vaspera 2.10.0 → 2.11.0

package/skills/vaspera-harden/SKILL.md

@@ -0,0 +1,102 @@
+---
+description: Run complete 6-phase hardening pipeline
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Edit, Write, Bash, Grep, Glob
+---
+
+Execute the full hardening pipeline with verification at each phase.
+
+## Pipeline Overview
+
+```
+Phase 1: Audit      → Baseline assessment
+Phase 2: Fix Critical → Resolve all CRITICAL findings
+Phase 3: Fix High   → Resolve HIGH findings (4 rounds)
+Phase 4: Fix Medium → Resolve MEDIUM findings
+Phase 5: Add Tests  → Generate security tests
+Phase 6: Verify     → Before/after comparison
+```
+
+## Execution
+
+### Phase 1: Audit
+Run `/vaspera-audit` to establish baseline.
+- Record initial Production Readiness Score
+- Save finding counts by severity
+
+### Phase 2: Fix Critical
+Run `/vaspera-fix-critical`
+- Must resolve ALL critical findings before proceeding
+- Commit: `fix: resolve critical security issues`
+- **Gate**: If any critical remains, STOP and report
+
+### Phase 3: Fix High
+Run `/vaspera-fix-high`
+- 4 rounds: validation → types → UI → API
+- Commit after each round: `fix: resolve high-severity issues (round X)`
+- **Verification**: Re-scan after each round
+
+### Phase 4: Fix Medium
+Run `/vaspera-fix-medium`
+- Single pass through medium findings
+- Commit: `fix: resolve medium-severity issues`
+
+### Phase 5: Add Tests
+Run `/vaspera-add-tests`
+- Priority: API routes → data layer → UI → utilities
+- Commit: `test: add security tests for critical paths`
+- **Gate**: `npm test` must pass
+
+### Phase 6: Verify
+Run `/vaspera-verify`
+- Generate HARDENING-REPORT.md
+- Compare before/after scores
+- Flag any regressions
+
+## Pre-commit Gate
+
+Before each commit, verify:
+- [ ] `npm run build` passes (TypeScript)
+- [ ] `npm test` passes (all tests)
+- [ ] No new console.logs introduced
+- [ ] No commented code added
+- [ ] No circular imports
+
+## Failure Handling
+
+**Build fails**: Pause, report error, suggest fix
+**Tests fail**: Roll back phase changes, report
+**Regressions detected**: Flag prominently, pause for review
+
+## Final Report
+
+```markdown
+# Hardening Complete
+
+## Score Improvement
+Before: XX/100 (LEVEL)
+After: YY/100 (LEVEL)
+Delta: +ZZ points
+
+## Findings Resolved
+- Critical: X → 0
+- High: Y → N
+- Medium: Z → M
+
+## Commits Made
+1. fix: resolve critical security issues
+2. fix: resolve high-severity issues (round A)
+...
+
+## Next Steps
+- Review and merge PR
+- Deploy to staging
+- Run production certification
+```
+
+## Important
+
+- This is a LONG-RUNNING operation — may take 30+ minutes
+- Each phase commits independently for clean rollback
+- The pipeline can be resumed from any phase if interrupted
+- Do NOT push to remote unless user explicitly requests

package/skills/vaspera-help/SKILL.md

@@ -0,0 +1,61 @@
+---
+description: List all available Vaspera Hardening skills
+argument-hint: ""
+allowed-tools: Bash
+---
+
+Display the Vaspera Hardening skill menu.
+
+## Output
+
+```
+Vaspera Hardening Skills
+========================
+
+AUDIT & VERIFY
+  /vaspera-audit         Run security audit, write findings to .vaspera/audit/
+  /vaspera-verify        Compare before/after audit state, generate report
+  /vaspera-verify-e2e    Runtime verification (M7) - test app actually works
+
+FIX BY SEVERITY
+  /vaspera-fix-critical  Fix all CRITICAL severity findings
+  /vaspera-fix-high      Fix HIGH severity findings (4 rounds)
+  /vaspera-fix-medium    Fix MEDIUM severity findings
+
+SPECIALIZED
+  /vaspera-fix-rls       Generate Supabase RLS policies
+  /vaspera-add-tests     Generate security tests (priority order)
+
+ORCHESTRATION
+  /vaspera-harden        Full 6-phase hardening pipeline
+                         (audit → fix-critical → fix-high → fix-medium → add-tests → verify)
+
+RUNTIME & SCALE (M7-M8)
+  /vaspera-verify-e2e    Launch app, run golden paths, calculate runtime score
+  /vaspera-load-test     Run k6 load tests, detect bottlenecks, estimate capacity
+  /vaspera-certify       Full production readiness certification (all dimensions)
+
+DEPLOYMENT (M9)
+  /vaspera-deploy        Health checks, smoke tests, Vercel integration
+
+AI CODE VERIFICATION (M10)
+  /vaspera-ai-verify     Detect AI patterns, hallucinations, confidence scoring
+
+DISCOVERY
+  /vaspera-help          This menu
+
+MCP TOOLS (stateful operations)
+  hardening_dashboard    Portfolio view across all projects
+  certification_*        Stateful certification workflow
+  consensus_*            Multi-agent consensus calculation
+  runtime_*              Runtime verification (7 tools)
+  scale_*                Scale assessment (5 tools)
+  deploy_*               Deployment verification (7 tools)
+```
+
+## Usage Tips
+
+- Start with `/vaspera-audit` to get a baseline
+- Fix by severity: critical → high → medium
+- Run `/vaspera-verify` after fixes to confirm improvement
+- Use `/vaspera-harden` for the full automated pipeline

package/skills/vaspera-load-test/SKILL.md

@@ -0,0 +1,167 @@
+---
+description: Run scale assessment and load testing (M8)
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Bash, Read, Write, Glob, Grep
+---
+
+Run scale assessment including load testing, bottleneck detection, and capacity estimation.
+
+## Prerequisites
+
+Install a load testing tool (k6 recommended):
+```bash
+# macOS
+brew install k6
+
+# Linux
+sudo apt install k6
+
+# Windows
+choco install k6
+```
+
+## Steps
+
+1. **Validate project path**
+   - Default to `.` if no argument provided
+   - Confirm the project exists
+
+2. **Check load testing tools**
+   - Use `scale_tools_check` MCP tool
+   - Verify k6 or Artillery is installed
+
+3. **Discover load profiles**
+   - Look for `.vaspera/load/*.yaml`
+   - If no profiles exist, offer to generate sample
+
+4. **Start the application**
+   - Use `runtime_launch` to start the dev server
+   - Wait for health check
+
+5. **Run load tests**
+   - Execute each profile scenario
+   - Collect latency, throughput, error metrics
+
+6. **Detect bottlenecks**
+   - Scan code for N+1 queries, memory leaks, blocking ops
+   - Analyze load test results for slow endpoints
+
+7. **Estimate capacity**
+   - Calculate max concurrent users
+   - Estimate breakpoint (where system fails)
+   - Project infrastructure costs
+
+8. **Stop the application**
+   - Clean shutdown of dev server
+
+9. **Present results**
+   ```
+   Scale Assessment Results
+   ========================
+   Load Testing Tool: k6
+
+   Profile: production
+   ┌─────────────────┬──────────┬──────────┬──────────┐
+   │ Scenario        │ VUs      │ RPS      │ p95 (ms) │
+   ├─────────────────┼──────────┼──────────┼──────────┤
+   │ Ramp Up         │ 1→50     │ 245      │ 89       │
+   │ Steady State    │ 50       │ 312      │ 124      │
+   │ Spike           │ 50→200   │ 156      │ 456      │
+   └─────────────────┴──────────┴──────────┴──────────┘
+
+   Bottlenecks Found: 3
+   - [HIGH] N+1 query in src/api/products.ts
+   - [MEDIUM] Blocking readFileSync in lib/config.ts
+   - [MEDIUM] No connection pooling detected
+
+   Capacity Estimate:
+   - Max Concurrent Users: ~250
+   - Max Requests/sec: ~400
+   - Breakpoint: ~300 VUs (60% confidence)
+
+   Projected Cost: $140/month (2x m5.large)
+
+   Scale Score: 72/100
+
+   Certification Level: 🟡 APPROVED
+   → Ship with monitoring
+   ```
+
+10. **Write assessment report**
+    - Create `.vaspera/scale/` directory
+    - Write to `.vaspera/scale/{ISO-timestamp}.json`
+
+## Load Profile Format
+
+Profiles are defined in `.vaspera/load/*.yaml`:
+
+```yaml
+name: "production"
+description: "Production-like load test"
+tool: k6
+
+endpoints:
+  - path: "/"
+    method: GET
+    weight: 50
+  - path: "/api/products"
+    method: GET
+    weight: 30
+  - path: "/api/checkout"
+    method: POST
+    weight: 20
+    body:
+      items: [{ id: 1, qty: 1 }]
+
+thresholds:
+  p95: 500       # 95th percentile < 500ms
+  p99: 1000      # 99th percentile < 1s
+  errorRate: 0.01  # < 1% errors
+
+scenarios:
+  - name: "Ramp Up"
+    type: ramp
+    duration: "2m"
+    vus:
+      start: 1
+      end: 50
+
+  - name: "Steady State"
+    type: ramp
+    duration: "5m"
+    vus:
+      start: 50
+      end: 50
+
+  - name: "Spike"
+    type: spike
+    duration: "30s"
+    vus:
+      start: 50
+      end: 200
+```
+
+## Bottleneck Types
+
+| Type | Examples | Severity |
+|------|----------|----------|
+| database | N+1 queries, missing indexes | High |
+| memory | Leaks, unbounded caches | Medium |
+| cpu | Blocking operations, sync crypto | Medium |
+| endpoint | Slow handlers, no caching | High |
+| network | No connection reuse | Low |
+
+## MCP Tools Used
+
+- `scale_tools_check` — Verify load testing tools
+- `scale_profiles_list` — Discover profiles
+- `scale_profile_generate` — Create sample profile
+- `scale_assess` — Full scale assessment
+- `scale_bottlenecks` — Quick bottleneck scan
+
+## Important
+
+- Requires k6 or Artillery installed
+- Load tests hit the actual app — use a test environment
+- Results vary by hardware — run on similar specs to production
+- Consider running during off-peak hours for accurate results

package/skills/vaspera-verify/SKILL.md

@@ -0,0 +1,70 @@
+---
+description: Compare before/after audit state to verify fixes worked
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Read, Write, Bash, Grep, Glob
+---
+
+Verify that fixes improved the security posture by comparing audit snapshots.
+
+## Steps
+
+1. **Preserve baseline**
+   - If `AUDIT.md` exists, rename to `AUDIT-BEFORE.md`
+   - If `.vaspera/audit/*.json` exists, note the latest as "before" snapshot
+
+2. **Run fresh audit**
+   - Execute `/vaspera-audit` to generate new findings
+   - This creates a new `.vaspera/audit/{timestamp}.json`
+
+3. **Compare before vs after**
+   Calculate deltas:
+   - Critical: before → after (delta)
+   - High: before → after (delta)
+   - Medium: before → after (delta)
+   - Low: before → after (delta)
+   - Total: before → after (delta)
+
+4. **Calculate Production Readiness Score**
+   Score = 100 - (critical×10 + high×5 + medium×2 + low×0.5)
+   
+   Certification levels:
+   - 90-100: CERTIFIED (green)
+   - 70-89: APPROVED (yellow)
+   - 40-69: REVIEW_REQUIRED (orange)
+   - 0-39: BLOCKED (red)
+
+5. **Detect regressions**
+   - New findings that didn't exist in "before" snapshot
+   - Flag these prominently — fixes may have introduced new issues
+
+6. **Generate HARDENING-REPORT.md**
+   ```markdown
+   # Hardening Report
+   
+   ## Summary
+   | Severity | Before | After | Delta |
+   |----------|--------|-------|-------|
+   | Critical | X | Y | -N |
+   ...
+   
+   ## Production Readiness Score
+   Before: XX/100 (LEVEL)
+   After: YY/100 (LEVEL)
+   
+   ## Remaining Issues
+   - [file:line] — description
+   
+   ## Regressions (NEW)
+   - [file:line] — description
+   
+   ## Deployment Checklist
+   - [ ] All critical fixed
+   - [ ] Tests passing
+   - [ ] Build succeeds
+   ```
+
+## Important
+
+- This skill is READ-ONLY for code — it generates reports, doesn't fix
+- Always flag regressions prominently
+- The score is informational — use judgment on whether to deploy

package/skills/vaspera-verify-e2e/SKILL.md

@@ -0,0 +1,117 @@
+---
+description: Run E2E runtime verification against a project (M7)
+argument-hint: "[project-path: defaults to .]"
+allowed-tools: Bash, Read, Write, Glob, Grep
+---
+
+Run runtime verification to ensure the app actually works, not just compiles.
+
+## Steps
+
+1. **Validate project path**
+   - Default to `.` if no argument provided
+   - Confirm the path exists and contains a recognizable framework
+
+2. **Detect framework**
+   - Use `runtime_detect` MCP tool if available
+   - Otherwise: check for Next.js, Vite, Express, FastAPI, Flask, Django, Rails
+   - Display detected framework and confidence
+
+3. **Discover golden path flows**
+   - Look for `.vaspera/flows/*.yaml`
+   - If no flows exist, offer to generate sample flow
+
+4. **Launch the application**
+   - Use `runtime_launch` MCP tool if available
+   - Otherwise: run `npm run dev` or detected dev command
+   - Wait for health check to pass
+   - Display startup time and URL
+
+5. **Run golden path flows**
+   - Execute each flow in priority order (critical → high → medium → low)
+   - For each flow, report:
+     - Flow name and priority
+     - Steps passed/failed
+     - Duration
+   - Stop on critical flow failure
+
+6. **Calculate runtime score**
+   - Score formula: weighted average of flow results
+     - Critical flows: weight 3
+     - High flows: weight 2
+     - Medium flows: weight 1.5
+     - Low flows: weight 1
+
+7. **Stop the application**
+   - Gracefully terminate the dev server
+   - Confirm cleanup
+
+8. **Present results**
+   ```
+   Runtime Verification Results
+   ============================
+   Framework: Next.js (confidence: 95%)
+   Startup Time: 2.3s
+   App URL: http://localhost:3000
+
+   Golden Path Flows:
+   ┌────────────────────┬──────────┬──────────┬──────────┐
+   │ Flow               │ Priority │ Status   │ Duration │
+   ├────────────────────┼──────────┼──────────┼──────────┤
+   │ checkout           │ critical │ ✅ PASS  │ 1.2s     │
+   │ user-registration  │ high     │ ✅ PASS  │ 0.8s     │
+   │ profile-update     │ medium   │ ❌ FAIL  │ 0.5s     │
+   └────────────────────┴──────────┴──────────┴──────────┘
+
+   Runtime Score: 75/100
+
+   Certification Level: APPROVED (70-89)
+   → Ship with monitoring
+   ```
+
+9. **Write verification report**
+   - Create `.vaspera/runtime/` directory if needed
+   - Write to `.vaspera/runtime/{ISO-timestamp}.json`
+
+## Golden Path Flow Format
+
+Flows are defined in `.vaspera/flows/*.yaml`:
+
+```yaml
+name: "checkout"
+description: "Verify checkout flow works"
+priority: critical
+tags:
+  - smoke
+  - e2e
+
+steps:
+  - action: navigate
+    url: "/"
+  - action: click
+    selector: "[data-testid='add-to-cart']"
+  - action: fill
+    selector: "#email"
+    value: "test@example.com"
+  - action: api
+    url: "/api/checkout"
+    method: POST
+  - action: assert
+    url: "/confirmation"
+```
+
+## Certification Levels
+
+| Score | Level | Recommendation |
+|-------|-------|----------------|
+| 90-100 | CERTIFIED | Ship to production |
+| 70-89 | APPROVED | Ship with monitoring |
+| 40-69 | REVIEW_REQUIRED | Fix before shipping |
+| 0-39 | BLOCKED | Critical issues |
+
+## Important
+
+- This skill launches the dev server — ensure port is available
+- Playwright integration for DOM actions is planned but not yet available
+- HTTP-based actions (navigate, api) work immediately
+- Click/fill/select actions require Playwright (marked as skipped)