proagents 1.0.0

package/proagents/prompts/security-audit/code-review.md

@@ -0,0 +1,260 @@
+# Security Code Review
+
+Comprehensive security review for code.
+
+---
+
+## Prompt Template
+
+```
+Review this code for security vulnerabilities:
+
+{code}
+
+Check for:
+1. Injection vulnerabilities (SQL, NoSQL, Command, LDAP)
+2. Authentication/Authorization issues
+3. Sensitive data exposure
+4. XSS vulnerabilities
+5. CSRF vulnerabilities
+6. Insecure deserialization
+7. Security misconfiguration
+8. Hardcoded secrets/credentials
+9. Insufficient logging
+10. Using components with known vulnerabilities
+
+For each issue found:
+- Describe the vulnerability
+- Explain the risk (with CWE reference)
+- Provide severity rating
+- Show secure code fix
+```
+
+---
+
+## OWASP Top 10 Checks
+
+### A01: Broken Access Control
+
+```typescript
+// ❌ Vulnerable: No authorization check
+app.get('/api/users/:id', async (req, res) => {
+  const user = await User.findById(req.params.id);
+  res.json(user);
+});
+
+// ✅ Secure: Authorization check
+app.get('/api/users/:id', authenticate, async (req, res) => {
+  // Check if user can access this resource
+  if (req.user.id !== req.params.id && !req.user.isAdmin) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+
+  const user = await User.findById(req.params.id);
+  res.json(user);
+});
+```
+
+### A02: Cryptographic Failures
+
+```typescript
+// ❌ Vulnerable: Weak hashing
+const hashedPassword = md5(password);
+
+// ❌ Vulnerable: Hardcoded secret
+const token = jwt.sign(payload, 'my-secret-key');
+
+// ✅ Secure: Strong hashing with bcrypt
+const hashedPassword = await bcrypt.hash(password, 12);
+
+// ✅ Secure: Environment variable secret
+const token = jwt.sign(payload, process.env.JWT_SECRET);
+```
+
+### A03: Injection
+
+```typescript
+// ❌ Vulnerable: SQL injection
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+db.query(query);
+
+// ❌ Vulnerable: NoSQL injection
+User.find({ email: req.body.email });
+
+// ✅ Secure: Parameterized query
+const query = 'SELECT * FROM users WHERE email = $1';
+db.query(query, [email]);
+
+// ✅ Secure: Input validation
+const email = z.string().email().parse(req.body.email);
+User.find({ email });
+```
+
+### A04: Insecure Design
+
+```typescript
+// ❌ Vulnerable: No rate limiting
+app.post('/api/login', async (req, res) => {
+  const user = await authenticate(req.body);
+  res.json(user);
+});
+
+// ✅ Secure: Rate limiting
+import rateLimit from 'express-rate-limit';
+
+const loginLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 5, // 5 attempts
+  message: 'Too many login attempts',
+});
+
+app.post('/api/login', loginLimiter, async (req, res) => {
+  const user = await authenticate(req.body);
+  res.json(user);
+});
+```
+
+### A05: Security Misconfiguration
+
+```typescript
+// ❌ Vulnerable: Verbose errors in production
+app.use((err, req, res, next) => {
+  res.status(500).json({
+    error: err.message,
+    stack: err.stack, // Exposes internal details
+  });
+});
+
+// ✅ Secure: Generic errors in production
+app.use((err, req, res, next) => {
+  logger.error(err);
+
+  if (process.env.NODE_ENV === 'production') {
+    res.status(500).json({ error: 'Internal server error' });
+  } else {
+    res.status(500).json({ error: err.message, stack: err.stack });
+  }
+});
+```
+
+### A07: XSS
+
+```typescript
+// ❌ Vulnerable: Direct HTML insertion
+function Comment({ content }) {
+  return <div dangerouslySetInnerHTML={{ __html: content }} />;
+}
+
+// ✅ Secure: Text content only
+function Comment({ content }) {
+  return <div>{content}</div>;
+}
+
+// ✅ Secure: Sanitize if HTML needed
+import DOMPurify from 'dompurify';
+
+function Comment({ content }) {
+  const sanitized = DOMPurify.sanitize(content);
+  return <div dangerouslySetInnerHTML={{ __html: sanitized }} />;
+}
+```
+
+---
+
+## Secret Detection
+
+```typescript
+// ❌ Vulnerable: Hardcoded secrets
+const API_KEY = 'sk_live_abc123xyz';
+const DB_PASSWORD = 'admin123';
+const JWT_SECRET = 'super-secret-key';
+
+// ❌ Vulnerable: Committed to repo
+// .env (should be in .gitignore)
+API_KEY=sk_live_abc123xyz
+
+// ✅ Secure: Environment variables
+const API_KEY = process.env.API_KEY;
+const DB_PASSWORD = process.env.DB_PASSWORD;
+
+// Validate secrets exist
+if (!process.env.API_KEY) {
+  throw new Error('API_KEY environment variable required');
+}
+```
+
+---
+
+## Security Headers
+
+```typescript
+import helmet from 'helmet';
+
+app.use(helmet());
+
+// Or configure individually
+app.use(helmet.contentSecurityPolicy({
+  directives: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'", "'unsafe-inline'"],
+    styleSrc: ["'self'", "'unsafe-inline'"],
+    imgSrc: ["'self'", 'data:', 'https:'],
+  },
+}));
+
+app.use(helmet.hsts({
+  maxAge: 31536000,
+  includeSubDomains: true,
+}));
+```
+
+---
+
+## Input Validation
+
+```typescript
+import { z } from 'zod';
+
+// Define strict schemas
+const userSchema = z.object({
+  email: z.string().email().max(255),
+  password: z.string().min(8).max(100),
+  name: z.string().min(1).max(100).regex(/^[a-zA-Z\s]+$/),
+});
+
+// Validate all inputs
+app.post('/api/users', async (req, res) => {
+  const result = userSchema.safeParse(req.body);
+
+  if (!result.success) {
+    return res.status(400).json({
+      error: 'Validation failed',
+      details: result.error.issues,
+    });
+  }
+
+  const user = await createUser(result.data);
+  res.json(user);
+});
+```
+
+---
+
+## Security Commands
+
+```bash
+# Full security audit
+/security audit ./src
+
+# Check for OWASP Top 10
+/security owasp ./src/api
+
+# Find secrets
+/security secrets ./
+
+# Check dependencies
+/security deps
+
+# Generate security report
+/security report
+```

package/proagents/prompts/security-audit/vulnerability-scan.md

@@ -0,0 +1,288 @@
+# Vulnerability Scanning Prompt
+
+Identify security vulnerabilities in code.
+
+---
+
+## Prompt Template
+
+```markdown
+## Security Vulnerability Scan
+
+Analyze the following code for security vulnerabilities:
+
+```{{language}}
+{{code}}
+```
+
+### Check For (OWASP Top 10):
+
+1. **Broken Access Control (A01)**
+   - [ ] Missing authorization checks
+   - [ ] IDOR vulnerabilities
+   - [ ] Privilege escalation
+
+2. **Cryptographic Failures (A02)**
+   - [ ] Weak encryption
+   - [ ] Hardcoded secrets
+   - [ ] Insecure random numbers
+
+3. **Injection (A03)**
+   - [ ] SQL injection
+   - [ ] Command injection
+   - [ ] XSS vulnerabilities
+
+4. **Insecure Design (A04)**
+   - [ ] Missing rate limiting
+   - [ ] Insufficient validation
+
+5. **Security Misconfiguration (A05)**
+   - [ ] Verbose error messages
+   - [ ] Default credentials
+   - [ ] Missing security headers
+
+6. **Vulnerable Components (A06)**
+   - [ ] Outdated dependencies
+   - [ ] Known vulnerabilities
+
+7. **Authentication Failures (A07)**
+   - [ ] Weak password policies
+   - [ ] Session management issues
+
+8. **Data Integrity Failures (A08)**
+   - [ ] Missing input validation
+   - [ ] Insecure deserialization
+
+9. **Logging Failures (A09)**
+   - [ ] Insufficient logging
+   - [ ] Sensitive data in logs
+
+10. **SSRF (A10)**
+    - [ ] User-controlled URLs
+    - [ ] Internal network access
+
+### Output Format:
+For each vulnerability:
+1. OWASP category
+2. Severity (Critical/High/Medium/Low)
+3. Location in code
+4. Exploitation scenario
+5. Remediation steps
+6. Fixed code
+```
+
+---
+
+## Common Vulnerabilities
+
+### SQL Injection
+
+```typescript
+// ❌ Vulnerable
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+await db.query(query);
+
+// ✅ Secure
+const query = 'SELECT * FROM users WHERE id = $1';
+await db.query(query, [userId]);
+
+// ✅ Using ORM (Prisma)
+await prisma.user.findUnique({ where: { id: userId } });
+```
+
+### XSS (Cross-Site Scripting)
+
+```tsx
+// ❌ Vulnerable - React
+<div dangerouslySetInnerHTML={{ __html: userInput }} />
+
+// ✅ Secure - sanitize if HTML needed
+import DOMPurify from 'dompurify';
+<div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(userInput) }} />
+
+// ✅ Secure - text content (React auto-escapes)
+<div>{userInput}</div>
+```
+
+### Command Injection
+
+```typescript
+// ❌ Vulnerable
+exec(`ls ${userInput}`, (err, stdout) => { ... });
+
+// ✅ Secure - use parameterized
+execFile('ls', [userInput], (err, stdout) => { ... });
+
+// ✅ Secure - validate/sanitize input
+if (!/^[a-zA-Z0-9_-]+$/.test(userInput)) {
+  throw new Error('Invalid input');
+}
+```
+
+### Path Traversal
+
+```typescript
+// ❌ Vulnerable
+const filePath = `/uploads/${req.params.filename}`;
+fs.readFile(filePath);
+
+// ✅ Secure
+import path from 'path';
+
+const safePath = path.join('/uploads', path.basename(req.params.filename));
+if (!safePath.startsWith('/uploads/')) {
+  throw new Error('Invalid path');
+}
+```
+
+### Insecure Direct Object Reference (IDOR)
+
+```typescript
+// ❌ Vulnerable - no authorization check
+app.get('/api/users/:id/data', async (req, res) => {
+  const data = await getUserData(req.params.id);
+  res.json(data);
+});
+
+// ✅ Secure - verify ownership
+app.get('/api/users/:id/data', async (req, res) => {
+  if (req.user.id !== req.params.id && !req.user.isAdmin) {
+    return res.status(403).json({ error: 'Forbidden' });
+  }
+  const data = await getUserData(req.params.id);
+  res.json(data);
+});
+```
+
+### Hardcoded Secrets
+
+```typescript
+// ❌ Vulnerable
+const apiKey = 'sk-12345abcdef';
+const dbPassword = 'mysecretpassword';
+
+// ✅ Secure - use environment variables
+const apiKey = process.env.API_KEY;
+const dbPassword = process.env.DB_PASSWORD;
+
+// ✅ Secure - use secrets manager
+const apiKey = await secretsManager.getSecret('api-key');
+```
+
+---
+
+## Security Headers
+
+```typescript
+// Next.js next.config.js
+const securityHeaders = [
+  {
+    key: 'X-DNS-Prefetch-Control',
+    value: 'on'
+  },
+  {
+    key: 'Strict-Transport-Security',
+    value: 'max-age=63072000; includeSubDomains; preload'
+  },
+  {
+    key: 'X-XSS-Protection',
+    value: '1; mode=block'
+  },
+  {
+    key: 'X-Frame-Options',
+    value: 'SAMEORIGIN'
+  },
+  {
+    key: 'X-Content-Type-Options',
+    value: 'nosniff'
+  },
+  {
+    key: 'Referrer-Policy',
+    value: 'origin-when-cross-origin'
+  },
+  {
+    key: 'Content-Security-Policy',
+    value: "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
+  }
+];
+```
+
+---
+
+## Input Validation
+
+```typescript
+import { z } from 'zod';
+
+// Define schema
+const userSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8).regex(/[A-Z]/).regex(/[0-9]/),
+  age: z.number().int().min(18).max(120),
+  role: z.enum(['user', 'admin']),
+});
+
+// Validate input
+export async function createUser(input: unknown) {
+  const validated = userSchema.parse(input);
+  // Safe to use validated data
+  return await db.user.create({ data: validated });
+}
+```
+
+---
+
+## Rate Limiting
+
+```typescript
+import rateLimit from 'express-rate-limit';
+
+// General rate limit
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // 100 requests per window
+  message: 'Too many requests',
+});
+
+// Strict limit for auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 60 * 60 * 1000, // 1 hour
+  max: 5, // 5 attempts per hour
+  message: 'Too many login attempts',
+});
+
+app.use('/api/', limiter);
+app.use('/api/auth/', authLimiter);
+```
+
+---
+
+## Security Testing
+
+```typescript
+// Automated security tests
+describe('Security', () => {
+  it('should prevent SQL injection', async () => {
+    const maliciousInput = "'; DROP TABLE users; --";
+    const response = await request(app)
+      .get(`/api/users/${maliciousInput}`)
+      .expect(400); // Should reject, not execute
+  });
+
+  it('should prevent XSS', async () => {
+    const maliciousInput = '<script>alert("xss")</script>';
+    const response = await request(app)
+      .post('/api/comments')
+      .send({ content: maliciousInput });
+
+    expect(response.body.content).not.toContain('<script>');
+  });
+
+  it('should enforce authorization', async () => {
+    await request(app)
+      .get('/api/users/other-user-id/data')
+      .set('Authorization', `Bearer ${userToken}`)
+      .expect(403);
+  });
+});
+```

package/proagents/reporting/README.md

@@ -0,0 +1,158 @@
+# Reporting & Analytics Dashboard
+
+Track development metrics, team productivity, and project health.
+
+---
+
+## Overview
+
+ProAgents provides comprehensive reporting and analytics to track development progress and identify areas for improvement.
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                    Analytics Dashboard                       │
+├─────────────────────────────────────────────────────────────┤
+│                                                             │
+│  ┌─────────────────┐  ┌─────────────────┐                  │
+│  │    Velocity     │  │    Quality      │                  │
+│  │  ████████░░ 80% │  │  ████████░░ 85% │                  │
+│  │  Features/Week  │  │  Test Coverage  │                  │
+│  └─────────────────┘  └─────────────────┘                  │
+│                                                             │
+│  ┌─────────────────┐  ┌─────────────────┐                  │
+│  │   Efficiency    │  │    Team         │                  │
+│  │  ████████░░ 75% │  │  ████████░░ 90% │                  │
+│  │  Phase Time     │  │  Collaboration  │                  │
+│  └─────────────────┘  └─────────────────┘                  │
+│                                                             │
+└─────────────────────────────────────────────────────────────┘
+```
+
+---
+
+## Quick Start
+
+### Generate Reports
+
+```bash
+# Generate velocity report
+proagents report velocity
+
+# Generate quality report
+proagents report quality
+
+# Generate all reports
+proagents report all
+```
+
+### View Dashboard
+
+```bash
+# Open dashboard in browser
+proagents dashboard
+
+# Generate static dashboard
+proagents dashboard export --format html
+```
+
+---
+
+## Report Types
+
+| Report | Description | Frequency |
+|--------|-------------|-----------|
+| **Velocity** | Development speed and throughput | Weekly |
+| **Quality** | Code quality and test coverage | Weekly |
+| **Team** | Team activity and collaboration | Weekly |
+| **Features** | Feature completion and status | Daily |
+| **Security** | Security vulnerabilities and fixes | Weekly |
+| **Dependencies** | Dependency health and updates | Weekly |
+
+---
+
+## Documentation Files
+
+| File | Description |
+|------|-------------|
+| [velocity-metrics.md](./velocity-metrics.md) | Velocity tracking and metrics |
+| [quality-metrics.md](./quality-metrics.md) | Code quality metrics |
+| [dashboards.md](./dashboards.md) | Dashboard configuration |
+| [exports.md](./exports.md) | Report export options |
+
+---
+
+## Key Metrics
+
+### Development Velocity
+
+- Features completed per week
+- Average time per phase
+- Cycle time (start to deploy)
+- Lead time (idea to deploy)
+
+### Code Quality
+
+- Test coverage percentage
+- Code review completion rate
+- Bug escape rate
+- Technical debt score
+
+### Team Performance
+
+- Features per developer
+- Review turnaround time
+- Collaboration score
+- Knowledge sharing
+
+---
+
+## Configuration
+
+```yaml
+# proagents.config.yaml
+
+reporting:
+  enabled: true
+
+  # Automatic reports
+  schedules:
+    - report: velocity
+      frequency: weekly
+      day: monday
+      recipients: [team@company.com]
+
+    - report: quality
+      frequency: weekly
+      day: friday
+      recipients: [tech-lead@company.com]
+
+  # Dashboard settings
+  dashboard:
+    refresh_interval: "5m"
+    default_period: "30d"
+
+  # Metrics collection
+  metrics:
+    velocity: true
+    quality: true
+    team: true
+    security: true
+
+  # Export settings
+  export:
+    formats: [pdf, html, json]
+    include_charts: true
+```
+
+---
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `proagents report velocity` | Generate velocity report |
+| `proagents report quality` | Generate quality report |
+| `proagents report team` | Generate team report |
+| `proagents report all` | Generate all reports |
+| `proagents dashboard` | Open live dashboard |
+| `proagents metrics` | Show current metrics |