claude-code-workflow 6.3.18 → 6.3.20

package/.claude/skills/code-reviewer/phases/01-code-discovery.md

@@ -0,0 +1,246 @@
+# Phase 1: Code Discovery & Scoping
+
+## Objective
+
+Discover and categorize all code files within the specified scope, preparing them for security analysis and best practices review.
+
+## Input
+
+- **User Arguments**:
+  - `--scope`: Directory or file patterns (default: entire project)
+  - `--languages`: Specific languages to review (e.g., typescript, python, java)
+  - `--exclude`: Patterns to exclude (e.g., test files, node_modules)
+
+- **Configuration**: `.code-reviewer.json` (if exists)
+
+## Process
+
+### Step 1: Load Configuration
+
+```javascript
+// Check for project-level configuration
+const configPath = path.join(projectRoot, '.code-reviewer.json');
+const config = fileExists(configPath)
+  ? JSON.parse(readFile(configPath))
+  : getDefaultConfig();
+
+// Merge user arguments with config
+const scope = args.scope || config.scope.include;
+const exclude = args.exclude || config.scope.exclude;
+const languages = args.languages || config.languages || 'auto';
+```
+
+### Step 2: Discover Files
+
+Use MCP tools for efficient file discovery:
+
+```javascript
+// Use smart_search for file discovery
+const files = await mcp__ccw_tools__smart_search({
+  action: "find_files",
+  pattern: scope,
+  includeHidden: false
+});
+
+// Apply exclusion patterns
+const filteredFiles = files.filter(file => {
+  return !exclude.some(pattern => minimatch(file, pattern));
+});
+```
+
+### Step 3: Categorize Files
+
+Categorize files by:
+- **Language/Framework**: TypeScript, Python, Java, Go, etc.
+- **File Type**: Source, config, test, build
+- **Priority**: Critical (auth, payment), High (API), Medium (utils), Low (docs)
+
+```javascript
+const inventory = {
+  critical: {
+    auth: ['src/auth/login.ts', 'src/auth/jwt.ts'],
+    payment: ['src/payment/stripe.ts'],
+  },
+  high: {
+    api: ['src/api/users.ts', 'src/api/orders.ts'],
+    database: ['src/db/queries.ts'],
+  },
+  medium: {
+    utils: ['src/utils/validator.ts'],
+    services: ['src/services/*.ts'],
+  },
+  low: {
+    types: ['src/types/*.ts'],
+  }
+};
+```
+
+### Step 4: Extract Metadata
+
+For each file, extract:
+- **Lines of Code (LOC)**
+- **Complexity Indicators**: Function count, class count
+- **Dependencies**: Import statements
+- **Framework Detection**: Express, React, Django, etc.
+
+```javascript
+const metadata = files.map(file => ({
+  path: file,
+  language: detectLanguage(file),
+  loc: countLines(file),
+  complexity: estimateComplexity(file),
+  framework: detectFramework(file),
+  priority: categorizePriority(file)
+}));
+```
+
+## Output
+
+### File Inventory
+
+Save to `.code-review/inventory.json`:
+
+```json
+{
+  "scan_date": "2024-01-15T10:30:00Z",
+  "total_files": 247,
+  "by_language": {
+    "typescript": 185,
+    "python": 42,
+    "javascript": 15,
+    "go": 5
+  },
+  "by_priority": {
+    "critical": 12,
+    "high": 45,
+    "medium": 120,
+    "low": 70
+  },
+  "files": [
+    {
+      "path": "src/auth/login.ts",
+      "language": "typescript",
+      "loc": 245,
+      "functions": 8,
+      "classes": 2,
+      "priority": "critical",
+      "framework": "express",
+      "dependencies": ["bcrypt", "jsonwebtoken", "express"]
+    }
+  ]
+}
+```
+
+### Summary Report
+
+```markdown
+## Code Discovery Summary
+
+**Scope**: src/**/*
+**Total Files**: 247
+**Languages**: TypeScript (75%), Python (17%), JavaScript (6%), Go (2%)
+
+### Priority Distribution
+- Critical: 12 files (authentication, payment processing)
+- High: 45 files (API endpoints, database queries)
+- Medium: 120 files (utilities, services)
+- Low: 70 files (types, configs)
+
+### Key Areas Identified
+1. **Authentication Module** (src/auth/) - 12 files, 2,400 LOC
+2. **Payment Processing** (src/payment/) - 5 files, 1,200 LOC
+3. **API Layer** (src/api/) - 35 files, 5,600 LOC
+4. **Database Layer** (src/db/) - 8 files, 1,800 LOC
+
+**Next Phase**: Security Analysis on Critical + High priority files
+```
+
+## State Management
+
+Save phase state for potential resume:
+
+```json
+{
+  "phase": "01-code-discovery",
+  "status": "completed",
+  "timestamp": "2024-01-15T10:35:00Z",
+  "output": {
+    "inventory_path": ".code-review/inventory.json",
+    "total_files": 247,
+    "critical_files": 12,
+    "high_files": 45
+  }
+}
+```
+
+## Agent Instructions
+
+```markdown
+You are in Phase 1 of the Code Review workflow. Your task is to discover and categorize code files.
+
+**Instructions**:
+1. Use mcp__ccw_tools__smart_search with action="find_files" to discover files
+2. Apply exclusion patterns from config or arguments
+3. Categorize files by language, type, and priority
+4. Extract basic metadata (LOC, complexity indicators)
+5. Save inventory to .code-review/inventory.json
+6. Generate summary report
+7. Proceed to Phase 2 with critical + high priority files
+
+**Tools Available**:
+- mcp__ccw_tools__smart_search (file discovery)
+- Read (read configuration and sample files)
+- Write (save inventory and reports)
+
+**Output Requirements**:
+- inventory.json with complete file list and metadata
+- Summary markdown report
+- State file for phase tracking
+```
+
+## Error Handling
+
+### No Files Found
+
+```javascript
+if (filteredFiles.length === 0) {
+  throw new Error(`No files found matching scope: ${scope}
+
+  Suggestions:
+  - Check if scope pattern is correct
+  - Verify exclude patterns are not too broad
+  - Ensure project has code files in specified scope
+  `);
+}
+```
+
+### Large Codebase
+
+```javascript
+if (filteredFiles.length > 1000) {
+  console.warn(`⚠️ Large codebase detected (${filteredFiles.length} files)`);
+  console.log(`Consider using --scope to review in batches`);
+
+  // Offer to focus on critical/high priority only
+  const answer = await askUser("Review critical/high priority files only?");
+  if (answer === 'yes') {
+    filteredFiles = filteredFiles.filter(f =>
+      f.priority === 'critical' || f.priority === 'high'
+    );
+  }
+}
+```
+
+## Validation
+
+Before proceeding to Phase 2:
+
+- ✅ Inventory file created
+- ✅ At least one file categorized as critical or high priority
+- ✅ Metadata extracted for all files
+- ✅ Summary report generated
+- ✅ State saved for resume capability
+
+## Next Phase
+
+**Phase 2: Security Analysis** - Analyze critical and high priority files for security vulnerabilities using OWASP Top 10 and CWE Top 25 checks.

package/.claude/skills/code-reviewer/phases/02-security-analysis.md

@@ -0,0 +1,442 @@
+# Phase 2: Security Analysis
+
+## Objective
+
+Analyze code files for security vulnerabilities based on OWASP Top 10, CWE Top 25, and language-specific security patterns.
+
+## Input
+
+- **File Inventory**: From Phase 1 (`.code-review/inventory.json`)
+- **Priority Focus**: Critical and High priority files (unless `--scope all`)
+- **User Arguments**:
+  - `--focus security`: Security-only mode
+  - `--severity critical,high,medium,low`: Minimum severity to report
+  - `--checks`: Specific security checks to run (e.g., sql-injection, xss)
+
+## Process
+
+### Step 1: Load Security Rules
+
+```javascript
+// Load security check definitions
+const securityRules = {
+  owasp_top_10: [
+    'injection',
+    'broken_authentication',
+    'sensitive_data_exposure',
+    'xxe',
+    'broken_access_control',
+    'security_misconfiguration',
+    'xss',
+    'insecure_deserialization',
+    'vulnerable_components',
+    'insufficient_logging'
+  ],
+  cwe_top_25: [
+    'cwe-79',  // XSS
+    'cwe-89',  // SQL Injection
+    'cwe-20',  // Improper Input Validation
+    'cwe-78',  // OS Command Injection
+    'cwe-190', // Integer Overflow
+    // ... more CWE checks
+  ]
+};
+
+// Load language-specific rules
+const languageRules = {
+  typescript: require('./rules/typescript-security.json'),
+  python: require('./rules/python-security.json'),
+  java: require('./rules/java-security.json'),
+  go: require('./rules/go-security.json'),
+};
+```
+
+### Step 2: Analyze Files for Vulnerabilities
+
+For each file in the inventory, perform security analysis:
+
+```javascript
+const findings = [];
+
+for (const file of inventory.files) {
+  if (file.priority !== 'critical' && file.priority !== 'high') continue;
+
+  // Read file content
+  const content = await Read({ file_path: file.path });
+
+  // Run security checks
+  const fileFindings = await runSecurityChecks(content, file, {
+    rules: securityRules,
+    languageRules: languageRules[file.language],
+    severity: args.severity || 'medium'
+  });
+
+  findings.push(...fileFindings);
+}
+```
+
+### Step 3: Security Check Patterns
+
+#### A. Injection Vulnerabilities
+
+**SQL Injection**:
+```javascript
+// Pattern: String concatenation in SQL queries
+const sqlInjectionPatterns = [
+  /\$\{.*\}.*SELECT/,                    // Template literal with SELECT
+  /"SELECT.*\+\s*\w+/,                   // String concatenation
+  /execute\([`'"].*\$\{.*\}.*[`'"]\)/,   // Parameterized query bypass
+  /query\(.*\+.*\)/,                     // Query concatenation
+];
+
+// Check code
+for (const pattern of sqlInjectionPatterns) {
+  const matches = content.matchAll(new RegExp(pattern, 'g'));
+  for (const match of matches) {
+    findings.push({
+      type: 'sql-injection',
+      severity: 'critical',
+      line: getLineNumber(content, match.index),
+      code: match[0],
+      file: file.path,
+      message: 'Potential SQL injection vulnerability',
+      recommendation: 'Use parameterized queries or ORM methods',
+      cwe: 'CWE-89',
+      owasp: 'A03:2021 - Injection'
+    });
+  }
+}
+```
+
+**Command Injection**:
+```javascript
+// Pattern: Unsanitized input in exec/spawn
+const commandInjectionPatterns = [
+  /exec\(.*\$\{.*\}/,                    // exec with template literal
+  /spawn\(.*,\s*\[.*\$\{.*\}.*\]\)/,    // spawn with unsanitized args
+  /execSync\(.*\+.*\)/,                  // execSync with concatenation
+];
+```
+
+**XSS (Cross-Site Scripting)**:
+```javascript
+// Pattern: Unsanitized user input in DOM/HTML
+const xssPatterns = [
+  /innerHTML\s*=.*\$\{.*\}/,             // innerHTML with template literal
+  /dangerouslySetInnerHTML/,             // React dangerous prop
+  /document\.write\(.*\)/,               // document.write
+  /<\w+.*\$\{.*\}.*>/,                   // JSX with unsanitized data
+];
+```
+
+#### B. Authentication & Authorization
+
+```javascript
+// Pattern: Weak authentication
+const authPatterns = [
+  /password\s*===?\s*['"]/,              // Hardcoded password comparison
+  /jwt\.sign\(.*,\s*['"][^'"]{1,16}['"]\)/, // Weak JWT secret
+  /bcrypt\.hash\(.*,\s*[1-9]\s*\)/,      // Low bcrypt rounds
+  /md5\(.*password.*\)/,                 // MD5 for passwords
+  /if\s*\(\s*user\s*\)\s*\{/,            // Missing auth check
+];
+
+// Check for missing authorization
+const authzPatterns = [
+  /router\.(get|post|put|delete)\(.*\)\s*=>/,  // No middleware
+  /app\.use\([^)]*\)\s*;(?!.*auth)/,           // Missing auth middleware
+];
+```
+
+#### C. Sensitive Data Exposure
+
+```javascript
+// Pattern: Sensitive data in logs/responses
+const sensitiveDataPatterns = [
+  /(password|secret|token|key)\s*:/i,    // Sensitive keys in objects
+  /console\.log\(.*password.*\)/i,       // Password in logs
+  /res\.send\(.*user.*password.*\)/,     // Password in response
+  /(api_key|apikey)\s*=\s*['"]/i,        // Hardcoded API keys
+];
+```
+
+#### D. Security Misconfiguration
+
+```javascript
+// Pattern: Insecure configurations
+const misconfigPatterns = [
+  /cors\(\{.*origin:\s*['"]?\*['"]?.*\}\)/, // CORS wildcard
+  /https?\s*:\s*false/,                   // HTTPS disabled
+  /helmet\(\)/,                            // Missing helmet config
+  /strictMode\s*:\s*false/,               // Strict mode disabled
+];
+```
+
+### Step 4: Language-Specific Checks
+
+**TypeScript/JavaScript**:
+```javascript
+const jsFindings = [
+  checkPrototypePollution(content),
+  checkEvalUsage(content),
+  checkUnsafeRegex(content),
+  checkWeakCrypto(content),
+];
+```
+
+**Python**:
+```javascript
+const pythonFindings = [
+  checkPickleVulnerabilities(content),
+  checkYamlUnsafeLoad(content),
+  checkSqlAlchemy(content),
+  checkFlaskSecurityHeaders(content),
+];
+```
+
+**Java**:
+```javascript
+const javaFindings = [
+  checkDeserialization(content),
+  checkXXE(content),
+  checkPathTraversal(content),
+  checkSQLInjection(content),
+];
+```
+
+**Go**:
+```javascript
+const goFindings = [
+  checkRaceConditions(content),
+  checkSQLInjection(content),
+  checkPathTraversal(content),
+  checkCryptoWeakness(content),
+];
+```
+
+## Output
+
+### Security Findings File
+
+Save to `.code-review/security-findings.json`:
+
+```json
+{
+  "scan_date": "2024-01-15T11:00:00Z",
+  "total_findings": 24,
+  "by_severity": {
+    "critical": 3,
+    "high": 8,
+    "medium": 10,
+    "low": 3
+  },
+  "by_category": {
+    "injection": 5,
+    "authentication": 3,
+    "data_exposure": 4,
+    "misconfiguration": 6,
+    "xss": 3,
+    "other": 3
+  },
+  "findings": [
+    {
+      "id": "SEC-001",
+      "type": "sql-injection",
+      "severity": "critical",
+      "file": "src/auth/user-service.ts",
+      "line": 145,
+      "column": 12,
+      "code": "const query = `SELECT * FROM users WHERE username = '${username}'`;",
+      "message": "SQL Injection vulnerability: User input directly concatenated in SQL query",
+      "cwe": "CWE-89",
+      "owasp": "A03:2021 - Injection",
+      "recommendation": {
+        "description": "Use parameterized queries to prevent SQL injection",
+        "fix_example": "const query = 'SELECT * FROM users WHERE username = ?';\ndb.execute(query, [username]);"
+      },
+      "references": [
+        "https://owasp.org/www-community/attacks/SQL_Injection",
+        "https://cwe.mitre.org/data/definitions/89.html"
+      ]
+    }
+  ]
+}
+```
+
+### Security Report
+
+Generate markdown report:
+
+```markdown
+# Security Analysis Report
+
+**Scan Date**: 2024-01-15 11:00:00
+**Files Analyzed**: 57 (Critical + High priority)
+**Total Findings**: 24
+
+## Severity Summary
+
+| Severity | Count | Percentage |
+|----------|-------|------------|
+| Critical | 3     | 12.5%      |
+| High     | 8     | 33.3%      |
+| Medium   | 10    | 41.7%      |
+| Low      | 3     | 12.5%      |
+
+## Critical Findings (Requires Immediate Action)
+
+### 🔴 [SEC-001] SQL Injection in User Authentication
+
+**File**: `src/auth/user-service.ts:145`
+**CWE**: CWE-89 | **OWASP**: A03:2021 - Injection
+
+**Vulnerable Code**:
+\`\`\`typescript
+const query = \`SELECT * FROM users WHERE username = '\${username}'\`;
+const user = await db.execute(query);
+\`\`\`
+
+**Issue**: User input (`username`) is directly concatenated into SQL query, allowing attackers to inject malicious SQL commands.
+
+**Attack Example**:
+\`\`\`
+username: ' OR '1'='1' --
+Result: SELECT * FROM users WHERE username = '' OR '1'='1' --'
+Effect: Bypasses authentication, returns all users
+\`\`\`
+
+**Recommended Fix**:
+\`\`\`typescript
+// Use parameterized queries
+const query = 'SELECT * FROM users WHERE username = ?';
+const user = await db.execute(query, [username]);
+
+// Or use ORM
+const user = await User.findOne({ where: { username } });
+\`\`\`
+
+**References**:
+- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
+- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)
+
+---
+
+### 🔴 [SEC-002] Hardcoded JWT Secret
+
+**File**: `src/auth/jwt.ts:23`
+**CWE**: CWE-798 | **OWASP**: A07:2021 - Identification and Authentication Failures
+
+**Vulnerable Code**:
+\`\`\`typescript
+const token = jwt.sign(payload, 'mysecret123', { expiresIn: '1h' });
+\`\`\`
+
+**Issue**: JWT secret is hardcoded and weak (only 11 characters).
+
+**Recommended Fix**:
+\`\`\`typescript
+// Use environment variable with strong secret
+const token = jwt.sign(payload, process.env.JWT_SECRET, {
+  expiresIn: '1h',
+  algorithm: 'HS256'
+});
+
+// Generate strong secret (32+ bytes):
+// node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+\`\`\`
+
+---
+
+## High Findings
+
+### 🟠 [SEC-003] Missing Input Validation
+
+**File**: `src/api/users.ts:67`
+**CWE**: CWE-20 | **OWASP**: A03:2021 - Injection
+
+...
+
+## Medium Findings
+
+...
+
+## Remediation Priority
+
+1. **Critical (3)**: Fix within 24 hours
+2. **High (8)**: Fix within 1 week
+3. **Medium (10)**: Fix within 1 month
+4. **Low (3)**: Fix in next release
+
+## Compliance Impact
+
+- **PCI DSS**: 4 findings affect compliance (SEC-001, SEC-002, SEC-008, SEC-011)
+- **HIPAA**: 2 findings affect compliance (SEC-005, SEC-009)
+- **GDPR**: 3 findings affect compliance (SEC-002, SEC-005, SEC-007)
+```
+
+## State Management
+
+```json
+{
+  "phase": "02-security-analysis",
+  "status": "completed",
+  "timestamp": "2024-01-15T11:15:00Z",
+  "input": {
+    "inventory_path": ".code-review/inventory.json",
+    "files_analyzed": 57
+  },
+  "output": {
+    "findings_path": ".code-review/security-findings.json",
+    "total_findings": 24,
+    "critical_count": 3,
+    "high_count": 8
+  }
+}
+```
+
+## Agent Instructions
+
+```markdown
+You are in Phase 2 of the Code Review workflow. Your task is to analyze code for security vulnerabilities.
+
+**Instructions**:
+1. Load file inventory from Phase 1
+2. Focus on Critical + High priority files
+3. Run security checks for:
+   - OWASP Top 10 vulnerabilities
+   - CWE Top 25 weaknesses
+   - Language-specific security patterns
+4. Use smart_search with mode="ripgrep" for pattern matching
+5. Use mcp__ace-tool__search_context for semantic security pattern discovery
+6. Classify findings by severity (Critical/High/Medium/Low)
+7. Generate security-findings.json and markdown report
+8. Proceed to Phase 3 (Best Practices Review)
+
+**Tools Available**:
+- mcp__ccw_tools__smart_search (pattern search)
+- mcp__ace-tool__search_context (semantic search)
+- Read (read file content)
+- Write (save findings and reports)
+- Grep (targeted pattern matching)
+
+**Output Requirements**:
+- security-findings.json with detailed findings
+- Security report in markdown format
+- Each finding must include: file, line, severity, CWE, OWASP, fix recommendation
+- State file for phase tracking
+```
+
+## Validation
+
+Before proceeding to Phase 3:
+
+- ✅ All Critical + High priority files analyzed
+- ✅ Findings categorized by severity
+- ✅ Each finding has fix recommendation
+- ✅ CWE and OWASP mappings included
+- ✅ Security report generated
+- ✅ State saved
+
+## Next Phase
+
+**Phase 3: Best Practices Review** - Analyze code quality, performance, and maintainability issues.