superkit-mcp-server 1.0.1 → 1.0.2

package/skills/tech/vulnerability-scanner/scripts/security_scan.py

@@ -1,458 +0,0 @@
-#!/usr/bin/env python3
-"""
-Skill: vulnerability-scanner
-Script: security_scan.py
-Purpose: Validate that security principles from SKILL.md are applied correctly
-Usage: python security_scan.py <project_path> [--scan-type all|deps|secrets|patterns|config]
-Output: JSON with validation findings
-
-This script verifies:
-1. Dependencies - Supply chain security (OWASP A03)
-2. Secrets - No hardcoded credentials (OWASP A04)
-3. Code Patterns - Dangerous patterns identified (OWASP A05)
-4. Configuration - Security settings validated (OWASP A02)
-"""
-import subprocess
-import json
-import os
-import sys
-import re
-import argparse
-from pathlib import Path
-from typing import Dict, List, Any
-from datetime import datetime
-
-# Fix Windows console encoding for Unicode output
-try:
-    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
-    sys.stderr.reconfigure(encoding='utf-8', errors='replace')
-except AttributeError:
-    pass  # Python < 3.7
-
-
-# ============================================================================
-#  CONFIGURATION
-# ============================================================================
-
-SECRET_PATTERNS = [
-    # API Keys & Tokens
-    (r'api[_-]?key\s*[=:]\s*["\'][^"\']{10,}["\']', "API Key", "high"),
-    (r'token\s*[=:]\s*["\'][^"\']{10,}["\']', "Token", "high"),
-    (r'bearer\s+[a-zA-Z0-9\-_.]+', "Bearer Token", "critical"),
-    
-    # Cloud Credentials
-    (r'AKIA[0-9A-Z]{16}', "AWS Access Key", "critical"),
-    (r'aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*["\'][^"\']+["\']', "AWS Secret", "critical"),
-    (r'AZURE[_-]?[A-Z_]+\s*[=:]\s*["\'][^"\']+["\']', "Azure Credential", "critical"),
-    (r'GOOGLE[_-]?[A-Z_]+\s*[=:]\s*["\'][^"\']+["\']', "GCP Credential", "critical"),
-    
-    # Database & Connections
-    (r'password\s*[=:]\s*["\'][^"\']{4,}["\']', "Password", "high"),
-    (r'(mongodb|postgres|mysql|redis):\/\/[^\s"\']+', "Database Connection String", "critical"),
-    
-    # Private Keys
-    (r'-----BEGIN\s+(RSA|PRIVATE|EC)\s+KEY-----', "Private Key", "critical"),
-    (r'ssh-rsa\s+[A-Za-z0-9+/]+', "SSH Key", "critical"),
-    
-    # JWT
-    (r'eyJ[A-Za-z0-9-_]+\.eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+', "JWT Token", "high"),
-]
-
-DANGEROUS_PATTERNS = [
-    # Injection risks
-    (r'eval\s*\(', "eval() usage", "critical", "Code Injection risk"),
-    (r'exec\s*\(', "exec() usage", "critical", "Code Injection risk"),
-    (r'new\s+Function\s*\(', "Function constructor", "high", "Code Injection risk"),
-    (r'child_process\.exec\s*\(', "child_process.exec", "high", "Command Injection risk"),
-    (r'subprocess\.call\s*\([^)]*shell\s*=\s*True', "subprocess with shell=True", "high", "Command Injection risk"),
-    
-    # XSS risks
-    (r'dangerouslySetInnerHTML', "dangerouslySetInnerHTML", "high", "XSS risk"),
-    (r'\.innerHTML\s*=', "innerHTML assignment", "medium", "XSS risk"),
-    (r'document\.write\s*\(', "document.write", "medium", "XSS risk"),
-    
-    # SQL Injection indicators
-    (r'["\'][^"\']*\+\s*[a-zA-Z_]+\s*\+\s*["\'].*(?:SELECT|INSERT|UPDATE|DELETE)', "SQL String Concat", "critical", "SQL Injection risk"),
-    (r'f"[^"]*(?:SELECT|INSERT|UPDATE|DELETE)[^"]*\{', "SQL f-string", "critical", "SQL Injection risk"),
-    
-    # Insecure configurations
-    (r'verify\s*=\s*False', "SSL Verify Disabled", "high", "MITM risk"),
-    (r'--insecure', "Insecure flag", "medium", "Security disabled"),
-    (r'disable[_-]?ssl', "SSL Disabled", "high", "MITM risk"),
-    
-    # Unsafe deserialization
-    (r'pickle\.loads?\s*\(', "pickle usage", "high", "Deserialization risk"),
-    (r'yaml\.load\s*\([^)]*\)(?!\s*,\s*Loader)', "Unsafe YAML load", "high", "Deserialization risk"),
-]
-
-SKIP_DIRS = {'node_modules', '.git', 'dist', 'build', '__pycache__', '.venv', 'venv', '.next'}
-CODE_EXTENSIONS = {'.js', '.ts', '.jsx', '.tsx', '.py', '.go', '.java', '.rb', '.php'}
-CONFIG_EXTENSIONS = {'.json', '.yaml', '.yml', '.toml', '.env', '.env.local', '.env.development'}
-
-
-# ============================================================================
-#  SCANNING FUNCTIONS
-# ============================================================================
-
-def scan_dependencies(project_path: str) -> Dict[str, Any]:
-    """
-    Validate supply chain security (OWASP A03).
-    Checks: npm audit, lock file presence, dependency age.
-    """
-    results = {"tool": "dependency_scanner", "findings": [], "status": "[OK] Secure"}
-    
-    # Check for lock files
-    lock_files = {
-        "npm": ["package-lock.json", "npm-shrinkwrap.json"],
-        "yarn": ["yarn.lock"],
-        "pnpm": ["pnpm-lock.yaml"],
-        "pip": ["requirements.txt", "Pipfile.lock", "poetry.lock"],
-    }
-    
-    found_locks = []
-    missing_locks = []
-    
-    for manager, files in lock_files.items():
-        pkg_file = "package.json" if manager in ["npm", "yarn", "pnpm"] else "setup.py"
-        pkg_path = Path(project_path) / pkg_file
-        
-        if pkg_path.exists() or (manager == "pip" and (Path(project_path) / "requirements.txt").exists()):
-            has_lock = any((Path(project_path) / f).exists() for f in files)
-            if has_lock:
-                found_locks.append(manager)
-            else:
-                missing_locks.append(manager)
-                results["findings"].append({
-                    "type": "Missing Lock File",
-                    "severity": "high",
-                    "message": f"{manager}: No lock file found. Supply chain integrity at risk."
-                })
-    
-    # Run npm audit if applicable
-    if (Path(project_path) / "package.json").exists():
-        try:
-            result = subprocess.run(
-                ["npm", "audit", "--json"],
-                cwd=project_path,
-                capture_output=True,
-                text=True,
-                timeout=60
-            )
-            
-            try:
-                audit_data = json.loads(result.stdout)
-                vulnerabilities = audit_data.get("vulnerabilities", {})
-                
-                severity_count = {"critical": 0, "high": 0, "moderate": 0, "low": 0}
-                for vuln in vulnerabilities.values():
-                    sev = vuln.get("severity", "low").lower()
-                    if sev in severity_count:
-                        severity_count[sev] += 1
-                
-                if severity_count["critical"] > 0:
-                    results["status"] = "[!!] Critical vulnerabilities"
-                    results["findings"].append({
-                        "type": "npm audit",
-                        "severity": "critical",
-                        "message": f"{severity_count['critical']} critical vulnerabilities in dependencies"
-                    })
-                elif severity_count["high"] > 0:
-                    results["status"] = "[!] High vulnerabilities"
-                    results["findings"].append({
-                        "type": "npm audit",
-                        "severity": "high",
-                        "message": f"{severity_count['high']} high severity vulnerabilities"
-                    })
-                
-                results["npm_audit"] = severity_count
-                
-            except json.JSONDecodeError:
-                pass
-                
-        except (FileNotFoundError, subprocess.TimeoutExpired):
-            pass
-    
-    if not results["findings"]:
-        results["status"] = "[OK] Supply chain checks passed"
-    
-    return results
-
-
-def scan_secrets(project_path: str) -> Dict[str, Any]:
-    """
-    Validate no hardcoded secrets (OWASP A04).
-    Checks: API keys, tokens, passwords, cloud credentials.
-    """
-    results = {
-        "tool": "secret_scanner",
-        "findings": [],
-        "status": "[OK] No secrets detected",
-        "scanned_files": 0,
-        "by_severity": {"critical": 0, "high": 0, "medium": 0}
-    }
-    
-    for root, dirs, files in os.walk(project_path):
-        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
-        
-        for file in files:
-            ext = Path(file).suffix.lower()
-            if ext not in CODE_EXTENSIONS and ext not in CONFIG_EXTENSIONS:
-                continue
-                
-            filepath = Path(root) / file
-            results["scanned_files"] += 1
-            
-            try:
-                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
-                    content = f.read()
-                    
-                    for pattern, secret_type, severity in SECRET_PATTERNS:
-                        matches = re.findall(pattern, content, re.IGNORECASE)
-                        if matches:
-                            results["findings"].append({
-                                "file": str(filepath.relative_to(project_path)),
-                                "type": secret_type,
-                                "severity": severity,
-                                "count": len(matches)
-                            })
-                            results["by_severity"][severity] += len(matches)
-                            
-            except Exception:
-                pass
-    
-    if results["by_severity"]["critical"] > 0:
-        results["status"] = "[!!] CRITICAL: Secrets exposed!"
-    elif results["by_severity"]["high"] > 0:
-        results["status"] = "[!] HIGH: Secrets found"
-    elif sum(results["by_severity"].values()) > 0:
-        results["status"] = "[?] Potential secrets detected"
-    
-    # Limit findings for output
-    results["findings"] = results["findings"][:15]
-    
-    return results
-
-
-def scan_code_patterns(project_path: str) -> Dict[str, Any]:
-    """
-    Validate dangerous code patterns (OWASP A05).
-    Checks: Injection risks, XSS, unsafe deserialization.
-    """
-    results = {
-        "tool": "pattern_scanner",
-        "findings": [],
-        "status": "[OK] No dangerous patterns",
-        "scanned_files": 0,
-        "by_category": {}
-    }
-    
-    for root, dirs, files in os.walk(project_path):
-        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
-        
-        for file in files:
-            ext = Path(file).suffix.lower()
-            if ext not in CODE_EXTENSIONS:
-                continue
-                
-            filepath = Path(root) / file
-            results["scanned_files"] += 1
-            
-            try:
-                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
-                    lines = f.readlines()
-                    
-                    for line_num, line in enumerate(lines, 1):
-                        for pattern, name, severity, category in DANGEROUS_PATTERNS:
-                            if re.search(pattern, line, re.IGNORECASE):
-                                results["findings"].append({
-                                    "file": str(filepath.relative_to(project_path)),
-                                    "line": line_num,
-                                    "pattern": name,
-                                    "severity": severity,
-                                    "category": category,
-                                    "snippet": line.strip()[:80]
-                                })
-                                results["by_category"][category] = results["by_category"].get(category, 0) + 1
-                                
-            except Exception:
-                pass
-    
-    critical_count = sum(1 for f in results["findings"] if f["severity"] == "critical")
-    high_count = sum(1 for f in results["findings"] if f["severity"] == "high")
-    
-    if critical_count > 0:
-        results["status"] = f"[!!] CRITICAL: {critical_count} dangerous patterns"
-    elif high_count > 0:
-        results["status"] = f"[!] HIGH: {high_count} risky patterns"
-    elif results["findings"]:
-        results["status"] = "[?] Some patterns need review"
-    
-    # Limit findings
-    results["findings"] = results["findings"][:20]
-    
-    return results
-
-
-def scan_configuration(project_path: str) -> Dict[str, Any]:
-    """
-    Validate security configuration (OWASP A02).
-    Checks: Security headers, CORS, debug modes.
-    """
-    results = {
-        "tool": "config_scanner",
-        "findings": [],
-        "status": "[OK] Configuration secure",
-        "checks": {}
-    }
-    
-    # Check common config files for issues
-    config_issues = [
-        (r'"DEBUG"\s*:\s*true', "Debug mode enabled", "high"),
-        (r'debug\s*=\s*True', "Debug mode enabled", "high"),
-        (r'NODE_ENV.*development', "Development mode in config", "medium"),
-        (r'"CORS_ALLOW_ALL".*true', "CORS allow all origins", "high"),
-        (r'"Access-Control-Allow-Origin".*\*', "CORS wildcard", "high"),
-        (r'allowCredentials.*true.*origin.*\*', "Dangerous CORS combo", "critical"),
-    ]
-    
-    for root, dirs, files in os.walk(project_path):
-        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]
-        
-        for file in files:
-            ext = Path(file).suffix.lower()
-            if ext not in CONFIG_EXTENSIONS and file not in ['next.config.js', 'webpack.config.js', '.eslintrc.js']:
-                continue
-                
-            filepath = Path(root) / file
-            
-            try:
-                with open(filepath, 'r', encoding='utf-8', errors='ignore') as f:
-                    content = f.read()
-                    
-                    for pattern, issue, severity in config_issues:
-                        if re.search(pattern, content, re.IGNORECASE):
-                            results["findings"].append({
-                                "file": str(filepath.relative_to(project_path)),
-                                "issue": issue,
-                                "severity": severity
-                            })
-                            
-            except Exception:
-                pass
-    
-    # Check for security header configurations
-    header_files = ["next.config.js", "next.config.mjs", "middleware.ts", "nginx.conf"]
-    for hf in header_files:
-        hf_path = Path(project_path) / hf
-        if hf_path.exists():
-            results["checks"]["security_headers_config"] = True
-            break
-    else:
-        results["checks"]["security_headers_config"] = False
-        results["findings"].append({
-            "issue": "No security headers configuration found",
-            "severity": "medium",
-            "recommendation": "Configure CSP, HSTS, X-Frame-Options headers"
-        })
-    
-    if any(f["severity"] == "critical" for f in results["findings"]):
-        results["status"] = "[!!] CRITICAL: Configuration issues"
-    elif any(f["severity"] == "high" for f in results["findings"]):
-        results["status"] = "[!] HIGH: Configuration review needed"
-    elif results["findings"]:
-        results["status"] = "[?] Minor configuration issues"
-    
-    return results
-
-
-# ============================================================================
-#  MAIN
-# ============================================================================
-
-def run_full_scan(project_path: str, scan_type: str = "all") -> Dict[str, Any]:
-    """Execute security validation scans."""
-    
-    report = {
-        "project": project_path,
-        "timestamp": datetime.now().isoformat(),
-        "scan_type": scan_type,
-        "scans": {},
-        "summary": {
-            "total_findings": 0,
-            "critical": 0,
-            "high": 0,
-            "overall_status": "[OK] SECURE"
-        }
-    }
-    
-    scanners = {
-        "deps": ("dependencies", scan_dependencies),
-        "secrets": ("secrets", scan_secrets),
-        "patterns": ("code_patterns", scan_code_patterns),
-        "config": ("configuration", scan_configuration),
-    }
-    
-    for key, (name, scanner) in scanners.items():
-        if scan_type == "all" or scan_type == key:
-            result = scanner(project_path)
-            report["scans"][name] = result
-            
-            findings_count = len(result.get("findings", []))
-            report["summary"]["total_findings"] += findings_count
-            
-            for finding in result.get("findings", []):
-                sev = finding.get("severity", "low")
-                if sev == "critical":
-                    report["summary"]["critical"] += 1
-                elif sev == "high":
-                    report["summary"]["high"] += 1
-    
-    # Determine overall status
-    if report["summary"]["critical"] > 0:
-        report["summary"]["overall_status"] = "[!!] CRITICAL ISSUES FOUND"
-    elif report["summary"]["high"] > 0:
-        report["summary"]["overall_status"] = "[!] HIGH RISK ISSUES"
-    elif report["summary"]["total_findings"] > 0:
-        report["summary"]["overall_status"] = "[?] REVIEW RECOMMENDED"
-    
-    return report
-
-
-def main():
-    parser = argparse.ArgumentParser(
-        description="Validate security principles from vulnerability-scanner skill"
-    )
-    parser.add_argument("project_path", nargs="?", default=".", help="Project directory to scan")
-    parser.add_argument("--scan-type", choices=["all", "deps", "secrets", "patterns", "config"],
-                        default="all", help="Type of scan to run")
-    parser.add_argument("--output", choices=["json", "summary"], default="json",
-                        help="Output format")
-    
-    args = parser.parse_args()
-    
-    if not os.path.isdir(args.project_path):
-        print(json.dumps({"error": f"Directory not found: {args.project_path}"}))
-        sys.exit(1)
-    
-    result = run_full_scan(args.project_path, args.scan_type)
-    
-    if args.output == "summary":
-        print(f"\n{'='*60}")
-        print(f"Security Scan: {result['project']}")
-        print(f"{'='*60}")
-        print(f"Status: {result['summary']['overall_status']}")
-        print(f"Total Findings: {result['summary']['total_findings']}")
-        print(f"  Critical: {result['summary']['critical']}")
-        print(f"  High: {result['summary']['high']}")
-        print(f"{'='*60}\n")
-        
-        for scan_name, scan_result in result['scans'].items():
-            print(f"\n{scan_name.upper()}: {scan_result['status']}")
-            for finding in scan_result.get('findings', [])[:5]:
-                print(f"  - {finding}")
-    else:
-        print(json.dumps(result, indent=2))
-
-
-if __name__ == "__main__":
-    main()

package/skills/tech/webapp-testing/scripts/playwright_runner.py

@@ -1,173 +0,0 @@
-#!/usr/bin/env python3
-"""
-Skill: webapp-testing
-Script: playwright_runner.py
-Purpose: Run basic Playwright browser tests
-Usage: python playwright_runner.py <url> [--screenshot]
-Output: JSON with page info, health status, and optional screenshot path
-Note: Requires playwright (pip install playwright && playwright install chromium)
-Screenshots: Saved to system temp directory (auto-cleaned by OS)
-"""
-import sys
-import json
-import os
-import tempfile
-from datetime import datetime
-
-# Fix Windows console encoding for Unicode output
-try:
-    sys.stdout.reconfigure(encoding='utf-8', errors='replace')
-    sys.stderr.reconfigure(encoding='utf-8', errors='replace')
-except AttributeError:
-    pass  # Python < 3.7
-
-try:
-    from playwright.sync_api import sync_playwright
-    PLAYWRIGHT_AVAILABLE = True
-except ImportError:
-    PLAYWRIGHT_AVAILABLE = False
-
-
-def run_basic_test(url: str, take_screenshot: bool = False) -> dict:
-    """Run basic browser test on URL."""
-    if not PLAYWRIGHT_AVAILABLE:
-        return {
-            "error": "Playwright not installed",
-            "fix": "pip install playwright && playwright install chromium"
-        }
-    
-    result = {
-        "url": url,
-        "timestamp": datetime.now().isoformat(),
-        "status": "pending"
-    }
-    
-    try:
-        with sync_playwright() as p:
-            browser = p.chromium.launch(headless=True)
-            context = browser.new_context(
-                viewport={"width": 1280, "height": 720},
-                user_agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
-            )
-            page = context.new_page()
-            
-            # Navigate
-            response = page.goto(url, wait_until="networkidle", timeout=30000)
-            
-            # Basic info
-            result["page"] = {
-                "title": page.title(),
-                "url": page.url,
-                "status_code": response.status if response else None
-            }
-            
-            # Health checks
-            result["health"] = {
-                "loaded": response.ok if response else False,
-                "has_title": bool(page.title()),
-                "has_h1": page.locator("h1").count() > 0,
-                "has_links": page.locator("a").count() > 0,
-                "has_images": page.locator("img").count() > 0
-            }
-            
-            # Console errors
-            console_errors = []
-            page.on("console", lambda msg: console_errors.append(msg.text) if msg.type == "error" else None)
-            
-            # Performance metrics
-            result["performance"] = {
-                "dom_content_loaded": page.evaluate("window.performance.timing.domContentLoadedEventEnd - window.performance.timing.navigationStart"),
-                "load_complete": page.evaluate("window.performance.timing.loadEventEnd - window.performance.timing.navigationStart")
-            }
-            
-            # Screenshot - uses system temp directory (cross-platform, auto-cleaned)
-            if take_screenshot:
-                # Cross-platform: Windows=%TEMP%, Linux/macOS=/tmp
-                screenshot_dir = os.path.join(tempfile.gettempdir(), "maestro_screenshots")
-                os.makedirs(screenshot_dir, exist_ok=True)
-                screenshot_path = os.path.join(screenshot_dir, f"screenshot_{datetime.now().strftime('%Y%m%d_%H%M%S')}.png")
-                page.screenshot(path=screenshot_path, full_page=True)
-                result["screenshot"] = screenshot_path
-                result["screenshot_note"] = "Saved to temp directory (auto-cleaned by OS)"
-            
-            # Element counts
-            result["elements"] = {
-                "links": page.locator("a").count(),
-                "buttons": page.locator("button").count(),
-                "inputs": page.locator("input").count(),
-                "images": page.locator("img").count(),
-                "forms": page.locator("form").count()
-            }
-            
-            browser.close()
-            
-            result["status"] = "success" if result["health"]["loaded"] else "failed"
-            result["summary"] = "[OK] Page loaded successfully" if result["status"] == "success" else "[X] Page failed to load"
-            
-    except Exception as e:
-        result["status"] = "error"
-        result["error"] = str(e)
-        result["summary"] = f"[X] Error: {str(e)[:100]}"
-    
-    return result
-
-
-def run_accessibility_check(url: str) -> dict:
-    """Run basic accessibility check."""
-    if not PLAYWRIGHT_AVAILABLE:
-        return {"error": "Playwright not installed"}
-    
-    result = {"url": url, "accessibility": {}}
-    
-    try:
-        with sync_playwright() as p:
-            browser = p.chromium.launch(headless=True)
-            page = browser.new_page()
-            page.goto(url, wait_until="networkidle", timeout=30000)
-            
-            # Basic a11y checks
-            result["accessibility"] = {
-                "images_with_alt": page.locator("img[alt]").count(),
-                "images_without_alt": page.locator("img:not([alt])").count(),
-                "buttons_with_label": page.locator("button[aria-label], button:has-text('')").count(),
-                "links_with_text": page.locator("a:has-text('')").count(),
-                "form_labels": page.locator("label").count(),
-                "headings": {
-                    "h1": page.locator("h1").count(),
-                    "h2": page.locator("h2").count(),
-                    "h3": page.locator("h3").count()
-                }
-            }
-            
-            browser.close()
-            result["status"] = "success"
-            
-    except Exception as e:
-        result["status"] = "error"
-        result["error"] = str(e)
-    
-    return result
-
-
-if __name__ == "__main__":
-    if len(sys.argv) < 2:
-        print(json.dumps({
-            "error": "Usage: python playwright_runner.py <url> [--screenshot] [--a11y]",
-            "examples": [
-                "python playwright_runner.py https://example.com",
-                "python playwright_runner.py https://example.com --screenshot",
-                "python playwright_runner.py https://example.com --a11y"
-            ]
-        }, indent=2))
-        sys.exit(1)
-    
-    url = sys.argv[1]
-    take_screenshot = "--screenshot" in sys.argv
-    check_a11y = "--a11y" in sys.argv
-    
-    if check_a11y:
-        result = run_accessibility_check(url)
-    else:
-        result = run_basic_test(url, take_screenshot)
-    
-    print(json.dumps(result, indent=2))