npm - devflow-kit - Versions diffs - 0.9.0 → 1.1.0 - Mend

devflow-kit 0.9.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (414) hide show

package/shared/skills/security-patterns/references/violations.md ADDED Viewed

@@ -0,0 +1,237 @@
+# Security Violation Examples
+Extended violation patterns for security reviews. Reference from main SKILL.md.
+## Injection Vulnerabilities
+### SQL Injection
+```typescript
+// VULNERABLE: String interpolation in query
+const user = await db.query(`SELECT * FROM users WHERE id = '${userId}'`);
+const result = await db.query(`SELECT * FROM products WHERE name LIKE '%${search}%'`);
+```
+### NoSQL Injection
+```typescript
+// VULNERABLE: Direct object from request
+const user = await db.users.findOne({ username: req.body.username });
+// Attacker sends: { username: { $gt: "" } }
+// VULNERABLE: $where operator accepts arbitrary JS
+db.users.find({ $where: `this.name === '${userInput}'` });
+// VULNERABLE: regex injection
+db.users.find({ name: { $regex: userInput } });
+// Attacker sends: ".*" (matches everything)
+```
+### Command Injection
+```typescript
+// VULNERABLE: User input in shell command
+exec(`ls ${userInput}`);
+exec(`convert ${filename} output.png`);
+exec(`ping -c 4 ${hostname}`);
+// Dangerous characters: ; | & $ ` ( ) < > \ ' "
+// Example attack: userInput = "file.txt; rm -rf /"
+```
+### Path Traversal
+```typescript
+// VULNERABLE: Direct path concatenation
+const file = req.params.filename;
+fs.readFile(`./uploads/${file}`);  // Attacker: ../../../etc/passwd
+// VULNERABLE: Encoded traversal
+// Attacker sends: %2e%2e%2f%2e%2e%2fetc/passwd (URL encoded ../..)
+const decoded = decodeURIComponent(req.params.filename);
+fs.readFile(`./uploads/${decoded}`);
+// VULNERABLE: Double encoding
+// Attacker sends: %252e%252e%252f (double-encoded ../)
+```
+### LDAP Injection
+```typescript
+// VULNERABLE: Unescaped LDAP filter
+const filter = `(uid=${username})`;
+ldap.search(baseDN, filter);
+// Attacker: username = "admin)(&(password=*)"
+```
+### Template Injection (SSTI)
+```typescript
+// VULNERABLE: User input in template
+const template = `Hello ${req.body.name}!`;
+ejs.render(template);
+// Attacker: name = "<%= process.env.SECRET %>"
+```
+### Header Injection
+```typescript
+// VULNERABLE: CRLF injection
+res.setHeader('Location', `/user/${userInput}`);
+// Attacker: userInput = "test\r\nSet-Cookie: admin=true"
+```
+---
+## Authentication Vulnerabilities
+### Weak Password Policies
+```typescript
+// VULNERABLE: Weak password requirements
+if (password.length >= 6) { /* accept */ }
+```
+### Session Management Issues
+```typescript
+// VULNERABLE: Session ID in URL
+app.get('/dashboard?session=abc123');
+// VULNERABLE: Predictable session IDs
+const sessionId = `user_${userId}`;
+// VULNERABLE: No session timeout or rotation
+```
+### JWT Misuse
+```typescript
+// VULNERABLE: Weak secret
+jwt.sign(payload, 'secret123');
+// VULNERABLE: No expiration
+jwt.sign(payload, secret);
+// VULNERABLE: Algorithm confusion (accepts 'none')
+jwt.verify(token, secret);  // Without algorithm specification
+```
+### Missing Authorization
+```typescript
+// VULNERABLE: No auth checks
+app.delete('/api/users/:id', async (req, res) => {
+  await deleteUser(req.params.id);  // No auth check!
+});
+```
+---
+## Cryptography Vulnerabilities
+### Hardcoded Secrets
+```typescript
+// VULNERABLE: Secrets in code
+const API_KEY = 'sk-abc123xyz789';
+const dbPassword = 'admin123';
+const jwtSecret = 'mysecret';
+// VULNERABLE: Secrets in config files
+const config = {
+  database: {
+    password: 'prod_password_123'
+  },
+  api: {
+    key: 'sk-live-abcdef123456'
+  }
+};
+```
+### Weak Cryptography
+```typescript
+// VULNERABLE: Broken hash algorithms
+crypto.createHash('md5').update(password);  // MD5 is broken
+crypto.createHash('sha1').update(password);  // SHA1 weak for passwords
+// VULNERABLE: Using password directly as key
+const key = password;
+crypto.createCipheriv('aes-256-gcm', key, iv);
+```
+### Insecure Random
+```typescript
+// VULNERABLE: Predictable random
+const token = Math.random().toString(36);  // Predictable!
+const id = Date.now().toString();
+const code = Math.floor(Math.random() * 1000000);
+```
+### Weak Encryption
+```typescript
+// VULNERABLE: ECB mode (patterns visible)
+crypto.createCipheriv('aes-256-ecb', key, null);
+// VULNERABLE: No authentication (CBC without HMAC)
+crypto.createCipheriv('aes-256-cbc', key, iv);
+```
+### Timing Attacks
+```typescript
+// VULNERABLE: Early exit reveals length info
+function verifyToken(provided: string, stored: string): boolean {
+  return provided === stored; // Early exit reveals info
+}
+```
+---
+## Detection Grep Commands
+### Injection Detection
+```bash
+# SQL Injection
+grep -rn "query.*\${" --include="*.ts" --include="*.js"
+grep -rn "query.*+ " --include="*.ts" --include="*.js"
+grep -rn "execute.*\`" --include="*.ts" --include="*.js"
+# NoSQL Injection
+grep -rn "findOne.*req\.\|find.*req\." --include="*.ts" --include="*.js"
+grep -rn "\$where" --include="*.ts" --include="*.js"
+# Command Injection
+grep -rn "exec\s*\(" --include="*.ts" --include="*.js"
+grep -rn "spawn.*\`\|execSync.*\`" --include="*.ts" --include="*.js"
+# Path Traversal
+grep -rn "readFile.*req\.\|readFileSync.*req\." --include="*.ts" --include="*.js"
+grep -rn "path\.join.*req\." --include="*.ts" --include="*.js"
+```
+### Auth Detection
+```bash
+# Missing auth middleware
+grep -rn "app\.\(get\|post\|put\|delete\).*async" --include="*.ts" --include="*.js" | \
+  grep -v "requireAuth\|isAuthenticated\|authorize"
+# Weak JWT configuration
+grep -rn "jwt\.sign\|jwt\.verify" --include="*.ts" --include="*.js" -A 5 | \
+  grep -v "algorithm\|expiresIn"
+# Session issues
+grep -rn "session\|cookie" --include="*.ts" --include="*.js" | \
+  grep -v "httpOnly\|secure\|sameSite"
+# Password handling
+grep -rn "password.*length" --include="*.ts" --include="*.js"
+```
+### Crypto Detection
+```bash
+# Hardcoded secrets
+grep -rn "password.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "api.key.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "secret.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "sk-\|pk-\|api_" --include="*.ts" --include="*.js"
+# Weak crypto
+grep -rn "createHash.*md5\|sha1" --include="*.ts" --include="*.js"
+grep -rn "DES\|RC4\|Blowfish" --include="*.ts" --include="*.js"
+grep -rn "aes-.*-ecb\|aes-.*-cbc" --include="*.ts" --include="*.js"
+# Insecure random
+grep -rn "Math.random" --include="*.ts" --include="*.js"
+grep -rn "Date.now.*id\|Date.now.*token" --include="*.ts" --include="*.js"
+# String comparison for secrets
+grep -rn "token.*===\|secret.*===\|key.*===" --include="*.ts" --include="*.js"
+```

package/shared/skills/self-review/SKILL.md ADDED Viewed

@@ -0,0 +1,149 @@
+---
+name: self-review
+description: Self-review framework evaluating implementation quality against 9 pillars (correctness, completeness, security, performance, maintainability, testing, documentation, error handling, simplicity). Fixes P0/P1 issues immediately rather than reporting them. Used by the Scrutinizer agent as a quality gate.
+user-invocable: false
+allowed-tools: Read, Grep, Glob, Edit, Write, Bash
+---
+# Self-Review Framework
+Systematic self-review for the Scrutinizer agent. Evaluate implementation against 9 pillars. **Fix issues, don't just report them.**
+Based on [Google Engineering Practices](https://google.github.io/eng-practices/review/reviewer/looking-for.html).
+## Iron Law
+> **FIX BEFORE RETURNING**
+>
+> Self-review is not a report generator. It's a quality gate. If you find a P0 or P1 issue,
+> you fix it. You only return when all critical issues are resolved. Pride in craftsmanship.
+---
+## The 9 Pillars
+| Priority | Action | Pillars |
+|----------|--------|---------|
+| **P0** | MUST fix | Design, Functionality, Security |
+| **P1** | SHOULD fix | Complexity, Error Handling, Tests |
+| **P2** | FIX if time | Naming, Consistency, Documentation |
+### P0 - Design
+Does the implementation fit the architecture? Follows existing patterns, respects layer boundaries, dependencies injected.
+### P0 - Functionality
+Does the code work? Happy path, edge cases (null, empty, boundary), no race conditions.
+### P0 - Security
+Any vulnerabilities? No injection, input validated, no hardcoded secrets, auth checked.
+### P1 - Complexity
+Understandable in 5 minutes? Functions < 50 lines, nesting < 4 levels, no magic numbers.
+### P1 - Error Handling
+Errors handled explicitly? No swallowed exceptions, helpful messages, resources cleaned up.
+### P1 - Tests
+New code tested? Covers happy path, errors, edges. Tests behavior, not implementation.
+### P2 - Naming
+Names clear and descriptive? No cryptic abbreviations, consistent style.
+### P2 - Consistency
+Matches existing patterns? Same style, same conventions, no unnecessary divergence.
+### P2 - Documentation
+Will others understand? Complex logic commented, public APIs documented, no outdated comments.
+---
+## Quick Examples
+### Design Red Flag
+```typescript
+// BAD: Direct DB in controller (violates layers)
+class UserController {
+  async getUser(req, res) {
+    const user = await db.query('SELECT * FROM users WHERE id = ?', [req.params.id]);
+  }
+}
+```
+### Security Red Flag
+```typescript
+// BAD: SQL injection
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+// BAD: Missing auth
+app.delete('/api/users/:id', async (req, res) => {
+  await deleteUser(req.params.id);  // No auth check!
+});
+```
+---
+## Self-Review Process
+### Step 1: Gather Changes
+```bash
+git diff --name-only HEAD~1
+git diff HEAD~1
+```
+### Step 2: Evaluate P0 Pillars
+Check Design, Functionality, Security. If issues found and fixable, fix immediately. If unfixable, STOP and report blocker.
+### Step 3: Evaluate P1 Pillars
+Check Complexity, Error Handling, Tests. Fix issues found.
+### Step 4: Evaluate P2 Pillars
+Check Naming, Consistency, Documentation. Fix if time permits.
+### Step 5: Generate Report
+Document status of each pillar, fixes applied, and overall readiness.
+---
+## Output Format
+```markdown
+## Self-Review Report
+### P0 Pillars
+- Design: PASS/FIXED
+- Functionality: PASS/FIXED
+- Security: PASS/FIXED
+### P1 Pillars
+- Complexity: PASS/FIXED
+- Error Handling: PASS/FIXED
+- Tests: PASS/FIXED
+### P2 Pillars
+- Naming: PASS/FIXED/SKIP
+- Consistency: PASS/FIXED/SKIP
+- Documentation: PASS/FIXED/SKIP
+### Summary
+Issues Found: {n}, Fixed: {n}
+Status: READY / BLOCKED
+```
+---
+## Extended References
+For detailed checklists, examples, and red flags for each pillar:
+- See `references/pillars.md`
+For complete report templates and examples:
+- See `references/report-template.md`
+---
+## Integration
+Used by:
+- **Scrutinizer agent**: Dedicated self-review in fresh context after Coder completes
+The self-review ensures implementations meet quality standards before external review, catching issues early.