claude-code-workflow 7.2.27 → 7.2.28
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.ccw/specs/architecture-constraints.md +5 -0
- package/.claude/skills/_shared/SKILL-DESIGN-SPEC.md +140 -0
- package/.claude/skills/investigate/SKILL.md +110 -0
- package/.claude/skills/investigate/phases/01-root-cause-investigation.md +132 -0
- package/.claude/skills/investigate/phases/02-pattern-analysis.md +126 -0
- package/.claude/skills/investigate/phases/03-hypothesis-testing.md +177 -0
- package/.claude/skills/investigate/phases/04-implementation.md +139 -0
- package/.claude/skills/investigate/phases/05-verification-report.md +153 -0
- package/.claude/skills/investigate/specs/debug-report-format.md +226 -0
- package/.claude/skills/investigate/specs/iron-law.md +101 -0
- package/.claude/skills/security-audit/SKILL.md +125 -0
- package/.claude/skills/security-audit/phases/01-supply-chain-scan.md +139 -0
- package/.claude/skills/security-audit/phases/02-owasp-review.md +156 -0
- package/.claude/skills/security-audit/phases/03-threat-modeling.md +180 -0
- package/.claude/skills/security-audit/phases/04-report-tracking.md +177 -0
- package/.claude/skills/security-audit/specs/owasp-checklist.md +442 -0
- package/.claude/skills/security-audit/specs/scoring-gates.md +141 -0
- package/.claude/skills/ship/SKILL.md +105 -0
- package/.claude/skills/ship/phases/01-preflight-checks.md +121 -0
- package/.claude/skills/ship/phases/02-code-review.md +137 -0
- package/.claude/skills/ship/phases/03-version-bump.md +171 -0
- package/.claude/skills/ship/phases/04-changelog-commit.md +167 -0
- package/.claude/skills/ship/phases/05-pr-creation.md +163 -0
- package/.claude/skills/skill-generator/templates/sequential-phase.md +10 -0
- package/.claude/skills/skill-generator/templates/skill-md.md +4 -0
- package/.claude/skills/team-interactive-craft/SKILL.md +127 -0
- package/.claude/skills/team-interactive-craft/roles/a11y-tester/role.md +159 -0
- package/.claude/skills/team-interactive-craft/roles/builder/role.md +216 -0
- package/.claude/skills/team-interactive-craft/roles/coordinator/commands/analyze.md +71 -0
- package/.claude/skills/team-interactive-craft/roles/coordinator/commands/dispatch.md +192 -0
- package/.claude/skills/team-interactive-craft/roles/coordinator/commands/monitor.md +183 -0
- package/.claude/skills/team-interactive-craft/roles/coordinator/role.md +166 -0
- package/.claude/skills/team-interactive-craft/roles/interaction-designer/role.md +144 -0
- package/.claude/skills/team-interactive-craft/roles/researcher/role.md +131 -0
- package/.claude/skills/team-interactive-craft/specs/interaction-patterns.md +362 -0
- package/.claude/skills/team-interactive-craft/specs/pipelines.md +85 -0
- package/.claude/skills/team-interactive-craft/specs/team-config.json +105 -0
- package/.claude/skills/team-interactive-craft/specs/vanilla-constraints.md +83 -0
- package/.claude/skills/team-motion-design/SKILL.md +129 -0
- package/.claude/skills/team-motion-design/roles/animator/role.md +194 -0
- package/.claude/skills/team-motion-design/roles/choreographer/role.md +164 -0
- package/.claude/skills/team-motion-design/roles/coordinator/commands/analyze.md +64 -0
- package/.claude/skills/team-motion-design/roles/coordinator/commands/dispatch.md +203 -0
- package/.claude/skills/team-motion-design/roles/coordinator/commands/monitor.md +184 -0
- package/.claude/skills/team-motion-design/roles/coordinator/role.md +167 -0
- package/.claude/skills/team-motion-design/roles/motion-researcher/role.md +115 -0
- package/.claude/skills/team-motion-design/roles/motion-tester/role.md +175 -0
- package/.claude/skills/team-motion-design/specs/gpu-constraints.md +114 -0
- package/.claude/skills/team-motion-design/specs/motion-tokens.md +128 -0
- package/.claude/skills/team-motion-design/specs/pipelines.md +74 -0
- package/.claude/skills/team-motion-design/specs/reduced-motion.md +129 -0
- package/.claude/skills/team-motion-design/specs/team-config.json +99 -0
- package/.claude/skills/team-ui-polish/SKILL.md +127 -0
- package/.claude/skills/team-ui-polish/roles/coordinator/commands/analyze.md +77 -0
- package/.claude/skills/team-ui-polish/roles/coordinator/commands/dispatch.md +194 -0
- package/.claude/skills/team-ui-polish/roles/coordinator/commands/monitor.md +180 -0
- package/.claude/skills/team-ui-polish/roles/coordinator/role.md +170 -0
- package/.claude/skills/team-ui-polish/roles/diagnostician/role.md +160 -0
- package/.claude/skills/team-ui-polish/roles/optimizer/role.md +225 -0
- package/.claude/skills/team-ui-polish/roles/scanner/role.md +356 -0
- package/.claude/skills/team-ui-polish/roles/verifier/role.md +142 -0
- package/.claude/skills/team-ui-polish/specs/anti-patterns.md +141 -0
- package/.claude/skills/team-ui-polish/specs/design-standards.md +356 -0
- package/.claude/skills/team-ui-polish/specs/fix-strategies.md +235 -0
- package/.claude/skills/team-ui-polish/specs/pipelines.md +81 -0
- package/.claude/skills/team-ui-polish/specs/scoring-guide.md +162 -0
- package/.claude/skills/team-ui-polish/specs/team-config.json +73 -0
- package/.claude/skills/team-uidesign/SKILL.md +6 -1
- package/.claude/skills/team-uidesign/roles/designer/role.md +28 -4
- package/.claude/skills/team-uidesign/roles/implementer/role.md +25 -3
- package/.claude/skills/team-uidesign/roles/researcher/role.md +21 -2
- package/.claude/skills/team-uidesign/roles/reviewer/role.md +19 -17
- package/.claude/skills/team-uidesign/specs/anti-patterns.md +211 -0
- package/.claude/skills/team-uidesign/specs/design-standards.md +329 -0
- package/.claude/skills/team-uidesign/specs/scoring-guide.md +114 -0
- package/.claude/skills/team-uidesign/specs/team-config.json +1 -1
- package/.claude/skills/team-uidesign/specs/ux-writing.md +86 -0
- package/.claude/skills/team-ux-improve/SKILL.md +3 -0
- package/.claude/skills/team-ux-improve/roles/designer/role.md +30 -0
- package/.claude/skills/team-ux-improve/roles/diagnoser/role.md +16 -1
- package/.claude/skills/team-ux-improve/roles/scanner/role.md +43 -1
- package/.claude/skills/team-ux-improve/specs/anti-patterns.md +103 -0
- package/.claude/skills/team-ux-improve/specs/design-standards.md +54 -0
- package/.claude/skills/team-ux-improve/specs/heuristics.md +88 -0
- package/.claude/skills/team-ux-improve/wisdom/anti-patterns/common-ux-pitfalls.md +40 -8
- package/.claude/skills/team-ux-improve/wisdom/patterns/state-management.md +32 -12
- package/.claude/skills/team-ux-improve/wisdom/patterns/ui-feedback.md +35 -11
- package/.claude/skills/team-ux-improve/wisdom/principles/general-ux.md +36 -9
- package/.claude/skills/team-visual-a11y/SKILL.md +143 -0
- package/.claude/skills/team-visual-a11y/roles/color-auditor/role.md +178 -0
- package/.claude/skills/team-visual-a11y/roles/coordinator/commands/analyze.md +72 -0
- package/.claude/skills/team-visual-a11y/roles/coordinator/commands/dispatch.md +250 -0
- package/.claude/skills/team-visual-a11y/roles/coordinator/commands/monitor.md +204 -0
- package/.claude/skills/team-visual-a11y/roles/coordinator/role.md +169 -0
- package/.claude/skills/team-visual-a11y/roles/fix-implementer/role.md +246 -0
- package/.claude/skills/team-visual-a11y/roles/focus-auditor/role.md +222 -0
- package/.claude/skills/team-visual-a11y/roles/remediation-planner/role.md +206 -0
- package/.claude/skills/team-visual-a11y/roles/typo-auditor/role.md +185 -0
- package/.claude/skills/team-visual-a11y/specs/focus-patterns.md +325 -0
- package/.claude/skills/team-visual-a11y/specs/oklch-standards.md +130 -0
- package/.claude/skills/team-visual-a11y/specs/pipelines.md +98 -0
- package/.claude/skills/team-visual-a11y/specs/team-config.json +109 -0
- package/.claude/skills/team-visual-a11y/specs/typography-scale.md +165 -0
- package/.claude/skills/team-visual-a11y/specs/wcag-matrix.md +133 -0
- package/.codex/skills/investigate/agents/investigator.md +392 -0
- package/.codex/skills/investigate/orchestrator.md +362 -0
- package/.codex/skills/investigate/phases/01-root-cause-investigation.md +212 -0
- package/.codex/skills/investigate/phases/02-pattern-analysis.md +181 -0
- package/.codex/skills/investigate/phases/03-hypothesis-testing.md +214 -0
- package/.codex/skills/investigate/phases/04-implementation.md +195 -0
- package/.codex/skills/investigate/phases/05-verification-report.md +240 -0
- package/.codex/skills/security-audit/agents/security-auditor.md +341 -0
- package/.codex/skills/security-audit/orchestrator.md +384 -0
- package/.codex/skills/security-audit/phases/01-supply-chain-scan.md +226 -0
- package/.codex/skills/security-audit/phases/02-owasp-review.md +232 -0
- package/.codex/skills/security-audit/phases/03-threat-modeling.md +249 -0
- package/.codex/skills/security-audit/phases/04-report-tracking.md +300 -0
- package/.codex/skills/ship/agents/ship-operator.md +318 -0
- package/.codex/skills/ship/orchestrator.md +426 -0
- package/.codex/skills/ship/phases/01-preflight-checks.md +198 -0
- package/.codex/skills/ship/phases/02-code-review.md +228 -0
- package/.codex/skills/ship/phases/03-version-bump.md +259 -0
- package/.codex/skills/ship/phases/04-changelog-commit.md +263 -0
- package/.codex/skills/ship/phases/05-pr-creation.md +280 -0
- package/.codex/skills/team-interactive-craft/SKILL.md +220 -0
- package/.codex/skills/team-interactive-craft/roles/a11y-tester/role.md +159 -0
- package/.codex/skills/team-interactive-craft/roles/builder/role.md +216 -0
- package/.codex/skills/team-interactive-craft/roles/coordinator/commands/analyze.md +71 -0
- package/.codex/skills/team-interactive-craft/roles/coordinator/commands/dispatch.md +162 -0
- package/.codex/skills/team-interactive-craft/roles/coordinator/commands/monitor.md +233 -0
- package/.codex/skills/team-interactive-craft/roles/coordinator/role.md +209 -0
- package/.codex/skills/team-interactive-craft/roles/interaction-designer/role.md +144 -0
- package/.codex/skills/team-interactive-craft/roles/researcher/role.md +131 -0
- package/.codex/skills/team-interactive-craft/specs/interaction-patterns.md +362 -0
- package/.codex/skills/team-interactive-craft/specs/pipelines.md +85 -0
- package/.codex/skills/team-interactive-craft/specs/team-config.json +105 -0
- package/.codex/skills/team-interactive-craft/specs/vanilla-constraints.md +83 -0
- package/.codex/skills/team-motion-design/SKILL.md +222 -0
- package/.codex/skills/team-motion-design/roles/animator/role.md +194 -0
- package/.codex/skills/team-motion-design/roles/choreographer/role.md +164 -0
- package/.codex/skills/team-motion-design/roles/coordinator/commands/analyze.md +64 -0
- package/.codex/skills/team-motion-design/roles/coordinator/commands/dispatch.md +168 -0
- package/.codex/skills/team-motion-design/roles/coordinator/commands/monitor.md +242 -0
- package/.codex/skills/team-motion-design/roles/coordinator/role.md +210 -0
- package/.codex/skills/team-motion-design/roles/motion-researcher/role.md +115 -0
- package/.codex/skills/team-motion-design/roles/motion-tester/role.md +175 -0
- package/.codex/skills/team-motion-design/specs/gpu-constraints.md +114 -0
- package/.codex/skills/team-motion-design/specs/motion-tokens.md +128 -0
- package/.codex/skills/team-motion-design/specs/pipelines.md +74 -0
- package/.codex/skills/team-motion-design/specs/reduced-motion.md +129 -0
- package/.codex/skills/team-motion-design/specs/team-config.json +99 -0
- package/.codex/skills/team-ui-polish/SKILL.md +218 -0
- package/.codex/skills/team-ui-polish/roles/coordinator/commands/analyze.md +77 -0
- package/.codex/skills/team-ui-polish/roles/coordinator/commands/dispatch.md +167 -0
- package/.codex/skills/team-ui-polish/roles/coordinator/commands/monitor.md +230 -0
- package/.codex/skills/team-ui-polish/roles/coordinator/role.md +213 -0
- package/.codex/skills/team-ui-polish/roles/diagnostician/role.md +164 -0
- package/.codex/skills/team-ui-polish/roles/optimizer/role.md +229 -0
- package/.codex/skills/team-ui-polish/roles/scanner/role.md +360 -0
- package/.codex/skills/team-ui-polish/roles/verifier/role.md +142 -0
- package/.codex/skills/team-ui-polish/specs/anti-patterns.md +141 -0
- package/.codex/skills/team-ui-polish/specs/design-standards.md +356 -0
- package/.codex/skills/team-ui-polish/specs/fix-strategies.md +235 -0
- package/.codex/skills/team-ui-polish/specs/pipelines.md +81 -0
- package/.codex/skills/team-ui-polish/specs/scoring-guide.md +162 -0
- package/.codex/skills/team-ui-polish/specs/team-config.json +73 -0
- package/.codex/skills/team-visual-a11y/SKILL.md +319 -0
- package/.codex/skills/team-visual-a11y/roles/color-auditor/role.md +178 -0
- package/.codex/skills/team-visual-a11y/roles/coordinator/commands/analyze.md +72 -0
- package/.codex/skills/team-visual-a11y/roles/coordinator/commands/dispatch.md +188 -0
- package/.codex/skills/team-visual-a11y/roles/coordinator/commands/monitor.md +281 -0
- package/.codex/skills/team-visual-a11y/roles/coordinator/role.md +213 -0
- package/.codex/skills/team-visual-a11y/roles/fix-implementer/role.md +246 -0
- package/.codex/skills/team-visual-a11y/roles/focus-auditor/role.md +222 -0
- package/.codex/skills/team-visual-a11y/roles/remediation-planner/role.md +206 -0
- package/.codex/skills/team-visual-a11y/roles/typo-auditor/role.md +185 -0
- package/.codex/skills/team-visual-a11y/specs/focus-patterns.md +325 -0
- package/.codex/skills/team-visual-a11y/specs/oklch-standards.md +130 -0
- package/.codex/skills/team-visual-a11y/specs/pipelines.md +98 -0
- package/.codex/skills/team-visual-a11y/specs/team-config.json +109 -0
- package/.codex/skills/team-visual-a11y/specs/typography-scale.md +165 -0
- package/.codex/skills/team-visual-a11y/specs/wcag-matrix.md +133 -0
- package/README.md +8 -0
- package/ccw/dist/core/hooks/hook-templates.d.ts.map +1 -1
- package/ccw/dist/core/hooks/hook-templates.js +114 -1
- package/ccw/dist/core/hooks/hook-templates.js.map +1 -1
- package/ccw/dist/core/routes/cli-routes.d.ts.map +1 -1
- package/ccw/dist/core/routes/cli-routes.js +34 -0
- package/ccw/dist/core/routes/cli-routes.js.map +1 -1
- package/ccw/dist/core/routes/system-routes.js +2 -2
- package/ccw/dist/core/routes/system-routes.js.map +1 -1
- package/ccw/frontend/dist/assets/{AlertDialog-Bf1jdqax.js → AlertDialog-BjP1ydDR.js} +2 -2
- package/ccw/frontend/dist/assets/{AlertDialog-Bf1jdqax.js.map → AlertDialog-BjP1ydDR.js.map} +1 -1
- package/ccw/frontend/dist/assets/{AnalysisPage-C8niKdp4.js → AnalysisPage-CAX3xqMf.js} +2 -2
- package/ccw/frontend/dist/assets/{AnalysisPage-C8niKdp4.js.map → AnalysisPage-CAX3xqMf.js.map} +1 -1
- package/ccw/frontend/dist/assets/{ApiSettingsPage-BL2c3UNS.js → ApiSettingsPage-CtWlmztq.js} +2 -2
- package/ccw/frontend/dist/assets/{ApiSettingsPage-BL2c3UNS.js.map → ApiSettingsPage-CtWlmztq.js.map} +1 -1
- package/ccw/frontend/dist/assets/{CliModeToggle-BePBFynD.js → CliModeToggle-hR4a-eLX.js} +2 -2
- package/ccw/frontend/dist/assets/{CliModeToggle-BePBFynD.js.map → CliModeToggle-hR4a-eLX.js.map} +1 -1
- package/ccw/frontend/dist/assets/{CliSessionSharePage-7cYtX6FT.js → CliSessionSharePage-DzNPkFN9.js} +2 -2
- package/ccw/frontend/dist/assets/{CliSessionSharePage-7cYtX6FT.js.map → CliSessionSharePage-DzNPkFN9.js.map} +1 -1
- package/ccw/frontend/dist/assets/{CliViewerPage-CBwg1mPL.js → CliViewerPage-BPEGN4TT.js} +2 -2
- package/ccw/frontend/dist/assets/{CliViewerPage-CBwg1mPL.js.map → CliViewerPage-BPEGN4TT.js.map} +1 -1
- package/ccw/frontend/dist/assets/{CodexLensPage-Bt74xORP.js → CodexLensPage-Cf0r2RHY.js} +2 -2
- package/ccw/frontend/dist/assets/{CodexLensPage-Bt74xORP.js.map → CodexLensPage-Cf0r2RHY.js.map} +1 -1
- package/ccw/frontend/dist/assets/{Collapsible-Wrs87QT7.js → Collapsible-DEm1rJ4h.js} +2 -2
- package/ccw/frontend/dist/assets/{Collapsible-Wrs87QT7.js.map → Collapsible-DEm1rJ4h.js.map} +1 -1
- package/ccw/frontend/dist/assets/{CommandsManagerPage-ChQjmPWZ.js → CommandsManagerPage-BpeWw8HO.js} +2 -2
- package/ccw/frontend/dist/assets/{CommandsManagerPage-ChQjmPWZ.js.map → CommandsManagerPage-BpeWw8HO.js.map} +1 -1
- package/ccw/frontend/dist/assets/{DeepWikiPage-dEO5wi6X.js → DeepWikiPage-BEsmh2vF.js} +2 -2
- package/ccw/frontend/dist/assets/{DeepWikiPage-dEO5wi6X.js.map → DeepWikiPage-BEsmh2vF.js.map} +1 -1
- package/ccw/frontend/dist/assets/{EndpointsPage-4zq269xY.js → EndpointsPage-B30SFdtU.js} +2 -2
- package/ccw/frontend/dist/assets/{EndpointsPage-4zq269xY.js.map → EndpointsPage-B30SFdtU.js.map} +1 -1
- package/ccw/frontend/dist/assets/{ExplorerPage-B0YTENhA.js → ExplorerPage-BVvMpg1O.js} +2 -2
- package/ccw/frontend/dist/assets/{ExplorerPage-B0YTENhA.js.map → ExplorerPage-BVvMpg1O.js.map} +1 -1
- package/ccw/frontend/dist/assets/{FixSessionPage-CwGs6dhz.js → FixSessionPage-CL73dHbh.js} +2 -2
- package/ccw/frontend/dist/assets/{FixSessionPage-CwGs6dhz.js.map → FixSessionPage-CL73dHbh.js.map} +1 -1
- package/ccw/frontend/dist/assets/{FloatingFileBrowser-COZRBslc.js → FloatingFileBrowser-BL-28lMZ.js} +2 -2
- package/ccw/frontend/dist/assets/{FloatingFileBrowser-COZRBslc.js.map → FloatingFileBrowser-BL-28lMZ.js.map} +1 -1
- package/ccw/frontend/dist/assets/{FloatingPanel-DYvgQZRD.js → FloatingPanel-BzZDciHZ.js} +2 -2
- package/ccw/frontend/dist/assets/{FloatingPanel-DYvgQZRD.js.map → FloatingPanel-BzZDciHZ.js.map} +1 -1
- package/ccw/frontend/dist/assets/{GraphExplorerPage-ewMHQGem.js → GraphExplorerPage-CDp6-d8P.js} +2 -2
- package/ccw/frontend/dist/assets/{GraphExplorerPage-ewMHQGem.js.map → GraphExplorerPage-CDp6-d8P.js.map} +1 -1
- package/ccw/frontend/dist/assets/{HistoryPage-BMeR0PrK.js → HistoryPage-fZY_7O9n.js} +2 -2
- package/ccw/frontend/dist/assets/{HistoryPage-BMeR0PrK.js.map → HistoryPage-fZY_7O9n.js.map} +1 -1
- package/ccw/frontend/dist/assets/{HookManagerPage-DBW2LnRm.js → HookManagerPage-4LJeC9bq.js} +2 -2
- package/ccw/frontend/dist/assets/{HookManagerPage-DBW2LnRm.js.map → HookManagerPage-4LJeC9bq.js.map} +1 -1
- package/ccw/frontend/dist/assets/{InstallationsPage--pMj0QEH.js → InstallationsPage-Bpigrbhw.js} +2 -2
- package/ccw/frontend/dist/assets/{InstallationsPage--pMj0QEH.js.map → InstallationsPage-Bpigrbhw.js.map} +1 -1
- package/ccw/frontend/dist/assets/{IssueHubPage-C_QMpQSR.js → IssueHubPage-BP0zJc1R.js} +2 -2
- package/ccw/frontend/dist/assets/{IssueHubPage-C_QMpQSR.js.map → IssueHubPage-BP0zJc1R.js.map} +1 -1
- package/ccw/frontend/dist/assets/{LiteTasksPage-CSWFdQ2-.js → LiteTasksPage-CSt2oVKQ.js} +2 -2
- package/ccw/frontend/dist/assets/{LiteTasksPage-CSWFdQ2-.js.map → LiteTasksPage-CSt2oVKQ.js.map} +1 -1
- package/ccw/frontend/dist/assets/{McpManagerPage-Dvv8NtGy.js → McpManagerPage-B-xaMA0w.js} +2 -2
- package/ccw/frontend/dist/assets/{McpManagerPage-Dvv8NtGy.js.map → McpManagerPage-B-xaMA0w.js.map} +1 -1
- package/ccw/frontend/dist/assets/{MemoryPage-YO8WZzZO.js → MemoryPage-CJqo_7DY.js} +2 -2
- package/ccw/frontend/dist/assets/{MemoryPage-YO8WZzZO.js.map → MemoryPage-CJqo_7DY.js.map} +1 -1
- package/ccw/frontend/dist/assets/{NotFoundPage-quUJw0CD.js → NotFoundPage-ibZeQA-Y.js} +2 -2
- package/ccw/frontend/dist/assets/{NotFoundPage-quUJw0CD.js.map → NotFoundPage-ibZeQA-Y.js.map} +1 -1
- package/ccw/frontend/dist/assets/{OrchestratorPage-tuThWPID.js → OrchestratorPage-DgJ4ctPQ.js} +2 -2
- package/ccw/frontend/dist/assets/{OrchestratorPage-tuThWPID.js.map → OrchestratorPage-DgJ4ctPQ.js.map} +1 -1
- package/ccw/frontend/dist/assets/{ProjectOverviewPage-shTilwiT.js → ProjectOverviewPage-Cit0Yq0D.js} +2 -2
- package/ccw/frontend/dist/assets/{ProjectOverviewPage-shTilwiT.js.map → ProjectOverviewPage-Cit0Yq0D.js.map} +1 -1
- package/ccw/frontend/dist/assets/{PromptHistoryPage-6rQnsI8l.js → PromptHistoryPage-Ce1HDIK0.js} +2 -2
- package/ccw/frontend/dist/assets/{PromptHistoryPage-6rQnsI8l.js.map → PromptHistoryPage-Ce1HDIK0.js.map} +1 -1
- package/ccw/frontend/dist/assets/{ReviewSessionPage-JOmzjVbT.js → ReviewSessionPage-J1KikNrk.js} +2 -2
- package/ccw/frontend/dist/assets/{ReviewSessionPage-JOmzjVbT.js.map → ReviewSessionPage-J1KikNrk.js.map} +1 -1
- package/ccw/frontend/dist/assets/{RulesManagerPage-Cayfywqi.js → RulesManagerPage-CdBjTmth.js} +2 -2
- package/ccw/frontend/dist/assets/{RulesManagerPage-Cayfywqi.js.map → RulesManagerPage-CdBjTmth.js.map} +1 -1
- package/ccw/frontend/dist/assets/{SessionDetailPage-iMn0k84i.js → SessionDetailPage-B9ZK7LvX.js} +2 -2
- package/ccw/frontend/dist/assets/{SessionDetailPage-iMn0k84i.js.map → SessionDetailPage-B9ZK7LvX.js.map} +1 -1
- package/ccw/frontend/dist/assets/{SessionsPage-Ciqjy9kz.js → SessionsPage-CW_nS5UR.js} +2 -2
- package/ccw/frontend/dist/assets/{SessionsPage-Ciqjy9kz.js.map → SessionsPage-CW_nS5UR.js.map} +1 -1
- package/ccw/frontend/dist/assets/{SettingsPage-BPDbXPSM.js → SettingsPage-B2PYzSoO.js} +35 -35
- package/ccw/frontend/dist/assets/SettingsPage-B2PYzSoO.js.map +1 -0
- package/ccw/frontend/dist/assets/{SkillsManagerPage-D3LzbpJY.js → SkillsManagerPage-CTnWrrwp.js} +2 -2
- package/ccw/frontend/dist/assets/{SkillsManagerPage-D3LzbpJY.js.map → SkillsManagerPage-CTnWrrwp.js.map} +1 -1
- package/ccw/frontend/dist/assets/{SpecsSettingsPage-BpkJctzo.js → SpecsSettingsPage-DJpi9XQL.js} +2 -2
- package/ccw/frontend/dist/assets/{SpecsSettingsPage-BpkJctzo.js.map → SpecsSettingsPage-DJpi9XQL.js.map} +1 -1
- package/ccw/frontend/dist/assets/{Switch-BpB9h__9.js → Switch-Ac6Ov7uy.js} +2 -2
- package/ccw/frontend/dist/assets/{Switch-BpB9h__9.js.map → Switch-Ac6Ov7uy.js.map} +1 -1
- package/ccw/frontend/dist/assets/{TabsNavigation-BGsKy7DO.js → TabsNavigation-DZAAspqR.js} +2 -2
- package/ccw/frontend/dist/assets/{TabsNavigation-BGsKy7DO.js.map → TabsNavigation-DZAAspqR.js.map} +1 -1
- package/ccw/frontend/dist/assets/{TaskDrawer-bYIlbM0Q.js → TaskDrawer-BJkwfhIZ.js} +2 -2
- package/ccw/frontend/dist/assets/{TaskDrawer-bYIlbM0Q.js.map → TaskDrawer-BJkwfhIZ.js.map} +1 -1
- package/ccw/frontend/dist/assets/{TeamPage-CihtQ6LQ.js → TeamPage-BJgjxBgb.js} +2 -2
- package/ccw/frontend/dist/assets/{TeamPage-CihtQ6LQ.js.map → TeamPage-BJgjxBgb.js.map} +1 -1
- package/ccw/frontend/dist/assets/{TerminalDashboardPage-BDnNF_ud.js → TerminalDashboardPage-D1WekoOy.js} +2 -2
- package/ccw/frontend/dist/assets/{TerminalDashboardPage-BDnNF_ud.js.map → TerminalDashboardPage-D1WekoOy.js.map} +1 -1
- package/ccw/frontend/dist/assets/{archive-CQJ86bQp.js → archive-DxemgIhF.js} +2 -2
- package/ccw/frontend/dist/assets/{archive-CQJ86bQp.js.map → archive-DxemgIhF.js.map} +1 -1
- package/ccw/frontend/dist/assets/{archive-restore-BhTfDbPU.js → archive-restore-CjS83f1V.js} +2 -2
- package/ccw/frontend/dist/assets/{archive-restore-BhTfDbPU.js.map → archive-restore-CjS83f1V.js.map} +1 -1
- package/ccw/frontend/dist/assets/{arrow-right-eUAZnT9C.js → arrow-right-B5PUcn8I.js} +2 -2
- package/ccw/frontend/dist/assets/{arrow-right-eUAZnT9C.js.map → arrow-right-B5PUcn8I.js.map} +1 -1
- package/ccw/frontend/dist/assets/{bookmark-plus-ilF5-V-k.js → bookmark-plus-DCc9aPbb.js} +2 -2
- package/ccw/frontend/dist/assets/{bookmark-plus-ilF5-V-k.js.map → bookmark-plus-DCc9aPbb.js.map} +1 -1
- package/ccw/frontend/dist/assets/{bot-BLkaQscs.js → bot-DOwFtzak.js} +2 -2
- package/ccw/frontend/dist/assets/{bot-BLkaQscs.js.map → bot-DOwFtzak.js.map} +1 -1
- package/ccw/frontend/dist/assets/{braces-D9HdgsO6.js → braces-96qH3aFh.js} +2 -2
- package/ccw/frontend/dist/assets/{braces-D9HdgsO6.js.map → braces-96qH3aFh.js.map} +1 -1
- package/ccw/frontend/dist/assets/{circle-stop-C3ZF1okQ.js → circle-stop-CCxSuil1.js} +2 -2
- package/ccw/frontend/dist/assets/{circle-stop-C3ZF1okQ.js.map → circle-stop-CCxSuil1.js.map} +1 -1
- package/ccw/frontend/dist/assets/{cpu-B-QjaSjm.js → cpu-CZNSJFdq.js} +2 -2
- package/ccw/frontend/dist/assets/{cpu-B-QjaSjm.js.map → cpu-CZNSJFdq.js.map} +1 -1
- package/ccw/frontend/dist/assets/{ellipsis-vertical-CbNlw2gS.js → ellipsis-vertical-h8xtvw2_.js} +2 -2
- package/ccw/frontend/dist/assets/{ellipsis-vertical-CbNlw2gS.js.map → ellipsis-vertical-h8xtvw2_.js.map} +1 -1
- package/ccw/frontend/dist/assets/{eye-yAy69Cnn.js → eye-D3NY0bm6.js} +2 -2
- package/ccw/frontend/dist/assets/{eye-yAy69Cnn.js.map → eye-D3NY0bm6.js.map} +1 -1
- package/ccw/frontend/dist/assets/{eye-off-D5uzLZyP.js → eye-off-Cy2vkc8p.js} +2 -2
- package/ccw/frontend/dist/assets/{eye-off-D5uzLZyP.js.map → eye-off-Cy2vkc8p.js.map} +1 -1
- package/ccw/frontend/dist/assets/{file-json-rwo1NowL.js → file-json-Bzq3U1Mx.js} +2 -2
- package/ccw/frontend/dist/assets/{file-json-rwo1NowL.js.map → file-json-Bzq3U1Mx.js.map} +1 -1
- package/ccw/frontend/dist/assets/{file-text-DRkrjie9.js → file-text-DwuwPDPi.js} +2 -2
- package/ccw/frontend/dist/assets/{file-text-DRkrjie9.js.map → file-text-DwuwPDPi.js.map} +1 -1
- package/ccw/frontend/dist/assets/{filter-BOe-OTu1.js → filter-q9g-bknU.js} +2 -2
- package/ccw/frontend/dist/assets/{filter-BOe-OTu1.js.map → filter-q9g-bknU.js.map} +1 -1
- package/ccw/frontend/dist/assets/{folder-BaWZWn_r.js → folder-CL6vb42J.js} +2 -2
- package/ccw/frontend/dist/assets/{folder-BaWZWn_r.js.map → folder-CL6vb42J.js.map} +1 -1
- package/ccw/frontend/dist/assets/{gauge-kazFexTr.js → gauge-BkrcQBly.js} +2 -2
- package/ccw/frontend/dist/assets/{gauge-kazFexTr.js.map → gauge-BkrcQBly.js.map} +1 -1
- package/ccw/frontend/dist/assets/{globe-BuHeEjxd.js → globe-BQbwyNeV.js} +2 -2
- package/ccw/frontend/dist/assets/{globe-BuHeEjxd.js.map → globe-BQbwyNeV.js.map} +1 -1
- package/ccw/frontend/dist/assets/{grid-3x3-DbhuUu4V.js → grid-3x3-x5_7DrN7.js} +2 -2
- package/ccw/frontend/dist/assets/{grid-3x3-DbhuUu4V.js.map → grid-3x3-x5_7DrN7.js.map} +1 -1
- package/ccw/frontend/dist/assets/{hard-drive-AoLGL0z4.js → hard-drive-DTyWXwzf.js} +2 -2
- package/ccw/frontend/dist/assets/{hard-drive-AoLGL0z4.js.map → hard-drive-DTyWXwzf.js.map} +1 -1
- package/ccw/frontend/dist/assets/{hash-Dpo1exMB.js → hash-80O0kJO7.js} +2 -2
- package/ccw/frontend/dist/assets/{hash-Dpo1exMB.js.map → hash-80O0kJO7.js.map} +1 -1
- package/ccw/frontend/dist/assets/{history-ujQnmMC9.js → history-DDlN2Bwa.js} +2 -2
- package/ccw/frontend/dist/assets/{history-ujQnmMC9.js.map → history-DDlN2Bwa.js.map} +1 -1
- package/ccw/frontend/dist/assets/{index-CxzXz6o1.js → index-B9A3Hnrk.js} +2 -2
- package/ccw/frontend/dist/assets/{index-CxzXz6o1.js.map → index-B9A3Hnrk.js.map} +1 -1
- package/ccw/frontend/dist/assets/{index-B76AGix5.js → index-Bs80iCX0.js} +2 -2
- package/ccw/frontend/dist/assets/{index-B76AGix5.js.map → index-Bs80iCX0.js.map} +1 -1
- package/ccw/frontend/dist/assets/{index-C_Yf5fZ4.js → index-mbeo62f8.js} +2 -2
- package/ccw/frontend/dist/assets/{index-C_Yf5fZ4.js.map → index-mbeo62f8.js.map} +1 -1
- package/ccw/frontend/dist/assets/{index-Dff4bg3u.js → index-rLgoBCfV.js} +3 -3
- package/ccw/frontend/dist/assets/{index-Dff4bg3u.js.map → index-rLgoBCfV.js.map} +1 -1
- package/ccw/frontend/dist/assets/{layout-grid-CBdE4K8h.js → layout-grid-C1niOWJx.js} +2 -2
- package/ccw/frontend/dist/assets/{layout-grid-CBdE4K8h.js.map → layout-grid-C1niOWJx.js.map} +1 -1
- package/ccw/frontend/dist/assets/{lightbulb-B9K6ZgRp.js → lightbulb-BTmI7SUg.js} +2 -2
- package/ccw/frontend/dist/assets/{lightbulb-B9K6ZgRp.js.map → lightbulb-BTmI7SUg.js.map} +1 -1
- package/ccw/frontend/dist/assets/{link-2-Oea4xHJl.js → link-2-CB9HKeuZ.js} +2 -2
- package/ccw/frontend/dist/assets/{link-2-Oea4xHJl.js.map → link-2-CB9HKeuZ.js.map} +1 -1
- package/ccw/frontend/dist/assets/{link-5yXdZBch.js → link-koEYiemK.js} +2 -2
- package/ccw/frontend/dist/assets/{link-5yXdZBch.js.map → link-koEYiemK.js.map} +1 -1
- package/ccw/frontend/dist/assets/{list-9lHhC_U_.js → list-v2_GaLdC.js} +2 -2
- package/ccw/frontend/dist/assets/{list-9lHhC_U_.js.map → list-v2_GaLdC.js.map} +1 -1
- package/ccw/frontend/dist/assets/{map-pin-B6Io5kmB.js → map-pin-BQNfAqG_.js} +2 -2
- package/ccw/frontend/dist/assets/{map-pin-B6Io5kmB.js.map → map-pin-BQNfAqG_.js.map} +1 -1
- package/ccw/frontend/dist/assets/{messages-square-BT000aD3.js → messages-square-Dzq5LGg9.js} +2 -2
- package/ccw/frontend/dist/assets/{messages-square-BT000aD3.js.map → messages-square-Dzq5LGg9.js.map} +1 -1
- package/ccw/frontend/dist/assets/{minimize-2-DO-zbT3a.js → minimize-2-CtkoJXcz.js} +2 -2
- package/ccw/frontend/dist/assets/{minimize-2-DO-zbT3a.js.map → minimize-2-CtkoJXcz.js.map} +1 -1
- package/ccw/frontend/dist/assets/{package-BjOw1ldU.js → package-CH3smL37.js} +2 -2
- package/ccw/frontend/dist/assets/{package-BjOw1ldU.js.map → package-CH3smL37.js.map} +1 -1
- package/ccw/frontend/dist/assets/{plug-9dAARpE1.js → plug-CZ0aL_yF.js} +2 -2
- package/ccw/frontend/dist/assets/{plug-9dAARpE1.js.map → plug-CZ0aL_yF.js.map} +1 -1
- package/ccw/frontend/dist/assets/{power-K2S39x7f.js → power-F2A_J4l6.js} +2 -2
- package/ccw/frontend/dist/assets/{power-K2S39x7f.js.map → power-F2A_J4l6.js.map} +1 -1
- package/ccw/frontend/dist/assets/{save-D9-CoT3x.js → save-Byxot0YU.js} +2 -2
- package/ccw/frontend/dist/assets/{save-D9-CoT3x.js.map → save-Byxot0YU.js.map} +1 -1
- package/ccw/frontend/dist/assets/{send-Bunw9NtC.js → send-JjqhUkpw.js} +2 -2
- package/ccw/frontend/dist/assets/{send-Bunw9NtC.js.map → send-JjqhUkpw.js.map} +1 -1
- package/ccw/frontend/dist/assets/{settings-2-osl4EXFf.js → settings-2--SuN9rAt.js} +2 -2
- package/ccw/frontend/dist/assets/{settings-2-osl4EXFf.js.map → settings-2--SuN9rAt.js.map} +1 -1
- package/ccw/frontend/dist/assets/{square-check-big-Dl5gYkjR.js → square-check-big-BbngGB2h.js} +2 -2
- package/ccw/frontend/dist/assets/{square-check-big-Dl5gYkjR.js.map → square-check-big-BbngGB2h.js.map} +1 -1
- package/ccw/frontend/dist/assets/{square-pen-Bue1chJR.js → square-pen-CgrHgZSl.js} +2 -2
- package/ccw/frontend/dist/assets/{square-pen-Bue1chJR.js.map → square-pen-CgrHgZSl.js.map} +1 -1
- package/ccw/frontend/dist/assets/{star-Bk7EC7FB.js → star-BU3TQr7Z.js} +2 -2
- package/ccw/frontend/dist/assets/{star-Bk7EC7FB.js.map → star-BU3TQr7Z.js.map} +1 -1
- package/ccw/frontend/dist/assets/{style-BbREPmRj.js → style-CKs7nnn3.js} +2 -2
- package/ccw/frontend/dist/assets/{style-BbREPmRj.js.map → style-CKs7nnn3.js.map} +1 -1
- package/ccw/frontend/dist/assets/{target-CElrCVhR.js → target-DW5tsDW6.js} +2 -2
- package/ccw/frontend/dist/assets/{target-CElrCVhR.js.map → target-DW5tsDW6.js.map} +1 -1
- package/ccw/frontend/dist/assets/{test-tube-wciJaoas.js → test-tube-BHm7w3ON.js} +2 -2
- package/ccw/frontend/dist/assets/{test-tube-wciJaoas.js.map → test-tube-BHm7w3ON.js.map} +1 -1
- package/ccw/frontend/dist/assets/{upload-BD1F07wG.js → upload-DYR7PWwt.js} +2 -2
- package/ccw/frontend/dist/assets/{upload-BD1F07wG.js.map → upload-DYR7PWwt.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useApiSettings-D23HVEt8.js → useApiSettings-D0TVgQD_.js} +2 -2
- package/ccw/frontend/dist/assets/{useApiSettings-D23HVEt8.js.map → useApiSettings-D0TVgQD_.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useCli-BGDd_lXD.js → useCli-DfY8mAP8.js} +2 -2
- package/ccw/frontend/dist/assets/{useCli-BGDd_lXD.js.map → useCli-DfY8mAP8.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useCommands-B-m_HxPB.js → useCommands-CGusDp0F.js} +2 -2
- package/ccw/frontend/dist/assets/{useCommands-B-m_HxPB.js.map → useCommands-CGusDp0F.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useDebounce-Z18-PHZr.js → useDebounce-CIwh0fF1.js} +2 -2
- package/ccw/frontend/dist/assets/{useDebounce-Z18-PHZr.js.map → useDebounce-CIwh0fF1.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useFileExplorer-D4gPp-LB.js → useFileExplorer-FMyFv39K.js} +2 -2
- package/ccw/frontend/dist/assets/{useFileExplorer-D4gPp-LB.js.map → useFileExplorer-FMyFv39K.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useLocale-DJ62jjFa.js → useLocale-B2qhsoTb.js} +2 -2
- package/ccw/frontend/dist/assets/{useLocale-DJ62jjFa.js.map → useLocale-B2qhsoTb.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useSkills-B8NPs9__.js → useSkills-cxKXMBm3.js} +3 -3
- package/ccw/frontend/dist/assets/{useSkills-B8NPs9__.js.map → useSkills-cxKXMBm3.js.map} +1 -1
- package/ccw/frontend/dist/assets/{useSystemSettings-CVi7nKGJ.js → useSystemSettings-B-xUT_z-.js} +2 -2
- package/ccw/frontend/dist/assets/{useSystemSettings-CVi7nKGJ.js.map → useSystemSettings-B-xUT_z-.js.map} +1 -1
- package/ccw/frontend/dist/assets/{wand-sparkles-CLjPiU5w.js → wand-sparkles-DZV_3lPr.js} +2 -2
- package/ccw/frontend/dist/assets/{wand-sparkles-CLjPiU5w.js.map → wand-sparkles-DZV_3lPr.js.map} +1 -1
- package/ccw/frontend/dist/index.html +1 -1
- package/package.json +105 -105
- package/ccw/frontend/dist/assets/SettingsPage-BPDbXPSM.js.map +0 -1
|
@@ -0,0 +1,232 @@
|
|
|
1
|
+
# Phase 2: OWASP Review
|
|
2
|
+
|
|
3
|
+
> **COMPACT PROTECTION**: This is a core execution phase. If context compression has occurred and this file is only a summary, **MUST `Read` this file again before executing any Step**. Do not execute from memory.
|
|
4
|
+
|
|
5
|
+
Systematic code-level review against OWASP Top 10 2021 categories using inline subagent analysis and targeted pattern scanning.
|
|
6
|
+
|
|
7
|
+
## Objective
|
|
8
|
+
|
|
9
|
+
- Review codebase against all 10 OWASP Top 10 2021 categories
|
|
10
|
+
- Use inline subagent multi-model analysis for comprehensive coverage
|
|
11
|
+
- Produce structured findings with file:line references and remediation steps
|
|
12
|
+
|
|
13
|
+
## Input
|
|
14
|
+
|
|
15
|
+
| Source | Required | Description |
|
|
16
|
+
|--------|----------|-------------|
|
|
17
|
+
| `~/.codex/skills/security-audit/specs/owasp-checklist.md` | Yes | Detection patterns per OWASP category |
|
|
18
|
+
| `.workflow/.security/supply-chain-report.json` | Yes | Phase 1 findings for dependency context |
|
|
19
|
+
| Project source files | Yes | `.ts`, `.js`, `.py`, `.go`, `.java` excluding deps/build |
|
|
20
|
+
|
|
21
|
+
## Execution Steps
|
|
22
|
+
|
|
23
|
+
### Step 1: Identify Target Scope
|
|
24
|
+
|
|
25
|
+
Discover source files, excluding generated and dependency directories.
|
|
26
|
+
|
|
27
|
+
**Decision Table**:
|
|
28
|
+
|
|
29
|
+
| Condition | Action |
|
|
30
|
+
|-----------|--------|
|
|
31
|
+
| Source files found | Proceed to Step 2 |
|
|
32
|
+
| No source files found | Report as BLOCKED with path note; do not proceed |
|
|
33
|
+
| Files > 500 | Prioritize routes/, auth/, api/, handlers/ first |
|
|
34
|
+
|
|
35
|
+
**Execution**:
|
|
36
|
+
|
|
37
|
+
```bash
|
|
38
|
+
# Identify source directories (exclude deps, build, test fixtures)
|
|
39
|
+
# Focus on: API routes, auth modules, data access, input handlers
|
|
40
|
+
find . -type f \( -name '*.ts' -o -name '*.js' -o -name '*.py' -o -name '*.go' -o -name '*.java' \) \
|
|
41
|
+
! -path '*/node_modules/*' ! -path '*/dist/*' ! -path '*/.git/*' \
|
|
42
|
+
! -path '*/build/*' ! -path '*/__pycache__/*' ! -path '*/vendor/*' \
|
|
43
|
+
| head -200
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
---
|
|
47
|
+
|
|
48
|
+
### Step 2: Inline Subagent OWASP Analysis
|
|
49
|
+
|
|
50
|
+
Spawn inline subagent using `cli-explore-agent` role to perform systematic OWASP analysis.
|
|
51
|
+
|
|
52
|
+
**Decision Table**:
|
|
53
|
+
|
|
54
|
+
| Condition | Action |
|
|
55
|
+
|-----------|--------|
|
|
56
|
+
| Subagent completes successfully | Integrate findings into Step 4 consolidation |
|
|
57
|
+
| Subagent times out | Continue with manual pattern scan (Step 3) only; log warning |
|
|
58
|
+
| Subagent errors | Continue with manual pattern scan only; log warning |
|
|
59
|
+
|
|
60
|
+
```
|
|
61
|
+
spawn_agent({
|
|
62
|
+
task_name: "inline-owasp-analysis",
|
|
63
|
+
fork_context: false,
|
|
64
|
+
model: "haiku",
|
|
65
|
+
reasoning_effort: "medium",
|
|
66
|
+
message: `### MANDATORY FIRST STEPS
|
|
67
|
+
1. Read: ~/.codex/agents/cli-explore-agent.md
|
|
68
|
+
|
|
69
|
+
Goal: OWASP Top 10 2021 security audit of this codebase.
|
|
70
|
+
Systematically check each OWASP category:
|
|
71
|
+
A01 Broken Access Control | A02 Cryptographic Failures | A03 Injection |
|
|
72
|
+
A04 Insecure Design | A05 Security Misconfiguration | A06 Vulnerable Components |
|
|
73
|
+
A07 Identification/Auth Failures | A08 Software/Data Integrity Failures |
|
|
74
|
+
A09 Security Logging/Monitoring Failures | A10 SSRF
|
|
75
|
+
|
|
76
|
+
TASK: For each OWASP category, scan relevant code patterns, identify vulnerabilities with file:line references, classify severity, provide remediation.
|
|
77
|
+
|
|
78
|
+
MODE: analysis
|
|
79
|
+
|
|
80
|
+
CONTEXT: @src/**/* @**/*.config.* @**/*.env.example
|
|
81
|
+
|
|
82
|
+
EXPECTED: JSON-structured findings per OWASP category with severity, file:line, evidence, remediation.
|
|
83
|
+
|
|
84
|
+
CONSTRAINTS: Code-level analysis only | Every finding must have file:line reference | Focus on real vulnerabilities not theoretical risks`
|
|
85
|
+
})
|
|
86
|
+
const result = wait_agent({ targets: ["inline-owasp-analysis"], timeout_ms: 300000 })
|
|
87
|
+
close_agent({ target: "inline-owasp-analysis" })
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
---
|
|
91
|
+
|
|
92
|
+
### Step 3: Manual Pattern Scanning
|
|
93
|
+
|
|
94
|
+
Supplement inline subagent analysis with targeted grep patterns per OWASP category. Reference `~/.codex/skills/security-audit/specs/owasp-checklist.md` for full pattern list.
|
|
95
|
+
|
|
96
|
+
**A01 — Broken Access Control**:
|
|
97
|
+
|
|
98
|
+
```bash
|
|
99
|
+
# Missing auth middleware on routes
|
|
100
|
+
grep -rn 'app\.\(get\|post\|put\|delete\|patch\)(' --include='*.ts' --include='*.js' . | grep -v 'auth\|middleware\|protect'
|
|
101
|
+
# Direct object references without ownership check
|
|
102
|
+
grep -rn 'params\.id\|req\.params\.' --include='*.ts' --include='*.js' . || true
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
**A03 — Injection**:
|
|
106
|
+
|
|
107
|
+
```bash
|
|
108
|
+
# SQL string concatenation
|
|
109
|
+
grep -rniE '(query|execute|raw)\s*\(\s*[`"'\'']\s*SELECT.*\+\s*|f".*SELECT.*{' --include='*.ts' --include='*.js' --include='*.py' . || true
|
|
110
|
+
# Command injection
|
|
111
|
+
grep -rniE '(exec|spawn|system|popen|subprocess)\s*\(' --include='*.ts' --include='*.js' --include='*.py' . || true
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
**A05 — Security Misconfiguration**:
|
|
115
|
+
|
|
116
|
+
```bash
|
|
117
|
+
# Debug mode enabled
|
|
118
|
+
grep -rniE '(DEBUG|debug)\s*[:=]\s*(true|True|1|"true")' --include='*.env' --include='*.py' --include='*.ts' --include='*.json' . || true
|
|
119
|
+
# CORS wildcard
|
|
120
|
+
grep -rniE "cors.*\*|Access-Control-Allow-Origin.*\*" --include='*.ts' --include='*.js' --include='*.py' . || true
|
|
121
|
+
```
|
|
122
|
+
|
|
123
|
+
**A07 — Identification and Authentication Failures**:
|
|
124
|
+
|
|
125
|
+
```bash
|
|
126
|
+
# Weak password patterns
|
|
127
|
+
grep -rniE 'password.*length.*[0-5][^0-9]|minlength.*[0-5][^0-9]' --include='*.ts' --include='*.js' --include='*.py' . || true
|
|
128
|
+
# Hardcoded credentials
|
|
129
|
+
grep -rniE '(password|passwd|pwd)\s*[:=]\s*["\x27][^"\x27]{3,}' --include='*.ts' --include='*.js' --include='*.py' --include='*.env' . || true
|
|
130
|
+
```
|
|
131
|
+
|
|
132
|
+
---
|
|
133
|
+
|
|
134
|
+
### Step 4: Consolidate Findings
|
|
135
|
+
|
|
136
|
+
Merge inline subagent results and manual pattern scan results. Deduplicate and classify by OWASP category.
|
|
137
|
+
|
|
138
|
+
**Decision Table**:
|
|
139
|
+
|
|
140
|
+
| Condition | Action |
|
|
141
|
+
|-----------|--------|
|
|
142
|
+
| Same finding in both sources | Keep highest severity; merge evidence; note both sources |
|
|
143
|
+
| Finding lacks file:line reference | Attempt to resolve via grep; if not resolvable, mark evidence as "pattern match — no line ref" |
|
|
144
|
+
| Category has no findings | Set coverage to `checked` with 0 findings |
|
|
145
|
+
| Category not applicable to project stack | Set coverage to `not_applicable` with reason |
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
## OWASP Top 10 2021 Coverage
|
|
150
|
+
|
|
151
|
+
| ID | Category | Key Checks |
|
|
152
|
+
|----|----------|------------|
|
|
153
|
+
| A01 | Broken Access Control | Missing auth, IDOR, path traversal, CORS |
|
|
154
|
+
| A02 | Cryptographic Failures | Weak algorithms, plaintext storage, missing TLS |
|
|
155
|
+
| A03 | Injection | SQL, NoSQL, OS command, LDAP, XPath injection |
|
|
156
|
+
| A04 | Insecure Design | Missing threat modeling, insecure business logic |
|
|
157
|
+
| A05 | Security Misconfiguration | Debug enabled, default creds, verbose errors |
|
|
158
|
+
| A06 | Vulnerable and Outdated Components | Known CVEs in dependencies (from Phase 1) |
|
|
159
|
+
| A07 | Identification and Authentication Failures | Weak passwords, missing MFA, session issues |
|
|
160
|
+
| A08 | Software and Data Integrity Failures | Unsigned updates, insecure deserialization, CI/CD |
|
|
161
|
+
| A09 | Security Logging and Monitoring Failures | Missing audit logs, no alerting, insufficient logging |
|
|
162
|
+
| A10 | Server-Side Request Forgery (SSRF) | Unvalidated URLs, internal resource access |
|
|
163
|
+
|
|
164
|
+
---
|
|
165
|
+
|
|
166
|
+
## Output
|
|
167
|
+
|
|
168
|
+
| Artifact | Format | Description |
|
|
169
|
+
|----------|--------|-------------|
|
|
170
|
+
| `.workflow/.security/owasp-findings.json` | JSON | Findings per OWASP category with coverage map |
|
|
171
|
+
|
|
172
|
+
```json
|
|
173
|
+
{
|
|
174
|
+
"phase": "owasp-review",
|
|
175
|
+
"timestamp": "ISO-8601",
|
|
176
|
+
"owasp_version": "2021",
|
|
177
|
+
"findings": [
|
|
178
|
+
{
|
|
179
|
+
"owasp_id": "A01",
|
|
180
|
+
"owasp_category": "Broken Access Control",
|
|
181
|
+
"severity": "critical|high|medium|low",
|
|
182
|
+
"title": "Finding title",
|
|
183
|
+
"description": "Detailed description",
|
|
184
|
+
"file": "path/to/file",
|
|
185
|
+
"line": 42,
|
|
186
|
+
"evidence": "code snippet or pattern match",
|
|
187
|
+
"remediation": "Specific fix recommendation",
|
|
188
|
+
"cwe": "CWE-XXX"
|
|
189
|
+
}
|
|
190
|
+
],
|
|
191
|
+
"coverage": {
|
|
192
|
+
"A01": "checked|not_applicable",
|
|
193
|
+
"A02": "checked|not_applicable",
|
|
194
|
+
"A03": "checked|not_applicable",
|
|
195
|
+
"A04": "checked|not_applicable",
|
|
196
|
+
"A05": "checked|not_applicable",
|
|
197
|
+
"A06": "checked|not_applicable",
|
|
198
|
+
"A07": "checked|not_applicable",
|
|
199
|
+
"A08": "checked|not_applicable",
|
|
200
|
+
"A09": "checked|not_applicable",
|
|
201
|
+
"A10": "checked|not_applicable"
|
|
202
|
+
},
|
|
203
|
+
"summary": {
|
|
204
|
+
"total": 0,
|
|
205
|
+
"by_severity": { "critical": 0, "high": 0, "medium": 0, "low": 0 },
|
|
206
|
+
"categories_checked": 10,
|
|
207
|
+
"categories_with_findings": 0
|
|
208
|
+
}
|
|
209
|
+
}
|
|
210
|
+
```
|
|
211
|
+
|
|
212
|
+
## Success Criteria
|
|
213
|
+
|
|
214
|
+
| Criterion | Validation Method |
|
|
215
|
+
|-----------|-------------------|
|
|
216
|
+
| All 10 OWASP categories have coverage entry | JSON coverage map has all A01–A10 keys |
|
|
217
|
+
| All findings have owasp_id, severity, file, evidence, remediation | JSON schema check |
|
|
218
|
+
| `owasp-findings.json` written to `.workflow/.security/` | File exists and is valid JSON |
|
|
219
|
+
| Inline subagent result integrated (or skip logged) | Summary includes source note |
|
|
220
|
+
|
|
221
|
+
## Error Handling
|
|
222
|
+
|
|
223
|
+
| Scenario | Resolution |
|
|
224
|
+
|----------|------------|
|
|
225
|
+
| Inline subagent timeout | Continue with manual grep results; log "inline-owasp-analysis timed out" in summary |
|
|
226
|
+
| OWASP checklist spec not found | Use built-in patterns from this file; note missing spec |
|
|
227
|
+
| No source files in scope | Report BLOCKED with path; set all categories to not_applicable |
|
|
228
|
+
| Grep produces no matches for a category | Set that category coverage to `checked` with 0 findings |
|
|
229
|
+
|
|
230
|
+
## Next Phase
|
|
231
|
+
|
|
232
|
+
-> [Phase 3: Threat Modeling](03-threat-modeling.md)
|
|
@@ -0,0 +1,249 @@
|
|
|
1
|
+
# Phase 3: Threat Modeling
|
|
2
|
+
|
|
3
|
+
> **COMPACT PROTECTION**: This is a core execution phase. If context compression has occurred and this file is only a summary, **MUST `Read` this file again before executing any Step**. Do not execute from memory.
|
|
4
|
+
|
|
5
|
+
Map STRIDE threat categories to architecture components, identify trust boundaries, and assess attack surface.
|
|
6
|
+
|
|
7
|
+
## Objective
|
|
8
|
+
|
|
9
|
+
- Apply the STRIDE threat model to the project architecture
|
|
10
|
+
- Identify trust boundaries between system components
|
|
11
|
+
- Assess attack surface area per component
|
|
12
|
+
- Cross-reference with Phase 1 and Phase 2 findings
|
|
13
|
+
|
|
14
|
+
## Input
|
|
15
|
+
|
|
16
|
+
| Source | Required | Description |
|
|
17
|
+
|--------|----------|-------------|
|
|
18
|
+
| `.workflow/.security/supply-chain-report.json` | Yes | Phase 1 findings for dependency/CI context |
|
|
19
|
+
| `.workflow/.security/owasp-findings.json` | Yes | Phase 2 findings to cross-reference in STRIDE gaps |
|
|
20
|
+
| Project source files | Yes | Route handlers, data stores, external service clients, auth modules |
|
|
21
|
+
|
|
22
|
+
## Execution Steps
|
|
23
|
+
|
|
24
|
+
### Step 1: Architecture Component Discovery
|
|
25
|
+
|
|
26
|
+
Identify major system components by scanning project structure.
|
|
27
|
+
|
|
28
|
+
**Decision Table**:
|
|
29
|
+
|
|
30
|
+
| Component Pattern Found | component.type |
|
|
31
|
+
|------------------------|----------------|
|
|
32
|
+
| `app.get/post/put/delete/patch`, `router.`, `@app.route`, `@router.` | api_endpoint |
|
|
33
|
+
| `createConnection`, `mongoose.connect`, `sqlite`, `redis`, `S3`, `createClient` | data_store |
|
|
34
|
+
| `fetch`, `axios`, `http.request`, `requests.get/post`, `urllib` | external_service |
|
|
35
|
+
| `jwt`, `passport`, `session`, `oauth`, `bcrypt`, `argon2`, `crypto` | auth_module |
|
|
36
|
+
| `worker`, `subprocess`, `child_process`, `celery`, `queue` | worker |
|
|
37
|
+
|
|
38
|
+
**Execution**:
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
# Identify entry points (API routes, CLI commands, event handlers)
|
|
42
|
+
grep -rlE '(app\.(get|post|put|delete|patch|use)|router\.|@app\.route|@router\.)' \
|
|
43
|
+
--include='*.ts' --include='*.js' --include='*.py' . || true
|
|
44
|
+
|
|
45
|
+
# Identify data stores (database connections, file storage)
|
|
46
|
+
grep -rlE '(createConnection|mongoose\.connect|sqlite|redis|S3|createClient)' \
|
|
47
|
+
--include='*.ts' --include='*.js' --include='*.py' . || true
|
|
48
|
+
|
|
49
|
+
# Identify external service integrations
|
|
50
|
+
grep -rlE '(fetch|axios|http\.request|requests\.(get|post)|urllib)' \
|
|
51
|
+
--include='*.ts' --include='*.js' --include='*.py' . || true
|
|
52
|
+
|
|
53
|
+
# Identify auth/session components
|
|
54
|
+
grep -rlE '(jwt|passport|session|oauth|bcrypt|argon2|crypto)' \
|
|
55
|
+
--include='*.ts' --include='*.js' --include='*.py' . || true
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
---
|
|
59
|
+
|
|
60
|
+
### Step 2: Trust Boundary Identification
|
|
61
|
+
|
|
62
|
+
Map the 5 standard trust boundary types. For each boundary: document what data crosses it, how it is enforced, and what happens when enforcement fails.
|
|
63
|
+
|
|
64
|
+
**Trust Boundary Types**:
|
|
65
|
+
|
|
66
|
+
| Boundary | From | To | Key Data Crossing |
|
|
67
|
+
|----------|------|----|------------------|
|
|
68
|
+
| External boundary | User/browser | Application server | User input, credentials, session tokens |
|
|
69
|
+
| Service boundary | Application | External APIs/services | API keys, request bodies, response data |
|
|
70
|
+
| Data boundary | Application | Database/storage | Query parameters, credentials, PII |
|
|
71
|
+
| Internal boundary | Public routes | Authenticated/admin routes | Auth tokens, role claims |
|
|
72
|
+
| Process boundary | Main process | Worker/subprocess | Job parameters, environment variables |
|
|
73
|
+
|
|
74
|
+
For each boundary, document:
|
|
75
|
+
- What crosses the boundary (data types, credentials)
|
|
76
|
+
- How the boundary is enforced (middleware, TLS, auth)
|
|
77
|
+
- What happens when enforcement fails
|
|
78
|
+
|
|
79
|
+
---
|
|
80
|
+
|
|
81
|
+
### Step 3: STRIDE per Component
|
|
82
|
+
|
|
83
|
+
For each discovered component, evaluate all 6 STRIDE categories systematically.
|
|
84
|
+
|
|
85
|
+
**STRIDE Category Definitions**:
|
|
86
|
+
|
|
87
|
+
| Category | Threat | Key Question |
|
|
88
|
+
|----------|--------|-------------|
|
|
89
|
+
| S — Spoofing | Identity impersonation | Can an attacker pretend to be someone else? |
|
|
90
|
+
| T — Tampering | Data modification | Can data be modified in transit or at rest? |
|
|
91
|
+
| R — Repudiation | Deniable actions | Can a user deny performing an action? |
|
|
92
|
+
| I — Information Disclosure | Data leakage | Can sensitive data be exposed? |
|
|
93
|
+
| D — Denial of Service | Availability disruption | Can the system be made unavailable? |
|
|
94
|
+
| E — Elevation of Privilege | Unauthorized access | Can a user gain higher privileges? |
|
|
95
|
+
|
|
96
|
+
**Spoofing Analysis Checks**:
|
|
97
|
+
- Are authentication mechanisms in place at all entry points?
|
|
98
|
+
- Can API keys or tokens be forged or replayed?
|
|
99
|
+
- Are session tokens properly validated and rotated?
|
|
100
|
+
|
|
101
|
+
**Tampering Analysis Checks**:
|
|
102
|
+
- Is input validation applied before processing?
|
|
103
|
+
- Are database queries parameterized?
|
|
104
|
+
- Can request bodies or headers be manipulated to alter behavior?
|
|
105
|
+
- Are file uploads validated for type and content?
|
|
106
|
+
|
|
107
|
+
**Repudiation Analysis Checks**:
|
|
108
|
+
- Are user actions logged with sufficient detail (who, what, when)?
|
|
109
|
+
- Are logs tamper-proof or centralized?
|
|
110
|
+
- Can critical operations (payments, deletions) be traced to a user?
|
|
111
|
+
|
|
112
|
+
**Information Disclosure Analysis Checks**:
|
|
113
|
+
- Do error responses leak stack traces or internal paths?
|
|
114
|
+
- Are sensitive fields (passwords, tokens) excluded from logs and API responses?
|
|
115
|
+
- Is PII properly handled (encryption at rest, masking in logs)?
|
|
116
|
+
- Do debug endpoints or verbose modes expose internals?
|
|
117
|
+
|
|
118
|
+
**Denial of Service Analysis Checks**:
|
|
119
|
+
- Are rate limits applied to public endpoints?
|
|
120
|
+
- Can resource-intensive operations be triggered without limits?
|
|
121
|
+
- Are file upload sizes bounded?
|
|
122
|
+
- Are database queries bounded (pagination, timeouts)?
|
|
123
|
+
|
|
124
|
+
**Elevation of Privilege Analysis Checks**:
|
|
125
|
+
- Are role/permission checks applied consistently?
|
|
126
|
+
- Can horizontal privilege escalation occur (accessing other users' data)?
|
|
127
|
+
- Can vertical escalation occur (user -> admin)?
|
|
128
|
+
- Are admin/debug routes properly protected?
|
|
129
|
+
|
|
130
|
+
**Component Exposure Rating**:
|
|
131
|
+
|
|
132
|
+
| Rating | Criteria |
|
|
133
|
+
|--------|----------|
|
|
134
|
+
| High | Public-facing, handles sensitive data, complex logic |
|
|
135
|
+
| Medium | Authenticated access, moderate data sensitivity |
|
|
136
|
+
| Low | Internal only, no sensitive data, simple operations |
|
|
137
|
+
|
|
138
|
+
---
|
|
139
|
+
|
|
140
|
+
### Step 4: Attack Surface Assessment
|
|
141
|
+
|
|
142
|
+
Quantify the attack surface across the entire system.
|
|
143
|
+
|
|
144
|
+
**Attack Surface Components**:
|
|
145
|
+
|
|
146
|
+
```
|
|
147
|
+
Attack Surface = Sum of:
|
|
148
|
+
- Number of public API endpoints
|
|
149
|
+
- Number of external service integrations
|
|
150
|
+
- Number of user-controllable input points
|
|
151
|
+
- Number of privileged operations
|
|
152
|
+
- Number of data stores with sensitive content
|
|
153
|
+
```
|
|
154
|
+
|
|
155
|
+
**Decision Table — Attack Surface Rating**:
|
|
156
|
+
|
|
157
|
+
| Total Score | Interpretation |
|
|
158
|
+
|-------------|---------------|
|
|
159
|
+
| 0–5 | Low attack surface |
|
|
160
|
+
| 6–15 | Moderate attack surface |
|
|
161
|
+
| 16–30 | High attack surface |
|
|
162
|
+
| > 30 | Very high attack surface — prioritize hardening |
|
|
163
|
+
|
|
164
|
+
Cross-reference Phase 1 and Phase 2 findings when populating `gaps` arrays for each STRIDE category. A finding in Phase 2 (e.g., A03 injection) maps to STRIDE T (Tampering) for the relevant component.
|
|
165
|
+
|
|
166
|
+
---
|
|
167
|
+
|
|
168
|
+
## Output
|
|
169
|
+
|
|
170
|
+
| Artifact | Format | Description |
|
|
171
|
+
|----------|--------|-------------|
|
|
172
|
+
| `.workflow/.security/threat-model.json` | JSON | STRIDE model with components, trust boundaries, attack surface |
|
|
173
|
+
|
|
174
|
+
```json
|
|
175
|
+
{
|
|
176
|
+
"phase": "threat-modeling",
|
|
177
|
+
"timestamp": "ISO-8601",
|
|
178
|
+
"framework": "STRIDE",
|
|
179
|
+
"components": [
|
|
180
|
+
{
|
|
181
|
+
"name": "Component name",
|
|
182
|
+
"type": "api_endpoint|data_store|external_service|auth_module|worker",
|
|
183
|
+
"files": ["path/to/file.ts"],
|
|
184
|
+
"exposure": "high|medium|low",
|
|
185
|
+
"trust_boundaries": ["external", "data"],
|
|
186
|
+
"threats": {
|
|
187
|
+
"spoofing": {
|
|
188
|
+
"applicable": true,
|
|
189
|
+
"findings": ["Description of threat"],
|
|
190
|
+
"mitigations": ["Existing mitigation"],
|
|
191
|
+
"gaps": ["Missing mitigation"]
|
|
192
|
+
},
|
|
193
|
+
"tampering": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
|
|
194
|
+
"repudiation": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
|
|
195
|
+
"information_disclosure": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
|
|
196
|
+
"denial_of_service": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
|
|
197
|
+
"elevation_of_privilege": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] }
|
|
198
|
+
}
|
|
199
|
+
}
|
|
200
|
+
],
|
|
201
|
+
"trust_boundaries": [
|
|
202
|
+
{
|
|
203
|
+
"name": "Boundary name",
|
|
204
|
+
"from": "Component A",
|
|
205
|
+
"to": "Component B",
|
|
206
|
+
"enforcement": "TLS|auth_middleware|API_key",
|
|
207
|
+
"data_crossing": ["request bodies", "credentials"],
|
|
208
|
+
"risk_level": "high|medium|low"
|
|
209
|
+
}
|
|
210
|
+
],
|
|
211
|
+
"attack_surface": {
|
|
212
|
+
"public_endpoints": 0,
|
|
213
|
+
"external_integrations": 0,
|
|
214
|
+
"input_points": 0,
|
|
215
|
+
"privileged_operations": 0,
|
|
216
|
+
"sensitive_data_stores": 0,
|
|
217
|
+
"total_score": 0
|
|
218
|
+
},
|
|
219
|
+
"summary": {
|
|
220
|
+
"components_analyzed": 0,
|
|
221
|
+
"threats_identified": 0,
|
|
222
|
+
"by_stride": { "S": 0, "T": 0, "R": 0, "I": 0, "D": 0, "E": 0 },
|
|
223
|
+
"high_exposure_components": 0
|
|
224
|
+
}
|
|
225
|
+
}
|
|
226
|
+
```
|
|
227
|
+
|
|
228
|
+
## Success Criteria
|
|
229
|
+
|
|
230
|
+
| Criterion | Validation Method |
|
|
231
|
+
|-----------|-------------------|
|
|
232
|
+
| At least one component analyzed | `components` array has at least 1 entry |
|
|
233
|
+
| All 6 STRIDE categories evaluated per component | Each component.threats has all 6 keys |
|
|
234
|
+
| Trust boundaries mapped | `trust_boundaries` array populated |
|
|
235
|
+
| Attack surface quantified | `attack_surface.total_score` calculated |
|
|
236
|
+
| `threat-model.json` written to `.workflow/.security/` | File exists and is valid JSON |
|
|
237
|
+
|
|
238
|
+
## Error Handling
|
|
239
|
+
|
|
240
|
+
| Scenario | Resolution |
|
|
241
|
+
|----------|------------|
|
|
242
|
+
| No components discovered via grep | Analyze project structure manually (README, package.json); note uncertainty |
|
|
243
|
+
| Phase 2 findings not available for cross-reference | Proceed with grep-only; note missing OWASP context |
|
|
244
|
+
| Ambiguous architecture (monolith vs microservices) | Document assumption in summary; note for user review |
|
|
245
|
+
| No `.github/workflows/` for CI boundary | Mark process boundary as not_applicable |
|
|
246
|
+
|
|
247
|
+
## Next Phase
|
|
248
|
+
|
|
249
|
+
-> [Phase 4: Report & Tracking](04-report-tracking.md)
|