moai-adk 0.35.1__py3-none-any.whl

moai_adk/templates/.claude/skills/moai-security-auth0/modules/tenant-access-control.md

@@ -0,0 +1,180 @@
+# Tenant Access Control List
+
+Module: moai-security-auth0/modules/tenant-access-control.md
+Version: 1.0.0
+Last Updated: 2025-12-24
+
+---
+
+## Overview
+
+Tenant Access Control List (ACL) is an Auth0 security feature that allows you to manage traffic to Auth0 services with configurable rules. It helps protect tenants against DoS attacks and rate limit abuse while ensuring legitimate user access.
+
+---
+
+## Core Components
+
+### Rules Structure
+
+Each rule consists of five key elements:
+
+Signal: The identifying request information used to evaluate the rule. Available signals include IP address, geolocation, and user agent.
+
+Condition: Operator and value combinations that determine when the rule matches. For example, matching specific IP addresses or CIDR ranges.
+
+Action: The directive executed when criteria are met. Available actions include allow, block, and redirect.
+
+Scope: Defines where the rule applies. Options include Authentication API, Management API, or the entire tenant.
+
+Priority: Numerical value determining execution order. Smaller numbers execute first.
+
+### Rule Evaluation Logic
+
+Rules execute in numerical priority order - rule 1 evaluates before rule 2, and so on. Once a rule's conditions match, Tenant ACL performs the rule's action immediately and does not evaluate subsequent rules.
+
+Monitoring Mode Exception: Testing rules without impact is possible through monitoring mode, which logs events without executing actions or blocking subsequent rule evaluation.
+
+---
+
+## Configuration Steps
+
+### Step 1: Access Tenant ACL Settings
+
+Navigate to Auth0 Dashboard, then select Security, then Tenant ACL.
+
+### Step 2: Create Access Control Rule
+
+Click Create Rule to add a new access control entry.
+
+### Step 3: Configure Rule Parameters
+
+Define the signal type (IP address, geolocation, or user agent).
+
+Set the condition operator and value.
+
+Select the action (allow, block, redirect).
+
+Choose the scope (Authentication API, Management API, or tenant-wide).
+
+Assign priority number for execution order.
+
+### Step 4: Enable Rule
+
+Activate the rule or enable monitoring mode for testing first.
+
+### Step 5: Monitor Rule Effectiveness
+
+Review log events to verify rule behavior and adjust as needed.
+
+---
+
+## Implementation Patterns
+
+### IP-Based Access Control
+
+Create rules to allow or block specific IP addresses or CIDR ranges. Use this pattern for:
+
+- Allowing access from known corporate networks
+- Blocking known malicious IP addresses
+- Restricting access to specific geographic regions
+
+### Geographic Restrictions
+
+Configure geolocation-based rules to restrict access by country or region. Consider compliance requirements and legitimate user locations when implementing geographic restrictions.
+
+### User Agent Filtering
+
+Filter requests based on user agent strings to block automated tools or suspicious clients. Note that user agent identifier is not supported with custom domains.
+
+### Priority Management
+
+Careful assignment of priorities allows you to create granular access control policies tailored to your specific needs. Use lower priority numbers for more specific rules and higher numbers for general rules.
+
+---
+
+## Logging and Monitoring
+
+### Log Events
+
+Log events (acls_summary) generate every 10 minutes per rule, tracking:
+
+- Rule ID and description
+- Priority level
+- Match success count
+- Total request evaluations
+- Time period coverage
+
+### Monitoring Best Practices
+
+Enable monitoring mode for new rules before activating them.
+
+Review log events regularly to identify patterns and adjust rules.
+
+Set up alerts for unusual activity patterns.
+
+Document rule changes and their intended purposes.
+
+---
+
+## Service Limitations
+
+### Plan-Based Restrictions
+
+Enterprise plan: 1 Tenant ACL
+
+Enterprise with Attack Protection add-on: Up to 10 ACLs
+
+Maximum 10 entries per source identifier (IPv4, CIDR, etc.)
+
+User Agent identifier not supported with custom domains
+
+auth0-forwarded-for header not supported
+
+---
+
+## Best Practices
+
+### Rule Design
+
+Start with monitoring mode to understand traffic patterns.
+
+Use specific rules with lower priority numbers for critical access control.
+
+Implement fallback rules with higher priority numbers for general traffic.
+
+Document the purpose and expected behavior of each rule.
+
+### Security Considerations
+
+Regularly review and update rules based on threat intelligence.
+
+Test rule changes in monitoring mode before activating.
+
+Maintain an audit trail of rule modifications.
+
+Consider the impact on legitimate users when implementing restrictive rules.
+
+### Operational Guidelines
+
+Keep the number of rules manageable for easier maintenance.
+
+Use descriptive names and documentation for each rule.
+
+Establish a review schedule for access control policies.
+
+Coordinate rule changes with security and operations teams.
+
+---
+
+## Related Modules
+
+- attack-protection-overview.md: Complementary protection mechanisms
+- security-center.md: Monitoring and alerting integration
+- suspicious-ip-throttling.md: IP-based threat detection
+
+---
+
+## Resources
+
+Auth0 Documentation: Tenant Access Control List
+Context7 Library: /auth0/auth0-docs (topic: tenant-access-control)

moai_adk/templates/.claude/skills/moai-security-auth0/modules/webauthn-fido.md

@@ -0,0 +1,235 @@
+# WebAuthn and FIDO Implementation
+
+WebAuthn provides phishing-resistant authentication using security keys and device biometrics through the FIDO2 standard.
+
+## Overview
+
+WebAuthn (Web Authentication) is a W3C standard for passwordless and multi-factor authentication. Combined with FIDO2 (CTAP2), it enables secure, phishing-resistant authentication using cryptographic credentials.
+
+## Authentication Types
+
+### Security Keys
+
+Physical devices providing hardware-backed authentication.
+
+Types of Security Keys:
+- USB keys (plug into computer)
+- NFC keys (tap on device)
+- Bluetooth keys (wireless connection)
+- Hybrid (multiple connection types)
+
+Popular Security Key Vendors:
+- Yubico (YubiKey series)
+- Google (Titan Security Key)
+- Feitian
+- SoloKeys
+- Nitrokey
+
+### Device Biometrics
+
+Platform authenticators built into devices.
+
+Supported Platforms:
+- Face ID (iOS devices)
+- Touch ID (Apple devices)
+- Windows Hello (Windows 10/11)
+- Android Fingerprint/Face
+- Chrome profile with biometrics
+
+## User Verification
+
+WebAuthn supports different verification levels.
+
+Without User Verification:
+- Presence check only (touch the key)
+- Faster authentication
+- Lower security assurance
+
+With User Verification:
+- Requires PIN, biometric, or passcode
+- Proves both possession and identity
+- Stronger security assurance
+
+Configuring PIN for Security Keys:
+- Enable user verification requirement in Auth0
+- User sets PIN during first use
+- PIN stored only on security key
+
+## Benefits
+
+Phishing Resistance:
+- Credentials bound to specific domain
+- Cannot be tricked into authenticating to fake site
+- Origin validation built into protocol
+
+No Shared Secrets:
+- Private key never leaves device
+- Only public key stored on server
+- No credential database to breach
+
+Multi-Factor in Single Step:
+- Combines possession (device) with user verification
+- Achieves MFA without separate steps
+- Improved user experience
+
+Passwordless Potential:
+- Can replace passwords entirely
+- First-factor authentication support
+- Future-ready authentication
+
+## Configuration in Auth0
+
+### Enabling WebAuthn
+
+1. Navigate to Dashboard > Security > Multi-factor Auth
+2. Enable WebAuthn with Security Keys for hardware keys
+3. Enable WebAuthn with Device Biometrics for platform authenticators
+
+### User Verification Settings
+
+Configure verification requirements:
+- Discouraged: No user verification
+- Preferred: User verification if available
+- Required: User verification mandatory
+
+Recommendation: Use Required for high-security applications.
+
+### Attestation Settings
+
+Attestation provides device metadata:
+- None: No attestation requested
+- Indirect: Anonymized attestation
+- Direct: Full device attestation
+
+Enterprise Considerations:
+- Direct attestation for device policy enforcement
+- Validate specific device types
+- Requires attestation certificate management
+
+## Enrollment Flow
+
+### Security Key Enrollment
+
+User Steps:
+1. Initiate enrollment in MFA settings
+2. Browser prompts for security key
+3. Insert or tap security key
+4. Enter PIN if required
+5. Complete biometric if supported
+6. Enrollment confirmed
+
+### Device Biometrics Enrollment
+
+User Steps:
+1. Initiate enrollment in MFA settings
+2. Browser prompts for biometric
+3. Perform Face ID, Touch ID, or Windows Hello
+4. Enrollment confirmed
+
+Note: Device biometrics requires independent factor enrolled first.
+
+## Authentication Flow
+
+User Steps:
+1. Enter username/password (or passwordless)
+2. Prompted for WebAuthn authentication
+3. Insert security key or use biometric
+4. Complete user verification if required
+5. Authentication successful
+
+Behind the Scenes:
+1. Server sends challenge
+2. Authenticator signs challenge with private key
+3. Browser sends assertion to server
+4. Server validates signature with stored public key
+
+## Cross-Device Authentication
+
+Hybrid Transport (FIDO2.1):
+- Use phone as authenticator for computer login
+- QR code or Bluetooth connection
+- Supports roaming between devices
+
+Passkeys:
+- Syncable WebAuthn credentials
+- Available across user's devices
+- iCloud Keychain, Google Password Manager support
+
+## Browser Support
+
+Current Support:
+- Chrome (desktop and mobile)
+- Firefox
+- Safari
+- Edge
+- Opera
+
+Check webauthn.me for current browser compatibility.
+
+## Implementation Considerations
+
+Fallback Strategies:
+- Always provide alternative factor
+- Handle unsupported browsers gracefully
+- Clear messaging for users
+
+Account Recovery:
+- Recovery codes essential
+- Administrator reset capability
+- Clear recovery procedures
+
+Multiple Authenticators:
+- Allow enrolling multiple keys
+- Backup security key recommended
+- Mix of security key and biometric
+
+Enterprise Deployment:
+- Consider key provisioning
+- Establish replacement procedures
+- Train users on proper usage
+
+## Security Best Practices
+
+Enable User Verification:
+- Require PIN or biometric
+- Prevents unauthorized use of stolen key
+- Meets multi-factor requirement
+
+Require Attestation (Enterprise):
+- Validate device types
+- Enforce security key policy
+- Maintain approved device list
+
+Monitor Enrollments:
+- Track WebAuthn registrations
+- Alert on suspicious patterns
+- Regular enrollment audits
+
+Key Lifecycle Management:
+- User-initiated key removal
+- Admin key revocation
+- Regular key rotation encouragement
+
+## Troubleshooting
+
+Common Issues:
+
+Browser Not Prompting:
+- Check browser compatibility
+- Verify HTTPS connection
+- Review browser security settings
+
+Security Key Not Recognized:
+- Verify USB/NFC connection
+- Check key firmware version
+- Try different USB port
+
+Biometric Failure:
+- Re-enroll biometric on device
+- Check platform authenticator settings
+- Verify browser permissions
+
+PIN Errors:
+- Reset PIN on security key
+- Check PIN retry counter
+- Consider key replacement if locked