aigroup-workflow 2.2.1 → 2.2.3

package/skills/quality/secure-code-guardian/SKILL.md

@@ -1,191 +1,191 @@
----
-name: secure-code-guardian
-description: Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.
-license: MIT
-metadata:
-  author: https://github.com/Jeffallan
-  version: "1.1.0"
-  domain: security
-  triggers: security, authentication, authorization, encryption, OWASP, vulnerability, secure coding, password, JWT, OAuth
-  role: specialist
-  scope: implementation
-  output-format: code
-  related-skills: fullstack-guardian, security-reviewer, architecture-designer
----
-
-# Secure Code Guardian
-
-## Core Workflow
-
-1. **Threat model** — Identify attack surface and threats
-2. **Design** — Plan security controls
-3. **Implement** — Write secure code with defense in depth; see code examples below
-4. **Validate** — Test security controls with explicit checkpoints (see below)
-5. **Document** — Record security decisions
-
-### Validation Checkpoints
-
-After each implementation step, verify:
-
-- **Authentication**: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).
-- **Authorization**: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.
-- **Input handling**: Confirm SQL injection payloads (`' OR 1=1--`) are rejected; confirm XSS payloads (`<script>alert(1)</script>`) are escaped or rejected.
-- **Headers/CORS**: Validate with a security scanner (e.g., `curl -I`, Mozilla Observatory) that security headers are present and CORS origin allowlist is correct.
-
-## Reference Guide
-
-Load detailed guidance based on context:
-
-| Topic | Reference | Load When |
-|-------|-----------|-----------|
-| OWASP | `references/owasp-prevention.md` | OWASP Top 10 patterns |
-| Authentication | `references/authentication.md` | Password hashing, JWT |
-| Input Validation | `references/input-validation.md` | Zod, SQL injection |
-| XSS/CSRF | `references/xss-csrf.md` | XSS prevention, CSRF |
-| Headers | `references/security-headers.md` | Helmet, rate limiting |
-
-## Constraints
-
-### MUST DO
-- Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)
-- Use parameterized queries (never string-interpolated SQL)
-- Validate and sanitize all user input before use
-- Implement rate limiting on auth endpoints
-- Set security headers (CSP, HSTS, X-Frame-Options)
-- Log security events (failed auth, privilege escalation attempts)
-- Store secrets in environment variables or secret managers (never in source code)
-
-### MUST NOT DO
-- Store passwords in plaintext or reversibly encrypted form
-- Trust user input without validation
-- Expose sensitive data in logs or error responses
-- Use weak or deprecated algorithms (MD5, SHA-1, DES, ECB mode)
-- Hardcode secrets or credentials in code
-
-## Code Examples
-
-### Password Hashing (bcrypt)
-
-```typescript
-import bcrypt from 'bcrypt';
-
-const SALT_ROUNDS = 12; // minimum 10; 12 balances security and performance
-
-export async function hashPassword(plaintext: string): Promise<string> {
-  return bcrypt.hash(plaintext, SALT_ROUNDS);
-}
-
-export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
-  return bcrypt.compare(plaintext, hash);
-}
-```
-
-### Parameterized SQL Query (Node.js / pg)
-
-```typescript
-// NEVER: `SELECT * FROM users WHERE email = '${email}'`
-// ALWAYS: use positional parameters
-import { Pool } from 'pg';
-const pool = new Pool();
-
-export async function getUserByEmail(email: string) {
-  const { rows } = await pool.query(
-    'SELECT id, email, role FROM users WHERE email = $1',
-    [email]  // value passed separately — never interpolated
-  );
-  return rows[0] ?? null;
-}
-```
-
-### Input Validation with Zod
-
-```typescript
-import { z } from 'zod';
-
-const LoginSchema = z.object({
-  email: z.string().email().max(254),
-  password: z.string().min(8).max(128),
-});
-
-export function validateLoginInput(raw: unknown) {
-  const result = LoginSchema.safeParse(raw);
-  if (!result.success) {
-    // Return generic error — never echo raw input back
-    throw new Error('Invalid credentials format');
-  }
-  return result.data;
-}
-```
-
-### JWT Validation
-
-```typescript
-import jwt from 'jsonwebtoken';
-
-const JWT_SECRET = process.env.JWT_SECRET!; // never hardcode
-
-export function verifyToken(token: string): jwt.JwtPayload {
-  // Throws if expired, tampered, or wrong algorithm
-  const payload = jwt.verify(token, JWT_SECRET, {
-    algorithms: ['HS256'],   // explicitly allowlist algorithm
-    issuer: 'your-app',
-    audience: 'your-app',
-  });
-  if (typeof payload === 'string') throw new Error('Invalid token payload');
-  return payload;
-}
-```
-
-### Securing an Endpoint — Full Flow
-
-```typescript
-import express from 'express';
-import rateLimit from 'express-rate-limit';
-import helmet from 'helmet';
-
-const app = express();
-app.use(helmet()); // sets CSP, HSTS, X-Frame-Options, etc.
-app.use(express.json({ limit: '10kb' })); // limit payload size
-
-const authLimiter = rateLimit({
-  windowMs: 15 * 60 * 1000, // 15 minutes
-  max: 10,                   // 10 attempts per window per IP
-  standardHeaders: true,
-  legacyHeaders: false,
-});
-
-app.post('/api/login', authLimiter, async (req, res) => {
-  // 1. Validate input
-  const { email, password } = validateLoginInput(req.body);
-
-  // 2. Authenticate — parameterized query, constant-time compare
-  const user = await getUserByEmail(email);
-  if (!user || !(await verifyPassword(password, user.passwordHash))) {
-    // Generic message — do not reveal whether email exists
-    return res.status(401).json({ error: 'Invalid credentials' });
-  }
-
-  // 3. Authorize — issue scoped, short-lived token
-  const token = jwt.sign(
-    { sub: user.id, role: user.role },
-    JWT_SECRET,
-    { algorithm: 'HS256', expiresIn: '15m', issuer: 'your-app', audience: 'your-app' }
-  );
-
-  // 4. Secure response — token in httpOnly cookie, not body
-  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });
-  return res.json({ message: 'Authenticated' });
-});
-```
-
-## Output Templates
-
-When implementing security features, provide:
-1. Secure implementation code
-2. Security considerations noted
-3. Configuration requirements (env vars, headers)
-4. Testing recommendations
-
-## Knowledge Reference
-
-OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers
+---
+name: secure-code-guardian
+description: Use when implementing authentication/authorization, securing user input, or preventing OWASP Top 10 vulnerabilities — including custom security implementations such as hashing passwords with bcrypt/argon2, sanitizing SQL queries with parameterized statements, configuring CORS/CSP headers, validating input with Zod, and setting up JWT tokens. Invoke for authentication, authorization, input validation, encryption, OWASP Top 10 prevention, secure session management, and security hardening. For pre-built OAuth/SSO integrations or standalone security audits, consider a more specialized skill.
+license: MIT
+metadata:
+  author: https://github.com/Jeffallan
+  version: "1.1.0"
+  domain: security
+  triggers: security, authentication, authorization, encryption, OWASP, vulnerability, secure coding, password, JWT, OAuth
+  role: specialist
+  scope: implementation
+  output-format: code
+  related-skills: fullstack-guardian, security-reviewer, architecture-designer
+---
+
+# Secure Code Guardian
+
+## Core Workflow
+
+1. **Threat model** — Identify attack surface and threats
+2. **Design** — Plan security controls
+3. **Implement** — Write secure code with defense in depth; see code examples below
+4. **Validate** — Test security controls with explicit checkpoints (see below)
+5. **Document** — Record security decisions
+
+### Validation Checkpoints
+
+After each implementation step, verify:
+
+- **Authentication**: Test brute-force protection (lockout/rate limit triggers), session fixation resistance, token expiration, and invalid-credential error messages (must not leak user existence).
+- **Authorization**: Verify horizontal and vertical privilege escalation paths are blocked; test with tokens belonging to different roles/users.
+- **Input handling**: Confirm SQL injection payloads (`' OR 1=1--`) are rejected; confirm XSS payloads (`<script>alert(1)</script>`) are escaped or rejected.
+- **Headers/CORS**: Validate with a security scanner (e.g., `curl -I`, Mozilla Observatory) that security headers are present and CORS origin allowlist is correct.
+
+## Reference Guide
+
+Load detailed guidance based on context:
+
+| Topic | Reference | Load When |
+|-------|-----------|-----------|
+| OWASP | `references/owasp-prevention.md` | OWASP Top 10 patterns |
+| Authentication | `references/authentication.md` | Password hashing, JWT |
+| Input Validation | `references/input-validation.md` | Zod, SQL injection |
+| XSS/CSRF | `references/xss-csrf.md` | XSS prevention, CSRF |
+| Headers | `references/security-headers.md` | Helmet, rate limiting |
+
+## Constraints
+
+### MUST DO
+- Hash passwords with bcrypt/argon2 (never MD5/SHA-1/unsalted hashes)
+- Use parameterized queries (never string-interpolated SQL)
+- Validate and sanitize all user input before use
+- Implement rate limiting on auth endpoints
+- Set security headers (CSP, HSTS, X-Frame-Options)
+- Log security events (failed auth, privilege escalation attempts)
+- Store secrets in environment variables or secret managers (never in source code)
+
+### MUST NOT DO
+- Store passwords in plaintext or reversibly encrypted form
+- Trust user input without validation
+- Expose sensitive data in logs or error responses
+- Use weak or deprecated algorithms (MD5, SHA-1, DES, ECB mode)
+- Hardcode secrets or credentials in code
+
+## Code Examples
+
+### Password Hashing (bcrypt)
+
+```typescript
+import bcrypt from 'bcrypt';
+
+const SALT_ROUNDS = 12; // minimum 10; 12 balances security and performance
+
+export async function hashPassword(plaintext: string): Promise<string> {
+  return bcrypt.hash(plaintext, SALT_ROUNDS);
+}
+
+export async function verifyPassword(plaintext: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(plaintext, hash);
+}
+```
+
+### Parameterized SQL Query (Node.js / pg)
+
+```typescript
+// NEVER: `SELECT * FROM users WHERE email = '${email}'`
+// ALWAYS: use positional parameters
+import { Pool } from 'pg';
+const pool = new Pool();
+
+export async function getUserByEmail(email: string) {
+  const { rows } = await pool.query(
+    'SELECT id, email, role FROM users WHERE email = $1',
+    [email]  // value passed separately — never interpolated
+  );
+  return rows[0] ?? null;
+}
+```
+
+### Input Validation with Zod
+
+```typescript
+import { z } from 'zod';
+
+const LoginSchema = z.object({
+  email: z.string().email().max(254),
+  password: z.string().min(8).max(128),
+});
+
+export function validateLoginInput(raw: unknown) {
+  const result = LoginSchema.safeParse(raw);
+  if (!result.success) {
+    // Return generic error — never echo raw input back
+    throw new Error('Invalid credentials format');
+  }
+  return result.data;
+}
+```
+
+### JWT Validation
+
+```typescript
+import jwt from 'jsonwebtoken';
+
+const JWT_SECRET = process.env.JWT_SECRET!; // never hardcode
+
+export function verifyToken(token: string): jwt.JwtPayload {
+  // Throws if expired, tampered, or wrong algorithm
+  const payload = jwt.verify(token, JWT_SECRET, {
+    algorithms: ['HS256'],   // explicitly allowlist algorithm
+    issuer: 'your-app',
+    audience: 'your-app',
+  });
+  if (typeof payload === 'string') throw new Error('Invalid token payload');
+  return payload;
+}
+```
+
+### Securing an Endpoint — Full Flow
+
+```typescript
+import express from 'express';
+import rateLimit from 'express-rate-limit';
+import helmet from 'helmet';
+
+const app = express();
+app.use(helmet()); // sets CSP, HSTS, X-Frame-Options, etc.
+app.use(express.json({ limit: '10kb' })); // limit payload size
+
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 10,                   // 10 attempts per window per IP
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+app.post('/api/login', authLimiter, async (req, res) => {
+  // 1. Validate input
+  const { email, password } = validateLoginInput(req.body);
+
+  // 2. Authenticate — parameterized query, constant-time compare
+  const user = await getUserByEmail(email);
+  if (!user || !(await verifyPassword(password, user.passwordHash))) {
+    // Generic message — do not reveal whether email exists
+    return res.status(401).json({ error: 'Invalid credentials' });
+  }
+
+  // 3. Authorize — issue scoped, short-lived token
+  const token = jwt.sign(
+    { sub: user.id, role: user.role },
+    JWT_SECRET,
+    { algorithm: 'HS256', expiresIn: '15m', issuer: 'your-app', audience: 'your-app' }
+  );
+
+  // 4. Secure response — token in httpOnly cookie, not body
+  res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });
+  return res.json({ message: 'Authenticated' });
+});
+```
+
+## Output Templates
+
+When implementing security features, provide:
+1. Secure implementation code
+2. Security considerations noted
+3. Configuration requirements (env vars, headers)
+4. Testing recommendations
+
+## Knowledge Reference
+
+OWASP Top 10, bcrypt/argon2, JWT, OAuth 2.0, OIDC, CSP, CORS, rate limiting, input validation, output encoding, encryption (AES, RSA), TLS, security headers

package/skills/quality/secure-code-guardian/references/authentication.md

@@ -1,136 +1,136 @@
-# Authentication
-
-## Password Hashing
-
-```typescript
-import bcrypt from 'bcrypt';
-
-const SALT_ROUNDS = 12;
-
-async function hashPassword(password: string): Promise<string> {
-  return bcrypt.hash(password, SALT_ROUNDS);
-}
-
-async function verifyPassword(password: string, hash: string): Promise<boolean> {
-  return bcrypt.compare(password, hash);
-}
-
-// Password requirements
-const PASSWORD_REGEX = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$/;
-
-function validatePassword(password: string): { valid: boolean; errors: string[] } {
-  const errors: string[] = [];
-
-  if (password.length < 12) errors.push('Minimum 12 characters');
-  if (!/[a-z]/.test(password)) errors.push('Requires lowercase');
-  if (!/[A-Z]/.test(password)) errors.push('Requires uppercase');
-  if (!/\d/.test(password)) errors.push('Requires digit');
-  if (!/[@$!%*?&]/.test(password)) errors.push('Requires special character');
-
-  return { valid: errors.length === 0, errors };
-}
-```
-
-## JWT Implementation
-
-```typescript
-import jwt from 'jsonwebtoken';
-
-const JWT_SECRET = process.env.JWT_SECRET!;
-const ACCESS_TOKEN_EXPIRY = '15m';
-const REFRESH_TOKEN_EXPIRY = '7d';
-
-interface TokenPayload {
-  sub: string;
-  type: 'access' | 'refresh';
-}
-
-function generateAccessToken(userId: string): string {
-  return jwt.sign(
-    { sub: userId, type: 'access' },
-    JWT_SECRET,
-    { expiresIn: ACCESS_TOKEN_EXPIRY }
-  );
-}
-
-function generateRefreshToken(userId: string): string {
-  return jwt.sign(
-    { sub: userId, type: 'refresh' },
-    JWT_SECRET,
-    { expiresIn: REFRESH_TOKEN_EXPIRY }
-  );
-}
-
-function verifyToken(token: string): TokenPayload {
-  return jwt.verify(token, JWT_SECRET) as TokenPayload;
-}
-```
-
-## Auth Middleware
-
-```typescript
-function authMiddleware(req: Request, res: Response, next: NextFunction) {
-  const header = req.headers.authorization;
-
-  if (!header?.startsWith('Bearer ')) {
-    return res.status(401).json({ error: 'Missing token' });
-  }
-
-  try {
-    const token = header.slice(7);
-    const payload = verifyToken(token);
-
-    if (payload.type !== 'access') {
-      return res.status(401).json({ error: 'Invalid token type' });
-    }
-
-    req.userId = payload.sub;
-    next();
-  } catch (error) {
-    if (error instanceof jwt.TokenExpiredError) {
-      return res.status(401).json({ error: 'Token expired' });
-    }
-    return res.status(401).json({ error: 'Invalid token' });
-  }
-}
-```
-
-## Account Lockout
-
-```typescript
-const MAX_ATTEMPTS = 5;
-const LOCKOUT_DURATION = 15 * 60 * 1000; // 15 minutes
-
-async function handleLoginAttempt(email: string, success: boolean) {
-  const key = `login:attempts:${email}`;
-
-  if (success) {
-    await redis.del(key);
-    return;
-  }
-
-  const attempts = await redis.incr(key);
-  await redis.expire(key, LOCKOUT_DURATION / 1000);
-
-  if (attempts >= MAX_ATTEMPTS) {
-    await redis.set(`login:locked:${email}`, '1', 'PX', LOCKOUT_DURATION);
-    throw new Error('Account locked. Try again later.');
-  }
-}
-```
-
-## Quick Reference
-
-| Practice | Implementation |
-|----------|----------------|
-| Password hash | bcrypt (12+ rounds) |
-| Token expiry | Access: 15m, Refresh: 7d |
-| Lockout | 5 attempts, 15min lockout |
-| MFA | TOTP (authenticator apps) |
-
-| JWT Claim | Purpose |
-|-----------|---------|
-| `sub` | User ID |
-| `exp` | Expiration |
-| `iat` | Issued at |
-| `type` | access/refresh |
+# Authentication
+
+## Password Hashing
+
+```typescript
+import bcrypt from 'bcrypt';
+
+const SALT_ROUNDS = 12;
+
+async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
+
+// Password requirements
+const PASSWORD_REGEX = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{12,}$/;
+
+function validatePassword(password: string): { valid: boolean; errors: string[] } {
+  const errors: string[] = [];
+
+  if (password.length < 12) errors.push('Minimum 12 characters');
+  if (!/[a-z]/.test(password)) errors.push('Requires lowercase');
+  if (!/[A-Z]/.test(password)) errors.push('Requires uppercase');
+  if (!/\d/.test(password)) errors.push('Requires digit');
+  if (!/[@$!%*?&]/.test(password)) errors.push('Requires special character');
+
+  return { valid: errors.length === 0, errors };
+}
+```
+
+## JWT Implementation
+
+```typescript
+import jwt from 'jsonwebtoken';
+
+const JWT_SECRET = process.env.JWT_SECRET!;
+const ACCESS_TOKEN_EXPIRY = '15m';
+const REFRESH_TOKEN_EXPIRY = '7d';
+
+interface TokenPayload {
+  sub: string;
+  type: 'access' | 'refresh';
+}
+
+function generateAccessToken(userId: string): string {
+  return jwt.sign(
+    { sub: userId, type: 'access' },
+    JWT_SECRET,
+    { expiresIn: ACCESS_TOKEN_EXPIRY }
+  );
+}
+
+function generateRefreshToken(userId: string): string {
+  return jwt.sign(
+    { sub: userId, type: 'refresh' },
+    JWT_SECRET,
+    { expiresIn: REFRESH_TOKEN_EXPIRY }
+  );
+}
+
+function verifyToken(token: string): TokenPayload {
+  return jwt.verify(token, JWT_SECRET) as TokenPayload;
+}
+```
+
+## Auth Middleware
+
+```typescript
+function authMiddleware(req: Request, res: Response, next: NextFunction) {
+  const header = req.headers.authorization;
+
+  if (!header?.startsWith('Bearer ')) {
+    return res.status(401).json({ error: 'Missing token' });
+  }
+
+  try {
+    const token = header.slice(7);
+    const payload = verifyToken(token);
+
+    if (payload.type !== 'access') {
+      return res.status(401).json({ error: 'Invalid token type' });
+    }
+
+    req.userId = payload.sub;
+    next();
+  } catch (error) {
+    if (error instanceof jwt.TokenExpiredError) {
+      return res.status(401).json({ error: 'Token expired' });
+    }
+    return res.status(401).json({ error: 'Invalid token' });
+  }
+}
+```
+
+## Account Lockout
+
+```typescript
+const MAX_ATTEMPTS = 5;
+const LOCKOUT_DURATION = 15 * 60 * 1000; // 15 minutes
+
+async function handleLoginAttempt(email: string, success: boolean) {
+  const key = `login:attempts:${email}`;
+
+  if (success) {
+    await redis.del(key);
+    return;
+  }
+
+  const attempts = await redis.incr(key);
+  await redis.expire(key, LOCKOUT_DURATION / 1000);
+
+  if (attempts >= MAX_ATTEMPTS) {
+    await redis.set(`login:locked:${email}`, '1', 'PX', LOCKOUT_DURATION);
+    throw new Error('Account locked. Try again later.');
+  }
+}
+```
+
+## Quick Reference
+
+| Practice | Implementation |
+|----------|----------------|
+| Password hash | bcrypt (12+ rounds) |
+| Token expiry | Access: 15m, Refresh: 7d |
+| Lockout | 5 attempts, 15min lockout |
+| MFA | TOTP (authenticator apps) |
+
+| JWT Claim | Purpose |
+|-----------|---------|
+| `sub` | User ID |
+| `exp` | Expiration |
+| `iat` | Issued at |
+| `type` | access/refresh |