cortexhawk 3.1.0

package/skills/security/security-logging/SKILL.md

@@ -0,0 +1,107 @@
+---
+name: security-logging
+description: Security event logging — what to log, log format, log protection, intrusion detection, alerting, and SIEM integration.
+requires: quality/log-analyzer
+---
+
+# Security Logging
+
+## What to Log
+```
+Authentication: login success/failure (IP, user-agent), logout, MFA, password changes, lockouts
+Authorization: access denied, privilege escalation, role changes, permission modifications
+Data access: sensitive data reads, bulk exports, admin operations, API key creation/revocation
+System: startup/shutdown, config changes, deployments, cert expiry, rate limit triggers
+```
+
+## Never Log
+```
+Passwords or hashes, session tokens or JWTs, API keys or secrets,
+full credit card numbers, SSNs, encryption keys, health info, raw request bodies with sensitive data
+
+Use masking: last 4 digits, hashed identifiers, or event type only
+```
+
+## Log Format (JSON)
+```json
+{
+  "timestamp": "ISO-8601 UTC",
+  "level": "INFO|WARN|ERROR|CRITICAL",
+  "event_type": "auth.login.success",
+  "actor": {
+    "user_id": "hashed or internal ID",
+    "ip": "x.x.x.x",
+    "user_agent": "..."
+  },
+  "resource": {
+    "type": "endpoint|record|file",
+    "id": "...",
+    "action": "read|write|delete"
+  },
+  "outcome": "success|failure",
+  "metadata": {
+    "request_id": "correlation-id",
+    "service": "service-name",
+    "environment": "production"
+  }
+}
+```
+
+## Log Protection
+1. Append-only storage (no modification/deletion)
+2. Ship to centralized system immediately (ELK, Splunk, CloudWatch, Datadog)
+3. Encrypt at rest and in transit
+4. Restrict access (security team + on-call only)
+5. Retention: min 90 days hot, 1 year cold
+6. Integrity checks (checksums, signing)
+7. Never expose logs via public endpoints
+
+## Intrusion Detection
+
+### Host-Based (HIDS)
+```
+Monitor: file integrity, unexpected processes, network connections, user changes, privilege escalation
+Tools: OSSEC, Wazuh, Falco (containers)
+```
+
+### Network-Based (NIDS)
+```
+Monitor: traffic spikes, known attack signatures, DNS anomalies, lateral movement
+Tools: Suricata, Zeek, AWS GuardDuty, GCP SCC
+```
+
+### Application-Level
+```
+Alert on: failed login spikes (brute force), repeated access denied, unusual data access,
+SQL error spikes (injection), rapid requests (scanning), unexpected geolocations, rate limit violations
+```
+
+## Alerting Rules
+| Event | Severity | Response | Action |
+|---|---|---|---|
+| Brute force (>10 fails/min) | HIGH | 5 min | Auto-block IP, alert team |
+| Privilege escalation attempt | CRITICAL | Immediate | Alert + investigate |
+| Unusual data export (>10x normal) | HIGH | 15 min | Alert, pause export |
+| New admin off-hours | HIGH | 15 min | Alert + verify |
+| SQL error spike (>5x baseline) | MEDIUM | 30 min | Alert dev team |
+| Cert expiry < 14 days | MEDIUM | 24h | Auto-renew or alert ops |
+
+## SIEM Integration
+```
+Pipeline: App logs -> Shipper (Fluentd/Filebeat) -> Queue (Kafka) -> SIEM (Splunk/ELK/Datadog)
+
+Correlation rules:
+1. Same user + failed auth from multiple IPs = credential stuffing
+2. Same IP + failed auth for multiple users = brute force
+3. Auth success + immediate sensitive access + large download = compromised account
+```
+
+## Checklist
+- [ ] All security events logged (see What to Log)
+- [ ] No sensitive data in logs
+- [ ] Logs shipped to centralized platform
+- [ ] Retention meets compliance (min 90 days)
+- [ ] Alerting configured for critical events
+- [ ] IDS active (host + network + application)
+- [ ] Log access restricted
+- [ ] Log integrity verification in place

package/skills/security/vulnerability-scanner/SKILL.md

@@ -0,0 +1,114 @@
+---
+name: vulnerability-scanner
+description: Scan code for vulnerabilities — injection, XSS, SSRF, path traversal, plus SAST/DAST tool guidance and security test cases.
+---
+
+# Vulnerability Scanner
+
+## SAST Tools by Stack
+| Language | Tools |
+|---|---|
+| JavaScript/TS | ESLint security plugin, Semgrep, CodeQL |
+| Python | Bandit, Semgrep, CodeQL |
+| Java/Kotlin | SpotBugs + FindSecBugs, Semgrep |
+| Go | gosec, Semgrep, CodeQL |
+| Ruby | Brakeman, Semgrep |
+| Rust | cargo-audit, clippy security lints |
+| Multi-language | Semgrep, CodeQL, SonarQube |
+
+## DAST Tools
+| Tool | Type | Best For |
+|---|---|---|
+| OWASP ZAP | Open source | General web app scanning |
+| Nuclei | Open source | Template-based scanning |
+| Burp Suite | Commercial | Deep manual + automated |
+| sqlmap | Open source | SQL injection testing |
+
+## Vulnerability Patterns
+
+### SQL Injection
+```python
+# VULNERABLE: string interpolation in queries
+query = f"SELECT * FROM users WHERE id = {user_input}"
+
+# SAFE: parameterized queries
+cursor.execute("SELECT * FROM users WHERE id = %s", (user_input,))
+```
+
+### XSS (Cross-Site Scripting)
+```
+VULNERABLE patterns to flag:
+- Raw HTML insertion from user data
+- DOM write APIs with unsanitized input
+- React unsafe HTML prop with unescaped content
+
+SAFE alternatives:
+- Use element.textContent for plain text
+- Use framework auto-escaping (React JSX, Vue templates)
+- Use DOMPurify if HTML rendering is required
+```
+
+### Command Injection
+```python
+# VULNERABLE: shell=True with user input
+subprocess.call(f"convert {filename}", shell=True)
+
+# SAFE: argument list, no shell
+subprocess.run(["ping", "-c", "1", validated_host], shell=False)
+```
+
+### Path Traversal
+```python
+# SAFE pattern — always validate resolved path
+safe_path = os.path.realpath(os.path.join(base_dir, user_input))
+if not safe_path.startswith(os.path.realpath(base_dir)):
+    raise ValueError("Path traversal detected")
+```
+
+### SSRF
+```python
+# SAFE — validate scheme + block internal IPs
+parsed = urlparse(user_url)
+if parsed.scheme not in ('http', 'https'):
+    raise ValueError("Invalid scheme")
+# Block 127.0.0.1, 10.x, 172.16-31.x, 192.168.x, 169.254.x
+```
+
+### Insecure Deserialization
+```
+VULNERABLE: Language-native serialization with untrusted data
+  (Python: native deserializer, Ruby: Marshal, Java: ObjectInputStream)
+
+SAFE: Use JSON or schema-validated formats
+  json.loads(user_data)
+  yaml.safe_load(data)
+```
+
+## Security Test Cases
+
+### Authentication
+- SQL injection in login fields
+- Brute force protection verification
+- Token replay after logout
+- Access with expired tokens
+- Privilege escalation (user to admin endpoints)
+
+### Input Validation
+- XSS payloads in all text inputs
+- Path traversal (../../etc/passwd)
+- Command injection in file names
+- Oversized payloads (DoS)
+- Unicode/encoding bypass
+
+### Business Logic
+- Race conditions on financial operations
+- Negative quantity/amount manipulation
+- Skip steps in multi-step workflows
+- IDOR — access other users' resources
+
+## Scan Process
+1. Search for vulnerable patterns (regex + AST)
+2. Check exploitability — is user input reaching the sink?
+3. Rate severity: Critical (remote), High (requires auth), Medium (limited)
+4. Provide specific fix with code for each finding
+5. Flag false positives as INFO

package/skills/testing/e2e-testing/SKILL.md

@@ -0,0 +1,119 @@
+---
+name: e2e-testing
+description: End-to-end testing with Playwright — page objects, fixtures, selectors, CI integration, and common patterns.
+detect: dir:tests dir:__tests__ dir:test
+---
+
+# E2E Testing (Playwright)
+
+## Setup
+```bash
+npm init playwright@latest
+# Creates: playwright.config.ts, tests/, .github/workflows/playwright.yml
+```
+
+## Page Object Pattern
+```typescript
+// pages/login.page.ts
+export class LoginPage {
+  constructor(private page: Page) {}
+
+  async goto() {
+    await this.page.goto('/login');
+  }
+
+  async login(email: string, password: string) {
+    await this.page.getByLabel('Email').fill(email);
+    await this.page.getByLabel('Password').fill(password);
+    await this.page.getByRole('button', { name: 'Sign in' }).click();
+  }
+
+  async expectError(message: string) {
+    await expect(this.page.getByRole('alert')).toContainText(message);
+  }
+}
+
+// tests/login.spec.ts
+test('successful login redirects to dashboard', async ({ page }) => {
+  const login = new LoginPage(page);
+  await login.goto();
+  await login.login('user@test.com', 'password123');
+  await expect(page).toHaveURL('/dashboard');
+});
+
+test('invalid password shows error', async ({ page }) => {
+  const login = new LoginPage(page);
+  await login.goto();
+  await login.login('user@test.com', 'wrong');
+  await login.expectError('Invalid credentials');
+});
+```
+
+## Selectors (priority order)
+```typescript
+// 1. Role-based (best — accessible, resilient)
+page.getByRole('button', { name: 'Submit' })
+page.getByRole('heading', { name: 'Dashboard' })
+
+// 2. Label-based (forms)
+page.getByLabel('Email')
+page.getByPlaceholder('Search...')
+
+// 3. Text-based
+page.getByText('Welcome back')
+
+// 4. Test ID (last resort)
+page.getByTestId('checkout-button')
+
+// AVOID: CSS selectors, XPath — brittle, break on refactors
+```
+
+## Fixtures
+```typescript
+// fixtures.ts
+import { test as base } from '@playwright/test';
+
+type Fixtures = {
+  authenticatedPage: Page;
+};
+
+export const test = base.extend<Fixtures>({
+  authenticatedPage: async ({ page }, use) => {
+    await page.goto('/login');
+    await page.getByLabel('Email').fill('test@test.com');
+    await page.getByLabel('Password').fill('password');
+    await page.getByRole('button', { name: 'Sign in' }).click();
+    await page.waitForURL('/dashboard');
+    await use(page);
+  },
+});
+```
+
+## Config
+```typescript
+// playwright.config.ts
+export default defineConfig({
+  testDir: './tests',
+  retries: process.env.CI ? 2 : 0,
+  use: {
+    baseURL: 'http://localhost:3000',
+    screenshot: 'only-on-failure',
+    trace: 'on-first-retry',
+  },
+  webServer: {
+    command: 'npm run dev',
+    port: 3000,
+    reuseExistingServer: !process.env.CI,
+  },
+});
+```
+
+## Checklist
+- Page Objects for every page/component — isolate selectors from tests
+- Role-based selectors first — they test accessibility for free
+- Test user flows, not implementation — "user can checkout" not "button has class"
+- Each test must be independent — no shared state between tests
+- Use fixtures for auth, seeded data, and common setup
+- Screenshots on failure + traces on retry for debugging CI flakes
+- Run against a real server (webServer config), not mocks
+- Parallelize tests — Playwright runs in parallel by default

package/skills/testing/tdd/SKILL.md

@@ -0,0 +1,40 @@
+---
+name: tdd
+description: Test-Driven Development workflow — red, green, refactor cycle.
+detect: base
+---
+
+# TDD
+
+## Cycle
+1. 🔴 **Red** — Write a failing test for the next piece of behavior
+2. 🟢 **Green** — Write the minimum code to make it pass
+3. 🔵 **Refactor** — Clean up while keeping tests green
+
+## Rules
+- Never write production code without a failing test first
+- Each cycle should take 2-5 minutes
+- One behavior per test, one test at a time
+- Refactor only when tests are green
+- Commit after each green phase
+
+## Example
+```python
+# 1. RED — write failing test
+def test_add_returns_sum():
+    assert add(2, 3) == 5  # NameError: add not defined
+
+# 2. GREEN — minimum code to pass
+def add(a, b):
+    return a + b
+
+# 3. REFACTOR — nothing to clean here, next test
+def test_add_negative_numbers():
+    assert add(-1, -2) == -3
+```
+
+## Process
+1. Start with the simplest case
+2. Add complexity one test at a time
+3. Let the tests drive the design — don't plan ahead
+4. When stuck, write a smaller test

package/skills/testing/test-generator/SKILL.md

@@ -0,0 +1,39 @@
+---
+name: test-generator
+description: Generate comprehensive tests — unit, integration, e2e. Auto-detect framework.
+detect: base
+---
+
+# Test Generator
+
+## Framework Detection
+- `pytest` / `unittest` → Python tests
+- `jest` / `vitest` → JavaScript/TypeScript tests
+- `go test` → Go tests
+- `cargo test` → Rust tests
+
+## Test Priority
+1. Happy path (expected inputs → expected outputs)
+2. Error paths (invalid inputs, exceptions, network failures)
+3. Edge cases (null, empty, 0, -1, MAX_INT, unicode, special chars)
+4. Boundary values (off-by-one, limits, overflow)
+5. Integration (component interactions, API calls, DB queries)
+
+## Structure
+```
+Arrange → Act → Assert (one assertion per test)
+```
+
+## Naming
+```
+test_[unit]_[condition]_[expected]
+test_create_user_with_valid_data_returns_201
+test_create_user_with_duplicate_email_returns_409
+test_create_user_with_missing_name_returns_422
+```
+
+## Mocking Rules
+- Mock external dependencies (APIs, DB, filesystem, time)
+- Never mock the thing you're testing
+- Prefer fakes over mocks when possible
+- Reset mocks between tests

package/skills/workflow/commit/SKILL.md

@@ -0,0 +1,61 @@
+---
+name: commit
+description: Conventional commit messages, atomic commits, and git staging best practices.
+detect: base
+---
+
+# Commit
+
+## Conventional Commits Format
+```
+type(scope): subject
+
+body (optional)
+
+footer (optional)
+```
+
+## Types
+| Type | When |
+|---|---|
+| `feat` | New feature |
+| `fix` | Bug fix |
+| `docs` | Documentation only |
+| `style` | Formatting, no code change |
+| `refactor` | Code restructure, no behavior change |
+| `test` | Adding or fixing tests |
+| `chore` | Build, CI, tooling, dependencies |
+| `perf` | Performance improvement |
+| `security` | Security fix or hardening |
+
+## Rules
+- Subject line: imperative mood, lowercase, no period, ≤72 chars
+- Scope: the module/component affected (e.g., `feat(auth): add JWT refresh`)
+- One logical change per commit — don't mix features with refactors
+- Stage specific files — avoid `git add -A` (catches .env, binaries)
+- Breaking changes: add `BREAKING CHANGE:` in footer or `!` after type
+- Body explains WHY, not WHAT — the diff shows the what
+
+## Atomic Commit Checklist
+- [ ] Single purpose — would the message need "and"? Split it
+- [ ] Tests pass after this commit
+- [ ] No unrelated changes mixed in
+- [ ] No debug artifacts (console.log, print, breakpoints)
+- [ ] No secrets or .env files staged
+
+## Examples
+```
+feat(api): add user registration endpoint
+
+fix(auth): prevent token reuse after password change
+
+docs: update README with new commands
+
+refactor(db): extract connection pooling into shared module
+
+chore: upgrade dependencies to latest patch versions
+
+feat(ui)!: redesign navigation layout
+
+BREAKING CHANGE: navigation component props changed
+```

package/skills/workflow/confidence-check/SKILL.md

@@ -0,0 +1,90 @@
+---
+name: confidence-check
+description: Assess confidence BEFORE implementation. Prevents wrong-direction execution by verifying duplicates, architecture, docs, references, and root cause. Requires ≥90% to proceed.
+detect: base
+---
+
+# Confidence Check
+
+Run this BEFORE implementing any task. Spend 100-200 tokens here to save 5,000-50,000 on wrong-direction work.
+
+## 5 Checks
+
+### 1. No Duplicate Implementations? (25%)
+Search the codebase for existing functionality before writing new code.
+```
+Grep for: function names, class names, similar logic
+Glob for: related modules, utils, helpers
+```
+- Pass: no duplicates found
+- Fail: similar implementation already exists — extend it instead
+
+### 2. Architecture Compliance? (25%)
+Verify the approach fits the existing tech stack and patterns.
+```
+Read: CLAUDE.md, PLANNING.md, existing code patterns
+Check: does this use the project's established tools?
+Avoid: introducing new dependencies unnecessarily
+```
+- Pass: uses existing stack (e.g., project already uses Supabase, pytest, UV)
+- Fail: introduces new tools when existing ones suffice
+
+### 3. Official Documentation Verified? (20%)
+Review official docs before implementing — don't rely on assumptions.
+```
+Use: Context7 MCP, WebFetch, WebSearch
+Verify: API signatures, version compatibility, deprecations
+```
+- Pass: official docs reviewed and confirmed
+- Fail: relying on memory or assumptions about API behavior
+
+### 4. Working OSS Reference Found? (15%)
+Find proven implementations to validate the approach.
+```
+Search: GitHub, Stack Overflow, framework examples
+Verify: code actually works, not just theoretically correct
+```
+- Pass: working reference found and reviewed
+- Fail: no proven examples exist — higher risk
+
+### 5. Root Cause Identified? (15%)
+Understand the actual problem before solving it.
+```
+Analyze: error messages, stack traces, logs
+Trace: data flow from input to failure point
+Distinguish: symptom vs root cause
+```
+- Pass: root cause is clear and specific
+- Fail: only symptoms identified — dig deeper first
+
+## Score Calculation
+
+```
+Total = Check1 (0.25) + Check2 (0.25) + Check3 (0.20) + Check4 (0.15) + Check5 (0.15)
+
+≥ 0.90  →  Proceed with implementation
+≥ 0.70  →  Present alternatives, ask clarifying questions
+< 0.70  →  STOP — request more context before proceeding
+```
+
+## Output Format
+
+```
+Confidence Checks:
+  [pass/fail] No duplicate implementations — [detail]
+  [pass/fail] Architecture compliance — [detail]
+  [pass/fail] Official docs verified — [detail]
+  [pass/fail] Working OSS reference — [detail]
+  [pass/fail] Root cause identified — [detail]
+
+Confidence: [score] ([percentage]%)
+[Proceed / Alternatives / STOP] — [reasoning]
+```
+
+## Rules
+- Run BEFORE writing any code — never after
+- Be honest about failed checks — don't inflate the score
+- A failed check is not a blocker if acknowledged with a mitigation plan
+- For bug fixes: checks 1, 2, 5 are critical. For new features: checks 1, 2, 3 are critical
+- If score is borderline (0.85-0.89), present the gaps and let the user decide
+- Skip check 4 (OSS reference) for project-specific business logic — score out of 0.85 instead

package/skills/workflow/pr-review-comments/SKILL.md

@@ -0,0 +1,81 @@
+---
+name: pr-review-comments
+description: Fetch, triage, and address PR review comments from GitHub (Copilot, reviewers, bots). Uses MCP GitHub tools with gh CLI fallback.
+detect: base
+---
+
+# PR Review Comments
+
+Fetch all review comments on the current branch's PR, triage them, and apply fixes.
+
+## Process
+
+1. **Auth** — Verify MCP GitHub or `gh` CLI is authenticated
+2. **Fetch** — Get all PR comments, reviews, and inline threads
+3. **Triage** — Group by author (Copilot, human reviewers, bots), summarize each
+4. **Present** — Number all threads, show file:line + summary
+5. **Fix** — Apply selected fixes, respond on the PR thread
+
+## Fetch Methods (priority order)
+
+### MCP GitHub (preferred)
+```
+mcp__github__list_pull_requests        → find PR for current branch
+mcp__github__get_pull_request_comments → conversation comments
+mcp__github__get_pull_request_reviews  → review submissions
+```
+
+### gh CLI fallback
+```bash
+# Quick: get PR comments as JSON
+gh pr view --json comments,reviews,reviewRequests
+
+# Full: use the bundled GraphQL script for inline threads
+python skills/workflow/pr-review-comments/scripts/fetch_comments.py
+```
+
+## Output Format
+
+```
+PR #[number]: [title]
+
+## Review Threads
+
+### [1] [author] — [file:line]
+> [comment summary]
+Status: [open/resolved/outdated]
+Fix: [proposed action]
+
+### [2] [author] — [file:line]
+> [comment summary]
+Status: [open/resolved/outdated]
+Fix: [proposed action]
+
+## Summary
+- Open threads: [count]
+- Resolved: [count]
+- By Copilot: [count]
+- By reviewers: [count]
+
+Which comments should I address? (e.g., 1, 3, 5 or "all")
+```
+
+## Responding
+
+After applying fixes:
+```
+mcp__github__create_pull_request_review   → batch response
+mcp__github__add_issue_comment            → single reply
+```
+
+Or via CLI:
+```bash
+gh pr comment [number] --body "Fixed in [commit]"
+```
+
+## Rules
+- Always present comments before fixing — let the user choose
+- Group Copilot comments separately from human review
+- Skip resolved and outdated threads unless explicitly asked
+- If auth fails mid-run, prompt user to `gh auth login` and retry
+- After fixing, respond on the PR thread to close the loop