sequant 1.0.0

package/templates/skills/security-review/references/security-checklists.md

@@ -0,0 +1,377 @@
+# Security Checklists Reference
+
+Detailed checklists for each security domain, used by the `/security-review` skill.
+
+## Authentication Checklist (AUTH)
+
+### AUTH-1: Password Hashing
+**Requirement:** Passwords must use bcrypt/argon2 with appropriate cost factor.
+
+**How to Verify:**
+```bash
+grep -r "bcrypt\|argon2\|hashPassword" lib/ app/
+```
+
+**Good:**
+```typescript
+import bcrypt from 'bcryptjs'
+const hash = await bcrypt.hash(password, 12)
+```
+
+**Bad:**
+```typescript
+const hash = crypto.createHash('sha256').update(password).digest('hex')
+```
+
+### AUTH-2: Session Token Randomness
+**Requirement:** Session tokens must be cryptographically random.
+
+**How to Verify:**
+```bash
+grep -r "crypto.randomBytes\|uuid\|nanoid" lib/auth/
+```
+
+**Good:**
+```typescript
+const token = crypto.randomBytes(32).toString('hex')
+```
+
+**Bad:**
+```typescript
+const token = Date.now().toString(36)
+```
+
+### AUTH-3: Session Expiration
+**Requirement:** Sessions must expire within appropriate timeframe.
+
+**How to Verify:**
+```bash
+grep -r "maxAge\|expires\|TTL" lib/auth/ app/api/auth/
+```
+
+**Good:** 15-60 minutes for sensitive, 1-7 days for general.
+
+**Bad:** No expiration or "remember me" without user consent.
+
+### AUTH-4: Logout Invalidation
+**Requirement:** Logout must invalidate session server-side.
+
+**How to Verify:**
+- Check logout handler deletes session from store
+- Verify token is invalidated, not just cleared from client
+
+### AUTH-5: Password Reset Tokens
+**Requirement:** Reset tokens must be single-use and time-limited.
+
+**How to Verify:**
+```bash
+grep -r "resetToken\|passwordReset" lib/ app/
+```
+
+**Good:** Token expires in 1 hour, deleted after use.
+
+**Bad:** Token reusable, no expiration.
+
+### AUTH-6: Login Rate Limiting
+**Requirement:** Failed login attempts must be rate-limited.
+
+**How to Verify:**
+```bash
+grep -r "rateLimit\|loginAttempts\|throttle" lib/ app/api/auth/
+```
+
+**Good:** 5 attempts per 15 minutes.
+
+### AUTH-7: Timing Attack Prevention
+**Requirement:** Password comparison must be constant-time.
+
+**How to Verify:**
+```bash
+grep -r "timingSafeEqual\|bcrypt.compare" lib/auth/
+```
+
+**Good:**
+```typescript
+await bcrypt.compare(input, hash)  // bcrypt is constant-time
+```
+
+**Bad:**
+```typescript
+if (input === password) // Direct comparison leaks timing info
+```
+
+### AUTH-8: MFA Implementation
+**Requirement:** If MFA is implemented, it must be properly enforced.
+
+**How to Verify:**
+- Check MFA cannot be bypassed
+- Verify backup codes are single-use
+- Confirm TOTP secrets are stored securely
+
+---
+
+## Authorization Checklist (AUTHZ)
+
+### AUTHZ-1: Authentication on All Endpoints
+**Requirement:** Every sensitive endpoint must check authentication.
+
+**How to Verify:**
+```bash
+grep -r "requireAuth\|getServerSession\|authenticate" app/api/ app/admin/
+```
+
+**Good:** Middleware checks auth before route handler.
+
+**Bad:** Route handler assumes auth without checking.
+
+### AUTHZ-2: RBAC Enforcement
+**Requirement:** Role checks must happen before privileged actions.
+
+**How to Verify:**
+```bash
+grep -r "role\|isAdmin\|hasPermission" lib/ app/
+```
+
+**Good:**
+```typescript
+if (user.role !== 'admin') throw new ForbiddenError()
+```
+
+**Bad:**
+```typescript
+// Role stored in frontend, not verified server-side
+```
+
+### AUTHZ-3: IDOR Prevention
+**Requirement:** Object access must verify user owns/can access the object.
+
+**How to Verify:**
+- Check queries filter by user_id or org_id
+- Verify route params can't access other users' data
+
+**Bad:**
+```typescript
+const shop = await db.shops.findUnique({ where: { id: shopId } })
+// Missing: .eq('owner_id', user.id)
+```
+
+### AUTHZ-4: Horizontal Privilege Escalation
+**Requirement:** Users cannot access other users' resources at same privilege level.
+
+**How to Verify:**
+- Review list queries for proper scoping
+- Check bulk operations filter by user
+
+### AUTHZ-5: Vertical Privilege Escalation
+**Requirement:** Lower-privilege users cannot perform admin actions.
+
+**How to Verify:**
+- Check admin routes have role verification
+- Verify form submissions validate permissions
+
+### AUTHZ-6: Audit Logging
+**Requirement:** Admin actions must be logged for audit.
+
+**How to Verify:**
+```bash
+grep -r "audit\|logAction\|shop_enrichment_log" lib/ app/admin/
+```
+
+**Good:**
+```typescript
+await logAuditEvent({ action: 'approve_shop', actor: userId, target: shopId })
+```
+
+---
+
+## API Security Checklist (API)
+
+### API-1: Input Validation
+**Requirement:** All inputs must be validated with schemas.
+
+**How to Verify:**
+```bash
+grep -r "z\.\|zod\|yup\|joi" lib/validations/ app/api/
+```
+
+**Good:**
+```typescript
+const schema = z.object({ name: z.string().min(1).max(100) })
+```
+
+**Bad:**
+```typescript
+const { name } = req.body // No validation
+```
+
+### API-2: XSS Prevention
+**Requirement:** Output must be properly encoded.
+
+**How to Verify:**
+- React/Next.js auto-escapes by default
+- Check for `dangerouslySetInnerHTML` usage
+- Verify markdown rendering is sanitized
+
+### API-3: SQL Injection Prevention
+**Requirement:** Queries must use parameterized statements.
+
+**How to Verify:**
+```bash
+grep -r "\.from\(" lib/ app/ | grep -v "supabase"
+grep -r "raw\|execute\|query" lib/ app/
+```
+
+**Good:**
+```typescript
+supabase.from('shops').select('*').eq('id', shopId)
+```
+
+**Bad:**
+```typescript
+db.query(`SELECT * FROM shops WHERE id = ${shopId}`)
+```
+
+### API-4: Rate Limiting
+**Requirement:** Public endpoints must be rate-limited.
+
+**How to Verify:**
+```bash
+grep -r "rateLimit\|Ratelimit" middleware/ lib/
+```
+
+### API-5: CORS Configuration
+**Requirement:** CORS must be properly configured.
+
+**How to Verify:**
+```bash
+grep -r "cors\|Access-Control" next.config.js middleware/
+```
+
+**Good:** Specific origins allowed.
+
+**Bad:** `Access-Control-Allow-Origin: *` for authenticated endpoints.
+
+### API-6: Error Message Safety
+**Requirement:** Error messages must not leak sensitive info.
+
+**How to Verify:**
+- Check error responses in production mode
+- Verify stack traces not exposed
+
+**Good:**
+```typescript
+return { error: 'Authentication failed' }
+```
+
+**Bad:**
+```typescript
+return { error: err.message, stack: err.stack }
+```
+
+### API-7: File Upload Validation
+**Requirement:** Uploads must validate type, size, and name.
+
+**How to Verify:**
+```bash
+grep -r "upload\|multipart\|formData" app/api/ lib/
+```
+
+**Good:**
+```typescript
+if (!['image/jpeg', 'image/png'].includes(file.type)) throw Error
+if (file.size > 5 * 1024 * 1024) throw Error
+```
+
+---
+
+## Data Protection Checklist (DATA)
+
+### DATA-1: Encryption at Rest
+**Requirement:** Sensitive data must be encrypted in database.
+
+**How to Verify:**
+- Supabase uses encryption by default
+- Check for additional encryption on highly sensitive fields
+
+### DATA-2: Encryption in Transit
+**Requirement:** All communications must use HTTPS.
+
+**How to Verify:**
+- Vercel enforces HTTPS automatically
+- Check for HTTP references in code
+
+### DATA-3: PII Handling
+**Requirement:** PII must be handled per privacy policy.
+
+**How to Verify:**
+- Check what user data is collected
+- Verify data retention policies
+- Confirm deletion procedures
+
+### DATA-4: Log Safety
+**Requirement:** Logs must not contain sensitive data.
+
+**How to Verify:**
+```bash
+grep -r "console.log\|logger" lib/ app/ | head -20
+```
+
+**Bad:**
+```typescript
+console.log('User login:', { email, password })
+```
+
+### DATA-5: Query Authorization
+**Requirement:** Queries must respect user permissions.
+
+**How to Verify:**
+- Check RLS policies exist for tables
+- Verify public client can't read unauthorized data
+
+---
+
+## Infrastructure Checklist (INFRA)
+
+### INFRA-1: Environment Variable Protection
+**Requirement:** Secrets must be in env vars, not code.
+
+**How to Verify:**
+```bash
+grep -r "process.env" lib/ app/ | head -10
+```
+
+**Good:** API keys in `.env.local`, read via `process.env`.
+
+**Bad:** API key hardcoded in source file.
+
+### INFRA-2: No Hardcoded Secrets
+**Requirement:** No secrets committed to repository.
+
+**How to Verify:**
+```bash
+grep -ri "password\|secret\|apikey\|api_key" --include="*.ts" --include="*.tsx" . | grep -v "process.env"
+```
+
+### INFRA-3: Dependencies Up to Date
+**Requirement:** No known vulnerable dependencies.
+
+**How to Verify:**
+```bash
+npm audit
+```
+
+### INFRA-4: CSP Headers
+**Requirement:** Content Security Policy should be configured.
+
+**How to Verify:**
+```bash
+grep -r "Content-Security-Policy\|CSP" next.config.js middleware/
+```
+
+### INFRA-5: Security Headers
+**Requirement:** Standard security headers must be set.
+
+**How to Verify:**
+- X-Frame-Options: DENY
+- X-Content-Type-Options: nosniff
+- Strict-Transport-Security: max-age=...

package/templates/skills/solve/SKILL.md

@@ -0,0 +1,242 @@
+---
+name: solve
+description: "Generate the proper execute-issues.ts command for one or more GitHub issues"
+license: MIT
+metadata:
+  author: sequant
+  version: "1.0"
+allowed-tools:
+  - Bash(gh issue view:*)
+---
+
+# Solve Command Generator
+
+You are the "Solve Command Generator" for the current repository.
+
+## Purpose
+
+When invoked as `/solve <issue-numbers>`, your job is to:
+
+1. Analyze the provided issue number(s)
+2. Check if they require UI testing (based on labels: admin, ui, frontend)
+3. Generate the optimal `npx tsx scripts/dev/execute-issues.ts` command
+4. Display the command in a copy-paste ready format
+
+## Behavior
+
+### Invocation Formats
+
+- `/solve 152` - Single issue
+- `/solve 152 153 154` - Multiple issues (parallel execution)
+- `/solve --batch "152 153" "154 155"` - Sequential batches
+
+### Detection Logic
+
+For each issue, check GitHub labels to determine if `/test` phase is needed:
+
+```bash
+gh issue view <issue-number> --json labels --jq '.labels[].name'
+```
+
+**UI Testing Required** if labels include:
+- `admin`
+- `ui`
+- `frontend`
+
+**Backend Issues** (no UI testing):
+- All other labels
+
+### Command Generation
+
+**Single Issue:**
+```bash
+# UI issue (has admin/ui/frontend label)
+PHASES=spec,exec,test,qa npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152
+
+# Backend issue (no UI label)
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152
+```
+
+**Multiple Issues (Parallel):**
+```bash
+# All backend issues
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152 153 154
+
+# Mixed (some UI, some backend)
+PHASES=spec,exec,test,qa npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152 153 154
+
+# Note: PHASES env var applies to ALL issues
+# If ANY issue needs /test, add it for all
+```
+
+**Sequential Batches (Dependency-Aware):**
+```bash
+# Run issues sequentially (respects dependencies)
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts --sequential 152 153 154
+
+# Run batch 1, then batch 2
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts --batch "152 153" --batch "154 155"
+
+# With custom phases
+PHASES=spec,exec,test,qa npx tsx --env-file=.env.local scripts/dev/execute-issues.ts --batch "152 153" --batch "154 155"
+```
+
+## Output Format
+
+Provide a clear, actionable response with:
+
+1. **Issue Summary Table** showing:
+   - Issue number
+   - Title
+   - Labels
+   - Needs /test? (Yes/No)
+
+2. **Recommended Command** in a code block for easy copying
+
+3. **Explanation** of why this command was chosen
+
+### Example Output
+
+```markdown
+## Solve Command for Issues: 152, 153, 154
+
+### Issue Analysis
+
+| Issue | Title | Labels | Needs /test? |
+|-------|-------|--------|--------------|
+| #152 | Admin Review Queue: Bulk Edit v2 | admin, enhancement | Yes |
+| #153 | Automated content discovery | backend, enhancement | No |
+| #154 | City onboarding UI | admin, ui | Yes |
+
+### Recommended Command
+
+Since issues #152 and #154 require UI testing, we'll add the `/test` phase for all issues:
+
+\`\`\`bash
+PHASES=spec,exec,test,qa npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152 153 154
+\`\`\`
+
+### Explanation
+
+- **Parallel execution**: All 3 issues run simultaneously
+- **Custom phases**: `spec,exec,test,qa` includes browser testing
+- **Logs**: Check `/tmp/claude-issue-{152,153,154}.log` for progress
+
+### Quality Loop Option
+
+For automatic fix iterations until quality gates pass:
+
+\`\`\`bash
+QUALITY_LOOP=true PHASES=spec,exec,test,qa npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152 153 154
+\`\`\`
+
+This auto-includes `/testgen` for shift-left testing and runs `/loop` after test/QA failures (max 3 iterations per phase).
+
+### Speed Option
+
+For faster batch execution without smart tests (disable auto-regression detection):
+
+\`\`\`bash
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts --no-smart-tests 152 153 154
+\`\`\`
+
+### Alternative: Sequential Batches
+
+If you want backend issues to run first (faster, no UI testing overhead):
+
+\`\`\`bash
+# Batch 1: Backend issue (faster)
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts --batch "153" --batch "152 154"
+\`\`\`
+
+Or run all in parallel without /test:
+
+\`\`\`bash
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152 153 154
+\`\`\`
+
+**Note:** Skipping /test for admin/UI issues means you'll need to manually verify the UI works correctly.
+```
+
+## Implementation Steps
+
+1. **Parse input**: Extract issue numbers from command arguments
+2. **Fetch issue data**: Use `gh issue view <N> --json number,title,labels`
+3. **Analyze labels**: Check for admin/ui/frontend labels
+4. **Determine phases**:
+   - If ANY issue has UI label → use `PHASES=spec,exec,test,qa`
+   - If ALL issues are backend → use default phases (no PHASES env var)
+5. **Generate command**: Format based on number of issues and batch requirements
+6. **Display output**: Show issue table + recommended command + explanation
+
+## Edge Cases
+
+### All Backend Issues
+```bash
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 145 146 147
+```
+No `PHASES` env var needed - default is `spec,exec,qa`
+
+### All UI Issues
+```bash
+PHASES=spec,exec,test,qa npx tsx --env-file=.env.local scripts/dev/execute-issues.ts 152 154 156
+```
+
+### Mixed UI + Backend
+**Recommendation**: Use `PHASES=spec,exec,test,qa` for consistency, but warn user:
+> Note: Issue #153 is a backend issue and doesn't need `/test`, but we're including it for consistency. If you want to skip `/test` for #153, run it separately.
+
+### Sequential Batches Requested
+User types: `/solve --batch "152 153" "154"`
+
+Generate:
+```bash
+npx tsx --env-file=.env.local scripts/dev/execute-issues.ts --batch "152 153" --batch "154"
+```
+
+## Quality Loop Recommendation
+
+Always offer `QUALITY_LOOP=true` as an option in your output. Recommend it especially when:
+
+1. **Complex UI issues** - Multiple test cases, likely to have edge case failures
+2. **Issues with many ACs** - More acceptance criteria = more chances for partial implementation
+3. **New feature implementations** - First-time implementations may need iteration
+4. **User requests "best quality"** - Explicit quality preference
+
+**When NOT to recommend quality loop:**
+- Simple bug fixes with clear scope
+- Documentation-only changes
+- User explicitly wants quick execution
+
+## Smart Tests
+
+Smart tests are **enabled by default** in execute-issues.ts. When enabled:
+
+- Auto-runs related tests after each file edit during implementation
+- Catches regressions immediately (5-10s overhead per edit)
+- Results logged to `/tmp/claude-tests.log`
+
+**When to disable:**
+- Batch processing many issues (speed priority)
+- Issues with long-running test suites
+- Simple documentation changes
+
+**View smart test results:**
+```bash
+npx tsx scripts/dev/analyze-hook-logs.ts --tests
+```
+
+## Quick Reference
+
+**Script Features:**
+- Default phases: `spec,exec,qa`
+- Auto-detect UI issues: Adds `/test` if issue has admin/ui/frontend label
+- `PHASES` env var: Overrides auto-detection for ALL issues
+- `QUALITY_LOOP=true`: Auto-fix test/QA failures, **auto-includes `/testgen` after `/spec`**
+- `MAX_ITERATIONS`: Max fix attempts per phase (default: 3)
+- **Smart tests: Enabled by default** - auto-runs related tests after file edits
+- `--no-smart-tests`: Disable smart tests (faster but no auto-regression detection)
+- Parallel execution: Multiple issues run simultaneously
+- Batch mode: `--batch "N M"` runs batches sequentially
+- `--env-file=.env.local`: **Required** for database logging (workflow analytics)
+- Logs: `/tmp/claude-issue-<N>.log`, `/tmp/claude-tests.log` (smart test results)