create-agentic-app 1.1.55 → 1.1.57

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-agentic-app",
-  "version": "1.1.55",
+  "version": "1.1.57",
   "description": "Scaffold a new agentic AI application with Next.js, Better Auth, and AI SDK",
   "type": "module",
   "bin": {

package/template/.agents/skills/security-scanner/SKILL.md

@@ -0,0 +1,157 @@
+---
+name: security-scanner
+description: >-
+  Performs comprehensive OWASP Top 10:2025 security vulnerability analysis on any codebase.
+  Use this skill whenever the user asks to: review code for security, perform a security audit,
+  scan for vulnerabilities, find security issues, improve application security, check for OWASP
+  compliance, do a penetration test review, assess security posture, look for security flaws,
+  scan for security risks, harden an application, or check code for exploits. Also trigger when
+  the user mentions OWASP, CVEs, CWEs, security hardening, vulnerability assessment, or asks
+  for a security report — even if they don't explicitly say "security scan." This skill works
+  on any codebase in any language (JavaScript, TypeScript, Python, Java, Go, Ruby, C#, PHP, etc.).
+---
+
+# Security Scanner — OWASP Top 10:2025
+
+Performs a systematic security audit of any codebase against all 10 OWASP 2025 categories. Produces a structured markdown report with severity ratings, code locations, and actionable remediation guidance.
+
+## Execution Flow
+
+Follow these four steps in order. Do not skip any step.
+
+### Step 1: Detect Project Context
+
+Determine whether you are working within an existing project or a blank workspace.
+
+Check for source code by looking for common project indicators:
+- `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `Cargo.toml`, `Gemfile`, `*.csproj`, `composer.json`
+- Or any `src/`, `app/`, `lib/` directory containing code files
+
+**If source code is found:** Use the current working directory as the analysis target. Proceed to Step 2.
+
+**If NO source code is found:** Ask the user for a GitHub repository URL. Then clone it:
+```bash
+gh repo clone <url> ./audit-target
+```
+Use `./audit-target` as the analysis target directory. Proceed to Step 2.
+
+### Step 2: Reconnaissance
+
+Before scanning for vulnerabilities, understand what you're analyzing. This context shapes which patterns matter most.
+
+1. **Identify the tech stack** — Read the main dependency manifest (package.json, requirements.txt, etc.) to determine language(s), framework(s), and key libraries
+2. **Map the project structure** — Use Glob to find all source files and understand the directory layout
+3. **Locate entry points** — Find API routes, controllers, handlers, page components (e.g., `**/api/**/*.ts`, `**/routes/**`, `**/controllers/**`, `**/views/**`)
+4. **Find config files** — Glob for `**/*.config.*`, `**/.env*`, `**/settings.*`, `**/application.*`
+5. **Identify auth modules** — Search for authentication/authorization logic, session management, middleware
+6. **Find database access** — Locate ORM models, raw query files, database connection setup
+
+Record your findings — they guide which detection patterns to prioritize in Step 3.
+
+### Step 3: Systematic Analysis
+
+For each OWASP category A01 through A10:
+
+1. **Read the reference file** for that category from `references/` to load the relevant CWEs, detection patterns, and grep expressions
+2. **Search the codebase** using the patterns from the reference file — use Grep for pattern matching and Glob for file discovery
+3. **Read flagged files** to confirm findings and get exact line numbers
+4. **Record each finding** with: file path, line number(s), severity level, CWE, description, evidence (code snippet), and recommended fix
+
+Analyze each category in order:
+
+#### A01: Broken Access Control
+See [references/A01-broken-access-control.md](references/A01-broken-access-control.md) for CWEs, detection patterns, and fix examples.
+
+Focus on: missing auth middleware on routes, IDOR (user-controlled IDs without ownership checks), permissive CORS, directory traversal, missing CSRF protection, privilege escalation, force browsing to admin/debug endpoints.
+
+#### A02: Security Misconfiguration
+See [references/A02-security-misconfiguration.md](references/A02-security-misconfiguration.md).
+
+Focus on: debug mode in production, default credentials, verbose error messages exposing internals, unnecessary features enabled, missing security headers, hardcoded secrets, exposed environment variables.
+
+#### A03: Software Supply Chain Failures
+See [references/A03-software-supply-chain-failures.md](references/A03-software-supply-chain-failures.md).
+
+Focus on: known vulnerable dependency versions, unpinned dependencies, CDN scripts without SRI, missing lock files, dependencies from untrusted sources.
+
+#### A04: Cryptographic Failures
+See [references/A04-cryptographic-failures.md](references/A04-cryptographic-failures.md).
+
+Focus on: weak password hashing (MD5, SHA1), missing salt, hardcoded keys/secrets, weak randomness (Math.random for tokens), cookies missing Secure flag, sensitive data in logs, base64 used as "encryption."
+
+#### A05: Injection
+See [references/A05-injection.md](references/A05-injection.md).
+
+Focus on: SQL injection (string concatenation in queries), command injection (exec/spawn with user input), XSS (dangerouslySetInnerHTML, innerHTML), eval() with user input, SSRF (fetching user-supplied URLs), template injection.
+
+#### A06: Insecure Design
+See [references/A06-insecure-design.md](references/A06-insecure-design.md).
+
+Focus on: missing rate limiting on auth endpoints, no input validation, no password complexity requirements, missing account lockout, unrestricted file uploads, guessable/non-expiring tokens.
+
+#### A07: Authentication Failures
+See [references/A07-authentication-failures.md](references/A07-authentication-failures.md).
+
+Focus on: weak/predictable session tokens, sessions that never expire, credentials in logs/URLs, user enumeration via different error messages, reset tokens in API responses, cookies without HttpOnly/Secure/SameSite, hard-coded credentials.
+
+#### A08: Software or Data Integrity Failures
+See [references/A08-software-data-integrity-failures.md](references/A08-software-data-integrity-failures.md).
+
+Focus on: eval()/Function() with user input, deserialization of untrusted data, CDN scripts without integrity hashes, mass assignment/prototype pollution, auto-updates without signature verification.
+
+#### A09: Security Logging and Alerting Failures
+See [references/A09-security-logging-alerting-failures.md](references/A09-security-logging-alerting-failures.md).
+
+Focus on: passwords/tokens/PII in logs, missing audit logging for auth events, no logging on access control failures, error details exposed to users, console.log-only logging without persistence.
+
+#### A10: Mishandling of Exceptional Conditions
+See [references/A10-mishandling-exceptional-conditions.md](references/A10-mishandling-exceptional-conditions.md).
+
+Focus on: empty catch blocks, stack traces returned to users, fail-open patterns, missing error handling on async operations, resource leaks on exceptions, missing transaction rollbacks.
+
+### Step 4: Generate Report
+
+1. Get today's date and create the output directory:
+   ```bash
+   mkdir -p ./audit/YYYY-MM-DD/
+   ```
+
+2. Read the report template from [references/report-template.md](references/report-template.md)
+
+3. Fill in the template with all findings from Step 3 and write the completed report to:
+   ```
+   ./audit/YYYY-MM-DD/security-report.md
+   ```
+
+4. Present a brief summary to the user: total findings by severity, overall risk score, and the top 3 most critical items to address immediately.
+
+## Severity Classification
+
+Assign each finding one of these severity levels:
+
+- **Critical** (10 pts): Actively exploitable with immediate data breach risk. Examples: SQL injection, remote code execution, authentication bypass, exposed credentials, command injection.
+
+- **High** (7 pts): Exploitable with moderate effort, significant impact. Examples: XSS, CSRF, weak cryptography, IDOR, SSRF, known vulnerable dependencies.
+
+- **Medium** (4 pts): Requires specific conditions or must be chained with other vulnerabilities. Examples: missing security headers, verbose errors, user enumeration, missing rate limiting.
+
+- **Low** (2 pts): Defense-in-depth issues, best-practice deviations. Examples: weak password policy, console-only logging, missing SRI on CDN scripts.
+
+- **Info** (0 pts): Observations and recommendations with no direct exploit path. Examples: outdated but non-vulnerable dependencies, missing SBOM, code quality notes.
+
+## Risk Score
+
+Sum all finding points to calculate the overall risk score:
+- **0–10**: Low Risk
+- **11–30**: Moderate Risk
+- **31–60**: High Risk
+- **61+**: Critical Risk
+
+## Important Guidelines
+
+- **Read-only analysis**: Never modify any source files in the target project. The audit directory is the only location where files should be written.
+- **Cover all 10 categories**: If a category has no findings, still include it in the report with "No issues identified" and note what was checked.
+- **Be specific**: Every finding must reference a specific file path and line number(s). Include the actual vulnerable code snippet as evidence.
+- **Provide fixes**: Every finding must include an actionable remediation recommendation with a code example showing the fix.
+- **No false positives**: Read and understand the code context before flagging. A `console.log` in a build script is not the same as a `console.log` leaking passwords in a login handler.
+- **Prioritize**: Order the remediation priority section by actual exploitability and impact, not just severity label.

package/template/.agents/skills/security-scanner/references/A01-broken-access-control.md

@@ -0,0 +1,136 @@
+# A01:2025 — Broken Access Control
+
+## Overview
+
+Broken Access Control is the #1 vulnerability in OWASP Top 10:2025. 100% of applications tested showed some form of broken access control. It encompasses 40 CWEs with 1,839,701 total occurrences and 32,654 CVEs. Access control enforces policy preventing users from exceeding their permissions — failures enable unauthorized data disclosure, modification, or destruction.
+
+## Key CWEs
+
+- **CWE-200**: Exposure of Sensitive Information to Unauthorized Actor
+- **CWE-284**: Improper Access Control
+- **CWE-285**: Improper Authorization
+- **CWE-352**: Cross-Site Request Forgery (CSRF)
+- **CWE-425**: Direct Request (Forced Browsing)
+- **CWE-639**: Authorization Bypass Through User-Controlled Key (IDOR)
+- **CWE-862**: Missing Authorization
+- **CWE-863**: Incorrect Authorization
+- **CWE-918**: Server-Side Request Forgery (SSRF)
+- **CWE-22**: Path Traversal
+
+## What to Look For
+
+### General Patterns
+- Routes/endpoints missing authentication middleware or guards
+- Missing authorization/role checks on protected routes (any authenticated user can access admin routes)
+- IDOR: user-controlled IDs in URLs or request bodies used to fetch records without ownership verification
+- CORS misconfiguration (wildcard `*` or overly permissive origins)
+- Directory traversal in file paths (user input used in `path.join`, `fs.readFile`, etc.)
+- CSRF: state-changing operations (POST/PUT/DELETE) without CSRF token validation
+- Privilege escalation: missing role checks, role stored client-side or in JWT without verification
+- Force browsing: admin/debug/internal endpoints accessible without auth
+
+### Grep Patterns
+
+```
+# Missing auth middleware on routes
+Access-Control-Allow-Origin.*\*
+Access-Control-Allow-Credentials.*true
+
+# IDOR patterns — user-controlled ID without ownership check
+params\.id|params\.userId|req\.query\.id
+request\.getParameter\("acct"\)
+findById|findOne.*id
+
+# Path traversal
+path\.join.*req\.|path\.resolve.*req\.
+\.\.\/|\.\.\\
+
+# Missing CSRF
+method.*(POST|PUT|DELETE|PATCH)
+csrf|csrfToken|_csrf
+
+# Force browsing / unprotected admin
+/admin|/debug|/internal|/api/admin
+```
+
+### JavaScript / TypeScript / Node.js
+- Express/Next.js routes without auth middleware (`getSession`, `getServerSession`, `requireAuth`)
+- API routes that read `params.id` or `query.id` and fetch records without checking ownership against session user
+- `next.config.js` with permissive CORS headers
+- Missing `withAuth` or session validation wrappers on API handlers
+
+### Python (Django/Flask)
+- Views without `@login_required` or `@permission_required` decorators
+- `request.GET['id']` used directly in queries without ownership filter
+- Missing `CSRF_COOKIE_SECURE` or `CSRF_COOKIE_HTTPONLY` settings
+- `CORS_ALLOW_ALL_ORIGINS = True`
+
+### Java (Spring)
+- Controllers without `@PreAuthorize` or `@Secured` annotations
+- Missing `SecurityFilterChain` configuration
+- `@CrossOrigin(origins = "*")`
+- Direct use of `request.getParameter()` in database queries without authorization
+
+## Prevention Measures
+
+1. Deny by default — restrict access except for public resources
+2. Implement centralized, reusable access control mechanisms
+3. Enforce record ownership — users can only access their own records
+4. Apply business logic constraints through domain models
+5. Disable directory listing; remove metadata/backups from web roots
+6. Log access control failures; alert administrators on suspicious patterns
+7. Rate limit API/controller access
+8. Invalidate sessions server-side on logout; use short-lived JWTs
+9. Include functional access control tests in unit and integration suites
+
+## Example Attack Scenarios
+
+**Scenario 1 — Parameter Tampering:**
+```
+https://example.com/app/accountInfo?acct=notmyacct
+```
+Attacker modifies the `acct` parameter to access any user's account.
+
+**Scenario 2 — Forced Browsing:**
+```
+https://example.com/app/admin_getappInfo
+```
+Unauthenticated users access admin pages via direct URL.
+
+**Scenario 3 — Client-Side Only Controls:**
+```bash
+curl https://example.com/app/admin_getappInfo
+```
+Frontend JavaScript protections bypassed via direct API calls.
+
+## Fix Examples
+
+**Before (IDOR vulnerability):**
+```typescript
+// Any authenticated user can access any note
+export async function GET(req, { params }) {
+  const note = await db.get('SELECT * FROM notes WHERE id = ?', params.id);
+  return Response.json(note);
+}
+```
+
+**After (ownership check):**
+```typescript
+export async function GET(req, { params }) {
+  const session = await getSession(req);
+  if (!session) return Response.json({ error: 'Unauthorized' }, { status: 401 });
+  const note = await db.get(
+    'SELECT * FROM notes WHERE id = ? AND user_id = ?',
+    [params.id, session.userId]
+  );
+  if (!note) return Response.json({ error: 'Not found' }, { status: 404 });
+  return Response.json(note);
+}
+```
+
+## References
+
+- [OWASP A01:2025](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/)
+- OWASP Proactive Controls: C1 Access Control
+- OWASP ASVS V8 Authorization
+- OWASP Authorization Cheat Sheet

package/template/.agents/skills/security-scanner/references/A02-security-misconfiguration.md

@@ -0,0 +1,130 @@
+# A02:2025 — Security Misconfiguration
+
+## Overview
+
+Security Misconfiguration is #2 in OWASP Top 10:2025. 100% of applications tested showed some form of misconfiguration with 719,084 total occurrences across 16 CWEs. This occurs when systems lack proper security setup — missing hardening, unnecessary features enabled, default credentials, verbose errors, or insecure settings.
+
+## Key CWEs
+
+- **CWE-16**: Configuration
+- **CWE-260**: Password in Configuration File
+- **CWE-489**: Active Debug Code
+- **CWE-526**: Exposure of Environment Variables
+- **CWE-547**: Use of Hard-Coded Security-Relevant Constants
+- **CWE-611**: Improper Restriction of XML External Entity Reference
+- **CWE-614**: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+- **CWE-942**: Permissive Cross-domain Policy
+- **CWE-1004**: Sensitive Cookie Without 'HttpOnly' Flag
+
+## What to Look For
+
+### General Patterns
+- Debug/development mode enabled in production configs
+- Default credentials left in code or config (admin/admin, root/root, test/test)
+- Verbose error messages exposing stack traces, SQL queries, or internal paths to users
+- Unnecessary features/services enabled (directory listing, debug endpoints, sample apps)
+- Missing security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Overly permissive CORS (Access-Control-Allow-Origin: *)
+- Server/framework version headers enabled (X-Powered-By, Server)
+- Hardcoded secrets in source code (API keys, passwords, tokens)
+- Environment variables exposed via debug endpoints or error pages
+- XML external entity processing enabled
+
+### Grep Patterns
+
+```
+# Debug/development mode
+DEBUG\s*=\s*[Tt]rue|debug\s*:\s*true|NODE_ENV.*development
+poweredByHeader|x-powered-by
+
+# Default credentials
+admin.*admin|password.*password|root.*root|test.*test
+default.*password|default.*credential
+
+# Verbose errors returned to client
+err\.stack|error\.stack|stackTrace|stack_trace
+err\.message|error\.message|e\.getMessage
+
+# Missing security headers
+Content-Security-Policy|X-Frame-Options|X-Content-Type-Options
+Strict-Transport-Security|Referrer-Policy
+
+# Exposed environment/config
+process\.env|os\.environ|System\.getenv
+/debug|/health|/status|/info|/env|/actuator
+
+# Hardcoded secrets
+SECRET.*=.*['"]|API_KEY.*=.*['"]|PASSWORD.*=.*['"]
+private_key|secret_key|access_token
+```
+
+### JavaScript / TypeScript / Node.js
+- `next.config.js` with `poweredByHeader: true` or missing security headers
+- Express without `helmet` middleware
+- `.env` or `.env.local` files with secrets not in `.gitignore`
+- Debug routes like `/api/debug` or `/api/health` exposing internal state
+- `console.log` of sensitive config values
+- Error handlers returning `err.stack` or `err.message` to client
+
+### Python (Django/Flask)
+- `DEBUG = True` in production settings
+- `ALLOWED_HOSTS = ['*']`
+- `SECRET_KEY` hardcoded in settings.py
+- Flask debug mode: `app.run(debug=True)`
+
+### Java (Spring)
+- `spring.jpa.show-sql=true` in production
+- Actuator endpoints exposed without authentication (`/actuator/env`, `/actuator/beans`)
+- `server.error.include-stacktrace=always`
+
+## Prevention Measures
+
+1. Automate deployment of locked-down environments with unique credentials per environment
+2. Remove unnecessary features, components, samples, and documentation
+3. Review and update configurations with each security patch
+4. Implement segmented architecture (containerization, cloud security groups)
+5. Send security directives to clients via headers (CSP, HSTS, etc.)
+6. Automate configuration verification across all environments
+7. Centralize error handling — never expose stack traces or internal details to users
+8. Use identity federation and short-lived credentials instead of static secrets
+
+## Example Attack Scenarios
+
+**Scenario 1:** Sample applications with known vulnerabilities remain on production servers. Default admin credentials unchanged.
+
+**Scenario 2:** Directory listing enabled, allowing attackers to download compiled classes for reverse engineering.
+
+**Scenario 3:** Detailed error messages with stack traces and component versions returned to users.
+
+**Scenario 4:** Cloud storage defaults to public access, exposing sensitive data.
+
+## Fix Examples
+
+**Before (debug endpoint exposing environment):**
+```typescript
+export async function GET() {
+  return Response.json({
+    env: process.env,
+    nodeVersion: process.version,
+    uptime: process.uptime()
+  });
+}
+```
+
+**After (remove debug endpoint entirely, or protect it):**
+```typescript
+// Delete the debug endpoint entirely in production.
+// If needed for ops, protect with admin auth and filter sensitive values:
+export async function GET(req) {
+  const session = await getAdminSession(req);
+  if (!session?.isAdmin) return Response.json({ error: 'Forbidden' }, { status: 403 });
+  return Response.json({ uptime: process.uptime(), nodeEnv: process.env.NODE_ENV });
+}
+```
+
+## References
+
+- [OWASP A02:2025](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/)
+- OWASP Testing Guide: Configuration Management
+- OWASP ASVS V13 Configuration
+- CIS Security Configuration Guides

package/template/.agents/skills/security-scanner/references/A03-software-supply-chain-failures.md

@@ -0,0 +1,117 @@
+# A03:2025 — Software Supply Chain Failures
+
+## Overview
+
+Software Supply Chain Failures is #3 in OWASP Top 10:2025. This category covers compromises in building, distributing, or updating software — vulnerabilities or malicious changes embedded in third-party code, tools, or dependencies. Notable incidents include SolarWinds (2019, 18,000 orgs compromised), Bybit ($1.5B theft, 2025), and Log4Shell (CVE-2021-44228).
+
+## Key CWEs
+
+- **CWE-937**: Using Components with Known Vulnerabilities
+- **CWE-1035**: Using Components from Untrusted Sources
+- **CWE-1104**: Use of Unmaintained Third-Party Components
+- **CWE-829**: Inclusion of Functionality from Untrusted Control Sphere
+- **CWE-494**: Download of Code Without Integrity Check
+- **CWE-506**: Embedded Malicious Code
+
+## What to Look For
+
+### General Patterns
+- Known vulnerable dependency versions in package manifests
+- Unpinned or wildcard dependency versions (`*`, `^`, `~` with major ranges)
+- CDN scripts loaded without Subresource Integrity (SRI) hashes
+- Missing lock files or significantly outdated lock files
+- Dependencies from unofficial or untrusted registries
+- No Software Bill of Materials (SBOM) tracking
+- Single-person deployment without review gates
+- CI/CD pipeline configs with weaker security than production
+- Transitive dependencies not tracked or audited
+
+### Grep Patterns
+
+```
+# Wildcard or loose versioning
+"\*"|"latest"|"\^0\."
+">="|"<="|"~"
+
+# CDN scripts without integrity
+<script.*src=.*cdn|<link.*href=.*cdn
+integrity=|crossorigin=
+
+# Known vulnerable patterns (check versions)
+lodash.*4\.17\.(0|1[0-1])  # prototype pollution
+axios.*0\.21\.[0-1]         # SSRF
+jsonwebtoken.*[5-8]\.       # various CVEs
+log4j.*2\.(0|1[0-6])        # Log4Shell
+
+# Package manifest files to check
+package\.json|requirements\.txt|Gemfile|go\.mod|pom\.xml|Cargo\.toml|\.csproj
+```
+
+### JavaScript / TypeScript / Node.js
+- Check `package.json` dependency versions against known CVEs
+- Look for `<script src="https://cdn...">` without `integrity` attribute in HTML/JSX
+- Run `npm audit` or `yarn audit` mentally — flag packages with known issues
+- Check for `package-lock.json` / `yarn.lock` existence and freshness
+- Flag use of deprecated packages (e.g., `request`, `querystring`)
+
+### Python
+- Check `requirements.txt` for pinned versions with known CVEs
+- Look for `pip install` without `--require-hashes`
+- Check for `Pipfile.lock` or `poetry.lock`
+
+### Java
+- Check `pom.xml` dependency versions against known CVEs
+- Look for `<repository>` entries pointing to unofficial Maven repos
+- Flag old Spring, Log4j, Jackson, or Apache Commons versions
+
+## Prevention Measures
+
+1. Generate and maintain Software Bill of Materials (SBOM)
+2. Track all direct and transitive dependencies
+3. Remove unused dependencies and unnecessary components
+4. Continuously monitor for CVEs (OWASP Dependency Check, Snyk, npm audit)
+5. Obtain components only from official, trusted sources via secure channels
+6. Implement Subresource Integrity (SRI) for all CDN-loaded resources
+7. Pin dependency versions and use lock files
+8. Implement staged rollouts, not simultaneous deployments
+9. Harden CI/CD pipelines with MFA and access controls
+10. Require code review for all changes before merge
+
+## Example Attack Scenarios
+
+**SolarWinds (2019):** Trusted vendor infiltrated — malware propagated to 18,000 orgs via software updates.
+
+**Log4Shell (2021):** CVE-2021-44228 in Apache Log4j enabled remote code execution, affecting millions of Java applications.
+
+**Shai-Hulud (2025):** First self-propagating npm worm infected 500+ package versions, harvesting developer credentials.
+
+## Fix Examples
+
+**Before (CDN without SRI):**
+```html
+<script src="https://cdn.example.com/lib.min.js"></script>
+```
+
+**After (CDN with SRI):**
+```html
+<script src="https://cdn.example.com/lib.min.js"
+  integrity="sha384-abc123..."
+  crossorigin="anonymous"></script>
+```
+
+**Before (loose dependency versions):**
+```json
+{ "lodash": "^4.17.0", "axios": "*" }
+```
+
+**After (pinned versions, updated):**
+```json
+{ "lodash": "4.17.21", "axios": "1.7.2" }
+```
+
+## References
+
+- [OWASP A03:2025](https://owasp.org/Top10/2025/A03_2025-Software_Supply_Chain_Failures/)
+- OWASP Dependency Check / Dependency Track
+- CycloneDX SBOM Standard
+- OWASP ASVS: Component Verification