ma-agents 2.20.0 → 2.20.1

package/.kilocode/skills/verify-hardened-docker-skill/scripts/verify-docker-hardening.sh

@@ -1,439 +0,0 @@
-#!/bin/bash
-#
-# verify-docker-hardening.sh
-# Comprehensive Docker security verification script
-# Checks Dockerfile, docker-compose.yml, and running containers
-# against CIS, OWASP, and NIST standards
-#
-
-set -e
-
-# Colors for output
-RED='\033[0;31m'
-GREEN='\033[0;32m'
-YELLOW='\033[1;33m'
-BLUE='\033[0;34m'
-NC='\033[0m' # No Color
-
-# Configuration
-IMAGE_NAME="${1:-contacts-app}"
-CONTAINER_NAME="${2:-contacts-app}"
-EXIT_CODE=0
-
-# Counters
-TOTAL_CHECKS=0
-PASSED_CHECKS=0
-FAILED_CHECKS=0
-WARNING_CHECKS=0
-
-# Helper functions
-print_header() {
-    echo ""
-    echo -e "${BLUE}========================================${NC}"
-    echo -e "${BLUE}$1${NC}"
-    echo -e "${BLUE}========================================${NC}"
-}
-
-print_check() {
-    TOTAL_CHECKS=$((TOTAL_CHECKS + 1))
-    echo -ne "  [$TOTAL_CHECKS] $1... "
-}
-
-pass() {
-    PASSED_CHECKS=$((PASSED_CHECKS + 1))
-    echo -e "${GREEN}✅ PASS${NC}"
-}
-
-fail() {
-    FAILED_CHECKS=$((FAILED_CHECKS + 1))
-    EXIT_CODE=2
-    echo -e "${RED}❌ FAIL${NC}"
-    [ -n "$1" ] && echo -e "      ${RED}→ $1${NC}"
-}
-
-warn() {
-    WARNING_CHECKS=$((WARNING_CHECKS + 1))
-    echo -e "${YELLOW}⚠️  WARN${NC}"
-    [ -n "$1" ] && echo -e "      ${YELLOW}→ $1${NC}"
-}
-
-critical() {
-    FAILED_CHECKS=$((FAILED_CHECKS + 1))
-    EXIT_CODE=1
-    echo -e "${RED}🚨 CRITICAL${NC}"
-    [ -n "$1" ] && echo -e "      ${RED}→ $1${NC}"
-}
-
-# Start verification
-echo -e "${BLUE}🔍 Docker Security Verification${NC}"
-echo -e "${BLUE}================================${NC}"
-echo "Image: $IMAGE_NAME"
-echo "Container: $CONTAINER_NAME"
-
-# ============================================================================
-# 1. Dockerfile Verification
-# ============================================================================
-print_header "1. Dockerfile Security"
-
-if [ ! -f "Dockerfile" ]; then
-    print_check "Dockerfile exists"
-    critical "Dockerfile not found in current directory"
-    EXIT_CODE=5
-    exit $EXIT_CODE
-fi
-
-# Check for specific version tags
-print_check "Specific version tags (no :latest)"
-if grep -qE "^FROM.*:(latest|alpine)$" Dockerfile; then
-    fail "Using :latest or unversioned :alpine tag"
-else
-    pass
-fi
-
-# Check for non-root user
-print_check "Non-root user configured"
-if grep -qE "^USER (root|[0-9]+)" Dockerfile; then
-    if grep -qE "^USER root" Dockerfile; then
-        fail "Running as root user"
-    else
-        pass
-    fi
-elif grep -qE "^USER [a-zA-Z]" Dockerfile; then
-    pass
-else
-    fail "No USER directive found"
-fi
-
-# Check for HEALTHCHECK
-print_check "HEALTHCHECK instruction"
-if grep -q "^HEALTHCHECK" Dockerfile; then
-    pass
-else
-    warn "Missing HEALTHCHECK instruction"
-fi
-
-# Check for hardcoded secrets
-print_check "No hardcoded secrets in ENV/ARG"
-if grep -iE "^(ENV|ARG).*(SECRET|PASSWORD|KEY|TOKEN|CLIENT_ID)=" Dockerfile | grep -v "REACT_APP_API_BASE_URL" > /dev/null; then
-    fail "Potential hardcoded secrets found"
-else
-    pass
-fi
-
-# Check for multi-stage build
-print_check "Multi-stage build pattern"
-if [ $(grep -c "^FROM" Dockerfile) -ge 2 ]; then
-    pass
-else
-    warn "Not using multi-stage build"
-fi
-
-# Check for Alpine base images
-print_check "Minimal Alpine base images"
-if grep -qE "^FROM.*alpine" Dockerfile; then
-    pass
-else
-    warn "Not using Alpine base images"
-fi
-
-# ============================================================================
-# 2. docker-compose.yml Verification
-# ============================================================================
-print_header "2. docker-compose.yml Security"
-
-if [ ! -f "docker-compose.yml" ]; then
-    print_check "docker-compose.yml exists"
-    warn "docker-compose.yml not found (optional)"
-else
-    # Check for read-only filesystem
-    print_check "Read-only root filesystem"
-    if grep -q "read_only: true" docker-compose.yml; then
-        pass
-    else
-        fail "Missing read_only: true"
-    fi
-
-    # Check for no-new-privileges
-    print_check "No new privileges"
-    if grep -q "no-new-privileges:true" docker-compose.yml; then
-        pass
-    else
-        fail "Missing security_opt: no-new-privileges:true"
-    fi
-
-    # Check for capability dropping
-    print_check "Capabilities dropped"
-    if grep -q "cap_drop:" docker-compose.yml; then
-        pass
-    else
-        fail "Missing cap_drop configuration"
-    fi
-
-    # Check for tmpfs mounts
-    print_check "Tmpfs mounts for writable dirs"
-    if grep -q "tmpfs:" docker-compose.yml; then
-        pass
-    else
-        fail "Missing tmpfs mounts"
-    fi
-
-    # Check for resource limits
-    print_check "Memory limits configured"
-    if grep -q "memory:" docker-compose.yml; then
-        pass
-    else
-        warn "Missing memory limits"
-    fi
-
-    print_check "CPU limits configured"
-    if grep -q "cpus:" docker-compose.yml; then
-        pass
-    else
-        warn "Missing CPU limits"
-    fi
-
-    # Check for health check
-    print_check "Healthcheck configured"
-    if grep -q "healthcheck:" docker-compose.yml; then
-        pass
-    else
-        warn "Missing healthcheck configuration"
-    fi
-
-    # Check for privileged mode
-    print_check "Not running in privileged mode"
-    if grep -q "privileged: true" docker-compose.yml; then
-        critical "Running in privileged mode"
-    else
-        pass
-    fi
-fi
-
-# ============================================================================
-# 3. .dockerignore Verification
-# ============================================================================
-print_header "3. .dockerignore Configuration"
-
-if [ ! -f ".dockerignore" ]; then
-    print_check ".dockerignore exists"
-    warn ".dockerignore not found"
-else
-    print_check ".env excluded from Docker context"
-    if grep -qE "^\.env$" .dockerignore; then
-        pass
-    else
-        critical ".env not in .dockerignore - secret leakage risk!"
-    fi
-
-    print_check "node_modules excluded"
-    if grep -q "node_modules" .dockerignore; then
-        pass
-    else
-        warn "node_modules not excluded"
-    fi
-
-    print_check ".git excluded"
-    if grep -qE "^\.git" .dockerignore; then
-        pass
-    else
-        warn ".git not excluded"
-    fi
-fi
-
-# ============================================================================
-# 4. Image Security Scanning
-# ============================================================================
-print_header "4. Image Vulnerability Scanning"
-
-# Check if image exists
-if ! docker images --format "{{.Repository}}" | grep -q "^${IMAGE_NAME}$"; then
-    print_check "Docker image exists"
-    warn "Image '$IMAGE_NAME' not found locally. Skipping image scans."
-    echo "      Run 'docker build -t $IMAGE_NAME .' to build the image."
-else
-    # Check if trivy is installed
-    if ! command -v trivy &> /dev/null; then
-        print_check "Trivy scanner installed"
-        warn "Trivy not installed. Skipping vulnerability scans."
-        echo "      Install: brew install aquasecurity/trivy/trivy (macOS)"
-        echo "             : apt-get install trivy (Linux)"
-    else
-        # Scan for CRITICAL vulnerabilities
-        print_check "No CRITICAL vulnerabilities"
-        if trivy image --quiet --severity CRITICAL --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
-            pass
-        else
-            critical "CRITICAL vulnerabilities found. Run: trivy image --severity CRITICAL $IMAGE_NAME"
-        fi
-
-        # Scan for HIGH vulnerabilities
-        print_check "No HIGH vulnerabilities"
-        if trivy image --quiet --severity HIGH --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
-            pass
-        else
-            fail "HIGH vulnerabilities found. Run: trivy image --severity HIGH $IMAGE_NAME"
-        fi
-
-        # Scan for leaked secrets
-        print_check "No leaked secrets in image"
-        if trivy image --quiet --scanners secret --exit-code 1 "$IMAGE_NAME" > /dev/null 2>&1; then
-            pass
-        else
-            critical "Secrets detected in image! Run: trivy image --scanners secret $IMAGE_NAME"
-        fi
-    fi
-
-    # Check image size
-    print_check "Optimized image size (< 100MB)"
-    IMAGE_SIZE=$(docker images --format "{{.Size}}" "$IMAGE_NAME" | head -1 | sed 's/MB//' | sed 's/GB/*1024/' | bc 2>/dev/null || echo "0")
-    if [ -n "$IMAGE_SIZE" ] && [ "$IMAGE_SIZE" != "0" ]; then
-        if (( $(echo "$IMAGE_SIZE < 100" | bc -l) )); then
-            pass
-        else
-            warn "Image size is ${IMAGE_SIZE}MB (recommended < 100MB)"
-        fi
-    else
-        warn "Could not determine image size"
-    fi
-
-    # Check for .env in image
-    print_check ".env file not baked into image"
-    if docker run --rm "$IMAGE_NAME" sh -c "ls -la / 2>/dev/null | grep -q .env"; then
-        critical ".env file found in image! Secrets leaked!"
-    else
-        pass
-    fi
-fi
-
-# ============================================================================
-# 5. Runtime Security (if container is running)
-# ============================================================================
-print_header "5. Runtime Security Verification"
-
-if ! docker ps --filter "name=$CONTAINER_NAME" --format "{{.Names}}" | grep -q "^$CONTAINER_NAME$"; then
-    echo -e "${YELLOW}  Container '$CONTAINER_NAME' is not running.${NC}"
-    echo -e "${YELLOW}  Run 'docker-compose up -d' to enable runtime checks.${NC}"
-else
-    # Check container runs as non-root
-    print_check "Container runs as non-root"
-    CONTAINER_USER=$(docker exec "$CONTAINER_NAME" whoami 2>/dev/null || echo "root")
-    if [ "$CONTAINER_USER" != "root" ]; then
-        pass
-    else
-        critical "Container running as root user!"
-    fi
-
-    # Check user ID is not 0
-    print_check "User ID is not 0 (root)"
-    USER_ID=$(docker exec "$CONTAINER_NAME" id -u 2>/dev/null || echo "0")
-    if [ "$USER_ID" != "0" ]; then
-        pass
-    else
-        critical "Container running with UID 0 (root)!"
-    fi
-
-    # Check read-only filesystem
-    print_check "Root filesystem is read-only"
-    if docker exec "$CONTAINER_NAME" sh -c "touch /test 2>/dev/null"; then
-        fail "Root filesystem is writable"
-        docker exec "$CONTAINER_NAME" sh -c "rm /test 2>/dev/null" || true
-    else
-        pass
-    fi
-
-    # Check tmpfs is writable
-    print_check "Tmpfs mount is writable"
-    if docker exec "$CONTAINER_NAME" sh -c "touch /tmp/test 2>/dev/null && rm /tmp/test 2>/dev/null"; then
-        pass
-    else
-        warn "Tmpfs mount /tmp is not writable"
-    fi
-
-    # Check health status
-    print_check "Container is healthy"
-    HEALTH_STATUS=$(docker inspect --format='{{.State.Health.Status}}' "$CONTAINER_NAME" 2>/dev/null || echo "none")
-    if [ "$HEALTH_STATUS" = "healthy" ]; then
-        pass
-    elif [ "$HEALTH_STATUS" = "none" ]; then
-        warn "No health check configured"
-    else
-        fail "Container health status: $HEALTH_STATUS"
-    fi
-
-    # Check capabilities
-    print_check "Capabilities dropped"
-    CAPS_DROPPED=$(docker inspect --format='{{.HostConfig.CapDrop}}' "$CONTAINER_NAME" 2>/dev/null || echo "[]")
-    if echo "$CAPS_DROPPED" | grep -q "ALL"; then
-        pass
-    else
-        warn "Not all capabilities dropped"
-    fi
-
-    # Check memory limit
-    print_check "Memory limit enforced"
-    MEMORY_LIMIT=$(docker inspect --format='{{.HostConfig.Memory}}' "$CONTAINER_NAME" 2>/dev/null || echo "0")
-    if [ "$MEMORY_LIMIT" != "0" ]; then
-        pass
-    else
-        warn "No memory limit set"
-    fi
-fi
-
-# ============================================================================
-# 6. Git Secret Protection
-# ============================================================================
-print_header "6. Git Secret Protection"
-
-if [ -d ".git" ]; then
-    # Check .env in .gitignore
-    print_check ".env in .gitignore"
-    if [ -f ".gitignore" ] && grep -qE "^\.env$" .gitignore; then
-        pass
-    else
-        critical ".env not in .gitignore! Secrets may be committed!"
-    fi
-
-    # Check .env.example exists
-    print_check ".env.example exists (template)"
-    if [ -f ".env.example" ]; then
-        pass
-    else
-        warn ".env.example not found"
-    fi
-
-    # Check if .env is committed
-    print_check ".env not committed to git"
-    if git ls-files --error-unmatch .env > /dev/null 2>&1; then
-        critical ".env is tracked by git! Remove immediately!"
-    else
-        pass
-    fi
-else
-    echo -e "${YELLOW}  Not a git repository. Skipping git checks.${NC}"
-fi
-
-# ============================================================================
-# Summary
-# ============================================================================
-print_header "Verification Summary"
-
-echo ""
-echo "  Total checks:    $TOTAL_CHECKS"
-echo -e "  ${GREEN}Passed:          $PASSED_CHECKS${NC}"
-echo -e "  ${YELLOW}Warnings:        $WARNING_CHECKS${NC}"
-echo -e "  ${RED}Failed:          $FAILED_CHECKS${NC}"
-echo ""
-
-if [ $FAILED_CHECKS -eq 0 ]; then
-    echo -e "${GREEN}✅ All critical security checks passed!${NC}"
-    if [ $WARNING_CHECKS -gt 0 ]; then
-        echo -e "${YELLOW}⚠️  $WARNING_CHECKS warning(s) - consider addressing these.${NC}"
-    fi
-else
-    echo -e "${RED}❌ $FAILED_CHECKS security check(s) failed!${NC}"
-    echo -e "${RED}   Please fix the issues above before deploying.${NC}"
-fi
-
-echo ""
-
-exit $EXIT_CODE

package/lib/bmad-cache/tea/.github/CODE_OF_CONDUCT.md

@@ -1,128 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, religion, or sexual identity
-and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-the official BMAD Discord server (<https://discord.com/invite/gk8jAdXWmj>) - DM a moderator or flag a post.
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or
-permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within
-the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-<https://www.contributor-covenant.org/version/2/0/code_of_conduct.html>.
-
-Community Impact Guidelines were inspired by [Mozilla's code of conduct
-enforcement ladder](https://github.com/mozilla/diversity).
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see the FAQ at
-<https://www.contributor-covenant.org/faq>. Translations are available at
-<https://www.contributor-covenant.org/translations>.

package/lib/bmad-cache/tea/.github/FUNDING.yaml

@@ -1,15 +0,0 @@
-# These are supported funding model platforms
-
-github: # Replace with up to 4 GitHub Sponsors-enabled usernames e.g., [user1, user2]
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project_name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-lfx_crowdfunding: # Replace with a single LFX Crowdfunding project_name e.g., cloud-foundry
-polar: # Replace with a single Polar username
-buy_me_a_coffee: bmad
-thanks_dev: # Replace with a single thanks.dev username
-custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']

package/lib/bmad-cache/tea/.github/ISSUE_TEMPLATE/config.yaml

@@ -1,11 +0,0 @@
-blank_issues_enabled: false
-contact_links:
-  - name: 📚 Documentation
-    url: https://test-architect.bmad-method.org
-    about: Check the docs first — tutorials, guides, and reference
-  - name: 💬 GitHub Discussions
-    url: https://github.com/bmad-code-org/bmad-method-test-architecture-enterprise/discussions
-    about: Ask questions and discuss TEA usage before opening an issue
-  - name: 🐛 Troubleshooting Guide
-    url: https://test-architect.bmad-method.org/reference/troubleshooting
-    about: Common issues and solutions

package/lib/bmad-cache/tea/.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,70 +0,0 @@
----
-name: Feature Request
-about: Suggest an idea or new feature for TEA
-title: ''
-labels: 'enhancement'
-assignees: ''
----
-
-**Describe your idea**
-A clear and concise description of what you'd like to see added or changed in TEA.
-
-**Why is this needed?**
-Explain the problem this solves or the benefit it brings to:
-
-- TEA users
-- Test automation practices
-- Quality engineering workflows
-- Testing best practices
-
-**Which component would this affect?**
-Please check all that apply:
-
-- [ ] Workflows (test-design, automate, atdd, test-review, trace, nfr-assess, ci, framework)
-- [ ] Knowledge Base (new testing patterns or fragments)
-- [ ] Subagent Architecture (parallel execution)
-- [ ] Configuration (module variables or settings)
-- [ ] Documentation (guides, tutorials, or references)
-- [ ] Integrations (Playwright Utils, MCP, or other tools)
-- [ ] Quality Gates (risk assessment, traceability, scoring)
-- [ ] Other (please specify)
-
-**How should it work?**
-Describe your proposed solution:
-
-1. What would the user experience look like?
-2. What workflow would be affected?
-3. What knowledge base updates would be needed?
-4. Any implementation ideas?
-
-**Use Case Example**
-Provide a concrete example of how this feature would be used:
-
-```
-Example scenario:
-User wants to [specific goal]
-Currently: [what happens now]
-With this feature: [what would happen]
-```
-
-**Alternatives considered**
-Have you considered any alternative solutions or workarounds?
-
-**Impact & Priority**
-How important is this feature?
-
-- [ ] Critical - blocking adoption or major workflow
-- [ ] High - significantly improves user experience
-- [ ] Medium - nice to have, would help some users
-- [ ] Low - minor improvement or edge case
-
-**Contribution**
-If you'd like to contribute, please indicate you're working on this or link to your PR. Please review [CONTRIBUTING.md](../../CONTRIBUTING.md) — contributions are always welcome!
-
-**Additional context**
-Add any other context, screenshots, or links that help explain your idea:
-
-- Related workflows or knowledge fragments
-- Testing frameworks this would support
-- Industry standards or best practices this aligns with
-- Links to similar features in other tools