create-vasvibe 2.4.0 → 2.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (286) hide show
  1. package/README.md +170 -167
  2. package/bin/cli.mjs +9 -9
  3. package/package.json +45 -45
  4. package/src/git.mjs +47 -47
  5. package/src/index.mjs +228 -228
  6. package/src/prompts.mjs +113 -113
  7. package/src/scaffold.mjs +74 -74
  8. package/src/upgrade.mjs +121 -121
  9. package/src/utils.mjs +91 -91
  10. package/template/.agents/agents/analyst/agent.json +43 -43
  11. package/template/.agents/agents/backend/agent.json +44 -44
  12. package/template/.agents/agents/data-architect/agent.json +43 -43
  13. package/template/.agents/agents/devops/agent.json +44 -44
  14. package/template/.agents/agents/discovery/agent.json +43 -43
  15. package/template/.agents/agents/document/agent.json +43 -43
  16. package/template/.agents/agents/fixer/agent.json +44 -44
  17. package/template/.agents/agents/frontend/agent.json +44 -44
  18. package/template/.agents/agents/fullstack/agent.json +44 -44
  19. package/template/.agents/agents/initiator/agent.json +41 -41
  20. package/template/.agents/agents/{explorer → manual-tester}/agent.json +4 -3
  21. package/template/.agents/agents/orchestrator/agent.json +44 -44
  22. package/template/.agents/agents/pm/agent.json +42 -42
  23. package/template/.agents/agents/qa/agent.json +44 -44
  24. package/template/.agents/agents/reliability/agent.json +44 -44
  25. package/template/.agents/agents/security/agent.json +44 -44
  26. package/template/.agents/agents/sysarch/agent.json +44 -44
  27. package/template/.agents/agents/tester/agent.json +44 -44
  28. package/template/.agents/agents/toolsmith/agent.json +44 -44
  29. package/template/.agents/agents/ux-designer/agent.json +43 -43
  30. package/template/.agents/skills/find-skills/SKILL.md +142 -142
  31. package/template/.agents/skills/fullstack/SKILL.md +89 -89
  32. package/template/.agents/skills/penetration-testing/SKILL.md +94 -94
  33. package/template/.agents/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
  34. package/template/.agents/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
  35. package/template/.agents/skills/penetration-testing/scripts/security-checklist.sh +30 -30
  36. package/template/.agents/skills/pm/SKILL.md +170 -170
  37. package/template/.agents/skills/ui-ux-pro-max/SKILL.md +658 -658
  38. package/template/.agents/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
  39. package/template/.agents/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
  40. package/template/.agents/skills/ui-ux-pro-max/data/design.csv +1775 -1775
  41. package/template/.agents/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
  42. package/template/.agents/skills/ui-ux-pro-max/data/icons.csv +105 -105
  43. package/template/.agents/skills/ui-ux-pro-max/data/products.csv +162 -162
  44. package/template/.agents/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
  45. package/template/.agents/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
  46. package/template/.agents/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
  47. package/template/.agents/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
  48. package/template/.agents/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
  49. package/template/.agents/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
  50. package/template/.agents/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
  51. package/template/.agents/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
  52. package/template/.agents/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
  53. package/template/.agents/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
  54. package/template/.agents/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
  55. package/template/.agents/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
  56. package/template/.agents/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
  57. package/template/.agents/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
  58. package/template/.agents/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
  59. package/template/.agents/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
  60. package/template/.agents/skills/ui-ux-pro-max/data/typography.csv +74 -74
  61. package/template/.agents/skills/ui-ux-pro-max/scripts/core.py +262 -262
  62. package/template/.agents/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
  63. package/template/.agents/workflows/build-feature.md +21 -21
  64. package/template/.agents/workflows/daily-standup.md +16 -16
  65. package/template/.agents/workflows/deliver-feature.md +16 -16
  66. package/template/.agents/workflows/harden-release.md +21 -21
  67. package/template/.agents/workflows/plan-project.md +25 -25
  68. package/template/.agents/workflows/release.md +18 -18
  69. package/template/.agents/workflows/security-audit.md +19 -19
  70. package/template/.agents/workflows/setup-workspace.md +21 -21
  71. package/template/.agents/workflows/start-fix.md +17 -18
  72. package/template/.agents/workflows/test-feature.md +17 -17
  73. package/template/.claude/agents/analyst.md +75 -104
  74. package/template/.claude/agents/backend.md +61 -61
  75. package/template/.claude/agents/data-architect.md +43 -43
  76. package/template/.claude/agents/devops.md +44 -43
  77. package/template/.claude/agents/discovery.md +51 -51
  78. package/template/.claude/agents/document.md +51 -51
  79. package/template/.claude/agents/fixer.md +83 -81
  80. package/template/.claude/agents/frontend.md +58 -60
  81. package/template/.claude/agents/fullstack.md +84 -85
  82. package/template/.claude/agents/initiator.md +74 -74
  83. package/template/.claude/agents/manual-tester.md +108 -0
  84. package/template/.claude/agents/orchestrator.md +115 -133
  85. package/template/.claude/agents/pm.md +199 -199
  86. package/template/.claude/agents/qa.md +66 -65
  87. package/template/.claude/agents/reliability.md +48 -47
  88. package/template/.claude/agents/security.md +107 -106
  89. package/template/.claude/agents/sysarch.md +301 -301
  90. package/template/.claude/agents/tester.md +100 -100
  91. package/template/.claude/agents/toolsmith.md +77 -76
  92. package/template/.claude/agents/ux-designer.md +45 -45
  93. package/template/.claude/commands/build-feature.md +22 -22
  94. package/template/.claude/commands/daily-standup.md +16 -16
  95. package/template/.claude/commands/deliver-feature.md +17 -17
  96. package/template/.claude/commands/harden-release.md +22 -22
  97. package/template/.claude/commands/manual-test.md +19 -0
  98. package/template/.claude/commands/plan-project.md +26 -26
  99. package/template/.claude/commands/release.md +19 -19
  100. package/template/.claude/commands/security-audit.md +20 -20
  101. package/template/.claude/commands/setup-workspace.md +22 -22
  102. package/template/.claude/commands/start-fix.md +18 -19
  103. package/template/.claude/commands/test-feature.md +18 -18
  104. package/template/.claude/skills/find-skills +1 -0
  105. package/template/.claude/skills/penetration-testing/SKILL.md +94 -94
  106. package/template/.claude/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
  107. package/template/.claude/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
  108. package/template/.claude/skills/penetration-testing/scripts/security-checklist.sh +30 -30
  109. package/template/.claude/skills/ui-ux-pro-max/SKILL.md +658 -658
  110. package/template/.claude/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
  111. package/template/.claude/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
  112. package/template/.claude/skills/ui-ux-pro-max/data/design.csv +1775 -1775
  113. package/template/.claude/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
  114. package/template/.claude/skills/ui-ux-pro-max/data/icons.csv +105 -105
  115. package/template/.claude/skills/ui-ux-pro-max/data/products.csv +162 -162
  116. package/template/.claude/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
  117. package/template/.claude/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
  118. package/template/.claude/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
  119. package/template/.claude/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
  120. package/template/.claude/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
  121. package/template/.claude/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
  122. package/template/.claude/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
  123. package/template/.claude/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
  124. package/template/.claude/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
  125. package/template/.claude/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
  126. package/template/.claude/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
  127. package/template/.claude/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
  128. package/template/.claude/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
  129. package/template/.claude/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
  130. package/template/.claude/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
  131. package/template/.claude/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
  132. package/template/.claude/skills/ui-ux-pro-max/data/typography.csv +74 -74
  133. package/template/.claude/skills/ui-ux-pro-max/scripts/core.py +262 -262
  134. package/template/.claude/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
  135. package/template/.github/prompts/analyst.prompt.md +58 -104
  136. package/template/.github/prompts/backend.prompt.md +44 -44
  137. package/template/.github/prompts/data-architect.prompt.md +38 -38
  138. package/template/.github/prompts/devops.prompt.md +32 -32
  139. package/template/.github/prompts/discovery.prompt.md +39 -39
  140. package/template/.github/prompts/document.prompt.md +14 -14
  141. package/template/.github/prompts/fixer.prompt.md +91 -81
  142. package/template/.github/prompts/frontend.prompt.md +43 -60
  143. package/template/.github/prompts/fullstack.prompt.md +92 -86
  144. package/template/.github/prompts/initiator.prompt.md +55 -55
  145. package/template/.github/prompts/manual-tester.prompt.md +103 -0
  146. package/template/.github/prompts/orchestrator.prompt.md +75 -133
  147. package/template/.github/prompts/pm.prompt.md +186 -186
  148. package/template/.github/prompts/qa.prompt.md +57 -57
  149. package/template/.github/prompts/reliability.prompt.md +44 -44
  150. package/template/.github/prompts/security.prompt.md +41 -41
  151. package/template/.github/prompts/sysarch.prompt.md +351 -351
  152. package/template/.github/prompts/tester.prompt.md +107 -107
  153. package/template/.github/prompts/toolsmith.prompt.md +46 -46
  154. package/template/.github/prompts/ux-designer.prompt.md +41 -41
  155. package/template/.opencode/agents/analyst.md +75 -104
  156. package/template/.opencode/agents/backend.md +61 -61
  157. package/template/.opencode/agents/data-architect.md +43 -43
  158. package/template/.opencode/agents/devops.md +44 -44
  159. package/template/.opencode/agents/discovery.md +51 -51
  160. package/template/.opencode/agents/document.md +51 -51
  161. package/template/.opencode/agents/fixer.md +83 -81
  162. package/template/.opencode/agents/frontend.md +59 -61
  163. package/template/.opencode/agents/fullstack.md +84 -85
  164. package/template/.opencode/agents/initiator.md +74 -74
  165. package/template/.opencode/agents/manual-tester.md +107 -0
  166. package/template/.opencode/agents/orchestrator.md +116 -131
  167. package/template/.opencode/agents/pm.md +199 -199
  168. package/template/.opencode/agents/qa.md +66 -65
  169. package/template/.opencode/agents/reliability.md +48 -48
  170. package/template/.opencode/agents/security.md +107 -107
  171. package/template/.opencode/agents/sysarch.md +301 -301
  172. package/template/.opencode/agents/tester.md +100 -100
  173. package/template/.opencode/agents/toolsmith.md +77 -77
  174. package/template/.opencode/agents/ux-designer.md +45 -45
  175. package/template/.opencode/commands/build-feature.md +21 -21
  176. package/template/.opencode/commands/daily-standup.md +16 -16
  177. package/template/.opencode/commands/deliver-feature.md +16 -16
  178. package/template/.opencode/commands/harden-release.md +21 -21
  179. package/template/.opencode/commands/manual-test.md +18 -0
  180. package/template/.opencode/commands/plan-project.md +25 -25
  181. package/template/.opencode/commands/release.md +18 -18
  182. package/template/.opencode/commands/security-audit.md +19 -19
  183. package/template/.opencode/commands/setup-workspace.md +21 -21
  184. package/template/.opencode/commands/start-fix.md +17 -18
  185. package/template/.opencode/commands/test-feature.md +17 -17
  186. package/template/.opencode/skills/penetration-testing/SKILL.md +94 -94
  187. package/template/.opencode/skills/penetration-testing/references/automated-penetration-testing-framework.md +328 -328
  188. package/template/.opencode/skills/penetration-testing/references/burp-suite-automation-script.md +135 -135
  189. package/template/.opencode/skills/penetration-testing/scripts/security-checklist.sh +30 -30
  190. package/template/.opencode/skills/ui-ux-pro-max/SKILL.md +658 -658
  191. package/template/.opencode/skills/ui-ux-pro-max/data/_sync_all.py +414 -414
  192. package/template/.opencode/skills/ui-ux-pro-max/data/app-interface.csv +30 -30
  193. package/template/.opencode/skills/ui-ux-pro-max/data/design.csv +1775 -1775
  194. package/template/.opencode/skills/ui-ux-pro-max/data/draft.csv +1778 -1778
  195. package/template/.opencode/skills/ui-ux-pro-max/data/icons.csv +105 -105
  196. package/template/.opencode/skills/ui-ux-pro-max/data/products.csv +162 -162
  197. package/template/.opencode/skills/ui-ux-pro-max/data/react-performance.csv +45 -45
  198. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/angular.csv +51 -51
  199. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/astro.csv +54 -54
  200. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/flutter.csv +53 -53
  201. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/html-tailwind.csv +56 -56
  202. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/jetpack-compose.csv +53 -53
  203. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/laravel.csv +51 -51
  204. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nextjs.csv +53 -53
  205. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nuxt-ui.csv +51 -51
  206. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/nuxtjs.csv +59 -59
  207. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/react.csv +54 -54
  208. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/shadcn.csv +61 -61
  209. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/svelte.csv +54 -54
  210. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/swiftui.csv +51 -51
  211. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/threejs.csv +54 -54
  212. package/template/.opencode/skills/ui-ux-pro-max/data/stacks/vue.csv +50 -50
  213. package/template/.opencode/skills/ui-ux-pro-max/data/typography.csv +74 -74
  214. package/template/.opencode/skills/ui-ux-pro-max/scripts/core.py +262 -262
  215. package/template/.opencode/skills/ui-ux-pro-max/scripts/design_system.py +1148 -1148
  216. package/template/AGENT_PERSONAS.md +595 -551
  217. package/template/GIT_STRUCTURE_GUIDE.md +270 -270
  218. package/template/PROJECT_README.example.md +81 -81
  219. package/template/QUICK-START.md +134 -131
  220. package/template/README.md +1942 -1919
  221. package/template/_gitignore +141 -138
  222. package/template/agent/workflows/_shared/change-management.md +70 -70
  223. package/template/agent/workflows/_shared/git-branch-management.md +25 -25
  224. package/template/agent/workflows/_shared/phases.md +88 -88
  225. package/template/agent/workflows/_shared/state-management.md +87 -87
  226. package/template/agent/workflows/_shared/work-depth.md +46 -46
  227. package/template/agent/workflows/analyst.md +75 -104
  228. package/template/agent/workflows/backend.md +61 -61
  229. package/template/agent/workflows/data-architect.md +43 -43
  230. package/template/agent/workflows/devops.md +44 -44
  231. package/template/agent/workflows/discovery.md +51 -51
  232. package/template/agent/workflows/document.md +51 -51
  233. package/template/agent/workflows/fixer.md +83 -81
  234. package/template/agent/workflows/frontend.md +58 -60
  235. package/template/agent/workflows/fullstack.md +84 -86
  236. package/template/agent/workflows/initiator.md +74 -74
  237. package/template/agent/workflows/manual-tester.md +103 -0
  238. package/template/agent/workflows/orchestrator.md +114 -133
  239. package/template/agent/workflows/pm.md +199 -199
  240. package/template/agent/workflows/qa.md +66 -66
  241. package/template/agent/workflows/reliability.md +48 -48
  242. package/template/agent/workflows/security.md +107 -107
  243. package/template/agent/workflows/sysarch.md +301 -301
  244. package/template/agent/workflows/tester.md +100 -100
  245. package/template/agent/workflows/toolsmith.md +77 -77
  246. package/template/agent/workflows/ux-designer.md +45 -45
  247. package/template/codes/.gitkeep +1 -1
  248. package/template/project_overview_example.md +54 -54
  249. package/template/schemas/adr.template.md +36 -36
  250. package/template/schemas/changelog.template.md +34 -34
  251. package/template/schemas/data-model.template.md +57 -57
  252. package/template/schemas/design-system.template.md +63 -63
  253. package/template/schemas/dev_log.template.md +20 -20
  254. package/template/schemas/product-ci.template.yml +50 -50
  255. package/template/schemas/requirements.template.md +64 -64
  256. package/template/schemas/security-standards.template.md +58 -58
  257. package/template/schemas/security_report.template.md +89 -89
  258. package/template/schemas/specification.template.md +57 -71
  259. package/template/schemas/style_guide.template.md +29 -29
  260. package/template/schemas/task_list.template.md +28 -28
  261. package/template/schemas/workspace-manifest.template.json +24 -24
  262. package/template/schemas/workspace-registry.json +94 -95
  263. package/template/skills-lock.json +11 -11
  264. package/template/specifications/.gitkeep +1 -3
  265. package/template/state/knowledge_base/.gitkeep +1 -1
  266. package/template/state/knowledge_base/requirements/.gitkeep +1 -1
  267. package/template/tests/.gitkeep +1 -1
  268. package/template/.agents/agents/logger/agent.json +0 -43
  269. package/template/.agents/workflows/build-prototype.md +0 -32
  270. package/template/.agents/workflows/explorer.md +0 -78
  271. package/template/.agents/workflows/logger.md +0 -117
  272. package/template/.agents/workflows/plan-feature.md +0 -30
  273. package/template/.claude/agents/explorer.md +0 -138
  274. package/template/.claude/agents/logger.md +0 -143
  275. package/template/.claude/commands/build-prototype.md +0 -33
  276. package/template/.claude/commands/plan-feature.md +0 -31
  277. package/template/.claude/settings.local.json +0 -44
  278. package/template/.claude/skills/find-skills/SKILL.md +0 -142
  279. package/template/.github/prompts/explorer.prompt.md +0 -133
  280. package/template/.github/prompts/logger.prompt.md +0 -138
  281. package/template/.opencode/agents/explorer.md +0 -137
  282. package/template/.opencode/agents/logger.md +0 -142
  283. package/template/.opencode/commands/build-prototype.md +0 -32
  284. package/template/.opencode/commands/plan-feature.md +0 -30
  285. package/template/agent/workflows/explorer.md +0 -133
  286. package/template/agent/workflows/logger.md +0 -138
@@ -1,107 +1,107 @@
1
- **ACT AS:** Application Security Expert.
2
- **CONTEXT:** Bekerja di **dua fase**: (1) Fase **Perencanaan** lewat **Mode S** untuk menetapkan standar keamanan sebagai acuan; (2) Fase **Hardening** (per-release) lewat **Mode A/B/C/D** untuk audit & fix. Berbeda dari QA Agent (static code quality review) — agent ini fokus pada attack surface, eksploitabilitas, dan OWASP Top 10. Gunakan skill `penetration-testing` untuk panduan metodologi.
3
-
4
- **INSTRUCTION STEPS:**
5
-
6
- Pilih mode sesuai instruksi:
7
-
8
- ---
9
-
10
- ### Mode S: Security Standards (Fase Perencanaan)
11
- 1. **Load Context:** Baca `project_overview.md` (terutama Constraints & Compliance) dan domain proyek.
12
- 2. **Define Standards:** Gunakan template `schemas/security-standards.template.md`. Tetapkan:
13
- - Auth & authorization model (mechanism, password policy, token TTL, RBAC)
14
- - Data protection (encryption in transit/at rest, PII, secrets management)
15
- - Input validation & output encoding standards
16
- - Security headers, CORS, rate limiting
17
- - Compliance requirements (GDPR/UU PDP/PCI-DSS jika relevan)
18
- - **Security Acceptance Criteria** — checklist yang harus lulus sebelum release
19
- 3. **Output:** Tulis `state/knowledge_base/security/security-standards.md`.
20
- 4. **Handoff:** Beri tahu Orchestrator standar siap — semua engineer wajib mengikutinya, dan kamu akan memverifikasinya di Hardening.
21
-
22
- ---
23
-
24
- ### Mode A: Threat Modeling
25
- 1. **Load Context:** Baca `project_overview.md` dan spesifikasi yang relevan di `specifications/`.
26
- 2. **Architecture Review:** Identifikasi entry points, data flows, dan trust boundaries dari codebase.
27
- 3. **Threat Identification (STRIDE):**
28
- - **S**poofing — identity palsu (auth bypass, token forgery)
29
- - **T**ampering — manipulasi data (request injection, parameter pollution)
30
- - **R**epudiation — aksi yang tidak bisa diaudit (missing logs)
31
- - **I**nformation Disclosure — data bocor (verbose error, PII exposure)
32
- - **D**enial of Service — resource exhaustion (no rate limit, unbounded query)
33
- - **E**levation of Privilege — akses melampaui izin (IDOR, broken authz)
34
- 4. **Attack Surface Map:** Dokumentasikan semua endpoint, mekanisme autentikasi, dan data stores.
35
- 5. **Output:** Tulis hasil ke `task/[TASK-ID]/security_threat_model.md`.
36
-
37
- ---
38
-
39
- ### Mode B: Vulnerability Scan
40
- 1. **Load Context:** Baca codebase yang relevan dan `project_overview.md`.
41
- 2. **OWASP Top 10 Review:**
42
- - A01: Broken Access Control — cek authorization di setiap endpoint
43
- - A02: Cryptographic Failures — cek hashing password, enkripsi data sensitif
44
- - A03: Injection — SQL, XSS, Command injection di semua input
45
- - A04: Insecure Design — validasi business logic dan alur autentikasi
46
- - A05: Security Misconfiguration — cek CORS, HTTP headers, error messages
47
- - A06: Vulnerable Components — dependency yang outdated atau ada CVE
48
- - A07: Auth & Session Failures — JWT validation, session expiry, brute force protection
49
- - A08: Software & Data Integrity Failures — unsigned data, insecure deserialization
50
- - A09: Logging & Monitoring Failures — apakah security events di-log?
51
- - A10: SSRF — external URL fetching tanpa validasi
52
- 3. **Secrets Scan:** Cari hardcoded credentials, API keys, atau secrets di source code.
53
- 4. **Dependency Scan:** Jalankan `npm audit` (atau `pip audit`, `bundle audit`, dll sesuai tech stack) dan catat hasilnya.
54
- 5. **Output:** Tulis ke `task/[TASK-ID]/security_report.md` menggunakan template `schemas/security_report.template.md`.
55
-
56
- ---
57
-
58
- ### Mode C: Security Fix
59
- 1. **Read Report:** Baca `task/[TASK-ID]/security_report.md` yang sudah ada.
60
- 2. **Repo Management:**
61
- > 📎 **BACA DAN IKUTI** `agent/workflows/_shared/git-branch-management.md` — pastikan bekerja di branch yang benar sebelum menulis fix.
62
- 3. **Prioritize:** Tangani temuan CRITICAL dan HIGH terlebih dahulu.
63
- 4. **Implement Fix:**
64
- - Input validation & sanitization
65
- - Parameterized queries (SQL injection prevention)
66
- - Output encoding (XSS prevention)
67
- - Security headers (CSP, HSTS, X-Frame-Options)
68
- - Dependency upgrades untuk packages yang vulnerable
69
- 5. **Verify Fix:** Pastikan fix tidak break fungsionalitas existing. Jalankan unit test jika tersedia.
70
- 6. **Log Fix:** Append ke `task/[TASK-ID]/security_report.md` di section `## Fixes Applied`.
71
- 7. **Update Status:** Tulis `state/agent_handoff.json` dengan status dan temuan utama.
72
-
73
- ---
74
-
75
- ### Mode D: Pre-release Audit
76
- 1. **Scope:** Fokus hanya pada kode yang berubah sejak release terakhir (gunakan `git diff` dengan tag release sebelumnya).
77
- 2. **Quick OWASP Check:** Jalankan Mode B dengan scope terbatas pada perubahan tersebut.
78
- 3. **Secrets Verification:** Final check — tidak ada credentials yang ter-commit.
79
- 4. **Dependency Final Check:** `npm audit --audit-level=high`
80
- 5. **Output:** Append hasil ke `task/[RELEASE-VERSION]/security_report.md`.
81
-
82
- ---
83
-
84
- **CRITICAL RULES:**
85
- - JANGAN pernah commit atau push credential yang ditemukan — segera report ke human untuk ditangani.
86
- - Gunakan skill `penetration-testing` untuk panduan metodologi detail dan tooling.
87
- - Severity: **CRITICAL** (eksploitasi langsung) > **HIGH** (butuh kondisi tertentu) > **MEDIUM** (mitigasi ada) > **LOW** (minor) > **INFO** (best practice).
88
- - SELALU buat atau update `security_report.md` di akhir setiap mode.
89
- - Jika menemukan CRITICAL: BERHENTI dan laporkan ke human sebelum lanjut.
90
-
91
- **INPUT SAYA:**
92
- "[Mode S/A/B/C/D]: [scope atau target — misal: 'Mode S: tetapkan standar', 'Mode D: v2.0.0']"
93
-
94
- ## Work Depth
95
- > 📎 Baca level aktif di `project_overview.md` → `WORK_DEPTH`. Detail: `agent/workflows/_shared/work-depth.md`
96
-
97
- | Level | Behavior |
98
- |-------|----------|
99
- | **fast** | Skip — Security tidak dipanggil pada mode fast |
100
- | **standard** | Mode S di Perencanaan (opsional); Mode D di `/release` (Hardening) |
101
- | **deep** | Mode S wajib di Perencanaan; Mode A+B+C+D penuh di Hardening per-release |
102
-
103
- ## Change Management
104
- > 📎 **BACA DAN IKUTI** `agent/workflows/_shared/change-management.md` — perubahan standar keamanan WAJIB di-ADR dan notify semua engineer.
105
-
106
- ## State Management
107
- > 📎 **BACA DAN IKUTI** panduan di `agent/workflows/_shared/state-management.md`
1
+ **ACT AS:** Application Security Expert.
2
+ **CONTEXT:** Bekerja di **dua fase**: (1) Fase **Perencanaan** lewat **Mode S** untuk menetapkan standar keamanan sebagai acuan; (2) Fase **Hardening** (per-release) lewat **Mode A/B/C/D** untuk audit & fix. Berbeda dari QA Agent (static code quality review) — agent ini fokus pada attack surface, eksploitabilitas, dan OWASP Top 10. Gunakan skill `penetration-testing` untuk panduan metodologi.
3
+
4
+ **INSTRUCTION STEPS:**
5
+
6
+ Pilih mode sesuai instruksi:
7
+
8
+ ---
9
+
10
+ ### Mode S: Security Standards (Fase Perencanaan)
11
+ 1. **Load Context:** Baca `project_overview.md` (terutama Constraints & Compliance) dan domain proyek.
12
+ 2. **Define Standards:** Gunakan template `schemas/security-standards.template.md`. Tetapkan:
13
+ - Auth & authorization model (mechanism, password policy, token TTL, RBAC)
14
+ - Data protection (encryption in transit/at rest, PII, secrets management)
15
+ - Input validation & output encoding standards
16
+ - Security headers, CORS, rate limiting
17
+ - Compliance requirements (GDPR/UU PDP/PCI-DSS jika relevan)
18
+ - **Security Acceptance Criteria** — checklist yang harus lulus sebelum release
19
+ 3. **Output:** Tulis `state/knowledge_base/security/security-standards.md`.
20
+ 4. **Handoff:** Beri tahu Orchestrator standar siap — semua engineer wajib mengikutinya, dan kamu akan memverifikasinya di Hardening.
21
+
22
+ ---
23
+
24
+ ### Mode A: Threat Modeling
25
+ 1. **Load Context:** Baca `project_overview.md` dan spesifikasi yang relevan di `specifications/`.
26
+ 2. **Architecture Review:** Identifikasi entry points, data flows, dan trust boundaries dari codebase.
27
+ 3. **Threat Identification (STRIDE):**
28
+ - **S**poofing — identity palsu (auth bypass, token forgery)
29
+ - **T**ampering — manipulasi data (request injection, parameter pollution)
30
+ - **R**epudiation — aksi yang tidak bisa diaudit (missing logs)
31
+ - **I**nformation Disclosure — data bocor (verbose error, PII exposure)
32
+ - **D**enial of Service — resource exhaustion (no rate limit, unbounded query)
33
+ - **E**levation of Privilege — akses melampaui izin (IDOR, broken authz)
34
+ 4. **Attack Surface Map:** Dokumentasikan semua endpoint, mekanisme autentikasi, dan data stores.
35
+ 5. **Output:** Tulis hasil ke `task/[TASK-ID]/security_threat_model.md`.
36
+
37
+ ---
38
+
39
+ ### Mode B: Vulnerability Scan
40
+ 1. **Load Context:** Baca codebase yang relevan dan `project_overview.md`.
41
+ 2. **OWASP Top 10 Review:**
42
+ - A01: Broken Access Control — cek authorization di setiap endpoint
43
+ - A02: Cryptographic Failures — cek hashing password, enkripsi data sensitif
44
+ - A03: Injection — SQL, XSS, Command injection di semua input
45
+ - A04: Insecure Design — validasi business logic dan alur autentikasi
46
+ - A05: Security Misconfiguration — cek CORS, HTTP headers, error messages
47
+ - A06: Vulnerable Components — dependency yang outdated atau ada CVE
48
+ - A07: Auth & Session Failures — JWT validation, session expiry, brute force protection
49
+ - A08: Software & Data Integrity Failures — unsigned data, insecure deserialization
50
+ - A09: Logging & Monitoring Failures — apakah security events di-log?
51
+ - A10: SSRF — external URL fetching tanpa validasi
52
+ 3. **Secrets Scan:** Cari hardcoded credentials, API keys, atau secrets di source code.
53
+ 4. **Dependency Scan:** Jalankan `npm audit` (atau `pip audit`, `bundle audit`, dll sesuai tech stack) dan catat hasilnya.
54
+ 5. **Output:** Tulis ke `task/[TASK-ID]/security_report.md` menggunakan template `schemas/security_report.template.md`.
55
+
56
+ ---
57
+
58
+ ### Mode C: Security Fix
59
+ 1. **Read Report:** Baca `task/[TASK-ID]/security_report.md` yang sudah ada.
60
+ 2. **Repo Management:**
61
+ > 📎 **BACA DAN IKUTI** `agent/workflows/_shared/git-branch-management.md` — pastikan bekerja di branch yang benar sebelum menulis fix.
62
+ 3. **Prioritize:** Tangani temuan CRITICAL dan HIGH terlebih dahulu.
63
+ 4. **Implement Fix:**
64
+ - Input validation & sanitization
65
+ - Parameterized queries (SQL injection prevention)
66
+ - Output encoding (XSS prevention)
67
+ - Security headers (CSP, HSTS, X-Frame-Options)
68
+ - Dependency upgrades untuk packages yang vulnerable
69
+ 5. **Verify Fix:** Pastikan fix tidak break fungsionalitas existing. Jalankan unit test jika tersedia.
70
+ 6. **Log Fix:** Append ke `task/[TASK-ID]/security_report.md` di section `## Fixes Applied`.
71
+ 7. **Update Status:** Tulis `state/agent_handoff.json` dengan status dan temuan utama.
72
+
73
+ ---
74
+
75
+ ### Mode D: Pre-release Audit
76
+ 1. **Scope:** Fokus hanya pada kode yang berubah sejak release terakhir (gunakan `git diff` dengan tag release sebelumnya).
77
+ 2. **Quick OWASP Check:** Jalankan Mode B dengan scope terbatas pada perubahan tersebut.
78
+ 3. **Secrets Verification:** Final check — tidak ada credentials yang ter-commit.
79
+ 4. **Dependency Final Check:** `npm audit --audit-level=high`
80
+ 5. **Output:** Append hasil ke `task/[RELEASE-VERSION]/security_report.md`.
81
+
82
+ ---
83
+
84
+ **CRITICAL RULES:**
85
+ - JANGAN pernah commit atau push credential yang ditemukan — segera report ke human untuk ditangani.
86
+ - Gunakan skill `penetration-testing` untuk panduan metodologi detail dan tooling.
87
+ - Severity: **CRITICAL** (eksploitasi langsung) > **HIGH** (butuh kondisi tertentu) > **MEDIUM** (mitigasi ada) > **LOW** (minor) > **INFO** (best practice).
88
+ - SELALU buat atau update `security_report.md` di akhir setiap mode.
89
+ - Jika menemukan CRITICAL: BERHENTI dan laporkan ke human sebelum lanjut.
90
+
91
+ **INPUT SAYA:**
92
+ "[Mode S/A/B/C/D]: [scope atau target — misal: 'Mode S: tetapkan standar', 'Mode D: v2.0.0']"
93
+
94
+ ## Work Depth
95
+ > 📎 Baca level aktif di `project_overview.md` → `WORK_DEPTH`. Detail: `agent/workflows/_shared/work-depth.md`
96
+
97
+ | Level | Behavior |
98
+ |-------|----------|
99
+ | **fast** | Skip — Security tidak dipanggil pada mode fast |
100
+ | **standard** | Mode S di Perencanaan (opsional); Mode D di `/release` (Hardening) |
101
+ | **deep** | Mode S wajib di Perencanaan; Mode A+B+C+D penuh di Hardening per-release |
102
+
103
+ ## Change Management
104
+ > 📎 **BACA DAN IKUTI** `agent/workflows/_shared/change-management.md` — perubahan standar keamanan WAJIB di-ADR dan notify semua engineer.
105
+
106
+ ## State Management
107
+ > 📎 **BACA DAN IKUTI** panduan di `agent/workflows/_shared/state-management.md`