claude-code-workflow 6.3.22 → 6.3.24

package/.claude/skills/code-reviewer/phases/02-security-analysis.md

@@ -1,442 +0,0 @@
-# Phase 2: Security Analysis
-
-## Objective
-
-Analyze code files for security vulnerabilities based on OWASP Top 10, CWE Top 25, and language-specific security patterns.
-
-## Input
-
-- **File Inventory**: From Phase 1 (`.code-review/inventory.json`)
-- **Priority Focus**: Critical and High priority files (unless `--scope all`)
-- **User Arguments**:
-  - `--focus security`: Security-only mode
-  - `--severity critical,high,medium,low`: Minimum severity to report
-  - `--checks`: Specific security checks to run (e.g., sql-injection, xss)
-
-## Process
-
-### Step 1: Load Security Rules
-
-```javascript
-// Load security check definitions
-const securityRules = {
-  owasp_top_10: [
-    'injection',
-    'broken_authentication',
-    'sensitive_data_exposure',
-    'xxe',
-    'broken_access_control',
-    'security_misconfiguration',
-    'xss',
-    'insecure_deserialization',
-    'vulnerable_components',
-    'insufficient_logging'
-  ],
-  cwe_top_25: [
-    'cwe-79',  // XSS
-    'cwe-89',  // SQL Injection
-    'cwe-20',  // Improper Input Validation
-    'cwe-78',  // OS Command Injection
-    'cwe-190', // Integer Overflow
-    // ... more CWE checks
-  ]
-};
-
-// Load language-specific rules
-const languageRules = {
-  typescript: require('./rules/typescript-security.json'),
-  python: require('./rules/python-security.json'),
-  java: require('./rules/java-security.json'),
-  go: require('./rules/go-security.json'),
-};
-```
-
-### Step 2: Analyze Files for Vulnerabilities
-
-For each file in the inventory, perform security analysis:
-
-```javascript
-const findings = [];
-
-for (const file of inventory.files) {
-  if (file.priority !== 'critical' && file.priority !== 'high') continue;
-
-  // Read file content
-  const content = await Read({ file_path: file.path });
-
-  // Run security checks
-  const fileFindings = await runSecurityChecks(content, file, {
-    rules: securityRules,
-    languageRules: languageRules[file.language],
-    severity: args.severity || 'medium'
-  });
-
-  findings.push(...fileFindings);
-}
-```
-
-### Step 3: Security Check Patterns
-
-#### A. Injection Vulnerabilities
-
-**SQL Injection**:
-```javascript
-// Pattern: String concatenation in SQL queries
-const sqlInjectionPatterns = [
-  /\$\{.*\}.*SELECT/,                    // Template literal with SELECT
-  /"SELECT.*\+\s*\w+/,                   // String concatenation
-  /execute\([`'"].*\$\{.*\}.*[`'"]\)/,   // Parameterized query bypass
-  /query\(.*\+.*\)/,                     // Query concatenation
-];
-
-// Check code
-for (const pattern of sqlInjectionPatterns) {
-  const matches = content.matchAll(new RegExp(pattern, 'g'));
-  for (const match of matches) {
-    findings.push({
-      type: 'sql-injection',
-      severity: 'critical',
-      line: getLineNumber(content, match.index),
-      code: match[0],
-      file: file.path,
-      message: 'Potential SQL injection vulnerability',
-      recommendation: 'Use parameterized queries or ORM methods',
-      cwe: 'CWE-89',
-      owasp: 'A03:2021 - Injection'
-    });
-  }
-}
-```
-
-**Command Injection**:
-```javascript
-// Pattern: Unsanitized input in exec/spawn
-const commandInjectionPatterns = [
-  /exec\(.*\$\{.*\}/,                    // exec with template literal
-  /spawn\(.*,\s*\[.*\$\{.*\}.*\]\)/,    // spawn with unsanitized args
-  /execSync\(.*\+.*\)/,                  // execSync with concatenation
-];
-```
-
-**XSS (Cross-Site Scripting)**:
-```javascript
-// Pattern: Unsanitized user input in DOM/HTML
-const xssPatterns = [
-  /innerHTML\s*=.*\$\{.*\}/,             // innerHTML with template literal
-  /dangerouslySetInnerHTML/,             // React dangerous prop
-  /document\.write\(.*\)/,               // document.write
-  /<\w+.*\$\{.*\}.*>/,                   // JSX with unsanitized data
-];
-```
-
-#### B. Authentication & Authorization
-
-```javascript
-// Pattern: Weak authentication
-const authPatterns = [
-  /password\s*===?\s*['"]/,              // Hardcoded password comparison
-  /jwt\.sign\(.*,\s*['"][^'"]{1,16}['"]\)/, // Weak JWT secret
-  /bcrypt\.hash\(.*,\s*[1-9]\s*\)/,      // Low bcrypt rounds
-  /md5\(.*password.*\)/,                 // MD5 for passwords
-  /if\s*\(\s*user\s*\)\s*\{/,            // Missing auth check
-];
-
-// Check for missing authorization
-const authzPatterns = [
-  /router\.(get|post|put|delete)\(.*\)\s*=>/,  // No middleware
-  /app\.use\([^)]*\)\s*;(?!.*auth)/,           // Missing auth middleware
-];
-```
-
-#### C. Sensitive Data Exposure
-
-```javascript
-// Pattern: Sensitive data in logs/responses
-const sensitiveDataPatterns = [
-  /(password|secret|token|key)\s*:/i,    // Sensitive keys in objects
-  /console\.log\(.*password.*\)/i,       // Password in logs
-  /res\.send\(.*user.*password.*\)/,     // Password in response
-  /(api_key|apikey)\s*=\s*['"]/i,        // Hardcoded API keys
-];
-```
-
-#### D. Security Misconfiguration
-
-```javascript
-// Pattern: Insecure configurations
-const misconfigPatterns = [
-  /cors\(\{.*origin:\s*['"]?\*['"]?.*\}\)/, // CORS wildcard
-  /https?\s*:\s*false/,                   // HTTPS disabled
-  /helmet\(\)/,                            // Missing helmet config
-  /strictMode\s*:\s*false/,               // Strict mode disabled
-];
-```
-
-### Step 4: Language-Specific Checks
-
-**TypeScript/JavaScript**:
-```javascript
-const jsFindings = [
-  checkPrototypePollution(content),
-  checkEvalUsage(content),
-  checkUnsafeRegex(content),
-  checkWeakCrypto(content),
-];
-```
-
-**Python**:
-```javascript
-const pythonFindings = [
-  checkPickleVulnerabilities(content),
-  checkYamlUnsafeLoad(content),
-  checkSqlAlchemy(content),
-  checkFlaskSecurityHeaders(content),
-];
-```
-
-**Java**:
-```javascript
-const javaFindings = [
-  checkDeserialization(content),
-  checkXXE(content),
-  checkPathTraversal(content),
-  checkSQLInjection(content),
-];
-```
-
-**Go**:
-```javascript
-const goFindings = [
-  checkRaceConditions(content),
-  checkSQLInjection(content),
-  checkPathTraversal(content),
-  checkCryptoWeakness(content),
-];
-```
-
-## Output
-
-### Security Findings File
-
-Save to `.code-review/security-findings.json`:
-
-```json
-{
-  "scan_date": "2024-01-15T11:00:00Z",
-  "total_findings": 24,
-  "by_severity": {
-    "critical": 3,
-    "high": 8,
-    "medium": 10,
-    "low": 3
-  },
-  "by_category": {
-    "injection": 5,
-    "authentication": 3,
-    "data_exposure": 4,
-    "misconfiguration": 6,
-    "xss": 3,
-    "other": 3
-  },
-  "findings": [
-    {
-      "id": "SEC-001",
-      "type": "sql-injection",
-      "severity": "critical",
-      "file": "src/auth/user-service.ts",
-      "line": 145,
-      "column": 12,
-      "code": "const query = `SELECT * FROM users WHERE username = '${username}'`;",
-      "message": "SQL Injection vulnerability: User input directly concatenated in SQL query",
-      "cwe": "CWE-89",
-      "owasp": "A03:2021 - Injection",
-      "recommendation": {
-        "description": "Use parameterized queries to prevent SQL injection",
-        "fix_example": "const query = 'SELECT * FROM users WHERE username = ?';\ndb.execute(query, [username]);"
-      },
-      "references": [
-        "https://owasp.org/www-community/attacks/SQL_Injection",
-        "https://cwe.mitre.org/data/definitions/89.html"
-      ]
-    }
-  ]
-}
-```
-
-### Security Report
-
-Generate markdown report:
-
-```markdown
-# Security Analysis Report
-
-**Scan Date**: 2024-01-15 11:00:00
-**Files Analyzed**: 57 (Critical + High priority)
-**Total Findings**: 24
-
-## Severity Summary
-
-| Severity | Count | Percentage |
-|----------|-------|------------|
-| Critical | 3     | 12.5%      |
-| High     | 8     | 33.3%      |
-| Medium   | 10    | 41.7%      |
-| Low      | 3     | 12.5%      |
-
-## Critical Findings (Requires Immediate Action)
-
-### 🔴 [SEC-001] SQL Injection in User Authentication
-
-**File**: `src/auth/user-service.ts:145`
-**CWE**: CWE-89 | **OWASP**: A03:2021 - Injection
-
-**Vulnerable Code**:
-\`\`\`typescript
-const query = \`SELECT * FROM users WHERE username = '\${username}'\`;
-const user = await db.execute(query);
-\`\`\`
-
-**Issue**: User input (`username`) is directly concatenated into SQL query, allowing attackers to inject malicious SQL commands.
-
-**Attack Example**:
-\`\`\`
-username: ' OR '1'='1' --
-Result: SELECT * FROM users WHERE username = '' OR '1'='1' --'
-Effect: Bypasses authentication, returns all users
-\`\`\`
-
-**Recommended Fix**:
-\`\`\`typescript
-// Use parameterized queries
-const query = 'SELECT * FROM users WHERE username = ?';
-const user = await db.execute(query, [username]);
-
-// Or use ORM
-const user = await User.findOne({ where: { username } });
-\`\`\`
-
-**References**:
-- [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
-- [CWE-89](https://cwe.mitre.org/data/definitions/89.html)
-
----
-
-### 🔴 [SEC-002] Hardcoded JWT Secret
-
-**File**: `src/auth/jwt.ts:23`
-**CWE**: CWE-798 | **OWASP**: A07:2021 - Identification and Authentication Failures
-
-**Vulnerable Code**:
-\`\`\`typescript
-const token = jwt.sign(payload, 'mysecret123', { expiresIn: '1h' });
-\`\`\`
-
-**Issue**: JWT secret is hardcoded and weak (only 11 characters).
-
-**Recommended Fix**:
-\`\`\`typescript
-// Use environment variable with strong secret
-const token = jwt.sign(payload, process.env.JWT_SECRET, {
-  expiresIn: '1h',
-  algorithm: 'HS256'
-});
-
-// Generate strong secret (32+ bytes):
-// node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
-\`\`\`
-
----
-
-## High Findings
-
-### 🟠 [SEC-003] Missing Input Validation
-
-**File**: `src/api/users.ts:67`
-**CWE**: CWE-20 | **OWASP**: A03:2021 - Injection
-
-...
-
-## Medium Findings
-
-...
-
-## Remediation Priority
-
-1. **Critical (3)**: Fix within 24 hours
-2. **High (8)**: Fix within 1 week
-3. **Medium (10)**: Fix within 1 month
-4. **Low (3)**: Fix in next release
-
-## Compliance Impact
-
-- **PCI DSS**: 4 findings affect compliance (SEC-001, SEC-002, SEC-008, SEC-011)
-- **HIPAA**: 2 findings affect compliance (SEC-005, SEC-009)
-- **GDPR**: 3 findings affect compliance (SEC-002, SEC-005, SEC-007)
-```
-
-## State Management
-
-```json
-{
-  "phase": "02-security-analysis",
-  "status": "completed",
-  "timestamp": "2024-01-15T11:15:00Z",
-  "input": {
-    "inventory_path": ".code-review/inventory.json",
-    "files_analyzed": 57
-  },
-  "output": {
-    "findings_path": ".code-review/security-findings.json",
-    "total_findings": 24,
-    "critical_count": 3,
-    "high_count": 8
-  }
-}
-```
-
-## Agent Instructions
-
-```markdown
-You are in Phase 2 of the Code Review workflow. Your task is to analyze code for security vulnerabilities.
-
-**Instructions**:
-1. Load file inventory from Phase 1
-2. Focus on Critical + High priority files
-3. Run security checks for:
-   - OWASP Top 10 vulnerabilities
-   - CWE Top 25 weaknesses
-   - Language-specific security patterns
-4. Use smart_search with mode="ripgrep" for pattern matching
-5. Use mcp__ace-tool__search_context for semantic security pattern discovery
-6. Classify findings by severity (Critical/High/Medium/Low)
-7. Generate security-findings.json and markdown report
-8. Proceed to Phase 3 (Best Practices Review)
-
-**Tools Available**:
-- mcp__ccw_tools__smart_search (pattern search)
-- mcp__ace-tool__search_context (semantic search)
-- Read (read file content)
-- Write (save findings and reports)
-- Grep (targeted pattern matching)
-
-**Output Requirements**:
-- security-findings.json with detailed findings
-- Security report in markdown format
-- Each finding must include: file, line, severity, CWE, OWASP, fix recommendation
-- State file for phase tracking
-```
-
-## Validation
-
-Before proceeding to Phase 3:
-
-- ✅ All Critical + High priority files analyzed
-- ✅ Findings categorized by severity
-- ✅ Each finding has fix recommendation
-- ✅ CWE and OWASP mappings included
-- ✅ Security report generated
-- ✅ State saved
-
-## Next Phase
-
-**Phase 3: Best Practices Review** - Analyze code quality, performance, and maintainability issues.

package/.claude/skills/code-reviewer/phases/03-best-practices-review.md

@@ -1,36 +0,0 @@
-# Phase 3: Best Practices Review
-
-## Objective
-
-Analyze code for best practices violations including code quality, performance issues, and maintainability concerns.
-
-## Input
-
-- **File Inventory**: From Phase 1 (`.code-review/inventory.json`)
-- **Security Findings**: From Phase 2 (`.code-review/security-findings.json`)
-- **User Arguments**:
-  - `--focus best-practices`: Best practices only mode
-  - `--check quality,performance,maintainability`: Specific areas to check
-
-## Process
-
-### Step 1: Code Quality Analysis
-
-Check naming conventions, function complexity, code duplication, and dead code detection.
-
-### Step 2: Performance Analysis
-
-Detect N+1 queries, inefficient algorithms, and memory leaks.
-
-### Step 3: Maintainability Analysis
-
-Check documentation coverage, test coverage, and dependency management.
-
-## Output
-
-- best-practices-findings.json
-- Markdown report with recommendations
-
-## Next Phase
-
-**Phase 4: Report Generation**