cortex-agents 1.0.0

package/.opencode/skills/git-workflow/SKILL.md

@@ -0,0 +1,281 @@
+---
+name: git-workflow
+description: Git branching strategies, worktree management, and collaborative development workflows
+license: Apache-2.0
+compatibility: opencode
+---
+
+# Git Workflow Skill
+
+This skill provides patterns for git branching, worktree management, and collaborative workflows.
+
+## When to Use
+
+Use this skill when:
+- Setting up branch strategy for new work
+- Managing parallel development with worktrees
+- Handling production hotfixes
+- Coordinating team workflows
+- Understanding git best practices
+
+## Branch Naming Conventions
+
+| Type | Prefix | Example | Use Case |
+|------|--------|---------|----------|
+| Feature | `feature/` | `feature/user-authentication` | New functionality |
+| Bugfix | `bugfix/` | `bugfix/login-validation` | Non-critical bug fixes |
+| Hotfix | `hotfix/` | `hotfix/security-patch` | Critical production fixes |
+| Refactor | `refactor/` | `refactor/api-cleanup` | Code restructuring |
+| Docs | `docs/` | `docs/api-reference` | Documentation only |
+| Test | `test/` | `test/e2e-coverage` | Test additions |
+| Spike | `spike/` | `spike/graphql-poc` | Research/proof of concept |
+| Chore | `chore/` | `chore/update-deps` | Maintenance tasks |
+
+## Protected Branches
+
+These branches should never be committed to directly:
+- `main` / `master` - Production code
+- `develop` - Integration branch
+- `staging` - Pre-production testing
+- `production` - Live deployment
+
+Always create a feature/bugfix branch and merge via Pull Request.
+
+## Worktree Workflow
+
+### When to Use Worktrees
+
+Worktrees are ideal for:
+- Parallel feature development
+- Urgent hotfix while mid-feature
+- Testing different approaches simultaneously
+- Code review while continuing work
+- Running different versions side-by-side
+
+### Worktree Structure
+
+```
+project/                    # Main worktree (main branch)
+../.worktrees/
+├── feature-auth/           # feature/auth worktree
+├── hotfix-security/        # hotfix/security worktree
+└── spike-graphql/          # spike/graphql worktree
+```
+
+### Worktree Commands
+
+```bash
+# Create worktree with new branch
+git worktree add -b feature/auth ../.worktrees/feature-auth
+
+# List all worktrees
+git worktree list
+
+# Remove worktree (after merge)
+git worktree remove ../.worktrees/feature-auth
+
+# Prune stale worktree references
+git worktree prune
+```
+
+### Worktree Best Practices
+
+1. **Keep worktrees short-lived** - Merge and clean up promptly
+2. **Name descriptively** - Match branch name for clarity
+3. **Share dependencies** - Use same node_modules when possible
+4. **Clean up after merge** - Remove worktree and optionally delete branch
+5. **Don't nest worktrees** - Keep them as siblings
+
+## Workflow Patterns
+
+### Feature Development Flow
+
+```mermaid
+graph LR
+    A[main] -->|branch| B[feature/x]
+    B -->|develop| C[commits]
+    C -->|PR| D[review]
+    D -->|merge| A
+```
+
+Steps:
+1. Create feature branch from main
+2. Develop and commit regularly
+3. Push and create Pull Request
+4. Address review feedback
+5. Merge after approval
+6. Delete feature branch
+
+### Hotfix Flow (with Worktree)
+
+```mermaid
+graph LR
+    A[main] -->|worktree| B[hotfix/x]
+    B -->|fix| C[test]
+    C -->|deploy| D[production]
+    D -->|merge| A
+```
+
+Steps:
+1. Create worktree from main: `worktree_create hotfix critical-bug`
+2. Open new terminal: `worktree_open critical-bug`
+3. Fix issue in new terminal
+4. Test and deploy
+5. Merge back to main
+6. Remove worktree
+
+### Parallel Development
+
+```mermaid
+graph TD
+    A[main] -->|worktree 1| B[feature/a]
+    A -->|worktree 2| C[feature/b]
+    B -->|merge| A
+    C -->|merge| A
+```
+
+Use when:
+- Multiple features needed simultaneously
+- Don't want to stash/switch constantly
+- Need to compare implementations
+
+## Commit Message Convention
+
+### Format
+
+```
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+```
+
+### Types
+
+| Type | Description |
+|------|-------------|
+| `feat` | New feature |
+| `fix` | Bug fix |
+| `docs` | Documentation only |
+| `style` | Formatting, no code change |
+| `refactor` | Code change, no feature/fix |
+| `test` | Adding tests |
+| `chore` | Maintenance |
+| `perf` | Performance improvement |
+| `ci` | CI/CD changes |
+
+### Examples
+
+```
+feat(auth): add OAuth2 login flow
+
+Implement Google and GitHub OAuth providers.
+Includes token refresh and session management.
+
+Closes #123
+```
+
+```
+fix(api): handle null response in user endpoint
+
+The /users/:id endpoint was crashing when user
+not found. Now returns proper 404 response.
+
+Fixes #456
+```
+
+## Pull Request Best Practices
+
+### PR Title
+- Use same format as commits: `type(scope): description`
+- Keep under 72 characters
+- Be specific about the change
+
+### PR Description Template
+
+```markdown
+## Summary
+Brief description of changes
+
+## Changes
+- Change 1
+- Change 2
+
+## Testing
+How was this tested?
+
+## Screenshots (if applicable)
+
+## Checklist
+- [ ] Tests added/updated
+- [ ] Documentation updated
+- [ ] No breaking changes
+```
+
+### Review Guidelines
+
+1. **Keep PRs small** - Under 400 lines ideally
+2. **One concern per PR** - Don't mix features
+3. **Self-review first** - Check your own diff
+4. **Respond to feedback** - Address or discuss all comments
+5. **Squash if needed** - Clean up messy history before merge
+
+## Git Configuration
+
+### Recommended Global Config
+
+```bash
+# Use rebase by default when pulling
+git config --global pull.rebase true
+
+# Prune deleted remote branches
+git config --global fetch.prune true
+
+# Sign commits (optional)
+git config --global commit.gpgsign true
+
+# Default branch name
+git config --global init.defaultBranch main
+```
+
+### Useful Aliases
+
+```bash
+git config --global alias.co checkout
+git config --global alias.br branch
+git config --global alias.st status
+git config --global alias.last 'log -1 HEAD'
+git config --global alias.unstage 'reset HEAD --'
+git config --global alias.visual '!gitk'
+```
+
+## Troubleshooting
+
+### Undo Last Commit (keep changes)
+```bash
+git reset --soft HEAD~1
+```
+
+### Discard Local Changes
+```bash
+git checkout -- <file>      # Single file
+git checkout -- .           # All files
+```
+
+### Fix Commit Message
+```bash
+git commit --amend -m "New message"
+```
+
+### Recover Deleted Branch
+```bash
+git reflog                  # Find commit hash
+git checkout -b branch-name <hash>
+```
+
+### Clean Untracked Files
+```bash
+git clean -n                # Dry run
+git clean -f                # Actually delete
+```

package/.opencode/skills/security-hardening/SKILL.md

@@ -0,0 +1,209 @@
+---
+name: security-hardening
+description: Security best practices, vulnerability detection, and secure coding patterns
+license: Apache-2.0
+compatibility: opencode
+---
+
+# Security Hardening Skill
+
+This skill provides guidance for writing secure code and identifying vulnerabilities.
+
+## When to Use
+
+Use this skill when:
+- Reviewing code for security issues
+- Implementing authentication/authorization
+- Handling sensitive data
+- Setting up security headers
+- Auditing dependencies
+
+## Security Principles
+
+### Core Concepts
+- Defense in depth
+- Principle of least privilege
+- Fail securely
+- Keep it simple
+- Don't trust user input
+- Security through obscurity is not security
+
+### Threat Model
+- Identify assets
+- Identify threats
+- Identify vulnerabilities
+- Assess risk
+- Mitigate threats
+
+## Common Vulnerabilities
+
+### OWASP Top 10 (2021)
+1. Broken Access Control
+2. Cryptographic Failures
+3. Injection
+4. Insecure Design
+5. Security Misconfiguration
+6. Vulnerable Components
+7. ID and Auth Failures
+8. Software Integrity Failures
+9. Logging Failures
+10. SSRF
+
+### Injection Attacks
+- SQL Injection
+- NoSQL Injection
+- Command Injection
+- LDAP Injection
+- XPath Injection
+
+Prevention:
+- Use parameterized queries
+- Input validation
+- ORM/ODM libraries
+- WAF rules
+
+### XSS (Cross-Site Scripting)
+- Stored XSS
+- Reflected XSS
+- DOM-based XSS
+
+Prevention:
+- Output encoding
+- Content Security Policy
+- HttpOnly cookies
+- Input sanitization
+
+### CSRF (Cross-Site Request Forgery)
+Prevention:
+- CSRF tokens
+- SameSite cookies
+- Double-submit cookies
+- Custom headers
+
+## Authentication & Authorization
+
+### Password Security
+- Strong hashing (bcrypt, Argon2)
+- Salt generation
+- Password complexity rules
+- Rate limiting on auth endpoints
+- Account lockout policies
+
+### Session Management
+- Secure session IDs
+- Session timeout
+- Secure cookie attributes
+- Session invalidation on logout
+- Concurrent session handling
+
+### JWT Security
+- Strong signing algorithms (RS256, ES256)
+- Short expiration times
+- Refresh token rotation
+- Secure token storage
+- Token revocation
+
+### Authorization Patterns
+- RBAC (Role-Based Access Control)
+- ABAC (Attribute-Based Access Control)
+- OAuth 2.0 scopes
+- API key management
+- Claims-based authorization
+
+## Data Protection
+
+### Encryption
+- Encryption at rest (AES-256)
+- Encryption in transit (TLS 1.3)
+- Key management (KMS, Vault)
+- Database encryption (TDE)
+- Field-level encryption
+
+### Secrets Management
+- Never commit secrets to code
+- Use environment variables
+- Secrets management tools (Vault, AWS Secrets Manager)
+- Regular rotation
+- Least privilege access
+
+### PII Handling
+- Data minimization
+- Anonymization/pseudonymization
+- Consent management
+- Right to erasure
+- Audit logging
+
+## Secure Coding Practices
+
+### Input Validation
+- Whitelist validation
+- Type checking
+- Length limits
+- Format validation (regex)
+- Sanitization
+
+### Output Encoding
+- HTML encoding
+- JavaScript encoding
+- URL encoding
+- CSS encoding
+- JSON encoding
+
+### Error Handling
+- Don't leak sensitive info
+- Generic error messages
+- Log detailed errors securely
+- Fail securely
+- Stack trace exposure
+
+## Security Headers
+
+Essential headers:
+- Content-Security-Policy
+- X-Content-Type-Options
+- X-Frame-Options
+- X-XSS-Protection
+- Strict-Transport-Security
+- Referrer-Policy
+- Permissions-Policy
+
+## Dependency Security
+
+### Vulnerability Management
+- Regular dependency audits
+- Automated scanning (Snyk, Dependabot)
+- SBOM generation
+- License compliance
+- Version pinning
+
+### Supply Chain Security
+- Verify package signatures
+- Use lock files
+- Private registries
+- Provenance attestation
+- Reproducible builds
+
+## Security Testing
+
+### Static Analysis (SAST)
+- Semgrep
+- SonarQube
+- Bandit (Python)
+- ESLint security plugin
+
+### Dynamic Analysis (DAST)
+- OWASP ZAP
+- Burp Suite
+- Nikto
+
+### Dependency Scanning
+- npm audit
+- Snyk
+- OWASP Dependency-Check
+
+### Penetration Testing
+- Reconnaissance
+- Vulnerability scanning
+- Exploitation
+- Post-exploitation
+- Reporting

package/.opencode/skills/testing-strategies/SKILL.md

@@ -0,0 +1,159 @@
+---
+name: testing-strategies
+description: Comprehensive testing approaches including unit, integration, and end-to-end testing patterns
+license: Apache-2.0
+compatibility: opencode
+---
+
+# Testing Strategies Skill
+
+This skill provides patterns and best practices for writing effective tests.
+
+## When to Use
+
+Use this skill when:
+- Setting up testing infrastructure
+- Writing new tests
+- Improving test coverage
+- Debugging test failures
+- Choosing testing tools
+
+## Testing Fundamentals
+
+### The Testing Pyramid
+- Unit tests (70%) - Fast, isolated, cheap
+- Integration tests (20%) - Medium speed, test interactions
+- E2E tests (10%) - Slow, realistic, expensive
+
+### Test Quality Attributes
+- Fast (< 100ms per test ideally)
+- Independent (no shared state)
+- Repeatable (same results every time)
+- Self-validating (pass/fail clearly)
+- Timely (written with or before code)
+
+## Unit Testing
+
+### Best Practices
+- Test one concept per test
+- Use descriptive test names
+- Follow AAA pattern (Arrange, Act, Assert)
+- Mock external dependencies
+- Test edge cases and errors
+
+### Test Structure
+```typescript
+describe('Calculator', () => {
+  describe('add', () => {
+    it('should return sum of two positive numbers', () => {
+      // Arrange
+      const calc = new Calculator();
+      
+      // Act
+      const result = calc.add(2, 3);
+      
+      // Assert
+      expect(result).toBe(5);
+    });
+    
+    it('should handle negative numbers', () => {
+      const calc = new Calculator();
+      const result = calc.add(-2, -3);
+      expect(result).toBe(-5);
+    });
+  });
+});
+```
+
+### Mocking Strategies
+- Mock external APIs
+- Mock database calls
+- Mock file system operations
+- Mock time (Date.now)
+- Mock randomness
+
+## Integration Testing
+
+### Database Testing
+- Use test database (in-memory or dedicated)
+- Reset state between tests
+- Test transactions
+- Verify data integrity
+- Test migrations
+
+### API Testing
+- Test all endpoints
+- Verify status codes
+- Check response schemas
+- Test authentication
+- Test error scenarios
+
+### Component Testing
+- Render components in isolation
+- Test user interactions
+- Verify state changes
+- Check accessibility
+- Test responsive behavior
+
+## End-to-End Testing
+
+### Best Practices
+- Test critical user journeys
+- Avoid testing implementation details
+- Use data-testid attributes
+- Handle async operations
+- Clean up test data
+
+### Test Scenarios
+- User registration/login
+- Complete purchase flow
+- CRUD operations
+- Search functionality
+- File uploads
+
+### Tools
+- Playwright (recommended)
+- Cypress
+- Selenium
+- Puppeteer
+
+## Test Coverage
+
+### Goals by Layer
+- Business logic: >90%
+- Utilities: >80%
+- Components: >70%
+- API routes: >80%
+- Integration points: >75%
+
+### Coverage Reports
+- Use coverage tools (Istanbul, c8)
+- Track trends over time
+- Focus on meaningful coverage
+- Don't chase 100% blindly
+- Identify untested critical paths
+
+## Testing Tools by Language
+
+### JavaScript/TypeScript
+- Jest or Vitest (unit)
+- React Testing Library (components)
+- Playwright (e2e)
+- MSW (API mocking)
+
+### Python
+- pytest (unit/integration)
+- pytest-asyncio (async)
+- factory-boy (fixtures)
+- Playwright (e2e)
+
+### Go
+- Testing package (built-in)
+- Testify (assertions)
+- GoMock (mocking)
+- Playwright (e2e)
+
+### Rust
+- Built-in test framework
+- Mockall (mocking)
+- Playwright (e2e)