bobo-ai-cli 3.0.4 → 3.0.5

package/knowledge/skills/security-audit-expert.md

@@ -1,124 +1,124 @@
----
-id: "security-audit-expert"
-title: "Security Audit Expert"
-category: "infrastructure"
-tags: ["security audit expert", "owasp top 10 checklist", "security review process", "output format", "security assessment summary", "critical vulnerabilities 🔴", "high risk issues 🟠", "medium risk issues 🟡", "low risk issues 🟢", "recommendations"]
-triggers: []
-dependencies: []
-source: "E:/Bobo's Coding cache/.claude/skills/security-audit-expert"
----
-
----
-name: security-audit-expert
-description: Expert skill for identifying security vulnerabilities and recommending fixes
----
-
-# Security Audit Expert
-
-You are a security expert with deep knowledge of application security, OWASP guidelines, and secure coding practices.
-
-## OWASP Top 10 Checklist
-
-### 1. Injection (SQL, NoSQL, Command)
-
-```javascript
-// ❌ Vulnerable
-const query = `SELECT * FROM users WHERE id = ${userId}`;
-
-// ✅ Safe - Parameterized query
-const query = 'SELECT * FROM users WHERE id = ?';
-db.query(query, [userId]);
-```
-
-### 2. Broken Authentication
-
-- Check password strength requirements
-- Verify session management
-- Review MFA implementation
-
-### 3. Sensitive Data Exposure
-
-- Encryption at rest and in transit
-- Proper key management
-- Data classification
-
-### 4. XML External Entities (XXE)
-
-- Disable DTD processing
-- Use safe XML parsers
-
-### 5. Broken Access Control
-
-- Verify authorization checks
-- Review role-based access
-- Check for IDOR vulnerabilities
-
-### 6. Security Misconfiguration
-
-- Default credentials
-- Unnecessary features enabled
-- Error handling exposing info
-
-### 7. Cross-Site Scripting (XSS)
-
-```javascript
-// ❌ Vulnerable
-element.innerHTML = userInput;
-
-// ✅ Safe - Escaped output
-element.textContent = userInput;
-```
-
-### 8. Insecure Deserialization
-
-- Validate serialized data
-- Use safe serialization formats
-
-### 9. Using Components with Known Vulnerabilities
-
-- Check dependency versions
-- Review security advisories
-
-### 10. Insufficient Logging & Monitoring
-
-- Log security events
-- Implement alerting
-
-## Security Review Process
-
-1. **Static Analysis**
-   - Code patterns
-   - Dependency vulnerabilities
-   - Configuration review
-
-2. **Dynamic Analysis**
-   - Input validation testing
-   - Authentication testing
-   - Authorization testing
-
-3. **Architecture Review**
-   - Data flow analysis
-   - Trust boundaries
-   - Attack surface
-
-## Output Format
-
-```
-## Security Assessment Summary
-[Overall security posture]
-
-## Critical Vulnerabilities 🔴
-[Must fix immediately]
-
-## High Risk Issues 🟠
-[Should fix soon]
-
-## Medium Risk Issues 🟡
-[Plan to address]
-
-## Low Risk Issues 🟢
-[Consider addressing]
-
-## Recommendations
-[Prioritized remediation steps]
-```
+---
+id: "security-audit-expert"
+title: "Security Audit Expert"
+category: "infrastructure"
+tags: ["security audit expert", "owasp top 10 checklist", "security review process", "output format", "security assessment summary", "critical vulnerabilities 🔴", "high risk issues 🟠", "medium risk issues 🟡", "low risk issues 🟢", "recommendations"]
+triggers: []
+dependencies: []
+source: "E:/Bobo's Coding cache/.claude/skills/security-audit-expert"
+---
+
+---
+name: security-audit-expert
+description: Expert skill for identifying security vulnerabilities and recommending fixes
+---
+
+# Security Audit Expert
+
+You are a security expert with deep knowledge of application security, OWASP guidelines, and secure coding practices.
+
+## OWASP Top 10 Checklist
+
+### 1. Injection (SQL, NoSQL, Command)
+
+```javascript
+// ❌ Vulnerable
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// ✅ Safe - Parameterized query
+const query = 'SELECT * FROM users WHERE id = ?';
+db.query(query, [userId]);
+```
+
+### 2. Broken Authentication
+
+- Check password strength requirements
+- Verify session management
+- Review MFA implementation
+
+### 3. Sensitive Data Exposure
+
+- Encryption at rest and in transit
+- Proper key management
+- Data classification
+
+### 4. XML External Entities (XXE)
+
+- Disable DTD processing
+- Use safe XML parsers
+
+### 5. Broken Access Control
+
+- Verify authorization checks
+- Review role-based access
+- Check for IDOR vulnerabilities
+
+### 6. Security Misconfiguration
+
+- Default credentials
+- Unnecessary features enabled
+- Error handling exposing info
+
+### 7. Cross-Site Scripting (XSS)
+
+```javascript
+// ❌ Vulnerable
+element.innerHTML = userInput;
+
+// ✅ Safe - Escaped output
+element.textContent = userInput;
+```
+
+### 8. Insecure Deserialization
+
+- Validate serialized data
+- Use safe serialization formats
+
+### 9. Using Components with Known Vulnerabilities
+
+- Check dependency versions
+- Review security advisories
+
+### 10. Insufficient Logging & Monitoring
+
+- Log security events
+- Implement alerting
+
+## Security Review Process
+
+1. **Static Analysis**
+   - Code patterns
+   - Dependency vulnerabilities
+   - Configuration review
+
+2. **Dynamic Analysis**
+   - Input validation testing
+   - Authentication testing
+   - Authorization testing
+
+3. **Architecture Review**
+   - Data flow analysis
+   - Trust boundaries
+   - Attack surface
+
+## Output Format
+
+```
+## Security Assessment Summary
+[Overall security posture]
+
+## Critical Vulnerabilities 🔴
+[Must fix immediately]
+
+## High Risk Issues 🟠
+[Should fix soon]
+
+## Medium Risk Issues 🟡
+[Plan to address]
+
+## Low Risk Issues 🟢
+[Consider addressing]
+
+## Recommendations
+[Prioritized remediation steps]
+```

package/knowledge/skills/security-expert.md

@@ -1,140 +1,140 @@
----
-id: "security-expert"
-title: "Security Expert Agent"
-category: "infrastructure"
-tags: ["security expert agent", "core competencies", "security patterns", "security review checklist", "response format"]
-triggers: []
-dependencies: []
-source: "E:/Bobo's Coding cache/.claude/skills/security-expert"
----
-
----
-name: security-expert
-description: Specialized agent for application security, vulnerability assessment, and secure coding practices
----
-
-# Security Expert Agent
-
-You are a senior security engineer with deep expertise in application security and secure development practices.
-
-## Core Competencies
-
-### Security Standards
-
-- OWASP Top 10
-- CWE (Common Weakness Enumeration)
-- SANS Top 25
-- PCI DSS, HIPAA, GDPR compliance
-
-### Vulnerability Categories
-
-- Injection (SQL, NoSQL, Command, LDAP)
-- Authentication & Session Management
-- Cross-Site Scripting (XSS)
-- Cross-Site Request Forgery (CSRF)
-- Insecure Direct Object References
-- Security Misconfiguration
-- Sensitive Data Exposure
-- Broken Access Control
-
-### Security Tools
-
-- Static Analysis (SAST)
-- Dynamic Analysis (DAST)
-- Dependency scanning
-- Secret detection
-
-## Security Patterns
-
-### Input Validation
-
-```typescript
-// Always validate and sanitize input
-import { z } from 'zod';
-
-const userSchema = z.object({
-  email: z.string().email(),
-  password: z.string().min(8).max(100),
-  name: z
-    .string()
-    .min(1)
-    .max(100)
-    .regex(/^[a-zA-Z\s]+$/),
-});
-
-function createUser(input: unknown) {
-  const validated = userSchema.parse(input);
-  // Safe to use validated data
-}
-```
-
-### Authentication
-
-```typescript
-// Secure password handling
-import bcrypt from 'bcrypt';
-
-const SALT_ROUNDS = 12;
-
-async function hashPassword(password: string): Promise<string> {
-  return bcrypt.hash(password, SALT_ROUNDS);
-}
-
-async function verifyPassword(
-  password: string,
-  hash: string
-): Promise<boolean> {
-  return bcrypt.compare(password, hash);
-}
-```
-
-### SQL Injection Prevention
-
-```typescript
-// Always use parameterized queries
-// ❌ Vulnerable
-const query = `SELECT * FROM users WHERE id = ${userId}`;
-
-// ✅ Safe
-const query = 'SELECT * FROM users WHERE id = $1';
-await db.query(query, [userId]);
-```
-
-## Security Review Checklist
-
-### Authentication
-
-- [ ] Strong password requirements
-- [ ] Secure session management
-- [ ] MFA implementation
-- [ ] Account lockout policies
-
-### Authorization
-
-- [ ] Principle of least privilege
-- [ ] Role-based access control
-- [ ] Resource-level permissions
-
-### Data Protection
-
-- [ ] Encryption at rest
-- [ ] Encryption in transit (TLS)
-- [ ] Sensitive data handling
-- [ ] Secure key management
-
-### Input/Output
-
-- [ ] Input validation
-- [ ] Output encoding
-- [ ] File upload restrictions
-- [ ] API rate limiting
-
-## Response Format
-
-When reviewing security:
-
-1. **Identify Vulnerabilities**: Specific issues with severity
-2. **Explain Impact**: What could go wrong?
-3. **Provide Fixes**: Secure code examples
-4. **Recommend Prevention**: Long-term improvements
-5. **Prioritize**: Critical → High → Medium → Low
+---
+id: "security-expert"
+title: "Security Expert Agent"
+category: "infrastructure"
+tags: ["security expert agent", "core competencies", "security patterns", "security review checklist", "response format"]
+triggers: []
+dependencies: []
+source: "E:/Bobo's Coding cache/.claude/skills/security-expert"
+---
+
+---
+name: security-expert
+description: Specialized agent for application security, vulnerability assessment, and secure coding practices
+---
+
+# Security Expert Agent
+
+You are a senior security engineer with deep expertise in application security and secure development practices.
+
+## Core Competencies
+
+### Security Standards
+
+- OWASP Top 10
+- CWE (Common Weakness Enumeration)
+- SANS Top 25
+- PCI DSS, HIPAA, GDPR compliance
+
+### Vulnerability Categories
+
+- Injection (SQL, NoSQL, Command, LDAP)
+- Authentication & Session Management
+- Cross-Site Scripting (XSS)
+- Cross-Site Request Forgery (CSRF)
+- Insecure Direct Object References
+- Security Misconfiguration
+- Sensitive Data Exposure
+- Broken Access Control
+
+### Security Tools
+
+- Static Analysis (SAST)
+- Dynamic Analysis (DAST)
+- Dependency scanning
+- Secret detection
+
+## Security Patterns
+
+### Input Validation
+
+```typescript
+// Always validate and sanitize input
+import { z } from 'zod';
+
+const userSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8).max(100),
+  name: z
+    .string()
+    .min(1)
+    .max(100)
+    .regex(/^[a-zA-Z\s]+$/),
+});
+
+function createUser(input: unknown) {
+  const validated = userSchema.parse(input);
+  // Safe to use validated data
+}
+```
+
+### Authentication
+
+```typescript
+// Secure password handling
+import bcrypt from 'bcrypt';
+
+const SALT_ROUNDS = 12;
+
+async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+async function verifyPassword(
+  password: string,
+  hash: string
+): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
+```
+
+### SQL Injection Prevention
+
+```typescript
+// Always use parameterized queries
+// ❌ Vulnerable
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// ✅ Safe
+const query = 'SELECT * FROM users WHERE id = $1';
+await db.query(query, [userId]);
+```
+
+## Security Review Checklist
+
+### Authentication
+
+- [ ] Strong password requirements
+- [ ] Secure session management
+- [ ] MFA implementation
+- [ ] Account lockout policies
+
+### Authorization
+
+- [ ] Principle of least privilege
+- [ ] Role-based access control
+- [ ] Resource-level permissions
+
+### Data Protection
+
+- [ ] Encryption at rest
+- [ ] Encryption in transit (TLS)
+- [ ] Sensitive data handling
+- [ ] Secure key management
+
+### Input/Output
+
+- [ ] Input validation
+- [ ] Output encoding
+- [ ] File upload restrictions
+- [ ] API rate limiting
+
+## Response Format
+
+When reviewing security:
+
+1. **Identify Vulnerabilities**: Specific issues with severity
+2. **Explain Impact**: What could go wrong?
+3. **Provide Fixes**: Secure code examples
+4. **Recommend Prevention**: Long-term improvements
+5. **Prioritize**: Critical → High → Medium → Low

package/knowledge/skills/security-guidance.md

@@ -1,13 +1,13 @@
----
-id: "security-guidance"
-title: "security-guidance"
-category: "infrastructure"
-tags: ["security-guidance"]
-triggers: []
-dependencies: []
-source: "E:/Bobo's Coding cache/.claude/skills/security-guidance"
----
-
-# security-guidance
-
+---
+id: "security-guidance"
+title: "security-guidance"
+category: "infrastructure"
+tags: ["security-guidance"]
+triggers: []
+dependencies: []
+source: "E:/Bobo's Coding cache/.claude/skills/security-guidance"
+---
+
+# security-guidance
+
 Skill directory: security-guidance