invar-tools 1.8.0__py3-none-any.whl → 1.11.0__py3-none-any.whl

invar/templates/skills/extensions/invar-onboard/templates/roadmap.md.jinja

@@ -0,0 +1,168 @@
+{#
+  Expected variables:
+  - project_name: str
+  - timestamp: str
+  - total_days: int
+  - session_count: int
+  - phases: list of {id: str, name: str, days: int, objective: str,
+                     tasks: [{day: int, files: [str], scope: str}],
+                     sessions: [{files: [str], estimate: str}],
+                     gates: [str], verification_command?: str, rollback_action?: str}
+  - result_library: str
+  - install_command: str
+  - additional_deps?: [{name: str, purpose: str, install: str}]
+  - target_coverage?: int (default 80)
+  - dependency_graph?: str
+  - notes?: str
+#}
+# Invar Onboarding Roadmap
+
+> Project: {{ project_name }}
+> Generated: {{ timestamp }}
+> Based on: docs/invar-onboard-assessment.md
+
+## Overview
+
+| Metric | Value |
+|--------|-------|
+| Total Phases | {{ phases | length }} |
+| Total Days | {{ total_days }} |
+| Agent Sessions | {{ session_count }} |
+
+---
+
+{% for phase in phases %}
+## Phase {{ loop.index }}: {{ phase.name }} ({{ phase.days }} days)
+
+### Objective
+
+{{ phase.objective }}
+
+### Tasks
+
+| Day | Files | Scope |
+|-----|-------|-------|
+{% for task in phase.tasks %}
+| {{ task.day }} | {{ task.files | join(", ") }} | {{ task.scope }} |
+{% endfor %}
+
+### Sessions
+
+| Session | Files | Estimated |
+|---------|-------|-----------|
+{% for session in phase.sessions %}
+| {{ phase.id }}.{{ loop.index }} | {{ session.files | join(", ") }} | {{ session.estimate }} |
+{% endfor %}
+
+### Gate Checklist
+
+{% for gate in phase.gates %}
+- [ ] {{ gate }}
+{% endfor %}
+
+### Verification
+
+```bash
+{{ phase.verification_command | default("invar guard") }}
+```
+
+---
+
+{% endfor %}
+
+## Rollback Strategy
+
+| Phase | Rollback Point | Recovery Action |
+|-------|----------------|-----------------|
+{% for phase in phases %}
+| {{ loop.index }} | Pre-{{ phase.name }} | {{ phase.rollback_action | default("Revert " + phase.name + " changes") }} |
+{% endfor %}
+
+## Session Guidelines
+
+### Context Limits
+
+Each agent session should:
+- Focus on 2-3 files maximum
+- Complete within 1 context window
+- End with successful `invar guard`
+
+### Handoff Protocol
+
+1. **Before session end:**
+   - Commit all changes
+   - Update this roadmap (mark completed)
+   - Document any deviations
+
+2. **Session start:**
+   - Read assessment and this roadmap
+   - Review previous session's changes
+   - Verify Guard passes before proceeding
+
+### Emergency Procedures
+
+| Situation | Action |
+|-----------|--------|
+| Guard fails after changes | Revert to last passing commit |
+| Unexpected dependency | Add to blockers, pause phase |
+| Scope creep detected | Stop, update assessment |
+
+## Progress Tracking
+
+### Phase Status
+
+| Phase | Status | Started | Completed | Notes |
+|-------|--------|---------|-----------|-------|
+{% for phase in phases %}
+| {{ loop.index }}. {{ phase.name }} | ⬜ Pending | - | - | |
+{% endfor %}
+
+### Session Log
+
+| Session | Date | Duration | Files Changed | Guard | Notes |
+|---------|------|----------|---------------|-------|-------|
+| - | - | - | - | - | - |
+
+## Dependencies
+
+### External Libraries
+
+| Library | Purpose | Install Command |
+|---------|---------|-----------------|
+| {{ result_library }} | Result types | {{ install_command }} |
+{% for dep in additional_deps %}
+| {{ dep.name }} | {{ dep.purpose }} | {{ dep.install }} |
+{% endfor %}
+
+### Internal Dependencies
+
+```
+{{ dependency_graph | default("No complex internal dependencies.") }}
+```
+
+## Success Criteria
+
+### Phase Completion
+
+Each phase is complete when:
+1. All tasks checked off
+2. Gate checklist passed
+3. `invar guard` passes
+4. E2E tests still pass (if applicable)
+
+### Project Completion
+
+Project migration complete when:
+- [ ] All phases completed
+- [ ] Full `invar guard` passes
+- [ ] Contract coverage > {{ target_coverage | default(80) }}%
+- [ ] All Core functions have doctests
+- [ ] Shell functions return Result types
+
+## Notes
+
+{{ notes | default("No additional notes.") }}
+
+---
+
+*Generated by /invar-onboard*

invar/templates/skills/extensions/security/SKILL.md

@@ -0,0 +1,382 @@
+<!--invar:skill-->
+# /security — Security Audit
+
+> Extension Skill | Tier: T0 | Isolation: Default
+
+## Purpose
+
+Identify security vulnerabilities using OWASP Top 10 as baseline. This skill performs systematic security audits with evidence-based reporting.
+
+## Triggers
+
+Use this skill when user says: "security", "audit", "vulnerabilities", "OWASP"
+
+## Relationship to Core Skills
+
+- `/review` includes security as one checklist item
+- `/security` is deep-dive security-focused audit
+
+---
+
+## Core Principles
+
+| Principle | Description |
+|-----------|-------------|
+| **Assume vulnerable** | Every input is malicious until proven safe |
+| **Defense in depth** | Check all layers, not just obvious entry points |
+| **Evidence-based** | Report with file:line and exploitation scenario |
+| **Context isolated** | Fresh perspective prevents "I know this is safe" bias |
+
+---
+
+## Depth Levels
+
+| Level | Scope | Use Case |
+|-------|-------|----------|
+| `--quick` | A03 (Injection) only | Fast CI gate |
+| `--standard` | A01-A05 (most common) | Regular development |
+| `--deep` (default) | Full OWASP A01-A10 + isolated agent | Release audit |
+
+**Default is `--deep`** — thorough security review is critical.
+
+---
+
+## Workflow
+
+### Step 0: Isolation Check
+
+```
+Parse depth: --quick / --standard / --deep (default)
+
+If --deep (default):
+┌─────────────────────────────────────────────────────────┐
+│ SPAWN ISOLATED AGENT                                     │
+│                                                          │
+│ Collect inputs:                                          │
+│ • Code scope (files/directories to audit)                │
+│ • Dependency manifest (package.json, requirements.txt)   │
+│ • Config files (if any)                                  │
+│                                                          │
+│ Spawn Task agent with:                                   │
+│ • Security Auditor persona (see below)                   │
+│ • NO conversation history                                │
+│ • Only the collected inputs                              │
+│                                                          │
+│ → Isolated agent executes steps 1-4 below                │
+│ → Returns structured security report                     │
+└─────────────────────────────────────────────────────────┘
+
+If --quick or --standard:
+└─ Continue in same context with attacker mindset
+```
+
+### Step 1: Entry + External Tools
+
+- Detect Invar (Enhanced/Standalone mode)
+- Identify scope (full project or specific files)
+- Run external security tools (if available)
+
+**External Tool Detection:**
+```
+package.json exists?     → npm audit --json
+requirements.txt exists? → pip-audit --format=json
+go.mod exists?           → govulncheck -json ./...
+.git exists?             → trufflehog git file://. --json (secrets)
+```
+
+| Tool | OWASP Category | Command |
+|------|----------------|---------|
+| `npm audit` | A06 | `npm audit --json` |
+| `pip-audit` | A06 | `pip-audit --format=json` |
+| `govulncheck` | A06 | `govulncheck -json ./...` |
+| `trufflehog` | A02 | `trufflehog git file://. --json` |
+| `semgrep` | A01-A10 | `semgrep --config=auto --json` |
+
+If tool not available → note in report, continue with manual analysis.
+
+### Step 2: Reconnaissance — Understand Attack Surface
+
+Identify:
+- **Entry points:** APIs, forms, file uploads
+- **Data flows:** user input → storage → output
+- **Auth points:** authentication/authorization checkpoints
+- **Dependencies:** external libraries and services
+
+**Enhanced Mode:** Use `invar_map` to find entry points
+**Standalone:** Grep for route definitions, handlers
+
+### Step 3: OWASP Check — Systematic Vulnerability Scan
+
+Check against OWASP Top 10 (2021):
+
+#### A01: Broken Access Control
+- [ ] Authorization checked on all endpoints?
+- [ ] IDOR vulnerabilities?
+- [ ] Missing function-level access control?
+
+#### A02: Cryptographic Failures
+- [ ] Sensitive data encrypted at rest?
+- [ ] Weak algorithms (MD5, SHA1)?
+- [ ] Hardcoded secrets?
+
+#### A03: Injection
+- [ ] SQL injection (raw queries)?
+- [ ] Command injection (shell exec)?
+- [ ] XSS (unescaped output)?
+
+#### A04: Insecure Design
+- [ ] Missing rate limiting?
+- [ ] No account lockout?
+- [ ] Predictable tokens?
+
+#### A05: Security Misconfiguration
+- [ ] Debug mode in production?
+- [ ] Default credentials?
+- [ ] Verbose error messages?
+
+#### A06: Vulnerable Components
+- [ ] Known CVEs in dependencies?
+- [ ] Outdated packages?
+
+#### A07: Authentication Failures
+- [ ] Weak password policy?
+- [ ] Missing MFA?
+- [ ] Session fixation?
+
+#### A08: Data Integrity Failures
+- [ ] Unsigned data trusted?
+- [ ] Deserialization of untrusted data?
+
+#### A09: Logging Failures
+- [ ] Security events logged?
+- [ ] Sensitive data in logs?
+
+#### A10: SSRF
+- [ ] User-controlled URLs fetched?
+- [ ] Internal network accessible?
+
+**Use language-specific patterns from `patterns/` directory.**
+
+### Step 4: Evidence — Document Findings
+
+For each finding, document:
+- **Location:** file:line
+- **Severity:** Critical/High/Medium/Low
+- **Evidence:** Code snippet
+- **Exploitation scenario:** How to exploit
+- **Remediation:** How to fix
+
+### Step 5: Report — Security Audit Report
+
+```markdown
+## Security Audit Report
+
+**Scope:** src/api/, src/auth/
+**Date:** [date]
+**Mode:** Enhanced / Standalone
+**Depth:** --deep
+
+### External Tool Results
+- npm audit: 2 vulnerabilities (1 high, 1 moderate)
+- trufflehog: 0 secrets found
+
+### Summary
+| Severity | Count |
+|----------|-------|
+| Critical | 1     |
+| High     | 2     |
+| Medium   | 3     |
+| Low      | 1     |
+
+### Critical Findings
+
+**[CRITICAL] SQL Injection in user search**
+- Location: api/users.py:45
+- Evidence: `query = f"SELECT * FROM users WHERE name='{n}'"`
+- Exploit: Input `' OR 1=1 --` returns all users
+- Risk: Full database compromise
+- Fix: Use parameterized queries
+
+### New Findings (not baselined)
+| ID | Severity | Category | Location | Description |
+|----|----------|----------|----------|-------------|
+| SEC-001 | Critical | A03 | api/users.py:45 | SQL injection |
+
+### Baselined (suppressed)
+| ID | Status | Reason |
+|----|--------|--------|
+| SEC-000 | false_positive | ORM handles escaping |
+
+### Recommendations
+1. [URGENT] Fix SQL injection
+2. Add rate limiting to login endpoint
+3. Implement account lockout
+
+### Statistics
+- New findings: 7
+- Baselined: 2
+- Total tracked: 9
+```
+
+---
+
+## Severity Classification
+
+**Decision Tree:**
+```
+Can attacker execute arbitrary code?
+    │
+YES ─┴─ NO
+│      │
+▼      ▼
+CRITICAL   Can read/write sensitive data?
+               │
+          YES ─┴─ NO
+           │      │
+           ▼      ▼
+         HIGH     Can access limited data / disrupt service?
+                      │
+                 YES ─┴─ NO
+                  │      │
+                  ▼      ▼
+               MEDIUM   LOW
+```
+
+| Severity | Impact | Examples |
+|----------|--------|----------|
+| **Critical** | Complete system compromise | RCE, SQL injection (write), command injection |
+| **High** | Significant data breach | SQL injection (read), stored XSS, session hijacking |
+| **Medium** | Limited exposure | Reflected XSS, user enumeration, missing rate limiting |
+| **Low** | Minimal direct impact | Missing security headers, debug info |
+
+---
+
+## False Positive Handling
+
+Baseline file: `.invar/security-baseline.yaml`
+
+```yaml
+version: 1
+findings:
+  SEC-2024-001:
+    pattern: sql_injection
+    file: src/db/queries.py
+    line: 45
+    content_hash: "a1b2c3d4"  # Re-evaluate if code changes
+    status: false_positive
+    reason: "ORM handles parameterization"
+    marked_by: "dev@example.com"
+    marked_at: "2026-01-01T10:30:00Z"
+```
+
+| Status | Meaning | Behavior |
+|--------|---------|----------|
+| `false_positive` | Not a real vulnerability | Suppress permanently (unless code changes) |
+| `accepted_risk` | Real but accepted | Suppress, can set expiry date |
+| `wont_fix` | Won't be fixed | Suppress, still counted in stats |
+| `in_progress` | Being fixed | Show but don't block |
+
+**To mark a finding:**
+```
+"Mark SEC-001 as false-positive: ORM handles escaping"
+```
+
+---
+
+## Language-Specific Patterns
+
+Patterns are loaded from `patterns/` directory based on project type.
+
+**Pattern file structure:**
+```yaml
+# patterns/python.yaml
+extends: _common
+patterns:
+  sql_injection:
+    category: A03
+    severity: Critical
+    description: "SQL injection via string formatting"
+    regex:
+      - 'f"[^"]*SELECT[^"]*\{[^}]+\}'
+      - '\.format\([^)]*\)[^"]*SELECT'
+```
+
+**Loading logic:**
+1. Detect language(s) from manifest files
+2. Load `_common.yaml` always
+3. Load language-specific YAML(s)
+4. Merge patterns (language-specific overrides common)
+
+---
+
+## Security Auditor Persona
+
+Used in `--deep` mode (isolated agent):
+
+```
+You are an independent Security Auditor.
+
+CRITICAL RULES:
+1. Assume all code is vulnerable until proven secure
+2. Think like an attacker — how would I exploit this?
+3. Check all layers, not just obvious entry points
+4. Provide exploitation scenarios, not just "vulnerable to X"
+5. Prioritize by impact, not likelihood
+
+OWASP TOP 10 CHECKLIST:
+You MUST check every item in A01-A10.
+
+INPUT YOU WILL RECEIVE:
+- Code files to audit
+- Dependency manifests
+- Configuration files
+
+INPUT YOU WILL NOT RECEIVE:
+- Developer assurances ("this is only internal")
+- Prior security review results
+- Context about "trusted" inputs
+
+OUTPUT: Structured Security Report (see Step 5)
+```
+
+---
+
+## CLI Override
+
+Override isolation level per-invocation:
+
+```
+/security              → Uses --deep (default, spawns isolated agent)
+/security --quick      → Same context, A03 only
+/security --standard   → Same context, A01-A05
+/security --deep       → Spawns isolated agent (explicit)
+```
+
+**No external configuration required.** Defaults are in this SKILL.md.
+
+---
+
+## Installation
+
+```bash
+# Via CLI
+invar skill add security
+
+# Manual copy
+cp -r /path/to/extensions/security .claude/skills/
+```
+
+---
+
+*Extension Skill v1.0 — LX-07*
+<!--/invar:skill--><!--invar:extensions-->
+<!-- ========================================================================
+     EXTENSIONS REGION - USER EDITABLE
+     Add project-specific extensions here. This section is preserved on update.
+
+     Examples of what to add:
+     - Custom security patterns for your tech stack
+     - Project-specific baseline rules
+     - Additional OWASP categories relevant to your domain
+     ======================================================================== -->
+<!--/invar:extensions-->

invar/templates/skills/extensions/security/patterns/_common.yaml

@@ -0,0 +1,126 @@
+# Common Security Patterns (Cross-Language)
+# These patterns apply to all languages
+
+version: "1.0"
+
+patterns:
+  # A02: Cryptographic Failures
+  hardcoded_secrets:
+    category: A02
+    severity: High
+    description: "Hardcoded credentials in source code"
+    regex:
+      - "password\\s*=\\s*[\"'][^\"']{4,}[\"']"
+      - "passwd\\s*=\\s*[\"'][^\"']{4,}[\"']"
+      - "api_key\\s*=\\s*[\"'][^\"']{8,}[\"']"
+      - "apikey\\s*=\\s*[\"'][^\"']{8,}[\"']"
+      - "secret\\s*=\\s*[\"'][^\"']{8,}[\"']"
+      - "token\\s*=\\s*[\"'][^\"']{8,}[\"']"
+      - "private_key\\s*=\\s*[\"']"
+      - "AWS_SECRET_ACCESS_KEY\\s*=\\s*[\"']"
+      - "GITHUB_TOKEN\\s*=\\s*[\"']"
+    exclude:
+      - '*_test.*'
+      - '*.test.*'
+      - '*.spec.*'
+      - '*.example.*'
+      - '.env.example'
+    false_positive_hints:
+      - "Check if value is a placeholder or environment variable reference"
+      - "Verify if file is meant for testing only"
+
+  weak_crypto_algorithms:
+    category: A02
+    severity: Medium
+    description: "Weak cryptographic algorithm usage"
+    regex:
+      - '\bmd5\b'
+      - '\bMD5\b'
+      - '\bsha1\b'
+      - '\bSHA1\b'
+      - '\bDES\b'
+      - '\bRC4\b'
+      - '\bRC2\b'
+    false_positive_hints:
+      - "MD5/SHA1 acceptable for non-security checksums"
+      - "Check if used for password hashing (bad) vs file integrity (ok)"
+
+  weak_random:
+    category: A02
+    severity: Medium
+    description: "Weak random number generation for security purposes"
+    regex:
+      - 'Math\.random\s*\('
+      - 'random\.random\s*\('
+      - 'rand\s*\('
+    false_positive_hints:
+      - "Check if used for security-sensitive purposes (tokens, keys)"
+      - "Non-security randomness (UI, tests) is acceptable"
+
+  # A03: Injection (generic patterns)
+  dangerous_regex:
+    category: A03
+    severity: Medium
+    description: "Potentially dangerous regular expression (ReDoS)"
+    regex:
+      - '\(\.\*\)\+'
+      - '\(\.\+\)\+'
+      - '\(\[.*\]\+\)\+'
+    false_positive_hints:
+      - "Check if regex is applied to untrusted input"
+      - "Consider regex timeout or input length limits"
+
+  # A05: Security Misconfiguration
+  debug_enabled:
+    category: A05
+    severity: Medium
+    description: "Debug mode potentially enabled in production"
+    regex:
+      - "DEBUG\\s*=\\s*[Tt]rue"
+      - "debug\\s*:\\s*true"
+      - "NODE_ENV\\s*=\\s*[\"']development[\"']"
+    false_positive_hints:
+      - "Check if this is production configuration"
+      - "Development-only files are acceptable"
+
+  verbose_errors:
+    category: A05
+    severity: Low
+    description: "Verbose error messages may leak information"
+    regex:
+      - 'stack\s*:\s*true'
+      - 'showStackTrace'
+      - 'print_exc\s*\('
+      - 'traceback\.print'
+    false_positive_hints:
+      - "Check if exposed to end users in production"
+
+  # A09: Logging Failures
+  sensitive_logging:
+    category: A09
+    severity: Medium
+    description: "Potentially logging sensitive data"
+    regex:
+      - 'log.*password'
+      - 'log.*token'
+      - 'log.*secret'
+      - 'log.*credit.?card'
+      - 'console\.log.*password'
+      - 'print.*password'
+    false_positive_hints:
+      - "Check if actual values are logged vs field names"
+      - "Verify log level and production exposure"
+
+  # A10: SSRF
+  ssrf_risk:
+    category: A10
+    severity: High
+    description: "User-controlled URL being fetched"
+    regex:
+      - 'fetch\s*\(\s*\w+\s*\)'
+      - 'requests\.get\s*\(\s*\w+\s*\)'
+      - 'http\.get\s*\(\s*\w+\s*\)'
+      - 'urllib\.request\.urlopen\s*\(\s*\w+\s*\)'
+    false_positive_hints:
+      - "Check if URL is user-controlled or hardcoded"
+      - "Verify URL validation/allowlisting exists"