invar-tools 1.7.1__py3-none-any.whl → 1.10.0__py3-none-any.whl

invar/templates/skills/extensions/security/patterns/python.yaml

@@ -0,0 +1,155 @@
+# Python Security Patterns
+# Extends _common.yaml with Python-specific patterns
+
+version: "1.0"
+extends: _common
+
+patterns:
+  # A03: Injection
+  sql_injection_fstring:
+    category: A03
+    severity: Critical
+    description: "SQL injection via f-string formatting"
+    regex:
+      - "f\"[^\"]*SELECT[^\"]*\\{[^}]+\\}\""
+      - "f'[^']*SELECT[^']*\\{[^}]+\\}'"
+      - "f\"[^\"]*INSERT[^\"]*\\{[^}]+\\}\""
+      - "f\"[^\"]*UPDATE[^\"]*\\{[^}]+\\}\""
+      - "f\"[^\"]*DELETE[^\"]*\\{[^}]+\\}\""
+    false_positive_hints:
+      - "Check if query uses ORM with proper parameterization"
+      - "Verify if variable is validated/sanitized before use"
+
+  sql_injection_format:
+    category: A03
+    severity: Critical
+    description: "SQL injection via .format() or % formatting"
+    regex:
+      - "\\.format\\([^)]*\\)[^\"]*SELECT"
+      - "SELECT[^\"]*\\.format\\("
+      - "%s[^\"]*SELECT|SELECT[^\"]*%s"
+      - "\"%.*SELECT.*%.*\"\\s*%"
+    false_positive_hints:
+      - "Check if parameterized queries are used"
+
+  command_injection:
+    category: A03
+    severity: Critical
+    description: "Command injection via shell execution"
+    regex:
+      - "os\\.system\\s*\\("
+      - "os\\.popen\\s*\\("
+      - "subprocess\\.call\\s*\\([^)]*shell\\s*=\\s*True"
+      - "subprocess\\.run\\s*\\([^)]*shell\\s*=\\s*True"
+      - "subprocess\\.Popen\\s*\\([^)]*shell\\s*=\\s*True"
+    false_positive_hints:
+      - "Check if command includes user input"
+      - "Prefer subprocess with list arguments (shell=False)"
+
+  code_execution:
+    category: A03
+    severity: Critical
+    description: "Dynamic code execution"
+    regex:
+      - "\\beval\\s*\\("
+      - "\\bexec\\s*\\("
+      - "compile\\s*\\([^)]+,[^)]+,[\"']exec[\"']\\)"
+    false_positive_hints:
+      - "Check if input is from trusted source"
+      - "Consider safer alternatives (ast.literal_eval)"
+
+  template_injection:
+    category: A03
+    severity: High
+    description: "Server-side template injection"
+    regex:
+      - "render_template_string\\s*\\("
+      - "Template\\s*\\(\\s*\\w+\\s*\\)"
+      - "Environment\\s*\\([^)]*\\)\\.from_string"
+    false_positive_hints:
+      - "Check if template content is user-controlled"
+
+  # A08: Data Integrity Failures
+  unsafe_pickle:
+    category: A08
+    severity: High
+    description: "Unsafe deserialization with pickle"
+    regex:
+      - "pickle\\.loads?\\s*\\("
+      - "cPickle\\.loads?\\s*\\("
+      - "_pickle\\.loads?\\s*\\("
+    false_positive_hints:
+      - "Check if data source is trusted"
+      - "Consider using JSON or other safe formats"
+
+  unsafe_yaml:
+    category: A08
+    severity: High
+    description: "Unsafe YAML loading"
+    regex:
+      - "yaml\\.load\\s*\\([^)]*\\)"
+      - "yaml\\.unsafe_load\\s*\\("
+    exclude_if_contains:
+      - "Loader=yaml.SafeLoader"
+      - "Loader=SafeLoader"
+    false_positive_hints:
+      - "Use yaml.safe_load() instead"
+
+  # A01: Broken Access Control
+  missing_auth_decorator:
+    category: A01
+    severity: Medium
+    description: "Route potentially missing authentication"
+    regex:
+      - "@app\\.route\\s*\\([^)]*\\)\\s*\\ndef\\s+\\w+\\s*\\([^)]*\\)\\s*:"
+      - "@router\\.(get|post|put|delete)\\s*\\([^)]*\\)\\s*\\n(?!.*@.*auth)"
+    false_positive_hints:
+      - "Check if route should be public"
+      - "Verify auth is handled in middleware"
+
+  # A02: Cryptographic Failures (Python-specific)
+  weak_password_hash:
+    category: A02
+    severity: High
+    description: "Weak password hashing"
+    regex:
+      - "hashlib\\.md5\\s*\\("
+      - "hashlib\\.sha1\\s*\\("
+      - "crypt\\.crypt\\s*\\("
+    false_positive_hints:
+      - "Use bcrypt, argon2, or scrypt for passwords"
+      - "MD5/SHA1 ok for non-password checksums"
+
+  # A05: Security Misconfiguration
+  flask_debug:
+    category: A05
+    severity: High
+    description: "Flask debug mode enabled"
+    regex:
+      - "app\\.run\\s*\\([^)]*debug\\s*=\\s*True"
+      - "FLASK_DEBUG\\s*=\\s*1"
+      - "FLASK_ENV\\s*=\\s*[\"']development[\"']"
+    false_positive_hints:
+      - "Ensure this is not production configuration"
+
+  django_debug:
+    category: A05
+    severity: High
+    description: "Django debug mode enabled"
+    regex:
+      - "DEBUG\\s*=\\s*True"
+    file_pattern: "settings*.py"
+    false_positive_hints:
+      - "Check if this is production settings file"
+
+  # A07: Authentication Failures
+  weak_jwt:
+    category: A07
+    severity: High
+    description: "Weak JWT configuration"
+    regex:
+      - "algorithm\\s*=\\s*[\"']none[\"']"
+      - "algorithms\\s*=\\s*\\[[\"']none[\"']\\]"
+      - "verify\\s*=\\s*False"
+    false_positive_hints:
+      - "JWT should use HS256 or RS256 minimum"

invar/templates/skills/extensions/security/patterns/typescript.yaml

@@ -0,0 +1,194 @@
+# TypeScript/JavaScript Security Patterns
+# Extends _common.yaml with TS/JS-specific patterns
+
+version: "1.0"
+extends: _common
+
+patterns:
+  # A03: Injection
+  xss_innerhtml:
+    category: A03
+    severity: High
+    description: "Cross-site scripting via innerHTML"
+    regex:
+      - "\\.innerHTML\\s*="
+      - "\\.outerHTML\\s*="
+      - "document\\.write\\s*\\("
+      - "document\\.writeln\\s*\\("
+    false_positive_hints:
+      - "Check if content is from user input"
+      - "Use textContent or DOMPurify for sanitization"
+
+  xss_react:
+    category: A03
+    severity: High
+    description: "React XSS via dangerouslySetInnerHTML"
+    regex:
+      - "dangerouslySetInnerHTML"
+    false_positive_hints:
+      - "Ensure content is sanitized with DOMPurify"
+      - "Verify source of HTML content"
+
+  xss_vue:
+    category: A03
+    severity: High
+    description: "Vue XSS via v-html directive"
+    regex:
+      - "v-html\\s*="
+    false_positive_hints:
+      - "Sanitize content before using v-html"
+
+  xss_angular:
+    category: A03
+    severity: High
+    description: "Angular XSS via innerHTML binding"
+    regex:
+      - "\\[innerHTML\\]\\s*="
+      - "bypassSecurityTrustHtml"
+    false_positive_hints:
+      - "bypassSecurityTrust* should only be used with trusted content"
+
+  code_execution:
+    category: A03
+    severity: Critical
+    description: "Dynamic code execution"
+    regex:
+      - "\\beval\\s*\\("
+      - "new\\s+Function\\s*\\("
+      - "setTimeout\\s*\\(\\s*[\"'][^\"']*[\"']"
+      - "setInterval\\s*\\(\\s*[\"'][^\"']*[\"']"
+    false_positive_hints:
+      - "Avoid eval with user input"
+      - "Use JSON.parse for data parsing"
+
+  prototype_pollution:
+    category: A03
+    severity: High
+    description: "Prototype pollution vulnerability"
+    regex:
+      - "__proto__"
+      - "constructor\\s*\\[\\s*[\"']prototype[\"']\\s*\\]"
+      - "Object\\.assign\\s*\\(\\s*\\{\\s*\\}\\s*,"
+    false_positive_hints:
+      - "Check if object keys come from user input"
+      - "Use Object.create(null) for dictionaries"
+
+  sql_injection:
+    category: A03
+    severity: Critical
+    description: "SQL injection via string concatenation"
+    regex:
+      - "`[^`]*SELECT[^`]*\\$\\{[^}]+\\}`"
+      - "\"[^\"]*SELECT[^\"]*\"\\s*\\+"
+      - "'[^']*SELECT[^']*'\\s*\\+"
+    false_positive_hints:
+      - "Use parameterized queries or ORM"
+
+  nosql_injection:
+    category: A03
+    severity: High
+    description: "NoSQL injection (MongoDB)"
+    regex:
+      - "\\$where\\s*:"
+      - "\\$regex\\s*:\\s*\\w+"
+      - "find\\s*\\(\\s*\\{[^}]*\\$"
+    false_positive_hints:
+      - "Validate and sanitize query parameters"
+
+  command_injection:
+    category: A03
+    severity: Critical
+    description: "Command injection via child_process"
+    regex:
+      - "child_process\\.exec\\s*\\("
+      - "child_process\\.execSync\\s*\\("
+      - "exec\\s*\\(\\s*`"
+      - "execSync\\s*\\(\\s*`"
+    false_positive_hints:
+      - "Use execFile with array arguments instead"
+      - "Validate/sanitize command input"
+
+  # A01: Broken Access Control
+  cors_wildcard:
+    category: A01
+    severity: Medium
+    description: "CORS allows all origins"
+    regex:
+      - "Access-Control-Allow-Origin[\"']?\\s*:\\s*[\"']?\\*"
+      - "origin\\s*:\\s*[\"']?\\*"
+      - "cors\\s*\\(\\s*\\)"
+    false_positive_hints:
+      - "Specify allowed origins explicitly"
+      - "cors() without options allows all origins"
+
+  # A02: Cryptographic Failures (JS-specific)
+  weak_crypto:
+    category: A02
+    severity: Medium
+    description: "Weak cryptographic algorithm"
+    regex:
+      - "createHash\\s*\\([\"']md5[\"']\\)"
+      - "createHash\\s*\\([\"']sha1[\"']\\)"
+      - "createCipher\\s*\\([\"']des"
+    false_positive_hints:
+      - "Use SHA-256 or stronger for security"
+
+  jwt_none_algorithm:
+    category: A02
+    severity: Critical
+    description: "JWT with 'none' algorithm"
+    regex:
+      - "algorithm[\"']?\\s*:\\s*[\"']none[\"']"
+      - "algorithms\\s*:\\s*\\[[\"']none[\"']\\]"
+    false_positive_hints:
+      - "Never allow 'none' algorithm in production"
+
+  # A05: Security Misconfiguration
+  express_trust_proxy:
+    category: A05
+    severity: Low
+    description: "Express trust proxy configuration"
+    regex:
+      - "trust\\s+proxy[\"']?\\s*,\\s*true"
+    false_positive_hints:
+      - "Only enable if behind a trusted reverse proxy"
+
+  helmet_disabled:
+    category: A05
+    severity: Medium
+    description: "Security headers potentially disabled"
+    regex:
+      - "helmet\\s*\\(\\s*\\{\\s*[^}]*:\\s*false"
+    false_positive_hints:
+      - "Avoid disabling security headers"
+
+  # A08: Data Integrity Failures
+  unsafe_json_parse:
+    category: A08
+    severity: Low
+    description: "JSON.parse without error handling"
+    regex:
+      - "JSON\\.parse\\s*\\([^)]+\\)(?!\\s*\\.catch|\\s*\\)\\s*\\.catch)"
+    false_positive_hints:
+      - "Wrap in try-catch for untrusted input"
+
+  # A07: Authentication Failures
+  hardcoded_jwt_secret:
+    category: A07
+    severity: Critical
+    description: "Hardcoded JWT secret"
+    regex:
+      - "jwt\\.sign\\s*\\([^,]+,\\s*[\"'][^\"']+[\"']"
+      - "secret\\s*:\\s*[\"'][^\"']{8,}[\"']"
+    false_positive_hints:
+      - "Use environment variables for secrets"
+
+  session_insecure:
+    category: A07
+    severity: Medium
+    description: "Insecure session configuration"
+    regex:
+      - "secure\\s*:\\s*false"
+      - "httpOnly\\s*:\\s*false"
+    false_positive_hints:
+      - "Set secure: true and httpOnly: true in production"

invar/templates/skills/investigate/SKILL.md.jinja

@@ -11,6 +11,21 @@ _invar:
 
 > **Purpose:** Understand before acting. Gather information, analyze code, report findings.
 
+## Scope Boundaries
+
+**This skill IS for:**
+- Understanding vague or unclear tasks
+- Analyzing existing code and architecture
+- Researching before implementation
+- Answering "why", "what", "how does" questions
+
+**This skill is NOT for:**
+- Writing or modifying code → switch to `/develop`
+- Making design decisions → switch to `/propose`
+- Reviewing code quality → switch to `/review`
+
+**Drift detection:** If you find yourself wanting to edit files → STOP, exit to `/develop`.
+
 ## Constraints
 
 **FORBIDDEN in this phase:**

invar/templates/skills/propose/SKILL.md.jinja

@@ -10,6 +10,39 @@ _invar:
 # Proposal Mode
 
 > **Purpose:** Facilitate human decision-making with clear options and trade-offs.
+> **Mindset:** OPTIONS, not decisions — human chooses.
+
+## Scope Boundaries
+
+**This skill IS for:**
+- Presenting design choices with trade-offs
+- Facilitating architectural decisions
+- Comparing approaches (A vs B)
+- Creating formal proposals for complex decisions
+
+**This skill is NOT for:**
+- Implementing the chosen option → switch to `/develop`
+- Researching to understand the problem → switch to `/investigate`
+- Reviewing existing code → switch to `/review`
+
+**Drift detection:** If you find yourself writing implementation code → STOP, wait for user choice, then exit to `/develop`.
+
+## Constraints
+
+**FORBIDDEN in this phase:**
+- Writing implementation code (beyond examples)
+- Making decisions for the user
+- Creating files other than proposals
+- Committing changes
+
+**ALLOWED:**
+- Read, Glob, Grep (research for options)
+{% if syntax == "mcp" -%}
+- invar_sig, invar_map (understand current state)
+{% else -%}
+- invar sig, invar map (understand current state)
+{% endif -%}
+- Creating proposal documents in `docs/proposals/`
 
 ## Entry Actions