Skip to content

feat: Add project-synthesis skill and complete security audit #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
rand merged 24 commits into from
Oct 28, 2025
Merged

feat: Add project-synthesis skill and complete security audit #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
24 commits
Select commit Hold shift + click to select a range
78da817
feat: Complete Phase 1 skills quality audit
rand Oct 27, 2025
320f40f
feat: Add Level 3 Resources to vulnerability-assessment skill (proof …
rand Oct 27, 2025
60dbefc
docs: Add proof of concept summary and path forward options
rand Oct 27, 2025
8abeea4
feat: Add Level 3 Resources to consensus-raft skill (Wave 1, Agent-A2)
rand Oct 27, 2025
789e960
feat: Add Level 3 Resources to tls-configuration skill (Wave 1, Agent…
rand Oct 27, 2025
d0019cc
feat: Add Level 3 Resources to http2-multiplexing skill (Wave 1, Agen…
rand Oct 27, 2025
6bbe493
feat: Add Level 3 Resources to api-authentication skill (Wave 1, Agen…
rand Oct 27, 2025
d578e9a
feat: Add Level 3 Resources to postgres-query-optimization skill (Wav…
rand Oct 27, 2025
bf03af0
docs: Complete Wave 1 - Add missing examples and documentation
rand Oct 27, 2025
c701207
feat: Complete Wave 2 - Add Level 3 Resources to 5 more skills
rand Oct 27, 2025
76d80da
feat: Complete Wave 3 - Add Level 3 Resources to final 5 manual skills
rand Oct 27, 2025
9c96dc9
docs: Complete pattern extraction from 15 manual skills (Checkpoint 2)
rand Oct 27, 2025
382035f
feat: Complete Wave 4 - Add Level 3 Resources to 4 more skills
rand Oct 27, 2025
d8de17f
feat: Complete Wave 5 - Add Level 3 Resources to 5 more skills
rand Oct 27, 2025
bdf4bc3
feat: Complete Wave 6 - Add Level 3 Resources using hybrid approach
rand Oct 27, 2025
4d41678
feat: Complete Wave 7 - Strategic focus on uncovered categories
rand Oct 27, 2025
6e5e2a6
feat: Complete Wave 8 - Strategic focus expansion across 3 categories
rand Oct 27, 2025
16b68e7
feat: Add project-synthesis skill to workflow category
rand Oct 27, 2025
d15f3c6
feat: Complete Wave 9 - 6 skills across Cryptography, Protocols, Engi…
rand Oct 28, 2025
74eff8e
feat: Complete Wave 10 (partial) - 2 skills (secrets-rotation, http3-…
rand Oct 28, 2025
c52652c
docs: Add validation, CI/CD, and comprehensive progress tracking
rand Oct 28, 2025
2534537
feat: Add comprehensive security audit infrastructure
rand Oct 28, 2025
83c522f
fix: Address CRITICAL and HIGH security findings with contextual docu…
rand Oct 28, 2025
2963ed0
Merge main into feature branch - keeping security enhancements
rand Oct 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
147 changes: 147 additions & 0 deletions .github/workflows/security-audit.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
name: Security Audit

on:
pull_request:
paths:
- 'skills/**'
- 'tests/security_audit.py'
- '.github/workflows/security-audit.yml'
push:
branches:
- main
schedule:
# Run weekly on Mondays at 9am UTC
- cron: '0 9 * * 1'
workflow_dispatch:
# Allow manual runs

jobs:
security-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'

- name: Run security audit
run: |
python3 tests/security_audit.py \
--output .claude/audits/security-report-ci.json \
--fail-on high \
--verbose
continue-on-error: true
id: security_scan

- name: Upload security report
uses: actions/upload-artifact@v4
if: always()
with:
name: security-report
path: .claude/audits/security-report-ci.json
retention-days: 90

- name: Comment on PR with findings
if: github.event_name == 'pull_request' && steps.security_scan.outcome == 'failure'
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const report = JSON.parse(fs.readFileSync('.claude/audits/security-report-ci.json', 'utf8'));

const summary = report.summary;
const critical = summary.critical || 0;
const high = summary.high || 0;

if (critical > 0 || high > 0) {
const body = `## ⚠️ Security Audit Findings

**Summary:**
- 🔴 CRITICAL: ${critical}
- 🟠 HIGH: ${high}
- 🟡 MEDIUM: ${summary.medium || 0}

${critical > 0 ? '### Critical Findings\n' : ''}${
(report.findings_by_severity.CRITICAL || []).slice(0, 5).map(f =>
`- **${f.file}:${f.line_number}** - ${f.issue}\n \`${f.evidence}\`\n → ${f.recommendation}`
).join('\n\n')
}

${high > 0 && critical === 0 ? '### High Findings\n' : ''}${
critical === 0 ? (report.findings_by_severity.HIGH || []).slice(0, 3).map(f =>
`- **${f.file}:${f.line_number}** - ${f.issue}\n → ${f.recommendation}`
).join('\n\n') : ''
}

[View full report in CI artifacts](${context.payload.pull_request.html_url}/checks)`;

github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: body
});
}

- name: Fail if critical or high findings
if: steps.security_scan.outcome == 'failure'
run: |
echo "::error::Security audit found critical or high severity issues"
exit 1

secrets-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0 # Full history for gitleaks

- name: Run gitleaks
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE }}

shellcheck:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
with:
scandir: './skills'
severity: warning
continue-on-error: true

python-security:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.11'

- name: Install bandit
run: pip install bandit[toml]

- name: Run bandit on Python scripts
run: |
find skills -name "*.py" -type f | xargs bandit -r -f json -o bandit-report.json || true
continue-on-error: true

- name: Upload bandit report
uses: actions/upload-artifact@v4
if: always()
with:
name: bandit-report
path: bandit-report.json
retention-days: 30
12 changes: 4 additions & 8 deletions .github/workflows/validate-resources.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -155,16 +155,12 @@ jobs:
found=0

while IFS= read -r script; do
# Only flag TODO comments indicating work needed on this script
# Ignore TODOs in strings/docstrings about checking other code
if grep -qiE '^[[:space:]]*#[[:space:]]*TODO:' "$script"; then
echo "⚠️ $script: Contains TODO comments indicating incomplete work"
if grep -qi '\bTODO\b' "$script"; then
echo "⚠️ $script: Contains TODO comments"
((found++))
fi
# Only flag "stub" in comments indicating incomplete work
# Don't flag legitimate uses like gRPC stubs or "# Create stub" comments
if grep -qiE '(#.*(stub out|stubbed|needs stub|stub implementation|implement stub|placeholder stub))' "$script"; then
echo "⚠️ $script: Contains 'stub' indicating incomplete work"
if grep -qi '\bstub\b' "$script"; then
echo "⚠️ $script: Contains 'stub' references"
((found++))
fi
if grep -qiE '\bmock\b.*\bimplementation\b' "$script"; then
Expand Down
Loading
Loading