codingbuddy-rules 4.3.0 → 4.4.0

package/.ai-rules/skills/security-audit/SKILL.md

@@ -0,0 +1,241 @@
+---
+name: security-audit
+description: Use when reviewing code for security vulnerabilities, before shipping features, or conducting security assessments. Covers OWASP Top 10, secrets exposure, authentication, and authorization flaws.
+---
+
+# Security Audit
+
+## Overview
+
+Security vulnerabilities are invisible until exploited. This skill provides a systematic approach to finding them before attackers do.
+
+**Core principle:** ASSUME BREACH. Review every input, every output, every boundary.
+
+**Iron Law:**
+```
+NO SECURITY REVIEW WITHOUT THREAT MODELING FIRST
+```
+
+## When to Use
+
+- Before merging any authentication or authorization code
+- Before shipping features that handle user data
+- When adding third-party dependencies
+- After environment variable / secrets changes
+- Periodic security sweeps on production code
+- Reviewing MCP server endpoints (especially SSE/HTTP transport)
+
+## The Four Phases
+
+### Phase 1: Threat Modeling
+
+**Before reviewing any code:**
+
+1. **Identify Assets** — What are we protecting? (user data, tokens, credentials, business logic)
+2. **Identify Attack Surfaces** — HTTP endpoints, file uploads, environment vars, third-party integrations
+3. **Identify Threat Actors** — External attackers, malicious insiders, compromised dependencies
+4. **Map Data Flow** — Where does sensitive data enter, travel, and exit?
+
+### Phase 2: OWASP Top 10 Checklist
+
+Work through each category systematically:
+
+#### A01: Broken Access Control
+```
+- [ ] Every endpoint checks authentication
+- [ ] Authorization verified per-resource, not just per-route
+- [ ] IDOR: Can user A access user B's data by changing ID?
+- [ ] Admin routes protected from regular users
+- [ ] CORS policy restricts allowed origins
+```
+
+#### A02: Cryptographic Failures
+```
+- [ ] No plaintext passwords stored
+- [ ] Sensitive data encrypted at rest (PII, tokens, keys)
+- [ ] TLS enforced for all connections
+- [ ] Weak algorithms absent (MD5, SHA1 for passwords, DES)
+- [ ] Secrets not in code, logs, or URLs
+```
+
+#### A03: Injection
+```sql
+-- ❌ SQL Injection vulnerable
+db.query(`SELECT * FROM users WHERE id = ${userId}`);
+
+-- ✅ Parameterized
+db.query('SELECT * FROM users WHERE id = ?', [userId]);
+```
+
+```typescript
+// ❌ Command Injection
+exec(`ls ${userInput}`);
+
+// ✅ Safe
+execFile('ls', [userInput]);
+```
+
+```typescript
+// ❌ XSS
+element.innerHTML = userInput;
+
+// ✅ Safe
+element.textContent = userInput;
+```
+
+#### A04: Insecure Design
+```
+- [ ] Rate limiting on sensitive endpoints (login, password reset)
+- [ ] Account lockout after failed attempts
+- [ ] Password reset tokens expire (< 15 minutes)
+- [ ] Sensitive operations require re-authentication
+```
+
+#### A05: Security Misconfiguration
+```
+- [ ] Debug mode disabled in production
+- [ ] Default credentials changed
+- [ ] Unnecessary features/endpoints disabled
+- [ ] Security headers present (CSP, HSTS, X-Frame-Options)
+- [ ] Error messages don't expose stack traces to users
+```
+
+#### A06: Vulnerable Components
+```bash
+# Check for known CVEs
+npm audit
+yarn audit
+
+# Check for outdated packages with vulnerabilities
+npx audit-ci --moderate
+```
+
+#### A07: Authentication Failures
+```
+- [ ] Session IDs invalidated on logout
+- [ ] JWT secrets sufficiently random (>= 256 bits)
+- [ ] JWT expiry set appropriately (access: minutes, refresh: days)
+- [ ] Brute force protection on login
+- [ ] Multi-factor authentication available for sensitive actions
+```
+
+#### A08: Software Integrity Failures
+```
+- [ ] Dependencies pinned to exact versions
+- [ ] Subresource integrity (SRI) for CDN assets
+- [ ] CI/CD pipeline secured (no untrusted code execution)
+- [ ] Package signatures verified where possible
+```
+
+#### A09: Logging Failures
+```
+- [ ] Authentication events logged (success + failure)
+- [ ] Authorization failures logged
+- [ ] No sensitive data (passwords, tokens, PII) in logs
+- [ ] Log tampering prevented
+- [ ] Alerts set for suspicious patterns
+```
+
+#### A10: Server-Side Request Forgery (SSRF)
+```
+- [ ] User-supplied URLs validated against allowlist
+- [ ] Internal network addresses blocked from user input
+- [ ] DNS rebinding protection
+```
+
+### Phase 3: Secrets & Credentials Scan
+
+```bash
+# Scan for hardcoded secrets
+grep -rn "password\|secret\|token\|api_key\|apikey\|private_key" \
+  --include="*.ts" --include="*.js" --include="*.env*" \
+  --exclude-dir=node_modules .
+
+# Check .gitignore covers sensitive files
+cat .gitignore | grep -E "\.env|\.key|credentials"
+
+# Verify no secrets in git history
+git log --all --full-history -- "*.env" "*.key" "credentials*"
+```
+
+**Common secret patterns to find:**
+```
+❌ const API_KEY = "sk-abc123..."
+❌ password: "admin123"
+❌ Authorization: "Bearer eyJ..."  (hardcoded)
+❌ connectionString = "mongodb://user:pass@host"
+
+✅ const API_KEY = process.env.API_KEY
+✅ password: process.env.DB_PASSWORD
+```
+
+### Phase 4: MCP Server Specific (codingbuddy)
+
+For MCP servers using SSE/HTTP transport:
+
+```typescript
+// ❌ No authentication
+app.use('/sse', sseHandler);
+
+// ✅ Bearer token validation
+app.use('/sse', (req, res, next) => {
+  const token = req.headers.authorization?.replace('Bearer ', '');
+  if (process.env.MCP_SSE_TOKEN && token !== process.env.MCP_SSE_TOKEN) {
+    return res.status(401).json({ error: 'Unauthorized' });
+  }
+  next();
+});
+```
+
+```
+- [ ] SSE endpoint authenticates when MCP_SSE_TOKEN is set
+- [ ] CORS configured for trusted origins only
+- [ ] Rate limiting on MCP tool calls
+- [ ] Input validation on all tool parameters
+- [ ] No sensitive data in MCP resource URIs
+```
+
+## Red Flags — STOP
+
+| Thought | Reality |
+|---------|---------|
+| "We're not a target" | Every internet-facing system is a target |
+| "This is internal only" | Insider threats are real; internal ≠ trusted |
+| "The framework handles it" | Frameworks have defaults that must be configured |
+| "We'll add security later" | Retrofitting security costs 10× more |
+| "Tests don't cover security" | Security requires dedicated review, not just tests |
+
+## Quick Reference
+
+| Category | Check | Tool |
+|----------|-------|------|
+| Dependencies | CVE scan | `npm audit` |
+| Secrets | Hardcoded creds | grep + git-secrets |
+| Injection | SQL, XSS, Command | Manual + ESLint |
+| Auth | JWT, sessions | Manual review |
+| Headers | CSP, HSTS | securityheaders.com |
+| OWASP | Top 10 | ZAP, Burp Suite |
+
+## Output Format
+
+Document findings as:
+
+```markdown
+## Security Audit Report — YYYY-MM-DD
+
+### Critical (fix before deploy)
+- [ ] SQL injection in /api/users endpoint (line 42, users.service.ts)
+
+### High (fix within 24h)
+- [ ] JWT secret too short (< 256 bits)
+
+### Medium (fix this sprint)
+- [ ] Missing rate limiting on /auth/login
+
+### Low (backlog)
+- [ ] Verbose error messages in development mode
+
+### Passed Checks
+- [x] No hardcoded secrets found
+- [x] All endpoints require authentication
+```

package/.ai-rules/skills/tech-debt/SKILL.md

@@ -0,0 +1,224 @@
+---
+name: tech-debt
+description: Use when identifying, prioritizing, and planning resolution of technical debt. Provides structured assessment, ROI-based prioritization, and incremental paydown strategies.
+---
+
+# Tech Debt
+
+## Overview
+
+Technical debt is borrowed time — the gap between the code you have and the code you need. Left unmanaged, it compounds interest: every new feature costs more, every bug takes longer to fix.
+
+**Core principle:** Not all debt is equal. Pay down debt that blocks you, not debt that merely annoys you.
+
+**Iron Law:**
+```
+MEASURE DEBT BEFORE PAYING IT. PRIORITIZE BY IMPACT, NOT BY DISCOMFORT.
+```
+
+## When to Use
+
+- Sprint planning (decide which debt to pay down)
+- Before major feature work (assess what debt will slow you down)
+- After incidents (identify debt that contributed)
+- Quarterly tech health reviews
+- Before refactoring (use the refactoring skill after this one)
+
+## Types of Technical Debt
+
+| Type | Example | Urgency |
+|------|---------|---------|
+| **Critical** | Security vulnerability, data loss risk | Fix now |
+| **Architectural** | God class, circular dependencies | Fix before next major feature |
+| **Code quality** | Duplicated logic, magic numbers | Fix this quarter |
+| **Test debt** | Missing tests, brittle tests | Fix this sprint |
+| **Documentation debt** | Outdated docs, missing docs | Fix when touching code |
+| **Dependency debt** | Outdated packages, EOL dependencies | Fix on cadence |
+| **Performance debt** | N+1 queries, memory leaks | Fix when it hurts |
+
+## The Assessment Process
+
+### Phase 1: Discover
+
+**Automated discovery:**
+```bash
+# Code complexity
+npx ts-complexity src/ --threshold 10
+
+# Duplicate code
+npx jscpd src/ --min-lines 5 --reporters console
+
+# Test coverage gaps
+npx jest --coverage
+
+# Dependency age and CVEs
+npm outdated
+npm audit
+
+# TODO/FIXME/HACK markers
+grep -rn "TODO\|FIXME\|HACK\|XXX\|TEMP\|WORKAROUND" \
+  --include="*.ts" --include="*.js" src/ | wc -l
+```
+
+**Manual discovery checklist:**
+```
+Architecture smells:
+- [ ] Classes > 300 lines (God class)
+- [ ] Functions > 30 lines (God function)
+- [ ] Files with > 10 imports (high coupling)
+- [ ] Circular dependencies
+- [ ] Global mutable state
+
+Code quality smells:
+- [ ] Duplicate code blocks (> 5 lines, 2+ occurrences)
+- [ ] Magic numbers/strings without constants
+- [ ] Deep nesting (> 3 levels)
+- [ ] Long parameter lists (> 4 params)
+- [ ] Boolean traps (function(true, false, false))
+
+Test smells:
+- [ ] Test coverage < 80%
+- [ ] Tests that always pass (no assertions)
+- [ ] Tests that mock everything
+- [ ] No integration tests
+- [ ] Flaky tests
+```
+
+### Phase 2: Catalog
+
+Create a tech debt register:
+
+```markdown
+## Tech Debt Register — [Date]
+
+| ID | Type | Description | File | Discovered | Owner |
+|----|------|-------------|------|------------|-------|
+| TD-001 | Architecture | McpService is a God class (450 lines) | mcp.service.ts | 2024-01-15 | — |
+| TD-002 | Test | RulesService has 45% coverage | rules.service.ts | 2024-01-15 | — |
+| TD-003 | Dependency | NestJS 9 → 10 migration pending | package.json | 2024-01-15 | — |
+| TD-004 | Code quality | searchRules logic duplicated 3 times | *.service.ts | 2024-01-15 | — |
+```
+
+### Phase 3: Prioritize
+
+**Priority formula:**
+```
+Priority Score = (Velocity Impact × Bug Risk) / Effort
+
+Scale: 1-5 for each factor
+- Velocity Impact: How much does this slow down development?
+- Bug Risk: How likely is this to cause bugs?
+- Effort: How hard is this to fix?
+```
+
+**Prioritization matrix:**
+```markdown
+| ID | Description | Velocity | Bug Risk | Effort | Score |
+|----|-------------|----------|----------|--------|-------|
+| TD-001 | God class McpService | 4 | 3 | 4 | (4×3)/4 = 3.0 |
+| TD-002 | Low test coverage | 3 | 5 | 2 | (3×5)/2 = 7.5 ← Fix first |
+| TD-003 | NestJS upgrade | 2 | 3 | 3 | (2×3)/3 = 2.0 |
+| TD-004 | Duplicate logic | 3 | 3 | 1 | (3×3)/1 = 9.0 ← Fix first |
+```
+
+**Priority tiers:**
+- **Score ≥ 7**: Fix this sprint (blocks progress)
+- **Score 4-7**: Fix this quarter (accumulating interest)
+- **Score < 4**: Backlog (low ROI)
+
+### Phase 4: Plan Resolution
+
+For each high-priority item, create a paydown plan:
+
+```markdown
+## Paydown Plan: TD-004 (Duplicate searchRules logic)
+
+**Goal:** Extract shared search logic into reusable utility
+
+**Approach:** Refactoring skill (not a rewrite)
+
+**Steps:**
+1. Write tests covering all three duplicate sites (2h)
+2. Extract to `src/shared/search.utils.ts` (1h)
+3. Replace all three call sites (1h)
+4. Verify tests pass (30m)
+
+**Risk:** Low — covered by tests before and after
+**Estimate:** 4.5h
+**Assigned to:** —
+
+**Definition of Done:**
+- [ ] Tests cover all search scenarios
+- [ ] Single implementation in search.utils.ts
+- [ ] All three call sites use shared utility
+- [ ] Coverage increased to > 90% for search logic
+```
+
+### Phase 5: Track Progress
+
+Update the debt register as items are resolved:
+
+```markdown
+| ID | Status | Resolution | Date |
+|----|--------|------------|------|
+| TD-004 | ✅ Done | Extracted to search.utils.ts | 2024-01-20 |
+| TD-002 | 🔄 In Progress | Coverage at 78%, target 90% | — |
+| TD-001 | 📋 Planned | Sprint 5 | — |
+| TD-003 | 🚫 Deferred | Low score, Q2 | — |
+```
+
+## Debt Prevention
+
+Good practices that prevent debt accumulation:
+
+```
+Definition of Done (add these):
+- [ ] New code has > 80% test coverage
+- [ ] No functions > 30 lines
+- [ ] No TODO/FIXME left in merged code
+- [ ] Dependencies not introducing CVEs
+- [ ] Architecture review for files > 200 lines
+```
+
+**The Boy Scout Rule:** Leave code cleaner than you found it.
+- Fix ONE small thing whenever you touch a file
+- 10 minutes per PR on adjacent debt
+- Over time: debt decreases without dedicated sprints
+
+## Talking About Debt
+
+**With product managers:**
+```
+❌ "We need a refactoring sprint"
+✅ "The authentication module is slowing every login feature
+   by 3x. A 2-day investment now saves 6 days in the next
+   quarter. Here's the ROI breakdown."
+```
+
+**In sprint planning:**
+```
+Rule of thumb:
+- 20% capacity on debt paydown (sustainable)
+- 0% = debt accumulates, velocity declines
+- 50%+ = not enough new value
+```
+
+## Quick Reference
+
+| Signal | Likely Debt Type | Action |
+|--------|-----------------|--------|
+| New features take 2× longer | Architectural debt | God class audit |
+| Same bug keeps appearing | Test debt | Coverage analysis |
+| Security alert | Dependency debt | `npm audit fix` |
+| "Nobody touches that file" | Code quality debt | Complexity analysis |
+| Onboarding takes weeks | Documentation debt | Codebase guide |
+
+## Red Flags — STOP
+
+| Thought | Reality |
+|---------|---------|
+| "We'll pay it back later" | Without a plan, later = never |
+| "All debt is bad" | Debt taken consciously is a tool |
+| "We need a big rewrite" | Incremental refactoring is safer |
+| "Let's fix it all this sprint" | Context switches kill velocity |
+| "The score is wrong for this item" | Trust the formula; bias skews perception |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codingbuddy-rules",
-  "version": "4.3.0",
+  "version": "4.4.0",
   "description": "AI coding rules for consistent practices across AI assistants",
   "main": "index.js",
   "types": "index.d.ts",