beth-copilot 1.0.0

package/templates/.github/skills/security-analysis/SKILL.md

@@ -0,0 +1,799 @@
+````skill
+---
+name: security-analysis
+description: 'Enterprise security analysis using Azure Well-Architected Framework and OWASP standards. Use for security audits, threat modeling, vulnerability assessment, compliance verification, and secure code review. Triggers on: security review, security audit, threat model, vulnerability scan, OWASP, penetration test, compliance check, secure code review, WAF security.'
+---
+
+# Enterprise Security Analysis Skill
+
+Comprehensive security analysis framework combining Azure Well-Architected Framework Security Pillar and OWASP standards for enterprise-grade application security.
+
+## When to Use This Skill
+
+- User asks for "security review", "security audit", or "penetration test"
+- User mentions "OWASP", "threat model", or "vulnerability"
+- User wants "compliance check" or "secure code review"
+- User asks about "authentication", "authorization", or "encryption"
+- User mentions "Azure security", "WAF security", or "Zero Trust"
+
+## The Job
+
+1. Identify the scope and applicable standards
+2. Perform systematic security analysis
+3. Document findings with severity ratings
+4. Provide actionable remediation guidance
+5. Generate compliance verification checklist
+
+---
+
+## Azure Well-Architected Framework: Security Pillar
+
+The Security pillar ensures confidentiality, integrity, and availability (CIA triad) through Zero Trust principles.
+
+### Zero Trust Principles
+
+| Principle | Implementation |
+|-----------|---------------|
+| **Verify explicitly** | Always authenticate and authorize based on all available data points |
+| **Least privilege** | Limit access with Just-In-Time (JIT) and Just-Enough-Access (JEA) |
+| **Assume breach** | Minimize blast radius, segment access, verify end-to-end encryption |
+
+### Security Design Checklist (SE:01 - SE:12)
+
+#### SE:01: Security Baseline
+Establish a security baseline aligned with compliance requirements, industry standards, and platform recommendations.
+
+**What to verify:**
+- [ ] Security baseline documented
+- [ ] Compliance requirements identified (SOC2, HIPAA, GDPR, PCI-DSS)
+- [ ] Regular baseline reviews scheduled
+- [ ] Deviations tracked and justified
+
+**React/Next.js considerations:**
+- Document security requirements in README
+- Use security-focused ESLint rules
+- Configure CSP headers in middleware
+
+---
+
+#### SE:02: Secure Development Lifecycle
+Maintain a secure development lifecycle with hardened, automated, and auditable software supply chain.
+
+**What to verify:**
+- [ ] Threat modeling performed for new features
+- [ ] Security requirements in user stories
+- [ ] Code review includes security checks
+- [ ] Dependency scanning enabled
+- [ ] SAST/DAST tools integrated
+
+**Implementation:**
+```typescript
+// package.json - Security-focused scripts
+{
+  "scripts": {
+    "security:audit": "npm audit --audit-level=high",
+    "security:deps": "npx depcheck && npx npm-check-updates",
+    "lint:security": "eslint --plugin security ."
+  }
+}
+```
+
+---
+
+#### SE:03: Data Classification
+Classify and consistently apply sensitivity labels on all workload data.
+
+**Classification levels:**
+| Level | Examples | Protection |
+|-------|----------|------------|
+| **Public** | Marketing content | Integrity protection |
+| **Internal** | Documentation | Access control |
+| **Confidential** | User emails, names | Encryption + access control |
+| **Restricted** | Passwords, PII, financial | Strong encryption + audit + strict access |
+
+**What to verify:**
+- [ ] Data inventory maintained
+- [ ] Classification labels applied
+- [ ] Handling procedures documented
+- [ ] Retention policies defined
+
+---
+
+#### SE:04: Segmentation
+Create intentional segmentation and perimeters in architecture design.
+
+**What to verify:**
+- [ ] Network segmentation implemented
+- [ ] Role-based access boundaries defined
+- [ ] Service isolation configured
+- [ ] Workload identity separation
+
+**Next.js patterns:**
+```typescript
+// Segment by route group permissions
+// app/(public)/          - No auth required
+// app/(authenticated)/   - Login required
+// app/(admin)/           - Admin role required
+
+// middleware.ts
+import { auth } from '@/lib/auth';
+
+export async function middleware(request: NextRequest) {
+  const session = await auth();
+  const isAdminRoute = request.nextUrl.pathname.startsWith('/admin');
+  
+  if (isAdminRoute && session?.user?.role !== 'admin') {
+    return NextResponse.redirect(new URL('/unauthorized', request.url));
+  }
+}
+
+export const config = {
+  matcher: ['/admin/:path*', '/dashboard/:path*'],
+};
+```
+
+---
+
+#### SE:05: Identity and Access Management
+Implement strict, conditional, and auditable IAM across all workload users and components.
+
+**What to verify:**
+- [ ] Authentication required for protected resources
+- [ ] Authorization checked at every access point
+- [ ] MFA enabled for sensitive operations
+- [ ] Session management secure
+- [ ] Service accounts use managed identities
+
+**Secure authentication pattern:**
+```typescript
+// lib/auth.ts
+import NextAuth from 'next-auth';
+import { PrismaAdapter } from '@auth/prisma-adapter';
+
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  adapter: PrismaAdapter(prisma),
+  session: {
+    strategy: 'jwt',
+    maxAge: 24 * 60 * 60, // 24 hours
+  },
+  callbacks: {
+    async jwt({ token, user }) {
+      if (user) {
+        token.role = user.role;
+        token.permissions = user.permissions;
+      }
+      return token;
+    },
+    async session({ session, token }) {
+      session.user.role = token.role;
+      session.user.permissions = token.permissions;
+      return session;
+    },
+  },
+});
+```
+
+**Authorization pattern:**
+```typescript
+// lib/auth/permissions.ts
+export function canAccess(
+  user: User | null,
+  resource: string,
+  action: 'read' | 'write' | 'delete'
+): boolean {
+  if (!user) return false;
+  
+  const permissions = {
+    admin: ['read', 'write', 'delete'],
+    editor: ['read', 'write'],
+    viewer: ['read'],
+  };
+  
+  return permissions[user.role]?.includes(action) ?? false;
+}
+
+// Usage in Server Action
+'use server';
+
+export async function updatePost(postId: string, data: FormData) {
+  const session = await auth();
+  
+  if (!canAccess(session?.user, 'posts', 'write')) {
+    throw new Error('Forbidden');
+  }
+  
+  // Proceed with update...
+}
+```
+
+---
+
+#### SE:06: Network Security
+Isolate, filter, and control network traffic across ingress and egress flows.
+
+**What to verify:**
+- [ ] HTTPS enforced everywhere
+- [ ] API endpoints protected
+- [ ] CORS properly configured
+- [ ] Rate limiting implemented
+- [ ] DDoS protection enabled
+
+**Next.js security headers:**
+```typescript
+// next.config.js
+const securityHeaders = [
+  {
+    key: 'Strict-Transport-Security',
+    value: 'max-age=63072000; includeSubDomains; preload',
+  },
+  {
+    key: 'X-Content-Type-Options',
+    value: 'nosniff',
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'DENY',
+  },
+  {
+    key: 'X-XSS-Protection',
+    value: '1; mode=block',
+  },
+  {
+    key: 'Referrer-Policy',
+    value: 'strict-origin-when-cross-origin',
+  },
+  {
+    key: 'Content-Security-Policy',
+    value: "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';",
+  },
+];
+
+module.exports = {
+  async headers() {
+    return [{ source: '/:path*', headers: securityHeaders }];
+  },
+};
+```
+
+**Rate limiting:**
+```typescript
+// lib/rate-limit.ts
+import { Ratelimit } from '@upstash/ratelimit';
+import { Redis } from '@upstash/redis';
+
+const ratelimit = new Ratelimit({
+  redis: Redis.fromEnv(),
+  limiter: Ratelimit.slidingWindow(10, '10 s'),
+  analytics: true,
+});
+
+export async function checkRateLimit(identifier: string) {
+  const { success, limit, remaining, reset } = await ratelimit.limit(identifier);
+  return { allowed: success, limit, remaining, retryAfter: Math.ceil((reset - Date.now()) / 1000) };
+}
+```
+
+---
+
+#### SE:07: Encryption
+Encrypt data using modern, industry-standard methods.
+
+**What to verify:**
+- [ ] TLS 1.2+ for all connections
+- [ ] Database encryption at rest
+- [ ] Sensitive fields encrypted (PII, credentials)
+- [ ] Key rotation policy defined
+- [ ] No secrets in client code
+
+**Encryption patterns:**
+```typescript
+// lib/crypto.ts
+import { createCipheriv, createDecipheriv, randomBytes, scrypt } from 'crypto';
+import { promisify } from 'util';
+
+const scryptAsync = promisify(scrypt);
+const ALGORITHM = 'aes-256-gcm';
+
+export async function encrypt(text: string): Promise<string> {
+  const key = await scryptAsync(process.env.ENCRYPTION_KEY!, 'salt', 32) as Buffer;
+  const iv = randomBytes(16);
+  const cipher = createCipheriv(ALGORITHM, key, iv);
+  
+  let encrypted = cipher.update(text, 'utf8', 'hex');
+  encrypted += cipher.final('hex');
+  
+  const authTag = cipher.getAuthTag();
+  return `${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted}`;
+}
+
+export async function decrypt(encryptedText: string): Promise<string> {
+  const [ivHex, authTagHex, encrypted] = encryptedText.split(':');
+  const key = await scryptAsync(process.env.ENCRYPTION_KEY!, 'salt', 32) as Buffer;
+  const iv = Buffer.from(ivHex, 'hex');
+  const authTag = Buffer.from(authTagHex, 'hex');
+  
+  const decipher = createDecipheriv(ALGORITHM, key, iv);
+  decipher.setAuthTag(authTag);
+  
+  let decrypted = decipher.update(encrypted, 'hex', 'utf8');
+  decrypted += decipher.final('utf8');
+  return decrypted;
+}
+```
+
+---
+
+#### SE:08: Resource Hardening
+Harden all workload components by reducing attack surface.
+
+**What to verify:**
+- [ ] Unused features disabled
+- [ ] Default credentials changed
+- [ ] Debug mode disabled in production
+- [ ] Error messages don't leak information
+- [ ] Dependencies minimized
+
+**Production hardening:**
+```typescript
+// app/api/[...]/route.ts
+export async function GET(request: Request) {
+  try {
+    // Business logic...
+  } catch (error) {
+    // Log full error server-side
+    console.error('API Error:', error);
+    
+    // Return generic message to client
+    return NextResponse.json(
+      { error: 'An error occurred' },
+      { status: 500 }
+    );
+  }
+}
+
+// next.config.js
+module.exports = {
+  productionBrowserSourceMaps: false,
+  poweredByHeader: false,
+};
+```
+
+---
+
+#### SE:09: Secret Management
+Protect application secrets by hardening storage and restricting access.
+
+**What to verify:**
+- [ ] Secrets in environment variables (never in code)
+- [ ] Different secrets per environment
+- [ ] Secret rotation automated
+- [ ] Access audited
+- [ ] No secrets in client-side code
+
+**Secret management patterns:**
+```typescript
+// ❌ NEVER do this
+const API_KEY = 'sk_live_123...';  // Hardcoded
+export const secret = process.env.NEXT_PUBLIC_SECRET;  // Client-exposed
+
+// ✅ Correct patterns
+// .env.local (never committed)
+DATABASE_URL="postgresql://user:pass@host/db"
+API_SECRET="sk_live_..."
+
+// Validate at startup
+const requiredEnvVars = ['DATABASE_URL', 'API_SECRET', 'NEXTAUTH_SECRET'];
+
+for (const envVar of requiredEnvVars) {
+  if (!process.env[envVar]) {
+    throw new Error(`Missing required environment variable: ${envVar}`);
+  }
+}
+```
+
+---
+
+#### SE:10: Threat Detection & Monitoring
+Implement holistic monitoring with modern threat detection.
+
+**What to verify:**
+- [ ] Security events logged
+- [ ] Alerting configured
+- [ ] Log retention policy defined
+- [ ] Anomaly detection enabled
+- [ ] Incident correlation possible
+
+**Audit logging pattern:**
+```typescript
+// lib/audit.ts
+type AuditEvent = {
+  action: string;
+  actor: string;
+  resource: string;
+  resourceId?: string;
+  outcome: 'success' | 'failure';
+  metadata?: Record<string, unknown>;
+  ip?: string;
+  userAgent?: string;
+  timestamp: Date;
+};
+
+export async function auditLog(event: AuditEvent) {
+  await db.auditLog.create({
+    data: {
+      ...event,
+      timestamp: new Date(),
+    },
+  });
+  
+  // For critical events, also send to SIEM
+  if (event.action.startsWith('auth.') || event.outcome === 'failure') {
+    await sendToSIEM(event);
+  }
+}
+
+// Usage
+await auditLog({
+  action: 'user.delete',
+  actor: session.user.id,
+  resource: 'user',
+  resourceId: targetUserId,
+  outcome: 'success',
+  ip: request.headers.get('x-forwarded-for'),
+});
+```
+
+---
+
+#### SE:11: Security Testing
+Establish comprehensive testing regimen combining multiple approaches.
+
+**What to verify:**
+- [ ] SAST integrated in CI/CD
+- [ ] DAST scheduled regularly
+- [ ] Penetration testing annual
+- [ ] Dependency scanning automated
+- [ ] Security unit tests exist
+
+**Security testing setup:**
+```typescript
+// vitest.config.ts - Include security tests
+export default defineConfig({
+  test: {
+    include: ['**/*.test.ts', '**/*.security.test.ts'],
+  },
+});
+
+// auth.security.test.ts
+describe('Authentication Security', () => {
+  it('rejects requests without valid session', async () => {
+    const response = await fetch('/api/admin/users');
+    expect(response.status).toBe(401);
+  });
+  
+  it('prevents IDOR attacks', async () => {
+    // Login as user A
+    const sessionA = await loginAs('userA');
+    
+    // Try to access user B's data
+    const response = await fetch('/api/users/userB/profile', {
+      headers: { Authorization: `Bearer ${sessionA.token}` },
+    });
+    
+    expect(response.status).toBe(403);
+  });
+  
+  it('rate limits failed login attempts', async () => {
+    for (let i = 0; i < 10; i++) {
+      await fetch('/api/auth/login', {
+        method: 'POST',
+        body: JSON.stringify({ email: 'test@test.com', password: 'wrong' }),
+      });
+    }
+    
+    const response = await fetch('/api/auth/login', {
+      method: 'POST',
+      body: JSON.stringify({ email: 'test@test.com', password: 'wrong' }),
+    });
+    
+    expect(response.status).toBe(429);
+  });
+});
+```
+
+---
+
+#### SE:12: Incident Response
+Define and test effective incident response procedures.
+
+**What to verify:**
+- [ ] Incident response plan documented
+- [ ] Roles and responsibilities defined
+- [ ] Communication channels established
+- [ ] Recovery procedures tested
+- [ ] Post-incident review process
+
+---
+
+## OWASP Top 10:2025
+
+### A01: Broken Access Control
+
+**What it is:** Failures in enforcing policies where users should only act within their intended permissions.
+
+**What to check:**
+- [ ] Authorization checked on every request
+- [ ] No direct object references exposed
+- [ ] URL manipulation prevented
+- [ ] CORS properly configured
+- [ ] Token validation on all protected routes
+
+**Vulnerable pattern:**
+```typescript
+// ❌ Vulnerable: No authorization check
+export async function getOrder(orderId: string) {
+  return db.order.findUnique({ where: { id: orderId } });
+}
+
+// ✅ Secure: Verify ownership
+export async function getOrder(orderId: string, userId: string) {
+  const order = await db.order.findUnique({ 
+    where: { id: orderId, userId }  // Ensure user owns this order
+  });
+  if (!order) throw new Error('Order not found');
+  return order;
+}
+```
+
+---
+
+### A02: Security Misconfiguration
+
+**What it is:** Missing security hardening, unnecessary features enabled, default credentials.
+
+**What to check:**
+- [ ] Security headers configured
+- [ ] Debug mode disabled in production
+- [ ] Default accounts/passwords changed
+- [ ] Error messages don't leak info
+- [ ] Unnecessary features disabled
+
+---
+
+### A03: Software Supply Chain Failures
+
+**What it is:** Vulnerabilities from third-party dependencies or compromised CI/CD pipelines.
+
+**What to check:**
+- [ ] All dependencies audited (`npm audit`)
+- [ ] Lock file committed
+- [ ] Dependency updates automated
+- [ ] Build integrity verified
+- [ ] Signed commits (optional but recommended)
+
+**Setup:**
+```bash
+# .github/workflows/security.yml
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm ci
+      - run: npm audit --audit-level=high
+```
+
+---
+
+### A04: Cryptographic Failures
+
+**What it is:** Failures in protecting data in transit or at rest through proper cryptography.
+
+**What to check:**
+- [ ] TLS 1.2+ enforced
+- [ ] Passwords properly hashed (bcrypt, argon2)
+- [ ] Sensitive data encrypted at rest
+- [ ] No weak algorithms (MD5, SHA1)
+- [ ] Keys properly managed
+
+---
+
+### A05: Injection
+
+**What it is:** Hostile data sent to interpreters (SQL, NoSQL, OS, LDAP).
+
+**What to check:**
+- [ ] All input validated with schemas
+- [ ] Parameterized queries used
+- [ ] Output encoded for context
+- [ ] No dynamic query construction
+
+**Prevention:**
+```typescript
+// ❌ Vulnerable: String interpolation
+const users = await db.$queryRaw`SELECT * FROM users WHERE name = '${name}'`;
+
+// ✅ Secure: Parameterized query
+const users = await db.$queryRaw`SELECT * FROM users WHERE name = ${name}`;
+
+// ✅ Better: Use ORM with validation
+const nameSchema = z.string().min(1).max(100);
+const parsed = nameSchema.parse(name);
+const users = await db.user.findMany({ where: { name: parsed } });
+```
+
+---
+
+### A06: Insecure Design
+
+**What it is:** Missing or ineffective security controls and patterns in design.
+
+**What to check:**
+- [ ] Threat modeling performed
+- [ ] Security requirements defined
+- [ ] Defense in depth implemented
+- [ ] Fail-safe defaults configured
+- [ ] Least privilege enforced
+
+---
+
+### A07: Authentication Failures
+
+**What it is:** Confirmation of user identity, authentication, and session management weaknesses.
+
+**What to check:**
+- [ ] Credential stuffing protection
+- [ ] Brute force protection
+- [ ] Session fixation prevention
+- [ ] Secure password storage
+- [ ] MFA available
+
+---
+
+### A08: Software or Data Integrity Failures
+
+**What it is:** Code and infrastructure that doesn't protect against integrity violations.
+
+**What to check:**
+- [ ] CI/CD pipeline secured
+- [ ] Updates from verified sources
+- [ ] Serialized data validated
+- [ ] Dependencies verified
+
+---
+
+### A09: Security Logging and Alerting Failures
+
+**What it is:** Insufficient logging, detection, monitoring, and response.
+
+**What to check:**
+- [ ] Login attempts logged
+- [ ] Access control failures logged
+- [ ] Input validation failures logged
+- [ ] Alerts configured for anomalies
+- [ ] Logs tamper-proof
+
+---
+
+### A10: Mishandling of Exceptional Conditions
+
+**What it is:** Server-side request forgery allowing attackers to send crafted requests.
+
+**What to check:**
+- [ ] URL validation for user input
+- [ ] Allow-list for external requests
+- [ ] Split DNS prevented
+- [ ] Network segmentation
+
+---
+
+## Security Review Checklist
+
+### Quick Review (15 min)
+- [ ] Authentication on protected routes
+- [ ] Authorization checks in Server Actions
+- [ ] Input validation with Zod
+- [ ] No secrets in client code
+- [ ] Security headers configured
+
+### Standard Review (1-2 hours)
+All of quick review, plus:
+- [ ] OWASP Top 10 categories assessed
+- [ ] Session management reviewed
+- [ ] Error handling verified
+- [ ] Audit logging present
+- [ ] Dependencies audited
+
+### Comprehensive Audit (1+ days)
+All of standard review, plus:
+- [ ] Full WAF SE:01-SE:12 checklist
+- [ ] Threat model created/updated
+- [ ] Penetration testing
+- [ ] Compliance verification
+- [ ] Architecture security review
+
+## Severity Ratings
+
+| Rating | Description | SLA |
+|--------|-------------|-----|
+| **Critical** | Actively exploitable, data breach risk | Fix immediately |
+| **High** | Significant vulnerability, exploitation possible | 24-48 hours |
+| **Medium** | Moderate risk, requires conditions | 1 week |
+| **Low** | Minor issue, defense in depth | Next release |
+| **Informational** | Best practice recommendation | Backlog |
+
+## Report Template
+
+```markdown
+# Security Assessment Report
+
+**Target:** [Application/Component]
+**Date:** [Date]
+**Assessor:** Security Reviewer Agent
+**Classification:** [Confidential/Internal]
+
+## Executive Summary
+
+Overall risk level: [Critical/High/Medium/Low]
+
+| Severity | Count |
+|----------|-------|
+| Critical | X |
+| High | X |
+| Medium | X |
+| Low | X |
+
+## Findings
+
+### [CRITICAL-001] Finding Title
+**Category:** OWASP A0X / WAF SE:XX
+**CVSS:** X.X
+**Location:** [file:line]
+
+**Description:**
+[What the vulnerability is]
+
+**Impact:**
+[What could happen if exploited]
+
+**Evidence:**
+\`\`\`typescript
+// Vulnerable code
+\`\`\`
+
+**Remediation:**
+[How to fix it with code example]
+
+**References:**
+- [OWASP Link]
+- [Azure WAF Link]
+
+---
+
+## Compliance Status
+
+### Azure WAF Security Pillar
+| Control | Status | Notes |
+|---------|--------|-------|
+| SE:01 Baseline | ✅/⚠️/❌ | |
+| SE:02 SDL | ✅/⚠️/❌ | |
+...
+
+### OWASP Top 10:2025
+| Category | Status | Notes |
+|----------|--------|-------|
+| A01 Access Control | ✅/⚠️/❌ | |
+| A02 Misconfiguration | ✅/⚠️/❌ | |
+...
+
+## Recommendations
+
+1. **Immediate:** [Critical fixes]
+2. **Short-term:** [High priority items]
+3. **Medium-term:** [Medium priority items]
+4. **Long-term:** [Architecture improvements]
+```
+
+````