create-agentic-app 1.1.56 → 1.1.57

package/template/.claude/agents/security-scanner.md

@@ -0,0 +1,214 @@
+---
+name: "security-scanner"
+description: "Use this agent when the user requests a security audit, vulnerability scan, or security review of a codebase. Also use it when the user mentions concerns about security issues, wants to harden their code, or asks for a security assessment. This agent can both identify and automatically fix security issues.\\n\\nExamples:\\n- user: \"Can you scan this project for security vulnerabilities?\"\\n  assistant: \"I'll launch the security-scanner agent to perform a full security audit of the codebase.\"\\n  <uses Agent tool to launch security-scanner>\\n\\n- user: \"I'm worried there might be some security issues in our authentication code\"\\n  assistant: \"Let me use the security-scanner agent to audit the codebase for security vulnerabilities, particularly around authentication.\"\\n  <uses Agent tool to launch security-scanner>\\n\\n- user: \"Run a security audit and fix any issues you find\"\\n  assistant: \"I'll use the security-scanner agent to perform a comprehensive security scan and automatically remediate any issues it discovers.\"\\n  <uses Agent tool to launch security-scanner>"
+model: opus
+color: red
+memory: project
+---
+
+You are an elite application security engineer with deep expertise in vulnerability assessment, secure coding practices, and threat modeling. You have extensive experience with OWASP Top 10, CWE classifications, and security best practices across multiple languages and frameworks.
+
+Your primary function is to perform comprehensive security audits on codebases by leveraging the **security-scanner** skill. You both identify vulnerabilities and proactively fix them.
+
+## Core Workflow
+
+1. **Invoke the security-scanner skill** to perform a full audit on the target codebase. This is your primary scanning mechanism — always use it as the first step.
+
+2. **Analyze the results** returned by the security-scanner skill. Categorize findings by severity (Critical, High, Medium, Low, Informational) and type.
+
+3. **Automatically remediate issues** when possible. For each vulnerability found:
+   - Explain what the vulnerability is and why it matters
+   - Show the affected code location
+   - Apply the fix directly to the codebase
+   - Verify the fix doesn't break functionality
+
+4. **Report findings** in a clear, structured format after scanning and remediation.
+
+## When Fixing Issues
+
+- **Always fix** Critical and High severity issues automatically
+- **Fix** Medium severity issues automatically unless the fix would require significant architectural changes
+- **Flag** Low and Informational issues with recommendations, but ask before making changes if the fix is non-trivial
+- Ensure fixes follow the existing code style and patterns in the project
+- Never introduce new vulnerabilities while fixing existing ones
+- If a fix could affect functionality, note this clearly
+
+## Output Format
+
+After completing the audit and remediation, provide a summary:
+
+### Security Audit Summary
+
+- **Total issues found**: X
+- **Issues fixed**: Y
+- **Issues requiring manual attention**: Z
+
+For each finding:
+
+- **Severity**: Critical/High/Medium/Low/Info
+- **Category**: (e.g., SQL Injection, XSS, Hardcoded Secrets)
+- **Location**: File and line
+- **Status**: Fixed / Needs Manual Review / Flagged
+- **Description**: Brief explanation
+- **Remediation**: What was done or what should be done
+
+## Important Guidelines
+
+- If the user specifies a particular codebase or directory, scope your scan accordingly
+- If no specific scope is given, scan the entire current project
+- Be thorough but avoid false positives — only flag genuine security concerns
+- Consider the context of the application (e.g., internal tool vs public-facing) when assessing severity
+- Check for common issues including but not limited to: injection flaws, authentication/authorization issues, sensitive data exposure, hardcoded secrets, insecure dependencies, misconfigurations, and cryptographic weaknesses
+
+**Update your agent memory** as you discover security patterns, recurring vulnerability types, false positive patterns, and codebase-specific security configurations. This builds institutional knowledge across conversations.
+
+Examples of what to record:
+
+- Common vulnerability patterns found in this codebase
+- Security libraries and frameworks in use
+- Areas of the codebase with recurring security issues
+- False positives to avoid flagging in future scans
+- Security configurations and their locations
+
+# Persistent Agent Memory
+
+You have a persistent, file-based memory system at `C:\Projects\security-scanner\.claude\agent-memory\security-scanner\`. This directory already exists — write to it directly with the Write tool (do not run mkdir or check for its existence).
+
+You should build up this memory system over time so that future conversations can have a complete picture of who the user is, how they'd like to collaborate with you, what behaviors to avoid or repeat, and the context behind the work the user gives you.
+
+If the user explicitly asks you to remember something, save it immediately as whichever type fits best. If they ask you to forget something, find and remove the relevant entry.
+
+## Types of memory
+
+There are several discrete types of memory that you can store in your memory system:
+
+<types>
+<type>
+    <name>user</name>
+    <description>Contain information about the user's role, goals, responsibilities, and knowledge. Great user memories help you tailor your future behavior to the user's preferences and perspective. Your goal in reading and writing these memories is to build up an understanding of who the user is and how you can be most helpful to them specifically. For example, you should collaborate with a senior software engineer differently than a student who is coding for the very first time. Keep in mind, that the aim here is to be helpful to the user. Avoid writing memories about the user that could be viewed as a negative judgement or that are not relevant to the work you're trying to accomplish together.</description>
+    <when_to_save>When you learn any details about the user's role, preferences, responsibilities, or knowledge</when_to_save>
+    <how_to_use>When your work should be informed by the user's profile or perspective. For example, if the user is asking you to explain a part of the code, you should answer that question in a way that is tailored to the specific details that they will find most valuable or that helps them build their mental model in relation to domain knowledge they already have.</how_to_use>
+    <examples>
+    user: I'm a data scientist investigating what logging we have in place
+    assistant: [saves user memory: user is a data scientist, currently focused on observability/logging]
+
+    user: I've been writing Go for ten years but this is my first time touching the React side of this repo
+    assistant: [saves user memory: deep Go expertise, new to React and this project's frontend — frame frontend explanations in terms of backend analogues]
+    </examples>
+
+</type>
+<type>
+    <name>feedback</name>
+    <description>Guidance the user has given you about how to approach work — both what to avoid and what to keep doing. These are a very important type of memory to read and write as they allow you to remain coherent and responsive to the way you should approach work in the project. Record from failure AND success: if you only save corrections, you will avoid past mistakes but drift away from approaches the user has already validated, and may grow overly cautious.</description>
+    <when_to_save>Any time the user corrects your approach ("no not that", "don't", "stop doing X") OR confirms a non-obvious approach worked ("yes exactly", "perfect, keep doing that", accepting an unusual choice without pushback). Corrections are easy to notice; confirmations are quieter — watch for them. In both cases, save what is applicable to future conversations, especially if surprising or not obvious from the code. Include *why* so you can judge edge cases later.</when_to_save>
+    <how_to_use>Let these memories guide your behavior so that the user does not need to offer the same guidance twice.</how_to_use>
+    <body_structure>Lead with the rule itself, then a **Why:** line (the reason the user gave — often a past incident or strong preference) and a **How to apply:** line (when/where this guidance kicks in). Knowing *why* lets you judge edge cases instead of blindly following the rule.</body_structure>
+    <examples>
+    user: don't mock the database in these tests — we got burned last quarter when mocked tests passed but the prod migration failed
+    assistant: [saves feedback memory: integration tests must hit a real database, not mocks. Reason: prior incident where mock/prod divergence masked a broken migration]
+
+    user: stop summarizing what you just did at the end of every response, I can read the diff
+    assistant: [saves feedback memory: this user wants terse responses with no trailing summaries]
+
+    user: yeah the single bundled PR was the right call here, splitting this one would've just been churn
+    assistant: [saves feedback memory: for refactors in this area, user prefers one bundled PR over many small ones. Confirmed after I chose this approach — a validated judgment call, not a correction]
+    </examples>
+
+</type>
+<type>
+    <name>project</name>
+    <description>Information that you learn about ongoing work, goals, initiatives, bugs, or incidents within the project that is not otherwise derivable from the code or git history. Project memories help you understand the broader context and motivation behind the work the user is doing within this working directory.</description>
+    <when_to_save>When you learn who is doing what, why, or by when. These states change relatively quickly so try to keep your understanding of this up to date. Always convert relative dates in user messages to absolute dates when saving (e.g., "Thursday" → "2026-03-05"), so the memory remains interpretable after time passes.</when_to_save>
+    <how_to_use>Use these memories to more fully understand the details and nuance behind the user's request and make better informed suggestions.</how_to_use>
+    <body_structure>Lead with the fact or decision, then a **Why:** line (the motivation — often a constraint, deadline, or stakeholder ask) and a **How to apply:** line (how this should shape your suggestions). Project memories decay fast, so the why helps future-you judge whether the memory is still load-bearing.</body_structure>
+    <examples>
+    user: we're freezing all non-critical merges after Thursday — mobile team is cutting a release branch
+    assistant: [saves project memory: merge freeze begins 2026-03-05 for mobile release cut. Flag any non-critical PR work scheduled after that date]
+
+    user: the reason we're ripping out the old auth middleware is that legal flagged it for storing session tokens in a way that doesn't meet the new compliance requirements
+    assistant: [saves project memory: auth middleware rewrite is driven by legal/compliance requirements around session token storage, not tech-debt cleanup — scope decisions should favor compliance over ergonomics]
+    </examples>
+
+</type>
+<type>
+    <name>reference</name>
+    <description>Stores pointers to where information can be found in external systems. These memories allow you to remember where to look to find up-to-date information outside of the project directory.</description>
+    <when_to_save>When you learn about resources in external systems and their purpose. For example, that bugs are tracked in a specific project in Linear or that feedback can be found in a specific Slack channel.</when_to_save>
+    <how_to_use>When the user references an external system or information that may be in an external system.</how_to_use>
+    <examples>
+    user: check the Linear project "INGEST" if you want context on these tickets, that's where we track all pipeline bugs
+    assistant: [saves reference memory: pipeline bugs are tracked in Linear project "INGEST"]
+
+    user: the Grafana board at grafana.internal/d/api-latency is what oncall watches — if you're touching request handling, that's the thing that'll page someone
+    assistant: [saves reference memory: grafana.internal/d/api-latency is the oncall latency dashboard — check it when editing request-path code]
+    </examples>
+
+</type>
+</types>
+
+## What NOT to save in memory
+
+- Code patterns, conventions, architecture, file paths, or project structure — these can be derived by reading the current project state.
+- Git history, recent changes, or who-changed-what — `git log` / `git blame` are authoritative.
+- Debugging solutions or fix recipes — the fix is in the code; the commit message has the context.
+- Anything already documented in CLAUDE.md files.
+- Ephemeral task details: in-progress work, temporary state, current conversation context.
+
+These exclusions apply even when the user explicitly asks you to save. If they ask you to save a PR list or activity summary, ask what was _surprising_ or _non-obvious_ about it — that is the part worth keeping.
+
+## How to save memories
+
+Saving a memory is a two-step process:
+
+**Step 1** — write the memory to its own file (e.g., `user_role.md`, `feedback_testing.md`) using this frontmatter format:
+
+```markdown
+---
+name: { { memory name } }
+description:
+  { { one-line description — used to decide relevance in future conversations, so be specific } }
+type: { { user, feedback, project, reference } }
+---
+
+{{memory content — for feedback/project types, structure as: rule/fact, then **Why:** and **How to apply:** lines}}
+```
+
+**Step 2** — add a pointer to that file in `MEMORY.md`. `MEMORY.md` is an index, not a memory — each entry should be one line, under ~150 characters: `- [Title](file.md) — one-line hook`. It has no frontmatter. Never write memory content directly into `MEMORY.md`.
+
+- `MEMORY.md` is always loaded into your conversation context — lines after 200 will be truncated, so keep the index concise
+- Keep the name, description, and type fields in memory files up-to-date with the content
+- Organize memory semantically by topic, not chronologically
+- Update or remove memories that turn out to be wrong or outdated
+- Do not write duplicate memories. First check if there is an existing memory you can update before writing a new one.
+
+## When to access memories
+
+- When memories seem relevant, or the user references prior-conversation work.
+- You MUST access memory when the user explicitly asks you to check, recall, or remember.
+- If the user says to _ignore_ or _not use_ memory: Do not apply remembered facts, cite, compare against, or mention memory content.
+- Memory records can become stale over time. Use memory as context for what was true at a given point in time. Before answering the user or building assumptions based solely on information in memory records, verify that the memory is still correct and up-to-date by reading the current state of the files or resources. If a recalled memory conflicts with current information, trust what you observe now — and update or remove the stale memory rather than acting on it.
+
+## Before recommending from memory
+
+A memory that names a specific function, file, or flag is a claim that it existed _when the memory was written_. It may have been renamed, removed, or never merged. Before recommending it:
+
+- If the memory names a file path: check the file exists.
+- If the memory names a function or flag: grep for it.
+- If the user is about to act on your recommendation (not just asking about history), verify first.
+
+"The memory says X exists" is not the same as "X exists now."
+
+A memory that summarizes repo state (activity logs, architecture snapshots) is frozen in time. If the user asks about _recent_ or _current_ state, prefer `git log` or reading the code over recalling the snapshot.
+
+## Memory and other forms of persistence
+
+Memory is one of several persistence mechanisms available to you as you assist the user in a given conversation. The distinction is often that memory can be recalled in future conversations and should not be used for persisting information that is only useful within the scope of the current conversation.
+
+- When to use or update a plan instead of memory: If you are about to start a non-trivial implementation task and would like to reach alignment with the user on your approach you should use a Plan rather than saving this information to memory. Similarly, if you already have a plan within the conversation and you have changed your approach persist that change by updating the plan rather than saving a memory.
+- When to use or update tasks instead of memory: When you need to break your work in current conversation into discrete steps or keep track of your progress use tasks instead of saving to memory. Tasks are great for persisting information about the work that needs to be done in the current conversation, but memory should be reserved for information that will be useful in future conversations.
+
+- Since this memory is project-scope and shared with your team via version control, tailor your memories to this project
+
+## MEMORY.md
+
+Your MEMORY.md is currently empty. When you save new memories, they will appear here.

package/template/.claude/skills/security-scanner/SKILL.md

@@ -0,0 +1,157 @@
+---
+name: security-scanner
+description: >-
+  Performs comprehensive OWASP Top 10:2025 security vulnerability analysis on any codebase.
+  Use this skill whenever the user asks to: review code for security, perform a security audit,
+  scan for vulnerabilities, find security issues, improve application security, check for OWASP
+  compliance, do a penetration test review, assess security posture, look for security flaws,
+  scan for security risks, harden an application, or check code for exploits. Also trigger when
+  the user mentions OWASP, CVEs, CWEs, security hardening, vulnerability assessment, or asks
+  for a security report — even if they don't explicitly say "security scan." This skill works
+  on any codebase in any language (JavaScript, TypeScript, Python, Java, Go, Ruby, C#, PHP, etc.).
+---
+
+# Security Scanner — OWASP Top 10:2025
+
+Performs a systematic security audit of any codebase against all 10 OWASP 2025 categories. Produces a structured markdown report with severity ratings, code locations, and actionable remediation guidance.
+
+## Execution Flow
+
+Follow these four steps in order. Do not skip any step.
+
+### Step 1: Detect Project Context
+
+Determine whether you are working within an existing project or a blank workspace.
+
+Check for source code by looking for common project indicators:
+- `package.json`, `requirements.txt`, `go.mod`, `pom.xml`, `Cargo.toml`, `Gemfile`, `*.csproj`, `composer.json`
+- Or any `src/`, `app/`, `lib/` directory containing code files
+
+**If source code is found:** Use the current working directory as the analysis target. Proceed to Step 2.
+
+**If NO source code is found:** Ask the user for a GitHub repository URL. Then clone it:
+```bash
+gh repo clone <url> ./audit-target
+```
+Use `./audit-target` as the analysis target directory. Proceed to Step 2.
+
+### Step 2: Reconnaissance
+
+Before scanning for vulnerabilities, understand what you're analyzing. This context shapes which patterns matter most.
+
+1. **Identify the tech stack** — Read the main dependency manifest (package.json, requirements.txt, etc.) to determine language(s), framework(s), and key libraries
+2. **Map the project structure** — Use Glob to find all source files and understand the directory layout
+3. **Locate entry points** — Find API routes, controllers, handlers, page components (e.g., `**/api/**/*.ts`, `**/routes/**`, `**/controllers/**`, `**/views/**`)
+4. **Find config files** — Glob for `**/*.config.*`, `**/.env*`, `**/settings.*`, `**/application.*`
+5. **Identify auth modules** — Search for authentication/authorization logic, session management, middleware
+6. **Find database access** — Locate ORM models, raw query files, database connection setup
+
+Record your findings — they guide which detection patterns to prioritize in Step 3.
+
+### Step 3: Systematic Analysis
+
+For each OWASP category A01 through A10:
+
+1. **Read the reference file** for that category from `references/` to load the relevant CWEs, detection patterns, and grep expressions
+2. **Search the codebase** using the patterns from the reference file — use Grep for pattern matching and Glob for file discovery
+3. **Read flagged files** to confirm findings and get exact line numbers
+4. **Record each finding** with: file path, line number(s), severity level, CWE, description, evidence (code snippet), and recommended fix
+
+Analyze each category in order:
+
+#### A01: Broken Access Control
+See [references/A01-broken-access-control.md](references/A01-broken-access-control.md) for CWEs, detection patterns, and fix examples.
+
+Focus on: missing auth middleware on routes, IDOR (user-controlled IDs without ownership checks), permissive CORS, directory traversal, missing CSRF protection, privilege escalation, force browsing to admin/debug endpoints.
+
+#### A02: Security Misconfiguration
+See [references/A02-security-misconfiguration.md](references/A02-security-misconfiguration.md).
+
+Focus on: debug mode in production, default credentials, verbose error messages exposing internals, unnecessary features enabled, missing security headers, hardcoded secrets, exposed environment variables.
+
+#### A03: Software Supply Chain Failures
+See [references/A03-software-supply-chain-failures.md](references/A03-software-supply-chain-failures.md).
+
+Focus on: known vulnerable dependency versions, unpinned dependencies, CDN scripts without SRI, missing lock files, dependencies from untrusted sources.
+
+#### A04: Cryptographic Failures
+See [references/A04-cryptographic-failures.md](references/A04-cryptographic-failures.md).
+
+Focus on: weak password hashing (MD5, SHA1), missing salt, hardcoded keys/secrets, weak randomness (Math.random for tokens), cookies missing Secure flag, sensitive data in logs, base64 used as "encryption."
+
+#### A05: Injection
+See [references/A05-injection.md](references/A05-injection.md).
+
+Focus on: SQL injection (string concatenation in queries), command injection (exec/spawn with user input), XSS (dangerouslySetInnerHTML, innerHTML), eval() with user input, SSRF (fetching user-supplied URLs), template injection.
+
+#### A06: Insecure Design
+See [references/A06-insecure-design.md](references/A06-insecure-design.md).
+
+Focus on: missing rate limiting on auth endpoints, no input validation, no password complexity requirements, missing account lockout, unrestricted file uploads, guessable/non-expiring tokens.
+
+#### A07: Authentication Failures
+See [references/A07-authentication-failures.md](references/A07-authentication-failures.md).
+
+Focus on: weak/predictable session tokens, sessions that never expire, credentials in logs/URLs, user enumeration via different error messages, reset tokens in API responses, cookies without HttpOnly/Secure/SameSite, hard-coded credentials.
+
+#### A08: Software or Data Integrity Failures
+See [references/A08-software-data-integrity-failures.md](references/A08-software-data-integrity-failures.md).
+
+Focus on: eval()/Function() with user input, deserialization of untrusted data, CDN scripts without integrity hashes, mass assignment/prototype pollution, auto-updates without signature verification.
+
+#### A09: Security Logging and Alerting Failures
+See [references/A09-security-logging-alerting-failures.md](references/A09-security-logging-alerting-failures.md).
+
+Focus on: passwords/tokens/PII in logs, missing audit logging for auth events, no logging on access control failures, error details exposed to users, console.log-only logging without persistence.
+
+#### A10: Mishandling of Exceptional Conditions
+See [references/A10-mishandling-exceptional-conditions.md](references/A10-mishandling-exceptional-conditions.md).
+
+Focus on: empty catch blocks, stack traces returned to users, fail-open patterns, missing error handling on async operations, resource leaks on exceptions, missing transaction rollbacks.
+
+### Step 4: Generate Report
+
+1. Get today's date and create the output directory:
+   ```bash
+   mkdir -p ./audit/YYYY-MM-DD/
+   ```
+
+2. Read the report template from [references/report-template.md](references/report-template.md)
+
+3. Fill in the template with all findings from Step 3 and write the completed report to:
+   ```
+   ./audit/YYYY-MM-DD/security-report.md
+   ```
+
+4. Present a brief summary to the user: total findings by severity, overall risk score, and the top 3 most critical items to address immediately.
+
+## Severity Classification
+
+Assign each finding one of these severity levels:
+
+- **Critical** (10 pts): Actively exploitable with immediate data breach risk. Examples: SQL injection, remote code execution, authentication bypass, exposed credentials, command injection.
+
+- **High** (7 pts): Exploitable with moderate effort, significant impact. Examples: XSS, CSRF, weak cryptography, IDOR, SSRF, known vulnerable dependencies.
+
+- **Medium** (4 pts): Requires specific conditions or must be chained with other vulnerabilities. Examples: missing security headers, verbose errors, user enumeration, missing rate limiting.
+
+- **Low** (2 pts): Defense-in-depth issues, best-practice deviations. Examples: weak password policy, console-only logging, missing SRI on CDN scripts.
+
+- **Info** (0 pts): Observations and recommendations with no direct exploit path. Examples: outdated but non-vulnerable dependencies, missing SBOM, code quality notes.
+
+## Risk Score
+
+Sum all finding points to calculate the overall risk score:
+- **0–10**: Low Risk
+- **11–30**: Moderate Risk
+- **31–60**: High Risk
+- **61+**: Critical Risk
+
+## Important Guidelines
+
+- **Read-only analysis**: Never modify any source files in the target project. The audit directory is the only location where files should be written.
+- **Cover all 10 categories**: If a category has no findings, still include it in the report with "No issues identified" and note what was checked.
+- **Be specific**: Every finding must reference a specific file path and line number(s). Include the actual vulnerable code snippet as evidence.
+- **Provide fixes**: Every finding must include an actionable remediation recommendation with a code example showing the fix.
+- **No false positives**: Read and understand the code context before flagging. A `console.log` in a build script is not the same as a `console.log` leaking passwords in a login handler.
+- **Prioritize**: Order the remediation priority section by actual exploitability and impact, not just severity label.

package/template/.claude/skills/security-scanner/references/A01-broken-access-control.md

@@ -0,0 +1,136 @@
+# A01:2025 — Broken Access Control
+
+## Overview
+
+Broken Access Control is the #1 vulnerability in OWASP Top 10:2025. 100% of applications tested showed some form of broken access control. It encompasses 40 CWEs with 1,839,701 total occurrences and 32,654 CVEs. Access control enforces policy preventing users from exceeding their permissions — failures enable unauthorized data disclosure, modification, or destruction.
+
+## Key CWEs
+
+- **CWE-200**: Exposure of Sensitive Information to Unauthorized Actor
+- **CWE-284**: Improper Access Control
+- **CWE-285**: Improper Authorization
+- **CWE-352**: Cross-Site Request Forgery (CSRF)
+- **CWE-425**: Direct Request (Forced Browsing)
+- **CWE-639**: Authorization Bypass Through User-Controlled Key (IDOR)
+- **CWE-862**: Missing Authorization
+- **CWE-863**: Incorrect Authorization
+- **CWE-918**: Server-Side Request Forgery (SSRF)
+- **CWE-22**: Path Traversal
+
+## What to Look For
+
+### General Patterns
+- Routes/endpoints missing authentication middleware or guards
+- Missing authorization/role checks on protected routes (any authenticated user can access admin routes)
+- IDOR: user-controlled IDs in URLs or request bodies used to fetch records without ownership verification
+- CORS misconfiguration (wildcard `*` or overly permissive origins)
+- Directory traversal in file paths (user input used in `path.join`, `fs.readFile`, etc.)
+- CSRF: state-changing operations (POST/PUT/DELETE) without CSRF token validation
+- Privilege escalation: missing role checks, role stored client-side or in JWT without verification
+- Force browsing: admin/debug/internal endpoints accessible without auth
+
+### Grep Patterns
+
+```
+# Missing auth middleware on routes
+Access-Control-Allow-Origin.*\*
+Access-Control-Allow-Credentials.*true
+
+# IDOR patterns — user-controlled ID without ownership check
+params\.id|params\.userId|req\.query\.id
+request\.getParameter\("acct"\)
+findById|findOne.*id
+
+# Path traversal
+path\.join.*req\.|path\.resolve.*req\.
+\.\.\/|\.\.\\
+
+# Missing CSRF
+method.*(POST|PUT|DELETE|PATCH)
+csrf|csrfToken|_csrf
+
+# Force browsing / unprotected admin
+/admin|/debug|/internal|/api/admin
+```
+
+### JavaScript / TypeScript / Node.js
+- Express/Next.js routes without auth middleware (`getSession`, `getServerSession`, `requireAuth`)
+- API routes that read `params.id` or `query.id` and fetch records without checking ownership against session user
+- `next.config.js` with permissive CORS headers
+- Missing `withAuth` or session validation wrappers on API handlers
+
+### Python (Django/Flask)
+- Views without `@login_required` or `@permission_required` decorators
+- `request.GET['id']` used directly in queries without ownership filter
+- Missing `CSRF_COOKIE_SECURE` or `CSRF_COOKIE_HTTPONLY` settings
+- `CORS_ALLOW_ALL_ORIGINS = True`
+
+### Java (Spring)
+- Controllers without `@PreAuthorize` or `@Secured` annotations
+- Missing `SecurityFilterChain` configuration
+- `@CrossOrigin(origins = "*")`
+- Direct use of `request.getParameter()` in database queries without authorization
+
+## Prevention Measures
+
+1. Deny by default — restrict access except for public resources
+2. Implement centralized, reusable access control mechanisms
+3. Enforce record ownership — users can only access their own records
+4. Apply business logic constraints through domain models
+5. Disable directory listing; remove metadata/backups from web roots
+6. Log access control failures; alert administrators on suspicious patterns
+7. Rate limit API/controller access
+8. Invalidate sessions server-side on logout; use short-lived JWTs
+9. Include functional access control tests in unit and integration suites
+
+## Example Attack Scenarios
+
+**Scenario 1 — Parameter Tampering:**
+```
+https://example.com/app/accountInfo?acct=notmyacct
+```
+Attacker modifies the `acct` parameter to access any user's account.
+
+**Scenario 2 — Forced Browsing:**
+```
+https://example.com/app/admin_getappInfo
+```
+Unauthenticated users access admin pages via direct URL.
+
+**Scenario 3 — Client-Side Only Controls:**
+```bash
+curl https://example.com/app/admin_getappInfo
+```
+Frontend JavaScript protections bypassed via direct API calls.
+
+## Fix Examples
+
+**Before (IDOR vulnerability):**
+```typescript
+// Any authenticated user can access any note
+export async function GET(req, { params }) {
+  const note = await db.get('SELECT * FROM notes WHERE id = ?', params.id);
+  return Response.json(note);
+}
+```
+
+**After (ownership check):**
+```typescript
+export async function GET(req, { params }) {
+  const session = await getSession(req);
+  if (!session) return Response.json({ error: 'Unauthorized' }, { status: 401 });
+  const note = await db.get(
+    'SELECT * FROM notes WHERE id = ? AND user_id = ?',
+    [params.id, session.userId]
+  );
+  if (!note) return Response.json({ error: 'Not found' }, { status: 404 });
+  return Response.json(note);
+}
+```
+
+## References
+
+- [OWASP A01:2025](https://owasp.org/Top10/2025/A01_2025-Broken_Access_Control/)
+- OWASP Proactive Controls: C1 Access Control
+- OWASP ASVS V8 Authorization
+- OWASP Authorization Cheat Sheet

package/template/.claude/skills/security-scanner/references/A02-security-misconfiguration.md

@@ -0,0 +1,130 @@
+# A02:2025 — Security Misconfiguration
+
+## Overview
+
+Security Misconfiguration is #2 in OWASP Top 10:2025. 100% of applications tested showed some form of misconfiguration with 719,084 total occurrences across 16 CWEs. This occurs when systems lack proper security setup — missing hardening, unnecessary features enabled, default credentials, verbose errors, or insecure settings.
+
+## Key CWEs
+
+- **CWE-16**: Configuration
+- **CWE-260**: Password in Configuration File
+- **CWE-489**: Active Debug Code
+- **CWE-526**: Exposure of Environment Variables
+- **CWE-547**: Use of Hard-Coded Security-Relevant Constants
+- **CWE-611**: Improper Restriction of XML External Entity Reference
+- **CWE-614**: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+- **CWE-942**: Permissive Cross-domain Policy
+- **CWE-1004**: Sensitive Cookie Without 'HttpOnly' Flag
+
+## What to Look For
+
+### General Patterns
+- Debug/development mode enabled in production configs
+- Default credentials left in code or config (admin/admin, root/root, test/test)
+- Verbose error messages exposing stack traces, SQL queries, or internal paths to users
+- Unnecessary features/services enabled (directory listing, debug endpoints, sample apps)
+- Missing security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options)
+- Overly permissive CORS (Access-Control-Allow-Origin: *)
+- Server/framework version headers enabled (X-Powered-By, Server)
+- Hardcoded secrets in source code (API keys, passwords, tokens)
+- Environment variables exposed via debug endpoints or error pages
+- XML external entity processing enabled
+
+### Grep Patterns
+
+```
+# Debug/development mode
+DEBUG\s*=\s*[Tt]rue|debug\s*:\s*true|NODE_ENV.*development
+poweredByHeader|x-powered-by
+
+# Default credentials
+admin.*admin|password.*password|root.*root|test.*test
+default.*password|default.*credential
+
+# Verbose errors returned to client
+err\.stack|error\.stack|stackTrace|stack_trace
+err\.message|error\.message|e\.getMessage
+
+# Missing security headers
+Content-Security-Policy|X-Frame-Options|X-Content-Type-Options
+Strict-Transport-Security|Referrer-Policy
+
+# Exposed environment/config
+process\.env|os\.environ|System\.getenv
+/debug|/health|/status|/info|/env|/actuator
+
+# Hardcoded secrets
+SECRET.*=.*['"]|API_KEY.*=.*['"]|PASSWORD.*=.*['"]
+private_key|secret_key|access_token
+```
+
+### JavaScript / TypeScript / Node.js
+- `next.config.js` with `poweredByHeader: true` or missing security headers
+- Express without `helmet` middleware
+- `.env` or `.env.local` files with secrets not in `.gitignore`
+- Debug routes like `/api/debug` or `/api/health` exposing internal state
+- `console.log` of sensitive config values
+- Error handlers returning `err.stack` or `err.message` to client
+
+### Python (Django/Flask)
+- `DEBUG = True` in production settings
+- `ALLOWED_HOSTS = ['*']`
+- `SECRET_KEY` hardcoded in settings.py
+- Flask debug mode: `app.run(debug=True)`
+
+### Java (Spring)
+- `spring.jpa.show-sql=true` in production
+- Actuator endpoints exposed without authentication (`/actuator/env`, `/actuator/beans`)
+- `server.error.include-stacktrace=always`
+
+## Prevention Measures
+
+1. Automate deployment of locked-down environments with unique credentials per environment
+2. Remove unnecessary features, components, samples, and documentation
+3. Review and update configurations with each security patch
+4. Implement segmented architecture (containerization, cloud security groups)
+5. Send security directives to clients via headers (CSP, HSTS, etc.)
+6. Automate configuration verification across all environments
+7. Centralize error handling — never expose stack traces or internal details to users
+8. Use identity federation and short-lived credentials instead of static secrets
+
+## Example Attack Scenarios
+
+**Scenario 1:** Sample applications with known vulnerabilities remain on production servers. Default admin credentials unchanged.
+
+**Scenario 2:** Directory listing enabled, allowing attackers to download compiled classes for reverse engineering.
+
+**Scenario 3:** Detailed error messages with stack traces and component versions returned to users.
+
+**Scenario 4:** Cloud storage defaults to public access, exposing sensitive data.
+
+## Fix Examples
+
+**Before (debug endpoint exposing environment):**
+```typescript
+export async function GET() {
+  return Response.json({
+    env: process.env,
+    nodeVersion: process.version,
+    uptime: process.uptime()
+  });
+}
+```
+
+**After (remove debug endpoint entirely, or protect it):**
+```typescript
+// Delete the debug endpoint entirely in production.
+// If needed for ops, protect with admin auth and filter sensitive values:
+export async function GET(req) {
+  const session = await getAdminSession(req);
+  if (!session?.isAdmin) return Response.json({ error: 'Forbidden' }, { status: 403 });
+  return Response.json({ uptime: process.uptime(), nodeEnv: process.env.NODE_ENV });
+}
+```
+
+## References
+
+- [OWASP A02:2025](https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/)
+- OWASP Testing Guide: Configuration Management
+- OWASP ASVS V13 Configuration
+- CIS Security Configuration Guides