cfsa-antigravity 1.0.0

package/template/.agent/skills/rest-api-design/SKILL.md

@@ -0,0 +1,478 @@
+---
+name: rest-api-design
+description: Design RESTful APIs following best practices for resource modeling, HTTP methods, status codes, versioning, and documentation. Use when creating new APIs, designing endpoints, or improving existing API architecture.
+---
+
+# REST API Design
+
+## Overview
+
+Design REST APIs that are intuitive, consistent, and follow industry best practices for resource-oriented architecture.
+
+## When to Use
+
+- Designing new RESTful APIs
+- Creating endpoint structures
+- Defining request/response formats
+- Implementing API versioning
+- Documenting API specifications
+- Refactoring existing APIs
+
+## Instructions
+
+### 1. **Resource Naming**
+
+```
+✅ Good Resource Names (Nouns, Plural)
+GET    /api/users
+GET    /api/users/123
+GET    /api/users/123/orders
+POST   /api/products
+DELETE /api/products/456
+
+❌ Bad Resource Names (Verbs, Inconsistent)
+GET    /api/getUsers
+POST   /api/createProduct
+GET    /api/user/123  (inconsistent singular/plural)
+```
+
+### 2. **HTTP Methods & Operations**
+
+```http
+# CRUD Operations
+GET    /api/users          # List all users (Read collection)
+GET    /api/users/123      # Get specific user (Read single)
+POST   /api/users          # Create new user (Create)
+PUT    /api/users/123      # Replace user completely (Update)
+PATCH  /api/users/123      # Partial update user (Partial update)
+DELETE /api/users/123      # Delete user (Delete)
+
+# Nested Resources
+GET    /api/users/123/orders       # Get user's orders
+POST   /api/users/123/orders       # Create order for user
+GET    /api/users/123/orders/456   # Get specific order
+```
+
+### 3. **Request Examples**
+
+#### Creating a Resource
+```http
+POST /api/users
+Content-Type: application/json
+
+{
+  "email": "john@example.com",
+  "firstName": "John",
+  "lastName": "Doe",
+  "role": "admin"
+}
+
+Response: 201 Created
+Location: /api/users/789
+{
+  "id": "789",
+  "email": "john@example.com",
+  "firstName": "John",
+  "lastName": "Doe",
+  "role": "admin",
+  "createdAt": "2025-01-15T10:30:00Z",
+  "updatedAt": "2025-01-15T10:30:00Z"
+}
+```
+
+#### Updating a Resource
+```http
+PATCH /api/users/789
+Content-Type: application/json
+
+{
+  "firstName": "Jonathan"
+}
+
+Response: 200 OK
+{
+  "id": "789",
+  "email": "john@example.com",
+  "firstName": "Jonathan",
+  "lastName": "Doe",
+  "role": "admin",
+  "updatedAt": "2025-01-15T11:00:00Z"
+}
+```
+
+### 4. **Query Parameters**
+
+```http
+# Filtering
+GET /api/products?category=electronics&inStock=true
+
+# Sorting
+GET /api/users?sort=lastName,asc
+
+# Pagination
+GET /api/users?page=2&limit=20
+
+# Field Selection
+GET /api/users?fields=id,email,firstName
+
+# Search
+GET /api/products?q=laptop
+
+# Multiple filters combined
+GET /api/orders?status=pending&customer=123&sort=createdAt,desc&limit=50
+```
+
+### 5. **Response Formats**
+
+#### Success Response
+```json
+{
+  "data": {
+    "id": "123",
+    "email": "user@example.com",
+    "firstName": "John"
+  },
+  "meta": {
+    "timestamp": "2025-01-15T10:30:00Z",
+    "version": "1.0"
+  }
+}
+```
+
+#### Collection Response with Pagination
+```json
+{
+  "data": [
+    { "id": "1", "name": "Product 1" },
+    { "id": "2", "name": "Product 2" }
+  ],
+  "pagination": {
+    "page": 2,
+    "limit": 20,
+    "total": 145,
+    "totalPages": 8,
+    "hasNext": true,
+    "hasPrev": true
+  },
+  "links": {
+    "self": "/api/products?page=2&limit=20",
+    "first": "/api/products?page=1&limit=20",
+    "prev": "/api/products?page=1&limit=20",
+    "next": "/api/products?page=3&limit=20",
+    "last": "/api/products?page=8&limit=20"
+  }
+}
+```
+
+#### Error Response
+```json
+{
+  "error": {
+    "code": "VALIDATION_ERROR",
+    "message": "Invalid input data",
+    "details": [
+      {
+        "field": "email",
+        "message": "Email format is invalid"
+      },
+      {
+        "field": "age",
+        "message": "Must be at least 18"
+      }
+    ]
+  },
+  "meta": {
+    "timestamp": "2025-01-15T10:30:00Z",
+    "requestId": "abc-123-def"
+  }
+}
+```
+
+### 6. **HTTP Status Codes**
+
+```
+Success:
+200 OK              - Successful GET, PATCH, DELETE
+201 Created         - Successful POST (resource created)
+204 No Content      - Successful DELETE (no response body)
+
+Client Errors:
+400 Bad Request     - Invalid request format/data
+401 Unauthorized    - Missing or invalid authentication
+403 Forbidden       - Authenticated but not authorized
+404 Not Found       - Resource doesn't exist
+409 Conflict        - Resource conflict (e.g., duplicate email)
+422 Unprocessable   - Validation errors
+429 Too Many Requests - Rate limit exceeded
+
+Server Errors:
+500 Internal Server Error - Generic server error
+503 Service Unavailable   - Temporary unavailability
+```
+
+### 7. **API Versioning**
+
+```http
+# URL Path Versioning (Recommended)
+GET /api/v1/users
+GET /api/v2/users
+
+# Header Versioning
+GET /api/users
+Accept: application/vnd.myapi.v1+json
+
+# Query Parameter (Not recommended)
+GET /api/users?version=1
+```
+
+### 8. **Authentication & Security**
+
+```http
+# JWT Bearer Token
+GET /api/users
+Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
+
+# API Key
+GET /api/users
+X-API-Key: your-api-key-here
+
+# Always use HTTPS in production
+https://api.example.com/v1/users
+```
+
+### 9. **Rate Limiting Headers**
+
+```http
+HTTP/1.1 200 OK
+X-RateLimit-Limit: 1000
+X-RateLimit-Remaining: 995
+X-RateLimit-Reset: 1642262400
+```
+
+### 10. **OpenAPI Documentation**
+
+```yaml
+openapi: 3.0.0
+info:
+  title: User API
+  version: 1.0.0
+  description: User management API
+
+paths:
+  /users:
+    get:
+      summary: List all users
+      parameters:
+        - name: page
+          in: query
+          schema:
+            type: integer
+            default: 1
+        - name: limit
+          in: query
+          schema:
+            type: integer
+            default: 20
+      responses:
+        '200':
+          description: Successful response
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  data:
+                    type: array
+                    items:
+                      $ref: '#/components/schemas/User'
+
+    post:
+      summary: Create a new user
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UserInput'
+      responses:
+        '201':
+          description: User created
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/User'
+        '400':
+          description: Invalid input
+        '409':
+          description: Email already exists
+
+components:
+  schemas:
+    User:
+      type: object
+      properties:
+        id:
+          type: string
+        email:
+          type: string
+          format: email
+        firstName:
+          type: string
+        lastName:
+          type: string
+        createdAt:
+          type: string
+          format: date-time
+
+    UserInput:
+      type: object
+      required:
+        - email
+        - firstName
+        - lastName
+      properties:
+        email:
+          type: string
+          format: email
+        firstName:
+          type: string
+        lastName:
+          type: string
+```
+
+## Best Practices
+
+### ✅ DO
+- Use nouns for resources, not verbs
+- Use plural names for collections
+- Be consistent with naming conventions
+- Return appropriate HTTP status codes
+- Include pagination for collections
+- Provide filtering and sorting options
+- Version your API
+- Document thoroughly with OpenAPI
+- Use HTTPS
+- Implement rate limiting
+- Provide clear error messages
+- Use ISO 8601 for dates
+
+### ❌ DON'T
+- Use verbs in endpoint names
+- Return 200 for errors
+- Expose internal IDs unnecessarily
+- Over-nest resources (max 2 levels)
+- Use inconsistent naming
+- Forget authentication
+- Return sensitive data
+- Break backward compatibility without versioning
+
+## Complete Example: Express.js
+
+```javascript
+const express = require('express');
+const app = express();
+
+app.use(express.json());
+
+// List users with pagination
+app.get('/api/v1/users', async (req, res) => {
+  try {
+    const page = parseInt(req.query.page) || 1;
+    const limit = parseInt(req.query.limit) || 20;
+    const offset = (page - 1) * limit;
+
+    const users = await User.findAndCountAll({
+      limit,
+      offset,
+      attributes: ['id', 'email', 'firstName', 'lastName']
+    });
+
+    res.json({
+      data: users.rows,
+      pagination: {
+        page,
+        limit,
+        total: users.count,
+        totalPages: Math.ceil(users.count / limit)
+      }
+    });
+  } catch (error) {
+    res.status(500).json({
+      error: {
+        code: 'INTERNAL_ERROR',
+        message: 'An error occurred while fetching users'
+      }
+    });
+  }
+});
+
+// Get single user
+app.get('/api/v1/users/:id', async (req, res) => {
+  try {
+    const user = await User.findByPk(req.params.id);
+
+    if (!user) {
+      return res.status(404).json({
+        error: {
+          code: 'NOT_FOUND',
+          message: 'User not found'
+        }
+      });
+    }
+
+    res.json({ data: user });
+  } catch (error) {
+    res.status(500).json({
+      error: {
+        code: 'INTERNAL_ERROR',
+        message: 'An error occurred'
+      }
+    });
+  }
+});
+
+// Create user
+app.post('/api/v1/users', async (req, res) => {
+  try {
+    const { email, firstName, lastName } = req.body;
+
+    // Validation
+    if (!email || !firstName || !lastName) {
+      return res.status(400).json({
+        error: {
+          code: 'VALIDATION_ERROR',
+          message: 'Missing required fields',
+          details: [
+            !email && { field: 'email', message: 'Email is required' },
+            !firstName && { field: 'firstName', message: 'First name is required' },
+            !lastName && { field: 'lastName', message: 'Last name is required' }
+          ].filter(Boolean)
+        }
+      });
+    }
+
+    const user = await User.create({ email, firstName, lastName });
+
+    res.status(201)
+       .location(`/api/v1/users/${user.id}`)
+       .json({ data: user });
+  } catch (error) {
+    if (error.name === 'SequelizeUniqueConstraintError') {
+      return res.status(409).json({
+        error: {
+          code: 'CONFLICT',
+          message: 'Email already exists'
+        }
+      });
+    }
+    res.status(500).json({
+      error: {
+        code: 'INTERNAL_ERROR',
+        message: 'An error occurred'
+      }
+    });
+  }
+});
+
+app.listen(3000);
+```

package/template/.agent/skills/security-scanning-security-hardening/SKILL.md

@@ -0,0 +1,231 @@
+---
+name: security-scanning-security-hardening
+description: "Coordinate multi-layer security scanning and hardening across application, infrastructure, and compliance controls."
+---
+
+Implement comprehensive security hardening with defense-in-depth strategy through coordinated multi-agent orchestration:
+
+[Extended thinking: This workflow implements a defense-in-depth security strategy across all application layers. It coordinates specialized security agents to perform comprehensive assessments, implement layered security controls, and establish continuous security monitoring. The approach follows modern DevSecOps principles with shift-left security, automated scanning, and compliance validation. Each phase builds upon previous findings to create a resilient security posture that addresses both current vulnerabilities and future threats.]
+
+## Use this skill when
+
+- Running a coordinated security hardening program
+- Establishing defense-in-depth controls across app, infra, and CI/CD
+- Prioritizing remediation from scans and threat modeling
+
+## Do not use this skill when
+
+- You only need a quick scan without remediation work
+- You lack authorization for security testing or changes
+- The environment cannot tolerate invasive security controls
+
+## Instructions
+
+1. Execute Phase 1 to establish a security baseline.
+2. Apply Phase 2 remediations for high-risk issues.
+3. Implement Phase 3 controls and validate defenses.
+4. Complete Phase 4 validation and compliance checks.
+
+## Safety
+
+- Avoid intrusive testing in production without approval.
+- Ensure rollback plans exist before hardening changes.
+
+## Phase 1: Comprehensive Security Assessment
+
+### 1. Initial Vulnerability Scanning
+- Use Task tool with subagent_type="security-auditor"
+- Prompt: "Perform comprehensive security assessment on: $ARGUMENTS. Execute SAST analysis with Semgrep/SonarQube, DAST scanning with OWASP ZAP, dependency audit with Snyk/Trivy, secrets detection with GitLeaks/TruffleHog. Generate SBOM for supply chain analysis. Identify OWASP Top 10 vulnerabilities, CWE weaknesses, and CVE exposures."
+- Output: Detailed vulnerability report with CVSS scores, exploitability analysis, attack surface mapping, secrets exposure report, SBOM inventory
+- Context: Initial baseline for all remediation efforts
+
+### 2. Threat Modeling and Risk Analysis
+- Use Task tool with subagent_type="security-auditor"
+- Prompt: "Conduct threat modeling using STRIDE methodology for: $ARGUMENTS. Analyze attack vectors, create attack trees, assess business impact of identified vulnerabilities. Map threats to MITRE ATT&CK framework. Prioritize risks based on likelihood and impact."
+- Output: Threat model diagrams, risk matrix with prioritized vulnerabilities, attack scenario documentation, business impact analysis
+- Context: Uses vulnerability scan results to inform threat priorities
+
+### 3. Architecture Security Review
+- Use Task tool with subagent_type="backend-api-security::backend-architect"
+- Prompt: "Review architecture for security weaknesses in: $ARGUMENTS. Evaluate service boundaries, data flow security, authentication/authorization architecture, encryption implementation, network segmentation. Design zero-trust architecture patterns. Reference threat model and vulnerability findings."
+- Output: Security architecture assessment, zero-trust design recommendations, service mesh security requirements, data classification matrix
+- Context: Incorporates threat model to address architectural vulnerabilities
+
+## Phase 2: Vulnerability Remediation
+
+### 4. Critical Vulnerability Fixes
+- Use Task tool with subagent_type="security-auditor"
+- Prompt: "Coordinate immediate remediation of critical vulnerabilities (CVSS 7+) in: $ARGUMENTS. Fix SQL injections with parameterized queries, XSS with output encoding, authentication bypasses with secure session management, insecure deserialization with input validation. Apply security patches for CVEs."
+- Output: Patched code with vulnerability fixes, security patch documentation, regression test requirements
+- Context: Addresses high-priority items from vulnerability assessment
+
+### 5. Backend Security Hardening
+- Use Task tool with subagent_type="backend-api-security::backend-security-coder"
+- Prompt: "Implement comprehensive backend security controls for: $ARGUMENTS. Add input validation with OWASP ESAPI, implement rate limiting and DDoS protection, secure API endpoints with OAuth2/JWT validation, add encryption for data at rest/transit using AES-256/TLS 1.3. Implement secure logging without PII exposure."
+- Output: Hardened API endpoints, validation middleware, encryption implementation, secure configuration templates
+- Context: Builds upon vulnerability fixes with preventive controls
+
+### 6. Frontend Security Implementation
+- Use Task tool with subagent_type="frontend-mobile-security::frontend-security-coder"
+- Prompt: "Implement frontend security measures for: $ARGUMENTS. Configure CSP headers with nonce-based policies, implement XSS prevention with DOMPurify, secure authentication flows with PKCE OAuth2, add SRI for external resources, implement secure cookie handling with SameSite/HttpOnly/Secure flags."
+- Output: Secure frontend components, CSP policy configuration, authentication flow implementation, security headers configuration
+- Context: Complements backend security with client-side protections
+
+### 7. Mobile Security Hardening
+- Use Task tool with subagent_type="frontend-mobile-security::mobile-security-coder"
+- Prompt: "Implement mobile app security for: $ARGUMENTS. Add certificate pinning, implement biometric authentication, secure local storage with encryption, obfuscate code with ProGuard/R8, implement anti-tampering and root/jailbreak detection, secure IPC communications."
+- Output: Hardened mobile application, security configuration files, obfuscation rules, certificate pinning implementation
+- Context: Extends security to mobile platforms if applicable
+
+## Phase 3: Security Controls Implementation
+
+### 8. Authentication and Authorization Enhancement
+- Use Task tool with subagent_type="security-auditor"
+- Prompt: "Implement modern authentication system for: $ARGUMENTS. Deploy OAuth2/OIDC with PKCE, implement MFA with TOTP/WebAuthn/FIDO2, add risk-based authentication, implement RBAC/ABAC with principle of least privilege, add session management with secure token rotation."
+- Output: Authentication service configuration, MFA implementation, authorization policies, session management system
+- Context: Strengthens access controls based on architecture review
+
+### 9. Infrastructure Security Controls
+- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
+- Prompt: "Deploy infrastructure security controls for: $ARGUMENTS. Configure WAF rules for OWASP protection, implement network segmentation with micro-segmentation, deploy IDS/IPS systems, configure cloud security groups and NACLs, implement DDoS protection with rate limiting and geo-blocking."
+- Output: WAF configuration, network security policies, IDS/IPS rules, cloud security configurations
+- Context: Implements network-level defenses
+
+### 10. Secrets Management Implementation
+- Use Task tool with subagent_type="deployment-strategies::deployment-engineer"
+- Prompt: "Implement enterprise secrets management for: $ARGUMENTS. Deploy HashiCorp Vault or AWS Secrets Manager, implement secret rotation policies, remove hardcoded secrets, configure least-privilege IAM roles, implement encryption key management with HSM support."
+- Output: Secrets management configuration, rotation policies, IAM role definitions, key management procedures
+- Context: Eliminates secrets exposure vulnerabilities
+
+## Phase 4: Validation and Compliance
+
+### 11. Penetration Testing and Validation
+- Use Task tool with subagent_type="security-auditor"
+- Prompt: "Execute comprehensive penetration testing for: $ARGUMENTS. Perform authenticated and unauthenticated testing, API security testing, business logic testing, privilege escalation attempts. Use Burp Suite, Metasploit, and custom exploits. Validate all security controls effectiveness."
+- Output: Penetration test report, proof-of-concept exploits, remediation validation, security control effectiveness metrics
+- Context: Validates all implemented security measures
+
+### 12. Compliance and Standards Verification
+- Use Task tool with subagent_type="security-auditor"
+- Prompt: "Verify compliance with security frameworks for: $ARGUMENTS. Validate against OWASP ASVS Level 2, CIS Benchmarks, SOC2 Type II requirements, GDPR/CCPA privacy controls, HIPAA/PCI-DSS if applicable. Generate compliance attestation reports."
+- Output: Compliance assessment report, gap analysis, remediation requirements, audit evidence collection
+- Context: Ensures regulatory and industry standard compliance
+
+### 13. Security Monitoring and SIEM Integration
+- Use Task tool with subagent_type="incident-response::devops-troubleshooter"
+- Prompt: "Implement security monitoring and SIEM for: $ARGUMENTS. Deploy Splunk/ELK/Sentinel integration, configure security event correlation, implement behavioral analytics for anomaly detection, set up automated incident response playbooks, create security dashboards and alerting."
+- Output: SIEM configuration, correlation rules, incident response playbooks, security dashboards, alert definitions
+- Context: Establishes continuous security monitoring
+
+## Configuration Options
+- scanning_depth: "quick" | "standard" | "comprehensive" (default: comprehensive)
+- compliance_frameworks: ["OWASP", "CIS", "SOC2", "GDPR", "HIPAA", "PCI-DSS"]
+- remediation_priority: "cvss_score" | "exploitability" | "business_impact"
+- monitoring_integration: "splunk" | "elastic" | "sentinel" | "custom"
+- authentication_methods: ["oauth2", "saml", "mfa", "biometric", "passwordless"]
+
+## Success Criteria
+- All critical vulnerabilities (CVSS 7+) remediated
+- OWASP Top 10 vulnerabilities addressed
+- Zero high-risk findings in penetration testing
+- Compliance frameworks validation passed
+- Security monitoring detecting and alerting on threats
+- Incident response time < 15 minutes for critical alerts
+- SBOM generated and vulnerabilities tracked
+- All secrets managed through secure vault
+- Authentication implements MFA and secure session management
+- Security tests integrated into CI/CD pipeline
+
+## Coordination Notes
+- Each phase provides detailed findings that inform subsequent phases
+- Security-auditor agent coordinates with domain-specific agents for fixes
+- All code changes undergo security review before implementation
+- Continuous feedback loop between assessment and remediation
+- Security findings tracked in centralized vulnerability management system
+- Regular security reviews scheduled post-implementation
+
+Security hardening target: $ARGUMENTS
+
+## Attack Surface Review Protocol
+
+This protocol runs during `/create-prd-security`. Universal checks apply to all projects. Surface-specific checks are conditional — they run only if the corresponding surface has been confirmed during `/create-prd-stack`.
+
+### Universal Checks (All Projects)
+
+#### 1. Secret Management
+
+Where secrets are stored (env vars, vault, cloud secret manager), access policy, rotation cadence, CI injection method (environment variables, OIDC, sealed secrets).
+
+Document under `## Security — Attack Surface > Secret Management`.
+
+#### 2. Dependency Audit Cadence
+
+Scan frequency; CI gate behavior on critical CVE (block merge, warn, ignore); triage policy for high-severity CVEs (patch within N days) and medium-severity CVEs (patch within N days or accept-with-justification).
+
+Document under `## Security — Attack Surface > Dependency Auditing`.
+
+### Web Surface Checks (If Web Surface Confirmed)
+
+#### 1. OWASP Top 10 Review
+
+For each of the 10 categories, name the specific mechanism that mitigates it.
+
+**Rule:** "Handled by framework" is not acceptable — name the framework feature, the configuration, and the fallback if the framework is bypassed.
+
+Document under `## Security — Attack Surface > Web > OWASP Top 10`.
+
+#### 2. Security Headers
+
+Configured values for each of the following headers:
+
+- `Content-Security-Policy`
+- `Strict-Transport-Security`
+- `X-Content-Type-Options`
+- `X-Frame-Options`
+- `Referrer-Policy`
+- `Permissions-Policy`
+
+**Rule:** Each header must have a specific value, not just "enabled".
+
+Document under `## Security — Attack Surface > Web > Security Headers`.
+
+### API Surface Checks (If API Surface Confirmed)
+
+#### 1. OWASP API Security Top 10
+
+For each category, name the mechanism that mitigates it.
+
+**Special emphasis:** BOLA/IDOR requires a per-endpoint ownership check strategy — name how each endpoint verifies the requesting user owns the requested resource.
+
+Document under `## Security — Attack Surface > API > OWASP API Top 10`.
+
+### Desktop Surface Checks (If Desktop Surface Confirmed)
+
+#### 1. Sandboxing Model
+
+Sandboxing strategy, IPC security boundaries, auto-update verification, code signing chain.
+
+#### 2. Notarization
+
+Notarization workflow (macOS notarization, Windows SmartScreen signing), signing certificate source, CI step that performs notarization.
+
+#### 3. Local Data Encryption
+
+Strategy for encrypting sensitive data at rest (encryption library, key storage mechanism, what data is encrypted).
+
+Document all three under `## Security — Attack Surface > Desktop`.
+
+### Mobile Surface Checks (If Mobile Surface Confirmed)
+
+#### 1. Mobile-Specific Threats
+
+Certificate pinning strategy, secure storage approach, jailbreak/root detection policy, deep link validation.
+
+Document under `## Security — Attack Surface > Mobile`.
+
+### User Presentation Prompts
+
+Present these two questions to the user for confirmation:
+
+1. "Are there any attack vectors I've missed for your specific domain?"
+2. "Do the OWASP mechanisms look correct, or are any of them actually handled differently?"