myconvergio 2.1.0

package/.claude/skills/release-management/SKILL.md

@@ -0,0 +1,342 @@
+# Release Management Skill
+
+> Reusable workflow extracted from app-release-manager expertise.
+
+## Purpose
+Execute comprehensive pre-release quality assurance through automated checks, security audits, versioning, and professional release preparation to ensure production-ready software with zero tolerance for quality issues.
+
+## When to Use
+- Pre-release quality validation
+- Version release preparation
+- Production deployment readiness assessment
+- Post-development quality gates
+- Continuous deployment pipeline final stage
+- Major version releases
+- Hotfix validation before deployment
+
+## Workflow Steps
+
+1. **Pre-Flight Checks**
+   - Verify git working tree is clean
+   - Confirm on correct branch (main/master)
+   - Check all changes are committed
+   - Validate no merge conflicts
+   - Ensure CI/CD pipeline is green
+
+2. **Model/Dependency Freshness** (Phase 0 - Run First)
+   - Search for latest model versions (AI models, dependencies)
+   - Compare current configuration vs latest available
+   - Auto-update configuration files if outdated
+   - Rebuild project after updates
+   - Verify models load correctly
+
+3. **Compilation & Build Quality** (Phase 1)
+   - Compile with warnings-as-errors enabled
+   - Zero compiler warnings tolerance
+   - Check for deprecated API usage
+   - Validate build artifacts produced
+   - Verify binary/bundle sizes within limits
+
+4. **Security Audit** (Phase 2)
+   - Scan for hardcoded secrets/credentials
+   - Check for unsafe functions (strcpy, sprintf, etc.)
+   - Static analysis with security rules
+   - Dependency vulnerability scanning
+   - Check for exposed sensitive files (.env, credentials)
+
+5. **Code Quality Gates** (Phase 3)
+   - Remove all TODO/FIXME comments
+   - Remove debug prints (printf, NSLog, console.log)
+   - Remove commented-out code
+   - Check for trailing whitespace
+   - Validate consistent code formatting
+   - Remove unused imports/variables
+
+6. **Test Execution** (Phase 4)
+   - Run full unit test suite (100% pass required)
+   - Execute integration tests
+   - Run end-to-end (E2E) tests
+   - Perform smoke tests
+   - Execute regression test suite
+   - Zero test failures tolerance
+
+7. **Documentation Validation** (Phase 5)
+   - Verify README is current and complete
+   - Check API documentation up-to-date
+   - Validate inline code comments
+   - Ensure CHANGELOG updated
+   - Verify installation instructions work
+
+8. **Version Management** (Phase 6)
+   - Update version number (SemVer: MAJOR.MINOR.PATCH)
+   - Update VERSION file
+   - Sync versions across package.json, setup.py, etc.
+   - Generate/update CHANGELOG
+   - Tag git commit with version
+
+9. **Auto-Fix Execution** (Phase 7)
+   - Automatically fix all auto-fixable issues
+   - Remove trailing whitespace
+   - Add missing EOF newlines
+   - Remove debug prints
+   - Remove unused imports
+   - Re-run affected checks after fixes
+
+10. **Final Decision** (Phase 8)
+    - Aggregate all check results
+    - Generate comprehensive release report
+    - **APPROVE** (all checks pass) or **BLOCK** (any failures)
+    - If BLOCKED: Provide prioritized fix list
+    - If APPROVED: Proceed to release steps
+
+11. **Release Execution** (Phase 9 - Only if Approved)
+    - Create git tag for version
+    - Push to remote repository
+    - Create GitHub release with changelog
+    - Build and publish artifacts (npm, PyPI, Docker, etc.)
+    - Deploy to production (if auto-deploy enabled)
+    - Notify stakeholders
+
+## Inputs Required
+- **Repository**: Clean git working tree, committed changes
+- **Version**: Target version number (or auto-increment)
+- **Release Type**: major/minor/patch (for SemVer)
+- **Changelog**: Summary of changes since last release
+- **Deployment target**: Staging, production, or both
+
+## Outputs Produced
+- **Release Report**: Comprehensive checklist with pass/fail status
+- **Auto-Fix Log**: List of issues automatically fixed
+- **Blocking Issues**: Prioritized list of issues preventing release
+- **Version Tag**: Git tag with version number
+- **Release Artifacts**: Built binaries, packages, containers
+- **CHANGELOG**: Updated with version and changes
+- **GitHub Release**: Published release with notes
+
+## Zero Tolerance Policy
+
+### Blocking Issues (NO RELEASE)
+- ❌ ANY compiler warning
+- ❌ ANY test failure
+- ❌ ANY security vulnerability
+- ❌ ANY TODO/FIXME in code
+- ❌ ANY hardcoded secrets/credentials
+- ❌ ANY debug prints in code
+- ❌ ANY commented-out code
+- ❌ ANY outdated dependencies with known CVEs
+- ❌ ANY version mismatches across files
+- ❌ ANY missing documentation for public APIs
+
+## Auto-Fix Protocol
+
+### Immediately Auto-Fixable Issues
+| Issue | Auto-Fix Action | Priority |
+|-------|----------------|----------|
+| Compiler warnings | Edit source to fix | P0 |
+| TODO/FIXME comments | Remove or create ticket | P0 |
+| Debug prints | Remove all printf/console.log | P0 |
+| Version mismatches | Update VERSION file | P0 |
+| Trailing whitespace | sed strip command | P1 |
+| Missing EOF newline | echo >> file | P1 |
+| Unused imports | Remove automatically | P1 |
+| Outdated models | Update config, rebuild | P0 |
+
+### Auto-Fix Execution Pattern
+```
+FOR EACH issue found:
+  IF auto-fixable:
+    1. FIX IT IMMEDIATELY (use Edit/Write tools)
+    2. VERIFY fix worked
+    3. LOG: "Auto-fixed: {description}"
+  ELSE:
+    1. ADD to blocking issues list
+    2. CONTINUE checking
+
+AFTER all auto-fixes:
+  RE-RUN affected checks
+  IF issues remain: BLOCK release
+  ELSE: APPROVE release
+```
+
+## SemVer Version Bumping
+
+### Semantic Versioning (MAJOR.MINOR.PATCH)
+- **MAJOR**: Breaking changes, incompatible API changes
+- **MINOR**: New features, backward-compatible additions
+- **PATCH**: Bug fixes, backward-compatible fixes
+
+### Version Increment Rules
+```
+Current: 1.4.2
+
+Bump major (breaking): 2.0.0
+Bump minor (feature):  1.5.0
+Bump patch (bugfix):   1.4.3
+```
+
+## Changelog Format (Keep a Changelog)
+
+```markdown
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/),
+and this project adheres to [Semantic Versioning](https://semver.org/).
+
+## [Unreleased]
+
+## [1.5.0] - 2025-01-15
+
+### Added
+- New user authentication system with OAuth2
+- Real-time notifications via WebSockets
+- Export data to CSV feature
+
+### Changed
+- Improved API response time by 60% through caching
+- Updated UI to Material Design 3
+
+### Fixed
+- Fixed memory leak in background worker
+- Resolved race condition in payment processing
+
+### Security
+- Patched SQL injection vulnerability in search
+- Updated dependencies to address CVE-2024-12345
+
+## [1.4.2] - 2025-01-01
+
+### Fixed
+- Critical bug in user session management
+```
+
+## Release Report Template
+
+```markdown
+# Release Report: v{VERSION}
+
+## Status: ✅ APPROVED / 🔴 BLOCKED
+
+## Summary
+- Total Checks: {count}
+- Passed: {count}
+- Failed: {count}
+- Auto-Fixed: {count}
+
+## Phase Results
+
+### ✅ Phase 0: Model Freshness
+- Models checked: {count}
+- Models updated: {count}
+- Status: UP_TO_DATE
+
+### ✅ Phase 1: Compilation & Build
+- Compiler warnings: 0
+- Build succeeded: Yes
+- Binary size: {size}MB
+
+### ✅ Phase 2: Security Audit
+- Hardcoded secrets: None found
+- Unsafe functions: None found
+- Dependency vulnerabilities: 0
+
+### ✅ Phase 3: Code Quality
+- TODO/FIXME: 0 (auto-fixed: {count})
+- Debug prints: 0 (auto-fixed: {count})
+- Commented code: None
+
+### ✅ Phase 4: Tests
+- Unit tests: {passed}/{total} (100%)
+- Integration tests: {passed}/{total} (100%)
+- E2E tests: {passed}/{total} (100%)
+
+### ✅ Phase 5: Documentation
+- README: Up-to-date
+- API docs: Complete
+- CHANGELOG: Updated
+
+### ✅ Phase 6: Version Management
+- Version: {version}
+- SemVer: Valid
+- Git tag: Created
+
+## Auto-Fixes Applied
+1. Removed 3 TODO comments
+2. Stripped trailing whitespace (12 files)
+3. Removed 5 debug print statements
+4. Updated outdated model config
+
+## Next Steps
+1. Create GitHub release
+2. Publish to npm/PyPI
+3. Deploy to production
+4. Notify stakeholders
+```
+
+## Example Usage
+
+```
+Input: Prepare release for v2.3.0 of web application
+
+Workflow Execution:
+1. Pre-Flight: ✅ Git clean, on main branch
+2. Model Freshness: Updated 2 AI model versions, rebuilt
+3. Compilation: ❌ Found 3 compiler warnings
+   → Auto-fixed all 3 warnings
+   → Re-compiled: ✅ Zero warnings
+4. Security: ❌ Found debug console.log in auth.js
+   → Auto-removed debug prints
+   → Re-scanned: ✅ Clean
+5. Code Quality: ❌ Found 5 TODO comments
+   → Auto-removed TODOs, created tickets
+   → Re-checked: ✅ Clean
+6. Tests: ❌ 2 E2E tests failing
+   → Cannot auto-fix, BLOCKING
+7. Documentation: ✅ All docs current
+8. Version: ✅ Updated to 2.3.0
+
+Output:
+🔴 RELEASE BLOCKED
+
+Blocking Issues (Must Fix):
+1. 🔴 E2E test failure: test_user_login - timeout waiting for element
+2. 🔴 E2E test failure: test_checkout_flow - payment API connection refused
+
+Auto-Fixes Applied:
+✅ Fixed 3 compiler warnings
+✅ Removed 8 debug print statements
+✅ Removed 5 TODO comments
+✅ Updated 2 model configurations
+
+Next Steps:
+1. Fix E2E test failures
+2. Re-run release-management skill
+3. Address root cause of test instability
+```
+
+## Rollback Procedures
+
+### If Release Fails in Production
+1. **Immediate**: Revert to previous version tag
+2. **Git**: `git revert {commit}` or `git checkout v{previous}`
+3. **Deploy**: Trigger rollback deployment
+4. **Communicate**: Notify stakeholders of rollback
+5. **Post-Mortem**: Blameless analysis of what went wrong
+
+## Related Agents
+- **app-release-manager** - Full agent with reasoning and orchestration
+- **thor-quality-assurance-guardian** - Quality standards enforcement
+- **rex-code-reviewer** - Pre-release code review
+- **luca-security-expert** - Security audit support
+- **marco-devops-engineer** - Deployment automation
+
+## ISE Engineering Fundamentals Alignment
+- Code without tests is incomplete - 100% test pass required
+- Security integrated into release pipeline
+- Automated quality gates block bad releases
+- Version control with semantic versioning
+- Changelog maintained for transparency
+- Shift-left testing: catch issues early
+- Continuous integration validates every change
+- Blue-green or canary deployments for safety

package/.claude/skills/security-audit/SKILL.md

@@ -0,0 +1,276 @@
+# Security Audit Skill
+
+> Reusable workflow extracted from luca-security-expert expertise.
+
+## Purpose
+Conduct comprehensive security assessments to identify vulnerabilities, assess risks, and provide remediation strategies aligned with OWASP, zero-trust principles, and compliance requirements.
+
+## When to Use
+- Pre-release security validation
+- Post-incident security review
+- Compliance audit preparation (SOC2, ISO27001, GDPR)
+- Third-party vendor security assessment
+- Penetration testing planning
+- Security architecture review
+- Incident response and forensics
+- Security posture assessment
+
+## Workflow Steps
+
+1. **Scope Definition**
+   - Identify assets in scope (applications, infrastructure, data)
+   - Define assessment boundaries
+   - Establish testing authorization and rules of engagement
+   - Identify compliance requirements (GDPR, HIPAA, PCI-DSS)
+   - Set testing timeline and constraints
+
+2. **Information Gathering**
+   - Map attack surface (endpoints, services, dependencies)
+   - Inventory assets and technologies
+   - Review architecture and data flow diagrams
+   - Collect existing security documentation
+   - Identify critical business functions
+
+3. **Threat Modeling**
+   - Apply STRIDE methodology (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
+   - Identify threat actors and motivations
+   - Map potential attack vectors
+   - Prioritize threats by likelihood and impact
+   - Create attack scenarios
+
+4. **Vulnerability Assessment**
+   - OWASP Top 10 verification
+   - Authentication/authorization testing
+   - Input validation and injection testing
+   - Session management review
+   - Cryptography assessment
+   - API security testing
+   - Infrastructure configuration review
+   - Dependency vulnerability scanning
+
+5. **Risk Analysis**
+   - Calculate risk scores (Likelihood × Impact)
+   - Classify vulnerabilities by severity
+   - Assess business impact of each vulnerability
+   - Identify compensating controls
+   - Prioritize remediation efforts
+
+6. **Penetration Testing** (if authorized)
+   - Manual security testing
+   - Automated scanning (Burp Suite, OWASP ZAP)
+   - Exploitation attempts (in controlled manner)
+   - Privilege escalation testing
+   - Lateral movement simulation
+
+7. **Remediation Planning**
+   - Create prioritized remediation roadmap
+   - Provide specific fix recommendations
+   - Suggest compensating controls for deferred fixes
+   - Estimate effort and timeline
+   - Define validation criteria
+
+8. **Reporting & Validation**
+   - Document findings with evidence
+   - Create executive summary for leadership
+   - Provide technical details for developers
+   - Re-test after remediation
+   - Update security baseline
+
+## Inputs Required
+- **Scope**: Systems, applications, infrastructure to assess
+- **Authorization**: Written permission for security testing
+- **Access**: Test credentials, environment access
+- **Documentation**: Architecture diagrams, tech stack, existing security docs
+- **Compliance**: Regulatory requirements (GDPR, HIPAA, PCI-DSS, etc.)
+- **Constraints**: Testing windows, off-limits areas
+
+## Outputs Produced
+- **Security Assessment Report**: Comprehensive findings with evidence
+- **Risk Register**: Vulnerabilities ranked by severity and impact
+- **Remediation Roadmap**: Prioritized fixes with timelines
+- **Executive Summary**: High-level risk overview for leadership
+- **Technical Details**: Exploitation steps and fix guidance for developers
+- **Compliance Gap Analysis**: Gaps vs required standards
+
+## OWASP Top 10 Checklist
+
+### A01:2021 - Broken Access Control
+- [ ] Authentication required for all sensitive operations
+- [ ] Authorization checks on server-side (not just client)
+- [ ] Principle of least privilege enforced
+- [ ] No direct object references without validation
+- [ ] CORS configured properly
+
+### A02:2021 - Cryptographic Failures
+- [ ] Sensitive data encrypted at rest
+- [ ] TLS/HTTPS enforced for data in transit
+- [ ] Strong cryptographic algorithms (AES-256, RSA-2048+)
+- [ ] Secrets not hardcoded in source code
+- [ ] Proper key management and rotation
+
+### A03:2021 - Injection
+- [ ] All inputs validated and sanitized
+- [ ] Parameterized queries used (no string concatenation)
+- [ ] ORM used correctly (no raw SQL injection)
+- [ ] Command injection prevention
+- [ ] NoSQL injection prevention
+
+### A04:2021 - Insecure Design
+- [ ] Threat modeling conducted
+- [ ] Security requirements defined
+- [ ] Secure design patterns applied
+- [ ] Security by design, not as afterthought
+
+### A05:2021 - Security Misconfiguration
+- [ ] Default credentials changed
+- [ ] Error messages don't leak sensitive info
+- [ ] Security headers configured (CSP, HSTS, X-Frame-Options)
+- [ ] Unnecessary features/services disabled
+- [ ] Software up to date with security patches
+
+### A06:2021 - Vulnerable and Outdated Components
+- [ ] Dependency inventory maintained (SBOM)
+- [ ] Automated vulnerability scanning
+- [ ] Regular updates applied
+- [ ] No known CVEs in dependencies
+
+### A07:2021 - Identification and Authentication Failures
+- [ ] Multi-factor authentication available
+- [ ] Password complexity requirements enforced
+- [ ] Rate limiting on login attempts
+- [ ] Session management secure (timeout, regeneration)
+- [ ] Credential stuffing prevention
+
+### A08:2021 - Software and Data Integrity Failures
+- [ ] Code signing implemented
+- [ ] CI/CD pipeline secured
+- [ ] Dependency integrity verified (checksums)
+- [ ] Auto-update mechanism secured
+
+### A09:2021 - Security Logging and Monitoring Failures
+- [ ] Security events logged (login, access control)
+- [ ] Logs protected from tampering
+- [ ] Real-time alerting for anomalies
+- [ ] Log retention policy defined
+- [ ] SIEM integration
+
+### A10:2021 - Server-Side Request Forgery (SSRF)
+- [ ] URL validation and allowlisting
+- [ ] Network segmentation
+- [ ] Disable unused URL schemas
+- [ ] Response validation
+
+## Risk Rating Matrix
+
+| Severity | Likelihood | Impact | Action Required |
+|----------|-----------|--------|-----------------|
+| **Critical** | High + High | Data breach, system compromise | Fix within 24 hours |
+| **High** | High + Medium or Medium + High | Significant security risk | Fix within 7 days |
+| **Medium** | Medium + Medium or Low + High | Moderate security concern | Fix within 30 days |
+| **Low** | Low + Low or Low + Medium | Minor security issue | Fix in next release |
+
+### Risk Calculation
+- **Likelihood**: How probable is exploitation? (Low, Medium, High)
+- **Impact**: What damage if exploited? (Low, Medium, High, Critical)
+- **Risk Score**: Likelihood × Impact = Priority
+
+## Example Usage
+
+```
+Input: Pre-release security audit for financial application
+
+Workflow Execution:
+1. Scope: Web app + API + Database, PCI-DSS compliance required
+2. Information: React frontend, Node.js API, PostgreSQL, AWS hosting
+3. Threat Model: STRIDE analysis identifies data exposure and injection risks
+4. Vulnerabilities Found:
+   - 🔴 CRITICAL: SQL injection in payment endpoint
+   - 🔴 CRITICAL: JWT tokens never expire
+   - 🟠 HIGH: Weak password policy (6 chars, no complexity)
+   - 🟡 MEDIUM: Missing rate limiting on API
+   - 🟢 LOW: Security headers not optimized
+5. Risk Analysis: SQL injection = HIGH likelihood + CRITICAL impact = P0
+6. Remediation:
+   - P0: Parameterized queries, token expiration (24h immediate)
+   - P1: Password policy update, rate limiting (7 days)
+   - P2: Security headers (next sprint)
+7. Report: Executive summary + technical details + remediation roadmap
+8. Validation: Re-test after fixes applied
+
+Output:
+BLOCKED for release - 2 critical vulnerabilities must be fixed first
+Remediation roadmap provided with 24h timeline for critical fixes
+```
+
+## Security Testing Tools
+
+### Vulnerability Scanning
+- **OWASP ZAP**: Web application scanner
+- **Burp Suite**: Penetration testing toolkit
+- **Nmap**: Network scanning
+- **Nikto**: Web server scanner
+
+### Code Analysis
+- **SonarQube**: Static code analysis
+- **Snyk**: Dependency vulnerability scanning
+- **Semgrep**: Pattern-based code scanning
+- **GitHub Advanced Security**: CodeQL scanning
+
+### Infrastructure
+- **Trivy**: Container/IaC scanning
+- **Checkov**: Infrastructure as Code scanner
+- **AWS Security Hub**: Cloud security posture
+- **Prowler**: AWS security assessment
+
+### Authentication Testing
+- **Hydra**: Brute force testing
+- **John the Ripper**: Password cracking
+- **Hashcat**: Hash cracking
+
+## Zero-Trust Security Principles
+
+1. **Verify Explicitly**: Always authenticate and authorize
+2. **Least Privilege Access**: Minimal permissions required
+3. **Assume Breach**: Design for compromise, limit blast radius
+4. **Microsegmentation**: Isolate workloads and networks
+5. **Continuous Monitoring**: Real-time threat detection
+
+## Compliance Frameworks
+
+### GDPR (Data Privacy)
+- Data protection by design and by default
+- Right to erasure (delete user data)
+- Data breach notification (72 hours)
+- Privacy impact assessments
+
+### SOC2 (Security Controls)
+- Security, availability, processing integrity
+- Confidentiality, privacy
+- Annual audits required
+
+### ISO27001 (Information Security)
+- 114 security controls across 14 domains
+- Risk management framework
+- Continuous improvement cycle
+
+### PCI-DSS (Payment Card)
+- Build and maintain secure network
+- Protect cardholder data
+- Vulnerability management program
+- Regular monitoring and testing
+
+## Related Agents
+- **luca-security-expert** - Full agent with reasoning and threat analysis
+- **rex-code-reviewer** - Code-level security review
+- **baccio-tech-architect** - Security architecture validation
+- **marco-devops-engineer** - Infrastructure security
+- **elena-legal-compliance-expert** - Regulatory compliance guidance
+
+## ISE Engineering Fundamentals Alignment
+- Threat modeling (STRIDE/DREAD) for all features
+- Static and dynamic security testing in CI/CD
+- Shift-left security: checks early in pipeline
+- Dependency scanning automated
+- Container security: image scanning, runtime protection
+- Secret management: vault-based, no secrets in code
+- Security code review checklist for every PR