sinapse-ai 9.3.0 → 9.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/CLAUDE.md +60 -341
- package/.claude/hooks/enforce-architecture-first.py +197 -197
- package/.claude/hooks/enforce-git-push-authority.sh +25 -4
- package/.claude/hooks/mind-clone-governance.py +193 -193
- package/.claude/hooks/read-protection.py +152 -152
- package/.claude/hooks/sql-governance.py +183 -183
- package/.claude/hooks/verify-packages.cjs +83 -0
- package/.claude/hooks/write-path-validation.py +195 -195
- package/.claude/rules/agent-authority.md +6 -0
- package/.claude/rules/agent-handoff.md +5 -0
- package/.claude/rules/cross-squad-routing.md +5 -0
- package/.claude/rules/hook-governance.md +7 -0
- package/.claude/rules/mandatory-delegation.md +24 -0
- package/.claude/rules/mcp-usage.md +3 -1
- package/.claude/rules/project-intelligence.md +63 -0
- package/.claude/rules/response-format.md +4 -0
- package/.claude/rules/safe-collaboration.md +14 -2
- package/.claude/rules/security-data-protection.md +27 -0
- package/.claude/rules/squad-awareness.md +96 -68
- package/.claude/rules/token-economy.md +148 -0
- package/.claude/rules/tool-examples.md +6 -0
- package/.claude/rules/workflow-execution.md +7 -0
- package/.codex/agents/analyst.md +342 -71
- package/.codex/agents/architect.md +533 -68
- package/.codex/agents/data-engineer.md +530 -106
- package/.codex/agents/developer.md +657 -0
- package/.codex/agents/devops.md +639 -69
- package/.codex/agents/product-lead.md +362 -0
- package/.codex/agents/project-lead.md +405 -0
- package/.codex/agents/quality-gate.md +538 -0
- package/.codex/agents/sinapse-orqx.md +9 -7
- package/.codex/agents/sprint-lead.md +315 -0
- package/.codex/agents/squad-creator.md +402 -0
- package/.codex/agents/ux-design-expert.md +523 -0
- package/.codex/delegation-matrix.json +756 -44
- package/.codex/handoff-packet.schema.json +30 -6
- package/.sinapse-ai/core/code-intel/registry-syncer.js +56 -3
- package/.sinapse-ai/core/doctor/checks/agent-memory.js +5 -1
- package/.sinapse-ai/core/doctor/checks/claude-md.js +4 -1
- package/.sinapse-ai/core/doctor/checks/code-intel.js +5 -1
- package/.sinapse-ai/core/doctor/checks/commands-count.js +4 -1
- package/.sinapse-ai/core/doctor/checks/constitution-consistency.js +4 -1
- package/.sinapse-ai/core/doctor/checks/core-config.js +4 -1
- package/.sinapse-ai/core/doctor/checks/entity-registry.js +6 -1
- package/.sinapse-ai/core/doctor/checks/git-hooks.js +5 -1
- package/.sinapse-ai/core/doctor/checks/graph-dashboard.js +4 -1
- package/.sinapse-ai/core/doctor/checks/hooks-claude-count.js +5 -1
- package/.sinapse-ai/core/doctor/checks/ide-sync.js +4 -1
- package/.sinapse-ai/core/doctor/checks/node-version.js +4 -1
- package/.sinapse-ai/core/doctor/checks/npm-packages.js +4 -1
- package/.sinapse-ai/core/doctor/checks/rules-files.js +4 -1
- package/.sinapse-ai/core/doctor/checks/settings-json.js +4 -1
- package/.sinapse-ai/core/doctor/checks/skills-count.js +4 -1
- package/.sinapse-ai/core/doctor/index.js +157 -50
- package/.sinapse-ai/core/ids/registry-updater.js +6 -1
- package/.sinapse-ai/core/logger/index.js +319 -0
- package/.sinapse-ai/core/orchestration/terminal-spawner.js +2 -2
- package/.sinapse-ai/core/telemetry/index.js +247 -0
- package/.sinapse-ai/data/entity-registry.yaml +1060 -808
- package/.sinapse-ai/development/agents/analyst.md +90 -0
- package/.sinapse-ai/development/agents/architect.md +78 -0
- package/.sinapse-ai/development/agents/data-engineer.md +38 -0
- package/.sinapse-ai/development/agents/developer.md +97 -0
- package/.sinapse-ai/development/agents/devops.md +121 -0
- package/.sinapse-ai/development/agents/product-lead.md +27 -0
- package/.sinapse-ai/development/agents/project-lead.md +28 -0
- package/.sinapse-ai/development/agents/quality-gate.md +89 -0
- package/.sinapse-ai/development/agents/sprint-lead/MEMORY.md +8 -0
- package/.sinapse-ai/development/agents/sprint-lead.md +28 -0
- package/.sinapse-ai/development/agents/squad-creator.md +58 -0
- package/.sinapse-ai/development/agents/ux-design-expert.md +28 -0
- package/.sinapse-ai/development/checklists/agent-quality-gate.md +27 -0
- package/.sinapse-ai/development/checklists/brownfield-compatibility-checklist.md +20 -0
- package/.sinapse-ai/development/checklists/code-review-checklist.md +106 -0
- package/.sinapse-ai/development/checklists/issue-triage-checklist.md +9 -0
- package/.sinapse-ai/development/checklists/memory-audit-checklist.md +16 -0
- package/.sinapse-ai/development/checklists/pr-quality-checklist.md +72 -0
- package/.sinapse-ai/development/checklists/security-deployment-checklist.md +54 -0
- package/.sinapse-ai/development/checklists/self-critique-checklist.md +19 -1
- package/.sinapse-ai/development/knowledge-base/agent-communication-protocol.md +127 -0
- package/.sinapse-ai/development/knowledge-base/database-scaling-patterns.md +374 -0
- package/.sinapse-ai/development/knowledge-base/environment-deployment-patterns.md +353 -0
- package/.sinapse-ai/development/knowledge-base/gotchas-patterns.md +224 -0
- package/.sinapse-ai/development/knowledge-base/infrastructure-decision-framework.md +221 -0
- package/.sinapse-ai/development/knowledge-base/security-pre-deploy-checklist.md +410 -0
- package/.sinapse-ai/development/knowledge-base/software-architecture-patterns.md +299 -0
- package/.sinapse-ai/development/knowledge-base/token-economy-guide.md +198 -0
- package/.sinapse-ai/development/scripts/populate-entity-registry.js +5 -1
- package/.sinapse-ai/development/skills/captcha-handler.md +82 -0
- package/.sinapse-ai/development/skills/chrome-brain.md +81 -0
- package/.sinapse-ai/development/skills/debug.md +57 -0
- package/.sinapse-ai/development/skills/deploy-readiness.md +93 -0
- package/.sinapse-ai/development/skills/fast-review.md +69 -0
- package/.sinapse-ai/development/skills/model-router.md +92 -0
- package/.sinapse-ai/development/skills/research-synthesis.md +77 -0
- package/.sinapse-ai/development/skills/security-scan.md +73 -0
- package/.sinapse-ai/development/skills/sinapse-methodology.md +175 -0
- package/.sinapse-ai/development/skills/story-fast-track.md +71 -0
- package/.sinapse-ai/development/skills/verify.md +53 -0
- package/.sinapse-ai/development/tasks/dev-develop-story.md +10 -0
- package/.sinapse-ai/development/tasks/environment-promotion-pipeline.md +582 -0
- package/.sinapse-ai/development/tasks/generate-agent-handoff.md +223 -0
- package/.sinapse-ai/development/tasks/infrastructure-assessment.md +432 -0
- package/.sinapse-ai/development/tasks/load-testing-setup.md +611 -0
- package/.sinapse-ai/development/tasks/observability-blueprint.md +562 -0
- package/.sinapse-ai/development/templates/legal/breach-notification-tmpl.md +113 -0
- package/.sinapse-ai/development/templates/legal/privacy-policy-tmpl.md +93 -0
- package/.sinapse-ai/development/templates/legal/terms-of-service-tmpl.md +85 -0
- package/.sinapse-ai/development/templates/service-template/README.md.hbs +159 -159
- package/.sinapse-ai/development/templates/service-template/__tests__/index.test.ts.hbs +238 -238
- package/.sinapse-ai/development/templates/service-template/client.ts.hbs +404 -404
- package/.sinapse-ai/development/templates/service-template/errors.ts.hbs +183 -183
- package/.sinapse-ai/development/templates/service-template/index.ts.hbs +121 -121
- package/.sinapse-ai/development/templates/service-template/package.json.hbs +88 -88
- package/.sinapse-ai/development/templates/service-template/types.ts.hbs +146 -146
- package/.sinapse-ai/development/templates/squad/agent-template.md +17 -4
- package/.sinapse-ai/development/templates/squad/checklist-template.md +13 -5
- package/.sinapse-ai/development/templates/squad/task-template.md +7 -0
- package/.sinapse-ai/development/templates/squad/workflow-template.yaml +7 -0
- package/.sinapse-ai/development/templates/squad-template/LICENSE +22 -22
- package/.sinapse-ai/development/workflows/fast-track.yaml +87 -0
- package/.sinapse-ai/development/workflows/story-development-cycle.yaml +40 -1
- package/.sinapse-ai/hooks/ids-post-commit.js +22 -0
- package/.sinapse-ai/infrastructure/contracts/compatibility/README.md +42 -0
- package/.sinapse-ai/infrastructure/contracts/compatibility/sinapse-current.yaml +35 -0
- package/.sinapse-ai/infrastructure/scripts/llm-routing/templates/claude-free-tracked.cmd +127 -127
- package/.sinapse-ai/infrastructure/scripts/llm-routing/templates/deepseek-proxy.cmd +71 -71
- package/.sinapse-ai/infrastructure/scripts/llm-routing/templates/deepseek-usage.cmd +51 -51
- package/.sinapse-ai/infrastructure/scripts/pr-review-ai.js +16 -13
- package/.sinapse-ai/infrastructure/scripts/setup-project-infra.js +128 -0
- package/.sinapse-ai/infrastructure/scripts/test-discovery.js +8 -3
- package/.sinapse-ai/infrastructure/scripts/validate-codex-delegation.js +3 -1
- package/.sinapse-ai/infrastructure/scripts/validate-manifest-parity.js +380 -0
- package/.sinapse-ai/infrastructure/scripts/validate-parity.js +76 -25
- package/.sinapse-ai/infrastructure/templates/coderabbit.yaml.template +280 -280
- package/.sinapse-ai/infrastructure/templates/config/env.example +16 -0
- package/.sinapse-ai/infrastructure/templates/config/gitignore-additions.tmpl +59 -0
- package/.sinapse-ai/infrastructure/templates/github/CODEOWNERS.template +12 -0
- package/.sinapse-ai/infrastructure/templates/github/PULL_REQUEST_TEMPLATE.md +29 -0
- package/.sinapse-ai/infrastructure/templates/github/ci-template.yml +77 -0
- package/.sinapse-ai/infrastructure/templates/github/issue-templates/bug_report.md +34 -0
- package/.sinapse-ai/infrastructure/templates/github/issue-templates/feature_request.md +19 -0
- package/.sinapse-ai/infrastructure/templates/github-workflows/ci.yml.template +170 -170
- package/.sinapse-ai/infrastructure/templates/github-workflows/pr-automation.yml.template +331 -331
- package/.sinapse-ai/infrastructure/templates/github-workflows/release.yml.template +197 -197
- package/.sinapse-ai/infrastructure/templates/gitignore/gitignore-brownfield-merge.tmpl +19 -19
- package/.sinapse-ai/infrastructure/templates/gitignore/gitignore-node.tmpl +86 -86
- package/.sinapse-ai/infrastructure/templates/gitignore/gitignore-python.tmpl +146 -146
- package/.sinapse-ai/infrastructure/templates/gitignore/gitignore-sinapse-base.tmpl +64 -64
- package/.sinapse-ai/infrastructure/templates/sinapse-sync.yaml.template +183 -183
- package/.sinapse-ai/install-manifest.yaml +333 -162
- package/.sinapse-ai/local-config.yaml.template +65 -65
- package/.sinapse-ai/monitor/hooks/lib/__init__.py +2 -2
- package/.sinapse-ai/monitor/hooks/lib/enrich.py +59 -59
- package/.sinapse-ai/monitor/hooks/lib/send_event.py +48 -48
- package/.sinapse-ai/monitor/hooks/notification.py +30 -30
- package/.sinapse-ai/monitor/hooks/post_tool_use.py +46 -46
- package/.sinapse-ai/monitor/hooks/pre_compact.py +30 -30
- package/.sinapse-ai/monitor/hooks/pre_tool_use.py +41 -41
- package/.sinapse-ai/monitor/hooks/stop.py +30 -30
- package/.sinapse-ai/monitor/hooks/subagent_stop.py +30 -30
- package/.sinapse-ai/monitor/hooks/user_prompt_submit.py +39 -39
- package/.sinapse-ai/product/templates/adr.hbs +126 -126
- package/.sinapse-ai/product/templates/dbdr.hbs +242 -242
- package/.sinapse-ai/product/templates/epic.hbs +213 -213
- package/.sinapse-ai/product/templates/pmdr.hbs +187 -187
- package/.sinapse-ai/product/templates/prd-v2.0.hbs +217 -217
- package/.sinapse-ai/product/templates/prd.hbs +202 -202
- package/.sinapse-ai/product/templates/story-tmpl.yaml +59 -0
- package/.sinapse-ai/product/templates/story.hbs +264 -264
- package/.sinapse-ai/product/templates/task.hbs +171 -171
- package/.sinapse-ai/product/templates/tmpl-comment-on-examples.sql +159 -159
- package/.sinapse-ai/product/templates/tmpl-migration-script.sql +92 -92
- package/.sinapse-ai/product/templates/tmpl-rls-granular-policies.sql +105 -105
- package/.sinapse-ai/product/templates/tmpl-rls-kiss-policy.sql +11 -11
- package/.sinapse-ai/product/templates/tmpl-rls-roles.sql +136 -136
- package/.sinapse-ai/product/templates/tmpl-rls-simple.sql +78 -78
- package/.sinapse-ai/product/templates/tmpl-rls-tenant.sql +153 -153
- package/.sinapse-ai/product/templates/tmpl-rollback-script.sql +78 -78
- package/.sinapse-ai/product/templates/tmpl-seed-data.sql +141 -141
- package/.sinapse-ai/product/templates/tmpl-smoke-test.sql +17 -17
- package/.sinapse-ai/product/templates/tmpl-staging-copy-merge.sql +140 -140
- package/.sinapse-ai/product/templates/tmpl-stored-proc.sql +141 -141
- package/.sinapse-ai/product/templates/tmpl-trigger.sql +153 -153
- package/.sinapse-ai/product/templates/tmpl-view-materialized.sql +134 -134
- package/.sinapse-ai/product/templates/tmpl-view.sql +178 -178
- package/.sinapse-ai/scripts/diagnostics/health-dashboard/package-lock.json +427 -355
- package/LICENSE +34 -34
- package/README.en.md +167 -20
- package/README.md +190 -22
- package/bin/cli.js +510 -196
- package/bin/postinstall.js +564 -0
- package/bin/sinapse-cli +283 -283
- package/bin/sinapse-graph.js +9 -0
- package/bin/sinapse-init.js +36 -4
- package/bin/sinapse-minimal.js +20 -9
- package/bin/sinapse.js +202 -122
- package/bin/utils/deprecation-warning.js +46 -0
- package/bin/utils/pre-push-safety.js +14 -0
- package/docs/TELEMETRY.md +131 -0
- package/docs/chrome-brain-upgrade-plan.md +624 -0
- package/docs/codex-integration-process.md +22 -0
- package/docs/codex-parity-program.md +27 -0
- package/docs/framework/orqx-plan.md +1 -1
- package/docs/ide-integration.md +36 -0
- package/docs/installation/chrome-brain.md +17 -7
- package/docs/mega-upgrade-orchestration-plan.md +71 -0
- package/docs/pt/contributing.md +20 -0
- package/docs/research-synthesis-for-upgrade.md +511 -0
- package/docs/security-audit-report.md +306 -0
- package/package.json +20 -8
- package/packages/installer/src/config/configure-environment.js +19 -44
- package/packages/installer/src/detection/detect-project-type.js +181 -63
- package/packages/installer/src/installer/manifest-signature.js +32 -17
- package/packages/installer/src/wizard/i18n.js +12 -0
- package/packages/installer/src/wizard/ide-config-generator.js +8 -39
- package/packages/installer/src/wizard/index.js +119 -14
- package/packages/installer/src/wizard/questions.js +2 -3
- package/packages/installer/tests/integration/environment-configuration.test.js +7 -5
- package/packages/installer/tests/unit/detection/detect-project-type.test.js +138 -1
- package/packages/installer/tests/unit/doctor/doctor-orchestrator.test.js +3 -3
- package/packages/sinapse-install/bin/edmcp.js +0 -0
- package/packages/sinapse-install/bin/sinapse-install.js +0 -0
- package/packages/sinapse-pro-cli/bin/sinapse-pro.js +0 -0
- package/scripts/check-markdown-links.py +353 -353
- package/scripts/coverage-report-summary.js +169 -0
- package/scripts/generate-install-manifest.js +6 -2
- package/scripts/release-readiness.js +169 -0
- package/scripts/test-install-matrix-local.sh +153 -0
- package/scripts/validate-install-docs.js +394 -0
- package/scripts/validate-no-external-refs.js +376 -0
- package/scripts/validate-squad-orqx.js +302 -0
- package/scripts/validate-story-meta.js +263 -0
- package/squads/claude-code-mastery/CHANGELOG.md +1 -1
- package/squads/claude-code-mastery/README.md +2 -2
- package/squads/claude-code-mastery/knowledge-base/claude-code-internals-reference.md +927 -0
- package/squads/claude-code-mastery/squad.yaml +1 -1
- package/squads/squad-artdir/README.md +90 -0
- package/squads/squad-artdir/agents/accessibility-guardian.md +184 -0
- package/squads/squad-artdir/agents/artdir-orqx.md +145 -0
- package/squads/squad-artdir/agents/color-psychologist.md +166 -0
- package/squads/squad-artdir/agents/cro-persuasion.md +161 -0
- package/squads/squad-artdir/agents/design-system-architect.md +100 -0
- package/squads/squad-artdir/agents/ia-architect.md +169 -0
- package/squads/squad-artdir/agents/interaction-designer.md +162 -0
- package/squads/squad-artdir/agents/layout-engineer.md +163 -0
- package/squads/squad-artdir/agents/motion-architect.md +185 -0
- package/squads/squad-artdir/agents/platform-aesthetic-director.md +84 -0
- package/squads/squad-artdir/agents/premium-packaging-strategist.md +107 -0
- package/squads/squad-artdir/agents/product-surface-director.md +86 -0
- package/squads/squad-artdir/agents/type-systemist.md +138 -0
- package/squads/squad-artdir/agents/visual-strategist.md +127 -0
- package/squads/squad-artdir/checklists/seven-pillars-validation-checklist.md +172 -0
- package/squads/squad-artdir/knowledge-base/case-nyo-ia-reference.md +289 -0
- package/squads/squad-artdir/knowledge-base/deliverables-templates.md +457 -0
- package/squads/squad-artdir/knowledge-base/motion-technique-catalog.md +247 -0
- package/squads/squad-artdir/knowledge-base/premium-packaging-principles.md +133 -0
- package/squads/squad-artdir/knowledge-base/psychological-toolkit.md +229 -0
- package/squads/squad-artdir/knowledge-base/saas-art-direction-canon.md +242 -0
- package/squads/squad-artdir/knowledge-base/seven-pillars-framework.md +289 -0
- package/squads/squad-artdir/knowledge-base/ten-pillars-framework.md +221 -0
- package/squads/squad-artdir/package.json +20 -0
- package/squads/squad-artdir/squad.yaml +271 -0
- package/squads/squad-artdir/tasks/audit-conversion.md +97 -0
- package/squads/squad-artdir/tasks/audit-drift-multi-surface.md +55 -0
- package/squads/squad-artdir/tasks/consult-saas-canon.md +54 -0
- package/squads/squad-artdir/tasks/create-art-direction-brief.md +110 -0
- package/squads/squad-artdir/tasks/create-premium-packaging-brief.md +61 -0
- package/squads/squad-artdir/tasks/create-wireflow.md +84 -0
- package/squads/squad-artdir/tasks/design-color-system.md +81 -0
- package/squads/squad-artdir/tasks/design-product-surface.md +60 -0
- package/squads/squad-artdir/tasks/design-token-system.md +58 -0
- package/squads/squad-artdir/tasks/diagnose-visual-language.md +92 -0
- package/squads/squad-artdir/tasks/first-5-minutes-choreography.md +65 -0
- package/squads/squad-artdir/tasks/specify-motion-system.md +84 -0
- package/squads/squad-artdir/tasks/validate-against-pillars.md +143 -0
- package/squads/squad-artdir/templates/art-direction-brief-template.md +215 -0
- package/squads/squad-artdir/workflows/conversion-audit-cycle.yaml +78 -0
- package/squads/squad-artdir/workflows/full-art-direction-cycle.yaml +98 -0
- package/squads/squad-artdir/workflows/saas-platform-art-direction-cycle.yaml +174 -0
- package/squads/squad-brand/knowledge-base/ai-visual-generation-canon.md +234 -0
- package/squads/squad-brand/knowledge-base/archetype-brand-mapping.md +12 -1
- package/squads/squad-brand/knowledge-base/brand-activism-cultural-branding.md +216 -0
- package/squads/squad-brand/knowledge-base/brand-audit-criteria.md +58 -0
- package/squads/squad-brand/knowledge-base/brand-digital-strategy.md +188 -0
- package/squads/squad-brand/knowledge-base/brand-legal-ip.md +222 -0
- package/squads/squad-brand/knowledge-base/brand-naming-framework.md +163 -0
- package/squads/squad-brand/knowledge-base/branding-master-reference.md +1001 -0
- package/squads/squad-brand/knowledge-base/color-psychology.md +25 -12
- package/squads/squad-brand/knowledge-base/employer-personal-branding.md +206 -0
- package/squads/squad-brand/knowledge-base/routing-catalog.md +34 -0
- package/squads/squad-brand/knowledge-base/sonic-branding-principles.md +6 -1
- package/squads/squad-brand/knowledge-base/typography-personality.md +34 -0
- package/squads/squad-brand/squad.yaml +20 -6
- package/squads/squad-claude/knowledge-base/context-window-optimization.md +334 -0
- package/squads/squad-claude/knowledge-base/knowledge-architecture-reference.md +403 -0
- package/squads/squad-claude/knowledge-base/memory-systems-reference.md +412 -0
- package/squads/squad-claude/knowledge-base/obsidian-claude-integration.md +423 -0
- package/squads/squad-claude/knowledge-base/retrieval-augmented-generation.md +320 -0
- package/squads/squad-claude/knowledge-base/skill-creation-patterns.md +380 -0
- package/squads/squad-claude/knowledge-base/swarm-orchestration-patterns.md +411 -0
- package/squads/squad-cloning/knowledge-base/clone-quality-assurance.md +211 -0
- package/squads/squad-cloning/knowledge-base/confidence-scoring.md +51 -0
- package/squads/squad-cloning/knowledge-base/cross-squad-deployment.md +47 -0
- package/squads/squad-cloning/knowledge-base/ethical-guidelines.md +237 -0
- package/squads/squad-cloning/knowledge-base/knowledge-graph-for-clones.md +295 -0
- package/squads/squad-cloning/knowledge-base/memory-architecture-for-clones.md +229 -0
- package/squads/squad-cloning/knowledge-base/multi-agent-deployment-patterns.md +320 -0
- package/squads/squad-cloning/knowledge-base/skill-standard-for-clones.md +262 -0
- package/squads/squad-cloning/knowledge-base/sop-extraction-guide.md +243 -0
- package/squads/squad-commercial/knowledge-base/account-based-selling.md +206 -0
- package/squads/squad-commercial/knowledge-base/ai-as-competitive-infrastructure.md +14 -0
- package/squads/squad-commercial/knowledge-base/ai-in-sales.md +199 -0
- package/squads/squad-commercial/knowledge-base/brazilian-sales-context.md +195 -0
- package/squads/squad-commercial/knowledge-base/customer-success-operations.md +83 -2
- package/squads/squad-commercial/knowledge-base/prospecting-pipeline-generation.md +69 -0
- package/squads/squad-commercial/knowledge-base/sales-enablement-playbook.md +260 -0
- package/squads/squad-commercial/knowledge-base/sales-methodology-comparison.md +185 -0
- package/squads/squad-commercial/knowledge-base/sales-revenue-master-reference.md +1123 -0
- package/squads/squad-content/knowledge-base/ai-native-content-loop.md +220 -0
- package/squads/squad-content/knowledge-base/brazilian-content-context.md +176 -0
- package/squads/squad-content/knowledge-base/competitor-analysis-methods.md +40 -1
- package/squads/squad-content/knowledge-base/content-architecture-taxonomy.md +206 -0
- package/squads/squad-content/knowledge-base/content-formats-encyclopedia.md +58 -1
- package/squads/squad-content/knowledge-base/content-references-bibliography.md +130 -0
- package/squads/squad-content/knowledge-base/content-strategy-master-reference.md +1097 -0
- package/squads/squad-content/knowledge-base/content-tech-stack.md +150 -0
- package/squads/squad-content/knowledge-base/copywriting-formulas-library.md +188 -0
- package/squads/squad-content/knowledge-base/email-newsletter-strategy.md +161 -0
- package/squads/squad-content/knowledge-base/platform-algorithm-intelligence.md +86 -1
- package/squads/squad-content/knowledge-base/signal-intelligence-v2.md +234 -0
- package/squads/squad-content/knowledge-base/social-algorithms-master-reference.md +1007 -0
- package/squads/squad-content/knowledge-base/task-ownership-map.md +235 -0
- package/squads/squad-content/knowledge-base/video-audio-content-playbook.md +218 -0
- package/squads/squad-content/squad.yaml +187 -27
- package/squads/squad-copy/knowledge-base/ai-copy-human-loop-canon.md +235 -0
- package/squads/squad-copy/knowledge-base/ai-copy-production.md +254 -0
- package/squads/squad-copy/knowledge-base/brazilian-copywriting-context.md +242 -0
- package/squads/squad-copy/knowledge-base/email-copywriting-system.md +299 -0
- package/squads/squad-copy/knowledge-base/landing-page-copy-architecture.md +267 -0
- package/squads/squad-copy/knowledge-base/power-words-catalog.md +205 -0
- package/squads/squad-copy/knowledge-base/seo-copywriting.md +255 -0
- package/squads/squad-copy/knowledge-base/video-script-copywriting.md +239 -0
- package/squads/squad-copy/squad.yaml +19 -4
- package/squads/squad-council/knowledge-base/brand-strategy-models.md +193 -0
- package/squads/squad-council/knowledge-base/growth-strategy-models.md +267 -0
- package/squads/squad-council/knowledge-base/innovation-disruption-frameworks.md +193 -0
- package/squads/squad-council/knowledge-base/market-analysis-frameworks.md +240 -0
- package/squads/squad-council/knowledge-base/organizational-leadership-models.md +212 -0
- package/squads/squad-council/knowledge-base/sales-strategy-models.md +215 -0
- package/squads/squad-courses/knowledge-base/course-launch-strategy.md +251 -0
- package/squads/squad-courses/knowledge-base/domain-advocacia-curriculum.md +385 -0
- package/squads/squad-courses/knowledge-base/domain-contabilidade-curriculum.md +266 -0
- package/squads/squad-courses/knowledge-base/platform-comparison.md +68 -0
- package/squads/squad-courses/knowledge-base/video-production-guide.md +70 -0
- package/squads/squad-cybersecurity/knowledge-base/cloud-security-reference.md +363 -0
- package/squads/squad-cybersecurity/knowledge-base/compliance-frameworks.md +273 -0
- package/squads/squad-cybersecurity/knowledge-base/database-security.md +438 -0
- package/squads/squad-cybersecurity/knowledge-base/incident-response-playbook.md +420 -0
- package/squads/squad-cybersecurity/knowledge-base/network-security-reference.md +477 -0
- package/squads/squad-cybersecurity/knowledge-base/penetration-testing-methodology.md +350 -0
- package/squads/squad-cybersecurity/knowledge-base/vulnerability-management.md +349 -0
- package/squads/squad-design/knowledge-base/brazilian-design-context.md +223 -0
- package/squads/squad-design/knowledge-base/component-api-patterns.md +208 -4
- package/squads/squad-design/knowledge-base/cross-surface-token-canon.md +209 -0
- package/squads/squad-design/knowledge-base/design-system-master-reference.md +1302 -0
- package/squads/squad-design/knowledge-base/design-systems-frameworks.md +91 -1
- package/squads/squad-design/knowledge-base/responsive-modern-css.md +96 -4
- package/squads/squad-design/knowledge-base/wcag-aria-reference.md +117 -5
- package/squads/squad-design/knowledge-base/web-performance-reference.md +127 -4
- package/squads/squad-design/squad.yaml +19 -4
- package/squads/squad-finance/knowledge-base/brazilian-taxation.md +263 -0
- package/squads/squad-finance/knowledge-base/contabilidade-master-reference.md +998 -0
- package/squads/squad-finance/knowledge-base/finance-master-reference.md +946 -0
- package/squads/squad-finance/knowledge-base/financial-reporting-analysis.md +316 -0
- package/squads/squad-finance/knowledge-base/fintech-brazilian-context.md +242 -0
- package/squads/squad-finance/knowledge-base/fpa-planning-frameworks.md +286 -0
- package/squads/squad-finance/knowledge-base/ma-and-transactions.md +285 -0
- package/squads/squad-finance/knowledge-base/risk-management.md +233 -0
- package/squads/squad-finance/knowledge-base/startups-venture-capital.md +337 -0
- package/squads/squad-growth/knowledge-base/ai-growth-playbook.md +216 -0
- package/squads/squad-growth/knowledge-base/attribution-models.md +78 -0
- package/squads/squad-growth/knowledge-base/brazilian-growth-context.md +208 -0
- package/squads/squad-growth/knowledge-base/community-led-growth.md +175 -0
- package/squads/squad-growth/knowledge-base/content-marketing-flywheel.md +190 -0
- package/squads/squad-growth/knowledge-base/email-lifecycle-framework.md +192 -0
- package/squads/squad-growth/knowledge-base/growth-frameworks-catalog.md +82 -0
- package/squads/squad-growth/knowledge-base/growth-master-reference.md +1168 -0
- package/squads/squad-growth/knowledge-base/routing-catalog.md +53 -11
- package/squads/squad-paidmedia/knowledge-base/audiences-segmentation-deep.md +285 -0
- package/squads/squad-paidmedia/knowledge-base/creative-strategy-deep.md +294 -0
- package/squads/squad-paidmedia/knowledge-base/google-ads-account-architecture.md +87 -0
- package/squads/squad-paidmedia/knowledge-base/meta-ads-campaign-architecture.md +76 -0
- package/squads/squad-paidmedia/knowledge-base/paid-media-metrics-reference.md +117 -0
- package/squads/squad-paidmedia/knowledge-base/paid-traffic-master-reference.md +1308 -0
- package/squads/squad-paidmedia/knowledge-base/routing-catalog.md +95 -18
- package/squads/squad-paidmedia/knowledge-base/traffic-masters-frameworks.md +71 -0
- package/squads/squad-product/knowledge-base/brazilian-product-context.md +284 -0
- package/squads/squad-product/knowledge-base/discovery-methodology-playbook.md +141 -0
- package/squads/squad-product/knowledge-base/pm-frameworks-reference.md +125 -9
- package/squads/squad-product/knowledge-base/product-analytics-formulas.md +72 -0
- package/squads/squad-product/knowledge-base/product-led-growth-reference.md +155 -13
- package/squads/squad-product/knowledge-base/product-market-fit-framework.md +222 -0
- package/squads/squad-product/knowledge-base/routing-catalog.md +32 -0
- package/squads/squad-research/knowledge-base/agentic-second-brain-reference.md +591 -0
- package/squads/squad-research/knowledge-base/ai-augmented-research.md +212 -0
- package/squads/squad-research/knowledge-base/brazilian-market-research-sources.md +197 -0
- package/squads/squad-research/knowledge-base/community-platforms-reference.md +786 -0
- package/squads/squad-research/knowledge-base/community-research-methods.md +194 -0
- package/squads/squad-research/knowledge-base/mixed-methods-research-design.md +168 -0
- package/squads/squad-research/knowledge-base/network-effects-analysis.md +192 -0
- package/squads/squad-research/knowledge-base/qualitative-research-deep-methods.md +202 -0
- package/squads/squad-research/knowledge-base/quantitative-research-methods.md +208 -0
- package/squads/squad-research/knowledge-base/research-frameworks-encyclopedia.md +40 -0
- package/squads/squad-research/knowledge-base/research-synthesis-frameworks.md +223 -0
- package/squads/squad-storytelling/knowledge-base/brand-mythology-framework.md +236 -0
- package/squads/squad-storytelling/knowledge-base/brazilian-storytelling-context.md +237 -0
- package/squads/squad-storytelling/knowledge-base/data-storytelling.md +232 -0
- package/squads/squad-storytelling/knowledge-base/improv-storytelling.md +226 -0
- package/squads/squad-storytelling/knowledge-base/persuasion-narrative-techniques.md +269 -0
- package/squads/squad-storytelling/knowledge-base/social-movement-narratives.md +191 -0
- package/squads/squad-storytelling/knowledge-base/video-storytelling.md +252 -0
- package/.sinapse-ai/core/registry/service-registry.json +0 -6346
- package/.sinapse-ai/data/registry-update-log.jsonl +0 -1307
- package/.sinapse-ai/manifests/agents.csv +0 -29
- package/.sinapse-ai/manifests/tasks.csv +0 -204
- package/.sinapse-ai/manifests/workers.csv +0 -196
- package/squads/claude-code-mastery/data/swarm-orchestration-patterns.yaml +0 -378
- package/squads/squad-animations/knowledge-base/framer-motion-complete-reference.md +0 -710
- package/squads/squad-animations/knowledge-base/web-animations-api-view-transitions.md +0 -478
- package/squads/squad-growth/tasks/calculate-sample-size.md +0 -121
- package/squads/squad-paidmedia/tasks/calculate-sample-size.md +0 -57
|
@@ -0,0 +1,477 @@
|
|
|
1
|
+
# Network Security Reference
|
|
2
|
+
|
|
3
|
+
## Purpose
|
|
4
|
+
|
|
5
|
+
Reference for network security controls — firewalls, WAF, DDoS protection, VPN alternatives, mTLS, network segmentation, and IDS/IPS. Used by Wire (network-security-engineer).
|
|
6
|
+
|
|
7
|
+
---
|
|
8
|
+
|
|
9
|
+
## Network Security Architecture
|
|
10
|
+
|
|
11
|
+
### Defense in Depth — Layer Model
|
|
12
|
+
|
|
13
|
+
```
|
|
14
|
+
Internet
|
|
15
|
+
|
|
|
16
|
+
[Cloudflare / CDN Edge] -- DDoS, WAF, Bot management, TLS termination
|
|
17
|
+
|
|
|
18
|
+
[Load Balancer] -- Health checks, SSL passthrough option
|
|
19
|
+
|
|
|
20
|
+
[WAF (application layer)] -- OWASP rules, rate limiting, custom rules
|
|
21
|
+
|
|
|
22
|
+
[Application Servers] -- In private subnet, no direct internet access
|
|
23
|
+
|
|
|
24
|
+
[Service Mesh mTLS] -- Istio/Linkerd for service-to-service encryption
|
|
25
|
+
|
|
|
26
|
+
[Database Subnet] -- No inbound from internet, only from app layer
|
|
27
|
+
|
|
|
28
|
+
[Network Security Groups] -- Stateful firewall rules, least-privilege
|
|
29
|
+
```
|
|
30
|
+
|
|
31
|
+
Every layer should fail securely and independently. If the WAF is bypassed, the network firewall still limits access. If the load balancer is misconfigured, the app servers are still in a private subnet.
|
|
32
|
+
|
|
33
|
+
---
|
|
34
|
+
|
|
35
|
+
## Firewalls
|
|
36
|
+
|
|
37
|
+
### Network Security Groups (Cloud Firewall)
|
|
38
|
+
|
|
39
|
+
Cloud firewalls (AWS Security Groups, Azure NSGs, GCP Firewall Rules) operate as distributed stateful firewalls. Core principles:
|
|
40
|
+
|
|
41
|
+
**Default posture:** Deny all inbound, permit all outbound (then restrict outbound as needed).
|
|
42
|
+
|
|
43
|
+
```bash
|
|
44
|
+
# AWS Security Group for web servers
|
|
45
|
+
aws ec2 create-security-group \
|
|
46
|
+
--group-name web-server-sg \
|
|
47
|
+
--description "Security group for web servers"
|
|
48
|
+
|
|
49
|
+
# Allow HTTPS from internet
|
|
50
|
+
aws ec2 authorize-security-group-ingress \
|
|
51
|
+
--group-id sg-xxx \
|
|
52
|
+
--protocol tcp \
|
|
53
|
+
--port 443 \
|
|
54
|
+
--cidr 0.0.0.0/0
|
|
55
|
+
|
|
56
|
+
# Allow HTTP (redirect to HTTPS at app level)
|
|
57
|
+
aws ec2 authorize-security-group-ingress \
|
|
58
|
+
--group-id sg-xxx \
|
|
59
|
+
--protocol tcp \
|
|
60
|
+
--port 80 \
|
|
61
|
+
--cidr 0.0.0.0/0
|
|
62
|
+
|
|
63
|
+
# Allow SSH ONLY from bastion host, not internet
|
|
64
|
+
# NEVER: --cidr 0.0.0.0/0 for SSH (port 22)
|
|
65
|
+
aws ec2 authorize-security-group-ingress \
|
|
66
|
+
--group-id sg-xxx \
|
|
67
|
+
--protocol tcp \
|
|
68
|
+
--port 22 \
|
|
69
|
+
--source-group sg-bastion-id
|
|
70
|
+
|
|
71
|
+
# Database security group -- only from app tier
|
|
72
|
+
aws ec2 authorize-security-group-ingress \
|
|
73
|
+
--group-id sg-db \
|
|
74
|
+
--protocol tcp \
|
|
75
|
+
--port 5432 \
|
|
76
|
+
--source-group sg-app-servers
|
|
77
|
+
```
|
|
78
|
+
|
|
79
|
+
### Firewall Rule Audit
|
|
80
|
+
|
|
81
|
+
```bash
|
|
82
|
+
# Find overpermissive AWS Security Group rules
|
|
83
|
+
# All security groups with SSH or RDP open to internet
|
|
84
|
+
aws ec2 describe-security-groups --query \
|
|
85
|
+
"SecurityGroups[?IpPermissions[?contains(IpRanges[].CidrIp, '0.0.0.0/0') && \
|
|
86
|
+
(FromPort==\`22\` || FromPort==\`3389\`)]].[GroupId,GroupName]" \
|
|
87
|
+
--output table
|
|
88
|
+
|
|
89
|
+
# Find security groups with all traffic allowed
|
|
90
|
+
aws ec2 describe-security-groups --query \
|
|
91
|
+
"SecurityGroups[?IpPermissions[?IpProtocol=='-1' && \
|
|
92
|
+
contains(IpRanges[].CidrIp, '0.0.0.0/0')]].[GroupId,GroupName]"
|
|
93
|
+
```
|
|
94
|
+
|
|
95
|
+
---
|
|
96
|
+
|
|
97
|
+
## Web Application Firewall (WAF)
|
|
98
|
+
|
|
99
|
+
### Cloudflare WAF (Primary for most deployments)
|
|
100
|
+
|
|
101
|
+
Cloudflare WAF operates at the edge, blocking attacks before they reach origin servers.
|
|
102
|
+
|
|
103
|
+
**Rule categories:**
|
|
104
|
+
|
|
105
|
+
| Rule Set | Coverage | Recommendation |
|
|
106
|
+
|----------|----------|---------------|
|
|
107
|
+
| Cloudflare Managed Rules | Emerging threats, 0-day | Enable in production |
|
|
108
|
+
| OWASP Core Rule Set | SQLi, XSS, path traversal | Enable, tune for false positives |
|
|
109
|
+
| Custom Rules | Application-specific | Write for your attack surface |
|
|
110
|
+
| Rate Limiting Rules | Brute force, DDoS | Essential for auth endpoints |
|
|
111
|
+
|
|
112
|
+
**Rate limiting configuration:**
|
|
113
|
+
```javascript
|
|
114
|
+
// Cloudflare Rate Limiting Rule examples
|
|
115
|
+
|
|
116
|
+
// Login endpoint -- 5 requests per minute per IP
|
|
117
|
+
{
|
|
118
|
+
expression: '(http.request.uri.path eq "/api/auth/login")',
|
|
119
|
+
action: 'block',
|
|
120
|
+
characteristics: ['ip.src'],
|
|
121
|
+
period: 60,
|
|
122
|
+
requestsPerPeriod: 5,
|
|
123
|
+
mitigationTimeout: 300
|
|
124
|
+
}
|
|
125
|
+
|
|
126
|
+
// API endpoints -- 100 requests per minute per authenticated user
|
|
127
|
+
{
|
|
128
|
+
expression: '(http.request.uri.path matches "^/api/")',
|
|
129
|
+
action: 'challenge',
|
|
130
|
+
characteristics: ['cf.unique_visitor_id'],
|
|
131
|
+
period: 60,
|
|
132
|
+
requestsPerPeriod: 100
|
|
133
|
+
}
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
### AWS WAF v2
|
|
137
|
+
|
|
138
|
+
```bash
|
|
139
|
+
# Create WAF WebACL with managed rules
|
|
140
|
+
aws wafv2 create-web-acl \
|
|
141
|
+
--name "production-waf" \
|
|
142
|
+
--scope REGIONAL \
|
|
143
|
+
--default-action Allow={} \
|
|
144
|
+
--rules '[
|
|
145
|
+
{
|
|
146
|
+
"Name": "AWSManagedRulesCommonRuleSet",
|
|
147
|
+
"Priority": 0,
|
|
148
|
+
"Statement": {
|
|
149
|
+
"ManagedRuleGroupStatement": {
|
|
150
|
+
"VendorName": "AWS",
|
|
151
|
+
"Name": "AWSManagedRulesCommonRuleSet"
|
|
152
|
+
}
|
|
153
|
+
},
|
|
154
|
+
"Action": {"Block":{}},
|
|
155
|
+
"VisibilityConfig": {...}
|
|
156
|
+
}
|
|
157
|
+
]'
|
|
158
|
+
```
|
|
159
|
+
|
|
160
|
+
---
|
|
161
|
+
|
|
162
|
+
## DDoS Protection
|
|
163
|
+
|
|
164
|
+
### Attack Categories
|
|
165
|
+
|
|
166
|
+
| Attack Type | Layer | Example | Defense |
|
|
167
|
+
|------------|-------|---------|---------|
|
|
168
|
+
| Volumetric | L3/L4 | UDP flood, ICMP flood | CDN/Anycast absorption |
|
|
169
|
+
| Protocol | L4 | SYN flood, Smurf | SYN cookies, upstream filtering |
|
|
170
|
+
| Application | L7 | HTTP flood, Slowloris | WAF, rate limiting, bot management |
|
|
171
|
+
| Amplification | L3/L4 | DNS/NTP amplification | Block UDP amplifiers |
|
|
172
|
+
|
|
173
|
+
### Defense Strategy
|
|
174
|
+
|
|
175
|
+
**Layer 1: CDN/Anycast absorption (primary defense)**
|
|
176
|
+
```
|
|
177
|
+
Cloudflare / AWS CloudFront / Azure Front Door
|
|
178
|
+
|
|
179
|
+
Benefits:
|
|
180
|
+
- Absorbs volumetric attacks at the edge (100Gbps+ capacity)
|
|
181
|
+
- Origin IP hidden from attackers
|
|
182
|
+
- Always-on protection included in free/basic tiers
|
|
183
|
+
- DDoS traffic scrubbed before reaching origin
|
|
184
|
+
```
|
|
185
|
+
|
|
186
|
+
**Layer 2: Rate limiting**
|
|
187
|
+
```nginx
|
|
188
|
+
# Nginx rate limiting for self-hosted (complement to CDN)
|
|
189
|
+
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
|
|
190
|
+
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/s;
|
|
191
|
+
|
|
192
|
+
server {
|
|
193
|
+
location /api/ {
|
|
194
|
+
limit_req zone=api burst=20 nodelay;
|
|
195
|
+
limit_req_status 429;
|
|
196
|
+
}
|
|
197
|
+
|
|
198
|
+
location /auth/ {
|
|
199
|
+
limit_req zone=login burst=5;
|
|
200
|
+
limit_req_status 429;
|
|
201
|
+
}
|
|
202
|
+
}
|
|
203
|
+
```
|
|
204
|
+
|
|
205
|
+
**Layer 3: Application-level (Express.js)**
|
|
206
|
+
```javascript
|
|
207
|
+
const rateLimit = require('express-rate-limit')
|
|
208
|
+
|
|
209
|
+
// Trust Cloudflare's forwarded IP (when behind Cloudflare)
|
|
210
|
+
app.set('trust proxy', 1)
|
|
211
|
+
|
|
212
|
+
const apiLimiter = rateLimit({
|
|
213
|
+
windowMs: 15 * 60 * 1000, // 15 minutes
|
|
214
|
+
max: 100,
|
|
215
|
+
standardHeaders: true,
|
|
216
|
+
legacyHeaders: false,
|
|
217
|
+
message: { error: 'Too many requests, please try again later.' },
|
|
218
|
+
keyGenerator: (req) => req.ip, // Use real IP from X-Forwarded-For
|
|
219
|
+
})
|
|
220
|
+
```
|
|
221
|
+
|
|
222
|
+
---
|
|
223
|
+
|
|
224
|
+
## mTLS (Mutual TLS) — Service-to-Service
|
|
225
|
+
|
|
226
|
+
### Why mTLS
|
|
227
|
+
|
|
228
|
+
Standard TLS authenticates the server to the client. Mutual TLS adds client authentication — both sides prove their identity. This is the foundation of zero trust service mesh.
|
|
229
|
+
|
|
230
|
+
### Service Mesh Implementation
|
|
231
|
+
|
|
232
|
+
**Istio (Kubernetes):**
|
|
233
|
+
```yaml
|
|
234
|
+
# Enforce mTLS for entire namespace
|
|
235
|
+
apiVersion: security.istio.io/v1beta1
|
|
236
|
+
kind: PeerAuthentication
|
|
237
|
+
metadata:
|
|
238
|
+
name: default
|
|
239
|
+
namespace: production
|
|
240
|
+
spec:
|
|
241
|
+
mtls:
|
|
242
|
+
mode: STRICT # Reject all non-mTLS traffic
|
|
243
|
+
|
|
244
|
+
---
|
|
245
|
+
# Allow traffic only from specific service
|
|
246
|
+
apiVersion: security.istio.io/v1beta1
|
|
247
|
+
kind: AuthorizationPolicy
|
|
248
|
+
metadata:
|
|
249
|
+
name: payment-service-policy
|
|
250
|
+
namespace: production
|
|
251
|
+
spec:
|
|
252
|
+
selector:
|
|
253
|
+
matchLabels:
|
|
254
|
+
app: payment-service
|
|
255
|
+
rules:
|
|
256
|
+
- from:
|
|
257
|
+
- source:
|
|
258
|
+
principals: ["cluster.local/ns/production/sa/checkout-service"]
|
|
259
|
+
to:
|
|
260
|
+
- operation:
|
|
261
|
+
methods: ["POST"]
|
|
262
|
+
paths: ["/api/charge"]
|
|
263
|
+
```
|
|
264
|
+
|
|
265
|
+
**Linkerd (simpler, lower overhead):**
|
|
266
|
+
```bash
|
|
267
|
+
# Inject Linkerd sidecar -- automatic mTLS
|
|
268
|
+
kubectl annotate namespace production linkerd.io/inject=enabled
|
|
269
|
+
|
|
270
|
+
# Check mTLS is working
|
|
271
|
+
linkerd viz edges deployment -n production
|
|
272
|
+
# Should show "secured" for all traffic
|
|
273
|
+
```
|
|
274
|
+
|
|
275
|
+
---
|
|
276
|
+
|
|
277
|
+
## VPN Alternatives
|
|
278
|
+
|
|
279
|
+
### Traditional VPN Problems
|
|
280
|
+
|
|
281
|
+
| Problem | Impact |
|
|
282
|
+
|---------|--------|
|
|
283
|
+
| Lateral movement risk | Once on VPN, can reach all internal services |
|
|
284
|
+
| Client management overhead | Updates, certificates, split-tunneling issues |
|
|
285
|
+
| Performance | VPN concentrator bottleneck |
|
|
286
|
+
| "Always trusted inside" fallacy | VPN doesn't equal zero trust |
|
|
287
|
+
|
|
288
|
+
### Modern Alternatives
|
|
289
|
+
|
|
290
|
+
**Cloudflare WARP + Access (Zero Trust Network Access):**
|
|
291
|
+
```
|
|
292
|
+
Architecture:
|
|
293
|
+
User device (WARP client) → Cloudflare edge → Identity check (SSO) → Internal resource
|
|
294
|
+
|
|
295
|
+
Benefits:
|
|
296
|
+
- Per-application access (not network-wide)
|
|
297
|
+
- No VPN concentrator bottleneck
|
|
298
|
+
- Audit log of every access
|
|
299
|
+
- Device posture enforcement
|
|
300
|
+
- Works on any device, any network
|
|
301
|
+
```
|
|
302
|
+
|
|
303
|
+
**Tailscale (WireGuard-based mesh):**
|
|
304
|
+
```bash
|
|
305
|
+
# Set up Tailscale for small teams / internal tools
|
|
306
|
+
# Install on each device: tailscale.com/download
|
|
307
|
+
|
|
308
|
+
# Key features:
|
|
309
|
+
# - Peer-to-peer WireGuard connections (fast, low overhead)
|
|
310
|
+
# - ACL-based access control per device
|
|
311
|
+
# - Magic DNS for service discovery
|
|
312
|
+
# - Works across NAT without port forwarding
|
|
313
|
+
# - SSO integration (Google, GitHub, Okta)
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
**AWS Systems Manager Session Manager:**
|
|
317
|
+
```bash
|
|
318
|
+
# SSH/RDP replacement -- no port 22/3389 needed
|
|
319
|
+
# No inbound firewall rules required
|
|
320
|
+
|
|
321
|
+
# Connect to EC2 without SSH
|
|
322
|
+
aws ssm start-session --target i-1234567890abcdef0
|
|
323
|
+
|
|
324
|
+
# Benefits:
|
|
325
|
+
# - Encrypted channel via SSM API
|
|
326
|
+
# - Audit log in CloudTrail
|
|
327
|
+
# - IAM-based access control
|
|
328
|
+
# - No bastion hosts needed
|
|
329
|
+
```
|
|
330
|
+
|
|
331
|
+
---
|
|
332
|
+
|
|
333
|
+
## Network Segmentation
|
|
334
|
+
|
|
335
|
+
### Subnetting Strategy
|
|
336
|
+
|
|
337
|
+
```
|
|
338
|
+
VPC: 10.0.0.0/16
|
|
339
|
+
|
|
|
340
|
+
├── Public Subnets (10.0.0.0/24, 10.0.1.0/24)
|
|
341
|
+
│ └── Load balancers, NAT gateways
|
|
342
|
+
│ Internet Gateway → Public Subnet → Private Subnet
|
|
343
|
+
│
|
|
344
|
+
├── Private Application Subnets (10.0.10.0/24, 10.0.11.0/24)
|
|
345
|
+
│ └── Application servers, ECS tasks, Lambda in VPC
|
|
346
|
+
│ No direct internet access (NAT gateway for outbound only)
|
|
347
|
+
│
|
|
348
|
+
├── Private Database Subnets (10.0.20.0/24, 10.0.21.0/24)
|
|
349
|
+
│ └── RDS, ElastiCache, databases
|
|
350
|
+
│ No internet access at all (no NAT gateway)
|
|
351
|
+
│ Only accessible from application subnets
|
|
352
|
+
│
|
|
353
|
+
└── Management Subnet (10.0.30.0/24)
|
|
354
|
+
└── Bastion host (if needed), monitoring agents
|
|
355
|
+
Limited to specific trusted IPs only
|
|
356
|
+
```
|
|
357
|
+
|
|
358
|
+
### Kubernetes Network Policies
|
|
359
|
+
|
|
360
|
+
```yaml
|
|
361
|
+
# Default deny-all policy (apply to every namespace)
|
|
362
|
+
apiVersion: networking.k8s.io/v1
|
|
363
|
+
kind: NetworkPolicy
|
|
364
|
+
metadata:
|
|
365
|
+
name: default-deny-all
|
|
366
|
+
namespace: production
|
|
367
|
+
spec:
|
|
368
|
+
podSelector: {}
|
|
369
|
+
policyTypes:
|
|
370
|
+
- Ingress
|
|
371
|
+
- Egress
|
|
372
|
+
|
|
373
|
+
---
|
|
374
|
+
# Allow only specific traffic to API service
|
|
375
|
+
apiVersion: networking.k8s.io/v1
|
|
376
|
+
kind: NetworkPolicy
|
|
377
|
+
metadata:
|
|
378
|
+
name: api-server-policy
|
|
379
|
+
namespace: production
|
|
380
|
+
spec:
|
|
381
|
+
podSelector:
|
|
382
|
+
matchLabels:
|
|
383
|
+
app: api-server
|
|
384
|
+
policyTypes:
|
|
385
|
+
- Ingress
|
|
386
|
+
- Egress
|
|
387
|
+
ingress:
|
|
388
|
+
- from:
|
|
389
|
+
- podSelector:
|
|
390
|
+
matchLabels:
|
|
391
|
+
app: nginx-ingress
|
|
392
|
+
ports:
|
|
393
|
+
- protocol: TCP
|
|
394
|
+
port: 8080
|
|
395
|
+
egress:
|
|
396
|
+
- to:
|
|
397
|
+
- podSelector:
|
|
398
|
+
matchLabels:
|
|
399
|
+
app: postgres
|
|
400
|
+
ports:
|
|
401
|
+
- protocol: TCP
|
|
402
|
+
port: 5432
|
|
403
|
+
```
|
|
404
|
+
|
|
405
|
+
---
|
|
406
|
+
|
|
407
|
+
## IDS/IPS (Intrusion Detection/Prevention)
|
|
408
|
+
|
|
409
|
+
### Network-Based Detection
|
|
410
|
+
|
|
411
|
+
| Tool | Type | Deployment |
|
|
412
|
+
|------|------|-----------|
|
|
413
|
+
| **Suricata** | NIDS/NIPS | Network tap or inline |
|
|
414
|
+
| **Snort** | NIDS | Network tap |
|
|
415
|
+
| **Zeek (Bro)** | NSM | Passive monitoring, log generation |
|
|
416
|
+
| **AWS Network Firewall** | Managed NIDS/NIPS | AWS VPCs |
|
|
417
|
+
|
|
418
|
+
### Host-Based Detection
|
|
419
|
+
|
|
420
|
+
| Tool | Type | Focus |
|
|
421
|
+
|------|------|-------|
|
|
422
|
+
| **Falco** | HIDS (eBPF) | Container/Kubernetes runtime |
|
|
423
|
+
| **OSSEC/Wazuh** | HIDS | File integrity, log analysis |
|
|
424
|
+
| **CrowdStrike Falcon** | EDR | Endpoint behavior |
|
|
425
|
+
| **Cilium Tetragon** | eBPF | K8s security observability |
|
|
426
|
+
|
|
427
|
+
**Falco for Kubernetes runtime detection:**
|
|
428
|
+
```yaml
|
|
429
|
+
# Example Falco rule -- detect web shell activity
|
|
430
|
+
- rule: Suspicious Web Shell Activity
|
|
431
|
+
desc: Detect execution of commands via web shell
|
|
432
|
+
condition: >
|
|
433
|
+
spawned_process and
|
|
434
|
+
proc.pname in (apache2, nginx, httpd) and
|
|
435
|
+
proc.name in (bash, sh, python, perl, ruby)
|
|
436
|
+
output: >
|
|
437
|
+
Web shell detected (user=%user.name command=%proc.cmdline
|
|
438
|
+
container=%container.name)
|
|
439
|
+
priority: CRITICAL
|
|
440
|
+
tags: [web, shell, attack]
|
|
441
|
+
```
|
|
442
|
+
|
|
443
|
+
---
|
|
444
|
+
|
|
445
|
+
## Legacy Protocol Security
|
|
446
|
+
|
|
447
|
+
### Protocols to Disable Immediately
|
|
448
|
+
|
|
449
|
+
| Protocol | Replacement | Why Deprecated |
|
|
450
|
+
|----------|------------|---------------|
|
|
451
|
+
| SSLv3 | TLS 1.3 | POODLE attack |
|
|
452
|
+
| TLS 1.0 | TLS 1.2+ | BEAST, POODLE |
|
|
453
|
+
| TLS 1.1 | TLS 1.2+ | Weak ciphers |
|
|
454
|
+
| Telnet | SSH | Cleartext protocol |
|
|
455
|
+
| FTP | SFTP/FTPS | Cleartext protocol |
|
|
456
|
+
| SNMPv1/v2 | SNMPv3 | No authentication |
|
|
457
|
+
| HTTP | HTTPS | Cleartext |
|
|
458
|
+
|
|
459
|
+
```nginx
|
|
460
|
+
# Nginx -- only TLS 1.2 and 1.3
|
|
461
|
+
ssl_protocols TLSv1.2 TLSv1.3;
|
|
462
|
+
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256;
|
|
463
|
+
ssl_prefer_server_ciphers off;
|
|
464
|
+
|
|
465
|
+
# HSTS -- force HTTPS for 2 years
|
|
466
|
+
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
|
|
467
|
+
```
|
|
468
|
+
|
|
469
|
+
---
|
|
470
|
+
|
|
471
|
+
## Sources
|
|
472
|
+
|
|
473
|
+
- NIST SP 800-41 (Firewalls): https://csrc.nist.gov/publications/detail/sp/800-41/rev-1/final
|
|
474
|
+
- CIS Benchmarks (Networking): https://www.cisecurity.org/cis-benchmarks
|
|
475
|
+
- Cloudflare Security Learning: https://www.cloudflare.com/learning/security/
|
|
476
|
+
- Istio Security: https://istio.io/latest/docs/concepts/security/
|
|
477
|
+
- Falco: https://falco.org/docs/
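Review bot: The `api-server-policy` NetworkPolicy (file lines 374–402) allows egress only to `app: postgres` on TCP 5432, and together with the `default-deny-all` policy above it (lines 361–371, which denies Egress too) the pod loses access to kube-dns, so the `postgres` service name no longer resolves and the one connection the policy is meant to permit fails; every namespace that receives the default-deny egress rule needs an explicit DNS egress allowance (UDP and TCP 53 to the cluster DNS pods, shown below — adjust the label selectors to the cluster's DNS deployment). The rate-limiting examples also key on the client address while the architecture diagram puts Cloudflare in front of the origin: nginx's `$binary_remote_addr` zones (lines 189–190) will bucket all users behind a handful of Cloudflare edge IPs, and Express's `app.set('trust proxy', 1)` (line 210) makes `req.ip` come from `X-Forwarded-For`, which is attacker-controlled whenever the origin is reachable directly, so both snippets should carry the caveat that origin ingress must be restricted to Cloudflare's published IP ranges (or Authenticated Origin Pulls), and the nginx block should add `set_real_ip_from <cloudflare ranges>; real_ip_header CF-Connecting-IP;`. The Linkerd namespace annotation (line 268) only injects sidecars into pods created afterwards, so a comment such as `# existing workloads need a rollout restart before edges show "secured"` would prevent a false sense of coverage from the `linkerd viz edges` check on line 271.
```yaml
  egress:
  # … unchanged: existing allow to app: postgres on TCP 5432 …
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
```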
|