claude-code-workflow 7.2.26 → 7.2.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (408) hide show
  1. package/.ccw/specs/architecture-constraints.md +5 -0
  2. package/.claude/skills/_shared/SKILL-DESIGN-SPEC.md +140 -0
  3. package/.claude/skills/investigate/SKILL.md +110 -0
  4. package/.claude/skills/investigate/phases/01-root-cause-investigation.md +132 -0
  5. package/.claude/skills/investigate/phases/02-pattern-analysis.md +126 -0
  6. package/.claude/skills/investigate/phases/03-hypothesis-testing.md +177 -0
  7. package/.claude/skills/investigate/phases/04-implementation.md +139 -0
  8. package/.claude/skills/investigate/phases/05-verification-report.md +153 -0
  9. package/.claude/skills/investigate/specs/debug-report-format.md +226 -0
  10. package/.claude/skills/investigate/specs/iron-law.md +101 -0
  11. package/.claude/skills/security-audit/SKILL.md +125 -0
  12. package/.claude/skills/security-audit/phases/01-supply-chain-scan.md +139 -0
  13. package/.claude/skills/security-audit/phases/02-owasp-review.md +156 -0
  14. package/.claude/skills/security-audit/phases/03-threat-modeling.md +180 -0
  15. package/.claude/skills/security-audit/phases/04-report-tracking.md +177 -0
  16. package/.claude/skills/security-audit/specs/owasp-checklist.md +442 -0
  17. package/.claude/skills/security-audit/specs/scoring-gates.md +141 -0
  18. package/.claude/skills/ship/SKILL.md +105 -0
  19. package/.claude/skills/ship/phases/01-preflight-checks.md +121 -0
  20. package/.claude/skills/ship/phases/02-code-review.md +137 -0
  21. package/.claude/skills/ship/phases/03-version-bump.md +171 -0
  22. package/.claude/skills/ship/phases/04-changelog-commit.md +167 -0
  23. package/.claude/skills/ship/phases/05-pr-creation.md +163 -0
  24. package/.claude/skills/skill-generator/templates/sequential-phase.md +10 -0
  25. package/.claude/skills/skill-generator/templates/skill-md.md +4 -0
  26. package/.claude/skills/team-arch-opt/SKILL.md +1 -1
  27. package/.claude/skills/team-arch-opt/roles/coordinator/commands/monitor.md +3 -1
  28. package/.claude/skills/team-arch-opt/roles/refactorer/role.md +3 -1
  29. package/.claude/skills/team-arch-opt/specs/team-config.json +2 -2
  30. package/.claude/skills/team-coordinate/SKILL.md +4 -3
  31. package/.claude/skills/team-coordinate/roles/coordinator/commands/analyze-task.md +1 -1
  32. package/.claude/skills/team-coordinate/roles/coordinator/commands/dispatch.md +3 -2
  33. package/.claude/skills/team-coordinate/roles/coordinator/commands/monitor.md +3 -2
  34. package/.claude/skills/team-coordinate/roles/coordinator/role.md +16 -15
  35. package/.claude/skills/team-coordinate/specs/pipelines.md +7 -4
  36. package/.claude/skills/team-coordinate/specs/role-spec-template.md +1 -0
  37. package/.claude/skills/team-interactive-craft/SKILL.md +127 -0
  38. package/.claude/skills/team-interactive-craft/roles/a11y-tester/role.md +159 -0
  39. package/.claude/skills/team-interactive-craft/roles/builder/role.md +216 -0
  40. package/.claude/skills/team-interactive-craft/roles/coordinator/commands/analyze.md +71 -0
  41. package/.claude/skills/team-interactive-craft/roles/coordinator/commands/dispatch.md +192 -0
  42. package/.claude/skills/team-interactive-craft/roles/coordinator/commands/monitor.md +183 -0
  43. package/.claude/skills/team-interactive-craft/roles/coordinator/role.md +166 -0
  44. package/.claude/skills/team-interactive-craft/roles/interaction-designer/role.md +144 -0
  45. package/.claude/skills/team-interactive-craft/roles/researcher/role.md +131 -0
  46. package/.claude/skills/team-interactive-craft/specs/interaction-patterns.md +362 -0
  47. package/.claude/skills/team-interactive-craft/specs/pipelines.md +85 -0
  48. package/.claude/skills/team-interactive-craft/specs/team-config.json +105 -0
  49. package/.claude/skills/team-interactive-craft/specs/vanilla-constraints.md +83 -0
  50. package/.claude/skills/team-lifecycle-v4/SKILL.md +1 -1
  51. package/.claude/skills/team-lifecycle-v4/roles/coordinator/commands/dispatch.md +14 -2
  52. package/.claude/skills/team-lifecycle-v4/roles/coordinator/commands/monitor.md +24 -2
  53. package/.claude/skills/team-lifecycle-v4/roles/executor/role.md +3 -1
  54. package/.claude/skills/team-motion-design/SKILL.md +129 -0
  55. package/.claude/skills/team-motion-design/roles/animator/role.md +194 -0
  56. package/.claude/skills/team-motion-design/roles/choreographer/role.md +164 -0
  57. package/.claude/skills/team-motion-design/roles/coordinator/commands/analyze.md +64 -0
  58. package/.claude/skills/team-motion-design/roles/coordinator/commands/dispatch.md +203 -0
  59. package/.claude/skills/team-motion-design/roles/coordinator/commands/monitor.md +184 -0
  60. package/.claude/skills/team-motion-design/roles/coordinator/role.md +167 -0
  61. package/.claude/skills/team-motion-design/roles/motion-researcher/role.md +115 -0
  62. package/.claude/skills/team-motion-design/roles/motion-tester/role.md +175 -0
  63. package/.claude/skills/team-motion-design/specs/gpu-constraints.md +114 -0
  64. package/.claude/skills/team-motion-design/specs/motion-tokens.md +128 -0
  65. package/.claude/skills/team-motion-design/specs/pipelines.md +74 -0
  66. package/.claude/skills/team-motion-design/specs/reduced-motion.md +129 -0
  67. package/.claude/skills/team-motion-design/specs/team-config.json +99 -0
  68. package/.claude/skills/team-perf-opt/SKILL.md +1 -1
  69. package/.claude/skills/team-perf-opt/roles/optimizer/role.md +3 -1
  70. package/.claude/skills/team-perf-opt/specs/team-config.json +2 -2
  71. package/.claude/skills/team-quality-assurance/SKILL.md +1 -1
  72. package/.claude/skills/team-quality-assurance/roles/coordinator/commands/dispatch.md +4 -2
  73. package/.claude/skills/team-quality-assurance/roles/coordinator/commands/monitor.md +4 -2
  74. package/.claude/skills/team-quality-assurance/roles/executor/role.md +3 -1
  75. package/.claude/skills/team-testing/SKILL.md +1 -1
  76. package/.claude/skills/team-testing/roles/coordinator/commands/dispatch.md +5 -2
  77. package/.claude/skills/team-testing/roles/coordinator/commands/monitor.md +4 -2
  78. package/.claude/skills/team-testing/roles/executor/role.md +3 -1
  79. package/.claude/skills/team-ui-polish/SKILL.md +127 -0
  80. package/.claude/skills/team-ui-polish/roles/coordinator/commands/analyze.md +77 -0
  81. package/.claude/skills/team-ui-polish/roles/coordinator/commands/dispatch.md +194 -0
  82. package/.claude/skills/team-ui-polish/roles/coordinator/commands/monitor.md +180 -0
  83. package/.claude/skills/team-ui-polish/roles/coordinator/role.md +170 -0
  84. package/.claude/skills/team-ui-polish/roles/diagnostician/role.md +160 -0
  85. package/.claude/skills/team-ui-polish/roles/optimizer/role.md +225 -0
  86. package/.claude/skills/team-ui-polish/roles/scanner/role.md +356 -0
  87. package/.claude/skills/team-ui-polish/roles/verifier/role.md +142 -0
  88. package/.claude/skills/team-ui-polish/specs/anti-patterns.md +141 -0
  89. package/.claude/skills/team-ui-polish/specs/design-standards.md +356 -0
  90. package/.claude/skills/team-ui-polish/specs/fix-strategies.md +235 -0
  91. package/.claude/skills/team-ui-polish/specs/pipelines.md +81 -0
  92. package/.claude/skills/team-ui-polish/specs/scoring-guide.md +162 -0
  93. package/.claude/skills/team-ui-polish/specs/team-config.json +73 -0
  94. package/.claude/skills/team-uidesign/SKILL.md +6 -1
  95. package/.claude/skills/team-uidesign/roles/designer/role.md +28 -4
  96. package/.claude/skills/team-uidesign/roles/implementer/role.md +25 -3
  97. package/.claude/skills/team-uidesign/roles/researcher/role.md +21 -2
  98. package/.claude/skills/team-uidesign/roles/reviewer/role.md +19 -17
  99. package/.claude/skills/team-uidesign/specs/anti-patterns.md +211 -0
  100. package/.claude/skills/team-uidesign/specs/design-standards.md +329 -0
  101. package/.claude/skills/team-uidesign/specs/scoring-guide.md +114 -0
  102. package/.claude/skills/team-uidesign/specs/team-config.json +1 -1
  103. package/.claude/skills/team-uidesign/specs/ux-writing.md +86 -0
  104. package/.claude/skills/team-ux-improve/SKILL.md +3 -0
  105. package/.claude/skills/team-ux-improve/roles/designer/role.md +30 -0
  106. package/.claude/skills/team-ux-improve/roles/diagnoser/role.md +16 -1
  107. package/.claude/skills/team-ux-improve/roles/scanner/role.md +43 -1
  108. package/.claude/skills/team-ux-improve/specs/anti-patterns.md +103 -0
  109. package/.claude/skills/team-ux-improve/specs/design-standards.md +54 -0
  110. package/.claude/skills/team-ux-improve/specs/heuristics.md +88 -0
  111. package/.claude/skills/team-ux-improve/wisdom/anti-patterns/common-ux-pitfalls.md +40 -8
  112. package/.claude/skills/team-ux-improve/wisdom/patterns/state-management.md +32 -12
  113. package/.claude/skills/team-ux-improve/wisdom/patterns/ui-feedback.md +35 -11
  114. package/.claude/skills/team-ux-improve/wisdom/principles/general-ux.md +36 -9
  115. package/.claude/skills/team-visual-a11y/SKILL.md +143 -0
  116. package/.claude/skills/team-visual-a11y/roles/color-auditor/role.md +178 -0
  117. package/.claude/skills/team-visual-a11y/roles/coordinator/commands/analyze.md +72 -0
  118. package/.claude/skills/team-visual-a11y/roles/coordinator/commands/dispatch.md +250 -0
  119. package/.claude/skills/team-visual-a11y/roles/coordinator/commands/monitor.md +204 -0
  120. package/.claude/skills/team-visual-a11y/roles/coordinator/role.md +169 -0
  121. package/.claude/skills/team-visual-a11y/roles/fix-implementer/role.md +246 -0
  122. package/.claude/skills/team-visual-a11y/roles/focus-auditor/role.md +222 -0
  123. package/.claude/skills/team-visual-a11y/roles/remediation-planner/role.md +206 -0
  124. package/.claude/skills/team-visual-a11y/roles/typo-auditor/role.md +185 -0
  125. package/.claude/skills/team-visual-a11y/specs/focus-patterns.md +325 -0
  126. package/.claude/skills/team-visual-a11y/specs/oklch-standards.md +130 -0
  127. package/.claude/skills/team-visual-a11y/specs/pipelines.md +98 -0
  128. package/.claude/skills/team-visual-a11y/specs/team-config.json +109 -0
  129. package/.claude/skills/team-visual-a11y/specs/typography-scale.md +165 -0
  130. package/.claude/skills/team-visual-a11y/specs/wcag-matrix.md +133 -0
  131. package/.codex/skills/investigate/agents/investigator.md +392 -0
  132. package/.codex/skills/investigate/orchestrator.md +362 -0
  133. package/.codex/skills/investigate/phases/01-root-cause-investigation.md +212 -0
  134. package/.codex/skills/investigate/phases/02-pattern-analysis.md +181 -0
  135. package/.codex/skills/investigate/phases/03-hypothesis-testing.md +214 -0
  136. package/.codex/skills/investigate/phases/04-implementation.md +195 -0
  137. package/.codex/skills/investigate/phases/05-verification-report.md +240 -0
  138. package/.codex/skills/security-audit/agents/security-auditor.md +341 -0
  139. package/.codex/skills/security-audit/orchestrator.md +384 -0
  140. package/.codex/skills/security-audit/phases/01-supply-chain-scan.md +226 -0
  141. package/.codex/skills/security-audit/phases/02-owasp-review.md +232 -0
  142. package/.codex/skills/security-audit/phases/03-threat-modeling.md +249 -0
  143. package/.codex/skills/security-audit/phases/04-report-tracking.md +300 -0
  144. package/.codex/skills/ship/agents/ship-operator.md +318 -0
  145. package/.codex/skills/ship/orchestrator.md +426 -0
  146. package/.codex/skills/ship/phases/01-preflight-checks.md +198 -0
  147. package/.codex/skills/ship/phases/02-code-review.md +228 -0
  148. package/.codex/skills/ship/phases/03-version-bump.md +259 -0
  149. package/.codex/skills/ship/phases/04-changelog-commit.md +263 -0
  150. package/.codex/skills/ship/phases/05-pr-creation.md +280 -0
  151. package/.codex/skills/team-interactive-craft/SKILL.md +220 -0
  152. package/.codex/skills/team-interactive-craft/roles/a11y-tester/role.md +159 -0
  153. package/.codex/skills/team-interactive-craft/roles/builder/role.md +216 -0
  154. package/.codex/skills/team-interactive-craft/roles/coordinator/commands/analyze.md +71 -0
  155. package/.codex/skills/team-interactive-craft/roles/coordinator/commands/dispatch.md +162 -0
  156. package/.codex/skills/team-interactive-craft/roles/coordinator/commands/monitor.md +233 -0
  157. package/.codex/skills/team-interactive-craft/roles/coordinator/role.md +209 -0
  158. package/.codex/skills/team-interactive-craft/roles/interaction-designer/role.md +144 -0
  159. package/.codex/skills/team-interactive-craft/roles/researcher/role.md +131 -0
  160. package/.codex/skills/team-interactive-craft/specs/interaction-patterns.md +362 -0
  161. package/.codex/skills/team-interactive-craft/specs/pipelines.md +85 -0
  162. package/.codex/skills/team-interactive-craft/specs/team-config.json +105 -0
  163. package/.codex/skills/team-interactive-craft/specs/vanilla-constraints.md +83 -0
  164. package/.codex/skills/team-motion-design/SKILL.md +222 -0
  165. package/.codex/skills/team-motion-design/roles/animator/role.md +194 -0
  166. package/.codex/skills/team-motion-design/roles/choreographer/role.md +164 -0
  167. package/.codex/skills/team-motion-design/roles/coordinator/commands/analyze.md +64 -0
  168. package/.codex/skills/team-motion-design/roles/coordinator/commands/dispatch.md +168 -0
  169. package/.codex/skills/team-motion-design/roles/coordinator/commands/monitor.md +242 -0
  170. package/.codex/skills/team-motion-design/roles/coordinator/role.md +210 -0
  171. package/.codex/skills/team-motion-design/roles/motion-researcher/role.md +115 -0
  172. package/.codex/skills/team-motion-design/roles/motion-tester/role.md +175 -0
  173. package/.codex/skills/team-motion-design/specs/gpu-constraints.md +114 -0
  174. package/.codex/skills/team-motion-design/specs/motion-tokens.md +128 -0
  175. package/.codex/skills/team-motion-design/specs/pipelines.md +74 -0
  176. package/.codex/skills/team-motion-design/specs/reduced-motion.md +129 -0
  177. package/.codex/skills/team-motion-design/specs/team-config.json +99 -0
  178. package/.codex/skills/team-ui-polish/SKILL.md +218 -0
  179. package/.codex/skills/team-ui-polish/roles/coordinator/commands/analyze.md +77 -0
  180. package/.codex/skills/team-ui-polish/roles/coordinator/commands/dispatch.md +167 -0
  181. package/.codex/skills/team-ui-polish/roles/coordinator/commands/monitor.md +230 -0
  182. package/.codex/skills/team-ui-polish/roles/coordinator/role.md +213 -0
  183. package/.codex/skills/team-ui-polish/roles/diagnostician/role.md +164 -0
  184. package/.codex/skills/team-ui-polish/roles/optimizer/role.md +229 -0
  185. package/.codex/skills/team-ui-polish/roles/scanner/role.md +360 -0
  186. package/.codex/skills/team-ui-polish/roles/verifier/role.md +142 -0
  187. package/.codex/skills/team-ui-polish/specs/anti-patterns.md +141 -0
  188. package/.codex/skills/team-ui-polish/specs/design-standards.md +356 -0
  189. package/.codex/skills/team-ui-polish/specs/fix-strategies.md +235 -0
  190. package/.codex/skills/team-ui-polish/specs/pipelines.md +81 -0
  191. package/.codex/skills/team-ui-polish/specs/scoring-guide.md +162 -0
  192. package/.codex/skills/team-ui-polish/specs/team-config.json +73 -0
  193. package/.codex/skills/team-visual-a11y/SKILL.md +319 -0
  194. package/.codex/skills/team-visual-a11y/roles/color-auditor/role.md +178 -0
  195. package/.codex/skills/team-visual-a11y/roles/coordinator/commands/analyze.md +72 -0
  196. package/.codex/skills/team-visual-a11y/roles/coordinator/commands/dispatch.md +188 -0
  197. package/.codex/skills/team-visual-a11y/roles/coordinator/commands/monitor.md +281 -0
  198. package/.codex/skills/team-visual-a11y/roles/coordinator/role.md +213 -0
  199. package/.codex/skills/team-visual-a11y/roles/fix-implementer/role.md +246 -0
  200. package/.codex/skills/team-visual-a11y/roles/focus-auditor/role.md +222 -0
  201. package/.codex/skills/team-visual-a11y/roles/remediation-planner/role.md +206 -0
  202. package/.codex/skills/team-visual-a11y/roles/typo-auditor/role.md +185 -0
  203. package/.codex/skills/team-visual-a11y/specs/focus-patterns.md +325 -0
  204. package/.codex/skills/team-visual-a11y/specs/oklch-standards.md +130 -0
  205. package/.codex/skills/team-visual-a11y/specs/pipelines.md +98 -0
  206. package/.codex/skills/team-visual-a11y/specs/team-config.json +109 -0
  207. package/.codex/skills/team-visual-a11y/specs/typography-scale.md +165 -0
  208. package/.codex/skills/team-visual-a11y/specs/wcag-matrix.md +133 -0
  209. package/README.md +8 -0
  210. package/ccw/dist/core/hooks/hook-templates.d.ts.map +1 -1
  211. package/ccw/dist/core/hooks/hook-templates.js +114 -1
  212. package/ccw/dist/core/hooks/hook-templates.js.map +1 -1
  213. package/ccw/dist/core/routes/cli-routes.d.ts.map +1 -1
  214. package/ccw/dist/core/routes/cli-routes.js +34 -0
  215. package/ccw/dist/core/routes/cli-routes.js.map +1 -1
  216. package/ccw/dist/core/routes/system-routes.js +2 -2
  217. package/ccw/dist/core/routes/system-routes.js.map +1 -1
  218. package/ccw/frontend/dist/assets/{AlertDialog-Bf1jdqax.js → AlertDialog-BjP1ydDR.js} +2 -2
  219. package/ccw/frontend/dist/assets/{AlertDialog-Bf1jdqax.js.map → AlertDialog-BjP1ydDR.js.map} +1 -1
  220. package/ccw/frontend/dist/assets/{AnalysisPage-C8niKdp4.js → AnalysisPage-CAX3xqMf.js} +2 -2
  221. package/ccw/frontend/dist/assets/{AnalysisPage-C8niKdp4.js.map → AnalysisPage-CAX3xqMf.js.map} +1 -1
  222. package/ccw/frontend/dist/assets/{ApiSettingsPage-BL2c3UNS.js → ApiSettingsPage-CtWlmztq.js} +2 -2
  223. package/ccw/frontend/dist/assets/{ApiSettingsPage-BL2c3UNS.js.map → ApiSettingsPage-CtWlmztq.js.map} +1 -1
  224. package/ccw/frontend/dist/assets/{CliModeToggle-BePBFynD.js → CliModeToggle-hR4a-eLX.js} +2 -2
  225. package/ccw/frontend/dist/assets/{CliModeToggle-BePBFynD.js.map → CliModeToggle-hR4a-eLX.js.map} +1 -1
  226. package/ccw/frontend/dist/assets/{CliSessionSharePage-7cYtX6FT.js → CliSessionSharePage-DzNPkFN9.js} +2 -2
  227. package/ccw/frontend/dist/assets/{CliSessionSharePage-7cYtX6FT.js.map → CliSessionSharePage-DzNPkFN9.js.map} +1 -1
  228. package/ccw/frontend/dist/assets/{CliViewerPage-CBwg1mPL.js → CliViewerPage-BPEGN4TT.js} +2 -2
  229. package/ccw/frontend/dist/assets/{CliViewerPage-CBwg1mPL.js.map → CliViewerPage-BPEGN4TT.js.map} +1 -1
  230. package/ccw/frontend/dist/assets/{CodexLensPage-Bt74xORP.js → CodexLensPage-Cf0r2RHY.js} +2 -2
  231. package/ccw/frontend/dist/assets/{CodexLensPage-Bt74xORP.js.map → CodexLensPage-Cf0r2RHY.js.map} +1 -1
  232. package/ccw/frontend/dist/assets/{Collapsible-Wrs87QT7.js → Collapsible-DEm1rJ4h.js} +2 -2
  233. package/ccw/frontend/dist/assets/{Collapsible-Wrs87QT7.js.map → Collapsible-DEm1rJ4h.js.map} +1 -1
  234. package/ccw/frontend/dist/assets/{CommandsManagerPage-ChQjmPWZ.js → CommandsManagerPage-BpeWw8HO.js} +2 -2
  235. package/ccw/frontend/dist/assets/{CommandsManagerPage-ChQjmPWZ.js.map → CommandsManagerPage-BpeWw8HO.js.map} +1 -1
  236. package/ccw/frontend/dist/assets/{DeepWikiPage-dEO5wi6X.js → DeepWikiPage-BEsmh2vF.js} +2 -2
  237. package/ccw/frontend/dist/assets/{DeepWikiPage-dEO5wi6X.js.map → DeepWikiPage-BEsmh2vF.js.map} +1 -1
  238. package/ccw/frontend/dist/assets/{EndpointsPage-4zq269xY.js → EndpointsPage-B30SFdtU.js} +2 -2
  239. package/ccw/frontend/dist/assets/{EndpointsPage-4zq269xY.js.map → EndpointsPage-B30SFdtU.js.map} +1 -1
  240. package/ccw/frontend/dist/assets/{ExplorerPage-B0YTENhA.js → ExplorerPage-BVvMpg1O.js} +2 -2
  241. package/ccw/frontend/dist/assets/{ExplorerPage-B0YTENhA.js.map → ExplorerPage-BVvMpg1O.js.map} +1 -1
  242. package/ccw/frontend/dist/assets/{FixSessionPage-CwGs6dhz.js → FixSessionPage-CL73dHbh.js} +2 -2
  243. package/ccw/frontend/dist/assets/{FixSessionPage-CwGs6dhz.js.map → FixSessionPage-CL73dHbh.js.map} +1 -1
  244. package/ccw/frontend/dist/assets/{FloatingFileBrowser-COZRBslc.js → FloatingFileBrowser-BL-28lMZ.js} +2 -2
  245. package/ccw/frontend/dist/assets/{FloatingFileBrowser-COZRBslc.js.map → FloatingFileBrowser-BL-28lMZ.js.map} +1 -1
  246. package/ccw/frontend/dist/assets/{FloatingPanel-DYvgQZRD.js → FloatingPanel-BzZDciHZ.js} +2 -2
  247. package/ccw/frontend/dist/assets/{FloatingPanel-DYvgQZRD.js.map → FloatingPanel-BzZDciHZ.js.map} +1 -1
  248. package/ccw/frontend/dist/assets/{GraphExplorerPage-ewMHQGem.js → GraphExplorerPage-CDp6-d8P.js} +2 -2
  249. package/ccw/frontend/dist/assets/{GraphExplorerPage-ewMHQGem.js.map → GraphExplorerPage-CDp6-d8P.js.map} +1 -1
  250. package/ccw/frontend/dist/assets/{HistoryPage-BMeR0PrK.js → HistoryPage-fZY_7O9n.js} +2 -2
  251. package/ccw/frontend/dist/assets/{HistoryPage-BMeR0PrK.js.map → HistoryPage-fZY_7O9n.js.map} +1 -1
  252. package/ccw/frontend/dist/assets/{HookManagerPage-DBW2LnRm.js → HookManagerPage-4LJeC9bq.js} +2 -2
  253. package/ccw/frontend/dist/assets/{HookManagerPage-DBW2LnRm.js.map → HookManagerPage-4LJeC9bq.js.map} +1 -1
  254. package/ccw/frontend/dist/assets/{InstallationsPage--pMj0QEH.js → InstallationsPage-Bpigrbhw.js} +2 -2
  255. package/ccw/frontend/dist/assets/{InstallationsPage--pMj0QEH.js.map → InstallationsPage-Bpigrbhw.js.map} +1 -1
  256. package/ccw/frontend/dist/assets/{IssueHubPage-C_QMpQSR.js → IssueHubPage-BP0zJc1R.js} +2 -2
  257. package/ccw/frontend/dist/assets/{IssueHubPage-C_QMpQSR.js.map → IssueHubPage-BP0zJc1R.js.map} +1 -1
  258. package/ccw/frontend/dist/assets/{LiteTasksPage-CSWFdQ2-.js → LiteTasksPage-CSt2oVKQ.js} +2 -2
  259. package/ccw/frontend/dist/assets/{LiteTasksPage-CSWFdQ2-.js.map → LiteTasksPage-CSt2oVKQ.js.map} +1 -1
  260. package/ccw/frontend/dist/assets/{McpManagerPage-Dvv8NtGy.js → McpManagerPage-B-xaMA0w.js} +2 -2
  261. package/ccw/frontend/dist/assets/{McpManagerPage-Dvv8NtGy.js.map → McpManagerPage-B-xaMA0w.js.map} +1 -1
  262. package/ccw/frontend/dist/assets/{MemoryPage-YO8WZzZO.js → MemoryPage-CJqo_7DY.js} +2 -2
  263. package/ccw/frontend/dist/assets/{MemoryPage-YO8WZzZO.js.map → MemoryPage-CJqo_7DY.js.map} +1 -1
  264. package/ccw/frontend/dist/assets/{NotFoundPage-quUJw0CD.js → NotFoundPage-ibZeQA-Y.js} +2 -2
  265. package/ccw/frontend/dist/assets/{NotFoundPage-quUJw0CD.js.map → NotFoundPage-ibZeQA-Y.js.map} +1 -1
  266. package/ccw/frontend/dist/assets/{OrchestratorPage-tuThWPID.js → OrchestratorPage-DgJ4ctPQ.js} +2 -2
  267. package/ccw/frontend/dist/assets/{OrchestratorPage-tuThWPID.js.map → OrchestratorPage-DgJ4ctPQ.js.map} +1 -1
  268. package/ccw/frontend/dist/assets/{ProjectOverviewPage-shTilwiT.js → ProjectOverviewPage-Cit0Yq0D.js} +2 -2
  269. package/ccw/frontend/dist/assets/{ProjectOverviewPage-shTilwiT.js.map → ProjectOverviewPage-Cit0Yq0D.js.map} +1 -1
  270. package/ccw/frontend/dist/assets/{PromptHistoryPage-6rQnsI8l.js → PromptHistoryPage-Ce1HDIK0.js} +2 -2
  271. package/ccw/frontend/dist/assets/{PromptHistoryPage-6rQnsI8l.js.map → PromptHistoryPage-Ce1HDIK0.js.map} +1 -1
  272. package/ccw/frontend/dist/assets/{ReviewSessionPage-JOmzjVbT.js → ReviewSessionPage-J1KikNrk.js} +2 -2
  273. package/ccw/frontend/dist/assets/{ReviewSessionPage-JOmzjVbT.js.map → ReviewSessionPage-J1KikNrk.js.map} +1 -1
  274. package/ccw/frontend/dist/assets/{RulesManagerPage-Cayfywqi.js → RulesManagerPage-CdBjTmth.js} +2 -2
  275. package/ccw/frontend/dist/assets/{RulesManagerPage-Cayfywqi.js.map → RulesManagerPage-CdBjTmth.js.map} +1 -1
  276. package/ccw/frontend/dist/assets/{SessionDetailPage-iMn0k84i.js → SessionDetailPage-B9ZK7LvX.js} +2 -2
  277. package/ccw/frontend/dist/assets/{SessionDetailPage-iMn0k84i.js.map → SessionDetailPage-B9ZK7LvX.js.map} +1 -1
  278. package/ccw/frontend/dist/assets/{SessionsPage-Ciqjy9kz.js → SessionsPage-CW_nS5UR.js} +2 -2
  279. package/ccw/frontend/dist/assets/{SessionsPage-Ciqjy9kz.js.map → SessionsPage-CW_nS5UR.js.map} +1 -1
  280. package/ccw/frontend/dist/assets/{SettingsPage-BPDbXPSM.js → SettingsPage-B2PYzSoO.js} +35 -35
  281. package/ccw/frontend/dist/assets/SettingsPage-B2PYzSoO.js.map +1 -0
  282. package/ccw/frontend/dist/assets/{SkillsManagerPage-D3LzbpJY.js → SkillsManagerPage-CTnWrrwp.js} +2 -2
  283. package/ccw/frontend/dist/assets/{SkillsManagerPage-D3LzbpJY.js.map → SkillsManagerPage-CTnWrrwp.js.map} +1 -1
  284. package/ccw/frontend/dist/assets/{SpecsSettingsPage-BpkJctzo.js → SpecsSettingsPage-DJpi9XQL.js} +2 -2
  285. package/ccw/frontend/dist/assets/{SpecsSettingsPage-BpkJctzo.js.map → SpecsSettingsPage-DJpi9XQL.js.map} +1 -1
  286. package/ccw/frontend/dist/assets/{Switch-BpB9h__9.js → Switch-Ac6Ov7uy.js} +2 -2
  287. package/ccw/frontend/dist/assets/{Switch-BpB9h__9.js.map → Switch-Ac6Ov7uy.js.map} +1 -1
  288. package/ccw/frontend/dist/assets/{TabsNavigation-BGsKy7DO.js → TabsNavigation-DZAAspqR.js} +2 -2
  289. package/ccw/frontend/dist/assets/{TabsNavigation-BGsKy7DO.js.map → TabsNavigation-DZAAspqR.js.map} +1 -1
  290. package/ccw/frontend/dist/assets/{TaskDrawer-bYIlbM0Q.js → TaskDrawer-BJkwfhIZ.js} +2 -2
  291. package/ccw/frontend/dist/assets/{TaskDrawer-bYIlbM0Q.js.map → TaskDrawer-BJkwfhIZ.js.map} +1 -1
  292. package/ccw/frontend/dist/assets/{TeamPage-CihtQ6LQ.js → TeamPage-BJgjxBgb.js} +2 -2
  293. package/ccw/frontend/dist/assets/{TeamPage-CihtQ6LQ.js.map → TeamPage-BJgjxBgb.js.map} +1 -1
  294. package/ccw/frontend/dist/assets/{TerminalDashboardPage-BDnNF_ud.js → TerminalDashboardPage-D1WekoOy.js} +2 -2
  295. package/ccw/frontend/dist/assets/{TerminalDashboardPage-BDnNF_ud.js.map → TerminalDashboardPage-D1WekoOy.js.map} +1 -1
  296. package/ccw/frontend/dist/assets/{archive-CQJ86bQp.js → archive-DxemgIhF.js} +2 -2
  297. package/ccw/frontend/dist/assets/{archive-CQJ86bQp.js.map → archive-DxemgIhF.js.map} +1 -1
  298. package/ccw/frontend/dist/assets/{archive-restore-BhTfDbPU.js → archive-restore-CjS83f1V.js} +2 -2
  299. package/ccw/frontend/dist/assets/{archive-restore-BhTfDbPU.js.map → archive-restore-CjS83f1V.js.map} +1 -1
  300. package/ccw/frontend/dist/assets/{arrow-right-eUAZnT9C.js → arrow-right-B5PUcn8I.js} +2 -2
  301. package/ccw/frontend/dist/assets/{arrow-right-eUAZnT9C.js.map → arrow-right-B5PUcn8I.js.map} +1 -1
  302. package/ccw/frontend/dist/assets/{bookmark-plus-ilF5-V-k.js → bookmark-plus-DCc9aPbb.js} +2 -2
  303. package/ccw/frontend/dist/assets/{bookmark-plus-ilF5-V-k.js.map → bookmark-plus-DCc9aPbb.js.map} +1 -1
  304. package/ccw/frontend/dist/assets/{bot-BLkaQscs.js → bot-DOwFtzak.js} +2 -2
  305. package/ccw/frontend/dist/assets/{bot-BLkaQscs.js.map → bot-DOwFtzak.js.map} +1 -1
  306. package/ccw/frontend/dist/assets/{braces-D9HdgsO6.js → braces-96qH3aFh.js} +2 -2
  307. package/ccw/frontend/dist/assets/{braces-D9HdgsO6.js.map → braces-96qH3aFh.js.map} +1 -1
  308. package/ccw/frontend/dist/assets/{circle-stop-C3ZF1okQ.js → circle-stop-CCxSuil1.js} +2 -2
  309. package/ccw/frontend/dist/assets/{circle-stop-C3ZF1okQ.js.map → circle-stop-CCxSuil1.js.map} +1 -1
  310. package/ccw/frontend/dist/assets/{cpu-B-QjaSjm.js → cpu-CZNSJFdq.js} +2 -2
  311. package/ccw/frontend/dist/assets/{cpu-B-QjaSjm.js.map → cpu-CZNSJFdq.js.map} +1 -1
  312. package/ccw/frontend/dist/assets/{ellipsis-vertical-CbNlw2gS.js → ellipsis-vertical-h8xtvw2_.js} +2 -2
  313. package/ccw/frontend/dist/assets/{ellipsis-vertical-CbNlw2gS.js.map → ellipsis-vertical-h8xtvw2_.js.map} +1 -1
  314. package/ccw/frontend/dist/assets/{eye-yAy69Cnn.js → eye-D3NY0bm6.js} +2 -2
  315. package/ccw/frontend/dist/assets/{eye-yAy69Cnn.js.map → eye-D3NY0bm6.js.map} +1 -1
  316. package/ccw/frontend/dist/assets/{eye-off-D5uzLZyP.js → eye-off-Cy2vkc8p.js} +2 -2
  317. package/ccw/frontend/dist/assets/{eye-off-D5uzLZyP.js.map → eye-off-Cy2vkc8p.js.map} +1 -1
  318. package/ccw/frontend/dist/assets/{file-json-rwo1NowL.js → file-json-Bzq3U1Mx.js} +2 -2
  319. package/ccw/frontend/dist/assets/{file-json-rwo1NowL.js.map → file-json-Bzq3U1Mx.js.map} +1 -1
  320. package/ccw/frontend/dist/assets/{file-text-DRkrjie9.js → file-text-DwuwPDPi.js} +2 -2
  321. package/ccw/frontend/dist/assets/{file-text-DRkrjie9.js.map → file-text-DwuwPDPi.js.map} +1 -1
  322. package/ccw/frontend/dist/assets/{filter-BOe-OTu1.js → filter-q9g-bknU.js} +2 -2
  323. package/ccw/frontend/dist/assets/{filter-BOe-OTu1.js.map → filter-q9g-bknU.js.map} +1 -1
  324. package/ccw/frontend/dist/assets/{folder-BaWZWn_r.js → folder-CL6vb42J.js} +2 -2
  325. package/ccw/frontend/dist/assets/{folder-BaWZWn_r.js.map → folder-CL6vb42J.js.map} +1 -1
  326. package/ccw/frontend/dist/assets/{gauge-kazFexTr.js → gauge-BkrcQBly.js} +2 -2
  327. package/ccw/frontend/dist/assets/{gauge-kazFexTr.js.map → gauge-BkrcQBly.js.map} +1 -1
  328. package/ccw/frontend/dist/assets/{globe-BuHeEjxd.js → globe-BQbwyNeV.js} +2 -2
  329. package/ccw/frontend/dist/assets/{globe-BuHeEjxd.js.map → globe-BQbwyNeV.js.map} +1 -1
  330. package/ccw/frontend/dist/assets/{grid-3x3-DbhuUu4V.js → grid-3x3-x5_7DrN7.js} +2 -2
  331. package/ccw/frontend/dist/assets/{grid-3x3-DbhuUu4V.js.map → grid-3x3-x5_7DrN7.js.map} +1 -1
  332. package/ccw/frontend/dist/assets/{hard-drive-AoLGL0z4.js → hard-drive-DTyWXwzf.js} +2 -2
  333. package/ccw/frontend/dist/assets/{hard-drive-AoLGL0z4.js.map → hard-drive-DTyWXwzf.js.map} +1 -1
  334. package/ccw/frontend/dist/assets/{hash-Dpo1exMB.js → hash-80O0kJO7.js} +2 -2
  335. package/ccw/frontend/dist/assets/{hash-Dpo1exMB.js.map → hash-80O0kJO7.js.map} +1 -1
  336. package/ccw/frontend/dist/assets/{history-ujQnmMC9.js → history-DDlN2Bwa.js} +2 -2
  337. package/ccw/frontend/dist/assets/{history-ujQnmMC9.js.map → history-DDlN2Bwa.js.map} +1 -1
  338. package/ccw/frontend/dist/assets/{index-CxzXz6o1.js → index-B9A3Hnrk.js} +2 -2
  339. package/ccw/frontend/dist/assets/{index-CxzXz6o1.js.map → index-B9A3Hnrk.js.map} +1 -1
  340. package/ccw/frontend/dist/assets/{index-B76AGix5.js → index-Bs80iCX0.js} +2 -2
  341. package/ccw/frontend/dist/assets/{index-B76AGix5.js.map → index-Bs80iCX0.js.map} +1 -1
  342. package/ccw/frontend/dist/assets/{index-C_Yf5fZ4.js → index-mbeo62f8.js} +2 -2
  343. package/ccw/frontend/dist/assets/{index-C_Yf5fZ4.js.map → index-mbeo62f8.js.map} +1 -1
  344. package/ccw/frontend/dist/assets/{index-Dff4bg3u.js → index-rLgoBCfV.js} +3 -3
  345. package/ccw/frontend/dist/assets/{index-Dff4bg3u.js.map → index-rLgoBCfV.js.map} +1 -1
  346. package/ccw/frontend/dist/assets/{layout-grid-CBdE4K8h.js → layout-grid-C1niOWJx.js} +2 -2
  347. package/ccw/frontend/dist/assets/{layout-grid-CBdE4K8h.js.map → layout-grid-C1niOWJx.js.map} +1 -1
  348. package/ccw/frontend/dist/assets/{lightbulb-B9K6ZgRp.js → lightbulb-BTmI7SUg.js} +2 -2
  349. package/ccw/frontend/dist/assets/{lightbulb-B9K6ZgRp.js.map → lightbulb-BTmI7SUg.js.map} +1 -1
  350. package/ccw/frontend/dist/assets/{link-2-Oea4xHJl.js → link-2-CB9HKeuZ.js} +2 -2
  351. package/ccw/frontend/dist/assets/{link-2-Oea4xHJl.js.map → link-2-CB9HKeuZ.js.map} +1 -1
  352. package/ccw/frontend/dist/assets/{link-5yXdZBch.js → link-koEYiemK.js} +2 -2
  353. package/ccw/frontend/dist/assets/{link-5yXdZBch.js.map → link-koEYiemK.js.map} +1 -1
  354. package/ccw/frontend/dist/assets/{list-9lHhC_U_.js → list-v2_GaLdC.js} +2 -2
  355. package/ccw/frontend/dist/assets/{list-9lHhC_U_.js.map → list-v2_GaLdC.js.map} +1 -1
  356. package/ccw/frontend/dist/assets/{map-pin-B6Io5kmB.js → map-pin-BQNfAqG_.js} +2 -2
  357. package/ccw/frontend/dist/assets/{map-pin-B6Io5kmB.js.map → map-pin-BQNfAqG_.js.map} +1 -1
  358. package/ccw/frontend/dist/assets/{messages-square-BT000aD3.js → messages-square-Dzq5LGg9.js} +2 -2
  359. package/ccw/frontend/dist/assets/{messages-square-BT000aD3.js.map → messages-square-Dzq5LGg9.js.map} +1 -1
  360. package/ccw/frontend/dist/assets/{minimize-2-DO-zbT3a.js → minimize-2-CtkoJXcz.js} +2 -2
  361. package/ccw/frontend/dist/assets/{minimize-2-DO-zbT3a.js.map → minimize-2-CtkoJXcz.js.map} +1 -1
  362. package/ccw/frontend/dist/assets/{package-BjOw1ldU.js → package-CH3smL37.js} +2 -2
  363. package/ccw/frontend/dist/assets/{package-BjOw1ldU.js.map → package-CH3smL37.js.map} +1 -1
  364. package/ccw/frontend/dist/assets/{plug-9dAARpE1.js → plug-CZ0aL_yF.js} +2 -2
  365. package/ccw/frontend/dist/assets/{plug-9dAARpE1.js.map → plug-CZ0aL_yF.js.map} +1 -1
  366. package/ccw/frontend/dist/assets/{power-K2S39x7f.js → power-F2A_J4l6.js} +2 -2
  367. package/ccw/frontend/dist/assets/{power-K2S39x7f.js.map → power-F2A_J4l6.js.map} +1 -1
  368. package/ccw/frontend/dist/assets/{save-D9-CoT3x.js → save-Byxot0YU.js} +2 -2
  369. package/ccw/frontend/dist/assets/{save-D9-CoT3x.js.map → save-Byxot0YU.js.map} +1 -1
  370. package/ccw/frontend/dist/assets/{send-Bunw9NtC.js → send-JjqhUkpw.js} +2 -2
  371. package/ccw/frontend/dist/assets/{send-Bunw9NtC.js.map → send-JjqhUkpw.js.map} +1 -1
  372. package/ccw/frontend/dist/assets/{settings-2-osl4EXFf.js → settings-2--SuN9rAt.js} +2 -2
  373. package/ccw/frontend/dist/assets/{settings-2-osl4EXFf.js.map → settings-2--SuN9rAt.js.map} +1 -1
  374. package/ccw/frontend/dist/assets/{square-check-big-Dl5gYkjR.js → square-check-big-BbngGB2h.js} +2 -2
  375. package/ccw/frontend/dist/assets/{square-check-big-Dl5gYkjR.js.map → square-check-big-BbngGB2h.js.map} +1 -1
  376. package/ccw/frontend/dist/assets/{square-pen-Bue1chJR.js → square-pen-CgrHgZSl.js} +2 -2
  377. package/ccw/frontend/dist/assets/{square-pen-Bue1chJR.js.map → square-pen-CgrHgZSl.js.map} +1 -1
  378. package/ccw/frontend/dist/assets/{star-Bk7EC7FB.js → star-BU3TQr7Z.js} +2 -2
  379. package/ccw/frontend/dist/assets/{star-Bk7EC7FB.js.map → star-BU3TQr7Z.js.map} +1 -1
  380. package/ccw/frontend/dist/assets/{style-BbREPmRj.js → style-CKs7nnn3.js} +2 -2
  381. package/ccw/frontend/dist/assets/{style-BbREPmRj.js.map → style-CKs7nnn3.js.map} +1 -1
  382. package/ccw/frontend/dist/assets/{target-CElrCVhR.js → target-DW5tsDW6.js} +2 -2
  383. package/ccw/frontend/dist/assets/{target-CElrCVhR.js.map → target-DW5tsDW6.js.map} +1 -1
  384. package/ccw/frontend/dist/assets/{test-tube-wciJaoas.js → test-tube-BHm7w3ON.js} +2 -2
  385. package/ccw/frontend/dist/assets/{test-tube-wciJaoas.js.map → test-tube-BHm7w3ON.js.map} +1 -1
  386. package/ccw/frontend/dist/assets/{upload-BD1F07wG.js → upload-DYR7PWwt.js} +2 -2
  387. package/ccw/frontend/dist/assets/{upload-BD1F07wG.js.map → upload-DYR7PWwt.js.map} +1 -1
  388. package/ccw/frontend/dist/assets/{useApiSettings-D23HVEt8.js → useApiSettings-D0TVgQD_.js} +2 -2
  389. package/ccw/frontend/dist/assets/{useApiSettings-D23HVEt8.js.map → useApiSettings-D0TVgQD_.js.map} +1 -1
  390. package/ccw/frontend/dist/assets/{useCli-BGDd_lXD.js → useCli-DfY8mAP8.js} +2 -2
  391. package/ccw/frontend/dist/assets/{useCli-BGDd_lXD.js.map → useCli-DfY8mAP8.js.map} +1 -1
  392. package/ccw/frontend/dist/assets/{useCommands-B-m_HxPB.js → useCommands-CGusDp0F.js} +2 -2
  393. package/ccw/frontend/dist/assets/{useCommands-B-m_HxPB.js.map → useCommands-CGusDp0F.js.map} +1 -1
  394. package/ccw/frontend/dist/assets/{useDebounce-Z18-PHZr.js → useDebounce-CIwh0fF1.js} +2 -2
  395. package/ccw/frontend/dist/assets/{useDebounce-Z18-PHZr.js.map → useDebounce-CIwh0fF1.js.map} +1 -1
  396. package/ccw/frontend/dist/assets/{useFileExplorer-D4gPp-LB.js → useFileExplorer-FMyFv39K.js} +2 -2
  397. package/ccw/frontend/dist/assets/{useFileExplorer-D4gPp-LB.js.map → useFileExplorer-FMyFv39K.js.map} +1 -1
  398. package/ccw/frontend/dist/assets/{useLocale-DJ62jjFa.js → useLocale-B2qhsoTb.js} +2 -2
  399. package/ccw/frontend/dist/assets/{useLocale-DJ62jjFa.js.map → useLocale-B2qhsoTb.js.map} +1 -1
  400. package/ccw/frontend/dist/assets/{useSkills-B8NPs9__.js → useSkills-cxKXMBm3.js} +3 -3
  401. package/ccw/frontend/dist/assets/{useSkills-B8NPs9__.js.map → useSkills-cxKXMBm3.js.map} +1 -1
  402. package/ccw/frontend/dist/assets/{useSystemSettings-CVi7nKGJ.js → useSystemSettings-B-xUT_z-.js} +2 -2
  403. package/ccw/frontend/dist/assets/{useSystemSettings-CVi7nKGJ.js.map → useSystemSettings-B-xUT_z-.js.map} +1 -1
  404. package/ccw/frontend/dist/assets/{wand-sparkles-CLjPiU5w.js → wand-sparkles-DZV_3lPr.js} +2 -2
  405. package/ccw/frontend/dist/assets/{wand-sparkles-CLjPiU5w.js.map → wand-sparkles-DZV_3lPr.js.map} +1 -1
  406. package/ccw/frontend/dist/index.html +1 -1
  407. package/package.json +105 -105
  408. package/ccw/frontend/dist/assets/SettingsPage-BPDbXPSM.js.map +0 -1
package/.codex/skills/security-audit/phases/02-owasp-review.md ADDED
@@ -0,0 +1,232 @@
1
+ # Phase 2: OWASP Review
2
+
3
+ > **COMPACT PROTECTION**: This is a core execution phase. If context compression has occurred and this file is only a summary, **MUST `Read` this file again before executing any Step**. Do not execute from memory.
4
+
5
+ Systematic code-level review against OWASP Top 10 2021 categories using inline subagent analysis and targeted pattern scanning.
6
+
7
+ ## Objective
8
+
9
+ - Review codebase against all 10 OWASP Top 10 2021 categories
10
+ - Use inline subagent multi-model analysis for comprehensive coverage
11
+ - Produce structured findings with file:line references and remediation steps
12
+
13
+ ## Input
14
+
15
+ | Source | Required | Description |
16
+ |--------|----------|-------------|
17
+ | `~/.codex/skills/security-audit/specs/owasp-checklist.md` | Yes | Detection patterns per OWASP category |
18
+ | `.workflow/.security/supply-chain-report.json` | Yes | Phase 1 findings for dependency context |
19
+ | Project source files | Yes | `.ts`, `.js`, `.py`, `.go`, `.java` excluding deps/build |
20
+
21
+ ## Execution Steps
22
+
23
+ ### Step 1: Identify Target Scope
24
+
25
+ Discover source files, excluding generated and dependency directories.
26
+
27
+ **Decision Table**:
28
+
29
+ | Condition | Action |
30
+ |-----------|--------|
31
+ | Source files found | Proceed to Step 2 |
32
+ | No source files found | Report as BLOCKED with path note; do not proceed |
33
+ | Files > 500 | Prioritize routes/, auth/, api/, handlers/ first |
34
+
35
+ **Execution**:
36
+
37
+ ```bash
38
+ # Identify source directories (exclude deps, build, test fixtures)
39
+ # Focus on: API routes, auth modules, data access, input handlers
40
+ find . -type f \( -name '*.ts' -o -name '*.js' -o -name '*.py' -o -name '*.go' -o -name '*.java' \) \
41
+ ! -path '*/node_modules/*' ! -path '*/dist/*' ! -path '*/.git/*' \
42
+ ! -path '*/build/*' ! -path '*/__pycache__/*' ! -path '*/vendor/*' \
43
+ | head -200
44
+ ```
45
+
46
+ ---
47
+
48
+ ### Step 2: Inline Subagent OWASP Analysis
49
+
50
+ Spawn inline subagent using `cli-explore-agent` role to perform systematic OWASP analysis.
51
+
52
+ **Decision Table**:
53
+
54
+ | Condition | Action |
55
+ |-----------|--------|
56
+ | Subagent completes successfully | Integrate findings into Step 4 consolidation |
57
+ | Subagent times out | Continue with manual pattern scan (Step 3) only; log warning |
58
+ | Subagent errors | Continue with manual pattern scan only; log warning |
59
+
60
+ ```
61
+ spawn_agent({
62
+ task_name: "inline-owasp-analysis",
63
+ fork_context: false,
64
+ model: "haiku",
65
+ reasoning_effort: "medium",
66
+ message: `### MANDATORY FIRST STEPS
67
+ 1. Read: ~/.codex/agents/cli-explore-agent.md
68
+
69
+ Goal: OWASP Top 10 2021 security audit of this codebase.
70
+ Systematically check each OWASP category:
71
+ A01 Broken Access Control | A02 Cryptographic Failures | A03 Injection |
72
+ A04 Insecure Design | A05 Security Misconfiguration | A06 Vulnerable Components |
73
+ A07 Identification/Auth Failures | A08 Software/Data Integrity Failures |
74
+ A09 Security Logging/Monitoring Failures | A10 SSRF
75
+
76
+ TASK: For each OWASP category, scan relevant code patterns, identify vulnerabilities with file:line references, classify severity, provide remediation.
77
+
78
+ MODE: analysis
79
+
80
+ CONTEXT: @src/**/* @**/*.config.* @**/*.env.example
81
+
82
+ EXPECTED: JSON-structured findings per OWASP category with severity, file:line, evidence, remediation.
83
+
84
+ CONSTRAINTS: Code-level analysis only | Every finding must have file:line reference | Focus on real vulnerabilities not theoretical risks`
85
+ })
86
+ const result = wait_agent({ targets: ["inline-owasp-analysis"], timeout_ms: 300000 })
87
+ close_agent({ target: "inline-owasp-analysis" })
88
+ ```
89
+
90
+ ---
91
+
92
+ ### Step 3: Manual Pattern Scanning
93
+
94
+ Supplement inline subagent analysis with targeted grep patterns per OWASP category. Reference `~/.codex/skills/security-audit/specs/owasp-checklist.md` for full pattern list.
95
+
96
+ **A01 — Broken Access Control**:
97
+
98
+ ```bash
99
+ # Missing auth middleware on routes
100
+ grep -rn 'app\.\(get\|post\|put\|delete\|patch\)(' --include='*.ts' --include='*.js' . | grep -v 'auth\|middleware\|protect'
101
+ # Direct object references without ownership check
102
+ grep -rn 'params\.id\|req\.params\.' --include='*.ts' --include='*.js' . || true
103
+ ```
104
+
105
+ **A03 — Injection**:
106
+
107
+ ```bash
108
+ # SQL string concatenation
109
+ grep -rniE '(query|execute|raw)\s*\(\s*[`"'\'']\s*SELECT.*\+\s*|f".*SELECT.*{' --include='*.ts' --include='*.js' --include='*.py' . || true
110
+ # Command injection
111
+ grep -rniE '(exec|spawn|system|popen|subprocess)\s*\(' --include='*.ts' --include='*.js' --include='*.py' . || true
112
+ ```
113
+
114
+ **A05 — Security Misconfiguration**:
115
+
116
+ ```bash
117
+ # Debug mode enabled
118
+ grep -rniE '(DEBUG|debug)\s*[:=]\s*(true|True|1|"true")' --include='*.env' --include='*.py' --include='*.ts' --include='*.json' . || true
119
+ # CORS wildcard
120
+ grep -rniE "cors.*\*|Access-Control-Allow-Origin.*\*" --include='*.ts' --include='*.js' --include='*.py' . || true
121
+ ```
122
+
123
+ **A07 — Identification and Authentication Failures**:
124
+
125
+ ```bash
126
+ # Weak password patterns
127
+ grep -rniE 'password.*length.*[0-5][^0-9]|minlength.*[0-5][^0-9]' --include='*.ts' --include='*.js' --include='*.py' . || true
128
+ # Hardcoded credentials
129
+ grep -rniE '(password|passwd|pwd)\s*[:=]\s*["\x27][^"\x27]{3,}' --include='*.ts' --include='*.js' --include='*.py' --include='*.env' . || true
130
+ ```
131
+
132
+ ---
133
+
134
+ ### Step 4: Consolidate Findings
135
+
136
+ Merge inline subagent results and manual pattern scan results. Deduplicate and classify by OWASP category.
137
+
138
+ **Decision Table**:
139
+
140
+ | Condition | Action |
141
+ |-----------|--------|
142
+ | Same finding in both sources | Keep highest severity; merge evidence; note both sources |
143
+ | Finding lacks file:line reference | Attempt to resolve via grep; if not resolvable, mark evidence as "pattern match — no line ref" |
144
+ | Category has no findings | Set coverage to `checked` with 0 findings |
145
+ | Category not applicable to project stack | Set coverage to `not_applicable` with reason |
146
+
147
+ ---
148
+
149
+ ## OWASP Top 10 2021 Coverage
150
+
151
+ | ID | Category | Key Checks |
152
+ |----|----------|------------|
153
+ | A01 | Broken Access Control | Missing auth, IDOR, path traversal, CORS |
154
+ | A02 | Cryptographic Failures | Weak algorithms, plaintext storage, missing TLS |
155
+ | A03 | Injection | SQL, NoSQL, OS command, LDAP, XPath injection |
156
+ | A04 | Insecure Design | Missing threat modeling, insecure business logic |
157
+ | A05 | Security Misconfiguration | Debug enabled, default creds, verbose errors |
158
+ | A06 | Vulnerable and Outdated Components | Known CVEs in dependencies (from Phase 1) |
159
+ | A07 | Identification and Authentication Failures | Weak passwords, missing MFA, session issues |
160
+ | A08 | Software and Data Integrity Failures | Unsigned updates, insecure deserialization, CI/CD |
161
+ | A09 | Security Logging and Monitoring Failures | Missing audit logs, no alerting, insufficient logging |
162
+ | A10 | Server-Side Request Forgery (SSRF) | Unvalidated URLs, internal resource access |
163
+
164
+ ---
165
+
166
+ ## Output
167
+
168
+ | Artifact | Format | Description |
169
+ |----------|--------|-------------|
170
+ | `.workflow/.security/owasp-findings.json` | JSON | Findings per OWASP category with coverage map |
171
+
172
+ ```json
173
+ {
174
+ "phase": "owasp-review",
175
+ "timestamp": "ISO-8601",
176
+ "owasp_version": "2021",
177
+ "findings": [
178
+ {
179
+ "owasp_id": "A01",
180
+ "owasp_category": "Broken Access Control",
181
+ "severity": "critical|high|medium|low",
182
+ "title": "Finding title",
183
+ "description": "Detailed description",
184
+ "file": "path/to/file",
185
+ "line": 42,
186
+ "evidence": "code snippet or pattern match",
187
+ "remediation": "Specific fix recommendation",
188
+ "cwe": "CWE-XXX"
189
+ }
190
+ ],
191
+ "coverage": {
192
+ "A01": "checked|not_applicable",
193
+ "A02": "checked|not_applicable",
194
+ "A03": "checked|not_applicable",
195
+ "A04": "checked|not_applicable",
196
+ "A05": "checked|not_applicable",
197
+ "A06": "checked|not_applicable",
198
+ "A07": "checked|not_applicable",
199
+ "A08": "checked|not_applicable",
200
+ "A09": "checked|not_applicable",
201
+ "A10": "checked|not_applicable"
202
+ },
203
+ "summary": {
204
+ "total": 0,
205
+ "by_severity": { "critical": 0, "high": 0, "medium": 0, "low": 0 },
206
+ "categories_checked": 10,
207
+ "categories_with_findings": 0
208
+ }
209
+ }
210
+ ```
211
+
212
+ ## Success Criteria
213
+
214
+ | Criterion | Validation Method |
215
+ |-----------|-------------------|
216
+ | All 10 OWASP categories have coverage entry | JSON coverage map has all A01–A10 keys |
217
+ | All findings have owasp_id, severity, file, evidence, remediation | JSON schema check |
218
+ | `owasp-findings.json` written to `.workflow/.security/` | File exists and is valid JSON |
219
+ | Inline subagent result integrated (or skip logged) | Summary includes source note |
220
+
221
+ ## Error Handling
222
+
223
+ | Scenario | Resolution |
224
+ |----------|------------|
225
+ | Inline subagent timeout | Continue with manual grep results; log "inline-owasp-analysis timed out" in summary |
226
+ | OWASP checklist spec not found | Use built-in patterns from this file; note missing spec |
227
+ | No source files in scope | Report BLOCKED with path; set all categories to not_applicable |
228
+ | Grep produces no matches for a category | Set that category coverage to `checked` with 0 findings |
229
+
230
+ ## Next Phase
231
+
232
+ -> [Phase 3: Threat Modeling](03-threat-modeling.md)
package/.codex/skills/security-audit/phases/03-threat-modeling.md ADDED
@@ -0,0 +1,249 @@
1
+ # Phase 3: Threat Modeling
2
+
3
+ > **COMPACT PROTECTION**: This is a core execution phase. If context compression has occurred and this file is only a summary, **MUST `Read` this file again before executing any Step**. Do not execute from memory.
4
+
5
+ Map STRIDE threat categories to architecture components, identify trust boundaries, and assess attack surface.
6
+
7
+ ## Objective
8
+
9
+ - Apply the STRIDE threat model to the project architecture
10
+ - Identify trust boundaries between system components
11
+ - Assess attack surface area per component
12
+ - Cross-reference with Phase 1 and Phase 2 findings
13
+
14
+ ## Input
15
+
16
+ | Source | Required | Description |
17
+ |--------|----------|-------------|
18
+ | `.workflow/.security/supply-chain-report.json` | Yes | Phase 1 findings for dependency/CI context |
19
+ | `.workflow/.security/owasp-findings.json` | Yes | Phase 2 findings to cross-reference in STRIDE gaps |
20
+ | Project source files | Yes | Route handlers, data stores, external service clients, auth modules |
21
+
22
+ ## Execution Steps
23
+
24
+ ### Step 1: Architecture Component Discovery
25
+
26
+ Identify major system components by scanning project structure.
27
+
28
+ **Decision Table**:
29
+
30
+ | Component Pattern Found | component.type |
31
+ |------------------------|----------------|
32
+ | `app.get/post/put/delete/patch`, `router.`, `@app.route`, `@router.` | api_endpoint |
33
+ | `createConnection`, `mongoose.connect`, `sqlite`, `redis`, `S3`, `createClient` | data_store |
34
+ | `fetch`, `axios`, `http.request`, `requests.get/post`, `urllib` | external_service |
35
+ | `jwt`, `passport`, `session`, `oauth`, `bcrypt`, `argon2`, `crypto` | auth_module |
36
+ | `worker`, `subprocess`, `child_process`, `celery`, `queue` | worker |
37
+
38
+ **Execution**:
39
+
40
+ ```bash
41
+ # Identify entry points (API routes, CLI commands, event handlers)
42
+ grep -rlE '(app\.(get|post|put|delete|patch|use)|router\.|@app\.route|@router\.)' \
43
+ --include='*.ts' --include='*.js' --include='*.py' . || true
44
+
45
+ # Identify data stores (database connections, file storage)
46
+ grep -rlE '(createConnection|mongoose\.connect|sqlite|redis|S3|createClient)' \
47
+ --include='*.ts' --include='*.js' --include='*.py' . || true
48
+
49
+ # Identify external service integrations
50
+ grep -rlE '(fetch|axios|http\.request|requests\.(get|post)|urllib)' \
51
+ --include='*.ts' --include='*.js' --include='*.py' . || true
52
+
53
+ # Identify auth/session components
54
+ grep -rlE '(jwt|passport|session|oauth|bcrypt|argon2|crypto)' \
55
+ --include='*.ts' --include='*.js' --include='*.py' . || true
56
+ ```
57
+
58
+ ---
59
+
60
+ ### Step 2: Trust Boundary Identification
61
+
62
+ Map the 5 standard trust boundary types. For each boundary: document what data crosses it, how it is enforced, and what happens when enforcement fails.
63
+
64
+ **Trust Boundary Types**:
65
+
66
+ | Boundary | From | To | Key Data Crossing |
67
+ |----------|------|----|------------------|
68
+ | External boundary | User/browser | Application server | User input, credentials, session tokens |
69
+ | Service boundary | Application | External APIs/services | API keys, request bodies, response data |
70
+ | Data boundary | Application | Database/storage | Query parameters, credentials, PII |
71
+ | Internal boundary | Public routes | Authenticated/admin routes | Auth tokens, role claims |
72
+ | Process boundary | Main process | Worker/subprocess | Job parameters, environment variables |
73
+
74
+ For each boundary, document:
75
+ - What crosses the boundary (data types, credentials)
76
+ - How the boundary is enforced (middleware, TLS, auth)
77
+ - What happens when enforcement fails
78
+
79
+ ---
80
+
81
+ ### Step 3: STRIDE per Component
82
+
83
+ For each discovered component, evaluate all 6 STRIDE categories systematically.
84
+
85
+ **STRIDE Category Definitions**:
86
+
87
+ | Category | Threat | Key Question |
88
+ |----------|--------|-------------|
89
+ | S — Spoofing | Identity impersonation | Can an attacker pretend to be someone else? |
90
+ | T — Tampering | Data modification | Can data be modified in transit or at rest? |
91
+ | R — Repudiation | Deniable actions | Can a user deny performing an action? |
92
+ | I — Information Disclosure | Data leakage | Can sensitive data be exposed? |
93
+ | D — Denial of Service | Availability disruption | Can the system be made unavailable? |
94
+ | E — Elevation of Privilege | Unauthorized access | Can a user gain higher privileges? |
95
+
96
+ **Spoofing Analysis Checks**:
97
+ - Are authentication mechanisms in place at all entry points?
98
+ - Can API keys or tokens be forged or replayed?
99
+ - Are session tokens properly validated and rotated?
100
+
101
+ **Tampering Analysis Checks**:
102
+ - Is input validation applied before processing?
103
+ - Are database queries parameterized?
104
+ - Can request bodies or headers be manipulated to alter behavior?
105
+ - Are file uploads validated for type and content?
106
+
107
+ **Repudiation Analysis Checks**:
108
+ - Are user actions logged with sufficient detail (who, what, when)?
109
+ - Are logs tamper-proof or centralized?
110
+ - Can critical operations (payments, deletions) be traced to a user?
111
+
112
+ **Information Disclosure Analysis Checks**:
113
+ - Do error responses leak stack traces or internal paths?
114
+ - Are sensitive fields (passwords, tokens) excluded from logs and API responses?
115
+ - Is PII properly handled (encryption at rest, masking in logs)?
116
+ - Do debug endpoints or verbose modes expose internals?
117
+
118
+ **Denial of Service Analysis Checks**:
119
+ - Are rate limits applied to public endpoints?
120
+ - Can resource-intensive operations be triggered without limits?
121
+ - Are file upload sizes bounded?
122
+ - Are database queries bounded (pagination, timeouts)?
123
+
124
+ **Elevation of Privilege Analysis Checks**:
125
+ - Are role/permission checks applied consistently?
126
+ - Can horizontal privilege escalation occur (accessing other users' data)?
127
+ - Can vertical escalation occur (user -> admin)?
128
+ - Are admin/debug routes properly protected?
129
+
130
+ **Component Exposure Rating**:
131
+
132
+ | Rating | Criteria |
133
+ |--------|----------|
134
+ | High | Public-facing, handles sensitive data, complex logic |
135
+ | Medium | Authenticated access, moderate data sensitivity |
136
+ | Low | Internal only, no sensitive data, simple operations |
137
+
138
+ ---
139
+
140
+ ### Step 4: Attack Surface Assessment
141
+
142
+ Quantify the attack surface across the entire system.
143
+
144
+ **Attack Surface Components**:
145
+
146
+ ```
147
+ Attack Surface = Sum of:
148
+ - Number of public API endpoints
149
+ - Number of external service integrations
150
+ - Number of user-controllable input points
151
+ - Number of privileged operations
152
+ - Number of data stores with sensitive content
153
+ ```
154
+
155
+ **Decision Table — Attack Surface Rating**:
156
+
157
+ | Total Score | Interpretation |
158
+ |-------------|---------------|
159
+ | 0–5 | Low attack surface |
160
+ | 6–15 | Moderate attack surface |
161
+ | 16–30 | High attack surface |
162
+ | > 30 | Very high attack surface — prioritize hardening |
163
+
164
+ Cross-reference Phase 1 and Phase 2 findings when populating `gaps` arrays for each STRIDE category. A finding in Phase 2 (e.g., A03 injection) maps to STRIDE T (Tampering) for the relevant component.
165
+
166
+ ---
167
+
168
+ ## Output
169
+
170
+ | Artifact | Format | Description |
171
+ |----------|--------|-------------|
172
+ | `.workflow/.security/threat-model.json` | JSON | STRIDE model with components, trust boundaries, attack surface |
173
+
174
+ ```json
175
+ {
176
+ "phase": "threat-modeling",
177
+ "timestamp": "ISO-8601",
178
+ "framework": "STRIDE",
179
+ "components": [
180
+ {
181
+ "name": "Component name",
182
+ "type": "api_endpoint|data_store|external_service|auth_module|worker",
183
+ "files": ["path/to/file.ts"],
184
+ "exposure": "high|medium|low",
185
+ "trust_boundaries": ["external", "data"],
186
+ "threats": {
187
+ "spoofing": {
188
+ "applicable": true,
189
+ "findings": ["Description of threat"],
190
+ "mitigations": ["Existing mitigation"],
191
+ "gaps": ["Missing mitigation"]
192
+ },
193
+ "tampering": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
194
+ "repudiation": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
195
+ "information_disclosure": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
196
+ "denial_of_service": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
197
+ "elevation_of_privilege": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] }
198
+ }
199
+ }
200
+ ],
201
+ "trust_boundaries": [
202
+ {
203
+ "name": "Boundary name",
204
+ "from": "Component A",
205
+ "to": "Component B",
206
+ "enforcement": "TLS|auth_middleware|API_key",
207
+ "data_crossing": ["request bodies", "credentials"],
208
+ "risk_level": "high|medium|low"
209
+ }
210
+ ],
211
+ "attack_surface": {
212
+ "public_endpoints": 0,
213
+ "external_integrations": 0,
214
+ "input_points": 0,
215
+ "privileged_operations": 0,
216
+ "sensitive_data_stores": 0,
217
+ "total_score": 0
218
+ },
219
+ "summary": {
220
+ "components_analyzed": 0,
221
+ "threats_identified": 0,
222
+ "by_stride": { "S": 0, "T": 0, "R": 0, "I": 0, "D": 0, "E": 0 },
223
+ "high_exposure_components": 0
224
+ }
225
+ }
226
+ ```
227
+
228
+ ## Success Criteria
229
+
230
+ | Criterion | Validation Method |
231
+ |-----------|-------------------|
232
+ | At least one component analyzed | `components` array has at least 1 entry |
233
+ | All 6 STRIDE categories evaluated per component | Each component.threats has all 6 keys |
234
+ | Trust boundaries mapped | `trust_boundaries` array populated |
235
+ | Attack surface quantified | `attack_surface.total_score` calculated |
236
+ | `threat-model.json` written to `.workflow/.security/` | File exists and is valid JSON |
237
+
238
+ ## Error Handling
239
+
240
+ | Scenario | Resolution |
241
+ |----------|------------|
242
+ | No components discovered via grep | Analyze project structure manually (README, package.json); note uncertainty |
243
+ | Phase 2 findings not available for cross-reference | Proceed with grep-only; note missing OWASP context |
244
+ | Ambiguous architecture (monolith vs microservices) | Document assumption in summary; note for user review |
245
+ | No `.github/workflows/` for CI boundary | Mark process boundary as not_applicable |
246
+
247
+ ## Next Phase
248
+
249
+ -> [Phase 4: Report & Tracking](04-report-tracking.md)