cokit-cli 1.2.6 → 1.3.0

package/templates/repo/.github/skills/security/SKILL.md

@@ -0,0 +1,139 @@
+---
+name: security
+description: "STRIDE + OWASP-based security audit with optional auto-fix. Scans code for vulnerabilities, categorizes by severity, and can iteratively fix findings using ck:autoresearch pattern."
+argument-hint: "<scope glob or 'full'> [--fix] [--iterations N]"
+---
+
+# ck:security — Security Audit
+
+Runs a structured STRIDE + OWASP security audit on a given scope. Produces a severity-ranked findings report. With `--fix`, applies fixes iteratively using the ck:autoresearch guard pattern.
+
+## When to Use
+
+- Before a release or major deployment
+- After adding auth, payment, or data-handling features
+- Periodic security review (monthly/quarterly)
+- Compliance check (SOC 2, GDPR, PCI-DSS prep)
+
+## When NOT to Use
+
+- Purely cosmetic changes (CSS, copy edits)
+- No user-facing code or data handling involved
+
+---
+
+## Modes
+
+| Mode | Invocation | Behavior |
+|------|-----------|----------|
+| Audit only | `/ck-security <scope>` | Scan → categorize → report |
+| Audit + Fix | `/ck-security <scope> --fix` | Scan → categorize → fix iteratively |
+| Bounded fix | `/ck-security <scope> --fix --iterations N` | Limit fix iterations to N |
+
+---
+
+## Audit Methodology
+
+### 1. Scope Resolution
+Expand the provided glob or `full` keyword into a file list. Read all in-scope files before analysis.
+
+### 2. STRIDE Analysis
+Evaluate each threat category systematically:
+- **S**poofing — identity/authentication weaknesses
+- **T**ampering — input validation, integrity controls
+- **R**epudiation — audit logging gaps
+- **I**nformation Disclosure — data leakage, secret exposure
+- **D**enial of Service — rate limits, resource exhaustion
+- **E**levation of Privilege — broken access control, RBAC gaps
+
+### 3. OWASP Top 10 Check
+Map findings to OWASP categories (A01–A10). See `references/stride-owasp-checklist.md` for per-category checks.
+
+### 4. Dependency Audit
+Run the appropriate package audit tool for the detected stack:
+- Node.js: `npm audit`
+- Python: `pip-audit`
+- Go: `govulncheck`
+- Ruby: `bundle audit`
+
+### 5. Secret Detection
+Scan for hardcoded API keys, passwords, tokens, and private keys using regex patterns. See `references/stride-owasp-checklist.md` → Secret Patterns.
+
+### 6. Finding Categorization
+Assign each finding a severity level (see Severity Definitions below).
+
+---
+
+## Output Format
+
+```
+## Security Audit Report
+
+### Summary
+- Files scanned: N
+- Findings: X critical, Y high, Z medium, W low, V info
+
+### Findings
+
+| # | Severity | Category | File:Line | Description | Fix Recommendation |
+|---|----------|----------|-----------|-------------|-------------------|
+| 1 | Critical  | Injection | api/users.ts:45 | SQL string concatenation | Use parameterized queries |
+| 2 | High      | Auth      | auth/login.ts:12 | No rate limiting | Add express-rate-limit |
+```
+
+---
+
+## Fix Mode (--fix)
+
+When `--fix` is provided, apply fixes iteratively after the audit:
+
+1. Sort all findings by severity (Critical → High → Medium → Low)
+2. For each finding:
+   a. Apply one targeted fix
+   b. Run guard (tests or lint) to verify no regression
+   c. Commit: `security(fix-N): <short description>`
+   d. Advance to next finding
+3. Stop early if guard fails — report the failure instead of proceeding
+4. Uses `autoresearch` guard pattern for regression prevention
+
+> Tip: Use `--iterations N` to cap total fix iterations when scope is large.
+
+---
+
+## Severity Definitions
+
+| Severity | Description | Fix Priority |
+|----------|-------------|-------------|
+| Critical | Exploitable now, data breach or RCE risk | Immediate — block release |
+| High | Exploitable with moderate effort, significant impact | This sprint |
+| Medium | Limited exploitability or impact | Next sprint |
+| Low | Theoretical risk, defense-in-depth improvement | Backlog |
+| Info | Best practice suggestion, no direct risk | Optional |
+
+---
+
+## Integration with Other Skills
+
+- Run after `predict` when the security persona flags concerns
+- Feed Critical/High findings into `ck:autoresearch --fix` for automated remediation
+- Use `scenario` with `--focus authorization` for deeper auth flow testing
+- Pair with `plan` to schedule Medium/Low findings as sprint tasks
+
+---
+
+## Example Invocations
+
+```bash
+# Audit API layer only
+/ck-security src/api/**/*.ts
+
+# Audit entire src/ and auto-fix, max 15 iterations
+/ck-security src/ --fix --iterations 15
+
+# Full codebase audit (no fix)
+/ck-security full
+```
+
+---
+
+See `references/stride-owasp-checklist.md` for the detailed per-category checklist and secret detection regex patterns.

package/templates/repo/.github/skills/security/references/stride-owasp-checklist.md

@@ -0,0 +1,128 @@
+# STRIDE + OWASP Security Checklist
+
+Reference checklist for `security` audits. Use during Step 2 (STRIDE Analysis) and Step 3 (OWASP Top 10 Check).
+
+---
+
+## STRIDE Checklist
+
+### Spoofing (Authentication)
+- [ ] All endpoints require authentication (unless intentionally public)
+- [ ] Passwords hashed with bcrypt/argon2 — not MD5 or SHA1
+- [ ] JWT tokens have expiration (`exp`) and are validated server-side
+- [ ] Session management uses `Secure`, `HttpOnly`, `SameSite` cookie flags
+- [ ] Multi-factor auth available for sensitive operations
+- [ ] OAuth/OIDC flows use `state` parameter to prevent CSRF
+- [ ] Default credentials removed from all services and dependencies
+
+### Tampering (Integrity)
+- [ ] Input validation on all user-supplied data (type, length, format)
+- [ ] Parameterized queries used — no string concatenation for SQL/NoSQL
+- [ ] CSRF tokens present on all state-changing forms
+- [ ] Request signing for API-to-API calls (HMAC or mTLS)
+- [ ] File uploads validated for type (magic bytes), size, and content
+- [ ] Deserialization of untrusted data avoided or sandboxed
+- [ ] HTTP methods restricted per endpoint (no GET for mutations)
+
+### Repudiation (Logging)
+- [ ] Authentication events logged: login, logout, failures
+- [ ] Authorization failures logged with user/resource context
+- [ ] Data modification events logged with actor and timestamp
+- [ ] Logs do not contain sensitive data (passwords, tokens, PII)
+- [ ] Log integrity protected — append-only storage or centralized sink
+- [ ] Logs retained per compliance requirements (90 days minimum)
+
+### Information Disclosure
+- [ ] Error messages do not leak stack traces in production
+- [ ] API responses exclude internal IDs, system paths, or version strings
+- [ ] Sensitive data encrypted at rest (AES-256 or equivalent)
+- [ ] All transport uses TLS 1.2+ — no HTTP for sensitive endpoints
+- [ ] No hardcoded secrets in source code (see Secret Patterns below)
+- [ ] `.env` files and credential files listed in `.gitignore`
+- [ ] API responses filtered to minimum necessary fields (no over-fetching)
+
+### Denial of Service
+- [ ] Rate limiting on authentication and sensitive endpoints
+- [ ] Request body size limits configured at server/gateway level
+- [ ] Pagination enforced on all list endpoints (no unbounded queries)
+- [ ] Timeouts set on all external API and database calls
+- [ ] Connection pools sized and cleaned up properly
+- [ ] Regex patterns reviewed for catastrophic backtracking (ReDoS)
+- [ ] Background jobs have concurrency limits and dead-letter queues
+
+### Elevation of Privilege
+- [ ] Role-based access control (RBAC) enforced server-side, not client-side
+- [ ] Horizontal privilege checks: user A cannot access user B's resources (IDOR)
+- [ ] Admin endpoints have separate, stricter auth middleware
+- [ ] Privilege escalation paths require re-authentication
+- [ ] Service accounts use principle of least privilege
+- [ ] Third-party integrations scoped to minimum required permissions
+
+---
+
+## OWASP Top 10 Quick Reference
+
+| # | Category | What to Check |
+|---|----------|---------------|
+| A01 | Broken Access Control | Missing auth checks, IDOR vulnerabilities, CORS misconfiguration, path traversal |
+| A02 | Cryptographic Failures | Weak hashing (MD5/SHA1), plaintext storage, missing TLS, weak cipher suites |
+| A03 | Injection | SQL, NoSQL, OS command, LDAP, template injection via unsanitized input |
+| A04 | Insecure Design | Missing threat model, business logic flaws, no abuse-case testing |
+| A05 | Security Misconfiguration | Default credentials, verbose error pages, unnecessary features/ports enabled |
+| A06 | Vulnerable Components | Outdated dependencies, known CVEs, unpatched libraries |
+| A07 | Auth Failures | Brute force possible, credential stuffing, session fixation, weak tokens |
+| A08 | Data Integrity Failures | Unsigned updates, unverified deserialization, CI/CD pipeline compromise |
+| A09 | Logging Failures | Missing security event logs, no alerting, insufficient monitoring coverage |
+| A10 | SSRF | Unvalidated user-supplied URLs, internal service access via fetch/curl |
+
+---
+
+## Secret Patterns to Detect
+
+Scan source files for the following regex patterns. Any match is a Critical finding.
+
+```regex
+# Generic API keys
+(?i)(api[_-]?key|apikey)\s*[:=]\s*['"][A-Za-z0-9\-_]{20,}['"]
+
+# AWS access key IDs
+AKIA[0-9A-Z]{16}
+
+# AWS secret access keys
+(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"][A-Za-z0-9/+]{40}['"]
+
+# JSON Web Tokens
+eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+
+
+# Generic passwords in config/code
+(?i)(password|passwd|pwd)\s*[:=]\s*['"][^'"]{8,}['"]
+
+# Private keys (PEM format)
+-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----
+
+# GitHub personal access tokens
+ghp_[A-Za-z0-9]{36}
+
+# Stripe secret keys
+sk_(live|test)_[A-Za-z0-9]{24,}
+
+# Generic bearer tokens
+(?i)bearer\s+[A-Za-z0-9\-._~+/]{20,}
+```
+
+> False positive reduction: skip matches inside `*.test.*`, `*.spec.*`, `*.example`, and `*.md` files when the value is clearly a placeholder (e.g., `YOUR_KEY_HERE`, `<your-token>`).
+
+---
+
+## Dependency Audit Commands
+
+Run the appropriate command for the detected stack and include output in the findings report:
+
+| Stack | Command |
+|-------|---------|
+| Node.js | `npm audit --json` |
+| Python | `pip-audit --format json` |
+| Go | `govulncheck ./...` |
+| Ruby | `bundle audit check --update` |
+| Java/Maven | `mvn dependency-check:check` |
+| Rust | `cargo audit` |

package/templates/repo/.github/skills/sequential-thinking/README.md

@@ -4,7 +4,7 @@ Structured, reflective problem-solving methodology converted from the sequential
 
 ## Overview
 
-This skill teaches the AI agent to apply systematic sequential thinking methodology for complex problem-solving, without relying on external MCP tools. It enables:
+This skill teaches the AI to apply systematic sequential thinking methodology for complex problem-solving, without relying on external MCP tools. It enables:
 - Breaking down complex problems into manageable thought sequences
 - Dynamic adjustment of thought count as understanding evolves
 - Revision of previous thoughts when new insights emerge
@@ -91,7 +91,7 @@ Thought 2/5: [Further analysis]
 
 **Implicit Mode**: Apply methodology internally without cluttering output
 
-## When the Agent Should Use This Skill
+## When AI Should Use This Skill
 
 Automatically activated for:
 - Complex problem decomposition
@@ -176,7 +176,7 @@ Scripts are **optional tooling** - the methodology can be applied without them.
 
 Converted from: https://github.com/modelcontextprotocol/servers/tree/main/src/sequentialthinking
 
-Original MCP server (MIT License).
+Original MCP server by Anthropic (MIT License).
 Skill conversion:
 - Extracts methodology as instructions
 - Adds executable scripts for deterministic validation

package/templates/repo/.github/skills/sequential-thinking/SKILL.md

@@ -1,6 +1,8 @@
 ---
 name: sequential-thinking
 description: Apply step-by-step analysis for complex problems with revision capability. Use for multi-step reasoning, hypothesis verification, adaptive planning, problem decomposition, course correction.
+license: MIT
+argument-hint: "[problem to analyze step-by-step]"
 ---
 
 # Sequential Thinking