claude-code-workflow 7.2.27 → 7.2.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (382) hide show
  1. package/.ccw/specs/architecture-constraints.md +5 -0
  2. package/.claude/skills/_shared/SKILL-DESIGN-SPEC.md +140 -0
  3. package/.claude/skills/investigate/SKILL.md +110 -0
  4. package/.claude/skills/investigate/phases/01-root-cause-investigation.md +132 -0
  5. package/.claude/skills/investigate/phases/02-pattern-analysis.md +126 -0
  6. package/.claude/skills/investigate/phases/03-hypothesis-testing.md +177 -0
  7. package/.claude/skills/investigate/phases/04-implementation.md +139 -0
  8. package/.claude/skills/investigate/phases/05-verification-report.md +153 -0
  9. package/.claude/skills/investigate/specs/debug-report-format.md +226 -0
  10. package/.claude/skills/investigate/specs/iron-law.md +101 -0
  11. package/.claude/skills/security-audit/SKILL.md +125 -0
  12. package/.claude/skills/security-audit/phases/01-supply-chain-scan.md +139 -0
  13. package/.claude/skills/security-audit/phases/02-owasp-review.md +156 -0
  14. package/.claude/skills/security-audit/phases/03-threat-modeling.md +180 -0
  15. package/.claude/skills/security-audit/phases/04-report-tracking.md +177 -0
  16. package/.claude/skills/security-audit/specs/owasp-checklist.md +442 -0
  17. package/.claude/skills/security-audit/specs/scoring-gates.md +141 -0
  18. package/.claude/skills/ship/SKILL.md +105 -0
  19. package/.claude/skills/ship/phases/01-preflight-checks.md +121 -0
  20. package/.claude/skills/ship/phases/02-code-review.md +137 -0
  21. package/.claude/skills/ship/phases/03-version-bump.md +171 -0
  22. package/.claude/skills/ship/phases/04-changelog-commit.md +167 -0
  23. package/.claude/skills/ship/phases/05-pr-creation.md +163 -0
  24. package/.claude/skills/skill-generator/templates/sequential-phase.md +10 -0
  25. package/.claude/skills/skill-generator/templates/skill-md.md +4 -0
  26. package/.claude/skills/team-interactive-craft/SKILL.md +127 -0
  27. package/.claude/skills/team-interactive-craft/roles/a11y-tester/role.md +159 -0
  28. package/.claude/skills/team-interactive-craft/roles/builder/role.md +216 -0
  29. package/.claude/skills/team-interactive-craft/roles/coordinator/commands/analyze.md +71 -0
  30. package/.claude/skills/team-interactive-craft/roles/coordinator/commands/dispatch.md +192 -0
  31. package/.claude/skills/team-interactive-craft/roles/coordinator/commands/monitor.md +183 -0
  32. package/.claude/skills/team-interactive-craft/roles/coordinator/role.md +166 -0
  33. package/.claude/skills/team-interactive-craft/roles/interaction-designer/role.md +144 -0
  34. package/.claude/skills/team-interactive-craft/roles/researcher/role.md +131 -0
  35. package/.claude/skills/team-interactive-craft/specs/interaction-patterns.md +362 -0
  36. package/.claude/skills/team-interactive-craft/specs/pipelines.md +85 -0
  37. package/.claude/skills/team-interactive-craft/specs/team-config.json +105 -0
  38. package/.claude/skills/team-interactive-craft/specs/vanilla-constraints.md +83 -0
  39. package/.claude/skills/team-motion-design/SKILL.md +129 -0
  40. package/.claude/skills/team-motion-design/roles/animator/role.md +194 -0
  41. package/.claude/skills/team-motion-design/roles/choreographer/role.md +164 -0
  42. package/.claude/skills/team-motion-design/roles/coordinator/commands/analyze.md +64 -0
  43. package/.claude/skills/team-motion-design/roles/coordinator/commands/dispatch.md +203 -0
  44. package/.claude/skills/team-motion-design/roles/coordinator/commands/monitor.md +184 -0
  45. package/.claude/skills/team-motion-design/roles/coordinator/role.md +167 -0
  46. package/.claude/skills/team-motion-design/roles/motion-researcher/role.md +115 -0
  47. package/.claude/skills/team-motion-design/roles/motion-tester/role.md +175 -0
  48. package/.claude/skills/team-motion-design/specs/gpu-constraints.md +114 -0
  49. package/.claude/skills/team-motion-design/specs/motion-tokens.md +128 -0
  50. package/.claude/skills/team-motion-design/specs/pipelines.md +74 -0
  51. package/.claude/skills/team-motion-design/specs/reduced-motion.md +129 -0
  52. package/.claude/skills/team-motion-design/specs/team-config.json +99 -0
  53. package/.claude/skills/team-ui-polish/SKILL.md +127 -0
  54. package/.claude/skills/team-ui-polish/roles/coordinator/commands/analyze.md +77 -0
  55. package/.claude/skills/team-ui-polish/roles/coordinator/commands/dispatch.md +194 -0
  56. package/.claude/skills/team-ui-polish/roles/coordinator/commands/monitor.md +180 -0
  57. package/.claude/skills/team-ui-polish/roles/coordinator/role.md +170 -0
  58. package/.claude/skills/team-ui-polish/roles/diagnostician/role.md +160 -0
  59. package/.claude/skills/team-ui-polish/roles/optimizer/role.md +225 -0
  60. package/.claude/skills/team-ui-polish/roles/scanner/role.md +356 -0
  61. package/.claude/skills/team-ui-polish/roles/verifier/role.md +142 -0
  62. package/.claude/skills/team-ui-polish/specs/anti-patterns.md +141 -0
  63. package/.claude/skills/team-ui-polish/specs/design-standards.md +356 -0
  64. package/.claude/skills/team-ui-polish/specs/fix-strategies.md +235 -0
  65. package/.claude/skills/team-ui-polish/specs/pipelines.md +81 -0
  66. package/.claude/skills/team-ui-polish/specs/scoring-guide.md +162 -0
  67. package/.claude/skills/team-ui-polish/specs/team-config.json +73 -0
  68. package/.claude/skills/team-uidesign/SKILL.md +6 -1
  69. package/.claude/skills/team-uidesign/roles/designer/role.md +28 -4
  70. package/.claude/skills/team-uidesign/roles/implementer/role.md +25 -3
  71. package/.claude/skills/team-uidesign/roles/researcher/role.md +21 -2
  72. package/.claude/skills/team-uidesign/roles/reviewer/role.md +19 -17
  73. package/.claude/skills/team-uidesign/specs/anti-patterns.md +211 -0
  74. package/.claude/skills/team-uidesign/specs/design-standards.md +329 -0
  75. package/.claude/skills/team-uidesign/specs/scoring-guide.md +114 -0
  76. package/.claude/skills/team-uidesign/specs/team-config.json +1 -1
  77. package/.claude/skills/team-uidesign/specs/ux-writing.md +86 -0
  78. package/.claude/skills/team-ux-improve/SKILL.md +3 -0
  79. package/.claude/skills/team-ux-improve/roles/designer/role.md +30 -0
  80. package/.claude/skills/team-ux-improve/roles/diagnoser/role.md +16 -1
  81. package/.claude/skills/team-ux-improve/roles/scanner/role.md +43 -1
  82. package/.claude/skills/team-ux-improve/specs/anti-patterns.md +103 -0
  83. package/.claude/skills/team-ux-improve/specs/design-standards.md +54 -0
  84. package/.claude/skills/team-ux-improve/specs/heuristics.md +88 -0
  85. package/.claude/skills/team-ux-improve/wisdom/anti-patterns/common-ux-pitfalls.md +40 -8
  86. package/.claude/skills/team-ux-improve/wisdom/patterns/state-management.md +32 -12
  87. package/.claude/skills/team-ux-improve/wisdom/patterns/ui-feedback.md +35 -11
  88. package/.claude/skills/team-ux-improve/wisdom/principles/general-ux.md +36 -9
  89. package/.claude/skills/team-visual-a11y/SKILL.md +143 -0
  90. package/.claude/skills/team-visual-a11y/roles/color-auditor/role.md +178 -0
  91. package/.claude/skills/team-visual-a11y/roles/coordinator/commands/analyze.md +72 -0
  92. package/.claude/skills/team-visual-a11y/roles/coordinator/commands/dispatch.md +250 -0
  93. package/.claude/skills/team-visual-a11y/roles/coordinator/commands/monitor.md +204 -0
  94. package/.claude/skills/team-visual-a11y/roles/coordinator/role.md +169 -0
  95. package/.claude/skills/team-visual-a11y/roles/fix-implementer/role.md +246 -0
  96. package/.claude/skills/team-visual-a11y/roles/focus-auditor/role.md +222 -0
  97. package/.claude/skills/team-visual-a11y/roles/remediation-planner/role.md +206 -0
  98. package/.claude/skills/team-visual-a11y/roles/typo-auditor/role.md +185 -0
  99. package/.claude/skills/team-visual-a11y/specs/focus-patterns.md +325 -0
  100. package/.claude/skills/team-visual-a11y/specs/oklch-standards.md +130 -0
  101. package/.claude/skills/team-visual-a11y/specs/pipelines.md +98 -0
  102. package/.claude/skills/team-visual-a11y/specs/team-config.json +109 -0
  103. package/.claude/skills/team-visual-a11y/specs/typography-scale.md +165 -0
  104. package/.claude/skills/team-visual-a11y/specs/wcag-matrix.md +133 -0
  105. package/.codex/skills/investigate/agents/investigator.md +392 -0
  106. package/.codex/skills/investigate/orchestrator.md +362 -0
  107. package/.codex/skills/investigate/phases/01-root-cause-investigation.md +212 -0
  108. package/.codex/skills/investigate/phases/02-pattern-analysis.md +181 -0
  109. package/.codex/skills/investigate/phases/03-hypothesis-testing.md +214 -0
  110. package/.codex/skills/investigate/phases/04-implementation.md +195 -0
  111. package/.codex/skills/investigate/phases/05-verification-report.md +240 -0
  112. package/.codex/skills/security-audit/agents/security-auditor.md +341 -0
  113. package/.codex/skills/security-audit/orchestrator.md +384 -0
  114. package/.codex/skills/security-audit/phases/01-supply-chain-scan.md +226 -0
  115. package/.codex/skills/security-audit/phases/02-owasp-review.md +232 -0
  116. package/.codex/skills/security-audit/phases/03-threat-modeling.md +249 -0
  117. package/.codex/skills/security-audit/phases/04-report-tracking.md +300 -0
  118. package/.codex/skills/ship/agents/ship-operator.md +318 -0
  119. package/.codex/skills/ship/orchestrator.md +426 -0
  120. package/.codex/skills/ship/phases/01-preflight-checks.md +198 -0
  121. package/.codex/skills/ship/phases/02-code-review.md +228 -0
  122. package/.codex/skills/ship/phases/03-version-bump.md +259 -0
  123. package/.codex/skills/ship/phases/04-changelog-commit.md +263 -0
  124. package/.codex/skills/ship/phases/05-pr-creation.md +280 -0
  125. package/.codex/skills/team-interactive-craft/SKILL.md +220 -0
  126. package/.codex/skills/team-interactive-craft/roles/a11y-tester/role.md +159 -0
  127. package/.codex/skills/team-interactive-craft/roles/builder/role.md +216 -0
  128. package/.codex/skills/team-interactive-craft/roles/coordinator/commands/analyze.md +71 -0
  129. package/.codex/skills/team-interactive-craft/roles/coordinator/commands/dispatch.md +162 -0
  130. package/.codex/skills/team-interactive-craft/roles/coordinator/commands/monitor.md +233 -0
  131. package/.codex/skills/team-interactive-craft/roles/coordinator/role.md +209 -0
  132. package/.codex/skills/team-interactive-craft/roles/interaction-designer/role.md +144 -0
  133. package/.codex/skills/team-interactive-craft/roles/researcher/role.md +131 -0
  134. package/.codex/skills/team-interactive-craft/specs/interaction-patterns.md +362 -0
  135. package/.codex/skills/team-interactive-craft/specs/pipelines.md +85 -0
  136. package/.codex/skills/team-interactive-craft/specs/team-config.json +105 -0
  137. package/.codex/skills/team-interactive-craft/specs/vanilla-constraints.md +83 -0
  138. package/.codex/skills/team-motion-design/SKILL.md +222 -0
  139. package/.codex/skills/team-motion-design/roles/animator/role.md +194 -0
  140. package/.codex/skills/team-motion-design/roles/choreographer/role.md +164 -0
  141. package/.codex/skills/team-motion-design/roles/coordinator/commands/analyze.md +64 -0
  142. package/.codex/skills/team-motion-design/roles/coordinator/commands/dispatch.md +168 -0
  143. package/.codex/skills/team-motion-design/roles/coordinator/commands/monitor.md +242 -0
  144. package/.codex/skills/team-motion-design/roles/coordinator/role.md +210 -0
  145. package/.codex/skills/team-motion-design/roles/motion-researcher/role.md +115 -0
  146. package/.codex/skills/team-motion-design/roles/motion-tester/role.md +175 -0
  147. package/.codex/skills/team-motion-design/specs/gpu-constraints.md +114 -0
  148. package/.codex/skills/team-motion-design/specs/motion-tokens.md +128 -0
  149. package/.codex/skills/team-motion-design/specs/pipelines.md +74 -0
  150. package/.codex/skills/team-motion-design/specs/reduced-motion.md +129 -0
  151. package/.codex/skills/team-motion-design/specs/team-config.json +99 -0
  152. package/.codex/skills/team-ui-polish/SKILL.md +218 -0
  153. package/.codex/skills/team-ui-polish/roles/coordinator/commands/analyze.md +77 -0
  154. package/.codex/skills/team-ui-polish/roles/coordinator/commands/dispatch.md +167 -0
  155. package/.codex/skills/team-ui-polish/roles/coordinator/commands/monitor.md +230 -0
  156. package/.codex/skills/team-ui-polish/roles/coordinator/role.md +213 -0
  157. package/.codex/skills/team-ui-polish/roles/diagnostician/role.md +164 -0
  158. package/.codex/skills/team-ui-polish/roles/optimizer/role.md +229 -0
  159. package/.codex/skills/team-ui-polish/roles/scanner/role.md +360 -0
  160. package/.codex/skills/team-ui-polish/roles/verifier/role.md +142 -0
  161. package/.codex/skills/team-ui-polish/specs/anti-patterns.md +141 -0
  162. package/.codex/skills/team-ui-polish/specs/design-standards.md +356 -0
  163. package/.codex/skills/team-ui-polish/specs/fix-strategies.md +235 -0
  164. package/.codex/skills/team-ui-polish/specs/pipelines.md +81 -0
  165. package/.codex/skills/team-ui-polish/specs/scoring-guide.md +162 -0
  166. package/.codex/skills/team-ui-polish/specs/team-config.json +73 -0
  167. package/.codex/skills/team-visual-a11y/SKILL.md +319 -0
  168. package/.codex/skills/team-visual-a11y/roles/color-auditor/role.md +178 -0
  169. package/.codex/skills/team-visual-a11y/roles/coordinator/commands/analyze.md +72 -0
  170. package/.codex/skills/team-visual-a11y/roles/coordinator/commands/dispatch.md +188 -0
  171. package/.codex/skills/team-visual-a11y/roles/coordinator/commands/monitor.md +281 -0
  172. package/.codex/skills/team-visual-a11y/roles/coordinator/role.md +213 -0
  173. package/.codex/skills/team-visual-a11y/roles/fix-implementer/role.md +246 -0
  174. package/.codex/skills/team-visual-a11y/roles/focus-auditor/role.md +222 -0
  175. package/.codex/skills/team-visual-a11y/roles/remediation-planner/role.md +206 -0
  176. package/.codex/skills/team-visual-a11y/roles/typo-auditor/role.md +185 -0
  177. package/.codex/skills/team-visual-a11y/specs/focus-patterns.md +325 -0
  178. package/.codex/skills/team-visual-a11y/specs/oklch-standards.md +130 -0
  179. package/.codex/skills/team-visual-a11y/specs/pipelines.md +98 -0
  180. package/.codex/skills/team-visual-a11y/specs/team-config.json +109 -0
  181. package/.codex/skills/team-visual-a11y/specs/typography-scale.md +165 -0
  182. package/.codex/skills/team-visual-a11y/specs/wcag-matrix.md +133 -0
  183. package/README.md +8 -0
  184. package/ccw/dist/core/hooks/hook-templates.d.ts.map +1 -1
  185. package/ccw/dist/core/hooks/hook-templates.js +114 -1
  186. package/ccw/dist/core/hooks/hook-templates.js.map +1 -1
  187. package/ccw/dist/core/routes/cli-routes.d.ts.map +1 -1
  188. package/ccw/dist/core/routes/cli-routes.js +34 -0
  189. package/ccw/dist/core/routes/cli-routes.js.map +1 -1
  190. package/ccw/dist/core/routes/system-routes.js +2 -2
  191. package/ccw/dist/core/routes/system-routes.js.map +1 -1
  192. package/ccw/frontend/dist/assets/{AlertDialog-Bf1jdqax.js → AlertDialog-BjP1ydDR.js} +2 -2
  193. package/ccw/frontend/dist/assets/{AlertDialog-Bf1jdqax.js.map → AlertDialog-BjP1ydDR.js.map} +1 -1
  194. package/ccw/frontend/dist/assets/{AnalysisPage-C8niKdp4.js → AnalysisPage-CAX3xqMf.js} +2 -2
  195. package/ccw/frontend/dist/assets/{AnalysisPage-C8niKdp4.js.map → AnalysisPage-CAX3xqMf.js.map} +1 -1
  196. package/ccw/frontend/dist/assets/{ApiSettingsPage-BL2c3UNS.js → ApiSettingsPage-CtWlmztq.js} +2 -2
  197. package/ccw/frontend/dist/assets/{ApiSettingsPage-BL2c3UNS.js.map → ApiSettingsPage-CtWlmztq.js.map} +1 -1
  198. package/ccw/frontend/dist/assets/{CliModeToggle-BePBFynD.js → CliModeToggle-hR4a-eLX.js} +2 -2
  199. package/ccw/frontend/dist/assets/{CliModeToggle-BePBFynD.js.map → CliModeToggle-hR4a-eLX.js.map} +1 -1
  200. package/ccw/frontend/dist/assets/{CliSessionSharePage-7cYtX6FT.js → CliSessionSharePage-DzNPkFN9.js} +2 -2
  201. package/ccw/frontend/dist/assets/{CliSessionSharePage-7cYtX6FT.js.map → CliSessionSharePage-DzNPkFN9.js.map} +1 -1
  202. package/ccw/frontend/dist/assets/{CliViewerPage-CBwg1mPL.js → CliViewerPage-BPEGN4TT.js} +2 -2
  203. package/ccw/frontend/dist/assets/{CliViewerPage-CBwg1mPL.js.map → CliViewerPage-BPEGN4TT.js.map} +1 -1
  204. package/ccw/frontend/dist/assets/{CodexLensPage-Bt74xORP.js → CodexLensPage-Cf0r2RHY.js} +2 -2
  205. package/ccw/frontend/dist/assets/{CodexLensPage-Bt74xORP.js.map → CodexLensPage-Cf0r2RHY.js.map} +1 -1
  206. package/ccw/frontend/dist/assets/{Collapsible-Wrs87QT7.js → Collapsible-DEm1rJ4h.js} +2 -2
  207. package/ccw/frontend/dist/assets/{Collapsible-Wrs87QT7.js.map → Collapsible-DEm1rJ4h.js.map} +1 -1
  208. package/ccw/frontend/dist/assets/{CommandsManagerPage-ChQjmPWZ.js → CommandsManagerPage-BpeWw8HO.js} +2 -2
  209. package/ccw/frontend/dist/assets/{CommandsManagerPage-ChQjmPWZ.js.map → CommandsManagerPage-BpeWw8HO.js.map} +1 -1
  210. package/ccw/frontend/dist/assets/{DeepWikiPage-dEO5wi6X.js → DeepWikiPage-BEsmh2vF.js} +2 -2
  211. package/ccw/frontend/dist/assets/{DeepWikiPage-dEO5wi6X.js.map → DeepWikiPage-BEsmh2vF.js.map} +1 -1
  212. package/ccw/frontend/dist/assets/{EndpointsPage-4zq269xY.js → EndpointsPage-B30SFdtU.js} +2 -2
  213. package/ccw/frontend/dist/assets/{EndpointsPage-4zq269xY.js.map → EndpointsPage-B30SFdtU.js.map} +1 -1
  214. package/ccw/frontend/dist/assets/{ExplorerPage-B0YTENhA.js → ExplorerPage-BVvMpg1O.js} +2 -2
  215. package/ccw/frontend/dist/assets/{ExplorerPage-B0YTENhA.js.map → ExplorerPage-BVvMpg1O.js.map} +1 -1
  216. package/ccw/frontend/dist/assets/{FixSessionPage-CwGs6dhz.js → FixSessionPage-CL73dHbh.js} +2 -2
  217. package/ccw/frontend/dist/assets/{FixSessionPage-CwGs6dhz.js.map → FixSessionPage-CL73dHbh.js.map} +1 -1
  218. package/ccw/frontend/dist/assets/{FloatingFileBrowser-COZRBslc.js → FloatingFileBrowser-BL-28lMZ.js} +2 -2
  219. package/ccw/frontend/dist/assets/{FloatingFileBrowser-COZRBslc.js.map → FloatingFileBrowser-BL-28lMZ.js.map} +1 -1
  220. package/ccw/frontend/dist/assets/{FloatingPanel-DYvgQZRD.js → FloatingPanel-BzZDciHZ.js} +2 -2
  221. package/ccw/frontend/dist/assets/{FloatingPanel-DYvgQZRD.js.map → FloatingPanel-BzZDciHZ.js.map} +1 -1
  222. package/ccw/frontend/dist/assets/{GraphExplorerPage-ewMHQGem.js → GraphExplorerPage-CDp6-d8P.js} +2 -2
  223. package/ccw/frontend/dist/assets/{GraphExplorerPage-ewMHQGem.js.map → GraphExplorerPage-CDp6-d8P.js.map} +1 -1
  224. package/ccw/frontend/dist/assets/{HistoryPage-BMeR0PrK.js → HistoryPage-fZY_7O9n.js} +2 -2
  225. package/ccw/frontend/dist/assets/{HistoryPage-BMeR0PrK.js.map → HistoryPage-fZY_7O9n.js.map} +1 -1
  226. package/ccw/frontend/dist/assets/{HookManagerPage-DBW2LnRm.js → HookManagerPage-4LJeC9bq.js} +2 -2
  227. package/ccw/frontend/dist/assets/{HookManagerPage-DBW2LnRm.js.map → HookManagerPage-4LJeC9bq.js.map} +1 -1
  228. package/ccw/frontend/dist/assets/{InstallationsPage--pMj0QEH.js → InstallationsPage-Bpigrbhw.js} +2 -2
  229. package/ccw/frontend/dist/assets/{InstallationsPage--pMj0QEH.js.map → InstallationsPage-Bpigrbhw.js.map} +1 -1
  230. package/ccw/frontend/dist/assets/{IssueHubPage-C_QMpQSR.js → IssueHubPage-BP0zJc1R.js} +2 -2
  231. package/ccw/frontend/dist/assets/{IssueHubPage-C_QMpQSR.js.map → IssueHubPage-BP0zJc1R.js.map} +1 -1
  232. package/ccw/frontend/dist/assets/{LiteTasksPage-CSWFdQ2-.js → LiteTasksPage-CSt2oVKQ.js} +2 -2
  233. package/ccw/frontend/dist/assets/{LiteTasksPage-CSWFdQ2-.js.map → LiteTasksPage-CSt2oVKQ.js.map} +1 -1
  234. package/ccw/frontend/dist/assets/{McpManagerPage-Dvv8NtGy.js → McpManagerPage-B-xaMA0w.js} +2 -2
  235. package/ccw/frontend/dist/assets/{McpManagerPage-Dvv8NtGy.js.map → McpManagerPage-B-xaMA0w.js.map} +1 -1
  236. package/ccw/frontend/dist/assets/{MemoryPage-YO8WZzZO.js → MemoryPage-CJqo_7DY.js} +2 -2
  237. package/ccw/frontend/dist/assets/{MemoryPage-YO8WZzZO.js.map → MemoryPage-CJqo_7DY.js.map} +1 -1
  238. package/ccw/frontend/dist/assets/{NotFoundPage-quUJw0CD.js → NotFoundPage-ibZeQA-Y.js} +2 -2
  239. package/ccw/frontend/dist/assets/{NotFoundPage-quUJw0CD.js.map → NotFoundPage-ibZeQA-Y.js.map} +1 -1
  240. package/ccw/frontend/dist/assets/{OrchestratorPage-tuThWPID.js → OrchestratorPage-DgJ4ctPQ.js} +2 -2
  241. package/ccw/frontend/dist/assets/{OrchestratorPage-tuThWPID.js.map → OrchestratorPage-DgJ4ctPQ.js.map} +1 -1
  242. package/ccw/frontend/dist/assets/{ProjectOverviewPage-shTilwiT.js → ProjectOverviewPage-Cit0Yq0D.js} +2 -2
  243. package/ccw/frontend/dist/assets/{ProjectOverviewPage-shTilwiT.js.map → ProjectOverviewPage-Cit0Yq0D.js.map} +1 -1
  244. package/ccw/frontend/dist/assets/{PromptHistoryPage-6rQnsI8l.js → PromptHistoryPage-Ce1HDIK0.js} +2 -2
  245. package/ccw/frontend/dist/assets/{PromptHistoryPage-6rQnsI8l.js.map → PromptHistoryPage-Ce1HDIK0.js.map} +1 -1
  246. package/ccw/frontend/dist/assets/{ReviewSessionPage-JOmzjVbT.js → ReviewSessionPage-J1KikNrk.js} +2 -2
  247. package/ccw/frontend/dist/assets/{ReviewSessionPage-JOmzjVbT.js.map → ReviewSessionPage-J1KikNrk.js.map} +1 -1
  248. package/ccw/frontend/dist/assets/{RulesManagerPage-Cayfywqi.js → RulesManagerPage-CdBjTmth.js} +2 -2
  249. package/ccw/frontend/dist/assets/{RulesManagerPage-Cayfywqi.js.map → RulesManagerPage-CdBjTmth.js.map} +1 -1
  250. package/ccw/frontend/dist/assets/{SessionDetailPage-iMn0k84i.js → SessionDetailPage-B9ZK7LvX.js} +2 -2
  251. package/ccw/frontend/dist/assets/{SessionDetailPage-iMn0k84i.js.map → SessionDetailPage-B9ZK7LvX.js.map} +1 -1
  252. package/ccw/frontend/dist/assets/{SessionsPage-Ciqjy9kz.js → SessionsPage-CW_nS5UR.js} +2 -2
  253. package/ccw/frontend/dist/assets/{SessionsPage-Ciqjy9kz.js.map → SessionsPage-CW_nS5UR.js.map} +1 -1
  254. package/ccw/frontend/dist/assets/{SettingsPage-BPDbXPSM.js → SettingsPage-B2PYzSoO.js} +35 -35
  255. package/ccw/frontend/dist/assets/SettingsPage-B2PYzSoO.js.map +1 -0
  256. package/ccw/frontend/dist/assets/{SkillsManagerPage-D3LzbpJY.js → SkillsManagerPage-CTnWrrwp.js} +2 -2
  257. package/ccw/frontend/dist/assets/{SkillsManagerPage-D3LzbpJY.js.map → SkillsManagerPage-CTnWrrwp.js.map} +1 -1
  258. package/ccw/frontend/dist/assets/{SpecsSettingsPage-BpkJctzo.js → SpecsSettingsPage-DJpi9XQL.js} +2 -2
  259. package/ccw/frontend/dist/assets/{SpecsSettingsPage-BpkJctzo.js.map → SpecsSettingsPage-DJpi9XQL.js.map} +1 -1
  260. package/ccw/frontend/dist/assets/{Switch-BpB9h__9.js → Switch-Ac6Ov7uy.js} +2 -2
  261. package/ccw/frontend/dist/assets/{Switch-BpB9h__9.js.map → Switch-Ac6Ov7uy.js.map} +1 -1
  262. package/ccw/frontend/dist/assets/{TabsNavigation-BGsKy7DO.js → TabsNavigation-DZAAspqR.js} +2 -2
  263. package/ccw/frontend/dist/assets/{TabsNavigation-BGsKy7DO.js.map → TabsNavigation-DZAAspqR.js.map} +1 -1
  264. package/ccw/frontend/dist/assets/{TaskDrawer-bYIlbM0Q.js → TaskDrawer-BJkwfhIZ.js} +2 -2
  265. package/ccw/frontend/dist/assets/{TaskDrawer-bYIlbM0Q.js.map → TaskDrawer-BJkwfhIZ.js.map} +1 -1
  266. package/ccw/frontend/dist/assets/{TeamPage-CihtQ6LQ.js → TeamPage-BJgjxBgb.js} +2 -2
  267. package/ccw/frontend/dist/assets/{TeamPage-CihtQ6LQ.js.map → TeamPage-BJgjxBgb.js.map} +1 -1
  268. package/ccw/frontend/dist/assets/{TerminalDashboardPage-BDnNF_ud.js → TerminalDashboardPage-D1WekoOy.js} +2 -2
  269. package/ccw/frontend/dist/assets/{TerminalDashboardPage-BDnNF_ud.js.map → TerminalDashboardPage-D1WekoOy.js.map} +1 -1
  270. package/ccw/frontend/dist/assets/{archive-CQJ86bQp.js → archive-DxemgIhF.js} +2 -2
  271. package/ccw/frontend/dist/assets/{archive-CQJ86bQp.js.map → archive-DxemgIhF.js.map} +1 -1
  272. package/ccw/frontend/dist/assets/{archive-restore-BhTfDbPU.js → archive-restore-CjS83f1V.js} +2 -2
  273. package/ccw/frontend/dist/assets/{archive-restore-BhTfDbPU.js.map → archive-restore-CjS83f1V.js.map} +1 -1
  274. package/ccw/frontend/dist/assets/{arrow-right-eUAZnT9C.js → arrow-right-B5PUcn8I.js} +2 -2
  275. package/ccw/frontend/dist/assets/{arrow-right-eUAZnT9C.js.map → arrow-right-B5PUcn8I.js.map} +1 -1
  276. package/ccw/frontend/dist/assets/{bookmark-plus-ilF5-V-k.js → bookmark-plus-DCc9aPbb.js} +2 -2
  277. package/ccw/frontend/dist/assets/{bookmark-plus-ilF5-V-k.js.map → bookmark-plus-DCc9aPbb.js.map} +1 -1
  278. package/ccw/frontend/dist/assets/{bot-BLkaQscs.js → bot-DOwFtzak.js} +2 -2
  279. package/ccw/frontend/dist/assets/{bot-BLkaQscs.js.map → bot-DOwFtzak.js.map} +1 -1
  280. package/ccw/frontend/dist/assets/{braces-D9HdgsO6.js → braces-96qH3aFh.js} +2 -2
  281. package/ccw/frontend/dist/assets/{braces-D9HdgsO6.js.map → braces-96qH3aFh.js.map} +1 -1
  282. package/ccw/frontend/dist/assets/{circle-stop-C3ZF1okQ.js → circle-stop-CCxSuil1.js} +2 -2
  283. package/ccw/frontend/dist/assets/{circle-stop-C3ZF1okQ.js.map → circle-stop-CCxSuil1.js.map} +1 -1
  284. package/ccw/frontend/dist/assets/{cpu-B-QjaSjm.js → cpu-CZNSJFdq.js} +2 -2
  285. package/ccw/frontend/dist/assets/{cpu-B-QjaSjm.js.map → cpu-CZNSJFdq.js.map} +1 -1
  286. package/ccw/frontend/dist/assets/{ellipsis-vertical-CbNlw2gS.js → ellipsis-vertical-h8xtvw2_.js} +2 -2
  287. package/ccw/frontend/dist/assets/{ellipsis-vertical-CbNlw2gS.js.map → ellipsis-vertical-h8xtvw2_.js.map} +1 -1
  288. package/ccw/frontend/dist/assets/{eye-yAy69Cnn.js → eye-D3NY0bm6.js} +2 -2
  289. package/ccw/frontend/dist/assets/{eye-yAy69Cnn.js.map → eye-D3NY0bm6.js.map} +1 -1
  290. package/ccw/frontend/dist/assets/{eye-off-D5uzLZyP.js → eye-off-Cy2vkc8p.js} +2 -2
  291. package/ccw/frontend/dist/assets/{eye-off-D5uzLZyP.js.map → eye-off-Cy2vkc8p.js.map} +1 -1
  292. package/ccw/frontend/dist/assets/{file-json-rwo1NowL.js → file-json-Bzq3U1Mx.js} +2 -2
  293. package/ccw/frontend/dist/assets/{file-json-rwo1NowL.js.map → file-json-Bzq3U1Mx.js.map} +1 -1
  294. package/ccw/frontend/dist/assets/{file-text-DRkrjie9.js → file-text-DwuwPDPi.js} +2 -2
  295. package/ccw/frontend/dist/assets/{file-text-DRkrjie9.js.map → file-text-DwuwPDPi.js.map} +1 -1
  296. package/ccw/frontend/dist/assets/{filter-BOe-OTu1.js → filter-q9g-bknU.js} +2 -2
  297. package/ccw/frontend/dist/assets/{filter-BOe-OTu1.js.map → filter-q9g-bknU.js.map} +1 -1
  298. package/ccw/frontend/dist/assets/{folder-BaWZWn_r.js → folder-CL6vb42J.js} +2 -2
  299. package/ccw/frontend/dist/assets/{folder-BaWZWn_r.js.map → folder-CL6vb42J.js.map} +1 -1
  300. package/ccw/frontend/dist/assets/{gauge-kazFexTr.js → gauge-BkrcQBly.js} +2 -2
  301. package/ccw/frontend/dist/assets/{gauge-kazFexTr.js.map → gauge-BkrcQBly.js.map} +1 -1
  302. package/ccw/frontend/dist/assets/{globe-BuHeEjxd.js → globe-BQbwyNeV.js} +2 -2
  303. package/ccw/frontend/dist/assets/{globe-BuHeEjxd.js.map → globe-BQbwyNeV.js.map} +1 -1
  304. package/ccw/frontend/dist/assets/{grid-3x3-DbhuUu4V.js → grid-3x3-x5_7DrN7.js} +2 -2
  305. package/ccw/frontend/dist/assets/{grid-3x3-DbhuUu4V.js.map → grid-3x3-x5_7DrN7.js.map} +1 -1
  306. package/ccw/frontend/dist/assets/{hard-drive-AoLGL0z4.js → hard-drive-DTyWXwzf.js} +2 -2
  307. package/ccw/frontend/dist/assets/{hard-drive-AoLGL0z4.js.map → hard-drive-DTyWXwzf.js.map} +1 -1
  308. package/ccw/frontend/dist/assets/{hash-Dpo1exMB.js → hash-80O0kJO7.js} +2 -2
  309. package/ccw/frontend/dist/assets/{hash-Dpo1exMB.js.map → hash-80O0kJO7.js.map} +1 -1
  310. package/ccw/frontend/dist/assets/{history-ujQnmMC9.js → history-DDlN2Bwa.js} +2 -2
  311. package/ccw/frontend/dist/assets/{history-ujQnmMC9.js.map → history-DDlN2Bwa.js.map} +1 -1
  312. package/ccw/frontend/dist/assets/{index-CxzXz6o1.js → index-B9A3Hnrk.js} +2 -2
  313. package/ccw/frontend/dist/assets/{index-CxzXz6o1.js.map → index-B9A3Hnrk.js.map} +1 -1
  314. package/ccw/frontend/dist/assets/{index-B76AGix5.js → index-Bs80iCX0.js} +2 -2
  315. package/ccw/frontend/dist/assets/{index-B76AGix5.js.map → index-Bs80iCX0.js.map} +1 -1
  316. package/ccw/frontend/dist/assets/{index-C_Yf5fZ4.js → index-mbeo62f8.js} +2 -2
  317. package/ccw/frontend/dist/assets/{index-C_Yf5fZ4.js.map → index-mbeo62f8.js.map} +1 -1
  318. package/ccw/frontend/dist/assets/{index-Dff4bg3u.js → index-rLgoBCfV.js} +3 -3
  319. package/ccw/frontend/dist/assets/{index-Dff4bg3u.js.map → index-rLgoBCfV.js.map} +1 -1
  320. package/ccw/frontend/dist/assets/{layout-grid-CBdE4K8h.js → layout-grid-C1niOWJx.js} +2 -2
  321. package/ccw/frontend/dist/assets/{layout-grid-CBdE4K8h.js.map → layout-grid-C1niOWJx.js.map} +1 -1
  322. package/ccw/frontend/dist/assets/{lightbulb-B9K6ZgRp.js → lightbulb-BTmI7SUg.js} +2 -2
  323. package/ccw/frontend/dist/assets/{lightbulb-B9K6ZgRp.js.map → lightbulb-BTmI7SUg.js.map} +1 -1
  324. package/ccw/frontend/dist/assets/{link-2-Oea4xHJl.js → link-2-CB9HKeuZ.js} +2 -2
  325. package/ccw/frontend/dist/assets/{link-2-Oea4xHJl.js.map → link-2-CB9HKeuZ.js.map} +1 -1
  326. package/ccw/frontend/dist/assets/{link-5yXdZBch.js → link-koEYiemK.js} +2 -2
  327. package/ccw/frontend/dist/assets/{link-5yXdZBch.js.map → link-koEYiemK.js.map} +1 -1
  328. package/ccw/frontend/dist/assets/{list-9lHhC_U_.js → list-v2_GaLdC.js} +2 -2
  329. package/ccw/frontend/dist/assets/{list-9lHhC_U_.js.map → list-v2_GaLdC.js.map} +1 -1
  330. package/ccw/frontend/dist/assets/{map-pin-B6Io5kmB.js → map-pin-BQNfAqG_.js} +2 -2
  331. package/ccw/frontend/dist/assets/{map-pin-B6Io5kmB.js.map → map-pin-BQNfAqG_.js.map} +1 -1
  332. package/ccw/frontend/dist/assets/{messages-square-BT000aD3.js → messages-square-Dzq5LGg9.js} +2 -2
  333. package/ccw/frontend/dist/assets/{messages-square-BT000aD3.js.map → messages-square-Dzq5LGg9.js.map} +1 -1
  334. package/ccw/frontend/dist/assets/{minimize-2-DO-zbT3a.js → minimize-2-CtkoJXcz.js} +2 -2
  335. package/ccw/frontend/dist/assets/{minimize-2-DO-zbT3a.js.map → minimize-2-CtkoJXcz.js.map} +1 -1
  336. package/ccw/frontend/dist/assets/{package-BjOw1ldU.js → package-CH3smL37.js} +2 -2
  337. package/ccw/frontend/dist/assets/{package-BjOw1ldU.js.map → package-CH3smL37.js.map} +1 -1
  338. package/ccw/frontend/dist/assets/{plug-9dAARpE1.js → plug-CZ0aL_yF.js} +2 -2
  339. package/ccw/frontend/dist/assets/{plug-9dAARpE1.js.map → plug-CZ0aL_yF.js.map} +1 -1
  340. package/ccw/frontend/dist/assets/{power-K2S39x7f.js → power-F2A_J4l6.js} +2 -2
  341. package/ccw/frontend/dist/assets/{power-K2S39x7f.js.map → power-F2A_J4l6.js.map} +1 -1
  342. package/ccw/frontend/dist/assets/{save-D9-CoT3x.js → save-Byxot0YU.js} +2 -2
  343. package/ccw/frontend/dist/assets/{save-D9-CoT3x.js.map → save-Byxot0YU.js.map} +1 -1
  344. package/ccw/frontend/dist/assets/{send-Bunw9NtC.js → send-JjqhUkpw.js} +2 -2
  345. package/ccw/frontend/dist/assets/{send-Bunw9NtC.js.map → send-JjqhUkpw.js.map} +1 -1
  346. package/ccw/frontend/dist/assets/{settings-2-osl4EXFf.js → settings-2--SuN9rAt.js} +2 -2
  347. package/ccw/frontend/dist/assets/{settings-2-osl4EXFf.js.map → settings-2--SuN9rAt.js.map} +1 -1
  348. package/ccw/frontend/dist/assets/{square-check-big-Dl5gYkjR.js → square-check-big-BbngGB2h.js} +2 -2
  349. package/ccw/frontend/dist/assets/{square-check-big-Dl5gYkjR.js.map → square-check-big-BbngGB2h.js.map} +1 -1
  350. package/ccw/frontend/dist/assets/{square-pen-Bue1chJR.js → square-pen-CgrHgZSl.js} +2 -2
  351. package/ccw/frontend/dist/assets/{square-pen-Bue1chJR.js.map → square-pen-CgrHgZSl.js.map} +1 -1
  352. package/ccw/frontend/dist/assets/{star-Bk7EC7FB.js → star-BU3TQr7Z.js} +2 -2
  353. package/ccw/frontend/dist/assets/{star-Bk7EC7FB.js.map → star-BU3TQr7Z.js.map} +1 -1
  354. package/ccw/frontend/dist/assets/{style-BbREPmRj.js → style-CKs7nnn3.js} +2 -2
  355. package/ccw/frontend/dist/assets/{style-BbREPmRj.js.map → style-CKs7nnn3.js.map} +1 -1
  356. package/ccw/frontend/dist/assets/{target-CElrCVhR.js → target-DW5tsDW6.js} +2 -2
  357. package/ccw/frontend/dist/assets/{target-CElrCVhR.js.map → target-DW5tsDW6.js.map} +1 -1
  358. package/ccw/frontend/dist/assets/{test-tube-wciJaoas.js → test-tube-BHm7w3ON.js} +2 -2
  359. package/ccw/frontend/dist/assets/{test-tube-wciJaoas.js.map → test-tube-BHm7w3ON.js.map} +1 -1
  360. package/ccw/frontend/dist/assets/{upload-BD1F07wG.js → upload-DYR7PWwt.js} +2 -2
  361. package/ccw/frontend/dist/assets/{upload-BD1F07wG.js.map → upload-DYR7PWwt.js.map} +1 -1
  362. package/ccw/frontend/dist/assets/{useApiSettings-D23HVEt8.js → useApiSettings-D0TVgQD_.js} +2 -2
  363. package/ccw/frontend/dist/assets/{useApiSettings-D23HVEt8.js.map → useApiSettings-D0TVgQD_.js.map} +1 -1
  364. package/ccw/frontend/dist/assets/{useCli-BGDd_lXD.js → useCli-DfY8mAP8.js} +2 -2
  365. package/ccw/frontend/dist/assets/{useCli-BGDd_lXD.js.map → useCli-DfY8mAP8.js.map} +1 -1
  366. package/ccw/frontend/dist/assets/{useCommands-B-m_HxPB.js → useCommands-CGusDp0F.js} +2 -2
  367. package/ccw/frontend/dist/assets/{useCommands-B-m_HxPB.js.map → useCommands-CGusDp0F.js.map} +1 -1
  368. package/ccw/frontend/dist/assets/{useDebounce-Z18-PHZr.js → useDebounce-CIwh0fF1.js} +2 -2
  369. package/ccw/frontend/dist/assets/{useDebounce-Z18-PHZr.js.map → useDebounce-CIwh0fF1.js.map} +1 -1
  370. package/ccw/frontend/dist/assets/{useFileExplorer-D4gPp-LB.js → useFileExplorer-FMyFv39K.js} +2 -2
  371. package/ccw/frontend/dist/assets/{useFileExplorer-D4gPp-LB.js.map → useFileExplorer-FMyFv39K.js.map} +1 -1
  372. package/ccw/frontend/dist/assets/{useLocale-DJ62jjFa.js → useLocale-B2qhsoTb.js} +2 -2
  373. package/ccw/frontend/dist/assets/{useLocale-DJ62jjFa.js.map → useLocale-B2qhsoTb.js.map} +1 -1
  374. package/ccw/frontend/dist/assets/{useSkills-B8NPs9__.js → useSkills-cxKXMBm3.js} +3 -3
  375. package/ccw/frontend/dist/assets/{useSkills-B8NPs9__.js.map → useSkills-cxKXMBm3.js.map} +1 -1
  376. package/ccw/frontend/dist/assets/{useSystemSettings-CVi7nKGJ.js → useSystemSettings-B-xUT_z-.js} +2 -2
  377. package/ccw/frontend/dist/assets/{useSystemSettings-CVi7nKGJ.js.map → useSystemSettings-B-xUT_z-.js.map} +1 -1
  378. package/ccw/frontend/dist/assets/{wand-sparkles-CLjPiU5w.js → wand-sparkles-DZV_3lPr.js} +2 -2
  379. package/ccw/frontend/dist/assets/{wand-sparkles-CLjPiU5w.js.map → wand-sparkles-DZV_3lPr.js.map} +1 -1
  380. package/ccw/frontend/dist/index.html +1 -1
  381. package/package.json +105 -105
  382. package/ccw/frontend/dist/assets/SettingsPage-BPDbXPSM.js.map +0 -1
package/.claude/skills/security-audit/phases/03-threat-modeling.md ADDED
@@ -0,0 +1,180 @@
1
+ # Phase 3: Threat Modeling (STRIDE)
2
+
3
+ Map STRIDE threat categories to architecture components, identify trust boundaries, and assess attack surface.
4
+
5
+ ## Objective
6
+
7
+ - Apply the STRIDE threat model to the project architecture
8
+ - Identify trust boundaries between system components
9
+ - Assess attack surface area per component
10
+ - Cross-reference with Phase 1 and Phase 2 findings
11
+
12
+ ## STRIDE Categories
13
+
14
+ | Category | Threat | Question | Typical Targets |
15
+ |----------|--------|----------|-----------------|
16
+ | **S** - Spoofing | Identity impersonation | Can an attacker pretend to be someone else? | Auth endpoints, API keys, session tokens |
17
+ | **T** - Tampering | Data modification | Can data be modified in transit or at rest? | Request bodies, database records, config files |
18
+ | **R** - Repudiation | Deniable actions | Can a user deny performing an action? | Audit logs, transaction records, user actions |
19
+ | **I** - Information Disclosure | Data leakage | Can sensitive data be exposed? | Error messages, logs, API responses, storage |
20
+ | **D** - Denial of Service | Availability disruption | Can the system be made unavailable? | API endpoints, resource-intensive operations |
21
+ | **E** - Elevation of Privilege | Unauthorized access | Can a user gain higher privileges? | Role checks, admin routes, permission logic |
22
+
23
+ ## Execution Steps
24
+
25
+ ### Step 1: Architecture Component Discovery
26
+
27
+ Identify major system components by scanning project structure.
28
+
29
+ ```bash
30
+ # Identify entry points (API routes, CLI commands, event handlers)
31
+ grep -rlE '(app\.(get|post|put|delete|patch|use)|router\.|@app\.route|@router\.)' \
32
+ --include='*.ts' --include='*.js' --include='*.py' . || true
33
+
34
+ # Identify data stores (database connections, file storage)
35
+ grep -rlE '(createConnection|mongoose\.connect|sqlite|redis|S3|createClient)' \
36
+ --include='*.ts' --include='*.js' --include='*.py' . || true
37
+
38
+ # Identify external service integrations
39
+ grep -rlE '(fetch|axios|http\.request|requests\.(get|post)|urllib)' \
40
+ --include='*.ts' --include='*.js' --include='*.py' . || true
41
+
42
+ # Identify auth/session components
43
+ grep -rlE '(jwt|passport|session|oauth|bcrypt|argon2|crypto)' \
44
+ --include='*.ts' --include='*.js' --include='*.py' . || true
45
+ ```
46
+
47
+ ### Step 2: Trust Boundary Identification
48
+
49
+ Map trust boundaries in the system:
50
+
51
+ 1. **External boundary**: User/browser <-> Application server
52
+ 2. **Service boundary**: Application <-> External APIs/services
53
+ 3. **Data boundary**: Application <-> Database/storage
54
+ 4. **Internal boundary**: Public routes <-> Authenticated routes <-> Admin routes
55
+ 5. **Process boundary**: Main process <-> Worker/subprocess
56
+
57
+ For each boundary, document:
58
+ - What crosses the boundary (data types, credentials)
59
+ - How the boundary is enforced (middleware, TLS, auth)
60
+ - What happens when enforcement fails
61
+
62
+ ### Step 3: STRIDE per Component
63
+
64
+ For each discovered component, systematically evaluate all 6 STRIDE categories:
65
+
66
+ **Spoofing Analysis**:
67
+ - Are authentication mechanisms in place at all entry points?
68
+ - Can API keys or tokens be forged or replayed?
69
+ - Are session tokens properly validated and rotated?
70
+
71
+ **Tampering Analysis**:
72
+ - Is input validation applied before processing?
73
+ - Are database queries parameterized?
74
+ - Can request bodies or headers be manipulated to alter behavior?
75
+ - Are file uploads validated for type and content?
76
+
77
+ **Repudiation Analysis**:
78
+ - Are user actions logged with sufficient detail (who, what, when)?
79
+ - Are logs tamper-proof or centralized?
80
+ - Can critical operations (payments, deletions) be traced to a user?
81
+
82
+ **Information Disclosure Analysis**:
83
+ - Do error responses leak stack traces or internal paths?
84
+ - Are sensitive fields (passwords, tokens) excluded from logs and API responses?
85
+ - Is PII properly handled (encryption at rest, masking in logs)?
86
+ - Do debug endpoints or verbose modes expose internals?
87
+
88
+ **Denial of Service Analysis**:
89
+ - Are rate limits applied to public endpoints?
90
+ - Can resource-intensive operations be triggered without limits?
91
+ - Are file upload sizes bounded?
92
+ - Are database queries bounded (pagination, timeouts)?
93
+
94
+ **Elevation of Privilege Analysis**:
95
+ - Are role/permission checks applied consistently?
96
+ - Can horizontal privilege escalation occur (accessing other users' data)?
97
+ - Can vertical escalation occur (user -> admin)?
98
+ - Are admin/debug routes properly protected?
99
+
100
+ ### Step 4: Attack Surface Assessment
101
+
102
+ Quantify the attack surface:
103
+
104
+ ```
105
+ Attack Surface = Sum of:
106
+ - Number of public API endpoints
107
+ - Number of external service integrations
108
+ - Number of user-controllable input points
109
+ - Number of privileged operations
110
+ - Number of data stores with sensitive content
111
+ ```
112
+
113
+ Rate each component:
114
+ - **High exposure**: Public-facing, handles sensitive data, complex logic
115
+ - **Medium exposure**: Authenticated access, moderate data sensitivity
116
+ - **Low exposure**: Internal only, no sensitive data, simple operations
117
+
118
+ ## Output
119
+
120
+ - **File**: `threat-model.json`
121
+ - **Location**: `${WORK_DIR}/threat-model.json`
122
+ - **Format**: JSON
123
+
124
+ ```json
125
+ {
126
+ "phase": "threat-modeling",
127
+ "timestamp": "ISO-8601",
128
+ "framework": "STRIDE",
129
+ "components": [
130
+ {
131
+ "name": "Component name",
132
+ "type": "api_endpoint|data_store|external_service|auth_module|worker",
133
+ "files": ["path/to/file.ts"],
134
+ "exposure": "high|medium|low",
135
+ "trust_boundaries": ["external", "data"],
136
+ "threats": {
137
+ "spoofing": {
138
+ "applicable": true,
139
+ "findings": ["Description of threat"],
140
+ "mitigations": ["Existing mitigation"],
141
+ "gaps": ["Missing mitigation"]
142
+ },
143
+ "tampering": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
144
+ "repudiation": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
145
+ "information_disclosure": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
146
+ "denial_of_service": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] },
147
+ "elevation_of_privilege": { "applicable": true, "findings": [], "mitigations": [], "gaps": [] }
148
+ }
149
+ }
150
+ ],
151
+ "trust_boundaries": [
152
+ {
153
+ "name": "Boundary name",
154
+ "from": "Component A",
155
+ "to": "Component B",
156
+ "enforcement": "TLS|auth_middleware|API_key",
157
+ "data_crossing": ["request bodies", "credentials"],
158
+ "risk_level": "high|medium|low"
159
+ }
160
+ ],
161
+ "attack_surface": {
162
+ "public_endpoints": 0,
163
+ "external_integrations": 0,
164
+ "input_points": 0,
165
+ "privileged_operations": 0,
166
+ "sensitive_data_stores": 0,
167
+ "total_score": 0
168
+ },
169
+ "summary": {
170
+ "components_analyzed": 0,
171
+ "threats_identified": 0,
172
+ "by_stride": { "S": 0, "T": 0, "R": 0, "I": 0, "D": 0, "E": 0 },
173
+ "high_exposure_components": 0
174
+ }
175
+ }
176
+ ```
177
+
178
+ ## Next Phase
179
+
180
+ Proceed to [Phase 4: Report & Tracking](04-report-tracking.md) with the threat model to generate the final scored audit report.
package/.claude/skills/security-audit/phases/04-report-tracking.md ADDED
@@ -0,0 +1,177 @@
1
+ # Phase 4: Report & Tracking
2
+
3
+ Generate scored audit report, compare with previous audits, and track trends.
4
+
5
+ ## Objective
6
+
7
+ - Calculate security score from all phase findings
8
+ - Compare with previous audit results (if available)
9
+ - Generate date-stamped report in `.workflow/.security/`
10
+ - Track improvement or regression trends
11
+
12
+ ## Prerequisites
13
+
14
+ - Phase 1: `supply-chain-report.json`
15
+ - Phase 2: `owasp-findings.json`
16
+ - Phase 3: `threat-model.json`
17
+ - Previous audit: `.workflow/.security/audit-report-*.json` (optional)
18
+
19
+ ## Execution Steps
20
+
21
+ ### Step 1: Aggregate Findings
22
+
23
+ Collect all findings from phases 1-3 and classify by severity.
24
+
25
+ ```
26
+ All findings =
27
+ supply-chain-report.findings
28
+ + owasp-findings.findings
29
+ + threat-model threats (where gaps exist)
30
+ ```
31
+
32
+ ### Step 2: Calculate Score
33
+
34
+ Apply scoring formula from [specs/scoring-gates.md](../specs/scoring-gates.md):
35
+
36
+ ```
37
+ Base score = 10.0
38
+
39
+ For each finding:
40
+ penalty = severity_weight / total_files_scanned
41
+ - Critical: weight = 10 (each critical finding has outsized impact)
42
+ - High: weight = 7
43
+ - Medium: weight = 4
44
+ - Low: weight = 1
45
+
46
+ Weighted penalty = SUM(finding_weight * count_per_severity) / normalization_factor
47
+ Final score = max(0, 10.0 - weighted_penalty)
48
+
49
+ Normalization factor = max(10, total_files_scanned)
50
+ ```
51
+
52
+ **Score interpretation**:
53
+
54
+ | Score | Rating | Meaning |
55
+ |-------|--------|---------|
56
+ | 9-10 | Excellent | Minimal risk, production-ready |
57
+ | 7-8 | Good | Acceptable risk, minor improvements needed |
58
+ | 5-6 | Fair | Notable risks, remediation recommended |
59
+ | 3-4 | Poor | Significant risks, remediation required |
60
+ | 0-2 | Critical | Severe vulnerabilities, immediate action needed |
61
+
62
+ ### Step 3: Gate Evaluation
63
+
64
+ **Daily quick-scan gate** (Phase 1 only):
65
+ - PASS: score >= 8/10
66
+ - FAIL: score < 8/10 -- block deployment or flag for review
67
+
68
+ **Comprehensive audit gate** (all phases):
69
+ - For initial/baseline: PASS if score >= 2/10 (establishes baseline)
70
+ - For subsequent: PASS if score >= previous_score (no regression)
71
+ - Target: score >= 7/10 for production readiness
72
+
73
+ ### Step 4: Trend Comparison
74
+
75
+ ```bash
76
+ # Find previous audit reports
77
+ ls -t .workflow/.security/audit-report-*.json 2>/dev/null | head -5
78
+ ```
79
+
80
+ Compare current vs. previous:
81
+ - Delta per OWASP category
82
+ - Delta per STRIDE category
83
+ - New findings vs. resolved findings
84
+ - Overall score trend
85
+
86
+ ### Step 5: Generate Report
87
+
88
+ Write the final report with all consolidated data.
89
+
90
+ ## Output
91
+
92
+ - **File**: `audit-report-{YYYY-MM-DD}.json`
93
+ - **Location**: `.workflow/.security/audit-report-{YYYY-MM-DD}.json`
94
+ - **Format**: JSON
95
+
96
+ ```json
97
+ {
98
+ "report": "security-audit",
99
+ "version": "1.0",
100
+ "timestamp": "ISO-8601",
101
+ "date": "YYYY-MM-DD",
102
+ "mode": "comprehensive|quick-scan",
103
+ "score": {
104
+ "overall": 7.5,
105
+ "rating": "Good",
106
+ "gate": "PASS|FAIL",
107
+ "gate_threshold": 8
108
+ },
109
+ "findings_summary": {
110
+ "total": 0,
111
+ "by_severity": { "critical": 0, "high": 0, "medium": 0, "low": 0 },
112
+ "by_phase": {
113
+ "supply_chain": 0,
114
+ "owasp": 0,
115
+ "stride": 0
116
+ },
117
+ "by_owasp": {
118
+ "A01": 0, "A02": 0, "A03": 0, "A04": 0, "A05": 0,
119
+ "A06": 0, "A07": 0, "A08": 0, "A09": 0, "A10": 0
120
+ },
121
+ "by_stride": { "S": 0, "T": 0, "R": 0, "I": 0, "D": 0, "E": 0 }
122
+ },
123
+ "top_risks": [
124
+ {
125
+ "rank": 1,
126
+ "title": "Most critical finding",
127
+ "severity": "critical",
128
+ "source_phase": "owasp",
129
+ "remediation": "How to fix",
130
+ "effort": "low|medium|high"
131
+ }
132
+ ],
133
+ "trend": {
134
+ "previous_date": "YYYY-MM-DD or null",
135
+ "previous_score": 0,
136
+ "score_delta": 0,
137
+ "new_findings": 0,
138
+ "resolved_findings": 0,
139
+ "direction": "improving|stable|regressing|baseline"
140
+ },
141
+ "phases_completed": ["supply-chain-scan", "owasp-review", "threat-modeling", "report-tracking"],
142
+ "files_scanned": 0,
143
+ "remediation_priority": [
144
+ {
145
+ "priority": 1,
146
+ "finding": "Finding title",
147
+ "effort": "low",
148
+ "impact": "high",
149
+ "recommendation": "Specific action"
150
+ }
151
+ ]
152
+ }
153
+ ```
154
+
155
+ ## Report Storage
156
+
157
+ ```bash
158
+ # Ensure directory exists
159
+ mkdir -p .workflow/.security
160
+
161
+ # Write report with date stamp
162
+ DATE=$(date +%Y-%m-%d)
163
+ cp "${WORK_DIR}/audit-report.json" ".workflow/.security/audit-report-${DATE}.json"
164
+
165
+ # Also maintain latest copies of phase outputs
166
+ cp "${WORK_DIR}/supply-chain-report.json" ".workflow/.security/" 2>/dev/null || true
167
+ cp "${WORK_DIR}/owasp-findings.json" ".workflow/.security/" 2>/dev/null || true
168
+ cp "${WORK_DIR}/threat-model.json" ".workflow/.security/" 2>/dev/null || true
169
+ ```
170
+
171
+ ## Completion
172
+
173
+ After report generation, output skill completion status per the Completion Status Protocol:
174
+
175
+ - **DONE**: All phases completed, report generated, score calculated
176
+ - **DONE_WITH_CONCERNS**: Report generated but score below target or regression detected
177
+ - **BLOCKED**: Phase data missing or corrupted