cokit-cli 1.2.6 → 1.3.0

package/skills/code-review/references/adversarial-review.md

@@ -0,0 +1,223 @@
+---
+name: adversarial-review
+description: Stage 3 red-team review that actively tries to break code — finds security holes, false assumptions, failure modes, race conditions. Spawns adversarial reviewer subagent with destructive mindset. Includes scope gate for trivial changes.
+---
+
+# Adversarial Review (Stage 3)
+
+Runs after every Stage 2 (Code Quality) pass. Subject to scope gate below.
+
+## Scope Gate
+
+Skip adversarial review when ALL of these are true:
+- Changed files <= 2
+- Lines changed <= 30
+- No security-sensitive files touched (auth, crypto, input parsing, SQL, env)
+- No new dependencies added
+
+When skipped, note: `Adversarial: skipped (below threshold)` in review output.
+
+**NEVER skip when:**
+- Any file in: `auth/`, `middleware/`, `security/`, `crypto/`
+- `package.json`, `package-lock.json`, or lockfile changed
+- Environment variables added/changed
+- Database schema modified
+- API route added/changed
+
+## Mindset
+
+> "You are hired to tear apart the implementer's work. Your job is to find every way this code can fail, be exploited, or produce incorrect results. Assume the implementer made mistakes. Prove it."
+
+This is NOT a standard code review. Standard reviews check if code meets requirements. Adversarial review assumes requirements are met and asks: **"How can this still break?"**
+
+## What to Attack
+
+### Security Holes
+- Injection vectors (SQL, command, XSS, template)
+- Auth bypass paths (missing checks, privilege escalation)
+- Secrets exposure (logs, error messages, stack traces)
+- Input trust boundaries (user input treated as safe)
+- SSRF, path traversal, deserialization attacks
+
+### False Assumptions
+- "This will never be null" -- prove it can be
+- "This list always has elements" -- find the empty case
+- "Users always call A before B" -- find the out-of-order path
+- "This config value exists" -- find the missing env var
+- "This third-party API always returns 200" -- find the failure mode
+- "This API shape won't change" -- find the breaking caller
+
+### Failure Modes & Resource Exhaustion
+- What happens when disk is full?
+- What happens when network times out mid-operation?
+- What happens when the database connection drops during a transaction?
+- Unbounded allocations from user-controlled input
+- Missing timeouts on external calls
+- Event loop blocking (sync operations in async context)
+- Connection/handle leaks on error paths
+- Regex catastrophic backtracking (ReDoS)
+
+### Race Conditions
+- Shared mutable state without locks
+- Time-of-check-to-time-of-use (TOCTOU)
+- Async operations with implicit ordering assumptions
+- Cache invalidation during concurrent writes
+
+### Data Corruption
+- Partial writes on failure (no transaction/rollback)
+- Type coercion surprises (string "0" as falsy)
+- Floating point comparison for equality
+- Timezone-naive datetime operations
+
+### Supply Chain & Dependencies
+- New dependencies: postinstall scripts, maintainer reputation, bundle size
+- Lockfile changes: version drift, removed integrity hashes
+- Transitive deps pulling in known-vulnerable packages
+
+### Observability Blind Spots
+- Swallowed errors (`catch {}` with no log)
+- Missing structured context in error logs
+- PII in log output
+
+## Process
+
+### 1. Spawn Adversarial Reviewer
+
+Dispatch `code-reviewer` subagent with adversarial prompt:
+
+```
+You are an adversarial code reviewer. Your ONLY job is to find ways this code
+can fail, be exploited, or produce incorrect results.
+
+DO NOT praise the code. DO NOT note what works well.
+ONLY report problems. If you find nothing, say "No findings" -- but try harder first.
+
+Focus on ADDED/MODIFIED lines (+ prefix in diff). Pre-existing code is out of scope
+unless the change makes it newly exploitable.
+
+Context (read for understanding, DO NOT review):
+{CONTEXT_FILES}
+
+Runtime: {RUNTIME} (e.g., Node.js single-threaded, browser, serverless)
+Framework: {FRAMEWORK} (e.g., Express with global error handler at app.ts:45)
+
+Review this diff:
+{DIFF}
+
+Changed files: {FILES}
+
+Attack vectors to check:
+1. Security holes (injection, auth bypass, secrets exposure)
+2. False assumptions (null, empty, ordering, config, API contracts)
+3. Failure modes + resource exhaustion (timeouts, leaks, unbounded input)
+4. Race conditions (shared state, TOCTOU, async ordering)
+5. Data corruption (partial writes, type coercion, encoding)
+6. Supply chain (new deps, lockfile changes, transitive vulns)
+7. Observability (swallowed errors, missing logs, PII in output)
+
+For each finding, report:
+- SEVERITY: Critical / Medium / Low
+- CATEGORY: Security / Assumption / Failure / Race / Data / Supply / Observability
+- LOCATION: file:line
+- ATTACK: How to trigger the problem
+- IMPACT: What happens when triggered
+- FIX: Describe the fix approach (e.g., "add null check before line 42").
+  Do NOT write implementation code -- the implementer has full context.
+```
+
+**If adversarial produces >10 findings on <100 lines changed:** likely too aggressive. Batch-reject noise, deep-review only Critical/Medium.
+
+### 2. Adjudicate Findings
+
+Main agent reviews each adversarial finding and assigns verdict:
+
+| Verdict | Meaning | Action |
+|---------|---------|--------|
+| **Accept** | Valid flaw, reproducible or clearly reasoned | Must fix before merge |
+| **Reject** | False positive, already handled, or impossible path | Document why, no action |
+| **Defer** | Valid but low-risk, tracked for later | Create GitHub issue for tracking |
+
+**Rules:**
+- Every finding gets a verdict -- no silent dismissals
+- Critical findings: Accept unless you can PROVE false positive
+- Benefit of doubt goes to the adversary (safer to fix than to dismiss)
+- If >50% of findings are Rejected, the adversary was too aggressive -- but still report all
+
+**Calibration examples:**
+
+| Verdict | Example | Reasoning |
+|---------|---------|-----------|
+| Accept | "SQL injection via string interpolation in query builder" | Clearly exploitable, concrete path shown |
+| Reject | "Missing null check on config.apiUrl" | Config loaded at startup with schema validation (see config.ts:12), cannot be null at runtime |
+| Defer | "No rate limiting on POST /api/upload" | Valid concern but internal-only tool currently; track for public exposure |
+
+### 3. Report Format
+
+```
+## Adversarial Review -- Stage 3
+
+### Summary
+- Findings: N total (X Critical, Y Medium, Z Low)
+- Accepted: A (must fix)
+- Rejected: B (false positive)
+- Deferred: C (tracked via GitHub issues)
+
+### Accepted Findings (Must Fix)
+
+#### [1] SEVERITY -- CATEGORY -- file:line
+**Attack:** How to trigger
+**Impact:** What happens
+**Fix:** Approach description
+**Verdict:** Accept -- [reason]
+
+### Rejected Findings
+
+#### [N] SEVERITY -- CATEGORY -- file:line
+**Attack:** Claimed vector
+**Verdict:** Reject -- [reason this is a false positive]
+
+### Deferred Findings
+
+#### [N] SEVERITY -- CATEGORY -- file:line
+**Attack:** How to trigger
+**Verdict:** Defer -- [reason] → GitHub issue #X
+```
+
+### 4. Fix Accepted Findings
+
+- Critical: Block merge. Fix immediately via `/fix` or manual edit.
+- Medium: Fix before merge if feasible. Defer only with explicit user approval.
+- Low: Track. Fix in follow-up if pattern repeats.
+
+### Re-review Optimization
+
+On fix cycles (re-running after accepted findings were fixed):
+- Only pass the FIX diff to adversarial, not the full original diff
+- Verify accepted findings are resolved
+- Check for regression: did the fix introduce new issues?
+
+## Integration with Pipeline
+
+```
+Stage 1 (Spec) → PASS
+  ↓
+Stage 2 (Quality) → PASS
+  ↓
+Scope gate → below threshold? → skip (note in report)
+  ↓ (above threshold)
+Stage 3 (Adversarial) → findings
+  ├─ 0 Accepted → PASS → proceed
+  ├─ Accepted Critical → BLOCK → fix → re-run Stage 3 (fix diff only)
+  └─ Accepted Medium/Low only → fix or defer → proceed
+```
+
+**Task pipeline update:** When using task-managed reviews, adversarial review gets its own task between "Review implementation" and "Fix critical issues".
+
+## What This Is NOT
+
+- NOT a style review (Stage 2 handles that)
+- NOT a spec compliance check (Stage 1 handles that)
+- NOT dependency graph analysis or import tracing (scout handles that)
+- NOT a general "suggestions for improvement" pass
+
+This is a focused, hostile attempt to break the code. If the code survives, it's ready to ship.

package/skills/code-review/references/checklist-workflow.md

@@ -0,0 +1,100 @@
+# Checklist-Based Review Workflow
+
+How to apply structured review checklists during code review.
+
+## When to Use
+
+- Pre-landing review (from `/ck-ship` pipeline)
+- Explicit request for checklist review
+- Security audit before release
+- Code-reviewer agent when reviewing significant changes (10+ files or security-sensitive)
+
+## Workflow
+
+### 1. Auto-Detect Project Type
+
+```bash
+# Check for web app frameworks
+if grep -qE '"(react|vue|svelte|next|nuxt|angular)"' package.json 2>/dev/null; then
+  echo "web-app"
+# Check for API patterns
+elif ls src/routes/ src/api/ src/controllers/ app/controllers/ 2>/dev/null | head -1; then
+  echo "api"
+else
+  echo "base-only"
+fi
+```
+
+### 2. Load Checklists
+
+Always load: `checklists/base.md`
+
+Overlay based on detection:
+- `web-app` → also load `checklists/web-app.md`
+- `api` → also load `checklists/api.md`
+- Both detected → load both overlays
+
+### 3. Get the Diff
+
+```bash
+git fetch origin main --quiet
+git diff origin/main
+```
+
+**CRITICAL:** Read the FULL diff before flagging anything. Checklist suppressions require full context.
+
+### 4. Two-Pass Review
+
+**Pass 1 (CRITICAL) — Run first:**
+- Scan diff against ALL critical categories (base + overlays)
+- Each finding must include: `[file:line]`, problem, fix
+- These block `/ship` pipeline
+
+**Pass 2 (INFORMATIONAL) — Run second:**
+- Scan diff against ALL informational categories (base + overlays)
+- Same format: `[file:line]`, problem, fix
+- Included in PR body but don't block
+
+### 5. Check Suppressions
+
+Before reporting any finding, verify it's NOT in the suppressions list (bottom of `base.md`).
+
+Key suppressions:
+- Already addressed in the diff
+- Readability-aiding redundancy
+- Style/formatting issues
+- "Consider using X" when Y works fine
+
+### 6. Output
+
+```
+Pre-Landing Review: N issues (X critical, Y informational)
+
+**CRITICAL** (blocking):
+- [src/auth/login.ts:42] SQL injection via string interpolation in user lookup
+  Fix: Use parameterized query: `db.query('SELECT * FROM users WHERE email = $1', [email])`
+
+**Issues** (non-blocking):
+- [src/api/users.ts:88] Magic number 30 for pagination limit
+  Fix: Extract to constant `DEFAULT_PAGE_SIZE = 30`
+```
+
+### 7. Critical Issue Resolution
+
+For each critical issue, ask the user:
+- Problem with `file:line`
+- Recommended fix
+- Options:
+  - A) Fix now (recommended)
+  - B) Acknowledge and proceed
+  - C) False positive — skip
+
+If user chose A (fix): apply fixes, commit, then re-run tests before continuing.
+
+## Integration with /ck-ship
+
+The ship pipeline calls this workflow at Step 4. Critical findings block the pipeline. Informational findings are included in the PR body.
+
+## Integration with /ck-code-review
+
+When invoked as part of standard code review, the checklist augments (not replaces) the existing scout → review → fix → verify pipeline. Checklist findings are merged with code-reviewer's own findings.

package/skills/code-review/references/checklists/api.md

@@ -0,0 +1,52 @@
+# API Review Checklist (Overlay)
+
+Additive to `base.md`. Apply when project exposes REST/GraphQL/gRPC APIs.
+
+## Detection
+
+Apply this overlay when any of these are true:
+- Project has route definitions (Express, FastAPI, NestJS, Django, Rails, Go chi/gin)
+- OpenAPI/Swagger spec file exists
+- `src/routes/`, `src/api/`, `src/controllers/` directories
+- GraphQL schema files in the diff
+
+---
+
+## Pass 1 — CRITICAL (additions to base)
+
+### Auth & Rate Limiting
+- Public endpoints missing rate limiting (login, registration, password reset)
+- API keys or tokens exposed in URL query parameters (use headers)
+- Missing auth middleware on new routes
+- Batch/bulk endpoints without per-item authorization checks
+
+### Input Validation
+- Request body accepted without schema validation (missing Zod, Joi, Pydantic, etc.)
+- Mass assignment: entire request body spread into database model
+- File upload without size/type restrictions
+- Array inputs without length limits (DoS via large payloads)
+
+### Data Exposure
+- Sensitive fields in API responses (password hashes, internal IDs, tokens)
+- Stack traces or internal error details in production error responses
+- Verbose error messages that leak schema/implementation details
+
+---
+
+## Pass 2 — INFORMATIONAL (additions to base)
+
+### API Design
+- List endpoints without pagination (LIMIT/OFFSET or cursor-based)
+- Missing consistent error response format across endpoints
+- Inconsistent naming conventions (camelCase vs snake_case in same API)
+- Missing request/response content-type headers
+
+### Observability
+- New endpoints without logging/metrics
+- Error paths that swallow exceptions silently
+- Missing correlation/request IDs for tracing
+
+### Versioning & Compatibility
+- Breaking changes to existing response shapes without version bump
+- Removed fields without deprecation notice
+- Changed field types (string → number) in existing responses

package/skills/code-review/references/checklists/base.md

@@ -0,0 +1,100 @@
+# Base Review Checklist
+
+Universal checklist for all project types. Two-pass model: critical (blocking) + informational (non-blocking).
+
+## Instructions
+
+Review `git diff origin/main` for the issues below. Be specific — cite `file:line` and suggest fixes. Skip anything that's fine. Only flag real problems.
+
+**Output format:**
+
+```
+Pre-Landing Review: N issues (X critical, Y informational)
+
+**CRITICAL** (blocking):
+- [file:line] Problem description
+  Fix: suggested fix
+
+**Issues** (non-blocking):
+- [file:line] Problem description
+  Fix: suggested fix
+```
+
+If no issues: `Pre-Landing Review: No issues found.`
+
+Be terse. One line problem, one line fix. No preamble.
+
+---
+
+## Pass 1 — CRITICAL (blocking)
+
+### Injection & Data Safety
+- String interpolation in SQL/database queries (even with type casting — use parameterized queries)
+- Unsanitized user input written to database or rendered in HTML
+- Raw HTML output from user-controlled data (`innerHTML`, `dangerouslySetInnerHTML`, `html_safe`, `raw()`, `| safe`)
+- Command injection via string concatenation in shell commands (use argument arrays)
+- Path traversal via user input in file operations
+
+### Race Conditions & Concurrency
+- Read-check-write without atomic operations (check-then-set should be atomic WHERE + UPDATE)
+- Find-or-create without unique database constraint (concurrent calls create duplicates)
+- Status transitions without atomic WHERE old_status + UPDATE new_status
+- Shared mutable state accessed without synchronization
+
+### Security Boundaries
+- Missing authentication checks on new endpoints/routes
+- Privilege escalation paths (user can access/modify another user's data — IDOR)
+- Secrets in logs, error responses, or client-side code
+- LLM/AI output written to database or used in queries without validation
+- JWT/token comparison using `==` instead of constant-time comparison
+
+### Auth & Access Control
+- New API endpoints without auth middleware
+- Missing authorization check (authenticated but not authorized)
+- Admin-only operations accessible to regular users
+- Session fixation or token reuse vulnerabilities
+
+---
+
+## Pass 2 — INFORMATIONAL (non-blocking)
+
+### Conditional Side Effects
+- Code branches on condition but forgets side effect on one branch (e.g., sets status but not associated data)
+- Log messages claiming action happened but action was conditionally skipped
+
+### Magic Numbers & String Coupling
+- Bare numeric literals used in multiple files — should be named constants
+- Error message strings used as query filters elsewhere (grep for the string)
+
+### Dead Code & Consistency
+- Variables assigned but never read
+- Stale comments describing old behavior after code changed
+- Import/require statements for unused modules
+
+### Test Gaps
+- Missing negative-path tests (error cases, validation failures)
+- Assertions on type/status but not side effects (e.g., checks status but not that email was sent)
+- Missing integration tests for security enforcement (auth, rate limiting, access control)
+
+### Type Coercion at Boundaries
+- Values crossing language/system boundaries where type could change (string vs number)
+- Hash/digest inputs that don't normalize types before serialization
+
+### Performance
+- O(n*m) lookups in views/templates (array search inside loops — use hash/map lookup)
+- Missing pagination on list endpoints returning unbounded results
+- N+1 queries: loading associations inside loops without eager loading
+- Unbounded queries without LIMIT
+
+---
+
+## Suppressions — DO NOT flag these
+
+- Redundancy that aids readability (e.g., `present?` redundant with length check)
+- "Add comment explaining why this threshold was chosen" — thresholds change, comments rot
+- "This assertion could be tighter" when assertion already covers the behavior
+- Consistency-only changes (wrapping a value to match how another constant is guarded)
+- Harmless no-ops (e.g., `.filter()` on array that never contains the filtered value)
+- ANYTHING already addressed in the diff being reviewed — read the FULL diff before commenting
+- Style/formatting issues (use a linter for that)
+- "Consider using X instead of Y" when Y works fine

package/skills/code-review/references/checklists/web-app.md

@@ -0,0 +1,54 @@
+# Web App Review Checklist (Overlay)
+
+Additive to `base.md`. Apply when project has frontend framework (React, Vue, Svelte, Next.js, etc.).
+
+## Detection
+
+Apply this overlay when any of these are true:
+- `package.json` has `react`, `vue`, `svelte`, `next`, `nuxt`, `angular` dependency
+- Project has `src/pages/`, `src/app/`, `src/components/`, `src/views/` directories
+- HTML/JSX/TSX/Vue files in the diff
+
+---
+
+## Pass 1 — CRITICAL (additions to base)
+
+### XSS
+- `innerHTML` assignment from any non-static source
+- Template literals interpolated into DOM without escaping
+- URL parameters rendered without sanitization
+- `<a href={userInput}>` without protocol validation (javascript: protocol)
+- Server-rendered user content without HTML entity encoding
+
+### CSRF
+- State-changing endpoints (POST/PUT/DELETE) without CSRF token verification
+- Cookie-based auth without SameSite attribute
+- Form submissions to external URLs
+
+### N+1 Queries (server-rendered views)
+- Database queries inside loops rendering lists
+- Missing eager loading for associations rendered in views/pages
+- Sequential API calls that could be batched
+
+---
+
+## Pass 2 — INFORMATIONAL (additions to base)
+
+### Frontend Performance
+- Inline `<style>` blocks in components re-parsed every render
+- Missing `key` prop on list items
+- Large bundle imports that could be lazy-loaded (e.g., full lodash instead of lodash/get)
+- Images without width/height causing layout shift
+- Missing `loading="lazy"` on below-fold images
+
+### Accessibility
+- Interactive elements without keyboard support (onClick without onKeyDown)
+- Missing `alt` text on images
+- Form inputs without associated labels
+- Color-only indicators (no text/icon fallback)
+- Missing ARIA attributes on custom interactive components
+
+### Responsive / Layout
+- Fixed pixel widths that break on mobile
+- Missing viewport meta tag
+- Overflow hidden cutting off content on small screens