moai-adk 0.35.1__py3-none-any.whl

moai_adk/templates/.claude/skills/moai-platform-auth0/SKILL.md

@@ -0,0 +1,291 @@
+---
+name: moai-platform-auth0
+description: Auth0 enterprise authentication specialist covering SSO, SAML, OIDC, organizations, and B2B multi-tenancy. Use when implementing enterprise identity federation or complex auth workflows.
+version: 1.0.0
+category: platform
+tags: [auth0, sso, saml, oidc, enterprise, identity]
+context7-libraries: [/auth0/auth0-docs]
+related-skills: [moai-platform-clerk, moai-domain-backend, moai-security-auth0]
+updated: 2025-12-07
+status: active
+allowed-tools: Read, Write, Bash, Grep, Glob
+---
+
+# Auth0 Enterprise Authentication Specialist
+
+Enterprise identity federation platform for B2B SaaS applications with SSO, SAML, OIDC, ADFS, Organizations, Actions, and Universal Login customization.
+
+## Quick Reference (30 seconds)
+
+Auth0 Core Capabilities:
+
+- Enterprise SSO: SAML, OIDC, ADFS with 50+ pre-built connections
+- Organizations: B2B multi-tenancy with isolated authentication contexts
+- Actions: Serverless extensibility for custom auth logic
+- Universal Login: Customizable branded login experience
+- Management API: Comprehensive user and tenant management
+
+When to Use Auth0:
+
+- Enterprise SSO with SAML, OIDC, or ADFS required
+- B2B SaaS with organization-level isolation
+- 50+ enterprise identity provider integrations needed
+- Complex authentication workflows with custom logic
+- SOC2, HIPAA, or enterprise compliance requirements
+
+Context7 Access:
+
+Use resolve-library-id with "auth0" then get-library-docs for latest API documentation.
+
+---
+
+## Implementation Guide
+
+### Enterprise SSO Configuration
+
+SAML Identity Provider Integration:
+
+Step 1: Navigate to Auth0 Dashboard, select Authentication, then Enterprise
+Step 2: Select SAML and click Create Connection
+Step 3: Provide connection name and IdP metadata URL or upload XML
+Step 4: Configure attribute mappings for user profile synchronization
+Step 5: Map SAML attributes to Auth0 user profile fields
+Step 6: Enable connection for target applications
+
+SAML Attribute Mapping Configuration:
+
+Common attribute mappings include email from http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress, given_name from http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname, family_name from http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname, and groups from http://schemas.xmlsoap.org/claims/Group.
+
+OIDC Connection Setup:
+
+Step 1: Select OpenID Connect in enterprise connections
+Step 2: Provide discovery URL from identity provider
+Step 3: Configure client ID and client secret from IdP
+Step 4: Define required scopes (openid, profile, email)
+Step 5: Map OIDC claims to Auth0 user profile attributes
+Step 6: Configure token validation settings
+
+ADFS Integration:
+
+Step 1: Configure ADFS as SAML identity provider in ADFS console
+Step 2: Add Auth0 as relying party trust
+Step 3: Export ADFS federation metadata XML
+Step 4: Create SAML connection in Auth0 with ADFS metadata
+Step 5: Configure claim rules in ADFS for required attributes
+Step 6: Test connection with ADFS sign-in flow
+
+### Organizations for B2B Multi-Tenancy
+
+Organization Feature Overview:
+
+Auth0 Organizations enable multi-tenant B2B SaaS applications with isolated authentication contexts per customer organization.
+
+Organization Core Features:
+
+- Isolated user pools per organization
+- Organization-specific identity providers
+- Role-based access control per organization
+- Invitation and membership management
+- Custom branding per organization
+- Connection-level organization restrictions
+
+Creating Organizations Programmatically:
+
+Use Management API to create organizations with name, display_name, branding configuration (logo_url, colors), metadata for custom attributes, and enabled_connections for allowed identity providers.
+
+Organization Membership Management:
+
+Invite users via email with customizable invitation templates, assign roles during invitation, support multiple organization memberships per user, and implement domain-based auto-enrollment.
+
+Organization RBAC Configuration:
+
+Step 1: Enable Organizations in tenant settings
+Step 2: Define organization roles (org_admin, org_member, org_viewer)
+Step 3: Assign permissions to roles at organization level
+Step 4: Configure organization login experience
+Step 5: Implement role checks in application using organization claims
+
+Organization-Specific Connections:
+
+Enable different identity providers per organization, allowing Enterprise customers to use SAML SSO while standard customers use email/password.
+
+### Actions and Rules
+
+Actions Overview:
+
+Auth0 Actions replace deprecated Rules and Hooks with a modern serverless extensibility system.
+
+Action Triggers:
+
+- post-login: Execute after successful authentication
+- post-user-registration: Execute after user signs up
+- pre-user-registration: Validate user before registration
+- post-change-password: Execute after password change
+- send-phone-message: Custom phone message providers
+
+Post-Login Action Patterns:
+
+Add custom claims to tokens based on user metadata, enforce organization membership requirements, implement progressive profiling, log authentication events to external systems, and block users based on custom conditions.
+
+Post-Login Action Structure:
+
+The exports.onExecutePostLogin function receives event and api parameters. Access user information via event.user, organization via event.organization, and modify tokens using api.idToken.setCustomClaim and api.accessToken.setCustomClaim methods.
+
+Pre-User-Registration Actions:
+
+Validate email domains before allowing registration, check against external systems for user approval, populate initial user metadata, and enforce custom registration requirements.
+
+Action Secrets Management:
+
+Store sensitive values like API keys in Action secrets, access via event.secrets object, rotate secrets without redeploying actions, and audit secret access in logs.
+
+### Universal Login Customization
+
+Universal Login Overview:
+
+Auth0 Universal Login provides a centralized, secure authentication experience hosted on Auth0 infrastructure.
+
+New Universal Login Features:
+
+- Built-in customization without code
+- Passwordless authentication support
+- WebAuthn and passkeys integration
+- Organization login picker
+- Identifier-first authentication flow
+
+Branding Configuration:
+
+Configure logo, colors, and fonts in Dashboard under Branding. Set primary_color for buttons and links, page_background_color for login page, and upload logo images in recommended dimensions.
+
+Custom Universal Login:
+
+For advanced customization, use Auth0 Lock widget or custom HTML pages. Implement custom CSS, JavaScript logic, and integrate with design systems while maintaining security.
+
+Page Templates:
+
+Customize login, signup, password reset, and MFA pages. Support multiple languages with template variables. Implement A/B testing for conversion optimization.
+
+### Management API
+
+Management API Overview:
+
+Auth0 Management API provides comprehensive programmatic access for user management, application configuration, and tenant administration.
+
+Authentication for Management API:
+
+Obtain Machine-to-Machine access tokens with appropriate scopes. Use client credentials flow with application client_id and client_secret targeting the Management API audience.
+
+User Management Operations:
+
+Create users with connection, email, password, and metadata. Search users with Lucene query syntax. Update user metadata (user_metadata for user-editable, app_metadata for application-controlled). Delete users and revoke sessions.
+
+Application Management:
+
+Create and configure applications programmatically. Manage allowed callbacks, logout URLs, and web origins. Configure JWT settings including token lifetime and signing algorithm.
+
+Connection Management:
+
+Create enterprise connections via API. Configure connection options and attribute mappings. Enable connections for specific applications. Manage connection-level settings.
+
+Rate Limiting Considerations:
+
+Management API enforces rate limits per endpoint. Implement exponential backoff for retry logic. Cache frequently accessed data. Use bulk operations where available.
+
+---
+
+## Advanced Patterns
+
+### Enterprise Connection Patterns
+
+Connection Selector for Multiple IdPs:
+
+Implement Home Realm Discovery using email domain to route users to appropriate identity provider automatically.
+
+Connection Configuration per Environment:
+
+Maintain separate connections for development, staging, and production environments. Use environment-specific metadata for connection configuration.
+
+Fallback Authentication Strategy:
+
+Configure primary enterprise connection with database connection fallback. Allow password reset for users locked out of SSO.
+
+### Token Customization
+
+Custom Claims in Access Tokens:
+
+Add organization_id, roles, and permissions as custom claims. Use namespaced claims following JWT best practices (e.g., https://myapp.com/claims/role).
+
+Refresh Token Rotation:
+
+Enable refresh token rotation for enhanced security. Configure absolute and inactivity expiration. Implement reuse detection for compromised tokens.
+
+Token Lifetime Configuration:
+
+Set appropriate lifetimes based on security requirements: access_token (15 minutes default), id_token (36000 seconds default), refresh_token (absolute and inactivity expiration).
+
+### Migration Strategies
+
+Lazy Migration from Legacy Database:
+
+Step 1: Create custom database connection
+Step 2: Implement Login script to validate against legacy DB
+Step 3: Implement GetUser script for profile retrieval
+Step 4: Auth0 creates user on successful legacy authentication
+Step 5: Monitor migration progress via logs
+
+Bulk User Import:
+
+Export users from legacy system with password hashes. Format as Auth0 bulk import JSON with supported hash algorithms (bcrypt, argon2, pbkdf2). Submit import job via Management API. Monitor job status and handle errors.
+
+Organization Migration:
+
+Map legacy tenant structure to Auth0 Organizations. Migrate users with organization memberships. Configure organization-specific connections. Update application to use organization context.
+
+### Security Best Practices
+
+Anomaly Detection:
+
+Enable brute-force protection with configurable thresholds. Configure breached password detection. Set up suspicious IP throttling. Monitor authentication anomalies in logs.
+
+Adaptive MFA:
+
+Configure risk-based MFA challenges. Require MFA for sensitive operations. Support multiple factors (TOTP, SMS, WebAuthn, push). Implement step-up authentication for high-risk actions.
+
+Token Security:
+
+Use httpOnly cookies for token storage when possible. Implement token binding for enhanced security. Configure audience restrictions on access tokens. Validate tokens server-side before granting access.
+
+---
+
+## Resources
+
+Context7 Documentation Access:
+
+Use resolve-library-id with "auth0" then get-library-docs for comprehensive API reference and implementation guides.
+
+Works Well With:
+
+- moai-security-auth0: Auth0-specific security (Attack Protection, MFA, Token Security, Compliance)
+- moai-platform-clerk: Alternative for WebAuthn-first authentication
+- moai-platform-supabase: Supabase authentication integration
+- moai-platform-firebase-auth: Firebase authentication comparison
+- moai-platform-vercel: Vercel deployment with Auth0
+- moai-domain-backend: API development and token validation
+- moai-quality-security: OWASP compliance and security validation
+
+Auth0 Deployment Models:
+
+- Public Cloud: Multi-tenant SaaS deployment
+- Private Cloud: Dedicated tenant with enhanced isolation
+- Managed Private Cloud: Customer-controlled infrastructure
+
+Compliance Certifications:
+
+SOC 2 Type II, ISO 27001, ISO 27018, HIPAA BAA available, GDPR compliant, PCI DSS for applicable services.
+
+---
+
+Status: Production Ready
+Generated with: MoAI-ADK Skill Factory v1.0
+Last Updated: 2025-12-07
+Platform: Auth0 Enterprise Authentication

moai_adk/templates/.claude/skills/moai-platform-clerk/SKILL.md

@@ -0,0 +1,390 @@
+---
+name: moai-platform-clerk
+description: Clerk modern authentication specialist covering WebAuthn, passkeys, passwordless, and beautiful UI components. Use when implementing modern auth with great UX.
+version: 1.0.0
+category: platform
+tags: [clerk, webauthn, passkeys, passwordless, authentication]
+context7-libraries: [/clerk/clerk-docs]
+related-skills: [moai-platform-auth0, moai-lang-typescript]
+updated: 2025-12-07
+status: active
+allowed-tools: Read, Write, Bash, Grep, Glob
+---
+
+# Clerk Modern Authentication Specialist
+
+Modern authentication platform with WebAuthn, passkeys, passwordless flows, beautiful pre-built UI components, and multi-tenant organization support.
+
+## Quick Reference (30 seconds)
+
+Clerk Core Capabilities:
+
+- WebAuthn and Passkeys: First-class biometric and hardware key support
+- Passwordless: Email magic links, SMS OTP, email OTP
+- Pre-built UI: SignIn, SignUp, UserButton, OrganizationSwitcher components
+- Organizations: Multi-tenant team management with RBAC
+- Multi-Platform: React, Next.js, Vue, React Native, Node.js SDKs
+
+Context7 Access:
+
+- Library: /clerk/clerk-docs
+- Resolution: Use resolve-library-id with "clerk" then get-library-docs
+
+Quick Decision Criteria:
+
+- Need WebAuthn and passkeys? Clerk is ideal
+- Need beautiful pre-built auth UI? Clerk provides ready components
+- Need passwordless authentication? Clerk supports all methods
+- Need multi-tenant organizations? Clerk Organizations feature
+- Need React/Next.js integration? Clerk has first-class support
+
+---
+
+## Implementation Guide
+
+### WebAuthn and Passkey Implementation
+
+WebAuthn Configuration:
+
+Clerk provides first-class WebAuthn support enabling passwordless authentication with biometrics and hardware security keys.
+
+Step 1: Enable WebAuthn in Clerk Dashboard under User and Authentication
+Step 2: Configure passkey requirements (required, optional, or disabled)
+Step 3: Set verification requirements for passkey registration
+Step 4: Implement passkey UI using Clerk components or custom flow
+
+Passkey User Experience:
+
+- Registration flow prompts for biometric or security key
+- Login flow automatically detects available passkeys
+- Fallback to password if passkeys unavailable
+- Cross-device passkey support with FIDO Alliance standards
+
+Passkey Registration Flow:
+
+User clicks "Add Passkey" button in account settings
+Clerk prompts for device biometric or security key
+Browser WebAuthn API handles credential creation
+Passkey stored securely in Clerk backend
+User can manage multiple passkeys per account
+
+Passkey Login Flow:
+
+User navigates to sign-in page
+Clerk detects available passkeys for user
+User authenticates with biometric or security key
+Session created automatically upon successful verification
+
+### Passwordless Authentication
+
+Email Magic Links:
+
+Clerk sends secure magic links for passwordless sign-in with customizable email templates.
+
+Configuration Steps:
+
+Step 1: Enable Email magic link in Clerk Dashboard
+Step 2: Customize email template with branding
+Step 3: Configure link expiration time
+Step 4: Set redirect URL after successful authentication
+
+Magic Link Features:
+
+- Customizable email templates with branding
+- Configurable expiration times
+- Secure one-time use tokens
+- Automatic session creation on click
+
+SMS One-Time Passwords:
+
+Step 1: Enable SMS authentication in Dashboard
+Step 2: Configure phone number verification requirements
+Step 3: Set OTP expiration and retry limits
+Step 4: Customize SMS message template
+
+Email One-Time Passwords:
+
+Step 1: Enable Email OTP in authentication settings
+Step 2: Configure code length (6 or 8 digits)
+Step 3: Set code expiration time
+Step 4: Customize email template
+
+### Pre-built UI Components
+
+Available Components:
+
+SignIn Component: Complete sign-in form with social and email options
+SignUp Component: Registration form with verification
+UserButton Component: User avatar dropdown with profile management
+OrganizationSwitcher Component: Organization selection dropdown
+UserProfile Component: Full user profile management
+CreateOrganization Component: Organization creation flow
+
+React Integration:
+
+Install @clerk/clerk-react package
+Wrap application with ClerkProvider
+Use components directly in JSX
+Customize appearance via theme prop
+
+Next.js Integration:
+
+Install @clerk/nextjs package
+Add Clerk middleware for route protection
+Use components in pages and layouts
+Configure environment variables for API keys
+
+Component Customization:
+
+- Theme customization via appearance prop
+- Custom CSS with provided class names
+- Override individual elements
+- Dark mode support built-in
+
+### Organization Management (Multi-Tenancy)
+
+Organization Features:
+
+- Create and manage organizations programmatically
+- Invite users via email with customizable invitations
+- Role-based permissions (admin, member, custom roles)
+- Organization switching for users with multiple memberships
+- Domain verification for automatic organization membership
+
+Creating Organizations:
+
+Step 1: Enable Organizations feature in Dashboard
+Step 2: Configure default roles and permissions
+Step 3: Set invitation email templates
+Step 4: Implement CreateOrganization component
+
+Invitation System:
+
+Step 1: Admin initiates invitation via dashboard or API
+Step 2: Invitee receives customizable email invitation
+Step 3: Invitee clicks link and completes signup or signin
+Step 4: Automatic organization membership upon completion
+
+Role-Based Access Control:
+
+Default Roles:
+- org:admin: Full organization management
+- org:member: Standard member access
+
+Custom Roles:
+- Define custom roles in Dashboard
+- Assign permissions to roles
+- Check permissions in application code
+
+Domain Verification:
+
+Organizations can claim domains for automatic membership
+Users with verified email from claimed domain auto-join
+Reduces friction for enterprise onboarding
+
+### Session Management
+
+Session Features:
+
+- Automatic token refresh
+- Multi-device session tracking
+- Session revocation capability
+- Configurable session duration
+
+Session Configuration:
+
+Step 1: Configure session lifetime in Dashboard
+Step 2: Set multi-session or single-session mode
+Step 3: Configure token refresh behavior
+Step 4: Enable session activity tracking
+
+Token Management:
+
+- Access tokens for API authentication
+- Session tokens for frontend state
+- Automatic refresh before expiration
+- Secure httpOnly cookie storage option
+
+### Multi-Platform SDK Support
+
+Supported Platforms:
+
+React: @clerk/clerk-react
+Next.js: @clerk/nextjs with middleware support
+Vue: @clerk/vue (community maintained)
+React Native: @clerk/clerk-expo
+Node.js: @clerk/clerk-sdk-node
+Express: @clerk/express
+Fastify: @clerk/fastify
+
+Next.js Middleware:
+
+Clerk middleware protects routes at Edge
+Configure public and protected route patterns
+Automatic redirect to sign-in for unauthenticated users
+Access user session in middleware for custom logic
+
+Backend Verification:
+
+Node.js SDK verifies session tokens
+Extract user ID and organization from token
+Implement authorization logic in API routes
+Webhook signature verification for events
+
+---
+
+## Advanced Patterns
+
+### Custom Authentication Flows
+
+Building Custom Sign-In:
+
+Use useSignIn hook for programmatic control
+Implement multi-step verification flows
+Handle errors with custom UI
+Support social OAuth alongside email
+
+Building Custom Sign-Up:
+
+Use useSignUp hook for registration logic
+Implement progressive profiling
+Custom verification code entry UI
+Handle optional vs required fields
+
+Headless Mode:
+
+Full control over UI while using Clerk backend
+Access all functionality via hooks
+Implement completely custom designs
+Maintain security without pre-built components
+
+### Webhook Integration
+
+Available Webhook Events:
+
+user.created: New user registration completed
+user.updated: User profile changes
+user.deleted: User account deleted
+session.created: New session started
+session.ended: Session terminated
+organization.created: New organization created
+organization.membership.created: User joined organization
+
+Webhook Configuration:
+
+Step 1: Add webhook endpoint URL in Dashboard
+Step 2: Select events to subscribe
+Step 3: Copy signing secret for verification
+Step 4: Implement signature verification in endpoint
+
+Webhook Security:
+
+Verify webhook signatures using svix library
+Check timestamp to prevent replay attacks
+Return 200 status for successful processing
+Implement idempotency for duplicate handling
+
+### JWT Customization
+
+Custom Claims:
+
+Add custom claims to session tokens
+Include organization metadata
+Add user roles and permissions
+Configure claim templates in Dashboard
+
+JWT Templates:
+
+Create multiple JWT templates for different services
+Configure issuer and audience
+Set expiration times
+Add conditional claims based on user attributes
+
+### Integration Patterns
+
+Clerk with Database Providers:
+
+Clerk with Convex:
+- Use Clerk JWT verification in Convex functions
+- Sync user data via webhooks
+- Implement organization-based access control
+
+Clerk with Supabase:
+- Configure Clerk JWT in Supabase settings
+- Map Clerk claims to RLS policies
+- Use organization ID for multi-tenant isolation
+
+Clerk with Prisma:
+- Sync user ID from Clerk to database
+- Store additional user data with Clerk user ID as foreign key
+- Handle user lifecycle via webhooks
+
+Deployment Platforms:
+
+Vercel: Native integration with Edge Middleware
+Railway: Environment variable configuration
+Netlify: Serverless function integration
+AWS Lambda: SDK support for serverless
+
+### Security Best Practices
+
+Token Security:
+
+- Use short-lived access tokens
+- Enable automatic token refresh
+- Store tokens securely in httpOnly cookies
+- Validate tokens on backend for all requests
+
+Rate Limiting:
+
+- Clerk implements built-in rate limiting
+- Configure custom limits per organization
+- Monitor authentication attempts
+- Alert on suspicious patterns
+
+Multi-Factor Authentication:
+
+Enable MFA in Dashboard settings
+Support authenticator apps (TOTP)
+Backup codes for account recovery
+SMS as secondary verification option
+
+Account Protection:
+
+- Enable device verification for new logins
+- Configure suspicious activity detection
+- Implement session activity monitoring
+- Provide users with security notifications
+
+---
+
+## Resources
+
+Context7 Documentation Access:
+
+Library Resolution: Use resolve-library-id with "clerk"
+Documentation Fetch: Use get-library-docs with resolved ID
+
+API Documentation:
+
+Backend API: https://clerk.com/docs/reference/backend-api
+Frontend SDK: https://clerk.com/docs/references/react/overview
+Next.js SDK: https://clerk.com/docs/references/nextjs/overview
+Webhooks: https://clerk.com/docs/integrations/webhooks
+
+Works Well With:
+
+- moai-platform-auth0: Alternative enterprise SSO solution
+- moai-platform-supabase: Supabase authentication integration
+- moai-platform-vercel: Vercel deployment with Clerk
+- moai-platform-firebase-auth: Firebase authentication comparison
+- moai-lang-typescript: TypeScript development patterns
+- moai-domain-frontend: React and Next.js integration
+- moai-quality-security: Security validation and OWASP compliance
+
+---
+
+Status: Production Ready
+Generated with: MoAI-ADK Skill Factory v1.0
+Last Updated: 2025-12-07
+Provider Coverage: Clerk Authentication Platform