vaspera 2.10.0 → 2.11.0

package/skills/vaspera-audit/SKILL.md

@@ -0,0 +1,67 @@
+---
+description: Run a security audit and write findings to .vaspera/audit/
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Bash, Read, Grep, Glob
+---
+
+Run a security audit against the specified project (or current directory).
+
+## Steps
+
+1. **Validate project path**
+   - Default to `.` if no argument provided
+   - Confirm the path exists and contains code (`package.json`, `go.mod`, `requirements.txt`, etc.)
+
+2. **Run certification scan**
+   - Use the `certification_scan` MCP tool if available in session
+   - Otherwise: `npx vaspera-hardening-mcp-server scan <path>`
+   - Auto-detect languages and run appropriate scanners:
+     - JavaScript/TypeScript: semgrep, npm-audit, tsc, eslint
+     - Python: semgrep, bandit
+     - Go: semgrep, gosec
+     - Ruby: semgrep, brakeman
+     - All: gitleaks (secrets), trivy (containers)
+
+3. **Write findings to stable location**
+   - Create `.vaspera/audit/` directory if it doesn't exist
+   - Write findings to `.vaspera/audit/{ISO-timestamp}.json`
+   - Schema:
+     ```json
+     {
+       "timestamp": "2026-05-29T10:30:00.000Z",
+       "project_path": ".",
+       "scanners_run": ["semgrep", "npm-audit", "gitleaks"],
+       "findings": [...],
+       "summary": {
+         "total": 42,
+         "by_severity": {"critical": 2, "high": 5, "medium": 15, "low": 20},
+         "by_scanner": {"semgrep": 30, "npm-audit": 10, "gitleaks": 2}
+       },
+       "duration_ms": 12345
+     }
+     ```
+
+4. **Summarize results**
+   Present findings as a table:
+
+   | Severity | Count | Top Scanners |
+   |----------|-------|--------------|
+   | critical | N | semgrep, gitleaks |
+   | high | N | npm-audit |
+   | medium | N | semgrep |
+   | low | N | eslint |
+
+   Then list **top 5 findings** with clickable file references:
+   - `[src/auth/login.ts:42](src/auth/login.ts#L42)` — SQL injection (CWE-89)
+   - etc.
+
+5. **Provide recommendations**
+   - Identify the 3 highest-impact fixes (severity × fixability)
+   - Do NOT modify code or open PRs
+   - Suggest running `/vaspera-fix-critical` for remediation (future skill)
+
+## Important
+
+- This skill is READ-ONLY — it audits but does not fix
+- Findings are written to `.vaspera/audit/` (separate from MCP cache)
+- Use this skill for A/B comparison against the `certification_scan` MCP tool

package/skills/vaspera-certify/SKILL.md

@@ -0,0 +1,130 @@
+---
+description: Full production readiness certification (code + security + runtime)
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Bash, Read, Write, Glob, Grep
+---
+
+Run complete production readiness certification across all dimensions.
+
+## Overview
+
+This is the master certification skill that combines:
+- **Code Quality** (20%) — Type safety, patterns, test coverage
+- **Security** (25%) — Vulnerabilities, secrets, RLS policies
+- **Runtime Verified** (25%) — E2E tests, visual regression, API tests
+- **Scale Ready** (15%) — Load tested, capacity estimation (M8)
+- **Deploy Ready** (15%) — Canary success, health checks (M9)
+
+## Steps
+
+1. **Validate project path**
+   - Default to `.` if no argument provided
+   - Detect project type (web app, API, CLI, library)
+
+2. **Run security audit** (`/vaspera-audit` equivalent)
+   - Use `certification_scan` MCP tool
+   - Collect findings by severity
+
+3. **Run runtime verification** (`/vaspera-verify-e2e` equivalent)
+   - Detect framework
+   - Launch app (if web/API project)
+   - Execute golden path flows
+   - Calculate runtime score
+
+4. **Run scale assessment** (M8 - if available)
+   - Check for `.vaspera/load/*.yaml` profiles
+   - Run load tests if profiles exist
+   - Calculate scale score
+
+5. **Check deployment readiness** (M9 - if available)
+   - Verify health endpoints exist
+   - Check for deployment configuration
+   - Calculate deploy score
+
+6. **Calculate Production Readiness Score**
+   ```
+   Score = (
+     code_quality * 0.20 +
+     security * 0.25 +
+     runtime * 0.25 +
+     scale * 0.15 +
+     deploy * 0.15
+   )
+   ```
+
+7. **Determine certification level**
+   | Score | Level | Badge | Recommendation |
+   |-------|-------|-------|----------------|
+   | 90-100 | CERTIFIED | 🟢 | Ship to production |
+   | 70-89 | APPROVED | 🟡 | Ship with monitoring |
+   | 40-69 | REVIEW_REQUIRED | 🟠 | Fix before shipping |
+   | 0-39 | BLOCKED | 🔴 | Critical issues |
+
+8. **Generate certification report**
+   ```
+   ╔══════════════════════════════════════════════════════════════╗
+   ║           PRODUCTION READINESS CERTIFICATION                 ║
+   ╠══════════════════════════════════════════════════════════════╣
+   ║                                                              ║
+   ║  Project: my-app                                             ║
+   ║  Framework: Next.js 14.2.3                                   ║
+   ║  Certified: 2026-05-29T21:30:00Z                             ║
+   ║                                                              ║
+   ╠══════════════════════════════════════════════════════════════╣
+   ║                                                              ║
+   ║  Code Quality:     92/100  ████████████████████░░░░  (20%)   ║
+   ║  Security:         88/100  ██████████████████░░░░░░  (25%)   ║
+   ║  Runtime Verified: 95/100  █████████████████████░░░  (25%)   ║
+   ║  Scale Ready:      --/100  (not tested)              (15%)   ║
+   ║  Deploy Ready:     --/100  (not tested)              (15%)   ║
+   ║  ──────────────────────────────────────────────────────────  ║
+   ║  OVERALL:          88/100                                    ║
+   ║                                                              ║
+   ╠══════════════════════════════════════════════════════════════╣
+   ║                                                              ║
+   ║  Level: 🟡 APPROVED                                          ║
+   ║  → Ship with monitoring                                      ║
+   ║                                                              ║
+   ╠══════════════════════════════════════════════════════════════╣
+   ║                                                              ║
+   ║  Top Issues:                                                 ║
+   ║  1. [CRITICAL] SQL injection in auth/login.ts:42             ║
+   ║  2. [HIGH] Missing RLS on users table                        ║
+   ║  3. [HIGH] No rate limiting on /api/checkout                 ║
+   ║                                                              ║
+   ╚══════════════════════════════════════════════════════════════╝
+   ```
+
+9. **Write certification to stable location**
+   - Create `.vaspera/certifications/` directory
+   - Write to `.vaspera/certifications/{ISO-timestamp}.json`
+   - Include full breakdown and remediation recommendations
+
+## Fallback Scoring
+
+When a dimension isn't testable:
+- **No web app** → Runtime defaults to 50 (neutral)
+- **No load profiles** → Scale defaults to 50 (neutral)
+- **No deploy config** → Deploy defaults to 50 (neutral)
+
+## MCP Tools Used
+
+- `certification_scan` — Security findings
+- `runtime_detect` — Framework detection
+- `runtime_verify` — Runtime verification (if applicable)
+- `certification_summary` — Final summary
+
+## Certification Badge
+
+Projects passing certification can display:
+
+```markdown
+[![Production Ready](https://img.shields.io/badge/Production%20Ready-88%25-green)](CERTIFICATION.md)
+```
+
+## Important
+
+- This is a comprehensive audit — may take several minutes
+- Requires MCP server connection for full functionality
+- Falls back to CLI tools when MCP unavailable
+- Does NOT auto-fix issues — use `/vaspera-harden` for that

package/skills/vaspera-deploy/SKILL.md

@@ -0,0 +1,152 @@
+---
+description: Run deployment verification and health checks (M9)
+argument-hint: "[deployment-url]"
+allowed-tools: Bash, Read, Write, Glob, Grep
+---
+
+Run deployment verification against a deployed app.
+
+## Steps
+
+1. **Validate deployment URL**
+   - Require deployment URL as argument
+   - Validate URL format
+
+2. **Detect deployment provider**
+   - Use `deploy_detect` MCP tool
+   - Check for Vercel, AWS, GCP, Railway, Render, Fly
+
+3. **Load deployment config**
+   - Look for `.vaspera/deploy.yaml`
+   - If not found, offer to generate sample config
+
+4. **Run health checks**
+   - Check configured health endpoints
+   - Default: `/`, `/api/health`
+   - Measure response times and status codes
+
+5. **Run smoke tests**
+   - Execute tests from config
+   - Check status codes, latency, response bodies
+
+6. **Analyze results**
+   - Calculate health score (0-100)
+   - Calculate smoke test score (0-100)
+   - Calculate overall deploy score
+
+7. **Present results**
+   ```
+   Deployment Verification Results
+   ================================
+   Provider: Vercel (detected)
+   URL: https://my-app.vercel.app
+
+   Health Checks:
+   ┌────────────────┬──────────┬──────────┬────────────┐
+   │ Endpoint       │ Status   │ Code     │ Time (ms)  │
+   ├────────────────┼──────────┼──────────┼────────────┤
+   │ /              │ ✅ healthy│ 200      │ 89         │
+   │ /api/health    │ ✅ healthy│ 200      │ 45         │
+   │ /api/data      │ ⚠️ degraded│ 200     │ 612        │
+   └────────────────┴──────────┴──────────┴────────────┘
+
+   Smoke Tests:
+   ┌────────────────────────┬──────────┬────────────┐
+   │ Test                   │ Status   │ Time (ms)  │
+   ├────────────────────────┼──────────┼────────────┤
+   │ Homepage loads         │ ✅ PASS  │ 89         │
+   │ API health check       │ ✅ PASS  │ 45         │
+   │ User can login         │ ❌ FAIL  │ 1200       │
+   └────────────────────────┴──────────┴────────────┘
+
+   Scores:
+   - Health: 87/100
+   - Smoke Tests: 67/100
+   - Overall: 77/100
+
+   Certification Level: 🟡 APPROVED
+   → Ship with monitoring
+   ```
+
+8. **Vercel-specific actions** (if Vercel detected)
+   - List recent deployments
+   - Promote preview to production
+   - Rollback to previous version
+
+## Config Format
+
+Config is defined in `.vaspera/deploy.yaml`:
+
+```yaml
+provider: vercel  # Optional, auto-detected
+
+healthEndpoints:
+  - /
+  - /api/health
+  - /api/ready
+
+smokeTests:
+  - name: "Homepage loads"
+    endpoint: "/"
+    method: GET
+    expectedStatus: 200
+
+  - name: "API health check"
+    endpoint: "/api/health"
+    method: GET
+    expectedStatus: 200
+    assertions:
+      - type: latency
+        operator: lt
+        value: 500
+
+  - name: "User can login"
+    endpoint: "/api/auth/login"
+    method: POST
+    expectedStatus: 200
+    body:
+      email: "test@example.com"
+      password: "testpass"
+
+canary:
+  enabled: true
+  trafficPercent: 10
+  duration: "10m"
+  thresholds:
+    errorRate: 0.01
+    p95Latency: 500
+  rollbackOnFailure: true
+
+rollback:
+  autoRollback: true
+  retainVersions: 5
+```
+
+## MCP Tools Used
+
+- `deploy_detect` — Detect deployment provider
+- `deploy_verify` — Full verification
+- `deploy_health` — Quick health check
+- `deploy_config_generate` — Create sample config
+- `deploy_vercel_list` — List Vercel deployments
+- `deploy_vercel_promote` — Promote to production
+- `deploy_vercel_rollback` — Rollback deployment
+
+## Vercel Integration
+
+Set `VERCEL_TOKEN` for full Vercel integration:
+```bash
+export VERCEL_TOKEN=your_token_here
+```
+
+Commands available with Vercel token:
+- List recent deployments
+- Promote preview to production
+- Rollback to previous version
+
+## Important
+
+- Always verify deployment URLs before promoting to production
+- Smoke tests hit the actual deployment — use test data
+- Canary analysis requires the app to be running for the duration
+- Rollbacks are immediate — verify the target deployment first

package/skills/vaspera-fix-critical/SKILL.md

@@ -0,0 +1,52 @@
+---
+description: Fix all CRITICAL severity security findings
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Remediate all CRITICAL severity findings with verification loop.
+
+## Steps
+
+1. **Load audit findings**
+   - Read latest from `.vaspera/audit/*.json` (most recent by timestamp)
+   - If no audit exists, run `/vaspera-audit` first
+   - Filter findings where `severity === "critical"`
+
+2. **Categorize critical findings**
+   Critical categories:
+   - Unhandled async/await (crashes)
+   - Missing auth checks (unauthorized access)
+   - Missing RLS policies (data leakage)
+   - Hardcoded secrets (credential exposure)
+   - Raw SQL injection (CWE-89)
+   - dangerouslySetInnerHTML (XSS, CWE-79)
+   - Publicly exposed endpoints
+   - Missing CORS configuration
+
+3. **For each finding**
+   - Show file location with context (3 lines before/after)
+   - Preview the fix (before/after diff)
+   - Apply fix:
+     - Auto-apply if pattern has `safeToAutoApply: true`
+     - Otherwise, confirm with user
+   - Run `npm run build` to verify no compile errors
+
+4. **Verification loop**
+   - After fixing a group of related findings, re-run the targeted scanner
+   - Example: after fixing gitleaks findings, run gitleaks again
+   - Confirm finding count decreased
+   - If new findings appear (regressions), flag immediately
+
+5. **Final report**
+   - N critical findings fixed
+   - M critical findings remaining (with reasons)
+   - Any regressions introduced
+   - Suggest `/vaspera-fix-high` as next step
+
+## Important
+
+- ALWAYS run `npm run build` after each fix to catch compile errors early
+- NEVER skip the verification loop — re-scan to confirm fixes worked
+- Stage changes but do NOT commit unless user requests
+- If a fix requires manual intervention, explain why and provide guidance

package/skills/vaspera-fix-high/SKILL.md

@@ -0,0 +1,81 @@
+---
+description: Fix HIGH severity findings in 4 rounds
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Remediate HIGH severity findings systematically in 4 rounds.
+
+## Steps
+
+1. **Load audit findings**
+   - Read latest from `.vaspera/audit/*.json`
+   - Filter findings where `severity === "high"`
+   - Group by category for round assignment
+
+2. **Round A: Input Validation**
+   Target findings related to:
+   - Missing Zod schemas
+   - Missing safeParse calls
+   - Missing 400 responses for invalid input
+   - Unvalidated user input
+   
+   For each:
+   - Add Zod schema if missing
+   - Replace direct access with safeParse
+   - Add proper error responses
+   - Run `npm run build` to verify
+
+3. **Round B: TypeScript Strictness**
+   Target findings related to:
+   - `any` type annotations
+   - Missing explicit return types
+   - Unsafe type assertions (`as unknown as T`)
+   
+   For each:
+   - Replace `any` with proper types or `unknown`
+   - Add explicit return types to functions
+   - Replace unsafe casts with type guards
+   - Run `npm run build` to verify
+
+4. **Round C: UI Resilience**
+   Target findings related to:
+   - Missing loading states
+   - Missing error states
+   - Missing empty states
+   - Missing cleanup for subscriptions/listeners
+   - Missing Error Boundaries
+   
+   For each:
+   - Add loading/error/empty state handling
+   - Add cleanup in useEffect return
+   - Wrap risky components in Error Boundaries
+   - Run `npm run build` to verify
+
+5. **Round D: API Hardening**
+   Target findings related to:
+   - Error response leaking internal details
+   - Missing revalidatePath calls
+   - Inconsistent response shapes
+   
+   For each:
+   - Sanitize error responses
+   - Add cache invalidation
+   - Standardize response format
+   - Run `npm run build` to verify
+
+6. **After each round**
+   - Commit with: `fix: resolve high-severity issues (round X)`
+   - Re-scan to verify finding count decreased
+   - Report progress: N fixed in round X
+
+7. **Final report**
+   - Total high findings fixed across all rounds
+   - Remaining high findings (if any)
+   - Suggest `/vaspera-fix-medium` as next step
+
+## Important
+
+- Complete each round fully before moving to next
+- Commit after each round for clean rollback if needed
+- If a fix is unclear, ask for guidance rather than guessing

package/skills/vaspera-fix-medium/SKILL.md

@@ -0,0 +1,56 @@
+---
+description: Fix MEDIUM severity findings
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Remediate MEDIUM severity findings in a single pass.
+
+## Steps
+
+1. **Load audit findings**
+   - Read latest from `.vaspera/audit/*.json`
+   - Filter findings where `severity === "medium"`
+
+2. **Categorize and fix**
+   Medium categories:
+   
+   **Code Quality**
+   - Missing test files → Add basic test coverage
+   - Code duplication → Extract shared utilities
+   - Components >300 lines → Split into smaller components
+   - Hardcoded strings → Extract to constants/i18n
+   
+   **Type Safety**
+   - Missing return types → Add explicit return types
+   - Implicit any (not explicit) → Add proper typing
+   
+   **Error Handling**
+   - No structured logging → Add logger calls
+   - Inconsistent error responses → Standardize format
+   - No error boundaries → Add React Error Boundaries
+   
+   **Architecture**
+   - Manual schema management → Add migration files
+   - Scattered Supabase clients → Centralize client creation
+
+3. **For each finding**
+   - Show context and proposed fix
+   - Apply fix with user confirmation
+   - Run `npm run build` to verify
+
+4. **Verification**
+   - After all fixes, re-run audit
+   - Confirm medium count decreased
+   - Flag any regressions
+
+5. **Final report**
+   - N medium findings fixed
+   - Remaining medium findings
+   - Suggest `/vaspera-add-tests` as next step
+
+## Important
+
+- Medium fixes are lower priority but improve maintainability
+- Some fixes may require architectural decisions — ask if unclear
+- Stage changes but do NOT commit unless user requests

package/skills/vaspera-fix-rls/SKILL.md

@@ -0,0 +1,85 @@
+---
+description: Generate and apply Supabase Row Level Security policies
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Write, Bash, Grep, Glob
+---
+
+Generate RLS policies for Supabase tables to prevent unauthorized data access.
+
+## Steps
+
+1. **Discover tables**
+   - Scan `supabase/migrations/` for CREATE TABLE statements
+   - Scan seed files for table references
+   - Scan codebase for `supabase.from('table_name')` calls
+   - Build complete table inventory
+
+2. **Detect existing policies**
+   - Look for `CREATE POLICY` statements in migrations
+   - Look for `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`
+   - Identify tables with RLS enabled vs disabled
+
+3. **Analyze access patterns**
+   For each `supabase.from()` call:
+   - What columns are selected?
+   - Is there a `.eq('user_id', ...)` filter?
+   - Is it in an authenticated context?
+   - Infer ownership column (usually `user_id` or `owner_id`)
+
+4. **Generate migration**
+   For tables missing RLS:
+   ```sql
+   -- Enable RLS
+   ALTER TABLE table_name ENABLE ROW LEVEL SECURITY;
+   
+   -- SELECT: users can only read their own rows
+   CREATE POLICY "Users can view own rows"
+     ON table_name FOR SELECT
+     USING (auth.uid() = user_id);
+   
+   -- INSERT: users can only insert with their user_id
+   CREATE POLICY "Users can insert own rows"
+     ON table_name FOR INSERT
+     WITH CHECK (auth.uid() = user_id);
+   
+   -- UPDATE: users can only update their own rows
+   CREATE POLICY "Users can update own rows"
+     ON table_name FOR UPDATE
+     USING (auth.uid() = user_id);
+   
+   -- DELETE: users can only delete their own rows
+   CREATE POLICY "Users can delete own rows"
+     ON table_name FOR DELETE
+     USING (auth.uid() = user_id);
+   ```
+
+5. **Write migration file**
+   - Create `supabase/migrations/{timestamp}_add_rls_policies.sql`
+   - Include all generated policies
+
+6. **Generate RLS-REPORT.md**
+   ```markdown
+   # RLS Policy Report
+   
+   ## Tables with RLS
+   | Table | SELECT | INSERT | UPDATE | DELETE |
+   |-------|--------|--------|--------|--------|
+   | users | ✅ | ✅ | ✅ | ✅ |
+   
+   ## Tables MISSING RLS (CRITICAL)
+   - orders (no policies, added in migration)
+   
+   ## Service Role Usage (review required)
+   - src/api/admin.ts:42 — uses service role key
+   ```
+
+7. **Optionally apply**
+   - If user confirms: `supabase db push`
+   - Otherwise: leave migration file for manual review
+
+## Important
+
+- RLS is the MOST IMPORTANT security control for multi-tenant Supabase apps
+- Missing RLS = any authenticated user can read ALL data
+- Service role key bypasses RLS — flag all usages for review
+- Always test policies locally before pushing to production