ma-agents 1.1.0

package/skills/README.md

@@ -0,0 +1,312 @@
+# Development Skills
+
+This directory contains reusable skills for development workflows.
+
+## Available Skills
+
+### 1. Git Workflow Skill
+**Directory:** `git-workflow-skill/`
+
+Mandatory feature branch workflow for Git operations. Enforces branch creation from dev, conventional commits, automatic PR creation, and returns to dev branch after push.
+
+**Usage:**
+```bash
+# Start a new feature
+./git-workflow-skill/scripts/start-feature.sh feature my-feature-name
+
+# Finish, push, create PR, and return to dev (all automatic)
+./git-workflow-skill/scripts/finish-feature.sh
+
+# Validate workflow
+./git-workflow-skill/scripts/validate-workflow.sh
+```
+
+**Key Features:**
+- ✅ Enforces feature branch workflow
+- ✅ Prevents commits to dev/main
+- ✅ Conventional commit validation
+- ✅ **Automatic PR creation** (via `gh` CLI)
+- ✅ **Auto-switch to dev** after push
+- ✅ Git hooks for automation
+
+**Requirements:**
+- Git
+- GitHub CLI (`gh`) - For automatic PR creation (optional but recommended)
+
+---
+
+### 2. Verify Hardened Docker Skill
+**Directory:** `verify-hardened-docker-skill/`
+
+Comprehensive security verification for Docker configurations against CIS Docker Benchmark, OWASP, and NIST SP 800-190 standards.
+
+**Usage:**
+```bash
+# Verify all Docker security configurations
+./verify-hardened-docker-skill/scripts/verify-docker-hardening.sh [image-name]
+```
+
+**What It Checks:**
+- ✅ Image security (version tags, non-root user, no secrets)
+- ✅ Dockerfile hardening (multi-stage, permissions)
+- ✅ docker-compose.yml security (read-only, capabilities)
+- ✅ Runtime security (non-root execution, health checks)
+- ✅ Vulnerability scanning (Trivy integration)
+- ✅ Secret leakage detection
+
+**Exit Codes:**
+- `0` - All checks passed
+- `1` - CRITICAL vulnerabilities
+- `2` - Hardening failures
+- `3` - Secret leakage
+- `4` - Runtime violations
+- `5` - Missing files
+
+---
+
+### 4. JS/TS Security Skill
+**Directory:** `js-ts-security-skill/`
+
+Comprehensive security verification for JavaScript and TypeScript codebases following OWASP Top 10 standards. Detects dangerous patterns, hardcoded secrets, and vulnerable dependencies.
+
+**Usage:**
+```bash
+# Verify security of the current project
+./js-ts-security-skill/scripts/verify-security.sh
+```
+
+**Key Features:**
+- ✅ **Dependency Auditing**: Checks for known vulnerabilities in `node_modules`.
+- ✅ **Static Analysis**: Detects dangerous code patterns (eval, unsafe regex, etc.).
+- ✅ **Secret Scanning**: Finds hardcoded credentials and API keys.
+- ✅ **OWASP Compliance**: Maps findings to OWASP Top 10 categories.
+
+---
+
+### 3. Create Hardened Docker Skill
+**Directory:** `create-hardened-docker-skill/`
+
+Creates production-ready hardened Docker configurations following security best practices.
+
+**Usage:**
+```bash
+# Create all hardened Docker files
+./create-hardened-docker-skill/scripts/create-all.sh [app-name] [node-version] [nginx-version]
+```
+
+**What It Creates:**
+- ✅ **Dockerfile** - Multi-stage, non-root, Alpine-based
+- ✅ **docker-compose.yml** - Read-only filesystem, capability controls
+- ✅ **nginx.conf** - Security headers, TLS 1.2+, gzip compression
+- ✅ **.dockerignore** - Optimized build context
+- ✅ **.env.example** - Environment variable template
+
+**Security Features:**
+- ✅ Non-root user execution (nginx)
+- ✅ Read-only root filesystem
+- ✅ Tmpfs mounts for writable directories
+- ✅ All capabilities dropped (minimal additions)
+- ✅ No privilege escalation
+- ✅ Resource limits (512MB memory, 1.0 CPU)
+- ✅ TLS 1.2+ only with strong ciphers
+- ✅ Security headers (CSP, HSTS, X-Frame-Options)
+
+**Compliance:**
+- ✅ CIS Docker Benchmark v1.6.0
+- ✅ OWASP Docker Security Cheat Sheet
+- ✅ NIST Application Container Security Guide (SP 800-190)
+
+---
+
+## Recommended Workflow
+
+### For New Docker Projects
+
+1. **Create hardened configuration:**
+   ```bash
+   ./create-hardened-docker-skill/scripts/create-all.sh my-app
+   ```
+
+2. **Configure environment:**
+   ```bash
+   cp .env.example .env
+   # Edit .env with your credentials
+   ```
+
+3. **Build and test:**
+   ```bash
+   docker build -t my-app .
+   docker-compose up -d
+   ```
+
+4. **Verify security:**
+   ```bash
+   ./verify-hardened-docker-skill/scripts/verify-docker-hardening.sh my-app
+   ```
+
+5. **Fix any issues found and re-verify**
+
+### For Existing Docker Projects
+
+1. **Verify current configuration:**
+   ```bash
+   ./verify-hardened-docker-skill/scripts/verify-docker-hardening.sh my-app
+   ```
+
+2. **Review failed checks and warnings**
+
+3. **Apply hardening fixes manually or regenerate:**
+   ```bash
+   ./create-hardened-docker-skill/scripts/create-all.sh my-app
+   ```
+
+4. **Re-verify after changes:**
+   ```bash
+   ./verify-hardened-docker-skill/scripts/verify-docker-hardening.sh my-app
+   ```
+
+### For Feature Development
+
+1. **Start feature branch:**
+   ```bash
+   ./git-workflow-skill/scripts/start-feature.sh feature docker-hardening
+   ```
+
+2. **Make changes (e.g., update Dockerfile)**
+
+3. **Verify hardening before commit:**
+   ```bash
+   ./verify-hardened-docker-skill/scripts/verify-docker-hardening.sh my-app
+   ```
+
+4. **Commit, push, and create PR:**
+   ```bash
+   ./git-workflow-skill/scripts/finish-feature.sh
+   # This will:
+   # - Rebase on dev
+   # - Push the branch
+   # - Create PR automatically
+   # - Switch back to dev branch
+   ```
+
+---
+
+## Requirements
+
+### All Skills
+- Bash shell
+- Git
+
+### Git Workflow Skill
+- Git
+- GitHub CLI (`gh`) - For automatic PR creation (optional but recommended)
+  ```bash
+  # Install
+  brew install gh          # macOS
+  winget install GitHub.cli # Windows
+  apt install gh           # Linux
+
+  # Authenticate
+  gh auth login
+  ```
+
+### Docker Skills
+- Docker installed
+- docker-compose installed
+- Trivy scanner (optional, for vulnerability scanning)
+  ```bash
+  # macOS
+  brew install aquasecurity/trivy/trivy
+
+  # Linux
+  apt-get install trivy
+
+  # Windows
+  choco install trivy
+  ```
+
+---
+
+## Skill Structure
+
+Each skill follows this structure:
+
+```
+skill-name/
+├── SKILL.md          # Skill definition and documentation
+├── README.md         # Quick start guide
+└── scripts/          # Executable scripts
+    ├── script1.sh
+    └── script2.sh
+```
+
+---
+
+## Security Standards Reference
+
+### CIS Docker Benchmark v1.6.0
+Key controls implemented:
+- 4.1: Create user for container
+- 4.3: Verify file permissions
+- 4.5: Enable Content trust
+- 5.7: Don't map privileged ports
+- 5.10: Set memory limit
+- 5.11: Set CPU priority
+- 5.12: Read-only root filesystem
+- 5.25: No new privileges
+
+### OWASP Docker Security
+- Run containers as non-root
+- Use minimal base images (Alpine)
+- Scan for vulnerabilities
+- Limit container resources
+- Read-only filesystem
+- Drop unnecessary capabilities
+- Use security options
+- Specific image tags (not :latest)
+
+### NIST SP 800-190
+- Image security and integrity
+- Runtime configuration
+- Resource protection
+- Network isolation
+- Data protection
+
+### OWASP Top 10 2025
+- A01: Broken Access Control (includes SSRF)
+- A02: Security Misconfiguration
+- A03: Software Supply Chain Failures
+- A04: Cryptographic Failures
+- A05: Injection
+- A06: Insecure Design
+- A07: Authentication Failures
+- A08: Software or Data Integrity Failures
+- A09: Logging & Alerting Failures
+- A10: Mishandling of Exceptional Conditions
+
+---
+
+## Contributing
+
+To add a new skill:
+
+1. Create a new directory: `your-skill-name/`
+2. Add `SKILL.md` with frontmatter:
+   ```yaml
+   ---
+   name: your-skill
+   description: Brief description
+   ---
+   ```
+3. Add `README.md` for quick reference
+4. Add scripts in `scripts/` directory
+5. Update this README with the new skill
+
+---
+
+## References
+
+- [Docker Security Best Practices](https://docs.docker.com/develop/security-best-practices/)
+- [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker)
+- [OWASP Docker Security](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
+- [NIST SP 800-190](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf)

package/skills/code-review/claude-code.md

@@ -0,0 +1,64 @@
+# Code Review Skill
+
+## Description
+Perform comprehensive code reviews following industry best practices and security guidelines.
+
+## Usage
+Invoke this skill by typing `/code-review` or asking for a code review.
+
+## Instructions
+
+When performing a code review, you should:
+
+1. **Code Quality Analysis**
+   - Check for code clarity and readability
+   - Identify potential bugs or logical errors
+   - Review variable and function naming conventions
+   - Assess code organization and structure
+
+2. **Best Practices**
+   - Verify adherence to language-specific best practices
+   - Check for proper error handling
+   - Review code for performance considerations
+   - Identify code duplication and suggest refactoring
+
+3. **Security Review**
+   - Look for common security vulnerabilities (OWASP Top 10)
+   - Check for SQL injection, XSS, CSRF vulnerabilities
+   - Verify input validation and sanitization
+   - Review authentication and authorization logic
+
+4. **Testing & Documentation**
+   - Assess test coverage
+   - Check for edge cases
+   - Review inline comments and documentation
+   - Suggest improvements to documentation
+
+5. **Output Format**
+   Present findings in this format:
+
+   ```
+   ## Code Review Summary
+
+   ### ✅ Strengths
+   - [List positive aspects]
+
+   ### ⚠️ Issues Found
+   - **[Severity]** [Description]
+     - Location: [file:line]
+     - Recommendation: [how to fix]
+
+   ### 💡 Suggestions
+   - [Improvement suggestions]
+
+   ### 📊 Overall Assessment
+   [Brief summary and rating]
+   ```
+
+## Examples
+
+**User**: "Review this authentication function"
+**Assistant**: [Performs thorough review following the structure above]
+
+**User**: "/code-review"
+**Assistant**: "I'll review the code in your current selection/file. What would you like me to focus on?"

package/skills/code-review/cline.md

@@ -0,0 +1,55 @@
+# Code Review Skill for Cline
+
+## Overview
+Comprehensive code review capability for analyzing code quality, security, and best practices.
+
+## When to Use
+- User requests code review
+- Before merging code changes
+- During development for quality checks
+
+## Review Checklist
+
+### Code Quality
+- [ ] Clear and readable code
+- [ ] Proper naming conventions
+- [ ] Well-organized structure
+- [ ] No obvious bugs
+
+### Best Practices
+- [ ] Follows language conventions
+- [ ] Proper error handling
+- [ ] Performance optimized
+- [ ] No code duplication
+
+### Security
+- [ ] No SQL injection vulnerabilities
+- [ ] No XSS vulnerabilities
+- [ ] Proper input validation
+- [ ] Secure authentication/authorization
+
+### Testing & Docs
+- [ ] Adequate test coverage
+- [ ] Edge cases handled
+- [ ] Well-documented code
+- [ ] Clear comments
+
+## Response Template
+
+```markdown
+## 🔍 Code Review Results
+
+### ✅ Strengths
+[List what's done well]
+
+### ⚠️ Issues
+**[Severity]** [Issue]
+- File: [path:line]
+- Fix: [solution]
+
+### 💡 Recommendations
+[Suggestions for improvement]
+
+### 📈 Score
+[Overall quality rating]
+```

package/skills/code-review/generic.md

@@ -0,0 +1,39 @@
+# Code Review
+
+Perform comprehensive code reviews following industry best practices.
+
+## What to Review
+
+1. **Code Quality**: Readability, naming conventions, structure
+2. **Best Practices**: Language-specific patterns, error handling, performance
+3. **Security**: Common vulnerabilities (SQL injection, XSS, CSRF, etc.)
+4. **Testing**: Coverage, edge cases, test quality
+5. **Documentation**: Comments, API docs, clarity
+
+## Review Process
+
+- Analyze code for bugs and logical errors
+- Check adherence to coding standards
+- Identify security vulnerabilities
+- Suggest refactoring opportunities
+- Assess test coverage and documentation
+
+## Output Format
+
+```
+## Code Review Summary
+
+### Strengths
+- [Positive aspects]
+
+### Issues Found
+- **[High/Medium/Low]** [Issue description]
+  - Location: [file:line]
+  - Fix: [recommendation]
+
+### Suggestions
+- [Improvements]
+
+### Overall Assessment
+[Summary and rating]
+```

package/skills/code-review/skill.json

@@ -0,0 +1,7 @@
+{
+  "name": "Code Review",
+  "description": "Performs comprehensive code reviews with best practices",
+  "version": "1.0.0",
+  "author": "AI Agent Skills",
+  "tags": ["review", "quality", "best-practices"]
+}

package/skills/commit-message/generic.md

@@ -0,0 +1,75 @@
+# Commit Message Generator
+
+Generate meaningful commit messages following Conventional Commits specification.
+
+## Format
+
+```
+<type>(<scope>): <subject>
+
+<body>
+
+<footer>
+```
+
+## Types
+
+- `feat`: New feature
+- `fix`: Bug fix
+- `docs`: Documentation changes
+- `style`: Code style/formatting
+- `refactor`: Code refactoring
+- `test`: Adding/updating tests
+- `chore`: Maintenance tasks
+- `perf`: Performance improvements
+- `ci`: CI/CD changes
+- `build`: Build system changes
+- `revert`: Revert previous commit
+
+## Guidelines
+
+1. **Subject line** (max 50 chars):
+   - Use imperative mood ("Add" not "Added")
+   - Don't capitalize first letter
+   - No period at the end
+
+2. **Body** (optional):
+   - Explain what and why, not how
+   - Wrap at 72 characters
+
+3. **Footer** (optional):
+   - Breaking changes: `BREAKING CHANGE: description`
+   - Issue references: `Fixes #123`
+
+## Examples
+
+```
+feat(auth): add JWT token refresh mechanism
+
+Implement automatic token refresh to improve user experience
+and reduce re-authentication prompts.
+
+Fixes #456
+```
+
+```
+fix(api): resolve memory leak in user service
+
+The user cache was not being cleared properly, causing
+memory to grow over time.
+```
+
+```
+docs: update installation instructions
+
+Add steps for Windows users and clarify dependency requirements.
+```
+
+## Process
+
+1. Analyze the code changes
+2. Determine the type of change
+3. Identify the scope (component/module affected)
+4. Write clear, concise subject
+5. Add body if changes need explanation
+6. Add footer for breaking changes or issue refs

package/skills/commit-message/skill.json

@@ -0,0 +1,7 @@
+{
+  "name": "Commit Message Generator",
+  "description": "Generates conventional commit messages from code changes",
+  "version": "1.0.0",
+  "author": "AI Agent Skills",
+  "tags": ["git", "commit", "conventional-commits", "version-control"]
+}

package/skills/create-hardened-docker-skill/README.md

@@ -0,0 +1,85 @@
+# Create Hardened Docker Skill
+
+Creates production-ready hardened Docker configurations.
+
+## Quick Start
+
+```bash
+# Create all hardened Docker files
+./scripts/create-all.sh [app-name] [node-version] [nginx-version]
+```
+
+## What It Creates
+
+✅ **Dockerfile** - Multi-stage, non-root, Alpine-based
+✅ **docker-compose.yml** - Read-only filesystem, capability controls
+✅ **nginx.conf** - Security headers, TLS 1.2+, gzip compression
+✅ **.dockerignore** - Optimized build context
+✅ **.env.example** - Environment variable template
+
+## Usage Examples
+
+```bash
+# Create with defaults (contacts-app, node:18.20.4, nginx:1.27.3)
+./scripts/create-all.sh
+
+# Create for custom app
+./scripts/create-all.sh my-app
+
+# Create with specific versions
+./scripts/create-all.sh my-app 20.11.1-alpine3.19 1.25.3-alpine3.18
+```
+
+## Generated Configuration Features
+
+### Security Hardening
+- ✅ Non-root user (nginx)
+- ✅ Read-only filesystem
+- ✅ Tmpfs for writable dirs
+- ✅ All capabilities dropped
+- ✅ No privilege escalation
+- ✅ Resource limits (512MB, 1 CPU)
+
+### Network Security
+- ✅ TLS 1.2+ only
+- ✅ HSTS headers
+- ✅ CSP headers
+- ✅ Server version hidden
+- ✅ Gzip compression
+
+### Image Optimization
+- ✅ Multi-stage builds
+- ✅ Alpine base images
+- ✅ Build cache cleanup
+- ✅ < 50MB final image
+
+## After Creation
+
+```bash
+# 1. Configure environment
+cp .env.example .env
+# Edit .env with your credentials
+
+# 2. Build image
+docker build -t my-app .
+
+# 3. Verify security
+./.agent/develop/verify-hardened-docker-skill/scripts/verify-docker-hardening.sh my-app
+
+# 4. Start container
+docker-compose up -d
+
+# 5. Test
+curl http://localhost
+```
+
+## Compliance
+
+- ✅ CIS Docker Benchmark v1.6.0
+- ✅ OWASP Docker Security Cheat Sheet
+- ✅ NIST SP 800-190
+
+## See Also
+
+- [SKILL.md](SKILL.md) - Full documentation
+- [verify-hardened-docker-skill](../verify-hardened-docker-skill) - Verify hardening