claude-autopm 2.8.1 → 2.8.3

package/packages/plugin-core/rules/security-checklist.md

@@ -0,0 +1,318 @@
+# 🔒 Security Checklist
+
+> **Security is not optional. Every deployment must pass ALL security checks.**
+
+## Pre-Deployment Security Checklist
+
+### 🔑 Authentication & Authorization
+
+- [ ] Multi-factor authentication available
+- [ ] Password complexity requirements enforced
+- [ ] Session management secure (timeout, invalidation)
+- [ ] JWT tokens properly validated and not expired
+- [ ] API keys rotated regularly
+- [ ] OAuth implementation follows best practices
+- [ ] Role-based access control (RBAC) implemented
+- [ ] Principle of least privilege applied
+
+### 🔐 Data Protection
+
+- [ ] All sensitive data encrypted at rest (AES-256)
+- [ ] All sensitive data encrypted in transit (TLS 1.2+)
+- [ ] PII data identified and protected
+- [ ] Database connections use SSL
+- [ ] Secrets stored in secure vault (not in code)
+- [ ] Environment variables for configuration
+- [ ] No sensitive data in logs
+- [ ] Data retention policies implemented
+
+### 🛡️ Input Validation & Sanitization
+
+- [ ] All user inputs validated on server-side
+- [ ] SQL injection prevention (parameterized queries)
+- [ ] XSS protection (output encoding)
+- [ ] XXE prevention (XML parsing secured)
+- [ ] Command injection prevention
+- [ ] Path traversal prevention
+- [ ] File upload restrictions (type, size)
+- [ ] CSRF tokens for state-changing operations
+
+### 🌐 Network Security
+
+- [ ] HTTPS enforced (HSTS enabled)
+- [ ] Security headers configured:
+  - [ ] Content-Security-Policy
+  - [ ] X-Frame-Options
+  - [ ] X-Content-Type-Options
+  - [ ] Referrer-Policy
+  - [ ] Permissions-Policy
+- [ ] CORS properly configured
+- [ ] Rate limiting implemented
+- [ ] DDoS protection in place
+- [ ] Firewall rules configured
+
+### 📦 Dependencies & Supply Chain
+
+- [ ] All dependencies scanned for vulnerabilities
+- [ ] No critical or high vulnerabilities
+- [ ] Dependencies up-to-date
+- [ ] License compliance verified
+- [ ] SBOM (Software Bill of Materials) generated
+- [ ] Container images scanned
+- [ ] Base images from trusted sources
+- [ ] No unnecessary packages installed
+
+### 🔍 Monitoring & Logging
+
+- [ ] Security events logged
+- [ ] Failed authentication attempts tracked
+- [ ] Suspicious activity alerts configured
+- [ ] Log integrity protected
+- [ ] Sensitive data not logged
+- [ ] Centralized logging implemented
+- [ ] Log retention policy defined
+- [ ] Incident response plan documented
+
+### 🔧 API Security
+
+- [ ] API authentication required
+- [ ] API rate limiting per user/IP
+- [ ] API versioning implemented
+- [ ] GraphQL query depth limiting
+- [ ] API documentation doesn't expose sensitive info
+- [ ] Webhooks use signature verification
+- [ ] API keys not exposed in client-side code
+
+### 🐳 Container & Infrastructure
+
+- [ ] Containers run as non-root user
+- [ ] Read-only root filesystem
+- [ ] Security policies (AppArmor/SELinux)
+- [ ] Resource limits defined
+- [ ] Network policies configured
+- [ ] Secrets mounted securely
+- [ ] Image signing enabled
+- [ ] Vulnerability scanning in CI/CD
+
+### 📱 Frontend Security
+
+- [ ] No sensitive data in localStorage
+- [ ] Secure cookie flags (HttpOnly, Secure, SameSite)
+- [ ] Content Security Policy implemented
+- [ ] Subresource Integrity (SRI) for CDN resources
+- [ ] No inline scripts or styles
+- [ ] API keys not exposed in source
+- [ ] Service Worker scope limited
+
+### 🧪 Testing & Validation
+
+- [ ] Security unit tests written
+- [ ] Penetration testing performed
+- [ ] SAST (Static Analysis) passing
+- [ ] DAST (Dynamic Analysis) passing
+- [ ] Dependency check passing
+- [ ] Security regression tests
+- [ ] Fuzzing performed (if applicable)
+
+## Security by Feature Type
+
+### Database Operations
+
+```sql
+-- ✅ SECURE: Parameterized query
+SELECT * FROM users WHERE id = $1;
+
+-- ❌ INSECURE: String concatenation
+SELECT * FROM users WHERE id = '${userId}';
+```
+
+### File Uploads
+
+```javascript
+// Security checks required:
+- [ ] File type validation (whitelist)
+- [ ] File size limits
+- [ ] Filename sanitization
+- [ ] Virus scanning
+- [ ] Store outside web root
+- [ ] Generate new filename
+- [ ] Check magic numbers
+```
+
+### Password Handling
+
+```javascript
+// Requirements:
+- [ ] Minimum 12 characters
+- [ ] Complexity requirements
+- [ ] Password history check
+- [ ] Bcrypt/Argon2 hashing
+- [ ] Salt rounds >= 10
+- [ ] No password in logs
+- [ ] Secure reset flow
+```
+
+### Session Management
+
+```javascript
+// Secure session configuration:
+- [ ] Secure cookie flag
+- [ ] HttpOnly flag
+- [ ] SameSite attribute
+- [ ] Session timeout
+- [ ] Regenerate on login
+- [ ] Invalidate on logout
+- [ ] CSRF protection
+```
+
+## Incident Response Plan
+
+### If Security Breach Detected
+
+1. **Immediate Actions**
+   - [ ] Isolate affected systems
+   - [ ] Preserve evidence
+   - [ ] Activate incident response team
+   - [ ] Begin investigation
+
+2. **Within 1 Hour**
+   - [ ] Assess scope of breach
+   - [ ] Implement containment measures
+   - [ ] Notify security team
+   - [ ] Start incident log
+
+3. **Within 24 Hours**
+   - [ ] Complete initial assessment
+   - [ ] Implement fixes
+   - [ ] Notify stakeholders (if required)
+   - [ ] Prepare communication plan
+
+4. **Post-Incident**
+   - [ ] Complete investigation
+   - [ ] Document lessons learned
+   - [ ] Update security measures
+   - [ ] Conduct security training
+
+## Security Tools Integration
+
+### Required in CI/CD
+
+```yaml
+# Security scanning pipeline
+pipeline:
+  - stage: security
+    jobs:
+      - sast:
+          tool: [Semgrep/SonarQube]
+      - dependency-check:
+          tool: [Snyk/OWASP]
+      - container-scan:
+          tool: [Trivy/Clair]
+      - secrets-scan:
+          tool: [GitLeaks/TruffleHog]
+```
+
+### Development Environment
+
+```bash
+# Pre-commit hooks
+- gitleaks (secret detection)
+- bandit (Python security)
+- npm audit (Node dependencies)
+- safety (Python dependencies)
+```
+
+## Compliance Requirements
+
+### GDPR (if applicable)
+
+- [ ] Privacy policy updated
+- [ ] Data processing agreements
+- [ ] Right to erasure implemented
+- [ ] Data portability available
+- [ ] Consent mechanisms in place
+
+### PCI DSS (if handling cards)
+
+- [ ] Cardholder data encrypted
+- [ ] Network segmentation
+- [ ] Access controls implemented
+- [ ] Regular security testing
+- [ ] Compliance scanning
+
+### HIPAA (if healthcare)
+
+- [ ] PHI encryption
+- [ ] Access controls
+- [ ] Audit logging
+- [ ] Business Associate Agreements
+
+## Security Review Gates
+
+### Before Code Review
+
+- [ ] Self-assessment complete
+- [ ] SAST scan clean
+- [ ] No hardcoded secrets
+
+### Before Merge
+
+- [ ] Security review approved
+- [ ] All security tests passing
+- [ ] Dependencies checked
+
+### Before Deployment
+
+- [ ] Security checklist complete
+- [ ] Penetration test passed (major releases)
+- [ ] Security documentation updated
+
+## Quick Security Reference
+
+```bash
+# NEVER DO THIS:
+❌ Store passwords in plain text
+❌ Commit secrets to git
+❌ Trust user input
+❌ Use HTTP for sensitive data
+❌ Log sensitive information
+❌ Ignore security warnings
+❌ Deploy with known vulnerabilities
+
+# ALWAYS DO THIS:
+✅ Validate all inputs
+✅ Encrypt sensitive data
+✅ Use parameterized queries
+✅ Implement rate limiting
+✅ Keep dependencies updated
+✅ Follow principle of least privilege
+✅ Security test before deployment
+```
+
+## Security Contacts
+
+```markdown
+# Security Team
+Email: security@company.com
+Slack: #security-team
+
+# Incident Response
+Hotline: +1-XXX-XXX-XXXX
+On-call: PagerDuty
+
+# Bug Bounty
+Program: hackerone.com/company
+Email: security-bounty@company.com
+```
+
+## Remember
+
+**Security is everyone's responsibility.**
+
+- Developers: Write secure code
+- Reviewers: Check for vulnerabilities
+- DevOps: Secure infrastructure
+- Product: Prioritize security fixes
+- Users: Report security issues
+
+**When in doubt, choose the more secure option.**

package/packages/plugin-core/rules/standard-patterns.md

@@ -0,0 +1,197 @@
+# Standard Patterns for Commands
+
+This file defines common patterns that all commands should follow to maintain consistency and simplicity.
+
+## Core Principles
+
+1. **Fail Fast** - Check critical prerequisites, then proceed
+2. **Trust the System** - Don't over-validate things that rarely fail
+3. **Clear Errors** - When something fails, say exactly what and how to fix it
+4. **Minimal Output** - Show what matters, skip decoration
+
+## Standard Validations
+
+### Minimal Preflight
+
+Only check what's absolutely necessary:
+
+```markdown
+## Quick Check
+1. If command needs specific directory/file:
+   - Check it exists: `test -f {file} || echo "❌ {file} not found"`
+   - If missing, tell user exact command to fix it
+2. If command needs GitHub:
+   - Assume `gh` is authenticated (it usually is)
+   - Only check on actual failure
+```
+
+### DateTime Handling
+
+```markdown
+Get current datetime: `date -u +"%Y-%m-%dT%H:%M:%SZ"`
+```
+
+Don't repeat full instructions - just reference `/rules/datetime.md` once.
+
+### Error Messages
+
+Keep them short and actionable:
+
+```markdown
+❌ {What failed}: {Exact solution}
+Example: "❌ Epic not found: Run /pm:prd-parse feature-name"
+```
+
+## Standard Output Formats
+
+### Success Output
+
+```markdown
+✅ {Action} complete
+  - {Key result 1}
+  - {Key result 2}
+Next: {Single suggested action}
+```
+
+### List Output
+
+```markdown
+{Count} {items} found:
+- {item 1}: {key detail}
+- {item 2}: {key detail}
+```
+
+### Progress Output
+
+```markdown
+{Action}... {current}/{total}
+```
+
+## File Operations
+
+### Check and Create
+
+```markdown
+# Don't ask permission, just create what's needed
+mkdir -p .claude/{directory} 2>/dev/null
+```
+
+### Read with Fallback
+
+```markdown
+# Try to read, continue if missing
+if [ -f {file} ]; then
+  # Read and use file
+else
+  # Use sensible default
+fi
+```
+
+## GitHub Operations
+
+### Trust gh CLI
+
+```markdown
+# Don't pre-check auth, just try the operation
+gh {command} || echo "❌ GitHub CLI failed. Run: gh auth login"
+```
+
+### Simple Issue Operations
+
+```markdown
+# Get what you need in one call
+gh issue view {number} --json state,title,body
+```
+
+## Common Patterns to Avoid
+
+### DON'T: Over-validate
+
+```markdown
+# Bad - too many checks
+1. Check directory exists
+2. Check permissions
+3. Check git status
+4. Check GitHub auth
+5. Check rate limits
+6. Validate every field
+```
+
+### DO: Check essentials
+
+```markdown
+# Good - just what's needed
+1. Check target exists
+2. Try the operation
+3. Handle failure clearly
+```
+
+### DON'T: Verbose output
+
+```markdown
+# Bad - too much information
+🎯 Starting operation...
+📋 Validating prerequisites...
+✅ Step 1 complete
+✅ Step 2 complete
+📊 Statistics: ...
+💡 Tips: ...
+```
+
+### DO: Concise output
+
+```markdown
+# Good - just results
+✅ Done: 3 files created
+Failed: auth.test.js (syntax error - line 42)
+```
+
+### DON'T: Ask too many questions
+
+```markdown
+# Bad - too interactive
+"Continue? (yes/no)"
+"Overwrite? (yes/no)"
+"Are you sure? (yes/no)"
+```
+
+### DO: Smart defaults
+
+```markdown
+# Good - proceed with sensible defaults
+# Only ask when destructive or ambiguous
+"This will delete 10 files. Continue? (yes/no)"
+```
+
+## Quick Reference
+
+### Essential Tools Only
+
+- Read/List operations: `Read, LS`
+- File creation: `Read, Write, LS`
+- GitHub operations: Add `Bash`
+- Complex analysis: Add `Task` (sparingly)
+
+### Status Indicators
+
+- ✅ Success (use sparingly)
+- ❌ Error (always with solution)
+- ⚠️ Warning (only if action needed)
+- No emoji for normal output
+
+### Exit Strategies
+
+- Success: Brief confirmation
+- Failure: Clear error + exact fix
+- Partial: Show what worked, what didn't
+
+## Remember
+
+**Simple is not simplistic** - We still handle errors properly, we just don't try to prevent every possible edge case. We trust that:
+
+- The file system usually works
+- GitHub CLI is usually authenticated  
+- Git repositories are usually valid
+- Users know what they're doing
+
+Focus on the happy path, fail gracefully when things go wrong.

package/packages/plugin-core/rules/strip-frontmatter.md

@@ -0,0 +1,85 @@
+# Strip Frontmatter
+
+Standard approach for removing YAML frontmatter before sending content to GitHub.
+
+## The Problem
+
+YAML frontmatter contains internal metadata that should not appear in GitHub issues:
+
+- status, created, updated fields
+- Internal references and IDs
+- Local file paths
+
+## The Solution
+
+Use sed to strip frontmatter from any markdown file:
+
+```bash
+# Strip frontmatter (everything between first two --- lines)
+sed '1,/^---$/d; 1,/^---$/d' input.md > output.md
+```
+
+This removes:
+
+1. The opening `---` line
+2. All YAML content
+3. The closing `---` line
+
+## When to Strip Frontmatter
+
+Always strip frontmatter when:
+
+- Creating GitHub issues from markdown files
+- Posting file content as comments
+- Displaying content to external users
+- Syncing to any external system
+
+## Examples
+
+### Creating an issue from a file
+
+```bash
+# Bad - includes frontmatter
+gh issue create --body-file task.md
+
+# Good - strips frontmatter
+sed '1,/^---$/d; 1,/^---$/d' task.md > /tmp/clean.md
+gh issue create --body-file /tmp/clean.md
+```
+
+### Posting a comment
+
+```bash
+# Strip frontmatter before posting
+sed '1,/^---$/d; 1,/^---$/d' progress.md > /tmp/comment.md
+gh issue comment 123 --body-file /tmp/comment.md
+```
+
+### In a loop
+
+```bash
+for file in *.md; do
+  # Strip frontmatter from each file
+  sed '1,/^---$/d; 1,/^---$/d' "$file" > "/tmp/$(basename $file)"
+  # Use the clean version
+done
+```
+
+## Alternative Approaches
+
+If sed is not available or you need more control:
+
+```bash
+# Using awk
+awk 'BEGIN{fm=0} /^---$/{fm++; next} fm==2{print}' input.md > output.md
+
+# Using grep with line numbers
+grep -n "^---$" input.md | head -2 | tail -1 | cut -d: -f1 | xargs -I {} tail -n +$(({}+1)) input.md
+```
+
+## Important Notes
+
+- Always test with a sample file first
+- Keep original files intact
+- Use temporary files for cleaned content
+- Some files may not have frontmatter - the command handles this gracefully

package/packages/plugin-core/rules/tdd.enforcement.md

@@ -0,0 +1,103 @@
+# TDD (Test-Driven Development) Enforcement
+
+> **CRITICAL**: This rule has HIGHEST PRIORITY. All code changes MUST follow TDD cycle.
+
+## Core TDD Philosophy
+
+**Prime Directive**: Follow Test-Driven Development (Red-Green-Refactor) for ALL implementations.
+**Zero Tolerance**: No code without tests. No partial implementations. No shortcuts.
+
+## The TDD Cycle
+
+### 1. RED Phase (Test First)
+
+- Write test that describes desired behavior
+- Test MUST fail initially
+- Test must be meaningful (no trivial assertions)
+- Test must be verbose for debugging
+- Never proceed until test is red
+
+### 2. GREEN Phase (Make It Pass)
+
+- Write MINIMUM code to pass test
+- Don't add features not required by test
+- Focus on making test green, not perfection
+- Resist temptation to over-engineer
+
+### 3. REFACTOR Phase (Clean Up)
+
+- Improve code structure
+- Remove duplication
+- Enhance readability
+- All tests must remain green
+- Never skip this phase
+
+## Enforcement Rules
+
+### ABSOLUTE REQUIREMENTS
+
+- Every new function requires a test FIRST
+- Every bug fix starts with a failing test that reproduces it
+- Every feature begins with failing acceptance tests
+- No code commits without passing tests
+
+### PROHIBITED PRACTICES
+
+- ❌ Writing implementation before test
+- ❌ Writing "simplified" or "partial" implementations
+- ❌ Leaving TODO comments without test coverage
+- ❌ Skipping refactor phase "for later"
+- ❌ Writing trivial tests just to satisfy coverage
+
+## Test Quality Standards
+
+### Test Design Requirements
+
+- Tests must reflect real usage patterns
+- Tests must be designed to reveal flaws
+- Tests must be verbose for debugging
+- No mock services - use real implementations
+- Each test should test ONE thing
+
+### Coverage Requirements
+
+- 100% test coverage for new code
+- Regression tests for all bug fixes
+- Integration tests for feature interactions
+- Edge case coverage mandatory
+
+## Integration with Agents
+
+### MANDATORY Agent Usage
+
+- **test-runner agent**: For ALL test execution
+- **code-analyzer agent**: Review test coverage
+- **parallel-worker agent**: Run tests in parallel streams
+
+### Pipeline Integration
+
+```
+Feature Implementation:
+1. Write failing test (RED) → test-runner confirms failure
+2. Implement minimum code (GREEN) → test-runner confirms pass
+3. Refactor (REFACTOR) → test-runner maintains green
+4. code-analyzer → Verify test quality and coverage
+```
+
+## Violation Consequences
+
+If TDD is violated:
+
+1. STOP immediately
+2. Delete non-TDD code
+3. Start over with test first
+4. Document violation in CLAUDE.md
+5. No exceptions, no excuses
+
+## Success Metrics
+
+- ✅ 100% of new code has tests written first
+- ✅ Zero commits without test coverage
+- ✅ All tests meaningful and verbose
+- ✅ Refactor phase completed for all code
+- ✅ No mock services in test suite