npm - anchi-kit - Versions diffs - 1.2.0 → 1.2.1 - Mend

anchi-kit 1.2.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/.antigravity/skills/security-audit/SKILL.md ADDED Viewed

@@ -0,0 +1,263 @@
+# Security Audit Skill
+> Domain knowledge for writing secure code and preventing vulnerabilities.
+---
+## 🔐 OWASP Top 10 Prevention
+### 1. Injection (SQL, NoSQL, Command)
+**❌ Vulnerable:**
+```typescript
+// SQL Injection
+const user = await db.query(`SELECT * FROM users WHERE id = ${id}`);
+// Command Injection
+exec(`ls ${userInput}`);
+```
+**✅ Secure:**
+```typescript
+// Parameterized queries
+const user = await prisma.user.findUnique({ where: { id } });
+// Avoid shell commands, use libraries
+import { readdir } from "fs/promises";
+const files = await readdir(safeDirectory);
+```
+---
+### 2. Broken Authentication
+**Checklist:**
+- [ ] Passwords hashed with bcrypt/argon2 (cost ≥ 10)
+- [ ] Session tokens are random and long (≥ 32 bytes)
+- [ ] Sessions expire (max 24h for sensitive, 30d for remember-me)
+- [ ] Rate limiting on login (5 attempts/minute)
+- [ ] Account lockout after repeated failures
+- [ ] MFA available for sensitive accounts
+```typescript
+// Password hashing
+import bcrypt from "bcrypt";
+const hash = await bcrypt.hash(password, 12);
+const valid = await bcrypt.compare(password, hash);
+// Secure session
+import { randomBytes } from "crypto";
+const sessionToken = randomBytes(32).toString("hex");
+```
+---
+### 3. Sensitive Data Exposure
+**Checklist:**
+- [ ] HTTPS everywhere (no HTTP)
+- [ ] Sensitive data encrypted at rest
+- [ ] API keys in environment variables, never in code
+- [ ] Passwords never logged
+- [ ] PII masked in logs
+```typescript
+// Never log sensitive data
+console.log(`User login: ${email}`); // ❌
+console.log(`User login: ${maskEmail(email)}`); // ✅
+// Environment variables
+const apiKey = process.env.STRIPE_SECRET_KEY; // ✅
+const apiKey = "sk_live_abc123"; // ❌ NEVER
+```
+---
+### 4. Cross-Site Scripting (XSS)
+**❌ Vulnerable:**
+```typescript
+// React dangerouslySetInnerHTML
+<div dangerouslySetInnerHTML={{ __html: userContent }} />;
+// Direct DOM manipulation
+document.getElementById("output").innerHTML = userInput;
+```
+**✅ Secure:**
+```typescript
+// React auto-escapes
+<div>{userContent}</div>;
+// Sanitize HTML if needed
+import DOMPurify from "dompurify";
+<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userContent) }} />;
+// CSP Headers
+res.setHeader("Content-Security-Policy", "default-src 'self'");
+```
+---
+### 5. Cross-Site Request Forgery (CSRF)
+**Protection:**
+```typescript
+// 1. CSRF Token (forms)
+<input type="hidden" name="_csrf" value={csrfToken} />;
+// 2. SameSite cookies
+res.cookie("session", token, {
+  httpOnly: true,
+  secure: true,
+  sameSite: "lax", // or 'strict' for sensitive
+});
+// 3. Verify origin header
+const origin = req.headers.origin;
+if (!allowedOrigins.includes(origin)) {
+  return res.status(403).json({ error: "Forbidden" });
+}
+```
+---
+### 6. Security Misconfiguration
+**Checklist:**
+- [ ] Debug mode OFF in production
+- [ ] Default credentials changed
+- [ ] Unnecessary features disabled
+- [ ] Error messages don't leak stack traces
+- [ ] Security headers configured
+```typescript
+// Security headers (Helmet.js)
+import helmet from "helmet";
+app.use(helmet());
+// Custom error handler
+app.use((err, req, res, next) => {
+  console.error(err); // Log full error
+  res.status(500).json({
+    error: "Internal Server Error", // Generic message to user
+  });
+});
+```
+---
+## 🛡️ API Security
+### Rate Limiting
+```typescript
+import rateLimit from "express-rate-limit";
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // 100 requests per window
+  message: "Too many requests",
+});
+app.use("/api/", limiter);
+// Stricter for auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 60 * 1000,
+  max: 5,
+});
+app.use("/api/auth/", authLimiter);
+```
+---
+### Input Validation
+```typescript
+import { z } from "zod";
+const UserSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8).max(128),
+  age: z.number().int().min(13).max(120).optional(),
+});
+// Validate
+const result = UserSchema.safeParse(req.body);
+if (!result.success) {
+  return res.status(400).json({ errors: result.error.issues });
+}
+```
+---
+### Authorization
+```typescript
+// Role-based access
+const requireRole = (roles: string[]) => {
+  return (req, res, next) => {
+    if (!roles.includes(req.user.role)) {
+      return res.status(403).json({ error: "Forbidden" });
+    }
+    next();
+  };
+};
+app.delete("/api/users/:id", requireRole(["admin"]), deleteUser);
+// Resource ownership
+app.put("/api/posts/:id", async (req, res) => {
+  const post = await prisma.post.findUnique({ where: { id: req.params.id } });
+  if (post.authorId !== req.user.id && req.user.role !== "admin") {
+    return res.status(403).json({ error: "Forbidden" });
+  }
+  // proceed with update
+});
+```
+---
+## 🔑 Secrets Management
+```typescript
+// ✅ Environment variables
+DATABASE_URL=postgresql://...
+STRIPE_SECRET_KEY=sk_live_...
+// ✅ .env files (gitignored)
+// .env.local, .env.production
+// ✅ Secret managers (production)
+// AWS Secrets Manager, HashiCorp Vault, Doppler
+// ❌ NEVER commit secrets
+// ❌ NEVER log secrets
+// ❌ NEVER hardcode in source
+```
+---
+## 📋 Quick Security Checklist
+Before any implementation:
+- [ ] All inputs validated and sanitized
+- [ ] Authentication on protected routes
+- [ ] Authorization checks (ownership, roles)
+- [ ] No SQL/command injection
+- [ ] XSS prevention (escape output)
+- [ ] CSRF tokens for forms
+- [ ] Rate limiting on sensitive endpoints
+- [ ] Secrets in env vars, not code
+- [ ] HTTPS enforced
+- [ ] Security headers configured

package/.antigravity/skills/software-architecture/SKILL.md ADDED Viewed

@@ -0,0 +1,91 @@
+---
+name: software-architecture
+description: Clean Architecture, SOLID principles, and design patterns for building maintainable software. Use when designing system architecture, refactoring codebases, conducting code reviews, or implementing complex features that require architectural decisions.
+---
+# Software Architecture
+Comprehensive guide to software architecture principles, patterns, and best practices.
+## When to Use
+- Designing system architecture
+- Refactoring existing codebase
+- Code reviews focusing on architecture
+- Implementing complex features
+- Making architectural decisions
+- Solving scalability challenges
+## Core Principles
+### SOLID Principles
+See [references/solid-principles.md](references/solid-principles.md) for detailed explanations and examples.
+**Quick Reference:**
+- **S**ingle Responsibility - One class, one reason to change
+- **O**pen/Closed - Open for extension, closed for modification
+- **L**iskov Substitution - Subclasses should be substitutable
+- **I**nterface Segregation - Many specific interfaces over one general
+- **D**ependency Inversion - Depend on abstractions, not concretions
+### Clean Architecture
+See [references/clean-architecture.md](references/clean-architecture.md) for layer-by-layer guide.
+**Layers (outer to inner):**
+1. Frameworks & Drivers (UI, DB, External APIs)
+2. Interface Adapters (Controllers, Presenters, Gateways)
+3. Application Business Rules (Use Cases)
+4. Enterprise Business Rules (Entities)
+**Rule:** Dependencies point inward only
+## Common Design Patterns
+See [references/design-patterns.md](references/design-patterns.md) for full catalog.
+### Creational Patterns
+- Factory Pattern - Object creation
+- Builder Pattern - Complex object construction
+- Singleton Pattern - Single instance
+### Structural Patterns
+- Adapter Pattern - Interface compatibility
+- Decorator Pattern - Add behavior dynamically
+- Repository Pattern - Data access abstraction
+### Behavioral Patterns
+- Strategy Pattern - Interchangeable algorithms
+- Observer Pattern - Event notification
+- Command Pattern - Encapsulate requests
+## Architecture Best Practices
+1. **Separation of Concerns** - Each module has distinct responsibility
+2. **Dependency Injection** - Inject dependencies, don't create them
+3. **Interface Programming** - Code to interfaces, not implementations
+4. **Single Source of Truth** - One canonical source for each data type
+5. **Test-Driven Design** - Design for testability from the start
+6. **Incremental Refactoring** - Improve architecture continuously
+## Code Organization
+```
+src/
+├── domain/           # Business logic (entities, use cases)
+├── infrastructure/   # External concerns (DB, API clients)
+├── application/      # Application services
+└── presentation/     # UI, controllers, views
+```
+## References
+- [SOLID Principles](references/solid-principles.md) - Detailed examples
+- [Clean Architecture](references/clean-architecture.md) - Layer guide
+- [Design Patterns](references/design-patterns.md) - Pattern catalog

package/.antigravity/skills/software-architecture/references/solid-principles.md ADDED Viewed

@@ -0,0 +1,293 @@
+# SOLID Principles
+## S - Single Responsibility Principle (SRP)
+**A class should have only one reason to change.**
+### ❌ Violation
+```javascript
+class User {
+  constructor(name, email) {
+    this.name = name;
+    this.email = email;
+  }
+  // Database logic - reason #1 to change
+  save() {
+    database.insert("users", this);
+  }
+  // Email logic - reason #2 to change
+  sendWelcomeEmail() {
+    emailService.send(this.email, "Welcome!");
+  }
+  // Validation - reason #3 to change
+  validate() {
+    return this.email.includes("@");
+  }
+}
+```
+### ✅ Solution
+```javascript
+class User {
+  constructor(name, email) {
+    this.name = name;
+    this.email = email;
+  }
+}
+class UserRepository {
+  save(user) {
+    database.insert("users", user);
+  }
+}
+class UserNotification {
+  sendWelcome(user) {
+    emailService.send(user.email, "Welcome!");
+  }
+}
+class UserValidator {
+  validate(user) {
+    return user.email.includes("@");
+  }
+}
+```
+## O - Open/Closed Principle (OCP)
+**Open for extension, closed for modification.**
+### ❌ Violation
+```javascript
+class PaymentProcessor {
+  process(payment) {
+    if (payment.type === "credit-card") {
+      // Process credit card
+    } else if (payment.type === "paypal") {
+      // Process PayPal
+    }
+    // Adding new payment type requires modifying this class
+  }
+}
+```
+### ✅ Solution
+```javascript
+class PaymentProcessor {
+  constructor(strategy) {
+    this.strategy = strategy;
+  }
+  process(payment) {
+    return this.strategy.process(payment);
+  }
+}
+class CreditCardStrategy {
+  process(payment) {
+    // Process credit card
+  }
+}
+class PayPalStrategy {
+  process(payment) {
+    // Process PayPal
+  }
+}
+// Usage - extend without modification
+const processor = new PaymentProcessor(new CreditCardStrategy());
+```
+## L - Liskov Substitution Principle (LSP)
+**Subclasses should be substitutable for their base classes.**
+### ❌ Violation
+```javascript
+class Rectangle {
+  setWidth(width) {
+    this.width = width;
+  }
+  setHeight(height) {
+    this.height = height;
+  }
+  getArea() {
+    return this.width * this.height;
+  }
+}
+class Square extends Rectangle {
+  setWidth(width) {
+    this.width = width;
+    this.height = width; // Breaks expectation
+  }
+  setHeight(height) {
+    this.width = height;
+    this.height = height;
+  }
+}
+```
+### ✅ Solution
+```javascript
+class Shape {
+  getArea() {
+    throw new Error("Must implement getArea");
+  }
+}
+class Rectangle extends Shape {
+  constructor(width, height) {
+    super();
+    this.width = width;
+    this.height = height;
+  }
+  getArea() {
+    return this.width * this.height;
+  }
+}
+class Square extends Shape {
+  constructor(side) {
+    super();
+    this.side = side;
+  }
+  getArea() {
+    return this.side * this.side;
+  }
+}
+```
+## I - Interface Segregation Principle (ISP)
+**Many specific interfaces are better than one general interface.**
+### ❌ Violation
+```javascript
+class Worker {
+  work() {}
+  eat() {}
+  sleep() {}
+}
+class Robot extends Worker {
+  work() {
+    /* OK */
+  }
+  eat() {
+    throw new Error("Robots don't eat");
+  }
+  sleep() {
+    throw new Error("Robots don't sleep");
+  }
+}
+```
+### ✅ Solution
+```javascript
+class Workable {
+  work() {}
+}
+class Eatable {
+  eat() {}
+}
+class Sleepable {
+  sleep() {}
+}
+class Human extends Workable {
+  work() {
+    /* ... */
+  }
+  eat() {
+    /* via Eatable */
+  }
+  sleep() {
+    /* via Sleepable */
+  }
+}
+class Robot extends Workable {
+  work() {
+    /* ... */
+  }
+  // Doesn't implement eat/sleep
+}
+```
+## D - Dependency Inversion Principle (DIP)
+**Depend on abstractions, not concretions.**
+### ❌ Violation
+```javascript
+class EmailService {
+  send(to, message) {
+    /* Send email */
+  }
+}
+class UserService {
+  constructor() {
+    this.emailService = new EmailService(); // Tight coupling
+  }
+  register(user) {
+    this.emailService.send(user.email, "Welcome");
+  }
+}
+```
+### ✅ Solution
+```javascript
+// Abstraction
+class NotificationService {
+  send(to, message) {
+    throw new Error("Must implement");
+  }
+}
+// Implementations
+class EmailService extends NotificationService {
+  send(to, message) {
+    /* Send email */
+  }
+}
+class SMSService extends NotificationService {
+  send(to, message) {
+    /* Send SMS */
+  }
+}
+// Depend on abstraction
+class UserService {
+  constructor(notificationService) {
+    this.notificationService = notificationService;
+  }
+  register(user) {
+    this.notificationService.send(user.email, "Welcome");
+  }
+}
+// Usage - easily swap implementations
+const userService = new UserService(new EmailService());
+```