vaspera 2.10.0 → 2.10.1

package/skills/vaspera-fix-critical/SKILL.md

@@ -0,0 +1,52 @@
+---
+description: Fix all CRITICAL severity security findings
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Remediate all CRITICAL severity findings with verification loop.
+
+## Steps
+
+1. **Load audit findings**
+   - Read latest from `.vaspera/audit/*.json` (most recent by timestamp)
+   - If no audit exists, run `/vaspera-audit` first
+   - Filter findings where `severity === "critical"`
+
+2. **Categorize critical findings**
+   Critical categories:
+   - Unhandled async/await (crashes)
+   - Missing auth checks (unauthorized access)
+   - Missing RLS policies (data leakage)
+   - Hardcoded secrets (credential exposure)
+   - Raw SQL injection (CWE-89)
+   - dangerouslySetInnerHTML (XSS, CWE-79)
+   - Publicly exposed endpoints
+   - Missing CORS configuration
+
+3. **For each finding**
+   - Show file location with context (3 lines before/after)
+   - Preview the fix (before/after diff)
+   - Apply fix:
+     - Auto-apply if pattern has `safeToAutoApply: true`
+     - Otherwise, confirm with user
+   - Run `npm run build` to verify no compile errors
+
+4. **Verification loop**
+   - After fixing a group of related findings, re-run the targeted scanner
+   - Example: after fixing gitleaks findings, run gitleaks again
+   - Confirm finding count decreased
+   - If new findings appear (regressions), flag immediately
+
+5. **Final report**
+   - N critical findings fixed
+   - M critical findings remaining (with reasons)
+   - Any regressions introduced
+   - Suggest `/vaspera-fix-high` as next step
+
+## Important
+
+- ALWAYS run `npm run build` after each fix to catch compile errors early
+- NEVER skip the verification loop — re-scan to confirm fixes worked
+- Stage changes but do NOT commit unless user requests
+- If a fix requires manual intervention, explain why and provide guidance

package/skills/vaspera-fix-high/SKILL.md

@@ -0,0 +1,81 @@
+---
+description: Fix HIGH severity findings in 4 rounds
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Remediate HIGH severity findings systematically in 4 rounds.
+
+## Steps
+
+1. **Load audit findings**
+   - Read latest from `.vaspera/audit/*.json`
+   - Filter findings where `severity === "high"`
+   - Group by category for round assignment
+
+2. **Round A: Input Validation**
+   Target findings related to:
+   - Missing Zod schemas
+   - Missing safeParse calls
+   - Missing 400 responses for invalid input
+   - Unvalidated user input
+   
+   For each:
+   - Add Zod schema if missing
+   - Replace direct access with safeParse
+   - Add proper error responses
+   - Run `npm run build` to verify
+
+3. **Round B: TypeScript Strictness**
+   Target findings related to:
+   - `any` type annotations
+   - Missing explicit return types
+   - Unsafe type assertions (`as unknown as T`)
+   
+   For each:
+   - Replace `any` with proper types or `unknown`
+   - Add explicit return types to functions
+   - Replace unsafe casts with type guards
+   - Run `npm run build` to verify
+
+4. **Round C: UI Resilience**
+   Target findings related to:
+   - Missing loading states
+   - Missing error states
+   - Missing empty states
+   - Missing cleanup for subscriptions/listeners
+   - Missing Error Boundaries
+   
+   For each:
+   - Add loading/error/empty state handling
+   - Add cleanup in useEffect return
+   - Wrap risky components in Error Boundaries
+   - Run `npm run build` to verify
+
+5. **Round D: API Hardening**
+   Target findings related to:
+   - Error response leaking internal details
+   - Missing revalidatePath calls
+   - Inconsistent response shapes
+   
+   For each:
+   - Sanitize error responses
+   - Add cache invalidation
+   - Standardize response format
+   - Run `npm run build` to verify
+
+6. **After each round**
+   - Commit with: `fix: resolve high-severity issues (round X)`
+   - Re-scan to verify finding count decreased
+   - Report progress: N fixed in round X
+
+7. **Final report**
+   - Total high findings fixed across all rounds
+   - Remaining high findings (if any)
+   - Suggest `/vaspera-fix-medium` as next step
+
+## Important
+
+- Complete each round fully before moving to next
+- Commit after each round for clean rollback if needed
+- If a fix is unclear, ask for guidance rather than guessing

package/skills/vaspera-fix-medium/SKILL.md

@@ -0,0 +1,56 @@
+---
+description: Fix MEDIUM severity findings
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Remediate MEDIUM severity findings in a single pass.
+
+## Steps
+
+1. **Load audit findings**
+   - Read latest from `.vaspera/audit/*.json`
+   - Filter findings where `severity === "medium"`
+
+2. **Categorize and fix**
+   Medium categories:
+   
+   **Code Quality**
+   - Missing test files → Add basic test coverage
+   - Code duplication → Extract shared utilities
+   - Components >300 lines → Split into smaller components
+   - Hardcoded strings → Extract to constants/i18n
+   
+   **Type Safety**
+   - Missing return types → Add explicit return types
+   - Implicit any (not explicit) → Add proper typing
+   
+   **Error Handling**
+   - No structured logging → Add logger calls
+   - Inconsistent error responses → Standardize format
+   - No error boundaries → Add React Error Boundaries
+   
+   **Architecture**
+   - Manual schema management → Add migration files
+   - Scattered Supabase clients → Centralize client creation
+
+3. **For each finding**
+   - Show context and proposed fix
+   - Apply fix with user confirmation
+   - Run `npm run build` to verify
+
+4. **Verification**
+   - After all fixes, re-run audit
+   - Confirm medium count decreased
+   - Flag any regressions
+
+5. **Final report**
+   - N medium findings fixed
+   - Remaining medium findings
+   - Suggest `/vaspera-add-tests` as next step
+
+## Important
+
+- Medium fixes are lower priority but improve maintainability
+- Some fixes may require architectural decisions — ask if unclear
+- Stage changes but do NOT commit unless user requests

package/skills/vaspera-fix-rls/SKILL.md

@@ -0,0 +1,85 @@
+---
+description: Generate and apply Supabase Row Level Security policies
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Write, Bash, Grep, Glob
+---
+
+Generate RLS policies for Supabase tables to prevent unauthorized data access.
+
+## Steps
+
+1. **Discover tables**
+   - Scan `supabase/migrations/` for CREATE TABLE statements
+   - Scan seed files for table references
+   - Scan codebase for `supabase.from('table_name')` calls
+   - Build complete table inventory
+
+2. **Detect existing policies**
+   - Look for `CREATE POLICY` statements in migrations
+   - Look for `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`
+   - Identify tables with RLS enabled vs disabled
+
+3. **Analyze access patterns**
+   For each `supabase.from()` call:
+   - What columns are selected?
+   - Is there a `.eq('user_id', ...)` filter?
+   - Is it in an authenticated context?
+   - Infer ownership column (usually `user_id` or `owner_id`)
+
+4. **Generate migration**
+   For tables missing RLS:
+   ```sql
+   -- Enable RLS
+   ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
+   
+   -- SELECT: users can only read their own rows
+   CREATE POLICY "Users can view own rows"
+     ON table_name FOR SELECT
+     USING (auth.uid() = user_id);
+   
+   -- INSERT: users can only insert with their user_id
+   CREATE POLICY "Users can insert own rows"
+     ON table_name FOR INSERT
+     WITH CHECK (auth.uid() = user_id);
+   
+   -- UPDATE: users can only update their own rows
+   CREATE POLICY "Users can update own rows"
+     ON table_name FOR UPDATE
+     USING (auth.uid() = user_id);
+   
+   -- DELETE: users can only delete their own rows
+   CREATE POLICY "Users can delete own rows"
+     ON table_name FOR DELETE
+     USING (auth.uid() = user_id);
+   ```
+
+5. **Write migration file**
+   - Create `supabase/migrations/{timestamp}_add_rls_policies.sql`
+   - Include all generated policies
+
+6. **Generate RLS-REPORT.md**
+   ```markdown
+   # RLS Policy Report
+   
+   ## Tables with RLS
+   | Table | SELECT | INSERT | UPDATE | DELETE |
+   |-------|--------|--------|--------|--------|
+   | users | ✅ | ✅ | ✅ | ✅ |
+   
+   ## Tables MISSING RLS (CRITICAL)
+   - orders (no policies, added in migration)
+   
+   ## Service Role Usage (review required)
+   - src/api/admin.ts:42 — uses service role key
+   ```
+
+7. **Optionally apply**
+   - If user confirms: `supabase db push`
+   - Otherwise: leave migration file for manual review
+
+## Important
+
+- RLS is the MOST IMPORTANT security control for multi-tenant Supabase apps
+- Missing RLS = any authenticated user can read ALL data
+- Service role key bypasses RLS — flag all usages for review
+- Always test policies locally before pushing to production

package/skills/vaspera-harden/SKILL.md

@@ -0,0 +1,102 @@
+---
+description: Run complete 6-phase hardening pipeline
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Execute the full hardening pipeline with verification at each phase.
+
+## Pipeline Overview
+
+```
+Phase 1: Audit      → Baseline assessment
+Phase 2: Fix Critical → Resolve all CRITICAL findings
+Phase 3: Fix High   → Resolve HIGH findings (4 rounds)
+Phase 4: Fix Medium → Resolve MEDIUM findings
+Phase 5: Add Tests  → Generate security tests
+Phase 6: Verify     → Before/after comparison
+```
+
+## Execution
+
+### Phase 1: Audit
+Run `/vaspera-audit` to establish baseline.
+- Record initial Production Readiness Score
+- Save finding counts by severity
+
+### Phase 2: Fix Critical
+Run `/vaspera-fix-critical`
+- Must resolve ALL critical findings before proceeding
+- Commit: `fix: resolve critical security issues`
+- **Gate**: If any critical remains, STOP and report
+
+### Phase 3: Fix High
+Run `/vaspera-fix-high`
+- 4 rounds: validation → types → UI → API
+- Commit after each round: `fix: resolve high-severity issues (round X)`
+- **Verification**: Re-scan after each round
+
+### Phase 4: Fix Medium
+Run `/vaspera-fix-medium`
+- Single pass through medium findings
+- Commit: `fix: resolve medium-severity issues`
+
+### Phase 5: Add Tests
+Run `/vaspera-add-tests`
+- Priority: API routes → data layer → UI → utilities
+- Commit: `test: add security tests for critical paths`
+- **Gate**: `npm test` must pass
+
+### Phase 6: Verify
+Run `/vaspera-verify`
+- Generate HARDENING-REPORT.md
+- Compare before/after scores
+- Flag any regressions
+
+## Pre-commit Gate
+
+Before each commit, verify:
+- [ ] `npm run build` passes (TypeScript)
+- [ ] `npm test` passes (all tests)
+- [ ] No new console.logs introduced
+- [ ] No commented code added
+- [ ] No circular imports
+
+## Failure Handling
+
+**Build fails**: Pause, report error, suggest fix
+**Tests fail**: Roll back phase changes, report
+**Regressions detected**: Flag prominently, pause for review
+
+## Final Report
+
+```markdown
+# Hardening Complete
+
+## Score Improvement
+Before: XX/100 (LEVEL)
+After: YY/100 (LEVEL)
+Delta: +ZZ points
+
+## Findings Resolved
+- Critical: X → 0
+- High: Y → N
+- Medium: Z → M
+
+## Commits Made
+1. fix: resolve critical security issues
+2. fix: resolve high-severity issues (round A)
+...
+
+## Next Steps
+- Review and merge PR
+- Deploy to staging
+- Run production certification
+```
+
+## Important
+
+- This is a LONG-RUNNING operation — may take 30+ minutes
+- Each phase commits independently for clean rollback
+- The pipeline can be resumed from any phase if interrupted
+- Do NOT push to remote unless user explicitly requests

package/skills/vaspera-help/SKILL.md

@@ -0,0 +1,61 @@
+---
+description: List all available Vaspera Hardening skills
+argument-hint: ""
+allowed-tools: Bash
+---
+
+Display the Vaspera Hardening skill menu.
+
+## Output
+
+```
+Vaspera Hardening Skills
+========================
+
+AUDIT & VERIFY
+  /vaspera-audit         Run security audit, write findings to .vaspera/audit/
+  /vaspera-verify        Compare before/after audit state, generate report
+  /vaspera-verify-e2e    Runtime verification (M7) - test app actually works
+
+FIX BY SEVERITY
+  /vaspera-fix-critical  Fix all CRITICAL severity findings
+  /vaspera-fix-high      Fix HIGH severity findings (4 rounds)
+  /vaspera-fix-medium    Fix MEDIUM severity findings
+
+SPECIALIZED
+  /vaspera-fix-rls       Generate Supabase RLS policies
+  /vaspera-add-tests     Generate security tests (priority order)
+
+ORCHESTRATION
+  /vaspera-harden        Full 6-phase hardening pipeline
+                         (audit → fix-critical → fix-high → fix-medium → add-tests → verify)
+
+RUNTIME & SCALE (M7-M8)
+  /vaspera-verify-e2e    Launch app, run golden paths, calculate runtime score
+  /vaspera-load-test     Run k6 load tests, detect bottlenecks, estimate capacity
+  /vaspera-certify       Full production readiness certification (all dimensions)
+
+DEPLOYMENT (M9)
+  /vaspera-deploy        Health checks, smoke tests, Vercel integration
+
+AI CODE VERIFICATION (M10)
+  /vaspera-ai-verify     Detect AI patterns, hallucinations, confidence scoring
+
+DISCOVERY
+  /vaspera-help          This menu
+
+MCP TOOLS (stateful operations)
+  hardening_dashboard    Portfolio view across all projects
+  certification_*        Stateful certification workflow
+  consensus_*            Multi-agent consensus calculation
+  runtime_*              Runtime verification (7 tools)
+  scale_*                Scale assessment (5 tools)
+  deploy_*               Deployment verification (7 tools)
+```
+
+## Usage Tips
+
+- Start with `/vaspera-audit` to get a baseline
+- Fix by severity: critical → high → medium
+- Run `/vaspera-verify` after fixes to confirm improvement
+- Use `/vaspera-harden` for the full automated pipeline

package/skills/vaspera-load-test/SKILL.md

@@ -0,0 +1,167 @@
+---
+description: Run scale assessment and load testing (M8)
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Bash, Read, Write, Glob, Grep
+---
+
+Run scale assessment including load testing, bottleneck detection, and capacity estimation.
+
+## Prerequisites
+
+Install a load testing tool (k6 recommended):
+```bash
+# macOS
+brew install k6
+
+# Linux
+sudo apt install k6
+
+# Windows
+choco install k6
+```
+
+## Steps
+
+1. **Validate project path**
+   - Default to `.` if no argument provided
+   - Confirm the project exists
+
+2. **Check load testing tools**
+   - Use `scale_tools_check` MCP tool
+   - Verify k6 or Artillery is installed
+
+3. **Discover load profiles**
+   - Look for `.vaspera/load/*.yaml`
+   - If no profiles exist, offer to generate sample
+
+4. **Start the application**
+   - Use `runtime_launch` to start the dev server
+   - Wait for health check
+
+5. **Run load tests**
+   - Execute each profile scenario
+   - Collect latency, throughput, error metrics
+
+6. **Detect bottlenecks**
+   - Scan code for N+1 queries, memory leaks, blocking ops
+   - Analyze load test results for slow endpoints
+
+7. **Estimate capacity**
+   - Calculate max concurrent users
+   - Estimate breakpoint (where system fails)
+   - Project infrastructure costs
+
+8. **Stop the application**
+   - Clean shutdown of dev server
+
+9. **Present results**
+   ```
+   Scale Assessment Results
+   ========================
+   Load Testing Tool: k6
+
+   Profile: production
+   ┌─────────────────┬──────────┬──────────┬──────────┐
+   │ Scenario        │ VUs      │ RPS      │ p95 (ms) │
+   ├─────────────────┼──────────┼──────────┼──────────┤
+   │ Ramp Up         │ 1→50     │ 245      │ 89       │
+   │ Steady State    │ 50       │ 312      │ 124      │
+   │ Spike           │ 50→200   │ 156      │ 456      │
+   └─────────────────┴──────────┴──────────┴──────────┘
+
+   Bottlenecks Found: 3
+   - [HIGH] N+1 query in src/api/products.ts
+   - [MEDIUM] Blocking readFileSync in lib/config.ts
+   - [MEDIUM] No connection pooling detected
+
+   Capacity Estimate:
+   - Max Concurrent Users: ~250
+   - Max Requests/sec: ~400
+   - Breakpoint: ~300 VUs (60% confidence)
+
+   Projected Cost: $140/month (2x m5.large)
+
+   Scale Score: 72/100
+
+   Certification Level: 🟡 APPROVED
+   → Ship with monitoring
+   ```
+
+10. **Write assessment report**
+    - Create `.vaspera/scale/` directory
+    - Write to `.vaspera/scale/{ISO-timestamp}.json`
+
+## Load Profile Format
+
+Profiles are defined in `.vaspera/load/*.yaml`:
+
+```yaml
+name: "production"
+description: "Production-like load test"
+tool: k6
+
+endpoints:
+  - path: "/"
+    method: GET
+    weight: 50
+  - path: "/api/products"
+    method: GET
+    weight: 30
+  - path: "/api/checkout"
+    method: POST
+    weight: 20
+    body:
+      items: [{ id: 1, qty: 1 }]
+
+thresholds:
+  p95: 500       # 95th percentile < 500ms
+  p99: 1000      # 99th percentile < 1s
+  errorRate: 0.01  # < 1% errors
+
+scenarios:
+  - name: "Ramp Up"
+    type: ramp
+    duration: "2m"
+    vus:
+      start: 1
+      end: 50
+
+  - name: "Steady State"
+    type: ramp
+    duration: "5m"
+    vus:
+      start: 50
+      end: 50
+
+  - name: "Spike"
+    type: spike
+    duration: "30s"
+    vus:
+      start: 50
+      end: 200
+```
+
+## Bottleneck Types
+
+| Type | Examples | Severity |
+|------|----------|----------|
+| database | N+1 queries, missing indexes | High |
+| memory | Leaks, unbounded caches | Medium |
+| cpu | Blocking operations, sync crypto | Medium |
+| endpoint | Slow handlers, no caching | High |
+| network | No connection reuse | Low |
+
+## MCP Tools Used
+
+- `scale_tools_check` — Verify load testing tools
+- `scale_profiles_list` — Discover profiles
+- `scale_profile_generate` — Create sample profile
+- `scale_assess` — Full scale assessment
+- `scale_bottlenecks` — Quick bottleneck scan
+
+## Important
+
+- Requires k6 or Artillery installed
+- Load tests hit the actual app — use a test environment
+- Results vary by hardware — run on similar specs to production
+- Consider running during off-peak hours for accurate results

package/skills/vaspera-verify/SKILL.md

@@ -0,0 +1,70 @@
+---
+description: Compare before/after audit state to verify fixes worked
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Write, Bash, Grep, Glob
+---
+
+Verify that fixes improved the security posture by comparing audit snapshots.
+
+## Steps
+
+1. **Preserve baseline**
+   - If `AUDIT.md` exists, rename to `AUDIT-BEFORE.md`
+   - If `.vaspera/audit/*.json` exists, note the latest as "before" snapshot
+
+2. **Run fresh audit**
+   - Execute `/vaspera-audit` to generate new findings
+   - This creates a new `.vaspera/audit/{timestamp}.json`
+
+3. **Compare before vs after**
+   Calculate deltas:
+   - Critical: before → after (delta)
+   - High: before → after (delta)
+   - Medium: before → after (delta)
+   - Low: before → after (delta)
+   - Total: before → after (delta)
+
+4. **Calculate Production Readiness Score**
+   Score = 100 - (critical×10 + high×5 + medium×2 + low×0.5)
+   
+   Certification levels:
+   - 90-100: CERTIFIED (green)
+   - 70-89: APPROVED (yellow)
+   - 40-69: REVIEW_REQUIRED (orange)
+   - 0-39: BLOCKED (red)
+
+5. **Detect regressions**
+   - New findings that didn't exist in "before" snapshot
+   - Flag these prominently — fixes may have introduced new issues
+
+6. **Generate HARDENING-REPORT.md**
+   ```markdown
+   # Hardening Report
+   
+   ## Summary
+   | Severity | Before | After | Delta |
+   |----------|--------|-------|-------|
+   | Critical | X | Y | -N |
+   ...
+   
+   ## Production Readiness Score
+   Before: XX/100 (LEVEL)
+   After: YY/100 (LEVEL)
+   
+   ## Remaining Issues
+   - [file:line] — description
+   
+   ## Regressions (NEW)
+   - [file:line] — description
+   
+   ## Deployment Checklist
+   - [ ] All critical fixed
+   - [ ] Tests passing
+   - [ ] Build succeeds
+   ```
+
+## Important
+
+- This skill is READ-ONLY for code — it generates reports, doesn't fix
+- Always flag regressions prominently
+- The score is informational — use judgment on whether to deploy