omgkit 2.1.1 → 2.3.0

package/plugin/skills/security/owasp/SKILL.md

@@ -1,57 +1,134 @@
 ---
-name: owasp
-description: OWASP security. Use for security best practices, vulnerability prevention.
+name: Applying OWASP Security
+description: Claude applies OWASP security best practices to web applications. Use when preventing vulnerabilities, implementing input validation, securing authentication, configuring security headers, or conducting security reviews.
 ---
 
-# OWASP Skill
+# Applying OWASP Security
 
-## Top 10 Prevention
+## Quick Start
 
-### 1. Injection
 ```typescript
-// Bad
-db.query(`SELECT * FROM users WHERE id = ${id}`);
+// lib/security/validation.ts
+import { z } from "zod";
+import DOMPurify from "isomorphic-dompurify";
 
-// Good
-db.query('SELECT * FROM users WHERE id = $1', [id]);
-```
+// Input validation
+export const userSchema = z.object({
+  email: z.string().email().max(254),
+  password: z.string().min(12).max(128),
+  name: z.string().min(2).max(100).regex(/^[\p{L}\s'-]+$/u),
+});
 
-### 2. Broken Authentication
-```typescript
-// Use secure session management
-// Implement MFA
-// Rate limit login attempts
+// HTML sanitization
+export const sanitizeHtml = (dirty: string) =>
+  DOMPurify.sanitize(dirty, { ALLOWED_TAGS: ["b", "i", "em", "strong", "a", "p"] });
 ```
 
-### 3. XSS Prevention
+## Features
+
+| Feature | Description | Reference |
+|---------|-------------|-----------|
+| Injection Prevention | SQL, NoSQL, command injection protection | [OWASP Injection](https://owasp.org/Top10/A03_2021-Injection/) |
+| XSS Prevention | Output encoding and HTML sanitization | [OWASP XSS](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) |
+| CSRF Protection | Token-based cross-site request forgery defense | [OWASP CSRF](https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html) |
+| Authentication Security | Password hashing, rate limiting, session management | [OWASP Auth](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html) |
+| Security Headers | CSP, HSTS, X-Frame-Options configuration | [OWASP Headers](https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html) |
+| Input Validation | Schema validation and sanitization | [OWASP Validation](https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html) |
+
+## Common Patterns
+
+### Parameterized Queries (SQL Injection Prevention)
+
 ```typescript
-// Bad
-element.innerHTML = userInput;
+// BAD - SQL injection vulnerable
+const result = await db.$queryRawUnsafe(`SELECT * FROM users WHERE id = '${userId}'`);
 
-// Good
-element.textContent = userInput;
-// Or use DOMPurify
+// GOOD - Parameterized query
+const result = await db.user.findUnique({ where: { id: userId } });
+const result = await db.$queryRaw`SELECT * FROM users WHERE id = ${userId}`;
 ```
 
-### 4. CSRF Prevention
+### CSRF Protection Middleware
+
 ```typescript
-// Use CSRF tokens
-// SameSite cookies
-// Verify Origin header
+import crypto from "crypto";
+
+export function csrfProtection(req: Request, res: Response, next: NextFunction) {
+  if (["GET", "HEAD", "OPTIONS"].includes(req.method)) return next();
+
+  const cookieToken = req.cookies["csrf_token"];
+  const headerToken = req.headers["x-csrf-token"];
+
+  if (!cookieToken || !headerToken || cookieToken !== headerToken) {
+    return res.status(403).json({ error: "CSRF validation failed" });
+  }
+  next();
+}
 ```
 
-### 5. Security Headers
+### Security Headers Configuration
+
 ```typescript
+import helmet from "helmet";
+
 app.use(helmet({
-  contentSecurityPolicy: true,
-  hsts: true,
-  noSniff: true,
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'strict-dynamic'"],
+      styleSrc: ["'self'", "'unsafe-inline'"],
+      imgSrc: ["'self'", "data:", "https:"],
+      frameSrc: ["'none'"],
+      objectSrc: ["'none'"],
+    },
+  },
+  strictTransportSecurity: { maxAge: 31536000, includeSubDomains: true, preload: true },
+  frameguard: { action: "deny" },
 }));
 ```
 
-## Checklist
-- [ ] Input validation
-- [ ] Output encoding
-- [ ] Parameterized queries
-- [ ] Secure headers
-- [ ] HTTPS only
+### Password Security
+
+```typescript
+import bcrypt from "bcrypt";
+
+const SALT_ROUNDS = 12;
+
+export async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+export async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
+
+export function validatePasswordStrength(password: string): string[] {
+  const errors: string[] = [];
+  if (password.length < 12) errors.push("Must be at least 12 characters");
+  if (!/[a-z]/.test(password)) errors.push("Must contain lowercase");
+  if (!/[A-Z]/.test(password)) errors.push("Must contain uppercase");
+  if (!/\d/.test(password)) errors.push("Must contain digit");
+  if (!/[!@#$%^&*]/.test(password)) errors.push("Must contain special character");
+  return errors;
+}
+```
+
+## Best Practices
+
+| Do | Avoid |
+|----|-------|
+| Validate all input on the server side | Trusting client-side validation alone |
+| Use parameterized queries for all DB access | String concatenation in queries |
+| Set security headers on all responses | Disabling security features for convenience |
+| Implement rate limiting on sensitive endpoints | Allowing unlimited attempts |
+| Hash passwords with bcrypt (12+ rounds) | Using weak/deprecated crypto algorithms |
+| Log security events for monitoring | Exposing detailed error messages to users |
+| Keep dependencies updated | Ignoring security warnings |
+| Use HTTPS for all communications | Hardcoding secrets in source code |
+
+## References
+
+- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/)
+- [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/)
+- [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/)

package/plugin/skills/testing/playwright/SKILL.md

@@ -1,60 +1,163 @@
 ---
-name: playwright
-description: Playwright E2E testing. Use for browser automation, E2E tests.
+name: Testing with Playwright
+description: Claude writes reliable E2E tests using Playwright for browser automation. Use when writing end-to-end tests, implementing Page Object Model, visual regression testing, API mocking, or cross-browser testing.
 ---
 
-# Playwright Skill
+# Testing with Playwright
 
-## Basic Test
-```typescript
-import { test, expect } from '@playwright/test';
+## Quick Start
 
-test('homepage has title', async ({ page }) => {
-  await page.goto('/');
-  await expect(page).toHaveTitle(/My App/);
-});
+```typescript
+// playwright.config.ts
+import { defineConfig, devices } from "@playwright/test";
 
-test('login flow', async ({ page }) => {
-  await page.goto('/login');
-  await page.fill('[name="email"]', 'test@example.com');
-  await page.fill('[name="password"]', 'password');
-  await page.click('button[type="submit"]');
-  await expect(page).toHaveURL('/dashboard');
+export default defineConfig({
+  testDir: "./tests/e2e",
+  fullyParallel: true,
+  retries: process.env.CI ? 2 : 0,
+  reporter: [["list"], ["html"]],
+  use: {
+    baseURL: "http://localhost:3000",
+    trace: "on-first-retry",
+    screenshot: "only-on-failure",
+  },
+  projects: [
+    { name: "chromium", use: { ...devices["Desktop Chrome"] } },
+    { name: "firefox", use: { ...devices["Desktop Firefox"] } },
+    { name: "mobile", use: { ...devices["iPhone 12"] } },
+  ],
+  webServer: { command: "npm run dev", url: "http://localhost:3000" },
 });
 ```
 
-## Page Object Model
+## Features
+
+| Feature | Description | Reference |
+|---------|-------------|-----------|
+| Page Object Model | Maintainable test architecture pattern | [POM Guide](https://playwright.dev/docs/pom) |
+| Auto-Waiting | Built-in waiting for elements and assertions | [Auto-Waiting](https://playwright.dev/docs/actionability) |
+| Network Mocking | Intercept and mock API responses | [Network](https://playwright.dev/docs/network) |
+| Visual Testing | Screenshot comparison for regression testing | [Visual Comparisons](https://playwright.dev/docs/test-snapshots) |
+| Cross-Browser | Chrome, Firefox, Safari, mobile devices | [Browsers](https://playwright.dev/docs/browsers) |
+| Trace Viewer | Debug failing tests with timeline | [Trace Viewer](https://playwright.dev/docs/trace-viewer) |
+
+## Common Patterns
+
+### Page Object Model
+
 ```typescript
-class LoginPage {
-  constructor(private page: Page) {}
+// tests/pages/login.page.ts
+import { Page, Locator, expect } from "@playwright/test";
+
+export class LoginPage {
+  readonly emailInput: Locator;
+  readonly passwordInput: Locator;
+  readonly submitButton: Locator;
+
+  constructor(private page: Page) {
+    this.emailInput = page.getByLabel("Email");
+    this.passwordInput = page.getByLabel("Password");
+    this.submitButton = page.getByRole("button", { name: "Sign in" });
+  }
 
   async login(email: string, password: string) {
-    await this.page.fill('[name="email"]', email);
-    await this.page.fill('[name="password"]', password);
-    await this.page.click('button[type="submit"]');
+    await this.emailInput.fill(email);
+    await this.passwordInput.fill(password);
+    await this.submitButton.click();
+  }
+
+  async expectError(message: string) {
+    await expect(this.page.getByRole("alert")).toContainText(message);
   }
 }
 ```
 
-## Config
+### API Mocking
+
 ```typescript
-// playwright.config.ts
-export default defineConfig({
-  testDir: './tests',
-  use: {
-    baseURL: 'http://localhost:3000',
-    screenshot: 'only-on-failure',
+import { test, expect } from "@playwright/test";
+
+test("mock API response", async ({ page }) => {
+  await page.route("**/api/users", (route) =>
+    route.fulfill({
+      status: 200,
+      contentType: "application/json",
+      body: JSON.stringify({ users: [{ id: 1, name: "John" }] }),
+    })
+  );
+
+  await page.goto("/users");
+  await expect(page.getByText("John")).toBeVisible();
+});
+
+test("capture network requests", async ({ page }) => {
+  const requestPromise = page.waitForRequest("**/api/analytics");
+  await page.goto("/dashboard");
+  const request = await requestPromise;
+  expect(request.postDataJSON()).toMatchObject({ event: "page_view" });
+});
+```
+
+### Authentication Fixture
+
+```typescript
+// tests/fixtures/auth.fixture.ts
+import { test as base } from "@playwright/test";
+import { LoginPage } from "../pages/login.page";
+
+export const test = base.extend<{ authenticatedPage: Page }>({
+  authenticatedPage: async ({ page }, use) => {
+    // Fast auth via API
+    const response = await page.request.post("/api/auth/login", {
+      data: { email: "test@example.com", password: "password" },
+    });
+    const { token } = await response.json();
+
+    await page.context().addCookies([
+      { name: "auth_token", value: token, domain: "localhost", path: "/" },
+    ]);
+
+    await page.goto("/dashboard");
+    await use(page);
   },
-  projects: [
-    { name: 'chromium', use: { ...devices['Desktop Chrome'] } },
-    { name: 'mobile', use: { ...devices['iPhone 12'] } },
-  ],
 });
 ```
 
-## Run
-```bash
-npx playwright test
-npx playwright test --ui
-npx playwright codegen
+### Visual Regression Testing
+
+```typescript
+test("visual snapshot", async ({ page }) => {
+  await page.goto("/");
+  await page.addStyleTag({
+    content: "*, *::before, *::after { animation-duration: 0s !important; }",
+  });
+
+  await expect(page).toHaveScreenshot("homepage.png", {
+    fullPage: true,
+    maxDiffPixels: 100,
+  });
+
+  // Mask dynamic content
+  await expect(page).toHaveScreenshot("dashboard.png", {
+    mask: [page.getByTestId("timestamp"), page.getByTestId("avatar")],
+  });
+});
 ```
+
+## Best Practices
+
+| Do | Avoid |
+|----|-------|
+| Use Page Object Model for maintainability | Fragile CSS selectors |
+| Prefer user-facing locators (getByRole, getByLabel) | Relying on arbitrary waits |
+| Use API auth for faster test setup | Sharing state between tests |
+| Enable traces and screenshots for debugging | Testing third-party services directly |
+| Run tests in parallel for speed | Skipping flaky tests without fixing |
+| Mock external APIs for reliability | Hardcoding test data |
+
+## References
+
+- [Playwright Documentation](https://playwright.dev/docs/intro)
+- [Playwright Best Practices](https://playwright.dev/docs/best-practices)
+- [Page Object Model](https://playwright.dev/docs/pom)
+- [Visual Comparisons](https://playwright.dev/docs/test-snapshots)

package/plugin/skills/testing/pytest/SKILL.md

@@ -1,58 +1,157 @@
 ---
-name: pytest
-description: Python testing with pytest. Use for unit tests, fixtures, mocking.
+name: Testing with Pytest
+description: Claude writes comprehensive Python tests using pytest. Use when writing unit tests, creating fixtures, parametrizing tests, mocking dependencies, testing async code, or setting up CI test pipelines.
 ---
 
-# Pytest Skill
+# Testing with Pytest
 
-## Basic Tests
-```python
-def test_add():
-    assert add(1, 2) == 3
+## Quick Start
 
-def test_raises():
-    with pytest.raises(ValueError):
-        validate("")
+```ini
+# pytest.ini
+[pytest]
+testpaths = tests
+python_files = test_*.py
+addopts = -v --strict-markers --cov=src --cov-report=term-missing --cov-fail-under=80
+markers =
+    slow: marks tests as slow
+    integration: marks tests as integration tests
+asyncio_mode = auto
 ```
 
-## Fixtures
 ```python
-@pytest.fixture
-def user():
-    return User(email="test@example.com")
+# tests/conftest.py
+import pytest
+from sqlalchemy.orm import Session
 
 @pytest.fixture
-async def db():
-    conn = await create_connection()
-    yield conn
-    await conn.close()
+def db_session(engine) -> Session:
+    """Create database session with automatic rollback."""
+    connection = engine.connect()
+    transaction = connection.begin()
+    session = sessionmaker(bind=connection)()
+    yield session
+    session.close()
+    transaction.rollback()
+    connection.close()
+```
+
+## Features
+
+| Feature | Description | Reference |
+|---------|-------------|-----------|
+| Fixtures | Reusable test setup with dependency injection | [Fixtures Guide](https://docs.pytest.org/en/latest/how-to/fixtures.html) |
+| Parametrization | Test multiple inputs with @pytest.mark.parametrize | [Parametrize](https://docs.pytest.org/en/latest/how-to/parametrize.html) |
+| Mocking | unittest.mock integration for patching | [pytest-mock](https://pytest-mock.readthedocs.io/) |
+| Async Testing | Native async/await support with pytest-asyncio | [pytest-asyncio](https://pytest-asyncio.readthedocs.io/) |
+| Markers | Categorize and filter tests | [Markers](https://docs.pytest.org/en/latest/how-to/mark.html) |
+| Coverage | Code coverage with pytest-cov | [pytest-cov](https://pytest-cov.readthedocs.io/) |
+
+## Common Patterns
+
+### Parametrized Validation Tests
 
-def test_user_email(user):
-    assert user.email == "test@example.com"
+```python
+import pytest
+from src.validators import validate_email, ValidationError
+
+class TestEmailValidation:
+    @pytest.mark.parametrize("email", [
+        "user@example.com",
+        "user.name@example.com",
+        "user+tag@example.co.uk",
+    ])
+    def test_valid_emails(self, email: str):
+        assert validate_email(email) is True
+
+    @pytest.mark.parametrize("email,error", [
+        ("", "Email is required"),
+        ("invalid", "Invalid email format"),
+        ("@example.com", "Invalid email format"),
+    ])
+    def test_invalid_emails(self, email: str, error: str):
+        with pytest.raises(ValidationError, match=error):
+            validate_email(email)
 ```
 
-## Parametrize
+### Factory Fixtures
+
 ```python
-@pytest.mark.parametrize("input,expected", [
-    (1, 2),
-    (2, 4),
-    (3, 6),
-])
-def test_double(input, expected):
-    assert double(input) == expected
+@pytest.fixture
+def user_factory(db_session):
+    """Factory for creating test users."""
+    def _create_user(email="test@example.com", name="Test User", **kwargs):
+        user = User(email=email, name=name, **kwargs)
+        db_session.add(user)
+        db_session.commit()
+        return user
+    return _create_user
+
+@pytest.fixture
+def test_user(user_factory):
+    return user_factory(email="testuser@example.com")
 ```
 
-## Mocking
+### Mocking External Services
+
 ```python
-def test_api_call(mocker):
-    mocker.patch('module.fetch', return_value={'data': 'test'})
-    result = get_data()
-    assert result == {'data': 'test'}
+from unittest.mock import patch, MagicMock
+
+class TestUserService:
+    def test_create_user_sends_email(self, user_service, mock_email_service):
+        user = user_service.create_user(email="new@example.com", name="New")
+
+        mock_email_service.send_email.assert_called_once_with(
+            to="new@example.com",
+            template="welcome",
+            context={"name": "New"},
+        )
+
+    @patch("src.services.user_service.datetime")
+    def test_last_login_updated(self, mock_datetime, user_service, test_user):
+        from datetime import datetime
+        mock_datetime.utcnow.return_value = datetime(2024, 1, 15, 10, 30)
+
+        user_service.authenticate(test_user.email, "password")
+        assert test_user.last_login == datetime(2024, 1, 15, 10, 30)
 ```
 
-## Run
-```bash
-pytest -v
-pytest --cov=src
-pytest -k "test_user"
+### Async API Testing
+
+```python
+import pytest
+from httpx import AsyncClient
+
+@pytest.mark.asyncio
+class TestAPIEndpoints:
+    async def test_get_users(self, async_client: AsyncClient, test_user):
+        response = await async_client.get("/api/users")
+        assert response.status_code == 200
+        assert len(response.json()["users"]) >= 1
+
+    async def test_create_user(self, async_client: AsyncClient):
+        response = await async_client.post("/api/users", json={
+            "email": "new@example.com",
+            "name": "New User",
+            "password": "SecurePass123!",
+        })
+        assert response.status_code == 201
 ```
+
+## Best Practices
+
+| Do | Avoid |
+|----|-------|
+| Use descriptive test names explaining the scenario | Sharing state between tests |
+| Create reusable fixtures for common setup | Using sleep for timing issues |
+| Use parametrize for testing multiple inputs | Testing implementation details |
+| Mock external dependencies | Writing tests that depend on order |
+| Group related tests in classes | Using hardcoded file paths |
+| Use factories for test data creation | Leaving commented-out test code |
+
+## References
+
+- [Pytest Documentation](https://docs.pytest.org/)
+- [pytest-asyncio](https://pytest-asyncio.readthedocs.io/)
+- [pytest-mock](https://pytest-mock.readthedocs.io/)
+- [pytest-cov](https://pytest-cov.readthedocs.io/)