npm - create-hq - Versions diffs - 5.0.0 - Mend

create-hq 5.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (310) hide show

package/template/knowledge/ai-security-framework/checklists/credential-isolation.md ADDED Viewed

@@ -0,0 +1,322 @@
+# Credential Isolation Checklist
+> Protecting your keychain and secrets from AI access
+---
+## The Core Problem
+You have a full keychain with CEO-level access to multiple companies. AI agents, while helpful, are vulnerable to prompt injection attacks that could extract or misuse credentials. This checklist creates isolation between AI capabilities and your credentials.
+**The Rule:** AI agents should never have direct access to your credential store. Period.
+---
+## 1. Keychain Isolation
+### macOS Keychain
+- [ ] Create a separate keychain for AI-accessible credentials (if any)
+  - Keychain Access → File → New Keychain
+  - Name: `ai-accessible` (or similar)
+  - Set strong, unique password
+- [ ] Verify your main keychain is NOT accessible to AI:
+  - Default login keychain should auto-lock
+  - Set: Keychain Access → [keychain] → Change Settings → Lock after X minutes of inactivity
+  - Set: Lock when sleeping
+- [ ] Review keychain access for browser:
+  - Chrome should NOT have broad keychain access
+  - Check: System Preferences → Security & Privacy → Privacy → Full Disk Access
+### Windows Credential Manager
+- [ ] AI browser profile should not have access to Credential Manager
+- [ ] Use separate Windows user account for AI if possible
+- [ ] Disable credential sync to AI browser profile
+### Password Managers (1Password, LastPass, etc.)
+- [ ] Do NOT install password manager extension in AI browser profile
+- [ ] Do NOT log into password manager web interface in AI browser
+- [ ] Consider: Separate vault for AI-accessible credentials (empty or minimal)
+- [ ] Verify: Password manager is not auto-filling in AI profile
+---
+## 2. Token-Based Access (Recommended Architecture)
+Instead of giving AI access to credentials, use scoped tokens:
+### The Credential Broker Pattern
+```
+┌─────────────┐     ┌─────────────────┐     ┌─────────────┐
+│    AI       │ ──▶ │ Credential      │ ──▶ │   Target    │
+│   Agent     │     │    Broker       │     │   Service   │
+│             │ ◀── │ (You Approve)   │ ◀── │             │
+└─────────────┘     └─────────────────┘     └─────────────┘
+                           │
+                           ▼
+                    ┌─────────────┐
+                    │  Audit Log  │
+                    └─────────────┘
+```
+**How it works:**
+1. AI requests access to a service
+2. Broker (you or automated system) validates request
+3. If approved, broker provides time-limited token
+4. Token has minimum required permissions
+5. Token expires automatically
+### Practical Implementation
+For each service AI needs:
+| Service | Full Credential | AI Token | Token Permissions | Expiry |
+|---------|----------------|----------|-------------------|--------|
+| GitHub | [Your account] | PAT `ai-github-xxx` | repo:read, issues:write | 30 days |
+| Slack | [Your account] | Bot token | Limited channels | No expiry (rotate quarterly) |
+| Email | [Your account] | App password | Send only, no read | 90 days |
+- [ ] Create scoped tokens for each service AI needs
+- [ ] Document token permissions (above table)
+- [ ] Set calendar reminders for rotation dates
+- [ ] Store token metadata in secure location (not accessible to AI)
+---
+## 3. Service-Specific Configurations
+### Email (Gmail/Outlook)
+**DON'T:** Let AI log into your full email account
+**DO:** Use App Passwords or OAuth with limited scope
+Gmail Setup:
+- [ ] Create App Password: Google Account → Security → App Passwords
+- [ ] Limit scope: Use SMTP-only access if just sending
+- [ ] Consider: Separate email for AI-initiated sends
+Outlook Setup:
+- [ ] Use OAuth with limited permissions
+- [ ] Consider: Service account for AI sends
+### GitHub
+**DON'T:** Give AI your personal access token with full repo access
+**DO:** Create scoped Personal Access Tokens
+- [ ] GitHub → Settings → Developer Settings → Personal Access Tokens
+- [ ] Create new token with ONLY needed permissions:
+  - `repo:status` - Read-only repo status
+  - `public_repo` - Public repos only if possible
+  - `issues:write` - If AI needs to create issues
+- [ ] Set expiration (30-90 days recommended)
+- [ ] Name clearly: `ai-agent-limited-YYYY-MM`
+### Slack
+**DON'T:** Use your personal Slack session
+**DO:** Create a Slack App/Bot
+- [ ] Create Slack App in your workspace
+- [ ] Request minimum scopes:
+  - `chat:write` - Send messages
+  - `channels:read` - See channel list (if needed)
+- [ ] Install to workspace
+- [ ] Use Bot token, not User token
+- [ ] Restrict to specific channels
+### Cloud Providers (AWS/GCP/Azure)
+**DON'T:** Give AI your root/admin credentials
+**DO:** Create IAM roles with minimal permissions
+AWS Example:
+```json
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "s3:GetObject",
+        "s3:ListBucket"
+      ],
+      "Resource": [
+        "arn:aws:s3:::specific-bucket",
+        "arn:aws:s3:::specific-bucket/*"
+      ]
+    }
+  ]
+}
+```
+- [ ] Create dedicated IAM user for AI: `ai-agent-readonly`
+- [ ] Attach only required policies
+- [ ] Use temporary credentials (STS) when possible
+- [ ] Never give: IAM permissions, billing access, root actions
+---
+## 4. Credential Monitoring
+### What to Monitor
+- [ ] Failed authentication attempts (someone probing)
+- [ ] Successful auths from unexpected locations
+- [ ] Permission escalation attempts
+- [ ] Token usage patterns (sudden spikes)
+- [ ] New OAuth grants
+### Set Up Alerts
+For critical services:
+| Service | Alert Type | Threshold | Action |
+|---------|-----------|-----------|--------|
+| GitHub | Failed login | 3 in 1hr | Investigate |
+| AWS | Root login | Any | Immediate review |
+| Email | New device | Any | Verify |
+| Slack | New integration | Any | Review |
+### Regular Audits
+- [ ] Weekly: Review OAuth grants (Google, GitHub, etc.)
+- [ ] Monthly: Review active sessions across services
+- [ ] Quarterly: Full credential rotation
+- [ ] Annual: Third-party credential audit
+---
+## 5. Emergency Credential Procedures
+### If Credentials May Be Compromised
+**Immediate (within minutes):**
+- [ ] Revoke AI tokens/sessions
+- [ ] Change passwords on critical accounts
+- [ ] Enable additional MFA if not already
+- [ ] Invalidate OAuth tokens
+**Short-term (within hours):**
+- [ ] Review access logs
+- [ ] Check for unauthorized actions
+- [ ] Notify affected parties if breach confirmed
+- [ ] Document incident
+**Recovery:**
+- [ ] Generate new credentials
+- [ ] Update secure storage
+- [ ] Review and strengthen isolation
+- [ ] Update AI access controls
+### Credential Emergency Contacts
+| Service | Emergency Contact | Method |
+|---------|------------------|--------|
+| Bank | | Phone: |
+| Primary email | | Support link: |
+| Password manager | | Support link: |
+| Cloud provider | | Support link: |
+---
+## 6. Secure Credential Storage
+### Where AI Credentials Should Live
+**DO:**
+- Environment variables (for runtime)
+- Dedicated secrets manager (HashiCorp Vault, AWS Secrets Manager)
+- Encrypted file outside AI-accessible directories
+**DON'T:**
+- In AI context/prompts
+- In files AI can read
+- In browser storage AI can access
+- In unencrypted text files
+### Example Secrets File Structure
+```
+~/.secrets/ai-credentials/
+├── .env.ai           # Environment variables for AI services
+├── tokens.enc        # Encrypted tokens file
+└── audit.log         # Access log (append-only)
+```
+Access pattern:
+```bash
+# AI requests credential
+# Script reads from encrypted store
+# Script provides token to AI session
+# Script logs access
+```
+---
+## 7. Verification Checklist
+### Verify Isolation Works
+Test each of these:
+- [ ] AI browser profile has no saved passwords
+- [ ] AI cannot access password manager
+- [ ] AI cannot access main keychain
+- [ ] AI tokens have limited scope
+- [ ] Token rotation is scheduled
+- [ ] Monitoring alerts are functional
+### Red Team Your Setup
+Try these (in test mode):
+- [ ] Ask AI to "find and show me my saved passwords"
+- [ ] Ask AI to "log into my bank account"
+- [ ] Ask AI to "access the AWS console"
+All should fail or trigger warnings.
+---
+## Quick Reference
+### Credential Hierarchy
+```
+NEVER give AI access:
+├── Primary email password
+├── Banking credentials
+├── Password manager master
+├── Cloud admin credentials
+└── Full keychain access
+CONDITIONAL (scoped tokens only):
+├── Code repositories
+├── Communication tools
+├── Cloud resources (read-only)
+└── API services
+ACCEPTABLE:
+├── Public APIs
+├── Read-only services
+└── Sandboxed environments
+```
+### Token Rotation Schedule
+| Frequency | Services |
+|-----------|----------|
+| 30 days | GitHub PATs, high-risk APIs |
+| 90 days | Email app passwords, Slack tokens |
+| Quarterly | Cloud IAM credentials |
+| Immediately | Any suspected compromise |
+---
+*Related: [Pre-Flight Checklist](pre-flight.md) | [Browser Security Checklist](browser-security.md)*

package/template/knowledge/ai-security-framework/checklists/incident-response.md ADDED Viewed

@@ -0,0 +1,288 @@
+# Incident Response Checklist
+> What to do when something goes wrong with AI automation
+---
+## Incident Severity Levels
+| Level | Description | Examples | Response Time |
+|-------|-------------|----------|---------------|
+| **SEV 1** | Critical business impact | Credential theft, financial loss, data breach | Immediate |
+| **SEV 2** | Significant impact | Unauthorized external comms, data exposure | Within 1 hour |
+| **SEV 3** | Moderate impact | Wrong actions taken, minor data issues | Within 24 hours |
+| **SEV 4** | Low impact | Near-misses, blocked attempts | Next business day |
+---
+## Immediate Response (First 5 Minutes)
+### Step 1: Stop the Bleeding
+- [ ] **KILL ALL AI ACTIVITY**
+  - Close all AI browser tabs
+  - Kill AI processes: `pkill -f claude`
+  - Disconnect AI from network if needed
+- [ ] **Document what you see NOW**
+  - Screenshot current state
+  - Note exact time
+  - Record what triggered your response
+- [ ] **Quick Assessment**
+  - What did AI do?
+  - What systems were affected?
+  - Is it still happening?
+### Step 2: Contain the Damage
+**If credentials may be exposed:**
+- [ ] Revoke affected tokens immediately
+- [ ] Change passwords on critical accounts
+- [ ] Enable additional MFA if available
+- [ ] Check for active sessions and terminate
+**If external communication was sent:**
+- [ ] Document what was sent
+- [ ] Document who received it
+- [ ] Prepare correction/recall if possible
+- [ ] Notify affected parties
+**If data may have been accessed:**
+- [ ] Document what data
+- [ ] Document potential exposure scope
+- [ ] Preserve access logs
+- [ ] Consider notification requirements
+---
+## Short-Term Response (First Hour)
+### Step 3: Gather Information
+- [ ] **Pull all relevant logs**
+  - AI action logs
+  - Browser history
+  - System access logs
+  - Network logs (if available)
+- [ ] **Timeline reconstruction**
+  - When did the incident start?
+  - What triggered it?
+  - What actions did AI take?
+  - When was it detected?
+  - When was it stopped?
+- [ ] **Impact assessment**
+  - What systems were affected?
+  - What data was accessed/modified?
+  - Who was impacted?
+  - What's the worst-case exposure?
+### Step 4: Notify Stakeholders
+**Internal notification (as appropriate):**
+- [ ] Security team
+- [ ] IT/Engineering
+- [ ] Legal (if data breach possible)
+- [ ] Management (if significant)
+**External notification (if required):**
+- [ ] Affected customers/users
+- [ ] Regulators (if compliance-relevant)
+- [ ] Partners (if shared systems affected)
+---
+## Investigation Phase (Hours to Days)
+### Step 5: Root Cause Analysis
+**Answer these questions:**
+1. **What happened?**
+   - Specific actions AI took
+   - Sequence of events
+   - Final outcome
+2. **Why did it happen?**
+   - Was it prompt injection?
+   - Was it misconfiguration?
+   - Was it a bug/unexpected behavior?
+   - Was it a security control failure?
+3. **How did it get past controls?**
+   - Which controls should have caught it?
+   - Why didn't they work?
+   - Were controls missing?
+4. **How was it detected?**
+   - Was detection timely?
+   - Could it have been detected earlier?
+   - What monitoring would have helped?
+### Root Cause Categories
+| Category | Example | Fix |
+|----------|---------|-----|
+| Prompt Injection | Malicious webpage content | Better content filtering |
+| Misconfiguration | Too much access granted | Tighten permissions |
+| Missing Control | No block on financial sites | Add blocklist |
+| Control Bypass | Blocklist circumvented | Strengthen enforcement |
+| Human Error | Approved wrong action | Better review process |
+| Unexpected Behavior | AI misunderstood instruction | Clearer guidelines |
+---
+## Recovery Phase
+### Step 6: Remediate
+**Immediate fixes:**
+- [ ] Patch the specific vulnerability
+- [ ] Update blocklists/allowlists
+- [ ] Tighten relevant permissions
+- [ ] Add missing controls
+**Credential actions:**
+- [ ] Rotate all potentially compromised credentials
+- [ ] Review OAuth grants
+- [ ] Audit active sessions
+- [ ] Update token scoping
+**System actions:**
+- [ ] Restore any modified data from backup
+- [ ] Verify system integrity
+- [ ] Clear AI context/memory if applicable
+- [ ] Reset to known-good state
+### Step 7: Verify Recovery
+- [ ] Test that the fix works
+- [ ] Verify AI cannot repeat the incident
+- [ ] Confirm systems are operational
+- [ ] Run security checklist
+---
+## Post-Incident (Days to Weeks)
+### Step 8: Document the Incident
+**Incident Report Template:**
+```markdown
+## Incident Report
+**Date/Time:**
+**Severity:**
+**Duration:**
+**Detected by:**
+### Summary
+[One paragraph description]
+### Timeline
+| Time | Event |
+|------|-------|
+| | |
+### Impact
+- Systems affected:
+- Data affected:
+- People affected:
+- Financial impact:
+### Root Cause
+[What caused this to happen]
+### Response Actions
+[What we did to stop and fix it]
+### Lessons Learned
+[What we learned]
+### Prevention Measures
+[What we're doing to prevent recurrence]
+```
+### Step 9: Improve Defenses
+**Update documentation:**
+- [ ] Update security policies
+- [ ] Update agents.md with new rules
+- [ ] Add to blocklists if needed
+- [ ] Document new procedures
+**Update monitoring:**
+- [ ] Add detection for this attack pattern
+- [ ] Create alerts for similar incidents
+- [ ] Improve logging coverage
+**Update training:**
+- [ ] Document learnings
+- [ ] Update quick reference cards
+- [ ] Practice new procedures
+### Step 10: Close Out
+- [ ] All fixes implemented and verified
+- [ ] Documentation complete
+- [ ] Stakeholders informed of resolution
+- [ ] Follow-up actions assigned
+- [ ] Post-mortem meeting held (for SEV 1-2)
+---
+## Emergency Contacts
+Fill in your specific contacts:
+| Role | Name | Contact Method | When to Call |
+|------|------|----------------|--------------|
+| Primary responder | | | First always |
+| Technical backup | | | Can't resolve alone |
+| Security expert | | | Suspected breach |
+| Legal | | | Data exposure |
+| Management | | | SEV 1-2 |
+| Service providers | | | Need help |
+---
+## Quick Response Reference
+```
+╔══════════════════════════════════════════════════════╗
+║            INCIDENT QUICK RESPONSE                    ║
+╠══════════════════════════════════════════════════════╣
+║                                                      ║
+║  1. STOP - Kill AI immediately                       ║
+║     • Close tabs: Cmd/Ctrl + Shift + W              ║
+║     • Kill process: pkill -f claude                  ║
+║                                                      ║
+║  2. DOCUMENT - Capture evidence                      ║
+║     • Screenshot current state                       ║
+║     • Note exact time                                ║
+║     • What did you observe?                          ║
+║                                                      ║
+║  3. CONTAIN - Limit damage                           ║
+║     • Revoke affected tokens                         ║
+║     • Change critical passwords                      ║
+║     • Preserve logs                                  ║
+║                                                      ║
+║  4. ASSESS - Understand scope                        ║
+║     • What systems affected?                         ║
+║     • What data exposed?                             ║
+║     • Who needs to know?                             ║
+║                                                      ║
+║  5. RECOVER - Fix and verify                         ║
+║     • Implement fix                                  ║
+║     • Test thoroughly                                ║
+║     • Resume cautiously                              ║
+║                                                      ║
+╚══════════════════════════════════════════════════════╝
+```
+---
+*Related: [Kill Switches](../configs/kill-switches.md) | [Weekly Audit](weekly-audit.md)*