/builtin/mysql-patterns/SKILL.md +412 -0
  197. package/dist/core/skills/builtin/nanoclaw-repl/SKILL.md +33 -0
  198. package/dist/core/skills/builtin/nestjs-patterns/SKILL.md +230 -0
  199. package/dist/core/skills/builtin/netmiko-ssh-automation/SKILL.md +173 -0
  200. package/dist/core/skills/builtin/network-bgp-diagnostics/SKILL.md +167 -0
  201. package/dist/core/skills/builtin/network-config-validation/SKILL.md +210 -0
  202. package/dist/core/skills/builtin/network-interface-health/SKILL.md +152 -0
  203. package/dist/core/skills/builtin/nextjs-turbopack/SKILL.md +57 -0
  204. package/dist/core/skills/builtin/nodejs-keccak256/SKILL.md +102 -0
  205. package/dist/core/skills/builtin/nutrient-document-processing/SKILL.md +167 -0
  206. package/dist/core/skills/builtin/nuxt4-patterns/SKILL.md +100 -0
  207. package/dist/core/skills/builtin/openclaw-persona-forge/SKILL.md +288 -0
  208. package/dist/core/skills/builtin/openclaw-persona-forge/gacha.py +224 -0
  209. package/dist/core/skills/builtin/openclaw-persona-forge/gacha.sh +5 -0
  210. package/dist/core/skills/builtin/openclaw-persona-forge/references/avatar-style.md +124 -0
  211. package/dist/core/skills/builtin/openclaw-persona-forge/references/boundary-rules.md +53 -0
  212. package/dist/core/skills/builtin/openclaw-persona-forge/references/error-handling.md +53 -0
  213. package/dist/core/skills/builtin/openclaw-persona-forge/references/identity-tension.md +48 -0
  214. package/dist/core/skills/builtin/openclaw-persona-forge/references/naming-system.md +39 -0
  215. package/dist/core/skills/builtin/openclaw-persona-forge/references/output-template.md +166 -0
  216. package/dist/core/skills/builtin/opensource-pipeline/SKILL.md +255 -0
  217. package/dist/core/skills/builtin/orch-add-feature/SKILL.md +44 -0
  218. package/dist/core/skills/builtin/orch-build-mvp/SKILL.md +48 -0
  219. package/dist/core/skills/builtin/orch-change-feature/SKILL.md +42 -0
  220. package/dist/core/skills/builtin/orch-fix-defect/SKILL.md +42 -0
  221. package/dist/core/skills/builtin/orch-pipeline/SKILL.md +120 -0
  222. package/dist/core/skills/builtin/orch-refine-code/SKILL.md +43 -0
  223. package/dist/core/skills/builtin/parallel-execution-optimizer/SKILL.md +72 -0
  224. package/dist/core/skills/builtin/perl-patterns/SKILL.md +504 -0
  225. package/dist/core/skills/builtin/perl-security/SKILL.md +503 -0
  226. package/dist/core/skills/builtin/perl-testing/SKILL.md +475 -0
  227. package/dist/core/skills/builtin/plan-orchestrate/SKILL.md +262 -0
  228. package/dist/core/skills/builtin/plankton-code-quality/SKILL.md +236 -0
  229. package/dist/core/skills/builtin/postgres-patterns/SKILL.md +147 -0
  230. package/dist/core/skills/builtin/prediction-market-oracle-research/SKILL.md +63 -0
  231. package/dist/core/skills/builtin/prediction-market-risk-review/SKILL.md +60 -0
  232. package/dist/core/skills/builtin/prisma-patterns/SKILL.md +371 -0
  233. package/dist/core/skills/builtin/product-capability/SKILL.md +141 -0
  234. package/dist/core/skills/builtin/product-lens/SKILL.md +92 -0
  235. package/dist/core/skills/builtin/production-audit/SKILL.md +206 -0
  236. package/dist/core/skills/builtin/production-scheduling/SKILL.md +238 -0
  237. package/dist/core/skills/builtin/prompt-optimizer/SKILL.md +398 -0
  238. package/dist/core/skills/builtin/python-patterns/SKILL.md +750 -0
  239. package/dist/core/skills/builtin/python-testing/SKILL.md +816 -0
  240. package/dist/core/skills/builtin/pytorch-patterns/SKILL.md +396 -0
  241. package/dist/core/skills/builtin/quality-nonconformance/SKILL.md +260 -0
  242. package/dist/core/skills/builtin/quarkus-patterns/SKILL.md +722 -0
  243. package/dist/core/skills/builtin/quarkus-security/SKILL.md +467 -0
  244. package/dist/core/skills/builtin/quarkus-tdd/SKILL.md +811 -0
  245. package/dist/core/skills/builtin/quarkus-verification/SKILL.md +479 -0
  246. package/dist/core/skills/builtin/ralphinho-rfc-pipeline/SKILL.md +67 -0
  247. package/dist/core/skills/builtin/react-patterns/SKILL.md +341 -0
  248. package/dist/core/skills/builtin/react-performance/SKILL.md +574 -0
  249. package/dist/core/skills/builtin/react-testing/SKILL.md +423 -0
  250. package/dist/core/skills/builtin/recsys-pipeline-architect/SKILL.md +114 -0
  251. package/dist/core/skills/builtin/recursive-decision-ledger/SKILL.md +79 -0
  252. package/dist/core/skills/builtin/redis-patterns/SKILL.md +403 -0
  253. package/dist/core/skills/builtin/regex-vs-llm-structured-text/SKILL.md +220 -0
  254. package/dist/core/skills/builtin/repo-scan/SKILL.md +78 -0
  255. package/dist/core/skills/builtin/research-ops/SKILL.md +112 -0
  256. package/dist/core/skills/builtin/returns-reverse-logistics/SKILL.md +240 -0
  257. package/dist/core/skills/builtin/rules-distill/SKILL.md +264 -0
  258. package/dist/core/skills/builtin/rules-distill/scripts/scan-rules.sh +58 -0
  259. package/dist/core/skills/builtin/rules-distill/scripts/scan-skills.sh +129 -0
  260. package/dist/core/skills/builtin/rust-patterns/SKILL.md +499 -0
  261. package/dist/core/skills/builtin/rust-testing/SKILL.md +500 -0
  262. package/dist/core/skills/builtin/safety-guard/SKILL.md +75 -0
  263. package/dist/core/skills/builtin/santa-method/SKILL.md +306 -0
  264. package/dist/core/skills/builtin/scientific-db-pubmed-database/SKILL.md +175 -0
  265. package/dist/core/skills/builtin/scientific-db-uspto-database/SKILL.md +177 -0
  266. package/dist/core/skills/builtin/scientific-pkg-gget/SKILL.md +166 -0
  267. package/dist/core/skills/builtin/scientific-thinking-literature-review/SKILL.md +192 -0
  268. package/dist/core/skills/builtin/scientific-thinking-scholar-evaluation/SKILL.md +160 -0
  269. package/dist/core/skills/builtin/search-first/SKILL.md +182 -0
  270. package/dist/core/skills/builtin/security-bounty-hunter/SKILL.md +99 -0
  271. package/dist/core/skills/builtin/security-review/SKILL.md +503 -0
  272. package/dist/core/skills/builtin/security-review/cloud-infrastructure-security.md +361 -0
  273. package/dist/core/skills/builtin/security-scan/SKILL.md +165 -0
  274. package/dist/core/skills/builtin/seo/SKILL.md +154 -0
  275. package/dist/core/skills/builtin/skill-comply/SKILL.md +58 -0
  276. package/dist/core/skills/builtin/skill-comply/fixtures/compliant_trace.jsonl +5 -0
  277. package/dist/core/skills/builtin/skill-comply/fixtures/noncompliant_trace.jsonl +3 -0
  278. package/dist/core/skills/builtin/skill-comply/fixtures/tdd_spec.yaml +44 -0
  279. package/dist/core/skills/builtin/skill-comply/prompts/classifier.md +24 -0
  280. package/dist/core/skills/builtin/skill-comply/prompts/scenario_generator.md +62 -0
  281. package/dist/core/skills/builtin/skill-comply/prompts/spec_generator.md +42 -0
  282. package/dist/core/skills/builtin/skill-comply/pyproject.toml +15 -0
  283. package/dist/core/skills/builtin/skill-comply/scripts/__init__.py +0 -0
  284. package/dist/core/skills/builtin/skill-comply/scripts/classifier.py +85 -0
  285. package/dist/core/skills/builtin/skill-comply/scripts/grader.py +124 -0
  286. package/dist/core/skills/builtin/skill-comply/scripts/parser.py +107 -0
  287. package/dist/core/skills/builtin/skill-comply/scripts/report.py +170 -0
  288. package/dist/core/skills/builtin/skill-comply/scripts/run.py +127 -0
  289. package/dist/core/skills/builtin/skill-comply/scripts/runner.py +186 -0
  290. package/dist/core/skills/builtin/skill-comply/scripts/scenario_generator.py +70 -0
  291. package/dist/core/skills/builtin/skill-comply/scripts/spec_generator.py +72 -0
  292. package/dist/core/skills/builtin/skill-comply/scripts/utils.py +13 -0
  293. package/dist/core/skills/builtin/skill-comply/tests/test_grader.py +197 -0
  294. package/dist/core/skills/builtin/skill-comply/tests/test_parser.py +90 -0
  295. package/dist/core/skills/builtin/skill-comply/tests/test_runner.py +172 -0
  296. package/dist/core/skills/builtin/skill-scout/SKILL.md +140 -0
  297. package/dist/core/skills/builtin/skill-stocktake/SKILL.md +194 -0
  298. package/dist/core/skills/builtin/skill-stocktake/scripts/quick-diff.sh +87 -0
  299. package/dist/core/skills/builtin/skill-stocktake/scripts/save-results.sh +56 -0
  300. package/dist/core/skills/builtin/skill-stocktake/scripts/scan.sh +170 -0
  301. package/dist/core/skills/builtin/springboot-patterns/SKILL.md +314 -0
  302. package/dist/core/skills/builtin/springboot-security/SKILL.md +272 -0
  303. package/dist/core/skills/builtin/springboot-tdd/SKILL.md +158 -0
  304. package/dist/core/skills/builtin/springboot-verification/SKILL.md +231 -0
  305. package/dist/core/skills/builtin/strategic-compact/SKILL.md +135 -0
  306. package/dist/core/skills/builtin/swift-actor-persistence/SKILL.md +143 -0
  307. package/dist/core/skills/builtin/swift-concurrency-6-2/SKILL.md +216 -0
  308. package/dist/core/skills/builtin/swift-protocol-di-testing/SKILL.md +190 -0
  309. package/dist/core/skills/builtin/swiftui-patterns/SKILL.md +259 -0
  310. package/dist/core/skills/builtin/tdd-workflow/SKILL.md +463 -0
  311. package/dist/core/skills/builtin/team-agent-orchestration/SKILL.md +110 -0
  312. package/dist/core/skills/builtin/team-builder/SKILL.md +168 -0
  313. package/dist/core/skills/builtin/terminal-ops/SKILL.md +109 -0
  314. package/dist/core/skills/builtin/tinystruct-patterns/SKILL.md +203 -0
  315. package/dist/core/skills/builtin/tinystruct-patterns/references/architecture.md +90 -0
  316. package/dist/core/skills/builtin/tinystruct-patterns/references/data-handling.md +60 -0
  317. package/dist/core/skills/builtin/tinystruct-patterns/references/database.md +99 -0
  318. package/dist/core/skills/builtin/tinystruct-patterns/references/routing.md +64 -0
  319. package/dist/core/skills/builtin/tinystruct-patterns/references/system-usage.md +97 -0
  320. package/dist/core/skills/builtin/tinystruct-patterns/references/testing.md +72 -0
  321. package/dist/core/skills/builtin/token-budget-advisor/SKILL.md +133 -0
  322. package/dist/core/skills/builtin/ui-demo/SKILL.md +465 -0
  323. package/dist/core/skills/builtin/ui-to-vue/SKILL.md +134 -0
  324. package/dist/core/skills/builtin/uncloud/SKILL.md +343 -0
  325. package/dist/core/skills/builtin/unified-notifications-ops/SKILL.md +187 -0
  326. package/dist/core/skills/builtin/verification-loop/SKILL.md +126 -0
  327. package/dist/core/skills/builtin/video-editing/SKILL.md +310 -0
  328. package/dist/core/skills/builtin/videodb/SKILL.md +374 -0
  329. package/dist/core/skills/builtin/videodb/reference/api-reference.md +550 -0
  330. package/dist/core/skills/builtin/videodb/reference/capture-reference.md +407 -0
  331. package/dist/core/skills/builtin/videodb/reference/capture.md +101 -0
  332. package/dist/core/skills/builtin/videodb/reference/editor.md +443 -0
  333. package/dist/core/skills/builtin/videodb/reference/generative.md +331 -0
  334. package/dist/core/skills/builtin/videodb/reference/rtstream-reference.md +564 -0
  335. package/dist/core/skills/builtin/videodb/reference/rtstream.md +65 -0
  336. package/dist/core/skills/builtin/videodb/reference/search.md +230 -0
  337. package/dist/core/skills/builtin/videodb/reference/streaming.md +406 -0
  338. package/dist/core/skills/builtin/videodb/reference/use-cases.md +118 -0
  339. package/dist/core/skills/builtin/videodb/scripts/ws_listener.py +282 -0
  340. package/dist/core/skills/builtin/visa-doc-translate/README.md +86 -0
  341. package/dist/core/skills/builtin/visa-doc-translate/SKILL.md +117 -0
  342. package/dist/core/skills/builtin/vite-patterns/SKILL.md +449 -0
  343. package/dist/core/skills/builtin/windows-desktop-e2e/SKILL.md +887 -0
  344. package/dist/core/skills/builtin/x-api/SKILL.md +234 -0
  345. package/dist/core/skills/loader.js +11 -0
  346. package/dist/core/skills/loader.js.map +1 -1
  347. package/package.json +1 -1
@@ -0,0 +1,947 @@
1
+ ---
2
+ name: laravel-security
3
+ description: [ECC] Laravel security best practices — authentication, authorization, Eloquent safety, CSRF, XSS prevention, API security, and secure deployment configurations.
4
+ origin: ECC
5
+ ---
6
+
7
+ # Laravel Security Best Practices
8
+
9
+ Comprehensive security guidelines for Laravel applications to protect against common vulnerabilities.
10
+
11
+ ## When to Activate
12
+
13
+ - Setting up Laravel authentication and authorization (Sanctum, Passport, Jetstream, Breeze)
14
+ - Implementing user roles, permissions, and policies
15
+ - Configuring production security settings and environment variables
16
+ - Reviewing Laravel applications for security vulnerabilities
17
+ - Deploying Laravel applications to production
18
+ - Writing secure Eloquent queries and migrations
19
+
20
+ ## Production Configuration
21
+
22
+ ### Essential Production Settings
23
+
24
+ ```php
25
+ // config/app.php
26
+ 'env' => env('APP_ENV', 'production'),
27
+ 'debug' => (bool) env('APP_DEBUG', false), // CRITICAL: Never true in production
28
+ 'key' => env('APP_KEY'), // Must be set: php artisan key:generate
29
+
30
+ // config/session.php
31
+ 'secure' => env('SESSION_SECURE_COOKIE', true),
32
+ 'http_only' => true,
33
+ 'same_site' => 'lax',
34
+
35
+ // Verify APP_KEY is set at boot
36
+ // bootstrap/app.php or a service provider
37
+ if (empty(config('app.key'))) {
38
+ throw new RuntimeException('APP_KEY is not set. Run: php artisan key:generate');
39
+ }
40
+ ```
41
+
42
+ ### Environment File Security
43
+
44
+ ```bash
45
+ # NEVER commit .env to version control
46
+ # .gitignore already includes .env by default
47
+
48
+ # Use .env.example with placeholders instead
49
+ DB_PASSWORD=
50
+ APP_KEY=
51
+ SANCTUM_TOKEN_PREFIX=
52
+
53
+ # Validate required variables at boot
54
+ // In AppServiceProvider::boot()
55
+ $requiredKeys = ['app.key', 'database.connections.mysql.database', 'database.connections.mysql.username'];
56
+ foreach ($requiredKeys as $key) {
57
+ if (empty(config($key))) {
58
+ throw new RuntimeException("Missing required config key: {$key}");
59
+ }
60
+ }
61
+ ```
62
+
63
+ ### HTTPS Enforcement
64
+
65
+ ```php
66
+ // AppServiceProvider::boot() or middleware
67
+ if (app()->environment('production')) {
68
+ URL::forceScheme('https');
69
+ request()->server->set('HTTPS', 'on');
70
+ }
71
+
72
+ // config/app.php for trusted proxies (load balancers)
73
+ // Use specific IP ranges — * trusts all, allowing X-Forwarded-* spoofing
74
+ // AWS: '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
75
+ 'trusted_proxies' => ['10.0.0.0/8', '172.16.0.0/12'],
76
+
77
+ // Force HTTPS in production via middleware
78
+ // app/Http/Middleware/ForceHttps.php
79
+ public function handle($request, Closure $next)
80
+ {
81
+ if (!$request->secure() && app()->environment('production')) {
82
+ return redirect()->secure($request->getRequestUri());
83
+ }
84
+ return $next($request);
85
+ }
86
+ ```
87
+
88
+ ## Authentication
89
+
90
+ ### Sanctum (API Token Authentication)
91
+
92
+ ```php
93
+ // config/sanctum.php
94
+ 'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
95
+ '%s%s',
96
+ 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
97
+ env('APP_URL') ? ',' . parse_url(env('APP_URL'), PHP_URL_HOST) : ''
98
+ )));
99
+
100
+ 'expiration' => 60 * 24, // Token expiration in minutes (null = never)
101
+ 'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
102
+
103
+ // Issuing tokens with abilities
104
+ $token = $user->createToken('api-token', ['read', 'write'])->plainTextToken;
105
+
106
+ // Validate abilities on routes
107
+ Route::middleware('auth:sanctum')->group(function () {
108
+ Route::get('/orders', function () {
109
+ // User must have 'read' ability
110
+ abort_unless(Auth::user()->tokenCan('read'), 403);
111
+ // ...
112
+ })->middleware('abilities:read');
113
+
114
+ Route::post('/orders', function () {
115
+ // User must have 'write' ability
116
+ abort_unless(Auth::user()->tokenCan('write'), 403);
117
+ // ...
118
+ })->middleware('abilities:write');
119
+ });
120
+ ```
121
+
122
+ ### Password Security
123
+
124
+ ```php
125
+ // config/hashing.php
126
+ // Default is bcrypt. Argon2id is stronger.
127
+ 'bcrypt' => [
128
+ 'rounds' => env('BCRYPT_ROUNDS', 12), // Increase for stronger hashing
129
+ ],
130
+
131
+ 'argon' => [
132
+ 'memory' => 65536,
133
+ 'threads' => 4,
134
+ 'time' => 4,
135
+ ],
136
+
137
+ // Password validation in RegisterRequest
138
+ public function rules(): array
139
+ {
140
+ return [
141
+ 'password' => [
142
+ 'required',
143
+ 'confirmed',
144
+ Password::min(12)
145
+ ->letters()
146
+ ->mixedCase()
147
+ ->numbers()
148
+ ->symbols()
149
+ ->uncompromised(), // Checks haveibeenpwned
150
+ ],
151
+ ];
152
+ }
153
+
154
+ // Rate limit login attempts
155
+ // App\Http\Controllers\Auth\AuthenticatedSessionController
156
+ protected function authenticated(Request $request, $user)
157
+ {
158
+ if ($user->wasRecentlyLockedOut()) {
159
+ // Notify user of suspicious login
160
+ $user->notify(new SuspiciousLoginNotification($request->ip()));
161
+ }
162
+ }
163
+ ```
164
+
165
+ ### Session Management
166
+
167
+ ```php
168
+ // config/session.php
169
+ 'driver' => env('SESSION_DRIVER', 'database'), // database/redis > file
170
+ 'lifetime' => env('SESSION_LIFETIME', 120),
171
+ 'expire_on_close' => env('SESSION_EXPIRE_ON_CLOSE', false),
172
+ 'encrypt' => env('SESSION_ENCRYPT', false),
173
+
174
+ // Regenerate session on login
175
+ // App\Http\Controllers\Auth\AuthenticatedSessionController
176
+ public function store(LoginRequest $request): RedirectResponse
177
+ {
178
+ $request->authenticate();
179
+ $request->session()->regenerate(); // CRITICAL: prevents session fixation
180
+ return redirect()->intended(RouteServiceProvider::HOME);
181
+ }
182
+
183
+ // Invalidate session on logout
184
+ public function destroy(Request $request): RedirectResponse
185
+ {
186
+ Auth::guard('web')->logout();
187
+ $request->session()->invalidate();
188
+ $request->session()->regenerateToken();
189
+ return redirect('/');
190
+ }
191
+ ```
192
+
193
+ ## Authorization
194
+
195
+ ### Gates
196
+
197
+ ```php
198
+ // App\Providers\AuthServiceProvider
199
+ use App\Models\Post;
200
+ use App\Models\User;
201
+ use Illuminate\Support\Facades\Gate;
202
+
203
+ public function boot(): void
204
+ {
205
+ Gate::define('update-post', function (User $user, Post $post): bool {
206
+ return $user->id === $post->user_id;
207
+ });
208
+
209
+ Gate::define('publish-post', function (User $user): bool {
210
+ return $user->role === 'editor' || $user->role === 'admin';
211
+ });
212
+
213
+ // Using before() for super-admin override
214
+ Gate::before(function (User $user, string $ability): ?bool {
215
+ if ($user->role === 'super-admin') {
216
+ return true; // Grants all abilities
217
+ }
218
+ return null; // Fall through to normal checks
219
+ });
220
+ }
221
+
222
+ // Usage in controllers
223
+ public function update(Request $request, Post $post): RedirectResponse
224
+ {
225
+ Gate::authorize('update-post', $post);
226
+ // Or: $this->authorize('update-post', $post);
227
+ // Or: abort_unless(Auth::user()->can('update-post', $post), 403);
228
+ // ...
229
+ }
230
+ ```
231
+
232
+ ### Policies
233
+
234
+ ```php
235
+ // App\Policies\PostPolicy
236
+ class PostPolicy
237
+ {
238
+ use HandlesAuthorization;
239
+
240
+ public function viewAny(?User $user): bool
241
+ {
242
+ return true; // Public listing
243
+ }
244
+
245
+ public function view(?User $user, Post $post): bool
246
+ {
247
+ return $post->is_published || ($user && $user->id === $post->user_id);
248
+ }
249
+
250
+ public function create(User $user): bool
251
+ {
252
+ return $user->hasVerifiedEmail(); // Must verify email first
253
+ }
254
+
255
+ public function update(User $user, Post $post): bool
256
+ {
257
+ return $user->id === $post->user_id;
258
+ }
259
+
260
+ public function delete(User $user, Post $post): bool
261
+ {
262
+ return $user->id === $post->user_id && $post->created_at->diffInDays(now()) <= 30;
263
+ }
264
+
265
+ public function restore(User $user, Post $post): bool
266
+ {
267
+ return $user->role === 'admin';
268
+ }
269
+
270
+ public function forceDelete(User $user, Post $post): bool
271
+ {
272
+ return $user->role === 'super-admin';
273
+ }
274
+ }
275
+
276
+ // Register in AuthServiceProvider
277
+ protected $policies = [
278
+ Post::class => PostPolicy::class,
279
+ ];
280
+
281
+ // Controller usage
282
+ public function show(Post $post): View
283
+ {
284
+ $this->authorize('view', $post);
285
+ return view('posts.show', compact('post'));
286
+ }
287
+
288
+ // Blade usage
289
+ @can('update', $post)
290
+ <a href="{{ route('posts.edit', $post) }}">Edit</a>
291
+ @endcan
292
+
293
+ @cannot('update', $post)
294
+ <span>You cannot edit this post</span>
295
+ @endcannot
296
+ ```
297
+
298
+ ### Middleware Authorization
299
+
300
+ ```php
301
+ // Using middleware in routes
302
+ Route::put('/posts/{post}', [PostController::class, 'update'])
303
+ ->middleware('can:update,post');
304
+
305
+ Route::get('/posts/create', [PostController::class, 'create'])
306
+ ->middleware('can:create,App\Models\Post');
307
+
308
+ // Custom authorization middleware
309
+ // app/Http/Middleware/CheckRole.php
310
+ class CheckRole
311
+ {
312
+ public function handle(Request $request, Closure $next, string $role): mixed
313
+ {
314
+ if (!$request->user() || $request->user()->role !== $role) {
315
+ abort(403, 'Unauthorized. This area requires role: ' . $role);
316
+ }
317
+ return $next($request);
318
+ }
319
+ }
320
+
321
+ // Register in Kernel
322
+ protected $routeMiddleware = [
323
+ 'role' => \App\Http\Middleware\CheckRole::class,
324
+ ];
325
+
326
+ // Route usage
327
+ Route::middleware(['auth', 'role:admin'])->group(function () {
328
+ Route::get('/admin', [AdminController::class, 'index']);
329
+ });
330
+ ```
331
+
332
+ ## Eloquent Security
333
+
334
+ ### Mass Assignment Protection
335
+
336
+ ```php
337
+ // BAD: $guarded = [] allows ALL columns to be mass-assigned
338
+ // NEVER use $guarded = [] in production
339
+
340
+ // GOOD: Whitelist fillable attributes
341
+ final class User extends Authenticatable
342
+ {
343
+ protected $fillable = [
344
+ 'name',
345
+ 'email',
346
+ 'phone',
347
+ 'avatar',
348
+ ];
349
+ // NEVER add 'role', 'is_admin', 'is_verified' here
350
+ }
351
+
352
+ // GOOD: Explicitly control which fields can be filled in requests
353
+ public function store(StoreUserRequest $request): RedirectResponse
354
+ {
355
+ $user = User::create($request->safe()->only([
356
+ 'name', 'email', 'phone', 'avatar'
357
+ ]));
358
+ // $request->safe() uses validated data only
359
+ // $request->only() is NOT safe on its own without validation rules
360
+ }
361
+
362
+ // BAD: Creating a user with request data directly
363
+ User::create($request->all()); // VULNERABLE to mass assignment!
364
+
365
+ // BETTER: Use DTOs for creation
366
+ $user = User::create($request->validated()); // Only validated fields
367
+ ```
368
+
369
+ ### SQL Injection Prevention
370
+
371
+ ```php
372
+ // GOOD: Eloquent automatically parameterizes queries
373
+ User::where('email', $userInput)->first();
374
+ User::whereRaw('email = ?', [$userInput])->first();
375
+
376
+ // GOOD: Query Builder also parameterizes
377
+ DB::table('users')->where('email', $userInput)->first();
378
+ DB::select('SELECT * FROM users WHERE email = ?', [$userInput]);
379
+
380
+ // BAD: Raw string interpolation
381
+ DB::select("SELECT * FROM users WHERE email = '{$userInput}'"); // VULNERABLE!
382
+ User::whereRaw("email = '{$userInput}'")->first(); // VULNERABLE!
383
+
384
+ // BAD: whereRaw/orderByRaw with unescaped input
385
+ User::orderByRaw($userInput); // VULNERABLE!
386
+ User::groupByRaw($userInput); // VULNERABLE!
387
+
388
+ // BAD: DB::statement with concatenation
389
+ DB::statement("INSERT INTO users (email) VALUES ('{$userInput}')"); // VULNERABLE!
390
+ ```
391
+
392
+ ### Attribute Casting
393
+
394
+ ```php
395
+ final class User extends Authenticatable
396
+ {
397
+ protected $casts = [
398
+ 'email_verified_at' => 'datetime',
399
+ 'is_admin' => 'boolean', // Cast to boolean prevents string injection
400
+ 'settings' => 'array', // Automatically json_encode/json_decode
401
+ 'metadata' => 'encrypted:array', // Laravel 11+ encrypted casting
402
+ 'password' => 'hashed', // Laravel 10+ auto-hashes on set
403
+ ];
404
+ }
405
+ ```
406
+
407
+ ### Model Security
408
+
409
+ ```php
410
+ final class User extends Authenticatable
411
+ {
412
+ // Hide sensitive attributes from JSON/API responses
413
+ protected $hidden = [
414
+ 'password',
415
+ 'remember_token',
416
+ 'two_factor_secret',
417
+ 'two_factor_recovery_codes',
418
+ ];
419
+
420
+ // Append only safe computed attributes
421
+ protected $appends = ['full_name']; // safe
422
+ // NEVER append sensitive computed data
423
+ }
424
+
425
+ final class Post extends Model
426
+ {
427
+ // Global scope to filter soft deleted records
428
+ use SoftDeletes;
429
+
430
+ // Prevent N+1 by restricting lazy loading (optional strict mode)
431
+ // AppServiceProvider::boot()
432
+ // Model::preventLazyLoading(!app()->isProduction());
433
+ }
434
+ ```
435
+
436
+ ## CSRF Protection
437
+
438
+ ### Default Protection
439
+
440
+ ```php
441
+ // Laravel CSRF is enabled by default via VerifyCsrfToken middleware
442
+ // app/Http/Kernel.php (protected $middlewareGroups['web'])
443
+
444
+ // All POST/PUT/PATCH/DELETE forms must include @csrf
445
+ <form method="POST" action="/posts">
446
+ @csrf
447
+ <input type="text" name="title">
448
+ <button type="submit">Create</button>
449
+ </form>
450
+ ```
451
+
452
+ ### Excluding Routes (Carefully)
453
+
454
+ ```php
455
+ // app/Http/Middleware/VerifyCsrfToken.php
456
+ class VerifyCsrfToken extends Middleware
457
+ {
458
+ // Only exclude routes that have external CSRF protection (webhooks, etc.)
459
+ protected $except = [
460
+ 'stripe/*', // Stripe webhooks use their own signature verification
461
+ // Avoid blanket 'api/*' — stateful Sanctum routes need CSRF.
462
+ // Exclude only specific stateless webhook/endpoint routes.
463
+ ];
464
+ }
465
+ ```
466
+
467
+ ### CSRF with JavaScript
468
+
469
+ ```html
470
+ <meta name="csrf-token" content="{{ csrf_token() }}">
471
+
472
+ <script>
473
+ // Axios example (Laravel ships with Axios)
474
+ axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector(
475
+ 'meta[name="csrf-token"]'
476
+ ).getAttribute('content');
477
+
478
+ // Fetch example
479
+ fetch('/posts', {
480
+ method: 'POST',
481
+ headers: {
482
+ 'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').getAttribute('content'),
483
+ 'Content-Type': 'application/json',
484
+ },
485
+ body: JSON.stringify(data),
486
+ });
487
+ </script>
488
+ ```
489
+
490
+ ## XSS Prevention
491
+
492
+ ### Blade Templating Security
493
+
494
+ ```blade
495
+ {{-- SAFE: Auto-escaped by Blade --}}
496
+ {{ $userInput }}
497
+
498
+ {{-- DANGEROUS: Raw output — NEVER use with user input --}}
499
+ {!! $userInput !!}
500
+
501
+ {{-- SAFE: Only use {!! !!} with trusted content you control --}}
502
+ {!! $trustedHtmlFromYourServer !!}
503
+
504
+ {{-- GOOD: Use specific escaping directives --}}
505
+ @js($data) {{-- JSON encode for JavaScript --}}
506
+ @json($data) {{-- JSON encode in templates --}}
507
+
508
+ {{-- BAD: Direct user input in raw HTML --}}
509
+ <div>{!! $user->bio !!}</div> {{-- VULNERABLE if user provides bio --}}
510
+ ```
511
+
512
+ ### Safe HTML Handling
513
+
514
+ ```php
515
+ // When you must allow some HTML, use a whitelist approach
516
+ use HTMLPurifier; // Requires: composer require ezyang/htmlpurifier
517
+
518
+ public function sanitizeHtml(string $dirty): string
519
+ {
520
+ $config = \HTMLPurifier_Config::createDefault();
521
+ $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
522
+ $config->set('URI.AllowedSchemes', ['http', 'https', 'mailto']);
523
+ $purifier = new \HTMLPurifier($config);
524
+ return $purifier->purify($dirty);
525
+ }
526
+
527
+ // In blade:
528
+ <div>{!! $sanitizedContent !!}</div> {{-- Safe after purification --}}
529
+ ```
530
+
531
+ ### JavaScript Context Escaping
532
+
533
+ ```blade
534
+ {{-- SAFE: Blade @js escapes for JavaScript context --}}
535
+ <script>
536
+ const user = @js($user); // JSON + escaped for JS context
537
+ const settings = @json($settings); // Direct JSON encode
538
+ </script>
539
+
540
+ {{-- DANGEROUS: Manual JSON in JS context --}}
541
+ <script>
542
+ const user = {{ json_encode($user) }}; // NOT escaped for JS!
543
+ </script>
544
+ ```
545
+
546
+ ### HTTP Headers for XSS Protection
547
+
548
+ ```php
549
+ // App\Http\Middleware\SecurityHeaders.php
550
+ class SecurityHeaders
551
+ {
552
+ public function handle(Request $request, Closure $next): mixed
553
+ {
554
+ $response = $next($request);
555
+
556
+ $response->headers->set('X-Content-Type-Options', 'nosniff');
557
+ $response->headers->set('X-Frame-Options', 'DENY');
558
+ $response->headers->set('X-XSS-Protection', '1; mode=block');
559
+ $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
560
+ $response->headers->set(
561
+ 'Content-Security-Policy',
562
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
563
+ );
564
+
565
+ return $response;
566
+ }
567
+ }
568
+
569
+ // Register in kernel
570
+ protected $middleware = [
571
+ \App\Http\Middleware\SecurityHeaders::class,
572
+ ];
573
+ ```
574
+
575
+ ## Input Validation
576
+
577
+ ### Form Request Validation
578
+
579
+ ```php
580
+ final class StorePostRequest extends FormRequest
581
+ {
582
+ public function authorize(): bool
583
+ {
584
+ return $this->user()?->can('create', Post::class) ?? false;
585
+ }
586
+
587
+ public function rules(): array
588
+ {
589
+ return [
590
+ 'title' => ['required', 'string', 'max:255', 'sanitize_html'],
591
+ 'content' => ['required', 'string', 'max:10000'],
592
+ 'image' => [
593
+ 'required',
594
+ 'image',
595
+ 'mimes:jpg,jpeg,png,gif,webp', // Whitelist specific types
596
+ 'max:2048', // 2MB max
597
+ ],
598
+ 'tags' => ['array'],
599
+ 'tags.*' => ['integer', 'exists:tags,id'],
600
+ ];
601
+ }
602
+
603
+ public function messages(): array
604
+ {
605
+ return [
606
+ 'title.max' => 'Post title must not exceed 255 characters.',
607
+ 'image.max' => 'Image must be under 2MB.',
608
+ ];
609
+ }
610
+
611
+ // Sanitize input after validation
612
+ public function validated($key = null, $default = null): mixed
613
+ {
614
+ $validated = parent::validated();
615
+ $validated['title'] = strip_tags($validated['title']);
616
+ return $key ? ($validated[$key] ?? $default) : $validated;
617
+ }
618
+ }
619
+ ```
620
+
621
+ ### Custom Validation Rules
622
+
623
+ ```php
624
+ // app/Rules/StrongPassword.php
625
+ class StrongPassword implements Rule
626
+ {
627
+ public function passes($attribute, $value): bool
628
+ {
629
+ return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&#^()_\-+=])[A-Za-z\d@$!%*?&#^()_\-+=]{12,}$/', $value);
630
+ }
631
+
632
+ public function message(): string
633
+ {
634
+ return 'The :attribute must be at least 12 characters with uppercase, lowercase, number, and symbol.';
635
+ }
636
+ }
637
+
638
+ // app/Rules/NotBlacklistedDomain.php
639
+ class NotBlacklistedDomain implements Rule
640
+ {
641
+ private array $blacklisted = ['mailinator.com', 'guerrillamail.com'];
642
+
643
+ public function passes($attribute, $value): bool
644
+ {
645
+ $domain = substr(strrchr($value, '@'), 1);
646
+ return !in_array(strtolower($domain), $this->blacklisted);
647
+ }
648
+
649
+ public function message(): string
650
+ {
651
+ return 'Email from disposable domains is not allowed.';
652
+ }
653
+ }
654
+ ```
655
+
656
+ ## API Security
657
+
658
+ ### Rate Limiting
659
+
660
+ ```php
661
+ // App/Providers/RouteServiceProvider
662
+ protected function configureRateLimiting(): void
663
+ {
664
+ RateLimiter::for('api', function (Request $request) {
665
+ return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
666
+ });
667
+
668
+ RateLimiter::for('auth', function (Request $request) {
669
+ return Limit::perMinute(5)->by($request->ip())
670
+ ->response(function () {
671
+ return response()->json([
672
+ 'message' => 'Too many login attempts. Try again in 1 minute.',
673
+ ], 429);
674
+ });
675
+ });
676
+
677
+ RateLimiter::for('uploads', function (Request $request) {
678
+ return Limit::perHour(10)->by($request->user()?->id ?? $request->ip())
679
+ ->response(function () {
680
+ return response()->json([
681
+ 'message' => 'Upload limit reached. Try again later.',
682
+ ], 429);
683
+ });
684
+ });
685
+ }
686
+
687
+ // Route usage
688
+ Route::middleware(['auth:sanctum', 'throttle:api'])->group(function () {
689
+ Route::apiResource('posts', PostController::class);
690
+ });
691
+
692
+ Route::post('/login', [AuthController::class, 'login'])
693
+ ->middleware('throttle:auth');
694
+ ```
695
+
696
+ ### API Authentication — Sanctum vs Passport
697
+
698
+ ```php
699
+ // Sanctum (recommended for most apps — simple, first-party, SPA)
700
+ // config/sanctum.php
701
+ 'expiration' => 60 * 24, // Tokens expire after 24 hours
702
+ 'model' => User::class,
703
+
704
+ // Issuing scoped tokens
705
+ $token = $user->createToken('client-name', [
706
+ 'posts:read',
707
+ 'posts:write',
708
+ ])->plainTextToken;
709
+
710
+ // Middleware scoping
711
+ Route::middleware('auth:sanctum')->group(function () {
712
+ Route::get('/posts', [PostController::class, 'index'])
713
+ ->middleware('abilities:posts:read');
714
+
715
+ Route::post('/posts', [PostController::class, 'store'])
716
+ ->middleware('abilities:posts:write');
717
+ });
718
+
719
+ // Passport (OAuth2 — for third-party clients or complex auth flows)
720
+ // Install: composer require laravel/passport
721
+ Passport::tokensExpireIn(now()->addDays(15));
722
+ Passport::refreshTokensExpireIn(now()->addDays(30));
723
+ Passport::personalAccessTokensExpireIn(now()->addMonths(6));
724
+ ```
725
+
726
+ ### CORS Configuration
727
+
728
+ ```php
729
+ // config/cors.php
730
+ return [
731
+ 'paths' => ['api/*', 'sanctum/csrf-cookie'],
732
+ 'allowed_methods' => ['*'],
733
+ 'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', '')), // Whitelist specific origins
734
+ 'allowed_origins_patterns' => [],
735
+ 'allowed_headers' => ['*'],
736
+ 'exposed_headers' => ['X-Total-Count', 'X-Pagination-Page'],
737
+ 'max_age' => 0,
738
+ 'supports_credentials' => true, // Required for Sanctum SPA auth
739
+ ];
740
+
741
+ // NEVER: Allow all origins in production unless absolutely necessary
742
+ // 'allowed_origins' => ['*'], // Only for truly public APIs
743
+ ```
744
+
745
+ ## File Upload Security
746
+
747
+ ### Validation
748
+
749
+ ```php
750
+ public function rules(): array
751
+ {
752
+ return [
753
+ 'document' => [
754
+ 'required',
755
+ 'file',
756
+ 'mimes:pdf,doc,docx,xls,xlsx', // Whitelist specific MIME types
757
+ 'max:10240', // 10MB
758
+ 'extensions:pdf,doc,docx,xls,xlsx', // Verify extension matches MIME
759
+ ],
760
+ 'avatar' => [
761
+ 'nullable',
762
+ 'image', // Ensures it's a valid image
763
+ 'mimes:jpg,jpeg,png,webp',
764
+ 'max:2048',
765
+ 'dimensions:min_width=100,min_height=100,max_width=2000,max_height=2000',
766
+ ],
767
+ ];
768
+ }
769
+ ```
770
+
771
+ ### Secure Storage
772
+
773
+ ```php
774
+ // Store files outside public directory
775
+ $path = $request->file('document')->store('documents', 'local');
776
+ // Never use 'public' disk for sensitive documents
777
+
778
+ // Use signed URLs for temporary file access
779
+ use Illuminate\Support\Facades\Storage;
780
+
781
+ public function download(Request $request, string $path)
782
+ {
783
+ // Generate temporary signed URL (expires in 15 minutes)
784
+ $url = Storage::temporaryUrl($path, now()->addMinutes(15));
785
+
786
+ // Validate user has permission
787
+ $this->authorize('download', $path);
788
+
789
+ return redirect($url);
790
+ }
791
+
792
+ // Storage configuration for cloud with encryption
793
+ // config/filesystems.php
794
+ 's3' => [
795
+ 'driver' => 's3',
796
+ 'key' => env('AWS_ACCESS_KEY_ID'),
797
+ 'secret' => env('AWS_SECRET_ACCESS_KEY'),
798
+ 'region' => env('AWS_DEFAULT_REGION'),
799
+ 'bucket' => env('AWS_BUCKET'),
800
+ 'url' => env('AWS_URL'),
801
+ 'endpoint' => env('AWS_ENDPOINT'),
802
+ 'use_path_style_endpoint' => env('AWS_USE_PATH_STYLE_ENDPOINT', false),
803
+ 'throw' => false,
804
+ 'server_side_encryption' => 'AES256', // Encrypt at rest
805
+ ],
806
+ ```
807
+
808
+ ## Dependencies and Secrets
809
+
810
+ ### Composer Security
811
+
812
+ ```bash
813
+ # Always audit dependencies in CI
814
+ composer audit
815
+
816
+ # Pin major versions in composer.json
817
+ "laravel/framework": "^11.0",
818
+ "spatie/laravel-permission": "^6.0"
819
+
820
+ # Check for abandoned packages
821
+ composer why-not
822
+
823
+ # Keep lock file in version control (it pins exact versions)
824
+ # Run `composer update` deliberately, never in CI/CD
825
+ ```
826
+
827
+ ### Secret Management
828
+
829
+ ```bash
830
+ # .env file (NEVER commit)
831
+ # .gitignore includes .env by default
832
+
833
+ APP_KEY=base64:abc123...
834
+ DB_PASSWORD=secure_password
835
+ STRIPE_KEY=sk_live_...
836
+ SANCTUM_TOKEN_PREFIX=myapp_
837
+
838
+ # For production: Use a secret manager
839
+ # Deploy with: env $(aws secretsmanager get-secret-value --secret-id prod/db | jq ...) php artisan serve
840
+
841
+ # Validate secrets at boot (AppServiceProvider::boot)
842
+ $secrets = ['services.stripe.key', 'services.stripe.webhook_secret'];
843
+ foreach ($secrets as $key) {
844
+ if (empty(config($key))) {
845
+ Log::critical("Missing secret: {$key}");
846
+ }
847
+ }
848
+ ```
849
+
850
+ ## Queue Security
851
+
852
+ ```php
853
+ // Define a named rate limiter (typically in AppServiceProvider::boot())
854
+ RateLimiter::for('payments', fn () => Limit::perMinute(5));
855
+ ```
856
+
857
+ ```php
858
+ // Encrypt sensitive job data by implementing the interface
859
+ final class ProcessPaymentJob implements ShouldQueue, ShouldBeEncrypted
860
+ {
861
+ use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
862
+
863
+ public function __construct(
864
+ private readonly string $paymentIntentId, // Public IDs are fine
865
+ private readonly string $cardFingerprint, // Encrypted via ShouldBeEncrypted
866
+ ) {}
867
+
868
+ public function handle(): void
869
+ {
870
+ // Process payment
871
+ }
872
+
873
+ // Limit retries and delay between attempts
874
+ public function retryUntil(): Carbon
875
+ {
876
+ return now()->addMinutes(5);
877
+ }
878
+
879
+ // Rate limit how many jobs of this type can run
880
+ public function middleware(): array
881
+ {
882
+ return [
883
+ new RateLimited('payments'),
884
+ ];
885
+ }
886
+ }
887
+ ```
888
+
889
+ ## Logging Security Events
890
+
891
+ ```php
892
+ // config/logging.php
893
+ 'channels' => [
894
+ 'security' => [
895
+ 'driver' => 'single',
896
+ 'path' => storage_path('logs/security.log'),
897
+ 'level' => 'warning',
898
+ ],
899
+ ],
900
+
901
+ // Audit log helper
902
+ final class SecurityLogger
903
+ {
904
+ public static function log(string $event, array $context = []): void
905
+ {
906
+ Log::channel('security')->warning($event, array_merge([
907
+ 'user_id' => Auth::id(),
908
+ 'ip' => request()->ip(),
909
+ 'user_agent' => request()->userAgent(),
910
+ 'url' => request()->fullUrl(),
911
+ 'timestamp' => now()->toIso8601String(),
912
+ ], $context));
913
+ }
914
+ }
915
+
916
+ // Usage
917
+ SecurityLogger::log('failed_login_attempt', ['email' => $email]);
918
+ SecurityLogger::log('password_change');
919
+ SecurityLogger::log('role_change', ['target_user' => $targetId, 'new_role' => 'admin']);
920
+ SecurityLogger::log('suspicious_activity', ['reason' => 'multiple_attempts_from_different_ips']);
921
+ ```
922
+
923
+ ## Quick Security Checklist
924
+
925
+ | Check | Description |
926
+ |-------|-------------|
927
+ | `APP_DEBUG=false` | Never run with debug enabled in production |
928
+ | `APP_KEY` set | Always run `php artisan key:generate` |
929
+ | HTTPS enforced | Force HTTPS in production via middleware or proxy |
930
+ | `$fillable` whitelisted | Never use `$guarded = []` |
931
+ | CSRF active | `@csrf` on all state-changing forms |
932
+ | Sanctum/Passport configured | API authentication with token abilities/scopes |
933
+ | Rate limiting applied | Throttle API and auth endpoints |
934
+ | Input validation | FormRequest with specific rules, never `$request->all()` |
935
+ | File upload restrictions | Validate MIME types, size, dimensions |
936
+ | `composer audit` in CI | Check dependencies for known vulnerabilities |
937
+ | `password_hash` / `password_verify` | Use Laravel's built-in hashing (bcrypt/Argon2) |
938
+ | Session regeneration on login | Call `$request->session()->regenerate()` |
939
+ | Security headers middleware | CSP, X-Frame-Options, X-Content-Type-Options |
940
+ | Logged security events | Audit log for auth failures, role changes, suspicious activity |
941
+ | `.env` not committed | Verify `.gitignore` includes `.env` |
942
+
943
+ ## Related Skills
944
+
945
+ - `laravel-patterns` — Laravel architecture, routing, Eloquent, and API patterns
946
+ - `backend-patterns` — General backend API and database patterns
947
+ - `laravel-tdd` — Laravel testing with PHPUnit and Pest
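Review bot: The HTTPS Enforcement snippet sets `request()->server->set('HTTPS', 'on');` for every production request, which makes `$request->secure()` return true regardless of the real scheme, so the `ForceHttps` middleware shown a few lines below can never redirect and a plain-HTTP request is treated as secure for the rest of the pipeline. Because this skill file's snippets are meant to be copied into generated code, drop that line and let the scheme come from the load balancer's `X-Forwarded-Proto` header through the trusted-proxy configuration; `URL::forceScheme('https')` alone is sufficient for URL generation. The `'trusted_proxies'` key is also not a `config/app.php` setting — it belongs in `App\Http\Middleware\TrustProxies::$proxies` (Laravel ≤10) or `$middleware->trustProxies(at: ['10.0.0.0/8', '172.16.0.0/12'])` in `bootstrap/app.php` (Laravel 11+), and the AWS comment lists `192.168.0.0/16` while the array omits it. Separately, the Secure Storage `download()` example hands a caller-supplied `$path` to `Storage::temporaryUrl()` before any authorization runs, and `$this->authorize('download', $path)` on a plain string does not resolve to a policy, so the example should resolve a model first (e.g. `$doc = Document::findOrFail($id); $this->authorize('download', $doc);`) and only then build the URL from the stored path.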