npm - start-vibing-stacks - Versions diffs - 2.6.0 → 2.7.3 - Mend

start-vibing-stacks 2.6.0 → 2.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (80) hide show

package/stacks/nodejs/skills/api-security-node/SKILL.md ADDED Viewed

@@ -0,0 +1,275 @@
+---
+name: api-security-node
+version: 1.0.0
+description: Production-grade API hardening for Node.js (Express, Fastify, Next.js Route Handlers, Server Actions). Rate limit, CORS, JWT, secure cookies, CSRF, headers.
+---
+# API Security — Node.js
+**ALWAYS invoke when building API endpoints, auth flows, Server Actions, or Route Handlers.**
+> Pair this with `security-baseline` for OWASP Top 10. This skill is stack-specific hardening.
+## Layered Defense
+```
+Edge (CDN/WAF) → Rate Limit → CORS → Headers → Auth → Authz → Validate → Logic → Encode → Audit
+```
+---
+## 1. Security Headers
+### Express / Fastify
+```ts
+import helmet from 'helmet';
+app.use(helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      scriptSrc: ["'self'", "'strict-dynamic'", (_, res) => `'nonce-${res.locals.nonce}'`],
+      styleSrc: ["'self'", "'unsafe-inline'"], // Tailwind needs inline; otherwise remove
+      imgSrc: ["'self'", 'data:', 'https:'],
+      connectSrc: ["'self'"],
+      frameAncestors: ["'none'"],
+    },
+  },
+  hsts: { maxAge: 63072000, includeSubDomains: true, preload: true },
+  referrerPolicy: { policy: 'strict-origin-when-cross-origin' },
+  crossOriginOpenerPolicy: { policy: 'same-origin' },
+}));
+```
+### Next.js — `next.config.ts`
+```ts
+const securityHeaders = [
+  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
+  { key: 'X-Content-Type-Options', value: 'nosniff' },
+  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+  { key: 'X-Frame-Options', value: 'DENY' },
+];
+export default {
+  async headers() { return [{ source: '/(.*)', headers: securityHeaders }]; },
+};
+```
+CSP for Next.js is best done in middleware with per-request nonces (script-src `'strict-dynamic'`).
+---
+## 2. CORS — Strict Allowlist
+```ts
+import cors from 'cors';
+const ALLOW = (process.env['CORS_ORIGINS'] ?? '').split(',').filter(Boolean);
+app.use(cors({
+  origin: (origin, cb) => {
+    if (!origin) return cb(null, true);          // server-to-server
+    if (ALLOW.includes(origin)) return cb(null, true);
+    return cb(new Error('CORS blocked'));
+  },
+  credentials: true,                              // required for cookies
+  methods: ['GET', 'POST', 'PATCH', 'DELETE'],
+  maxAge: 600,
+}));
+```
+**Never** use `origin: '*'` with `credentials: true` — browsers will reject and you'll silently break auth.
+---
+## 3. Rate Limiting
+### Express — `express-rate-limit` + Redis
+```ts
+import rateLimit from 'express-rate-limit';
+import RedisStore from 'rate-limit-redis';
+const authLimiter = rateLimit({
+  store: new RedisStore({ sendCommand: (...args) => redis.call(...args) }),
+  windowMs: 15 * 60 * 1000,
+  max: 5,                          // 5 attempts / 15 min / IP
+  standardHeaders: true,
+  legacyHeaders: false,
+  skipSuccessfulRequests: true,    // only count failures on /login
+});
+app.post('/auth/login', authLimiter, loginHandler);
+```
+### Next.js — `@upstash/ratelimit`
+```ts
+import { Ratelimit } from '@upstash/ratelimit';
+import { Redis } from '@upstash/redis';
+const limiter = new Ratelimit({
+  redis: Redis.fromEnv(),
+  limiter: Ratelimit.slidingWindow(10, '60s'),
+  analytics: true,
+});
+export async function POST(req: Request) {
+  const ip = req.headers.get('x-forwarded-for') ?? 'anonymous';
+  const { success } = await limiter.limit(ip);
+  if (!success) return new Response('Too Many Requests', { status: 429 });
+  // ...
+}
+```
+**Limits to set:** auth (5/15min), password reset (3/hour), signup (3/hour/IP), generic write (60/min/user).
+---
+## 4. Cookies
+```ts
+res.cookie('session', token, {
+  httpOnly: true,                         // JS cannot read
+  secure: process.env['NODE_ENV'] === 'production',
+  sameSite: 'lax',                        // 'strict' if no cross-site flows
+  path: '/',
+  maxAge: 1000 * 60 * 60 * 24 * 7,        // 7d
+  domain: process.env['COOKIE_DOMAIN'],   // e.g. .example.com
+});
+```
+For sensitive ops, also set a CSRF token cookie (readable) + require it in `X-CSRF-Token` header.
+---
+## 5. JWT / Session Tokens
+```ts
+import { SignJWT, jwtVerify } from 'jose';
+const SECRET = new TextEncoder().encode(process.env['JWT_SECRET']);
+// Issue access token (short-lived) + refresh token (rotated)
+const accessToken = await new SignJWT({ sub: user.id, role: user.role })
+  .setProtectedHeader({ alg: 'HS256' })
+  .setIssuedAt()
+  .setExpirationTime('15m')
+  .setJti(crypto.randomUUID())
+  .sign(SECRET);
+// Verify
+const { payload } = await jwtVerify(token, SECRET, {
+  algorithms: ['HS256'],   // pin algorithm — never accept 'none'
+  clockTolerance: 5,
+});
+```
+Rules:
+- Access tokens: ≤ 15 min. Refresh tokens: rotate on use, store hash in DB, revocable.
+- Pin algorithm. The `alg: 'none'` and key-confusion attacks are real.
+- Include `jti` for revocation lists.
+---
+## 6. CSRF — Next.js Server Actions / Route Handlers
+Server Actions: Next.js 14+ verifies origin automatically when called via form/`useFormState`. For Route Handlers and any cross-origin form, implement double-submit cookie:
+```ts
+// middleware.ts
+import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
+export function middleware(req: NextRequest) {
+  const res = NextResponse.next();
+  if (!req.cookies.get('csrf-token')) {
+    res.cookies.set('csrf-token', crypto.randomUUID(), {
+      sameSite: 'lax', secure: true, path: '/',
+    });
+  }
+  if (['POST', 'PUT', 'PATCH', 'DELETE'].includes(req.method)) {
+    const cookie = req.cookies.get('csrf-token')?.value;
+    const header = req.headers.get('x-csrf-token');
+    if (!cookie || cookie !== header) {
+      return new NextResponse('CSRF', { status: 403 });
+    }
+  }
+  return res;
+}
+```
+---
+## 7. Input Validation Boundary (Zod)
+```ts
+import { z } from 'zod';
+const Body = z.object({
+  email: z.string().email().max(254),
+  age: z.number().int().min(13).max(120),
+}).strict();   // .strict() rejects unknown keys → blocks mass assignment
+export async function POST(req: Request) {
+  const parsed = Body.safeParse(await req.json());
+  if (!parsed.success) {
+    return Response.json({ errors: parsed.error.flatten() }, { status: 422 });
+  }
+  // parsed.data is type-safe and clean
+}
+```
+---
+## 8. File Upload
+- Cap size at the proxy AND in the handler.
+- Validate MIME by **magic bytes** (`file-type` package), not by extension or `Content-Type`.
+- Store outside webroot. Serve via signed URLs.
+- Never use the user-supplied filename on disk — generate a UUID.
+```ts
+import { fileTypeFromBuffer } from 'file-type';
+const ft = await fileTypeFromBuffer(buf);
+if (!ft || !['image/jpeg', 'image/png', 'image/webp'].includes(ft.mime)) {
+  throw new BadRequestError('Invalid file type');
+}
+```
+---
+## 9. Password Hashing
+```ts
+import { hash, verify } from '@node-rs/argon2';
+const hashed = await hash(password, { memoryCost: 19456, timeCost: 2, parallelism: 1 });
+const ok = await verify(hashed, attempt);   // constant-time
+```
+Never use `bcryptjs` (pure JS, slow); prefer native `bcrypt` or `argon2`. Argon2id is the modern default.
+---
+## 10. Server Action / Route Handler Checklist
+- [ ] `auth()` called first; reject if no session for protected routes
+- [ ] User ID from session, **never** from body
+- [ ] Zod schema with `.strict()`
+- [ ] Authz check (RBAC/ABAC) on the resource
+- [ ] Rate limit applied
+- [ ] No `console.log(req.body)` (PII leak — see `observability`)
+- [ ] Errors return generic message; details to logs only
+## FORBIDDEN
+| Anti-pattern | Reason |
+|---|---|
+| `cors({ origin: '*', credentials: true })` | Browsers reject; you're disabling auth |
+| `jwt.verify(token)` without `algorithms` | `alg: none` and key confusion attacks |
+| Storing JWT in `localStorage` | XSS exfiltration trivial — use HttpOnly cookies |
+| `app.use(express.json({ limit: '50mb' }))` everywhere | DoS — set per-route |
+| `req.body.userId` for ownership | A01 violation — use session |
+| Logging `req.body` or `req.headers` | Logs passwords, cookies, tokens |
+| `bcrypt.compare(a, b)` with non-string | Type coercion bugs leak info |
+## See Also
+- `security-baseline` — OWASP Top 10
+- `secrets-management` — env vars, rotation
+- `zod-validation` — schema patterns
+- `observability` — structured logs without PII

package/stacks/nodejs/skills/bun-runtime/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: bun-runtime
+version: 1.0.0
+---
 # Bun Runtime — Fast JavaScript Runtime
 **ALWAYS invoke when using Bun for scripts, packages, bundling, or testing.**

package/stacks/nodejs/skills/mongoose-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: mongoose-patterns
+version: 1.0.0
+---
 # Mongoose Patterns — MongoDB ODM
 **ALWAYS invoke when writing Mongoose schemas, queries, or aggregations.**

package/stacks/nodejs/skills/nextjs-app-router/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: nextjs-app-router
+version: 1.0.0
+---
 # Next.js App Router — Modern Patterns
 **ALWAYS invoke when writing Next.js pages, layouts, or server components.**

package/stacks/nodejs/skills/trpc-api/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: trpc-api
+version: 1.0.0
+---
 # tRPC API — End-to-End Type Safety
 **ALWAYS invoke when building type-safe API routes with tRPC.**

package/stacks/nodejs/skills/typescript-strict/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: typescript-strict
+version: 1.0.0
+---
 # TypeScript Strict — Type Safety Patterns
 **ALWAYS invoke when writing .ts/.tsx files.**

package/stacks/nodejs/stack.json CHANGED Viewed

@@ -105,7 +105,8 @@
   "skills": [
     "typescript-strict",
     "bun-runtime",
-    "zod-validation"
+    "zod-validation",
+    "api-security-node"
   ],
   "requirements": [
     {

package/stacks/nodejs/workflows/ci.yml ADDED Viewed

@@ -0,0 +1,90 @@
+name: CI
+on:
+  pull_request:
+  push:
+    branches: [main]
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+permissions:
+  contents: read
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+      - name: Typecheck
+        run: bun run typecheck
+      - name: Lint
+        run: bun run lint
+      - name: Unit tests
+        run: bun run test
+      - name: Build
+        run: bun run build
+  security:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+      - name: Audit dependencies
+        run: bun audit --audit-level=high
+        continue-on-error: false
+      - name: Gitleaks (secret scan)
+        uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  e2e:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    if: github.event_name == 'pull_request' || github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - name: Install dependencies
+        run: bun install --frozen-lockfile
+      - name: Install Playwright browsers
+        run: bunx playwright install --with-deps chromium
+      - name: Run Playwright tests
+        run: bunx playwright test
+      - uses: actions/upload-artifact@v4
+        if: failure()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 14

package/stacks/nodejs/workflows/security.yml ADDED Viewed

@@ -0,0 +1,45 @@
+name: Security
+on:
+  schedule:
+    - cron: '0 4 * * 1'         # Mondays 04:00 UTC
+  push:
+    branches: [main]
+  workflow_dispatch:
+permissions:
+  contents: read
+  security-events: write
+jobs:
+  audit:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: latest
+      - run: bun install --frozen-lockfile
+      - run: bun audit --audit-level=high
+  gitleaks:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: gitleaks/gitleaks-action@v2
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  codeql:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v4
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: javascript-typescript
+      - uses: github/codeql-action/analyze@v3

package/stacks/php/skills/api-design/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: api-design
+version: 1.0.0
+---
 # PHP API Design Standards
 ## RESTful Principles

package/stacks/php/skills/api-security/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: api-security
+version: 1.0.0
+---
 # API Security — NSA-Level Hardening for Laravel + Octane
 **ALWAYS invoke when building APIs, auth endpoints, or handling user input.**

package/stacks/php/skills/composer-workflow/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: composer-workflow
+version: 1.0.0
+---
 # Composer Workflow
 ## Requirements

package/stacks/php/skills/external-api-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: external-api-patterns
+version: 1.0.0
+---
 # External API Patterns — HTTP Client for Laravel + Octane
 **ALWAYS invoke when consuming external APIs, webhooks, or third-party services.**

package/stacks/php/skills/inertia-react/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: inertia-react
+version: 1.0.0
+---
 # Inertia.js + React — Laravel Frontend
 **ALWAYS invoke when writing Inertia.js pages, components, or shared data.**

package/stacks/php/skills/laravel-inertia-i18n/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: laravel-inertia-i18n
+version: 1.0.0
+---
 # Laravel + Inertia i18n — Centralized Translations
 **ALWAYS invoke when adding translations, creating new pages, or working with multilingual content.**

package/stacks/php/skills/laravel-octane/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: laravel-octane
+version: 1.0.0
+---
 # Laravel Octane (RoadRunner) Patterns
 ## How Octane Works

package/stacks/php/skills/laravel-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: laravel-patterns
+version: 1.0.0
+---
 # Laravel Patterns & Standards
 ## Model Standards

package/stacks/php/skills/mariadb-octane/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: mariadb-octane
+version: 1.0.0
+---
 # MariaDB + Octane — Database Patterns for Persistent Workers
 **ALWAYS invoke when writing queries, migrations, models, or DB config in Laravel Octane.**

package/stacks/php/skills/php-patterns/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: php-patterns
+version: 1.0.0
+---
 # PHP 8.3+ Patterns for Laravel
 ## Version Requirements

package/stacks/php/skills/phpstan-analysis/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: phpstan-analysis
+version: 1.0.0
+---
 # PHPStan Static Analysis
 ## Setup

package/stacks/php/skills/phpunit-testing/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: phpunit-testing
+version: 1.0.0
+---
 # PHPUnit Testing Skill
 ## Setup

package/stacks/php/skills/security-scan-php/SKILL.md CHANGED Viewed

@@ -1,3 +1,8 @@
+---
+name: security-scan-php
+version: 1.0.0
+---
 # Laravel Security Scan
 ## OWASP Top 10 for Laravel