buildanything 1.8.0 → 2.0.0
- package/.claude-plugin/marketplace.json +3 -3
- package/.claude-plugin/plugin.json +9 -3
- package/CHANGELOG.md +57 -0
- package/README.md +2 -2
- package/agents/a11y-architect.md +166 -0
- package/agents/business-model.md +80 -29
- package/agents/code-architect.md +75 -0
- package/agents/code-reviewer.md +255 -0
- package/agents/code-simplifier.md +64 -0
- package/agents/design-brand-guardian.md +293 -53
- package/agents/design-critic.md +139 -0
- package/agents/design-inclusive-visuals-specialist.md +6 -19
- package/agents/design-ui-designer.md +335 -56
- package/agents/design-ux-architect.md +403 -55
- package/agents/design-ux-researcher.md +264 -49
- package/agents/engineering-ai-engineer.md +26 -36
- package/agents/engineering-backend-architect.md +185 -36
- package/agents/engineering-data-engineer.md +225 -43
- package/agents/engineering-devops-automator.md +227 -74
- package/agents/engineering-frontend-developer.md +210 -34
- package/agents/engineering-mobile-app-builder.md +6 -1
- package/agents/engineering-rapid-prototyper.md +30 -9
- package/agents/engineering-security-engineer.md +263 -61
- package/agents/engineering-senior-developer.md +128 -19
- package/agents/engineering-sre.md +84 -0
- package/agents/engineering-technical-writer.md +285 -41
- package/agents/feature-intel.md +110 -0
- package/agents/ios-app-review-guardian.md +19 -2
- package/agents/ios-foundation-models-specialist.md +20 -2
- package/agents/ios-storekit-specialist.md +9 -2
- package/agents/ios-swift-architect.md +28 -1
- package/agents/ios-swift-search.md +8 -1
- package/agents/ios-swift-ui-design.md +33 -1
- package/agents/marketing-app-store-optimizer.md +246 -64
- package/agents/planner.md +216 -0
- package/agents/pr-test-analyzer.md +63 -0
- package/agents/product-feedback-synthesizer.md +8 -2
- package/agents/refactor-cleaner.md +102 -0
- package/agents/security-reviewer.md +128 -0
- package/agents/silent-failure-hunter.md +54 -0
- package/agents/swift-build-resolver.md +119 -0
- package/agents/swift-reviewer.md +112 -0
- package/agents/tech-feasibility.md +21 -1
- package/agents/testing-api-tester.md +236 -59
- package/agents/testing-evidence-collector.md +26 -1
- package/agents/testing-performance-benchmarker.md +21 -1
- package/agents/testing-reality-checker.md +6 -1
- package/agents/visual-research.md +116 -0
- package/bin/adapters/cycle-counter-tool.ts +155 -0
- package/bin/adapters/scribe-tool.ts +71 -0
- package/bin/adapters/state-save-tool.ts +130 -0
- package/bin/adapters/write-lease-tool.ts +127 -0
- package/bin/buildanything-runtime.js +15 -0
- package/bin/buildanything-runtime.ts +328 -0
- package/bin/setup.js +83 -8
- package/commands/add-feature.md +2 -0
- package/commands/build.md +782 -266
- package/commands/fix.md +1 -1
- package/commands/self-check.md +121 -0
- package/commands/setup.md +50 -9
- package/commands/ux-review.md +2 -2
- package/commands/verify.md +6 -9
- package/docs/migration/agents.yaml +729 -0
- package/docs/migration/phase-graph.yaml +1088 -0
- package/docs/migration/sdk-host-compat.md +18 -0
- package/hooks/compile-writer-owner-cache.ts +171 -0
- package/hooks/hooks.json +36 -0
- package/hooks/pre-tool-use +19 -0
- package/hooks/pre-tool-use.ts +776 -0
- package/hooks/record-mode-transitions.ts +178 -0
- package/hooks/session-start +71 -1
- package/hooks/subagent-start +17 -0
- package/hooks/subagent-start.ts +471 -0
- package/hooks/subagent-stop +17 -0
- package/hooks/subagent-stop.ts +153 -0
- package/package.json +24 -4
- package/protocols/architecture-schema.md +171 -0
- package/protocols/decision-log.md +131 -0
- package/protocols/ios-context.md +10 -11
- package/protocols/ios-phase-branches.md +208 -33
- package/protocols/launch-readiness.md +258 -0
- package/protocols/metric-loop.md +62 -2
- package/protocols/smoke-test.md +9 -1
- package/protocols/state-schema.json +388 -0
- package/protocols/state-schema.md +172 -0
- package/protocols/verify.md +62 -2
- package/protocols/visual-dna.md +185 -0
- package/protocols/web-phase-branches.md +222 -72
- package/skills/ios/_VENDORED.md +2 -0
- package/skills/ios/app-store-connect-metadata/SKILL.md +148 -0
- package/skills/ios/asc-privacy-manifest/SKILL.md +350 -0
- package/skills/ios/hig-components-content/SKILL.md +86 -0
- package/skills/ios/hig-components-content/references/activity-views.md +79 -0
- package/skills/ios/hig-components-content/references/charts.md +180 -0
- package/skills/ios/hig-components-content/references/collections.md +48 -0
- package/skills/ios/hig-components-content/references/color-wells.md +42 -0
- package/skills/ios/hig-components-content/references/image-views.md +82 -0
- package/skills/ios/hig-components-content/references/image-wells.md +34 -0
- package/skills/ios/hig-components-content/references/lockups.md +78 -0
- package/skills/ios/hig-components-content/references/web-views.md +36 -0
- package/skills/ios/hig-components-controls/SKILL.md +88 -0
- package/skills/ios/hig-components-controls/references/combo-boxes.md +40 -0
- package/skills/ios/hig-components-controls/references/controls.md +112 -0
- package/skills/ios/hig-components-controls/references/gauges.md +74 -0
- package/skills/ios/hig-components-controls/references/labels.md +92 -0
- package/skills/ios/hig-components-controls/references/pickers.md +128 -0
- package/skills/ios/hig-components-controls/references/rating-indicators.md +38 -0
- package/skills/ios/hig-components-controls/references/segmented-controls.md +94 -0
- package/skills/ios/hig-components-controls/references/sliders.md +92 -0
- package/skills/ios/hig-components-controls/references/steppers.md +40 -0
- package/skills/ios/hig-components-controls/references/text-fields.md +88 -0
- package/skills/ios/hig-components-controls/references/text-views.md +56 -0
- package/skills/ios/hig-components-controls/references/toggles.md +127 -0
- package/skills/ios/hig-components-controls/references/token-fields.md +48 -0
- package/skills/ios/hig-components-controls/references/virtual-keyboards.md +156 -0
- package/skills/ios/hig-components-dialogs/SKILL.md +76 -0
- package/skills/ios/hig-components-dialogs/references/action-sheets.md +74 -0
- package/skills/ios/hig-components-dialogs/references/alerts.md +158 -0
- package/skills/ios/hig-components-dialogs/references/digit-entry-views.md +32 -0
- package/skills/ios/hig-components-dialogs/references/popovers.md +81 -0
- package/skills/ios/hig-components-dialogs/references/sheets.md +157 -0
- package/skills/ios/hig-components-layout/SKILL.md +99 -0
- package/skills/ios/hig-components-layout/references/boxes.md +48 -0
- package/skills/ios/hig-components-layout/references/column-views.md +44 -0
- package/skills/ios/hig-components-layout/references/lists-and-tables.md +99 -0
- package/skills/ios/hig-components-layout/references/ornaments.md +56 -0
- package/skills/ios/hig-components-layout/references/outline-views.md +64 -0
- package/skills/ios/hig-components-layout/references/panels.md +75 -0
- package/skills/ios/hig-components-layout/references/scroll-views.md +123 -0
- package/skills/ios/hig-components-layout/references/sidebars.md +109 -0
- package/skills/ios/hig-components-layout/references/split-views.md +110 -0
- package/skills/ios/hig-components-layout/references/tab-bars.md +173 -0
- package/skills/ios/hig-components-layout/references/tab-views.md +68 -0
- package/skills/ios/hig-components-layout/references/windows.md +188 -0
- package/skills/ios/hig-components-menus/SKILL.md +81 -0
- package/skills/ios/hig-components-menus/references/action-button.md +61 -0
- package/skills/ios/hig-components-menus/references/buttons.md +261 -0
- package/skills/ios/hig-components-menus/references/context-menus.md +105 -0
- package/skills/ios/hig-components-menus/references/disclosure-controls.md +84 -0
- package/skills/ios/hig-components-menus/references/dock-menus.md +40 -0
- package/skills/ios/hig-components-menus/references/edit-menus.md +88 -0
- package/skills/ios/hig-components-menus/references/menus.md +171 -0
- package/skills/ios/hig-components-menus/references/pop-up-buttons.md +70 -0
- package/skills/ios/hig-components-menus/references/pull-down-buttons.md +77 -0
- package/skills/ios/hig-components-menus/references/the-menu-bar.md +303 -0
- package/skills/ios/hig-components-menus/references/toolbars.md +256 -0
- package/skills/ios/hig-components-search/SKILL.md +68 -0
- package/skills/ios/hig-components-search/references/page-controls.md +120 -0
- package/skills/ios/hig-components-search/references/path-controls.md +40 -0
- package/skills/ios/hig-components-search/references/search-fields.md +189 -0
- package/skills/ios/hig-components-status/SKILL.md +80 -0
- package/skills/ios/hig-components-status/references/activity-rings.md +105 -0
- package/skills/ios/hig-components-status/references/progress-indicators.md +116 -0
- package/skills/ios/hig-components-status/references/status-bars.md +38 -0
- package/skills/ios/hig-components-system/SKILL.md +88 -0
- package/skills/ios/hig-components-system/references/app-clips.md +387 -0
- package/skills/ios/hig-components-system/references/app-shortcuts.md +114 -0
- package/skills/ios/hig-components-system/references/complications.md +425 -0
- package/skills/ios/hig-components-system/references/home-screen-quick-actions.md +42 -0
- package/skills/ios/hig-components-system/references/live-activities.md +442 -0
- package/skills/ios/hig-components-system/references/notifications.md +153 -0
- package/skills/ios/hig-components-system/references/top-shelf.md +135 -0
- package/skills/ios/hig-components-system/references/watch-faces.md +40 -0
- package/skills/ios/hig-components-system/references/widgets.md +517 -0
- package/skills/ios/hig-foundations/SKILL.md +98 -0
- package/skills/ios/hig-foundations/references/accessibility.md +291 -0
- package/skills/ios/hig-foundations/references/app-icons.md +210 -0
- package/skills/ios/hig-foundations/references/branding.md +44 -0
- package/skills/ios/hig-foundations/references/color.md +274 -0
- package/skills/ios/hig-foundations/references/dark-mode.md +116 -0
- package/skills/ios/hig-foundations/references/icons.md +263 -0
- package/skills/ios/hig-foundations/references/images.md +176 -0
- package/skills/ios/hig-foundations/references/immersive-experiences.md +174 -0
- package/skills/ios/hig-foundations/references/inclusion.md +189 -0
- package/skills/ios/hig-foundations/references/layout.md +425 -0
- package/skills/ios/hig-foundations/references/materials.md +238 -0
- package/skills/ios/hig-foundations/references/motion.md +103 -0
- package/skills/ios/hig-foundations/references/privacy.md +231 -0
- package/skills/ios/hig-foundations/references/right-to-left.md +206 -0
- package/skills/ios/hig-foundations/references/sf-symbols.md +310 -0
- package/skills/ios/hig-foundations/references/spatial-layout.md +142 -0
- package/skills/ios/hig-foundations/references/typography.md +1146 -0
- package/skills/ios/hig-foundations/references/writing.md +91 -0
- package/skills/ios/hig-inputs/SKILL.md +94 -0
- package/skills/ios/hig-inputs/references/apple-pencil-and-scribble.md +148 -0
- package/skills/ios/hig-inputs/references/camera-control.md +107 -0
- package/skills/ios/hig-inputs/references/digital-crown.md +83 -0
- package/skills/ios/hig-inputs/references/eyes.md +120 -0
- package/skills/ios/hig-inputs/references/focus-and-selection.md +120 -0
- package/skills/ios/hig-inputs/references/game-controls.md +156 -0
- package/skills/ios/hig-inputs/references/gestures.md +208 -0
- package/skills/ios/hig-inputs/references/gyro-and-accelerometer.md +40 -0
- package/skills/ios/hig-inputs/references/keyboards.md +234 -0
- package/skills/ios/hig-inputs/references/nearby-interactions.md +70 -0
- package/skills/ios/hig-inputs/references/pointing-devices.md +237 -0
- package/skills/ios/hig-inputs/references/remotes.md +67 -0
- package/skills/ios/hig-inputs/references/spatial-interactions.md +70 -0
- package/skills/ios/hig-patterns/SKILL.md +104 -0
- package/skills/ios/hig-patterns/references/charting-data.md +81 -0
- package/skills/ios/hig-patterns/references/collaboration-and-sharing.md +86 -0
- package/skills/ios/hig-patterns/references/drag-and-drop.md +134 -0
- package/skills/ios/hig-patterns/references/entering-data.md +69 -0
- package/skills/ios/hig-patterns/references/feedback.md +67 -0
- package/skills/ios/hig-patterns/references/file-management.md +135 -0
- package/skills/ios/hig-patterns/references/going-full-screen.md +79 -0
- package/skills/ios/hig-patterns/references/launching.md +81 -0
- package/skills/ios/hig-patterns/references/live-viewing-apps.md +79 -0
- package/skills/ios/hig-patterns/references/loading.md +59 -0
- package/skills/ios/hig-patterns/references/managing-accounts.md +107 -0
- package/skills/ios/hig-patterns/references/managing-notifications.md +99 -0
- package/skills/ios/hig-patterns/references/modality.md +82 -0
- package/skills/ios/hig-patterns/references/multitasking.md +131 -0
- package/skills/ios/hig-patterns/references/offering-help.md +117 -0
- package/skills/ios/hig-patterns/references/onboarding.md +69 -0
- package/skills/ios/hig-patterns/references/playing-audio.md +124 -0
- package/skills/ios/hig-patterns/references/playing-haptics.md +280 -0
- package/skills/ios/hig-patterns/references/playing-video.md +180 -0
- package/skills/ios/hig-patterns/references/printing.md +50 -0
- package/skills/ios/hig-patterns/references/ratings-and-reviews.md +48 -0
- package/skills/ios/hig-patterns/references/searching.md +70 -0
- package/skills/ios/hig-patterns/references/settings.md +84 -0
- package/skills/ios/hig-patterns/references/undo-and-redo.md +58 -0
- package/skills/ios/hig-patterns/references/workouts.md +76 -0
- package/skills/ios/hig-platforms/SKILL.md +84 -0
- package/skills/ios/hig-platforms/references/designing-for-games.md +159 -0
- package/skills/ios/hig-platforms/references/designing-for-ios.md +66 -0
- package/skills/ios/hig-platforms/references/designing-for-ipados.md +64 -0
- package/skills/ios/hig-platforms/references/designing-for-macos.md +70 -0
- package/skills/ios/hig-platforms/references/designing-for-tvos.md +68 -0
- package/skills/ios/hig-platforms/references/designing-for-visionos.md +85 -0
- package/skills/ios/hig-platforms/references/designing-for-watchos.md +74 -0
- package/skills/ios/hig-project-context/SKILL.md +133 -0
- package/skills/ios/hig-technologies/SKILL.md +107 -0
- package/skills/ios/hig-technologies/references/airplay.md +125 -0
- package/skills/ios/hig-technologies/references/always-on.md +62 -0
- package/skills/ios/hig-technologies/references/apple-pay.md +441 -0
- package/skills/ios/hig-technologies/references/augmented-reality.md +247 -0
- package/skills/ios/hig-technologies/references/carekit.md +224 -0
- package/skills/ios/hig-technologies/references/carplay.md +119 -0
- package/skills/ios/hig-technologies/references/game-center.md +343 -0
- package/skills/ios/hig-technologies/references/generative-ai.md +110 -0
- package/skills/ios/hig-technologies/references/healthkit.md +120 -0
- package/skills/ios/hig-technologies/references/homekit.md +343 -0
- package/skills/ios/hig-technologies/references/icloud.md +52 -0
- package/skills/ios/hig-technologies/references/id-verifier.md +73 -0
- package/skills/ios/hig-technologies/references/imessage-apps-and-stickers.md +105 -0
- package/skills/ios/hig-technologies/references/in-app-purchase.md +263 -0
- package/skills/ios/hig-technologies/references/live-photos.md +54 -0
- package/skills/ios/hig-technologies/references/mac-catalyst.md +216 -0
- package/skills/ios/hig-technologies/references/machine-learning.md +394 -0
- package/skills/ios/hig-technologies/references/maps.md +221 -0
- package/skills/ios/hig-technologies/references/nfc.md +51 -0
- package/skills/ios/hig-technologies/references/photo-editing.md +40 -0
- package/skills/ios/hig-technologies/references/researchkit.md +134 -0
- package/skills/ios/hig-technologies/references/shareplay.md +142 -0
- package/skills/ios/hig-technologies/references/shazamkit.md +47 -0
- package/skills/ios/hig-technologies/references/sign-in-with-apple.md +288 -0
- package/skills/ios/hig-technologies/references/siri.md +523 -0
- package/skills/ios/hig-technologies/references/tap-to-pay-on-iphone.md +208 -0
- package/skills/ios/hig-technologies/references/voiceover.md +90 -0
- package/skills/ios/hig-technologies/references/wallet.md +420 -0
- package/skills/ios/ios-bootstrap/SKILL.md +16 -7
- package/skills/ios/swift-actor-persistence/SKILL.md +143 -0
- package/skills/ios/swift-concurrency-6-2/SKILL.md +216 -0
- package/skills/ios/swift-protocol-di-testing/SKILL.md +190 -0
- package/skills/ios/swiftui-design-tokens/SKILL.md +475 -0
- package/skills/ios/writing-for-interfaces/SKILL.md +75 -0
- package/skills/web/accessibility/SKILL.md +146 -0
- package/skills/web/aceternity-ui/SKILL.md +719 -0
- package/skills/web/aceternity-ui/metadata.json +10 -0
- package/skills/web/api-design/SKILL.md +523 -0
- package/skills/web/chart-accessibility/SKILL.md +332 -0
- package/skills/web/composition-patterns/AGENTS.md +946 -0
- package/skills/web/composition-patterns/README.md +60 -0
- package/skills/web/composition-patterns/SKILL.md +89 -0
- package/skills/web/composition-patterns/metadata.json +11 -0
- package/skills/web/composition-patterns/rules/_sections.md +29 -0
- package/skills/web/composition-patterns/rules/_template.md +24 -0
- package/skills/web/composition-patterns/rules/architecture-avoid-boolean-props.md +100 -0
- package/skills/web/composition-patterns/rules/architecture-compound-components.md +112 -0
- package/skills/web/composition-patterns/rules/patterns-children-over-render-props.md +87 -0
- package/skills/web/composition-patterns/rules/patterns-explicit-variants.md +100 -0
- package/skills/web/composition-patterns/rules/react19-no-forwardref.md +42 -0
- package/skills/web/composition-patterns/rules/state-context-interface.md +191 -0
- package/skills/web/composition-patterns/rules/state-decouple-implementation.md +113 -0
- package/skills/web/composition-patterns/rules/state-lift-state.md +125 -0
- package/skills/web/cost-aware-llm-pipeline/SKILL.md +183 -0
- package/skills/web/database-migrations/SKILL.md +429 -0
- package/skills/web/deployment-patterns/SKILL.md +427 -0
- package/skills/web/docker-patterns/SKILL.md +364 -0
- package/skills/web/e2e-testing/SKILL.md +326 -0
- package/skills/web/lighthouse-ci/SKILL.md +361 -0
- package/skills/web/mcp-server-patterns/SKILL.md +69 -0
- package/skills/web/next-best-practices/SKILL.md +153 -0
- package/skills/web/next-best-practices/async-patterns.md +87 -0
- package/skills/web/next-best-practices/bundling.md +180 -0
- package/skills/web/next-best-practices/data-patterns.md +297 -0
- package/skills/web/next-best-practices/debug-tricks.md +105 -0
- package/skills/web/next-best-practices/directives.md +73 -0
- package/skills/web/next-best-practices/error-handling.md +227 -0
- package/skills/web/next-best-practices/file-conventions.md +140 -0
- package/skills/web/next-best-practices/font.md +245 -0
- package/skills/web/next-best-practices/functions.md +108 -0
- package/skills/web/next-best-practices/hydration-error.md +91 -0
- package/skills/web/next-best-practices/image.md +173 -0
- package/skills/web/next-best-practices/metadata.md +301 -0
- package/skills/web/next-best-practices/parallel-routes.md +287 -0
- package/skills/web/next-best-practices/route-handlers.md +146 -0
- package/skills/web/next-best-practices/rsc-boundaries.md +159 -0
- package/skills/web/next-best-practices/runtime-selection.md +39 -0
- package/skills/web/next-best-practices/scripts.md +141 -0
- package/skills/web/next-best-practices/self-hosting.md +371 -0
- package/skills/web/next-best-practices/suspense-boundaries.md +67 -0
- package/skills/web/next-cache-components/SKILL.md +411 -0
- package/skills/web/postgres-best-practices/SKILL.md +14 -0
- package/skills/web/postgres-best-practices/references/schema-design.md +9 -0
- package/skills/web/react-best-practices/AGENTS.md +3810 -0
- package/skills/web/react-best-practices/README.md +123 -0
- package/skills/web/react-best-practices/SKILL.md +149 -0
- package/skills/web/react-best-practices/metadata.json +15 -0
- package/skills/web/react-best-practices/rules/_sections.md +46 -0
- package/skills/web/react-best-practices/rules/_template.md +28 -0
- package/skills/web/react-best-practices/rules/advanced-effect-event-deps.md +56 -0
- package/skills/web/react-best-practices/rules/advanced-event-handler-refs.md +55 -0
- package/skills/web/react-best-practices/rules/advanced-init-once.md +42 -0
- package/skills/web/react-best-practices/rules/advanced-use-latest.md +39 -0
- package/skills/web/react-best-practices/rules/async-api-routes.md +38 -0
- package/skills/web/react-best-practices/rules/async-cheap-condition-before-await.md +37 -0
- package/skills/web/react-best-practices/rules/async-defer-await.md +82 -0
- package/skills/web/react-best-practices/rules/async-dependencies.md +51 -0
- package/skills/web/react-best-practices/rules/async-parallel.md +28 -0
- package/skills/web/react-best-practices/rules/async-suspense-boundaries.md +99 -0
- package/skills/web/react-best-practices/rules/bundle-analyzable-paths.md +63 -0
- package/skills/web/react-best-practices/rules/bundle-barrel-imports.md +60 -0
- package/skills/web/react-best-practices/rules/bundle-conditional.md +31 -0
- package/skills/web/react-best-practices/rules/bundle-defer-third-party.md +49 -0
- package/skills/web/react-best-practices/rules/bundle-dynamic-imports.md +35 -0
- package/skills/web/react-best-practices/rules/bundle-preload.md +50 -0
- package/skills/web/react-best-practices/rules/client-event-listeners.md +74 -0
- package/skills/web/react-best-practices/rules/client-localstorage-schema.md +71 -0
- package/skills/web/react-best-practices/rules/client-passive-event-listeners.md +48 -0
- package/skills/web/react-best-practices/rules/client-swr-dedup.md +56 -0
- package/skills/web/react-best-practices/rules/js-batch-dom-css.md +107 -0
- package/skills/web/react-best-practices/rules/js-cache-function-results.md +80 -0
- package/skills/web/react-best-practices/rules/js-cache-property-access.md +28 -0
- package/skills/web/react-best-practices/rules/js-cache-storage.md +70 -0
- package/skills/web/react-best-practices/rules/js-combine-iterations.md +32 -0
- package/skills/web/react-best-practices/rules/js-early-exit.md +50 -0
- package/skills/web/react-best-practices/rules/js-flatmap-filter.md +60 -0
- package/skills/web/react-best-practices/rules/js-hoist-regexp.md +45 -0
- package/skills/web/react-best-practices/rules/js-index-maps.md +37 -0
- package/skills/web/react-best-practices/rules/js-length-check-first.md +49 -0
- package/skills/web/react-best-practices/rules/js-min-max-loop.md +82 -0
- package/skills/web/react-best-practices/rules/js-request-idle-callback.md +105 -0
- package/skills/web/react-best-practices/rules/js-set-map-lookups.md +24 -0
- package/skills/web/react-best-practices/rules/js-tosorted-immutable.md +57 -0
- package/skills/web/react-best-practices/rules/rendering-activity.md +26 -0
- package/skills/web/react-best-practices/rules/rendering-animate-svg-wrapper.md +47 -0
- package/skills/web/react-best-practices/rules/rendering-conditional-render.md +40 -0
- package/skills/web/react-best-practices/rules/rendering-content-visibility.md +38 -0
- package/skills/web/react-best-practices/rules/rendering-hoist-jsx.md +46 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-no-flicker.md +82 -0
- package/skills/web/react-best-practices/rules/rendering-hydration-suppress-warning.md +30 -0
- package/skills/web/react-best-practices/rules/rendering-resource-hints.md +85 -0
- package/skills/web/react-best-practices/rules/rendering-script-defer-async.md +68 -0
- package/skills/web/react-best-practices/rules/rendering-svg-precision.md +28 -0
- package/skills/web/react-best-practices/rules/rendering-usetransition-loading.md +75 -0
- package/skills/web/react-best-practices/rules/rerender-defer-reads.md +39 -0
- package/skills/web/react-best-practices/rules/rerender-dependencies.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state-no-effect.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-derived-state.md +29 -0
- package/skills/web/react-best-practices/rules/rerender-functional-setstate.md +74 -0
- package/skills/web/react-best-practices/rules/rerender-lazy-state-init.md +58 -0
- package/skills/web/react-best-practices/rules/rerender-memo-with-default-value.md +38 -0
- package/skills/web/react-best-practices/rules/rerender-memo.md +44 -0
- package/skills/web/react-best-practices/rules/rerender-move-effect-to-event.md +45 -0
- package/skills/web/react-best-practices/rules/rerender-no-inline-components.md +82 -0
- package/skills/web/react-best-practices/rules/rerender-simple-expression-in-memo.md +35 -0
- package/skills/web/react-best-practices/rules/rerender-split-combined-hooks.md +64 -0
- package/skills/web/react-best-practices/rules/rerender-transitions.md +40 -0
- package/skills/web/react-best-practices/rules/rerender-use-deferred-value.md +59 -0
- package/skills/web/react-best-practices/rules/rerender-use-ref-transient-values.md +73 -0
- package/skills/web/react-best-practices/rules/server-after-nonblocking.md +73 -0
- package/skills/web/react-best-practices/rules/server-auth-actions.md +96 -0
- package/skills/web/react-best-practices/rules/server-cache-lru.md +41 -0
- package/skills/web/react-best-practices/rules/server-cache-react.md +76 -0
- package/skills/web/react-best-practices/rules/server-dedup-props.md +65 -0
- package/skills/web/react-best-practices/rules/server-hoist-static-io.md +149 -0
- package/skills/web/react-best-practices/rules/server-no-shared-module-state.md +50 -0
- package/skills/web/react-best-practices/rules/server-parallel-fetching.md +83 -0
- package/skills/web/react-best-practices/rules/server-parallel-nested-fetching.md +34 -0
- package/skills/web/react-best-practices/rules/server-serialization.md +38 -0
- package/skills/web/seo/SKILL.md +154 -0
- package/skills/web/web-design-guidelines/SKILL.md +39 -0
- package/skills/web/zap-scan-config/SKILL.md +444 -0
- package/skills/web/zap-scan-config/assets/.gitkeep +9 -0
- package/skills/web/zap-scan-config/assets/github_action.yml +207 -0
- package/skills/web/zap-scan-config/assets/gitlab_ci.yml +226 -0
- package/skills/web/zap-scan-config/assets/zap_automation.yaml +196 -0
- package/skills/web/zap-scan-config/assets/zap_context.xml +192 -0
- package/skills/web/zap-scan-config/references/EXAMPLE.md +40 -0
- package/skills/web/zap-scan-config/references/api_testing_guide.md +475 -0
- package/skills/web/zap-scan-config/references/authentication_guide.md +431 -0
- package/skills/web/zap-scan-config/references/false_positive_handling.md +427 -0
- package/skills/web/zap-scan-config/references/owasp_mapping.md +255 -0
- package/src/lrr/aggregator.ts +80 -0
- package/src/orchestrator/hooks/context-header.ts +95 -0
- package/src/orchestrator/hooks/token-accounting-emitter.ts +77 -0
- package/src/orchestrator/hooks/token-accounting.ts +101 -0
- package/src/orchestrator/mcp/cycle-counter.ts +129 -0
- package/src/orchestrator/mcp/scribe.ts +283 -0
- package/src/orchestrator/mcp/state-save.ts +149 -0
- package/src/orchestrator/mcp/write-lease.ts +167 -0
- package/src/orchestrator/phase4-shared-context.ts +41 -0
- package/src/orchestrator/schemas/backward-edge.ts +46 -0
- package/agents/agentic-identity-trust.md +0 -121
- package/agents/data-consolidation-agent.md +0 -39
- package/agents/design-image-prompt-engineer.md +0 -105
- package/agents/design-visual-storyteller.md +0 -147
- package/agents/design-whimsy-injector.md +0 -89
- package/agents/engineering-autonomous-optimization-architect.md +0 -105
- package/agents/market-intel.md +0 -35
- package/agents/marketing-instagram-curator.md +0 -111
- package/agents/marketing-reddit-community-builder.md +0 -121
- package/agents/marketing-social-media-strategist.md +0 -74
- package/agents/marketing-tiktok-strategist.md +0 -123
- package/agents/marketing-twitter-engager.md +0 -124
- package/agents/marketing-wechat-official-account.md +0 -143
- package/agents/marketing-xiaohongshu-specialist.md +0 -136
- package/agents/marketing-zhihu-strategist.md +0 -160
- package/agents/product-behavioral-nudge-engine.md +0 -78
- package/agents/project-management-experiment-tracker.md +0 -102
- package/agents/report-distribution-agent.md +0 -43
- package/agents/risk-analysis.md +0 -45
- package/agents/sales-data-extraction-agent.md +0 -46
- package/agents/specialized-cultural-intelligence-strategist.md +0 -65
- package/agents/specialized-developer-advocate.md +0 -146
- package/agents/support-analytics-reporter.md +0 -133
- package/agents/support-executive-summary-generator.md +0 -64
- package/agents/support-finance-tracker.md +0 -145
- package/agents/support-legal-compliance-checker.md +0 -129
- package/agents/support-support-responder.md +0 -91
- package/agents/testing-accessibility-auditor.md +0 -110
- package/agents/testing-test-results-analyzer.md +0 -97
- package/agents/testing-tool-evaluator.md +0 -76
- package/agents/testing-workflow-optimizer.md +0 -99
- package/agents/user-research.md +0 -40
- package/protocols/brainstorm.md +0 -99
- package/protocols/design.md +0 -269
- package/protocols/planning.md +0 -87
- package/skills/ios/ios-hig/SKILL.md +0 -41
- package/skills/ios/ios-hig/references/accessibility.md +0 -81
- package/skills/ios/ios-hig/references/content.md +0 -142
- package/skills/ios/ios-hig/references/feedback.md +0 -123
- package/skills/ios/ios-hig/references/interaction.md +0 -199
- package/skills/ios/ios-hig/references/performance-platform.md +0 -129
- package/skills/ios/ios-hig/references/privacy-permissions.md +0 -181
- package/skills/ios/ios-hig/references/visual-design.md +0 -84
@@ -0,0 +1,431 @@
|
|
|
1
|
+
# ZAP Authentication Configuration Guide
|
|
2
|
+
|
|
3
|
+
Comprehensive guide for configuring authenticated scanning in OWASP ZAP for form-based, token-based, and OAuth authentication.
|
|
4
|
+
|
|
5
|
+
## Overview
|
|
6
|
+
|
|
7
|
+
Authenticated scanning is critical for testing protected application areas that require login. ZAP supports multiple authentication methods:
|
|
8
|
+
|
|
9
|
+
- **Form-Based Authentication** - Traditional username/password login forms
|
|
10
|
+
- **HTTP Authentication** - Basic, Digest, NTLM authentication
|
|
11
|
+
- **Script-Based Authentication** - Custom authentication flows (OAuth, SAML)
|
|
12
|
+
- **Token-Based Authentication** - Bearer tokens, API keys, JWT
|
|
13
|
+
|
|
14
|
+
## Form-Based Authentication
|
|
15
|
+
|
|
16
|
+
### Configuration Steps
|
|
17
|
+
|
|
18
|
+
1. **Identify Login Parameters**
|
|
19
|
+
- Login URL
|
|
20
|
+
- Username field name
|
|
21
|
+
- Password field name
|
|
22
|
+
- Submit button/action
|
|
23
|
+
|
|
24
|
+
2. **Create Authentication Context**
|
|
25
|
+
|
|
26
|
+
```bash
|
|
27
|
+
# Use bundled script
|
|
28
|
+
python3 scripts/zap_auth_scanner.py \
|
|
29
|
+
--target https://app.example.com \
|
|
30
|
+
--auth-type form \
|
|
31
|
+
--login-url https://app.example.com/login \
|
|
32
|
+
--username testuser \
|
|
33
|
+
--password-env APP_PASSWORD \
|
|
34
|
+
--verification-url https://app.example.com/dashboard \
|
|
35
|
+
--output authenticated-scan-report.html
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
3. **Configure Logged-In Indicator**
|
|
39
|
+
|
|
40
|
+
Specify a regex pattern that appears only when logged in:
|
|
41
|
+
- Example: `Welcome, testuser`
|
|
42
|
+
- Example: `<a href="/logout">Logout</a>`
|
|
43
|
+
- Example: Check for presence of dashboard elements
|
|
44
|
+
|
|
45
|
+
### Manual Context Configuration
|
|
46
|
+
|
|
47
|
+
Create `auth-context.xml`:
|
|
48
|
+
|
|
49
|
+
```xml
|
|
50
|
+
<?xml version="1.0" encoding="UTF-8"?>
|
|
51
|
+
<configuration>
|
|
52
|
+
<context>
|
|
53
|
+
<name>WebAppAuth</name>
|
|
54
|
+
<desc>Authenticated scanning context</desc>
|
|
55
|
+
<inscope>true</inscope>
|
|
56
|
+
<incregexes>https://app\.example\.com/.*</incregexes>
|
|
57
|
+
|
|
58
|
+
<authentication>
|
|
59
|
+
<type>formBasedAuthentication</type>
|
|
60
|
+
<form>
|
|
61
|
+
<loginurl>https://app.example.com/login</loginurl>
|
|
62
|
+
<loginbody>username={%username%}&password={%password%}</loginbody>
|
|
63
|
+
<loginpageurl>https://app.example.com/login</loginpageurl>
|
|
64
|
+
</form>
|
|
65
|
+
<loggedin>\QWelcome,\E</loggedin>
|
|
66
|
+
<loggedout>\QYou are not logged in\E</loggedout>
|
|
67
|
+
</authentication>
|
|
68
|
+
|
|
69
|
+
<users>
|
|
70
|
+
<user>
|
|
71
|
+
<name>testuser</name>
|
|
72
|
+
<credentials>
|
|
73
|
+
<credential>
|
|
74
|
+
<name>username</name>
|
|
75
|
+
<value>testuser</value>
|
|
76
|
+
</credential>
|
|
77
|
+
<credential>
|
|
78
|
+
<name>password</name>
|
|
79
|
+
<value>SecureP@ssw0rd</value>
|
|
80
|
+
</credential>
|
|
81
|
+
</credentials>
|
|
82
|
+
<enabled>true</enabled>
|
|
83
|
+
</user>
|
|
84
|
+
</users>
|
|
85
|
+
|
|
86
|
+
<sessionManagement>
|
|
87
|
+
<type>cookieBasedSessionManagement</type>
|
|
88
|
+
</sessionManagement>
|
|
89
|
+
</context>
|
|
90
|
+
</configuration>
|
|
91
|
+
```
|
|
92
|
+
|
|
93
|
+
Run scan with context:
|
|
94
|
+
|
|
95
|
+
```bash
|
|
96
|
+
docker run --rm \
|
|
97
|
+
-v $(pwd):/zap/wrk/:rw \
|
|
98
|
+
-t zaproxy/zap-stable \
|
|
99
|
+
zap-full-scan.py \
|
|
100
|
+
-t https://app.example.com \
|
|
101
|
+
-n /zap/wrk/auth-context.xml \
|
|
102
|
+
-r /zap/wrk/auth-report.html
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
## Token-Based Authentication (Bearer Tokens)
|
|
106
|
+
|
|
107
|
+
### JWT/Bearer Token Configuration
|
|
108
|
+
|
|
109
|
+
1. **Obtain Authentication Token**
|
|
110
|
+
|
|
111
|
+
```bash
|
|
112
|
+
# Example: Login to get token
|
|
113
|
+
TOKEN=$(curl -X POST https://api.example.com/auth/login \
|
|
114
|
+
-H "Content-Type: application/json" \
|
|
115
|
+
-d '{"username":"testuser","password":"password"}' \
|
|
116
|
+
| jq -r '.token')
|
|
117
|
+
```
|
|
118
|
+
|
|
119
|
+
2. **Configure ZAP to Include Token**
|
|
120
|
+
|
|
121
|
+
Use ZAP Replacer to add Authorization header:
|
|
122
|
+
|
|
123
|
+
```bash
|
|
124
|
+
python3 scripts/zap_auth_scanner.py \
|
|
125
|
+
--target https://api.example.com \
|
|
126
|
+
--auth-type bearer \
|
|
127
|
+
--token-env API_TOKEN \
|
|
128
|
+
--output api-auth-scan.html
|
|
129
|
+
```
|
|
130
|
+
|
|
131
|
+
### Manual Token Configuration
|
|
132
|
+
|
|
133
|
+
Using ZAP automation framework (`zap_automation.yaml`):
|
|
134
|
+
|
|
135
|
+
```yaml
|
|
136
|
+
env:
|
|
137
|
+
contexts:
|
|
138
|
+
- name: API-Context
|
|
139
|
+
urls:
|
|
140
|
+
- https://api.example.com
|
|
141
|
+
authentication:
|
|
142
|
+
method: header
|
|
143
|
+
parameters:
|
|
144
|
+
header: Authorization
|
|
145
|
+
value: "Bearer ${API_TOKEN}"
|
|
146
|
+
sessionManagement:
|
|
147
|
+
method: cookie
|
|
148
|
+
|
|
149
|
+
jobs:
|
|
150
|
+
- type: spider
|
|
151
|
+
parameters:
|
|
152
|
+
context: API-Context
|
|
153
|
+
user: api-user
|
|
154
|
+
|
|
155
|
+
- type: activeScan
|
|
156
|
+
parameters:
|
|
157
|
+
context: API-Context
|
|
158
|
+
user: api-user
|
|
159
|
+
```
|
|
160
|
+
|
|
161
|
+
## OAuth 2.0 Authentication
|
|
162
|
+
|
|
163
|
+
### Authorization Code Flow
|
|
164
|
+
|
|
165
|
+
1. **Manual Browser-Based Token Acquisition**
|
|
166
|
+
|
|
167
|
+
```bash
|
|
168
|
+
# Step 1: Get authorization code (open in browser)
|
|
169
|
+
https://oauth.example.com/authorize?
|
|
170
|
+
client_id=YOUR_CLIENT_ID&
|
|
171
|
+
redirect_uri=http://localhost:8080/callback&
|
|
172
|
+
response_type=code&
|
|
173
|
+
scope=openid profile
|
|
174
|
+
|
|
175
|
+
# Step 2: Exchange code for token
|
|
176
|
+
TOKEN=$(curl -X POST https://oauth.example.com/token \
|
|
177
|
+
-d "grant_type=authorization_code" \
|
|
178
|
+
-d "code=AUTH_CODE_FROM_STEP_1" \
|
|
179
|
+
-d "client_id=YOUR_CLIENT_ID" \
|
|
180
|
+
-d "client_secret=YOUR_CLIENT_SECRET" \
|
|
181
|
+
-d "redirect_uri=http://localhost:8080/callback" \
|
|
182
|
+
| jq -r '.access_token')
|
|
183
|
+
|
|
184
|
+
# Step 3: Use token in ZAP scan
|
|
185
|
+
export API_TOKEN="$TOKEN"
|
|
186
|
+
python3 scripts/zap_auth_scanner.py \
|
|
187
|
+
--target https://api.example.com \
|
|
188
|
+
--auth-type bearer \
|
|
189
|
+
--token-env API_TOKEN
|
|
190
|
+
```
|
|
191
|
+
|
|
192
|
+
### Client Credentials Flow (Service-to-Service)
|
|
193
|
+
|
|
194
|
+
```bash
|
|
195
|
+
# Obtain token using client credentials
|
|
196
|
+
TOKEN=$(curl -X POST https://oauth.example.com/token \
|
|
197
|
+
-d "grant_type=client_credentials" \
|
|
198
|
+
-d "client_id=YOUR_CLIENT_ID" \
|
|
199
|
+
-d "client_secret=YOUR_CLIENT_SECRET" \
|
|
200
|
+
-d "scope=api.read api.write" \
|
|
201
|
+
| jq -r '.access_token')
|
|
202
|
+
|
|
203
|
+
export API_TOKEN="$TOKEN"
|
|
204
|
+
|
|
205
|
+
# Run authenticated scan
|
|
206
|
+
python3 scripts/zap_auth_scanner.py \
|
|
207
|
+
--target https://api.example.com \
|
|
208
|
+
--auth-type bearer \
|
|
209
|
+
--token-env API_TOKEN
|
|
210
|
+
```
|
|
211
|
+
|
|
212
|
+
## HTTP Basic/Digest Authentication
|
|
213
|
+
|
|
214
|
+
### Basic Authentication
|
|
215
|
+
|
|
216
|
+
```bash
|
|
217
|
+
# Option 1: Using environment variable
|
|
218
|
+
export BASIC_AUTH="dGVzdHVzZXI6cGFzc3dvcmQ=" # base64(testuser:password)
|
|
219
|
+
|
|
220
|
+
# Option 2: Using script
|
|
221
|
+
python3 scripts/zap_auth_scanner.py \
|
|
222
|
+
--target https://app.example.com \
|
|
223
|
+
--auth-type http \
|
|
224
|
+
--username testuser \
|
|
225
|
+
--password-env HTTP_PASSWORD
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
### Digest Authentication
|
|
229
|
+
|
|
230
|
+
Similar to Basic, but ZAP automatically handles the challenge-response:
|
|
231
|
+
|
|
232
|
+
```bash
|
|
233
|
+
docker run --rm \
|
|
234
|
+
-v $(pwd):/zap/wrk/:rw \
|
|
235
|
+
-t zaproxy/zap-stable \
|
|
236
|
+
zap-full-scan.py \
|
|
237
|
+
-t https://app.example.com \
|
|
238
|
+
-n /zap/wrk/digest-auth-context.xml \
|
|
239
|
+
-r /zap/wrk/digest-auth-report.html
|
|
240
|
+
```
|
|
241
|
+
|
|
242
|
+
## Session Management
|
|
243
|
+
|
|
244
|
+
### Cookie-Based Sessions
|
|
245
|
+
|
|
246
|
+
**Default Behavior:** ZAP automatically manages cookies.
|
|
247
|
+
|
|
248
|
+
**Custom Configuration:**
|
|
249
|
+
- Set session cookie name in context
|
|
250
|
+
- Configure session timeout
|
|
251
|
+
- Define re-authentication triggers
|
|
252
|
+
|
|
253
|
+
### Token Refresh Handling
|
|
254
|
+
|
|
255
|
+
For tokens that expire during scan:
|
|
256
|
+
|
|
257
|
+
```yaml
|
|
258
|
+
# zap_automation.yaml
|
|
259
|
+
env:
|
|
260
|
+
contexts:
|
|
261
|
+
- name: API-Context
|
|
262
|
+
authentication:
|
|
263
|
+
method: script
|
|
264
|
+
parameters:
|
|
265
|
+
script: |
|
|
266
|
+
// JavaScript to refresh token
|
|
267
|
+
function authenticate(helper, paramsValues, credentials) {
|
|
268
|
+
var loginUrl = "https://api.example.com/auth/login";
|
|
269
|
+
var postData = '{"username":"' + credentials.getParam("username") +
|
|
270
|
+
'","password":"' + credentials.getParam("password") + '"}';
|
|
271
|
+
|
|
272
|
+
var msg = helper.prepareMessage();
|
|
273
|
+
msg.setRequestHeader("POST " + loginUrl + " HTTP/1.1");
|
|
274
|
+
msg.setRequestBody(postData);
|
|
275
|
+
helper.sendAndReceive(msg);
|
|
276
|
+
|
|
277
|
+
var response = msg.getResponseBody().toString();
|
|
278
|
+
var token = JSON.parse(response).token;
|
|
279
|
+
|
|
280
|
+
// Store token for use in requests
|
|
281
|
+
helper.getHttpSender().setRequestHeader("Authorization", "Bearer " + token);
|
|
282
|
+
return msg;
|
|
283
|
+
}
|
|
284
|
+
```
|
|
285
|
+
|
|
286
|
+
## Verification and Troubleshooting
|
|
287
|
+
|
|
288
|
+
### Verify Authentication is Working
|
|
289
|
+
|
|
290
|
+
1. **Check Logged-In Indicator**
|
|
291
|
+
|
|
292
|
+
Run a spider scan and verify protected pages are accessed:
|
|
293
|
+
|
|
294
|
+
```bash
|
|
295
|
+
# Look for dashboard, profile, or other authenticated pages in spider results
|
|
296
|
+
```
|
|
297
|
+
|
|
298
|
+
2. **Monitor Authentication Requests**
|
|
299
|
+
|
|
300
|
+
Enable ZAP logging to see authentication attempts:
|
|
301
|
+
|
|
302
|
+
```bash
|
|
303
|
+
docker run --rm \
|
|
304
|
+
-v $(pwd):/zap/wrk/:rw \
|
|
305
|
+
-e ZAP_LOG_LEVEL=DEBUG \
|
|
306
|
+
-t zaproxy/zap-stable \
|
|
307
|
+
zap-full-scan.py -t https://app.example.com -n /zap/wrk/context.xml
|
|
308
|
+
```
|
|
309
|
+
|
|
310
|
+
3. **Test with Manual Request**
|
|
311
|
+
|
|
312
|
+
Send a manual authenticated request via ZAP GUI or API to verify credentials work.
|
|
313
|
+
|
|
314
|
+
### Common Authentication Issues
|
|
315
|
+
|
|
316
|
+
#### Issue: Session Expires During Scan
|
|
317
|
+
|
|
318
|
+
**Solution:** Configure re-authentication:
|
|
319
|
+
|
|
320
|
+
```python
|
|
321
|
+
# In zap_auth_scanner.py, add re-authentication trigger
|
|
322
|
+
--re-authenticate-on 401,403 \
|
|
323
|
+
--verification-interval 300 # Check every 5 minutes
|
|
324
|
+
```
|
|
325
|
+
|
|
326
|
+
#### Issue: CSRF Tokens Required
|
|
327
|
+
|
|
328
|
+
**Solution:** Use anti-CSRF token handling:
|
|
329
|
+
|
|
330
|
+
```yaml
|
|
331
|
+
# zap_automation.yaml
|
|
332
|
+
env:
|
|
333
|
+
contexts:
|
|
334
|
+
- name: WebApp
|
|
335
|
+
authentication:
|
|
336
|
+
verification:
|
|
337
|
+
method: response
|
|
338
|
+
loggedInRegex: "\\QWelcome\\E"
|
|
339
|
+
sessionManagement:
|
|
340
|
+
method: cookie
|
|
341
|
+
parameters:
|
|
342
|
+
antiCsrfTokens: true
|
|
343
|
+
```
|
|
344
|
+
|
|
345
|
+
#### Issue: Rate Limiting Blocking Authentication
|
|
346
|
+
|
|
347
|
+
**Solution:** Slow down scan:
|
|
348
|
+
|
|
349
|
+
```bash
|
|
350
|
+
docker run -t zaproxy/zap-stable zap-full-scan.py \
|
|
351
|
+
-t https://app.example.com \
|
|
352
|
+
-z "-config scanner.delayInMs=2000 -config scanner.threadPerHost=1"
|
|
353
|
+
```
|
|
354
|
+
|
|
355
|
+
#### Issue: Multi-Step Login (MFA)
|
|
356
|
+
|
|
357
|
+
**Solution:** Use script-based authentication with Selenium or manual token acquisition.
|
|
358
|
+
|
|
359
|
+
## Security Best Practices
|
|
360
|
+
|
|
361
|
+
1. **Never Hardcode Credentials**
|
|
362
|
+
- Use environment variables
|
|
363
|
+
- Use secrets management tools (Vault, AWS Secrets Manager)
|
|
364
|
+
|
|
365
|
+
2. **Use Dedicated Test Accounts**
|
|
366
|
+
- Create accounts specifically for security testing
|
|
367
|
+
- Limit permissions to test data only
|
|
368
|
+
- Monitor for abuse
|
|
369
|
+
|
|
370
|
+
3. **Rotate Credentials Regularly**
|
|
371
|
+
- Change test account passwords after each scan
|
|
372
|
+
- Rotate API tokens frequently
|
|
373
|
+
|
|
374
|
+
4. **Log Authentication Attempts**
|
|
375
|
+
- Monitor for failed authentication attempts
|
|
376
|
+
- Alert on unusual patterns
|
|
377
|
+
|
|
378
|
+
5. **Secure Context Files**
|
|
379
|
+
- Never commit context files with credentials to version control
|
|
380
|
+
- Use `.gitignore` to exclude `*.context` files
|
|
381
|
+
- Encrypt context files at rest
|
|
382
|
+
|
|
383
|
+
## Examples by Framework
|
|
384
|
+
|
|
385
|
+
### Django Application
|
|
386
|
+
|
|
387
|
+
```bash
|
|
388
|
+
# Django CSRF token handling
|
|
389
|
+
python3 scripts/zap_auth_scanner.py \
|
|
390
|
+
--target https://django-app.example.com \
|
|
391
|
+
--auth-type form \
|
|
392
|
+
--login-url https://django-app.example.com/accounts/login/ \
|
|
393
|
+
--username testuser \
|
|
394
|
+
--password-env DJANGO_PASSWORD \
|
|
395
|
+
--verification-url https://django-app.example.com/dashboard/
|
|
396
|
+
```
|
|
397
|
+
|
|
398
|
+
### Spring Boot Application
|
|
399
|
+
|
|
400
|
+
```bash
|
|
401
|
+
# Spring Security form login
|
|
402
|
+
python3 scripts/zap_auth_scanner.py \
|
|
403
|
+
--target https://spring-app.example.com \
|
|
404
|
+
--auth-type form \
|
|
405
|
+
--login-url https://spring-app.example.com/login \
|
|
406
|
+
--username testuser \
|
|
407
|
+
--password-env SPRING_PASSWORD
|
|
408
|
+
```
|
|
409
|
+
|
|
410
|
+
### React SPA with JWT
|
|
411
|
+
|
|
412
|
+
```bash
|
|
413
|
+
# Get JWT from API, then scan
|
|
414
|
+
TOKEN=$(curl -X POST https://api.example.com/auth/login \
|
|
415
|
+
-H "Content-Type: application/json" \
|
|
416
|
+
-d '{"email":"test@example.com","password":"password"}' \
|
|
417
|
+
| jq -r '.token')
|
|
418
|
+
|
|
419
|
+
export API_TOKEN="$TOKEN"
|
|
420
|
+
|
|
421
|
+
python3 scripts/zap_auth_scanner.py \
|
|
422
|
+
--target https://spa.example.com \
|
|
423
|
+
--auth-type bearer \
|
|
424
|
+
--token-env API_TOKEN
|
|
425
|
+
```
|
|
426
|
+
|
|
427
|
+
## Additional Resources
|
|
428
|
+
|
|
429
|
+
- [ZAP Authentication Documentation](https://www.zaproxy.org/docs/desktop/start/features/authentication/)
|
|
430
|
+
- [ZAP Session Management](https://www.zaproxy.org/docs/desktop/start/features/sessionmanagement/)
|
|
431
|
+
- [OAuth 2.0 RFC 6749](https://tools.ietf.org/html/rfc6749)
|