buildanything 1.7.1 → 2.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude-plugin/marketplace.json +3 -3
- package/.claude-plugin/plugin.json +9 -3
- package/CHANGELOG.md +112 -0
- package/README.md +2 -2
- package/agents/a11y-architect.md +166 -0
- package/agents/business-model.md +80 -29
- package/agents/code-architect.md +75 -0
- package/agents/code-reviewer.md +255 -0
- package/agents/code-simplifier.md +64 -0
- package/agents/design-brand-guardian.md +293 -53
- package/agents/design-critic.md +139 -0
- package/agents/design-inclusive-visuals-specialist.md +6 -19
- package/agents/design-ui-designer.md +335 -56
- package/agents/design-ux-architect.md +403 -55
- package/agents/design-ux-researcher.md +264 -49
- package/agents/engineering-ai-engineer.md +26 -36
- package/agents/engineering-backend-architect.md +185 -36
- package/agents/engineering-data-engineer.md +225 -43
- package/agents/engineering-devops-automator.md +227 -74
- package/agents/engineering-frontend-developer.md +210 -34
- package/agents/engineering-mobile-app-builder.md +6 -1
- package/agents/engineering-rapid-prototyper.md +30 -9
- package/agents/engineering-security-engineer.md +263 -61
- package/agents/engineering-senior-developer.md +128 -19
- package/agents/engineering-sre.md +84 -0
- package/agents/engineering-technical-writer.md +285 -41
- package/agents/feature-intel.md +110 -0
- package/agents/ios-app-review-guardian.md +66 -0
- package/agents/ios-foundation-models-specialist.md +64 -0
- package/agents/ios-storekit-specialist.md +59 -0
- package/agents/ios-swift-architect.md +129 -0
- package/agents/ios-swift-search.md +137 -0
- package/agents/ios-swift-ui-design.md +136 -0
- package/agents/marketing-app-store-optimizer.md +246 -64
- package/agents/planner.md +216 -0
- package/agents/pr-test-analyzer.md +63 -0
- package/agents/product-feedback-synthesizer.md +8 -2
- package/agents/refactor-cleaner.md +102 -0
- package/agents/security-reviewer.md +128 -0
- package/agents/silent-failure-hunter.md +54 -0
- package/agents/swift-build-resolver.md +119 -0
- package/agents/swift-reviewer.md +112 -0
- package/agents/tech-feasibility.md +21 -1
- package/agents/testing-api-tester.md +236 -59
- package/agents/testing-evidence-collector.md +26 -1
- package/agents/testing-performance-benchmarker.md +21 -1
- package/agents/testing-reality-checker.md +6 -1
- package/agents/visual-research.md +116 -0
- package/bin/adapters/cycle-counter-tool.ts +155 -0
- package/bin/adapters/scribe-tool.ts +71 -0
- package/bin/adapters/state-save-tool.ts +130 -0
- package/bin/adapters/write-lease-tool.ts +127 -0
- package/bin/buildanything-runtime.js +15 -0
- package/bin/buildanything-runtime.ts +328 -0
- package/bin/setup.js +83 -8
- package/commands/add-feature.md +2 -0
- package/commands/build.md +752 -332
- package/commands/fix.md +65 -0
- package/commands/self-check.md +121 -0
- package/commands/setup.md +114 -0
- package/commands/ux-review.md +63 -0
- package/commands/verify.md +69 -0
- package/docs/migration/agents.yaml +729 -0
- package/docs/migration/phase-graph.yaml +1088 -0
- package/docs/migration/sdk-host-compat.md +18 -0
- package/hooks/compile-writer-owner-cache.ts +171 -0
- package/hooks/hooks.json +36 -0
- package/hooks/pre-tool-use +19 -0
- package/hooks/pre-tool-use.ts +776 -0
- package/hooks/record-mode-transitions.ts +178 -0
- package/hooks/session-start +89 -2
- package/hooks/subagent-start +17 -0
- package/hooks/subagent-start.ts +471 -0
- package/hooks/subagent-stop +17 -0
- package/hooks/subagent-stop.ts +153 -0
- package/package.json +28 -5
- package/protocols/architecture-schema.md +171 -0
- package/protocols/build-fix.md +52 -0
- package/protocols/cleanup.md +54 -0
- package/protocols/decision-log.md +131 -0
- package/protocols/eval-harness.md +61 -0
- package/protocols/fake-data-detector.md +64 -0
- package/protocols/ios-context.md +234 -0
- package/protocols/ios-frameworks-map.md +323 -0
- package/protocols/ios-phase-branches.md +337 -0
- package/protocols/ios-preflight.md +27 -0
- package/protocols/launch-readiness.md +258 -0
- package/protocols/metric-loop.md +153 -0
- package/protocols/smoke-test.md +118 -0
- package/protocols/state-schema.json +388 -0
- package/protocols/state-schema.md +172 -0
- package/protocols/verify.md +127 -0
- package/protocols/visual-dna.md +185 -0
- package/protocols/web-phase-branches.md +351 -0
- package/skills/ios/_VENDORED.md +62 -0
- package/skills/ios/activitykit/LICENSE +131 -0
- package/skills/ios/activitykit/SKILL.md +505 -0
- package/skills/ios/activitykit/references/activitykit-patterns.md +868 -0
- package/skills/ios/app-intents/LICENSE +131 -0
- package/skills/ios/app-intents/SKILL.md +494 -0
- package/skills/ios/app-intents/references/appintents-advanced.md +1076 -0
- package/skills/ios/app-store-connect-metadata/SKILL.md +148 -0
- package/skills/ios/apple-on-device-ai/LICENSE +131 -0
- package/skills/ios/apple-on-device-ai/SKILL.md +505 -0
- package/skills/ios/apple-on-device-ai/references/coreml-conversion.md +425 -0
- package/skills/ios/apple-on-device-ai/references/coreml-optimization.md +344 -0
- package/skills/ios/apple-on-device-ai/references/foundation-models.md +508 -0
- package/skills/ios/apple-on-device-ai/references/mlx-swift.md +285 -0
- package/skills/ios/asc-privacy-manifest/SKILL.md +350 -0
- package/skills/ios/hig-components-content/SKILL.md +86 -0
- package/skills/ios/hig-components-content/references/activity-views.md +79 -0
- package/skills/ios/hig-components-content/references/charts.md +180 -0
- package/skills/ios/hig-components-content/references/collections.md +48 -0
- package/skills/ios/hig-components-content/references/color-wells.md +42 -0
- package/skills/ios/hig-components-content/references/image-views.md +82 -0
- package/skills/ios/hig-components-content/references/image-wells.md +34 -0
- package/skills/ios/hig-components-content/references/lockups.md +78 -0
- package/skills/ios/hig-components-content/references/web-views.md +36 -0
- package/skills/ios/hig-components-controls/SKILL.md +88 -0
- package/skills/ios/hig-components-controls/references/combo-boxes.md +40 -0
- package/skills/ios/hig-components-controls/references/controls.md +112 -0
- package/skills/ios/hig-components-controls/references/gauges.md +74 -0
- package/skills/ios/hig-components-controls/references/labels.md +92 -0
- package/skills/ios/hig-components-controls/references/pickers.md +128 -0
- package/skills/ios/hig-components-controls/references/rating-indicators.md +38 -0
- package/skills/ios/hig-components-controls/references/segmented-controls.md +94 -0
- package/skills/ios/hig-components-controls/references/sliders.md +92 -0
- package/skills/ios/hig-components-controls/references/steppers.md +40 -0
- package/skills/ios/hig-components-controls/references/text-fields.md +88 -0
- package/skills/ios/hig-components-controls/references/text-views.md +56 -0
- package/skills/ios/hig-components-controls/references/toggles.md +127 -0
- package/skills/ios/hig-components-controls/references/token-fields.md +48 -0
- package/skills/ios/hig-components-controls/references/virtual-keyboards.md +156 -0
- package/skills/ios/hig-components-dialogs/SKILL.md +76 -0
- package/skills/ios/hig-components-dialogs/references/action-sheets.md +74 -0
- package/skills/ios/hig-components-dialogs/references/alerts.md +158 -0
- package/skills/ios/hig-components-dialogs/references/digit-entry-views.md +32 -0
- package/skills/ios/hig-components-dialogs/references/popovers.md +81 -0
- package/skills/ios/hig-components-dialogs/references/sheets.md +157 -0
- package/skills/ios/hig-components-layout/SKILL.md +99 -0
- package/skills/ios/hig-components-layout/references/boxes.md +48 -0
- package/skills/ios/hig-components-layout/references/column-views.md +44 -0
- package/skills/ios/hig-components-layout/references/lists-and-tables.md +99 -0
- package/skills/ios/hig-components-layout/references/ornaments.md +56 -0
- package/skills/ios/hig-components-layout/references/outline-views.md +64 -0
- package/skills/ios/hig-components-layout/references/panels.md +75 -0
- package/skills/ios/hig-components-layout/references/scroll-views.md +123 -0
- package/skills/ios/hig-components-layout/references/sidebars.md +109 -0
- package/skills/ios/hig-components-layout/references/split-views.md +110 -0
- package/skills/ios/hig-components-layout/references/tab-bars.md +173 -0
- package/skills/ios/hig-components-layout/references/tab-views.md +68 -0
- package/skills/ios/hig-components-layout/references/windows.md +188 -0
- package/skills/ios/hig-components-menus/SKILL.md +81 -0
- package/skills/ios/hig-components-menus/references/action-button.md +61 -0
- package/skills/ios/hig-components-menus/references/buttons.md +261 -0
- package/skills/ios/hig-components-menus/references/context-menus.md +105 -0
- package/skills/ios/hig-components-menus/references/disclosure-controls.md +84 -0
- package/skills/ios/hig-components-menus/references/dock-menus.md +40 -0
- package/skills/ios/hig-components-menus/references/edit-menus.md +88 -0
- package/skills/ios/hig-components-menus/references/menus.md +171 -0
- package/skills/ios/hig-components-menus/references/pop-up-buttons.md +70 -0
- package/skills/ios/hig-components-menus/references/pull-down-buttons.md +77 -0
- package/skills/ios/hig-components-menus/references/the-menu-bar.md +303 -0
- package/skills/ios/hig-components-menus/references/toolbars.md +256 -0
- package/skills/ios/hig-components-search/SKILL.md +68 -0
- package/skills/ios/hig-components-search/references/page-controls.md +120 -0
- package/skills/ios/hig-components-search/references/path-controls.md +40 -0
- package/skills/ios/hig-components-search/references/search-fields.md +189 -0
- package/skills/ios/hig-components-status/SKILL.md +80 -0
- package/skills/ios/hig-components-status/references/activity-rings.md +105 -0
- package/skills/ios/hig-components-status/references/progress-indicators.md +116 -0
- package/skills/ios/hig-components-status/references/status-bars.md +38 -0
- package/skills/ios/hig-components-system/SKILL.md +88 -0
- package/skills/ios/hig-components-system/references/app-clips.md +387 -0
- package/skills/ios/hig-components-system/references/app-shortcuts.md +114 -0
- package/skills/ios/hig-components-system/references/complications.md +425 -0
- package/skills/ios/hig-components-system/references/home-screen-quick-actions.md +42 -0
- package/skills/ios/hig-components-system/references/live-activities.md +442 -0
- package/skills/ios/hig-components-system/references/notifications.md +153 -0
- package/skills/ios/hig-components-system/references/top-shelf.md +135 -0
- package/skills/ios/hig-components-system/references/watch-faces.md +40 -0
- package/skills/ios/hig-components-system/references/widgets.md +517 -0
- package/skills/ios/hig-foundations/SKILL.md +98 -0
- package/skills/ios/hig-foundations/references/accessibility.md +291 -0
- package/skills/ios/hig-foundations/references/app-icons.md +210 -0
- package/skills/ios/hig-foundations/references/branding.md +44 -0
- package/skills/ios/hig-foundations/references/color.md +274 -0
- package/skills/ios/hig-foundations/references/dark-mode.md +116 -0
- package/skills/ios/hig-foundations/references/icons.md +263 -0
- package/skills/ios/hig-foundations/references/images.md +176 -0
- package/skills/ios/hig-foundations/references/immersive-experiences.md +174 -0
- package/skills/ios/hig-foundations/references/inclusion.md +189 -0
- package/skills/ios/hig-foundations/references/layout.md +425 -0
- package/skills/ios/hig-foundations/references/materials.md +238 -0
- package/skills/ios/hig-foundations/references/motion.md +103 -0
- package/skills/ios/hig-foundations/references/privacy.md +231 -0
- package/skills/ios/hig-foundations/references/right-to-left.md +206 -0
- package/skills/ios/hig-foundations/references/sf-symbols.md +310 -0
- package/skills/ios/hig-foundations/references/spatial-layout.md +142 -0
- package/skills/ios/hig-foundations/references/typography.md +1146 -0
- package/skills/ios/hig-foundations/references/writing.md +91 -0
- package/skills/ios/hig-inputs/SKILL.md +94 -0
- package/skills/ios/hig-inputs/references/apple-pencil-and-scribble.md +148 -0
- package/skills/ios/hig-inputs/references/camera-control.md +107 -0
- package/skills/ios/hig-inputs/references/digital-crown.md +83 -0
- package/skills/ios/hig-inputs/references/eyes.md +120 -0
- package/skills/ios/hig-inputs/references/focus-and-selection.md +120 -0
- package/skills/ios/hig-inputs/references/game-controls.md +156 -0
- package/skills/ios/hig-inputs/references/gestures.md +208 -0
- package/skills/ios/hig-inputs/references/gyro-and-accelerometer.md +40 -0
- package/skills/ios/hig-inputs/references/keyboards.md +234 -0
- package/skills/ios/hig-inputs/references/nearby-interactions.md +70 -0
- package/skills/ios/hig-inputs/references/pointing-devices.md +237 -0
- package/skills/ios/hig-inputs/references/remotes.md +67 -0
- package/skills/ios/hig-inputs/references/spatial-interactions.md +70 -0
- package/skills/ios/hig-patterns/SKILL.md +104 -0
- package/skills/ios/hig-patterns/references/charting-data.md +81 -0
- package/skills/ios/hig-patterns/references/collaboration-and-sharing.md +86 -0
- package/skills/ios/hig-patterns/references/drag-and-drop.md +134 -0
- package/skills/ios/hig-patterns/references/entering-data.md +69 -0
- package/skills/ios/hig-patterns/references/feedback.md +67 -0
- package/skills/ios/hig-patterns/references/file-management.md +135 -0
- package/skills/ios/hig-patterns/references/going-full-screen.md +79 -0
- package/skills/ios/hig-patterns/references/launching.md +81 -0
- package/skills/ios/hig-patterns/references/live-viewing-apps.md +79 -0
- package/skills/ios/hig-patterns/references/loading.md +59 -0
- package/skills/ios/hig-patterns/references/managing-accounts.md +107 -0
- package/skills/ios/hig-patterns/references/managing-notifications.md +99 -0
- package/skills/ios/hig-patterns/references/modality.md +82 -0
- package/skills/ios/hig-patterns/references/multitasking.md +131 -0
- package/skills/ios/hig-patterns/references/offering-help.md +117 -0
- package/skills/ios/hig-patterns/references/onboarding.md +69 -0
- package/skills/ios/hig-patterns/references/playing-audio.md +124 -0
- package/skills/ios/hig-patterns/references/playing-haptics.md +280 -0
- package/skills/ios/hig-patterns/references/playing-video.md +180 -0
- package/skills/ios/hig-patterns/references/printing.md +50 -0
- package/skills/ios/hig-patterns/references/ratings-and-reviews.md +48 -0
- package/skills/ios/hig-patterns/references/searching.md +70 -0
- package/skills/ios/hig-patterns/references/settings.md +84 -0
- package/skills/ios/hig-patterns/references/undo-and-redo.md +58 -0
- package/skills/ios/hig-patterns/references/workouts.md +76 -0
- package/skills/ios/hig-platforms/SKILL.md +84 -0
- package/skills/ios/hig-platforms/references/designing-for-games.md +159 -0
- package/skills/ios/hig-platforms/references/designing-for-ios.md +66 -0
- package/skills/ios/hig-platforms/references/designing-for-ipados.md +64 -0
- package/skills/ios/hig-platforms/references/designing-for-macos.md +70 -0
- package/skills/ios/hig-platforms/references/designing-for-tvos.md +68 -0
- package/skills/ios/hig-platforms/references/designing-for-visionos.md +85 -0
- package/skills/ios/hig-platforms/references/designing-for-watchos.md +74 -0
- package/skills/ios/hig-project-context/SKILL.md +133 -0
- package/skills/ios/hig-technologies/SKILL.md +107 -0
- package/skills/ios/hig-technologies/references/airplay.md +125 -0
- package/skills/ios/hig-technologies/references/always-on.md +62 -0
- package/skills/ios/hig-technologies/references/apple-pay.md +441 -0
- package/skills/ios/hig-technologies/references/augmented-reality.md +247 -0
- package/skills/ios/hig-technologies/references/carekit.md +224 -0
- package/skills/ios/hig-technologies/references/carplay.md +119 -0
- package/skills/ios/hig-technologies/references/game-center.md +343 -0
- package/skills/ios/hig-technologies/references/generative-ai.md +110 -0
- package/skills/ios/hig-technologies/references/healthkit.md +120 -0
- package/skills/ios/hig-technologies/references/homekit.md +343 -0
- package/skills/ios/hig-technologies/references/icloud.md +52 -0
- package/skills/ios/hig-technologies/references/id-verifier.md +73 -0
- package/skills/ios/hig-technologies/references/imessage-apps-and-stickers.md +105 -0
- package/skills/ios/hig-technologies/references/in-app-purchase.md +263 -0
- package/skills/ios/hig-technologies/references/live-photos.md +54 -0
- package/skills/ios/hig-technologies/references/mac-catalyst.md +216 -0
- package/skills/ios/hig-technologies/references/machine-learning.md +394 -0
- package/skills/ios/hig-technologies/references/maps.md +221 -0
- package/skills/ios/hig-technologies/references/nfc.md +51 -0
- package/skills/ios/hig-technologies/references/photo-editing.md +40 -0
- package/skills/ios/hig-technologies/references/researchkit.md +134 -0
- package/skills/ios/hig-technologies/references/shareplay.md +142 -0
- package/skills/ios/hig-technologies/references/shazamkit.md +47 -0
- package/skills/ios/hig-technologies/references/sign-in-with-apple.md +288 -0
- package/skills/ios/hig-technologies/references/siri.md +523 -0
- package/skills/ios/hig-technologies/references/tap-to-pay-on-iphone.md +208 -0
- package/skills/ios/hig-technologies/references/voiceover.md +90 -0
- package/skills/ios/hig-technologies/references/wallet.md +420 -0
- package/skills/ios/ios-26-platform/SKILL.md +53 -0
- package/skills/ios/ios-26-platform/references/automatic-adoption.md +161 -0
- package/skills/ios/ios-26-platform/references/backward-compat.md +238 -0
- package/skills/ios/ios-26-platform/references/liquid-glass.md +255 -0
- package/skills/ios/ios-26-platform/references/swiftui-apis.md +277 -0
- package/skills/ios/ios-26-platform/references/toolbar-navigation.md +250 -0
- package/skills/ios/ios-bootstrap/SKILL.md +107 -0
- package/skills/ios/ios-bootstrap/references/apple-docs-mcp-config.md +28 -0
- package/skills/ios/ios-bootstrap/references/new-project-dialog.md +41 -0
- package/skills/ios/ios-bootstrap/references/xcode-mcp-config.md +29 -0
- package/skills/ios/ios-debugger-agent/LICENSE +21 -0
- package/skills/ios/ios-debugger-agent/SKILL.md +58 -0
- package/skills/ios/ios-debugger-agent/agents/openai.yaml +4 -0
- package/skills/ios/ios-entitlements-generator/SKILL.md +47 -0
- package/skills/ios/ios-info-plist-hardening/SKILL.md +130 -0
- package/skills/ios/ios-maestro-flow-author/SKILL.md +68 -0
- package/skills/ios/ios-maestro-flow-author/references/input-and-scroll.yaml +17 -0
- package/skills/ios/ios-maestro-flow-author/references/modal-and-dismiss.yaml +14 -0
- package/skills/ios/ios-maestro-flow-author/references/onboarding-flow.yaml +16 -0
- package/skills/ios/ios-maestro-flow-author/references/tab-navigation.yaml +13 -0
- package/skills/ios/ios-maestro-flow-author/references/tap-and-assert.yaml +9 -0
- package/skills/ios/swift-accessibility/LICENSE +21 -0
- package/skills/ios/swift-accessibility/SKILL.md +371 -0
- package/skills/ios/swift-accessibility/examples/before-after-appkit.md +446 -0
- package/skills/ios/swift-accessibility/examples/before-after-swiftui.md +441 -0
- package/skills/ios/swift-accessibility/examples/before-after-uikit.md +464 -0
- package/skills/ios/swift-accessibility/references/assistive-access.md +441 -0
- package/skills/ios/swift-accessibility/references/display-settings.md +491 -0
- package/skills/ios/swift-accessibility/references/dynamic-type.md +420 -0
- package/skills/ios/swift-accessibility/references/media-accessibility.md +421 -0
- package/skills/ios/swift-accessibility/references/motor-input.md +393 -0
- package/skills/ios/swift-accessibility/references/nutrition-labels.md +362 -0
- package/skills/ios/swift-accessibility/references/platform-specifics.md +515 -0
- package/skills/ios/swift-accessibility/references/semantic-structure.md +585 -0
- package/skills/ios/swift-accessibility/references/testing-auditing.md +507 -0
- package/skills/ios/swift-accessibility/references/voice-control.md +317 -0
- package/skills/ios/swift-accessibility/references/voiceover-swiftui.md +584 -0
- package/skills/ios/swift-accessibility/references/voiceover-uikit.md +519 -0
- package/skills/ios/swift-accessibility/references/wcag-mapping.md +167 -0
- package/skills/ios/swift-accessibility/resources/audit-template.swift +128 -0
- package/skills/ios/swift-accessibility/resources/qa-checklist.md +258 -0
- package/skills/ios/swift-actor-persistence/SKILL.md +143 -0
- package/skills/ios/swift-concurrency/LICENSE +21 -0
- package/skills/ios/swift-concurrency/SKILL.md +171 -0
- package/skills/ios/swift-concurrency/references/_index.md +50 -0
- package/skills/ios/swift-concurrency/references/actors.md +660 -0
- package/skills/ios/swift-concurrency/references/async-algorithms.md +847 -0
- package/skills/ios/swift-concurrency/references/async-await-basics.md +266 -0
- package/skills/ios/swift-concurrency/references/async-sequences.md +710 -0
- package/skills/ios/swift-concurrency/references/core-data.md +560 -0
- package/skills/ios/swift-concurrency/references/glossary.md +135 -0
- package/skills/ios/swift-concurrency/references/linting.md +155 -0
- package/skills/ios/swift-concurrency/references/memory-management.md +569 -0
- package/skills/ios/swift-concurrency/references/migration.md +1104 -0
- package/skills/ios/swift-concurrency/references/performance.md +593 -0
- package/skills/ios/swift-concurrency/references/sendable.md +598 -0
- package/skills/ios/swift-concurrency/references/tasks.md +636 -0
- package/skills/ios/swift-concurrency/references/testing.md +592 -0
- package/skills/ios/swift-concurrency/references/threading.md +495 -0
- package/skills/ios/swift-concurrency-6-2/SKILL.md +216 -0
- package/skills/ios/swift-protocol-di-testing/SKILL.md +190 -0
- package/skills/ios/swift-security-expert/LICENSE +21 -0
- package/skills/ios/swift-security-expert/SKILL.md +470 -0
- package/skills/ios/swift-security-expert/references/biometric-authentication.md +565 -0
- package/skills/ios/swift-security-expert/references/certificate-trust.md +592 -0
- package/skills/ios/swift-security-expert/references/common-anti-patterns.md +690 -0
- package/skills/ios/swift-security-expert/references/compliance-owasp-mapping.md +537 -0
- package/skills/ios/swift-security-expert/references/credential-storage-patterns.md +721 -0
- package/skills/ios/swift-security-expert/references/cryptokit-public-key.md +505 -0
- package/skills/ios/swift-security-expert/references/cryptokit-symmetric.md +497 -0
- package/skills/ios/swift-security-expert/references/keychain-access-control.md +508 -0
- package/skills/ios/swift-security-expert/references/keychain-fundamentals.md +596 -0
- package/skills/ios/swift-security-expert/references/keychain-item-classes.md +476 -0
- package/skills/ios/swift-security-expert/references/keychain-sharing.md +458 -0
- package/skills/ios/swift-security-expert/references/migration-legacy-stores.md +727 -0
- package/skills/ios/swift-security-expert/references/secure-enclave.md +539 -0
- package/skills/ios/swift-security-expert/references/testing-security-code.md +781 -0
- package/skills/ios/swift-testing-expert/LICENSE +21 -0
- package/skills/ios/swift-testing-expert/SKILL.md +79 -0
- package/skills/ios/swift-testing-expert/references/_index.md +12 -0
- package/skills/ios/swift-testing-expert/references/async-testing-and-waiting.md +127 -0
- package/skills/ios/swift-testing-expert/references/expectations.md +145 -0
- package/skills/ios/swift-testing-expert/references/fundamentals.md +141 -0
- package/skills/ios/swift-testing-expert/references/migration-from-xctest.md +127 -0
- package/skills/ios/swift-testing-expert/references/parallelization-and-isolation.md +95 -0
- package/skills/ios/swift-testing-expert/references/parameterized-testing.md +284 -0
- package/skills/ios/swift-testing-expert/references/performance-and-best-practices.md +187 -0
- package/skills/ios/swift-testing-expert/references/traits-and-tags.md +114 -0
- package/skills/ios/swift-testing-expert/references/xcode-workflows.md +70 -0
- package/skills/ios/swiftdata-pro/LICENSE +21 -0
- package/skills/ios/swiftdata-pro/SKILL.md +102 -0
- package/skills/ios/swiftdata-pro/agents/openai.yaml +10 -0
- package/skills/ios/swiftdata-pro/assets/swiftdata-pro-icon.png +0 -0
- package/skills/ios/swiftdata-pro/assets/swiftdata-pro-icon.svg +29 -0
- package/skills/ios/swiftdata-pro/references/class-inheritance.md +104 -0
- package/skills/ios/swiftdata-pro/references/cloudkit.md +10 -0
- package/skills/ios/swiftdata-pro/references/core-rules.md +20 -0
- package/skills/ios/swiftdata-pro/references/indexing.md +27 -0
- package/skills/ios/swiftdata-pro/references/predicates.md +73 -0
- package/skills/ios/swiftui-design-principles/AGENTS.md +21 -0
- package/skills/ios/swiftui-design-principles/LICENSE +21 -0
- package/skills/ios/swiftui-design-principles/README.md +41 -0
- package/skills/ios/swiftui-design-principles/SKILL.md +605 -0
- package/skills/ios/swiftui-design-principles/metadata.json +10 -0
- package/skills/ios/swiftui-design-tokens/SKILL.md +475 -0
- package/skills/ios/swiftui-liquid-glass/LICENSE +21 -0
- package/skills/ios/swiftui-liquid-glass/SKILL.md +95 -0
- package/skills/ios/swiftui-liquid-glass/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-liquid-glass/references/liquid-glass.md +280 -0
- package/skills/ios/swiftui-performance-audit/LICENSE +21 -0
- package/skills/ios/swiftui-performance-audit/SKILL.md +111 -0
- package/skills/ios/swiftui-performance-audit/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-performance-audit/references/code-smells.md +150 -0
- package/skills/ios/swiftui-performance-audit/references/demystify-swiftui-performance-wwdc23.md +46 -0
- package/skills/ios/swiftui-performance-audit/references/optimizing-swiftui-performance-instruments.md +29 -0
- package/skills/ios/swiftui-performance-audit/references/profiling-intake.md +44 -0
- package/skills/ios/swiftui-performance-audit/references/report-template.md +47 -0
- package/skills/ios/swiftui-performance-audit/references/understanding-hangs-in-your-app.md +33 -0
- package/skills/ios/swiftui-performance-audit/references/understanding-improving-swiftui-performance.md +52 -0
- package/skills/ios/swiftui-pro/LICENSE +21 -0
- package/skills/ios/swiftui-pro/SKILL.md +108 -0
- package/skills/ios/swiftui-pro/agents/openai.yaml +10 -0
- package/skills/ios/swiftui-pro/assets/swiftui-pro-icon.png +0 -0
- package/skills/ios/swiftui-pro/assets/swiftui-pro-icon.svg +29 -0
- package/skills/ios/swiftui-pro/references/accessibility.md +13 -0
- package/skills/ios/swiftui-pro/references/api.md +39 -0
- package/skills/ios/swiftui-pro/references/data.md +43 -0
- package/skills/ios/swiftui-pro/references/design.md +31 -0
- package/skills/ios/swiftui-pro/references/hygiene.md +9 -0
- package/skills/ios/swiftui-pro/references/navigation.md +14 -0
- package/skills/ios/swiftui-pro/references/performance.md +46 -0
- package/skills/ios/swiftui-pro/references/swift.md +56 -0
- package/skills/ios/swiftui-pro/references/views.md +35 -0
- package/skills/ios/swiftui-ui-patterns/LICENSE +21 -0
- package/skills/ios/swiftui-ui-patterns/SKILL.md +100 -0
- package/skills/ios/swiftui-ui-patterns/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-ui-patterns/references/app-wiring.md +201 -0
- package/skills/ios/swiftui-ui-patterns/references/async-state.md +96 -0
- package/skills/ios/swiftui-ui-patterns/references/components-index.md +50 -0
- package/skills/ios/swiftui-ui-patterns/references/controls.md +57 -0
- package/skills/ios/swiftui-ui-patterns/references/deeplinks.md +66 -0
- package/skills/ios/swiftui-ui-patterns/references/focus.md +90 -0
- package/skills/ios/swiftui-ui-patterns/references/form.md +97 -0
- package/skills/ios/swiftui-ui-patterns/references/grids.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/haptics.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/input-toolbar.md +51 -0
- package/skills/ios/swiftui-ui-patterns/references/lightweight-clients.md +93 -0
- package/skills/ios/swiftui-ui-patterns/references/list.md +86 -0
- package/skills/ios/swiftui-ui-patterns/references/loading-placeholders.md +38 -0
- package/skills/ios/swiftui-ui-patterns/references/macos-settings.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/matched-transitions.md +59 -0
- package/skills/ios/swiftui-ui-patterns/references/media.md +73 -0
- package/skills/ios/swiftui-ui-patterns/references/menu-bar.md +101 -0
- package/skills/ios/swiftui-ui-patterns/references/navigationstack.md +159 -0
- package/skills/ios/swiftui-ui-patterns/references/overlay.md +45 -0
- package/skills/ios/swiftui-ui-patterns/references/performance.md +62 -0
- package/skills/ios/swiftui-ui-patterns/references/previews.md +48 -0
- package/skills/ios/swiftui-ui-patterns/references/scroll-reveal.md +133 -0
- package/skills/ios/swiftui-ui-patterns/references/scrollview.md +87 -0
- package/skills/ios/swiftui-ui-patterns/references/searchable.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/sheets.md +155 -0
- package/skills/ios/swiftui-ui-patterns/references/split-views.md +72 -0
- package/skills/ios/swiftui-ui-patterns/references/tabview.md +114 -0
- package/skills/ios/swiftui-ui-patterns/references/theming.md +71 -0
- package/skills/ios/swiftui-ui-patterns/references/title-menus.md +93 -0
- package/skills/ios/swiftui-ui-patterns/references/top-bar.md +49 -0
- package/skills/ios/swiftui-view-refactor/LICENSE +21 -0
- package/skills/ios/swiftui-view-refactor/SKILL.md +207 -0
- package/skills/ios/swiftui-view-refactor/agents/openai.yaml +4 -0
- package/skills/ios/swiftui-view-refactor/references/mv-patterns.md +161 -0
- package/skills/ios/widgetkit/LICENSE +131 -0
- package/skills/ios/widgetkit/SKILL.md +502 -0
- package/skills/ios/widgetkit/references/widgetkit-advanced.md +871 -0
- package/skills/ios/writing-for-interfaces/SKILL.md +75 -0
- package/skills/web/accessibility/SKILL.md +146 -0
- package/skills/web/aceternity-ui/SKILL.md +719 -0
- package/skills/web/aceternity-ui/metadata.json +10 -0
- package/skills/web/api-design/SKILL.md +523 -0
- package/skills/web/chart-accessibility/SKILL.md +332 -0
- package/skills/web/composition-patterns/AGENTS.md +946 -0
- package/skills/web/composition-patterns/README.md +60 -0
- package/skills/web/composition-patterns/SKILL.md +89 -0
- package/skills/web/composition-patterns/metadata.json +11 -0
- package/skills/web/composition-patterns/rules/_sections.md +29 -0
- package/skills/web/composition-patterns/rules/_template.md +24 -0
- package/skills/web/composition-patterns/rules/architecture-avoid-boolean-props.md +100 -0
- package/skills/web/composition-patterns/rules/architecture-compound-components.md +112 -0
- package/skills/web/composition-patterns/rules/patterns-children-over-render-props.md +87 -0
- package/skills/web/composition-patterns/rules/patterns-explicit-variants.md +100 -0
- package/skills/web/composition-patterns/rules/react19-no-forwardref.md +42 -0
- package/skills/web/composition-patterns/rules/state-context-interface.md +191 -0
- package/skills/web/composition-patterns/rules/state-decouple-implementation.md +113 -0
- package/skills/web/composition-patterns/rules/state-lift-state.md +125 -0
- package/skills/web/cost-aware-llm-pipeline/SKILL.md +183 -0
- package/skills/web/database-migrations/SKILL.md +429 -0
- package/skills/web/deployment-patterns/SKILL.md +427 -0
- package/skills/web/docker-patterns/SKILL.md +364 -0
- package/skills/web/e2e-testing/SKILL.md +326 -0
- package/skills/web/lighthouse-ci/SKILL.md +361 -0
- package/skills/web/mcp-server-patterns/SKILL.md +69 -0
- package/skills/web/next-best-practices/SKILL.md +153 -0
- package/skills/web/next-best-practices/async-patterns.md +87 -0
- package/skills/web/next-best-practices/bundling.md +180 -0
- package/skills/web/next-best-practices/data-patterns.md +297 -0
- package/skills/web/next-best-practices/debug-tricks.md +105 -0
- package/skills/web/next-best-practices/directives.md +73 -0
- package/skills/web/next-best-practices/error-handling.md +227 -0
- package/skills/web/next-best-practices/file-conventions.md +140 -0
- package/skills/web/next-best-practices/font.md +245 -0
- package/skills/web/next-best-practices/functions.md +108 -0
- package/skills/web/next-best-practices/hydration-error.md +91 -0
- package/skills/web/next-best-practices/image.md +173 -0
- package/skills/web/next-best-practices/metadata.md +301 -0
- package/skills/web/next-best-practices/parallel-routes.md +287 -0
- package/skills/web/next-best-practices/route-handlers.md +146 -0
- package/skills/web/next-best-practices/rsc-boundaries.md +159 -0
- package/skills/web/next-best-practices/runtime-selection.md +39 -0
- package/skills/web/next-best-practices/scripts.md +141 -0
- package/skills/web/next-best-practices/self-hosting.md +371 -0
- package/skills/web/next-best-practices/suspense-boundaries.md +67 -0
- package/skills/web/next-cache-components/SKILL.md +411 -0
- package/skills/web/postgres-best-practices/SKILL.md +14 -0
- package/skills/web/postgres-best-practices/references/schema-design.md +9 -0
- package/skills/web/react-best-practices/AGENTS.md +3810 -0
- package/skills/web/react-best-practices/README.md +123 -0
- package/skills/web/react-best-practices/SKILL.md +149 -0
- package/skills/web/react-best-practices/metadata.json +15 -0
- package/skills/web/react-best-practices/rules/_sections.md +46 -0
- package/skills/web/react-best-practices/rules/_template.md +28 -0
- package/skills/web/react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/skills/web/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/skills/web/react-best-practices/rules/advanced-init-once.md +42 -0
- package/skills/web/react-best-practices/rules/advanced-use-latest.md +39 -0
- package/skills/web/react-best-practices/rules/async-api-routes.md +38 -0
- package/skills/web/react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/skills/web/react-best-practices/rules/async-defer-await.md +82 -0
- package/skills/web/react-best-practices/rules/async-dependencies.md +51 -0
- package/skills/web/react-best-practices/rules/async-parallel.md +28 -0
- package/skills/web/react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/skills/web/react-best-practices/rules/bundle-analyzable-paths.md +63 -0
- package/skills/web/react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/skills/web/react-best-practices/rules/bundle-conditional.md +31 -0
- package/skills/web/react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/skills/web/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/skills/web/react-best-practices/rules/bundle-preload.md +50 -0
- package/skills/web/react-best-practices/rules/client-event-listeners.md +74 -0
- package/skills/web/react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/skills/web/react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/skills/web/react-best-practices/rules/client-swr-dedup.md +56 -0
- package/skills/web/react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/skills/web/react-best-practices/rules/js-cache-function-results.md +80 -0
- package/skills/web/react-best-practices/rules/js-cache-property-access.md +28 -0
- package/skills/web/react-best-practices/rules/js-cache-storage.md +70 -0
- package/skills/web/react-best-practices/rules/js-combine-iterations.md +32 -0
- package/skills/web/react-best-practices/rules/js-early-exit.md +50 -0
- package/skills/web/react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/skills/web/react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/skills/web/react-best-practices/rules/js-index-maps.md +37 -0
- package/skills/web/react-best-practices/rules/js-length-check-first.md +49 -0
- package/skills/web/react-best-practices/rules/js-min-max-loop.md +82 -0
- package/skills/web/react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/skills/web/react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/skills/web/react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/skills/web/react-best-practices/rules/rendering-activity.md +26 -0
- package/skills/web/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/skills/web/react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/skills/web/react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/skills/web/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/skills/web/react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/skills/web/react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/skills/web/react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/skills/web/react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/skills/web/react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/skills/web/react-best-practices/rules/rerender-dependencies.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state.md +29 -0
- package/skills/web/react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/skills/web/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/skills/web/react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/skills/web/react-best-practices/rules/rerender-memo.md +44 -0
- package/skills/web/react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/skills/web/react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/skills/web/react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/skills/web/react-best-practices/rules/rerender-transitions.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/skills/web/react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/skills/web/react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/skills/web/react-best-practices/rules/server-auth-actions.md +96 -0
- package/skills/web/react-best-practices/rules/server-cache-lru.md +41 -0
- package/skills/web/react-best-practices/rules/server-cache-react.md +76 -0
- package/skills/web/react-best-practices/rules/server-dedup-props.md +65 -0
- package/skills/web/react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/skills/web/react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/skills/web/react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/skills/web/react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/skills/web/react-best-practices/rules/server-serialization.md +38 -0
- package/skills/web/seo/SKILL.md +154 -0
- package/skills/web/web-design-guidelines/SKILL.md +39 -0
- package/skills/web/zap-scan-config/SKILL.md +444 -0
- package/skills/web/zap-scan-config/assets/.gitkeep +9 -0
- package/skills/web/zap-scan-config/assets/github_action.yml +207 -0
- package/skills/web/zap-scan-config/assets/gitlab_ci.yml +226 -0
- package/skills/web/zap-scan-config/assets/zap_automation.yaml +196 -0
- package/skills/web/zap-scan-config/assets/zap_context.xml +192 -0
- package/skills/web/zap-scan-config/references/EXAMPLE.md +40 -0
- package/skills/web/zap-scan-config/references/api_testing_guide.md +475 -0
- package/skills/web/zap-scan-config/references/authentication_guide.md +431 -0
- package/skills/web/zap-scan-config/references/false_positive_handling.md +427 -0
- package/skills/web/zap-scan-config/references/owasp_mapping.md +255 -0
- package/src/lrr/aggregator.ts +80 -0
- package/src/orchestrator/hooks/context-header.ts +95 -0
- package/src/orchestrator/hooks/token-accounting-emitter.ts +77 -0
- package/src/orchestrator/hooks/token-accounting.ts +101 -0
- package/src/orchestrator/mcp/cycle-counter.ts +129 -0
- package/src/orchestrator/mcp/scribe.ts +283 -0
- package/src/orchestrator/mcp/state-save.ts +149 -0
- package/src/orchestrator/mcp/write-lease.ts +167 -0
- package/src/orchestrator/phase4-shared-context.ts +41 -0
- package/src/orchestrator/schemas/backward-edge.ts +46 -0
- package/agents/agentic-identity-trust.md +0 -121
- package/agents/data-consolidation-agent.md +0 -39
- package/agents/design-image-prompt-engineer.md +0 -105
- package/agents/design-visual-storyteller.md +0 -147
- package/agents/design-whimsy-injector.md +0 -89
- package/agents/engineering-autonomous-optimization-architect.md +0 -105
- package/agents/market-intel.md +0 -35
- package/agents/marketing-instagram-curator.md +0 -111
- package/agents/marketing-reddit-community-builder.md +0 -121
- package/agents/marketing-social-media-strategist.md +0 -74
- package/agents/marketing-tiktok-strategist.md +0 -123
- package/agents/marketing-twitter-engager.md +0 -124
- package/agents/marketing-wechat-official-account.md +0 -143
- package/agents/marketing-xiaohongshu-specialist.md +0 -136
- package/agents/marketing-zhihu-strategist.md +0 -160
- package/agents/product-behavioral-nudge-engine.md +0 -78
- package/agents/project-management-experiment-tracker.md +0 -102
- package/agents/report-distribution-agent.md +0 -43
- package/agents/risk-analysis.md +0 -45
- package/agents/sales-data-extraction-agent.md +0 -46
- package/agents/specialized-cultural-intelligence-strategist.md +0 -65
- package/agents/specialized-developer-advocate.md +0 -146
- package/agents/support-analytics-reporter.md +0 -133
- package/agents/support-executive-summary-generator.md +0 -64
- package/agents/support-finance-tracker.md +0 -145
- package/agents/support-legal-compliance-checker.md +0 -129
- package/agents/support-support-responder.md +0 -91
- package/agents/testing-accessibility-auditor.md +0 -110
- package/agents/testing-test-results-analyzer.md +0 -97
- package/agents/testing-tool-evaluator.md +0 -76
- package/agents/testing-workflow-optimizer.md +0 -99
- package/agents/user-research.md +0 -40
|
@@ -0,0 +1,431 @@
|
|
|
1
|
+
# ZAP Authentication Configuration Guide
|
|
2
|
+
|
|
3
|
+
Comprehensive guide for configuring authenticated scanning in OWASP ZAP for form-based, token-based, and OAuth authentication.
|
|
4
|
+
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
Authenticated scanning is critical for testing protected application areas that require login. ZAP supports multiple authentication methods:
|
|
8
|
+
|
|
9
|
+
- **Form-Based Authentication** - Traditional username/password login forms
|
|
10
|
+
- **HTTP Authentication** - Basic, Digest, NTLM authentication
|
|
11
|
+
- **Script-Based Authentication** - Custom authentication flows (OAuth, SAML)
|
|
12
|
+
- **Token-Based Authentication** - Bearer tokens, API keys, JWT
|
|
13
|
+
|
|
14
|
+
## Form-Based Authentication
|
|
15
|
+
|
|
16
|
+
### Configuration Steps
|
|
17
|
+
|
|
18
|
+
1. **Identify Login Parameters**
|
|
19
|
+
- Login URL
|
|
20
|
+
- Username field name
|
|
21
|
+
- Password field name
|
|
22
|
+
- Submit button/action
|
|
23
|
+
|
|
24
|
+
2. **Create Authentication Context**
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
# Use bundled script
|
|
28
|
+
python3 scripts/zap_auth_scanner.py \
|
|
29
|
+
--target https://app.example.com \
|
|
30
|
+
--auth-type form \
|
|
31
|
+
--login-url https://app.example.com/login \
|
|
32
|
+
--username testuser \
|
|
33
|
+
--password-env APP_PASSWORD \
|
|
34
|
+
--verification-url https://app.example.com/dashboard \
|
|
35
|
+
--output authenticated-scan-report.html
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
3. **Configure Logged-In Indicator**
|
|
39
|
+
|
|
40
|
+
Specify a regex pattern that appears only when logged in:
|
|
41
|
+
- Example: `Welcome, testuser`
|
|
42
|
+
- Example: `<a href="/logout">Logout</a>`
|
|
43
|
+
- Example: Check for presence of dashboard elements
|
|
44
|
+
|
|
45
|
+
### Manual Context Configuration
|
|
46
|
+
|
|
47
|
+
Create `auth-context.xml`:
|
|
48
|
+
|
|
49
|
+
```xml
|
|
50
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
51
|
+
<configuration>
|
|
52
|
+
<context>
|
|
53
|
+
<name>WebAppAuth</name>
|
|
54
|
+
<desc>Authenticated scanning context</desc>
|
|
55
|
+
<inscope>true</inscope>
|
|
56
|
+
<incregexes>https://app\.example\.com/.*</incregexes>
|
|
57
|
+
|
|
58
|
+
<authentication>
|
|
59
|
+
<type>formBasedAuthentication</type>
|
|
60
|
+
<form>
|
|
61
|
+
<loginurl>https://app.example.com/login</loginurl>
|
|
62
|
+
<loginbody>username={%username%}&password={%password%}</loginbody>
|
|
63
|
+
<loginpageurl>https://app.example.com/login</loginpageurl>
|
|
64
|
+
</form>
|
|
65
|
+
<loggedin>\QWelcome,\E</loggedin>
|
|
66
|
+
<loggedout>\QYou are not logged in\E</loggedout>
|
|
67
|
+
</authentication>
|
|
68
|
+
|
|
69
|
+
<users>
|
|
70
|
+
<user>
|
|
71
|
+
<name>testuser</name>
|
|
72
|
+
<credentials>
|
|
73
|
+
<credential>
|
|
74
|
+
<name>username</name>
|
|
75
|
+
<value>testuser</value>
|
|
76
|
+
</credential>
|
|
77
|
+
<credential>
|
|
78
|
+
<name>password</name>
|
|
79
|
+
<value>SecureP@ssw0rd</value>
|
|
80
|
+
</credential>
|
|
81
|
+
</credentials>
|
|
82
|
+
<enabled>true</enabled>
|
|
83
|
+
</user>
|
|
84
|
+
</users>
|
|
85
|
+
|
|
86
|
+
<sessionManagement>
|
|
87
|
+
<type>cookieBasedSessionManagement</type>
|
|
88
|
+
</sessionManagement>
|
|
89
|
+
</context>
|
|
90
|
+
</configuration>
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
Run scan with context:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
docker run --rm \
|
|
97
|
+
-v $(pwd):/zap/wrk/:rw \
|
|
98
|
+
-t zaproxy/zap-stable \
|
|
99
|
+
zap-full-scan.py \
|
|
100
|
+
-t https://app.example.com \
|
|
101
|
+
-n /zap/wrk/auth-context.xml \
|
|
102
|
+
-r /zap/wrk/auth-report.html
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
## Token-Based Authentication (Bearer Tokens)
|
|
106
|
+
|
|
107
|
+
### JWT/Bearer Token Configuration
|
|
108
|
+
|
|
109
|
+
1. **Obtain Authentication Token**
|
|
110
|
+
|
|
111
|
+
```bash
|
|
112
|
+
# Example: Login to get token
|
|
113
|
+
TOKEN=$(curl -X POST https://api.example.com/auth/login \
|
|
114
|
+
-H "Content-Type: application/json" \
|
|
115
|
+
-d '{"username":"testuser","password":"password"}' \
|
|
116
|
+
| jq -r '.token')
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
2. **Configure ZAP to Include Token**
|
|
120
|
+
|
|
121
|
+
Use ZAP Replacer to add Authorization header:
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
python3 scripts/zap_auth_scanner.py \
|
|
125
|
+
--target https://api.example.com \
|
|
126
|
+
--auth-type bearer \
|
|
127
|
+
--token-env API_TOKEN \
|
|
128
|
+
--output api-auth-scan.html
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
### Manual Token Configuration
|
|
132
|
+
|
|
133
|
+
Using ZAP automation framework (`zap_automation.yaml`):
|
|
134
|
+
|
|
135
|
+
```yaml
|
|
136
|
+
env:
|
|
137
|
+
contexts:
|
|
138
|
+
- name: API-Context
|
|
139
|
+
urls:
|
|
140
|
+
- https://api.example.com
|
|
141
|
+
authentication:
|
|
142
|
+
method: header
|
|
143
|
+
parameters:
|
|
144
|
+
header: Authorization
|
|
145
|
+
value: "Bearer ${API_TOKEN}"
|
|
146
|
+
sessionManagement:
|
|
147
|
+
method: cookie
|
|
148
|
+
|
|
149
|
+
jobs:
|
|
150
|
+
- type: spider
|
|
151
|
+
parameters:
|
|
152
|
+
context: API-Context
|
|
153
|
+
user: api-user
|
|
154
|
+
|
|
155
|
+
- type: activeScan
|
|
156
|
+
parameters:
|
|
157
|
+
context: API-Context
|
|
158
|
+
user: api-user
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
## OAuth 2.0 Authentication
|
|
162
|
+
|
|
163
|
+
### Authorization Code Flow
|
|
164
|
+
|
|
165
|
+
1. **Manual Browser-Based Token Acquisition**
|
|
166
|
+
|
|
167
|
+
```bash
|
|
168
|
+
# Step 1: Get authorization code (open in browser)
|
|
169
|
+
https://oauth.example.com/authorize?
|
|
170
|
+
client_id=YOUR_CLIENT_ID&
|
|
171
|
+
redirect_uri=http://localhost:8080/callback&
|
|
172
|
+
response_type=code&
|
|
173
|
+
scope=openid profile
|
|
174
|
+
|
|
175
|
+
# Step 2: Exchange code for token
|
|
176
|
+
TOKEN=$(curl -X POST https://oauth.example.com/token \
|
|
177
|
+
-d "grant_type=authorization_code" \
|
|
178
|
+
-d "code=AUTH_CODE_FROM_STEP_1" \
|
|
179
|
+
-d "client_id=YOUR_CLIENT_ID" \
|
|
180
|
+
-d "client_secret=YOUR_CLIENT_SECRET" \
|
|
181
|
+
-d "redirect_uri=http://localhost:8080/callback" \
|
|
182
|
+
| jq -r '.access_token')
|
|
183
|
+
|
|
184
|
+
# Step 3: Use token in ZAP scan
|
|
185
|
+
export API_TOKEN="$TOKEN"
|
|
186
|
+
python3 scripts/zap_auth_scanner.py \
|
|
187
|
+
--target https://api.example.com \
|
|
188
|
+
--auth-type bearer \
|
|
189
|
+
--token-env API_TOKEN
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
### Client Credentials Flow (Service-to-Service)
|
|
193
|
+
|
|
194
|
+
```bash
|
|
195
|
+
# Obtain token using client credentials
|
|
196
|
+
TOKEN=$(curl -X POST https://oauth.example.com/token \
|
|
197
|
+
-d "grant_type=client_credentials" \
|
|
198
|
+
-d "client_id=YOUR_CLIENT_ID" \
|
|
199
|
+
-d "client_secret=YOUR_CLIENT_SECRET" \
|
|
200
|
+
-d "scope=api.read api.write" \
|
|
201
|
+
| jq -r '.access_token')
|
|
202
|
+
|
|
203
|
+
export API_TOKEN="$TOKEN"
|
|
204
|
+
|
|
205
|
+
# Run authenticated scan
|
|
206
|
+
python3 scripts/zap_auth_scanner.py \
|
|
207
|
+
--target https://api.example.com \
|
|
208
|
+
--auth-type bearer \
|
|
209
|
+
--token-env API_TOKEN
|
|
210
|
+
```
|
|
211
|
+
|
|
212
|
+
## HTTP Basic/Digest Authentication
|
|
213
|
+
|
|
214
|
+
### Basic Authentication
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
# Option 1: Using environment variable
|
|
218
|
+
export BASIC_AUTH="dGVzdHVzZXI6cGFzc3dvcmQ=" # base64(testuser:password)
|
|
219
|
+
|
|
220
|
+
# Option 2: Using script
|
|
221
|
+
python3 scripts/zap_auth_scanner.py \
|
|
222
|
+
--target https://app.example.com \
|
|
223
|
+
--auth-type http \
|
|
224
|
+
--username testuser \
|
|
225
|
+
--password-env HTTP_PASSWORD
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
### Digest Authentication
|
|
229
|
+
|
|
230
|
+
Similar to Basic, but ZAP automatically handles the challenge-response:
|
|
231
|
+
|
|
232
|
+
```bash
|
|
233
|
+
docker run --rm \
|
|
234
|
+
-v $(pwd):/zap/wrk/:rw \
|
|
235
|
+
-t zaproxy/zap-stable \
|
|
236
|
+
zap-full-scan.py \
|
|
237
|
+
-t https://app.example.com \
|
|
238
|
+
-n /zap/wrk/digest-auth-context.xml \
|
|
239
|
+
-r /zap/wrk/digest-auth-report.html
|
|
240
|
+
```
|
|
241
|
+
|
|
242
|
+
## Session Management
|
|
243
|
+
|
|
244
|
+
### Cookie-Based Sessions
|
|
245
|
+
|
|
246
|
+
**Default Behavior:** ZAP automatically manages cookies.
|
|
247
|
+
|
|
248
|
+
**Custom Configuration:**
|
|
249
|
+
- Set session cookie name in context
|
|
250
|
+
- Configure session timeout
|
|
251
|
+
- Define re-authentication triggers
|
|
252
|
+
|
|
253
|
+
### Token Refresh Handling
|
|
254
|
+
|
|
255
|
+
For tokens that expire during scan:
|
|
256
|
+
|
|
257
|
+
```yaml
|
|
258
|
+
# zap_automation.yaml
|
|
259
|
+
env:
|
|
260
|
+
contexts:
|
|
261
|
+
- name: API-Context
|
|
262
|
+
authentication:
|
|
263
|
+
method: script
|
|
264
|
+
parameters:
|
|
265
|
+
script: |
|
|
266
|
+
// JavaScript to refresh token
|
|
267
|
+
function authenticate(helper, paramsValues, credentials) {
|
|
268
|
+
var loginUrl = "https://api.example.com/auth/login";
|
|
269
|
+
var postData = '{"username":"' + credentials.getParam("username") +
|
|
270
|
+
'","password":"' + credentials.getParam("password") + '"}';
|
|
271
|
+
|
|
272
|
+
var msg = helper.prepareMessage();
|
|
273
|
+
msg.setRequestHeader("POST " + loginUrl + " HTTP/1.1");
|
|
274
|
+
msg.setRequestBody(postData);
|
|
275
|
+
helper.sendAndReceive(msg);
|
|
276
|
+
|
|
277
|
+
var response = msg.getResponseBody().toString();
|
|
278
|
+
var token = JSON.parse(response).token;
|
|
279
|
+
|
|
280
|
+
// Store token for use in requests
|
|
281
|
+
helper.getHttpSender().setRequestHeader("Authorization", "Bearer " + token);
|
|
282
|
+
return msg;
|
|
283
|
+
}
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
## Verification and Troubleshooting
|
|
287
|
+
|
|
288
|
+
### Verify Authentication is Working
|
|
289
|
+
|
|
290
|
+
1. **Check Logged-In Indicator**
|
|
291
|
+
|
|
292
|
+
Run a spider scan and verify protected pages are accessed:
|
|
293
|
+
|
|
294
|
+
```bash
|
|
295
|
+
# Look for dashboard, profile, or other authenticated pages in spider results
|
|
296
|
+
```
|
|
297
|
+
|
|
298
|
+
2. **Monitor Authentication Requests**
|
|
299
|
+
|
|
300
|
+
Enable ZAP logging to see authentication attempts:
|
|
301
|
+
|
|
302
|
+
```bash
|
|
303
|
+
docker run --rm \
|
|
304
|
+
-v $(pwd):/zap/wrk/:rw \
|
|
305
|
+
-e ZAP_LOG_LEVEL=DEBUG \
|
|
306
|
+
-t zaproxy/zap-stable \
|
|
307
|
+
zap-full-scan.py -t https://app.example.com -n /zap/wrk/context.xml
|
|
308
|
+
```
|
|
309
|
+
|
|
310
|
+
3. **Test with Manual Request**
|
|
311
|
+
|
|
312
|
+
Send a manual authenticated request via ZAP GUI or API to verify credentials work.
|
|
313
|
+
|
|
314
|
+
### Common Authentication Issues
|
|
315
|
+
|
|
316
|
+
#### Issue: Session Expires During Scan
|
|
317
|
+
|
|
318
|
+
**Solution:** Configure re-authentication:
|
|
319
|
+
|
|
320
|
+
```python
|
|
321
|
+
# In zap_auth_scanner.py, add re-authentication trigger
|
|
322
|
+
--re-authenticate-on 401,403 \
|
|
323
|
+
--verification-interval 300 # Check every 5 minutes
|
|
324
|
+
```
|
|
325
|
+
|
|
326
|
+
#### Issue: CSRF Tokens Required
|
|
327
|
+
|
|
328
|
+
**Solution:** Use anti-CSRF token handling:
|
|
329
|
+
|
|
330
|
+
```yaml
|
|
331
|
+
# zap_automation.yaml
|
|
332
|
+
env:
|
|
333
|
+
contexts:
|
|
334
|
+
- name: WebApp
|
|
335
|
+
authentication:
|
|
336
|
+
verification:
|
|
337
|
+
method: response
|
|
338
|
+
loggedInRegex: "\\QWelcome\\E"
|
|
339
|
+
sessionManagement:
|
|
340
|
+
method: cookie
|
|
341
|
+
parameters:
|
|
342
|
+
antiCsrfTokens: true
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
#### Issue: Rate Limiting Blocking Authentication
|
|
346
|
+
|
|
347
|
+
**Solution:** Slow down scan:
|
|
348
|
+
|
|
349
|
+
```bash
|
|
350
|
+
docker run -t zaproxy/zap-stable zap-full-scan.py \
|
|
351
|
+
-t https://app.example.com \
|
|
352
|
+
-z "-config scanner.delayInMs=2000 -config scanner.threadPerHost=1"
|
|
353
|
+
```
|
|
354
|
+
|
|
355
|
+
#### Issue: Multi-Step Login (MFA)
|
|
356
|
+
|
|
357
|
+
**Solution:** Use script-based authentication with Selenium or manual token acquisition.
|
|
358
|
+
|
|
359
|
+
## Security Best Practices
|
|
360
|
+
|
|
361
|
+
1. **Never Hardcode Credentials**
|
|
362
|
+
- Use environment variables
|
|
363
|
+
- Use secrets management tools (Vault, AWS Secrets Manager)
|
|
364
|
+
|
|
365
|
+
2. **Use Dedicated Test Accounts**
|
|
366
|
+
- Create accounts specifically for security testing
|
|
367
|
+
- Limit permissions to test data only
|
|
368
|
+
- Monitor for abuse
|
|
369
|
+
|
|
370
|
+
3. **Rotate Credentials Regularly**
|
|
371
|
+
- Change test account passwords after each scan
|
|
372
|
+
- Rotate API tokens frequently
|
|
373
|
+
|
|
374
|
+
4. **Log Authentication Attempts**
|
|
375
|
+
- Monitor for failed authentication attempts
|
|
376
|
+
- Alert on unusual patterns
|
|
377
|
+
|
|
378
|
+
5. **Secure Context Files**
|
|
379
|
+
- Never commit context files with credentials to version control
|
|
380
|
+
- Use `.gitignore` to exclude `*.context` files
|
|
381
|
+
- Encrypt context files at rest
|
|
382
|
+
|
|
383
|
+
## Examples by Framework
|
|
384
|
+
|
|
385
|
+
### Django Application
|
|
386
|
+
|
|
387
|
+
```bash
|
|
388
|
+
# Django CSRF token handling
|
|
389
|
+
python3 scripts/zap_auth_scanner.py \
|
|
390
|
+
--target https://django-app.example.com \
|
|
391
|
+
--auth-type form \
|
|
392
|
+
--login-url https://django-app.example.com/accounts/login/ \
|
|
393
|
+
--username testuser \
|
|
394
|
+
--password-env DJANGO_PASSWORD \
|
|
395
|
+
--verification-url https://django-app.example.com/dashboard/
|
|
396
|
+
```
|
|
397
|
+
|
|
398
|
+
### Spring Boot Application
|
|
399
|
+
|
|
400
|
+
```bash
|
|
401
|
+
# Spring Security form login
|
|
402
|
+
python3 scripts/zap_auth_scanner.py \
|
|
403
|
+
--target https://spring-app.example.com \
|
|
404
|
+
--auth-type form \
|
|
405
|
+
--login-url https://spring-app.example.com/login \
|
|
406
|
+
--username testuser \
|
|
407
|
+
--password-env SPRING_PASSWORD
|
|
408
|
+
```
|
|
409
|
+
|
|
410
|
+
### React SPA with JWT
|
|
411
|
+
|
|
412
|
+
```bash
|
|
413
|
+
# Get JWT from API, then scan
|
|
414
|
+
TOKEN=$(curl -X POST https://api.example.com/auth/login \
|
|
415
|
+
-H "Content-Type: application/json" \
|
|
416
|
+
-d '{"email":"test@example.com","password":"password"}' \
|
|
417
|
+
| jq -r '.token')
|
|
418
|
+
|
|
419
|
+
export API_TOKEN="$TOKEN"
|
|
420
|
+
|
|
421
|
+
python3 scripts/zap_auth_scanner.py \
|
|
422
|
+
--target https://spa.example.com \
|
|
423
|
+
--auth-type bearer \
|
|
424
|
+
--token-env API_TOKEN
|
|
425
|
+
```
|
|
426
|
+
|
|
427
|
+
## Additional Resources
|
|
428
|
+
|
|
429
|
+
- [ZAP Authentication Documentation](https://www.zaproxy.org/docs/desktop/start/features/authentication/)
|
|
430
|
+
- [ZAP Session Management](https://www.zaproxy.org/docs/desktop/start/features/sessionmanagement/)
|
|
431
|
+
- [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749)
|