moai-adk 0.35.1__py3-none-any.whl

moai_adk/templates/.claude/skills/moai-security-auth0/modules/brute-force-protection.md

@@ -0,0 +1,189 @@
+# Brute Force Protection
+
+Auth0 Brute Force Protection safeguards tenants against attackers using repeated login attempts from a single IP address to compromise user accounts.
+
+## How It Works
+
+The system monitors failed login attempts per IP address targeting specific accounts. When the threshold is exceeded, it blocks the suspicious IP from further authentication attempts for that user and notifies the affected account holder.
+
+## Configuration
+
+### Dashboard Navigation
+
+Access: Dashboard > Security > Attack Protection > Brute-Force Protection
+
+### Threshold Settings
+
+Brute Force Threshold:
+- Default: 10 failed attempts
+- Configurable range: 1-100 attempts
+- Protection activates immediately after threshold is met
+
+Considerations for Threshold Selection:
+- Lower thresholds: More protection, more false positives
+- Higher thresholds: Fewer interruptions, less protection
+- Consider user patterns and password complexity requirements
+
+### IP AllowList
+
+Exempt trusted sources from brute force protection:
+- Individual IP addresses
+- CIDR range notation
+- Useful for office networks
+- Supports up to 100 entries
+
+### Response Options
+
+Block Brute-force Logins:
+- Blocks specific IP from logging in as targeted user
+- Does not affect other users from same IP
+- Does not affect targeted user from other IPs
+
+Account Lockout:
+- Blocks user account after consecutive failures from any IP
+- More aggressive protection
+- May impact legitimate users with forgotten passwords
+
+Send Notifications:
+- Email notification to affected user
+- Includes unblock link
+- Contains security guidance
+
+## Block Removal
+
+Automatic Removal Triggers:
+- 30 days pass since the last failed attempt
+- User changes password on all linked accounts
+- Administrator manually removes the block
+- User clicks unblock link in notification email
+
+Manual Removal by Administrator:
+1. Navigate to Dashboard > User Management > Users
+2. Find affected user
+3. Access user details
+4. Remove block status
+
+Password Change Requirements:
+- Must change password on all linked accounts
+- Partial password changes do not remove block
+- Applies to users with multiple identity connections
+
+## Special Considerations
+
+### Resource Owner Password Flow
+
+Applications using Resource Owner Password Grant must pass the user IP address for proper protection:
+
+Header: auth0-forwarded-for
+Value: Client IP address
+
+Without this header, all requests appear from application server IP, preventing accurate per-user-IP blocking.
+
+### Proxy Users
+
+Users behind shared proxies are more likely to trigger protection:
+- Corporate proxies share IP across many users
+- VPN services share IP across subscribers
+- Mobile carriers use NAT with shared IPs
+
+Mitigation:
+- Add proxy IPs to AllowList
+- Increase threshold for known proxy ranges
+- Consider alternative protection for proxy-heavy user bases
+
+### Multi-Account Users
+
+Users with multiple linked accounts (database + social):
+- Block applies to specific connection
+- Must change password on all connections to remove block
+- Consider user communication about linked accounts
+
+## Notification Details
+
+Email Content:
+- Security alert about blocked access
+- Explanation of protection mechanism
+- Unblock link (valid for limited time)
+- Guidance on password security
+
+Notification Frequency:
+- One notification per block event
+- Does not spam during ongoing attack
+- New notification if re-blocked
+
+## Integration with Other Features
+
+Combined with Bot Detection:
+- Bot detection triggers first (request level)
+- Brute force triggers on repeated failures
+- Layered protection approach
+
+Combined with Suspicious IP Throttling:
+- Suspicious IP applies across all accounts
+- Brute force applies per account per IP
+- Both can trigger on same IP
+
+Combined with Breached Password Detection:
+- Breached detection checks password content
+- Brute force checks attempt patterns
+- Complementary protection mechanisms
+
+## Monitoring and Metrics
+
+Tenant Log Events:
+- Failed login attempts
+- Block triggers
+- Unblock events
+- Notification deliveries
+
+Security Center Metrics:
+- Block counts over time
+- Top blocked IPs
+- Top targeted accounts
+- Geographic distribution
+
+## Best Practices
+
+Initial Configuration:
+1. Start with default threshold (10)
+2. Enable notifications
+3. Monitor false positive rate
+4. Adjust threshold based on data
+
+For Consumer Applications:
+- Higher threshold (15-20 attempts)
+- Enable notifications
+- Consider account lockout for sensitive accounts
+
+For Enterprise Applications:
+- Lower threshold (5-10 attempts)
+- Enable both IP blocking and account lockout
+- Integrate with enterprise identity providers
+
+For APIs:
+- Enable auth0-forwarded-for header
+- Lower threshold for machine credentials
+- Monitor for credential scanning patterns
+
+Ongoing Management:
+- Review blocked accounts regularly
+- Analyze attack patterns
+- Update AllowLists as needed
+- Communicate with affected users
+
+## Troubleshooting
+
+Legitimate Users Blocked:
+- Check if behind shared IP
+- Add IP to AllowList if appropriate
+- Provide unblock instructions
+
+Block Not Triggering:
+- Verify feature is enabled
+- Check if IP is in AllowList
+- Confirm threshold configuration
+
+Notifications Not Received:
+- Verify email configuration
+- Check spam folders
+- Confirm notification setting enabled

moai_adk/templates/.claude/skills/moai-security-auth0/modules/certifications.md

@@ -0,0 +1,282 @@
+# Security Certifications
+
+Auth0 maintains compliance with major security standards and industry certifications, providing assurance for enterprise and regulated industry deployments.
+
+## Security Standards
+
+### ISO 27001
+
+Information Security Management System (ISMS)
+
+Scope:
+- Comprehensive security management
+- Risk assessment and treatment
+- Security controls implementation
+- Continuous improvement
+
+Verification:
+- Annual independent audits
+- Certification renewal
+- Continuous compliance
+
+Benefits:
+- Internationally recognized
+- Systematic security approach
+- Risk-based framework
+
+### ISO 27017
+
+Cloud Security Controls
+
+Scope:
+- Cloud-specific security controls
+- Shared responsibility guidance
+- Cloud service provider requirements
+
+Additional to ISO 27001:
+- Cloud-specific extensions
+- Provider/customer responsibilities
+- Cloud security best practices
+
+### ISO 27018
+
+Protection of Personal Data in Cloud
+
+Scope:
+- Personal data protection
+- Privacy controls
+- Cloud processing requirements
+
+Focus Areas:
+- PII protection
+- Transparency
+- Customer control
+- Data handling
+
+### SOC 2 Type 2
+
+Service Organization Controls
+
+Trust Services Criteria:
+- Security
+- Availability
+- Processing Integrity
+- Confidentiality
+- Privacy
+
+Type 2 Significance:
+- Tests over extended period
+- Operating effectiveness verified
+- Not just point-in-time
+
+Audit Cycle: Annual
+
+Access: Report available to customers under NDA
+
+### CSA STAR
+
+Cloud Security Alliance Security Trust Assurance and Risk
+
+Features:
+- Cloud security assessment
+- Transparency registry
+- Industry-recognized
+
+Assessment Type:
+- Self-assessment (Level 1)
+- Third-party audit available
+
+Access: Publicly available self-assessment
+
+## Industry-Specific Certifications
+
+### FAPI (Financial-grade API)
+
+OpenID Foundation Certification
+
+Certified Profiles:
+- FAPI 1.0 Advanced OP
+- mTLS client authentication
+- Private Key JWT authentication
+
+Purpose:
+- Financial services security
+- Open banking compliance
+- High-security applications
+
+Requirements Met:
+- Strong authentication
+- Sender-constrained tokens
+- Secure authorization
+
+### HIPAA/HITECH
+
+Health Insurance Portability and Accountability Act
+
+Auth0 Role: Business Associate
+
+Features:
+- BAA available upon request
+- Technical safeguards implemented
+- Required controls in place
+
+Customer Requirements:
+- Execute BAA with Auth0
+- Implement required controls
+- Maintain compliance program
+
+### PCI DSS
+
+Payment Card Industry Data Security Standard
+
+Coverage:
+- Compliant deployment models
+- Security controls documented
+- Customer guidance available
+
+Customer Responsibility:
+- Follow Auth0 guidance
+- Implement required controls
+- Maintain own compliance
+
+## Regional Compliance
+
+### GDPR
+
+General Data Protection Regulation (EU)
+
+Status: GDPR ready
+
+Features:
+- Data processing documentation
+- User rights support
+- Data export capabilities
+- Deletion support
+
+Role: Data Processor (customer is Data Controller)
+
+### Privacy Regulations
+
+Various jurisdictions:
+- CCPA (California)
+- Regional privacy laws
+- Industry-specific requirements
+
+Support:
+- Privacy controls
+- Data handling documentation
+- Compliance features
+
+## Compliance Access
+
+### Auth0 Support Center
+
+Available Materials:
+- Certification certificates
+- Audit reports (under NDA)
+- Compliance documentation
+- Security questionnaires
+
+Access Requirements:
+- Customer account
+- Appropriate access level
+- NDA where required
+
+### Available Documents
+
+Upon Request:
+- SOC 2 Type 2 report
+- ISO certificates
+- Penetration test summary
+- Security questionnaire responses
+
+## Verification
+
+### Third-Party Audits
+
+Audit Providers:
+- Independent auditors
+- Recognized firms
+- Annual assessments
+
+Scope:
+- Controls testing
+- Compliance verification
+- Continuous monitoring
+
+### Certification Maintenance
+
+Continuous Compliance:
+- Ongoing control operation
+- Regular internal audits
+- Gap remediation
+- Certification renewal
+
+## Customer Benefits
+
+### Risk Reduction
+
+Using Certified Platform:
+- Proven security controls
+- Regular audits
+- Known security posture
+- Reduced assessment burden
+
+### Compliance Support
+
+For Customer Compliance:
+- Inherit platform compliance
+- Documented controls
+- Audit evidence
+- Compliance mapping
+
+### Due Diligence
+
+Vendor Assessment:
+- Certification evidence
+- Audit reports
+- Security documentation
+- Risk assessment support
+
+## Best Practices
+
+### Leveraging Certifications
+
+For Your Compliance:
+- Reference Auth0 certifications
+- Request relevant reports
+- Map to your requirements
+- Document in your assessments
+
+### Compliance Documentation
+
+Maintain Records:
+- Auth0 certification copies
+- Shared responsibility documentation
+- Configuration evidence
+- Compliance mapping
+
+### Regular Review
+
+Annual Activities:
+- Review Auth0 compliance status
+- Update certifications
+- Verify continued compliance
+- Update documentation
+
+## Requesting Documentation
+
+### Process
+
+1. Log in to Auth0 Support Center
+2. Navigate to compliance section
+3. Request specific documents
+4. Execute NDA if required
+5. Access documentation
+
+### Contact
+
+For specific compliance questions:
+- Auth0 Support
+- Account team
+- Security team

moai_adk/templates/.claude/skills/moai-security-auth0/modules/compliance-overview.md

@@ -0,0 +1,263 @@
+# Compliance Overview
+
+Auth0 maintains comprehensive compliance with major security standards and regulatory frameworks, providing organizations the foundation for building compliant identity solutions.
+
+## Security Standards
+
+### ISO 27001/27017/27018
+
+Scope: Information security management, cloud security, and privacy protection.
+
+Coverage:
+- ISO 27001: Information security management system (ISMS)
+- ISO 27017: Cloud-specific security controls
+- ISO 27018: Protection of personal data in cloud
+
+Verification:
+- Annual independent audits
+- Certificate renewal process
+- Continuous compliance monitoring
+
+### SOC 2 Type 2
+
+Scope: Service organization controls covering security, availability, processing integrity, confidentiality, and privacy.
+
+Coverage: All five Trust Services Criteria
+
+Type 2 Significance:
+- Tests operating effectiveness over time
+- Not just point-in-time assessment
+- Demonstrates sustained compliance
+
+Audit Cycle: Annual independent audits
+
+### CSA STAR
+
+Cloud Security Alliance Security Trust Assurance and Risk.
+
+Features:
+- Cloud-specific security assessment
+- Publicly available assessments
+- Industry-recognized framework
+
+Access: Self-assessment registry available publicly.
+
+### PCI DSS
+
+Payment Card Industry Data Security Standard.
+
+Coverage:
+- Compliant deployment models
+- Documentation available for customers
+- Supports payment processing requirements
+
+Customer Responsibility:
+- Must implement according to guidance
+- Shared responsibility model
+- Documentation of compliance measures
+
+## Industry-Specific Compliance
+
+### FAPI (Financial-grade API)
+
+Financial-grade API security profiles by OpenID Foundation.
+
+Certification:
+- FAPI 1 Advanced OP
+- mTLS client authentication
+- Private Key JWT authentication
+
+Features:
+- Robust authentication requirements
+- Enhanced authorization security
+- Financial sector specifications
+
+### HIPAA/HITECH
+
+Health Insurance Portability and Accountability Act.
+
+Auth0 Role: Functions as Business Associate
+
+Features:
+- Business Associate Agreements available
+- Upon request from customers
+- Technical safeguards implemented
+
+Customer Responsibility:
+- Implement required controls
+- Execute BAA with Auth0
+- Maintain compliance documentation
+
+### PSD2 (Payment Services Directive 2)
+
+European payment services regulation.
+
+Supported Features:
+- Strong Customer Authentication (SCA)
+- Dynamic Linking for transactions
+- Enhanced authentication requirements
+
+## Data Protection
+
+### GDPR
+
+General Data Protection Regulation (EU).
+
+Auth0 Status: GDPR ready
+
+Role Distribution:
+- Customer: Data Controller
+- Auth0: Data Processor
+
+Key Features:
+- Data processing documentation
+- User rights support
+- Breach notification procedures
+
+Customer Obligations:
+- Define data processing purposes
+- Manage user consent
+- Handle user rights requests
+
+### Data Handling
+
+Auth0 Documentation:
+- What data is stored
+- How data is used
+- Retention policies
+- Processing activities
+
+Data Location:
+- Configurable region selection
+- Data residency options
+- Multi-region deployment
+
+## Compliance Documentation Access
+
+### Auth0 Support Center
+
+Access compliance materials:
+- Certificates
+- Attestations
+- Compliance reports
+
+Requirements:
+- Appropriate access level
+- NDA where required
+- Customer account
+
+### Available Documents
+
+Upon Request:
+- SOC 2 Type 2 report
+- ISO certificates
+- Penetration test summaries
+- PCI attestation
+
+## Customer Responsibilities
+
+### Shared Responsibility Model
+
+Auth0 Responsibilities:
+- Platform security
+- Infrastructure compliance
+- Security controls
+- Compliance certifications
+
+Customer Responsibilities:
+- Application security
+- Data classification
+- Access management
+- Compliance configuration
+
+### Implementation Requirements
+
+For Full Compliance:
+- Configure Auth0 per compliance requirements
+- Implement required security controls
+- Document compliance measures
+- Regular compliance review
+
+## Compliance Features
+
+### Security Controls
+
+Available Features:
+- Multi-factor authentication
+- Encryption at rest and in transit
+- Access logging
+- Session management
+
+Configuration:
+- Enable required features
+- Configure appropriate settings
+- Monitor compliance status
+
+### Audit Logging
+
+Log Features:
+- User activities
+- Administrative actions
+- Authentication events
+- Security events
+
+Log Management:
+- Export capabilities
+- Retention configuration
+- SIEM integration
+
+### Data Protection
+
+Features:
+- Encryption
+- Access controls
+- Data minimization
+- Retention management
+
+## Best Practices
+
+### Compliance Assessment
+
+Before Implementation:
+1. Identify applicable regulations
+2. Review Auth0 compliance coverage
+3. Identify gaps and requirements
+4. Plan implementation
+
+### Configuration
+
+During Implementation:
+1. Enable required security features
+2. Configure compliance settings
+3. Implement audit logging
+4. Test compliance controls
+
+### Ongoing Compliance
+
+Post-Implementation:
+1. Regular compliance review
+2. Monitor for changes
+3. Update configurations
+4. Maintain documentation
+
+### Documentation
+
+Maintain Records:
+- Configuration decisions
+- Compliance mappings
+- Risk assessments
+- Audit evidence
+
+## Regulatory Updates
+
+### Staying Current
+
+Auth0 Resources:
+- Compliance documentation updates
+- Feature announcements
+- Security bulletins
+
+Customer Actions:
+- Monitor regulatory changes
+- Update configurations as needed
+- Review compliance periodically