devflow-kit 0.9.0 → 1.1.0

package/plugins/devflow-code-review/skills/security-patterns/references/violations.md

@@ -0,0 +1,237 @@
+# Security Violation Examples
+
+Extended violation patterns for security reviews. Reference from main SKILL.md.
+
+## Injection Vulnerabilities
+
+### SQL Injection
+```typescript
+// VULNERABLE: String interpolation in query
+const user = await db.query(`SELECT * FROM users WHERE id = '${userId}'`);
+const result = await db.query(`SELECT * FROM products WHERE name LIKE '%${search}%'`);
+```
+
+### NoSQL Injection
+```typescript
+// VULNERABLE: Direct object from request
+const user = await db.users.findOne({ username: req.body.username });
+// Attacker sends: { username: { $gt: "" } }
+
+// VULNERABLE: $where operator accepts arbitrary JS
+db.users.find({ $where: `this.name === '${userInput}'` });
+
+// VULNERABLE: regex injection
+db.users.find({ name: { $regex: userInput } });
+// Attacker sends: ".*" (matches everything)
+```
+
+### Command Injection
+```typescript
+// VULNERABLE: User input in shell command
+exec(`ls ${userInput}`);
+exec(`convert ${filename} output.png`);
+exec(`ping -c 4 ${hostname}`);
+
+// Dangerous characters: ; | & $ ` ( ) < > \ ' "
+// Example attack: userInput = "file.txt; rm -rf /"
+```
+
+### Path Traversal
+```typescript
+// VULNERABLE: Direct path concatenation
+const file = req.params.filename;
+fs.readFile(`./uploads/${file}`);  // Attacker: ../../../etc/passwd
+
+// VULNERABLE: Encoded traversal
+// Attacker sends: %2e%2e%2f%2e%2e%2fetc/passwd (URL encoded ../..)
+const decoded = decodeURIComponent(req.params.filename);
+fs.readFile(`./uploads/${decoded}`);
+
+// VULNERABLE: Double encoding
+// Attacker sends: %252e%252e%252f (double-encoded ../)
+```
+
+### LDAP Injection
+```typescript
+// VULNERABLE: Unescaped LDAP filter
+const filter = `(uid=${username})`;
+ldap.search(baseDN, filter);
+// Attacker: username = "admin)(&(password=*)"
+```
+
+### Template Injection (SSTI)
+```typescript
+// VULNERABLE: User input in template
+const template = `Hello ${req.body.name}!`;
+ejs.render(template);
+// Attacker: name = "<%= process.env.SECRET %>"
+```
+
+### Header Injection
+```typescript
+// VULNERABLE: CRLF injection
+res.setHeader('Location', `/user/${userInput}`);
+// Attacker: userInput = "test\r\nSet-Cookie: admin=true"
+```
+
+---
+
+## Authentication Vulnerabilities
+
+### Weak Password Policies
+```typescript
+// VULNERABLE: Weak password requirements
+if (password.length >= 6) { /* accept */ }
+```
+
+### Session Management Issues
+```typescript
+// VULNERABLE: Session ID in URL
+app.get('/dashboard?session=abc123');
+
+// VULNERABLE: Predictable session IDs
+const sessionId = `user_${userId}`;
+
+// VULNERABLE: No session timeout or rotation
+```
+
+### JWT Misuse
+```typescript
+// VULNERABLE: Weak secret
+jwt.sign(payload, 'secret123');
+
+// VULNERABLE: No expiration
+jwt.sign(payload, secret);
+
+// VULNERABLE: Algorithm confusion (accepts 'none')
+jwt.verify(token, secret);  // Without algorithm specification
+```
+
+### Missing Authorization
+```typescript
+// VULNERABLE: No auth checks
+app.delete('/api/users/:id', async (req, res) => {
+  await deleteUser(req.params.id);  // No auth check!
+});
+```
+
+---
+
+## Cryptography Vulnerabilities
+
+### Hardcoded Secrets
+```typescript
+// VULNERABLE: Secrets in code
+const API_KEY = 'sk-abc123xyz789';
+const dbPassword = 'admin123';
+const jwtSecret = 'mysecret';
+
+// VULNERABLE: Secrets in config files
+const config = {
+  database: {
+    password: 'prod_password_123'
+  },
+  api: {
+    key: 'sk-live-abcdef123456'
+  }
+};
+```
+
+### Weak Cryptography
+```typescript
+// VULNERABLE: Broken hash algorithms
+crypto.createHash('md5').update(password);  // MD5 is broken
+crypto.createHash('sha1').update(password);  // SHA1 weak for passwords
+
+// VULNERABLE: Using password directly as key
+const key = password;
+crypto.createCipheriv('aes-256-gcm', key, iv);
+```
+
+### Insecure Random
+```typescript
+// VULNERABLE: Predictable random
+const token = Math.random().toString(36);  // Predictable!
+const id = Date.now().toString();
+const code = Math.floor(Math.random() * 1000000);
+```
+
+### Weak Encryption
+```typescript
+// VULNERABLE: ECB mode (patterns visible)
+crypto.createCipheriv('aes-256-ecb', key, null);
+
+// VULNERABLE: No authentication (CBC without HMAC)
+crypto.createCipheriv('aes-256-cbc', key, iv);
+```
+
+### Timing Attacks
+```typescript
+// VULNERABLE: Early exit reveals length info
+function verifyToken(provided: string, stored: string): boolean {
+  return provided === stored; // Early exit reveals info
+}
+```
+
+---
+
+## Detection Grep Commands
+
+### Injection Detection
+```bash
+# SQL Injection
+grep -rn "query.*\${" --include="*.ts" --include="*.js"
+grep -rn "query.*+ " --include="*.ts" --include="*.js"
+grep -rn "execute.*\`" --include="*.ts" --include="*.js"
+
+# NoSQL Injection
+grep -rn "findOne.*req\.\|find.*req\." --include="*.ts" --include="*.js"
+grep -rn "\$where" --include="*.ts" --include="*.js"
+
+# Command Injection
+grep -rn "exec\s*\(" --include="*.ts" --include="*.js"
+grep -rn "spawn.*\`\|execSync.*\`" --include="*.ts" --include="*.js"
+
+# Path Traversal
+grep -rn "readFile.*req\.\|readFileSync.*req\." --include="*.ts" --include="*.js"
+grep -rn "path\.join.*req\." --include="*.ts" --include="*.js"
+```
+
+### Auth Detection
+```bash
+# Missing auth middleware
+grep -rn "app\.\(get\|post\|put\|delete\).*async" --include="*.ts" --include="*.js" | \
+  grep -v "requireAuth\|isAuthenticated\|authorize"
+
+# Weak JWT configuration
+grep -rn "jwt\.sign\|jwt\.verify" --include="*.ts" --include="*.js" -A 5 | \
+  grep -v "algorithm\|expiresIn"
+
+# Session issues
+grep -rn "session\|cookie" --include="*.ts" --include="*.js" | \
+  grep -v "httpOnly\|secure\|sameSite"
+
+# Password handling
+grep -rn "password.*length" --include="*.ts" --include="*.js"
+```
+
+### Crypto Detection
+```bash
+# Hardcoded secrets
+grep -rn "password.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "api.key.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "secret.*=.*['\"]" --include="*.ts" --include="*.js"
+grep -rn "sk-\|pk-\|api_" --include="*.ts" --include="*.js"
+
+# Weak crypto
+grep -rn "createHash.*md5\|sha1" --include="*.ts" --include="*.js"
+grep -rn "DES\|RC4\|Blowfish" --include="*.ts" --include="*.js"
+grep -rn "aes-.*-ecb\|aes-.*-cbc" --include="*.ts" --include="*.js"
+
+# Insecure random
+grep -rn "Math.random" --include="*.ts" --include="*.js"
+grep -rn "Date.now.*id\|Date.now.*token" --include="*.ts" --include="*.js"
+
+# String comparison for secrets
+grep -rn "token.*===\|secret.*===\|key.*===" --include="*.ts" --include="*.js"
+```

package/plugins/devflow-code-review/skills/test-patterns/SKILL.md

@@ -0,0 +1,183 @@
+---
+name: test-patterns
+description: This skill should be used when the user asks to "write tests", "fix failing tests", "improve test coverage", "add integration tests", "debug a flaky test", or reviews test quality. Provides behavior-focused testing patterns, coverage analysis, and detection of brittle test anti-patterns like implementation coupling and non-deterministic assertions.
+user-invocable: false
+allowed-tools: Read, Grep, Glob, AskUserQuestion
+activation:
+  file-patterns:
+    - "**/*.test.*"
+    - "**/*.spec.*"
+    - "**/test/**"
+    - "**/tests/**"
+    - "**/__tests__/**"
+  exclude:
+    - "node_modules/**"
+---
+
+# Test Patterns
+
+## Iron Law
+
+> **TESTS VALIDATE BEHAVIOR, NOT IMPLEMENTATION**
+>
+> A test should fail when behavior breaks, not when implementation changes. If refactoring
+> breaks tests without changing behavior, the tests are wrong. Mock boundaries, not internals.
+> Test the contract, not the code. If tests are hard to write, the design is wrong — fix the
+> architecture, not the tests.
+
+---
+
+## Test Design Red Flags
+
+### 1. Complex Setup
+
+**RED FLAG**: Test setup >10 lines means the design is wrong.
+
+```typescript
+// VIOLATION: Too many dependencies
+beforeEach(async () => {
+  mockDb = new MockDatabase();
+  await mockDb.connect();
+  mockCache = new MockCache();
+  // ... 10+ more lines
+  service = new UserService(mockDb, mockCache, mockLogger, mockConfig);
+});
+
+// CORRECT: Simple setup
+it('should return Ok with valid data', () => {
+  const result = createUser({ name: 'test', email: 'test@example.com' });
+  expect(result.ok).toBe(true);
+});
+```
+
+**Detection**: `beforeEach` >10 lines, multiple mocks, async setup, database seeding
+
+### 2. Repetitive Boilerplate
+
+**RED FLAG**: Same pattern repeated >3 times means the API is wrong.
+
+```typescript
+// VIOLATION: Try/catch everywhere
+try { await api.createUser(data); fail(); } catch (e) { expect(e.status).toBe(400); }
+
+// CORRECT: Result types eliminate repetition
+const result = createUser(invalidData);
+expect(result.ok).toBe(false);
+expect(result.error.type).toBe('ValidationError');
+```
+
+### 3. Difficult Mocking
+
+**RED FLAG**: Mock setup >20 lines means dependencies are wrong.
+
+```typescript
+// VIOLATION: Nested mock structures
+mockDb = { transaction: jest.fn(), orders: { create: jest.fn(), update: jest.fn() } };
+
+// CORRECT: Pure functions need no mocking
+const result = processOrder(order);
+expect(result.ok).toBe(true);
+```
+
+### 4. Implementation Testing
+
+**RED FLAG**: Testing internals means tests are fragile.
+
+```typescript
+// VIOLATION: Spying on private methods
+const spy = jest.spyOn(cart as any, 'updateTotal');
+expect(spy).toHaveBeenCalled();
+
+// CORRECT: Test observable behavior
+expect(cart.getTotal()).toBe(10);
+```
+
+---
+
+## Coverage & Review
+
+### Coverage Issues
+
+- **Untested new code**: New functions/branches without corresponding tests
+- **Missing edge cases**: Only happy path tested, no error paths
+- **Missing error paths**: `throw`/`reject` in source without matching test assertions
+
+### Test Quality Issues
+
+- **Brittle tests**: Testing HOW (mock call verification) not WHAT (outcome)
+- **Unclear test names**: `it('test1')` instead of `it('validates email format on creation')`
+- **Missing AAA structure**: Mixed arrange/act/assert without clear separation
+
+### Mocking Issues
+
+- **Over-mocking**: Everything mocked, nothing actually tested
+- **Mocking third-party internals**: Mock at your own interface boundary instead
+
+---
+
+## Severity Guidelines
+
+| Severity | Criteria |
+|----------|----------|
+| **CRITICAL** | Tests pass but don't verify behavior; critical paths untested; tests mock everything |
+| **HIGH** | Missing error path coverage; flaky tests; extremely slow (>10s); >10 line setup |
+| **MEDIUM** | Some edge cases missing; weak assertions; unclear structure |
+| **LOW** | Organization could improve; naming could be clearer |
+
+---
+
+## Test Suite Safety
+
+```typescript
+// vitest.config.ts / jest.config.js
+{ fileParallelism: false, maxWorkers: 1, testTimeout: 10000 }
+```
+
+```bash
+NODE_OPTIONS="--max-old-space-size=512" npm test
+```
+
+---
+
+## Extended References
+
+For comprehensive examples and detection patterns:
+
+| Reference | Contents |
+|-----------|----------|
+| `references/violations.md` | Full violation examples for all categories |
+| `references/patterns.md` | Correct test patterns and organization |
+| `references/detection.md` | Bash commands for automated detection |
+| `references/report-template.md` | Full report format for documenting issues |
+
+---
+
+## Quality Gates
+
+Tests pass design review when:
+- [ ] Setup code <10 lines per test file
+- [ ] No repetitive try/catch or error handling patterns
+- [ ] Mocking requires <5 lines of setup
+- [ ] No spying on private methods or internal state
+- [ ] Tests verify behavior, not implementation details
+- [ ] Pure business logic testable without mocks
+- [ ] New code has corresponding tests
+- [ ] All branches covered (happy path + errors + edge cases)
+- [ ] Test names describe expected behavior
+- [ ] Tests follow Arrange-Act-Assert structure
+- [ ] No real delays (use mocked timers)
+- [ ] No flaky patterns (race conditions, timing dependencies)
+
+---
+
+## Review Checklist
+
+- [ ] New code has corresponding tests
+- [ ] All branches covered (happy path + errors + edge cases)
+- [ ] Tests verify behavior, not implementation
+- [ ] Test names describe expected behavior
+- [ ] Tests follow Arrange-Act-Assert structure
+- [ ] No real delays (use mocked timers)
+- [ ] Assertions are specific and meaningful
+- [ ] Mocking limited to boundaries (not internals)
+- [ ] No flaky patterns (race conditions, timing dependencies)

package/plugins/devflow-code-review/skills/test-patterns/references/detection.md

@@ -0,0 +1,149 @@
+# Test Issue Detection
+
+Commands and patterns for detecting test quality issues.
+
+---
+
+## Coverage Detection
+
+### Find Untested Functions
+
+```bash
+# List exported functions in source
+grep -rn "export function\|export async function" --include="*.ts" src/ | cut -d: -f1,3 | sort
+
+# List tested functions
+grep -rn "describe\|it\(" --include="*.test.ts" | grep -oE "'[^']+'" | sort -u
+
+# Compare to find gaps (manual comparison needed)
+```
+
+### Find Missing Error Tests
+
+```bash
+# Count error-throwing code in source
+grep -rn "throw\|reject\|Error" --include="*.ts" src/ | grep -v test | wc -l
+
+# Count error test assertions
+grep -rn "rejects.toThrow\|toThrow\|toThrowError" --include="*.test.ts" | wc -l
+
+# Large discrepancy indicates missing error tests
+```
+
+---
+
+## Quality Detection
+
+### Tests Without Assertions
+
+```bash
+# Find test blocks that may lack assertions
+grep -rn "it\(.*=>" --include="*.test.ts" -A20 | grep -v "expect" | head -50
+
+# Find empty test blocks
+grep -rn "it\(.*{\s*}\)" --include="*.test.ts"
+```
+
+### Weak Assertions
+
+```bash
+# Find overly permissive assertions
+grep -rn "toBeDefined\|toBeTruthy\|not.toBeNull\|not.toBeUndefined" --include="*.test.ts"
+
+# Count for comparison with strong assertions
+grep -rn "toEqual\|toMatchObject\|toHaveLength\|toBe(" --include="*.test.ts" | wc -l
+```
+
+### Implementation Testing
+
+```bash
+# Find tests that verify mock calls (may indicate implementation testing)
+grep -rn "toHaveBeenCalledWith\|toHaveBeenCalled\|toHaveBeenCalledTimes" --include="*.test.ts"
+```
+
+---
+
+## Design Detection
+
+### Slow Tests
+
+```bash
+# Find tests with long timeouts (>5000ms)
+grep -rn "}, [0-9][0-9][0-9][0-9][0-9])" --include="*.test.ts"
+
+# Find real delays in tests
+grep -rn "setTimeout\|sleep\|delay" --include="*.test.ts"
+```
+
+### Complex Setup
+
+```bash
+# Find tests with many mock objects
+grep -rn "jest.fn\|sinon.stub\|mock" --include="*.test.ts" | cut -d: -f1 | uniq -c | sort -rn | head -10
+
+# Find long beforeEach blocks
+grep -rn "beforeEach" --include="*.test.ts" -A30 | head -100
+```
+
+---
+
+## Mocking Detection
+
+### Over-Mocking
+
+```bash
+# Count mocks per test file
+for f in $(find . -name "*.test.ts" -type f); do
+  count=$(grep -c "jest.fn\|mock" "$f" 2>/dev/null || echo 0)
+  echo "$count $f"
+done | sort -rn | head -20
+
+# Files with >20 mocks may be over-mocked
+```
+
+### Third-Party Library Mocking
+
+```bash
+# Find jest.mock of node_modules
+grep -rn "jest.mock\(['\"]" --include="*.test.ts" | grep -v "\./" | grep -v "\.\./"
+
+# These should be wrapped in interfaces instead
+```
+
+---
+
+## Summary Report Script
+
+```bash
+#!/bin/bash
+# test-health-check.sh - Quick test quality assessment
+
+echo "=== Test Health Check ==="
+echo ""
+
+echo "Coverage Indicators:"
+echo "  Source functions: $(grep -rn 'export function' --include='*.ts' src/ 2>/dev/null | wc -l)"
+echo "  Test blocks: $(grep -rn 'it\(' --include='*.test.ts' 2>/dev/null | wc -l)"
+echo ""
+
+echo "Quality Indicators:"
+echo "  Strong assertions: $(grep -rn 'toEqual\|toMatchObject' --include='*.test.ts' 2>/dev/null | wc -l)"
+echo "  Weak assertions: $(grep -rn 'toBeDefined\|toBeTruthy' --include='*.test.ts' 2>/dev/null | wc -l)"
+echo ""
+
+echo "Design Indicators:"
+echo "  Long timeouts: $(grep -rn '}, [0-9]\{5,\})' --include='*.test.ts' 2>/dev/null | wc -l)"
+echo "  Mock count: $(grep -rn 'jest.fn\|mock' --include='*.test.ts' 2>/dev/null | wc -l)"
+```
+
+---
+
+## Test Coverage Guidelines
+
+| Code Type | Required Coverage | Test Type |
+|-----------|-------------------|-----------|
+| Business logic | 90%+ | Unit tests |
+| API endpoints | 80%+ | Integration tests |
+| UI components | 70%+ | Component tests |
+| Utilities | 100% | Unit tests |
+| Error paths | 100% | Unit tests |