specweave 0.23.8 → 0.23.12

package/plugins/specweave/hooks/test-pretooluse-env.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# PreToolUse Environment Variable Validation Test
+#
+# Purpose: Validate that PreToolUse hooks receive tool arguments via env vars
+# This tests the core assumption of Tier 2 implementation
+#
+# Usage:
+#   1. Register this hook in plugin.json under PreToolUse:Edit
+#   2. Make 10 test edits to any file
+#   3. Review /tmp/pretooluse-test.log
+#   4. Check if TOOL_USE_ARGS is populated
+#
+# Success Criteria:
+#   - TOOL_USE_ARGS contains file_path
+#   - At least 80% of invocations have non-empty TOOL_USE_ARGS
+#
+# If this test fails, Tier 2 PreToolUse coordination cannot work
+# and we must rely on Tier 1 (mtime fallback) or proceed to Tier 3
+#
+# Version: v0.24.2 (Tier 2 Validation)
+# Date: 2025-11-22
+
+set +e  # Don't fail on errors (this is a diagnostic tool)
+
+TEST_LOG="/tmp/pretooluse-test.log"
+TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)
+
+# Initialize log on first run
+if [[ ! -f "$TEST_LOG" ]]; then
+  echo "==================================" > "$TEST_LOG"
+  echo "PreToolUse Environment Variable Test" >> "$TEST_LOG"
+  echo "Started: $TIMESTAMP" >> "$TEST_LOG"
+  echo "==================================" >> "$TEST_LOG"
+  echo "" >> "$TEST_LOG"
+fi
+
+# Record this invocation
+echo "[$TIMESTAMP] PreToolUse:Edit invocation #$(wc -l < "$TEST_LOG")" >> "$TEST_LOG"
+
+# Check ALL tool-related environment variables
+echo "  TOOL_USE_ARGS:    ${TOOL_USE_ARGS:-<EMPTY>}" >> "$TEST_LOG"
+echo "  TOOL_USE_CONTENT: ${TOOL_USE_CONTENT:-<EMPTY>}" >> "$TEST_LOG"
+echo "  TOOL_RESULT:      ${TOOL_RESULT:-<EMPTY>}" >> "$TEST_LOG"
+echo "  PWD:              $PWD" >> "$TEST_LOG"
+
+# Try to extract file_path if TOOL_USE_ARGS exists
+if [[ -n "${TOOL_USE_ARGS:-}" ]]; then
+  if command -v jq &> /dev/null; then
+    FILE_PATH=$(echo "$TOOL_USE_ARGS" | jq -r '.file_path // "<NOT_FOUND>"' 2>/dev/null)
+    echo "  Extracted file_path: $FILE_PATH" >> "$TEST_LOG"
+  else
+    FILE_PATH=$(echo "$TOOL_USE_ARGS" | grep -o '"file_path"[[:space:]]*:[[:space:]]*"[^"]*"' | head -1 | sed 's/.*"\([^"]*\)".*/\1/' || echo "<PARSE_FAILED>")
+    echo "  Extracted file_path (no jq): $FILE_PATH" >> "$TEST_LOG"
+  fi
+fi
+
+# Dump all TOOL* env vars
+echo "  All TOOL* environment variables:" >> "$TEST_LOG"
+env | grep -E "^TOOL" | while read line; do
+  echo "    $line" >> "$TEST_LOG"
+done
+
+echo "" >> "$TEST_LOG"
+
+# Log rotation: Keep last 100 invocations
+if [[ $(wc -l < "$TEST_LOG") -gt 500 ]]; then
+  tail -400 "$TEST_LOG" > "$TEST_LOG.tmp"
+  mv "$TEST_LOG.tmp" "$TEST_LOG"
+fi
+
+exit 0  # Always succeed (diagnostic tool)

package/plugins/specweave/skills/compliance-architecture/SKILL.md

@@ -0,0 +1,374 @@
+---
+name: compliance-architecture
+description: Enterprise-grade compliance architecture for SOC 2, HIPAA, GDPR, PCI-DSS. Provides compliance checklists, security controls, audit guidance, and regulatory requirements for serverless and cloud architectures. Activates for compliance, HIPAA, SOC2, SOC 2, GDPR, PCI-DSS, PCI DSS, regulatory, healthcare data, payment card, data protection, audit, security standards, regulated industry, BAA, business associate agreement, DPIA, data protection impact assessment.
+---
+
+# Compliance Architecture Expert
+
+I'm a specialist in enterprise compliance architecture across regulated industries. I help you design systems that meet regulatory requirements while maintaining operational efficiency.
+
+## When to Use This Skill
+
+Ask me when you need help with:
+- **SOC 2 Type II compliance** for SaaS applications
+- **HIPAA compliance** for healthcare data systems
+- **GDPR compliance** for European data protection
+- **PCI-DSS compliance** for payment card processing
+- **Security architecture** for regulated industries
+- **Audit preparation** and evidence collection
+- **Compliance validation** for serverless/cloud deployments
+
+## My Expertise
+
+### SOC 2 Type II Compliance
+
+**Core Requirements for Serverless**:
+
+1. **Encryption Standards**
+   - Encryption at rest: All data in databases, S3, DynamoDB encrypted
+   - Encryption in transit: TLS 1.2+ for all API communications
+   - Key management: Customer-managed keys (KMS, Key Vault, GCP KMS)
+   - Regular key rotation: Annual minimum or per compliance policy
+
+2. **Access Logging and Retention**
+   - CloudTrail (AWS), Activity Log (Azure), Cloud Audit Logs (GCP)
+   - Minimum retention: 90 days (24 months recommended)
+   - Centralized log aggregation: ELK Stack, Splunk, or cloud-native
+   - Immutable audit logs: Write-once storage for compliance evidence
+   - Real-time alerting on unauthorized access attempts
+
+3. **Access Controls**
+   - Least privilege IAM roles and policies
+   - No wildcard (*) permissions on sensitive resources
+   - Role-based access control (RBAC) by team/department
+   - Multi-factor authentication (MFA) for humans
+   - Service-to-service authentication via temporary credentials
+
+4. **Change Management**
+   - Documented change procedures with approval workflow
+   - Separation of duties: Developers, reviewers, approval authority
+   - Automated testing in CI/CD before production deployment
+   - Change logs with timestamps, author, and justification
+   - Rollback procedures documented and tested
+
+### HIPAA Compliance
+
+**Healthcare Data Protection Requirements**:
+
+1. **Business Associate Agreement (BAA)**
+   - Mandatory: Cloud provider must sign BAA before deployment
+   - Covers: AWS, Azure, GCP, managed services
+   - Do not use: Generic SaaS platforms without BAA
+
+2. **Encryption Requirements**
+   - Encryption at rest: AWS KMS, Azure Key Vault, or GCP KMS
+   - Customer-managed keys (CMK): Not provider-managed default keys
+   - Encryption in transit: TLS 1.2+ for all PHI transfers
+   - Database encryption: All databases holding PHI (RDS, DynamoDB)
+   - S3/Blob encryption: All healthcare data storage
+
+3. **Audit Logging**
+   - CloudTrail/Activity Log: All access to PHI systems
+   - Application logging: Access, modification, deletion events
+   - Retention: Minimum 6 years (state laws may require longer)
+   - Immutable storage: Prevent audit log tampering
+
+4. **Network Isolation**
+   - VPC for database and processing: No public endpoints
+   - Security groups: Whitelist only necessary ports
+   - NACLs: Network ACLs for additional layer
+   - Private subnets: Database and sensitive compute resources
+   - VPN/Bastion for administrative access
+
+5. **No Public Endpoints**
+   - API Gateway: Private endpoints, not public
+   - Lambda: Invoke only from VPC or authenticated clients
+   - Databases: Private subnets only
+   - S3: Block public access, bucket policies deny public
+
+### GDPR Compliance
+
+**European Data Protection Regulations**:
+
+1. **Data Residency Controls**
+   - EU data: Must reside in EU regions (eu-west-1, eu-central-1)
+   - Data localization: No automatic replication outside EU
+   - Backup regions: Only EU-based backup locations
+   - Processing: Ensure data processors operate in EU
+   - Documentation: Mapping of data to region/controller
+
+2. **Right to Erasure (Data Deletion)**
+   - Deletion capabilities: Systems must support complete data removal
+   - Orphaned data: Periodic scans for disconnected/abandoned data
+   - Backup deletion: Timely deletion from backup systems
+   - Third-party deletion: Data deletion from all processors
+   - Compliance evidence: Document deletion execution and timing
+   - Foreign keys: Cascade deletes or documented orphaned records
+
+3. **Consent Management**
+   - Consent records: Timestamp and version of every consent
+   - Granular consent: Separate for marketing, analytics, processing
+   - Easy withdrawal: Simple mechanisms to withdraw consent
+   - Documentation: Proof of consent for audits
+   - Cookie management: Consent before non-essential tracking
+
+4. **Data Portability**
+   - Export formats: JSON, CSV, or standard formats
+   - Completeness: All data subject to export request
+   - Machine-readable: Structured data in machine-readable format
+   - Timing: Provide within 30 days of request
+   - No fees: Free data export (no extraction charges)
+
+5. **Privacy by Design**
+   - Data minimization: Collect only necessary data
+   - Purpose limitation: Use data only for stated purposes
+   - Retention policies: Delete when no longer needed
+   - Default privacy: Private by default, not opt-in later
+   - Impact assessments: DPIA for new processing activities
+
+### PCI-DSS Compliance
+
+**Payment Card Data Protection (v3.2.1 or later)**:
+
+1. **Tokenization Requirements**
+   - Never store raw card data: PAN, CVV, expiration
+   - Tokenization service: Stripe, Square, or PCI-compliant provider
+   - Token storage only: Systems never handle raw card data
+   - Scope reduction: Tokenization dramatically reduces PCI scope
+
+2. **Encryption Requirements**
+   - Encryption at rest: All card data and keys in secure storage
+   - Encryption in transit: TLS 1.2+ minimum for all payments
+   - Key management: HSM (Hardware Security Module) recommended
+   - Key rotation: Annual minimum or per compliance policy
+   - Test keys: Separate test environment keys
+
+3. **Network Segmentation**
+   - Cardholder data environment (CDE): Isolated network segment
+   - Firewalls: Between CDE and non-CDE systems
+   - Intrusion detection: IDS monitoring for CDE
+   - Testing: Regular penetration testing (quarterly minimum)
+
+4. **Regular Security Audits**
+   - Quarterly vulnerability scans: External scanning service
+   - Annual penetration testing: By approved assessor
+   - Compliance validation: Annual SAQ or audit
+   - Incident response testing: Test breach response procedures
+
+5. **Secure Card Data Handling**
+   - No storage of sensitive authentication data: CVC/CVV, PIN
+   - No storage of magnetic stripe data after auth
+   - Transaction logging: All card interactions logged
+   - Access controls: Minimize people accessing card data
+
+## Security Misconfiguration Warnings
+
+**Common Serverless Security Issues**:
+
+### ❌ Public S3 Buckets
+```
+WRONG:
+- S3 bucket with public read access
+- "Block public access" disabled
+- Bucket policy allows s3:GetObject to "*"
+
+CORRECT:
+- Block public access: enabled
+- Bucket policy: Only CloudFront, VPC endpoints, specific IAM roles
+- Encryption: enabled with customer-managed keys
+```
+
+### ❌ Overly Permissive IAM Policies
+```
+WRONG:
+{
+  "Effect": "Allow",
+  "Action": "s3:*",           # WILDCARD ACTION
+  "Resource": "*"             # WILDCARD RESOURCE
+}
+
+CORRECT:
+{
+  "Effect": "Allow",
+  "Action": ["s3:GetObject", "s3:PutObject"],
+  "Resource": "arn:aws:s3:::specific-bucket/specific-prefix/*",
+  "Condition": {
+    "IpAddress": {"aws:SourceIp": "10.0.0.0/8"}
+  }
+}
+```
+
+### ❌ Hardcoded Secrets
+```
+WRONG:
+const apiKey = "sk_test_123456789abcdef";  // In code or env vars
+
+CORRECT:
+// AWS
+const secret = await secretsManager.getSecretValue('api-key');
+
+// Azure
+const credential = new DefaultAzureCredential();
+const client = new SecretClient(vaultUrl, credential);
+
+// GCP
+const [version] = await client.accessSecretVersion({name: secretName});
+```
+
+### ❌ Unencrypted Databases
+```
+WRONG:
+- RDS without encryption
+- DynamoDB without encryption
+- DocumentDB without encryption
+
+CORRECT:
+- All databases encrypted at rest
+- Customer-managed keys in KMS
+- Encryption enabled during creation
+- Cannot be disabled after creation
+```
+
+### ❌ Missing HTTPS Enforcement
+```
+WRONG:
+- API Gateway accepting HTTP traffic
+- No redirect from HTTP to HTTPS
+- Clients can connect via unencrypted channel
+
+CORRECT:
+- API Gateway: minimum TLS 1.2
+- Redirect HTTP → HTTPS (301)
+- Client certificates for additional security
+- HSTS header: Strict-Transport-Security
+```
+
+### ❌ Exposed Environment Variables
+```
+WRONG:
+export DATABASE_PASSWORD="MyPassword123"
+console.log(process.env.DATABASE_PASSWORD)  # In logs
+
+CORRECT:
+- Use AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
+- Inject as secret environment variables (redacted in logs)
+- Never log secrets or sensitive configuration
+- Rotate secrets annually
+```
+
+### ❌ Missing Network Isolation
+```
+WRONG:
+- Lambda in public subnet with NAT
+- Database accessible from internet
+- No security groups restricting access
+
+CORRECT:
+- Lambda in private subnet
+- Database in private subnet
+- Security groups: Lambda → Database only
+- No route to Internet Gateway from database subnet
+```
+
+## Production Security Checklist
+
+**Before deploying to production, verify all items**:
+
+### Identity & Access
+- [ ] IAM roles: Least privilege principle applied
+- [ ] No wildcard permissions: All permissions specific to resource/action
+- [ ] Cross-account access: No trusting wildcard principals
+- [ ] API keys: Rotated annually (or per policy)
+- [ ] MFA: Enabled for all human users
+- [ ] Service accounts: Using temporary credentials (STS)
+- [ ] Resource-based policies: Scoped to specific principals
+
+### Secrets Management
+- [ ] Database passwords: In Secrets Manager, not code
+- [ ] API keys: In Secrets Manager, not environment variables
+- [ ] Keys rotated: Annually or per compliance requirement
+- [ ] Audit logging: All secret access logged and monitored
+- [ ] Access restricted: Only authorized applications/users
+- [ ] Old versions: Deleted or marked deprecated
+
+### Encryption
+- [ ] Encryption at rest: Enabled for all databases and storage
+- [ ] Customer-managed keys: Using KMS, Key Vault, or equivalent
+- [ ] Encryption in transit: TLS 1.2+ for all APIs
+- [ ] Certificate validation: Proper SSL/TLS certificate chains
+- [ ] Key rotation: Automatic or scheduled rotation configured
+- [ ] Backward compatibility: Can decrypt older encrypted data
+
+### Network Security
+- [ ] VPC: Sensitive resources in private subnets
+- [ ] Security groups: Whitelisting only necessary ports
+- [ ] NACLs: Network ACLs for additional layer
+- [ ] NAT Gateway: For private subnet outbound traffic
+- [ ] No public endpoints: Databases, caches in private subnets
+- [ ] VPN/Bastion: For administrative access
+- [ ] HTTPS enforcement: Redirect HTTP to HTTPS
+
+### Data Protection
+- [ ] PII classification: Data tagged and tracked
+- [ ] Backup encryption: Backups encrypted with KMS keys
+- [ ] Backup testing: Regular restore tests from backups
+- [ ] Data retention: Policies documented and enforced
+- [ ] Data deletion: Procedures tested for GDPR/compliance
+- [ ] Sensitive data: No logs, error messages, or metrics
+- [ ] Database activity monitoring: Enabled for compliance
+
+### Logging & Monitoring
+- [ ] CloudTrail/Activity Logs: Enabled and retained 90+ days
+- [ ] Application logging: Access, modification, deletion events
+- [ ] Log aggregation: Centralized in ELK, Splunk, or cloud solution
+- [ ] Immutable logs: Write-once storage for audit trails
+- [ ] Alerting: Real-time alerts for security events
+- [ ] Log retention: Per compliance requirement (90 days minimum)
+- [ ] Log analysis: Regular review for anomalies
+
+### Deployment & CI/CD
+- [ ] Code scanning: SAST tools in CI/CD pipeline
+- [ ] Dependency scanning: SCA for vulnerable dependencies
+- [ ] Container scanning: Image scanning before deployment
+- [ ] Secrets scanning: Detect hardcoded secrets
+- [ ] Approval workflow: Required before production deployment
+- [ ] Automated testing: Security tests in pipeline
+- [ ] Change logs: All changes documented with justification
+
+### Compliance & Auditing
+- [ ] Compliance framework: Selected (SOC 2, HIPAA, GDPR, PCI-DSS)
+- [ ] BAA signed: If healthcare data (HIPAA required)
+- [ ] Security policy: Documented and communicated
+- [ ] Incident response: Plan documented and tested
+- [ ] Vulnerability disclosure: Process for reporting issues
+- [ ] Regular assessments: Penetration testing scheduled
+- [ ] Documentation: All security controls documented
+
+### Testing
+- [ ] Security tests: Unit and integration security tests
+- [ ] Penetration testing: Quarterly or annually
+- [ ] Chaos engineering: Test recovery from security incidents
+- [ ] Compliance validation: Annual audit or SAQ
+- [ ] Incident simulations: Quarterly breach response drills
+
+## When to Request Compliance Architecture
+
+Request my help when:
+1. User mentions regulated industry (healthcare, finance, payment processing)
+2. Project involves customer data, personal information, or sensitive records
+3. Requirements specify SOC 2, HIPAA, GDPR, PCI-DSS, or other compliance
+4. User asks about security best practices or data protection
+5. Deployment involves cross-border data transfer
+
+## Integration with Security Agent
+
+**Coordinate with Security Agent for**:
+- Detailed threat modeling and risk assessment
+- Security architecture review and hardening
+- Incident response planning and testing
+- Penetration testing coordination
+- Vulnerability management processes
+
+---
+
+**Remember**: Compliance is not a checkbox exercise - it's about building secure, trustworthy systems that protect user data and meet legal obligations.