kiro-agent-team 1.0.0

package/.kiro/prompts/code-review-security.md

@@ -0,0 +1,454 @@
+# Security-Focused Code Review
+
+## Security Code Review Framework
+
+This specialized code review framework focuses on identifying security vulnerabilities, validating security controls, and ensuring compliance with security best practices.
+
+## Security Review Process
+
+### Phase 1: Security Context Analysis
+**Security Review Preparation:**
+- Identify security-sensitive components and data flows
+- Review threat model and security requirements
+- Understand compliance requirements and standards
+- Analyze attack surface and potential vulnerabilities
+- Review previous security findings and remediation
+
+**Security Context Questions:**
+- What security-sensitive operations are being performed?
+- What data is being processed and how sensitive is it?
+- What authentication and authorization controls are in place?
+- What external interfaces and integrations exist?
+- What compliance requirements apply to this code?
+
+### Phase 2: Vulnerability Assessment
+**Common Vulnerability Categories:**
+
+#### Authentication and Session Management
+```typescript
+// ❌ SECURITY ISSUE: Weak password requirements
+const isValidPassword = (password: string) => password.length >= 6;
+
+// ✅ SECURE: Strong password requirements
+const isValidPassword = (password: string) => {
+  const minLength = 12;
+  const hasUpperCase = /[A-Z]/.test(password);
+  const hasLowerCase = /[a-z]/.test(password);
+  const hasNumbers = /\d/.test(password);
+  const hasSpecialChar = /[!@#$%^&*(),.?":{}|<>]/.test(password);
+  
+  return password.length >= minLength && 
+         hasUpperCase && 
+         hasLowerCase && 
+         hasNumbers && 
+         hasSpecialChar;
+};
+
+// ❌ SECURITY ISSUE: JWT secret in code
+const JWT_SECRET = 'mysecret123';
+
+// ✅ SECURE: JWT secret from environment
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET) {
+  throw new Error('JWT_SECRET environment variable is required');
+}
+```
+
+#### Input Validation and Injection Prevention
+```typescript
+// ❌ SECURITY ISSUE: SQL injection vulnerability
+const getUserById = async (id: string) => {
+  const query = `SELECT * FROM users WHERE id = '${id}'`;
+  return await db.query(query);
+};
+
+// ✅ SECURE: Parameterized query
+const getUserById = async (id: string) => {
+  const query = 'SELECT * FROM users WHERE id = $1';
+  return await db.query(query, [id]);
+};
+
+// ❌ SECURITY ISSUE: XSS vulnerability
+const displayUserName = (name: string) => {
+  return `<h1>Welcome ${name}</h1>`;
+};
+
+// ✅ SECURE: Proper escaping
+import DOMPurify from 'isomorphic-dompurify';
+
+const displayUserName = (name: string) => {
+  const sanitizedName = DOMPurify.sanitize(name);
+  return `<h1>Welcome ${sanitizedName}</h1>`;
+};
+```
+
+#### Authorization and Access Control
+```typescript
+// ❌ SECURITY ISSUE: Missing authorization check
+app.get('/admin/users', (req, res) => {
+  const users = getAllUsers();
+  res.json(users);
+});
+
+// ✅ SECURE: Proper authorization
+app.get('/admin/users', authenticate, authorize(['admin']), (req, res) => {
+  const users = getAllUsers();
+  res.json(users);
+});
+
+// ❌ SECURITY ISSUE: Insecure direct object reference
+app.get('/user/:id/profile', (req, res) => {
+  const profile = getUserProfile(req.params.id);
+  res.json(profile);
+});
+
+// ✅ SECURE: Access control validation
+app.get('/user/:id/profile', authenticate, (req, res) => {
+  const requestedUserId = req.params.id;
+  const currentUserId = req.user.id;
+  
+  // Users can only access their own profile unless they're admin
+  if (requestedUserId !== currentUserId && !req.user.isAdmin) {
+    return res.status(403).json({ error: 'Access denied' });
+  }
+  
+  const profile = getUserProfile(requestedUserId);
+  res.json(profile);
+});
+```
+
+#### Data Protection and Encryption
+```typescript
+// ❌ SECURITY ISSUE: Storing passwords in plain text
+const createUser = async (userData: any) => {
+  const user = {
+    ...userData,
+    password: userData.password // Plain text password
+  };
+  return await db.users.create(user);
+};
+
+// ✅ SECURE: Proper password hashing
+import bcrypt from 'bcrypt';
+
+const createUser = async (userData: any) => {
+  const saltRounds = 12;
+  const hashedPassword = await bcrypt.hash(userData.password, saltRounds);
+  
+  const user = {
+    ...userData,
+    password: hashedPassword
+  };
+  return await db.users.create(user);
+};
+
+// ❌ SECURITY ISSUE: Sensitive data in logs
+logger.info('User login attempt', { email, password });
+
+// ✅ SECURE: No sensitive data in logs
+logger.info('User login attempt', { email, timestamp: new Date().toISOString() });
+```
+
+### Phase 3: Security Control Validation
+**Security Control Checklist:**
+
+#### Rate Limiting and DDoS Protection
+```typescript
+// ✅ SECURE: Rate limiting implementation
+import rateLimit from 'express-rate-limit';
+
+const loginRateLimit = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // Limit each IP to 5 requests per windowMs
+  message: 'Too many login attempts, please try again later',
+  standardHeaders: true,
+  legacyHeaders: false,
+});
+
+app.post('/auth/login', loginRateLimit, loginController);
+```
+
+#### Security Headers
+```typescript
+// ✅ SECURE: Security headers middleware
+const securityHeaders = (req: Request, res: Response, next: NextFunction) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.setHeader('X-XSS-Protection', '1; mode=block');
+  res.setHeader('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
+  res.setHeader('Content-Security-Policy', "default-src 'self'");
+  next();
+};
+
+app.use(securityHeaders);
+```
+
+#### Error Handling
+```typescript
+// ❌ SECURITY ISSUE: Information disclosure in errors
+app.use((error: Error, req: Request, res: Response, next: NextFunction) => {
+  res.status(500).json({
+    error: error.message,
+    stack: error.stack, // Exposes internal information
+    query: req.query    // May contain sensitive data
+  });
+});
+
+// ✅ SECURE: Safe error handling
+app.use((error: Error, req: Request, res: Response, next: NextFunction) => {
+  // Log full error details securely
+  logger.error('Application error', {
+    message: error.message,
+    stack: error.stack,
+    url: req.url,
+    method: req.method,
+    ip: req.ip
+  });
+  
+  // Return generic error to client
+  res.status(500).json({
+    error: 'Internal server error',
+    timestamp: new Date().toISOString()
+  });
+});
+```
+
+### Phase 4: Compliance Validation
+**Compliance Requirements Check:**
+
+#### GDPR Compliance
+```typescript
+// ✅ GDPR: Data minimization and purpose limitation
+const collectUserData = (userData: any) => {
+  // Only collect necessary data
+  const { email, name, preferences } = userData;
+  
+  return {
+    email,
+    name,
+    preferences,
+    createdAt: new Date(),
+    // Don't collect unnecessary personal data
+  };
+};
+
+// ✅ GDPR: Right to deletion
+const deleteUserData = async (userId: string) => {
+  await db.transaction(async (tx) => {
+    // Delete user data from all tables
+    await tx.userProfiles.delete({ where: { userId } });
+    await tx.userPreferences.delete({ where: { userId } });
+    await tx.users.delete({ where: { id: userId } });
+    
+    // Log deletion for audit trail
+    await tx.auditLog.create({
+      data: {
+        action: 'USER_DATA_DELETED',
+        userId,
+        timestamp: new Date()
+      }
+    });
+  });
+};
+```
+
+#### SOC 2 Compliance
+```typescript
+// ✅ SOC 2: Audit logging
+const auditLog = {
+  logUserAction: async (userId: string, action: string, details: any) => {
+    await db.auditLog.create({
+      data: {
+        userId,
+        action,
+        details: JSON.stringify(details),
+        timestamp: new Date(),
+        ipAddress: details.ipAddress,
+        userAgent: details.userAgent
+      }
+    });
+  }
+};
+
+// ✅ SOC 2: Access monitoring
+const monitorAccess = async (req: Request, res: Response, next: NextFunction) => {
+  await auditLog.logUserAction(req.user?.id, 'RESOURCE_ACCESS', {
+    resource: req.path,
+    method: req.method,
+    ipAddress: req.ip,
+    userAgent: req.get('User-Agent')
+  });
+  
+  next();
+};
+```
+
+### Phase 5: Security Testing Validation
+**Security Test Coverage:**
+
+#### Authentication Tests
+```typescript
+describe('Authentication Security', () => {
+  it('should prevent brute force attacks', async () => {
+    const email = 'test@example.com';
+    
+    // Attempt multiple failed logins
+    for (let i = 0; i < 6; i++) {
+      await request(app)
+        .post('/auth/login')
+        .send({ email, password: 'wrongpassword' })
+        .expect(i < 5 ? 401 : 429);
+    }
+  });
+
+  it('should invalidate tokens on logout', async () => {
+    const { token } = await loginUser();
+    
+    await request(app)
+      .post('/auth/logout')
+      .set('Authorization', `Bearer ${token}`)
+      .expect(200);
+    
+    // Token should no longer work
+    await request(app)
+      .get('/protected')
+      .set('Authorization', `Bearer ${token}`)
+      .expect(401);
+  });
+});
+```
+
+#### Input Validation Tests
+```typescript
+describe('Input Validation Security', () => {
+  it('should prevent SQL injection', async () => {
+    const maliciousInput = "'; DROP TABLE users; --";
+    
+    const response = await request(app)
+      .get(`/users/search?name=${encodeURIComponent(maliciousInput)}`)
+      .expect(200);
+    
+    // Should return empty results, not execute malicious SQL
+    expect(response.body.users).toEqual([]);
+    
+    // Verify users table still exists
+    const userCount = await db.users.count();
+    expect(userCount).toBeGreaterThan(0);
+  });
+
+  it('should sanitize XSS attempts', async () => {
+    const xssPayload = '<script>alert("xss")</script>';
+    
+    const response = await request(app)
+      .post('/comments')
+      .send({ content: xssPayload })
+      .expect(201);
+    
+    // Content should be sanitized
+    expect(response.body.comment.content).not.toContain('<script>');
+  });
+});
+```
+
+## Security Review Checklist
+
+### Authentication and Authorization
+- [ ] Strong password policies enforced
+- [ ] Multi-factor authentication implemented where required
+- [ ] Session management secure (no session fixation, proper timeout)
+- [ ] JWT tokens properly signed and validated
+- [ ] Authorization checks on all protected endpoints
+- [ ] Principle of least privilege enforced
+- [ ] Role-based access control properly implemented
+
+### Input Validation and Injection Prevention
+- [ ] All user inputs validated and sanitized
+- [ ] SQL injection prevention (parameterized queries)
+- [ ] XSS prevention (proper output encoding)
+- [ ] Command injection prevention
+- [ ] Path traversal prevention
+- [ ] File upload security implemented
+- [ ] API input validation comprehensive
+
+### Data Protection
+- [ ] Sensitive data encrypted at rest and in transit
+- [ ] Encryption keys properly managed
+- [ ] Passwords properly hashed (bcrypt, scrypt, or Argon2)
+- [ ] Sensitive data not logged or exposed in errors
+- [ ] Data retention policies implemented
+- [ ] Secure data deletion implemented
+
+### Security Controls
+- [ ] Rate limiting implemented for sensitive endpoints
+- [ ] Security headers properly configured
+- [ ] HTTPS enforced for all communications
+- [ ] CORS properly configured
+- [ ] Content Security Policy implemented
+- [ ] Error handling doesn't leak information
+- [ ] Audit logging captures security events
+
+### Infrastructure Security
+- [ ] Dependencies regularly updated and scanned
+- [ ] Environment variables used for secrets
+- [ ] No hardcoded credentials or secrets
+- [ ] Proper file permissions and access controls
+- [ ] Security monitoring and alerting implemented
+- [ ] Incident response procedures documented
+
+### Compliance Requirements
+- [ ] GDPR compliance (if applicable)
+- [ ] HIPAA compliance (if applicable)
+- [ ] SOC 2 compliance (if applicable)
+- [ ] PCI DSS compliance (if applicable)
+- [ ] Industry-specific requirements met
+- [ ] Audit trails comprehensive and tamper-proof
+
+## Security Review Report Template
+
+### Executive Summary
+- Overall security posture assessment
+- Critical vulnerabilities identified
+- Compliance status summary
+- Recommended priority actions
+
+### Detailed Findings
+
+#### Critical Issues (Fix Immediately)
+- **Issue**: [Description]
+- **Impact**: [Security impact and business risk]
+- **Location**: [File and line number]
+- **Recommendation**: [Specific fix instructions]
+- **Timeline**: Immediate
+
+#### High Priority Issues (Fix Within 1 Week)
+- **Issue**: [Description]
+- **Impact**: [Security impact and business risk]
+- **Location**: [File and line number]
+- **Recommendation**: [Specific fix instructions]
+- **Timeline**: 1 week
+
+#### Medium Priority Issues (Fix Within 1 Month)
+- **Issue**: [Description]
+- **Impact**: [Security impact and business risk]
+- **Location**: [File and line number]
+- **Recommendation**: [Specific fix instructions]
+- **Timeline**: 1 month
+
+### Security Best Practices Validation
+- Authentication and authorization implementation
+- Input validation and injection prevention
+- Data protection and encryption
+- Security controls and monitoring
+- Compliance requirements adherence
+
+### Recommendations
+- Immediate security improvements
+- Long-term security strategy enhancements
+- Security training and awareness needs
+- Security tool and process improvements
+
+## Output Format
+
+Save a new file to `.kiro/code-reviews/security-[appropriate-name].md`
+
+This security-focused code review framework ensures comprehensive security validation and provides actionable recommendations for maintaining a strong security posture.

package/.kiro/prompts/code-review.md

@@ -0,0 +1,113 @@
+---
+description: Technical code review for quality and bugs that runs pre-commit
+---
+
+Perform technical code review on recently changed files.
+
+## Core Principles
+
+Review Philosophy:
+
+- Simplicity is the ultimate sophistication - every line should justify its existence
+- Code is read far more often than it's written - optimize for readability
+- The best code is often the code you don't write
+- Elegance emerges from clarity of intent and economy of expression
+
+## What to Review
+
+Start by gathering codebase context to understand the codebase standards and patterns.
+
+Start by examining:
+
+- PRD.md
+- README.md
+- Key files in the /core module
+- Documented standards in the /docs directory
+
+After you have a good understanding
+
+Run these commands:
+
+```bash
+git status
+git diff HEAD
+git diff --stat HEAD
+```
+
+Then check the list of new files:
+
+```bash
+git ls-files --others --exclude-standard
+```
+
+Read each new file in its entirety. Read each changed file in its entirety (not just the diff) to understand full context.
+
+For each changed file or new file, analyze for:
+
+1. **Logic Errors**
+   - Off-by-one errors
+   - Incorrect conditionals
+   - Missing error handling
+   - Race conditions
+
+2. **Security Issues**
+   - SQL injection vulnerabilities
+   - XSS vulnerabilities
+   - Insecure data handling
+   - Exposed secrets or API keys
+
+3. **Performance Problems**
+   - N+1 queries
+   - Inefficient algorithms
+   - Memory leaks
+   - Unnecessary computations
+
+4. **Code Quality**
+   - Violations of DRY principle
+   - Overly complex functions
+   - Poor naming
+   - Missing type hints/annotations
+
+5. **Adherence to Codebase Standards and Existing Patterns**
+   - Adherence to standards documented in the /docs directory
+   - Linting, typing, and formatting standards
+   - Logging standards
+   - Testing standards
+
+## Verify Issues Are Real
+
+- Run specific tests for issues found
+- Confirm type errors are legitimate
+- Validate security concerns with context
+
+## Output Format
+
+Save a new file to `.kiro/code-reviews/[appropriate-name].md`
+
+**Stats:**
+
+- Files Modified: 0
+- Files Added: 0
+- Files Deleted: 0
+- New lines: 0
+- Deleted lines: 0
+
+**For each issue found:**
+
+```
+severity: critical|high|medium|low
+file: path/to/file.py
+line: 42
+issue: [one-line description]
+detail: [explanation of why this is a problem]
+suggestion: [how to fix it]
+```
+
+If no issues found: "Code review passed. No technical issues detected."
+
+## Important
+
+- Be specific (line numbers, not vague complaints)
+- Focus on real bugs, not style
+- Suggest fixes, don't just complain
+- Flag security issues as CRITICAL

package/.kiro/prompts/create-prd.md

@@ -0,0 +1,151 @@
+---
+description: Create a Product Requirements Document from conversation
+argument-hint: [output-filename]
+---
+
+# Create PRD: Generate Product Requirements Document
+
+## Overview
+
+Generate a comprehensive Product Requirements Document (PRD) based on the current conversation context and requirements discussed. Use the structure and sections defined below to create a thorough, professional PRD.
+
+## Output File
+
+Write the PRD to: `$ARGUMENTS` (default: `./kiro/PRD.md`)
+
+## PRD Structure
+
+Create a well-structured PRD with the following sections. Adapt depth and detail based on available information:
+
+### Required Sections
+
+**1. Executive Summary**
+- Concise product overview (2-3 paragraphs)
+- Core value proposition
+- MVP goal statement
+
+**2. Mission**
+- Product mission statement
+- Core principles (3-5 key principles)
+
+**3. Target Users**
+- Primary user personas
+- Technical comfort level
+- Key user needs and pain points
+
+**4. MVP Scope**
+- **In Scope:** Core functionality for MVP (use ✅ checkboxes)
+- **Out of Scope:** Features deferred to future phases (use ❌ checkboxes)
+- Group by categories (Core Functionality, Technical, Integration, Deployment)
+
+**5. User Stories**
+- Primary user stories (5-8 stories) in format: "As a [user], I want to [action], so that [benefit]"
+- Include concrete examples for each story
+- Add technical user stories if relevant
+
+**6. Core Architecture & Patterns**
+- High-level architecture approach
+- Directory structure (if applicable)
+- Key design patterns and principles
+- Technology-specific patterns
+
+**7. Tools/Features**
+- Detailed feature specifications
+- If building an agent: Tool designs with purpose, operations, and key features
+- If building an app: Core feature breakdown
+
+**8. Technology Stack**
+- Backend/Frontend technologies with versions
+- Dependencies and libraries
+- Optional dependencies
+- Third-party integrations
+
+**9. Security & Configuration**
+- Authentication/authorization approach
+- Configuration management (environment variables, settings)
+- Security scope (in-scope and out-of-scope)
+- Deployment considerations
+
+**10. API Specification** (if applicable)
+- Endpoint definitions
+- Request/response formats
+- Authentication requirements
+- Example payloads
+
+**11. Success Criteria**
+- MVP success definition
+- Functional requirements (use ✅ checkboxes)
+- Quality indicators
+- User experience goals
+
+**12. Implementation Phases**
+- Break down into 3-4 phases
+- Each phase includes: Goal, Deliverables (✅ checkboxes), Validation criteria
+- Realistic timeline estimates
+
+**13. Future Considerations**
+- Post-MVP enhancements
+- Integration opportunities
+- Advanced features for later phases
+
+**14. Risks & Mitigations**
+- 3-5 key risks with specific mitigation strategies
+
+**15. Appendix** (if applicable)
+- Related documents
+- Key dependencies with links
+- Repository/project structure
+
+## Instructions
+
+### 1. Extract Requirements
+- Review the entire conversation history
+- Identify explicit requirements and implicit needs
+- Note technical constraints and preferences
+- Capture user goals and success criteria
+
+### 2. Synthesize Information
+- Organize requirements into appropriate sections
+- Fill in reasonable assumptions where details are missing
+- Maintain consistency across sections
+- Ensure technical feasibility
+
+### 3. Write the PRD
+- Use clear, professional language
+- Include concrete examples and specifics
+- Use markdown formatting (headings, lists, code blocks, checkboxes)
+- Add code snippets for technical sections where helpful
+- Keep Executive Summary concise but comprehensive
+
+### 4. Quality Checks
+- ✅ All required sections present
+- ✅ User stories have clear benefits
+- ✅ MVP scope is realistic and well-defined
+- ✅ Technology choices are justified
+- ✅ Implementation phases are actionable
+- ✅ Success criteria are measurable
+- ✅ Consistent terminology throughout
+
+## Style Guidelines
+
+- **Tone:** Professional, clear, action-oriented
+- **Format:** Use markdown extensively (headings, lists, code blocks, tables)
+- **Checkboxes:** Use ✅ for in-scope items, ❌ for out-of-scope
+- **Specificity:** Prefer concrete examples over abstract descriptions
+- **Length:** Comprehensive but scannable (typically 30-60 sections worth of content)
+
+## Output Confirmation
+
+After creating the PRD:
+1. Confirm the file path where it was written
+2. Provide a brief summary of the PRD contents
+3. Highlight any assumptions made due to missing information
+4. Suggest next steps (e.g., review, refinement, planning)
+
+## Notes
+
+- If critical information is missing, ask clarifying questions before generating
+- Adapt section depth based on available details
+- For highly technical products, emphasize architecture and technical stack
+- For user-facing products, emphasize user stories and experience
+- This command contains the complete PRD template structure - no external references needed