ma-agents 2.6.0 → 2.8.0

package/README.md

@@ -85,6 +85,7 @@ skills/code-review/
 | `opentelemetry-best-practices` | Logic | Distributed tracing and semantic conventions |
 | `vercel-react-best-practices` | Web | 57 Performance rules for React and Next.js |
 | `git-workflow-skill` | Git | Worktree-based feature branch workflow |
+| `self-signed-cert` | Security | Automated Root CA and self-signed certificate generation |
 
 ## Automated Skill Discovery
 

package/lib/bmad-workflows/cyber/generate-certs.md

@@ -1,17 +1,15 @@
 # workflow-generate-certs.md
 # Secure Certificate Generation Workflow
 
-Automated workflow for generating self-signed certificates for internal services and local development.
+Automated workflow for generating self-signed certificates using the `self-signed-cert` skill.
 
 ## Instructions
-1.  **Requirement Analysis**: Determine common name (CN) and Subject Alternative Names (SANs).
-2.  **CA Generation** (if needed):
-    - `openssl genrsa -out rootCA.key 4096`
-    - `openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt`
-3.  **Certificate Generation**:
-    - Generate private key and CSR (Certificate Signing Request).
-    - Sign with CA or generate standalone self-signed cert.
-    - `openssl x509 -req -in {csr} -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out {crt} -days 365 -sha256`
+1.  **Load Skill**: Activate the `self-signed-cert` skill instructions.
+2.  **Requirement Analysis**: Determine common name (CN) and Subject Alternative Names (SANs).
+3.  **Execution**:
+    - Use the `generate-cert.sh` script from the skill's scripts directory.
+    - Choice A: `bash scripts/generate-cert.sh root my-internal-ca`
+    - Choice B: `bash scripts/generate-cert.sh cert my-service localhost`
 4.  **Packaging**: Provide instructions for importing the cert into trust stores (OS, Browsers) or mounting in Kubernetes secrets.
 5.  **Security**: Ensure private keys are stored with restricted permissions (600).
 6.  **Rotation**: Offer a schedule for certificate renewal.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ma-agents",
-  "version": "2.6.0",
+  "version": "2.8.0",
   "description": "NPX tool to install skills for AI coding agents (Claude Code, Gemini, Copilot, Kilocode, Cline, Cursor)",
   "main": "index.js",
   "bin": {

package/skills/self-signed-cert/SKILL.md

@@ -0,0 +1,38 @@
+# Self-Signed Certificate Generator
+
+## Purpose
+Automate the creation of Root CAs and self-signed certificates for internal services, local development, and testing environments.
+
+## Instructions
+1.  **Environment Check**: Ensure `openssl` is installed and available in the PATH.
+2.  **Workflow Selection**:
+    - **Standalone Self-Signed**: Quickest for single service testing.
+    - **Root CA + Signed Cert**: Recommended for internal architectures where multiple services need to trust a single authority.
+3.  **Security Standards**:
+    - Key Size: Minimum 2048-bit (4096-bit preferred).
+    - Hashing: SHA-256 or higher.
+    - Permissions: Private keys must be set to `600`.
+
+## Rules
+- NEVER store private keys in version control.
+- ALWAYS include Subject Alternative Names (SANs) for modern browser compatibility.
+- Ensure the certificate Common Name (CN) matches the intended hostname.
+
+## Usage
+The skill provide both Bash (Linux/macOS) and PowerShell (Windows) scripts.
+
+### Linux / macOS
+Run `scripts/generate-cert.sh` with:
+- `TYPE`: `root` or `cert`
+- `NAME`: Base name for the files
+- `DNS`: Primary domain/IP
+
+Example: `bash scripts/generate-cert.sh cert my-service localhost`
+
+### Windows (PowerShell)
+Run `scripts/generate-cert.ps1` with:
+- `-Type`: `root` or `cert`
+- `-Name`: Base name
+- `-Dns`: Primary domain/IP
+
+Example: `.\scripts\generate-cert.ps1 -Type cert -Name my-service -Dns localhost`

package/skills/self-signed-cert/scripts/generate-cert.ps1

@@ -0,0 +1,45 @@
+param (
+    [Parameter(Mandatory=$true)]
+    [ValidateSet("root", "cert")]
+    [string]$Type,
+    
+    [string]$Name = "server",
+    
+    [string]$Dns = "localhost",
+    
+    [string]$CaKey,
+    
+    [string]$CaCert
+)
+
+$ErrorActionPreference = "Stop"
+
+if ($Type -eq "root") {
+    Write-Host "Generating Root CA..." -ForegroundColor Cyan
+    openssl genrsa -out "${Name}_rootCA.key" 4096
+    openssl req -x509 -new -nodes -key "${Name}_rootCA.key" -sha256 -days 3650 -out "${Name}_rootCA.crt" `
+        -subj "/CN=${Name}-Root-CA/O=MA-Agents/C=US"
+    Write-Host "Root CA created: ${Name}_rootCA.crt" -ForegroundColor Green
+
+} elseif ($Type -eq "cert") {
+    if (-not $CaKey -or -not $CaCert) {
+        Write-Host "Generating standalone self-signed certificate..." -ForegroundColor Cyan
+        openssl req -x509 -newnodes -days 365 -newkey rsa:2048 `
+            -keyout "${Name}.key" -out "${Name}.crt" `
+            -subj "/CN=${Dns}/O=MA-Agents" `
+            -addext "subjectAltName = DNS:${Dns}"
+    } else {
+        Write-Host "Generating certificate signed by CA..." -ForegroundColor Cyan
+        openssl genrsa -out "${Name}.key" 2048
+        openssl req -new -key "${Name}.key" -out "${Name}.csr" -subj "/CN=${Dns}/O=MA-Agents"
+        
+        # Extension file for SAN
+        "subjectAltName = DNS:${Dns}" | Out-File -FilePath "${Name}.ext" -Encoding ascii
+        
+        openssl x509 -req -in "${Name}.csr" -CA "$CaCert" -CAkey "$CaKey" -CAcreateserial `
+            -out "${Name}.crt" -days 365 -sha256 -extfile "${Name}.ext"
+        
+        Remove-Item "${Name}.csr", "${Name}.ext" -ErrorAction SilentlyContinue
+    }
+    Write-Host "Certificate created: ${Name}.crt" -ForegroundColor Green
+}

package/skills/self-signed-cert/scripts/generate-cert.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# generate-cert.sh - Part of ma-agents self-signed-cert skill
+
+TYPE=$1
+NAME=${2:-"server"}
+DNS=${3:-"localhost"}
+
+if [ "$TYPE" == "root" ]; then
+    echo "Generating Root CA..."
+    openssl genrsa -out "${NAME}_rootCA.key" 4096
+    openssl req -x509 -new -nodes -key "${NAME}_rootCA.key" -sha256 -days 3650 -out "${NAME}_rootCA.crt" \
+        -subj "/CN=${NAME}-Root-CA/O=MA-Agents/C=US"
+    chmod 600 "${NAME}_rootCA.key"
+    echo "Root CA created: ${NAME}_rootCA.crt"
+
+elif [ "$TYPE" == "cert" ]; then
+    CA_KEY=$4
+    CA_CRT=$5
+
+    if [ -z "$CA_KEY" ] || [ -z "$CA_CRT" ]; then
+        echo "Generating standalone self-signed certificate..."
+        openssl req -x509 -newnodes -days 365 -newkey rsa:2048 \
+            -keyout "${NAME}.key" -out "${NAME}.crt" \
+            -subj "/CN=${DNS}/O=MA-Agents" \
+            -addext "subjectAltName = DNS:${DNS}"
+    else
+        echo "Generating certificate signed by CA..."
+        openssl genrsa -out "${NAME}.key" 2048
+        openssl req -new -key "${NAME}.key" -out "${NAME}.csr" -subj "/CN=${DNS}/O=MA-Agents"
+        
+        # Extension file for SAN
+        echo "subjectAltName = DNS:${DNS}" > "${NAME}.ext"
+        
+        openssl x509 -req -in "${NAME}.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" -CAcreateserial \
+            -out "${NAME}.crt" -days 365 -sha256 -extfile "${NAME}.ext"
+        rm "${NAME}.csr" "${NAME}.ext"
+    fi
+    chmod 600 "${NAME}.key"
+    echo "Certificate created: ${NAME}.crt"
+else
+    echo "Usage: $0 [root|cert] [name] [dns] [ca_key] [ca_crt]"
+    exit 1
+fi

package/skills/self-signed-cert/skill.json

@@ -0,0 +1,12 @@
+{
+    "name": "Self-Signed Certificate Generator",
+    "description": "Generates secure self-signed certificates and Root CAs using OpenSSL.",
+    "version": "1.0.0",
+    "author": "Yael (Cyber Analyst)",
+    "tags": [
+        "security",
+        "pki",
+        "certificates",
+        "openssl"
+    ]
+}