npm - bros-harness - Versions diffs - 0.1.0 - Mend

bros-harness 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (187) hide show

package/assets/opencode/skills/search-first/SKILL.md ADDED Viewed

@@ -0,0 +1,181 @@
+---
+name: search-first
+description: Research-before-coding workflow. Search for existing tools, libraries, and patterns before writing custom code. Invokes the bro-explore agent.
+origin: ECC
+---
+# /search-first — Research Before You Code
+Systematizes the "search for existing solutions before implementing" workflow.
+## Trigger
+Use this skill when:
+- Starting a new feature that likely has existing solutions
+- Adding a dependency or integration
+- The user asks "add X functionality" and you're about to write code
+- Before creating a new utility, helper, or abstraction
+## Workflow
+```
+┌─────────────────────────────────────────────┐
+│  0. TOOL AVAILABILITY PREFLIGHT             │
+│     Check search channels before relying on │
+│     them; report skipped channels honestly   │
+├─────────────────────────────────────────────┤
+│  1. NEED ANALYSIS                           │
+│     Define what functionality is needed      │
+│     Identify language/framework constraints  │
+├─────────────────────────────────────────────┤
+│  2. PARALLEL SEARCH (bro-explore agent)     │
+│     ┌──────────┐ ┌──────────┐ ┌──────────┐  │
+│     │  npm /   │ │  MCP /   │ │  GitHub / │  │
+│     │  PyPI    │ │  Skills  │ │  Web      │  │
+│     └──────────┘ └──────────┘ └──────────┘  │
+├─────────────────────────────────────────────┤
+│  3. EVALUATE                                │
+│     Score candidates (functionality, maint, │
+│     community, docs, license, deps)         │
+├─────────────────────────────────────────────┤
+│  4. DECIDE                                  │
+│     ┌─────────┐  ┌──────────┐  ┌─────────┐  │
+│     │  Adopt  │  │  Extend  │  │  Build   │  │
+│     │ as-is   │  │  /Wrap   │  │  Custom  │  │
+│     └─────────┘  └──────────┘  └─────────┘  │
+├─────────────────────────────────────────────┤
+│  5. IMPLEMENT                               │
+│     Install package / Configure MCP /       │
+│     Write minimal custom code               │
+└─────────────────────────────────────────────┘
+```
+## Decision Matrix
+| Signal | Action |
+|--------|--------|
+| Exact match, well-maintained, MIT/Apache | **Adopt** — install and use directly |
+| Partial match, good foundation | **Extend** — install + write thin wrapper |
+| Multiple weak matches | **Compose** — combine 2-3 small packages |
+| Nothing suitable found | **Build** — write custom, but informed by research |
+## How to Use
+### Step 0: Tool Availability Preflight
+This is agent guidance, not an executable setup script. Check only the channels
+that are relevant to the task and project in front of you.
+| Channel | Check | If missing |
+|---------|-------|------------|
+| Repository search | `rg --files` and targeted `rg` queries | State that only visible files were inspected |
+| Package registry | `npm --version`, `python -m pip --version`, or project package manager | Use web/docs search and avoid claiming registry coverage |
+| GitHub CLI | `gh auth status` | Use public web or local git history only |
+| MCP/docs tools | Available tool list or local MCP config | Fall back to official docs/web search |
+| Skills directory | Inspect `bundled BROS skill pack` and `user-added OpenCode skills directory` | Say no local OpenCode skill catalog was available |
+### Quick Mode (inline)
+Before writing a utility or adding functionality, mentally run through:
+0. Does this already exist in the repo? → `rg` through relevant modules/tests first
+1. Is this a common problem? → Search npm/PyPI
+2. Is there an MCP for this? → Check active OpenCode tool availability and search
+3. Is there a skill for this? → Check `bundled BROS skill pack` and `user-added OpenCode skills directory`
+4. Is there a GitHub implementation/template? → Run GitHub code search for maintained OSS before writing net-new code
+### Full Mode (agent)
+For non-trivial functionality, launch the canonical BROS Explorer agent (`bro-explore`):
+```
+Agent(subagent_type="bro-explore", prompt="
+  Research existing tools for: [DESCRIPTION]
+  Language/framework: [LANG]
+  Constraints: [ANY]
+  Search: npm/PyPI, MCP servers, OpenCode skills, GitHub
+  Return: Evidence packet with citations, limitations, and options; do not decide or implement
+")
+```
+Use the current agent/subagent tool name exposed by the active harness.
+## Search Shortcuts by Category
+### Development Tooling
+- Linting → `eslint`, `ruff`, `textlint`, `markdownlint`
+- Formatting → `prettier`, `black`, `gofmt`
+- Testing → `jest`, `pytest`, `go test`
+- Pre-commit → `husky`, `lint-staged`, `pre-commit`
+### AI/LLM Integration
+- Claude SDK → Context7 for latest docs
+- Prompt management → Check MCP servers
+- Document processing → `unstructured`, `pdfplumber`, `mammoth`
+### Data & APIs
+- HTTP clients → `httpx` (Python), `ky`/`undici` (Node)
+- Validation → `zod` (TS), `pydantic` (Python)
+- Database → Check for MCP servers first
+### Content & Publishing
+- Markdown processing → `remark`, `unified`, `markdown-it`
+- Image optimization → `sharp`, `imagemin`
+## Integration Points
+### With Orchestrator agent
+The Orchestrator should invoke `bro-explore` before Phase 1 (Architecture Review):
+- `bro-explore` identifies available tools
+- Orchestrator incorporates them into the implementation plan
+- Avoids "reinventing the wheel" in the plan
+### With architect agent
+The architect should consult `bro-explore` for:
+- Technology stack decisions
+- Integration pattern discovery
+- Existing reference architectures
+### With iterative-retrieval skill
+Combine for progressive discovery:
+- Cycle 1: Broad search (npm, PyPI, MCP)
+- Cycle 2: Evaluate top candidates in detail
+- Cycle 3: Test fit with project constraints
+## Examples
+### Example 1: "Add dead link checking"
+```
+Need: Check markdown files for broken links
+Search: npm "markdown dead link checker"
+Found: textlint-rule-no-dead-link (score: 9/10)
+Action: ADOPT — npm install textlint-rule-no-dead-link
+Result: Zero custom code, battle-tested solution
+```
+### Example 2: "Add HTTP client wrapper"
+```
+Need: Resilient HTTP client with retries and timeout handling
+Search: npm "http client retry", PyPI "httpx retry"
+Found: got (Node) with retry plugin, httpx (Python) with built-in retry
+Action: ADOPT — use got/httpx directly with retry config
+Result: Zero custom code, production-proven libraries
+```
+### Example 3: "Add config file linter"
+```
+Need: Validate project config files against a schema
+Search: npm "config linter schema", "json schema validator cli"
+Found: ajv-cli (score: 8/10)
+Action: ADOPT + EXTEND — install ajv-cli, write project-specific schema
+Result: 1 package + 1 schema file, no custom validation logic
+```
+## Anti-Patterns
+- **Jumping to code**: Writing a utility without checking if one exists
+- **Ignoring MCP**: Not checking if an MCP server already provides the capability
+- **Silent skipping**: Reporting "nothing found" when a search channel was unavailable
+- **Over-customizing**: Wrapping a library so heavily it loses its benefits
+- **Dependency bloat**: Installing a massive package for one small feature

package/assets/opencode/skills/security-review/.openskills.json ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "source": "affaan-m/everything-claude-code",
+  "sourceType": "git",
+  "repoUrl": "https://github.com/affaan-m/everything-claude-code",
+  "subpath": "skills/security-review",
+  "installedAt": "2026-04-16T03:02:35.610Z"
+}

package/assets/opencode/skills/security-review/agents/openai.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+interface:
+  display_name: "Security Review"
+  short_description: "Comprehensive security checklist and vulnerability detection"
+  brand_color: "#EF4444"
+  default_prompt: "Run security checklist: secrets, input validation, injection prevention"
+policy:
+  allow_implicit_invocation: true

package/assets/opencode/skills/security-review/cloud-infrastructure-security.md ADDED Viewed

@@ -0,0 +1,361 @@
+| name | description |
+|------|-------------|
+| cloud-infrastructure-security | Use this skill when deploying to cloud platforms, configuring infrastructure, managing IAM policies, setting up logging/monitoring, or implementing CI/CD pipelines. Provides cloud security checklist aligned with best practices. |
+# Cloud & Infrastructure Security Skill
+This skill ensures cloud infrastructure, CI/CD pipelines, and deployment configurations follow security best practices and comply with industry standards.
+## When to Activate
+- Deploying applications to cloud platforms (AWS, Vercel, Railway, Cloudflare)
+- Configuring IAM roles and permissions
+- Setting up CI/CD pipelines
+- Implementing infrastructure as code (Terraform, CloudFormation)
+- Configuring logging and monitoring
+- Managing secrets in cloud environments
+- Setting up CDN and edge security
+- Implementing disaster recovery and backup strategies
+## Cloud Security Checklist
+### 1. IAM & Access Control
+#### Principle of Least Privilege
+```yaml
+# PASS: CORRECT: Minimal permissions
+iam_role:
+  permissions:
+    - s3:GetObject  # Only read access
+    - s3:ListBucket
+  resources:
+    - arn:aws:s3:::my-bucket/*  # Specific bucket only
+# FAIL: WRONG: Overly broad permissions
+iam_role:
+  permissions:
+    - s3:*  # All S3 actions
+  resources:
+    - "*"  # All resources
+```
+#### Multi-Factor Authentication (MFA)
+```bash
+# ALWAYS enable MFA for root/admin accounts
+aws iam enable-mfa-device \
+  --user-name admin \
+  --serial-number arn:aws:iam::123456789:mfa/admin \
+  --authentication-code1 123456 \
+  --authentication-code2 789012
+```
+#### Verification Steps
+- [ ] No root account usage in production
+- [ ] MFA enabled for all privileged accounts
+- [ ] Service accounts use roles, not long-lived credentials
+- [ ] IAM policies follow least privilege
+- [ ] Regular access reviews conducted
+- [ ] Unused credentials rotated or removed
+### 2. Secrets Management
+#### Cloud Secrets Managers
+```typescript
+// PASS: CORRECT: Use cloud secrets manager
+import { SecretsManager } from '@aws-sdk/client-secrets-manager';
+const client = new SecretsManager({ region: 'us-east-1' });
+const secret = await client.getSecretValue({ SecretId: 'prod/api-key' });
+const apiKey = JSON.parse(secret.SecretString).key;
+// FAIL: WRONG: Hardcoded or in environment variables only
+const apiKey = process.env.API_KEY; // Not rotated, not audited
+```
+#### Secrets Rotation
+```bash
+# Set up automatic rotation for database credentials
+aws secretsmanager rotate-secret \
+  --secret-id prod/db-password \
+  --rotation-lambda-arn arn:aws:lambda:region:account:function:rotate \
+  --rotation-rules AutomaticallyAfterDays=30
+```
+#### Verification Steps
+- [ ] All secrets stored in cloud secrets manager (AWS Secrets Manager, Vercel Secrets)
+- [ ] Automatic rotation enabled for database credentials
+- [ ] API keys rotated at least quarterly
+- [ ] No secrets in code, logs, or error messages
+- [ ] Audit logging enabled for secret access
+### 3. Network Security
+#### VPC and Firewall Configuration
+```terraform
+# PASS: CORRECT: Restricted security group
+resource "aws_security_group" "app" {
+  name = "app-sg"
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["10.0.0.0/16"]  # Internal VPC only
+  }
+  egress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]  # Only HTTPS outbound
+  }
+}
+# FAIL: WRONG: Open to the internet
+resource "aws_security_group" "bad" {
+  ingress {
+    from_port   = 0
+    to_port     = 65535
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]  # All ports, all IPs!
+  }
+}
+```
+#### Verification Steps
+- [ ] Database not publicly accessible
+- [ ] SSH/RDP ports restricted to VPN/bastion only
+- [ ] Security groups follow least privilege
+- [ ] Network ACLs configured
+- [ ] VPC flow logs enabled
+### 4. Logging & Monitoring
+#### CloudWatch/Logging Configuration
+```typescript
+// PASS: CORRECT: Comprehensive logging
+import { CloudWatchLogsClient, CreateLogStreamCommand } from '@aws-sdk/client-cloudwatch-logs';
+const logSecurityEvent = async (event: SecurityEvent) => {
+  await cloudwatch.putLogEvents({
+    logGroupName: '/aws/security/events',
+    logStreamName: 'authentication',
+    logEvents: [{
+      timestamp: Date.now(),
+      message: JSON.stringify({
+        type: event.type,
+        userId: event.userId,
+        ip: event.ip,
+        result: event.result,
+        // Never log sensitive data
+      })
+    }]
+  });
+};
+```
+#### Verification Steps
+- [ ] CloudWatch/logging enabled for all services
+- [ ] Failed authentication attempts logged
+- [ ] Admin actions audited
+- [ ] Log retention configured (90+ days for compliance)
+- [ ] Alerts configured for suspicious activity
+- [ ] Logs centralized and tamper-proof
+### 5. CI/CD Pipeline Security
+#### Secure Pipeline Configuration
+```yaml
+# PASS: CORRECT: Secure GitHub Actions workflow
+name: Deploy
+on:
+  push:
+    branches: [main]
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # Minimal permissions
+    steps:
+      - uses: actions/checkout@v4
+      # Scan for secrets
+      - name: Secret scanning
+        uses: trufflesecurity/trufflehog@main
+      # Dependency audit
+      - name: Audit dependencies
+        run: npm audit --audit-level=high
+      # Use OIDC, not long-lived tokens
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          role-to-assume: arn:aws:iam::123456789:role/GitHubActionsRole
+          aws-region: us-east-1
+```
+#### Supply Chain Security
+```json
+// package.json - Use lock files and integrity checks
+{
+  "scripts": {
+    "install": "npm ci",  // Use ci for reproducible builds
+    "audit": "npm audit --audit-level=moderate",
+    "check": "npm outdated"
+  }
+}
+```
+#### Verification Steps
+- [ ] OIDC used instead of long-lived credentials
+- [ ] Secrets scanning in pipeline
+- [ ] Dependency vulnerability scanning
+- [ ] Container image scanning (if applicable)
+- [ ] Branch protection rules enforced
+- [ ] Code review required before merge
+- [ ] Signed commits enforced
+### 6. Cloudflare & CDN Security
+#### Cloudflare Security Configuration
+```typescript
+// PASS: CORRECT: Cloudflare Workers with security headers
+export default {
+  async fetch(request: Request): Promise<Response> {
+    const response = await fetch(request);
+    // Add security headers
+    const headers = new Headers(response.headers);
+    headers.set('X-Frame-Options', 'DENY');
+    headers.set('X-Content-Type-Options', 'nosniff');
+    headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
+    headers.set('Permissions-Policy', 'geolocation=(), microphone=()');
+    return new Response(response.body, {
+      status: response.status,
+      headers
+    });
+  }
+};
+```
+#### WAF Rules
+```bash
+# Enable Cloudflare WAF managed rules
+# - OWASP Core Ruleset
+# - Cloudflare Managed Ruleset
+# - Rate limiting rules
+# - Bot protection
+```
+#### Verification Steps
+- [ ] WAF enabled with OWASP rules
+- [ ] Rate limiting configured
+- [ ] Bot protection active
+- [ ] DDoS protection enabled
+- [ ] Security headers configured
+- [ ] SSL/TLS strict mode enabled
+### 7. Backup & Disaster Recovery
+#### Automated Backups
+```terraform
+# PASS: CORRECT: Automated RDS backups
+resource "aws_db_instance" "main" {
+  allocated_storage     = 20
+  engine               = "postgres"
+  backup_retention_period = 30  # 30 days retention
+  backup_window          = "03:00-04:00"
+  maintenance_window     = "mon:04:00-mon:05:00"
+  enabled_cloudwatch_logs_exports = ["postgresql"]
+  deletion_protection = true  # Prevent accidental deletion
+}
+```
+#### Verification Steps
+- [ ] Automated daily backups configured
+- [ ] Backup retention meets compliance requirements
+- [ ] Point-in-time recovery enabled
+- [ ] Backup testing performed quarterly
+- [ ] Disaster recovery plan documented
+- [ ] RPO and RTO defined and tested
+## Pre-Deployment Cloud Security Checklist
+Before ANY production cloud deployment:
+- [ ] **IAM**: Root account not used, MFA enabled, least privilege policies
+- [ ] **Secrets**: All secrets in cloud secrets manager with rotation
+- [ ] **Network**: Security groups restricted, no public databases
+- [ ] **Logging**: CloudWatch/logging enabled with retention
+- [ ] **Monitoring**: Alerts configured for anomalies
+- [ ] **CI/CD**: OIDC auth, secrets scanning, dependency audits
+- [ ] **CDN/WAF**: Cloudflare WAF enabled with OWASP rules
+- [ ] **Encryption**: Data encrypted at rest and in transit
+- [ ] **Backups**: Automated backups with tested recovery
+- [ ] **Compliance**: GDPR/HIPAA requirements met (if applicable)
+- [ ] **Documentation**: Infrastructure documented, runbooks created
+- [ ] **Incident Response**: Security incident plan in place
+## Common Cloud Security Misconfigurations
+### S3 Bucket Exposure
+```bash
+# FAIL: WRONG: Public bucket
+aws s3api put-bucket-acl --bucket my-bucket --acl public-read
+# PASS: CORRECT: Private bucket with specific access
+aws s3api put-bucket-acl --bucket my-bucket --acl private
+aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json
+```
+### RDS Public Access
+```terraform
+# FAIL: WRONG
+resource "aws_db_instance" "bad" {
+  publicly_accessible = true  # NEVER do this!
+}
+# PASS: CORRECT
+resource "aws_db_instance" "good" {
+  publicly_accessible = false
+  vpc_security_group_ids = [aws_security_group.db.id]
+}
+```
+## Resources
+- [AWS Security Best Practices](https://aws.amazon.com/security/best-practices/)
+- [CIS AWS Foundations Benchmark](https://www.cisecurity.org/benchmark/amazon_web_services)
+- [Cloudflare Security Documentation](https://developers.cloudflare.com/security/)
+- [OWASP Cloud Security](https://owasp.org/www-project-cloud-security/)
+- [Terraform Security Best Practices](https://www.terraform.io/docs/cloud/guides/recommended-practices/)
+**Remember**: Cloud misconfigurations are the leading cause of data breaches. A single exposed S3 bucket or overly permissive IAM policy can compromise your entire infrastructure. Always follow the principle of least privilege and defense in depth.

package/assets/opencode/skills/security-scan/.openskills.json ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "source": "affaan-m/everything-claude-code",
+  "sourceType": "git",
+  "repoUrl": "https://github.com/affaan-m/everything-claude-code",
+  "subpath": "skills/security-scan",
+  "installedAt": "2026-04-16T03:02:35.848Z"
+}