buildanything 1.7.1 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +3 -3
- package/.claude-plugin/plugin.json +9 -3
- package/CHANGELOG.md +112 -0
- package/README.md +2 -2
- package/agents/a11y-architect.md +166 -0
- package/agents/business-model.md +80 -29
- package/agents/code-architect.md +75 -0
- package/agents/code-reviewer.md +255 -0
- package/agents/code-simplifier.md +64 -0
- package/agents/design-brand-guardian.md +293 -53
- package/agents/design-critic.md +139 -0
- package/agents/design-inclusive-visuals-specialist.md +6 -19
- package/agents/design-ui-designer.md +335 -56
- package/agents/design-ux-architect.md +403 -55
- package/agents/design-ux-researcher.md +264 -49
- package/agents/engineering-ai-engineer.md +26 -36
- package/agents/engineering-backend-architect.md +185 -36
- package/agents/engineering-data-engineer.md +225 -43
- package/agents/engineering-devops-automator.md +227 -74
- package/agents/engineering-frontend-developer.md +210 -34
- package/agents/engineering-mobile-app-builder.md +6 -1
- package/agents/engineering-rapid-prototyper.md +30 -9
- package/agents/engineering-security-engineer.md +263 -61
- package/agents/engineering-senior-developer.md +128 -19
- package/agents/engineering-sre.md +84 -0
- package/agents/engineering-technical-writer.md +285 -41
- package/agents/feature-intel.md +110 -0
- package/agents/ios-app-review-guardian.md +66 -0
- package/agents/ios-foundation-models-specialist.md +64 -0
- package/agents/ios-storekit-specialist.md +59 -0
- package/agents/ios-swift-architect.md +129 -0
- package/agents/ios-swift-search.md +137 -0
- package/agents/ios-swift-ui-design.md +136 -0
- package/agents/marketing-app-store-optimizer.md +246 -64
- package/agents/planner.md +216 -0
- package/agents/pr-test-analyzer.md +63 -0
- package/agents/product-feedback-synthesizer.md +8 -2
- package/agents/refactor-cleaner.md +102 -0
- package/agents/security-reviewer.md +128 -0
- package/agents/silent-failure-hunter.md +54 -0
- package/agents/swift-build-resolver.md +119 -0
- package/agents/swift-reviewer.md +112 -0
- package/agents/tech-feasibility.md +21 -1
- package/agents/testing-api-tester.md +236 -59
- package/agents/testing-evidence-collector.md +26 -1
- package/agents/testing-performance-benchmarker.md +21 -1
- package/agents/testing-reality-checker.md +6 -1
- package/agents/visual-research.md +116 -0
- package/bin/adapters/cycle-counter-tool.ts +155 -0
- package/bin/adapters/scribe-tool.ts +71 -0
- package/bin/adapters/state-save-tool.ts +130 -0
- package/bin/adapters/write-lease-tool.ts +127 -0
- package/bin/buildanything-runtime.js +15 -0
- package/bin/buildanything-runtime.ts +328 -0
- package/bin/setup.js +83 -8
- package/commands/add-feature.md +2 -0
- package/commands/build.md +752 -332
- package/commands/fix.md +65 -0
- package/commands/self-check.md +121 -0
- package/commands/setup.md +114 -0
- package/commands/ux-review.md +63 -0
- package/commands/verify.md +69 -0
- package/docs/migration/agents.yaml +729 -0
- package/docs/migration/phase-graph.yaml +1088 -0
- package/docs/migration/sdk-host-compat.md +18 -0
- package/hooks/compile-writer-owner-cache.ts +171 -0
- package/hooks/hooks.json +36 -0
- package/hooks/pre-tool-use +19 -0
- package/hooks/pre-tool-use.ts +776 -0
- package/hooks/record-mode-transitions.ts +178 -0
- package/hooks/session-start +89 -2
- package/hooks/subagent-start +17 -0
- package/hooks/subagent-start.ts +471 -0
- package/hooks/subagent-stop +17 -0
- package/hooks/subagent-stop.ts +153 -0
- package/package.json +28 -5
- package/protocols/architecture-schema.md +171 -0
- package/protocols/build-fix.md +52 -0
- package/protocols/cleanup.md +54 -0
- package/protocols/decision-log.md +131 -0
- package/protocols/eval-harness.md +61 -0
- package/protocols/fake-data-detector.md +64 -0
- package/protocols/ios-context.md +234 -0
- package/protocols/ios-frameworks-map.md +323 -0
- package/protocols/ios-phase-branches.md +337 -0
- package/protocols/ios-preflight.md +27 -0
- package/protocols/launch-readiness.md +258 -0
- package/protocols/metric-loop.md +153 -0
- package/protocols/smoke-test.md +118 -0
- package/protocols/state-schema.json +388 -0
- package/protocols/state-schema.md +172 -0
- package/protocols/verify.md +127 -0
- package/protocols/visual-dna.md +185 -0
- package/protocols/web-phase-branches.md +351 -0
- package/skills/ios/_VENDORED.md +62 -0
- package/skills/ios/activitykit/LICENSE +131 -0
- package/skills/ios/activitykit/SKILL.md +505 -0
- package/skills/ios/activitykit/references/activitykit-patterns.md +868 -0
- package/skills/ios/app-intents/LICENSE +131 -0
- package/skills/ios/app-intents/SKILL.md +494 -0
- package/skills/ios/app-intents/references/appintents-advanced.md +1076 -0
- package/skills/ios/app-store-connect-metadata/SKILL.md +148 -0
- package/skills/ios/apple-on-device-ai/LICENSE +131 -0
- package/skills/ios/apple-on-device-ai/SKILL.md +505 -0
- package/skills/ios/apple-on-device-ai/references/coreml-conversion.md +425 -0
- package/skills/ios/apple-on-device-ai/references/coreml-optimization.md +344 -0
- package/skills/ios/apple-on-device-ai/references/foundation-models.md +508 -0
- package/skills/ios/apple-on-device-ai/references/mlx-swift.md +285 -0
- package/skills/ios/asc-privacy-manifest/SKILL.md +350 -0
- package/skills/ios/hig-components-content/SKILL.md +86 -0
- package/skills/ios/hig-components-content/references/activity-views.md +79 -0
- package/skills/ios/hig-components-content/references/charts.md +180 -0
- package/skills/ios/hig-components-content/references/collections.md +48 -0
- package/skills/ios/hig-components-content/references/color-wells.md +42 -0
- package/skills/ios/hig-components-content/references/image-views.md +82 -0
- package/skills/ios/hig-components-content/references/image-wells.md +34 -0
- package/skills/ios/hig-components-content/references/lockups.md +78 -0
- package/skills/ios/hig-components-content/references/web-views.md +36 -0
- package/skills/ios/hig-components-controls/SKILL.md +88 -0
- package/skills/ios/hig-components-controls/references/combo-boxes.md +40 -0
- package/skills/ios/hig-components-controls/references/controls.md +112 -0
- package/skills/ios/hig-components-controls/references/gauges.md +74 -0
- package/skills/ios/hig-components-controls/references/labels.md +92 -0
- package/skills/ios/hig-components-controls/references/pickers.md +128 -0
- package/skills/ios/hig-components-controls/references/rating-indicators.md +38 -0
- package/skills/ios/hig-components-controls/references/segmented-controls.md +94 -0
- package/skills/ios/hig-components-controls/references/sliders.md +92 -0
- package/skills/ios/hig-components-controls/references/steppers.md +40 -0
- package/skills/ios/hig-components-controls/references/text-fields.md +88 -0
- package/skills/ios/hig-components-controls/references/text-views.md +56 -0
- package/skills/ios/hig-components-controls/references/toggles.md +127 -0
- package/skills/ios/hig-components-controls/references/token-fields.md +48 -0
- package/skills/ios/hig-components-controls/references/virtual-keyboards.md +156 -0
- package/skills/ios/hig-components-dialogs/SKILL.md +76 -0
- package/skills/ios/hig-components-dialogs/references/action-sheets.md +74 -0
- package/skills/ios/hig-components-dialogs/references/alerts.md +158 -0
- package/skills/ios/hig-components-dialogs/references/digit-entry-views.md +32 -0
- package/skills/ios/hig-components-dialogs/references/popovers.md +81 -0
- package/skills/ios/hig-components-dialogs/references/sheets.md +157 -0
- package/skills/ios/hig-components-layout/SKILL.md +99 -0
- package/skills/ios/hig-components-layout/references/boxes.md +48 -0
- package/skills/ios/hig-components-layout/references/column-views.md +44 -0
- package/skills/ios/hig-components-layout/references/lists-and-tables.md +99 -0
- package/skills/ios/hig-components-layout/references/ornaments.md +56 -0
- package/skills/ios/hig-components-layout/references/outline-views.md +64 -0
- package/skills/ios/hig-components-layout/references/panels.md +75 -0
- package/skills/ios/hig-components-layout/references/scroll-views.md +123 -0
- package/skills/ios/hig-components-layout/references/sidebars.md +109 -0
- package/skills/ios/hig-components-layout/references/split-views.md +110 -0
- package/skills/ios/hig-components-layout/references/tab-bars.md +173 -0
- package/skills/ios/hig-components-layout/references/tab-views.md +68 -0
- package/skills/ios/hig-components-layout/references/windows.md +188 -0
- package/skills/ios/hig-components-menus/SKILL.md +81 -0
- package/skills/ios/hig-components-menus/references/action-button.md +61 -0
- package/skills/ios/hig-components-menus/references/buttons.md +261 -0
- package/skills/ios/hig-components-menus/references/context-menus.md +105 -0
- package/skills/ios/hig-components-menus/references/disclosure-controls.md +84 -0
- package/skills/ios/hig-components-menus/references/dock-menus.md +40 -0
- package/skills/ios/hig-components-menus/references/edit-menus.md +88 -0
- package/skills/ios/hig-components-menus/references/menus.md +171 -0
- package/skills/ios/hig-components-menus/references/pop-up-buttons.md +70 -0
- package/skills/ios/hig-components-menus/references/pull-down-buttons.md +77 -0
- package/skills/ios/hig-components-menus/references/the-menu-bar.md +303 -0
- package/skills/ios/hig-components-menus/references/toolbars.md +256 -0
- package/skills/ios/hig-components-search/SKILL.md +68 -0
- package/skills/ios/hig-components-search/references/page-controls.md +120 -0
- package/skills/ios/hig-components-search/references/path-controls.md +40 -0
- package/skills/ios/hig-components-search/references/search-fields.md +189 -0
- package/skills/ios/hig-components-status/SKILL.md +80 -0
- package/skills/ios/hig-components-status/references/activity-rings.md +105 -0
- package/skills/ios/hig-components-status/references/progress-indicators.md +116 -0
- package/skills/ios/hig-components-status/references/status-bars.md +38 -0
- package/skills/ios/hig-components-system/SKILL.md +88 -0
- package/skills/ios/hig-components-system/references/app-clips.md +387 -0
- package/skills/ios/hig-components-system/references/app-shortcuts.md +114 -0
- package/skills/ios/hig-components-system/references/complications.md +425 -0
- package/skills/ios/hig-components-system/references/home-screen-quick-actions.md +42 -0
- package/skills/ios/hig-components-system/references/live-activities.md +442 -0
- package/skills/ios/hig-components-system/references/notifications.md +153 -0
- package/skills/ios/hig-components-system/references/top-shelf.md +135 -0
- package/skills/ios/hig-components-system/references/watch-faces.md +40 -0
- package/skills/ios/hig-components-system/references/widgets.md +517 -0
- package/skills/ios/hig-foundations/SKILL.md +98 -0
- package/skills/ios/hig-foundations/references/accessibility.md +291 -0
- package/skills/ios/hig-foundations/references/app-icons.md +210 -0
- package/skills/ios/hig-foundations/references/branding.md +44 -0
- package/skills/ios/hig-foundations/references/color.md +274 -0
- package/skills/ios/hig-foundations/references/dark-mode.md +116 -0
- package/skills/ios/hig-foundations/references/icons.md +263 -0
- package/skills/ios/hig-foundations/references/images.md +176 -0
- package/skills/ios/hig-foundations/references/immersive-experiences.md +174 -0
- package/skills/ios/hig-foundations/references/inclusion.md +189 -0
- package/skills/ios/hig-foundations/references/layout.md +425 -0
- package/skills/ios/hig-foundations/references/materials.md +238 -0
- package/skills/ios/hig-foundations/references/motion.md +103 -0
- package/skills/ios/hig-foundations/references/privacy.md +231 -0
- package/skills/ios/hig-foundations/references/right-to-left.md +206 -0
- package/skills/ios/hig-foundations/references/sf-symbols.md +310 -0
- package/skills/ios/hig-foundations/references/spatial-layout.md +142 -0
- package/skills/ios/hig-foundations/references/typography.md +1146 -0
- package/skills/ios/hig-foundations/references/writing.md +91 -0
- package/skills/ios/hig-inputs/SKILL.md +94 -0
- package/skills/ios/hig-inputs/references/apple-pencil-and-scribble.md +148 -0
- package/skills/ios/hig-inputs/references/camera-control.md +107 -0
- package/skills/ios/hig-inputs/references/digital-crown.md +83 -0
- package/skills/ios/hig-inputs/references/eyes.md +120 -0
- package/skills/ios/hig-inputs/references/focus-and-selection.md +120 -0
- package/skills/ios/hig-inputs/references/game-controls.md +156 -0
- package/skills/ios/hig-inputs/references/gestures.md +208 -0
- package/skills/ios/hig-inputs/references/gyro-and-accelerometer.md +40 -0
- package/skills/ios/hig-inputs/references/keyboards.md +234 -0
- package/skills/ios/hig-inputs/references/nearby-interactions.md +70 -0
- package/skills/ios/hig-inputs/references/pointing-devices.md +237 -0
- package/skills/ios/hig-inputs/references/remotes.md +67 -0
- package/skills/ios/hig-inputs/references/spatial-interactions.md +70 -0
- package/skills/ios/hig-patterns/SKILL.md +104 -0
- package/skills/ios/hig-patterns/references/charting-data.md +81 -0
- package/skills/ios/hig-patterns/references/collaboration-and-sharing.md +86 -0
- package/skills/ios/hig-patterns/references/drag-and-drop.md +134 -0
- package/skills/ios/hig-patterns/references/entering-data.md +69 -0
- package/skills/ios/hig-patterns/references/feedback.md +67 -0
- package/skills/ios/hig-patterns/references/file-management.md +135 -0
- package/skills/ios/hig-patterns/references/going-full-screen.md +79 -0
- package/skills/ios/hig-patterns/references/launching.md +81 -0
- package/skills/ios/hig-patterns/references/live-viewing-apps.md +79 -0
- package/skills/ios/hig-patterns/references/loading.md +59 -0
- package/skills/ios/hig-patterns/references/managing-accounts.md +107 -0
- package/skills/ios/hig-patterns/references/managing-notifications.md +99 -0
- package/skills/ios/hig-patterns/references/modality.md +82 -0
- package/skills/ios/hig-patterns/references/multitasking.md +131 -0
- package/skills/ios/hig-patterns/references/offering-help.md +117 -0
- package/skills/ios/hig-patterns/references/onboarding.md +69 -0
- package/skills/ios/hig-patterns/references/playing-audio.md +124 -0
- package/skills/ios/hig-patterns/references/playing-haptics.md +280 -0
- package/skills/ios/hig-patterns/references/playing-video.md +180 -0
- package/skills/ios/hig-patterns/references/printing.md +50 -0
- package/skills/ios/hig-patterns/references/ratings-and-reviews.md +48 -0
- package/skills/ios/hig-patterns/references/searching.md +70 -0
- package/skills/ios/hig-patterns/references/settings.md +84 -0
- package/skills/ios/hig-patterns/references/undo-and-redo.md +58 -0
- package/skills/ios/hig-patterns/references/workouts.md +76 -0
- package/skills/ios/hig-platforms/SKILL.md +84 -0
- package/skills/ios/hig-platforms/references/designing-for-games.md +159 -0
- package/skills/ios/hig-platforms/references/designing-for-ios.md +66 -0
- package/skills/ios/hig-platforms/references/designing-for-ipados.md +64 -0
- package/skills/ios/hig-platforms/references/designing-for-macos.md +70 -0
- package/skills/ios/hig-platforms/references/designing-for-tvos.md +68 -0
- package/skills/ios/hig-platforms/references/designing-for-visionos.md +85 -0
- package/skills/ios/hig-platforms/references/designing-for-watchos.md +74 -0
- package/skills/ios/hig-project-context/SKILL.md +133 -0
- package/skills/ios/hig-technologies/SKILL.md +107 -0
- package/skills/ios/hig-technologies/references/airplay.md +125 -0
- package/skills/ios/hig-technologies/references/always-on.md +62 -0
- package/skills/ios/hig-technologies/references/apple-pay.md +441 -0
- package/skills/ios/hig-technologies/references/augmented-reality.md +247 -0
- package/skills/ios/hig-technologies/references/carekit.md +224 -0
- package/skills/ios/hig-technologies/references/carplay.md +119 -0
- package/skills/ios/hig-technologies/references/game-center.md +343 -0
- package/skills/ios/hig-technologies/references/generative-ai.md +110 -0
- package/skills/ios/hig-technologies/references/healthkit.md +120 -0
- package/skills/ios/hig-technologies/references/homekit.md +343 -0
- package/skills/ios/hig-technologies/references/icloud.md +52 -0
- package/skills/ios/hig-technologies/references/id-verifier.md +73 -0
- package/skills/ios/hig-technologies/references/imessage-apps-and-stickers.md +105 -0
- package/skills/ios/hig-technologies/references/in-app-purchase.md +263 -0
- package/skills/ios/hig-technologies/references/live-photos.md +54 -0
- package/skills/ios/hig-technologies/references/mac-catalyst.md +216 -0
- package/skills/ios/hig-technologies/references/machine-learning.md +394 -0
- package/skills/ios/hig-technologies/references/maps.md +221 -0
- package/skills/ios/hig-technologies/references/nfc.md +51 -0
- package/skills/ios/hig-technologies/references/photo-editing.md +40 -0
- package/skills/ios/hig-technologies/references/researchkit.md +134 -0
- package/skills/ios/hig-technologies/references/shareplay.md +142 -0
- package/skills/ios/hig-technologies/references/shazamkit.md +47 -0
- package/skills/ios/hig-technologies/references/sign-in-with-apple.md +288 -0
- package/skills/ios/hig-technologies/references/siri.md +523 -0
- package/skills/ios/hig-technologies/references/tap-to-pay-on-iphone.md +208 -0
- package/skills/ios/hig-technologies/references/voiceover.md +90 -0
- package/skills/ios/hig-technologies/references/wallet.md +420 -0
- package/skills/ios/ios-26-platform/SKILL.md +53 -0
- package/skills/ios/ios-26-platform/references/automatic-adoption.md +161 -0
- package/skills/ios/ios-26-platform/references/backward-compat.md +238 -0
- package/skills/ios/ios-26-platform/references/liquid-glass.md +255 -0
- package/skills/ios/ios-26-platform/references/swiftui-apis.md +277 -0
- package/skills/ios/ios-26-platform/references/toolbar-navigation.md +250 -0
- package/skills/ios/ios-bootstrap/SKILL.md +107 -0
- package/skills/ios/ios-bootstrap/references/apple-docs-mcp-config.md +28 -0
- package/skills/ios/ios-bootstrap/references/new-project-dialog.md +41 -0
- package/skills/ios/ios-bootstrap/references/xcode-mcp-config.md +29 -0
- package/skills/ios/ios-debugger-agent/LICENSE +21 -0
- package/skills/ios/ios-debugger-agent/SKILL.md +58 -0
- package/skills/ios/ios-debugger-agent/agents/openai.yaml +4 -0
- package/skills/ios/ios-entitlements-generator/SKILL.md +47 -0
- package/skills/ios/ios-info-plist-hardening/SKILL.md +130 -0
- package/skills/ios/ios-maestro-flow-author/SKILL.md +68 -0
- package/skills/ios/ios-maestro-flow-author/references/input-and-scroll.yaml +17 -0
- package/skills/ios/ios-maestro-flow-author/references/modal-and-dismiss.yaml +14 -0
- package/skills/ios/ios-maestro-flow-author/references/onboarding-flow.yaml +16 -0
- package/skills/ios/ios-maestro-flow-author/references/tab-navigation.yaml +13 -0
- package/skills/ios/ios-maestro-flow-author/references/tap-and-assert.yaml +9 -0
- package/skills/ios/swift-accessibility/LICENSE +21 -0
- package/skills/ios/swift-accessibility/SKILL.md +371 -0
- package/skills/ios/swift-accessibility/examples/before-after-appkit.md +446 -0
- package/skills/ios/swift-accessibility/examples/before-after-swiftui.md +441 -0
- package/skills/ios/swift-accessibility/examples/before-after-uikit.md +464 -0
- package/skills/ios/swift-accessibility/references/assistive-access.md +441 -0
- package/skills/ios/swift-accessibility/references/display-settings.md +491 -0
- package/skills/ios/swift-accessibility/references/dynamic-type.md +420 -0
- package/skills/ios/swift-accessibility/references/media-accessibility.md +421 -0
- package/skills/ios/swift-accessibility/references/motor-input.md +393 -0
- package/skills/ios/swift-accessibility/references/nutrition-labels.md +362 -0
- package/skills/ios/swift-accessibility/references/platform-specifics.md +515 -0
- package/skills/ios/swift-accessibility/references/semantic-structure.md +585 -0
- package/skills/ios/swift-accessibility/references/testing-auditing.md +507 -0
- package/skills/ios/swift-accessibility/references/voice-control.md +317 -0
- package/skills/ios/swift-accessibility/references/voiceover-swiftui.md +584 -0
- package/skills/ios/swift-accessibility/references/voiceover-uikit.md +519 -0
- package/skills/ios/swift-accessibility/references/wcag-mapping.md +167 -0
- package/skills/ios/swift-accessibility/resources/audit-template.swift +128 -0
- package/skills/ios/swift-accessibility/resources/qa-checklist.md +258 -0
- package/skills/ios/swift-actor-persistence/SKILL.md +143 -0
- package/skills/ios/swift-concurrency/LICENSE +21 -0
- package/skills/ios/swift-concurrency/SKILL.md +171 -0
- package/skills/ios/swift-concurrency/references/_index.md +50 -0
- package/skills/ios/swift-concurrency/references/actors.md +660 -0
- package/skills/ios/swift-concurrency/references/async-algorithms.md +847 -0
- package/skills/ios/swift-concurrency/references/async-await-basics.md +266 -0
- package/skills/ios/swift-concurrency/references/async-sequences.md +710 -0
- package/skills/ios/swift-concurrency/references/core-data.md +560 -0
- package/skills/ios/swift-concurrency/references/glossary.md +135 -0
- package/skills/ios/swift-concurrency/references/linting.md +155 -0
- package/skills/ios/swift-concurrency/references/memory-management.md +569 -0
- package/skills/ios/swift-concurrency/references/migration.md +1104 -0
- package/skills/ios/swift-concurrency/references/performance.md +593 -0
- package/skills/ios/swift-concurrency/references/sendable.md +598 -0
- package/skills/ios/swift-concurrency/references/tasks.md +636 -0
- package/skills/ios/swift-concurrency/references/testing.md +592 -0
- package/skills/ios/swift-concurrency/references/threading.md +495 -0
- package/skills/ios/swift-concurrency-6-2/SKILL.md +216 -0
- package/skills/ios/swift-protocol-di-testing/SKILL.md +190 -0
- package/skills/ios/swift-security-expert/LICENSE +21 -0
- package/skills/ios/swift-security-expert/SKILL.md +470 -0
- package/skills/ios/swift-security-expert/references/biometric-authentication.md +565 -0
- package/skills/ios/swift-security-expert/references/certificate-trust.md +592 -0
- package/skills/ios/swift-security-expert/references/common-anti-patterns.md +690 -0
- package/skills/ios/swift-security-expert/references/compliance-owasp-mapping.md +537 -0
- package/skills/ios/swift-security-expert/references/credential-storage-patterns.md +721 -0
- package/skills/ios/swift-security-expert/references/cryptokit-public-key.md +505 -0
- package/skills/ios/swift-security-expert/references/cryptokit-symmetric.md +497 -0
- package/skills/ios/swift-security-expert/references/keychain-access-control.md +508 -0
- package/skills/ios/swift-security-expert/references/keychain-fundamentals.md +596 -0
- package/skills/ios/swift-security-expert/references/keychain-item-classes.md +476 -0
- package/skills/ios/swift-security-expert/references/keychain-sharing.md +458 -0
- package/skills/ios/swift-security-expert/references/migration-legacy-stores.md +727 -0
- package/skills/ios/swift-security-expert/references/secure-enclave.md +539 -0
- package/skills/ios/swift-security-expert/references/testing-security-code.md +781 -0
- package/skills/ios/swift-testing-expert/LICENSE +21 -0
- package/skills/ios/swift-testing-expert/SKILL.md +79 -0
- package/skills/ios/swift-testing-expert/references/_index.md +12 -0
- package/skills/ios/swift-testing-expert/references/async-testing-and-waiting.md +127 -0
- package/skills/ios/swift-testing-expert/references/expectations.md +145 -0
- package/skills/ios/swift-testing-expert/references/fundamentals.md +141 -0
- package/skills/ios/swift-testing-expert/references/migration-from-xctest.md +127 -0
- package/skills/ios/swift-testing-expert/references/parallelization-and-isolation.md +95 -0
- package/skills/ios/swift-testing-expert/references/parameterized-testing.md +284 -0
- package/skills/ios/swift-testing-expert/references/performance-and-best-practices.md +187 -0
- package/skills/ios/swift-testing-expert/references/traits-and-tags.md +114 -0
- package/skills/ios/swift-testing-expert/references/xcode-workflows.md +70 -0
- package/skills/ios/swiftdata-pro/LICENSE +21 -0
- package/skills/ios/swiftdata-pro/SKILL.md +102 -0
- package/skills/ios/swiftdata-pro/agents/openai.yaml +10 -0
- package/skills/ios/swiftdata-pro/assets/swiftdata-pro-icon.png +0 -0
- package/skills/ios/swiftdata-pro/assets/swiftdata-pro-icon.svg +29 -0
- package/skills/ios/swiftdata-pro/references/class-inheritance.md +104 -0
- package/skills/ios/swiftdata-pro/references/cloudkit.md +10 -0
- package/skills/ios/swiftdata-pro/references/core-rules.md +20 -0
- package/skills/ios/swiftdata-pro/references/indexing.md +27 -0
- package/skills/ios/swiftdata-pro/references/predicates.md +73 -0
- package/skills/ios/swiftui-design-principles/AGENTS.md +21 -0
- package/skills/ios/swiftui-design-principles/LICENSE +21 -0
- package/skills/ios/swiftui-design-principles/README.md +41 -0
- package/skills/ios/swiftui-design-principles/SKILL.md +605 -0
- package/skills/ios/swiftui-design-principles/metadata.json +10 -0
- package/skills/ios/swiftui-design-tokens/SKILL.md +475 -0
- package/skills/ios/swiftui-liquid-glass/LICENSE +21 -0
- package/skills/ios/swiftui-liquid-glass/SKILL.md +95 -0
- package/skills/ios/swiftui-liquid-glass/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-liquid-glass/references/liquid-glass.md +280 -0
- package/skills/ios/swiftui-performance-audit/LICENSE +21 -0
- package/skills/ios/swiftui-performance-audit/SKILL.md +111 -0
- package/skills/ios/swiftui-performance-audit/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-performance-audit/references/code-smells.md +150 -0
- package/skills/ios/swiftui-performance-audit/references/demystify-swiftui-performance-wwdc23.md +46 -0
- package/skills/ios/swiftui-performance-audit/references/optimizing-swiftui-performance-instruments.md +29 -0
- package/skills/ios/swiftui-performance-audit/references/profiling-intake.md +44 -0
- package/skills/ios/swiftui-performance-audit/references/report-template.md +47 -0
- package/skills/ios/swiftui-performance-audit/references/understanding-hangs-in-your-app.md +33 -0
- package/skills/ios/swiftui-performance-audit/references/understanding-improving-swiftui-performance.md +52 -0
- package/skills/ios/swiftui-pro/LICENSE +21 -0
- package/skills/ios/swiftui-pro/SKILL.md +108 -0
- package/skills/ios/swiftui-pro/agents/openai.yaml +10 -0
- package/skills/ios/swiftui-pro/assets/swiftui-pro-icon.png +0 -0
- package/skills/ios/swiftui-pro/assets/swiftui-pro-icon.svg +29 -0
- package/skills/ios/swiftui-pro/references/accessibility.md +13 -0
- package/skills/ios/swiftui-pro/references/api.md +39 -0
- package/skills/ios/swiftui-pro/references/data.md +43 -0
- package/skills/ios/swiftui-pro/references/design.md +31 -0
- package/skills/ios/swiftui-pro/references/hygiene.md +9 -0
- package/skills/ios/swiftui-pro/references/navigation.md +14 -0
- package/skills/ios/swiftui-pro/references/performance.md +46 -0
- package/skills/ios/swiftui-pro/references/swift.md +56 -0
- package/skills/ios/swiftui-pro/references/views.md +35 -0
- package/skills/ios/swiftui-ui-patterns/LICENSE +21 -0
- package/skills/ios/swiftui-ui-patterns/SKILL.md +100 -0
- package/skills/ios/swiftui-ui-patterns/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-ui-patterns/references/app-wiring.md +201 -0
- package/skills/ios/swiftui-ui-patterns/references/async-state.md +96 -0
- package/skills/ios/swiftui-ui-patterns/references/components-index.md +50 -0
- package/skills/ios/swiftui-ui-patterns/references/controls.md +57 -0
- package/skills/ios/swiftui-ui-patterns/references/deeplinks.md +66 -0
- package/skills/ios/swiftui-ui-patterns/references/focus.md +90 -0
- package/skills/ios/swiftui-ui-patterns/references/form.md +97 -0
- package/skills/ios/swiftui-ui-patterns/references/grids.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/haptics.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/input-toolbar.md +51 -0
- package/skills/ios/swiftui-ui-patterns/references/lightweight-clients.md +93 -0
- package/skills/ios/swiftui-ui-patterns/references/list.md +86 -0
- package/skills/ios/swiftui-ui-patterns/references/loading-placeholders.md +38 -0
- package/skills/ios/swiftui-ui-patterns/references/macos-settings.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/matched-transitions.md +59 -0
- package/skills/ios/swiftui-ui-patterns/references/media.md +73 -0
- package/skills/ios/swiftui-ui-patterns/references/menu-bar.md +101 -0
- package/skills/ios/swiftui-ui-patterns/references/navigationstack.md +159 -0
- package/skills/ios/swiftui-ui-patterns/references/overlay.md +45 -0
- package/skills/ios/swiftui-ui-patterns/references/performance.md +62 -0
- package/skills/ios/swiftui-ui-patterns/references/previews.md +48 -0
- package/skills/ios/swiftui-ui-patterns/references/scroll-reveal.md +133 -0
- package/skills/ios/swiftui-ui-patterns/references/scrollview.md +87 -0
- package/skills/ios/swiftui-ui-patterns/references/searchable.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/sheets.md +155 -0
- package/skills/ios/swiftui-ui-patterns/references/split-views.md +72 -0
- package/skills/ios/swiftui-ui-patterns/references/tabview.md +114 -0
- package/skills/ios/swiftui-ui-patterns/references/theming.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/title-menus.md +93 -0
- package/skills/ios/swiftui-ui-patterns/references/top-bar.md +49 -0
- package/skills/ios/swiftui-view-refactor/LICENSE +21 -0
- package/skills/ios/swiftui-view-refactor/SKILL.md +207 -0
- package/skills/ios/swiftui-view-refactor/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-view-refactor/references/mv-patterns.md +161 -0
- package/skills/ios/widgetkit/LICENSE +131 -0
- package/skills/ios/widgetkit/SKILL.md +502 -0
- package/skills/ios/widgetkit/references/widgetkit-advanced.md +871 -0
- package/skills/ios/writing-for-interfaces/SKILL.md +75 -0
- package/skills/web/accessibility/SKILL.md +146 -0
- package/skills/web/aceternity-ui/SKILL.md +719 -0
- package/skills/web/aceternity-ui/metadata.json +10 -0
- package/skills/web/api-design/SKILL.md +523 -0
- package/skills/web/chart-accessibility/SKILL.md +332 -0
- package/skills/web/composition-patterns/AGENTS.md +946 -0
- package/skills/web/composition-patterns/README.md +60 -0
- package/skills/web/composition-patterns/SKILL.md +89 -0
- package/skills/web/composition-patterns/metadata.json +11 -0
- package/skills/web/composition-patterns/rules/_sections.md +29 -0
- package/skills/web/composition-patterns/rules/_template.md +24 -0
- package/skills/web/composition-patterns/rules/architecture-avoid-boolean-props.md +100 -0
- package/skills/web/composition-patterns/rules/architecture-compound-components.md +112 -0
- package/skills/web/composition-patterns/rules/patterns-children-over-render-props.md +87 -0
- package/skills/web/composition-patterns/rules/patterns-explicit-variants.md +100 -0
- package/skills/web/composition-patterns/rules/react19-no-forwardref.md +42 -0
- package/skills/web/composition-patterns/rules/state-context-interface.md +191 -0
- package/skills/web/composition-patterns/rules/state-decouple-implementation.md +113 -0
- package/skills/web/composition-patterns/rules/state-lift-state.md +125 -0
- package/skills/web/cost-aware-llm-pipeline/SKILL.md +183 -0
- package/skills/web/database-migrations/SKILL.md +429 -0
- package/skills/web/deployment-patterns/SKILL.md +427 -0
- package/skills/web/docker-patterns/SKILL.md +364 -0
- package/skills/web/e2e-testing/SKILL.md +326 -0
- package/skills/web/lighthouse-ci/SKILL.md +361 -0
- package/skills/web/mcp-server-patterns/SKILL.md +69 -0
- package/skills/web/next-best-practices/SKILL.md +153 -0
- package/skills/web/next-best-practices/async-patterns.md +87 -0
- package/skills/web/next-best-practices/bundling.md +180 -0
- package/skills/web/next-best-practices/data-patterns.md +297 -0
- package/skills/web/next-best-practices/debug-tricks.md +105 -0
- package/skills/web/next-best-practices/directives.md +73 -0
- package/skills/web/next-best-practices/error-handling.md +227 -0
- package/skills/web/next-best-practices/file-conventions.md +140 -0
- package/skills/web/next-best-practices/font.md +245 -0
- package/skills/web/next-best-practices/functions.md +108 -0
- package/skills/web/next-best-practices/hydration-error.md +91 -0
- package/skills/web/next-best-practices/image.md +173 -0
- package/skills/web/next-best-practices/metadata.md +301 -0
- package/skills/web/next-best-practices/parallel-routes.md +287 -0
- package/skills/web/next-best-practices/route-handlers.md +146 -0
- package/skills/web/next-best-practices/rsc-boundaries.md +159 -0
- package/skills/web/next-best-practices/runtime-selection.md +39 -0
- package/skills/web/next-best-practices/scripts.md +141 -0
- package/skills/web/next-best-practices/self-hosting.md +371 -0
- package/skills/web/next-best-practices/suspense-boundaries.md +67 -0
- package/skills/web/next-cache-components/SKILL.md +411 -0
- package/skills/web/postgres-best-practices/SKILL.md +14 -0
- package/skills/web/postgres-best-practices/references/schema-design.md +9 -0
- package/skills/web/react-best-practices/AGENTS.md +3810 -0
- package/skills/web/react-best-practices/README.md +123 -0
- package/skills/web/react-best-practices/SKILL.md +149 -0
- package/skills/web/react-best-practices/metadata.json +15 -0
- package/skills/web/react-best-practices/rules/_sections.md +46 -0
- package/skills/web/react-best-practices/rules/_template.md +28 -0
- package/skills/web/react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/skills/web/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/skills/web/react-best-practices/rules/advanced-init-once.md +42 -0
- package/skills/web/react-best-practices/rules/advanced-use-latest.md +39 -0
- package/skills/web/react-best-practices/rules/async-api-routes.md +38 -0
- package/skills/web/react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/skills/web/react-best-practices/rules/async-defer-await.md +82 -0
- package/skills/web/react-best-practices/rules/async-dependencies.md +51 -0
- package/skills/web/react-best-practices/rules/async-parallel.md +28 -0
- package/skills/web/react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/skills/web/react-best-practices/rules/bundle-analyzable-paths.md +63 -0
- package/skills/web/react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/skills/web/react-best-practices/rules/bundle-conditional.md +31 -0
- package/skills/web/react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/skills/web/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/skills/web/react-best-practices/rules/bundle-preload.md +50 -0
- package/skills/web/react-best-practices/rules/client-event-listeners.md +74 -0
- package/skills/web/react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/skills/web/react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/skills/web/react-best-practices/rules/client-swr-dedup.md +56 -0
- package/skills/web/react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/skills/web/react-best-practices/rules/js-cache-function-results.md +80 -0
- package/skills/web/react-best-practices/rules/js-cache-property-access.md +28 -0
- package/skills/web/react-best-practices/rules/js-cache-storage.md +70 -0
- package/skills/web/react-best-practices/rules/js-combine-iterations.md +32 -0
- package/skills/web/react-best-practices/rules/js-early-exit.md +50 -0
- package/skills/web/react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/skills/web/react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/skills/web/react-best-practices/rules/js-index-maps.md +37 -0
- package/skills/web/react-best-practices/rules/js-length-check-first.md +49 -0
- package/skills/web/react-best-practices/rules/js-min-max-loop.md +82 -0
- package/skills/web/react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/skills/web/react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/skills/web/react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/skills/web/react-best-practices/rules/rendering-activity.md +26 -0
- package/skills/web/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/skills/web/react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/skills/web/react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/skills/web/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/skills/web/react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/skills/web/react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/skills/web/react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/skills/web/react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/skills/web/react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/skills/web/react-best-practices/rules/rerender-dependencies.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state.md +29 -0
- package/skills/web/react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/skills/web/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/skills/web/react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/skills/web/react-best-practices/rules/rerender-memo.md +44 -0
- package/skills/web/react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/skills/web/react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/skills/web/react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/skills/web/react-best-practices/rules/rerender-transitions.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/skills/web/react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/skills/web/react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/skills/web/react-best-practices/rules/server-auth-actions.md +96 -0
- package/skills/web/react-best-practices/rules/server-cache-lru.md +41 -0
- package/skills/web/react-best-practices/rules/server-cache-react.md +76 -0
- package/skills/web/react-best-practices/rules/server-dedup-props.md +65 -0
- package/skills/web/react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/skills/web/react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/skills/web/react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/skills/web/react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/skills/web/react-best-practices/rules/server-serialization.md +38 -0
- package/skills/web/seo/SKILL.md +154 -0
- package/skills/web/web-design-guidelines/SKILL.md +39 -0
- package/skills/web/zap-scan-config/SKILL.md +444 -0
- package/skills/web/zap-scan-config/assets/.gitkeep +9 -0
- package/skills/web/zap-scan-config/assets/github_action.yml +207 -0
- package/skills/web/zap-scan-config/assets/gitlab_ci.yml +226 -0
- package/skills/web/zap-scan-config/assets/zap_automation.yaml +196 -0
- package/skills/web/zap-scan-config/assets/zap_context.xml +192 -0
- package/skills/web/zap-scan-config/references/EXAMPLE.md +40 -0
- package/skills/web/zap-scan-config/references/api_testing_guide.md +475 -0
- package/skills/web/zap-scan-config/references/authentication_guide.md +431 -0
- package/skills/web/zap-scan-config/references/false_positive_handling.md +427 -0
- package/skills/web/zap-scan-config/references/owasp_mapping.md +255 -0
- package/src/lrr/aggregator.ts +80 -0
- package/src/orchestrator/hooks/context-header.ts +95 -0
- package/src/orchestrator/hooks/token-accounting-emitter.ts +77 -0
- package/src/orchestrator/hooks/token-accounting.ts +101 -0
- package/src/orchestrator/mcp/cycle-counter.ts +129 -0
- package/src/orchestrator/mcp/scribe.ts +283 -0
- package/src/orchestrator/mcp/state-save.ts +149 -0
- package/src/orchestrator/mcp/write-lease.ts +167 -0
- package/src/orchestrator/phase4-shared-context.ts +41 -0
- package/src/orchestrator/schemas/backward-edge.ts +46 -0
- package/agents/agentic-identity-trust.md +0 -121
- package/agents/data-consolidation-agent.md +0 -39
- package/agents/design-image-prompt-engineer.md +0 -105
- package/agents/design-visual-storyteller.md +0 -147
- package/agents/design-whimsy-injector.md +0 -89
- package/agents/engineering-autonomous-optimization-architect.md +0 -105
- package/agents/market-intel.md +0 -35
- package/agents/marketing-instagram-curator.md +0 -111
- package/agents/marketing-reddit-community-builder.md +0 -121
- package/agents/marketing-social-media-strategist.md +0 -74
- package/agents/marketing-tiktok-strategist.md +0 -123
- package/agents/marketing-twitter-engager.md +0 -124
- package/agents/marketing-wechat-official-account.md +0 -143
- package/agents/marketing-xiaohongshu-specialist.md +0 -136
- package/agents/marketing-zhihu-strategist.md +0 -160
- package/agents/product-behavioral-nudge-engine.md +0 -78
- package/agents/project-management-experiment-tracker.md +0 -102
- package/agents/report-distribution-agent.md +0 -43
- package/agents/risk-analysis.md +0 -45
- package/agents/sales-data-extraction-agent.md +0 -46
- package/agents/specialized-cultural-intelligence-strategist.md +0 -65
- package/agents/specialized-developer-advocate.md +0 -146
- package/agents/support-analytics-reporter.md +0 -133
- package/agents/support-executive-summary-generator.md +0 -64
- package/agents/support-finance-tracker.md +0 -145
- package/agents/support-legal-compliance-checker.md +0 -129
- package/agents/support-support-responder.md +0 -91
- package/agents/testing-accessibility-auditor.md +0 -110
- package/agents/testing-test-results-analyzer.md +0 -97
- package/agents/testing-tool-evaluator.md +0 -76
- package/agents/testing-workflow-optimizer.md +0 -99
- package/agents/user-research.md +0 -40
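--- a/package/skills/web/zap-scan-config/assets/gitlab_ci.yml
+++ b/package/skills/web/zap-scan-config/assets/gitlab_ci.yml
@@ -0,0 +1,226 @@
+# GitLab CI/CD Pipeline for OWASP ZAP Security Scanning
+# Add this to your .gitlab-ci.yml file
+
+stages:
+- security
+- report
+
+variables:
+ZAP_IMAGE: "zaproxy/zap-stable:latest"
+STAGING_URL: "https://staging.example.com"
+REPORTS_DIR: "security-reports"
+
+# Baseline scan for all merge requests
+zap_baseline_scan:
+stage: security
+image: docker:latest
+services:
+- docker:dind
+script:
+- mkdir -p $REPORTS_DIR
+- |
+docker run --rm \
+-v $(pwd)/$REPORTS_DIR:/zap/wrk/:rw \
+$ZAP_IMAGE \
+zap-baseline.py \
+-t $STAGING_URL \
+-r /zap/wrk/baseline-report.html \
+-J /zap/wrk/baseline-report.json \
+-w /zap/wrk/baseline-report.md \
+|| true
+- echo "Baseline scan completed"
+artifacts:
+when: always
+paths:
+- $REPORTS_DIR/
+reports:
+junit: $REPORTS_DIR/baseline-report.xml
+expire_in: 1 week
+only:
+- merge_requests
+- develop
+- main
+tags:
+- docker
+
+# Full active scan (manual trigger for staging)
+zap_full_scan:
+stage: security
+image: docker:latest
+services:
+- docker:dind
+script:
+- mkdir -p $REPORTS_DIR
+- |
+docker run --rm \
+-v $(pwd)/$REPORTS_DIR:/zap/wrk/:rw \
+-v $(pwd)/.zap:/zap/config/:ro \
+$ZAP_IMAGE \
+zap-full-scan.py \
+-t $STAGING_URL \
+-c /zap/config/rules.tsv \
+-r /zap/wrk/full-scan-report.html \
+-J /zap/wrk/full-scan-report.json \
+-x /zap/wrk/full-scan-report.xml \
+|| true
+# Check for high-risk findings
+- |
+if command -v jq &> /dev/null; then
+HIGH_COUNT=$(jq '[.site[].alerts[] | select(.risk == "High")] | length' $REPORTS_DIR/full-scan-report.json)
+echo "High risk findings: $HIGH_COUNT"
+if [ "$HIGH_COUNT" -gt 0 ]; then
+echo "❌ Security scan failed: $HIGH_COUNT high-risk vulnerabilities"
+exit 1
+fi
+fi
+artifacts:
+when: always
+paths:
+- $REPORTS_DIR/
+expire_in: 4 weeks
+only:
+- develop
+when: manual
+allow_failure: false
+tags:
+- docker
+
+# API security scan
+zap_api_scan:
+stage: security
+image: docker:latest
+services:
+- docker:dind
+script:
+- mkdir -p $REPORTS_DIR
+- |
+if [ -f "openapi.yaml" ]; then
+docker run --rm \
+-v $(pwd)/$REPORTS_DIR:/zap/wrk/:rw \
+-v $(pwd):/zap/specs/:ro \
+$ZAP_IMAGE \
+zap-api-scan.py \
+-t $STAGING_URL \
+-f openapi \
+-d /zap/specs/openapi.yaml \
+-r /zap/wrk/api-scan-report.html \
+-J /zap/wrk/api-scan-report.json \
+|| true
+else
+echo "OpenAPI specification not found, skipping API scan"
+fi
+artifacts:
+when: always
+paths:
+- $REPORTS_DIR/
+expire_in: 1 week
+only:
+- merge_requests
+- develop
+allow_failure: true
+tags:
+- docker
+
+# Authenticated scan (requires test credentials)
+zap_authenticated_scan:
+stage: security
+image: python:3.11-slim
+before_script:
+- apt-get update && apt-get install -y docker.io
+script:
+- mkdir -p $REPORTS_DIR
+- |
+python3 scripts/zap_auth_scanner.py \
+--target $STAGING_URL \
+--auth-type form \
+--login-url $STAGING_URL/login \
+--username $TEST_USERNAME \
+--password-env TEST_PASSWORD \
+--output $REPORTS_DIR/authenticated-scan-report.html
+artifacts:
+when: always
+paths:
+- $REPORTS_DIR/
+expire_in: 4 weeks
+only:
+- develop
+when: manual
+tags:
+- docker
+
+# Security gate - check thresholds
+security_gate:
+stage: report
+image: alpine:latest
+before_script:
+- apk add --no-cache jq
+script:
+- |
+if [ -f "$REPORTS_DIR/baseline-report.json" ]; then
+HIGH_COUNT=$(jq '[.site[].alerts[] | select(.risk == "High")] | length' $REPORTS_DIR/baseline-report.json)
+MEDIUM_COUNT=$(jq '[.site[].alerts[] | select(.risk == "Medium")] | length' $REPORTS_DIR/baseline-report.json)
+
+echo "==================================="
+echo "Security Scan Results"
+echo "==================================="
+echo "High risk findings: $HIGH_COUNT"
+echo "Medium risk findings: $MEDIUM_COUNT"
+echo "==================================="
+
+# Fail on high-risk findings
+if [ "$HIGH_COUNT" -gt 0 ]; then
+echo "❌ Build failed: High-risk vulnerabilities detected"
+exit 1
+fi
+
+# Warn on medium-risk findings above threshold
+if [ "$MEDIUM_COUNT" -gt 10 ]; then
+echo "⚠️ Warning: $MEDIUM_COUNT medium-risk findings (threshold: 10)"
+fi
+
+echo "✅ Security gate passed"
+else
+echo "No scan report found, skipping security gate"
+fi
+dependencies:
+- zap_baseline_scan
+only:
+- merge_requests
+- develop
+- main
+
+# Generate consolidated report
+generate_report:
+stage: report
+image: alpine:latest
+before_script:
+- apk add --no-cache jq curl
+script:
+- |
+echo "# Security Scan Report" > $REPORTS_DIR/summary.md
+echo "" >> $REPORTS_DIR/summary.md
+echo "**Scan Date:** $(date)" >> $REPORTS_DIR/summary.md
+echo "**Target:** $STAGING_URL" >> $REPORTS_DIR/summary.md
+echo "" >> $REPORTS_DIR/summary.md
+echo "## Findings Summary" >> $REPORTS_DIR/summary.md
+echo "" >> $REPORTS_DIR/summary.md
+
+if [ -f "$REPORTS_DIR/baseline-report.json" ]; then
+echo "| Risk Level | Count |" >> $REPORTS_DIR/summary.md
+echo "|------------|-------|" >> $REPORTS_DIR/summary.md
+jq -r '.site[].alerts[] | .risk' $REPORTS_DIR/baseline-report.json | \
+sort | uniq -c | awk '{print "| " $2 " | " $1 " |"}' >> $REPORTS_DIR/summary.md
+fi
+
+cat $REPORTS_DIR/summary.md
+artifacts:
+when: always
+paths:
+- $REPORTS_DIR/summary.md
+expire_in: 4 weeks
+dependencies:
+- zap_baseline_scan
+only:
+- merge_requests
+- develop
+- main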
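Review bot: The high-risk check in `zap_full_scan` (file lines 68–75) never runs as written: the job uses the stock `docker:latest` image, which does not ship `jq`, so `if command -v jq` silently skips the whole block and the job passes whatever the scan found, while `allow_failure: false` suggests the opposite. Add `- apk add --no-cache jq` in a `before_script` for that job, as `security_gate` already does, and drop the `command -v` guard so a missing tool fails loudly rather than quietly. `zap_baseline_scan` also declares `junit: $REPORTS_DIR/baseline-report.xml`, but the scan is only given `-r`, `-J` and `-w`, so that file is never written, and even with `-x` the output is ZAP's own XML schema rather than JUnit as far as I know, so the report declaration should be dropped or fed from a converted file. Finally `ZAP_IMAGE` is an unpinned `:latest` tag; pinning the scanner image to a digest keeps results reproducible and removes a mutable third-party image from the pipeline.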
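--- a/package/skills/web/zap-scan-config/assets/zap_automation.yaml
+++ b/package/skills/web/zap-scan-config/assets/zap_automation.yaml
@@ -0,0 +1,196 @@
+# OWASP ZAP Automation Framework Configuration
+# Complete automation workflow for web application security testing
+
+env:
+contexts:
+- name: WebApp-Security-Scan
+urls:
+- ${TARGET_URL}
+includePaths:
+- ${TARGET_URL}.*
+excludePaths:
+- .*logout.*
+- .*signout.*
+- .*\\.css
+- .*\\.js
+- .*\\.png
+- .*\\.jpg
+- .*\\.gif
+- .*\\.svg
+authentication:
+method: form
+parameters:
+loginUrl: ${LOGIN_URL}
+loginRequestData: username={%username%}&password={%password%}
+verification:
+method: response
+loggedInRegex: "\\QWelcome\\E"
+loggedOutRegex: "\\QLogin\\E"
+sessionManagement:
+method: cookie
+parameters:
+sessionCookieName: JSESSIONID
+users:
+- name: test-user
+credentials:
+username: ${TEST_USERNAME}
+password: ${TEST_PASSWORD}
+
+parameters:
+failOnError: true
+failOnWarning: false
+progressToStdout: true
+
+vars:
+target_url: ${TARGET_URL}
+api_key: ${ZAP_API_KEY}
+
+jobs:
+# Environment setup
+- type: environment
+parameters:
+deleteGlobalAlerts: true
+updateAddOns: true
+
+# Import OpenAPI specification (if available)
+- type: openapi
+parameters:
+apiFile: ${OPENAPI_SPEC_FILE}
+apiUrl: ${TARGET_URL}
+targetUrl: ${TARGET_URL}
+context: WebApp-Security-Scan
+optional: true
+
+# Spider crawling
+- type: spider
+parameters:
+context: WebApp-Security-Scan
+user: test-user
+maxDuration: 10
+maxDepth: 5
+maxChildren: 10
+acceptCookies: true
+handleODataParametersVisited: true
+parseComments: true
+parseRobotsTxt: true
+parseSitemapXml: true
+parseSVNEntries: true
+parseGit: true
+postForm: true
+processForm: true
+requestWaitTime: 200
+
+# AJAX Spider for JavaScript-heavy applications
+- type: spiderAjax
+parameters:
+context: WebApp-Security-Scan
+user: test-user
+maxDuration: 10
+maxCrawlDepth: 5
+numberOfBrowsers: 2
+browserId: firefox-headless
+clickDefaultElems: true
+clickElemsOnce: true
+eventWait: 1000
+reloadWait: 1000
+optional: true
+
+# Wait for passive scanning to complete
+- type: passiveScan-wait
+parameters:
+maxDuration: 5
+
+# Configure passive scan rules
+- type: passiveScan-config
+parameters:
+maxAlertsPerRule: 10
+scanOnlyInScope: true
+enableTags: true
+disableRules:
+- 10096 # Timestamp Disclosure (informational)
+
+# Active scanning
+- type: activeScan
+parameters:
+context: WebApp-Security-Scan
+user: test-user
+policy: Default Policy
+maxRuleDurationInMins: 5
+maxScanDurationInMins: 30
+addQueryParam: false
+defaultPolicy: Default Policy
+delayInMs: 0
+handleAntiCSRFTokens: true
+injectPluginIdInHeader: false
+scanHeadersAllRequests: false
+threadPerHost: 2
+
+# Wait for active scanning to complete
+- type: activeScan-wait
+
+# Generate reports
+- type: report
+parameters:
+template: traditional-html
+reportDir: ${REPORT_DIR}
+reportFile: security-report.html
+reportTitle: Web Application Security Assessment
+reportDescription: Automated DAST scan using OWASP ZAP
+displayReport: false
+
+- type: report
+parameters:
+template: traditional-json
+reportDir: ${REPORT_DIR}
+reportFile: security-report.json
+reportTitle: Web Application Security Assessment
+
+- type: report
+parameters:
+template: traditional-xml
+reportDir: ${REPORT_DIR}
+reportFile: security-report.xml
+reportTitle: Web Application Security Assessment
+
+- type: report
+parameters:
+template: sarif-json
+reportDir: ${REPORT_DIR}
+reportFile: security-report.sarif
+reportTitle: Web Application Security Assessment (SARIF)
+optional: true
+
+# Alert filters (false positive suppression)
+alertFilters:
+- ruleId: 10021
+newRisk: Info
+url: ".*\\.css|.*\\.js|.*cdn\\..*"
+context: WebApp-Security-Scan
+
+- ruleId: 10096
+newRisk: Info
+url: ".*api\\..*"
+parameter: "created_at|updated_at|timestamp"
+context: WebApp-Security-Scan
+
+# Scan policies
+policies:
+- name: Default Policy
+defaultStrength: Medium
+defaultThreshold: Medium
+rules:
+- id: 40018 # SQL Injection
+strength: High
+threshold: Low
+- id: 40012 # Cross-Site Scripting (Reflected)
+strength: High
+threshold: Low
+- id: 40014 # Cross-Site Scripting (Persistent)
+strength: High
+threshold: Low
+- id: 90019 # Server-Side Code Injection
+strength: High
+threshold: Low
+- id: 90020 # Remote OS Command Injection
+strength: High
+threshold: Low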
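Review bot: `passiveScan-config` (file line 104) is placed after `passiveScan-wait`, so `scanOnlyInScope`, `maxAlertsPerRule` and the disabled rule 10096 only apply after the spider and AJAX spider traffic has already been passively scanned; move that job directly after the `environment` job. The rendered diff has lost indentation, but `alertFilters:` (line 164) and `policies:` (line 177) appear to be top-level keys, and as far as I know the Automation Framework plan only reads `env` and `jobs`, so the false-positive filters and the raised SQLi/XSS/injection thresholds would be ignored, or rejected outright under `failOnError: true`; express them as an `- type: alertFilter` job and a `policyDefinition:` block inside the `activeScan` job. `vars.api_key: ${ZAP_API_KEY}` is declared but never referenced in the plan; a secret-bearing variable that nothing uses is better removed.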
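--- a/package/skills/web/zap-scan-config/assets/zap_context.xml
+++ b/package/skills/web/zap-scan-config/assets/zap_context.xml
@@ -0,0 +1,192 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+OWASP ZAP Authentication Context Template
+Configure this file for form-based, HTTP, or script-based authentication
+-->
+<configuration>
+<context>
+<!-- Context Name -->
+<name>WebApp-Auth-Context</name>
+<desc>Authentication context for web application security testing</desc>
+
+<!-- Enable context -->
+<inscope>true</inscope>
+
+<!-- URL Scope Definition -->
+<!-- Include all URLs under target domain -->
+<incregexes>https://app\.example\.com/.*</incregexes>
+
+<!-- Exclude logout and static content -->
+<excregexes>https://app\.example\.com/logout</excregexes>
+<excregexes>https://app\.example\.com/signout</excregexes>
+<excregexes>https://app\.example\.com/static/.*</excregexes>
+<excregexes>.*\.css</excregexes>
+<excregexes>.*\.js</excregexes>
+<excregexes>.*\.png|.*\.jpg|.*\.gif</excregexes>
+
+<!-- Technology Detection -->
+<tech>
+<include>Language</include>
+<include>Language.JavaScript</include>
+<include>OS</include>
+<include>OS.Linux</include>
+<include>WS</include>
+</tech>
+
+<!-- Authentication Configuration -->
+<authentication>
+<!--
+Authentication Types:
+- formBasedAuthentication: Traditional login forms
+- httpAuthentication: HTTP Basic/Digest/NTLM
+- scriptBasedAuthentication: Custom authentication via script
+-->
+<type>formBasedAuthentication</type>
+
+<!-- Form-Based Authentication -->
+<form>
+<!-- Login URL -->
+<loginurl>https://app.example.com/login</loginurl>
+
+<!-- Login Request Body (POST parameters) -->
+<!-- Use {%username%} and {%password%} as placeholders -->
+<loginbody>username={%username%}&password={%password%}&csrf_token={%csrf_token%}</loginbody>
+
+<!-- Login Page URL (where login form is displayed) -->
+<loginpageurl>https://app.example.com/login</loginpageurl>
+</form>
+
+<!-- HTTP Authentication (uncomment if using) -->
+<!--
+<http>
+<realm>Protected Area</realm>
+<hostname>app.example.com</hostname>
+<port>443</port>
+</http>
+-->
+
+<!-- Logged-In Indicator (regex pattern that appears when logged in) -->
+<!-- This helps ZAP determine if authentication succeeded -->
+<loggedin>\QWelcome,\E</loggedin>
+<!-- Alternative patterns:
+<loggedin>\QLogout\E</loggedin>
+<loggedin>\Qdashboard\E</loggedin>
+<loggedin>class="user-menu"</loggedin>
+-->
+
+<!-- Logged-Out Indicator (regex pattern that appears when logged out) -->
+<loggedout>\QYou are not logged in\E</loggedout>
+<!-- Alternative patterns:
+<loggedout>\QLogin\E</loggedout>
+<loggedout>\QSign In\E</loggedout>
+-->
+
+<!-- Poll URL for verification (optional) -->
+<pollurl>https://app.example.com/api/session/verify</pollurl>
+<polldata></polldata>
+<pollfreq>60</pollfreq>
+</authentication>
+
+<!-- Session Management -->
+<sessionManagement>
+<!--
+Session Management Types:
+- cookieBasedSessionManagement: Session via cookies (most common)
+- httpAuthSessionManagement: HTTP authentication
+- scriptBasedSessionManagement: Custom session handling
+-->
+<type>cookieBasedSessionManagement</type>
+
+<!-- Session cookies to monitor -->
+<sessioncookies>
+<cookie>JSESSIONID</cookie>
+<cookie>PHPSESSID</cookie>
+<cookie>sessionid</cookie>
+<cookie>session_token</cookie>
+</sessioncookies>
+</sessionManagement>
+
+<!-- Test Users -->
+<users>
+<!-- User 1: Standard test user -->
+<user>
+<name>testuser</name>
+<enabled>true</enabled>
+<credentials>
+<credential>
+<name>username</name>
+<value>testuser</value>
+</credential>
+<credential>
+<name>password</name>
+<value>TestPassword123!</value>
+</credential>
+<!-- CSRF token (if needed) -->
+<!--
+<credential>
+<name>csrf_token</name>
+<value></value>
+</credential>
+-->
+</credentials>
+</user>
+
+<!-- User 2: Admin user (if testing authorization) -->
+<user>
+<name>adminuser</name>
+<enabled>false</enabled>
+<credentials>
+<credential>
+<name>username</name>
+<value>adminuser</value>
+</credential>
+<credential>
+<name>password</name>
+<value>AdminPassword123!</value>
+</credential>
+</credentials>
+</user>
+</users>
+
+<!-- Forced User Mode (for authorization testing) -->
+<!--
+Enables testing if authenticated user can access resources
+they shouldn't have access to
+-->
+<forcedUserMode>false</forcedUserMode>
+
+<!-- Data Driven Nodes -->
+<!--
+For testing parameters with different values
+-->
+<datadrivennodes>
+<node>
+<name>user_id</name>
+<url>https://app.example.com/api/users/{user_id}</url>
+</node>
+</datadrivennodes>
+</context>
+
+<!-- Global Exclude URLs (applied to all contexts) -->
+<globalexcludeurl>
+<regex>https://.*\.googleapis\.com/.*</regex>
+<regex>https://.*\.google-analytics\.com/.*</regex>
+<regex>https://.*\.googletagmanager\.com/.*</regex>
+<regex>https://cdn\..*</regex>
+</globalexcludeurl>
+
+<!-- Anti-CSRF Token Configuration -->
+<anticsrf>
+<!-- Enable anti-CSRF token handling -->
+<enabled>true</enabled>
+
+<!-- Token names to automatically detect and handle -->
+<tokennames>
+<tokenname>csrf_token</tokenname>
+<tokenname>csrftoken</tokenname>
+<tokenname>_csrf</tokenname>
+<tokenname>authenticity_token</tokenname>
+<tokenname>__RequestVerificationToken</tokenname>
+</tokennames>
+</anticsrf>
+</configuration>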
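Review bot: `<loginbody>username={%username%}&password={%password%}&csrf_token={%csrf_token%}</loginbody>` (file line 53) is not well-formed XML: a bare `&` followed by `password=` is an undefined entity reference, so a conforming parser rejects the whole file before ZAP ever reads it; escape both separators as `&amp;`. The template also ships literal passwords in `<value>TestPassword123!</value>` (line 122) and `<value>AdminPassword123!</value>` (line 145), which will be committed verbatim by anyone who copies the file next to their `.gitlab-ci.yml`; leave those `<value>` elements empty with a comment such as `<!-- set at scan time from TEST_PASSWORD; do not commit a real value -->`, matching how the companion pipeline and automation plan already source `TEST_PASSWORD` from the environment. The header comment could also state whether this layout (`<incregexes>` and `<excregexes>` directly under `<context>`) is the format ZAP's context import accepts or a simplified template, which I cannot tell from the file alone.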
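--- a/package/skills/web/zap-scan-config/references/EXAMPLE.md
+++ b/package/skills/web/zap-scan-config/references/EXAMPLE.md
@@ -0,0 +1,40 @@
+# Reference Document Template
+
+This file contains detailed reference material that Claude should load only when needed.
+
+## Table of Contents
+
+- [Section 1](#section-1)
+- [Section 2](#section-2)
+- [Security Standards](#security-standards)
+
+## Section 1
+
+Detailed information, schemas, or examples that are too large for SKILL.md.
+
+## Section 2
+
+Additional reference material.
+
+## Security Standards
+
+### OWASP Top 10
+
+Reference relevant OWASP categories:
+- A01: Broken Access Control
+- A02: Cryptographic Failures
+- etc.
+
+### CWE Mappings
+
+Map to relevant Common Weakness Enumeration categories:
+- CWE-79: Cross-site Scripting
+- CWE-89: SQL Injection
+- etc.
+
+### MITRE ATT&CK
+
+Reference relevant tactics and techniques if applicable:
+- TA0001: Initial Access
+- T1190: Exploit Public-Facing Application
+- etc.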