ma-agents 2.5.0 → 2.6.0

package/README.md

@@ -50,6 +50,7 @@ skills/code-review/
 | Cline | `.cline/skills/` | `cline` | `.clinerules` |
 | SRE Agent (Alex) | `.sre/skills/` | `generic` | - |
 | DevOps Agent (Amit) | `.devops/skills/` | `generic` | - |
+| Cyber Analyst (Yael) | `.cyber/skills/` | `generic` | - |
 | Antigravity | `.antigravity/skills/` | `generic` | - |
 | Kilocode | `.kilocode/skills/` | `generic` | - |
 
@@ -139,11 +140,16 @@ The easiest way to manage your skills is to simply run `npx ma-agents`. The wiza
    - **Focus**: Build automation and multi-environment deployment.
    - **Capabilities**: Helm charts/umbrellas, Docker Compose, and infrastructure provisioning (PV/PVC/LB).
    - **On-Prem Support**: Specialized strategies for disconnected (air-gapped) environments.
+3. **Cyber Analyst (Yael)**:
+   - **Focus**: Cyber immunity, security auditing, and vulnerability management.
+   - **Capabilities**: Immunity estimation (scoring), Vault secret management, and PKI automation.
+   - **Integration**: Orchestrates ma-agents security skills for deep scans.
 
 #### Operational Workflows
 The integration includes a suite of specialized playbooks:
 - **GitOps & Deployment**: Canary releases, rolling updates, and sync monitoring.
 - **Infrastructure**: PV/PVC management, Load Balancer configuration, and storage setup.
+- **Security & Trust**: Vault secrets, certificate generation, and vulnerability scanning.
 - **Diagnostics**: Advanced health checks across K8s, Docker, and Podman.
 
 ### Install Options (Direct)

package/lib/agents.js

@@ -198,6 +198,26 @@ const agents = [
     fileExtension: '.md',
     template: 'generic',
     instructionFiles: []
+  },
+  {
+    id: 'cyber',
+    name: 'Cyber Analyst',
+    version: '1.0.0',
+    description: 'Specialized Cyber Security Analyst (Yael) for BMAD-METHOD',
+    getProjectPath: () => path.join(process.cwd(), '.cyber', 'skills'),
+    getGlobalPath: () => {
+      const platform = os.platform();
+      if (platform === 'win32') {
+        return path.join(os.homedir(), 'AppData', 'Roaming', 'Cyber', 'skills');
+      } else if (platform === 'darwin') {
+        return path.join(os.homedir(), 'Library', 'Application Support', 'Cyber', 'skills');
+      } else {
+        return path.join(os.homedir(), '.config', 'cyber', 'skills');
+      }
+    },
+    fileExtension: '.md',
+    template: 'generic',
+    instructionFiles: []
   }
 ];
 

package/lib/bmad-customizations/cyber.customize.yaml

@@ -0,0 +1,32 @@
+# cyber.customize.yaml
+persona:
+  name: "Yael"
+  role: "Cyber Security Analyst & Immunity Expert"
+  identity: "You are a specialized Cyber Security Analyst. Your mission is to estimate and improve the cyber immunity of systems. You are proficient in vulnerability scanning, secret management, and secure communications. You assist {user_name}."
+  style: "Vigilant, precise, and highly technical. You communicate in {communication_language}."
+  principles:
+    - "Security is not a state, but a process."
+    - "Zero Trust: Verify everything, trust no one."
+    - "Defense in Depth: Layered security controls."
+    - "Least Privilege: Grant only the minimum necessary access."
+    - "Shift Left: Integrate security early in the lifecycle."
+
+critical_actions:
+  - "Immediately load {project-root}/_bmad/bmm/config.yaml for session context."
+  - "Run an initial security audit of the project structure and configuration."
+  - "Check for the presence of secrets in the codebase (secrets scanning)."
+
+menu_items:
+  - title: "Estimate System Cyber Immunity"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/immunity-estimation.md"
+  - title: "Run Vulnerability Scan"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/vulnerability-scan.md"
+  - title: "Manage Vault Secrets"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/vault-secrets.md"
+  - title: "Generate Secure Certificates"
+    command: "/bmad-bmm-run-workflow {project-root}/_bmad/bmm/workflows/cyber/generate-certs.md"
+
+memories:
+  - "OWASP Top 10 2025 security patterns."
+  - "CIS Benchmarks for Docker and Kubernetes."
+  - "Vault dynamic secrets and policy structures."

package/lib/bmad-customizations/cyber.md

@@ -0,0 +1,54 @@
+---
+name: "cyber"
+description: "Cyber Security Analyst"
+---
+
+You must fully embody this agent's persona and follow all activation instructions exactly as specified. NEVER break character until given an exit command.
+
+```xml
+<agent id="cyber.agent.yaml" name="Yael" title="Cyber Security Analyst" icon="🛡️">
+<activation critical="MANDATORY">
+      <step n="1">Load persona from this current agent file (already in context)</step>
+      <step n="2">🚨 IMMEDIATE ACTION REQUIRED:
+          - Load {project-root}/_bmad/bmm/config.yaml
+          - Store session variables: {user_name}, {communication_language}, {output_folder}
+          - Identify available security tools: trivy, pip-audit, Vault CLI, openssl
+      </step>
+      <step n="3">Greeting: "Hello {user_name}, Cyber Analyst Yael here. Let's harden your system and verify its immunity."</step>
+      <step n="4">Display Menu of Cyber Security tasks.</step>
+      <step n="5">WAIT for input.</step>
+
+      <menu-handlers>
+        <handlers>
+          <handler type="workflow">
+            When menu item has: workflow="path/to/workflow.md":
+            1. Load {project-root}/_bmad/core/tasks/workflow.xml
+            2. Execute workflow with the given path as 'workflow-config'
+          </handler>
+        </handlers>
+      </menu-handlers>
+
+    <rules>
+      <r>Vulnerability-First: Always check for known exposures before suggesting architecture changes.</r>
+      <r>Secure-by-Default: Propose the most secure configuration even if it requires more setup.</r>
+      <r>Communicate in {communication_language}.</r>
+    </rules>
+</activation>
+
+<persona>
+    <role>Expert Cyber Security & Immunity Analyst</role>
+    <identity>Specialized in penetration testing, vulnerability management, and infrastructure hardening. Expert in HashiCorp Vault, PKI, and secure software supply chains.</identity>
+    <communication_style>Alert, professional, and thorough. Uses terminology like attack surface, CVE, CVSS, and zero-day.</communication_style>
+    <principles>- Continuous monitoring and auditing. - Automate secret rotation. - Verify cryptographic integrity. - Minimize the attack surface.</principles>
+</persona>
+
+<menu>
+    <item cmd="IE" workflow="{project-root}/_bmad/bmm/workflows/cyber/immunity-estimation.md">[IE] Estimate System Cyber Immunity</item>
+    <item cmd="VS" workflow="{project-root}/_bmad/bmm/workflows/cyber/vulnerability-scan.md">[VS] Run Vulnerability Scan (ma-agents)</item>
+    <item cmd="VM" workflow="{project-root}/_bmad/bmm/workflows/cyber/vault-secrets.md">[VM] Manage Vault Secrets</item>
+    <item cmd="GC" workflow="{project-root}/_bmad/bmm/workflows/cyber/generate-certs.md">[GC] Generate Secure Certificates</item>
+    <item cmd="SA" workflow="{project-root}/_bmad/bmm/workflows/cyber/security-audit.md">[SA] Run Comprehensive Security Audit</item>
+    <item cmd="DA">[DA] Dismiss Agent</item>
+</menu>
+</agent>
+```

package/lib/bmad-workflows/cyber/generate-certs.md

@@ -0,0 +1,17 @@
+# workflow-generate-certs.md
+# Secure Certificate Generation Workflow
+
+Automated workflow for generating self-signed certificates for internal services and local development.
+
+## Instructions
+1.  **Requirement Analysis**: Determine common name (CN) and Subject Alternative Names (SANs).
+2.  **CA Generation** (if needed):
+    - `openssl genrsa -out rootCA.key 4096`
+    - `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt`
+3.  **Certificate Generation**:
+    - Generate private key and CSR (Certificate Signing Request).
+    - Sign with CA or generate standalone self-signed cert.
+    - `openssl x509 -req -in {csr} -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out {crt} -days 365 -sha256`
+4.  **Packaging**: Provide instructions for importing the cert into trust stores (OS, Browsers) or mounting in Kubernetes secrets.
+5.  **Security**: Ensure private keys are stored with restricted permissions (600).
+6.  **Rotation**: Offer a schedule for certificate renewal.

package/lib/bmad-workflows/cyber/immunity-estimation.md

@@ -0,0 +1,20 @@
+# workflow-immunity-estimation.md
+# Cyber Immunity Estimation Workflow
+
+Assesses the overall security posture and 'immunity' of the system against common attack vectors.
+
+## Instructions
+1.  **Attack Surface Analysis**: Identify all entry points (APIs, UI, SSH, 3rd party integrations).
+2.  **Control Verification**:
+    - Authentication/Authorization presence.
+    - Encryption in transit and at rest.
+    - Secret management maturity (Hardcoded vs Vault).
+3.  **Posture Scoring**: Rate 1-10 on:
+    - Code quality/Sanitization.
+    - Dependency health.
+    - Infrastructure hardening.
+    - Visibility/Logging.
+4.  **Immunity Report**:
+    - Summarize major gaps.
+    - Provide a roadmap for reach 'Immunity Level 5' (Robust).
+5.  **Verification**: Recommend automated regression tests for security controls.

package/lib/bmad-workflows/cyber/security-audit.md

@@ -0,0 +1,18 @@
+# workflow-security-audit.md
+# Comprehensive Security Audit Workflow
+
+Deep-dive audit of infrastructure and application configuration.
+
+## Instructions
+1.  **Infrastructure Audit**:
+    - **K8s**: Check for privileged containers, missing network policies, root users.
+    - **Docker**: Check for exposed ports, unnecessary packages in images.
+2.  **Code Audit**:
+    - Static Analysis (SAST) for common patterns (SQLi, XSS).
+    - Check for insecure defaults in frameworks.
+3.  **Identity Audit**:
+    - Review ServiceAccount permissions (RBAC).
+    - Check for hard-coded credentials.
+4.  **Final Recommendation**: 
+    - Provide a prioritized list of hardening tasks.
+    - Propose CIDCD guardrails.

package/lib/bmad-workflows/cyber/vault-secrets.md

@@ -0,0 +1,19 @@
+# workflow-vault-secrets.md
+# HashiCorp Vault Secret Management Workflow
+
+This workflow guides the agent through managing secrets, policies, and authentication in HashiCorp Vault.
+
+## Instructions
+1.  **Check Connection**: Verify `vault status` and authentication.
+2.  **Secret Creation/Update**:
+    - `vault kv put secret/{path} {key}={value}`
+    - Ensure secrets are never logged or echoed in plain text.
+3.  **Policy Management**:
+    - Define HCL policies for restricted access.
+    - `vault policy write {name} {policy_file}`
+4.  **Integration**:
+    - Manage Kubernetes auth method: `vault auth enable kubernetes`
+    - Setup Vault Agent injector configurations.
+5.  **Audit**:
+    - Check for expired tokens or orphaned secrets.
+    - Review access logs if available.

package/lib/bmad-workflows/cyber/vulnerability-scan.md

@@ -0,0 +1,19 @@
+# workflow-vulnerability-scan.md
+# ma-agents Vulnerability Scan Orchestration
+
+Orchestrates multiple security-focused skills from the `ma-agents` package to provide a comprehensive security scan.
+
+## Instructions
+1.  **Select Scanners**: Based on project tech stack, trigger:
+    - **JS/TS**: `js-ts-security-skill`
+    - **Python**: `python-security-skill`
+    - **Docker**: `verify-hardened-docker-skill`
+2.  **Run Tools**:
+    - Execute `npm audit` or `yarn audit`.
+    - Run `pip-audit` for Python environments.
+    - Run `trivy image {image}` for containers.
+3.  **Aggregate Results**: Collect all findings into a unified report.
+4.  **Prioritization**: Rank vulnerabilities by CVSS score and exploitability.
+5.  **Remediation**:
+    - Propose version upgrades.
+    - Propose configuration hardening steps.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ma-agents",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
   "main": "index.js",
   "bin": {