npm - code-ai-installer - Versions diffs - 1.2.0 → 1.3.0 - Mend

code-ai-installer 1.2.0 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (925) hide show

package/locales/en/.agents/security_review/SKILL.md CHANGED Viewed

@@ -1,55 +1,277 @@
----
-name: security_review
-description: AppSec review for endpoints/authorization/input/secrets/sensitive features. Checklist + patterns (OWASP baseline).
----
-# Skill: Security Review (AppSec)
-## When to activate
-- New API endpoints
-- AuthN/AuthZ
-- User input / file uploads
-- Secrets/credentials
-- Payments/PII/sensitive data
-- Third-party integrations
-## Checklist (minimum)
-1) Secrets management
-- No hardcode, no secrets in logs/errors
-- Secrets live in env/secret manager, there is a check for availability
-2) Input validation
-- Border schemes (whitelist validation)
-- Bugs don't reveal the insides
-3) Injection
-- SQL/NoSQL/command: no concatenations, only parameterization/ORM
-4) AuthN/AuthZ
-- Tokens not in localStorage (if applicable), preferably httpOnly cookies
-- AuthZ checks before critical operations
-- RLS/data policies (if you use Supabase/analogue)
-5) XSS/CSP
-- Sanitize custom HTML (if any)
-- CSP/headers if required by the architecture
-6) CSRF (if cookie-based sessions)
-- CSRF tokens / SameSite=Strict, double-submit pattern if necessary
-7) Rate limiting
-- Basic limits on API, stricter for expensive endpoints
-8) Sensitive data exposure
-- No PII/secrets in logs
-- No stack trace for user
-9) Dependency security
-- audit/lockfile/reproducible install
-## Exit
-- Findings P0/P1/P2 + specific fixes
-- What to add to security tests (auth/authz/validation/rate limiting)
-## See also
-- Examples and anti-examples: $review_reference_snippets
+---
+name: security_review
+description: AppSec review for endpoints/authorization/input/secrets/sensitive features. Checklist + patterns (OWASP baseline).
+---
+# Skill: Security Review (AppSec)
+Deep review security code: from secrets to injection.
+**Sections:**
+1. [When to activate](#1-when)
+2. [Checklist](#2-checklist)
+3. [DO / DON'T Examples](#3-examples)
+4. [Automated Scans](#4-automated)
+5. [Output Template](#5-output)
+---
+## 1. When to activate
+| Trigger | Depth |
+|---------|-------|
+| New API endpoint | Full review |
+| AuthN/AuthZ changes | Focus: auth section |
+| User input / file uploads | Focus: injection, XSS |
+| Secrets/credentials touched | Focus: secrets |
+| Payments / PII / sensitive data | Full review + GDPR check |
+| Third-party integration | Focus: SSRF, secrets, injection |
+| Webhook handler | Focus: auth, injection, idempotency |
+---
+## 2. Checklist
+### 2.1 Secrets Management
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-01 | No hardcoded secrets (passwords, API keys, tokens) | 🔴 P0 | ☐ |
+| SEC-02 | Secrets in env vars only, `.env.example` committed (no values) | 🔴 P0 | ☐ |
+| SEC-03 | pino redact configured for `password`, `token`, `authorization`, `cookie` | 🟠 P1 | ☐ |
+| SEC-04 | `.gitignore` includes `.env`, `*.pem`, `*.key` | 🔴 P0 | ☐ |
+| SEC-05 | Secrets validated at startup (fail fast if missing) | 🟠 P1 | ☐ |
+### 2.2 Input Validation
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-06 | Zod schema on every endpoint (whitelist approach) | 🔴 P0 | ☐ |
+| SEC-07 | Validation in middleware, before business logic | 🟠 P1 | ☐ |
+| SEC-08 | Error response doesn't expose internals (no Mongoose, no stack) | 🔴 P0 | ☐ |
+| SEC-09 | Numeric/string limits enforced (max length, min/max value) | 🟠 P1 | ☐ |
+### 2.3 Injection
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-10 | No string concatenation for queries (`Model.find(req.query)` = P0) | 🔴 P0 | ☐ |
+| SEC-11 | Safe filter builder for MongoDB (no `$where`, no user `$` operators) | 🔴 P0 | ☐ |
+| SEC-12 | No `eval()`, `Function()`, `child_process.exec(userInput)` | 🔴 P0 | ☐ |
+| SEC-13 | Mongoose `strictQuery: true` | 🟠 P1 | ☐ |
+### 2.4 Auth & AuthZ
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-14 | Auth check on every protected endpoint | 🔴 P0 | ☐ |
+| SEC-15 | IDOR prevention: verify ownership before data access | 🔴 P0 | ☐ |
+| SEC-16 | Tokens not in localStorage (prefer httpOnly cookies or server-side) | 🟠 P1 | ☐ |
+| SEC-17 | JWT expiration enforced, refresh flow defined | 🟠 P1 | ☐ |
+### 2.5 XSS & CSP
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-18 | No `dangerouslySetInnerHTML` without DOMPurify | 🔴 P0 | ☐ |
+| SEC-19 | User-generated content sanitized before rendering | 🔴 P0 | ☐ |
+| SEC-20 | Helmet configured with CSP (if applicable) | 🟠 P1 | ☐ |
+### 2.6 CSRF
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-21 | Cookie-based auth: `SameSite=Strict/Lax` | 🟠 P1 | ☐ |
+| SEC-22 | CSRF token for state-changing operations (if cookie auth) | 🟠 P1 | ☐ |
+### 2.7 Rate Limiting
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-23 | Rate limiting on public endpoints | 🟠 P1 | ☐ |
+| SEC-24 | Stricter limits on auth endpoints (login, register) | 🟠 P1 | ☐ |
+| SEC-25 | Rate limiting on expensive operations (file upload, search) | 🟡 P2 | ☐ |
+### 2.8 Data Exposure
+| # | Check | Severity | Status |
+|---|-------|----------|--------|
+| SEC-26 | No stack trace in production error responses | 🔴 P0 | ☐ |
+| SEC-27 | No PII/secrets in logs | 🔴 P0 | ☐ |
+| SEC-28 | `.select()` on queries — don't return unnecessary fields | 🟠 P1 | ☐ |
+| SEC-29 | Response doesn't include internal IDs unnecessarily | 🟡 P2 | ☐ |
+---
+## 3. DO / DON'T Examples
+### Input Validation
+```javascript
+// ❌ DON'T: No validation, raw body to DB
+router.post('/coupons', async (req, res) => {
+  const coupon = await Coupon.create(req.body); // NoSQL injection risk!
+  res.json(coupon);
+});
+// ✅ DO: Zod validation middleware, safe create
+router.post('/coupons', validate(createCouponSchema), async (req, res) => {
+  const coupon = await couponService.create(req.validated);
+  res.status(201).json({ data: coupon });
+});
+```
+### NoSQL Injection
+```javascript
+// ❌ DON'T: User input directly in query
+const user = await User.findOne({ email: req.query.email }); // $gt injection
+// Attack: ?email[$gt]= → matches ALL documents
+// ✅ DO: Safe filter builder
+const email = String(req.query.email); // Force string, strip operators
+const user = await User.findOne({ email });
+```
+### IDOR (Insecure Direct Object Reference)
+```javascript
+// ❌ DON'T: No ownership check
+router.get('/settings/:id', async (req, res) => {
+  const settings = await Settings.findById(req.params.id);
+  res.json(settings); // Any user can read ANY settings!
+});
+// ✅ DO: Verify ownership
+router.get('/settings/:id', auth, async (req, res) => {
+  const settings = await Settings.findOne({
+    _id: req.params.id,
+    appInstanceId: req.appInstanceId  // Only own data
+  });
+  if (!settings) return res.status(404).json({ error: { code: 'NOT_FOUND' } });
+  res.json({ data: settings });
+});
+```
+### Error Exposure
+```javascript
+// ❌ DON'T: Expose internals
+app.use((err, req, res, next) => {
+  res.status(500).json({
+    error: err.message,    // Mongoose error with field names
+    stack: err.stack,      // Full stack trace!
+    query: err.query       // DB query details!
+  });
+});
+// ✅ DO: Safe error handler
+app.use((err, req, res, next) => {
+  req.log.error({ err, requestId: req.id }, 'Unhandled error');
+  res.status(500).json({
+    error: { code: 'INTERNAL_ERROR', message: 'Something went wrong' }
+  });
+});
+```
+### Secrets in Code
+```javascript
+// ❌ DON'T
+const API_KEY = 'sk-live-abc123xyz';  // Hardcoded!
+console.log('Token:', user.refreshToken); // PII in logs!
+// ✅ DO
+const API_KEY = process.env.WIX_APP_SECRET;
+if (!API_KEY) throw new Error('WIX_APP_SECRET is required');
+logger.info({ userId: user.id }, 'User authenticated'); // No token
+```
+---
+## 4. Automated Scans
+### Grep patterns
+```bash
+# 🔴 P0 — Immediate action
+grep_search: Query="eval("                         → Code injection
+grep_search: Query="dangerouslySetInnerHTML"        → XSS risk
+grep_search: Query="password.*=.*['\"]"             → Hardcoded secret
+grep_search: Query="apiKey.*=.*['\"]"               → Hardcoded secret
+grep_search: Query="Model.find(req."               → NoSQL injection
+grep_search: Query="child_process"                  → Command injection risk
+grep_search: Query="\\$where"                       → MongoDB $where injection
+# 🟠 P1 — Review needed
+grep_search: Query="console.log"                    → Replace with pino
+grep_search: Query="localStorage.setItem.*token"    → Token in storage
+grep_search: Query="res.status(500).json.*err"      → Error exposure
+grep_search: Query="cors({ origin: '*'"             → Open CORS
+```
+### CLI commands
+```bash
+# Dependency audit
+npm audit --audit-level=high
+# Secret scanning
+npx secretlint "**/*"
+# Outdated packages
+npm outdated
+```
+---
+## 5. Output Template
+```markdown
+# Security Review Report
+**Scope:** <PR/feature/module>
+**Reviewer:** Reviewer Agent
+**Date:** YYYY-MM-DD
+**OWASP categories checked:** 8/10
+## Findings
+| # | Severity | Category | File:Line | Finding | Fix |
+|---|----------|----------|-----------|---------|-----|
+| 1 | 🔴 P0 | Injection | `routes/settings.js:32` | Raw `req.body` passed to `Model.create()` | Add Zod validation middleware |
+| 2 | 🔴 P0 | IDOR | `controllers/coupon.js:18` | No ownership check on DELETE | Verify `appInstanceId` match |
+| 3 | 🟠 P1 | Headers | `server.js` | No Helmet middleware | Add `app.use(helmet())` |
+## Automated Scan Results
+| Scan | Result |
+|------|--------|
+| npm audit | ✅ No high/critical |
+| secretlint | ✅ Clean |
+| grep: eval/exec | ✅ Clean |
+| grep: hardcoded secrets | ⚠️ 1 finding (SEC-01) |
+## Checklist Summary
+- P0: X findings (must fix)
+- P1: Y findings (should fix)
+- P2: Z findings (optional)
+## Security Test Recommendations
+- [ ] Test: invalid input → 400 (not 500)
+- [ ] Test: wrong appInstanceId → 403
+- [ ] Test: duplicate create → 409
+- [ ] Test: missing auth → 401
+## Verdict
+- ✅ SECURE — no P0/P1
+- ⚠️ CONDITIONAL — fix P0 before merge
+- ❌ BLOCKED — critical vulnerabilities found
+```
+---
+## See also
+- `$security_baseline_dev` — implementation patterns (Zod, Helmet, safe filter)
+- `$threat_model_baseline` — architecture-level threat model
+- `$code_review_checklist` — general code review
+- `$review_reference_snippets` — more DO/DON'T examples

package/locales/en/.agents/security_review_baseline/SKILL.md CHANGED Viewed

@@ -1,25 +1,119 @@
 ---
 name: security_review_baseline
-description: Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secure logs/errors, least privilege.
+description: Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege.
 ---
 # Skill: Security Review Baseline
-## Check (minimum)
-- Input validation on boundaries (API/forms)
-- AuthN/AuthZ: server checks rights, client is not trusted
-- Errors: no leak stacktrace/SQL/configs/PII
-- Secrets: no keys/tokens in repo and logs
-- SSRF: if there is a fetch of external URLs → allowlist/block of internal addresses
-- XSS: escaping/sanitizing (if there is custom HTML)
-- CSRF: if cookie-based sessions → protection (tokens/sameSite)
-- Rate limiting / brute force for sensitive endpoints (if needed)
-- Audit trail for critical operations (if threat model is required)
-## Exit
-- P0 security blockers
-- P1 security issues
-- Recommended measures (specifically)
+Quick security-review by the baseline checklist. For deep review → `$security_review`.
+> **When use:** Quick baseline with each review (5-10 min).
+> **For deep review** specific areas → `$security_review`.
+**Sections:**
+1. [Quick Checklist](#1-checklist)
+2. [Automated Scan](#2-scan)
+3. [Quick Reference](#3-reference)
+4. [Output Template](#4-output)
+---
+## 1. Quick Checklist
+| # | Category | Check | Severity | Status |
+|---|----------|-------|----------|--------|
+| SB-01 | **Secrets** | No hardcoded passwords/tokens/API keys in code | 🔴 P0 | ☐ |
+| SB-02 | **Secrets** | No secrets in logs or error responses | 🔴 P0 | ☐ |
+| SB-03 | **Secrets** | `.env` in `.gitignore`, `.env.example` committed | 🔴 P0 | ☐ |
+| SB-04 | **Validation** | Zod/schema validation on every API endpoint | 🔴 P0 | ☐ |
+| SB-05 | **Validation** | Error responses don't expose internals (no stack, no DB errors) | 🔴 P0 | ☐ |
+| SB-06 | **Auth** | Server-side auth check on protected endpoints | 🔴 P0 | ☐ |
+| SB-07 | **Auth** | IDOR prevention (ownership verification before data access) | 🔴 P0 | ☐ |
+| SB-08 | **Injection** | No `eval()`, `Function()`, `child_process.exec(userInput)` | 🔴 P0 | ☐ |
+| SB-09 | **Injection** | No raw user input in DB queries (NoSQL injection) | 🔴 P0 | ☐ |
+| SB-10 | **XSS** | No `dangerouslySetInnerHTML` without sanitize | 🔴 P0 | ☐ |
+| SB-11 | **CSRF** | Cookie auth → `SameSite=Strict/Lax` + CSRF token | 🟠 P1 | ☐ |
+| SB-12 | **SSRF** | User-controlled URL fetch → allowlist + block internal ranges | 🔴 P0 | ☐ |
+| SB-13 | **Rate Limit** | Rate limiting on public/expensive endpoints | 🟠 P1 | ☐ |
+| SB-14 | **Logging** | No PII in logs (email masked, no passwords/tokens) | 🔴 P0 | ☐ |
+| SB-15 | **Logging** | Audit trail for critical operations | 🟠 P1 | ☐ |
+| SB-16 | **Deps** | `npm audit` — no high/critical vulnerabilities | 🟠 P1 | ☐ |
+| SB-17 | **Headers** | Helmet configured (or security headers set) | 🟠 P1 | ☐ |
+---
+## 2. Automated Scan
+Run these during every review:
+```bash
+# 🔴 P0 checks
+grep_search: Query="eval("                          → Code injection
+grep_search: Query="dangerouslySetInnerHTML"         → XSS risk
+grep_search: Query="password.*=.*['\"]"              → Hardcoded secret
+grep_search: Query="apiKey.*=.*['\"]"                → Hardcoded secret
+grep_search: Query="token.*=.*['\"]"                 → Hardcoded secret
+grep_search: Query="Model.find(req."                → NoSQL injection
+grep_search: Query="child_process"                   → Command injection
+grep_search: Query="\\$where"                        → MongoDB injection
+# 🟠 P1 checks
+grep_search: Query="console.log"                     → Replace with pino
+grep_search: Query="cors({ origin: '*'"              → Open CORS
+grep_search: Query="eslint-disable"                  → Rule bypass
+# CLI
+npm audit --audit-level=high
+```
+---
+## 3. Quick Reference
+For DO/DON'T examples → see `$review_reference_snippets`:
+- Secrets: sections A, B
+- Validation: section C
+- Errors: section D
+- Injection: sections E, E2
+- Auth: section G
+- XSS: section I
+- SSRF: section J
+- CSRF: section H
+---
+## 4. Output Template
+```markdown
+# Security Baseline Check
+**Scope:** <PR/module>
+**Date:** YYYY-MM-DD
+## Quick Scan Results
+| Check | Result |
+|-------|--------|
+| Hardcoded secrets | ✅ Clean |
+| eval/exec | ✅ Clean |
+| npm audit | ⚠️ 1 moderate |
+| XSS risk | ✅ Clean |
+## Findings
+| # | Severity | Check | File:Line | Finding | Fix |
+|---|----------|-------|-----------|---------|-----|
+| 1 | 🔴 P0 | SB-07 | `routes/settings.js:25` | No ownership check | Add appInstanceId verification |
+## Summary
+- P0: X findings → must fix
+- P1: Y findings → should fix
+## Need deeper review?
+→ Activate `$security_review` for: [auth / injection / SSRF / etc.]
+```
+---
 ## See also
-- Examples and anti-examples: $review_reference_snippets
+- `$security_review` — deep AppSec review (29 checks)
+- `$review_reference_snippets` — DO/DON'T code examples (A-V)
+- `$threat_model_baseline` — architecture-level threats

package/locales/en/.agents/security_review_baseline/agents/claude.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "name": "security_review_baseline",
   "display_name": "Security Review Baseline",
-  "description": "Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secure logs/errors, least privilege.",
+  "description": "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege.",
   "default_prompt": "Use $security_review_baseline when the task matches the \"Security Review Baseline\" skill.",
   "triggers": [
     "security_review_baseline",
     "security review baseline",
-    "Security review based on baseline"
+    "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege"
   ],
   "capabilities": [
     "security",

package/locales/en/.agents/security_review_baseline/agents/copilot.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "name": "security_review_baseline",
   "display_name": "Security Review Baseline",
-  "description": "Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secure logs/errors, least privilege.",
+  "description": "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege.",
   "default_prompt": "Use $security_review_baseline when the task matches the \"Security Review Baseline\" skill.",
   "triggers": [
     "security_review_baseline",
     "security review baseline",
-    "Security review based on baseline"
+    "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege"
   ],
   "capabilities": [
     "security",

package/locales/en/.agents/security_review_baseline/agents/gemini.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "name": "security_review_baseline",
   "display_name": "Security Review Baseline",
-  "description": "Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secure logs/errors, least privilege.",
+  "description": "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege.",
   "default_prompt": "Use $security_review_baseline when the task matches the \"Security Review Baseline\" skill.",
   "triggers": [
     "security_review_baseline",
     "security review baseline",
-    "Security review based on baseline"
+    "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege"
   ],
   "capabilities": [
     "security",

package/locales/en/.agents/security_review_baseline/agents/openai.yaml CHANGED Viewed

@@ -1,6 +1,6 @@
 interface:
   display_name: "Security Review Baseline"
-  short_description: "Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secu…"
+  short_description: "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs…"
   default_prompt: "Use $security_review_baseline when the task matches the \"Security Review Baseline\" skill."
 dependencies:
   tools: []

package/locales/en/.agents/security_review_baseline/agents/qwen.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
   "name": "security_review_baseline",
   "display_name": "Security Review Baseline",
-  "description": "Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secure logs/errors, least privilege.",
+  "description": "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege.",
   "default_prompt": "Use $security_review_baseline when the task matches the \"Security Review Baseline\" skill.",
   "triggers": [
     "security_review_baseline",
     "security review baseline",
-    "Security review based on baseline"
+    "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege"
   ],
   "capabilities": [
     "security",

package/locales/en/.agents/security_review_baseline/agents/skill.yaml CHANGED Viewed

@@ -1,12 +1,12 @@
 version: 1
 name: "security_review_baseline"
 display_name: "Security Review Baseline"
-description: "Security review based on baseline: OWASP risks, authz, validation, SSRF/XSS/CSRF, secrets, secure logs/errors, least privilege."
+description: "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege."
 default_prompt: "Use $security_review_baseline when the task matches the \"Security Review Baseline\" skill."
 triggers:
   - "security_review_baseline"
   - "security review baseline"
-  - "Security review based on baseline"
+  - "Security review by baseline — OWASP-risks, authz, validation, SSRF/XSS/CSRF, secrets, safe logs/errors, least privilege"
 capabilities:
   - "security"
   - "review"