cortex-agents 1.0.0

package/.opencode/agents/security.md

@@ -0,0 +1,90 @@
+---
+description: Security auditing and vulnerability detection
+mode: subagent
+model: kimi-for-coding/k2p5
+temperature: 0.1
+tools:
+  write: false
+  edit: false
+  bash: true
+  skill: true
+  task: true
+  grep: true
+  read: true
+permission:
+  edit: deny
+  bash: ask
+---
+
+You are a security specialist powered by k2p5. Your role is to audit code for security vulnerabilities and recommend fixes.
+
+## Core Principles
+- Assume all input is malicious
+- Defense in depth (multiple security layers)
+- Principle of least privilege
+- Never trust client-side validation
+- Secure by default
+- Regular dependency updates
+
+## Security Checklist
+
+### Input Validation
+- [ ] All inputs validated on server-side
+- [ ] SQL injection prevented (parameterized queries)
+- [ ] XSS prevented (output encoding)
+- [ ] CSRF tokens implemented
+- [ ] File uploads validated (type, size)
+- [ ] Command injection prevented
+
+### Authentication & Authorization
+- [ ] Strong password policies
+- [ ] Multi-factor authentication (MFA)
+- [ ] Session management secure
+- [ ] JWT tokens properly validated
+- [ ] Role-based access control (RBAC)
+- [ ] OAuth implementation follows best practices
+
+### Data Protection
+- [ ] Sensitive data encrypted at rest
+- [ ] HTTPS enforced
+- [ ] Secrets not in code (env vars)
+- [ ] PII handling compliant with regulations
+- [ ] Proper data retention policies
+
+### Infrastructure
+- [ ] Security headers set (CSP, HSTS)
+- [ ] CORS properly configured
+- [ ] Rate limiting implemented
+- [ ] Logging and monitoring in place
+- [ ] Dependency vulnerabilities checked
+
+## Common Vulnerabilities
+
+### OWASP Top 10
+1. Broken Access Control
+2. Cryptographic Failures
+3. Injection (SQL, NoSQL, OS)
+4. Insecure Design
+5. Security Misconfiguration
+6. Vulnerable Components
+7. ID and Auth Failures
+8. Software and Data Integrity
+9. Logging Failures
+10. SSRF (Server-Side Request Forgery)
+
+## Review Process
+1. Identify attack surfaces
+2. Review authentication flows
+3. Check authorization checks
+4. Validate input handling
+5. Examine output encoding
+6. Review error handling (no info leakage)
+7. Check secrets management
+8. Verify logging (no sensitive data)
+9. Review dependencies
+10. Test with security tools
+
+## Tools & Commands
+- Check for secrets: `grep -r "password\|secret\|token\|key" --include="*.js" --include="*.ts" --include="*.py"`
+- Dependency audit: `npm audit`, `pip-audit`, `cargo audit`
+- Static analysis: Semgrep, Bandit, ESLint security

package/.opencode/agents/testing.md

@@ -0,0 +1,89 @@
+---
+description: Test-driven development and quality assurance
+mode: subagent
+model: kimi-for-coding/k2p5
+temperature: 0.2
+tools:
+  write: true
+  edit: true
+  bash: true
+  skill: true
+  task: true
+permission:
+  edit: allow
+  bash: ask
+---
+
+You are a testing specialist powered by k2p5. Your role is to write comprehensive tests, improve test coverage, and ensure code quality.
+
+## Core Principles
+- Write tests that serve as documentation
+- Test behavior, not implementation details
+- Use appropriate testing levels (unit, integration, e2e)
+- Maintain high test coverage on critical paths
+- Make tests fast and reliable
+- Follow AAA pattern (Arrange, Act, Assert)
+
+## Testing Pyramid
+
+### Unit Tests (70%)
+- Test individual functions/classes in isolation
+- Mock external dependencies
+- Fast execution (< 10ms per test)
+- High coverage on business logic
+- Test edge cases and error conditions
+
+### Integration Tests (20%)
+- Test component interactions
+- Use real database (test instance)
+- Test API endpoints
+- Verify data flow between layers
+- Slower but more realistic
+
+### E2E Tests (10%)
+- Test complete user workflows
+- Use real browser (Playwright/Cypress)
+- Critical happy paths only
+- Most realistic but slowest
+- Run in CI/CD pipeline
+
+## Testing Patterns
+
+### Test Structure
+```typescript
+describe('FeatureName', () => {
+  describe('when condition', () => {
+    it('should expected behavior', () => {
+      // Arrange
+      const input = ...;
+      
+      // Act
+      const result = functionUnderTest(input);
+      
+      // Assert
+      expect(result).toBe(expected);
+    });
+  });
+});
+```
+
+### Best Practices
+- One assertion per test (ideally)
+- Descriptive test names
+- Use factories/fixtures for test data
+- Clean up after tests
+- Avoid test interdependencies
+- Parametrize tests for multiple scenarios
+
+## Coverage Goals
+- Business logic: >90%
+- API routes: >80%
+- UI components: >70%
+- Utilities/helpers: >80%
+
+## Testing Tools
+- Jest/Vitest for unit tests
+- Playwright/Cypress for e2e
+- React Testing Library for components
+- Supertest for API testing
+- MSW for API mocking

package/.opencode/skills/code-quality/SKILL.md

@@ -0,0 +1,251 @@
+---
+name: code-quality
+description: Refactoring patterns, code maintainability, and best practices for clean code
+license: Apache-2.0
+compatibility: opencode
+---
+
+# Code Quality Skill
+
+This skill provides patterns for writing clean, maintainable, and high-quality code.
+
+## When to Use
+
+Use this skill when:
+- Refactoring existing code
+- Code reviewing
+- Setting up linting/formatting
+- Improving code maintainability
+- Reducing technical debt
+
+## Clean Code Principles
+
+### SOLID Principles
+- **S**ingle Responsibility Principle
+- **O**pen/Closed Principle
+- **L**iskov Substitution Principle
+- **I**nterface Segregation Principle
+- **D**ependency Inversion Principle
+
+### DRY (Don't Repeat Yourself)
+- Extract duplicated logic
+- Create reusable functions
+- Use composition
+- Avoid copy-paste programming
+
+### KISS (Keep It Simple, Stupid)
+- Simple solutions over clever ones
+- Avoid premature optimization
+- Clear naming over comments
+- Small functions and classes
+
+### YAGNI (You Aren't Gonna Need It)
+- Don't add functionality until needed
+- Avoid speculative generality
+- Iterate based on requirements
+- Simple first, generalize later
+
+## Refactoring Patterns
+
+### Extract Method
+Move code block into separate method with descriptive name.
+
+Before:
+```typescript
+function processOrder(order) {
+  // validate
+  if (!order.items || order.items.length === 0) {
+    throw new Error('Order must have items');
+  }
+  if (!order.customerId) {
+    throw new Error('Order must have customer');
+  }
+  
+  // calculate total
+  let total = 0;
+  for (const item of order.items) {
+    total += item.price * item.quantity;
+  }
+  
+  // save
+  database.save(order);
+}
+```
+
+After:
+```typescript
+function processOrder(order) {
+  validateOrder(order);
+  order.total = calculateTotal(order.items);
+  database.save(order);
+}
+
+function validateOrder(order) {
+  if (!order.items?.length) {
+    throw new Error('Order must have items');
+  }
+  if (!order.customerId) {
+    throw new Error('Order must have customer');
+  }
+}
+
+function calculateTotal(items) {
+  return items.reduce((sum, item) => sum + item.price * item.quantity, 0);
+}
+```
+
+### Replace Conditional with Polymorphism
+Use inheritance/polymorphism instead of switch statements.
+
+### Introduce Parameter Object
+Group related parameters into an object.
+
+### Remove Dead Code
+Delete unused functions, variables, and comments.
+
+### Rename Variable/Function
+Use descriptive, intention-revealing names.
+
+## Code Organization
+
+### File Structure
+- One class/component per file
+- Cohesive modules
+- Clear folder hierarchy
+- Index files for clean imports
+
+### Naming Conventions
+- Classes: PascalCase (UserController)
+- Functions/Variables: camelCase (getUserById)
+- Constants: UPPER_SNAKE_CASE (MAX_RETRIES)
+- Private: _prefixed (_internalMethod)
+- Boolean: is/has/should prefix (isValid)
+
+### Import Organization
+Group imports:
+1. Built-in modules
+2. External libraries
+3. Internal modules
+4. Relative imports
+
+Sort alphabetically within groups.
+
+## Language-Specific Quality
+
+### TypeScript
+- Use strict mode
+- Prefer interfaces for objects
+- Use type for unions/tuples
+- Avoid `any`
+- Use unknown for error handling
+- Leverage discriminated unions
+
+### Python
+- Follow PEP 8
+- Use type hints
+- Prefer dataclasses
+- Use list/dict comprehensions
+- Handle exceptions explicitly
+- Write docstrings
+
+### Go
+- Format with gofmt
+- Use golint and go vet
+- Keep functions small
+- Return errors, don't panic
+- Use interfaces for abstraction
+- Write table-driven tests
+
+### Rust
+- Run cargo fmt and clippy
+- Use Result/Option
+- Leverage ownership system
+- Write documentation comments
+- Avoid unwrap/expect in production
+- Use enums for state machines
+
+## Code Review Checklist
+
+### Functionality
+- [ ] Works as intended
+- [ ] Handles edge cases
+- [ ] No obvious bugs
+- [ ] Error handling appropriate
+
+### Readability
+- [ ] Naming is clear
+- [ ] Functions are focused
+- [ ] Comments explain why, not what
+- [ ] No magic numbers/strings
+
+### Maintainability
+- [ ] No code duplication
+- [ ] SOLID principles followed
+- [ ] Easy to test
+- [ ] Properly documented
+
+### Performance
+- [ ] No obvious bottlenecks
+- [ ] Efficient algorithms
+- [ ] Resource cleanup
+- [ ] Appropriate data structures
+
+### Security
+- [ ] No injection vulnerabilities
+- [ ] Input validation
+- [ ] No sensitive data exposure
+- [ ] Proper auth checks
+
+## Linting and Formatting
+
+### Configuration
+- Share configs across team
+- Integrate with CI/CD
+- Pre-commit hooks
+- Editor integration
+- Gradual adoption for legacy
+
+### Tools
+- **ESLint** - JavaScript/TypeScript
+- **Prettier** - Multi-language formatter
+- **Black** - Python formatter
+- **Ruff** - Python linter
+- **gofmt** - Go formatter
+- **rustfmt** - Rust formatter
+- **RuboCop** - Ruby
+
+## Technical Debt Management
+
+### Identify Debt
+- Code smells
+- Complex functions
+- Outdated dependencies
+- Missing tests
+- Documentation gaps
+
+### Prioritize
+- Impact vs effort analysis
+- Business risk assessment
+- Frequency of changes
+- Team productivity impact
+
+### Address Strategy
+- Boy Scout Rule: Leave it better
+- Refactoring sprints
+- Incremental improvements
+- Big-bang rewrites (last resort)
+
+## Documentation
+
+### Code Documentation
+- JSDoc/TSDoc for public APIs
+- Docstrings for Python
+- Comments for complex logic
+- README for modules
+- Architecture Decision Records (ADRs)
+
+### Living Documentation
+- Keep docs with code
+- Use tools that extract from code
+- Examples in documentation
+- Regular reviews and updates

package/.opencode/skills/deployment-automation/SKILL.md

@@ -0,0 +1,258 @@
+---
+name: deployment-automation
+description: CI/CD pipelines, containerization, cloud deployment, and infrastructure patterns
+license: Apache-2.0
+compatibility: opencode
+---
+
+# Deployment Automation Skill
+
+This skill provides patterns for automating deployment and managing infrastructure.
+
+## When to Use
+
+Use this skill when:
+- Setting up CI/CD pipelines
+- Dockerizing applications
+- Configuring cloud infrastructure
+- Setting up monitoring
+- Automating deployments
+
+## CI/CD Fundamentals
+
+### Pipeline Stages
+1. **Source** - Code commit triggers
+2. **Build** - Compile and package
+3. **Test** - Run test suites
+4. **Security Scan** - Vulnerability checks
+5. **Deploy** - Push to environment
+6. **Verify** - Smoke tests and health checks
+
+### GitOps Principles
+- Git as single source of truth
+- Declarative infrastructure
+- Automated synchronization
+- Drift detection
+- Rollback capability
+
+## GitHub Actions
+
+### Workflow Structure
+```yaml
+name: CI/CD Pipeline
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+      - run: npm ci
+      - run: npm test
+      
+  deploy:
+    needs: test
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: ./deploy.sh
+```
+
+### Best Practices
+- Use secrets for sensitive data
+- Cache dependencies
+- Matrix builds for multiple versions
+- Reusable workflows
+- Environment protection rules
+
+## Docker
+
+### Dockerfile Best Practices
+- Use official base images
+- Multi-stage builds
+- Non-root user
+- Layer caching
+- .dockerignore
+
+Example:
+```dockerfile
+# Build stage
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+# Production stage
+FROM node:20-alpine
+WORKDIR /app
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/node_modules ./node_modules
+USER node
+CMD ["node", "dist/index.js"]
+```
+
+### Docker Compose
+- Service definitions
+- Environment variables
+- Volume mounting
+- Network configuration
+- Health checks
+
+## Cloud Deployment
+
+### Container Orchestration
+- Kubernetes basics
+- Deployments and Services
+- ConfigMaps and Secrets
+- Ingress controllers
+- Horizontal Pod Autoscaling
+
+### Platform-Specific
+
+#### AWS
+- ECS (Elastic Container Service)
+- EKS (Elastic Kubernetes Service)
+- Lambda (serverless)
+- Elastic Beanstalk
+- CodeDeploy
+
+#### GCP
+- Cloud Run
+- GKE (Google Kubernetes Engine)
+- Cloud Functions
+- App Engine
+
+#### Azure
+- Container Apps
+- AKS (Azure Kubernetes Service)
+- Azure Functions
+- App Service
+
+## Infrastructure as Code
+
+### Terraform
+- Providers and resources
+- State management
+- Modules
+- Workspaces
+- Remote backends
+
+### Pulumi
+- Programming language approach
+- State management
+- Component resources
+- Policy as code
+
+### CloudFormation (AWS)
+- Templates
+- Stacks
+- Change sets
+- Stack policies
+- Custom resources
+
+## Deployment Strategies
+
+### Basic Strategies
+- **Recreate** - Stop old, start new
+- **Rolling** - Gradual replacement
+- **Blue/Green** - Two identical environments
+- **Canary** - Gradual traffic shifting
+- **A/B Testing** - Split traffic for testing
+
+### Advanced Patterns
+- Feature flags
+- Dark launches
+- Circuit breakers
+- Graceful degradation
+- Database migrations with downtime minimization
+
+## Monitoring & Observability
+
+### Logging
+- Structured logging (JSON)
+- Log levels
+- Centralized aggregation
+- Log retention policies
+- Sensitive data filtering
+
+### Metrics
+- Application metrics
+- Infrastructure metrics
+- Business metrics
+- Custom metrics
+- SLIs and SLOs
+
+### Alerting
+- Alert rules
+- Notification channels
+- On-call rotations
+- Incident response
+- Post-mortems
+
+### Tools
+- Prometheus + Grafana
+- Datadog
+- New Relic
+- CloudWatch
+- Splunk
+
+## Security in DevOps (DevSecOps)
+
+### Shift Left Security
+- Security in CI/CD
+- Automated scanning
+- Policy as code
+- Compliance checks
+
+### Container Security
+- Image scanning
+- Runtime security
+- Network policies
+- Pod security
+
+### Secrets Management
+- HashiCorp Vault
+- AWS Secrets Manager
+- Azure Key Vault
+- Google Secret Manager
+- Sealed Secrets
+
+## Performance Optimization
+
+### Build Optimization
+- Layer caching
+- Parallel builds
+- BuildKit features
+- Slim base images
+- Distroless images
+
+### Runtime Optimization
+- Resource limits
+- Health checks
+- Graceful shutdown
+- Connection pooling
+- Caching strategies
+
+## Disaster Recovery
+
+### Backup Strategies
+- Regular backups
+- Point-in-time recovery
+- Cross-region replication
+- Backup testing
+- Retention policies
+
+### High Availability
+- Multi-region deployment
+- Load balancing
+- Auto-scaling
+- Health checks
+- Circuit breakers