blockmine 1.21.0 → 1.23.0

Files changed (492)
  1. package/.claude/agents/README.md +469 -0
  2. package/.claude/agents/auth-route-debugger.md +118 -0
  3. package/.claude/agents/auth-route-tester.md +93 -0
  4. package/.claude/agents/auto-error-resolver.md +97 -0
  5. package/.claude/agents/build-optimizer.md +236 -0
  6. package/.claude/agents/code-architecture-reviewer.md +83 -0
  7. package/.claude/agents/code-refactor-master.md +94 -0
  8. package/.claude/agents/cost-optimizer.md +134 -0
  9. package/.claude/agents/deployment-orchestrator.md +113 -0
  10. package/.claude/agents/documentation-architect.md +82 -0
  11. package/.claude/agents/frontend-error-fixer.md +77 -0
  12. package/.claude/agents/iac-code-generator.md +71 -0
  13. package/.claude/agents/incident-responder.md +346 -0
  14. package/.claude/agents/infrastructure-architect.md +31 -0
  15. package/.claude/agents/kubernetes-specialist.md +56 -0
  16. package/.claude/agents/migration-planner.md +181 -0
  17. package/.claude/agents/network-architect.md +196 -0
  18. package/.claude/agents/plan-reviewer.md +52 -0
  19. package/.claude/agents/refactor-planner.md +63 -0
  20. package/.claude/agents/security-scanner.md +102 -0
  21. package/.claude/agents/web-research-specialist.md +78 -0
  22. package/.claude/commands/cost-analysis.md +315 -0
  23. package/.claude/commands/dev-docs-update.md +55 -0
  24. package/.claude/commands/dev-docs.md +51 -0
  25. package/.claude/commands/incident-debug.md +247 -0
  26. package/.claude/commands/infra-plan.md +81 -0
  27. package/.claude/commands/migration-plan.md +478 -0
  28. package/.claude/commands/route-research-for-testing.md +37 -0
  29. package/.claude/commands/security-review.md +66 -0
  30. package/.claude/hooks/CONFIG.md +448 -0
  31. package/.claude/hooks/README.md +163 -0
  32. package/.claude/hooks/SKILL_ACTIVATION_COMPLETE.md +226 -0
  33. package/.claude/hooks/WINDOWS_HOOKS_README.md +151 -0
  34. package/.claude/hooks/add-skill-activation-banners.ts +132 -0
  35. package/.claude/hooks/comprehensive-skill-test.ts +1315 -0
  36. package/.claude/hooks/error-handling-reminder.sh +12 -0
  37. package/.claude/hooks/error-handling-reminder.ts +222 -0
  38. package/.claude/hooks/k8s-manifest-validator.sh +56 -0
  39. package/.claude/hooks/package-lock.json +556 -0
  40. package/.claude/hooks/package.json +16 -0
  41. package/.claude/hooks/post-tool-use-tracker.ps1 +174 -0
  42. package/.claude/hooks/post-tool-use-tracker.sh +183 -0
  43. package/.claude/hooks/security-policy-check.sh +247 -0
  44. package/.claude/hooks/skill-activation-prompt.ps1 +10 -0
  45. package/.claude/hooks/skill-activation-prompt.sh +10 -0
  46. package/.claude/hooks/skill-activation-prompt.ts +141 -0
  47. package/.claude/hooks/stop-build-check-enhanced.sh +130 -0
  48. package/.claude/hooks/terraform-validator.sh +53 -0
  49. package/.claude/hooks/test-input.json +7 -0
  50. package/.claude/hooks/test-skill-activation.ts +427 -0
  51. package/.claude/hooks/trigger-build-resolver.sh +79 -0
  52. package/.claude/hooks/tsc-check.sh +173 -0
  53. package/.claude/hooks/tsconfig.json +19 -0
  54. package/.claude/settings.json +59 -0
  55. package/.claude/settings.local.json +36 -14
  56. package/.claude/skills/README.md +507 -0
  57. package/.claude/skills/api-engineering/SKILL.md +63 -0
  58. package/.claude/skills/api-engineering/resources/api-versioning.md +88 -0
  59. package/.claude/skills/api-engineering/resources/graphql-patterns.md +106 -0
  60. package/.claude/skills/api-engineering/resources/rate-limiting.md +118 -0
  61. package/.claude/skills/api-engineering/resources/rest-api-design.md +105 -0
  62. package/.claude/skills/backend-dev-guidelines/SKILL.md +306 -0
  63. package/.claude/skills/backend-dev-guidelines/resources/architecture-overview.md +451 -0
  64. package/.claude/skills/backend-dev-guidelines/resources/async-and-errors.md +307 -0
  65. package/.claude/skills/backend-dev-guidelines/resources/complete-examples.md +638 -0
  66. package/.claude/skills/backend-dev-guidelines/resources/configuration.md +275 -0
  67. package/.claude/skills/backend-dev-guidelines/resources/database-patterns.md +224 -0
  68. package/.claude/skills/backend-dev-guidelines/resources/middleware-guide.md +213 -0
  69. package/.claude/skills/backend-dev-guidelines/resources/routing-and-controllers.md +756 -0
  70. package/.claude/skills/backend-dev-guidelines/resources/sentry-and-monitoring.md +336 -0
  71. package/.claude/skills/backend-dev-guidelines/resources/services-and-repositories.md +789 -0
  72. package/.claude/skills/backend-dev-guidelines/resources/testing-guide.md +235 -0
  73. package/.claude/skills/backend-dev-guidelines/resources/validation-patterns.md +754 -0
  74. package/.claude/skills/budget-and-cost-management/SKILL.md +850 -0
  75. package/.claude/skills/build-engineering/SKILL.md +431 -0
  76. package/.claude/skills/build-engineering/resources/artifact-repositories.md +72 -0
  77. package/.claude/skills/build-engineering/resources/build-caching.md +96 -0
  78. package/.claude/skills/build-engineering/resources/build-pipelines.md +105 -0
  79. package/.claude/skills/build-engineering/resources/build-security.md +95 -0
  80. package/.claude/skills/build-engineering/resources/build-systems.md +389 -0
  81. package/.claude/skills/build-engineering/resources/compilation-optimization.md +201 -0
  82. package/.claude/skills/build-engineering/resources/dependency-management.md +73 -0
  83. package/.claude/skills/build-engineering/resources/monorepo-builds.md +110 -0
  84. package/.claude/skills/build-engineering/resources/performance-optimization.md +113 -0
  85. package/.claude/skills/build-engineering/resources/reproducible-builds.md +82 -0
  86. package/.claude/skills/cloud-engineering/SKILL.md +675 -0
  87. package/.claude/skills/cloud-engineering/resources/aws-patterns.md +742 -0
  88. package/.claude/skills/cloud-engineering/resources/azure-patterns.md +714 -0
  89. package/.claude/skills/cloud-engineering/resources/cleared-cloud-environments.md +987 -0
  90. package/.claude/skills/cloud-engineering/resources/cloud-cost-optimization.md +757 -0
  91. package/.claude/skills/cloud-engineering/resources/cloud-networking.md +1058 -0
  92. package/.claude/skills/cloud-engineering/resources/cloud-security-tools.md +1530 -0
  93. package/.claude/skills/cloud-engineering/resources/cloud-security.md +990 -0
  94. package/.claude/skills/cloud-engineering/resources/gcp-patterns.md +758 -0
  95. package/.claude/skills/cloud-engineering/resources/migration-strategies.md +820 -0
  96. package/.claude/skills/cloud-engineering/resources/multi-cloud-strategies.md +670 -0
  97. package/.claude/skills/cloud-engineering/resources/oci-patterns.md +1198 -0
  98. package/.claude/skills/cloud-engineering/resources/serverless-patterns.md +795 -0
  99. package/.claude/skills/cloud-engineering/resources/well-architected-frameworks.md +966 -0
  100. package/.claude/skills/cybersecurity/SKILL.md +409 -0
  101. package/.claude/skills/cybersecurity/resources/security-architecture.md +266 -0
  102. package/.claude/skills/database-engineering/SKILL.md +61 -0
  103. package/.claude/skills/database-engineering/resources/backup-and-recovery.md +72 -0
  104. package/.claude/skills/database-engineering/resources/database-replication.md +63 -0
  105. package/.claude/skills/database-engineering/resources/postgresql-fundamentals.md +70 -0
  106. package/.claude/skills/database-engineering/resources/query-optimization.md +68 -0
  107. package/.claude/skills/devsecops/SKILL.md +374 -0
  108. package/.claude/skills/devsecops/resources/ci-cd-security.md +204 -0
  109. package/.claude/skills/devsecops/resources/compliance-automation.md +530 -0
  110. package/.claude/skills/devsecops/resources/compliance-frameworks.md +2322 -0
  111. package/.claude/skills/devsecops/resources/container-security.md +915 -0
  112. package/.claude/skills/devsecops/resources/cspm-integration.md +1440 -0
  113. package/.claude/skills/devsecops/resources/policy-enforcement.md +619 -0
  114. package/.claude/skills/devsecops/resources/secrets-management.md +755 -0
  115. package/.claude/skills/devsecops/resources/security-monitoring.md +146 -0
  116. package/.claude/skills/devsecops/resources/security-scanning.md +887 -0
  117. package/.claude/skills/devsecops/resources/security-testing.md +203 -0
  118. package/.claude/skills/devsecops/resources/supply-chain-security.md +518 -0
  119. package/.claude/skills/devsecops/resources/vulnerability-management.md +481 -0
  120. package/.claude/skills/devsecops/resources/zero-trust-architecture.md +177 -0
  121. package/.claude/skills/documentation-as-code/SKILL.md +323 -0
  122. package/.claude/skills/documentation-as-code/resources/api-documentation.md +90 -0
  123. package/.claude/skills/documentation-as-code/resources/changelog-management.md +79 -0
  124. package/.claude/skills/documentation-as-code/resources/diagram-generation.md +44 -0
  125. package/.claude/skills/documentation-as-code/resources/docs-as-code-workflow.md +99 -0
  126. package/.claude/skills/documentation-as-code/resources/documentation-automation.md +68 -0
  127. package/.claude/skills/documentation-as-code/resources/documentation-sites.md +79 -0
  128. package/.claude/skills/documentation-as-code/resources/markdown-best-practices.md +162 -0
  129. package/.claude/skills/documentation-as-code/resources/openapi-specification.md +77 -0
  130. package/.claude/skills/documentation-as-code/resources/readme-engineering.md +60 -0
  131. package/.claude/skills/documentation-as-code/resources/technical-writing-guide.md +202 -0
  132. package/.claude/skills/engineering-management/SKILL.md +356 -0
  133. package/.claude/skills/engineering-management/resources/career-ladders.md +609 -0
  134. package/.claude/skills/engineering-management/resources/hiring-and-assessment.md +555 -0
  135. package/.claude/skills/engineering-management/resources/one-on-one-guides.md +609 -0
  136. package/.claude/skills/engineering-management/resources/resource-planning.md +557 -0
  137. package/.claude/skills/engineering-management/resources/team-organization-patterns.md +491 -0
  138. package/.claude/skills/engineering-management/resources/technical-interviews.md +474 -0
  139. package/.claude/skills/engineering-operations-management/SKILL.md +817 -0
  140. package/.claude/skills/error-tracking/SKILL.md +379 -0
  141. package/.claude/skills/frontend-dev-guidelines/SKILL.md +403 -0
  142. package/.claude/skills/frontend-dev-guidelines/resources/common-patterns.md +331 -0
  143. package/.claude/skills/frontend-dev-guidelines/resources/complete-examples.md +872 -0
  144. package/.claude/skills/frontend-dev-guidelines/resources/component-patterns.md +502 -0
  145. package/.claude/skills/frontend-dev-guidelines/resources/data-fetching.md +767 -0
  146. package/.claude/skills/frontend-dev-guidelines/resources/file-organization.md +502 -0
  147. package/.claude/skills/frontend-dev-guidelines/resources/loading-and-error-states.md +501 -0
  148. package/.claude/skills/frontend-dev-guidelines/resources/performance.md +406 -0
  149. package/.claude/skills/frontend-dev-guidelines/resources/routing-guide.md +364 -0
  150. package/.claude/skills/frontend-dev-guidelines/resources/styling-guide.md +428 -0
  151. package/.claude/skills/frontend-dev-guidelines/resources/typescript-standards.md +418 -0
  152. package/.claude/skills/general-it-engineering/SKILL.md +393 -0
  153. package/.claude/skills/general-it-engineering/resources/asset-management.md +712 -0
  154. package/.claude/skills/general-it-engineering/resources/automation-orchestration.md +817 -0
  155. package/.claude/skills/general-it-engineering/resources/business-continuity.md +786 -0
  156. package/.claude/skills/general-it-engineering/resources/change-management.md +715 -0
  157. package/.claude/skills/general-it-engineering/resources/enterprise-monitoring.md +729 -0
  158. package/.claude/skills/general-it-engineering/resources/help-desk-operations.md +738 -0
  159. package/.claude/skills/general-it-engineering/resources/incident-service-management.md +834 -0
  160. package/.claude/skills/general-it-engineering/resources/it-governance.md +753 -0
  161. package/.claude/skills/general-it-engineering/resources/itil-framework.md +503 -0
  162. package/.claude/skills/general-it-engineering/resources/service-management.md +669 -0
  163. package/.claude/skills/infrastructure-architecture/SKILL.md +328 -0
  164. package/.claude/skills/infrastructure-architecture/resources/architecture-decision-records.md +505 -0
  165. package/.claude/skills/infrastructure-architecture/resources/architecture-patterns.md +528 -0
  166. package/.claude/skills/infrastructure-architecture/resources/capacity-planning.md +453 -0
  167. package/.claude/skills/infrastructure-architecture/resources/cleared-environment-architecture.md +773 -0
  168. package/.claude/skills/infrastructure-architecture/resources/cost-architecture.md +499 -0
  169. package/.claude/skills/infrastructure-architecture/resources/data-architecture.md +501 -0
  170. package/.claude/skills/infrastructure-architecture/resources/disaster-recovery.md +535 -0
  171. package/.claude/skills/infrastructure-architecture/resources/migration-architecture.md +512 -0
  172. package/.claude/skills/infrastructure-architecture/resources/multi-region-design.md +608 -0
  173. package/.claude/skills/infrastructure-architecture/resources/reference-architectures.md +562 -0
  174. package/.claude/skills/infrastructure-architecture/resources/security-architecture.md +538 -0
  175. package/.claude/skills/infrastructure-architecture/resources/system-design-principles.md +489 -0
  176. package/.claude/skills/infrastructure-architecture/resources/workload-classification.md +1000 -0
  177. package/.claude/skills/infrastructure-strategy/SKILL.md +924 -0
  178. package/.claude/skills/network-engineering/SKILL.md +385 -0
  179. package/.claude/skills/network-engineering/resources/dns-management.md +738 -0
  180. package/.claude/skills/network-engineering/resources/load-balancing.md +820 -0
  181. package/.claude/skills/network-engineering/resources/network-architecture.md +546 -0
  182. package/.claude/skills/network-engineering/resources/network-security.md +921 -0
  183. package/.claude/skills/network-engineering/resources/network-troubleshooting.md +749 -0
  184. package/.claude/skills/network-engineering/resources/routing-switching.md +373 -0
  185. package/.claude/skills/network-engineering/resources/sdn-networking.md +695 -0
  186. package/.claude/skills/network-engineering/resources/service-mesh-networking.md +777 -0
  187. package/.claude/skills/network-engineering/resources/tcp-ip-protocols.md +444 -0
  188. package/.claude/skills/network-engineering/resources/vpn-connectivity.md +672 -0
  189. package/.claude/skills/observability-engineering/SKILL.md +101 -0
  190. package/.claude/skills/observability-engineering/resources/apm-tools.md +97 -0
  191. package/.claude/skills/observability-engineering/resources/correlation-strategies.md +87 -0
  192. package/.claude/skills/observability-engineering/resources/distributed-tracing.md +98 -0
  193. package/.claude/skills/observability-engineering/resources/logs-aggregation.md +118 -0
  194. package/.claude/skills/observability-engineering/resources/observability-cost-optimization.md +141 -0
  195. package/.claude/skills/observability-engineering/resources/opentelemetry.md +110 -0
  196. package/.claude/skills/platform-engineering/SKILL.md +555 -0
  197. package/.claude/skills/platform-engineering/resources/architecture-overview.md +600 -0
  198. package/.claude/skills/platform-engineering/resources/container-orchestration.md +916 -0
  199. package/.claude/skills/platform-engineering/resources/cost-optimization.md +634 -0
  200. package/.claude/skills/platform-engineering/resources/developer-platforms.md +670 -0
  201. package/.claude/skills/platform-engineering/resources/gitops-automation.md +650 -0
  202. package/.claude/skills/platform-engineering/resources/infrastructure-as-code.md +778 -0
  203. package/.claude/skills/platform-engineering/resources/infrastructure-standards.md +708 -0
  204. package/.claude/skills/platform-engineering/resources/multi-tenancy.md +602 -0
  205. package/.claude/skills/platform-engineering/resources/platform-security.md +711 -0
  206. package/.claude/skills/platform-engineering/resources/resource-management.md +592 -0
  207. package/.claude/skills/platform-engineering/resources/service-mesh.md +628 -0
  208. package/.claude/skills/release-engineering/SKILL.md +393 -0
  209. package/.claude/skills/release-engineering/resources/artifact-management.md +108 -0
  210. package/.claude/skills/release-engineering/resources/build-optimization.md +84 -0
  211. package/.claude/skills/release-engineering/resources/ci-cd-pipelines.md +411 -0
  212. package/.claude/skills/release-engineering/resources/deployment-strategies.md +197 -0
  213. package/.claude/skills/release-engineering/resources/pipeline-security.md +62 -0
  214. package/.claude/skills/release-engineering/resources/progressive-delivery.md +83 -0
  215. package/.claude/skills/release-engineering/resources/release-automation.md +68 -0
  216. package/.claude/skills/release-engineering/resources/release-orchestration.md +77 -0
  217. package/.claude/skills/release-engineering/resources/rollback-strategies.md +66 -0
  218. package/.claude/skills/release-engineering/resources/versioning-strategies.md +59 -0
  219. package/.claude/skills/route-tester/SKILL.md +392 -0
  220. package/.claude/skills/skill-developer/ADVANCED.md +197 -0
  221. package/.claude/skills/skill-developer/HOOK_MECHANISMS.md +306 -0
  222. package/.claude/skills/skill-developer/PATTERNS_LIBRARY.md +152 -0
  223. package/.claude/skills/skill-developer/SKILL.md +430 -0
  224. package/.claude/skills/skill-developer/SKILL_RULES_REFERENCE.md +315 -0
  225. package/.claude/skills/skill-developer/TRIGGER_TYPES.md +305 -0
  226. package/.claude/skills/skill-developer/TROUBLESHOOTING.md +514 -0
  227. package/.claude/skills/skill-rules.json +2940 -0
  228. package/.claude/skills/sre/SKILL.md +464 -0
  229. package/.claude/skills/sre/resources/alerting-best-practices.md +282 -0
  230. package/.claude/skills/sre/resources/capacity-planning.md +226 -0
  231. package/.claude/skills/sre/resources/chaos-engineering.md +193 -0
  232. package/.claude/skills/sre/resources/disaster-recovery.md +232 -0
  233. package/.claude/skills/sre/resources/incident-management.md +436 -0
  234. package/.claude/skills/sre/resources/observability-stack.md +240 -0
  235. package/.claude/skills/sre/resources/on-call-runbooks.md +167 -0
  236. package/.claude/skills/sre/resources/performance-optimization.md +108 -0
  237. package/.claude/skills/sre/resources/reliability-patterns.md +183 -0
  238. package/.claude/skills/sre/resources/slo-sli-sla.md +464 -0
  239. package/.claude/skills/sre/resources/toil-reduction.md +145 -0
  240. package/.claude/skills/systems-engineering/SKILL.md +648 -0
  241. package/.claude/skills/systems-engineering/resources/automation-patterns.md +771 -0
  242. package/.claude/skills/systems-engineering/resources/configuration-management.md +998 -0
  243. package/.claude/skills/systems-engineering/resources/linux-administration.md +672 -0
  244. package/.claude/skills/systems-engineering/resources/networking-fundamentals.md +982 -0
  245. package/.claude/skills/systems-engineering/resources/performance-tuning.md +871 -0
  246. package/.claude/skills/systems-engineering/resources/powershell-scripting.md +482 -0
  247. package/.claude/skills/systems-engineering/resources/security-hardening.md +739 -0
  248. package/.claude/skills/systems-engineering/resources/shell-scripting.md +915 -0
  249. package/.claude/skills/systems-engineering/resources/storage-management.md +628 -0
  250. package/.claude/skills/systems-engineering/resources/system-monitoring.md +787 -0
  251. package/.claude/skills/systems-engineering/resources/troubleshooting-guide.md +753 -0
  252. package/.claude/skills/systems-engineering/resources/windows-administration.md +738 -0
  253. package/.claude/skills/technical-leadership/SKILL.md +728 -0
  254. package/CHANGELOG.md +102 -42
  255. package/CLAUDE.md +284 -0
  256. package/README.md +315 -71
  257. package/backend/docs/SECRETS_DOCUMENTATION.md +327 -0
  258. package/backend/jest.config.js +59 -0
  259. package/backend/package-lock.json +6801 -0
  260. package/backend/package.json +24 -4
  261. package/backend/prisma/migrations/20251026104609_add_websocket_api/migration.sql +33 -0
  262. package/backend/prisma/migrations/20251116111851_add_execution_trace/migration.sql +22 -0
  263. package/backend/prisma/migrations/20251120154914_add_panel_api_keys/migration.sql +21 -0
  264. package/backend/prisma/migrations/20251121110241_add_proxy_table/migration.sql +45 -0
  265. package/backend/prisma/migrations/migration_lock.toml +2 -2
  266. package/backend/prisma/schema.prisma +103 -1
  267. package/backend/src/__tests__/core/DependencyService.test.js +336 -0
  268. package/backend/src/__tests__/core/UserService.test.js +875 -0
  269. package/backend/src/__tests__/repositories/BaseRepository.test.js +146 -0
  270. package/backend/src/__tests__/repositories/BotRepository.test.js +118 -0
  271. package/backend/src/__tests__/repositories/CommandRepository.test.js +132 -0
  272. package/backend/src/__tests__/repositories/EventGraphRepository.test.js +93 -0
  273. package/backend/src/__tests__/repositories/GroupRepository.test.js +155 -0
  274. package/backend/src/__tests__/repositories/PermissionRepository.test.js +130 -0
  275. package/backend/src/__tests__/repositories/PluginRepository.test.js +107 -0
  276. package/backend/src/__tests__/repositories/ServerRepository.test.js +80 -0
  277. package/backend/src/__tests__/repositories/UserRepository.test.js +128 -0
  278. package/backend/src/__tests__/secretsFilter.test.js +425 -0
  279. package/backend/src/__tests__/services/BotLifecycleService.test.js +416 -0
  280. package/backend/src/__tests__/services/BotProcessManager.test.js +285 -0
  281. package/backend/src/__tests__/services/CacheManager.test.js +125 -0
  282. package/backend/src/__tests__/services/CommandExecutionService.test.js +460 -0
  283. package/backend/src/__tests__/services/ResourceMonitorService.test.js +207 -0
  284. package/backend/src/__tests__/services/TelemetryService.test.js +291 -0
  285. package/backend/src/__tests__/setup.js +25 -0
  286. package/backend/src/ai/plugin-assistant-system-prompt.md +788 -0
  287. package/backend/src/api/middleware/auth.js +27 -0
  288. package/backend/src/api/middleware/botAccess.js +7 -3
  289. package/backend/src/api/middleware/panelApiAuth.js +135 -0
  290. package/backend/src/api/routes/aiAssistant.js +995 -0
  291. package/backend/src/api/routes/apiKeys.js +181 -0
  292. package/backend/src/api/routes/auth.js +669 -633
  293. package/backend/src/api/routes/botCommands.js +107 -0
  294. package/backend/src/api/routes/botGroups.js +165 -0
  295. package/backend/src/api/routes/botHistory.js +108 -0
  296. package/backend/src/api/routes/botPermissions.js +99 -0
  297. package/backend/src/api/routes/botStatus.js +36 -0
  298. package/backend/src/api/routes/botUsers.js +162 -0
  299. package/backend/src/api/routes/bots.js +2451 -2360
  300. package/backend/src/api/routes/eventGraphs.js +4 -1
  301. package/backend/src/api/routes/logs.js +13 -3
  302. package/backend/src/api/routes/panel.js +66 -66
  303. package/backend/src/api/routes/panelApiKeys.js +179 -0
  304. package/backend/src/api/routes/pluginIde.js +1715 -135
  305. package/backend/src/api/routes/plugins.js +376 -218
  306. package/backend/src/api/routes/proxies.js +130 -0
  307. package/backend/src/api/routes/search.js +4 -0
  308. package/backend/src/api/routes/servers.js +20 -3
  309. package/backend/src/api/routes/settings.js +5 -0
  310. package/backend/src/api/routes/system.js +174 -0
  311. package/backend/src/api/routes/traces.js +131 -0
  312. package/backend/src/config/debug.config.js +36 -0
  313. package/backend/src/container.js +82 -0
  314. package/backend/src/core/BotHistoryStore.js +180 -0
  315. package/backend/src/core/BotManager.js +149 -868
  316. package/backend/src/core/BotManager.old.js +1093 -0
  317. package/backend/src/core/BotProcess.js +850 -191
  318. package/backend/src/core/EventGraphManager.js +194 -198
  319. package/backend/src/core/GraphExecutionEngine.js +709 -57
  320. package/backend/src/core/MessageQueue.js +39 -12
  321. package/backend/src/core/NodeRegistry.js +37 -1134
  322. package/backend/src/core/PluginLoader.js +99 -5
  323. package/backend/src/core/PluginManager.js +126 -15
  324. package/backend/src/core/PrismaService.js +32 -0
  325. package/backend/src/core/TaskScheduler.js +1 -1
  326. package/backend/src/core/UserService.js +3 -3
  327. package/backend/src/core/__tests__/PrismaService.test.js +24 -0
  328. package/backend/src/core/commands/README.md +305 -0
  329. package/backend/src/core/commands/dev.js +13 -7
  330. package/backend/src/core/commands/ping.js +10 -4
  331. package/backend/src/core/commands/whois.js +63 -0
  332. package/backend/src/core/config/validation.js +27 -0
  333. package/backend/src/core/constants/graphTypes.js +21 -0
  334. package/backend/src/core/node-registries/actions.js +202 -0
  335. package/backend/src/core/node-registries/arrays.js +155 -0
  336. package/backend/src/core/node-registries/bot.js +23 -0
  337. package/backend/src/core/node-registries/data.js +290 -0
  338. package/backend/src/core/node-registries/debug.js +26 -0
  339. package/backend/src/core/node-registries/events.js +201 -0
  340. package/backend/src/core/node-registries/flow.js +139 -0
  341. package/backend/src/core/node-registries/logic.js +62 -0
  342. package/backend/src/core/node-registries/math.js +42 -0
  343. package/backend/src/core/node-registries/objects.js +98 -0
  344. package/backend/src/core/node-registries/strings.js +187 -0
  345. package/backend/src/core/node-registries/time.js +113 -0
  346. package/backend/src/core/node-registries/type.js +25 -0
  347. package/backend/src/core/node-registries/users.js +79 -0
  348. package/backend/src/core/nodes/{action_bot_look_at.js → actions/bot_look_at.js} +36 -36
  349. package/backend/src/core/nodes/{action_bot_set_variable.js → actions/bot_set_variable.js} +32 -32
  350. package/backend/src/core/nodes/actions/create_command.js +189 -0
  351. package/backend/src/core/nodes/actions/delete_command.js +92 -0
  352. package/backend/src/core/nodes/{action_send_log.js → actions/send_log.js} +28 -23
  353. package/backend/src/core/nodes/{action_send_message.js → actions/send_message.js} +32 -32
  354. package/backend/src/core/nodes/actions/send_websocket_response.js +33 -0
  355. package/backend/src/core/nodes/actions/update_command.js +133 -0
  356. package/backend/src/core/nodes/arrays/get_next.js +35 -0
  357. package/backend/src/core/nodes/arrays/join.js +28 -0
  358. package/backend/src/core/nodes/{data_cast.js → data/cast.js} +10 -1
  359. package/backend/src/core/nodes/data/datetime_literal.js +27 -0
  360. package/backend/src/core/nodes/data/entity_info.js +69 -0
  361. package/backend/src/core/nodes/data/get_nearby_entities.js +32 -0
  362. package/backend/src/core/nodes/data/get_nearby_players.js +64 -0
  363. package/backend/src/core/nodes/{data_get_user_field.js → data/get_user_field.js} +1 -1
  364. package/backend/src/core/nodes/data/type_check.js +53 -0
  365. package/backend/src/core/nodes/{debug_log.js → debug/log.js} +16 -16
  366. package/backend/src/core/nodes/{flow_branch.js → flow/branch.js} +15 -15
  367. package/backend/src/core/nodes/{flow_break.js → flow/break.js} +14 -14
  368. package/backend/src/core/nodes/flow/delay.js +43 -0
  369. package/backend/src/core/nodes/{flow_for_each.js → flow/for_each.js} +39 -39
  370. package/backend/src/core/nodes/{flow_sequence.js → flow/sequence.js} +16 -16
  371. package/backend/src/core/nodes/{flow_switch.js → flow/switch.js} +47 -47
  372. package/backend/src/core/nodes/{flow_while.js → flow/while.js} +1 -1
  373. package/backend/src/core/nodes/logic/__tests__/compare.test.js +83 -0
  374. package/backend/src/core/nodes/logic/not.js +22 -0
  375. package/backend/src/core/nodes/math/__tests__/operation.test.js +65 -0
  376. package/backend/src/core/nodes/strings/__tests__/concat.test.js +89 -0
  377. package/backend/src/core/nodes/{string_starts_with.js → strings/starts_with.js} +1 -1
  378. package/backend/src/core/nodes/strings/to_lower.js +22 -0
  379. package/backend/src/core/nodes/strings/to_upper.js +22 -0
  380. package/backend/src/core/nodes/time/__tests__/now.test.js +24 -0
  381. package/backend/src/core/nodes/time/add.js +33 -0
  382. package/backend/src/core/nodes/time/compare.js +35 -0
  383. package/backend/src/core/nodes/time/diff.js +29 -0
  384. package/backend/src/core/nodes/time/format.js +32 -0
  385. package/backend/src/core/nodes/time/now.js +18 -0
  386. package/backend/src/core/nodes/type/to_string.js +32 -0
  387. package/backend/src/core/nodes/{user_check_blacklist.js → users/check_blacklist.js} +37 -37
  388. package/backend/src/core/nodes/{user_get_groups.js → users/get_groups.js} +36 -36
  389. package/backend/src/core/nodes/{user_get_permissions.js → users/get_permissions.js} +36 -36
  390. package/backend/src/core/nodes/{user_set_blacklist.js → users/set_blacklist.js} +37 -37
  391. package/backend/src/core/services/BotLifecycleService.js +835 -0
  392. package/backend/src/core/services/BotProcessManager.js +163 -0
  393. package/backend/src/core/services/CacheManager.js +111 -0
  394. package/backend/src/core/services/CommandExecutionService.js +430 -0
  395. package/backend/src/core/services/DebugSessionManager.js +347 -0
  396. package/backend/src/core/services/GraphCollaborationManager.js +501 -0
  397. package/backend/src/core/services/MinecraftBotManager.js +259 -0
  398. package/backend/src/core/services/MinecraftViewerService.js +216 -0
  399. package/backend/src/core/services/ResourceMonitorService.js +90 -0
  400. package/backend/src/core/services/TelemetryService.js +124 -0
  401. package/backend/src/core/services/TraceCollectorService.js +545 -0
  402. package/backend/src/core/services/ValidationService.js +132 -0
  403. package/backend/src/core/services/__tests__/ValidationService.test.js +148 -0
  404. package/backend/src/core/services.js +20 -5
  405. package/backend/src/core/system/CommandContext.js +84 -0
  406. package/backend/src/core/system/RuntimeCommandRegistry.js +116 -0
  407. package/backend/src/core/system/Transport.js +74 -0
  408. package/backend/src/core/utils/__tests__/jsonParser.test.js +44 -0
  409. package/backend/src/core/utils/jsonParser.js +18 -0
  410. package/backend/src/core/utils/secretsFilter.js +262 -0
  411. package/backend/src/core/utils/variableParser.js +89 -0
  412. package/backend/src/core/validation/__tests__/nodeSchemas.test.js +175 -0
  413. package/backend/src/core/validation/nodeSchemas.js +112 -0
  414. package/backend/src/lib/prisma.js +2 -4
  415. package/backend/src/real-time/botApi/handlers/commandHandlers.js +28 -0
  416. package/backend/src/real-time/botApi/handlers/graphHandlers.js +99 -0
  417. package/backend/src/real-time/botApi/handlers/graphWebSocketHandlers.js +147 -0
  418. package/backend/src/real-time/botApi/handlers/index.js +43 -0
  419. package/backend/src/real-time/botApi/handlers/messageHandlers.js +66 -0
  420. package/backend/src/real-time/botApi/handlers/statusHandlers.js +17 -0
  421. package/backend/src/real-time/botApi/handlers/userHandlers.js +141 -0
  422. package/backend/src/real-time/botApi/index.js +40 -0
  423. package/backend/src/real-time/botApi/middleware.js +79 -0
  424. package/backend/src/real-time/botApi/utils.js +65 -0
  425. package/backend/src/real-time/panelNamespace.js +387 -0
  426. package/backend/src/real-time/presence.js +7 -2
  427. package/backend/src/real-time/socketHandler.js +400 -5
  428. package/backend/src/repositories/BaseRepository.js +43 -0
  429. package/backend/src/repositories/BotRepository.js +42 -0
  430. package/backend/src/repositories/CommandRepository.js +53 -0
  431. package/backend/src/repositories/EventGraphRepository.js +40 -0
  432. package/backend/src/repositories/GroupRepository.js +69 -0
  433. package/backend/src/repositories/PermissionRepository.js +48 -0
  434. package/backend/src/repositories/PluginRepository.js +42 -0
  435. package/backend/src/repositories/ServerRepository.js +27 -0
  436. package/backend/src/repositories/UserRepository.js +48 -0
  437. package/backend/src/server.js +21 -0
  438. package/backend/src/test-refactor.js +85 -0
  439. package/frontend/dist/assets/index-B1serztM.js +11210 -0
  440. package/frontend/dist/assets/index-t6K1u4OV.css +32 -0
  441. package/frontend/dist/index.html +2 -2
  442. package/frontend/package-lock.json +9437 -0
  443. package/frontend/package.json +8 -5
  444. package/package.json +3 -2
  445. package/screen/console.png +0 -0
  446. package/screen/dashboard.png +0 -0
  447. package/screen/graph_collabe.png +0 -0
  448. package/screen/graph_live_debug.png +0 -0
  449. package/screen/management_command.png +0 -0
  450. package/screen/node_debug_trace.png +0 -0
  451. package/screen/plugin_/320/276/320/261/320/267/320/276/321/200.png +0 -0
  452. package/screen/websocket.png +0 -0
  453. package/screen//320/275/320/260/321/201/321/202/321/200/320/276/320/271/320/272/320/270_/320/276/321/202/320/264/320/265/320/273/321/214/320/275/321/213/321/205_/320/272/320/276/320/274/320/260/320/275/320/264_/320/272/320/260/320/266/320/264/321/203_/320/272/320/276/320/274/320/260/320/275/320/273/320/264/321/203_/320/274/320/276/320/266/320/275/320/276_/320/275/320/260/321/201/321/202/321/200/320/260/320/270/320/262/320/260/321/202/321/214.png +0 -0
  454. package/screen//320/277/320/273/320/260/320/275/320/270/321/200/320/276/320/262/321/211/320/270/320/272_/320/274/320/276/320/266/320/275/320/276_/320/267/320/260/320/264/320/260/320/262/320/260/321/202/321/214_/320/264/320/265/320/271/321/201/321/202/320/262/320/270/321/217_/320/277/320/276_/320/262/321/200/320/265/320/274/320/265/320/275/320/270.png +0 -0
  455. package/frontend/dist/assets/index-B9GedHEa.js +0 -8352
  456. package/frontend/dist/assets/index-zLiy9MDx.css +0 -1
  457. package/nul +0 -0
  458. /package/backend/src/core/nodes/{action_http_request.js → actions/http_request.js} +0 -0
  459. /package/backend/src/core/nodes/{array_add_element.js → arrays/add_element.js} +0 -0
  460. /package/backend/src/core/nodes/{array_contains.js → arrays/contains.js} +0 -0
  461. /package/backend/src/core/nodes/{array_find_index.js → arrays/find_index.js} +0 -0
  462. /package/backend/src/core/nodes/{array_get_by_index.js → arrays/get_by_index.js} +0 -0
  463. /package/backend/src/core/nodes/{array_get_random_element.js → arrays/get_random_element.js} +0 -0
  464. /package/backend/src/core/nodes/{array_remove_by_index.js → arrays/remove_by_index.js} +0 -0
  465. /package/backend/src/core/nodes/{bot_get_position.js → bot/get_position.js} +0 -0
  466. /package/backend/src/core/nodes/{data_array_literal.js → data/array_literal.js} +0 -0
  467. /package/backend/src/core/nodes/{data_boolean_literal.js → data/boolean_literal.js} +0 -0
  468. /package/backend/src/core/nodes/{data_get_argument.js → data/get_argument.js} +0 -0
  469. /package/backend/src/core/nodes/{data_get_bot_look.js → data/get_bot_look.js} +0 -0
  470. /package/backend/src/core/nodes/{data_get_entity_field.js → data/get_entity_field.js} +0 -0
  471. /package/backend/src/core/nodes/{data_get_server_players.js → data/get_server_players.js} +0 -0
  472. /package/backend/src/core/nodes/{data_get_variable.js → data/get_variable.js} +0 -0
  473. /package/backend/src/core/nodes/{data_length.js → data/length.js} +0 -0
  474. /package/backend/src/core/nodes/{data_make_object.js → data/make_object.js} +0 -0
  475. /package/backend/src/core/nodes/{data_number_literal.js → data/number_literal.js} +0 -0
  476. /package/backend/src/core/nodes/{data_string_literal.js → data/string_literal.js} +0 -0
  477. /package/backend/src/core/nodes/{logic_compare.js → logic/compare.js} +0 -0
  478. /package/backend/src/core/nodes/{logic_operation.js → logic/operation.js} +0 -0
  479. /package/backend/src/core/nodes/{math_operation.js → math/operation.js} +0 -0
  480. /package/backend/src/core/nodes/{math_random_number.js → math/random_number.js} +0 -0
  481. /package/backend/src/core/nodes/{object_create.js → objects/create.js} +0 -0
  482. /package/backend/src/core/nodes/{object_delete.js → objects/delete.js} +0 -0
  483. /package/backend/src/core/nodes/{object_get.js → objects/get.js} +0 -0
  484. /package/backend/src/core/nodes/{object_has_key.js → objects/has_key.js} +0 -0
  485. /package/backend/src/core/nodes/{object_set.js → objects/set.js} +0 -0
  486. /package/backend/src/core/nodes/{string_concat.js → strings/concat.js} +0 -0
  487. /package/backend/src/core/nodes/{string_contains.js → strings/contains.js} +0 -0
  488. /package/backend/src/core/nodes/{string_ends_with.js → strings/ends_with.js} +0 -0
  489. /package/backend/src/core/nodes/{string_equals.js → strings/equals.js} +0 -0
  490. /package/backend/src/core/nodes/{string_length.js → strings/length.js} +0 -0
  491. /package/backend/src/core/nodes/{string_matches.js → strings/matches.js} +0 -0
  492. /package/backend/src/core/nodes/{string_split.js → strings/split.js} +0 -0
@@ -0,0 +1,711 @@
1
+ # Platform Security
2
+
3
+ Pod security standards, network policies, secrets management, vulnerability scanning, runtime security, and security best practices for Kubernetes platforms.
4
+
5
+ ## Table of Contents
6
+
7
+ - [Pod Security Standards](#pod-security-standards)
8
+ - [Network Security](#network-security)
9
+ - [Secrets Management](#secrets-management)
10
+ - [Image Security](#image-security)
11
+ - [Runtime Security](#runtime-security)
12
+ - [Access Control](#access-control)
13
+ - [Security Monitoring](#security-monitoring)
14
+ - [Best Practices](#best-practices)
15
+
16
+ ## Pod Security Standards
17
+
18
+ ### Privileged Policy (Least Restrictive)
19
+
20
+ ```yaml
21
+ # Allow all - NOT RECOMMENDED for production
22
+ apiVersion: v1
23
+ kind: Namespace
24
+ metadata:
25
+ name: system
26
+ labels:
27
+ pod-security.kubernetes.io/enforce: privileged
28
+ ```
29
+
30
+ ### Baseline Policy (Minimally Restrictive)
31
+
32
+ ```yaml
33
+ # Prevent known privilege escalations
34
+ apiVersion: v1
35
+ kind: Namespace
36
+ metadata:
37
+ name: staging
38
+ labels:
39
+ pod-security.kubernetes.io/enforce: baseline
40
+ pod-security.kubernetes.io/audit: restricted
41
+ pod-security.kubernetes.io/warn: restricted
42
+ ```
43
+
44
+ ### Restricted Policy (Most Secure - Production)
45
+
46
+ ```yaml
47
+ # Enforce hardening best practices
48
+ apiVersion: v1
49
+ kind: Namespace
50
+ metadata:
51
+ name: production
52
+ labels:
53
+ pod-security.kubernetes.io/enforce: restricted
54
+ pod-security.kubernetes.io/audit: restricted
55
+ pod-security.kubernetes.io/warn: restricted
56
+ ```
57
+
58
+ **Compliant Pod:**
59
+ ```yaml
60
+ apiVersion: v1
61
+ kind: Pod
62
+ metadata:
63
+ name: secure-app
64
+ namespace: production
65
+ spec:
66
+ # Pod-level security
67
+ securityContext:
68
+ runAsNonRoot: true
69
+ runAsUser: 1000
70
+ runAsGroup: 1000
71
+ fsGroup: 1000
72
+ seccompProfile:
73
+ type: RuntimeDefault
74
+ supplementalGroups: [1000]
75
+
76
+ # Service account (not default)
77
+ serviceAccountName: app-service-account
78
+ automountServiceAccountToken: false
79
+
80
+ containers:
81
+ - name: app
82
+ image: app:1.0
83
+ imagePullPolicy: Always
84
+
85
+ # Container-level security
86
+ securityContext:
87
+ allowPrivilegeEscalation: false
88
+ readOnlyRootFilesystem: true
89
+ runAsNonRoot: true
90
+ runAsUser: 1000
91
+ capabilities:
92
+ drop:
93
+ - ALL
94
+
95
+ # Resource limits (required)
96
+ resources:
97
+ requests:
98
+ memory: "128Mi"
99
+ cpu: "100m"
100
+ limits:
101
+ memory: "256Mi"
102
+ cpu: "500m"
103
+
104
+ # Writable volumes
105
+ volumeMounts:
106
+ - name: tmp
107
+ mountPath: /tmp
108
+ - name: cache
109
+ mountPath: /app/cache
110
+
111
+ volumes:
112
+ - name: tmp
113
+ emptyDir: {}
114
+ - name: cache
115
+ emptyDir: {}
116
+ ```
117
+
118
+ ## Network Security
119
+
120
+ ### Default Deny All Traffic
121
+
122
+ ```yaml
123
+ # Block all ingress and egress by default
124
+ apiVersion: networking.k8s.io/v1
125
+ kind: NetworkPolicy
126
+ metadata:
127
+ name: default-deny-all
128
+ namespace: production
129
+ spec:
130
+ podSelector: {}
131
+ policyTypes:
132
+ - Ingress
133
+ - Egress
134
+ ```
135
+
136
+ ### Allow DNS Only
137
+
138
+ ```yaml
139
+ apiVersion: networking.k8s.io/v1
140
+ kind: NetworkPolicy
141
+ metadata:
142
+ name: allow-dns-access
143
+ namespace: production
144
+ spec:
145
+ podSelector: {}
146
+ policyTypes:
147
+ - Egress
148
+ egress:
149
+ # Allow DNS queries
150
+ - to:
151
+ - namespaceSelector:
152
+ matchLabels:
153
+ name: kube-system
154
+ ports:
155
+ - protocol: UDP
156
+ port: 53
157
+ - protocol: TCP
158
+ port: 53
159
+ ```
160
+
161
+ ### Microsegmentation
162
+
163
+ ```yaml
164
+ # API service can only talk to database
165
+ apiVersion: networking.k8s.io/v1
166
+ kind: NetworkPolicy
167
+ metadata:
168
+ name: api-to-database
169
+ namespace: production
170
+ spec:
171
+ podSelector:
172
+ matchLabels:
173
+ app: api-service
174
+ policyTypes:
175
+ - Egress
176
+ egress:
177
+ # Allow DNS
178
+ - to:
179
+ - namespaceSelector:
180
+ matchLabels:
181
+ name: kube-system
182
+ ports:
183
+ - protocol: UDP
184
+ port: 53
185
+
186
+ # Allow database access
187
+ - to:
188
+ - podSelector:
189
+ matchLabels:
190
+ app: postgres
191
+ ports:
192
+ - protocol: TCP
193
+ port: 5432
194
+
195
+ # Allow external HTTPS (if needed)
196
+ - to:
197
+ - namespaceSelector: {}
198
+ ports:
199
+ - protocol: TCP
200
+ port: 443
201
+ ```
202
+
203
+ ### Ingress Controls
204
+
205
+ ```yaml
206
+ # Only allow traffic from ingress controller
207
+ apiVersion: networking.k8s.io/v1
208
+ kind: NetworkPolicy
209
+ metadata:
210
+ name: allow-from-ingress
211
+ namespace: production
212
+ spec:
213
+ podSelector:
214
+ matchLabels:
215
+ app: frontend
216
+ policyTypes:
217
+ - Ingress
218
+ ingress:
219
+ - from:
220
+ - namespaceSelector:
221
+ matchLabels:
222
+ name: ingress-nginx
223
+ - podSelector:
224
+ matchLabels:
225
+ app.kubernetes.io/name: ingress-nginx
226
+ ports:
227
+ - protocol: TCP
228
+ port: 8080
229
+ ```
230
+
231
+ ## Secrets Management
232
+
233
+ ### Kubernetes Secrets (Encrypted at Rest)
234
+
235
+ ```yaml
236
+ # Enable encryption at rest (kube-apiserver flag)
237
+ --encryption-provider-config=/etc/kubernetes/encryption-config.yaml
238
+
239
+ # encryption-config.yaml
240
+ apiVersion: apiserver.config.k8s.io/v1
241
+ kind: EncryptionConfiguration
242
+ resources:
243
+ - resources:
244
+ - secrets
245
+ providers:
246
+ - aescbc:
247
+ keys:
248
+ - name: key1
249
+ secret: <base64-encoded-32-byte-key>
250
+ - identity: {} # Fallback to plaintext
251
+ ```
252
+
253
+ **Create Secret:**
254
+ ```bash
255
+ kubectl create secret generic db-credentials \
256
+ --from-literal=username=admin \
257
+ --from-literal=password='super-secret-password' \
258
+ --namespace=production
259
+ ```
260
+
261
+ ### External Secrets Operator
262
+
263
+ **Install:**
264
+ ```bash
265
+ helm repo add external-secrets https://charts.external-secrets.io
266
+ helm install external-secrets \
267
+ external-secrets/external-secrets \
268
+ -n external-secrets-system \
269
+ --create-namespace
270
+ ```
271
+
272
+ **AWS Secrets Manager Integration:**
273
+ ```yaml
274
+ # SecretStore for AWS Secrets Manager
275
+ apiVersion: external-secrets.io/v1beta1
276
+ kind: SecretStore
277
+ metadata:
278
+ name: aws-secrets-manager
279
+ namespace: production
280
+ spec:
281
+ provider:
282
+ aws:
283
+ service: SecretsManager
284
+ region: us-east-1
285
+ auth:
286
+ jwt:
287
+ serviceAccountRef:
288
+ name: external-secrets-sa
289
+
290
+ ---
291
+ # External Secret
292
+ apiVersion: external-secrets.io/v1beta1
293
+ kind: ExternalSecret
294
+ metadata:
295
+ name: database-credentials
296
+ namespace: production
297
+ spec:
298
+ refreshInterval: 1h
299
+ secretStoreRef:
300
+ name: aws-secrets-manager
301
+ kind: SecretStore
302
+
303
+ target:
304
+ name: database-credentials
305
+ creationPolicy: Owner
306
+
307
+ data:
308
+ - secretKey: username
309
+ remoteRef:
310
+ key: prod/database/username
311
+
312
+ - secretKey: password
313
+ remoteRef:
314
+ key: prod/database/password
315
+
316
+ - secretKey: connection-string
317
+ remoteRef:
318
+ key: prod/database/connection-string
319
+ ```
320
+
321
+ **HashiCorp Vault Integration:**
322
+ ```yaml
323
+ apiVersion: external-secrets.io/v1beta1
324
+ kind: SecretStore
325
+ metadata:
326
+ name: vault-backend
327
+ namespace: production
328
+ spec:
329
+ provider:
330
+ vault:
331
+ server: "https://vault.company.com"
332
+ path: "secret"
333
+ version: "v2"
334
+ auth:
335
+ kubernetes:
336
+ mountPath: "kubernetes"
337
+ role: "external-secrets"
338
+ serviceAccountRef:
339
+ name: external-secrets-sa
340
+ ```
341
+
342
+ ### Sealed Secrets
343
+
344
+ ```bash
345
+ # Install sealed-secrets controller
346
+ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
347
+
348
+ # Install kubeseal CLI
349
+ brew install kubeseal
350
+
351
+ # Create sealed secret
352
+ echo -n 'super-secret' | kubectl create secret generic db-password \
353
+ --dry-run=client \
354
+ --from-file=password=/dev/stdin \
355
+ -o yaml | \
356
+ kubeseal -o yaml > sealed-secret.yaml
357
+
358
+ # Commit sealed secret to Git (safe to do)
359
+ git add sealed-secret.yaml
360
+ git commit -m "Add database password"
361
+ ```
362
+
363
+ ## Image Security
364
+
365
+ ### Image Scanning with Trivy
366
+
367
+ ```yaml
368
+ # Scan image before deployment
369
+ apiVersion: batch/v1
370
+ kind: Job
371
+ metadata:
372
+ name: trivy-scan
373
+ spec:
374
+ template:
375
+ spec:
376
+ containers:
377
+ - name: trivy
378
+ image: aquasec/trivy:latest
379
+ command:
380
+ - trivy
381
+ - image
382
+ - --exit-code
383
+ - "1" # Fail on vulnerabilities
384
+ - --severity
385
+ - CRITICAL,HIGH
386
+ - --no-progress
387
+ - company/api-service:v1.2.3
388
+ restartPolicy: Never
389
+ ```
390
+
391
+ **CI/CD Integration:**
392
+ ```yaml
393
+ # .github/workflows/security-scan.yaml
394
+ name: Security Scan
395
+
396
+ on: [push]
397
+
398
+ jobs:
399
+ trivy:
400
+ runs-on: ubuntu-latest
401
+ steps:
402
+ - uses: actions/checkout@v3
403
+
404
+ - name: Build image
405
+ run: docker build -t ${{ github.repository }}:${{ github.sha }} .
406
+
407
+ - name: Run Trivy scan
408
+ uses: aquasecurity/trivy-action@master
409
+ with:
410
+ image-ref: ${{ github.repository }}:${{ github.sha }}
411
+ format: 'sarif'
412
+ output: 'trivy-results.sarif'
413
+ severity: 'CRITICAL,HIGH'
414
+
415
+ - name: Upload results
416
+ uses: github/codeql-action/upload-sarif@v2
417
+ with:
418
+ sarif_file: 'trivy-results.sarif'
419
+ ```
420
+
421
+ ### Image Policy (Kyverno)
422
+
423
+ ```yaml
424
+ # Only allow images from trusted registries
425
+ apiVersion: kyverno.io/v1
426
+ kind: ClusterPolicy
427
+ metadata:
428
+ name: restrict-image-registries
429
+ spec:
430
+ validationFailureAction: enforce
431
+ background: false
432
+ rules:
433
+ - name: validate-registries
434
+ match:
435
+ any:
436
+ - resources:
437
+ kinds:
438
+ - Pod
439
+ validate:
440
+ message: "Images must be from approved registries"
441
+ pattern:
442
+ spec:
443
+ containers:
444
+ - image: "registry.company.com/* | ghcr.io/company/*"
445
+
446
+ ---
447
+ # Require image digest (not tags)
448
+ apiVersion: kyverno.io/v1
449
+ kind: ClusterPolicy
450
+ metadata:
451
+ name: require-image-digest
452
+ spec:
453
+ validationFailureAction: enforce
454
+ rules:
455
+ - name: check-image-digest
456
+ match:
457
+ any:
458
+ - resources:
459
+ kinds:
460
+ - Pod
461
+ validate:
462
+ message: "Images must use digest (not tags)"
463
+ pattern:
464
+ spec:
465
+ containers:
466
+ - image: "*@sha256:*"
467
+ ```
468
+
469
+ ### Vulnerability Admission Controller
470
+
471
+ ```yaml
472
+ # ImagePolicyWebhook admission controller
473
+ apiVersion: imagepolicy.k8s.io/v1alpha1
474
+ kind: ImageReview
475
+ spec:
476
+ containers:
477
+ - image: company/api-service:v1.2.3
478
+ annotations:
479
+ imagepolicy.k8s.io/policy: restricted
480
+ namespace: production
481
+ ```
482
+
483
+ ## Runtime Security
484
+
485
+ ### Falco Rules
486
+
487
+ ```yaml
488
+ # Install Falco
489
+ helm repo add falcosecurity https://falcosecurity.github.io/charts
490
+ helm install falco falcosecurity/falco \
491
+ --namespace falco-system \
492
+ --create-namespace \
493
+ --set driver.kind=ebpf
494
+
495
+ # Custom rules
496
+ # /etc/falco/falco_rules.local.yaml
497
+ - rule: Unauthorized Process in Container
498
+ desc: Detect unexpected process spawned in container
499
+ condition: >
500
+ spawned_process and
501
+ container and
502
+ not proc.name in (node, npm, python, java)
503
+ output: >
504
+ Unexpected process spawned in container
505
+ (user=%user.name command=%proc.cmdline container=%container.name)
506
+ priority: WARNING
507
+ tags: [container, process]
508
+
509
+ - rule: Write to Non-Temp Directory
510
+ desc: Detect writes to non-temporary directories
511
+ condition: >
512
+ open_write and
513
+ container and
514
+ not fd.name pmatch (/tmp/*, /var/tmp/*)
515
+ output: >
516
+ Write to non-temp directory in container
517
+ (user=%user.name file=%fd.name container=%container.name)
518
+ priority: WARNING
519
+ ```
520
+
521
+ ### AppArmor
522
+
523
+ ```yaml
524
+ # Load AppArmor profile
525
+ apiVersion: v1
526
+ kind: Pod
527
+ metadata:
528
+ name: secure-app
529
+ annotations:
530
+ container.apparmor.security.beta.kubernetes.io/app: localhost/k8s-apparmor-example
531
+ spec:
532
+ containers:
533
+ - name: app
534
+ image: app:1.0
535
+ ```
536
+
537
+ **AppArmor Profile:**
538
+ ```
539
+ #include <tunables/global>
540
+
541
+ profile k8s-apparmor-example flags=(attach_disconnected) {
542
+ #include <abstractions/base>
543
+
544
+ # Allow network access
545
+ network,
546
+
547
+ # Allow reading from /tmp
548
+ /tmp/** r,
549
+
550
+ # Deny everything else by default
551
+ deny /** w,
552
+ }
553
+ ```
554
+
555
+ ## Access Control
556
+
557
+ ### RBAC Least Privilege
558
+
559
+ ```yaml
560
+ # Read-only access to pods
561
+ apiVersion: rbac.authorization.k8s.io/v1
562
+ kind: Role
563
+ metadata:
564
+ name: pod-reader
565
+ namespace: production
566
+ rules:
567
+ - apiGroups: [""]
568
+ resources: ["pods", "pods/log"]
569
+ verbs: ["get", "list", "watch"]
570
+
571
+ ---
572
+ # Deploy-only access
573
+ apiVersion: rbac.authorization.k8s.io/v1
574
+ kind: Role
575
+ metadata:
576
+ name: deployment-manager
577
+ namespace: production
578
+ rules:
579
+ - apiGroups: ["apps"]
580
+ resources: ["deployments"]
581
+ verbs: ["get", "list", "watch", "update", "patch"]
582
+ - apiGroups: [""]
583
+ resources: ["pods"]
584
+ verbs: ["get", "list"]
585
+
586
+ ---
587
+ # Bind to service account
588
+ apiVersion: rbac.authorization.k8s.io/v1
589
+ kind: RoleBinding
590
+ metadata:
591
+ name: ci-deployer
592
+ namespace: production
593
+ subjects:
594
+ - kind: ServiceAccount
595
+ name: github-actions
596
+ namespace: production
597
+ roleRef:
598
+ kind: Role
599
+ name: deployment-manager
600
+ apiGroup: rbac.authorization.k8s.io
601
+ ```
602
+
603
+ ### Audit Logging
604
+
605
+ ```yaml
606
+ # Audit policy
607
+ apiVersion: audit.k8s.io/v1
608
+ kind: Policy
609
+ rules:
610
+ # Log all requests at RequestResponse level
611
+ - level: RequestResponse
612
+ omitStages:
613
+ - RequestReceived
614
+ verbs: ["create", "update", "patch", "delete"]
615
+
616
+ # Log metadata for reads
617
+ - level: Metadata
618
+ verbs: ["get", "list", "watch"]
619
+
620
+ # Don't log these
621
+ - level: None
622
+ users: ["system:kube-proxy"]
623
+ verbs: ["watch"]
624
+ resources:
625
+ - group: ""
626
+ resources: ["endpoints", "services"]
627
+ ```
628
+
629
+ ## Security Monitoring
630
+
631
+ ### Prometheus Alerts
632
+
633
+ ```yaml
634
+ # alerts.yaml
635
+ groups:
636
+ - name: security
637
+ interval: 30s
638
+ rules:
639
+ # Alert on privileged pods
640
+ - alert: PrivilegedPodDetected
641
+ expr: |
642
+ kube_pod_container_status_running == 1
643
+ and
644
+ kube_pod_security_context_privileged == 1
645
+ for: 5m
646
+ annotations:
647
+ summary: "Privileged pod detected: {{ $labels.pod }}"
648
+
649
+ # Alert on excessive RBAC permissions
650
+ - alert: ExcessiveRBACPermissions
651
+ expr: |
652
+ kube_role_rules{verb="*"} > 0
653
+ annotations:
654
+ summary: "Role with wildcard permissions: {{ $labels.role }}"
655
+
656
+ # Alert on failed auth attempts
657
+ - alert: AuthenticationFailures
658
+ expr: |
659
+ rate(apiserver_audit_event_total{verb="create",objectRef_resource="serviceaccounts/token",responseStatus_code="401"}[5m]) > 5
660
+ annotations:
661
+ summary: "High rate of authentication failures"
662
+ ```
663
+
664
+ ## Best Practices
665
+
666
+ ### 1. Defense in Depth
667
+
668
+ Implement multiple layers of security controls.
669
+
670
+ ### 2. Least Privilege
671
+
672
+ Grant minimum necessary permissions.
673
+
674
+ ### 3. Network Segmentation
675
+
676
+ Use network policies to restrict traffic.
677
+
678
+ ### 4. Secrets Management
679
+
680
+ Never commit secrets to Git, use external secrets.
681
+
682
+ ### 5. Image Security
683
+
684
+ Scan images, use trusted registries, require digests.
685
+
686
+ ### 6. Runtime Protection
687
+
688
+ Monitor and detect anomalous behavior.
689
+
690
+ ### 7. Regular Updates
691
+
692
+ Keep Kubernetes and all components updated.
693
+
694
+ ### 8. Audit Everything
695
+
696
+ Enable comprehensive audit logging.
697
+
698
+ ### 9. Immutable Infrastructure
699
+
700
+ Use read-only root filesystems.
701
+
702
+ ### 10. Security as Code
703
+
704
+ Automate security testing in CI/CD.
705
+
706
+ ---
707
+
708
+ **Related Resources:**
709
+ - [infrastructure-standards.md](infrastructure-standards.md) - Security baselines
710
+ - [container-orchestration.md](container-orchestration.md) - Pod security
711
+ - [multi-tenancy.md](multi-tenancy.md) - Isolation and RBAC