npm - start-vibing - Versions diffs - 1.1.2 → 1.1.3 - Mend

start-vibing 1.1.2 → 1.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (39) hide show

package/package.json +1 -1
package/template/.claude/CLAUDE.md +129 -168
package/template/.claude/README.md +135 -126
package/template/.claude/agents/analyzer.md +0 -14
package/template/.claude/agents/commit-manager.md +0 -19
package/template/.claude/agents/documenter.md +0 -10
package/template/.claude/agents/domain-updater.md +194 -200
package/template/.claude/agents/final-validator.md +0 -18
package/template/.claude/agents/orchestrator.md +0 -12
package/template/.claude/agents/quality-checker.md +0 -24
package/template/.claude/agents/research.md +251 -262
package/template/.claude/agents/security-auditor.md +1 -14
package/template/.claude/agents/tester.md +0 -8
package/template/.claude/agents/ui-ux-reviewer.md +0 -8
package/template/.claude/commands/feature.md +48 -102
package/template/.claude/config/README.md +30 -30
package/template/.claude/config/domain-mapping.json +55 -26
package/template/.claude/config/project-config.json +56 -53
package/template/.claude/config/quality-gates.json +46 -46
package/template/.claude/config/security-rules.json +45 -45
package/template/.claude/config/testing-config.json +168 -168
package/template/.claude/hooks/SETUP.md +52 -181
package/template/.claude/hooks/user-prompt-submit.py +37 -246
package/template/.claude/settings.json +39 -267
package/template/.claude/skills/codebase-knowledge/SKILL.md +71 -145
package/template/.claude/skills/codebase-knowledge/domains/claude-system.md +54 -321
package/template/.claude/skills/docs-tracker/SKILL.md +63 -239
package/template/.claude/skills/final-check/SKILL.md +72 -284
package/template/.claude/skills/quality-gate/SKILL.md +71 -278
package/template/.claude/skills/research-cache/SKILL.md +73 -207
package/template/.claude/skills/security-scan/SKILL.md +75 -206
package/template/.claude/skills/test-coverage/SKILL.md +66 -441
package/template/.claude/skills/ui-ux-audit/SKILL.md +68 -254
package/template/.claude/hooks/post-tool-use.py +0 -155
package/template/.claude/hooks/pre-tool-use.py +0 -159
package/template/.claude/hooks/stop-validation.py +0 -155
package/template/.claude/hooks/validate-commit.py +0 -200
package/template/.claude/hooks/workflow-manager.py +0 -350
package/template/.claude/workflow-state.schema.json +0 -200

package/template/.claude/skills/security-scan/SKILL.md CHANGED Viewed

@@ -1,206 +1,75 @@
----
-name: security-scan
-description: Audits code security against OWASP Top 10. Validates user ID from session, detects sensitive data leaks, verifies Zod validation. HAS VETO POWER - blocks insecure code.
-allowed-tools: Read, Grep, Glob, Bash
----
-# Security Scan - Security Audit System
-## VETO POWER
-> **WARNING:** This skill HAS VETO POWER.
-> If critical vulnerability detected, MUST:
->
-> 1. STOP implementation
-> 2. REPORT vulnerability
-> 3. REQUIRE fix before proceeding
----
-## Purpose
-This skill audits code security:
-- **Validates** user ID comes from session (NEVER from request)
-- **Detects** sensitive data being sent to frontend
-- **Verifies** Zod validation on all routes
-- **Audits** against OWASP Top 10
-- **Blocks** commits with critical vulnerabilities
----
-## Critical Security Rules
-### 1. USER ID ALWAYS FROM SESSION
-> **NEVER** trust user ID from frontend.
-> **ALWAYS** extract from `ctx.session.userId` or `ctx.user._id`.
-```typescript
-// WRONG - VULNERABLE (IMMEDIATE VETO)
-async function getData({ userId }: { userId: string }) {
-	return db.find({ userId }); // userId can be manipulated!
-}
-// CORRECT
-async function getData({ ctx }: { ctx: Context }) {
-	const userId = ctx.user._id; // Always from session
-	return db.find({ userId });
-}
-```
-### 2. SENSITIVE DATA NEVER TO FRONTEND
-> **NEVER** send to frontend:
->
-> - Passwords (even hashed)
-> - API tokens
-> - Secret keys
-> - Other users' data
-> - Stack traces in production
-```typescript
-// WRONG - DATA LEAK (IMMEDIATE VETO)
-return {
-	user: await UserModel.findById(id), // Includes passwordHash!
-};
-// CORRECT
-return {
-	user: user.toPublic(), // Sanitization method
-};
-```
-### 3. ZOD VALIDATION REQUIRED
-> **EVERY** tRPC route MUST have `.input(z.object({...}))`.
-> Unvalidated inputs are attack vectors.
-```typescript
-// WRONG - NO VALIDATION (IMMEDIATE VETO)
-.mutation(async ({ input }) => {
-  await db.create(input); // input can have anything!
-})
-// CORRECT
-.input(createSchema) // Zod schema
-.mutation(async ({ input }) => {
-  await db.create(input); // input is validated
-})
-```
----
-## OWASP Top 10 Checklist
-### A01: Broken Access Control
-- [ ] All protected routes use `protectedProcedure`?
-- [ ] User ID from session, not input?
-- [ ] Resources filtered by user/tenant?
-### A02: Cryptographic Failures
-- [ ] Passwords hashed with bcrypt (salt >= 10)?
-- [ ] Tokens generated with crypto.randomBytes?
-- [ ] Cookies with HttpOnly, Secure, SameSite?
-- [ ] No secrets in code (use env vars)?
-### A03: Injection
-- [ ] Queries use Mongoose (prevents NoSQL injection)?
-- [ ] Inputs validated with Zod?
-- [ ] No string concatenation in queries?
-### A07: Authentication Failures
-- [ ] Passwords with minimum requirements?
-- [ ] Brute force protection?
-- [ ] Sessions invalidated on logout?
-- [ ] Tokens with expiration?
----
-## Detection Patterns
-### Detect User ID from Input (VETO)
-```bash
-grep -r "input\.userId\|input\.user_id\|{ userId }" server/ --include="*.ts"
-```
-### Detect Password Return (VETO)
-```bash
-grep -r "passwordHash\|password:" server/ --include="*.ts"
-```
-### Detect Route Without Validation (VETO)
-```bash
-grep -A5 "Procedure\." server/ --include="*.ts" | grep -v ".input("
-```
----
-## Output Format
-### Approved
-```markdown
-## SECURITY SCAN - APPROVED
-### Scope
-- **Files:** X
-- **Routes:** Y
-### Checks
-- [x] User ID always from session
-- [x] No sensitive data in response
-- [x] All routes with Zod validation
-- [x] OWASP Top 10 OK
-**STATUS: APPROVED**
-```
-### Vetoed
-```markdown
-## SECURITY SCAN - VETOED
-### CRITICAL VULNERABILITY
-**Type:** User ID from Input
-**File:** `server/routers/example.ts:45`
-**Risk:** Any user can access other users' data
-**Fix:** Use `ctx.user._id` instead of `input.userId`
-**STATUS: VETOED** - Fix before proceeding
-```
----
-## VETO Rules
-### IMMEDIATE VETO
-1. User ID from input/request body
-2. Password returned in response
-3. API tokens exposed
-4. Protected route without `protectedProcedure`
-5. Query without user/tenant filter
-### VETO BEFORE MERGE
-1. Route without Zod validation
-2. Unsanitized sensitive data
-3. bun audit (or npm audit) with critical vulnerabilities
----
-## Version
-- **v2.0.0** - Generic template
+---
+name: security-scan
+description: Audits code for security vulnerabilities. HAS VETO POWER. Activates when code touches authentication, passwords, tokens, API routes, database queries, user data, sessions, or cookies. Blocks insecure code from being committed.
+allowed-tools: Read, Grep, Glob, Bash
+---
+# Security Scan
+## VETO POWER
+This skill CAN and MUST block insecure code.
+## When to Use
+- When code touches: auth, session, user data, API, database
+- Before committing security-sensitive changes
+- When user mentions: password, token, authentication, permissions
+## Critical Rules (VETO if violated)
+### 1. User ID ALWAYS from Session
+```typescript
+// WRONG (VETO)
+async function getData({ userId }: { userId: string }) { ... }
+// CORRECT
+async function getData({ ctx }: { ctx: Context }) {
+  const userId = ctx.user._id;  // From session
+}
+```
+### 2. No Sensitive Data to Frontend
+Never send: passwords (even hashed), API tokens, secret keys, stack traces
+```typescript
+// WRONG (VETO)
+return { user: await UserModel.findById(id) };  // Has passwordHash!
+// CORRECT
+return { user: user.toPublic() };
+```
+### 3. Zod Validation Required
+```typescript
+// WRONG (VETO)
+.mutation(async ({ input }) => { await db.create(input); })
+// CORRECT
+.input(createSchema).mutation(async ({ input }) => { ... })
+```
+## Detection Commands
+```bash
+# User ID from input
+grep -r "input\.userId\|input\.user_id" server/
+# Password in response
+grep -r "passwordHash\|password:" server/
+```
+## OWASP Checklist
+- [ ] A01: User ID from session, not input?
+- [ ] A02: Passwords hashed (bcrypt, salt >= 10)?
+- [ ] A03: Queries use ORM (no string concat)?
+- [ ] A07: Sessions invalidated on logout?
+## Output
+**APPROVED:** No vulnerabilities found
+**VETOED:** Critical vulnerability - must fix before commit