blockmine 1.20.0 → 1.22.0

package/.claude/skills/database-engineering/SKILL.md

@@ -0,0 +1,61 @@
+# Database Engineering
+
+Guide to PostgreSQL/MySQL administration, query optimization, indexing, replication, and database best practices.
+
+**Note:** This is a foundational version. Community contributions welcome to expand coverage!
+
+## Purpose
+
+Enable teams to effectively manage, optimize, and scale relational databases.
+
+## When to Use This Skill
+
+Automatically activates when working on:
+- Database administration
+- Query optimization and EXPLAIN plans
+- Index design and tuning
+- Database replication setup
+- Backup and restore procedures
+- Database migrations
+- PostgreSQL or MySQL configuration
+
+## Quick Start Checklist
+
+- [ ] Set up database monitoring
+- [ ] Configure automated backups
+- [ ] Create indexes for slow queries
+- [ ] Set up replication (if needed)
+- [ ] Configure connection pooling
+- [ ] Review query performance regularly
+- [ ] Plan migration strategy
+
+## Resource Files
+
+- **[postgresql-fundamentals.md](resources/postgresql-fundamentals.md)** - PostgreSQL basics, configuration, extensions
+- **[query-optimization.md](resources/query-optimization.md)** - EXPLAIN, indexing strategies, query tuning
+- **[database-replication.md](resources/database-replication.md)** - Streaming, logical replication, conflict resolution
+- **[backup-and-recovery.md](resources/backup-and-recovery.md)** - pg_dump, point-in-time recovery, backup strategies
+
+## Best Practices
+
+✅ Monitor slow queries
+✅ Index strategically
+✅ Use connection pooling
+✅ Regular backups with testing
+✅ Replication for high availability
+✅ Optimize for read vs write patterns
+
+## Integration Points
+
+- **backend-dev-guidelines**: ORM usage (Prisma)
+- **sre**: Database monitoring
+- **cloud-engineering**: Managed databases (RDS, Aurora)
+
+---
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🎯 SKILL ACTIVATED: database-engineering
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+
+**Total Resources:** 4 foundational guides (community can expand!)
+**Status:** Basic coverage - contributions welcome

package/.claude/skills/database-engineering/resources/backup-and-recovery.md

@@ -0,0 +1,72 @@
+# Backup and Recovery
+
+Guide to PostgreSQL backup strategies and disaster recovery procedures.
+
+## pg_dump (Logical Backup)
+
+```bash
+# Full database backup
+pg_dump -h localhost -U postgres myapp > backup.sql
+
+# Compressed backup
+pg_dump -h localhost -U postgres myapp | gzip > backup.sql.gz
+
+# Restore
+psql -h localhost -U postgres myapp < backup.sql
+
+# Backup specific tables
+pg_dump -h localhost -U postgres -t users -t orders myapp > tables_backup.sql
+```
+
+## Automated Backups
+
+```bash
+#!/bin/bash
+# daily-backup.sh
+
+DATE=$(date +%Y-%m-%d)
+BACKUP_DIR="/backups"
+DATABASE="myapp"
+
+# Create backup
+pg_dump -h localhost -U postgres $DATABASE | gzip > "$BACKUP_DIR/backup-$DATE.sql.gz"
+
+# Delete backups older than 30 days
+find $BACKUP_DIR -name "backup-*.sql.gz" -mtime +30 -delete
+
+# Upload to S3
+aws s3 cp "$BACKUP_DIR/backup-$DATE.sql.gz" s3://my-backups/
+```
+
+## Point-in-Time Recovery
+
+```ini
+# postgresql.conf
+wal_level = replica
+archive_mode = on
+archive_command = 'cp %p /archive/%f'
+```
+
+```bash
+# Restore to specific point in time
+pg_basebackup -D /var/lib/postgresql/data
+
+# recovery.conf
+restore_command = 'cp /archive/%f %p'
+recovery_target_time = '2024-01-15 14:30:00'
+```
+
+## Best Practices
+
+✅ Automated daily backups
+✅ Test restore procedure regularly
+✅ Store backups off-site (S3, etc.)
+✅ Retain backups for 30+ days
+✅ Monitor backup success
+✅ Document recovery procedures
+
+---
+
+**Related Resources:**
+- postgresql-fundamentals.md - PostgreSQL basics
+- database-replication.md - Replication for HA

package/.claude/skills/database-engineering/resources/database-replication.md

@@ -0,0 +1,63 @@
+# Database Replication
+
+Guide to setting up PostgreSQL replication for high availability and read scaling.
+
+## Streaming Replication
+
+```bash
+# Primary server
+# postgresql.conf
+wal_level = replica
+max_wal_senders = 3
+
+# Replica server
+# Create replication slot on primary
+SELECT * FROM pg_create_physical_replication_slot('replica_1');
+
+# Start replica
+pg_basebackup -h primary -D /var/lib/postgresql/data -U replicator -v -P
+
+# standby.signal file indicates replica mode
+touch /var/lib/postgresql/data/standby.signal
+```
+
+## Read Replicas
+
+```typescript
+// Application code
+import { PrismaClient } from '@prisma/client';
+
+const primary = new PrismaClient({
+  datasources: { db: { url: process.env.DATABASE_PRIMARY_URL } }
+});
+
+const replica = new PrismaClient({
+  datasources: { db: { url: process.env.DATABASE_REPLICA_URL } }
+});
+
+// Writes go to primary
+await primary.users.create({ data: { email: 'user@example.com' } });
+
+// Reads can use replica
+const users = await replica.users.findMany();
+```
+
+## Monitoring Replication
+
+```sql
+-- Check replication lag
+SELECT
+  client_addr,
+  state,
+  sent_lsn,
+  write_lsn,
+  replay_lsn,
+  sync_state
+FROM pg_stat_replication;
+```
+
+---
+
+**Related Resources:**
+- postgresql-fundamentals.md - PostgreSQL basics
+- backup-and-recovery.md - Backup strategies

package/.claude/skills/database-engineering/resources/postgresql-fundamentals.md

@@ -0,0 +1,70 @@
+# PostgreSQL Fundamentals
+
+Basic PostgreSQL administration, configuration, and common operations.
+
+## Installation
+
+```bash
+# Docker
+docker run --name postgres \
+  -e POSTGRES_PASSWORD=mysecretpassword \
+  -p 5432:5432 \
+  -d postgres:15
+
+# Connect
+psql -h localhost -U postgres
+```
+
+## Common Operations
+
+```sql
+-- Create database
+CREATE DATABASE myapp;
+
+-- Create user
+CREATE USER myapp_user WITH PASSWORD 'secure_password';
+GRANT ALL PRIVILEGES ON DATABASE myapp TO myapp_user;
+
+-- Create table
+CREATE TABLE users (
+  id SERIAL PRIMARY KEY,
+  email VARCHAR(255) UNIQUE NOT NULL,
+  created_at TIMESTAMP DEFAULT NOW()
+);
+
+-- Create index
+CREATE INDEX idx_users_email ON users(email);
+
+-- Vacuum (cleanup)
+VACUUM ANALYZE users;
+```
+
+## Configuration
+
+```ini
+# postgresql.conf
+max_connections = 100
+shared_buffers = 256MB
+effective_cache_size = 1GB
+maintenance_work_mem = 64MB
+work_mem = 4MB
+```
+
+## Extensions
+
+```sql
+-- Enable UUID
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
+-- Full-text search
+CREATE EXTENSION IF NOT EXISTS pg_trgm;
+
+-- PostGIS (geospatial)
+CREATE EXTENSION IF NOT EXISTS postgis;
+```
+
+---
+
+**Related Resources:**
+- query-optimization.md - Performance tuning
+- backup-and-recovery.md - Data protection

package/.claude/skills/database-engineering/resources/query-optimization.md

@@ -0,0 +1,68 @@
+# Query Optimization
+
+Guide to optimizing database queries with EXPLAIN, indexing, and query tuning.
+
+## EXPLAIN ANALYZE
+
+```sql
+-- See query plan
+EXPLAIN ANALYZE
+SELECT * FROM users
+WHERE email = 'user@example.com';
+
+-- Output shows:
+-- Seq Scan on users (cost=0.00..1.25 rows=1) (actual time=0.025..0.026 rows=1)
+--   Filter: (email = 'user@example.com')
+
+-- After adding index:
+-- Index Scan using idx_users_email (cost=0.15..8.17 rows=1) (actual time=0.010..0.011 rows=1)
+```
+
+## Index Strategies
+
+```sql
+-- Single column index
+CREATE INDEX idx_users_email ON users(email);
+
+-- Composite index
+CREATE INDEX idx_orders_user_date ON orders(user_id, created_at);
+
+-- Partial index
+CREATE INDEX idx_active_users ON users(email)
+WHERE is_active = true;
+
+-- GIN index for JSON
+CREATE INDEX idx_metadata ON users USING GIN (metadata);
+```
+
+## Query Tuning
+
+```sql
+-- ❌ Bad: SELECT *
+SELECT * FROM orders WHERE user_id = 123;
+
+-- ✅ Good: Select only needed columns
+SELECT id, total, created_at FROM orders WHERE user_id = 123;
+
+-- ❌ Bad: N+1 queries
+SELECT * FROM users;
+-- Then for each user: SELECT * FROM orders WHERE user_id = ?
+
+-- ✅ Good: JOIN
+SELECT u.*, o.* FROM users u
+LEFT JOIN orders o ON o.user_id = u.id;
+```
+
+## Best Practices
+
+✅ Use EXPLAIN ANALYZE for slow queries
+✅ Index foreign keys
+✅ Avoid SELECT *
+✅ Use LIMIT for large result sets
+✅ Consider query caching
+✅ Monitor slow query logs
+
+---
+
+**Related Resources:**
+- postgresql-fundamentals.md - Database basics

package/.claude/skills/devsecops/SKILL.md

@@ -0,0 +1,374 @@
+# DevSecOps - Security Integration in Development
+
+Comprehensive guide for integrating security throughout the software development lifecycle. Covers security scanning (SAST, DAST, SCA), container security, secrets management, compliance as code, policy enforcement, vulnerability management, and shift-left security practices.
+
+## Purpose
+
+Enable teams to build secure applications by integrating security practices into every phase of development, from code commit to production deployment.
+
+## When to Use This Skill
+
+Automatically activates when working on:
+- Security scanning and vulnerability assessment
+- Container and image security
+- Secrets management and encryption
+- Policy enforcement and compliance
+- Security automation in CI/CD
+- Threat modeling and security architecture
+- Incident response and security monitoring
+
+## Quick Start Checklist
+
+When implementing DevSecOps practices:
+
+- [ ] Integrate SAST/DAST scanning in CI/CD pipeline
+- [ ] Implement container image scanning
+- [ ] Set up secrets management (never commit secrets)
+- [ ] Define security policies as code (OPA, Kyverno)
+- [ ] Enable dependency scanning (SCA)
+- [ ] Implement runtime security monitoring
+- [ ] Configure security gates in deployment pipeline
+- [ ] Document security requirements and controls
+- [ ] Set up security alerting and incident response
+- [ ] Conduct regular security reviews
+
+## Core Concepts
+
+### Shift-Left Security
+
+**Traditional (Security at End):**
+```
+Develop → Build → Test → Security Review → Deploy
+                              ↑
+                       Found Issues Late!
+```
+
+**DevSecOps (Security Throughout):**
+```
+Develop (IDE security) →
+Build (SAST, secrets scan) →
+Test (DAST, dependency scan) →
+Deploy (policy enforcement, runtime protection)
+    ↓
+Continuous Security Monitoring
+```
+
+### Security as Code
+
+```yaml
+# Security policies defined as code
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: security-baseline
+spec:
+  validationFailureAction: enforce
+  rules:
+  - name: no-privileged-containers
+    match:
+      resources:
+        kinds:
+        - Pod
+    validate:
+      message: "Privileged containers not allowed"
+      pattern:
+        spec:
+          containers:
+          - securityContext:
+              privileged: false
+```
+
+### Security Scanning Types
+
+```
+SAST (Static Application Security Testing):
+  - Analyzes source code
+  - Finds coding vulnerabilities
+  - Tools: SonarQube, Semgrep, CodeQL
+
+DAST (Dynamic Application Security Testing):
+  - Tests running application
+  - Finds runtime vulnerabilities
+  - Tools: OWASP ZAP, Burp Suite
+
+SCA (Software Composition Analysis):
+  - Scans dependencies
+  - Finds known vulnerabilities
+  - Tools: Snyk, Dependabot, Trivy
+
+Container Security:
+  - Scans container images
+  - Base image vulnerabilities
+  - Tools: Trivy, Grype, Clair
+
+Secrets Scanning:
+  - Detects hardcoded secrets
+  - Prevents secret leaks
+  - Tools: GitGuardian, TruffleHog
+```
+
+## Common Patterns
+
+### Pattern 1: CI/CD Security Pipeline
+
+```yaml
+# .github/workflows/security.yaml
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  secret-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: TruffleHog Secret Scan
+      uses: trufflesecurity/trufflehog@main
+      with:
+        path: ./
+        base: main
+        head: HEAD
+
+  sast:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Run Semgrep
+      uses: returntocorp/semgrep-action@v1
+      with:
+        config: >-
+          p/security-audit
+          p/secrets
+          p/owasp-top-ten
+
+  dependency-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Run Snyk
+      uses: snyk/actions/node@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        args: --severity-threshold=high
+
+  container-scan:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Build image
+      run: docker build -t ${{ github.repository }}:${{ github.sha }} .
+
+    - name: Run Trivy
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ github.repository }}:${{ github.sha }}
+        format: 'sarif'
+        severity: 'CRITICAL,HIGH'
+        exit-code: '1'
+
+  security-gate:
+    needs: [secret-scan, sast, dependency-scan, container-scan]
+    runs-on: ubuntu-latest
+    steps:
+    - name: Security gate passed
+      run: echo "All security checks passed"
+```
+
+### Pattern 2: Policy as Code
+
+```yaml
+# OPA/Gatekeeper policy
+apiVersion: templates.gatekeeper.sh/v1
+kind: ConstraintTemplate
+metadata:
+  name: k8sblockprivileged
+spec:
+  crd:
+    spec:
+      names:
+        kind: K8sBlockPrivileged
+  targets:
+  - target: admission.k8s.gatekeeper.sh
+    rego: |
+      package k8sblockprivileged
+
+      violation[{"msg": msg}] {
+        container := input.review.object.spec.containers[_]
+        container.securityContext.privileged
+        msg := sprintf("Privileged container not allowed: %v", [container.name])
+      }
+```
+
+### Pattern 3: Secrets Management
+
+```yaml
+# External Secrets Operator
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: app-secrets
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend
+    kind: SecretStore
+  target:
+    name: app-secrets
+  data:
+  - secretKey: api-key
+    remoteRef:
+      key: secret/data/app
+      property: api-key
+  - secretKey: db-password
+    remoteRef:
+      key: secret/data/database
+      property: password
+```
+
+## Resource Files
+
+For detailed guidance on specific topics, see:
+
+### Security Scanning & Testing
+- **[security-scanning.md](resources/security-scanning.md)** - SAST, DAST, SCA implementation, tool comparisons, CI/CD integration
+- **[container-security.md](resources/container-security.md)** - Image scanning, base image selection, vulnerability remediation, registry security
+- **[supply-chain-security.md](resources/supply-chain-security.md)** - SCA tools, SBOM, dependency security, software supply chain attacks
+- **[vulnerability-management.md](resources/vulnerability-management.md)** - Vulnerability scanning, tracking, prioritization, remediation workflows
+- **[security-testing.md](resources/security-testing.md)** - Security testing in CI/CD, penetration testing, security test automation
+
+### Access Control & Secrets
+- **[secrets-management.md](resources/secrets-management.md)** - Vault, AWS Secrets Manager, External Secrets Operator, rotation strategies, encryption
+- **[zero-trust-architecture.md](resources/zero-trust-architecture.md)** - Zero trust principles, identity-based security, service mesh, mTLS
+
+### Policy & Compliance
+- **[policy-enforcement.md](resources/policy-enforcement.md)** - OPA, Gatekeeper, Kyverno, admission controllers, policy testing
+- **[compliance-automation.md](resources/compliance-automation.md)** - Compliance frameworks (SOC2, PCI-DSS, HIPAA), automated audits
+- **[compliance-frameworks.md](resources/compliance-frameworks.md)** - FedRAMP, CMMC, NIST 800-53/800-171, ITAR, CJIS, PCI-DSS, HIPAA, SOC 2, implementation checklists, audit preparation
+- **[cspm-integration.md](resources/cspm-integration.md)** - CSPM tool integration (Prisma Cloud, Wiz, Aqua, Trend Micro), CI/CD pipeline security scanning, policy as code, shift-left security
+
+### CI/CD & Monitoring
+- **[ci-cd-security.md](resources/ci-cd-security.md)** - Secure pipeline design, build security, deployment security, supply chain protection
+- **[security-monitoring.md](resources/security-monitoring.md)** - SIEM, security analytics, threat detection, incident response
+
+## Best Practices
+
+### 1. Never Commit Secrets
+
+```bash
+# Use pre-commit hooks
+# .pre-commit-config.yaml
+repos:
+- repo: https://github.com/trufflesecurity/trufflehog
+  rev: v3.63.0
+  hooks:
+  - id: trufflehog
+    name: TruffleHog
+    entry: bash -c 'trufflehog git file://. --since-commit HEAD --only-verified --fail'
+```
+
+### 2. Scan Everything
+
+- Source code (SAST)
+- Dependencies (SCA)
+- Container images
+- Infrastructure as code
+- Runtime behavior
+
+### 3. Automate Security Testing
+
+Integrate into CI/CD, fail fast on critical issues.
+
+### 4. Least Privilege Access
+
+Grant minimum necessary permissions.
+
+### 5. Defense in Depth
+
+Multiple layers of security controls.
+
+### 6. Regular Updates
+
+Keep dependencies and base images updated.
+
+### 7. Security Monitoring
+
+Continuous monitoring and alerting.
+
+### 8. Incident Response Plan
+
+Documented procedures for security incidents.
+
+## Anti-Patterns to Avoid
+
+❌ Security only at the end (too late, too expensive)
+❌ Committing secrets to Git
+❌ Ignoring vulnerability scan results
+❌ Using outdated dependencies
+❌ No runtime security monitoring
+❌ Manual security processes
+❌ Privileged containers in production
+❌ Disabled security policies for convenience
+❌ No security training for developers
+❌ Security as blocker instead of enabler
+
+## Common Tasks
+
+### Task: Add Security Scanning to CI/CD
+
+1. Choose scanning tools (SAST, SCA, container)
+2. Add security jobs to CI/CD pipeline
+3. Set severity thresholds
+4. Configure notifications
+5. Document remediation process
+
+### Task: Implement Secrets Management
+
+1. Choose secrets backend (Vault, AWS SM, etc.)
+2. Migrate existing secrets
+3. Implement External Secrets Operator
+4. Set up rotation policies
+5. Remove hardcoded secrets
+
+### Task: Enforce Security Policies
+
+1. Define security requirements
+2. Write policies as code (OPA/Kyverno)
+3. Test policies in non-production
+4. Deploy to production clusters
+5. Monitor policy violations
+
+## Integration Points
+
+This skill integrates with:
+- **platform-engineering**: Infrastructure security, Kubernetes security
+- **sre**: Incident response, monitoring, reliability
+- **release-engineering**: Secure CI/CD pipelines, deployment gates
+- **cloud-engineering**: Cloud security, IAM, encryption
+- **systems-engineering**: OS hardening, network security
+
+## Triggers and Activation
+
+This skill activates when you:
+- Work with security scanning tools
+- Implement secrets management
+- Define security policies
+- Configure compliance frameworks
+- Investigate security vulnerabilities
+- Set up security monitoring
+
+---
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+🎯 SKILL ACTIVATED: devsecops
+━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+
+**Total Resources:** 11 detailed guides covering all aspects of DevSecOps
+**Focus:** Shift-left security, automation, continuous improvement
+**Maintained by:** Security team based on industry best practices and real-world implementations