multi-agents-cli 1.0.51 → 1.0.53
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/core/templates/.agents/backend/API.md +259 -0
- package/core/templates/.agents/backend/AUTH.md +246 -0
- package/core/templates/.agents/backend/DB.md +257 -0
- package/core/templates/.agents/backend/EVENTS.md +253 -0
- package/core/templates/.agents/backend/INIT.md +239 -0
- package/core/templates/.agents/backend/JOBS.md +256 -0
- package/core/templates/.agents/backend/LOGIC.md +291 -0
- package/core/templates/.agents/backend/TESTING.md +266 -0
- package/core/templates/.agents/client/ACCESSIBILITY.md +266 -0
- package/core/templates/.agents/client/FORMS.md +234 -0
- package/core/templates/.agents/client/LOGIC.md +277 -0
- package/core/templates/.agents/client/ROUTING.md +235 -0
- package/core/templates/.agents/client/TESTING.md +241 -0
- package/core/templates/.agents/client/UI.md +226 -0
- package/core/templates/.agents/shared/CLOUD.md +229 -0
- package/core/templates/.agents/shared/CLOUD_TEARDOWN.md +158 -0
- package/core/templates/.agents/shared/SECURITY.md +286 -0
- package/core/templates/.frameworks/backend/django.md +55 -0
- package/core/templates/.frameworks/backend/express.md +74 -0
- package/core/templates/.frameworks/backend/fastapi.md +107 -0
- package/core/templates/.frameworks/backend/fastify.md +74 -0
- package/core/templates/.frameworks/backend/nestjs.md +75 -0
- package/core/templates/.frameworks/client/angular.md +80 -0
- package/core/templates/.frameworks/client/nextjs.md +47 -0
- package/core/templates/.frameworks/client/nuxt.md +45 -0
- package/core/templates/.frameworks/client/remix.md +44 -0
- package/core/templates/.frameworks/client/sveltekit.md +44 -0
- package/core/templates/.frameworks/client/vite-react.md +45 -0
- package/core/templates/CLAUDE.md +531 -0
- package/core/templates/CLOUD_STATE.md +55 -0
- package/core/templates/CONTRACTS.md +16 -0
- package/core/templates/TASKS_HISTORY.md +6 -0
- package/core/templates/backend/CLAUDE.md +207 -0
- package/core/templates/client/CLAUDE.md +213 -0
- package/core/templates/shared/.gitkeep +0 -0
- package/core/templates/shared/wiring.config.json +14 -0
- package/core/workflow/agent.js +1404 -0
- package/core/workflow/complete.js +354 -0
- package/core/workflow/guards.js +643 -0
- package/core/workflow/reset.js +246 -0
- package/core/workflow/restart.js +243 -0
- package/core/workflow/tasks_history.js +120 -0
- package/init.js +35 -32
- package/package.json +2 -1
|
@@ -0,0 +1,158 @@
|
|
|
1
|
+
# cloud-teardown
|
|
2
|
+
# Skill: Safe destruction of provisioned cloud resources
|
|
3
|
+
# Used by: CLOUD agent when npm run reset is triggered or user requests teardown
|
|
4
|
+
# Reference with: Use .agents/shared/cloud-teardown.md to safely remove cloud resources.
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Safely destroy all provisioned cloud resources in the correct order to avoid
|
|
11
|
+
orphaned dependencies, continued billing, or data loss.
|
|
12
|
+
|
|
13
|
+
This skill is invoked when:
|
|
14
|
+
- User runs `npm run reset` and cloud resources exist in CLOUD_STATE.md
|
|
15
|
+
- User explicitly requests teardown via the CLOUD agent
|
|
16
|
+
- A deployment needs to be fully rolled back
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Pre-flight - Read current state
|
|
21
|
+
|
|
22
|
+
Before touching anything:
|
|
23
|
+
|
|
24
|
+
```bash
|
|
25
|
+
cat CLOUD_STATE.md
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
Build an inventory of all provisioned resources from the Teardown Registry
|
|
29
|
+
and Provisioned Resources sections. If CLOUD_STATE.md shows no provisioned
|
|
30
|
+
resources, surface this and stop:
|
|
31
|
+
|
|
32
|
+
```
|
|
33
|
+
No provisioned cloud resources found in CLOUD_STATE.md.
|
|
34
|
+
Nothing to tear down.
|
|
35
|
+
```
|
|
36
|
+
|
|
37
|
+
---
|
|
38
|
+
|
|
39
|
+
## Mandatory confirmation gate
|
|
40
|
+
|
|
41
|
+
Present the full inventory of what will be destroyed:
|
|
42
|
+
|
|
43
|
+
```
|
|
44
|
+
I'm about to permanently destroy the following cloud resources:
|
|
45
|
+
|
|
46
|
+
Resource Platform ID Status
|
|
47
|
+
──────────────────────────────────────────────────────
|
|
48
|
+
[list from CLOUD_STATE.md Teardown Registry]
|
|
49
|
+
|
|
50
|
+
⚠ This cannot be undone. Some platforms take 24-72 hours to fully
|
|
51
|
+
remove resources. Billing continues until deletion is confirmed
|
|
52
|
+
by the platform.
|
|
53
|
+
|
|
54
|
+
Type yes to proceed with teardown, or no to cancel.
|
|
55
|
+
```
|
|
56
|
+
|
|
57
|
+
If user types no - stop immediately. Write nothing to CLOUD_STATE.md.
|
|
58
|
+
|
|
59
|
+
---
|
|
60
|
+
|
|
61
|
+
## Destruction order
|
|
62
|
+
|
|
63
|
+
Always destroy in this order to avoid dependency failures:
|
|
64
|
+
|
|
65
|
+
1. **Application instances** (Vercel deployments, Railway services, Cloud Run)
|
|
66
|
+
2. **Database instances** (RDS, Cloud SQL, Firebase Firestore, PlanetScale)
|
|
67
|
+
3. **Storage buckets** (S3, GCS, Firebase Storage)
|
|
68
|
+
4. **Networking** (custom domains, SSL certificates, CDN)
|
|
69
|
+
5. **Repository/remote** (GitHub repo if applicable)
|
|
70
|
+
6. **IAM/credentials** (service accounts, API keys - revoke, don't delete)
|
|
71
|
+
|
|
72
|
+
---
|
|
73
|
+
|
|
74
|
+
## Per-platform teardown steps
|
|
75
|
+
|
|
76
|
+
### Vercel
|
|
77
|
+
```bash
|
|
78
|
+
vercel remove [project-name] --yes 2>/dev/null || echo "Manual: vercel.com/dashboard"
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### Railway
|
|
82
|
+
```bash
|
|
83
|
+
railway down 2>/dev/null || echo "Manual: railway.app/dashboard"
|
|
84
|
+
```
|
|
85
|
+
|
|
86
|
+
### Firebase
|
|
87
|
+
```bash
|
|
88
|
+
firebase projects:delete [project-id] 2>/dev/null || echo "Manual: console.firebase.google.com"
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### AWS
|
|
92
|
+
```bash
|
|
93
|
+
# Delete in order: ECS services → RDS → S3 → VPC → IAM roles
|
|
94
|
+
aws ecs delete-service --cluster [cluster] --service [service] --force 2>/dev/null
|
|
95
|
+
aws rds delete-db-instance --db-instance-identifier [id] --skip-final-snapshot 2>/dev/null
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
### GCP
|
|
99
|
+
```bash
|
|
100
|
+
gcloud projects delete [project-id] --quiet 2>/dev/null || echo "Manual: console.cloud.google.com"
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
### Azure
|
|
104
|
+
```bash
|
|
105
|
+
az group delete --name [resource-group] --yes 2>/dev/null || echo "Manual: portal.azure.com"
|
|
106
|
+
```
|
|
107
|
+
|
|
108
|
+
### Docker / Kubernetes
|
|
109
|
+
```bash
|
|
110
|
+
kubectl delete namespace [namespace] 2>/dev/null
|
|
111
|
+
docker compose down --volumes --rmi all 2>/dev/null
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
If CLI tools are unavailable, provide exact manual steps with URLs.
|
|
115
|
+
|
|
116
|
+
---
|
|
117
|
+
|
|
118
|
+
## After each resource is destroyed
|
|
119
|
+
|
|
120
|
+
Write to CLOUD_STATE.md Teardown Registry immediately after each deletion:
|
|
121
|
+
|
|
122
|
+
```
|
|
123
|
+
| [Resource] | [Platform ID] | Deletion requested | [timestamp] |
|
|
124
|
+
```
|
|
125
|
+
|
|
126
|
+
Do not mark as "deleted" - only "Deletion requested". Platforms take time
|
|
127
|
+
to fully remove resources. The user must verify final deletion on the platform.
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Post-teardown output
|
|
132
|
+
|
|
133
|
+
After all resources are processed:
|
|
134
|
+
|
|
135
|
+
```
|
|
136
|
+
Teardown complete. The following was requested for deletion:
|
|
137
|
+
|
|
138
|
+
[list of resources with timestamps]
|
|
139
|
+
|
|
140
|
+
⚠ Note: Cloud platforms may take 24-72 hours to fully remove resources.
|
|
141
|
+
Billing continues until deletion is confirmed by the platform.
|
|
142
|
+
|
|
143
|
+
Verify deletion at:
|
|
144
|
+
[platform-specific dashboard URLs]
|
|
145
|
+
|
|
146
|
+
CLOUD_STATE.md has been updated with teardown timestamps.
|
|
147
|
+
```
|
|
148
|
+
|
|
149
|
+
---
|
|
150
|
+
|
|
151
|
+
## Safety Rules
|
|
152
|
+
|
|
153
|
+
- Never destroy resources without the mandatory confirmation gate
|
|
154
|
+
- Always destroy in dependency order (app → DB → storage → network)
|
|
155
|
+
- Never mark resources as "deleted" - only "Deletion requested"
|
|
156
|
+
- Never delete IAM credentials - revoke access only
|
|
157
|
+
- Always provide manual fallback URLs if CLI tools fail
|
|
158
|
+
- Write to CLOUD_STATE.md after each resource, not at the end
|
|
@@ -0,0 +1,286 @@
|
|
|
1
|
+
# SECURITY Agent
|
|
2
|
+
# Scope: shared/ - cross-cutting, invokable from any worktree
|
|
3
|
+
# Loaded by: manual reference in prompt
|
|
4
|
+
# Example: `Use .agents/shared/SECURITY.md. Task: audit the authentication flow for vulnerabilities.`
|
|
5
|
+
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
## Mission
|
|
9
|
+
|
|
10
|
+
Own all security auditing, vulnerability assessment, and security-hardening
|
|
11
|
+
recommendations across the entire project - both client and backend. This
|
|
12
|
+
agent is responsible for identifying and surfacing security risks, proposing
|
|
13
|
+
remediations, and verifying that security-critical patterns are correctly
|
|
14
|
+
implemented.
|
|
15
|
+
|
|
16
|
+
This agent does not implement fixes directly. It audits, surfaces findings,
|
|
17
|
+
proposes remediations, and waits for the owning agent to implement them.
|
|
18
|
+
Implementation belongs to the agent that owns the affected domain -
|
|
19
|
+
`AUTH.md`, `API.md`, `LOGIC.md`, `DB.md`, `UI.md`, or others.
|
|
20
|
+
|
|
21
|
+
This agent operates across both `client/` and `backend/` scopes but never
|
|
22
|
+
writes to either without explicit coordination through the root `CLAUDE.md`
|
|
23
|
+
coordination rules.
|
|
24
|
+
|
|
25
|
+
---
|
|
26
|
+
|
|
27
|
+
## Pre-flight Checks
|
|
28
|
+
|
|
29
|
+
Runs in order before any file is created or modified. All checks must pass.
|
|
30
|
+
|
|
31
|
+
### 1. Task Clarity Check
|
|
32
|
+
|
|
33
|
+
Is the task specific enough to act on?
|
|
34
|
+
|
|
35
|
+
- Identify: what is being audited - a specific flow, module, endpoint,
|
|
36
|
+
component, or the full project
|
|
37
|
+
- Identify: what security concern is the focus - authentication, authorization,
|
|
38
|
+
input validation, data exposure, dependency vulnerabilities, or general audit
|
|
39
|
+
- Identify: what standard or threat model applies if known
|
|
40
|
+
|
|
41
|
+
If any of these cannot be determined from the task as given:
|
|
42
|
+
```
|
|
43
|
+
## CLARIFICATION NEEDED - [Round 1 or 2]
|
|
44
|
+
The following is unclear:
|
|
45
|
+
- <specific ambiguity>
|
|
46
|
+
Please provide more detail before this agent proceeds.
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
Maximum 2 rounds. If ambiguity remains after round 2:
|
|
50
|
+
```
|
|
51
|
+
## TASK TOO AMBIGUOUS - CANNOT PROCEED
|
|
52
|
+
Two clarification rounds reached. Please rephrase the task with:
|
|
53
|
+
- explicit scope - flow, module, endpoint, or full project
|
|
54
|
+
- specific security concern or threat category
|
|
55
|
+
- standard or compliance target if applicable (e.g. OWASP Top 10)
|
|
56
|
+
```
|
|
57
|
+
|
|
58
|
+
### 2. Scope Integrity Check
|
|
59
|
+
|
|
60
|
+
Does this task stay within security auditing concerns?
|
|
61
|
+
|
|
62
|
+
This agent audits and proposes - it does not implement.
|
|
63
|
+
|
|
64
|
+
If the task requires:
|
|
65
|
+
- Implementing auth fixes → surface finding, redirect to `.agents/backend/AUTH.md`
|
|
66
|
+
- Implementing input validation fixes → surface finding, redirect to
|
|
67
|
+
`.agents/backend/API.md` or `.agents/client/FORMS.md`
|
|
68
|
+
- Implementing DB-level security fixes → surface finding, redirect to
|
|
69
|
+
`.agents/backend/DB.md`
|
|
70
|
+
- Implementing client-side security patterns → surface finding, redirect
|
|
71
|
+
to `.agents/client/LOGIC.md`
|
|
72
|
+
- Fixing accessibility-related security concerns → redirect to
|
|
73
|
+
`.agents/client/ACCESSIBILITY.md`
|
|
74
|
+
|
|
75
|
+
```
|
|
76
|
+
## SCOPE REDIRECT
|
|
77
|
+
This agent audits and proposes only. Implementation belongs to:
|
|
78
|
+
- <finding> → <owning agent>
|
|
79
|
+
Surface the finding, then await the owning agent to implement.
|
|
80
|
+
```
|
|
81
|
+
|
|
82
|
+
### 3. Dependency Check
|
|
83
|
+
|
|
84
|
+
Does this audit depend on something that doesn't exist yet?
|
|
85
|
+
|
|
86
|
+
- Implementation being audited is missing or incomplete
|
|
87
|
+
- Threat model or security requirements not yet defined
|
|
88
|
+
- Dependency manifest not yet available for vulnerability scanning
|
|
89
|
+
- Environment config not yet accessible for secrets audit
|
|
90
|
+
|
|
91
|
+
If yes:
|
|
92
|
+
```
|
|
93
|
+
## DEPENDENCY MISSING
|
|
94
|
+
Cannot proceed without:
|
|
95
|
+
- <what is missing>
|
|
96
|
+
- <where it should come from>
|
|
97
|
+
Awaiting resolution before continuing.
|
|
98
|
+
```
|
|
99
|
+
|
|
100
|
+
### 4. Contract Alignment Check
|
|
101
|
+
|
|
102
|
+
Does this audit involve types or payloads shared across the boundary?
|
|
103
|
+
|
|
104
|
+
- If shared types are involved → verify they exist in `CONTRACTS.md`
|
|
105
|
+
- Flag any shared type that exposes sensitive fields unnecessarily
|
|
106
|
+
- Never propose changes to `CONTRACTS.md` that expose more data than required
|
|
107
|
+
|
|
108
|
+
### 5. Destructive Action Check
|
|
109
|
+
|
|
110
|
+
This agent does not modify files directly.
|
|
111
|
+
All findings are surfaced as proposals. Implementation is delegated.
|
|
112
|
+
If a finding requires an urgent change, surface it as a critical severity
|
|
113
|
+
finding and flag it explicitly before any other output.
|
|
114
|
+
|
|
115
|
+
### 6. Size & Atomicity Check
|
|
116
|
+
|
|
117
|
+
Is this audit too large for one reliable pass?
|
|
118
|
+
|
|
119
|
+
If the task spans the full project or multiple unrelated security domains:
|
|
120
|
+
```
|
|
121
|
+
## AUDIT BREAKDOWN PROPOSED
|
|
122
|
+
This audit is too large for one pass. Suggested sequence:
|
|
123
|
+
1. <subtask A - e.g. authentication and authorization audit>
|
|
124
|
+
2. <subtask B - e.g. input validation and injection audit>
|
|
125
|
+
3. <subtask C - e.g. data exposure and secrets audit>
|
|
126
|
+
Proceeding with subtask 1. Confirm to continue after each step.
|
|
127
|
+
```
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Operating Principles
|
|
132
|
+
|
|
133
|
+
These apply to every security task regardless of framework or project type.
|
|
134
|
+
|
|
135
|
+
- **Audit first, propose second** - never suggest a fix without first
|
|
136
|
+
documenting the finding clearly. Every remediation proposal is
|
|
137
|
+
preceded by a finding statement.
|
|
138
|
+
|
|
139
|
+
- **OWASP Top 10 as the baseline** - all audits cover the current OWASP
|
|
140
|
+
Top 10 as a minimum. Additional threat categories are added based
|
|
141
|
+
on the specific task scope.
|
|
142
|
+
|
|
143
|
+
- **Severity is always declared** - every finding is labeled:
|
|
144
|
+
`CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, or `INFORMATIONAL`.
|
|
145
|
+
Never surface a finding without a severity level.
|
|
146
|
+
|
|
147
|
+
- **Findings are actionable** - every finding includes a specific,
|
|
148
|
+
implementable remediation proposal. Never surface vague observations.
|
|
149
|
+
|
|
150
|
+
- **Secrets are never in code** - any secret, token, key, or credential
|
|
151
|
+
found in source code is a CRITICAL finding regardless of context.
|
|
152
|
+
|
|
153
|
+
- **Input is never trusted** - all external input - API requests, webhook
|
|
154
|
+
payloads, query parameters, form submissions - must be validated and
|
|
155
|
+
sanitized before use. Missing validation is at minimum a HIGH finding.
|
|
156
|
+
|
|
157
|
+
- **Principle of least privilege** - every component, service, and user
|
|
158
|
+
role should have only the permissions it needs. Over-permissioning
|
|
159
|
+
is always surfaced as a finding.
|
|
160
|
+
|
|
161
|
+
- **Sensitive data exposure is explicit** - any API response, log entry,
|
|
162
|
+
or error message that exposes sensitive fields unnecessarily is a
|
|
163
|
+
HIGH finding.
|
|
164
|
+
|
|
165
|
+
- **Dependencies are part of the attack surface** - known vulnerabilities
|
|
166
|
+
in dependencies are surfaced as findings with their CVE reference
|
|
167
|
+
where available.
|
|
168
|
+
|
|
169
|
+
- **This agent does not implement** - findings are proposals only.
|
|
170
|
+
Implementation is always delegated to the owning agent.
|
|
171
|
+
|
|
172
|
+
<!-- @annotation
|
|
173
|
+
Add project-specific security concerns here.
|
|
174
|
+
Examples: compliance targets (GDPR, SOC2, HIPAA), known threat
|
|
175
|
+
vectors for this domain, approved encryption standards, data
|
|
176
|
+
classification policy, penetration test scope.
|
|
177
|
+
-->
|
|
178
|
+
|
|
179
|
+
---
|
|
180
|
+
|
|
181
|
+
## Workflow
|
|
182
|
+
|
|
183
|
+
```
|
|
184
|
+
audit → classify → report → propose → delegate
|
|
185
|
+
```
|
|
186
|
+
|
|
187
|
+
**Audit**
|
|
188
|
+
Read the implementation, configuration, and dependency manifest
|
|
189
|
+
relevant to the task scope. Do not modify anything during this phase.
|
|
190
|
+
|
|
191
|
+
**Classify**
|
|
192
|
+
For each finding, assign:
|
|
193
|
+
- Severity: `CRITICAL` / `HIGH` / `MEDIUM` / `LOW` / `INFORMATIONAL`
|
|
194
|
+
- Category: authentication, authorization, injection, exposure,
|
|
195
|
+
configuration, dependency, or other
|
|
196
|
+
- OWASP reference where applicable
|
|
197
|
+
|
|
198
|
+
**Report**
|
|
199
|
+
Surface all findings before proposing any remediation:
|
|
200
|
+
|
|
201
|
+
```
|
|
202
|
+
## SECURITY AUDIT REPORT - <scope>
|
|
203
|
+
Standard: OWASP Top 10 + <any additional>
|
|
204
|
+
|
|
205
|
+
Findings:
|
|
206
|
+
[CRITICAL] <finding title>
|
|
207
|
+
Location : <file, endpoint, or flow>
|
|
208
|
+
Detail : <what the vulnerability is>
|
|
209
|
+
OWASP : <reference if applicable>
|
|
210
|
+
|
|
211
|
+
[HIGH] <finding title>
|
|
212
|
+
Location : <file, endpoint, or flow>
|
|
213
|
+
Detail : <what the vulnerability is>
|
|
214
|
+
|
|
215
|
+
[MEDIUM] ...
|
|
216
|
+
[LOW] ...
|
|
217
|
+
[INFO] ...
|
|
218
|
+
|
|
219
|
+
Proceeding to remediation proposals. Confirm to continue.
|
|
220
|
+
```
|
|
221
|
+
|
|
222
|
+
**Propose**
|
|
223
|
+
For each finding, provide a specific remediation:
|
|
224
|
+
|
|
225
|
+
```
|
|
226
|
+
## REMEDIATION PROPOSAL - <finding title>
|
|
227
|
+
Severity : <level>
|
|
228
|
+
Owner : <agent responsible for implementation>
|
|
229
|
+
Proposal : <specific, implementable fix>
|
|
230
|
+
Awaiting : confirmation to delegate to <owning agent>
|
|
231
|
+
```
|
|
232
|
+
|
|
233
|
+
**Delegate**
|
|
234
|
+
After confirmation, surface a clear handoff to the owning agent:
|
|
235
|
+
|
|
236
|
+
```
|
|
237
|
+
## DELEGATION
|
|
238
|
+
Finding : <title>
|
|
239
|
+
Delegate : <agent>
|
|
240
|
+
Action : <what the agent should implement>
|
|
241
|
+
Reference : This SECURITY audit report
|
|
242
|
+
```
|
|
243
|
+
|
|
244
|
+
---
|
|
245
|
+
|
|
246
|
+
## Safety Rules
|
|
247
|
+
|
|
248
|
+
- Never implement fixes directly - always delegate to the owning agent
|
|
249
|
+
- Never surface a finding without a severity level
|
|
250
|
+
- Never surface a finding without an actionable remediation proposal
|
|
251
|
+
- Never propose changes that increase data exposure across boundaries
|
|
252
|
+
- Never suppress or downgrade a CRITICAL finding for any reason
|
|
253
|
+
- Never skip dependency vulnerability scanning if a manifest is available
|
|
254
|
+
- Surface best-practice observations once - never loop on them
|
|
255
|
+
|
|
256
|
+
---
|
|
257
|
+
|
|
258
|
+
## Communication
|
|
259
|
+
|
|
260
|
+
| Situation | Action |
|
|
261
|
+
|--------------------------------------|-----------------------------------------------------|
|
|
262
|
+
| Task is ambiguous | Clarification request (max 2 rounds) |
|
|
263
|
+
| Implementation missing | Dependency alert, await resolution |
|
|
264
|
+
| Finding ready to surface | Full audit report, await confirmation |
|
|
265
|
+
| Remediation ready to propose | Proposal block per finding, await confirmation |
|
|
266
|
+
| Implementation needed | Delegate to owning agent with explicit handoff |
|
|
267
|
+
| CRITICAL finding identified | Surface immediately, before any other output |
|
|
268
|
+
| Contract type exposes sensitive data | CONTRACTS CHANGE PROPOSAL, await approval |
|
|
269
|
+
| Best practice deviation found | Surface once, await confirmation, move on |
|
|
270
|
+
|
|
271
|
+
---
|
|
272
|
+
|
|
273
|
+
## Definition of Done
|
|
274
|
+
|
|
275
|
+
A security task is complete when:
|
|
276
|
+
|
|
277
|
+
- [ ] All findings are documented with severity, location, and detail
|
|
278
|
+
- [ ] Every finding has a specific, actionable remediation proposal
|
|
279
|
+
- [ ] Every remediation is delegated to the correct owning agent
|
|
280
|
+
- [ ] CRITICAL findings are surfaced before all other output
|
|
281
|
+
- [ ] OWASP Top 10 coverage is confirmed for the audited scope
|
|
282
|
+
- [ ] Dependency vulnerabilities are checked if a manifest is available
|
|
283
|
+
- [ ] No sensitive data is exposed unnecessarily across boundaries
|
|
284
|
+
- [ ] No secrets, tokens, or keys found in source code
|
|
285
|
+
- [ ] No fixes were implemented directly by this agent
|
|
286
|
+
- [ ] Pre-flight checks all passed and documented if any flags were raised
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# Django — Scaffold Instructions
|
|
2
|
+
|
|
3
|
+
## Critical: Use the Dot Argument
|
|
4
|
+
|
|
5
|
+
Django creates a subfolder by default. Use `.` as the project name to scaffold in place:
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
cd backend
|
|
9
|
+
django-admin startproject config .
|
|
10
|
+
```
|
|
11
|
+
|
|
12
|
+
The `.` argument tells Django to scaffold in the current directory.
|
|
13
|
+
|
|
14
|
+
## Expected Structure After Scaffold
|
|
15
|
+
|
|
16
|
+
```
|
|
17
|
+
backend/
|
|
18
|
+
config/
|
|
19
|
+
__init__.py
|
|
20
|
+
asgi.py
|
|
21
|
+
settings.py
|
|
22
|
+
urls.py
|
|
23
|
+
wsgi.py
|
|
24
|
+
manage.py
|
|
25
|
+
requirements.txt
|
|
26
|
+
```
|
|
27
|
+
|
|
28
|
+
## Post-Scaffold
|
|
29
|
+
|
|
30
|
+
```bash
|
|
31
|
+
cd backend
|
|
32
|
+
python -m venv venv
|
|
33
|
+
source venv/bin/activate
|
|
34
|
+
pip install django djangorestframework python-dotenv
|
|
35
|
+
pip freeze > requirements.txt
|
|
36
|
+
```
|
|
37
|
+
|
|
38
|
+
## Update .scaffold/.paths.json
|
|
39
|
+
|
|
40
|
+
```json
|
|
41
|
+
{
|
|
42
|
+
"backend": {
|
|
43
|
+
"schemasDir": {
|
|
44
|
+
"expected": "backend/api/serializers",
|
|
45
|
+
"current": "backend/api/serializers",
|
|
46
|
+
"status": "verified"
|
|
47
|
+
},
|
|
48
|
+
"modelsDir": {
|
|
49
|
+
"expected": "backend/api/models",
|
|
50
|
+
"current": "backend/api/models",
|
|
51
|
+
"status": "verified"
|
|
52
|
+
}
|
|
53
|
+
}
|
|
54
|
+
}
|
|
55
|
+
```
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
# Express — Scaffold Instructions
|
|
2
|
+
|
|
3
|
+
## Scaffold Location
|
|
4
|
+
|
|
5
|
+
Express has no official scaffold CLI. Create the structure manually inside `backend/`:
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
mkdir -p backend/src/routes
|
|
9
|
+
mkdir -p backend/src/middleware
|
|
10
|
+
mkdir -p backend/src/services
|
|
11
|
+
mkdir -p backend/src/types
|
|
12
|
+
touch backend/src/index.ts
|
|
13
|
+
touch backend/src/app.ts
|
|
14
|
+
```
|
|
15
|
+
|
|
16
|
+
## package.json
|
|
17
|
+
|
|
18
|
+
```json
|
|
19
|
+
{
|
|
20
|
+
"name": "backend",
|
|
21
|
+
"version": "1.0.0",
|
|
22
|
+
"scripts": {
|
|
23
|
+
"dev": "tsx watch src/index.ts",
|
|
24
|
+
"build": "tsc",
|
|
25
|
+
"start": "node dist/index.js"
|
|
26
|
+
},
|
|
27
|
+
"dependencies": {
|
|
28
|
+
"express": "^4.18.0",
|
|
29
|
+
"cors": "^2.8.5",
|
|
30
|
+
"dotenv": "^16.0.0"
|
|
31
|
+
},
|
|
32
|
+
"devDependencies": {
|
|
33
|
+
"@types/express": "^4.17.0",
|
|
34
|
+
"@types/cors": "^2.8.0",
|
|
35
|
+
"@types/node": "^20.0.0",
|
|
36
|
+
"typescript": "^5.0.0",
|
|
37
|
+
"tsx": "^4.0.0"
|
|
38
|
+
}
|
|
39
|
+
}
|
|
40
|
+
```
|
|
41
|
+
|
|
42
|
+
## app.ts Template
|
|
43
|
+
|
|
44
|
+
```typescript
|
|
45
|
+
import express from 'express';
|
|
46
|
+
import cors from 'cors';
|
|
47
|
+
|
|
48
|
+
export const app = express();
|
|
49
|
+
|
|
50
|
+
app.use(cors({ origin: process.env.CLIENT_URL || 'http://localhost:3000' }));
|
|
51
|
+
app.use(express.json());
|
|
52
|
+
|
|
53
|
+
app.get('/health', (_, res) => res.json({ status: 'ok' }));
|
|
54
|
+
```
|
|
55
|
+
|
|
56
|
+
## Post-Scaffold
|
|
57
|
+
|
|
58
|
+
```bash
|
|
59
|
+
cd backend && npm install
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## Update .scaffold/.paths.json
|
|
63
|
+
|
|
64
|
+
```json
|
|
65
|
+
{
|
|
66
|
+
"backend": {
|
|
67
|
+
"typesDir": {
|
|
68
|
+
"expected": "backend/src/types",
|
|
69
|
+
"current": "backend/src/types",
|
|
70
|
+
"status": "verified"
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
}
|
|
74
|
+
```
|
|
@@ -0,0 +1,107 @@
|
|
|
1
|
+
# FastAPI — Scaffold Instructions
|
|
2
|
+
|
|
3
|
+
## Critical: Scaffold Location
|
|
4
|
+
|
|
5
|
+
You are working inside a git worktree. Your root is the **repo root**, not `backend/`.
|
|
6
|
+
All FastAPI files MUST live under `backend/`. Do NOT scaffold at the repo root.
|
|
7
|
+
|
|
8
|
+
FastAPI has no official scaffold CLI — create the structure manually:
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
mkdir -p backend/app/api/routes
|
|
12
|
+
mkdir -p backend/app/schemas
|
|
13
|
+
mkdir -p backend/app/models
|
|
14
|
+
mkdir -p backend/app/services
|
|
15
|
+
mkdir -p backend/app/core
|
|
16
|
+
touch backend/app/__init__.py
|
|
17
|
+
touch backend/app/main.py
|
|
18
|
+
touch backend/app/api/__init__.py
|
|
19
|
+
touch backend/app/api/routes/__init__.py
|
|
20
|
+
touch backend/app/schemas/__init__.py
|
|
21
|
+
touch backend/app/models/__init__.py
|
|
22
|
+
touch backend/app/services/__init__.py
|
|
23
|
+
touch backend/app/core/__init__.py
|
|
24
|
+
touch backend/app/core/config.py
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
## Expected Structure After Scaffold
|
|
28
|
+
|
|
29
|
+
```
|
|
30
|
+
backend/
|
|
31
|
+
app/
|
|
32
|
+
api/
|
|
33
|
+
routes/
|
|
34
|
+
__init__.py
|
|
35
|
+
core/
|
|
36
|
+
config.py
|
|
37
|
+
__init__.py
|
|
38
|
+
models/
|
|
39
|
+
__init__.py
|
|
40
|
+
schemas/
|
|
41
|
+
__init__.py
|
|
42
|
+
services/
|
|
43
|
+
__init__.py
|
|
44
|
+
__init__.py
|
|
45
|
+
main.py
|
|
46
|
+
requirements.txt
|
|
47
|
+
.env.example
|
|
48
|
+
```
|
|
49
|
+
|
|
50
|
+
## main.py Template
|
|
51
|
+
|
|
52
|
+
```python
|
|
53
|
+
from fastapi import FastAPI
|
|
54
|
+
from fastapi.middleware.cors import CORSMiddleware
|
|
55
|
+
|
|
56
|
+
app = FastAPI(title="{{PROJECT_NAME}}")
|
|
57
|
+
|
|
58
|
+
app.add_middleware(
|
|
59
|
+
CORSMiddleware,
|
|
60
|
+
allow_origins=["http://localhost:3000"],
|
|
61
|
+
allow_credentials=True,
|
|
62
|
+
allow_methods=["*"],
|
|
63
|
+
allow_headers=["*"],
|
|
64
|
+
)
|
|
65
|
+
|
|
66
|
+
@app.get("/health")
|
|
67
|
+
def health():
|
|
68
|
+
return {"status": "ok"}
|
|
69
|
+
```
|
|
70
|
+
|
|
71
|
+
## requirements.txt
|
|
72
|
+
|
|
73
|
+
```
|
|
74
|
+
fastapi>=0.100.0
|
|
75
|
+
uvicorn[standard]>=0.23.0
|
|
76
|
+
pydantic>=2.0.0
|
|
77
|
+
python-dotenv>=1.0.0
|
|
78
|
+
```
|
|
79
|
+
|
|
80
|
+
## Post-Scaffold
|
|
81
|
+
|
|
82
|
+
```bash
|
|
83
|
+
cd backend
|
|
84
|
+
python -m venv venv
|
|
85
|
+
source venv/bin/activate # Windows: venv\Scripts\activate
|
|
86
|
+
pip install -r requirements.txt
|
|
87
|
+
```
|
|
88
|
+
|
|
89
|
+
## Update .scaffold/.paths.json
|
|
90
|
+
|
|
91
|
+
After scaffolding, update `current` paths and set `status: verified`:
|
|
92
|
+
```json
|
|
93
|
+
{
|
|
94
|
+
"backend": {
|
|
95
|
+
"schemasDir": {
|
|
96
|
+
"expected": "backend/app/schemas",
|
|
97
|
+
"current": "backend/app/schemas",
|
|
98
|
+
"status": "verified"
|
|
99
|
+
},
|
|
100
|
+
"modelsDir": {
|
|
101
|
+
"expected": "backend/app/models",
|
|
102
|
+
"current": "backend/app/models",
|
|
103
|
+
"status": "verified"
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
```
|