cokit-cli 1.2.6 → 1.3.0

package/skills/security/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: security
+description: "STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using ck:autoresearch pattern."
+argument-hint: "<scope glob or 'full'> [--fix] [--iterations N]"
+---
+
+# ck:security — Security Audit
+
+Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With `--fix`, applies fixes iteratively using the ck:autoresearch guard pattern.
+
+## When to Use
+
+- Before a release or major deployment
+- After adding auth, payment, or data-handling features
+- Periodic security review (monthly/quarterly)
+- Compliance check (SOC 2, GDPR, PCI-DSS prep)
+
+## When NOT to Use
+
+- Purely cosmetic changes (CSS, copy edits)
+- No user-facing code or data handling involved
+
+---
+
+## Modes
+
+| Mode | Invocation | Behavior |
+|------|-----------|----------|
+| Audit only | `/ck-security <scope>` | Scan → categorize → report |
+| Audit + Fix | `/ck-security <scope> --fix` | Scan → categorize → fix iteratively |
+| Bounded fix | `/ck-security <scope> --fix --iterations N` | Limit fix iterations to N |
+
+---
+
+## Audit Methodology
+
+### 1. Scope Resolution
+Expand the provided glob or `full` keyword into a file list. Read all in-scope files before analysis.
+
+### 2. STRIDE Analysis
+Evaluate each threat category systematically:
+- **S**poofing — identity/authentication weaknesses
+- **T**ampering — input validation, integrity controls
+- **R**epudiation — audit logging gaps
+- **I**nformation Disclosure — data leakage, secret exposure
+- **D**enial of Service — rate limits, resource exhaustion
+- **E**levation of Privilege — broken access control, RBAC gaps
+
+### 3. OWASP Top 10 Check
+Map findings to OWASP categories (A01–A10). See `references/stride-owasp-checklist.md` for per-category checks.
+
+### 4. Dependency Audit
+Run the appropriate package audit tool for the detected stack:
+- Node.js: `npm audit`
+- Python: `pip-audit`
+- Go: `govulncheck`
+- Ruby: `bundle audit`
+
+### 5. Secret Detection
+Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See `references/stride-owasp-checklist.md` → Secret Patterns.
+
+### 6. Finding Categorization
+Assign each finding a severity level (see Severity Definitions below).
+
+---
+
+## Output Format
+
+```
+## Security Audit Report
+
+### Summary
+- Files scanned: N
+- Findings: X critical, Y high, Z medium, W low, V info
+
+### Findings
+
+| # | Severity | Category | File:Line | Description | Fix Recommendation |
+|---|----------|----------|-----------|-------------|-------------------|
+| 1 | Critical  | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries |
+| 2 | High      | Auth      | auth/login.ts:12 | No rate limiting | Add express-rate-limit |
+```
+
+---
+
+## Fix Mode (--fix)
+
+When `--fix` is provided, apply fixes iteratively after the audit:
+
+1. Sort all findings by severity (Critical → High → Medium → Low)
+2. For each finding:
+   a. Apply one targeted fix
+   b. Run guard (tests or lint) to verify no regression
+   c. Commit: `security(fix-N): <short description>`
+   d. Advance to next finding
+3. Stop early if guard fails — report the failure instead of proceeding
+4. Uses `autoresearch` guard pattern for regression prevention
+
+> Tip: Use `--iterations N` to cap total fix iterations when scope is large.
+
+---
+
+## Severity Definitions
+
+| Severity | Description | Fix Priority |
+|----------|-------------|-------------|
+| Critical | Exploitable now, data breach or RCE risk | Immediate — block release |
+| High | Exploitable with moderate effort, significant impact | This sprint |
+| Medium | Limited exploitability or impact | Next sprint |
+| Low | Theoretical risk, defense-in-depth improvement | Backlog |
+| Info | Best practice suggestion, no direct risk | Optional |
+
+---
+
+## Integration with Other Skills
+
+- Run after `predict` when the security persona flags concerns
+- Feed Critical/High findings into `ck:autoresearch --fix` for automated remediation
+- Use `scenario` with `--focus authorization` for deeper auth flow testing
+- Pair with `plan` to schedule Medium/Low findings as sprint tasks
+
+---
+
+## Example Invocations
+
+```bash
+# Audit API layer only
+/ck-security src/api/**/*.ts
+
+# Audit entire src/ and auto-fix, max 15 iterations
+/ck-security src/ --fix --iterations 15
+
+# Full codebase audit (no fix)
+/ck-security full
+```
+
+---
+
+See `references/stride-owasp-checklist.md` for the detailed per-category checklist and secret detection regex patterns.

package/skills/security/references/stride-owasp-checklist.md

@@ -0,0 +1,128 @@
+# STRIDE + OWASP Security Checklist
+
+Reference checklist for `security` audits. Use during Step 2 (STRIDE Analysis) and Step 3 (OWASP Top 10 Check).
+
+---
+
+## STRIDE Checklist
+
+### Spoofing (Authentication)
+- [ ] All endpoints require authentication (unless intentionally public)
+- [ ] Passwords hashed with bcrypt/argon2 — not MD5 or SHA1
+- [ ] JWT tokens have expiration (`exp`) and are validated server-side
+- [ ] Session management uses `Secure`, `HttpOnly`, `SameSite` cookie flags
+- [ ] Multi-factor auth available for sensitive operations
+- [ ] OAuth/OIDC flows use `state` parameter to prevent CSRF
+- [ ] Default credentials removed from all services and dependencies
+
+### Tampering (Integrity)
+- [ ] Input validation on all user-supplied data (type, length, format)
+- [ ] Parameterized queries used — no string concatenation for SQL/NoSQL
+- [ ] CSRF tokens present on all state-changing forms
+- [ ] Request signing for API-to-API calls (HMAC or mTLS)
+- [ ] File uploads validated for type (magic bytes), size, and content
+- [ ] Deserialization of untrusted data avoided or sandboxed
+- [ ] HTTP methods restricted per endpoint (no GET for mutations)
+
+### Repudiation (Logging)
+- [ ] Authentication events logged: login, logout, failures
+- [ ] Authorization failures logged with user/resource context
+- [ ] Data modification events logged with actor and timestamp
+- [ ] Logs do not contain sensitive data (passwords, tokens, PII)
+- [ ] Log integrity protected — append-only storage or centralized sink
+- [ ] Logs retained per compliance requirements (90 days minimum)
+
+### Information Disclosure
+- [ ] Error messages do not leak stack traces in production
+- [ ] API responses exclude internal IDs, system paths, or version strings
+- [ ] Sensitive data encrypted at rest (AES-256 or equivalent)
+- [ ] All transport uses TLS 1.2+ — no HTTP for sensitive endpoints
+- [ ] No hardcoded secrets in source code (see Secret Patterns below)
+- [ ] `.env` files and credential files listed in `.gitignore`
+- [ ] API responses filtered to minimum necessary fields (no over-fetching)
+
+### Denial of Service
+- [ ] Rate limiting on authentication and sensitive endpoints
+- [ ] Request body size limits configured at server/gateway level
+- [ ] Pagination enforced on all list endpoints (no unbounded queries)
+- [ ] Timeouts set on all external API and database calls
+- [ ] Connection pools sized and cleaned up properly
+- [ ] Regex patterns reviewed for catastrophic backtracking (ReDoS)
+- [ ] Background jobs have concurrency limits and dead-letter queues
+
+### Elevation of Privilege
+- [ ] Role-based access control (RBAC) enforced server-side, not client-side
+- [ ] Horizontal privilege checks: user A cannot access user B's resources (IDOR)
+- [ ] Admin endpoints have separate, stricter auth middleware
+- [ ] Privilege escalation paths require re-authentication
+- [ ] Service accounts use principle of least privilege
+- [ ] Third-party integrations scoped to minimum required permissions
+
+---
+
+## OWASP Top 10 Quick Reference
+
+| # | Category | What to Check |
+|---|----------|---------------|
+| A01 | Broken Access Control | Missing auth checks, IDOR vulnerabilities, CORS misconfiguration, path traversal |
+| A02 | Cryptographic Failures | Weak hashing (MD5/SHA1), plaintext storage, missing TLS, weak cipher suites |
+| A03 | Injection | SQL, NoSQL, OS command, LDAP, template injection via unsanitized input |
+| A04 | Insecure Design | Missing threat model, business logic flaws, no abuse-case testing |
+| A05 | Security Misconfiguration | Default credentials, verbose error pages, unnecessary features/ports enabled |
+| A06 | Vulnerable Components | Outdated dependencies, known CVEs, unpatched libraries |
+| A07 | Auth Failures | Brute force possible, credential stuffing, session fixation, weak tokens |
+| A08 | Data Integrity Failures | Unsigned updates, unverified deserialization, CI/CD pipeline compromise |
+| A09 | Logging Failures | Missing security event logs, no alerting, insufficient monitoring coverage |
+| A10 | SSRF | Unvalidated user-supplied URLs, internal service access via fetch/curl |
+
+---
+
+## Secret Patterns to Detect
+
+Scan source files for the following regex patterns. Any match is a Critical finding.
+
+```regex
+# Generic API keys
+(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][A-Za-z0-9\-_]{20,}['"]
+
+# AWS access key IDs
+AKIA[0-9A-Z]{16}
+
+# AWS secret access keys
+(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"][A-Za-z0-9/+]{40}['"]
+
+# JSON Web Tokens
+eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
+
+# Generic passwords in config/code
+(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]
+
+# Private keys (PEM format)
+-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
+
+# GitHub personal access tokens
+ghp_[A-Za-z0-9]{36}
+
+# Stripe secret keys
+sk_(live|test)_[A-Za-z0-9]{24,}
+
+# Generic bearer tokens
+(?i)bearer\s+[A-Za-z0-9\-._~+/]{20,}
+```
+
+> False positive reduction: skip matches inside `*.test.*`, `*.spec.*`, `*.example`, and `*.md` files when the value is clearly a placeholder (e.g., `YOUR_KEY_HERE`, `<your-token>`).
+
+---
+
+## Dependency Audit Commands
+
+Run the appropriate command for the detected stack and include output in the findings report:
+
+| Stack | Command |
+|-------|---------|
+| Node.js | `npm audit --json` |
+| Python | `pip-audit --format json` |
+| Go | `govulncheck ./...` |
+| Ruby | `bundle audit check --update` |
+| Java/Maven | `mvn dependency-check:check` |
+| Rust | `cargo audit` |

package/skills/sequential-thinking/README.md

@@ -4,7 +4,7 @@ Structured, reflective problem-solving methodology converted from the sequential
 
 ## Overview
 
-This skill teaches the AI agent to apply systematic sequential thinking methodology for complex problem-solving, without relying on external MCP tools. It enables:
+This skill teaches the AI to apply systematic sequential thinking methodology for complex problem-solving, without relying on external MCP tools. It enables:
 - Breaking down complex problems into manageable thought sequences
 - Dynamic adjustment of thought count as understanding evolves
 - Revision of previous thoughts when new insights emerge
@@ -91,7 +91,7 @@ Thought 2/5: [Further analysis]
 
 **Implicit Mode**: Apply methodology internally without cluttering output
 
-## When the Agent Should Use This Skill
+## When AI Should Use This Skill
 
 Automatically activated for:
 - Complex problem decomposition
@@ -176,7 +176,7 @@ Scripts are **optional tooling** - the methodology can be applied without them.
 
 Converted from: https://github.com/modelcontextprotocol/servers/tree/main/src/sequentialthinking
 
-Original MCP server (MIT License).
+Original MCP server by Anthropic (MIT License).
 Skill conversion:
 - Extracts methodology as instructions
 - Adds executable scripts for deterministic validation

package/skills/sequential-thinking/SKILL.md

@@ -1,6 +1,8 @@
 ---
 name: sequential-thinking
 description: Apply step-by-step analysis for complex problems with revision capability. Use for multi-step reasoning, hypothesis verification, adaptive planning, problem decomposition, course correction.
+license: MIT
+argument-hint: "[problem to analyze step-by-step]"
 ---
 
 # Sequential Thinking

package/skills/sequential-thinking/package.json

@@ -13,7 +13,7 @@
     "problem-solving",
     "agent-skill"
   ],
-  "author": "Converted from MCP Server",
+  "author": "CoKit",
   "license": "MIT",
   "devDependencies": {
     "jest": "^29.7.0"

package/skills/ship/SKILL.md

@@ -0,0 +1,116 @@
+---
+name: ship
+description: "Ship pipeline: merge main, test, review, commit, push, PR. Single command from feature branch to PR URL. Use for shipping official releases to main/master or beta releases to dev/beta branches."
+argument-hint: "[official|beta] [--skip-tests] [--skip-review] [--skip-journal] [--skip-docs] [--dry-run]"
+license: MIT
+---
+
+# Ship: Unified Ship Pipeline
+
+Single command to ship a feature branch. Fully automated — only stops for test failures, critical review issues, or major version bumps.
+
+**Inspired by:** gstack `/ship` by Garry Tan. Adapted for framework-agnostic, multi-language support.
+
+## Arguments
+
+| Flag | Effect |
+|------|--------|
+| `official` | Ship to default branch (main/master). Full pipeline with docs + journal |
+| `beta` | Ship to dev/beta branch. Lighter pipeline, skip docs update |
+| (none) | Auto-detect: if base branch is main/master → official, else → beta |
+| `--skip-tests` | Skip test step (use when tests already passed) |
+| `--skip-review` | Skip pre-landing review step |
+| `--skip-journal` | Skip journal writing step |
+| `--skip-docs` | Skip docs update step |
+| `--dry-run` | Show what would happen without executing |
+
+## Ship Mode Detection
+
+```
+If argument = "official" → target = main/master (auto-detect default branch)
+If argument = "beta"     → target = dev/beta (auto-detect dev branch)
+If no argument           → infer from current branch naming:
+  - feature/* hotfix/* bugfix/* → official (target main)
+  - dev/* beta/* experiment/*  → beta (target dev/beta)
+  - unclear                    → asking the user
+```
+
+## When to Stop (blocking)
+
+- On target branch already → abort
+- Merge conflicts that can't be auto-resolved → stop, show conflicts
+- Test failures → stop, show failures
+- Critical review issues → asking the user per issue
+- Major/minor version bump needed → asking the user
+
+## When NOT to Stop
+
+- Uncommitted changes → always include them
+- Patch version bump → auto-decide
+- Changelog content → auto-generate
+- Commit message → auto-compose
+- No version file → skip version step silently
+- No changelog → skip changelog step silently
+
+## Pipeline
+
+```
+Step 1:  Pre-flight      → Branch check, mode detection, status, diff analysis
+Step 2:  Link Issues      → Find/create related GitHub issues
+Step 3:  Merge target     → Fetch + merge origin/<target-branch>
+Step 4:  Run tests        → Auto-detect test runner, run, check results
+Step 5:  Review           → Two-pass checklist review (critical + informational)
+Step 6:  Version bump     → Auto-detect version file, bump patch/minor
+Step 7:  Changelog        → Auto-generate from commits + diff
+Step 8:  Journal          → Write technical journal via /ck-journal
+Step 9:  Docs update      → Update project docs via /ck-docs update (official only)
+Step 10: Commit           → Conventional commit with version/changelog
+Step 11: Push             → git push -u origin <branch>
+Step 12: Create PR        → gh pr create with structured body + linked issues
+```
+
+**Detailed steps:** Load `references/ship-workflow.md`
+**Auto-detection:** Load `references/auto-detect.md`
+**PR template:** Load `references/pr-template.md`
+
+## Token Efficiency Rules
+
+- Steps 4 (tests) and 5 (review): delegate to `tester` and `code-reviewer` subagents — don't inline
+- Steps 8 (journal) and 9 (docs): run in **background** — don't block pipeline
+- Step 2 (issues): use single `gh` command batch — avoid multiple API calls
+- Skip steps early via flags to save tokens on unnecessary work
+- Beta mode auto-skips: docs update (Step 9)
+- Capture step outputs inline — don't re-read files already in context
+
+## Quick Start
+
+User says `/ck-ship` → run full pipeline → output PR URL.
+User says `/ck-ship beta` → ship to dev branch with lighter pipeline.
+User says `/ck-ship official` → ship to main with full docs + journal.
+
+## Output Format
+
+```
+✓ Pre-flight: branch feature/foo, 5 commits, +200/-50 lines (mode: official)
+✓ Issues: linked #42, created #43
+✓ Merged: origin/main (up to date)
+✓ Tests: 42 passed, 0 failed
+✓ Review: 0 critical, 2 informational
+✓ Version: 1.2.3 → 1.2.4
+✓ Changelog: updated
+✓ Journal: written (background)
+✓ Docs: updated (background)
+✓ Committed: feat(auth): add OAuth2 login flow
+✓ Pushed: origin/feature/foo
+✓ PR: https://github.com/org/repo/pull/123 (linked: #42, #43)
+```
+
+## Important Rules
+
+- **Never skip tests** (unless `--skip-tests`). If tests fail, stop.
+- **Never force push.** Regular `git push` only.
+- **Never ask for confirmation** except for critical review issues and major/minor version bumps.
+- **Auto-detect everything.** Test runner, version file, changelog format, target branch — detect from project files.
+- **Framework-agnostic.** Works for Node, Python, Rust, Go, Ruby, Java, or any project with a test command.
+- **Subagent delegation.** Use `tester` for tests, `code-reviewer` for review, `journal-writer` for journal, `docs-manager` for docs. Don't inline.
+- **Background tasks.** Journal and docs run in background to not block the pipeline.

package/skills/ship/references/auto-detect.md

@@ -0,0 +1,103 @@
+# Auto-Detection Logic
+
+Detect test runner, version file, and changelog format from project files.
+
+## Test Runner Detection
+
+Check in order (first match wins):
+
+| Check | Test Command |
+|-------|-------------|
+| `package.json` → `scripts.test` exists | `npm test` |
+| `Makefile` → has `test:` target | `make test` |
+| `pytest.ini` OR `pyproject.toml` has `[tool.pytest]` | `pytest` |
+| `Cargo.toml` exists | `cargo test` |
+| `go.mod` exists | `go test ./...` |
+| `Gemfile` + `Rakefile` with test task | `bundle exec rake test` |
+| `build.gradle` or `build.gradle.kts` | `./gradlew test` |
+| `pom.xml` | `mvn test` |
+| `mix.exs` | `mix test` |
+| `deno.json` | `deno test` |
+
+**Detection script:**
+```bash
+if [ -f package.json ] && grep -q '"test"' package.json 2>/dev/null; then
+  echo "npm test"
+elif [ -f Makefile ] && grep -q '^test:' Makefile 2>/dev/null; then
+  echo "make test"
+elif [ -f pytest.ini ] || ([ -f pyproject.toml ] && grep -q '\[tool.pytest' pyproject.toml 2>/dev/null); then
+  echo "pytest"
+elif [ -f Cargo.toml ]; then
+  echo "cargo test"
+elif [ -f go.mod ]; then
+  echo "go test ./..."
+else
+  echo "NONE"
+fi
+```
+
+**If NONE:** Use asking the user — "No test runner detected. Options: A) Skip tests, B) Provide test command"
+
+## Version File Detection
+
+Check in order:
+
+| Check | Read Pattern |
+|-------|-------------|
+| `VERSION` file | Read as semver string |
+| `package.json` → `version` field | `jq -r .version package.json` |
+| `pyproject.toml` → `version` | grep `version = "..."` |
+| `Cargo.toml` → `version` | grep `version = "..."` |
+| `mix.exs` → `@version` | grep `@version "..."` |
+
+**If none found:** Skip version bump silently. Not all projects use versioning.
+
+**Bump logic:**
+```
+Lines changed < 50  → patch (X.Y.Z → X.Y.Z+1)
+Lines changed >= 50 → patch (safe default)
+User explicitly says "breaking" or "major feature" → asking the user for minor/major
+```
+
+## Changelog Detection
+
+| Check | Format |
+|-------|--------|
+| `CHANGELOG.md` | Keep-a-changelog format |
+| `CHANGES.md` | Same |
+| `HISTORY.md` | Same |
+
+**If none found:** Skip changelog silently.
+
+**Entry format:**
+```markdown
+## [X.Y.Z] - YYYY-MM-DD
+
+### Added
+- New features from commits with `feat:` prefix
+
+### Changed
+- Changes from commits with `refactor:`, `perf:` prefix
+
+### Fixed
+- Bug fixes from commits with `fix:` prefix
+
+### Removed
+- Removals mentioned in commit messages
+```
+
+**Infer categories from:**
+1. Conventional commit prefixes in `git log main..HEAD --oneline`
+2. File types changed (test files → test improvements, docs → documentation)
+3. Diff content (new functions = Added, modified functions = Changed)
+
+## Main Branch Detection
+
+```bash
+git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@'
+```
+
+Fallback: check if `main` or `master` exists:
+```bash
+git rev-parse --verify origin/main 2>/dev/null && echo "main" || echo "master"
+```

package/skills/ship/references/pr-template.md

@@ -0,0 +1,90 @@
+# PR Body Template
+
+Use this template when creating PRs via `gh pr create`.
+
+## Template
+
+```markdown
+## Summary
+<bullet points — infer from changelog entry or commit messages>
+
+## Linked Issues
+<list issues from Step 2>
+- Closes #XX — <issue title>
+- Relates to #YY — <issue title>
+<or "No linked issues.">
+
+## Pre-Landing Review
+<findings from review step>
+<format: "N issues (X critical, Y informational)" or "No issues found.">
+
+<if informational issues exist, list them:>
+- [file:line] Issue description
+
+## Test Results
+- [x] All tests pass (<count> tests, 0 failures)
+<or>
+- [x] Tests skipped (--skip-tests)
+
+## Changes
+<output of git diff --stat, trimmed to key files>
+
+## Ship Mode
+- Mode: <official|beta>
+- Target: <target-branch>
+```
+
+## PR Title Format
+
+```
+type(scope): brief description
+```
+
+Infer type from changes:
+- `feat`: new feature or capability
+- `fix`: bug fix
+- `refactor`: code restructuring without behavior change
+- `perf`: performance improvement
+- `chore`: maintenance, dependencies, config
+
+## Example
+
+```markdown
+## Summary
+- Add OAuth2 login flow with Google and GitHub providers
+- Implement session management with secure cookie storage
+- Add logout endpoint with token revocation
+
+## Linked Issues
+- Closes #42 — Add OAuth2 authentication support
+- Relates to #38 — Security audit for auth module
+
+## Pre-Landing Review
+Pre-Landing Review: 1 issue (0 critical, 1 informational)
+
+- [src/auth/session.ts:42] Magic number 3600 for session TTL
+  Fix: Extract to named constant SESSION_TTL_SECONDS
+
+## Test Results
+- [x] All tests pass (127 tests, 0 failures)
+
+## Changes
+ src/auth/oauth.ts      | 89 +++++++++
+ src/auth/session.ts    | 45 +++++
+ src/routes/auth.ts     | 32 ++++
+ tests/auth.test.ts     | 67 +++++++
+ 4 files changed, 233 insertions(+)
+
+## Ship Mode
+- Mode: official
+- Target: main
+```
+
+## Notes
+
+- Keep summary bullets concise — one line per change
+- Include review findings even if "No issues found" — shows review happened
+- Test counts should match actual output, not estimates
+- If PR already exists, use `gh pr edit` instead of `gh pr create`
+- Always include linked issues section — traceability is critical
+- For beta PRs, target the dev/beta branch, not main