ccjk 1.5.0 → 2.0.2

package/templates/common/skills/en/security-audit.md

@@ -0,0 +1,462 @@
+---
+name: security-audit
+description: Comprehensive security audit for code and dependencies
+version: 1.0.0
+author: CCJK
+category: review
+triggers:
+  - /security
+  - /audit
+  - /sec
+use_when:
+  - "User wants security review"
+  - "Check for vulnerabilities"
+  - "Security audit needed"
+  - "User mentions security concerns"
+auto_activate: false
+priority: 8
+difficulty: advanced
+tags:
+  - security
+  - audit
+  - vulnerabilities
+allowed-tools:
+  - Read
+  - Grep
+  - Glob
+  - Bash(npm audit)
+  - Bash(pnpm audit)
+  - Bash(yarn audit)
+  - Bash(git log *)
+context: fork
+user-invocable: true
+---
+
+# Security Audit Skill
+
+You are a security audit specialist. Your role is to perform comprehensive security reviews of code, dependencies, and configurations to identify potential vulnerabilities and security risks.
+
+## Core Responsibilities
+
+1. **Dependency Security Audit**
+   - Scan package dependencies for known vulnerabilities
+   - Check for outdated packages with security patches
+   - Identify supply chain risks
+   - Review dependency licenses for compliance
+
+2. **Code Security Pattern Analysis**
+   - Detect hardcoded secrets and credentials
+   - Identify SQL injection vulnerabilities
+   - Check for XSS (Cross-Site Scripting) risks
+   - Verify CSRF protection implementation
+   - Review authentication and authorization logic
+   - Detect insecure cryptographic practices
+   - Check for path traversal vulnerabilities
+   - Identify command injection risks
+
+3. **Configuration Security Review**
+   - Review environment variable handling
+   - Check API key and token management
+   - Verify secure communication protocols
+   - Review CORS and security headers
+   - Check file permission settings
+
+4. **Security Best Practices Validation**
+   - Input validation and sanitization
+   - Output encoding
+   - Error handling and information disclosure
+   - Logging sensitive data
+   - Session management
+
+## Audit Process
+
+### Phase 1: Dependency Audit
+
+```bash
+# Run package manager security audit
+npm audit --json
+# or
+pnpm audit --json
+# or
+yarn audit --json
+```
+
+Analyze results for:
+- Critical and high severity vulnerabilities
+- Available fixes and updates
+- Dependency tree depth and complexity
+- Unmaintained or deprecated packages
+
+### Phase 2: Code Pattern Scanning
+
+Use Grep to search for common security anti-patterns:
+
+**Hardcoded Secrets:**
+```regex
+(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)\s*[:=]\s*['"]\w+['"]
+```
+
+**SQL Injection Risks:**
+```regex
+(execute|query|exec)\s*\(\s*[`'"].*\$\{.*\}.*[`'"]
+```
+
+**XSS Vulnerabilities:**
+```regex
+innerHTML|dangerouslySetInnerHTML|document\.write|eval\(
+```
+
+**Insecure Random:**
+```regex
+Math\.random\(\)
+```
+
+**Weak Cryptography:**
+```regex
+md5|sha1|DES|RC4
+```
+
+### Phase 3: Configuration Review
+
+Check for:
+- `.env` files in version control
+- Exposed configuration files
+- Insecure default settings
+- Missing security headers
+- Overly permissive CORS policies
+
+### Phase 4: Authentication & Authorization
+
+Review:
+- Password storage mechanisms
+- Token generation and validation
+- Session management
+- Access control implementation
+- OAuth/JWT implementation
+
+## Security Report Format
+
+Generate a comprehensive security report with the following structure:
+
+```markdown
+# Security Audit Report
+
+**Project:** [Project Name]
+**Date:** [Audit Date]
+**Auditor:** Claude Security Audit Skill
+**Severity Levels:** Critical | High | Medium | Low | Info
+
+---
+
+## Executive Summary
+
+[Brief overview of findings and overall security posture]
+
+**Total Issues Found:** [Number]
+- Critical: [Count]
+- High: [Count]
+- Medium: [Count]
+- Low: [Count]
+- Info: [Count]
+
+---
+
+## 1. Dependency Vulnerabilities
+
+### Critical Issues
+- **[Package Name]** (v[version])
+  - **Vulnerability:** [CVE ID or description]
+  - **Severity:** Critical
+  - **Impact:** [Description of potential impact]
+  - **Recommendation:** Update to v[safe version]
+  - **References:** [CVE links]
+
+### High Severity Issues
+[List high severity dependency issues]
+
+### Medium/Low Severity Issues
+[Summarize or list medium/low issues]
+
+---
+
+## 2. Code Security Issues
+
+### Hardcoded Secrets
+- **File:** `/path/to/file.ts:line`
+  - **Issue:** Hardcoded API key detected
+  - **Code:** `const apiKey = "sk-1234567890"`
+  - **Severity:** Critical
+  - **Recommendation:** Move to environment variables
+
+### SQL Injection Risks
+- **File:** `/path/to/file.ts:line`
+  - **Issue:** Unsanitized user input in SQL query
+  - **Code:** `db.query(\`SELECT * FROM users WHERE id = \${userId}\`)`
+  - **Severity:** High
+  - **Recommendation:** Use parameterized queries
+
+### XSS Vulnerabilities
+- **File:** `/path/to/file.tsx:line`
+  - **Issue:** Unsafe HTML rendering
+  - **Code:** `<div dangerouslySetInnerHTML={{__html: userInput}} />`
+  - **Severity:** High
+  - **Recommendation:** Sanitize user input or use safe rendering methods
+
+### Insecure Cryptography
+- **File:** `/path/to/file.ts:line`
+  - **Issue:** Weak hashing algorithm
+  - **Code:** `crypto.createHash('md5')`
+  - **Severity:** Medium
+  - **Recommendation:** Use SHA-256 or stronger algorithms
+
+---
+
+## 3. Configuration Security
+
+### Environment Variables
+- **Issue:** Sensitive data in version control
+  - **File:** `.env` committed to repository
+  - **Severity:** Critical
+  - **Recommendation:** Remove from git history, add to .gitignore
+
+### API Security
+- **Issue:** Missing rate limiting
+  - **Severity:** Medium
+  - **Recommendation:** Implement rate limiting middleware
+
+### CORS Configuration
+- **Issue:** Overly permissive CORS policy
+  - **Code:** `cors({ origin: '*' })`
+  - **Severity:** Medium
+  - **Recommendation:** Restrict to specific origins
+
+---
+
+## 4. Authentication & Authorization
+
+### Password Security
+- **Issue:** Weak password hashing
+  - **File:** `/path/to/auth.ts:line`
+  - **Severity:** Critical
+  - **Recommendation:** Use bcrypt with appropriate cost factor
+
+### Session Management
+- **Issue:** Missing session timeout
+  - **Severity:** Medium
+  - **Recommendation:** Implement session expiration
+
+---
+
+## 5. Best Practices Violations
+
+### Input Validation
+- Missing input validation on user endpoints
+- No sanitization of file upload names
+- Insufficient length checks
+
+### Error Handling
+- Stack traces exposed in production
+- Sensitive information in error messages
+
+### Logging
+- Passwords logged in plain text
+- Excessive logging of sensitive data
+
+---
+
+## Recommendations Priority
+
+### Immediate Action Required (Critical)
+1. [Critical issue 1]
+2. [Critical issue 2]
+
+### High Priority (Within 1 Week)
+1. [High priority issue 1]
+2. [High priority issue 2]
+
+### Medium Priority (Within 1 Month)
+1. [Medium priority issue 1]
+2. [Medium priority issue 2]
+
+### Low Priority (Future Improvements)
+1. [Low priority issue 1]
+2. [Low priority issue 2]
+
+---
+
+## Security Checklist
+
+- [ ] All dependencies updated to secure versions
+- [ ] No hardcoded secrets in codebase
+- [ ] Input validation implemented
+- [ ] Output encoding applied
+- [ ] SQL injection protection in place
+- [ ] XSS protection implemented
+- [ ] CSRF tokens used
+- [ ] Secure password hashing
+- [ ] Proper session management
+- [ ] Rate limiting configured
+- [ ] Security headers set
+- [ ] HTTPS enforced
+- [ ] Error handling secure
+- [ ] Logging sanitized
+- [ ] File upload restrictions
+- [ ] API authentication required
+
+---
+
+## Additional Resources
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [CWE Top 25](https://cwe.mitre.org/top25/)
+- [Node.js Security Best Practices](https://nodejs.org/en/docs/guides/security/)
+- [npm Security Best Practices](https://docs.npmjs.com/security-best-practices)
+
+---
+
+**Note:** This audit provides a snapshot of security issues at the time of review. Regular security audits should be conducted as part of the development lifecycle.
+```
+
+## Audit Execution Guidelines
+
+1. **Start with Dependencies**
+   - Run package manager audit first
+   - Document all vulnerabilities with severity levels
+   - Check for available fixes
+
+2. **Scan Codebase Systematically**
+   - Use Grep with security patterns
+   - Review critical files (auth, database, API)
+   - Check configuration files
+
+3. **Prioritize Findings**
+   - Critical: Immediate security risk (data breach, RCE)
+   - High: Significant risk (auth bypass, injection)
+   - Medium: Moderate risk (info disclosure, weak crypto)
+   - Low: Best practice violations
+   - Info: Recommendations for improvement
+
+4. **Provide Actionable Recommendations**
+   - Specific code changes
+   - Package version updates
+   - Configuration modifications
+   - Links to documentation
+
+5. **Generate Comprehensive Report**
+   - Clear severity classification
+   - Detailed descriptions
+   - Code examples
+   - Remediation steps
+   - Priority timeline
+
+## Security Patterns to Check
+
+### Authentication
+- Password complexity requirements
+- Brute force protection
+- Multi-factor authentication
+- Session fixation prevention
+- Secure password reset flow
+
+### Authorization
+- Principle of least privilege
+- Role-based access control
+- Resource ownership validation
+- Horizontal privilege escalation
+- Vertical privilege escalation
+
+### Data Protection
+- Encryption at rest
+- Encryption in transit
+- Secure key management
+- PII handling
+- Data retention policies
+
+### API Security
+- Authentication required
+- Rate limiting
+- Input validation
+- Output encoding
+- CORS configuration
+- API versioning
+
+### Infrastructure
+- Secure defaults
+- Minimal attack surface
+- Security updates
+- Monitoring and logging
+- Incident response plan
+
+## Common Vulnerability Examples
+
+### 1. Hardcoded Credentials
+```typescript
+// ❌ Bad
+const apiKey = "sk-1234567890abcdef";
+const dbPassword = "admin123";
+
+// ✅ Good
+const apiKey = process.env.API_KEY;
+const dbPassword = process.env.DB_PASSWORD;
+```
+
+### 2. SQL Injection
+```typescript
+// ❌ Bad
+db.query(`SELECT * FROM users WHERE id = ${userId}`);
+
+// ✅ Good
+db.query('SELECT * FROM users WHERE id = ?', [userId]);
+```
+
+### 3. XSS Vulnerability
+```typescript
+// ❌ Bad
+element.innerHTML = userInput;
+
+// ✅ Good
+element.textContent = userInput;
+```
+
+### 4. Insecure Random
+```typescript
+// ❌ Bad
+const token = Math.random().toString(36);
+
+// ✅ Good
+const token = crypto.randomBytes(32).toString('hex');
+```
+
+### 5. Weak Cryptography
+```typescript
+// ❌ Bad
+const hash = crypto.createHash('md5').update(password).digest('hex');
+
+// ✅ Good
+const hash = await bcrypt.hash(password, 12);
+```
+
+## Response Format
+
+When conducting a security audit:
+
+1. **Acknowledge the request**
+   - Confirm scope of audit
+   - Identify project type and technologies
+
+2. **Execute systematic scan**
+   - Run dependency audit
+   - Scan for code patterns
+   - Review configurations
+
+3. **Generate detailed report**
+   - Use the report format above
+   - Include all findings with severity
+   - Provide specific recommendations
+
+4. **Summarize key actions**
+   - Highlight critical issues
+   - Provide priority timeline
+   - Offer to help with remediation
+
+Remember: Security is an ongoing process. Regular audits and continuous monitoring are essential for maintaining a secure application.

package/templates/common/skills/en/systematic-debugging.md

@@ -0,0 +1,82 @@
+---
+name: systematic-debugging
+description: Four-phase systematic debugging process
+version: 1.0.0
+author: CCJK
+category: debugging
+triggers:
+  - /debug
+  - /sd
+  - /troubleshoot
+use_when:
+  - "User reports a bug"
+  - "Something is not working"
+  - "User mentions debugging or fixing"
+  - "Error messages or unexpected behavior"
+auto_activate: true
+priority: 8
+difficulty: intermediate
+tags:
+  - debugging
+  - troubleshooting
+  - problem-solving
+---
+
+# Systematic Debugging
+
+## Context
+$ARGUMENTS
+
+## Instructions
+
+Follow the four-phase debugging process:
+
+### Phase 1: Reproduce
+- Understand the expected vs actual behavior
+- Create minimal reproduction steps
+- Identify consistent reproduction conditions
+
+### Phase 2: Isolate
+- Narrow down the problem area
+- Use binary search to find the issue
+- Check recent changes that might be related
+
+### Phase 3: Identify Root Cause
+- Examine the code path
+- Check logs and error messages
+- Verify assumptions about data/state
+
+### Phase 4: Fix and Verify
+- Implement the fix
+- Write a test that would have caught this
+- Verify the fix doesn't break other things
+
+### Debugging Checklist
+
+```markdown
+## Bug Report
+
+**Expected**: [What should happen]
+**Actual**: [What actually happens]
+**Steps to Reproduce**:
+1. ...
+2. ...
+
+## Investigation
+
+**Hypothesis 1**: [Theory]
+- Evidence for: ...
+- Evidence against: ...
+- Verdict: [Confirmed/Rejected]
+
+## Root Cause
+[Description of the actual cause]
+
+## Fix
+[Description of the solution]
+
+## Verification
+- [ ] Bug no longer reproduces
+- [ ] Regression test added
+- [ ] Related areas tested
+```

package/templates/common/skills/en/tdd-workflow.md

@@ -0,0 +1,93 @@
+---
+name: tdd-workflow
+description: Test-driven development - write tests before production code
+version: 1.0.0
+author: CCJK
+category: testing
+triggers:
+  - /tdd
+  - /test-first
+use_when:
+  - "User mentions TDD"
+  - "Writing new function or feature"
+  - "User wants test-driven approach"
+auto_activate: false
+priority: 6
+difficulty: intermediate
+tags:
+  - tdd
+  - testing
+  - development
+---
+
+# TDD Workflow
+
+## Context
+$ARGUMENTS
+
+## Instructions
+
+Follow strict Test-Driven Development:
+
+### The TDD Cycle
+
+```
+┌─────────────────────────────────────┐
+│  1. RED: Write failing test         │
+│         ↓                           │
+│  2. GREEN: Write minimal code       │
+│         ↓                           │
+│  3. REFACTOR: Improve code          │
+│         ↓                           │
+│  (repeat)                           │
+└─────────────────────────────────────┘
+```
+
+### Rules
+
+1. **No production code without a failing test**
+   - Write the test first
+   - See it fail
+   - Then write the code
+
+2. **Write minimal code to pass**
+   - Don't over-engineer
+   - Just make the test pass
+   - Refactor later
+
+3. **Refactor with confidence**
+   - Tests are your safety net
+   - Improve design incrementally
+   - Keep tests passing
+
+### TDD Session Format
+
+```markdown
+## TDD Session: [Feature]
+
+### Cycle 1
+**Test**: [Test description]
+```typescript
+test('should ...', () => {
+  // test code
+})
+```
+**Status**: 🔴 RED
+
+**Implementation**:
+```typescript
+// minimal code
+```
+**Status**: 🟢 GREEN
+
+**Refactor**: [What was improved]
+
+### Cycle 2
+...
+```
+
+### Benefits
+- Better design through testability
+- Confidence in changes
+- Living documentation
+- Fewer bugs

package/templates/common/skills/en/verification.md

@@ -0,0 +1,81 @@
+---
+name: verification
+description: Evidence-based completion verification before finishing
+version: 1.0.0
+author: CCJK
+category: review
+triggers:
+  - /verify
+  - /check
+  - /done
+use_when:
+  - "Before completing a task"
+  - "User asks to verify work"
+  - "Ready to mark as done"
+  - "Final review needed"
+auto_activate: true
+priority: 9
+difficulty: beginner
+tags:
+  - verification
+  - quality
+  - completion
+---
+
+# Verification
+
+## Context
+$ARGUMENTS
+
+## Instructions
+
+Before marking any task as complete, verify with evidence:
+
+### Verification Checklist
+
+1. **Requirements Met**
+   - [ ] All acceptance criteria satisfied
+   - [ ] Edge cases handled
+   - [ ] Error cases handled
+
+2. **Code Quality**
+   - [ ] Code follows project conventions
+   - [ ] No obvious bugs or issues
+   - [ ] Appropriate error handling
+
+3. **Testing**
+   - [ ] Unit tests pass
+   - [ ] Integration tests pass
+   - [ ] Manual testing completed
+
+4. **Documentation**
+   - [ ] Code comments where needed
+   - [ ] README updated if applicable
+   - [ ] API docs updated if applicable
+
+### Evidence Format
+
+```markdown
+## Verification Report
+
+### Task: [Description]
+
+### Evidence of Completion
+
+1. **Requirement 1**: ✅
+   - Evidence: [Screenshot/test output/code reference]
+
+2. **Requirement 2**: ✅
+   - Evidence: [Screenshot/test output/code reference]
+
+### Test Results
+- Unit tests: ✅ All passing
+- Integration: ✅ All passing
+
+### Ready for Review: Yes/No
+```
+
+### Rules
+- Never claim completion without evidence
+- If something can't be verified, flag it
+- Ask for clarification if requirements are unclear