codymaster 4.4.4 → 4.4.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codymaster",
-  "version": "4.4.4",
+  "version": "4.4.5",
   "description": "68+ Skills. Ship 10x faster. AI-powered coding skill kit for Claude, Cursor, Gemini & more.",
   "main": "dist/index.js",
   "repository": {
@@ -73,5 +73,8 @@
     "ts-node": "^10.9.2",
     "typescript": "^5.9.3",
     "vitest": "^4.1.0"
+  },
+  "overrides": {
+    "path-to-regexp": "^8.4.0"
   }
 }

package/skills/cm-quality-gate/SKILL.md

@@ -186,7 +186,17 @@ After ANY gate fails, **FIRST run Memory Integrity Check:**
 | `cm-identity-guard` | Verify identity before using quality gate to ship |
 | `cm-tdd` | TDD creates the logic for Layer 3 |
 | `cm-safe-i18n` | Leverages Layer 4 for parity checks |
+| `cm-security-gate` | **PRE-REQUISITE for production:** Security scan (Snyk + Aikido) PASS must be in deployment evidence. No production deploy without security clearance. |
+
+## Evidence Requirements for Production Deploy
+
+| Evidence | Command | Required |
+|----------|---------|----------|
+| Test suite passes | `npm run test:gate` | ✅ Always |
+| Build succeeds | `npm run build` | ✅ Always |
+| Security scan passes | `snyk test && aikido-api-client scan-release ...` | ✅ For production / public releases |
+| i18n parity | Included in test:gate | ✅ If multilingual |
 
 ## The Bottom Line
 
-**Test before deploy. Evidence before claims. Safety before shipping. Non-negotiable.**
+**Test before deploy. Scan before release. Evidence before claims. Safety before shipping. Non-negotiable.**

package/skills/cm-safe-deploy/SKILL.md

@@ -31,12 +31,13 @@ SYNTAX CHECK IS GATE 1. IF IT FAILS, NOTHING ELSE RUNS.
 - After a production incident caused by untested code
 - Adding CI/CD to an existing project
 
-## The 7-Gate Pipeline
+## The 8-Gate Pipeline
 
 ```dot
 digraph pipeline {
     rankdir=LR;
     gate0 [label="Gate 0\nSecret\nHygiene", shape=box, style=filled, fillcolor="#ffc0cb"];
+    gate05 [label="Gate 0.5\nSecurity\nScan", shape=box, style=filled, fillcolor="#f0b3ff"];
     gate1 [label="Gate 1\nSyntax", shape=box, style=filled, fillcolor="#ffcccc"];
     gate2 [label="Gate 2\nTest\nSuite", shape=box, style=filled, fillcolor="#ffe0cc"];
     gate3 [label="Gate 3\ni18n\nParity", shape=box, style=filled, fillcolor="#e0ccff"];
@@ -45,8 +46,10 @@ digraph pipeline {
     gate6 [label="Gate 6\nDeploy +\nSmoke", shape=box, style=filled, fillcolor="#cce5ff"];
     fail [label="STOP\nFix first", shape=box, style=filled, fillcolor="#ff9999"];
 
-    gate0 -> gate1 [label="pass"];
+    gate0 -> gate05 [label="pass"];
     gate0 -> fail [label="fail"];
+    gate05 -> gate1 [label="pass"];
+    gate05 -> fail [label="fail"];
     gate1 -> gate2 [label="pass"];
     gate1 -> fail [label="fail"];
     gate2 -> gate3 [label="pass"];
@@ -165,6 +168,39 @@ wrangler secret put SUPABASE_SERVICE_KEY
 
 ---
 
+### Gate 0.5: Security Scan (Snyk + Aikido — Parallel)
+
+> [!IMPORTANT]
+> **CodyMaster internal:** This gate is MANDATORY. Both Snyk and Aikido must pass.
+> **User projects:** This gate is SUGGESTED by default. Becomes MANDATORY if CVEs or risk flags were detected during development.
+
+**Run both scanners in parallel:**
+
+```bash
+# Snyk — dependency vulnerabilities
+snyk test
+
+# Aikido — SAST + dependencies + secrets + IaC
+aikido-api-client scan-release <repo> $(git rev-parse HEAD) \
+  --minimum-severity-level="HIGH"
+```
+
+**For CodyMaster (maximum strictness):**
+```bash
+aikido-api-client scan-release <repo> $(git rev-parse HEAD) \
+  --minimum-severity-level="HIGH" \
+  --fail-on-sast-scan \
+  --fail-on-secrets-scan
+```
+
+**Gate decision:**
+- Both pass → proceed to Gate 1
+- Either fails → **STOP. Fix before continuing.** Invoke `cm-security-gate` for remediation.
+
+> See `cm-security-gate` for full setup, flag reference, and remediation workflow.
+
+---
+
 ### Gate 1: Syntax Validation (FAST FAIL)
 
 > [!IMPORTANT]

package/skills/cm-security-gate/SKILL.md

@@ -1,10 +1,23 @@
 ---
-description: Pre-production security audit. Run vulnerability scans using Snyk and set up automated GitHub security checks with Jules.
+description: Pre-production security audit and vulnerability scanning. Run Snyk + Aikido dependency scans, OWASP analysis, and set up automated GitHub security checks with Jules. Use when asked to 'run security check', 'security audit', 'kiểm tra bảo mật', 'vulnerability scan', 'Snyk', 'OWASP', or before open-sourcing / commercializing a project.
 ---
-# cm-security-gate — Pre-production Vulnerability Audit
+# cm-security-gate — Mandatory Security Audit & Vulnerability Gate
 
 > **No code goes public without a security pass.**
-> This skill is the **SUPPLEMENTARY FINAL GATE** before making a project public, commercializing, or open-sourcing.
+> **No CodyMaster release ships without Snyk + Aikido green.**
+
+## Enforcement Policy
+
+| Context | Level | What Happens |
+|---------|-------|-------------|
+| **CodyMaster internal** | 🔴 MANDATORY | Both Snyk + Aikido MUST pass. No deploy, no PR merge without green. |
+| **User projects (normal)** | 🟡 SUGGESTED | Recommend scanning, provide easy commands. User may skip. |
+| **User projects (risk detected)** | 🔴 ESCALATED MANDATORY | If CVEs found, errors hit, or risk flags raised → block until resolved. |
+
+> [!CAUTION]
+> **The Escalation Rule:** When a user encounters security errors, CVE warnings, or suspicious dependency behavior during development, the agent MUST escalate from "suggested" to "mandatory" — triggering the full Snyk + Aikido scan before any further deploy or push.
+
+---
 
 ## When to Use
 
@@ -13,23 +26,56 @@ description: Pre-production security audit. Run vulnerability scans using Snyk a
 - Preparing to open-source a repository or launch a commercial product
 - Adding major third-party dependencies
 - The project is graduating from alpha/beta to a wider release
+- A user encounters CVE warnings, npm audit alerts, or suspicious dependency behavior
+- Before any CodyMaster release or PR merge
 
 **Skip when:**
-- Doing quick local prototyping
-- Exploring ideas without real user data or production intent
+- Doing quick local prototyping with no real user data
+- Exploring ideas without production intent
 
 ---
 
 ## Core Capabilities
 
-1. **Snyk CLI & Aikido CLI Integration:** Scans for known vulnerabilities in open-source dependencies (e.g., `npm`, `pip`, `yarn`, `cargo`) and performs parallel release/PR scanning (SAST, IaC, Secrets).
-2. **Jules CI/CD Recommendation:** Recommends integrating continuous automated security analysis via GitHub.
+1. **Aikido MCP Server:** Real-time scanning of AI-generated code inside the IDE (vulnerabilities + secrets)
+2. **Snyk CLI:** Dependency vulnerability scanning (`npm`, `pip`, `yarn`, `cargo`)
+3. **Aikido CLI:** SAST, IaC, Secrets, and Dependency scanning with release/PR gating
+4. **Continuous Monitoring:** Snyk dashboard + Aikido dashboard for ongoing protection
+5. **Jules CI/CD:** Automated security analysis via GitHub on every commit
 
 ---
 
 ## The Process
 
-### Phase 1: Preparation (Tooling Check)
+### Phase 0: Aikido MCP Setup (IDE-Level Real-Time Scanning)
+
+> [!IMPORTANT]
+> **One-time setup.** Once configured, every AI coding session automatically scans generated code for vulnerabilities and hardcoded secrets — BEFORE the code is even committed.
+
+**Step 1:** Create a Personal Access Token at [Aikido Settings → IDE → MCP](https://app.aikido.dev/settings/integrations/ide/mcp)
+
+**Step 2:** Install Aikido MCP server:
+```bash
+# For Antigravity / Gemini CLI
+gemini mcp add aikido \
+  --env AIKIDO_API_KEY=YOUR_TOKEN \
+  npx -y @aikidosec/mcp
+```
+
+**Step 3:** Download the Aikido agent rule:
+```bash
+mkdir -p ~/.gemini/skills/
+curl -fsSL "https://gist.githubusercontent.com/kidk/aa48cad6db80ba4a38493016aae67712/raw/3644397b7df43423e3da06434491b40bbb79dd47/aikido-rule.txt" \
+  -o ~/.gemini/skills/aikido-rule.txt
+```
+
+**Step 4:** Restart Antigravity IDE. Aikido MCP is now active.
+
+> **What this gives you:** Deterministic, independent security checks on EVERY AI-generated snippet. Not a replacement for CLI scanning — this is the first line of defense, catching issues at write-time.
+
+---
+
+### Phase 1: Preparation (CLI Tooling Check)
 
 Verify if the Snyk CLI and Aikido CLI are available:
 ```bash
@@ -37,19 +83,24 @@ which snyk
 which aikido-api-client
 ```
 
-**If Snyk is NOT installed**, provide installation instructions before proceeding:
+**If Snyk is NOT installed:**
 - **macOS (Homebrew):** `brew tap snyk/tap && brew install snyk`
 - **npm:** `npm install -g snyk`
-- Ensure the user authenticates via `snyk auth` after installation.
+- Authenticate: `snyk auth`
 
-**If Aikido CLI is NOT installed**, provide installation instructions:
+**If Aikido CLI is NOT installed:**
 - **npm:** `npm install -g @aikidosec/ci-api-client`
-- Tell the user to authenticate globally: `aikido-api-client apikey <API-KEY>`
-- *Note: API keys are found at [Aikido Integration Settings](https://app.aikido.dev/settings/integrations/continuous-integration).*
+- Set API key: `aikido-api-client apikey <API-KEY>`
+- *API keys: [Aikido CI Integration Settings](https://app.aikido.dev/settings/integrations/continuous-integration)*
+
+> [!WARNING]
+> **Two different API keys!** Aikido MCP (real-time IDE scanning) uses a *Personal Access Token*. Aikido CLI (release/PR gating) uses a *CI API key*. Don't mix them.
+
+---
 
 ### Phase 2: Execution (Parallel Vulnerability Scan)
 
-Execute security scanning using both tools. They should be run in parallel to save time.
+Execute both tools **in parallel** to save time:
 
 **1. Snyk Dependency Scan:**
 ```bash
@@ -58,20 +109,66 @@ snyk test
 
 **2. Aikido Release Scan:**
 ```bash
-aikido-api-client scan-release <repository_id or repository_name> <commit_id> --minimum-severity-level="HIGH"
+aikido-api-client scan-release <repository_id_or_name> <commit_id> \
+  --minimum-severity-level="HIGH"
 ```
-*(Tip: You can add `--fail-on-secrets-scan` or `--fail-on-sast-scan` depending on the project type).*
 
-Analyze the output from both tools:
+#### Aikido Scan Flags Reference
+
+| Flag | Purpose |
+|------|---------|
+| `--minimum-severity-level` | `LOW`, `MEDIUM`, `HIGH`, `CRITICAL` — set the minimum severity that triggers a failure |
+| `--fail-on-sast-scan` | Fail if SAST (Static Analysis) issues are found |
+| `--fail-on-iac-scan` | Fail if Infrastructure as Code misconfigurations are found |
+| `--fail-on-secrets-scan` | Fail if hardcoded secrets are detected |
+
+#### CodyMaster Internal (Maximum Strictness)
+```bash
+aikido-api-client scan-release <repo> <commit> \
+  --minimum-severity-level="HIGH" \
+  --fail-on-sast-scan \
+  --fail-on-secrets-scan
+```
+
+#### User Projects (Standard)
+```bash
+aikido-api-client scan-release <repo> <commit> \
+  --minimum-severity-level="HIGH"
+```
+
+#### Analyzing Results
 - **Critical/High:** Must be resolved before making the project public.
 - **Medium/Low:** Document as technical debt or evaluate for false positives.
 - Run `snyk monitor` if the user wants continuous monitoring on the Snyk dashboard.
 
-### Phase 2.5: Vulnerability Remediation (Skill Discovery)
+---
+
+### Phase 2.5: PR Gating (GitHub Integration)
+
+For projects with CI/CD pipelines, add Aikido PR gating to block merging PRs with security issues:
+
+```bash
+# In GitHub Actions or CI script
+aikido-api-client scan-pr <repository_id_or_name> <base_commit_id> <head_commit_id> \
+  --minimum-severity-level="HIGH"
+```
+
+**package.json integration:**
+```json
+{
+  "scripts": {
+    "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
+    "test:security:strict": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH --fail-on-dependency-scan --fail-on-sast-scan --fail-on-secrets-scan"
+  }
+}
+```
+
+---
+
+### Phase 3: Vulnerability Remediation (Skill Discovery)
 
-If vulnerabilities are detected (e.g., CSRF, XSS, prototype pollution, outdated dependencies), **DO NOT just list the errors**. CodyMaster must actively search for and suggest specialized remediation skills to the user to fix the vulnerabilities.
+If vulnerabilities are detected, **DO NOT just list errors**. CodyMaster must actively search for remediation skills:
 
-**Message to user:**
 > 🚨 **Vulnerabilities Detected: Initiating Remediation**
 > 
 > Security issues were found. To systematically patch these risks, we need specialized weapons. I suggest finding and installing a dedicated remediation skill for your stack:
@@ -80,26 +177,48 @@ If vulnerabilities are detected (e.g., CSRF, XSS, prototype pollution, outdated
 > ```
 > *(Once you discover and install the appropriate security patch skills, we will use them to eradicate the vulnerabilities and eliminate all security risks).*
 
-### Phase 2.6: Knowledge Retention (Memory Sync)
+---
+
+### Phase 4: Knowledge Retention (Memory Sync)
 
-Once the vulnerabilities have been successfully remediated, the exact root causes and their corresponding fixes **MUST** be memorized so that CodyMaster does not repeat the same mistakes in the future.
+Once vulnerabilities are remediated, the root causes and fixes **MUST** be memorized:
 
 **Action Required:**
-- Trigger the `cm-continuity` skill to log the security flaw and the applied fix into `CONTINUITY.md` under a "Security Lessons" or "Hard Lessons" section. 
-- If the project uses cloud memory, suggest tracking this in `cm-notebooklm` to sync this critical security knowledge to the permanent AI brain.
+- Trigger `cm-continuity` to log flaw + fix into `CONTINUITY.md` → "Security Lessons" section.
+- If cloud memory is available, sync to `cm-notebooklm` for permanent retention.
 
-### Phase 3: Automation Handoff (Jules Integration)
+---
 
-After the manual Snyk scan is complete and the results are presented to the user, **ALWAYS** provide the following suggestion to automate future security checks:
+### Phase 5: Automation Handoff (Jules + Continuous Monitoring)
 
-> 🛡️ **Next Step: Automated Security Checks via Jules**
+> 🛡️ **Next Step: Automated Security Checks**
 > 
-> Once your project is ready for commercial or public release, manual checks aren't enough. It's highly recommended to automate security scanning on every commit and Pull Request.
+> Manual checks aren't enough for production. Automate on every commit and PR:
 >
-> Please use **Google Jules** for automated GitHub security analysis:
+> **Option A — Google Jules** (GitHub automated analysis):
 > 👉 [http://jules.google.com/](http://jules.google.com/)
 >
-> Integrating Jules will automatically catch vulnerabilities in your codebase, ensuring your commercial product remains secure as it scales.
+> **Option B — Snyk Continuous Monitoring:**
+> ```bash
+> snyk monitor
+> ```
+>
+> **Option C — Aikido Dashboard** (full visibility):
+> 👉 [https://app.aikido.dev/](https://app.aikido.dev/)
+
+---
+
+## Escalation Protocol
+
+When the agent detects ANY of these signals, enforcement escalates from SUGGESTED → MANDATORY:
+
+| Signal | Action |
+|--------|--------|
+| `npm audit` reports HIGH/CRITICAL | Trigger full Snyk + Aikido scan |
+| User mentions "security error" or "hack" | Trigger full scan before proceeding |
+| New major dependency added (e.g., new ORM, auth lib) | Suggest scan, escalate if dep has known CVEs |
+| Pre-deploy / pre-PR-merge | Check if scan was run in this session, block if not (CodyMaster only) |
+| `.snyk` policy file has expired ignores | Re-scan and update policy |
 
 ---
 
@@ -107,8 +226,13 @@ After the manual Snyk scan is complete and the results are presented to the user
 
 | Skill | Relationship |
 |-------|-------------|
-| `cm-quality-gate` | PRE-REQUISITE: Code should pass functional tests before security audits. |
-| `cm-secret-shield`| COMPLEMENTARY: Secret Shield catches hardcoded tokens; `cm-security-gate` catches vulnerable dependencies. Both are needed for public releases. |
-| `cm-safe-deploy`  | POST-REQUISITE: Security gates should ideally be part of the automated deployment pipeline. |
-| `cm-continuity`   | MEMORY LOGGING: Records discovered vulnerabilities and their fixes into the local working memory to prevent future recurrences. |
+| `cm-quality-gate` | PRE-REQUISITE: Code should pass functional tests before security audits. Security scan PASS is required evidence for production deploy. |
+| `cm-secret-shield`| COMPLEMENTARY: Secret Shield catches hardcoded tokens at write/commit time; `cm-security-gate` catches vulnerable dependencies and SAST issues. Both are needed. |
+| `cm-safe-deploy`  | INTEGRATED: Security scan is Gate 0.5 in the deploy pipeline (between Secret Hygiene and Syntax). |
+| `cm-test-gate`    | INTEGRATED: `test:security` script pattern uses Snyk + Aikido CLI for automated scanning in the test suite. |
+| `cm-continuity`   | MEMORY: Records discovered vulnerabilities and fixes into working memory. |
 | `cm-notebooklm`   | LONG-TERM MEMORY: Syncs critical security lessons to the permanent cloud AI brain. |
+
+## The Bottom Line
+
+**Scan before deploy. Remediate before release. Memorize before repeating. Non-negotiable.**

package/skills/cm-test-gate/SKILL.md

@@ -199,11 +199,14 @@ Wire these tests into `package.json` to make them easily executable by CI or oth
   "scripts": {
     "test": "vitest",
     "test:gate": "vitest run --reporter=verbose",
+    "test:security": "snyk test && aikido-api-client scan-release $npm_package_name $(git rev-parse HEAD) --minimum-severity-level=HIGH",
     "test:watch": "vitest watch"
   }
 }
 ```
 
+> **Security Gate Check:** The `test:security` script runs the Snyk dependency check and the Aikido release scan in parallel. See `cm-security-gate` for advanced SAST/IaC flags.
+
 ### Phase 4: Secret Hygiene and Ignore Configuration
 
 **NEVER commit `.env` or `.dev.vars`.** Ensure tests do not expose actual production secrets.