npm - start-vibing-stacks - Versions diffs - 2.6.0 → 2.7.0 - Mend

start-vibing-stacks 2.6.0 → 2.7.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (79) hide show

package/stacks/_shared/skills/security-baseline/SKILL.md ADDED Viewed

@@ -0,0 +1,202 @@
+---
+name: security-baseline
+version: 1.0.0
+description: Universal OWASP Top 10 baseline with stack-aware examples. Invoke before designing or reviewing any feature that touches user data, auth, persistence, or external IO.
+---
+# Security Baseline — OWASP Top 10 (2021)
+**ALWAYS invoke when designing auth, APIs, persistence, file uploads, or any user-input flow.**
+> Threat model first. Then code. Defense in depth: every layer assumes the previous one failed.
+## Core Principles
+1. **Trust no input** — validate at every boundary (HTTP, queue, file, env, IPC).
+2. **Least privilege** — minimum scopes, minimum table access, minimum filesystem rights.
+3. **Fail closed** — on error, deny. Never default to "allow on exception".
+4. **Defense in depth** — auth + authz + input validation + output encoding + audit log.
+5. **No security by obscurity** — assume attacker has source code.
+---
+## A01 — Broken Access Control
+| Anti-pattern | Fix |
+|---|---|
+| User ID from request body/query | Always derive from session/JWT |
+| Unscoped `Model.findById(id)` | Scope by owner: `where userId == session.userId` |
+| Role check in frontend only | Re-check on server |
+| IDOR (sequential IDs leak existence) | Use UUIDs **and** authz check |
+### Node.js (Next.js / Express)
+```ts
+// WRONG — uses body userId
+const userId = req.body.userId;
+const orders = await Order.find({ userId });
+// CORRECT — derives from session
+const session = await auth();
+if (!session) throw new UnauthorizedError();
+const orders = await Order.find({ userId: session.user.id });
+```
+### Python (FastAPI)
+```python
+# CORRECT — Depends() resolves authenticated user
+@app.get("/orders")
+async def list_orders(user: User = Depends(current_user)):
+    return await Order.filter(user_id=user.id).all()
+```
+### PHP (Laravel)
+```php
+// CORRECT — Policy + scoped query
+$orders = $request->user()->orders()->get();
+$this->authorize('view', $order);
+```
+---
+## A02 — Cryptographic Failures
+- **Never** use MD5/SHA1 for passwords. Use bcrypt/argon2/scrypt.
+- **TLS everywhere**. HSTS header in production.
+- **Cookies**: `HttpOnly`, `Secure`, `SameSite=Strict|Lax`.
+- **Secrets** never in code, never in logs, never in URLs.
+- **JWT**: short expiry (15m access, 7d refresh), rotate refresh tokens, signed with strong secret.
+```ts
+// Node.js password hashing
+import { hash, verify } from '@node-rs/argon2';
+const hashed = await hash(password, { memoryCost: 19456, timeCost: 2 });
+const ok = await verify(hashed, attempt);
+```
+---
+## A03 — Injection
+| Type | Fix |
+|---|---|
+| SQL | Parameterized queries / ORM with bindings |
+| NoSQL | Sanitize operators (`$where`, `$regex`) — never accept raw object from user |
+| Command | `execFile` with array args, never `exec` with string |
+| LDAP/XPath/Template | Library-specific escapers |
+| Header injection | Strip `\r\n` from any user-controlled header value |
+```ts
+// WRONG — Mongo operator injection
+User.findOne({ email: req.body.email });
+// If body is { email: { $ne: null } } → returns first user
+// CORRECT — coerce to string/Zod parse first
+const { email } = z.object({ email: z.string().email() }).parse(req.body);
+User.findOne({ email });
+```
+---
+## A04 — Insecure Design
+- Threat-model **before** coding new flows. Document threats in `domain.md`.
+- Anti-automation: rate limit, CAPTCHA on signup/login/password reset.
+- Business logic limits: max items per cart, max API calls per minute, max file size.
+---
+## A05 — Security Misconfiguration
+- Disable directory listings, default accounts, sample apps.
+- Set security headers: `Content-Security-Policy`, `X-Content-Type-Options: nosniff`, `Referrer-Policy`, `Permissions-Policy`.
+- Error messages: generic to clients, detailed in server logs only.
+- `NODE_ENV=production` / `APP_DEBUG=false` in prod — verify in CI.
+---
+## A06 — Vulnerable Components
+- Run `npm audit` / `pip-audit` / `composer audit` in CI.
+- Pin lockfiles. Use Dependabot/Renovate.
+- See `supply-chain` notes in `secrets-management` skill.
+---
+## A07 — Authentication Failures
+- Lockout after N failed attempts (with exponential backoff or CAPTCHA, **not** permanent — DoS risk).
+- Require MFA for admin/sensitive actions.
+- Rotate session token on login, logout, password change, privilege change.
+- Password reset tokens: single-use, expire ≤ 1h, sent to email of record.
+---
+## A08 — Software & Data Integrity
+- Verify signatures on dependencies where possible (Sigstore, npm provenance).
+- Sign artifacts in CI/CD.
+- Validate webhook signatures (Stripe, GitHub, etc.) **before** parsing body.
+```ts
+// Stripe webhook — verify FIRST
+const sig = req.headers['stripe-signature'];
+const event = stripe.webhooks.constructEvent(rawBody, sig, secret);
+```
+---
+## A09 — Security Logging Failures
+- Log: auth events, authz denials, validation failures, admin actions, payment events.
+- Never log: passwords, tokens, full PAN, full SSN, raw cookies, secrets.
+- Use correlation IDs to trace a request across services. See `observability` skill.
+---
+## A10 — Server-Side Request Forgery (SSRF)
+- Allowlist outbound destinations when fetching user-supplied URLs.
+- Block private IP ranges (10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7).
+- Resolve DNS yourself and check the IP — defeats DNS rebinding.
+```ts
+import { isIP } from 'net';
+const PRIVATE = /^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|::1|fc|fd)/i;
+const url = new URL(userUrl);
+const ip = await dns.lookup(url.hostname);
+if (PRIVATE.test(ip.address)) throw new ForbiddenError('Private IP not allowed');
+```
+---
+## Mandatory Boundary Validation
+Every external input MUST be validated by a schema:
+| Stack | Library |
+|---|---|
+| Node.js | Zod (`zod-validation` skill) |
+| Python | Pydantic (`pydantic-validation` skill) |
+| PHP | FormRequest + rules |
+No exceptions for "trusted" sources. Internal services drift, queues replay malformed payloads, env files are edited by hand.
+---
+## Pre-Commit Security Checklist
+- [ ] All routes have authn + authz checks
+- [ ] User ID derived from session, never from body
+- [ ] All inputs validated by schema
+- [ ] No secrets in code (see `secrets-management`)
+- [ ] No raw SQL / Mongo operators from user input
+- [ ] Security headers set on responses
+- [ ] Rate limit on auth + write endpoints
+- [ ] PII not in logs (see `observability`)
+- [ ] Webhook signatures verified before parsing
+## See Also
+- `secrets-management` — env hygiene, gitleaks
+- `observability` — log redaction
+- `api-security-node` / `api-security-python` / PHP `api-security` — stack-specific hardening

package/stacks/_shared/skills/test-coverage/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: test-coverage
+version: 1.0.0
+---
 # Test Coverage — Testing Management
 **ALWAYS invoke AFTER implementing any feature. Do NOT skip.**

package/stacks/_shared/skills/ui-ux-audit/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: ui-ux-audit
+version: 1.0.0
+---
 # UI/UX Audit
 **ALWAYS invoke BEFORE implementing any UI feature.**

package/stacks/frontend/react/skills/preline-ui/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: preline-ui
+version: 1.0.0
+---
 # Preline UI — Component & Theme System for TailwindCSS 4
 **ALWAYS invoke when using Preline components, creating themes, or customizing design tokens.**

package/stacks/frontend/react/skills/react-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: react-patterns
+version: 1.0.0
+---
 # React Patterns — Modern Component Architecture
 **ALWAYS invoke when writing React components, hooks, or state management.**

package/stacks/frontend/react/skills/react-standards/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: react-standards
+version: 1.0.0
+---
 # React 19+ Standards
 ## Version Requirements

package/stacks/frontend/react/skills/react-ui-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: react-ui-patterns
+version: 1.0.0
+---
 # React UI Patterns — Loading, Errors, Empty States & Forms
 **ALWAYS invoke when handling async UI states, forms, or user feedback.**

package/stacks/frontend/react/skills/shadcn-ui/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: shadcn-ui
+version: 1.0.0
+---
 # shadcn/ui — Component Library Patterns
 **ALWAYS invoke when adding or modifying shadcn/ui components.**

package/stacks/frontend/react/skills/tailwind-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: tailwind-patterns
+version: 1.0.0
+---
 # TailwindCSS 4 — CSS-First Design System
 **ALWAYS invoke when writing Tailwind classes, theming, or responsive layouts.**

package/stacks/frontend/react/skills/zod-validation/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: zod-validation
+version: 1.0.0
+---
 # Zod Validation — Runtime Type Safety
 **ALWAYS use Zod for form validation, API responses, and data boundaries.**

package/stacks/frontend/react-inertia/skills/inertia-react/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: inertia-react
+version: 1.0.0
+---
 # Inertia.js + React Integration
 ## Architecture Overview

package/stacks/frontend/react-inertia/skills/react-standards/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: react-standards
+version: 1.0.0
+---
 # React 19+ Standards (with Inertia.js)
 ## Version Requirements

package/stacks/nodejs/skills/api-security-node/SKILL.md ADDED Viewed

@@ -0,0 +1,275 @@
+---
+name: api-security-node
+version: 1.0.0
+description: Production-grade API hardening for Node.js (Express, Fastify, Next.js Route Handlers, Server Actions). Rate limit, CORS, JWT, secure cookies, CSRF, headers.
+---
+# API Security — Node.js
+**ALWAYS invoke when building API endpoints, auth flows, Server Actions, or Route Handlers.**
+> Pair this with `security-baseline` for OWASP Top 10. This skill is stack-specific hardening.
+## Layered Defense
+```
+Edge (CDN/WAF) → Rate Limit → CORS → Headers → Auth → Authz → Validate → Logic → Encode → Audit
+```
+---
+## 1. Security Headers
+### Express / Fastify
+```ts
+import helmet from 'helmet';
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'strict-dynamic'", (_, res) => `'nonce-${res.locals.nonce}'`],
+      styleSrc: ["'self'", "'unsafe-inline'"], // Tailwind needs inline; otherwise remove
+      imgSrc: ["'self'", 'data:', 'https:'],
+      connectSrc: ["'self'"],
+      frameAncestors: ["'none'"],
+    },
+  },
+  hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
+  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+  crossOriginOpenerPolicy: { policy: 'same-origin' },
+}));
+```
+### Next.js — `next.config.ts`
+```ts
+const securityHeaders = [
+  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
+  { key: 'X-Content-Type-Options', value: 'nosniff' },
+  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+  { key: 'X-Frame-Options', value: 'DENY' },
+];
+export default {
+  async headers() { return [{ source: '/(.*)', headers: securityHeaders }]; },
+};
+```
+CSP for Next.js is best done in middleware with per-request nonces (script-src `'strict-dynamic'`).
+---
+## 2. CORS — Strict Allowlist
+```ts
+import cors from 'cors';
+const ALLOW = (process.env['CORS_ORIGINS'] ?? '').split(',').filter(Boolean);
+app.use(cors({
+  origin: (origin, cb) => {
+    if (!origin) return cb(null, true);          // server-to-server
+    if (ALLOW.includes(origin)) return cb(null, true);
+    return cb(new Error('CORS blocked'));
+  },
+  credentials: true,                              // required for cookies
+  methods: ['GET', 'POST', 'PATCH', 'DELETE'],
+  maxAge: 600,
+}));
+```
+**Never** use `origin: '*'` with `credentials: true` — browsers will reject and you'll silently break auth.
+---
+## 3. Rate Limiting
+### Express — `express-rate-limit` + Redis
+```ts
+import rateLimit from 'express-rate-limit';
+import RedisStore from 'rate-limit-redis';
+const authLimiter = rateLimit({
+  store: new RedisStore({ sendCommand: (...args) => redis.call(...args) }),
+  windowMs: 15 * 60 * 1000,
+  max: 5,                          // 5 attempts / 15 min / IP
+  standardHeaders: true,
+  legacyHeaders: false,
+  skipSuccessfulRequests: true,    // only count failures on /login
+});
+app.post('/auth/login', authLimiter, loginHandler);
+```
+### Next.js — `@upstash/ratelimit`
+```ts
+import { Ratelimit } from '@upstash/ratelimit';
+import { Redis } from '@upstash/redis';
+const limiter = new Ratelimit({
+  redis: Redis.fromEnv(),
+  limiter: Ratelimit.slidingWindow(10, '60s'),
+  analytics: true,
+});
+export async function POST(req: Request) {
+  const ip = req.headers.get('x-forwarded-for') ?? 'anonymous';
+  const { success } = await limiter.limit(ip);
+  if (!success) return new Response('Too Many Requests', { status: 429 });
+  // ...
+}
+```
+**Limits to set:** auth (5/15min), password reset (3/hour), signup (3/hour/IP), generic write (60/min/user).
+---
+## 4. Cookies
+```ts
+res.cookie('session', token, {
+  httpOnly: true,                         // JS cannot read
+  secure: process.env['NODE_ENV'] === 'production',
+  sameSite: 'lax',                        // 'strict' if no cross-site flows
+  path: '/',
+  maxAge: 1000 * 60 * 60 * 24 * 7,        // 7d
+  domain: process.env['COOKIE_DOMAIN'],   // e.g. .example.com
+});
+```
+For sensitive ops, also set a CSRF token cookie (readable) + require it in `X-CSRF-Token` header.
+---
+## 5. JWT / Session Tokens
+```ts
+import { SignJWT, jwtVerify } from 'jose';
+const SECRET = new TextEncoder().encode(process.env['JWT_SECRET']);
+// Issue access token (short-lived) + refresh token (rotated)
+const accessToken = await new SignJWT({ sub: user.id, role: user.role })
+  .setProtectedHeader({ alg: 'HS256' })
+  .setIssuedAt()
+  .setExpirationTime('15m')
+  .setJti(crypto.randomUUID())
+  .sign(SECRET);
+// Verify
+const { payload } = await jwtVerify(token, SECRET, {
+  algorithms: ['HS256'],   // pin algorithm — never accept 'none'
+  clockTolerance: 5,
+});
+```
+Rules:
+- Access tokens: ≤ 15 min. Refresh tokens: rotate on use, store hash in DB, revocable.
+- Pin algorithm. The `alg: 'none'` and key-confusion attacks are real.
+- Include `jti` for revocation lists.
+---
+## 6. CSRF — Next.js Server Actions / Route Handlers
+Server Actions: Next.js 14+ verifies origin automatically when called via form/`useFormState`. For Route Handlers and any cross-origin form, implement double-submit cookie:
+```ts
+// middleware.ts
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+export function middleware(req: NextRequest) {
+  const res = NextResponse.next();
+  if (!req.cookies.get('csrf-token')) {
+    res.cookies.set('csrf-token', crypto.randomUUID(), {
+      sameSite: 'lax', secure: true, path: '/',
+    });
+  }
+  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
+    const cookie = req.cookies.get('csrf-token')?.value;
+    const header = req.headers.get('x-csrf-token');
+    if (!cookie || cookie !== header) {
+      return new NextResponse('CSRF', { status: 403 });
+    }
+  }
+  return res;
+}
+```
+---
+## 7. Input Validation Boundary (Zod)
+```ts
+import { z } from 'zod';
+const Body = z.object({
+  email: z.string().email().max(254),
+  age: z.number().int().min(13).max(120),
+}).strict();   // .strict() rejects unknown keys → blocks mass assignment
+export async function POST(req: Request) {
+  const parsed = Body.safeParse(await req.json());
+  if (!parsed.success) {
+    return Response.json({ errors: parsed.error.flatten() }, { status: 422 });
+  }
+  // parsed.data is type-safe and clean
+}
+```
+---
+## 8. File Upload
+- Cap size at the proxy AND in the handler.
+- Validate MIME by **magic bytes** (`file-type` package), not by extension or `Content-Type`.
+- Store outside webroot. Serve via signed URLs.
+- Never use the user-supplied filename on disk — generate a UUID.
+```ts
+import { fileTypeFromBuffer } from 'file-type';
+const ft = await fileTypeFromBuffer(buf);
+if (!ft || !['image/jpeg', 'image/png', 'image/webp'].includes(ft.mime)) {
+  throw new BadRequestError('Invalid file type');
+}
+```
+---
+## 9. Password Hashing
+```ts
+import { hash, verify } from '@node-rs/argon2';
+const hashed = await hash(password, { memoryCost: 19456, timeCost: 2, parallelism: 1 });
+const ok = await verify(hashed, attempt);   // constant-time
+```
+Never use `bcryptjs` (pure JS, slow); prefer native `bcrypt` or `argon2`. Argon2id is the modern default.
+---
+## 10. Server Action / Route Handler Checklist
+- [ ] `auth()` called first; reject if no session for protected routes
+- [ ] User ID from session, **never** from body
+- [ ] Zod schema with `.strict()`
+- [ ] Authz check (RBAC/ABAC) on the resource
+- [ ] Rate limit applied
+- [ ] No `console.log(req.body)` (PII leak — see `observability`)
+- [ ] Errors return generic message; details to logs only
+## FORBIDDEN
+| Anti-pattern | Reason |
+|---|---|
+| `cors({ origin: '*', credentials: true })` | Browsers reject; you're disabling auth |
+| `jwt.verify(token)` without `algorithms` | `alg: none` and key confusion attacks |
+| Storing JWT in `localStorage` | XSS exfiltration trivial — use HttpOnly cookies |
+| `app.use(express.json({ limit: '50mb' }))` everywhere | DoS — set per-route |
+| `req.body.userId` for ownership | A01 violation — use session |
+| Logging `req.body` or `req.headers` | Logs passwords, cookies, tokens |
+| `bcrypt.compare(a, b)` with non-string | Type coercion bugs leak info |
+## See Also
+- `security-baseline` — OWASP Top 10
+- `secrets-management` — env vars, rotation
+- `zod-validation` — schema patterns
+- `observability` — structured logs without PII

package/stacks/nodejs/skills/bun-runtime/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: bun-runtime
+version: 1.0.0
+---
 # Bun Runtime — Fast JavaScript Runtime
 **ALWAYS invoke when using Bun for scripts, packages, bundling, or testing.**

package/stacks/nodejs/skills/mongoose-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: mongoose-patterns
+version: 1.0.0
+---
 # Mongoose Patterns — MongoDB ODM
 **ALWAYS invoke when writing Mongoose schemas, queries, or aggregations.**

package/stacks/nodejs/skills/nextjs-app-router/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: nextjs-app-router
+version: 1.0.0
+---
 # Next.js App Router — Modern Patterns
 **ALWAYS invoke when writing Next.js pages, layouts, or server components.**

package/stacks/nodejs/skills/trpc-api/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: trpc-api
+version: 1.0.0
+---
 # tRPC API — End-to-End Type Safety
 **ALWAYS invoke when building type-safe API routes with tRPC.**

package/stacks/nodejs/skills/typescript-strict/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: typescript-strict
+version: 1.0.0
+---
 # TypeScript Strict — Type Safety Patterns
 **ALWAYS invoke when writing .ts/.tsx files.**

package/stacks/nodejs/stack.json CHANGED Viewed

@@ -105,7 +105,8 @@
   "skills": [
     "typescript-strict",
     "bun-runtime",
-    "zod-validation"
+    "zod-validation",
+    "api-security-node"
   ],
   "requirements": [
     {