start-vibing-stacks 2.6.0 → 2.7.3

package/stacks/_shared/agents/security-auditor.md

@@ -0,0 +1,168 @@
+---
+name: security-auditor
+version: 1.0.0
+description: "AUTOMATICALLY invoke when code touches auth, sessions, user data, passwords, tokens, API routes, database queries, cookies, or env vars. VETO POWER — blocks insecure code. Runs AFTER tester, BEFORE quality-gate."
+model: sonnet
+tools: Read, Grep, Glob, Bash
+skills: security-baseline, secrets-management
+---
+
+# Security Auditor Agent
+
+You audit code for security flaws. **You have VETO power** — when violations are found you block the workflow and require fixes.
+
+## When You Run
+
+After implementation and tester, **before** quality-gate and commit-manager. Always run when modified files include:
+
+- Auth, session, login, register, password, token, JWT
+- Route Handlers, Server Actions, controllers, API endpoints
+- Database queries, ORM models
+- Cookie / header / CORS / CSP configuration
+- File uploads
+- Anything reading `process.env` / `os.environ` / `$_ENV` / `env()`
+
+## Step 1 — Read Stack Context
+
+```bash
+cat .claude/config/active-project.json
+```
+
+Branch logic on `stack`:
+- `nodejs` → load `api-security-node` skill
+- `python` → load `api-security-python` skill
+- `php` → load `api-security` skill
+- always → `security-baseline`, `secrets-management`
+
+## Step 2 — Identify Modified Files
+
+```bash
+git diff --name-only --diff-filter=AM HEAD
+git diff --name-only --cached --diff-filter=AM
+```
+
+Read each modified source file.
+
+## Step 3 — Run the Audit Matrix
+
+Apply each check below. **One violation = block.**
+
+### A. Authn / Session
+
+| Check | Pattern that fails |
+|---|---|
+| User ID from session, not body | `req.body.userId`, `request.json()["user_id"]`, `$request->input('user_id')` used for ownership |
+| Auth gate before logic | Route handler with no `auth()` / `Depends(current_user)` / `auth:sanctum` middleware |
+| Algorithm pinned on JWT | `jwt.verify(token)` without `algorithms` array |
+| Token in HttpOnly cookie | `localStorage.setItem('token', ...)` or token rendered into HTML |
+
+### B. Authz
+
+| Check | Pattern that fails |
+|---|---|
+| Object-level scope | `Model.findById(id)` with no `where userId = session.user.id` |
+| Role check on server | Role check only in client/UI |
+| Mass assignment guard | `User.create(req.body)` without allowlist / Zod `.strict()` / Pydantic `extra="forbid"` / `$fillable` |
+
+### C. Input Validation
+
+| Check | Pattern that fails |
+|---|---|
+| Schema at boundary | Route handler reads `req.body` / `request.json()` without Zod / Pydantic / FormRequest |
+| Strict mode | Schema present but allows extra keys |
+| Mongo operator injection | `User.findOne({ email: req.body.email })` without coercing email to string |
+| SQL bindings | f-string / template-literal SQL: `f"... {x} ..."`, `\`SELECT ... ${x}\``, `"... $x ..."` |
+
+### D. Secrets / Env
+
+Run secrets scan:
+
+```bash
+# Quick high-signal grep
+git diff --cached -U0 \
+  | grep -E '(api[_-]?key|secret|token|password|bearer|aws_|private_key)' \
+  | grep -vE '\.env\.example|TEMPLATE|placeholder|example|<your|YOUR_|XXXX'
+```
+
+Also check:
+- No `NEXT_PUBLIC_` containing `SECRET|TOKEN|PRIVATE|PASSWORD|CREDENTIAL`
+- No hardcoded connection string with embedded password
+- `.env` is in `.gitignore`
+- `.env.example` exists if any env var is read
+
+### E. Cookies
+
+| Check | Required |
+|---|---|
+| `httpOnly: true` | yes |
+| `secure: true` in prod | yes |
+| `sameSite` set | `lax` or `strict` |
+
+### F. CORS / Headers
+
+- No `origin: '*'` or `allow_origins=["*"]` combined with `credentials: true` / `allow_credentials=True`
+- Security headers configured (Helmet / middleware): HSTS, CSP, X-Content-Type-Options, Referrer-Policy
+
+### G. Rate Limiting
+
+- Auth endpoints (`/login`, `/register`, `/password/reset`) have a rate limiter
+- Webhook endpoints reject requests without verified signature
+
+### H. Logging
+
+- No `console.log(req.body)` / `print(request.json())` / `Log::info($request->all())`
+- No `console.log(token)` / logging of cookies, headers, or `Authorization`
+- No PII (email, phone, full name) in logs without redaction
+
+### I. SSRF
+
+- User-supplied URLs are validated against an allowlist OR private IP ranges are blocked
+
+### J. Webhook Verification
+
+- Stripe / GitHub / GitHub App webhooks call `constructEvent` / signature verifier **before** parsing body
+
+## Step 4 — Report
+
+If everything passes, output:
+
+```
+✅ Security audit passed.
+Files audited: <n>
+Checks: A-J all green.
+```
+
+If violations are found, output:
+
+```
+🛑 SECURITY AUDIT BLOCKED
+
+<n> violation(s) found:
+
+1. [HIGH] <file>:<line>
+   Issue: <one line>
+   Fix: <one line>
+   Reference: security-baseline §A01 (or whichever)
+
+2. [MEDIUM] ...
+```
+
+Severity:
+- **CRITICAL** — RCE, SQLi, missing auth, secret in commit. Block immediately.
+- **HIGH** — Authz bypass, missing CSRF, unsafe cookie. Block.
+- **MEDIUM** — Missing rate limit, weak headers. Block.
+- **LOW** — Minor logging concern. Warn, allow.
+
+## Rules
+
+1. **VETO POWER** — `domain-updater` and `commit-manager` MUST NOT run while you have unresolved CRITICAL/HIGH/MEDIUM findings.
+2. **READ THE CODE** — never approve based on file names alone.
+3. **NO FALSE NEGATIVES > FALSE POSITIVES** — when in doubt, flag and explain.
+4. **CITE THE FIX** — every finding has a one-line fix and a skill reference.
+5. **RE-RUN AFTER FIXES** — never trust "I fixed it" without re-reading the file.
+
+## See Also
+
+- Skill `security-baseline` — universal OWASP rules
+- Skill `secrets-management` — env hygiene
+- Stack-specific skill: `api-security-node` / `api-security-python` / PHP `api-security`

package/stacks/_shared/agents/tester.md

@@ -1,5 +1,6 @@
 ---
 name: tester
+version: 1.0.0
 description: "AUTOMATICALLY invoke AFTER implementing any function or utility. Creates tests using the stack-appropriate framework."
 model: sonnet
 tools: Read, Write, Edit, Bash, Grep, Glob

package/stacks/_shared/hooks/final-check.ts

@@ -0,0 +1,205 @@
+#!/usr/bin/env node
+/**
+ * Final Check — executable validator with VETO.
+ *
+ * Scans staged + unstaged source files for forbidden patterns:
+ *  - debug statements (console.log, var_dump, dd, print debug)
+ *  - TODO/FIXME left in code
+ *  - any-typed code (TypeScript)
+ *  - hardcoded secrets
+ *  - test .skip / .only
+ *  - dangerous functions (RCE, command injection)
+ *
+ * Exits 0 if clean, 1 if any blocking finding. Output is human-readable.
+ */
+
+import { spawnSync } from 'child_process';
+import { existsSync, readFileSync, statSync } from 'fs';
+import { extname, join } from 'path';
+
+const PROJECT_DIR = process.env['CLAUDE_PROJECT_DIR'] || process.cwd();
+const ACTIVE_PROJECT = join(PROJECT_DIR, '.claude', 'config', 'active-project.json');
+
+let stackId = 'unknown';
+try {
+  if (existsSync(ACTIVE_PROJECT)) {
+    stackId = JSON.parse(readFileSync(ACTIVE_PROJECT, 'utf8')).stack || 'unknown';
+  }
+} catch {}
+
+const STACK_EXTENSIONS: Record<string, Set<string>> = {
+  php: new Set(['.php', '.blade.php']),
+  nodejs: new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs']),
+  python: new Set(['.py']),
+};
+const sourceExt = STACK_EXTENSIONS[stackId] || new Set(['.ts', '.js', '.php', '.py']);
+
+interface Finding {
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+  file: string;
+  line: number;
+  rule: string;
+  excerpt: string;
+}
+
+const findings: Finding[] = [];
+
+function git(...args: string[]): string {
+  const r = spawnSync('git', args, { cwd: PROJECT_DIR, encoding: 'utf8' });
+  return (r.stdout || '').trim();
+}
+
+// Paths that are always skipped (validator itself, generated, vendored, etc.)
+const SKIP_PATH_RE = /(^|\/)(\.claude\/hooks|\.claude\/scripts|node_modules|dist|build|coverage|vendor|\.next|\.nuxt|venv|\.venv|stacks\/_shared\/hooks)\//;
+
+function listFiles(): string[] {
+  const staged = git('diff', '--name-only', '--cached', '--diff-filter=ACMR').split('\n');
+  const unstaged = git('diff', '--name-only', '--diff-filter=ACMR').split('\n');
+  const untracked = git('ls-files', '--others', '--exclude-standard').split('\n');
+  const all = new Set<string>();
+  for (const f of [...staged, ...unstaged, ...untracked]) {
+    if (!f) continue;
+    if (SKIP_PATH_RE.test('/' + f)) continue;
+    if (!sourceExt.has(extname(f).toLowerCase())) continue;
+    const full = join(PROJECT_DIR, f);
+    if (!existsSync(full)) continue;
+    try {
+      if (statSync(full).isFile()) all.add(f);
+    } catch {}
+  }
+  return [...all];
+}
+
+interface Rule {
+  re: RegExp;
+  rule: string;
+  severity: Finding['severity'];
+  appliesTo?: (path: string) => boolean;
+}
+
+const isTest = (p: string) => /\.(test|spec)\.[tj]sx?$|tests?\//i.test(p);
+const isPhp = (p: string) => p.endsWith('.php');
+const isPy = (p: string) => p.endsWith('.py');
+const isJs = (p: string) => /\.(t|j)sx?$|\.mjs$/.test(p);
+
+// Build dangerous-function regex via parts to avoid trivial lexical scans
+const DANGEROUS_JS = new RegExp('\\b' + 'ev' + 'al' + '\\s*\\(');
+const DANGEROUS_PY = new RegExp('\\b(?:' + 'ev' + 'al' + '|exec)\\s*\\(');
+
+const RULES: Rule[] = [
+  // Debug statements
+  { re: /\bconsole\.(log|debug|trace)\s*\(/, rule: 'console debug statement', severity: 'MEDIUM',
+    appliesTo: p => isJs(p) && !isTest(p) },
+  { re: /\b(var_dump|dd|dump|print_r)\s*\(/, rule: 'PHP debug statement', severity: 'MEDIUM',
+    appliesTo: isPhp },
+  { re: /^[^#]*\bprint\s*\(/m, rule: 'Python print() (use logger)', severity: 'LOW',
+    appliesTo: p => isPy(p) && !isTest(p) },
+
+  // Tests
+  { re: /\b(it|test|describe)\.(only|skip)\s*\(/, rule: '.only / .skip in test', severity: 'HIGH',
+    appliesTo: p => /\.(test|spec)\./i.test(p) },
+  { re: /@pytest\.mark\.skip\b/, rule: 'pytest skip marker', severity: 'MEDIUM',
+    appliesTo: isPy },
+
+  // TypeScript any
+  { re: /:\s*any\b(?!\s*\/\*\s*ok)/, rule: 'explicit any (use unknown or proper type)', severity: 'MEDIUM',
+    appliesTo: p => /\.(ts|tsx)$/.test(p) },
+  { re: /@ts-ignore/, rule: '@ts-ignore (use @ts-expect-error with comment)', severity: 'MEDIUM',
+    appliesTo: p => /\.(ts|tsx)$/.test(p) },
+
+  // TODO / FIXME — informational
+  { re: /\b(TODO|FIXME|XXX|HACK)\b/, rule: 'unresolved TODO/FIXME', severity: 'LOW' },
+
+  // Secrets — high signal patterns
+  { re: /(?:api[_-]?key|secret|token|bearer|password|aws_(?:access|secret)_key|private_key)\s*[:=]\s*["'][A-Za-z0-9/+=_\-.]{20,}["']/i,
+    rule: 'possible hardcoded secret', severity: 'CRITICAL' },
+  { re: /(?:NEXT_PUBLIC|VITE|REACT_APP)_[A-Z_]*(?:SECRET|TOKEN|PRIVATE|PASSWORD|CREDENTIAL)/,
+    rule: 'public env var contains secret-like name', severity: 'CRITICAL' },
+
+  // Dangerous code execution
+  { re: DANGEROUS_JS, rule: 'arbitrary code execution function — RCE risk', severity: 'HIGH',
+    appliesTo: p => isJs(p) || isPhp(p) },
+  { re: DANGEROUS_PY, rule: 'arbitrary code execution function — RCE risk', severity: 'HIGH',
+    appliesTo: isPy },
+  { re: /shell\s*=\s*True/, rule: 'subprocess shell=True (command injection)', severity: 'HIGH',
+    appliesTo: isPy },
+
+  // SQL string concat (rough)
+  { re: /(SELECT|INSERT|UPDATE|DELETE)\s[^"']*?\+\s*[a-zA-Z_]/i,
+    rule: 'possible SQL string concatenation', severity: 'HIGH', appliesTo: p => isJs(p) || isPhp(p) },
+  { re: /f["'][^"']*\b(SELECT|INSERT|UPDATE|DELETE)\b[^"']*\{/i,
+    rule: 'f-string SQL (use bind parameters)', severity: 'HIGH', appliesTo: isPy },
+];
+
+const SEVERITY_ORDER: Record<Finding['severity'], number> = { CRITICAL: 0, HIGH: 1, MEDIUM: 2, LOW: 3 };
+const PLACEHOLDER_RE = /<\s*your[_\- ]|YOUR_[A-Z_]+|placeholder|example\.com|sk_test_|sk_xxx|xxxxxxxx/i;
+
+function scan(file: string) {
+  const full = join(PROJECT_DIR, file);
+  let content: string;
+  try { content = readFileSync(full, 'utf8'); } catch { return; }
+
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i] ?? '';
+    if (line.length > 1000) continue;          // skip minified
+    if (PLACEHOLDER_RE.test(line)) continue;   // example/template values
+    for (const r of RULES) {
+      if (r.appliesTo && !r.appliesTo(file)) continue;
+      if (r.re.test(line)) {
+        findings.push({
+          severity: r.severity,
+          file,
+          line: i + 1,
+          rule: r.rule,
+          excerpt: line.trim().slice(0, 160),
+        });
+      }
+    }
+  }
+}
+
+function main() {
+  const files = listFiles();
+  if (files.length === 0) {
+    console.log('Final check: no source files in current diff to scan.');
+    process.exit(0);
+  }
+
+  for (const f of files) scan(f);
+
+  findings.sort((a, b) => SEVERITY_ORDER[a.severity] - SEVERITY_ORDER[b.severity]);
+
+  const blocking = findings.filter(f => f.severity === 'CRITICAL' || f.severity === 'HIGH');
+  const warnings = findings.filter(f => f.severity === 'MEDIUM' || f.severity === 'LOW');
+
+  if (findings.length === 0) {
+    console.log(`Final check passed (${files.length} file${files.length === 1 ? '' : 's'} scanned, stack=${stackId}).`);
+    process.exit(0);
+  }
+
+  console.log(`Final check report — stack=${stackId}, files=${files.length}\n`);
+
+  if (blocking.length > 0) {
+    console.log(`BLOCKING — ${blocking.length} critical/high finding${blocking.length === 1 ? '' : 's'}:\n`);
+    for (const f of blocking) {
+      console.log(`  [${f.severity}] ${f.file}:${f.line}`);
+      console.log(`    ${f.rule}`);
+      console.log(`    > ${f.excerpt}`);
+    }
+    console.log('');
+  }
+
+  if (warnings.length > 0) {
+    console.log(`WARNINGS — ${warnings.length} medium/low finding${warnings.length === 1 ? '' : 's'}:\n`);
+    for (const f of warnings.slice(0, 20)) {
+      console.log(`  [${f.severity}] ${f.file}:${f.line}  ${f.rule}`);
+    }
+    if (warnings.length > 20) console.log(`  ... and ${warnings.length - 20} more`);
+    console.log('');
+  }
+
+  process.exit(blocking.length > 0 ? 1 : 0);
+}
+
+main();

package/stacks/_shared/hooks/stop-validator.ts

@@ -9,6 +9,7 @@
  * 3. CLAUDE.md not updated
  * 4. CLAUDE.md missing required sections
  * 5. CLAUDE.md exceeds 40k chars
+ * 6. Secret pattern detected in committed/staged files (uses gitleaks if present, fallback to regex)
  */
 
 import { execSync } from 'child_process';
@@ -65,6 +66,71 @@ function getModifiedFiles(): string[] {
   return [...new Set([...staged, ...unstaged, ...untracked])];
 }
 
+/**
+ * Run a command capturing stdout, stderr and exit code without throwing.
+ */
+function runCapture(command: string): { code: number; stdout: string; stderr: string } {
+  try {
+    const stdout = execSync(command, {
+      cwd: PROJECT_DIR,
+      encoding: 'utf8',
+      stdio: ['pipe', 'pipe', 'pipe'],
+    });
+    return { code: 0, stdout: stdout.toString(), stderr: '' };
+  } catch (err: any) {
+    return {
+      code: typeof err?.status === 'number' ? err.status : 1,
+      stdout: err?.stdout?.toString?.() ?? '',
+      stderr: err?.stderr?.toString?.() ?? '',
+    };
+  }
+}
+
+/**
+ * Scan staged + unstaged diff for secret patterns.
+ * Uses gitleaks when installed; otherwise applies a high-signal regex sweep.
+ * Returns a list of findings (empty = clean).
+ */
+function scanSecrets(): string[] {
+  const findings: string[] = [];
+
+  const hasGitleaks = cmd('command -v gitleaks').length > 0;
+  if (hasGitleaks) {
+    const { code, stdout, stderr } = runCapture(
+      'gitleaks detect --no-banner --redact --exit-code 1 --log-level=error'
+    );
+    if (code !== 0) {
+      const out = stdout + '\n' + stderr;
+      const lines = out
+        .split('\n')
+        .filter(l => l.includes('Finding:') || l.includes('File:') || l.includes('Secret:'));
+      if (lines.length > 0) findings.push(...lines.slice(0, 20));
+      else findings.push('gitleaks reported leaks (run `gitleaks detect --redact -v` for details)');
+    }
+    return findings;
+  }
+
+  // Fallback: high-signal regex sweep over staged + unstaged diff
+  const SECRET_RE = /(?:api[_-]?key|secret|token|bearer|password|aws_(?:access|secret)_key|private_key)\s*[:=]\s*["'][A-Za-z0-9/+=_\-.]{16,}["']/i;
+  const PUBLIC_LEAK_RE = /(?:NEXT_PUBLIC|VITE|REACT_APP)_[A-Z_]*(?:SECRET|TOKEN|PRIVATE|PASSWORD|CREDENTIAL)/;
+  const PLACEHOLDER_RE = /<\s*your[_\- ]|YOUR_[A-Z_]+|placeholder|example\.com|sk_test_|sk_xxx|xxxxxxxx/i;
+
+  const diff = cmd('git diff --cached -U0') + '\n' + cmd('git diff -U0');
+  if (!diff.trim()) return findings;
+
+  const lines = diff.split('\n');
+  for (const line of lines) {
+    if (!line.startsWith('+') || line.startsWith('+++')) continue;
+    if (PLACEHOLDER_RE.test(line)) continue;
+    if (SECRET_RE.test(line) || PUBLIC_LEAK_RE.test(line)) {
+      const masked = line.replace(/(["']).{8,}\1/, '$1[REDACTED]$1').slice(0, 160);
+      findings.push(masked);
+      if (findings.length >= 5) break;
+    }
+  }
+  return findings;
+}
+
 function validate(): HookResult {
   const branch = getBranch();
   const isMain = branch === 'main' || branch === 'master';
@@ -132,11 +198,21 @@ function validate(): HookResult {
     };
   }
 
+  // 5. Secret scan (gitleaks or regex fallback)
+  const secrets = scanSecrets();
+  if (secrets.length > 0) {
+    return {
+      continue: true,
+      decision: 'block',
+      reason: `BLOCKED: Potential secrets detected in diff:\n${secrets.map(s => `  - ${s}`).join('\n')}\n\nRotate the credential, remove from diff, and re-run.`,
+    };
+  }
+
   // All good
   return {
     continue: false,
     decision: 'approve',
-    reason: `ALL CHECKS PASSED ✅\nStack: ${stackId}\nBranch: ${branch}\nTree: Clean`,
+    reason: `ALL CHECKS PASSED ✅\nStack: ${stackId}\nBranch: ${branch}\nTree: Clean\nSecrets: clean`,
   };
 }