arboris-cli 1.0.0 → 1.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (451) hide show
  1. package/dist/cli.mjs +420 -0
  2. package/manifest.json +602 -0
  3. package/package.json +22 -10
  4. package/prisma/skills/accessibility/SKILL.md +147 -0
  5. package/prisma/skills/agent-architecture-audit/SKILL.md +257 -0
  6. package/prisma/skills/agent-eval/SKILL.md +146 -0
  7. package/prisma/skills/agent-harness-construction/SKILL.md +74 -0
  8. package/prisma/skills/agent-introspection-debugging/SKILL.md +154 -0
  9. package/prisma/skills/agent-payment-x402/SKILL.md +225 -0
  10. package/prisma/skills/agent-self-evaluation/SKILL.md +182 -0
  11. package/prisma/skills/agent-self-evaluation/examples/high-score-example.md +87 -0
  12. package/prisma/skills/agent-self-evaluation/examples/low-score-example.md +86 -0
  13. package/prisma/skills/agent-self-evaluation/references/evaluation-criteria.md +71 -0
  14. package/prisma/skills/agent-self-evaluation/references/hook-integration.md +64 -0
  15. package/prisma/skills/agent-self-evaluation/scripts/evaluate.py +408 -0
  16. package/prisma/skills/agent-self-evaluation/templates/evaluation-report.md +86 -0
  17. package/prisma/skills/agent-sort/SKILL.md +216 -0
  18. package/prisma/skills/agentic-engineering/SKILL.md +64 -0
  19. package/prisma/skills/agentic-os/SKILL.md +388 -0
  20. package/prisma/skills/ai-first-engineering/SKILL.md +52 -0
  21. package/prisma/skills/ai-regression-testing/SKILL.md +386 -0
  22. package/prisma/skills/android-clean-architecture/SKILL.md +340 -0
  23. package/prisma/skills/angular-developer/SKILL.md +155 -0
  24. package/prisma/skills/angular-developer/references/angular-animations.md +160 -0
  25. package/prisma/skills/angular-developer/references/angular-aria.md +410 -0
  26. package/prisma/skills/angular-developer/references/cli.md +86 -0
  27. package/prisma/skills/angular-developer/references/component-harnesses.md +59 -0
  28. package/prisma/skills/angular-developer/references/component-styling.md +91 -0
  29. package/prisma/skills/angular-developer/references/components.md +117 -0
  30. package/prisma/skills/angular-developer/references/creating-services.md +97 -0
  31. package/prisma/skills/angular-developer/references/data-resolvers.md +69 -0
  32. package/prisma/skills/angular-developer/references/define-routes.md +67 -0
  33. package/prisma/skills/angular-developer/references/defining-providers.md +72 -0
  34. package/prisma/skills/angular-developer/references/di-fundamentals.md +120 -0
  35. package/prisma/skills/angular-developer/references/e2e-testing.md +56 -0
  36. package/prisma/skills/angular-developer/references/effects.md +83 -0
  37. package/prisma/skills/angular-developer/references/hierarchical-injectors.md +43 -0
  38. package/prisma/skills/angular-developer/references/host-elements.md +80 -0
  39. package/prisma/skills/angular-developer/references/injection-context.md +63 -0
  40. package/prisma/skills/angular-developer/references/inputs.md +101 -0
  41. package/prisma/skills/angular-developer/references/linked-signal.md +59 -0
  42. package/prisma/skills/angular-developer/references/loading-strategies.md +61 -0
  43. package/prisma/skills/angular-developer/references/mcp.md +108 -0
  44. package/prisma/skills/angular-developer/references/navigate-to-routes.md +69 -0
  45. package/prisma/skills/angular-developer/references/outputs.md +86 -0
  46. package/prisma/skills/angular-developer/references/reactive-forms.md +122 -0
  47. package/prisma/skills/angular-developer/references/rendering-strategies.md +44 -0
  48. package/prisma/skills/angular-developer/references/resource.md +77 -0
  49. package/prisma/skills/angular-developer/references/route-animations.md +56 -0
  50. package/prisma/skills/angular-developer/references/route-guards.md +52 -0
  51. package/prisma/skills/angular-developer/references/router-lifecycle.md +45 -0
  52. package/prisma/skills/angular-developer/references/router-testing.md +87 -0
  53. package/prisma/skills/angular-developer/references/show-routes-with-outlets.md +68 -0
  54. package/prisma/skills/angular-developer/references/signal-forms.md +795 -0
  55. package/prisma/skills/angular-developer/references/signals-overview.md +94 -0
  56. package/prisma/skills/angular-developer/references/tailwind-css.md +69 -0
  57. package/prisma/skills/angular-developer/references/template-driven-forms.md +114 -0
  58. package/prisma/skills/angular-developer/references/testing-fundamentals.md +65 -0
  59. package/prisma/skills/api-connector-builder/SKILL.md +121 -0
  60. package/prisma/skills/api-design/SKILL.md +524 -0
  61. package/prisma/skills/architecture-decision-records/SKILL.md +180 -0
  62. package/prisma/skills/article-writing/SKILL.md +80 -0
  63. package/prisma/skills/automation-audit-ops/SKILL.md +143 -0
  64. package/prisma/skills/autonomous-agent-harness/SKILL.md +274 -0
  65. package/prisma/skills/autonomous-loops/SKILL.md +611 -0
  66. package/prisma/skills/backend-patterns/SKILL.md +562 -0
  67. package/prisma/skills/benchmark/SKILL.md +94 -0
  68. package/prisma/skills/benchmark-methodology/SKILL.md +190 -0
  69. package/prisma/skills/benchmark-optimization-loop/SKILL.md +70 -0
  70. package/prisma/skills/blender-motion-state-inspection/SKILL.md +165 -0
  71. package/prisma/skills/blueprint/SKILL.md +106 -0
  72. package/prisma/skills/brand-discovery/SKILL.md +145 -0
  73. package/prisma/skills/brand-discovery/references/10_purpose-why.md +40 -0
  74. package/prisma/skills/brand-discovery/references/20_positioning.md +44 -0
  75. package/prisma/skills/brand-discovery/references/30_audience-niche.md +52 -0
  76. package/prisma/skills/brand-discovery/references/40_personality-archetype.md +57 -0
  77. package/prisma/skills/brand-discovery/references/50_voice-tone.md +59 -0
  78. package/prisma/skills/brand-discovery/references/60_narrative-story.md +50 -0
  79. package/prisma/skills/brand-discovery/references/70_founder-tension.md +49 -0
  80. package/prisma/skills/brand-discovery/references/90_SYNTHESIS.md +133 -0
  81. package/prisma/skills/brand-voice/SKILL.md +98 -0
  82. package/prisma/skills/brand-voice/references/voice-profile-schema.md +55 -0
  83. package/prisma/skills/browser-qa/SKILL.md +105 -0
  84. package/prisma/skills/bun-runtime/SKILL.md +85 -0
  85. package/prisma/skills/canary-watch/SKILL.md +108 -0
  86. package/prisma/skills/carrier-relationship-management/SKILL.md +212 -0
  87. package/prisma/skills/cisco-ios-patterns/SKILL.md +164 -0
  88. package/prisma/skills/ck/SKILL.md +148 -0
  89. package/prisma/skills/ck/commands/forget.mjs +44 -0
  90. package/prisma/skills/ck/commands/info.mjs +24 -0
  91. package/prisma/skills/ck/commands/init.mjs +143 -0
  92. package/prisma/skills/ck/commands/list.mjs +40 -0
  93. package/prisma/skills/ck/commands/migrate.mjs +202 -0
  94. package/prisma/skills/ck/commands/resume.mjs +36 -0
  95. package/prisma/skills/ck/commands/save.mjs +210 -0
  96. package/prisma/skills/ck/commands/shared.mjs +387 -0
  97. package/prisma/skills/ck/hooks/session-start.mjs +224 -0
  98. package/prisma/skills/claude-devfleet/SKILL.md +112 -0
  99. package/prisma/skills/click-path-audit/SKILL.md +245 -0
  100. package/prisma/skills/clickhouse-io/SKILL.md +440 -0
  101. package/prisma/skills/code-tour/SKILL.md +254 -0
  102. package/prisma/skills/codebase-onboarding/SKILL.md +234 -0
  103. package/prisma/skills/codehealth-mcp/SKILL.md +167 -0
  104. package/prisma/skills/coding-standards/SKILL.md +551 -0
  105. package/prisma/skills/competitive-platform-analysis/SKILL.md +214 -0
  106. package/prisma/skills/competitive-report-structure/SKILL.md +162 -0
  107. package/prisma/skills/compose-multiplatform-patterns/SKILL.md +300 -0
  108. package/prisma/skills/config-gc/SKILL.md +120 -0
  109. package/prisma/skills/configure-ecc/SKILL.md +385 -0
  110. package/prisma/skills/connections-optimizer/SKILL.md +190 -0
  111. package/prisma/skills/content-engine/SKILL.md +132 -0
  112. package/prisma/skills/content-hash-cache-pattern/SKILL.md +162 -0
  113. package/prisma/skills/context-budget/SKILL.md +136 -0
  114. package/prisma/skills/continuous-agent-loop/SKILL.md +46 -0
  115. package/prisma/skills/continuous-learning/SKILL.md +132 -0
  116. package/prisma/skills/continuous-learning/config.json +18 -0
  117. package/prisma/skills/continuous-learning/evaluate-session.sh +69 -0
  118. package/prisma/skills/continuous-learning-v2/SKILL.md +361 -0
  119. package/prisma/skills/continuous-learning-v2/agents/observer-loop.sh +359 -0
  120. package/prisma/skills/continuous-learning-v2/agents/observer.md +189 -0
  121. package/prisma/skills/continuous-learning-v2/agents/session-guardian.sh +150 -0
  122. package/prisma/skills/continuous-learning-v2/agents/start-observer.sh +248 -0
  123. package/prisma/skills/continuous-learning-v2/config.json +8 -0
  124. package/prisma/skills/continuous-learning-v2/hooks/observe.sh +585 -0
  125. package/prisma/skills/continuous-learning-v2/scripts/detect-project.sh +322 -0
  126. package/prisma/skills/continuous-learning-v2/scripts/instinct-cli.py +1956 -0
  127. package/prisma/skills/continuous-learning-v2/scripts/lib/homunculus-dir.sh +31 -0
  128. package/prisma/skills/continuous-learning-v2/scripts/migrate-homunculus.sh +68 -0
  129. package/prisma/skills/continuous-learning-v2/scripts/test_parse_instinct.py +1421 -0
  130. package/prisma/skills/cost-aware-llm-pipeline/SKILL.md +184 -0
  131. package/prisma/skills/cost-tracking/SKILL.md +97 -0
  132. package/prisma/skills/council/SKILL.md +204 -0
  133. package/prisma/skills/cpp-coding-standards/SKILL.md +724 -0
  134. package/prisma/skills/cpp-testing/SKILL.md +325 -0
  135. package/prisma/skills/crosspost/SKILL.md +112 -0
  136. package/prisma/skills/csharp-testing/SKILL.md +322 -0
  137. package/prisma/skills/customer-billing-ops/SKILL.md +141 -0
  138. package/prisma/skills/customs-trade-compliance/SKILL.md +263 -0
  139. package/prisma/skills/dart-flutter-patterns/SKILL.md +564 -0
  140. package/prisma/skills/dashboard-builder/SKILL.md +109 -0
  141. package/prisma/skills/data-scraper-agent/SKILL.md +765 -0
  142. package/prisma/skills/data-throughput-accelerator/SKILL.md +73 -0
  143. package/prisma/skills/database-migrations/SKILL.md +430 -0
  144. package/prisma/skills/deep-research/SKILL.md +160 -0
  145. package/prisma/skills/defi-amm-security/SKILL.md +167 -0
  146. package/prisma/skills/delivery-gate/SKILL.md +126 -0
  147. package/prisma/skills/delivery-gate/hooks/quality-gate.py +220 -0
  148. package/prisma/skills/deployment-patterns/SKILL.md +428 -0
  149. package/prisma/skills/design-system/SKILL.md +83 -0
  150. package/prisma/skills/django-celery/SKILL.md +458 -0
  151. package/prisma/skills/django-patterns/SKILL.md +735 -0
  152. package/prisma/skills/django-security/SKILL.md +644 -0
  153. package/prisma/skills/django-tdd/SKILL.md +730 -0
  154. package/prisma/skills/django-verification/SKILL.md +470 -0
  155. package/prisma/skills/dmux-workflows/SKILL.md +192 -0
  156. package/prisma/skills/docker-patterns/SKILL.md +365 -0
  157. package/prisma/skills/documentation-lookup/SKILL.md +91 -0
  158. package/prisma/skills/dotnet-patterns/SKILL.md +322 -0
  159. package/prisma/skills/dynamic-workflow-mode/SKILL.md +124 -0
  160. package/prisma/skills/e2e-testing/SKILL.md +327 -0
  161. package/prisma/skills/ecc-guide/SKILL.md +190 -0
  162. package/prisma/skills/ecc-recipes/SKILL.md +149 -0
  163. package/prisma/skills/ecc-tools-cost-audit/SKILL.md +161 -0
  164. package/prisma/skills/email-ops/SKILL.md +122 -0
  165. package/prisma/skills/energy-procurement/SKILL.md +228 -0
  166. package/prisma/skills/enterprise-agent-ops/SKILL.md +51 -0
  167. package/prisma/skills/error-handling/SKILL.md +377 -0
  168. package/prisma/skills/eval-harness/SKILL.md +271 -0
  169. package/prisma/skills/evm-token-decimals/SKILL.md +131 -0
  170. package/prisma/skills/exa-search/SKILL.md +108 -0
  171. package/prisma/skills/fal-ai-media/SKILL.md +289 -0
  172. package/prisma/skills/fastapi-patterns/SKILL.md +514 -0
  173. package/prisma/skills/finance-billing-ops/SKILL.md +128 -0
  174. package/prisma/skills/flox-environments/SKILL.md +497 -0
  175. package/prisma/skills/flutter-dart-code-review/SKILL.md +436 -0
  176. package/prisma/skills/foundation-models-on-device/SKILL.md +243 -0
  177. package/prisma/skills/frontend-a11y/SKILL.md +446 -0
  178. package/prisma/skills/frontend-design-direction/SKILL.md +93 -0
  179. package/prisma/skills/frontend-patterns/SKILL.md +657 -0
  180. package/prisma/skills/frontend-slides/SKILL.md +185 -0
  181. package/prisma/skills/frontend-slides/STYLE_PRESETS.md +330 -0
  182. package/prisma/skills/frontend-slides/animation-patterns.md +122 -0
  183. package/prisma/skills/frontend-slides/html-template.md +419 -0
  184. package/prisma/skills/frontend-slides/scripts/export-pdf.sh +418 -0
  185. package/prisma/skills/frontend-slides/scripts/extract-pptx.py +96 -0
  186. package/prisma/skills/frontend-slides/viewport-base.css +153 -0
  187. package/prisma/skills/fsharp-testing/SKILL.md +281 -0
  188. package/prisma/skills/gan-style-harness/SKILL.md +279 -0
  189. package/prisma/skills/gateguard/SKILL.md +133 -0
  190. package/prisma/skills/generating-python-installer/SKILL.md +820 -0
  191. package/prisma/skills/git-workflow/SKILL.md +716 -0
  192. package/prisma/skills/github-ops/SKILL.md +145 -0
  193. package/prisma/skills/golang-patterns/SKILL.md +675 -0
  194. package/prisma/skills/golang-testing/SKILL.md +721 -0
  195. package/prisma/skills/google-workspace-ops/SKILL.md +96 -0
  196. package/prisma/skills/growth-log/SKILL.md +128 -0
  197. package/prisma/skills/healthcare-cdss-patterns/SKILL.md +246 -0
  198. package/prisma/skills/healthcare-emr-patterns/SKILL.md +160 -0
  199. package/prisma/skills/healthcare-eval-harness/SKILL.md +208 -0
  200. package/prisma/skills/healthcare-phi-compliance/SKILL.md +146 -0
  201. package/prisma/skills/hermes-imports/SKILL.md +89 -0
  202. package/prisma/skills/hexagonal-architecture/SKILL.md +277 -0
  203. package/prisma/skills/hipaa-compliance/SKILL.md +79 -0
  204. package/prisma/skills/homelab-network-readiness/SKILL.md +170 -0
  205. package/prisma/skills/homelab-network-setup/SKILL.md +130 -0
  206. package/prisma/skills/homelab-pihole-dns/SKILL.md +275 -0
  207. package/prisma/skills/homelab-vlan-segmentation/SKILL.md +312 -0
  208. package/prisma/skills/homelab-wireguard-vpn/SKILL.md +306 -0
  209. package/prisma/skills/hookify-rules/SKILL.md +128 -0
  210. package/prisma/skills/inherit-legacy-style/SKILL.md +157 -0
  211. package/prisma/skills/intent-driven-development/SKILL.md +360 -0
  212. package/prisma/skills/inventory-demand-planning/SKILL.md +247 -0
  213. package/prisma/skills/investor-materials/SKILL.md +97 -0
  214. package/prisma/skills/investor-outreach/SKILL.md +92 -0
  215. package/prisma/skills/ios-icon-gen/SKILL.md +158 -0
  216. package/prisma/skills/ios-icon-gen/scripts/generate_icons.swift +258 -0
  217. package/prisma/skills/ios-icon-gen/scripts/iconify_gen.sh +235 -0
  218. package/prisma/skills/iterative-retrieval/SKILL.md +212 -0
  219. package/prisma/skills/ito-basket-compare/SKILL.md +64 -0
  220. package/prisma/skills/ito-data-atlas-agent/SKILL.md +64 -0
  221. package/prisma/skills/ito-market-intelligence/SKILL.md +61 -0
  222. package/prisma/skills/ito-trade-planner/SKILL.md +68 -0
  223. package/prisma/skills/java-coding-standards/SKILL.md +384 -0
  224. package/prisma/skills/jira-integration/SKILL.md +303 -0
  225. package/prisma/skills/jpa-patterns/SKILL.md +152 -0
  226. package/prisma/skills/knowledge-ops/SKILL.md +155 -0
  227. package/prisma/skills/kotlin-coroutines-flows/SKILL.md +285 -0
  228. package/prisma/skills/kotlin-exposed-patterns/SKILL.md +720 -0
  229. package/prisma/skills/kotlin-ktor-patterns/SKILL.md +690 -0
  230. package/prisma/skills/kotlin-patterns/SKILL.md +712 -0
  231. package/prisma/skills/kotlin-testing/SKILL.md +825 -0
  232. package/prisma/skills/kubernetes-patterns/SKILL.md +756 -0
  233. package/prisma/skills/laravel-patterns/SKILL.md +416 -0
  234. package/prisma/skills/laravel-plugin-discovery/SKILL.md +230 -0
  235. package/prisma/skills/laravel-security/SKILL.md +948 -0
  236. package/prisma/skills/laravel-tdd/SKILL.md +675 -0
  237. package/prisma/skills/laravel-verification/SKILL.md +180 -0
  238. package/prisma/skills/latency-critical-systems/SKILL.md +74 -0
  239. package/prisma/skills/lead-intelligence/SKILL.md +322 -0
  240. package/prisma/skills/lead-intelligence/agents/enrichment-agent.md +85 -0
  241. package/prisma/skills/lead-intelligence/agents/mutual-mapper.md +75 -0
  242. package/prisma/skills/lead-intelligence/agents/outreach-drafter.md +98 -0
  243. package/prisma/skills/lead-intelligence/agents/signal-scorer.md +60 -0
  244. package/prisma/skills/liquid-glass-design/SKILL.md +279 -0
  245. package/prisma/skills/llm-trading-agent-security/SKILL.md +147 -0
  246. package/prisma/skills/logistics-exception-management/SKILL.md +222 -0
  247. package/prisma/skills/loop-design-check/SKILL.md +143 -0
  248. package/prisma/skills/mailtrap-email-integration/SKILL.md +77 -0
  249. package/prisma/skills/make-interfaces-feel-better/SKILL.md +152 -0
  250. package/prisma/skills/manim-video/SKILL.md +90 -0
  251. package/prisma/skills/manim-video/assets/network_graph_scene.py +52 -0
  252. package/prisma/skills/market-research/SKILL.md +76 -0
  253. package/prisma/skills/marketing-campaign/SKILL.md +114 -0
  254. package/prisma/skills/mcp-server-patterns/SKILL.md +70 -0
  255. package/prisma/skills/messages-ops/SKILL.md +105 -0
  256. package/prisma/skills/ml-adoption-playbook/SKILL.md +57 -0
  257. package/prisma/skills/mle-workflow/SKILL.md +347 -0
  258. package/prisma/skills/motion-advanced/SKILL.md +596 -0
  259. package/prisma/skills/motion-foundations/SKILL.md +299 -0
  260. package/prisma/skills/motion-patterns/SKILL.md +434 -0
  261. package/prisma/skills/motion-ui/SKILL.md +576 -0
  262. package/prisma/skills/mysql-patterns/SKILL.md +413 -0
  263. package/prisma/skills/nanoclaw-repl/SKILL.md +34 -0
  264. package/prisma/skills/nestjs-patterns/SKILL.md +231 -0
  265. package/prisma/skills/netmiko-ssh-automation/SKILL.md +174 -0
  266. package/prisma/skills/network-bgp-diagnostics/SKILL.md +168 -0
  267. package/prisma/skills/network-config-validation/SKILL.md +211 -0
  268. package/prisma/skills/network-interface-health/SKILL.md +153 -0
  269. package/prisma/skills/nextjs-turbopack/SKILL.md +58 -0
  270. package/prisma/skills/nodejs-keccak256/SKILL.md +103 -0
  271. package/prisma/skills/nutrient-document-processing/SKILL.md +168 -0
  272. package/prisma/skills/nuxt4-patterns/SKILL.md +101 -0
  273. package/prisma/skills/openclaw-persona-forge/SKILL.md +289 -0
  274. package/prisma/skills/openclaw-persona-forge/gacha.py +224 -0
  275. package/prisma/skills/openclaw-persona-forge/gacha.sh +5 -0
  276. package/prisma/skills/openclaw-persona-forge/references/avatar-style.md +124 -0
  277. package/prisma/skills/openclaw-persona-forge/references/boundary-rules.md +53 -0
  278. package/prisma/skills/openclaw-persona-forge/references/error-handling.md +53 -0
  279. package/prisma/skills/openclaw-persona-forge/references/identity-tension.md +48 -0
  280. package/prisma/skills/openclaw-persona-forge/references/naming-system.md +39 -0
  281. package/prisma/skills/openclaw-persona-forge/references/output-template.md +166 -0
  282. package/prisma/skills/opensource-pipeline/SKILL.md +256 -0
  283. package/prisma/skills/orch-add-feature/SKILL.md +45 -0
  284. package/prisma/skills/orch-build-mvp/SKILL.md +49 -0
  285. package/prisma/skills/orch-change-feature/SKILL.md +43 -0
  286. package/prisma/skills/orch-fix-defect/SKILL.md +43 -0
  287. package/prisma/skills/orch-pipeline/SKILL.md +121 -0
  288. package/prisma/skills/orch-refine-code/SKILL.md +44 -0
  289. package/prisma/skills/parallel-execution-optimizer/SKILL.md +73 -0
  290. package/prisma/skills/perl-patterns/SKILL.md +505 -0
  291. package/prisma/skills/perl-security/SKILL.md +504 -0
  292. package/prisma/skills/perl-testing/SKILL.md +476 -0
  293. package/prisma/skills/plan-orchestrate/SKILL.md +263 -0
  294. package/prisma/skills/plankton-code-quality/SKILL.md +237 -0
  295. package/prisma/skills/postgres-patterns/SKILL.md +148 -0
  296. package/prisma/skills/prediction-market-oracle-research/SKILL.md +64 -0
  297. package/prisma/skills/prediction-market-risk-review/SKILL.md +61 -0
  298. package/prisma/skills/prisma-patterns/SKILL.md +401 -0
  299. package/prisma/skills/product-capability/SKILL.md +142 -0
  300. package/prisma/skills/product-lens/SKILL.md +93 -0
  301. package/prisma/skills/production-audit/SKILL.md +207 -0
  302. package/prisma/skills/production-scheduling/SKILL.md +238 -0
  303. package/prisma/skills/project-flow-ops/SKILL.md +112 -0
  304. package/prisma/skills/prompt-optimizer/SKILL.md +398 -0
  305. package/prisma/skills/python-patterns/SKILL.md +751 -0
  306. package/prisma/skills/python-testing/SKILL.md +817 -0
  307. package/prisma/skills/pytorch-patterns/SKILL.md +397 -0
  308. package/prisma/skills/quality-nonconformance/SKILL.md +260 -0
  309. package/prisma/skills/quarkus-patterns/SKILL.md +723 -0
  310. package/prisma/skills/quarkus-security/SKILL.md +468 -0
  311. package/prisma/skills/quarkus-tdd/SKILL.md +812 -0
  312. package/prisma/skills/quarkus-verification/SKILL.md +480 -0
  313. package/prisma/skills/ralphinho-rfc-pipeline/SKILL.md +68 -0
  314. package/prisma/skills/react-native-patterns/SKILL.md +326 -0
  315. package/prisma/skills/react-patterns/SKILL.md +342 -0
  316. package/prisma/skills/react-performance/SKILL.md +575 -0
  317. package/prisma/skills/react-testing/SKILL.md +424 -0
  318. package/prisma/skills/recsys-pipeline-architect/SKILL.md +115 -0
  319. package/prisma/skills/recursive-decision-ledger/SKILL.md +80 -0
  320. package/prisma/skills/redis-patterns/SKILL.md +404 -0
  321. package/prisma/skills/regex-vs-llm-structured-text/SKILL.md +221 -0
  322. package/prisma/skills/remotion-video-creation/SKILL.md +43 -0
  323. package/prisma/skills/remotion-video-creation/rules/3d.md +86 -0
  324. package/prisma/skills/remotion-video-creation/rules/animations.md +29 -0
  325. package/prisma/skills/remotion-video-creation/rules/assets/charts-bar-chart.tsx +173 -0
  326. package/prisma/skills/remotion-video-creation/rules/assets/text-animations-typewriter.tsx +100 -0
  327. package/prisma/skills/remotion-video-creation/rules/assets/text-animations-word-highlight.tsx +108 -0
  328. package/prisma/skills/remotion-video-creation/rules/assets.md +78 -0
  329. package/prisma/skills/remotion-video-creation/rules/audio.md +172 -0
  330. package/prisma/skills/remotion-video-creation/rules/calculate-metadata.md +104 -0
  331. package/prisma/skills/remotion-video-creation/rules/can-decode.md +75 -0
  332. package/prisma/skills/remotion-video-creation/rules/charts.md +58 -0
  333. package/prisma/skills/remotion-video-creation/rules/compositions.md +146 -0
  334. package/prisma/skills/remotion-video-creation/rules/display-captions.md +126 -0
  335. package/prisma/skills/remotion-video-creation/rules/extract-frames.md +229 -0
  336. package/prisma/skills/remotion-video-creation/rules/fonts.md +152 -0
  337. package/prisma/skills/remotion-video-creation/rules/get-audio-duration.md +58 -0
  338. package/prisma/skills/remotion-video-creation/rules/get-video-dimensions.md +68 -0
  339. package/prisma/skills/remotion-video-creation/rules/get-video-duration.md +58 -0
  340. package/prisma/skills/remotion-video-creation/rules/gifs.md +138 -0
  341. package/prisma/skills/remotion-video-creation/rules/images.md +130 -0
  342. package/prisma/skills/remotion-video-creation/rules/import-srt-captions.md +67 -0
  343. package/prisma/skills/remotion-video-creation/rules/lottie.md +67 -0
  344. package/prisma/skills/remotion-video-creation/rules/measuring-dom-nodes.md +34 -0
  345. package/prisma/skills/remotion-video-creation/rules/measuring-text.md +143 -0
  346. package/prisma/skills/remotion-video-creation/rules/sequencing.md +106 -0
  347. package/prisma/skills/remotion-video-creation/rules/tailwind.md +11 -0
  348. package/prisma/skills/remotion-video-creation/rules/text-animations.md +20 -0
  349. package/prisma/skills/remotion-video-creation/rules/timing.md +179 -0
  350. package/prisma/skills/remotion-video-creation/rules/transcribe-captions.md +19 -0
  351. package/prisma/skills/remotion-video-creation/rules/transitions.md +122 -0
  352. package/prisma/skills/remotion-video-creation/rules/trimming.md +52 -0
  353. package/prisma/skills/remotion-video-creation/rules/videos.md +171 -0
  354. package/prisma/skills/repo-scan/SKILL.md +79 -0
  355. package/prisma/skills/research-ops/SKILL.md +113 -0
  356. package/prisma/skills/returns-reverse-logistics/SKILL.md +240 -0
  357. package/prisma/skills/rules-distill/SKILL.md +265 -0
  358. package/prisma/skills/rules-distill/scripts/scan-rules.sh +58 -0
  359. package/prisma/skills/rules-distill/scripts/scan-skills.sh +129 -0
  360. package/prisma/skills/rust-patterns/SKILL.md +500 -0
  361. package/prisma/skills/rust-testing/SKILL.md +501 -0
  362. package/prisma/skills/safety-guard/SKILL.md +76 -0
  363. package/prisma/skills/santa-method/SKILL.md +307 -0
  364. package/prisma/skills/scientific-db-pubmed-database/SKILL.md +176 -0
  365. package/prisma/skills/scientific-db-uspto-database/SKILL.md +178 -0
  366. package/prisma/skills/scientific-pkg-gget/SKILL.md +167 -0
  367. package/prisma/skills/scientific-thinking-literature-review/SKILL.md +193 -0
  368. package/prisma/skills/scientific-thinking-scholar-evaluation/SKILL.md +161 -0
  369. package/prisma/skills/search-first/SKILL.md +183 -0
  370. package/prisma/skills/security-bounty-hunter/SKILL.md +100 -0
  371. package/prisma/skills/security-review/SKILL.md +504 -0
  372. package/prisma/skills/security-review/cloud-infrastructure-security.md +361 -0
  373. package/prisma/skills/security-scan/SKILL.md +166 -0
  374. package/prisma/skills/seo/SKILL.md +155 -0
  375. package/prisma/skills/skill-comply/SKILL.md +59 -0
  376. package/prisma/skills/skill-comply/fixtures/compliant_trace.jsonl +5 -0
  377. package/prisma/skills/skill-comply/fixtures/noncompliant_trace.jsonl +3 -0
  378. package/prisma/skills/skill-comply/fixtures/tdd_spec.yaml +44 -0
  379. package/prisma/skills/skill-comply/prompts/classifier.md +24 -0
  380. package/prisma/skills/skill-comply/prompts/scenario_generator.md +62 -0
  381. package/prisma/skills/skill-comply/prompts/spec_generator.md +42 -0
  382. package/prisma/skills/skill-comply/pyproject.toml +15 -0
  383. package/prisma/skills/skill-comply/scripts/__init__.py +0 -0
  384. package/prisma/skills/skill-comply/scripts/classifier.py +85 -0
  385. package/prisma/skills/skill-comply/scripts/grader.py +124 -0
  386. package/prisma/skills/skill-comply/scripts/parser.py +107 -0
  387. package/prisma/skills/skill-comply/scripts/report.py +170 -0
  388. package/prisma/skills/skill-comply/scripts/run.py +127 -0
  389. package/prisma/skills/skill-comply/scripts/runner.py +194 -0
  390. package/prisma/skills/skill-comply/scripts/scenario_generator.py +70 -0
  391. package/prisma/skills/skill-comply/scripts/spec_generator.py +72 -0
  392. package/prisma/skills/skill-comply/scripts/utils.py +13 -0
  393. package/prisma/skills/skill-comply/tests/test_grader.py +197 -0
  394. package/prisma/skills/skill-comply/tests/test_parser.py +90 -0
  395. package/prisma/skills/skill-comply/tests/test_runner.py +172 -0
  396. package/prisma/skills/skill-scout/SKILL.md +141 -0
  397. package/prisma/skills/skill-stocktake/SKILL.md +195 -0
  398. package/prisma/skills/skill-stocktake/scripts/quick-diff.sh +87 -0
  399. package/prisma/skills/skill-stocktake/scripts/save-results.sh +56 -0
  400. package/prisma/skills/skill-stocktake/scripts/scan.sh +170 -0
  401. package/prisma/skills/social-graph-ranker/SKILL.md +155 -0
  402. package/prisma/skills/social-publisher/SKILL.md +130 -0
  403. package/prisma/skills/springboot-patterns/SKILL.md +315 -0
  404. package/prisma/skills/springboot-security/SKILL.md +273 -0
  405. package/prisma/skills/springboot-tdd/SKILL.md +159 -0
  406. package/prisma/skills/springboot-verification/SKILL.md +232 -0
  407. package/prisma/skills/strategic-compact/SKILL.md +136 -0
  408. package/prisma/skills/swift-actor-persistence/SKILL.md +144 -0
  409. package/prisma/skills/swift-concurrency-6-2/SKILL.md +216 -0
  410. package/prisma/skills/swift-protocol-di-testing/SKILL.md +191 -0
  411. package/prisma/skills/swiftui-patterns/SKILL.md +259 -0
  412. package/prisma/skills/taste/SKILL.md +264 -0
  413. package/prisma/skills/taste/references/genre-taxonomy.md +87 -0
  414. package/prisma/skills/tdd-workflow/SKILL.md +583 -0
  415. package/prisma/skills/team-agent-orchestration/SKILL.md +111 -0
  416. package/prisma/skills/team-builder/SKILL.md +169 -0
  417. package/prisma/skills/terminal-ops/SKILL.md +110 -0
  418. package/prisma/skills/tinystruct-patterns/SKILL.md +279 -0
  419. package/prisma/skills/tinystruct-patterns/references/architecture.md +90 -0
  420. package/prisma/skills/tinystruct-patterns/references/data-handling.md +60 -0
  421. package/prisma/skills/tinystruct-patterns/references/database.md +99 -0
  422. package/prisma/skills/tinystruct-patterns/references/routing.md +64 -0
  423. package/prisma/skills/tinystruct-patterns/references/system-usage.md +97 -0
  424. package/prisma/skills/tinystruct-patterns/references/testing.md +72 -0
  425. package/prisma/skills/token-budget-advisor/SKILL.md +134 -0
  426. package/prisma/skills/ui-demo/SKILL.md +466 -0
  427. package/prisma/skills/ui-to-vue/SKILL.md +135 -0
  428. package/prisma/skills/uncloud/SKILL.md +344 -0
  429. package/prisma/skills/unified-notifications-ops/SKILL.md +188 -0
  430. package/prisma/skills/verification-loop/SKILL.md +127 -0
  431. package/prisma/skills/video-editing/SKILL.md +311 -0
  432. package/prisma/skills/videodb/SKILL.md +375 -0
  433. package/prisma/skills/videodb/reference/api-reference.md +550 -0
  434. package/prisma/skills/videodb/reference/capture-reference.md +407 -0
  435. package/prisma/skills/videodb/reference/capture.md +101 -0
  436. package/prisma/skills/videodb/reference/editor.md +443 -0
  437. package/prisma/skills/videodb/reference/generative.md +331 -0
  438. package/prisma/skills/videodb/reference/rtstream-reference.md +564 -0
  439. package/prisma/skills/videodb/reference/rtstream.md +65 -0
  440. package/prisma/skills/videodb/reference/search.md +230 -0
  441. package/prisma/skills/videodb/reference/streaming.md +406 -0
  442. package/prisma/skills/videodb/reference/use-cases.md +118 -0
  443. package/prisma/skills/videodb/scripts/ws_listener.py +282 -0
  444. package/prisma/skills/visa-doc-translate/README.md +86 -0
  445. package/prisma/skills/visa-doc-translate/SKILL.md +117 -0
  446. package/prisma/skills/vite-patterns/SKILL.md +450 -0
  447. package/prisma/skills/vue-patterns/SKILL.md +471 -0
  448. package/prisma/skills/windows-desktop-e2e/SKILL.md +888 -0
  449. package/prisma/skills/workspace-surface-audit/SKILL.md +126 -0
  450. package/prisma/skills/x-api/SKILL.md +235 -0
  451. package/run.mjs +0 -10
@@ -0,0 +1,948 @@
1
+ ---
2
+ name: laravel-security
3
+ description: Laravel security best practices — authentication, authorization, Eloquent safety, CSRF, XSS prevention, API security, and secure deployment configurations.
4
+ metadata:
5
+ origin: ECC
6
+ ---
7
+
8
+ # Laravel Security Best Practices
9
+
10
+ Comprehensive security guidelines for Laravel applications to protect against common vulnerabilities.
11
+
12
+ ## When to Activate
13
+
14
+ - Setting up Laravel authentication and authorization (Sanctum, Passport, Jetstream, Breeze)
15
+ - Implementing user roles, permissions, and policies
16
+ - Configuring production security settings and environment variables
17
+ - Reviewing Laravel applications for security vulnerabilities
18
+ - Deploying Laravel applications to production
19
+ - Writing secure Eloquent queries and migrations
20
+
21
+ ## Production Configuration
22
+
23
+ ### Essential Production Settings
24
+
25
+ ```php
26
+ // config/app.php
27
+ 'env' => env('APP_ENV', 'production'),
28
+ 'debug' => (bool) env('APP_DEBUG', false), // CRITICAL: Never true in production
29
+ 'key' => env('APP_KEY'), // Must be set: php artisan key:generate
30
+
31
+ // config/session.php
32
+ 'secure' => env('SESSION_SECURE_COOKIE', true),
33
+ 'http_only' => true,
34
+ 'same_site' => 'lax',
35
+
36
+ // Verify APP_KEY is set at boot
37
+ // bootstrap/app.php or a service provider
38
+ if (empty(config('app.key'))) {
39
+ throw new RuntimeException('APP_KEY is not set. Run: php artisan key:generate');
40
+ }
41
+ ```
42
+
43
+ ### Environment File Security
44
+
45
+ ```bash
46
+ # NEVER commit .env to version control
47
+ # .gitignore already includes .env by default
48
+
49
+ # Use .env.example with placeholders instead
50
+ DB_PASSWORD=
51
+ APP_KEY=
52
+ SANCTUM_TOKEN_PREFIX=
53
+
54
+ # Validate required variables at boot
55
+ // In AppServiceProvider::boot()
56
+ $requiredKeys = ['app.key', 'database.connections.mysql.database', 'database.connections.mysql.username'];
57
+ foreach ($requiredKeys as $key) {
58
+ if (empty(config($key))) {
59
+ throw new RuntimeException("Missing required config key: {$key}");
60
+ }
61
+ }
62
+ ```
63
+
64
+ ### HTTPS Enforcement
65
+
66
+ ```php
67
+ // AppServiceProvider::boot() or middleware
68
+ if (app()->environment('production')) {
69
+ URL::forceScheme('https');
70
+ request()->server->set('HTTPS', 'on');
71
+ }
72
+
73
+ // config/app.php for trusted proxies (load balancers)
74
+ // Use specific IP ranges — * trusts all, allowing X-Forwarded-* spoofing
75
+ // AWS: '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'
76
+ 'trusted_proxies' => ['10.0.0.0/8', '172.16.0.0/12'],
77
+
78
+ // Force HTTPS in production via middleware
79
+ // app/Http/Middleware/ForceHttps.php
80
+ public function handle($request, Closure $next)
81
+ {
82
+ if (!$request->secure() && app()->environment('production')) {
83
+ return redirect()->secure($request->getRequestUri());
84
+ }
85
+ return $next($request);
86
+ }
87
+ ```
88
+
89
+ ## Authentication
90
+
91
+ ### Sanctum (API Token Authentication)
92
+
93
+ ```php
94
+ // config/sanctum.php
95
+ 'stateful' => explode(',', env('SANCTUM_STATEFUL_DOMAINS', sprintf(
96
+ '%s%s',
97
+ 'localhost,localhost:3000,127.0.0.1,127.0.0.1:8000,::1',
98
+ env('APP_URL') ? ',' . parse_url(env('APP_URL'), PHP_URL_HOST) : ''
99
+ )));
100
+
101
+ 'expiration' => 60 * 24, // Token expiration in minutes (null = never)
102
+ 'token_prefix' => env('SANCTUM_TOKEN_PREFIX', ''),
103
+
104
+ // Issuing tokens with abilities
105
+ $token = $user->createToken('api-token', ['read', 'write'])->plainTextToken;
106
+
107
+ // Validate abilities on routes
108
+ Route::middleware('auth:sanctum')->group(function () {
109
+ Route::get('/orders', function () {
110
+ // User must have 'read' ability
111
+ abort_unless(Auth::user()->tokenCan('read'), 403);
112
+ // ...
113
+ })->middleware('abilities:read');
114
+
115
+ Route::post('/orders', function () {
116
+ // User must have 'write' ability
117
+ abort_unless(Auth::user()->tokenCan('write'), 403);
118
+ // ...
119
+ })->middleware('abilities:write');
120
+ });
121
+ ```
122
+
123
+ ### Password Security
124
+
125
+ ```php
126
+ // config/hashing.php
127
+ // Default is bcrypt. Argon2id is stronger.
128
+ 'bcrypt' => [
129
+ 'rounds' => env('BCRYPT_ROUNDS', 12), // Increase for stronger hashing
130
+ ],
131
+
132
+ 'argon' => [
133
+ 'memory' => 65536,
134
+ 'threads' => 4,
135
+ 'time' => 4,
136
+ ],
137
+
138
+ // Password validation in RegisterRequest
139
+ public function rules(): array
140
+ {
141
+ return [
142
+ 'password' => [
143
+ 'required',
144
+ 'confirmed',
145
+ Password::min(12)
146
+ ->letters()
147
+ ->mixedCase()
148
+ ->numbers()
149
+ ->symbols()
150
+ ->uncompromised(), // Checks haveibeenpwned
151
+ ],
152
+ ];
153
+ }
154
+
155
+ // Rate limit login attempts
156
+ // App\Http\Controllers\Auth\AuthenticatedSessionController
157
+ protected function authenticated(Request $request, $user)
158
+ {
159
+ if ($user->wasRecentlyLockedOut()) {
160
+ // Notify user of suspicious login
161
+ $user->notify(new SuspiciousLoginNotification($request->ip()));
162
+ }
163
+ }
164
+ ```
165
+
166
+ ### Session Management
167
+
168
+ ```php
169
+ // config/session.php
170
+ 'driver' => env('SESSION_DRIVER', 'database'), // database/redis > file
171
+ 'lifetime' => env('SESSION_LIFETIME', 120),
172
+ 'expire_on_close' => env('SESSION_EXPIRE_ON_CLOSE', false),
173
+ 'encrypt' => env('SESSION_ENCRYPT', false),
174
+
175
+ // Regenerate session on login
176
+ // App\Http\Controllers\Auth\AuthenticatedSessionController
177
+ public function store(LoginRequest $request): RedirectResponse
178
+ {
179
+ $request->authenticate();
180
+ $request->session()->regenerate(); // CRITICAL: prevents session fixation
181
+ return redirect()->intended(RouteServiceProvider::HOME);
182
+ }
183
+
184
+ // Invalidate session on logout
185
+ public function destroy(Request $request): RedirectResponse
186
+ {
187
+ Auth::guard('web')->logout();
188
+ $request->session()->invalidate();
189
+ $request->session()->regenerateToken();
190
+ return redirect('/');
191
+ }
192
+ ```
193
+
194
+ ## Authorization
195
+
196
+ ### Gates
197
+
198
+ ```php
199
+ // App\Providers\AuthServiceProvider
200
+ use App\Models\Post;
201
+ use App\Models\User;
202
+ use Illuminate\Support\Facades\Gate;
203
+
204
+ public function boot(): void
205
+ {
206
+ Gate::define('update-post', function (User $user, Post $post): bool {
207
+ return $user->id === $post->user_id;
208
+ });
209
+
210
+ Gate::define('publish-post', function (User $user): bool {
211
+ return $user->role === 'editor' || $user->role === 'admin';
212
+ });
213
+
214
+ // Using before() for super-admin override
215
+ Gate::before(function (User $user, string $ability): ?bool {
216
+ if ($user->role === 'super-admin') {
217
+ return true; // Grants all abilities
218
+ }
219
+ return null; // Fall through to normal checks
220
+ });
221
+ }
222
+
223
+ // Usage in controllers
224
+ public function update(Request $request, Post $post): RedirectResponse
225
+ {
226
+ Gate::authorize('update-post', $post);
227
+ // Or: $this->authorize('update-post', $post);
228
+ // Or: abort_unless(Auth::user()->can('update-post', $post), 403);
229
+ // ...
230
+ }
231
+ ```
232
+
233
+ ### Policies
234
+
235
+ ```php
236
+ // App\Policies\PostPolicy
237
+ class PostPolicy
238
+ {
239
+ use HandlesAuthorization;
240
+
241
+ public function viewAny(?User $user): bool
242
+ {
243
+ return true; // Public listing
244
+ }
245
+
246
+ public function view(?User $user, Post $post): bool
247
+ {
248
+ return $post->is_published || ($user && $user->id === $post->user_id);
249
+ }
250
+
251
+ public function create(User $user): bool
252
+ {
253
+ return $user->hasVerifiedEmail(); // Must verify email first
254
+ }
255
+
256
+ public function update(User $user, Post $post): bool
257
+ {
258
+ return $user->id === $post->user_id;
259
+ }
260
+
261
+ public function delete(User $user, Post $post): bool
262
+ {
263
+ return $user->id === $post->user_id && $post->created_at->diffInDays(now()) <= 30;
264
+ }
265
+
266
+ public function restore(User $user, Post $post): bool
267
+ {
268
+ return $user->role === 'admin';
269
+ }
270
+
271
+ public function forceDelete(User $user, Post $post): bool
272
+ {
273
+ return $user->role === 'super-admin';
274
+ }
275
+ }
276
+
277
+ // Register in AuthServiceProvider
278
+ protected $policies = [
279
+ Post::class => PostPolicy::class,
280
+ ];
281
+
282
+ // Controller usage
283
+ public function show(Post $post): View
284
+ {
285
+ $this->authorize('view', $post);
286
+ return view('posts.show', compact('post'));
287
+ }
288
+
289
+ // Blade usage
290
+ @can('update', $post)
291
+ <a href="{{ route('posts.edit', $post) }}">Edit</a>
292
+ @endcan
293
+
294
+ @cannot('update', $post)
295
+ <span>You cannot edit this post</span>
296
+ @endcannot
297
+ ```
298
+
299
+ ### Middleware Authorization
300
+
301
+ ```php
302
+ // Using middleware in routes
303
+ Route::put('/posts/{post}', [PostController::class, 'update'])
304
+ ->middleware('can:update,post');
305
+
306
+ Route::get('/posts/create', [PostController::class, 'create'])
307
+ ->middleware('can:create,App\Models\Post');
308
+
309
+ // Custom authorization middleware
310
+ // app/Http/Middleware/CheckRole.php
311
+ class CheckRole
312
+ {
313
+ public function handle(Request $request, Closure $next, string $role): mixed
314
+ {
315
+ if (!$request->user() || $request->user()->role !== $role) {
316
+ abort(403, 'Unauthorized. This area requires role: ' . $role);
317
+ }
318
+ return $next($request);
319
+ }
320
+ }
321
+
322
+ // Register in Kernel
323
+ protected $routeMiddleware = [
324
+ 'role' => \App\Http\Middleware\CheckRole::class,
325
+ ];
326
+
327
+ // Route usage
328
+ Route::middleware(['auth', 'role:admin'])->group(function () {
329
+ Route::get('/admin', [AdminController::class, 'index']);
330
+ });
331
+ ```
332
+
333
+ ## Eloquent Security
334
+
335
+ ### Mass Assignment Protection
336
+
337
+ ```php
338
+ // BAD: $guarded = [] allows ALL columns to be mass-assigned
339
+ // NEVER use $guarded = [] in production
340
+
341
+ // GOOD: Whitelist fillable attributes
342
+ final class User extends Authenticatable
343
+ {
344
+ protected $fillable = [
345
+ 'name',
346
+ 'email',
347
+ 'phone',
348
+ 'avatar',
349
+ ];
350
+ // NEVER add 'role', 'is_admin', 'is_verified' here
351
+ }
352
+
353
+ // GOOD: Explicitly control which fields can be filled in requests
354
+ public function store(StoreUserRequest $request): RedirectResponse
355
+ {
356
+ $user = User::create($request->safe()->only([
357
+ 'name', 'email', 'phone', 'avatar'
358
+ ]));
359
+ // $request->safe() uses validated data only
360
+ // $request->only() is NOT safe on its own without validation rules
361
+ }
362
+
363
+ // BAD: Creating a user with request data directly
364
+ User::create($request->all()); // VULNERABLE to mass assignment!
365
+
366
+ // BETTER: Use DTOs for creation
367
+ $user = User::create($request->validated()); // Only validated fields
368
+ ```
369
+
370
+ ### SQL Injection Prevention
371
+
372
+ ```php
373
+ // GOOD: Eloquent automatically parameterizes queries
374
+ User::where('email', $userInput)->first();
375
+ User::whereRaw('email = ?', [$userInput])->first();
376
+
377
+ // GOOD: Query Builder also parameterizes
378
+ DB::table('users')->where('email', $userInput)->first();
379
+ DB::select('SELECT * FROM users WHERE email = ?', [$userInput]);
380
+
381
+ // BAD: Raw string interpolation
382
+ DB::select("SELECT * FROM users WHERE email = '{$userInput}'"); // VULNERABLE!
383
+ User::whereRaw("email = '{$userInput}'")->first(); // VULNERABLE!
384
+
385
+ // BAD: whereRaw/orderByRaw with unescaped input
386
+ User::orderByRaw($userInput); // VULNERABLE!
387
+ User::groupByRaw($userInput); // VULNERABLE!
388
+
389
+ // BAD: DB::statement with concatenation
390
+ DB::statement("INSERT INTO users (email) VALUES ('{$userInput}')"); // VULNERABLE!
391
+ ```
392
+
393
+ ### Attribute Casting
394
+
395
+ ```php
396
+ final class User extends Authenticatable
397
+ {
398
+ protected $casts = [
399
+ 'email_verified_at' => 'datetime',
400
+ 'is_admin' => 'boolean', // Cast to boolean prevents string injection
401
+ 'settings' => 'array', // Automatically json_encode/json_decode
402
+ 'metadata' => 'encrypted:array', // Laravel 11+ encrypted casting
403
+ 'password' => 'hashed', // Laravel 10+ auto-hashes on set
404
+ ];
405
+ }
406
+ ```
407
+
408
+ ### Model Security
409
+
410
+ ```php
411
+ final class User extends Authenticatable
412
+ {
413
+ // Hide sensitive attributes from JSON/API responses
414
+ protected $hidden = [
415
+ 'password',
416
+ 'remember_token',
417
+ 'two_factor_secret',
418
+ 'two_factor_recovery_codes',
419
+ ];
420
+
421
+ // Append only safe computed attributes
422
+ protected $appends = ['full_name']; // safe
423
+ // NEVER append sensitive computed data
424
+ }
425
+
426
+ final class Post extends Model
427
+ {
428
+ // Global scope to filter soft deleted records
429
+ use SoftDeletes;
430
+
431
+ // Prevent N+1 by restricting lazy loading (optional strict mode)
432
+ // AppServiceProvider::boot()
433
+ // Model::preventLazyLoading(!app()->isProduction());
434
+ }
435
+ ```
436
+
437
+ ## CSRF Protection
438
+
439
+ ### Default Protection
440
+
441
+ ```php
442
+ // Laravel CSRF is enabled by default via VerifyCsrfToken middleware
443
+ // app/Http/Kernel.php (protected $middlewareGroups['web'])
444
+
445
+ // All POST/PUT/PATCH/DELETE forms must include @csrf
446
+ <form method="POST" action="/posts">
447
+ @csrf
448
+ <input type="text" name="title">
449
+ <button type="submit">Create</button>
450
+ </form>
451
+ ```
452
+
453
+ ### Excluding Routes (Carefully)
454
+
455
+ ```php
456
+ // app/Http/Middleware/VerifyCsrfToken.php
457
+ class VerifyCsrfToken extends Middleware
458
+ {
459
+ // Only exclude routes that have external CSRF protection (webhooks, etc.)
460
+ protected $except = [
461
+ 'stripe/*', // Stripe webhooks use their own signature verification
462
+ // Avoid blanket 'api/*' — stateful Sanctum routes need CSRF.
463
+ // Exclude only specific stateless webhook/endpoint routes.
464
+ ];
465
+ }
466
+ ```
467
+
468
+ ### CSRF with JavaScript
469
+
470
+ ```html
471
+ <meta name="csrf-token" content="{{ csrf_token() }}">
472
+
473
+ <script>
474
+ // Axios example (Laravel ships with Axios)
475
+ axios.defaults.headers.common['X-CSRF-TOKEN'] = document.querySelector(
476
+ 'meta[name="csrf-token"]'
477
+ ).getAttribute('content');
478
+
479
+ // Fetch example
480
+ fetch('/posts', {
481
+ method: 'POST',
482
+ headers: {
483
+ 'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').getAttribute('content'),
484
+ 'Content-Type': 'application/json',
485
+ },
486
+ body: JSON.stringify(data),
487
+ });
488
+ </script>
489
+ ```
490
+
491
+ ## XSS Prevention
492
+
493
+ ### Blade Templating Security
494
+
495
+ ```blade
496
+ {{-- SAFE: Auto-escaped by Blade --}}
497
+ {{ $userInput }}
498
+
499
+ {{-- DANGEROUS: Raw output — NEVER use with user input --}}
500
+ {!! $userInput !!}
501
+
502
+ {{-- SAFE: Only use {!! !!} with trusted content you control --}}
503
+ {!! $trustedHtmlFromYourServer !!}
504
+
505
+ {{-- GOOD: Use specific escaping directives --}}
506
+ @js($data) {{-- JSON encode for JavaScript --}}
507
+ @json($data) {{-- JSON encode in templates --}}
508
+
509
+ {{-- BAD: Direct user input in raw HTML --}}
510
+ <div>{!! $user->bio !!}</div> {{-- VULNERABLE if user provides bio --}}
511
+ ```
512
+
513
+ ### Safe HTML Handling
514
+
515
+ ```php
516
+ // When you must allow some HTML, use a whitelist approach
517
+ use HTMLPurifier; // Requires: composer require ezyang/htmlpurifier
518
+
519
+ public function sanitizeHtml(string $dirty): string
520
+ {
521
+ $config = \HTMLPurifier_Config::createDefault();
522
+ $config->set('HTML.Allowed', 'p,b,i,a[href],ul,ol,li,br');
523
+ $config->set('URI.AllowedSchemes', ['http', 'https', 'mailto']);
524
+ $purifier = new \HTMLPurifier($config);
525
+ return $purifier->purify($dirty);
526
+ }
527
+
528
+ // In blade:
529
+ <div>{!! $sanitizedContent !!}</div> {{-- Safe after purification --}}
530
+ ```
531
+
532
+ ### JavaScript Context Escaping
533
+
534
+ ```blade
535
+ {{-- SAFE: Blade @js escapes for JavaScript context --}}
536
+ <script>
537
+ const user = @js($user); // JSON + escaped for JS context
538
+ const settings = @json($settings); // Direct JSON encode
539
+ </script>
540
+
541
+ {{-- DANGEROUS: Manual JSON in JS context --}}
542
+ <script>
543
+ const user = {{ json_encode($user) }}; // NOT escaped for JS!
544
+ </script>
545
+ ```
546
+
547
+ ### HTTP Headers for XSS Protection
548
+
549
+ ```php
550
+ // App\Http\Middleware\SecurityHeaders.php
551
+ class SecurityHeaders
552
+ {
553
+ public function handle(Request $request, Closure $next): mixed
554
+ {
555
+ $response = $next($request);
556
+
557
+ $response->headers->set('X-Content-Type-Options', 'nosniff');
558
+ $response->headers->set('X-Frame-Options', 'DENY');
559
+ $response->headers->set('X-XSS-Protection', '1; mode=block');
560
+ $response->headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
561
+ $response->headers->set(
562
+ 'Content-Security-Policy',
563
+ "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'"
564
+ );
565
+
566
+ return $response;
567
+ }
568
+ }
569
+
570
+ // Register in kernel
571
+ protected $middleware = [
572
+ \App\Http\Middleware\SecurityHeaders::class,
573
+ ];
574
+ ```
575
+
576
+ ## Input Validation
577
+
578
+ ### Form Request Validation
579
+
580
+ ```php
581
+ final class StorePostRequest extends FormRequest
582
+ {
583
+ public function authorize(): bool
584
+ {
585
+ return $this->user()?->can('create', Post::class) ?? false;
586
+ }
587
+
588
+ public function rules(): array
589
+ {
590
+ return [
591
+ 'title' => ['required', 'string', 'max:255', 'sanitize_html'],
592
+ 'content' => ['required', 'string', 'max:10000'],
593
+ 'image' => [
594
+ 'required',
595
+ 'image',
596
+ 'mimes:jpg,jpeg,png,gif,webp', // Whitelist specific types
597
+ 'max:2048', // 2MB max
598
+ ],
599
+ 'tags' => ['array'],
600
+ 'tags.*' => ['integer', 'exists:tags,id'],
601
+ ];
602
+ }
603
+
604
+ public function messages(): array
605
+ {
606
+ return [
607
+ 'title.max' => 'Post title must not exceed 255 characters.',
608
+ 'image.max' => 'Image must be under 2MB.',
609
+ ];
610
+ }
611
+
612
+ // Sanitize input after validation
613
+ public function validated($key = null, $default = null): mixed
614
+ {
615
+ $validated = parent::validated();
616
+ $validated['title'] = strip_tags($validated['title']);
617
+ return $key ? ($validated[$key] ?? $default) : $validated;
618
+ }
619
+ }
620
+ ```
621
+
622
+ ### Custom Validation Rules
623
+
624
+ ```php
625
+ // app/Rules/StrongPassword.php
626
+ class StrongPassword implements Rule
627
+ {
628
+ public function passes($attribute, $value): bool
629
+ {
630
+ return preg_match('/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&#^()_\-+=])[A-Za-z\d@$!%*?&#^()_\-+=]{12,}$/', $value);
631
+ }
632
+
633
+ public function message(): string
634
+ {
635
+ return 'The :attribute must be at least 12 characters with uppercase, lowercase, number, and symbol.';
636
+ }
637
+ }
638
+
639
+ // app/Rules/NotBlacklistedDomain.php
640
+ class NotBlacklistedDomain implements Rule
641
+ {
642
+ private array $blacklisted = ['mailinator.com', 'guerrillamail.com'];
643
+
644
+ public function passes($attribute, $value): bool
645
+ {
646
+ $domain = substr(strrchr($value, '@'), 1);
647
+ return !in_array(strtolower($domain), $this->blacklisted);
648
+ }
649
+
650
+ public function message(): string
651
+ {
652
+ return 'Email from disposable domains is not allowed.';
653
+ }
654
+ }
655
+ ```
656
+
657
+ ## API Security
658
+
659
+ ### Rate Limiting
660
+
661
+ ```php
662
+ // App/Providers/RouteServiceProvider
663
+ protected function configureRateLimiting(): void
664
+ {
665
+ RateLimiter::for('api', function (Request $request) {
666
+ return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
667
+ });
668
+
669
+ RateLimiter::for('auth', function (Request $request) {
670
+ return Limit::perMinute(5)->by($request->ip())
671
+ ->response(function () {
672
+ return response()->json([
673
+ 'message' => 'Too many login attempts. Try again in 1 minute.',
674
+ ], 429);
675
+ });
676
+ });
677
+
678
+ RateLimiter::for('uploads', function (Request $request) {
679
+ return Limit::perHour(10)->by($request->user()?->id ?? $request->ip())
680
+ ->response(function () {
681
+ return response()->json([
682
+ 'message' => 'Upload limit reached. Try again later.',
683
+ ], 429);
684
+ });
685
+ });
686
+ }
687
+
688
+ // Route usage
689
+ Route::middleware(['auth:sanctum', 'throttle:api'])->group(function () {
690
+ Route::apiResource('posts', PostController::class);
691
+ });
692
+
693
+ Route::post('/login', [AuthController::class, 'login'])
694
+ ->middleware('throttle:auth');
695
+ ```
696
+
697
+ ### API Authentication — Sanctum vs Passport
698
+
699
+ ```php
700
+ // Sanctum (recommended for most apps — simple, first-party, SPA)
701
+ // config/sanctum.php
702
+ 'expiration' => 60 * 24, // Tokens expire after 24 hours
703
+ 'model' => User::class,
704
+
705
+ // Issuing scoped tokens
706
+ $token = $user->createToken('client-name', [
707
+ 'posts:read',
708
+ 'posts:write',
709
+ ])->plainTextToken;
710
+
711
+ // Middleware scoping
712
+ Route::middleware('auth:sanctum')->group(function () {
713
+ Route::get('/posts', [PostController::class, 'index'])
714
+ ->middleware('abilities:posts:read');
715
+
716
+ Route::post('/posts', [PostController::class, 'store'])
717
+ ->middleware('abilities:posts:write');
718
+ });
719
+
720
+ // Passport (OAuth2 — for third-party clients or complex auth flows)
721
+ // Install: composer require laravel/passport
722
+ Passport::tokensExpireIn(now()->addDays(15));
723
+ Passport::refreshTokensExpireIn(now()->addDays(30));
724
+ Passport::personalAccessTokensExpireIn(now()->addMonths(6));
725
+ ```
726
+
727
+ ### CORS Configuration
728
+
729
+ ```php
730
+ // config/cors.php
731
+ return [
732
+ 'paths' => ['api/*', 'sanctum/csrf-cookie'],
733
+ 'allowed_methods' => ['*'],
734
+ 'allowed_origins' => explode(',', env('CORS_ALLOWED_ORIGINS', '')), // Whitelist specific origins
735
+ 'allowed_origins_patterns' => [],
736
+ 'allowed_headers' => ['*'],
737
+ 'exposed_headers' => ['X-Total-Count', 'X-Pagination-Page'],
738
+ 'max_age' => 0,
739
+ 'supports_credentials' => true, // Required for Sanctum SPA auth
740
+ ];
741
+
742
+ // NEVER: Allow all origins in production unless absolutely necessary
743
+ // 'allowed_origins' => ['*'], // Only for truly public APIs
744
+ ```
745
+
746
+ ## File Upload Security
747
+
748
+ ### Validation
749
+
750
+ ```php
751
+ public function rules(): array
752
+ {
753
+ return [
754
+ 'document' => [
755
+ 'required',
756
+ 'file',
757
+ 'mimes:pdf,doc,docx,xls,xlsx', // Whitelist specific MIME types
758
+ 'max:10240', // 10MB
759
+ 'extensions:pdf,doc,docx,xls,xlsx', // Verify extension matches MIME
760
+ ],
761
+ 'avatar' => [
762
+ 'nullable',
763
+ 'image', // Ensures it's a valid image
764
+ 'mimes:jpg,jpeg,png,webp',
765
+ 'max:2048',
766
+ 'dimensions:min_width=100,min_height=100,max_width=2000,max_height=2000',
767
+ ],
768
+ ];
769
+ }
770
+ ```
771
+
772
+ ### Secure Storage
773
+
774
+ ```php
775
+ // Store files outside public directory
776
+ $path = $request->file('document')->store('documents', 'local');
777
+ // Never use 'public' disk for sensitive documents
778
+
779
+ // Use signed URLs for temporary file access
780
+ use Illuminate\Support\Facades\Storage;
781
+
782
+ public function download(Request $request, string $path)
783
+ {
784
+ // Generate temporary signed URL (expires in 15 minutes)
785
+ $url = Storage::temporaryUrl($path, now()->addMinutes(15));
786
+
787
+ // Validate user has permission
788
+ $this->authorize('download', $path);
789
+
790
+ return redirect($url);
791
+ }
792
+
793
+ // Storage configuration for cloud with encryption
794
+ // config/filesystems.php
795
+ 's3' => [
796
+ 'driver' => 's3',
797
+ 'key' => env('AWS_ACCESS_KEY_ID'),
798
+ 'secret' => env('AWS_SECRET_ACCESS_KEY'),
799
+ 'region' => env('AWS_DEFAULT_REGION'),
800
+ 'bucket' => env('AWS_BUCKET'),
801
+ 'url' => env('AWS_URL'),
802
+ 'endpoint' => env('AWS_ENDPOINT'),
803
+ 'use_path_style_endpoint' => env('AWS_USE_PATH_STYLE_ENDPOINT', false),
804
+ 'throw' => false,
805
+ 'server_side_encryption' => 'AES256', // Encrypt at rest
806
+ ],
807
+ ```
808
+
809
+ ## Dependencies and Secrets
810
+
811
+ ### Composer Security
812
+
813
+ ```bash
814
+ # Always audit dependencies in CI
815
+ composer audit
816
+
817
+ # Pin major versions in composer.json
818
+ "laravel/framework": "^11.0",
819
+ "spatie/laravel-permission": "^6.0"
820
+
821
+ # Check for abandoned packages
822
+ composer why-not
823
+
824
+ # Keep lock file in version control (it pins exact versions)
825
+ # Run `composer update` deliberately, never in CI/CD
826
+ ```
827
+
828
+ ### Secret Management
829
+
830
+ ```bash
831
+ # .env file (NEVER commit)
832
+ # .gitignore includes .env by default
833
+
834
+ APP_KEY=base64:abc123...
835
+ DB_PASSWORD=secure_password
836
+ STRIPE_KEY=sk_live_...
837
+ SANCTUM_TOKEN_PREFIX=myapp_
838
+
839
+ # For production: Use a secret manager
840
+ # Deploy with: env $(aws secretsmanager get-secret-value --secret-id prod/db | jq ...) php artisan serve
841
+
842
+ # Validate secrets at boot (AppServiceProvider::boot)
843
+ $secrets = ['services.stripe.key', 'services.stripe.webhook_secret'];
844
+ foreach ($secrets as $key) {
845
+ if (empty(config($key))) {
846
+ Log::critical("Missing secret: {$key}");
847
+ }
848
+ }
849
+ ```
850
+
851
+ ## Queue Security
852
+
853
+ ```php
854
+ // Define a named rate limiter (typically in AppServiceProvider::boot())
855
+ RateLimiter::for('payments', fn () => Limit::perMinute(5));
856
+ ```
857
+
858
+ ```php
859
+ // Encrypt sensitive job data by implementing the interface
860
+ final class ProcessPaymentJob implements ShouldQueue, ShouldBeEncrypted
861
+ {
862
+ use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
863
+
864
+ public function __construct(
865
+ private readonly string $paymentIntentId, // Public IDs are fine
866
+ private readonly string $cardFingerprint, // Encrypted via ShouldBeEncrypted
867
+ ) {}
868
+
869
+ public function handle(): void
870
+ {
871
+ // Process payment
872
+ }
873
+
874
+ // Limit retries and delay between attempts
875
+ public function retryUntil(): Carbon
876
+ {
877
+ return now()->addMinutes(5);
878
+ }
879
+
880
+ // Rate limit how many jobs of this type can run
881
+ public function middleware(): array
882
+ {
883
+ return [
884
+ new RateLimited('payments'),
885
+ ];
886
+ }
887
+ }
888
+ ```
889
+
890
+ ## Logging Security Events
891
+
892
+ ```php
893
+ // config/logging.php
894
+ 'channels' => [
895
+ 'security' => [
896
+ 'driver' => 'single',
897
+ 'path' => storage_path('logs/security.log'),
898
+ 'level' => 'warning',
899
+ ],
900
+ ],
901
+
902
+ // Audit log helper
903
+ final class SecurityLogger
904
+ {
905
+ public static function log(string $event, array $context = []): void
906
+ {
907
+ Log::channel('security')->warning($event, array_merge([
908
+ 'user_id' => Auth::id(),
909
+ 'ip' => request()->ip(),
910
+ 'user_agent' => request()->userAgent(),
911
+ 'url' => request()->fullUrl(),
912
+ 'timestamp' => now()->toIso8601String(),
913
+ ], $context));
914
+ }
915
+ }
916
+
917
+ // Usage
918
+ SecurityLogger::log('failed_login_attempt', ['email' => $email]);
919
+ SecurityLogger::log('password_change');
920
+ SecurityLogger::log('role_change', ['target_user' => $targetId, 'new_role' => 'admin']);
921
+ SecurityLogger::log('suspicious_activity', ['reason' => 'multiple_attempts_from_different_ips']);
922
+ ```
923
+
924
+ ## Quick Security Checklist
925
+
926
+ | Check | Description |
927
+ |-------|-------------|
928
+ | `APP_DEBUG=false` | Never run with debug enabled in production |
929
+ | `APP_KEY` set | Always run `php artisan key:generate` |
930
+ | HTTPS enforced | Force HTTPS in production via middleware or proxy |
931
+ | `$fillable` whitelisted | Never use `$guarded = []` |
932
+ | CSRF active | `@csrf` on all state-changing forms |
933
+ | Sanctum/Passport configured | API authentication with token abilities/scopes |
934
+ | Rate limiting applied | Throttle API and auth endpoints |
935
+ | Input validation | FormRequest with specific rules, never `$request->all()` |
936
+ | File upload restrictions | Validate MIME types, size, dimensions |
937
+ | `composer audit` in CI | Check dependencies for known vulnerabilities |
938
+ | `password_hash` / `password_verify` | Use Laravel's built-in hashing (bcrypt/Argon2) |
939
+ | Session regeneration on login | Call `$request->session()->regenerate()` |
940
+ | Security headers middleware | CSP, X-Frame-Options, X-Content-Type-Options |
941
+ | Logged security events | Audit log for auth failures, role changes, suspicious activity |
942
+ | `.env` not committed | Verify `.gitignore` includes `.env` |
943
+
944
+ ## Related Skills
945
+
946
+ - `laravel-patterns` — Laravel architecture, routing, Eloquent, and API patterns
947
+ - `backend-patterns` — General backend API and database patterns
948
+ - `laravel-tdd` — Laravel testing with PHPUnit and Pest