forge-dev-framework 1.0.1 → 1.2.0

package/dist/templates/.claude/rules/security-baseline.md.template

@@ -0,0 +1,322 @@
+# Security Baseline — {{projectName}}
+
+> **Scope:** Security requirements and practices | **Loaded On-Demand**
+
+---
+
+## Security Principles
+
+{{#if securityPrinciples}}
+{{#each securityPrinciples}}
+- {{this}}
+{{/each}}
+{{else}}
+- **Never trust user input** — Validate, sanitize, verify
+- **Defense in depth** — Multiple layers of security
+- **Least privilege** — Minimal access required
+- **Fail secure** — Error states don't expose data
+- **Security by design** — Built in, not bolted on
+{{/if}}
+
+---
+
+## Authentication
+
+### Password Requirements
+{{#if passwordPolicy}}
+{{passwordPolicy}}
+{{else}}
+- Minimum 12 characters
+- Require: uppercase, lowercase, number, special char
+- Check against common password lists
+- No personal information (name, email)
+{{/if}}
+
+### Session Management
+{{#if sessionManagement}}
+{{sessionManagement}}
+{{else}}
+- JWT tokens with short expiration (15 minutes)
+- Refresh tokens with longer expiration (7 days)
+- httpOnly, secure, SameSite cookies
+- Invalidate on logout
+- Rotate tokens periodically
+{{/if}}
+
+### Multi-Factor Authentication
+{{#if mfa}}
+{{mfa}}
+{{else}}
+- Require MFA for admin accounts
+- Support TOTP (Google Authenticator)
+- Backup codes for recovery
+{{/if}}
+
+---
+
+## Authorization
+
+### Access Control
+{{#if accessControl}}
+{{accessControl}}
+{{else}}
+- Role-Based Access Control (RBAC)
+- Check permissions at every layer (API, service, data)
+- Default deny: explicit allow only
+- Audit all authorization decisions
+{{/if}}
+
+### Role Hierarchy
+{{#if roles}}
+{{#each roles}}
+- **{{this.name}}:** {{this.description}}
+{{/each}}
+{{else}}
+- **guest** — Unauthenticated access
+- **user** — Authenticated, basic access
+- **admin** — Full system access
+- **superadmin** — Emergency access, audit only
+{{/if}}
+
+---
+
+## Input Validation
+
+### Validation Rules
+{{#if inputValidation}}
+{{inputValidation}}
+{{else}}
+- Validate all inputs at API boundary
+- Use schema validation (Zod/Joi/Yup)
+- Whitelist allowed values (don't blacklist)
+- Sanitize HTML (DOMPurify)
+- Truncate excessively long inputs
+{{/if}}
+
+### SQL Injection Prevention
+{{#if sqlPrevention}}
+{{sqlPrevention}}
+{{else}}
+- Use parameterized queries only
+- Never concatenate SQL strings
+- Use ORM-provided query builders
+- Enable query logging in development
+{{/if}}
+
+### XSS Prevention
+{{#if xssPrevention}}
+{{xssPrevention}}
+{{else}}
+- Escape all user-generated content
+- Use CSP headers (Content-Security-Policy)
+- Set `httpOnly` cookies
+- Validate and sanitize file uploads
+{{/if}}
+
+---
+
+## Data Protection
+
+### Encryption at Rest
+{{#if encryptionAtRest}}
+{{encryptionAtRest}}
+{{else}}
+- Database: {{encryption.db}}
+- File storage: {{encryption.files}}
+- Secrets: {{encryption.secrets}}
+- Backup: {{encryption.backup}}
+{{/if}}
+
+### Encryption in Transit
+{{#if encryptionInTransit}}
+{{encryptionInTransit}}
+{{else}}
+- HTTPS only (TLS 1.3+)
+- HSTS headers enabled
+- Secure cipher suites only
+{{/if}}
+
+### PII Handling
+{{#if piiHandling}}
+{{piiHandling}}
+{{else}}
+- Identify all PII in code (comment: # PII)
+- Encrypt sensitive fields in database
+- Log PII only when necessary
+- Mask PII in logs (email: u***@example.com)
+{{/if}}
+
+---
+
+## API Security
+
+### Rate Limiting
+{{#if rateLimiting}}
+{{rateLimiting}}
+{{else}}
+- Per-IP limits for anonymous: 100/min
+- Per-user limits: 1000/min
+- Per-endpoint limits for expensive operations
+- Track with Redis, expire after window
+{{/if}}
+
+### API Key Management
+{{#if apiKeyManagement}}
+{{apiKeyManagement}}
+{{else}}
+- Rotate API keys quarterly
+- Include key owner in key metadata
+- Revoke immediately on leak
+- Monitor usage patterns
+{{/if}}
+
+### CORS Configuration
+{{#if cors}}
+{{cors}}
+{{else}}
+- Whitelist allowed origins only
+- Don't use `*` in production
+- Expose only necessary headers
+- Max age: 1 hour
+{{/if}}
+
+---
+
+## Dependencies
+
+### Supply Chain Security
+{{#if supplyChain}}
+{{supplyChain}}
+{{else}}
+- Lock dependency versions
+- Run `npm audit` in CI
+- Use Dependabot or Renovate
+- Review PR from dependabots
+- Pin action versions in GitHub Actions
+{{/if}}
+
+### Vulnerability Scanning
+{{#if vulnScanning}}
+{{vulnScanning}}
+{{else}}
+- SAST: {{sastTool}} in CI
+- SCA: {{scaTool}} for dependencies
+- DAST: {{dastTool}} on staging
+- Container scan: {{containerScanTool}}
+{{/if}}
+
+---
+
+## Secrets Management
+
+### Secrets Policy
+{{#if secretsPolicy}}
+{{secretsPolicy}}
+{{else}}
+- Never commit secrets to git
+- Use environment variables or vault
+- Rotate secrets quarterly
+- Different secrets per environment
+{{/if}}
+
+### Secrets Storage
+{{#if secretsStorage}}
+{{secretsStorage}}
+{{else}}
+- Development: `.env` (gitignored)
+- Production: {{secretsManager}}
+- CI/CD: {{ciSecrets}}
+{{/if}}
+
+---
+
+## Logging & Monitoring
+
+### Security Logging
+{{#if securityLogging}}
+{{securityLogging}}
+{{else}}
+Log all security events:
+- Failed authentication
+- Authorization failures
+- Rate limit violations
+- Admin actions
+- Data exports
+- Configuration changes
+
+Include:
+- Timestamp
+- User ID (if available)
+- IP address
+- Action
+- Result
+{{/if}}
+
+### Alerting
+{{#if alerting}}
+{{alerting}}
+{{else}}
+Alert on:
+- > 10 failed auth attempts / 5 min / IP
+- > 100 failed auth attempts / 5 min globally
+- New admin account created
+- Database backup accessed
+- Unusual data export volume
+{{/if}}
+
+---
+
+## Compliance
+
+{{#if compliance}}
+{{#each compliance}}
+### {{this.framework}}
+{{this.requirements}}
+{{/each}}
+{{/if}}
+
+---
+
+## Security Checklist
+
+Before deploying:
+{{#if deploymentChecklist}}
+{{#each deploymentChecklist}}
+- [ ] {{this}}
+{{/each}}
+{{else}}
+- [ ] All dependencies audited
+- [ ] No secrets in code
+- [ ] HTTPS enabled
+- [ ] CORS configured
+- [ ] Rate limiting enabled
+- [ ] Input validation on all endpoints
+- [ ] Authentication required for sensitive operations
+- [ ] Authorization checks on all endpoints
+- [ ] Security headers configured
+- [ ] Logging enabled
+- [ ] Error handling doesn't leak info
+- [ ] File upload validation
+- [ ] Database encryption enabled
+{{/if}}
+
+---
+
+## Incident Response
+
+{{#if incidentResponse}}
+{{incidentResponse}}
+{{else}}
+### Breach Response
+1. **Detect** — Monitoring/alerts fire
+2. **Contain** — Isolate affected systems
+3. **Investigate** — Determine scope and impact
+4. **Remediate** — Patch vulnerabilities
+5. **Recover** — Restore from backups if needed
+6. **Post-mortem** — Document and improve
+{{/if}}
+
+---
+
+> **Token Budget:** ~1000 tokens max
+> **Loaded On-Demand** — Only when working on security

package/dist/templates/.claude/rules/testing-standards.md.template

@@ -0,0 +1,280 @@
+# Testing Standards — {{projectName}}
+
+> **Scope:** All testing activities | **Loaded On-Demand**
+
+---
+
+## Testing Philosophy
+
+{{#if testingPhilosophy}}
+{{testingPhilosophy}}
+{{else}}
+- **Tests are documentation** — Readability matters
+- **Fast feedback** — Unit tests should run in < 1 second
+- **Test behavior, not implementation** — Black-box over white-box
+- **Arrange-Act-Assert** — Clear test structure
+- **One assertion per test** — When possible
+{{/if}}
+
+---
+
+## Test Structure
+
+### File Organization
+{{#if testStructure}}
+{{testStructure}}
+{{else}}
+```
+src/
+├── features/auth/
+│   ├── auth.service.ts
+│   ├── auth.service.test.ts      # Unit tests
+│   ├── auth.controller.ts
+│   └── auth.controller.test.ts   # Integration tests
+├── __tests__/
+│   ├── e2e/                      # End-to-end tests
+│   └── fixtures/                 # Test data, factories
+└── test/
+    ├── setup.ts                   # Global test setup
+    └── teardown.ts                # Global test teardown
+```
+{{/if}}
+
+### Test File Naming
+{{#if testNaming}}
+{{testNaming}}
+{{else}}
+- Unit tests: `*.test.ts` or `*.spec.ts`
+- E2E tests: `*.e2e.test.ts`
+- Co-locate tests with source code
+{{/if}}
+
+---
+
+## Unit Tests
+
+### What to Test
+{{#if unitTestScope}}
+{{unitTestScope}}
+{{else}}
+- **Business logic** — Pure functions, services
+- **Utilities** — Helpers, formatters
+- **Components** — React/Vue/Svelte components
+- **Hooks** — Custom React hooks
+
+### What NOT to Test
+- Third-party libraries (trust them)
+- Implementation details (private methods)
+- Trivial getters/setters
+{{/if}}
+
+### Test Template
+```typescript
+describe('{{feature}}', () => {
+  describe('{{scenario}}', () => {
+    it('{{expected outcome}}', () => {
+      // Arrange
+      const input = {
+        // setup
+      };
+
+      // Act
+      const result = doSomething(input);
+
+      // Assert
+      expect(result).toBe(expected);
+    });
+  });
+});
+```
+
+### Coverage Requirements
+{{#if coverage}}
+{{coverage}}
+{{else}}
+- Minimum: {{coverage.min}}% overall
+- Critical paths: 100%
+- New code: 100% before merge
+{{/if}}
+
+---
+
+## Integration Tests
+
+### Scope
+{{#if integrationScope}}
+{{integrationScope}}
+{{else}}
+- API endpoints with real database (in-memory)
+- Database interactions and migrations
+- Authentication/authorization flows
+- External service integrations (mocked)
+{{/if}}
+
+### Database Testing
+{{#if dbTesting}}
+{{dbTesting}}
+{{else}}
+- Use in-memory database for tests
+- Migrate up/down in `beforeAll`/`afterAll`
+- Seed test data in `beforeEach`
+- Clean tables in `afterEach`
+{{/if}}
+
+---
+
+## End-to-End Tests
+
+### Framework
+{{#if e2eFramework}}
+{{e2eFramework}}
+{{else}}
+- Use {{e2eTool}} (Playwright/Cypress)
+- Test critical user journeys
+- Run in CI before deployment
+{{/if}}
+
+### E2E Test Checklist
+{{#if e2eChecklist}}
+{{e2eChecklist}}
+{{else}}
+{{#each e2eScenarios}}
+- {{this}}
+{{/each}}
+{{/if}}
+
+---
+
+## Test Data Management
+
+### Factories & Fixtures
+{{#if testFactories}}
+{{testFactories}}
+{{else}}
+Use factories for test data:
+
+```typescript
+// test/factories/user.factory.ts
+export const userFactory = (overrides = {}) => ({
+  id: 'user-1',
+  email: 'test@example.com',
+  name: 'Test User',
+  role: 'user',
+  ...overrides,
+});
+```
+{{/if}}
+
+### Seeding Strategy
+{{#if seedingStrategy}}
+{{seedingStrategy}}
+{{else}}
+- Use deterministic IDs
+- Clean database between tests
+- Use transactions when possible
+{{/if}}
+
+---
+
+## Mocking & Stubbing
+
+### Mocking Guidelines
+{{#if mockingGuidelines}}
+{{mockingGuidelines}}
+{{else}}
+- Mock external services only
+- Prefer real implementations over mocks
+- Clear mocks in `afterEach`
+- Verify mock calls when relevant
+{{/if}}
+
+### Example
+```typescript
+jest.mock('./external-api', () => ({
+  getData: jest.fn().mockResolvedValue({ data: 'mock' }),
+}));
+
+// In test
+await expect(action()).resolves.toEqual(expected);
+expect(externalApi.getData).toHaveBeenCalledWith(expectedArgs);
+```
+
+---
+
+## Performance Tests
+
+{{#if performanceTests}}
+{{performanceTests}}
+{{else}}
+- Load test API endpoints (k6, artillery)
+- Benchmark critical functions
+- Test database query performance
+- Set performance budgets in CI
+{{/if}}
+
+---
+
+## Security Tests
+
+{{#if securityTests}}
+{{securityTests}}
+{{else}}
+- Test authentication bypass attempts
+- Test authorization checks
+- Test input validation (SQL injection, XSS)
+- Test rate limiting
+- Run SAST/DAST scans in CI
+{{/if}}
+
+---
+
+## Test Commands
+
+{{#if testCommands}}
+{{testCommands}}
+{{else}}
+```bash
+# Run all tests
+npm test
+
+# Run with coverage
+npm test -- --coverage
+
+# Run watch mode
+npm test -- --watch
+
+# Run specific test file
+npm test -- auth.service.test
+
+# Run E2E tests
+npm run test:e2e
+
+# Run performance tests
+npm run test:performance
+```
+{{/if}}
+
+---
+
+## CI/CD Integration
+
+{{#if ciTesting}}
+{{ciTesting}}
+{{else}}
+### Required Checks
+- Unit tests pass
+- Coverage threshold met
+- E2E tests pass (on main branch)
+- Security scan passes
+- Linting passes
+
+### Test Results
+- Upload coverage reports
+- Visualize test trends
+- Report flaky tests
+{{/if}}
+
+---
+
+> **Token Budget:** ~1000 tokens max
+> **Loaded On-Demand** — Only when working on tests