create-vasvibe 1.2.0 → 2.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/template/.agents/agents/backend/agent.json +44 -0
- package/template/.agents/agents/data-architect/agent.json +43 -0
- package/template/.agents/agents/discovery/agent.json +43 -0
- package/template/.agents/agents/frontend/agent.json +44 -0
- package/template/.agents/agents/{developer → fullstack}/agent.json +3 -3
- package/template/.agents/agents/reliability/agent.json +44 -0
- package/template/.agents/agents/security/agent.json +44 -0
- package/template/.agents/agents/ux-designer/agent.json +43 -0
- package/template/.agents/skills/{developer → fullstack}/SKILL.md +1 -1
- package/template/.agents/workflows/build-feature.md +21 -0
- package/template/.agents/workflows/daily-standup.md +16 -0
- package/template/.agents/workflows/deliver-feature.md +16 -0
- package/template/.agents/workflows/harden-release.md +21 -0
- package/template/.agents/workflows/plan-project.md +25 -0
- package/template/.agents/workflows/release.md +18 -0
- package/template/.agents/workflows/security-audit.md +19 -0
- package/template/.agents/workflows/start-fix.md +17 -0
- package/template/.agents/workflows/test-feature.md +17 -0
- package/template/.claude/agents/analyst.md +7 -1
- package/template/.claude/agents/backend.md +66 -0
- package/template/.claude/agents/data-architect.md +48 -0
- package/template/.claude/agents/devops.md +9 -4
- package/template/.claude/agents/discovery.md +56 -0
- package/template/.claude/agents/document.md +3 -0
- package/template/.claude/agents/fixer.md +3 -0
- package/template/.claude/agents/frontend.md +63 -0
- package/template/{agent/workflows/developer.md → .claude/agents/fullstack.md} +13 -6
- package/template/.claude/agents/initiator.md +14 -8
- package/template/.claude/agents/orchestrator.md +85 -50
- package/template/.claude/agents/pm.md +3 -0
- package/template/.claude/agents/qa.md +7 -4
- package/template/.claude/agents/reliability.md +52 -0
- package/template/.claude/agents/security.md +111 -0
- package/template/.claude/agents/sysarch.md +3 -0
- package/template/.claude/agents/tester.md +3 -0
- package/template/.claude/agents/ux-designer.md +50 -0
- package/template/.claude/commands/build-feature.md +22 -0
- package/template/.claude/commands/daily-standup.md +16 -0
- package/template/.claude/commands/deliver-feature.md +17 -0
- package/template/.claude/commands/harden-release.md +22 -0
- package/template/.claude/commands/plan-project.md +26 -0
- package/template/.claude/commands/release.md +19 -0
- package/template/.claude/commands/security-audit.md +20 -0
- package/template/.claude/commands/start-fix.md +18 -0
- package/template/.claude/commands/test-feature.md +18 -0
- package/template/.claude/settings.local.json +8 -1
- package/template/.github/prompts/backend.prompt.md +44 -0
- package/template/.github/prompts/data-architect.prompt.md +38 -0
- package/template/.github/prompts/devops.prompt.md +32 -0
- package/template/.github/prompts/discovery.prompt.md +39 -0
- package/template/.github/prompts/frontend.prompt.md +43 -0
- package/template/.github/prompts/{developer.prompt.md → fullstack.prompt.md} +3 -10
- package/template/.github/prompts/initiator.prompt.md +8 -7
- package/template/.github/prompts/orchestrator.prompt.md +75 -0
- package/template/.github/prompts/qa.prompt.md +57 -0
- package/template/.github/prompts/reliability.prompt.md +44 -0
- package/template/.github/prompts/security.prompt.md +41 -0
- package/template/.github/prompts/ux-designer.prompt.md +41 -0
- package/template/.opencode/agents/analyst.md +7 -1
- package/template/.opencode/agents/backend.md +65 -0
- package/template/.opencode/agents/data-architect.md +47 -0
- package/template/.opencode/agents/devops.md +3 -0
- package/template/.opencode/agents/discovery.md +55 -0
- package/template/.opencode/agents/document.md +3 -0
- package/template/.opencode/agents/fixer.md +3 -0
- package/template/.opencode/agents/frontend.md +62 -0
- package/template/.opencode/agents/{developer.md → fullstack.md} +9 -7
- package/template/.opencode/agents/initiator.md +13 -7
- package/template/.opencode/agents/orchestrator.md +85 -50
- package/template/.opencode/agents/pm.md +3 -0
- package/template/.opencode/agents/qa.md +7 -4
- package/template/.opencode/agents/reliability.md +50 -0
- package/template/.opencode/agents/security.md +109 -0
- package/template/.opencode/agents/sysarch.md +4 -1
- package/template/.opencode/agents/tester.md +3 -0
- package/template/.opencode/agents/ux-designer.md +49 -0
- package/template/.opencode/commands/build-feature.md +21 -0
- package/template/.opencode/commands/daily-standup.md +16 -0
- package/template/.opencode/commands/deliver-feature.md +16 -0
- package/template/.opencode/commands/harden-release.md +21 -0
- package/template/.opencode/commands/plan-project.md +25 -0
- package/template/.opencode/commands/release.md +18 -0
- package/template/.opencode/commands/security-audit.md +19 -0
- package/template/.opencode/commands/start-fix.md +17 -0
- package/template/.opencode/commands/test-feature.md +17 -0
- package/template/AGENT_PERSONAS.md +143 -11
- package/template/QUICK-START.md +121 -0
- package/template/agent/workflows/_shared/change-management.md +70 -0
- package/template/agent/workflows/_shared/phases.md +86 -0
- package/template/agent/workflows/_shared/state-management.md +3 -3
- package/template/agent/workflows/analyst.md +7 -1
- package/template/agent/workflows/backend.md +61 -0
- package/template/agent/workflows/data-architect.md +43 -0
- package/template/agent/workflows/devops.md +9 -3
- package/template/agent/workflows/discovery.md +51 -0
- package/template/agent/workflows/document.md +3 -0
- package/template/agent/workflows/fixer.md +3 -0
- package/template/agent/workflows/frontend.md +58 -0
- package/template/{.claude/agents/developer.md → agent/workflows/fullstack.md} +9 -11
- package/template/agent/workflows/initiator.md +13 -7
- package/template/agent/workflows/orchestrator.md +84 -48
- package/template/agent/workflows/pm.md +3 -0
- package/template/agent/workflows/qa.md +7 -3
- package/template/agent/workflows/reliability.md +48 -0
- package/template/agent/workflows/security.md +107 -0
- package/template/agent/workflows/sysarch.md +3 -0
- package/template/agent/workflows/tester.md +3 -0
- package/template/agent/workflows/ux-designer.md +45 -0
- package/template/schemas/adr.template.md +36 -0
- package/template/schemas/data-model.template.md +57 -0
- package/template/schemas/design-system.template.md +63 -0
- package/template/schemas/requirements.template.md +64 -0
- package/template/schemas/security-standards.template.md +58 -0
- package/template/schemas/security_report.template.md +89 -0
- package/template/state/knowledge_base/architecture/.gitkeep +0 -0
- package/template/state/knowledge_base/data-model/.gitkeep +0 -0
- package/template/state/knowledge_base/decisions/.gitkeep +0 -0
- package/template/state/knowledge_base/design-system/.gitkeep +0 -0
- package/template/state/knowledge_base/requirements/.gitkeep +1 -0
- package/template/state/knowledge_base/security/.gitkeep +0 -0
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
**ACT AS:** Application Security Expert.
|
|
2
|
+
**CONTEXT:** Bekerja di **dua fase**: (1) Fase **Perencanaan** lewat **Mode S** untuk menetapkan standar keamanan sebagai acuan; (2) Fase **Hardening** (per-release) lewat **Mode A/B/C/D** untuk audit & fix. Berbeda dari QA Agent (static code quality review) — agent ini fokus pada attack surface, eksploitabilitas, dan OWASP Top 10. Gunakan skill `penetration-testing` untuk panduan metodologi.
|
|
3
|
+
|
|
4
|
+
**INSTRUCTION STEPS:**
|
|
5
|
+
|
|
6
|
+
Pilih mode sesuai instruksi:
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
### Mode S: Security Standards (Fase Perencanaan)
|
|
11
|
+
1. **Load Context:** Baca `project_overview.md` (terutama Constraints & Compliance) dan domain proyek.
|
|
12
|
+
2. **Define Standards:** Gunakan template `schemas/security-standards.template.md`. Tetapkan:
|
|
13
|
+
- Auth & authorization model (mechanism, password policy, token TTL, RBAC)
|
|
14
|
+
- Data protection (encryption in transit/at rest, PII, secrets management)
|
|
15
|
+
- Input validation & output encoding standards
|
|
16
|
+
- Security headers, CORS, rate limiting
|
|
17
|
+
- Compliance requirements (GDPR/UU PDP/PCI-DSS jika relevan)
|
|
18
|
+
- **Security Acceptance Criteria** — checklist yang harus lulus sebelum release
|
|
19
|
+
3. **Output:** Tulis `state/knowledge_base/security/security-standards.md`.
|
|
20
|
+
4. **Handoff:** Beri tahu Orchestrator standar siap — semua engineer wajib mengikutinya, dan kamu akan memverifikasinya di Hardening.
|
|
21
|
+
|
|
22
|
+
---
|
|
23
|
+
|
|
24
|
+
### Mode A: Threat Modeling
|
|
25
|
+
1. **Load Context:** Baca `project_overview.md` dan spesifikasi yang relevan di `specifications/`.
|
|
26
|
+
2. **Architecture Review:** Identifikasi entry points, data flows, dan trust boundaries dari codebase.
|
|
27
|
+
3. **Threat Identification (STRIDE):**
|
|
28
|
+
- **S**poofing — identity palsu (auth bypass, token forgery)
|
|
29
|
+
- **T**ampering — manipulasi data (request injection, parameter pollution)
|
|
30
|
+
- **R**epudiation — aksi yang tidak bisa diaudit (missing logs)
|
|
31
|
+
- **I**nformation Disclosure — data bocor (verbose error, PII exposure)
|
|
32
|
+
- **D**enial of Service — resource exhaustion (no rate limit, unbounded query)
|
|
33
|
+
- **E**levation of Privilege — akses melampaui izin (IDOR, broken authz)
|
|
34
|
+
4. **Attack Surface Map:** Dokumentasikan semua endpoint, mekanisme autentikasi, dan data stores.
|
|
35
|
+
5. **Output:** Tulis hasil ke `task/[TASK-ID]/security_threat_model.md`.
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
### Mode B: Vulnerability Scan
|
|
40
|
+
1. **Load Context:** Baca codebase yang relevan dan `project_overview.md`.
|
|
41
|
+
2. **OWASP Top 10 Review:**
|
|
42
|
+
- A01: Broken Access Control — cek authorization di setiap endpoint
|
|
43
|
+
- A02: Cryptographic Failures — cek hashing password, enkripsi data sensitif
|
|
44
|
+
- A03: Injection — SQL, XSS, Command injection di semua input
|
|
45
|
+
- A04: Insecure Design — validasi business logic dan alur autentikasi
|
|
46
|
+
- A05: Security Misconfiguration — cek CORS, HTTP headers, error messages
|
|
47
|
+
- A06: Vulnerable Components — dependency yang outdated atau ada CVE
|
|
48
|
+
- A07: Auth & Session Failures — JWT validation, session expiry, brute force protection
|
|
49
|
+
- A08: Software & Data Integrity Failures — unsigned data, insecure deserialization
|
|
50
|
+
- A09: Logging & Monitoring Failures — apakah security events di-log?
|
|
51
|
+
- A10: SSRF — external URL fetching tanpa validasi
|
|
52
|
+
3. **Secrets Scan:** Cari hardcoded credentials, API keys, atau secrets di source code.
|
|
53
|
+
4. **Dependency Scan:** Jalankan `npm audit` (atau `pip audit`, `bundle audit`, dll sesuai tech stack) dan catat hasilnya.
|
|
54
|
+
5. **Output:** Tulis ke `task/[TASK-ID]/security_report.md` menggunakan template `schemas/security_report.template.md`.
|
|
55
|
+
|
|
56
|
+
---
|
|
57
|
+
|
|
58
|
+
### Mode C: Security Fix
|
|
59
|
+
1. **Read Report:** Baca `task/[TASK-ID]/security_report.md` yang sudah ada.
|
|
60
|
+
2. **Repo Management:**
|
|
61
|
+
> 📎 **BACA DAN IKUTI** `agent/workflows/_shared/git-branch-management.md` — pastikan bekerja di branch yang benar sebelum menulis fix.
|
|
62
|
+
3. **Prioritize:** Tangani temuan CRITICAL dan HIGH terlebih dahulu.
|
|
63
|
+
4. **Implement Fix:**
|
|
64
|
+
- Input validation & sanitization
|
|
65
|
+
- Parameterized queries (SQL injection prevention)
|
|
66
|
+
- Output encoding (XSS prevention)
|
|
67
|
+
- Security headers (CSP, HSTS, X-Frame-Options)
|
|
68
|
+
- Dependency upgrades untuk packages yang vulnerable
|
|
69
|
+
5. **Verify Fix:** Pastikan fix tidak break fungsionalitas existing. Jalankan unit test jika tersedia.
|
|
70
|
+
6. **Log Fix:** Append ke `task/[TASK-ID]/security_report.md` di section `## Fixes Applied`.
|
|
71
|
+
7. **Update Status:** Tulis `state/agent_handoff.json` dengan status dan temuan utama.
|
|
72
|
+
|
|
73
|
+
---
|
|
74
|
+
|
|
75
|
+
### Mode D: Pre-release Audit
|
|
76
|
+
1. **Scope:** Fokus hanya pada kode yang berubah sejak release terakhir (gunakan `git diff` dengan tag release sebelumnya).
|
|
77
|
+
2. **Quick OWASP Check:** Jalankan Mode B dengan scope terbatas pada perubahan tersebut.
|
|
78
|
+
3. **Secrets Verification:** Final check — tidak ada credentials yang ter-commit.
|
|
79
|
+
4. **Dependency Final Check:** `npm audit --audit-level=high`
|
|
80
|
+
5. **Output:** Append hasil ke `task/[RELEASE-VERSION]/security_report.md`.
|
|
81
|
+
|
|
82
|
+
---
|
|
83
|
+
|
|
84
|
+
**CRITICAL RULES:**
|
|
85
|
+
- JANGAN pernah commit atau push credential yang ditemukan — segera report ke human untuk ditangani.
|
|
86
|
+
- Gunakan skill `penetration-testing` untuk panduan metodologi detail dan tooling.
|
|
87
|
+
- Severity: **CRITICAL** (eksploitasi langsung) > **HIGH** (butuh kondisi tertentu) > **MEDIUM** (mitigasi ada) > **LOW** (minor) > **INFO** (best practice).
|
|
88
|
+
- SELALU buat atau update `security_report.md` di akhir setiap mode.
|
|
89
|
+
- Jika menemukan CRITICAL: BERHENTI dan laporkan ke human sebelum lanjut.
|
|
90
|
+
|
|
91
|
+
**INPUT SAYA:**
|
|
92
|
+
"[Mode S/A/B/C/D]: [scope atau target — misal: 'Mode S: tetapkan standar', 'Mode D: v2.0.0']"
|
|
93
|
+
|
|
94
|
+
## Work Depth
|
|
95
|
+
> 📎 Baca level aktif di `project_overview.md` → `WORK_DEPTH`. Detail: `agent/workflows/_shared/work-depth.md`
|
|
96
|
+
|
|
97
|
+
| Level | Behavior |
|
|
98
|
+
|-------|----------|
|
|
99
|
+
| **fast** | Skip — Security tidak dipanggil pada mode fast |
|
|
100
|
+
| **standard** | Mode S di Perencanaan (opsional); Mode D di `/release` (Hardening) |
|
|
101
|
+
| **deep** | Mode S wajib di Perencanaan; Mode A+B+C+D penuh di Hardening per-release |
|
|
102
|
+
|
|
103
|
+
## Change Management
|
|
104
|
+
> 📎 **BACA DAN IKUTI** `agent/workflows/_shared/change-management.md` — perubahan standar keamanan WAJIB di-ADR dan notify semua engineer.
|
|
105
|
+
|
|
106
|
+
## State Management
|
|
107
|
+
> 📎 **BACA DAN IKUTI** panduan di `agent/workflows/_shared/state-management.md`
|
|
@@ -294,5 +294,8 @@ Specs:
|
|
|
294
294
|
| **standard** | Arsitektur lengkap + capacity planning |
|
|
295
295
|
| **deep** | + Disaster recovery plan, multi-region consideration, security architecture review |
|
|
296
296
|
|
|
297
|
+
## Change Management
|
|
298
|
+
> 📎 **BACA DAN IKUTI** `agent/workflows/_shared/change-management.md` — setiap perubahan dari user WAJIB ditulis ke dokumen acuan terkait + notify agen hilir. No silent changes.
|
|
299
|
+
|
|
297
300
|
## State Management
|
|
298
301
|
> 📎 **BACA DAN IKUTI** panduan di `agent/workflows/_shared/state-management.md`
|
|
@@ -93,5 +93,8 @@
|
|
|
93
93
|
| **standard** | Full E2E test suite sesuai spec |
|
|
94
94
|
| **deep** | + Edge cases, negative tests, performance assertion dasar |
|
|
95
95
|
|
|
96
|
+
## Change Management
|
|
97
|
+
> 📎 **BACA DAN IKUTI** `agent/workflows/_shared/change-management.md` — setiap perubahan dari user WAJIB ditulis ke dokumen acuan terkait + notify agen hilir. No silent changes.
|
|
98
|
+
|
|
96
99
|
## State Management
|
|
97
100
|
> 📎 **BACA DAN IKUTI** panduan di `agent/workflows/_shared/state-management.md`
|
|
@@ -0,0 +1,45 @@
|
|
|
1
|
+
**ACT AS:** UX/UI Designer.
|
|
2
|
+
**CONTEXT:** Fase Perencanaan (Planning). Merancang design system dan UX proyek: prinsip desain, color palette, tipografi, spacing, spec komponen, dan pola interaksi. Output kamu adalah **acuan** yang diikuti Frontend Engineer. Berbeda dari Frontend Engineer — kamu merancang (design-time), bukan meng-implementasi kode.
|
|
3
|
+
|
|
4
|
+
**ACUAN INPUT:**
|
|
5
|
+
- `project_overview.md` — bagian "UI/UX Guidelines & Design System" dan "Visual Vibe"
|
|
6
|
+
- `specifications/` — alur fitur yang butuh UI
|
|
7
|
+
|
|
8
|
+
**INSTRUCTION STEPS:**
|
|
9
|
+
1. **Load Context:** Baca `project_overview.md`, terutama Visual Vibe, target audience, dan UI guidelines yang sudah diisi Initiator.
|
|
10
|
+
2. **Validate:** Jika Visual Vibe / brand direction belum jelas, BERHENTI dan tanyakan ke human (warna brand, mood, referensi).
|
|
11
|
+
3. **Use Skill:** **CRITICAL** — gunakan skill `ui-ux-pro-max` untuk memilih style, palette, font pairing, dan pola UX yang sesuai dengan jenis produk.
|
|
12
|
+
4. **Directory Check:** Cek/Buat `state/knowledge_base/design-system/`.
|
|
13
|
+
5. **Build Design System:** Gunakan template `schemas/design-system.template.md`. Hasilkan `state/knowledge_base/design-system/design-system.md` mencakup:
|
|
14
|
+
- **Design Principles** (3-5)
|
|
15
|
+
- **Color Palette** (token + hex + usage)
|
|
16
|
+
- **Typography** (role, font, size, weight)
|
|
17
|
+
- **Spacing & Layout** (scale, breakpoints, container)
|
|
18
|
+
- **Component Specs** (variants & states untuk Button, Input, Card, Modal, Navbar, Table)
|
|
19
|
+
- **Interaction & Motion** (durasi, easing, feedback states)
|
|
20
|
+
- **Accessibility** (kontras, focus, keyboard, ARIA)
|
|
21
|
+
6. **Wireframe (opsional, deep):** Untuk alur kompleks, sertakan wireframe teks/ASCII atau deskripsi layout per screen.
|
|
22
|
+
7. **Human Review Loop:** Minta human review. Revisi sesuai feedback, update Revision History.
|
|
23
|
+
8. **Finalize:** Tandai `Approved`. Beri tahu Orchestrator design system siap dipakai Frontend Engineer.
|
|
24
|
+
|
|
25
|
+
**PRINSIP:**
|
|
26
|
+
- Design system adalah satu sumber kebenaran visual — Frontend tidak boleh mengarang di luar ini.
|
|
27
|
+
- Konsisten > kreatif berlebihan. Setiap token punya alasan.
|
|
28
|
+
|
|
29
|
+
**INPUT SAYA:**
|
|
30
|
+
"Rancang design system untuk [proyek]."
|
|
31
|
+
|
|
32
|
+
## Work Depth
|
|
33
|
+
> 📎 Baca level aktif di `project_overview.md` → `WORK_DEPTH`. Detail: `agent/workflows/_shared/work-depth.md`
|
|
34
|
+
|
|
35
|
+
| Level | Behavior |
|
|
36
|
+
|-------|----------|
|
|
37
|
+
| **fast** | Palette + tipografi + token dasar, komponen inti saja |
|
|
38
|
+
| **standard** | Full design system: semua komponen kunci + states + motion |
|
|
39
|
+
| **deep** | + Wireframe per screen, a11y spec lengkap, dark mode, responsive detail, design tokens export |
|
|
40
|
+
|
|
41
|
+
## Change Management
|
|
42
|
+
> 📎 **BACA DAN IKUTI** `agent/workflows/_shared/change-management.md` — perubahan design system WAJIB di-update di acuan dan notify Frontend Engineer.
|
|
43
|
+
|
|
44
|
+
## State Management
|
|
45
|
+
> 📎 **BACA DAN IKUTI** panduan di `agent/workflows/_shared/state-management.md`
|
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
# ADR-[NNN]: [Judul Keputusan Singkat]
|
|
2
|
+
|
|
3
|
+
**Status:** `Proposed` / `Accepted` / `Superseded by ADR-XXX` / `Deprecated`
|
|
4
|
+
**Date:** [YYYY-MM-DD]
|
|
5
|
+
**Author Agent:** [agen yang membuat]
|
|
6
|
+
**Phase:** [Planning / Implementation / Testing / Hardening]
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Context
|
|
11
|
+
|
|
12
|
+
[Apa situasi/masalah yang memicu keputusan ini? Kalau perubahan diminta user, sebutkan permintaannya.]
|
|
13
|
+
|
|
14
|
+
## Decision
|
|
15
|
+
|
|
16
|
+
[Keputusan yang diambil — jelas dan ringkas.]
|
|
17
|
+
|
|
18
|
+
## Alternatives Considered
|
|
19
|
+
|
|
20
|
+
| Opsi | Pro | Kontra | Dipilih? |
|
|
21
|
+
|------|-----|--------|----------|
|
|
22
|
+
| [Opsi A] | | | ✅ / ❌ |
|
|
23
|
+
| [Opsi B] | | | ✅ / ❌ |
|
|
24
|
+
|
|
25
|
+
## Consequences
|
|
26
|
+
|
|
27
|
+
- **Positif:** [keuntungan]
|
|
28
|
+
- **Negatif / Trade-off:** [biaya, risiko, utang teknis]
|
|
29
|
+
- **Dokumen acuan yang ikut berubah:** [daftar file yang di-update karena keputusan ini]
|
|
30
|
+
- **Agen yang perlu tahu:** [Backend / Frontend / Tester / dll]
|
|
31
|
+
|
|
32
|
+
## Revision History
|
|
33
|
+
|
|
34
|
+
| Timestamp | Agen | Perubahan |
|
|
35
|
+
|-----------|------|-----------|
|
|
36
|
+
| [YYYY-MM-DD HH:MM] | [agen] | ADR dibuat |
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
# DATA MODEL — [Project Name]
|
|
2
|
+
|
|
3
|
+
**Owner Agent:** Data Architect
|
|
4
|
+
**Date:** [YYYY-MM-DD HH:MM]
|
|
5
|
+
**Phase:** Planning
|
|
6
|
+
**Status:** `Draft` / `Approved`
|
|
7
|
+
|
|
8
|
+
> Acuan resmi struktur data proyek. Backend Engineer WAJIB mengikuti ini. Perubahan harus lewat `_shared/change-management.md`.
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## 1. Entity Overview
|
|
13
|
+
|
|
14
|
+
[Daftar entity utama dan deskripsi singkat perannya.]
|
|
15
|
+
|
|
16
|
+
## 2. Entity Relationship Diagram (ERD)
|
|
17
|
+
|
|
18
|
+
```
|
|
19
|
+
[Diagram teks / mermaid. Contoh:
|
|
20
|
+
User ||--o{ Booking : places
|
|
21
|
+
Booking }o--|| Tour : references
|
|
22
|
+
]
|
|
23
|
+
```
|
|
24
|
+
|
|
25
|
+
## 3. Schema Detail
|
|
26
|
+
|
|
27
|
+
### [Entity: User]
|
|
28
|
+
| Field | Type | Constraints | Notes |
|
|
29
|
+
|-------|------|-------------|-------|
|
|
30
|
+
| id | UUID | PK | |
|
|
31
|
+
| email | string | unique, not null | |
|
|
32
|
+
| password_hash | string | not null | bcrypt, JANGAN simpan plaintext |
|
|
33
|
+
| created_at | timestamp | default now | |
|
|
34
|
+
|
|
35
|
+
*(Ulangi per entity)*
|
|
36
|
+
|
|
37
|
+
## 4. Indexes & Performance
|
|
38
|
+
|
|
39
|
+
- [Index yang dibutuhkan untuk query berat — misal: `idx_booking_user_id`]
|
|
40
|
+
|
|
41
|
+
## 5. Data Governance
|
|
42
|
+
|
|
43
|
+
- **PII fields:** [daftar field sensitif — email, phone, dll]
|
|
44
|
+
- **Retention:** [berapa lama data disimpan]
|
|
45
|
+
- **Encryption at rest:** [field mana yang dienkripsi]
|
|
46
|
+
- **Audit:** [tabel mana yang butuh audit log]
|
|
47
|
+
|
|
48
|
+
## 6. Migration Strategy
|
|
49
|
+
|
|
50
|
+
- [Tooling migrasi — Prisma Migrate, TypeORM, Alembic, dll]
|
|
51
|
+
- [Strategi seed data]
|
|
52
|
+
|
|
53
|
+
## Revision History
|
|
54
|
+
|
|
55
|
+
| Timestamp | Agen | Perubahan |
|
|
56
|
+
|-----------|------|-----------|
|
|
57
|
+
| [YYYY-MM-DD HH:MM] | Data Architect | Initial data model |
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
# DESIGN SYSTEM — [Project Name]
|
|
2
|
+
|
|
3
|
+
**Owner Agent:** UX Designer
|
|
4
|
+
**Date:** [YYYY-MM-DD HH:MM]
|
|
5
|
+
**Phase:** Planning
|
|
6
|
+
**Status:** `Draft` / `Approved`
|
|
7
|
+
|
|
8
|
+
> Acuan resmi UI/UX proyek. Frontend Engineer WAJIB mengikuti ini. Perubahan harus lewat `_shared/change-management.md`.
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## 1. Design Principles
|
|
13
|
+
|
|
14
|
+
[3-5 prinsip — misal: "Mobile-first", "Aksesibilitas WCAG AA", "Minimalis, fokus konten"]
|
|
15
|
+
|
|
16
|
+
## 2. Color Palette
|
|
17
|
+
|
|
18
|
+
| Token | Value (Hex) | Usage |
|
|
19
|
+
|-------|-------------|-------|
|
|
20
|
+
| primary | #____ | tombol utama, link |
|
|
21
|
+
| secondary | #____ | aksen |
|
|
22
|
+
| background | #____ | latar |
|
|
23
|
+
| surface | #____ | card, panel |
|
|
24
|
+
| text-primary | #____ | teks utama |
|
|
25
|
+
| error / success / warning | #____ | state |
|
|
26
|
+
|
|
27
|
+
## 3. Typography
|
|
28
|
+
|
|
29
|
+
| Role | Font | Size | Weight |
|
|
30
|
+
|------|------|------|--------|
|
|
31
|
+
| Heading 1 | [font] | | |
|
|
32
|
+
| Body | [font] | | |
|
|
33
|
+
| Caption | [font] | | |
|
|
34
|
+
|
|
35
|
+
## 4. Spacing & Layout
|
|
36
|
+
|
|
37
|
+
- **Scale:** [4px base / 8px grid / dll]
|
|
38
|
+
- **Breakpoints:** mobile < 640, tablet 640–1024, desktop > 1024
|
|
39
|
+
- **Container max-width:** [px]
|
|
40
|
+
|
|
41
|
+
## 5. Component Specs
|
|
42
|
+
|
|
43
|
+
### [Component: Button]
|
|
44
|
+
- **Variants:** primary, secondary, ghost, destructive
|
|
45
|
+
- **States:** default, hover, active, disabled, loading
|
|
46
|
+
- **Radius / shadow:** [nilai]
|
|
47
|
+
|
|
48
|
+
*(Ulangi untuk komponen kunci: Input, Card, Modal, Navbar, Table)*
|
|
49
|
+
|
|
50
|
+
## 6. Interaction & Motion
|
|
51
|
+
|
|
52
|
+
- **Animasi:** [durasi, easing — misal 200ms ease-out]
|
|
53
|
+
- **Feedback:** loading state, empty state, error state
|
|
54
|
+
|
|
55
|
+
## 7. Accessibility
|
|
56
|
+
|
|
57
|
+
- Kontras minimum, focus ring, keyboard nav, ARIA labels
|
|
58
|
+
|
|
59
|
+
## Revision History
|
|
60
|
+
|
|
61
|
+
| Timestamp | Agen | Perubahan |
|
|
62
|
+
|-----------|------|-----------|
|
|
63
|
+
| [YYYY-MM-DD HH:MM] | UX Designer | Initial design system |
|
|
@@ -0,0 +1,64 @@
|
|
|
1
|
+
# REQUIREMENTS — [Project Name]
|
|
2
|
+
|
|
3
|
+
**Owner Agent:** Discovery
|
|
4
|
+
**Date:** [YYYY-MM-DD HH:MM]
|
|
5
|
+
**Phase:** Planning (hulu)
|
|
6
|
+
**Status:** `Gathering` / `Approved`
|
|
7
|
+
|
|
8
|
+
> Hasil requirement gathering dengan human. Acuan paling hulu — menjadi input Initiator untuk `project_overview.md`. Perubahan lewat `_shared/change-management.md`.
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## 1. Problem & Goals
|
|
13
|
+
- **Masalah:** [masalah yang diselesaikan]
|
|
14
|
+
- **Kenapa sekarang:** [urgensi/konteks]
|
|
15
|
+
- **Definisi sukses (metrik):** [bagaimana tahu ini berhasil]
|
|
16
|
+
|
|
17
|
+
## 2. Users & Personas
|
|
18
|
+
| Persona | Konteks / Pain | Kebutuhan utama |
|
|
19
|
+
|---------|----------------|-----------------|
|
|
20
|
+
| [Admin] | | |
|
|
21
|
+
| [End user] | | |
|
|
22
|
+
|
|
23
|
+
## 3. Scope
|
|
24
|
+
- **Must-have:** [fitur wajib]
|
|
25
|
+
- **Nice-to-have:** [fitur opsional]
|
|
26
|
+
- **Out of scope (eksplisit):** [yang TIDAK dikerjakan]
|
|
27
|
+
|
|
28
|
+
## 4. Key Features & Flows
|
|
29
|
+
- [Alur/fitur utama 1]
|
|
30
|
+
- [Alur/fitur utama 2]
|
|
31
|
+
|
|
32
|
+
## 5. Non-Functional Requirements
|
|
33
|
+
- **Skala/Beban:** [perkiraan user, transaksi]
|
|
34
|
+
- **Performa:** [target response time, dll]
|
|
35
|
+
- **Security & Compliance:** [GDPR / UU PDP / PCI-DSS / dll]
|
|
36
|
+
- **Availability:** [uptime target jika ada]
|
|
37
|
+
- **Budget:** [jika relevan]
|
|
38
|
+
|
|
39
|
+
## 6. Constraints
|
|
40
|
+
- **Tech preferences:** [stack yang diinginkan/dihindari]
|
|
41
|
+
- **Sistem existing:** [yang harus diintegrasikan]
|
|
42
|
+
- **Timeline & tim:** [deadline, ukuran tim]
|
|
43
|
+
|
|
44
|
+
## 7. Data & Integrations
|
|
45
|
+
- **Data sensitif:** [PII, finansial, dll]
|
|
46
|
+
- **Integrasi pihak ketiga:** [payment, auth, notifikasi, dll]
|
|
47
|
+
|
|
48
|
+
## 8. Assumptions
|
|
49
|
+
- [Asumsi 1 — perlu diverifikasi]
|
|
50
|
+
- [Asumsi 2]
|
|
51
|
+
|
|
52
|
+
## 9. Open Questions
|
|
53
|
+
- [ ] [Pertanyaan yang belum terjawab 1]
|
|
54
|
+
- [ ] [Pertanyaan 2]
|
|
55
|
+
|
|
56
|
+
## 10. Risks
|
|
57
|
+
| Risiko | Dampak | Mitigasi awal |
|
|
58
|
+
|--------|--------|---------------|
|
|
59
|
+
| | | |
|
|
60
|
+
|
|
61
|
+
## Revision History
|
|
62
|
+
| Timestamp | Agen | Perubahan |
|
|
63
|
+
|-----------|------|-----------|
|
|
64
|
+
| [YYYY-MM-DD HH:MM] | Discovery | Initial requirements gathered |
|
|
@@ -0,0 +1,58 @@
|
|
|
1
|
+
# SECURITY STANDARDS — [Project Name]
|
|
2
|
+
|
|
3
|
+
**Owner Agent:** Security Expert (Mode Standards)
|
|
4
|
+
**Date:** [YYYY-MM-DD HH:MM]
|
|
5
|
+
**Phase:** Planning
|
|
6
|
+
**Status:** `Draft` / `Approved`
|
|
7
|
+
|
|
8
|
+
> Acuan standar keamanan proyek yang ditetapkan di awal. Semua engineer WAJIB mengikuti. Diverifikasi ulang oleh Security di fase Hardening. Perubahan lewat `_shared/change-management.md`.
|
|
9
|
+
|
|
10
|
+
---
|
|
11
|
+
|
|
12
|
+
## 1. Authentication & Authorization
|
|
13
|
+
|
|
14
|
+
- **Auth mechanism:** [JWT / session / OAuth2 — pilih dan jelaskan]
|
|
15
|
+
- **Password policy:** [hashing algo (bcrypt/argon2), min length, complexity]
|
|
16
|
+
- **Token expiry:** [access token TTL, refresh token strategy]
|
|
17
|
+
- **Authorization model:** [RBAC / ABAC — daftar role dan permission]
|
|
18
|
+
|
|
19
|
+
## 2. Data Protection
|
|
20
|
+
|
|
21
|
+
- **Encryption in transit:** TLS 1.2+ wajib
|
|
22
|
+
- **Encryption at rest:** [field/tabel yang dienkripsi]
|
|
23
|
+
- **PII handling:** [masking, minimization]
|
|
24
|
+
- **Secrets management:** semua via env var, JANGAN hardcode; daftarkan di `.env.example`
|
|
25
|
+
|
|
26
|
+
## 3. Input Validation & Output Encoding
|
|
27
|
+
|
|
28
|
+
- Validasi semua input di server-side
|
|
29
|
+
- Parameterized queries (anti SQL injection)
|
|
30
|
+
- Output encoding (anti XSS)
|
|
31
|
+
|
|
32
|
+
## 4. Security Headers & Config
|
|
33
|
+
|
|
34
|
+
- CSP, HSTS, X-Frame-Options, X-Content-Type-Options
|
|
35
|
+
- CORS policy: [origin yang diizinkan]
|
|
36
|
+
- Rate limiting: [batas per endpoint sensitif]
|
|
37
|
+
|
|
38
|
+
## 5. Compliance Requirements
|
|
39
|
+
|
|
40
|
+
- [GDPR / UU PDP / PCI-DSS — jika relevan]
|
|
41
|
+
|
|
42
|
+
## 6. Threat Model Summary
|
|
43
|
+
|
|
44
|
+
[Threat utama yang diantisipasi sejak desain — referensi ke STRIDE jika sudah ada threat model.]
|
|
45
|
+
|
|
46
|
+
## 7. Security Acceptance Criteria
|
|
47
|
+
|
|
48
|
+
Checklist yang harus lulus sebelum release (diverifikasi Security di Hardening):
|
|
49
|
+
- [ ] Tidak ada hardcoded secret
|
|
50
|
+
- [ ] Semua endpoint ter-proteksi authz
|
|
51
|
+
- [ ] Dependency bebas CVE critical/high
|
|
52
|
+
- [ ] OWASP Top 10 ter-review
|
|
53
|
+
|
|
54
|
+
## Revision History
|
|
55
|
+
|
|
56
|
+
| Timestamp | Agen | Perubahan |
|
|
57
|
+
|-----------|------|-----------|
|
|
58
|
+
| [YYYY-MM-DD HH:MM] | Security | Initial security standards |
|
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
# SECURITY REPORT - [TASK-ID / SCOPE]
|
|
2
|
+
|
|
3
|
+
**Date:** [YYYY-MM-DD HH:MM]
|
|
4
|
+
**Agent:** Security Expert Agent
|
|
5
|
+
**Scope:** [Deskripsi scope yang diaudit — misal: "Fitur Login & Auth", "Seluruh codebase", "v1.2.0 release"]
|
|
6
|
+
**Mode:** [A: Threat Model / B: Vulnerability Scan / C: Security Fix / D: Pre-release Audit]
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Executive Summary
|
|
11
|
+
|
|
12
|
+
[Ringkasan singkat — apa yang diaudit, berapa temuan, dan rekomendasi utama.]
|
|
13
|
+
|
|
14
|
+
**Overall Risk Level:** `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `CLEAR`
|
|
15
|
+
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
## Findings
|
|
19
|
+
|
|
20
|
+
### CRITICAL
|
|
21
|
+
| # | Vulnerability | Location | Description | Recommendation |
|
|
22
|
+
|---|---------------|----------|-------------|----------------|
|
|
23
|
+
| 1 | | | | |
|
|
24
|
+
|
|
25
|
+
### HIGH
|
|
26
|
+
| # | Vulnerability | Location | Description | Recommendation |
|
|
27
|
+
|---|---------------|----------|-------------|----------------|
|
|
28
|
+
| 1 | | | | |
|
|
29
|
+
|
|
30
|
+
### MEDIUM
|
|
31
|
+
| # | Vulnerability | Location | Description | Recommendation |
|
|
32
|
+
|---|---------------|----------|-------------|----------------|
|
|
33
|
+
| 1 | | | | |
|
|
34
|
+
|
|
35
|
+
### LOW / INFO
|
|
36
|
+
| # | Vulnerability | Location | Description | Recommendation |
|
|
37
|
+
|---|---------------|----------|-------------|----------------|
|
|
38
|
+
| 1 | | | | |
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
|
|
42
|
+
## OWASP Top 10 Checklist
|
|
43
|
+
|
|
44
|
+
- [ ] A01: Broken Access Control
|
|
45
|
+
- [ ] A02: Cryptographic Failures
|
|
46
|
+
- [ ] A03: Injection (SQL, XSS, Command)
|
|
47
|
+
- [ ] A04: Insecure Design
|
|
48
|
+
- [ ] A05: Security Misconfiguration
|
|
49
|
+
- [ ] A06: Vulnerable & Outdated Components
|
|
50
|
+
- [ ] A07: Authentication & Session Failures
|
|
51
|
+
- [ ] A08: Software & Data Integrity Failures
|
|
52
|
+
- [ ] A09: Security Logging & Monitoring Failures
|
|
53
|
+
- [ ] A10: Server-Side Request Forgery (SSRF)
|
|
54
|
+
|
|
55
|
+
---
|
|
56
|
+
|
|
57
|
+
## Dependency Scan Results
|
|
58
|
+
|
|
59
|
+
```
|
|
60
|
+
[Output dari npm audit / pip audit / bundle audit]
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
**Vulnerable packages found:** [X critical, Y high, Z moderate]
|
|
64
|
+
|
|
65
|
+
---
|
|
66
|
+
|
|
67
|
+
## Secrets Scan Results
|
|
68
|
+
|
|
69
|
+
- [ ] No hardcoded credentials found
|
|
70
|
+
- [ ] No API keys in source code
|
|
71
|
+
- [ ] `.env.example` does not contain real values
|
|
72
|
+
- [ ] `.gitignore` covers all `.env` variants
|
|
73
|
+
|
|
74
|
+
---
|
|
75
|
+
|
|
76
|
+
## Fixes Applied
|
|
77
|
+
|
|
78
|
+
| # | Vulnerability | Fix Description | Files Changed | Timestamp |
|
|
79
|
+
|---|---------------|-----------------|---------------|-----------|
|
|
80
|
+
| 1 | | | | |
|
|
81
|
+
|
|
82
|
+
---
|
|
83
|
+
|
|
84
|
+
## Sign-off
|
|
85
|
+
|
|
86
|
+
- **Status:** `Pending Fix` / `All Clear` / `Conditional Approval`
|
|
87
|
+
- **Remaining Issues:** [Daftar temuan yang belum di-fix dan alasannya — misal: "MEDIUM-1: accepted risk, ditangani di sprint berikutnya"]
|
|
88
|
+
- **Next Action:** [Fix CRITICAL-1 sebelum deploy / Ready for release / dll]
|
|
89
|
+
- **Reviewed By:** [Security Agent + Human approval jika sudah di-review]
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
# Keep this folder tracked by git
|
|
File without changes
|