maestro-flow 0.4.1 → 0.4.3

package/.claude/commands/security-audit.md

@@ -0,0 +1,154 @@
+---
+name: security-audit
+description: OWASP Top 10 and STRIDE security auditing with supply chain analysis
+argument-hint: "[quick|standard|deep] [--scope <path>]"
+allowed-tools:
+  - Read
+  - Bash
+  - Glob
+  - Grep
+  - Agent
+  - AskUserQuestion
+---
+<purpose>
+Systematic security audit covering OWASP Top 10, dependency supply chain, secrets detection,
+CI/CD pipeline review, and optional STRIDE threat modeling. Three tiers control depth vs speed.
+</purpose>
+
+<context>
+$ARGUMENTS — Parse tier and scope:
+- Tier: `quick` (default) | `standard` | `deep`
+- `--scope <path>`: Limit scan to directory (default: project root)
+
+**Tier coverage:**
+
+| Tier | OWASP | Dependencies | Secrets | CI/CD | STRIDE | Git History |
+|------|-------|-------------|---------|-------|--------|-------------|
+| quick | ✓ | ✓ | — | — | — | — |
+| standard | ✓ | ✓ | ✓ | ✓ | — | — |
+| deep | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
+</context>
+
+<execution>
+
+**Phase 1: Reconnaissance**
+
+1. Detect tech stack from package.json / go.mod / requirements.txt / Cargo.toml
+2. Identify entry points: HTTP handlers, API routes, CLI parsers, WebSocket handlers
+3. List authentication/authorization modules
+4. Map data flow: user input → processing → storage → output
+
+**Phase 2: OWASP Top 10 Scan** (all tiers)
+
+For each category, scan relevant source files:
+
+| # | Category | What to check |
+|---|----------|--------------|
+| A01 | Broken Access Control | Missing auth middleware, direct object references, path traversal |
+| A02 | Cryptographic Failures | Weak algorithms, hardcoded keys, missing TLS, plaintext storage |
+| A03 | Injection | SQL concatenation, shell exec with user input, template injection |
+| A04 | Insecure Design | Missing rate limits, no CSRF tokens, predictable tokens |
+| A05 | Security Misconfiguration | Debug mode, default credentials, verbose errors, open CORS |
+| A06 | Vulnerable Components | Known CVEs in dependencies |
+| A07 | Auth Failures | Weak password rules, missing brute-force protection, session fixation |
+| A08 | Data Integrity | Deserialization of untrusted data, unsigned updates |
+| A09 | Logging Failures | Missing audit logs, logging sensitive data |
+| A10 | SSRF | Unvalidated URLs in server-side requests |
+
+Use `Grep` for pattern matching (e.g., `eval(`, `exec(`, `innerHTML`, `dangerouslySetInnerHTML`,
+`sql.*\+.*req\.`, `process\.env` without validation).
+
+**Phase 3: Dependency Audit** (all tiers)
+
+```bash
+# Node.js
+npm audit --json 2>/dev/null || true
+# Check lockfile integrity
+test -f package-lock.json && echo "lockfile present" || echo "WARNING: no lockfile"
+```
+
+Check for:
+- Known vulnerabilities (CVE references)
+- Lockfile presence and integrity
+- Typosquatting risk on critical dependencies (manually check suspicious names)
+
+**Phase 4: Secrets Detection** (standard + deep)
+
+```bash
+# Current codebase
+grep -rn --include="*.ts" --include="*.js" --include="*.json" --include="*.env*" \
+  -E "(password|secret|api.?key|token|credential).*=.*['\"][^'\"]{8,}" . || true
+```
+
+Check `.env.example` for leaked values. Check `.gitignore` for missing `.env` patterns.
+
+**Phase 5: CI/CD Audit** (standard + deep)
+
+Scan `.github/workflows/*.yml` for:
+- Overly permissive `permissions:` (write-all, contents: write)
+- Unpinned action versions (`uses: actions/checkout@main` vs `@v4.1.0`)
+- Secrets in logs (missing `mask` or `add-mask`)
+- Pull request trigger with `pull_request_target` (code injection risk)
+
+**Phase 6: STRIDE Threat Modeling** (deep only)
+
+For each critical module identified in Phase 1:
+
+| Threat | Question |
+|--------|----------|
+| **S**poofing | Can identity be faked? Is auth per-request? |
+| **T**ampering | Can data be modified in transit/storage? Integrity checks? |
+| **R**epudiation | Are actions logged with user identity? |
+| **I**nformation Disclosure | Can unauthorized data be accessed? |
+| **D**enial of Service | Resource limits? Rate limiting? |
+| **E**levation of Privilege | Can roles be escalated? Input validation on role fields? |
+
+**Phase 7: Git History Archaeology** (deep only)
+
+```bash
+# Search for previously committed secrets
+git log --all --diff-filter=D --name-only --pretty=format: -- "*.env" "*.key" "*.pem" 2>/dev/null | head -20
+git log -p --all -S "password" --since="1 year ago" -- "*.ts" "*.js" 2>/dev/null | head -50
+```
+
+**Phase 8: Report**
+
+Output severity matrix:
+
+```
+=== Security Audit ({tier}) ===
+
+CRITICAL ({count}):
+  - [A03] SQL injection in {file}:{line} — {description}
+    Fix: {remediation}
+
+HIGH ({count}):
+  ...
+
+MEDIUM ({count}):
+  ...
+
+LOW ({count}):
+  ...
+
+Summary: {total} findings ({critical} critical, {high} high, {medium} medium, {low} low)
+```
+
+Emit completion status:
+```
+--- COMPLETION STATUS ---
+STATUS: DONE|DONE_WITH_CONCERNS
+CONCERNS: {count} critical findings require immediate action
+NEXT: /quality-review
+--- END STATUS ---
+```
+</execution>
+
+<success_criteria>
+- [ ] Tech stack identified and entry points mapped
+- [ ] OWASP Top 10 categories all checked (tier-appropriate)
+- [ ] Dependency audit completed with CVE listing
+- [ ] Severity matrix produced with file:line references
+- [ ] Each finding includes remediation suggestion
+- [ ] Completion status block emitted
+</success_criteria>

package/.claude/skills/maestro-help/index/catalog.json

@@ -23,6 +23,7 @@
     {"name": "maestro-milestone-complete", "command": "/maestro-milestone-complete", "category": "milestone", "description": "里程碑完成 — 归档里程碑并推进下一个", "source": "../../commands/maestro-milestone-complete.md"},
     {"name": "maestro-milestone-release", "command": "/maestro-milestone-release", "category": "milestone", "description": "里程碑发布 — 生成发布说明和变更日志", "source": "../../commands/maestro-milestone-release.md"},
     {"name": "maestro-composer", "command": "/maestro-composer", "category": "core", "description": "编排器 — compose + play 工作流组合执行", "source": "../../commands/maestro-composer.md"},
+    {"name": "maestro-guard", "command": "/maestro-guard", "category": "core", "description": "编辑边界治理", "source": "../../commands/maestro-guard.md"},
     {"name": "maestro-player", "command": "/maestro-player", "category": "core", "description": "播放器 — 执行已编排的工作流", "source": "../../commands/maestro-player.md"},
     {"name": "maestro-ralph", "command": "/maestro-ralph", "category": "ralph", "description": "Ralph 引擎 — 自适应生命周期决策节点管理", "source": "../../commands/maestro-ralph.md"},
     {"name": "maestro-ralph-execute", "command": "/maestro-ralph-execute", "category": "ralph", "description": "Ralph 执行 — 运行自适应决策链", "source": "../../commands/maestro-ralph-execute.md"},
@@ -45,6 +46,7 @@
     {"name": "quality-review", "command": "/quality-review", "category": "quality", "description": "代码审查 — 多维度代码质量检查", "source": "../../commands/quality-review.md"},
     {"name": "quality-auto-test", "command": "/quality-auto-test", "category": "quality", "description": "自动测试 — 智能路由 spec/gap/code 测试", "source": "../../commands/quality-auto-test.md"},
     {"name": "quality-test", "command": "/quality-test", "category": "quality", "description": "业务测试 — 会话式 UAT 验证", "source": "../../commands/quality-test.md"},
+    {"name": "security-audit", "command": "/security-audit", "category": "quality", "description": "OWASP/STRIDE 安全审计", "source": "../../commands/security-audit.md"},
     {"name": "quality-debug", "command": "/quality-debug", "category": "quality", "description": "质量调试 — 诊断测试失败并提供修复方案", "source": "../../commands/quality-debug.md"},
     {"name": "quality-refactor", "command": "/quality-refactor", "category": "quality", "description": "代码重构 — 结构优化和模式改进", "source": "../../commands/quality-refactor.md"},
     {"name": "quality-sync", "command": "/quality-sync", "category": "quality", "description": "质量同步 — 跨 Phase 质量状态对齐", "source": "../../commands/quality-sync.md"},

package/.codex/skills/maestro-analyze/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-analyze
-description: Multi-angle analysis with CLI-assisted exploration
+description: Use when a topic needs structured multi-dimensional investigation before planning or decision-making
 argument-hint: "[-y|--yes] [-c|--concurrency N] [--continue] \"<phase|topic> [-q|--quick] [--gaps [ISS-ID]]\""
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, AskUserQuestion
 ---
@@ -158,6 +158,17 @@ Gray area detection: domain-aware (things users SEE/CALL/RUN/READ), phase-specif
 4. Spec enrichment: Locked decisions -> `maestro spec add arch`; code patterns -> `maestro spec add coding`
 5. Register artifact in state.json (type: analyze)
 6. Copy outputs to scratchDir, display summary
+7. **Next-step routing**:
+
+   | Scope | Condition | Next |
+   |-------|-----------|------|
+   | Phase/Milestone | Go + UI work needed | `$maestro-impeccable build {target}` |
+   | Phase/Milestone | Go + ready to plan | `$maestro-plan` or `$maestro-plan {phase}` |
+   | Phase/Milestone | No-Go | `$maestro-brainstorm {topic}` |
+   | Adhoc/Standalone | Ready to plan | `$maestro-plan --dir {scratch_dir}` |
+   | Adhoc/Standalone | Need more exploration | `$maestro-analyze {topic} --continue` |
+   | Gaps | Issues analyzed | `$maestro-plan --gaps` |
+   | Gaps | Need more context | `$maestro-analyze --gaps {ISS-ID}` |
 
 </actions>
 
@@ -192,9 +203,15 @@ Protocol: read before analysis, append-only, dedup by type+key.
 <success_criteria>
 - [ ] All waves executed in order (or skipped per mode)
 - [ ] context.md produced (all modes); analysis.md + conclusions.json (full mode)
+- [ ] context.md contains all decisions classified as Locked/Free/Deferred
+- [ ] Decision Recording Protocol applied to all decisions
 - [ ] Confidence scored per dimension with factor-based model (full mode)
+- [ ] Readiness gate checked before synthesis (wave 3)
+- [ ] Pressure pass completed ≥ 1 time on highest-risk dimension before synthesis
 - [ ] Deferred items auto-created as issues
+- [ ] Scope creep redirected to Deferred section
 - [ ] Artifact registered in state.json
 - [ ] discoveries.ndjson append-only throughout
+- [ ] Next step routed (plan for Go, brainstorm for No-Go, plan --gaps for Gaps)
 </success_criteria>
 </output>

package/.codex/skills/maestro-brainstorm/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-brainstorm
-description: Brainstorm with auto pipeline or single-role analysis
+description: Use when exploring ideas, evaluating approaches, or needing multi-perspective analysis before implementation
 argument-hint: "[topic] [-y|--yes] [-c|--concurrency N] [--continue] [--count N] [--skip-questions]"
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, request_user_input
 ---
@@ -17,6 +17,11 @@ $ARGUMENTS — topic text and optional flags.
 
 **9 valid roles**: data-architect, product-manager, product-owner, scrum-master, subject-matter-expert, system-architect, test-strategist, ui-designer, ux-expert
 
+### Pre-load specs
+1. **Architecture specs**: `maestro spec load --category arch` — load architecture constraints as context for multi-role analysis (roles respect documented decisions).
+2. **Role Knowledge**: `maestro wiki list --category arch` → identify relevant entries → `maestro wiki load <id1> [id2...]`
+3. Both optional — proceed without if unavailable.
+
 **Session**: `.workflow/.csv-wave/{YYYYMMDD}-brainstorm-{slug}/`
 **Output**: tasks.csv, results.csv, discoveries.ndjson, context.md, `.brainstorming/` (guidance-specification.md, feature-index.json, synthesis-changelog.md, feature-specs/, {role}/analysis*.md)
 </context>
@@ -139,8 +144,16 @@ Protocol: read before analysis, append-only, dedup by type+key.
 
 <success_criteria>
 - [ ] 3 waves executed: guidance → parallel roles → synthesis
-- [ ] guidance-specification.md + role analyses + synthesis artifacts produced
-- [ ] feature-index.json + context.md generated
+- [ ] guidance-specification.md with RFC 2119 keywords, terminology, non-goals, feature decomposition
+- [ ] Role analysis files for each selected NON-UI role
+- [ ] If ui-designer selected: DESIGN.md established via impeccable explore; analysis.md with UX analysis
+- [ ] Feature specs in `.brainstorming/feature-specs/` or synthesis-specification.md
+- [ ] UI-bearing feature specs reference DESIGN.md for visual constraints
+- [ ] feature-index.json + synthesis-changelog.md + context.md generated
+- [ ] All user decisions captured with Decision Recording Protocol
+- [ ] Confidence scored per role and after cross-role analysis
+- [ ] Readiness gate checked before spec generation (wave 3)
+- [ ] Pressure pass completed on at least 1 feature spec
 - [ ] discoveries.ndjson append-only throughout
-- [ ] Confidence scored, conflict quality gate evaluated
+- [ ] Conflict quality gate: >3 UNRESOLVED → warn
 </success_criteria>

package/.codex/skills/maestro-collab/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: maestro-collab
-description: Multi-CLI collaborative analysis -- fan-out to multiple CLI tools, cross-verify, synthesize
+description: Use when a question needs cross-verification from multiple CLI tools or diverse analytical perspectives
 argument-hint: "\"<requirement>\" [--tools gemini,qwen,claude] [--mode analysis|write] [--rule <template>] [-y]"
 allowed-tools: spawn_agents_on_csv, Read, Write, Edit, Bash, Glob, Grep, request_user_input
 ---
@@ -216,3 +216,9 @@ Protocol: read before analysis, append-only, dedup by type+key.
 - [ ] CLB artifact registered, outputs copied to scratchDir
 - [ ] Partial degradation: continued if 1+ tools succeeded
 </success_criteria>
+
+<next_step_routing>
+- Deep feasibility analysis → `$maestro-analyze "{topic}"`
+- Plan from conclusions → `$maestro-plan --dir {dir}`
+- Expand exploration → `$maestro-brainstorm "{topic}"`
+</next_step_routing>