claude-code-workflow 7.2.27 → 7.2.28

package/.claude/skills/investigate/specs/iron-law.md

@@ -0,0 +1,101 @@
+# Iron Law of Debugging
+
+The Iron Law defines the non-negotiable rules that govern every investigation performed by this skill. These rules exist to prevent symptom-fixing and ensure durable, evidence-based solutions.
+
+## When to Use
+
+| Phase | Usage | Section |
+|-------|-------|---------|
+| Phase 3 | Hypothesis must produce confirmed root cause before proceeding | Rule 1 |
+| Phase 1 | Reproduction must produce observable evidence | Rule 2 |
+| Phase 4 | Fix scope must be minimal | Rule 3 |
+| Phase 4 | Regression test is mandatory | Rule 4 |
+| Phase 3 | 3 consecutive unproductive hypothesis failures trigger escalation | Rule 5 |
+
+---
+
+## Rules
+
+### Rule 1: Never Fix Without Confirmed Root Cause
+
+**Statement**: No code modification is permitted until a root cause has been confirmed through hypothesis testing with concrete evidence.
+
+**Enforcement**: Phase 4 begins with an Iron Law gate check. If `confirmed_root_cause` is absent from the investigation report, Phase 4 is blocked.
+
+**Rationale**: Fixing symptoms without understanding the cause leads to:
+- Incomplete fixes that break under different conditions
+- Masking of deeper issues
+- Wasted investigation time when the bug recurs
+
+### Rule 2: Evidence Must Be Reproducible
+
+**Statement**: The bug must be reproducible through documented steps, or if not reproducible, the evidence must be sufficient to identify the root cause through static analysis.
+
+**Enforcement**: Phase 1 documents reproduction steps and evidence. If reproduction fails, this is flagged as a concern but does not block investigation if sufficient static evidence exists.
+
+**Acceptable evidence types**:
+- Failing test case
+- Error message with stack trace
+- Log output showing the failure
+- Code path analysis showing the defect condition
+
+### Rule 3: Fix Must Be Minimal
+
+**Statement**: The fix must change only what is necessary to address the confirmed root cause. No refactoring, no feature additions, no style changes to unrelated code.
+
+**Enforcement**: Phase 4 requires a fix plan before implementation. Changes exceeding 3 files require written justification.
+
+**What counts as minimal**:
+- Adding a missing null check
+- Fixing an incorrect condition
+- Correcting a wrong variable reference
+- Adding a missing import or dependency
+
+**What is NOT minimal**:
+- Refactoring the function "while we're here"
+- Renaming variables for clarity
+- Adding error handling to unrelated code paths
+- Reformatting surrounding code
+
+### Rule 4: Regression Test Required
+
+**Statement**: Every fix must include a test that:
+1. Fails when the fix is reverted (proves it tests the bug)
+2. Passes when the fix is applied (proves the fix works)
+
+**Enforcement**: Phase 4 requires a regression test before the phase is marked complete.
+
+**Test requirements**:
+- Test name clearly references the bug scenario
+- Test exercises the exact code path of the root cause
+- Test is deterministic (no timing dependencies, no external services)
+- Test is placed in the appropriate test file for the affected module
+
+### Rule 5: 3-Strike Escalation on Hypothesis Failure
+
+**Statement**: If 3 consecutive hypothesis tests produce no actionable insight, the investigation must STOP and escalate with a full diagnostic dump.
+
+**Enforcement**: Phase 3 tracks a strike counter. On the 3rd consecutive unproductive failure, execution halts and outputs the escalation block.
+
+**What counts as a strike**:
+- Hypothesis rejected AND no new insight gained
+- Test was inconclusive AND no narrowing of search space
+
+**What does NOT count as a strike**:
+- Hypothesis rejected BUT new evidence narrows the search
+- Hypothesis rejected BUT reveals a different potential cause
+- Test inconclusive BUT identifies a new area to investigate
+
+**Post-escalation**: Status set to BLOCKED. No further automated investigation. Preserve all intermediate outputs for human review.
+
+---
+
+## Validation Checklist
+
+Before completing any investigation, verify:
+
+- [ ] Rule 1: Root cause confirmed before any fix was applied
+- [ ] Rule 2: Bug reproduction documented (or static evidence justified)
+- [ ] Rule 3: Fix changes only necessary code (file count, line count documented)
+- [ ] Rule 4: Regression test exists and passes
+- [ ] Rule 5: No more than 3 consecutive unproductive hypothesis tests (or escalation triggered)

package/.claude/skills/security-audit/SKILL.md

@@ -0,0 +1,125 @@
+---
+name: security-audit
+description: OWASP Top 10 and STRIDE security auditing with supply chain analysis. Triggers on "security audit", "security scan", "cso".
+allowed-tools: Read, Write, Bash, Glob, Grep
+---
+
+# Security Audit
+
+4-phase security audit covering supply chain risks, OWASP Top 10 code review, STRIDE threat modeling, and trend-tracked reporting. Produces structured JSON findings in `.workflow/.security/`.
+
+## Architecture Overview
+
+```
++-------------------------------------------------------------------+
+|  Phase 1: Supply Chain Scan                                       |
+|  -> Dependency audit, secrets detection, CI/CD review, LLM risks  |
+|  -> Output: supply-chain-report.json                              |
++-----------------------------------+-------------------------------+
+                                    |
++-----------------------------------v-------------------------------+
+|  Phase 2: OWASP Review                                           |
+|  -> OWASP Top 10 2021 code-level analysis via ccw cli            |
+|  -> Output: owasp-findings.json                                  |
++-----------------------------------+-------------------------------+
+                                    |
++-----------------------------------v-------------------------------+
+|  Phase 3: Threat Modeling (STRIDE)                                |
+|  -> 6 threat categories mapped to architecture components         |
+|  -> Output: threat-model.json                                    |
++-----------------------------------+-------------------------------+
+                                    |
++-----------------------------------v-------------------------------+
+|  Phase 4: Report & Tracking                                      |
+|  -> Score calculation, trend comparison, dated report             |
+|  -> Output: .workflow/.security/audit-report-{date}.json         |
++-------------------------------------------------------------------+
+```
+
+## Key Design Principles
+
+1. **Infrastructure-first**: Phase 1 catches low-hanging fruit (leaked secrets, vulnerable deps) before deeper analysis
+2. **Standards-based**: OWASP Top 10 2021 and STRIDE provide systematic coverage
+3. **Scoring gates**: Daily quick-scan must score 8/10; comprehensive audit minimum 2/10 for initial baseline
+4. **Trend tracking**: Each audit compares against prior results in `.workflow/.security/`
+
+## Execution Flow
+
+### Quick-Scan Mode (daily)
+
+Run Phase 1 only. Must score >= 8/10 to pass.
+
+### Comprehensive Mode (full audit)
+
+Run all 4 phases sequentially. Initial baseline minimum 2/10.
+
+### Phase Sequence
+
+1. **Phase 1: Supply Chain Scan** -- [phases/01-supply-chain-scan.md](phases/01-supply-chain-scan.md)
+   - Dependency audit (npm audit / pip-audit / safety check)
+   - Secrets detection (API keys, tokens, passwords in source)
+   - CI/CD config review (injection risks in workflow YAML)
+   - LLM/AI prompt injection check
+2. **Phase 2: OWASP Review** -- [phases/02-owasp-review.md](phases/02-owasp-review.md)
+   - Systematic OWASP Top 10 2021 code review
+   - Uses `ccw cli --tool gemini --mode analysis --rule analysis-assess-security-risks`
+3. **Phase 3: Threat Modeling** -- [phases/03-threat-modeling.md](phases/03-threat-modeling.md)
+   - STRIDE threat model mapped to architecture components
+   - Trust boundary identification and attack surface assessment
+4. **Phase 4: Report & Tracking** -- [phases/04-report-tracking.md](phases/04-report-tracking.md)
+   - Score calculation with severity weights
+   - Trend comparison with previous audits
+   - Date-stamped report to `.workflow/.security/`
+
+## Scoring Overview
+
+See [specs/scoring-gates.md](specs/scoring-gates.md) for full specification.
+
+| Severity | Weight | Example |
+|----------|--------|---------|
+| Critical | 10 | RCE, SQL injection, leaked credentials |
+| High | 7 | Broken auth, SSRF, privilege escalation |
+| Medium | 4 | XSS, CSRF, verbose error messages |
+| Low | 1 | Missing headers, informational disclosures |
+
+**Gates**: Daily quick-scan >= 8/10, Comprehensive initial >= 2/10.
+
+## Directory Setup
+
+```bash
+mkdir -p .workflow/.security
+WORK_DIR=".workflow/.security"
+```
+
+## Output Structure
+
+```
+.workflow/.security/
+  audit-report-{YYYY-MM-DD}.json    # Dated audit report
+  supply-chain-report.json           # Latest supply chain scan
+  owasp-findings.json                # Latest OWASP findings
+  threat-model.json                  # Latest STRIDE threat model
+```
+
+## Reference Documents
+
+| Document | Purpose |
+|----------|---------|
+| [phases/01-supply-chain-scan.md](phases/01-supply-chain-scan.md) | Dependency, secrets, CI/CD, LLM risk scan |
+| [phases/02-owasp-review.md](phases/02-owasp-review.md) | OWASP Top 10 2021 code review |
+| [phases/03-threat-modeling.md](phases/03-threat-modeling.md) | STRIDE threat modeling |
+| [phases/04-report-tracking.md](phases/04-report-tracking.md) | Report generation and trend tracking |
+| [specs/scoring-gates.md](specs/scoring-gates.md) | Scoring system and quality gates |
+| [specs/owasp-checklist.md](specs/owasp-checklist.md) | OWASP Top 10 detection patterns |
+
+## Completion Status Protocol
+
+This skill follows the Completion Status Protocol defined in `_shared/SKILL-DESIGN-SPEC.md` sections 13-14.
+
+Possible termination statuses:
+- **DONE**: All phases completed, score calculated, report generated
+- **DONE_WITH_CONCERNS**: Audit completed but findings exceed acceptable thresholds
+- **BLOCKED**: Required tools unavailable (e.g., npm/pip not installed), permission denied
+- **NEEDS_CONTEXT**: Ambiguous project scope, unclear trust boundaries
+
+Escalation follows the Three-Strike Rule (section 14) per step.

package/.claude/skills/security-audit/phases/01-supply-chain-scan.md

@@ -0,0 +1,139 @@
+# Phase 1: Supply Chain Scan
+
+Detect low-hanging security risks in dependencies, secrets, CI/CD pipelines, and LLM/AI integrations.
+
+## Objective
+
+- Audit third-party dependencies for known vulnerabilities
+- Scan source code for leaked secrets and credentials
+- Review CI/CD configuration for injection risks
+- Check for LLM/AI prompt injection vulnerabilities
+
+## Execution Steps
+
+### Step 1: Dependency Audit
+
+Detect package manager and run appropriate audit tool.
+
+```bash
+# Node.js projects
+if [ -f package-lock.json ] || [ -f yarn.lock ]; then
+  npm audit --json > "${WORK_DIR}/npm-audit-raw.json" 2>&1 || true
+fi
+
+# Python projects
+if [ -f requirements.txt ] || [ -f pyproject.toml ]; then
+  pip-audit --format json --output "${WORK_DIR}/pip-audit-raw.json" 2>&1 || true
+  # Fallback: safety check
+  safety check --json > "${WORK_DIR}/safety-raw.json" 2>&1 || true
+fi
+
+# Go projects
+if [ -f go.sum ]; then
+  govulncheck ./... 2>&1 | tee "${WORK_DIR}/govulncheck-raw.txt" || true
+fi
+```
+
+If audit tools are not installed, log as INFO finding and continue.
+
+### Step 2: Secrets Detection
+
+Scan source files for hardcoded secrets using regex patterns.
+
+```bash
+# High-confidence patterns (case-insensitive)
+grep -rniE \
+  '(api[_-]?key|api[_-]?secret|access[_-]?token|auth[_-]?token|secret[_-]?key)\s*[:=]\s*["\x27][A-Za-z0-9+/=_-]{16,}' \
+  --include='*.ts' --include='*.js' --include='*.py' --include='*.go' \
+  --include='*.java' --include='*.rb' --include='*.env' --include='*.yml' \
+  --include='*.yaml' --include='*.json' --include='*.toml' --include='*.cfg' \
+  . || true
+
+# AWS patterns
+grep -rniE '(AKIA[0-9A-Z]{16}|aws[_-]?secret[_-]?access[_-]?key)' . || true
+
+# Private keys
+grep -rniE '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' . || true
+
+# Connection strings with passwords
+grep -rniE '(mongodb|postgres|mysql|redis)://[^:]+:[^@]+@' . || true
+
+# JWT tokens (hardcoded)
+grep -rniE 'eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}' . || true
+```
+
+Exclude: `node_modules/`, `.git/`, `dist/`, `build/`, `__pycache__/`, `*.lock`, `*.min.js`.
+
+### Step 3: CI/CD Config Review
+
+Check GitHub Actions and other CI/CD configs for injection risks.
+
+```bash
+# Find workflow files
+find .github/workflows -name '*.yml' -o -name '*.yaml' 2>/dev/null
+
+# Check for expression injection in run: blocks
+# Dangerous: ${{ github.event.pull_request.title }} in run:
+grep -rn '\${{.*github\.event\.' .github/workflows/ 2>/dev/null || true
+
+# Check for pull_request_target with checkout of PR code
+grep -rn 'pull_request_target' .github/workflows/ 2>/dev/null || true
+
+# Check for use of deprecated/vulnerable actions
+grep -rn 'actions/checkout@v1\|actions/checkout@v2' .github/workflows/ 2>/dev/null || true
+
+# Check for secrets passed to untrusted contexts
+grep -rn 'secrets\.' .github/workflows/ 2>/dev/null || true
+```
+
+### Step 4: LLM/AI Prompt Injection Check
+
+Scan for patterns indicating prompt injection risk in LLM integrations.
+
+```bash
+# User input concatenated directly into prompts
+grep -rniE '(prompt|system_message|messages)\s*[+=].*\b(user_input|request\.(body|query|params)|req\.)' \
+  --include='*.ts' --include='*.js' --include='*.py' . || true
+
+# Template strings with user data in LLM calls
+grep -rniE '(openai|anthropic|llm|chat|completion)\.' \
+  --include='*.ts' --include='*.js' --include='*.py' . || true
+
+# Check for missing input sanitization before LLM calls
+grep -rniE 'f".*{.*}.*".*\.(chat|complete|generate)' \
+  --include='*.py' . || true
+```
+
+## Output
+
+- **File**: `supply-chain-report.json`
+- **Location**: `${WORK_DIR}/supply-chain-report.json`
+- **Format**: JSON
+
+```json
+{
+  "phase": "supply-chain-scan",
+  "timestamp": "ISO-8601",
+  "findings": [
+    {
+      "category": "dependency|secret|cicd|llm",
+      "severity": "critical|high|medium|low",
+      "title": "Finding title",
+      "description": "Detailed description",
+      "file": "path/to/file",
+      "line": 42,
+      "evidence": "matched text or context",
+      "remediation": "How to fix"
+    }
+  ],
+  "summary": {
+    "total": 0,
+    "by_severity": { "critical": 0, "high": 0, "medium": 0, "low": 0 },
+    "by_category": { "dependency": 0, "secret": 0, "cicd": 0, "llm": 0 }
+  }
+}
+```
+
+## Next Phase
+
+Proceed to [Phase 2: OWASP Review](02-owasp-review.md) with supply chain findings as context.

package/.claude/skills/security-audit/phases/02-owasp-review.md

@@ -0,0 +1,156 @@
+# Phase 2: OWASP Review
+
+Systematic code-level review against OWASP Top 10 2021 categories.
+
+## Objective
+
+- Review codebase against all 10 OWASP Top 10 2021 categories
+- Use CCW CLI multi-model analysis for comprehensive coverage
+- Produce structured findings with file:line references and remediation steps
+
+## Prerequisites
+
+- Phase 1 supply-chain-report.json (provides dependency context)
+- Read [specs/owasp-checklist.md](../specs/owasp-checklist.md) for detection patterns
+
+## Execution Steps
+
+### Step 1: Identify Target Scope
+
+```bash
+# Identify source directories (exclude deps, build, test fixtures)
+# Focus on: API routes, auth modules, data access, input handlers
+find . -type f \( -name '*.ts' -o -name '*.js' -o -name '*.py' -o -name '*.go' -o -name '*.java' \) \
+  ! -path '*/node_modules/*' ! -path '*/dist/*' ! -path '*/.git/*' \
+  ! -path '*/build/*' ! -path '*/__pycache__/*' ! -path '*/vendor/*' \
+  | head -200
+```
+
+### Step 2: CCW CLI Analysis
+
+Run multi-model security analysis using the security risks rule template.
+
+```bash
+ccw cli -p "PURPOSE: OWASP Top 10 2021 security audit of this codebase.
+Systematically check each OWASP category:
+A01 Broken Access Control | A02 Cryptographic Failures | A03 Injection |
+A04 Insecure Design | A05 Security Misconfiguration | A06 Vulnerable Components |
+A07 Identification/Auth Failures | A08 Software/Data Integrity Failures |
+A09 Security Logging/Monitoring Failures | A10 SSRF
+
+TASK: For each OWASP category, scan relevant code patterns, identify vulnerabilities with file:line references, classify severity, provide remediation.
+
+MODE: analysis
+
+CONTEXT: @src/**/* @**/*.config.* @**/*.env.example
+
+EXPECTED: JSON-structured findings per OWASP category with severity, file:line, evidence, remediation.
+
+CONSTRAINTS: Code-level analysis only | Every finding must have file:line reference | Focus on real vulnerabilities not theoretical risks
+" --tool gemini --mode analysis --rule analysis-assess-security-risks
+```
+
+### Step 3: Manual Pattern Scanning
+
+Supplement CLI analysis with targeted pattern scans per OWASP category. Reference [specs/owasp-checklist.md](../specs/owasp-checklist.md) for full pattern list.
+
+**A01 - Broken Access Control**:
+```bash
+# Missing auth middleware on routes
+grep -rn 'app\.\(get\|post\|put\|delete\|patch\)(' --include='*.ts' --include='*.js' . | grep -v 'auth\|middleware\|protect'
+# Direct object references without ownership check
+grep -rn 'params\.id\|req\.params\.' --include='*.ts' --include='*.js' . || true
+```
+
+**A03 - Injection**:
+```bash
+# SQL string concatenation
+grep -rniE '(query|execute|raw)\s*\(\s*[`"'\'']\s*SELECT.*\+\s*|f".*SELECT.*{' --include='*.ts' --include='*.js' --include='*.py' . || true
+# Command injection
+grep -rniE '(exec|spawn|system|popen|subprocess)\s*\(' --include='*.ts' --include='*.js' --include='*.py' . || true
+```
+
+**A05 - Security Misconfiguration**:
+```bash
+# Debug mode enabled
+grep -rniE '(DEBUG|debug)\s*[:=]\s*(true|True|1|"true")' --include='*.env' --include='*.py' --include='*.ts' --include='*.json' . || true
+# CORS wildcard
+grep -rniE "cors.*\*|Access-Control-Allow-Origin.*\*" --include='*.ts' --include='*.js' --include='*.py' . || true
+```
+
+**A07 - Identification and Authentication Failures**:
+```bash
+# Weak password patterns
+grep -rniE 'password.*length.*[0-5][^0-9]|minlength.*[0-5][^0-9]' --include='*.ts' --include='*.js' --include='*.py' . || true
+# Hardcoded credentials
+grep -rniE '(password|passwd|pwd)\s*[:=]\s*["\x27][^"\x27]{3,}' --include='*.ts' --include='*.js' --include='*.py' --include='*.env' . || true
+```
+
+### Step 4: Consolidate Findings
+
+Merge CLI analysis results and manual pattern scan results. Deduplicate and classify by OWASP category.
+
+## OWASP Top 10 2021 Categories
+
+| ID | Category | Key Checks |
+|----|----------|------------|
+| A01 | Broken Access Control | Missing auth, IDOR, path traversal, CORS |
+| A02 | Cryptographic Failures | Weak algorithms, plaintext storage, missing TLS |
+| A03 | Injection | SQL, NoSQL, OS command, LDAP, XPath injection |
+| A04 | Insecure Design | Missing threat modeling, insecure business logic |
+| A05 | Security Misconfiguration | Debug enabled, default creds, verbose errors |
+| A06 | Vulnerable and Outdated Components | Known CVEs in dependencies (from Phase 1) |
+| A07 | Identification and Authentication Failures | Weak passwords, missing MFA, session issues |
+| A08 | Software and Data Integrity Failures | Unsigned updates, insecure deserialization, CI/CD |
+| A09 | Security Logging and Monitoring Failures | Missing audit logs, no alerting, insufficient logging |
+| A10 | Server-Side Request Forgery (SSRF) | Unvalidated URLs, internal resource access |
+
+## Output
+
+- **File**: `owasp-findings.json`
+- **Location**: `${WORK_DIR}/owasp-findings.json`
+- **Format**: JSON
+
+```json
+{
+  "phase": "owasp-review",
+  "timestamp": "ISO-8601",
+  "owasp_version": "2021",
+  "findings": [
+    {
+      "owasp_id": "A01",
+      "owasp_category": "Broken Access Control",
+      "severity": "critical|high|medium|low",
+      "title": "Finding title",
+      "description": "Detailed description",
+      "file": "path/to/file",
+      "line": 42,
+      "evidence": "code snippet or pattern match",
+      "remediation": "Specific fix recommendation",
+      "cwe": "CWE-XXX"
+    }
+  ],
+  "coverage": {
+    "A01": "checked|not_applicable",
+    "A02": "checked|not_applicable",
+    "A03": "checked|not_applicable",
+    "A04": "checked|not_applicable",
+    "A05": "checked|not_applicable",
+    "A06": "checked|not_applicable",
+    "A07": "checked|not_applicable",
+    "A08": "checked|not_applicable",
+    "A09": "checked|not_applicable",
+    "A10": "checked|not_applicable"
+  },
+  "summary": {
+    "total": 0,
+    "by_severity": { "critical": 0, "high": 0, "medium": 0, "low": 0 },
+    "categories_checked": 10,
+    "categories_with_findings": 0
+  }
+}
+```
+
+## Next Phase
+
+Proceed to [Phase 3: Threat Modeling](03-threat-modeling.md) with OWASP findings as input for STRIDE analysis.