create-issflow 1.0.2 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (42) hide show
  1. package/README.md +61 -56
  2. package/bin/cli.js +269 -259
  3. package/package.json +32 -28
  4. package/template/.claude/agents/debugger.md +47 -47
  5. package/template/.claude/agents/e2e-runner.md +66 -66
  6. package/template/.claude/agents/implementer.md +79 -75
  7. package/template/.claude/agents/planner.md +93 -71
  8. package/template/.claude/agents/researcher.md +103 -103
  9. package/template/.claude/agents/synthesizer.md +78 -72
  10. package/template/.claude/agents/test-author.md +70 -70
  11. package/template/.claude/commands/change-request.md +53 -0
  12. package/template/.claude/commands/log-decision.md +33 -33
  13. package/template/.claude/commands/log-issue.md +28 -28
  14. package/template/.claude/commands/overview.md +114 -99
  15. package/template/.claude/commands/phase.md +230 -202
  16. package/template/.claude/commands/propose.md +71 -0
  17. package/template/.claude/commands/quick.md +30 -30
  18. package/template/.claude/commands/replan.md +68 -63
  19. package/template/.claude/commands/store-wisdom.md +195 -195
  20. package/template/.claude/commands/synthesize.md +26 -26
  21. package/template/.claude/commands/unstuck.md +40 -40
  22. package/template/.claude/hooks/pre-compact.js +42 -0
  23. package/template/.claude/hooks/session-start.js +137 -0
  24. package/template/.claude/hooks/subagent-stop.js +18 -0
  25. package/template/.claude/istartsoft-flow/METHODOLOGY.md +403 -229
  26. package/template/.claude/skills/caveman/SKILL.md +39 -39
  27. package/template/.claude/skills/code-standards/SKILL.md +61 -0
  28. package/template/.claude/skills/code-standards/references/architecture.md +61 -0
  29. package/template/.claude/skills/code-standards/references/naming.md +60 -0
  30. package/template/.claude/skills/grill-me/SKILL.md +31 -10
  31. package/template/.claude/skills/karpathy-guidelines/SKILL.md +34 -34
  32. package/template/.claude/skills/security/SKILL.md +70 -0
  33. package/template/.claude/skills/security/references/pentest-checklist.md +46 -0
  34. package/template/.claude/skills/security/references/secure-coding.md +50 -0
  35. package/template/.claude/skills/security/references/standards.md +60 -0
  36. package/template/.claude/skills/security/references/threat-modeling.md +36 -0
  37. package/template/.claude/skills/ux-design/SKILL.md +113 -99
  38. package/template/.claude/skills/ux-design/{wireframe-template.md → references/wireframe-template.md} +95 -95
  39. package/template/.claude/templates/proposal.html +126 -0
  40. package/template/.claude/hooks/pre-compact.sh +0 -25
  41. package/template/.claude/hooks/session-start.sh +0 -120
  42. package/template/.claude/hooks/subagent-stop.sh +0 -11
@@ -1,39 +1,39 @@
1
- ---
2
- name: caveman
3
- description: >
4
- Ultra-compressed communication mode. Cuts token usage ~75% by dropping
5
- filler, articles, and pleasantries while keeping full technical accuracy.
6
- Use when user says "caveman mode", "talk like caveman", "use caveman",
7
- "less tokens", "be brief", or invokes /caveman.
8
- ---
9
-
10
- Respond terse like smart caveman. All technical substance stay. Only fluff die.
11
-
12
- ## Persistence
13
-
14
- ACTIVE EVERY RESPONSE once triggered. No revert after many turns. No filler drift. Still active if unsure. Off only when user says "stop caveman" or "normal mode".
15
-
16
- ## Rules
17
-
18
- Drop: articles (a/an/the), filler (just/really/basically/actually/simply), pleasantries (sure/certainly/of course/happy to), hedging. Fragments OK. Short synonyms (big not extensive, fix not "implement a solution for"). Abbreviate common terms (DB/auth/config/req/res/fn/impl). Strip conjunctions. Use arrows for causality (X -> Y). One word when one word enough.
19
-
20
- Technical terms stay exact. Code blocks unchanged. Errors quoted exact.
21
-
22
- Pattern: `[thing] [action] [reason]. [next step].`
23
-
24
- Not: "Sure! I'd be happy to help you with that. The issue you're experiencing is likely caused by..."
25
- Yes: "Bug in auth middleware. Token expiry check use `<` not `<=`. Fix:"
26
-
27
- ### Examples
28
-
29
- **"Why React component re-render?"**
30
-
31
- > Inline obj prop -> new ref -> re-render. `useMemo`.
32
-
33
- **"Explain database connection pooling."**
34
-
35
- > Pool = reuse DB conn. Skip handshake -> fast under load.
36
-
37
- ## Auto-Clarity Exception
38
-
39
- Drop caveman temporarily for: security warnings, irreversible action confirmations, multi-step sequences where fragment order risks misread, user asks to clarify or repeats question. Resume caveman after.
1
+ ---
2
+ name: caveman
3
+ description: >
4
+ Ultra-compressed communication mode. Cuts token usage ~75% by dropping
5
+ filler, articles, and pleasantries while keeping full technical accuracy.
6
+ Use when user says "caveman mode", "talk like caveman", "use caveman",
7
+ "less tokens", "be brief", or invokes /caveman.
8
+ ---
9
+
10
+ Respond terse like smart caveman. All technical substance stay. Only fluff die.
11
+
12
+ ## Persistence
13
+
14
+ ACTIVE EVERY RESPONSE once triggered. No revert after many turns. No filler drift. Still active if unsure. Off only when user says "stop caveman" or "normal mode".
15
+
16
+ ## Rules
17
+
18
+ Drop: articles (a/an/the), filler (just/really/basically/actually/simply), pleasantries (sure/certainly/of course/happy to), hedging. Fragments OK. Short synonyms (big not extensive, fix not "implement a solution for"). Abbreviate common terms (DB/auth/config/req/res/fn/impl). Strip conjunctions. Use arrows for causality (X -> Y). One word when one word enough.
19
+
20
+ Technical terms stay exact. Code blocks unchanged. Errors quoted exact.
21
+
22
+ Pattern: `[thing] [action] [reason]. [next step].`
23
+
24
+ Not: "Sure! I'd be happy to help you with that. The issue you're experiencing is likely caused by..."
25
+ Yes: "Bug in auth middleware. Token expiry check use `<` not `<=`. Fix:"
26
+
27
+ ### Examples
28
+
29
+ **"Why React component re-render?"**
30
+
31
+ > Inline obj prop -> new ref -> re-render. `useMemo`.
32
+
33
+ **"Explain database connection pooling."**
34
+
35
+ > Pool = reuse DB conn. Skip handshake -> fast under load.
36
+
37
+ ## Auto-Clarity Exception
38
+
39
+ Drop caveman temporarily for: security warnings, irreversible action confirmations, multi-step sequences where fragment order risks misread, user asks to clarify or repeats question. Resume caveman after.
@@ -0,0 +1,61 @@
1
+ ---
2
+ name: code-standards
3
+ description: Code conventions & architecture cookbook — naming follows each language's OWN idiom (camelCase / snake_case / PascalCase as the language dictates, not one-size-fits-all), plus project structure and the architecture pattern (Feature-Based by default; layered / hexagonal / modular when they fit). Use when scaffolding a project, choosing an architecture, naming things, or reviewing code structure. Keywords: naming, convention, camelCase, snake_case, PascalCase, style guide, lint, format, prettier, eslint, architecture, feature-based, layered, hexagonal, clean architecture, folder structure, project structure, conventions.
4
+ ---
5
+
6
+ # code-standards — conventions & architecture cookbook
7
+
8
+ Caveman ULTRA mode. Consistency beats personal preference. Match the LANGUAGE'S
9
+ idiom, not a favourite style. Read on demand: `references/naming.md`,
10
+ `references/architecture.md`.
11
+
12
+ ## 1. Naming — follow the language, not a habit
13
+
14
+ Use each language's OWN convention. Do NOT force `camelCase` everywhere.
15
+
16
+ | Language | vars / functions | types / classes | constants | files |
17
+ |----------|------------------|-----------------|-----------|-------|
18
+ | JS / TS | `camelCase` | `PascalCase` | `UPPER_SNAKE` | `kebab-case` (or per framework) |
19
+ | Python | `snake_case` | `PascalCase` | `UPPER_SNAKE` | `snake_case` |
20
+ | Go | `camelCase`; exported → `PascalCase` | `PascalCase` | `MixedCaps` | `lowercase` / `snake` |
21
+ | Rust | `snake_case` | `PascalCase` | `UPPER_SNAKE` | `snake_case` |
22
+ | Java / Kotlin | `camelCase` | `PascalCase` | `UPPER_SNAKE` | `PascalCase` |
23
+ | C# | `camelCase` locals, `PascalCase` members | `PascalCase` | `PascalCase` | `PascalCase` |
24
+ | Ruby | `snake_case` | `PascalCase` | `SCREAMING_SNAKE` | `snake_case` |
25
+ | SQL | `snake_case` | — | — | — |
26
+
27
+ Names say what a thing IS; no non-standard abbreviations; booleans read as
28
+ predicates (`isActive`, `has_items`). The project's declared style guide (PEP 8,
29
+ Effective Go, Airbnb JS/TS, Rust style, Google Java…) is the tie-breaker.
30
+ Details + edge cases → `references/naming.md`.
31
+
32
+ ## 2. Architecture — Feature-Based by default
33
+
34
+ Default: **Feature-Based** (feature-sliced / vertical) — group code by FEATURE, not
35
+ by technical layer. It matches the kit's vertical-slice loop: one slice ≈ one
36
+ feature folder, front-to-back. Alternatives (declare the choice in OVERVIEW):
37
+
38
+ - **Layered (n-tier)** — simple CRUD; controllers / services / repositories.
39
+ - **Hexagonal / Clean** — domain-centric, dependencies point inward; complex domains.
40
+ - **Modular monolith / DDD bounded contexts** — large apps trending toward services.
41
+
42
+ Pick the SIMPLEST that fits; don't import enterprise patterns into a small app.
43
+ Patterns, trade-offs, and folder layouts → `references/architecture.md`.
44
+
45
+ ## 3. Structure & enforcement
46
+
47
+ - One consistent project structure that reflects the chosen architecture; declare it.
48
+ - A formatter + linter is NOT optional and NOT a bikeshed: use the language's
49
+ STANDARD tool and let it decide — prettier/eslint, black/ruff, gofmt/golangci-lint,
50
+ rustfmt/clippy. CI fails on lint/format errors.
51
+
52
+ ## RETURN FORMAT
53
+
54
+ ```
55
+ CODE-STANDARDS CHECK: <change>
56
+ - naming: PASS | FAIL (<names that break the language idiom>)
57
+ - architecture: conforms to <pattern> | DRIFT (<what drifted>)
58
+ - structure: PASS | FAIL
59
+ - lint / format: clean | <errors>
60
+ - VERDICT: PASS | BLOCK
61
+ ```
@@ -0,0 +1,61 @@
1
+ # Architecture patterns (pick the simplest that fits)
2
+
3
+ Declare the chosen pattern in OVERVIEW. Default = **Feature-Based**. Don't import
4
+ enterprise patterns into a small app; don't ship a big app as one flat folder.
5
+
6
+ ## Feature-Based (feature-sliced / vertical) — DEFAULT
7
+
8
+ Group by FEATURE, not by technical layer. Each feature owns its UI, logic, data
9
+ access, and tests — front-to-back. Matches the kit's vertical-slice loop (one slice
10
+ ≈ one feature).
11
+
12
+ ```
13
+ src/
14
+ features/
15
+ auth/ { ui, api, model, hooks, auth.test }
16
+ billing/ { ui, api, model, billing.test }
17
+ dashboard/ { ... }
18
+ shared/ # cross-feature primitives (ui kit, lib, config)
19
+ app/ # composition root, routing, providers
20
+ ```
21
+ - **Pros:** high cohesion, easy to find/change/delete a feature, scales with team.
22
+ - **Watch:** keep `shared/` thin; features must not import each other's internals
23
+ (go through a public entry or `shared/`).
24
+ - Frontend flavour: "Feature-Sliced Design". Backend flavour: a module per feature.
25
+
26
+ ## Layered (n-tier)
27
+
28
+ ```
29
+ controllers/ → services/ → repositories/ → db
30
+ ```
31
+ - **Use when:** straightforward CRUD, small team, shallow domain.
32
+ - **Watch:** grows into a "fat service" tangle as features multiply; layers cut
33
+ ACROSS features so a change touches every layer.
34
+
35
+ ## Hexagonal / Ports & Adapters / Clean
36
+
37
+ Domain at the centre; dependencies point INWARD. The domain knows nothing about the
38
+ DB, framework, or transport — those are adapters behind ports (interfaces).
39
+ - **Use when:** complex/long-lived business rules, many integrations, high testability
40
+ needs (domain tested with no infra).
41
+ - **Watch:** ceremony/indirection — overkill for CRUD.
42
+
43
+ ## Modular monolith / DDD bounded contexts
44
+
45
+ Independent modules with explicit boundaries + their own data ownership, in one
46
+ deployable. Each bounded context is feature-based inside.
47
+ - **Use when:** large app likely to split into services later; multiple teams.
48
+ - **Watch:** enforce boundaries (no reaching into another module's tables/internals).
49
+
50
+ ## Choosing
51
+
52
+ | Signal | Lean toward |
53
+ |--------|-------------|
54
+ | small CRUD, 1–2 devs | Layered or Feature-Based |
55
+ | product app, growing features | **Feature-Based** |
56
+ | rich domain rules, many integrations | Hexagonal / Clean |
57
+ | large, multi-team, future services | Modular monolith / DDD |
58
+
59
+ Cross-cutting (auth, logging, errors, config) lives in `shared/` regardless. The
60
+ architecture is a phase-0 / planning decision — record it and the folder layout in
61
+ OVERVIEW so every phase builds the same way.
@@ -0,0 +1,60 @@
1
+ # Naming conventions (per language)
2
+
3
+ The golden rule: **follow the language's official style guide.** Below is the
4
+ idiom + the canonical guide to defer to. When in doubt, run the language's
5
+ formatter/linter — it encodes most of this.
6
+
7
+ ## Per language
8
+
9
+ ### JavaScript / TypeScript — Airbnb / Google / TS handbook
10
+ - vars, functions, methods, object keys → `camelCase`
11
+ - classes, types, interfaces, enums, React components → `PascalCase`
12
+ - module-level constants / enum members → `UPPER_SNAKE_CASE`
13
+ - files → `kebab-case` (or framework rule: React often `PascalCase.tsx`)
14
+ - private (convention) → leading `_` only if the codebase already does; prefer `#private`
15
+ - no Hungarian notation; interfaces are NOT prefixed with `I` in modern TS.
16
+
17
+ ### Python — PEP 8
18
+ - vars, functions, methods, modules, packages → `snake_case`
19
+ - classes, exceptions → `PascalCase`
20
+ - constants → `UPPER_SNAKE_CASE`
21
+ - "internal" → single leading `_`; name-mangled → `__` ; dunder reserved for Python.
22
+
23
+ ### Go — Effective Go
24
+ - identifiers → `MixedCaps` / `camelCase`; **exported = capitalised** (`PascalCase`),
25
+ unexported = lowercase first letter. NO underscores in names.
26
+ - acronyms stay all-caps: `userID`, `httpServer` → `HTTPServer`, `userURL`.
27
+ - short, local names for short scopes (`i`, `r`, `buf`); longer for package API.
28
+
29
+ ### Rust — Rust style / rustfmt
30
+ - vars, functions, modules, files → `snake_case`
31
+ - types, traits, enums, enum variants → `PascalCase`
32
+ - constants, statics → `UPPER_SNAKE_CASE`
33
+
34
+ ### Java / Kotlin — Google Java Style
35
+ - vars, methods, params → `camelCase`; classes → `PascalCase`;
36
+ constants (`static final`) → `UPPER_SNAKE`; packages → `lowercase`.
37
+
38
+ ### C# — Microsoft guidelines
39
+ - public members, methods, properties, types → `PascalCase`
40
+ - locals + parameters → `camelCase`; interfaces prefixed `I` (`IService`);
41
+ private fields → `_camelCase` (common).
42
+
43
+ ### Ruby — Ruby Style Guide
44
+ - methods, vars, symbols, files → `snake_case`; classes/modules → `PascalCase`;
45
+ constants → `SCREAMING_SNAKE_CASE`.
46
+
47
+ ### SQL
48
+ - tables, columns → `snake_case`; tables usually plural (`users`); keywords UPPER (style).
49
+
50
+ ## Cross-language rules
51
+
52
+ - **Say what it IS.** `userList` not `ul`; `elapsedMs` not `t`. No mystery abbreviations.
53
+ - **Booleans are predicates** — `isActive`, `hasAccess`, `canEdit`, `should_retry`.
54
+ - **Functions are verbs** (`fetchUser`, `parse_config`); **values are nouns**.
55
+ - **Units in the name** when ambiguous — `timeoutMs`, `widthPx`, `priceCents`.
56
+ - **Acronyms** — follow the language (Go: `ID`/`URL` all caps; TS: usually `Id`/`Url`
57
+ in camelCase members). Be consistent within the codebase.
58
+ - **No type in the name** unless the language culture does it (avoid `strName`).
59
+
60
+ The declared style guide in OVERVIEW wins any tie. Let the formatter enforce mechanics.
@@ -1,10 +1,31 @@
1
- ---
2
- name: grill-me
3
- description: Interview the user relentlessly about a plan or design until reaching shared understanding, resolving each branch of the decision tree.
4
- ---
5
-
6
- Interview me relentlessly about every aspect of this plan until we reach a shared understanding. Walk down each branch of the design tree, resolving dependencies between decisions one-by-one. For each question, provide your recommended answer.
7
-
8
- Ask the questions one at a time.
9
-
10
- If a question can be answered by exploring the codebase, explore the codebase instead.
1
+ ---
2
+ name: grill-me
3
+ description: Interviews the user relentlessly about a plan or design one question at a time, resolving each branch of the decision tree — until you reach shared understanding. Use before committing to a plan or spec, when the user says "grill me", "grill this plan", "interrogate the design", "poke holes", "pressure-test this", or invokes /grill-me; or whenever a plan is ambiguous and needs hardening before work starts.
4
+ ---
5
+
6
+ Interview me relentlessly about every aspect of this plan until we reach a shared understanding. Walk down each branch of the design tree, resolving dependencies between decisions one-by-one. For each question, provide your recommended answer.
7
+
8
+ Ask the questions one at a time.
9
+
10
+ If a question can be answered by exploring the codebase, explore the codebase instead.
11
+
12
+ ## Language
13
+
14
+ Grill in the USER'S language. If they write Thai, ask in **natural Thai** — real
15
+ spoken business/dev Thai, not stiff word-for-word translations of English questions.
16
+ Keep technical terms in English where a Thai team naturally would (API, deploy,
17
+ auth, token, schema…). Mix is fine. The goal is that a Thai founder feels they are
18
+ talking to a sharp Thai tech lead, not a translated bot. Capture the answers
19
+ faithfully (the nuance often lives in the Thai phrasing).
20
+
21
+ ## Depth & stop condition
22
+
23
+ - **Stop on CONVERGENCE, not a fixed count.** Keep going until a full pass surfaces
24
+ no new material question or unresolved decision. Don't pad; don't cut early.
25
+ - **5-whys depth, per branch.** When an answer is a symptom or a "what" with no
26
+ "why", drill that branch — ask "why" down it (up to ~5 levels) until you hit the
27
+ real need or constraint. This is per-answer depth, not a number of rounds.
28
+ - **Two structured passes is the default** (used by `/overview`): round 1 = scope →
29
+ design-research → round 2 = research-informed re-grill. Research surfaces questions
30
+ round 1 couldn't. A *third* pass still finding material unknowns is a signal the
31
+ project is under-defined — flag that, don't loop. Configurable per project.
@@ -1,34 +1,34 @@
1
- ---
2
- name: karpathy-guidelines
3
- description: Coding and debugging discipline. Apply on every coding and debug task.
4
- ---
5
-
6
- # karpathy-guidelines
7
-
8
- Apply on every coding + debug task. Caveman ULTRA mode.
9
-
10
- ## Coding
11
- - Smallest change that works. No speculative abstraction. No "while I'm here".
12
- - Make it run, then make it right, then make it fast — in that order.
13
- - One concern per change. If the diff does two things, split it.
14
- - Read before write — understand the existing code path before editing.
15
- - Name things for what they are. Delete dead code, don't comment it out.
16
- - Prefer boring, obvious solutions over clever ones.
17
-
18
- ## Debugging
19
- - Reproduce first.
20
- - One hypothesis at a time. State it before changing anything.
21
- - Change one variable, observe, conclude. No shotgun edits.
22
- - Read the actual error and stack — top to bottom — before theorizing.
23
- - When stuck: the bug is somewhere you're sure it isn't. Check assumptions.
24
- - 3 failed attempts -> stop poking, go research.
25
-
26
- ## Honesty
27
- - Don't claim it works until you ran it.
28
- - "I don't know yet" is valid — say it instead of guessing.
29
- - A failing test is information. Don't edit the test to hide it.
30
- - Surface uncertainty to the orchestrator; don't paper over it.
31
-
32
- ## Verification
33
- - Every change gets run. Lint/typecheck/smoke at minimum.
34
- - The real test is written blind by test-author — your own run is just sanity.
1
+ ---
2
+ name: karpathy-guidelines
3
+ description: Engineering discipline for writing and debugging code — smallest change that works, one hypothesis at a time, no shotgun edits, run before claiming done. Use on every coding or debugging task: implementing a feature, fixing a bug, refactoring, or chasing a failing test. Keywords: code, implement, debug, fix, refactor, test failure, stack trace, error.
4
+ ---
5
+
6
+ # karpathy-guidelines
7
+
8
+ Apply on every coding + debug task. Caveman ULTRA mode.
9
+
10
+ ## Coding
11
+ - Smallest change that works. No speculative abstraction. No "while I'm here".
12
+ - Make it run, then make it right, then make it fast — in that order.
13
+ - One concern per change. If the diff does two things, split it.
14
+ - Read before write — understand the existing code path before editing.
15
+ - Name things for what they are. Delete dead code, don't comment it out.
16
+ - Prefer boring, obvious solutions over clever ones.
17
+
18
+ ## Debugging
19
+ - Reproduce first.
20
+ - One hypothesis at a time. State it before changing anything.
21
+ - Change one variable, observe, conclude. No shotgun edits.
22
+ - Read the actual error and stack — top to bottom — before theorizing.
23
+ - When stuck: the bug is somewhere you're sure it isn't. Check assumptions.
24
+ - 3 failed attempts -> stop poking, go research.
25
+
26
+ ## Honesty
27
+ - Don't claim it works until you ran it.
28
+ - "I don't know yet" is valid — say it instead of guessing.
29
+ - A failing test is information. Don't edit the test to hide it.
30
+ - Surface uncertainty to the orchestrator; don't paper over it.
31
+
32
+ ## Verification
33
+ - Every change gets run. Lint/typecheck/smoke at minimum.
34
+ - The real test is written blind by test-author — your own run is just sanity.
@@ -0,0 +1,70 @@
1
+ ---
2
+ name: security
3
+ description: Secure SDLC cookbook — weaves security through the whole lifecycle: threat modeling at design, secure coding while building, SAST/SCA/secrets at build, DAST + pentest before deploy, and vulnerability management + security review after. Grounded in OWASP Top 10 (2025), OWASP ASVS 5.0 / WSTG, ISO/IEC 27001 & 25010, and SLSA. Use on any security-sensitive change (auth, authorization, secrets, crypto, input handling, file upload, external input), at design when threat-modeling a feature, and as the gate before a deploy phase closes. Keywords: security, secure sdlc, devsecops, threat model, STRIDE, auth, login, token, jwt, secret, password, crypto, encryption, injection, xss, sqli, ssrf, csrf, permission, authorization, vulnerability, CVE, dependency, SAST, DAST, SCA, pentest, deploy, audit, security review.
4
+ ---
5
+
6
+ # security — Secure SDLC cookbook
7
+
8
+ Caveman ULTRA mode. Security is not a phase — it runs through the WHOLE lifecycle
9
+ (shift-left). It is a HARD gate (METHODOLOGY rule 11). A `BLOCK` verdict stops the phase.
10
+
11
+ Read on demand: `references/threat-modeling.md` (design stage),
12
+ `references/secure-coding.md` (implement stage), `references/pentest-checklist.md`
13
+ (deploy stage), `references/standards.md` (ISO 27001 / 25010 / SLSA mapping).
14
+
15
+ ## Secure SDLC — security at every stage of the loop
16
+
17
+ | Loop stage | Security practice | Output / gate |
18
+ |------------|-------------------|----------------|
19
+ | **design-research / plan** | **Threat modeling** (STRIDE), abuse cases, pick the **ASVS level** (L1/L2/L3) | threats + security acceptance criteria in PLAN |
20
+ | **implement** | **Secure coding** — OWASP Top 10 rules, input validation, authz, crypto, secret handling | code that obeys `references/secure-coding.md` |
21
+ | **build (CLOSE, every phase)** | **SAST** + **SCA** (dependency CVEs) + **secrets scan** | no high/critical → else BLOCK |
22
+ | **test** | **DAST** + security/abuse test cases (test-author writes them blind) | no high/critical |
23
+ | **pre-deploy** | **Pentest gate** (OWASP WSTG run) + **security review** of the diff | zero open high/critical → else BLOCK |
24
+ | **operate** | **Vulnerability management** — SBOM + continuous CVE/SCA monitoring, re-research stale advisories | tracked; new criticals → new phase |
25
+
26
+ ## Per-stage checklist
27
+
28
+ ### Design — threat model first
29
+ - STRIDE the feature (Spoofing, Tampering, Repudiation, Info disclosure, DoS,
30
+ Elevation). Mark trust boundaries + untrusted inputs. Write abuse cases as
31
+ negative acceptance criteria. Set the ASVS target (default **L2**).
32
+ → `references/threat-modeling.md`
33
+
34
+ ### Implement — secure coding (OWASP Top 10 2025)
35
+ - A01 access control server-side, deny-by-default, no IDOR · A04 TLS + strong crypto,
36
+ no secrets in code · A05 parameterized queries + output encoding + allow-list input
37
+ · A07 safe auth/session/token · A09 log security events (no secrets) · A10 fail
38
+ safe, handle every error path. → `references/secure-coding.md`
39
+
40
+ ### Build — automated gates (run at every phase CLOSE)
41
+ - **Secrets scan** clean · **SCA** no unpatched critical/high CVE (emit SBOM) ·
42
+ **SAST** no high/critical on changed code.
43
+
44
+ ### Test — dynamic + abuse
45
+ - **DAST** on staging · security/abuse test cases asserted blind.
46
+
47
+ ### Pre-deploy — pentest gate + review (A03 supply chain, SLSA L2+)
48
+ - Run the WSTG checklist; security-review the diff; sign artifacts (SLSA L2+).
49
+ → `references/pentest-checklist.md`
50
+
51
+ ### Operate — vulnerability management
52
+ - Keep an SBOM; monitor dependencies for new CVEs; a new critical → open a
53
+ remediation phase. Promote findings to the shared KB (`/store-wisdom`).
54
+
55
+ ## RETURN FORMAT
56
+
57
+ ```
58
+ SECURE SDLC CHECK: <change / phase / deploy>
59
+ - stage: design | implement | build | test | pre-deploy | operate
60
+ - threat model (design): done | n/a — top risks: <STRIDE hits>
61
+ - secure coding: PASS | FAIL (<A0x gap>)
62
+ - build gates: SCA <clean/CVEs> · secrets <clean/found> · SAST <clean/findings>
63
+ - DAST/pentest (deploy): PASS | findings <high/critical count>
64
+ - ASVS target: L1 | L2 | L3 -> PASS | gaps: <chapters>
65
+ - VERDICT: PASS | BLOCK (phase cannot close)
66
+ ```
67
+
68
+ Standards (current): OWASP Top 10 2025 · ASVS 5.0 · WSTG v4.2 · ISO/IEC 27001:2022 ·
69
+ ISO/IEC 25010:2023 · SLSA v1.1. Sourced from
70
+ `docs/research/design-security-standards-cookbook.md`.
@@ -0,0 +1,46 @@
1
+ # Pre-deploy pentest checklist (OWASP WSTG)
2
+
3
+ Run before a deploy phase closes. Walk the WSTG categories below; for each finding,
4
+ classify severity and map it back to an OWASP Top 10 2025 risk (A01–A10). Gate the
5
+ deploy on zero open HIGH/CRITICAL findings. Methodology: PTES (7 phases) for depth,
6
+ NIST SP 800-115 (5 phases) for the compliance artifact.
7
+
8
+ > Scope first. Only test systems you are authorized to test. For a managed-infra app
9
+ > this is your own app + your own staging environment — never third-party services.
10
+
11
+ ## Phases (NIST SP 800-115 / PTES condensed)
12
+ 1. **Plan / pre-engagement** — scope, rules of engagement, target = staging.
13
+ 2. **Information gathering** — tech stack, endpoints, headers, exposed config.
14
+ 3. **Vulnerability analysis** — run the WSTG categories below + automated DAST.
15
+ 4. **Exploitation (PoC)** — prove impact for each suspected issue (no destruction).
16
+ 5. **Reporting** — findings + severity + remediation; attach to the release record.
17
+
18
+ ## WSTG categories (check each → maps to Top 10)
19
+
20
+ - **WSTG-INFO** Information Gathering — no version/debug/source leakage. (A02)
21
+ - **WSTG-CONF** Configuration & Deployment — TLS config, HTTP methods, no debug
22
+ endpoints, security headers (CSP, HSTS, X-Content-Type-Options), CORS scoped. (A02)
23
+ - **WSTG-IDNT** Identity Management — no account enumeration; safe registration/recovery. (A07)
24
+ - **WSTG-AUTH** Authentication — credential transport over TLS, no default creds,
25
+ lockout / rate-limit, MFA where it matters. (A07)
26
+ - **WSTG-AZON** Authorization — no privilege escalation, no IDOR; deny-by-default. (A01)
27
+ - **WSTG-SESS** Session Management — secure/HttpOnly/SameSite cookies, fixation
28
+ resistance, CSRF protection, real logout. (A01/A07)
29
+ - **WSTG-INPV** Input Validation — XSS, SQLi, SSRF, command injection, SSTI,
30
+ deserialization. (A05/A01)
31
+ - **WSTG-BUSL** Business Logic — workflow abuse, race conditions, replay, upload
32
+ abuse, value/price tampering. (A06)
33
+ - **WSTG-CLNT** Client-Side — DOM XSS, postMessage, clickjacking, CORS, web storage. (A05)
34
+ - **WSTG-APIT** API Testing — authz per endpoint, rate limiting, mass assignment,
35
+ schema/pagination abuse (REST/GraphQL). (A01/A04)
36
+
37
+ ## Automated gates to run alongside
38
+ - **Secrets scan** (e.g. TruffleHog/GitGuardian) — clean.
39
+ - **SCA** (e.g. Snyk/Dependabot) — no unpatched critical/high CVE; SBOM emitted.
40
+ - **SAST** (e.g. Semgrep/SonarQube) — no high/critical on changed code.
41
+ - **DAST** (e.g. OWASP ZAP) against staging — no high/critical.
42
+
43
+ ## Gate
44
+ Deploy proceeds only when every HIGH/CRITICAL finding is remediated OR explicitly
45
+ risk-accepted (documented) AND a human security sign-off is recorded (this is a
46
+ hard-stop — see METHODOLOGY → Autonomy).
@@ -0,0 +1,50 @@
1
+ # Secure coding (implement stage)
2
+
3
+ Concrete rules the implementer follows while writing code. Grouped by OWASP Top 10
4
+ 2025 risk. Language-agnostic — apply the equivalent in your stack.
5
+
6
+ ## Input & injection (A05)
7
+ - Parameterized queries / prepared statements — NEVER string-concatenate SQL.
8
+ - Output-encode for the sink (HTML, attribute, JS, URL, shell) to stop XSS.
9
+ - Allow-list validate every external input (type, length, range, format).
10
+ - No `eval` / dynamic template from user input (SSTI); no unsafe deserialization.
11
+ - Guard SSRF: validate/allow-list outbound URLs; block internal ranges.
12
+
13
+ ## Access control (A01)
14
+ - Enforce authorization SERVER-SIDE on every route and every object access.
15
+ - Deny-by-default; check ownership (no IDOR — don't trust an id from the client).
16
+ - Never rely on hidden UI / client checks for security.
17
+
18
+ ## Auth, sessions, tokens (A07)
19
+ - Hash passwords with argon2id / bcrypt (never plaintext / fast hashes).
20
+ - Secure session cookies: `HttpOnly`, `Secure`, `SameSite`; rotate on login;
21
+ real server-side logout. Validate JWT signature + exp + aud; short-lived.
22
+ - Rate-limit / lock out credential endpoints; MFA where it matters.
23
+
24
+ ## Crypto & secrets (A04)
25
+ - TLS for all transport. Use vetted libraries + current algorithms (AES-GCM,
26
+ SHA-256+); no home-rolled crypto, no ECB, no MD5/SHA1 for security.
27
+ - Secrets ONLY from env / a secret manager — never in code, config-in-repo,
28
+ prompts, or logs. Separate per environment; least privilege; rotate.
29
+
30
+ ## Errors, logging, exceptions (A09, A10)
31
+ - Fail safe / closed; handle EVERY error path; never leak stack traces or
32
+ internal detail to the client.
33
+ - Log security-relevant events (authn/authz failures, input rejections) WITHOUT
34
+ secrets or PII. Make logs tamper-evident where it matters.
35
+
36
+ ## Supply chain & integrity (A03, A08)
37
+ - Pin dependency versions; pull from trusted registries; keep an SBOM.
38
+ - Verify integrity of updates / CI artifacts; no insecure deserialization of
39
+ untrusted data.
40
+
41
+ ## Config (A02)
42
+ - No debug endpoints, default credentials, or verbose errors in prod.
43
+ - Set security headers (CSP, HSTS, X-Content-Type-Options); scope CORS tightly.
44
+
45
+ ## Self-check before handing off
46
+ Map each touched area to its risk above; anything unmet → fix or flag to the
47
+ `security` cookbook gate. The blind security/abuse tests will assert these.
48
+
49
+ Reference: OWASP Top 10 2025, OWASP ASVS 5.0 (V2/V6/V7/V8/V11/V12/V14/V16),
50
+ OWASP Cheat Sheet Series.
@@ -0,0 +1,60 @@
1
+ # Standards mapping — ISO 27001 · ISO 25010 · SLSA
2
+
3
+ Read on demand. The day-to-day gate is the OWASP cookbook in SKILL.md; this file is
4
+ for when a project must speak in ISO / supply-chain terms (audits, compliance,
5
+ regulated domains). Apply the depth your project actually needs — these are not all
6
+ mandatory for every app.
7
+
8
+ ## ISO/IEC 27001:2022 — information security controls (Annex A)
9
+
10
+ 93 controls in 4 themes. For a software dev kit, the **Technological (A.8)** theme
11
+ is the code/deploy-facing one; map your security work to it.
12
+
13
+ | Theme | Controls | What it covers for us |
14
+ |-------|----------|------------------------|
15
+ | Organizational (A.5) | 37 | policies, supplier/cloud management, access policy, incident process |
16
+ | People (A.6) | 8 | awareness, responsibilities, the human sign-off chain |
17
+ | Physical (A.7) | 14 | facilities (mostly N/A for managed/cloud infra) |
18
+ | **Technological (A.8)** | 34 | access control, crypto, secure dev, logging, monitoring, vuln mgmt, backup |
19
+
20
+ Selection is risk-driven via a Statement of Applicability — pick the controls your
21
+ risk profile warrants; document the choice. Map OWASP ASVS chapters → A.8 controls
22
+ for dual compliance.
23
+
24
+ ## ISO/IEC 25010:2023 — product quality model (the "definition of done")
25
+
26
+ 9 characteristics. Use as a quality cookbook beyond just security — a phase is
27
+ "done" when the relevant ones hold:
28
+
29
+ 1. **Functional Suitability** — correct, complete, appropriate (your acceptance tests).
30
+ 2. **Performance Efficiency** — time behavior, resource use, capacity.
31
+ 3. **Compatibility** — interoperability, coexistence.
32
+ 4. **Interaction Capability** — learnability, accessibility, UI quality (→ `ux-design`).
33
+ 5. **Reliability** — availability, fault tolerance, recoverability (→ OWASP A10).
34
+ 6. **Security** — confidentiality, integrity, authenticity, accountability,
35
+ non-repudiation (→ the OWASP cookbook + ASVS).
36
+ 7. **Maintainability** — modularity, reusability, analyzability, modifiability
37
+ (→ `karpathy-guidelines`).
38
+ 8. **Flexibility** — installability, adaptability, replaceability.
39
+ 9. **Safety** — operational constraint, fail-safe, hazard warning.
40
+
41
+ > Note: 2023 renamed Usability → Interaction Capability and Portability → Flexibility,
42
+ > and added Safety. The kit's other skills already cover #4, #6, #7.
43
+
44
+ ## SLSA v1.1 — supply-chain provenance (Build Track)
45
+
46
+ | Level | Requirement |
47
+ |-------|-------------|
48
+ | L0 | no provenance (baseline) |
49
+ | L1 | document how the artifact was built (provenance generated) |
50
+ | **L2** | hosted, auditable build + signed, tamper-evident provenance |
51
+ | L3 | isolated, hardened build; cryptographically signed; full chain of custody |
52
+
53
+ Target **L2+** for production releases: signed build + SBOM + provenance attached to
54
+ the release record. Pairs with OWASP A03 (Software Supply Chain Failures) and the
55
+ SCA gate.
56
+
57
+ ## Sources
58
+ OWASP Top 10 2025 · ASVS 5.0 · WSTG v4.2 — owasp.org · ISO/IEC 25010:2023 /
59
+ 27001:2022 — iso.org · NIST SP 800-115 / 800-204D — nist.gov · SLSA v1.1 — slsa.dev.
60
+ Full detail: `docs/research/design-security-standards-cookbook.md`.
@@ -0,0 +1,36 @@
1
+ # Threat modeling (design stage)
2
+
3
+ Do this when a phase touches a trust boundary: new input, auth/authz, data store,
4
+ external service, file upload, money, or PII. Output = abuse cases written as
5
+ NEGATIVE acceptance criteria in PLAN, so `test-author` can assert them blind.
6
+
7
+ ## 1. Sketch the data flow
8
+ - Components, data stores, external services, and the **trust boundaries** between
9
+ them. Mark every place untrusted data crosses a boundary (the attack surface).
10
+
11
+ ## 2. STRIDE each element
12
+ | Threat | Question | Mitigation direction |
13
+ |--------|----------|----------------------|
14
+ | **S**poofing | Can someone pretend to be another identity? | strong auth, MFA, signed tokens |
15
+ | **T**ampering | Can data be altered in transit/at rest? | TLS, integrity checks, input validation |
16
+ | **R**epudiation | Can an actor deny an action? | security logging, audit trail (no secrets) |
17
+ | **I**nfo disclosure | Can data leak? | authz, encryption, least data, safe errors |
18
+ | **D**enial of service | Can it be exhausted? | rate limits, quotas, timeouts |
19
+ | **E**levation of privilege | Can a user gain more rights? | deny-by-default authz, no IDOR |
20
+
21
+ ## 3. Set the assurance level (OWASP ASVS)
22
+ - **L1** baseline · **L2** default for most apps · **L3** finance/health/critical.
23
+ - Record the target in OVERVIEW; the build/test gates verify to that level.
24
+
25
+ ## 4. Write abuse cases as negative acceptance criteria
26
+ For each credible threat, add a criterion the tests must enforce, e.g.:
27
+ - GIVEN a user A token WHEN requesting user B's resource THEN 403 (no IDOR).
28
+ - GIVEN a login endpoint WHEN 10 bad attempts THEN lockout / rate-limit.
29
+ - GIVEN an upload WHEN a non-allowed type/size THEN rejected, not stored.
30
+
31
+ ## 5. Feed it forward
32
+ - Threats → secure-coding focus (`references/secure-coding.md`).
33
+ - Abuse cases → the phase's acceptance criteria (planner) → blind tests.
34
+ - Residual risks → logged; high ones → their own slice.
35
+
36
+ Reference: OWASP Top 10 2025 (A06 Insecure Design), Microsoft STRIDE, OWASP ASVS 5.0.