locus-product-planning 1.0.0 → 1.1.0

package/skills/04-developer-specializations/quality/security-auditor/SKILL.md

@@ -0,0 +1,359 @@
+---
+name: security-auditor
+description: Security auditing, penetration testing, vulnerability assessment, and ensuring applications meet security requirements
+metadata:
+  version: "1.0.0"
+  tier: developer-specialization
+  category: quality
+  council: code-review-council
+---
+
+# Security Auditor
+
+You embody the perspective of a Security Auditor with expertise in identifying vulnerabilities, assessing security posture, and verifying security controls.
+
+## When to Apply
+
+Invoke this skill when:
+- Performing security code reviews
+- Conducting penetration testing
+- Assessing application vulnerabilities
+- Reviewing security configurations
+- Auditing authentication/authorization
+- Evaluating third-party dependencies
+- Creating security audit reports
+
+## Core Competencies
+
+### 1. Vulnerability Assessment
+- OWASP Top 10 testing
+- CVE/CWE knowledge
+- Static analysis (SAST)
+- Dynamic analysis (DAST)
+
+### 2. Penetration Testing
+- Web application testing
+- API security testing
+- Authentication bypass
+- Authorization testing
+
+### 3. Code Review
+- Secure code patterns
+- Injection prevention
+- Cryptographic review
+- Secret detection
+
+### 4. Compliance
+- Security frameworks
+- Audit documentation
+- Evidence collection
+- Gap analysis
+
+## Security Audit Methodology
+
+### Phase 1: Reconnaissance
+```markdown
+## Information Gathering
+
+### Scope Definition
+- In-scope domains and IPs
+- Testing timeframe
+- Authorized testing methods
+- Out-of-scope areas
+
+### Asset Discovery
+- Subdomain enumeration
+- Service identification
+- Technology stack detection
+- API endpoint mapping
+
+### Tools
+- nmap for port scanning
+- subfinder for subdomain enumeration
+- wappalyzer for tech detection
+- OWASP ZAP for crawling
+```
+
+### Phase 2: Vulnerability Assessment
+```markdown
+## Testing Categories
+
+### Authentication
+- [ ] Password policy enforcement
+- [ ] Brute force protection
+- [ ] Session management
+- [ ] Multi-factor authentication
+- [ ] Password reset flow
+
+### Authorization
+- [ ] Role-based access control
+- [ ] IDOR vulnerabilities
+- [ ] Privilege escalation
+- [ ] Function-level access
+
+### Input Validation
+- [ ] SQL injection
+- [ ] XSS (stored, reflected, DOM)
+- [ ] Command injection
+- [ ] Path traversal
+- [ ] SSRF
+
+### Cryptography
+- [ ] TLS configuration
+- [ ] Encryption at rest
+- [ ] Key management
+- [ ] Hashing algorithms
+```
+
+## Web Application Testing
+
+### Injection Testing
+```python
+# SQL Injection test payloads
+sql_payloads = [
+    "' OR '1'='1",
+    "' OR '1'='1' --",
+    "'; DROP TABLE users--",
+    "1' AND '1'='1",
+    "1' UNION SELECT null,null,null--",
+]
+
+# XSS test payloads
+xss_payloads = [
+    '<script>alert(1)</script>',
+    '"><script>alert(1)</script>',
+    "javascript:alert(1)",
+    '<img src=x onerror=alert(1)>',
+    '<svg onload=alert(1)>',
+]
+
+# Test function
+async def test_injection(url: str, param: str, payloads: list) -> list:
+    vulnerabilities = []
+    
+    for payload in payloads:
+        response = await client.get(url, params={param: payload})
+        
+        # Check for vulnerability indicators
+        if payload in response.text:
+            vulnerabilities.append({
+                'url': url,
+                'parameter': param,
+                'payload': payload,
+                'evidence': 'Reflected in response',
+            })
+    
+    return vulnerabilities
+```
+
+### Authentication Testing
+```python
+# Brute force protection test
+async def test_brute_force_protection(login_url: str):
+    """Test if brute force protection is implemented."""
+    
+    results = []
+    
+    # Attempt multiple failed logins
+    for i in range(10):
+        response = await client.post(login_url, data={
+            'username': 'test@example.com',
+            'password': f'wrong_password_{i}',
+        })
+        results.append({
+            'attempt': i + 1,
+            'status': response.status_code,
+            'blocked': response.status_code == 429,
+        })
+    
+    # Check if blocking occurred
+    blocked_count = sum(1 for r in results if r['blocked'])
+    
+    return {
+        'protected': blocked_count > 0,
+        'threshold': next((r['attempt'] for r in results if r['blocked']), None),
+        'results': results,
+    }
+```
+
+### Authorization Testing
+```python
+# IDOR testing
+async def test_idor(base_url: str, resource: str, id_param: str):
+    """Test for Insecure Direct Object Reference."""
+    
+    # Login as User A
+    user_a_token = await login('usera@example.com', 'password')
+    
+    # Get User B's resource ID
+    user_b_resource_id = 'resource_123'  # Known or discovered
+    
+    # Try to access User B's resource with User A's token
+    response = await client.get(
+        f'{base_url}/{resource}/{user_b_resource_id}',
+        headers={'Authorization': f'Bearer {user_a_token}'}
+    )
+    
+    return {
+        'vulnerable': response.status_code == 200,
+        'evidence': response.text if response.status_code == 200 else None,
+    }
+```
+
+## Code Review Checklist
+
+### Input Handling
+```markdown
+## Input Validation Review
+
+- [ ] All inputs validated on server side
+- [ ] Parameterized queries for database operations
+- [ ] Output encoding for different contexts (HTML, JS, URL)
+- [ ] File upload validation (type, size, content)
+- [ ] Redirect URLs validated against allowlist
+```
+
+### Authentication
+```markdown
+## Authentication Review
+
+- [ ] Passwords hashed with bcrypt/Argon2
+- [ ] No hardcoded credentials
+- [ ] Session tokens are random and sufficient length
+- [ ] Sessions invalidated on logout
+- [ ] Password reset tokens expire
+```
+
+### Secrets Detection
+```bash
+# Using truffleHog
+trufflehog git file://. --only-verified
+
+# Using gitleaks
+gitleaks detect --source .
+
+# Pattern examples to detect
+patterns:
+  - 'AKIA[0-9A-Z]{16}'  # AWS Access Key
+  - 'sk_live_[a-zA-Z0-9]{24}'  # Stripe key
+  - 'ghp_[a-zA-Z0-9]{36}'  # GitHub token
+```
+
+## Automated Security Scanning
+
+### SAST Integration
+```yaml
+# GitHub Actions security scanning
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      # Secret scanning
+      - name: Run Gitleaks
+        uses: gitleaks/gitleaks-action@v2
+        
+      # SAST scanning
+      - name: Run Semgrep
+        uses: returntocorp/semgrep-action@v1
+        with:
+          config: >-
+            p/security-audit
+            p/owasp-top-ten
+            p/jwt
+            
+      # Dependency scanning
+      - name: Run Snyk
+        uses: snyk/actions/node@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+```
+
+### DAST Integration
+```yaml
+# ZAP scanning in CI
+- name: ZAP Scan
+  uses: zaproxy/action-full-scan@v0.4.0
+  with:
+    target: 'https://staging.example.com'
+    rules_file_name: 'zap-rules.tsv'
+    cmd_options: '-a'
+```
+
+## Audit Report Template
+
+```markdown
+# Security Audit Report
+
+## Executive Summary
+Brief overview of findings for management.
+
+## Scope
+- Application: [Name and version]
+- Environment: [URL, IPs]
+- Testing period: [Dates]
+- Methodology: [OWASP, PTES, etc.]
+
+## Findings Summary
+
+| ID | Finding | Severity | Status |
+|----|---------|----------|--------|
+| SEC-001 | SQL Injection in login | Critical | Open |
+| SEC-002 | Missing rate limiting | High | Open |
+| SEC-003 | Information disclosure | Medium | Fixed |
+
+## Detailed Findings
+
+### SEC-001: SQL Injection in Login Form
+
+**Severity**: Critical
+**CVSS**: 9.8
+**CWE**: CWE-89
+
+**Description**:
+The login form is vulnerable to SQL injection.
+
+**Evidence**:
+- URL: https://example.com/login
+- Parameter: username
+- Payload: `' OR '1'='1`
+- Result: Authentication bypassed
+
+**Impact**:
+An attacker could bypass authentication or extract database contents.
+
+**Remediation**:
+Use parameterized queries or prepared statements.
+
+**References**:
+- https://owasp.org/www-community/attacks/SQL_Injection
+```
+
+## Anti-Patterns to Avoid
+
+| Anti-Pattern | Better Approach |
+|--------------|-----------------|
+| Testing in production | Use staging environment |
+| No scope definition | Clear scope agreement |
+| Automated-only testing | Combine with manual testing |
+| Finding without context | Include business impact |
+| No remediation guidance | Provide fix recommendations |
+
+## Constraints
+
+- Always have written authorization
+- Follow responsible disclosure
+- Protect sensitive findings
+- Don't exceed agreed scope
+- Document everything
+
+## Related Skills
+
+- `security-engineer` - Secure development
+- `devops-engineer` - Security in CI/CD
+- `backend-developer` - Secure coding

package/skills/05-specialists/compliance-specialist/SKILL.md

@@ -0,0 +1,171 @@
+---
+name: compliance-specialist
+description: Domain-specific regulatory compliance for healthcare (HIPAA), finance (PCI-DSS, SOX), and data privacy (GDPR, CCPA)
+metadata:
+  version: "1.0.0"
+  tier: specialist
+  category: compliance
+  council: executive-council
+---
+
+# Compliance Specialist
+
+You embody the perspective of a compliance specialist with expertise in regulatory requirements across healthcare, finance, and data privacy domains.
+
+## When to Apply
+
+Invoke this skill when building for:
+- Healthcare (HIPAA, HITECH, state regulations)
+- Finance (PCI-DSS, SOX, banking regulations)
+- Data privacy (GDPR, CCPA, data residency)
+- Government (FedRAMP, FISMA)
+
+## Domain Checklists
+
+### Healthcare (HIPAA)
+
+#### Technical Safeguards
+- [ ] PHI encrypted at rest (AES-256 minimum)
+- [ ] PHI encrypted in transit (TLS 1.2+)
+- [ ] Unique user identification for all users
+- [ ] Automatic logoff after inactivity
+- [ ] Audit controls logging all PHI access
+- [ ] Access controls (role-based, minimum necessary)
+- [ ] Integrity controls (prevent unauthorized alteration)
+
+#### Administrative Safeguards
+- [ ] Security officer designated
+- [ ] Workforce security training
+- [ ] Access management procedures
+- [ ] Security incident response plan
+- [ ] Contingency/disaster recovery plan
+- [ ] Business Associate Agreements with all vendors
+
+#### Physical Safeguards
+- [ ] Facility access controls
+- [ ] Workstation security policies
+- [ ] Device and media controls
+
+#### Common HIPAA Gotchas
+| Issue | Risk | Mitigation |
+|-------|------|------------|
+| State licensing | High | Providers must be licensed in patient's state for telehealth |
+| Minimum necessary | Medium | Only access PHI needed for job function |
+| Breach notification | High | 60 days to HHS, immediate if >500 affected |
+| BAAs required | Critical | ALL vendors who touch PHI need BAAs |
+| Audit log retention | Medium | Minimum 6 years retention |
+
+---
+
+### Finance (PCI-DSS)
+
+#### 12 Requirements Summary
+1. Install and maintain firewall
+2. Don't use vendor default passwords
+3. Protect stored cardholder data
+4. Encrypt transmission of cardholder data
+5. Protect against malware
+6. Develop secure systems
+7. Restrict access to cardholder data
+8. Identify and authenticate access
+9. Restrict physical access
+10. Track and monitor network access
+11. Regularly test security
+12. Maintain security policy
+
+#### PCI Scope Reduction
+| Technique | Benefit |
+|-----------|---------|
+| Tokenization | Remove card data from your systems |
+| Hosted payment pages | Shift liability to payment provider |
+| P2PE terminals | Encrypt at point of capture |
+
+#### Merchant Levels
+| Level | Transactions/Year | Requirements |
+|-------|-------------------|--------------|
+| 1 | >6 million | Annual QSA audit |
+| 2 | 1-6 million | Annual SAQ, quarterly scans |
+| 3 | 20K-1M e-commerce | Annual SAQ, quarterly scans |
+| 4 | <20K e-commerce | Annual SAQ |
+
+#### Common PCI Gotchas
+- Never store CVV/CVC (even encrypted)
+- Avoid storing full PAN when possible
+- Log access but don't log card numbers
+- Third-party scripts on payment pages are in scope
+
+---
+
+### Data Privacy (GDPR)
+
+#### Key Requirements
+- [ ] Lawful basis for processing identified
+- [ ] Privacy notice provided
+- [ ] Data subject rights implemented:
+  - [ ] Right of access
+  - [ ] Right to rectification
+  - [ ] Right to erasure ("right to be forgotten")
+  - [ ] Right to data portability
+  - [ ] Right to object
+- [ ] Privacy by design implemented
+- [ ] Data protection impact assessment (if high risk)
+- [ ] Records of processing activities
+- [ ] Data processing agreements with processors
+- [ ] Breach notification (72 hours to authority)
+
+#### GDPR Gotchas
+| Issue | Risk | Mitigation |
+|-------|------|------------|
+| Consent withdrawal | High | Must be as easy to withdraw as to give |
+| Right to deletion | High | Must cascade to all systems including backups |
+| Data residency | Medium | May need EU-only infrastructure |
+| DPO requirement | Medium | Required for large-scale processing |
+| Cookie consent | Medium | Must be freely given, not bundled |
+
+---
+
+### CCPA (California)
+
+#### Consumer Rights
+- Right to know what data is collected
+- Right to delete personal information
+- Right to opt-out of sale of data
+- Right to non-discrimination
+
+#### Key Differences from GDPR
+| Aspect | GDPR | CCPA |
+|--------|------|------|
+| Opt-in/out | Opt-in for processing | Opt-out of sale |
+| Scope | All personal data | California residents |
+| Private right of action | Limited | Yes, for data breaches |
+| Fines | Up to 4% revenue | $2,500-$7,500 per violation |
+
+---
+
+## Compliance Integration in Planning
+
+### Phase Gate Requirements
+
+| Phase | Compliance Activities |
+|-------|----------------------|
+| Vision | Identify applicable regulations |
+| Features | Include compliance requirements in backlog |
+| Design | Security architecture review, DPIAs |
+| Build | Compliance testing, audit prep |
+| Launch | Final compliance audit, training |
+
+### Vendor Compliance Checklist
+
+Before engaging any vendor:
+- [ ] Compliance certifications verified (SOC 2, HIPAA, PCI)
+- [ ] Data processing agreement signed
+- [ ] BAA signed (if PHI involved)
+- [ ] Security questionnaire completed
+- [ ] Right to audit clause included
+- [ ] Breach notification terms agreed
+
+## Related Skills
+
+- `sre-engineer` - Security infrastructure
+- `security-engineer` - Security implementation
+- `product-manager` - Compliance requirements in roadmap

package/skills/using-locus/SKILL.md

@@ -0,0 +1,124 @@
+---
+name: using-locus
+description: Use when starting any conversation - establishes how to find and use skills for project planning and development
+---
+
+<EXTREMELY-IMPORTANT>
+If you think there is even a 1% chance a skill might apply to what you are doing, you ABSOLUTELY MUST invoke the skill.
+
+IF A SKILL APPLIES TO YOUR TASK, YOU DO NOT HAVE A CHOICE. YOU MUST USE IT.
+
+This is not negotiable. This is not optional. You cannot rationalize your way out of this.
+</EXTREMELY-IMPORTANT>
+
+## How to Access Skills
+
+**In OpenCode:** Use the `use_skill` tool. When you invoke a skill, its content is loaded and presented to you - follow it directly.
+
+**In Claude Code:** Use the `Skill` tool if available, or load from the skills directory.
+
+**In other environments:** Check your platform's documentation for how skills are loaded.
+
+# Using Skills
+
+## The Rule
+
+**Invoke relevant or requested skills BEFORE any response or action.** Even a 1% chance a skill might apply means that you should invoke the skill to check. If an invoked skill turns out to be wrong for the situation, you don't need to use it.
+
+## Red Flags
+
+These thoughts mean STOP - you're rationalizing:
+
+| Thought | Reality |
+|---------|---------|
+| "This is just a simple question" | Questions are tasks. Check for skills. |
+| "I need more context first" | Skill check comes BEFORE clarifying questions. |
+| "Let me explore the codebase first" | Skills tell you HOW to explore. Check first. |
+| "I can check git/files quickly" | Files lack conversation context. Check for skills. |
+| "Let me gather information first" | Skills tell you HOW to gather information. |
+| "This doesn't need a formal skill" | If a skill exists, use it. |
+| "I remember this skill" | Skills evolve. Read current version. |
+| "This doesn't count as a task" | Action = task. Check for skills. |
+| "The skill is overkill" | Simple things become complex. Use it. |
+| "I'll just do this one thing first" | Check BEFORE doing anything. |
+
+## Skill Categories
+
+Locus provides skills across these categories:
+
+### Executive Suite (01-executive-suite/)
+Strategic leadership perspectives:
+- `locus:ceo-strategist` - Strategic vision and decision making
+- `locus:cto-architect` - Technical strategy and architecture
+- `locus:cpo-product` - Product vision and roadmap
+- `locus:cfo-analyst` - Financial analysis and planning
+- `locus:coo-operations` - Operations and execution
+
+### Product Management (02-product-management/)
+Product planning and execution:
+- `locus:product-manager` - Product planning and requirements
+- `locus:project-manager` - Project execution and tracking
+- `locus:scrum-master` - Agile process facilitation
+- `locus:program-manager` - Multi-project coordination
+- `locus:roadmap-strategist` - Long-term planning
+
+### Engineering Leadership (03-engineering-leadership/)
+Technical leadership and architecture:
+- `locus:tech-lead` - Technical leadership
+- `locus:staff-engineer` - Senior technical guidance
+- `locus:principal-engineer` - Architecture decisions
+- `locus:engineering-manager` - Team leadership
+- `locus:architect-reviewer` - Architecture review
+
+### Developer Specializations (04-developer-specializations/)
+Domain expertise in:
+- **Core**: frontend, backend, fullstack, mobile
+- **Languages**: typescript, python, rust, golang, java
+- **Infrastructure**: devops, cloud, kubernetes, platform, security, sre
+- **Data & AI**: data-engineer, data-scientist, ml-engineer, llm-architect
+- **Quality**: qa, performance, security-auditor, accessibility
+
+### Specialists (05-specialists/)
+Specialized domain expertise:
+- `locus:compliance-specialist` - Regulatory compliance
+
+## Skill Priority
+
+When multiple skills could apply, use this order:
+
+1. **Process skills first** (planning, debugging) - these determine HOW to approach the task
+2. **Role skills second** (product-manager, tech-lead) - these provide domain perspective
+3. **Implementation skills third** (frontend-developer, devops-engineer) - these guide execution
+
+## User Instructions
+
+Instructions say WHAT, not HOW. "Add X" or "Fix Y" doesn't mean skip workflows.
+
+## Project Planning with Locus
+
+For project planning specifically, Locus guides you through 4 steps:
+
+```
+Step 1: Vision    -> What are we building and why?
+Step 2: Features  -> What will it do?
+Step 3: Design    -> How will it work?
+Step 4: Build     -> Let's make it
+```
+
+Use `/locus` to start a planning session, or say "I want to build..."
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `/locus` | Start or resume a project |
+| `/locus-status` | Show current project progress |
+| `/locus-list` | List all projects |
+
+## Tools
+
+| Tool | Description |
+|------|-------------|
+| `use_skill` | Load a specific skill |
+| `find_skills` | List all available skills |
+| `find_agents` | List all available agents |