codecruise 0.1.0

package/config/agents/stack/fastify/rules/security.md

@@ -0,0 +1,384 @@
+# Security Rules - Fastify
+
+Authentication, authorization, and protection patterns.
+
+---
+
+## Authentication
+
+### SEC-001: Use secure token generation
+
+```typescript
+import { randomBytes, createHash } from 'crypto';
+
+// For refresh tokens, API keys
+function generateSecureToken(): string {
+  return randomBytes(32).toString('hex'); // 64 chars
+}
+
+// For password reset tokens (shorter-lived)
+function generateResetToken(): string {
+  return randomBytes(16).toString('hex'); // 32 chars
+}
+
+// Hash tokens before storing
+function hashToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex');
+}
+```
+
+### SEC-002: Implement JWT correctly
+
+```typescript
+import jwt from 'jsonwebtoken';
+
+const ACCESS_TOKEN_EXPIRY = '15m';
+const REFRESH_TOKEN_EXPIRY = '7d';
+
+interface TokenPayload {
+  sub: string;      // User ID
+  role: string;
+  type: 'access' | 'refresh';
+}
+
+function signAccessToken(userId: string, role: string): string {
+  return jwt.sign(
+    { sub: userId, role, type: 'access' },
+    process.env.JWT_SECRET!,
+    { expiresIn: ACCESS_TOKEN_EXPIRY }
+  );
+}
+
+function signRefreshToken(userId: string): string {
+  return jwt.sign(
+    { sub: userId, type: 'refresh' },
+    process.env.JWT_REFRESH_SECRET!, // Different secret!
+    { expiresIn: REFRESH_TOKEN_EXPIRY }
+  );
+}
+```
+
+### SEC-003: Store passwords securely
+
+```typescript
+import bcrypt from 'bcrypt';
+
+const SALT_ROUNDS = 12;
+
+async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
+
+// Never store plaintext passwords
+// Never log passwords
+// Never return password hash in API responses
+```
+
+### SEC-004: Implement account lockout
+
+```typescript
+const MAX_FAILED_ATTEMPTS = 5;
+const LOCKOUT_DURATION = 15 * 60 * 1000; // 15 minutes
+
+async function handleLogin(email: string, password: string) {
+  const user = await db.user.findUnique({ where: { email } });
+
+  if (!user) {
+    // Don't reveal if user exists
+    throw new AuthError('Invalid credentials');
+  }
+
+  if (user.lockedUntil && user.lockedUntil > new Date()) {
+    throw new AuthError('Account locked. Try again later.');
+  }
+
+  const valid = await verifyPassword(password, user.password);
+
+  if (!valid) {
+    const attempts = user.failedAttempts + 1;
+    const updates: any = { failedAttempts: attempts };
+
+    if (attempts >= MAX_FAILED_ATTEMPTS) {
+      updates.lockedUntil = new Date(Date.now() + LOCKOUT_DURATION);
+    }
+
+    await db.user.update({ where: { id: user.id }, data: updates });
+    throw new AuthError('Invalid credentials');
+  }
+
+  // Reset on success
+  await db.user.update({
+    where: { id: user.id },
+    data: { failedAttempts: 0, lockedUntil: null },
+  });
+
+  return user;
+}
+```
+
+---
+
+## Authorization
+
+### SEC-005: Implement RBAC
+
+```typescript
+type Role = 'USER' | 'ADMIN' | 'SUPER_ADMIN';
+
+const permissions: Record<Role, string[]> = {
+  USER: ['read:own', 'write:own'],
+  ADMIN: ['read:own', 'write:own', 'read:all', 'write:all'],
+  SUPER_ADMIN: ['read:own', 'write:own', 'read:all', 'write:all', 'manage:users'],
+};
+
+function hasPermission(role: Role, permission: string): boolean {
+  return permissions[role]?.includes(permission) ?? false;
+}
+
+// Middleware
+function requirePermission(permission: string) {
+  return async (request: FastifyRequest, reply: FastifyReply) => {
+    if (!hasPermission(request.user.role, permission)) {
+      return reply.status(403).send({
+        error: { code: 'FORBIDDEN', message: 'Insufficient permissions' }
+      });
+    }
+  };
+}
+```
+
+### SEC-006: Validate resource ownership
+
+```typescript
+async function getOrder(request: FastifyRequest<{ Params: { id: string } }>) {
+  const order = await db.order.findUnique({
+    where: { id: request.params.id },
+  });
+
+  if (!order) {
+    throw new NotFoundError('Order');
+  }
+
+  // Validate ownership (unless admin)
+  if (order.userId !== request.user.id && request.user.role !== 'ADMIN') {
+    throw new ForbiddenError('Not your order');
+  }
+
+  return { data: order };
+}
+```
+
+### SEC-007: Use scoped tokens for specific actions
+
+```typescript
+// Email verification token
+function generateVerificationToken(userId: string): string {
+  return jwt.sign(
+    { sub: userId, action: 'verify-email' },
+    process.env.JWT_SECRET!,
+    { expiresIn: '24h' }
+  );
+}
+
+// Password reset token
+function generatePasswordResetToken(userId: string): string {
+  return jwt.sign(
+    { sub: userId, action: 'reset-password' },
+    process.env.JWT_SECRET!,
+    { expiresIn: '1h' }
+  );
+}
+
+// Verify with action check
+function verifyActionToken(token: string, expectedAction: string) {
+  const payload = jwt.verify(token, process.env.JWT_SECRET!);
+
+  if (payload.action !== expectedAction) {
+    throw new AuthError('Invalid token');
+  }
+
+  return payload;
+}
+```
+
+---
+
+## Input Protection
+
+### SEC-008: Sanitize user input
+
+```typescript
+import DOMPurify from 'isomorphic-dompurify';
+
+// For HTML content (if allowed)
+function sanitizeHtml(input: string): string {
+  return DOMPurify.sanitize(input, {
+    ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'a', 'p'],
+    ALLOWED_ATTR: ['href'],
+  });
+}
+
+// For plain text - strip all HTML
+function sanitizePlainText(input: string): string {
+  return DOMPurify.sanitize(input, { ALLOWED_TAGS: [] });
+}
+```
+
+### SEC-009: Prevent NoSQL injection (if using MongoDB)
+
+```typescript
+// BAD - user can inject operators
+const user = await db.collection('users').findOne({
+  email: request.body.email, // { "$ne": null } would match all
+});
+
+// GOOD - validate type
+const emailSchema = z.string().email();
+const email = emailSchema.parse(request.body.email);
+
+// Or sanitize
+function sanitizeMongoInput(input: unknown): unknown {
+  if (typeof input === 'object' && input !== null) {
+    const keys = Object.keys(input);
+    if (keys.some(k => k.startsWith('$'))) {
+      throw new ValidationError('Invalid input');
+    }
+  }
+  return input;
+}
+```
+
+### SEC-010: Rate limit sensitive endpoints
+
+```typescript
+import rateLimit from '@fastify/rate-limit';
+
+// Global rate limit
+await fastify.register(rateLimit, {
+  max: 100,
+  timeWindow: '1 minute',
+});
+
+// Stricter for auth
+fastify.register(async (instance) => {
+  await instance.register(rateLimit, {
+    max: 5,
+    timeWindow: '15 minutes',
+    keyGenerator: (request) => request.ip,
+  });
+
+  instance.post('/auth/login', loginHandler);
+  instance.post('/auth/register', registerHandler);
+  instance.post('/auth/forgot-password', forgotPasswordHandler);
+});
+
+// Even stricter for password reset
+fastify.post('/auth/reset-password', {
+  config: {
+    rateLimit: {
+      max: 3,
+      timeWindow: '1 hour',
+    },
+  },
+}, resetPasswordHandler);
+```
+
+---
+
+## Headers & CORS
+
+### SEC-011: Set security headers
+
+```typescript
+import helmet from '@fastify/helmet';
+
+await fastify.register(helmet, {
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", 'data:', 'https:'],
+    },
+  },
+  hsts: {
+    maxAge: 31536000,
+    includeSubDomains: true,
+  },
+});
+```
+
+### SEC-012: Configure CORS properly
+
+```typescript
+import cors from '@fastify/cors';
+
+await fastify.register(cors, {
+  origin: (origin, cb) => {
+    const allowedOrigins = [
+      'https://app.example.com',
+      'https://admin.example.com',
+    ];
+
+    if (process.env.NODE_ENV === 'development') {
+      allowedOrigins.push('http://localhost:3000');
+    }
+
+    if (!origin || allowedOrigins.includes(origin)) {
+      cb(null, true);
+    } else {
+      cb(new Error('Not allowed by CORS'), false);
+    }
+  },
+  credentials: true,
+  methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE'],
+});
+```
+
+---
+
+## Audit & Logging
+
+### SEC-013: Log security events
+
+```typescript
+// Log authentication events
+logger.info('Login successful', { userId, ip: request.ip });
+logger.warn('Login failed', { email, ip: request.ip, reason: 'invalid_password' });
+logger.warn('Account locked', { userId, ip: request.ip });
+
+// Log authorization failures
+logger.warn('Access denied', {
+  userId: request.user?.id,
+  resource: request.url,
+  permission: 'write:all',
+});
+
+// Log sensitive operations
+logger.info('Password changed', { userId });
+logger.info('User deleted', { deletedUserId, deletedBy: request.user.id });
+```
+
+### SEC-014: Never log sensitive data
+
+```typescript
+// BAD
+logger.info('Login', { email, password });
+logger.info('Payment', { cardNumber, cvv });
+
+// GOOD
+logger.info('Login', { email });
+logger.info('Payment', { cardLast4: card.slice(-4), amount });
+
+// Redact in error serialization
+function serializeError(error: Error) {
+  return {
+    message: error.message,
+    // Never include: stack (in prod), request body, headers
+  };
+}
+```

package/config/agents/stack/index.yaml

@@ -0,0 +1,48 @@
+# Stack Agents Registry
+# Loaded at startup (~80 tokens)
+# Full agents loaded on-demand when workspace matches
+
+version: '1.0.0'
+
+agents:
+  shared-ts:
+    description: TypeScript foundation - strict mode, patterns, zod schemas
+    triggers: ['*.ts', '*.tsx', 'typescript', 'types', 'zod', 'schema']
+    dependencies: []
+    priority: 1  # Load first (foundation)
+    token_budget: 800
+
+  nextjs:
+    description: Next.js App Router, Tailwind, shadcn/ui patterns
+    triggers: ['next.config', 'app/', 'pages/', 'tailwind', 'shadcn', '@/components']
+    dependencies: [shared-ts]
+    priority: 2
+    token_budget: 800
+
+  expo:
+    description: React Native + Expo SDK, navigation, native modules
+    triggers: ['app.json', 'expo', 'react-native', 'navigation', 'native']
+    dependencies: [shared-ts]
+    priority: 2
+    token_budget: 800
+
+  fastify:
+    description: Fastify APIs, BullMQ queues, RabbitMQ messaging
+    triggers: ['fastify', 'bullmq', 'rabbitmq', 'api/', 'routes/', 'queue']
+    dependencies: [shared-ts]
+    priority: 2
+    token_budget: 800
+
+# Loading strategy:
+# 1. This index always loaded (~80 tokens)
+# 2. Orchestrator detects workspace agents from CLAUDE.md or package.json
+# 3. Load shared-ts first if any TypeScript workspace
+# 4. Load stack agents based on workspace triggers
+# 5. Load rules on-demand when applying patterns (~200 tokens each)
+
+# Token budget strategy:
+# - Orchestrator: 500 tokens (always)
+# - Per agent: 800 tokens (AGENT.md summary)
+# - Per rule: 200 tokens (on-demand)
+# - Max concurrent: 3 agents
+# - Total max: 500 + (3 x 800) + (5 x 200) = 3,900 tokens