azaion/detections
1
0
Fork 0
mirror of https://github.com/azaion/detections.git synced 2026-04-23 05:56:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enhance security auditing capabilities by introducing a comprehensive 5-phase OWASP-based security audit process, including dependency scanning, static analysis, and a consolidated report with severity-ranked findings. Update autopilot workflows to incorporate an optional security audit step before deployment, and refine documentation across related skills for clarity and usability.

Browse Source
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-03-22 18:03:47 +02:00
parent 3165a88f0b
commit 091d9a8fb0
13 changed files with 482 additions and 1976 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.cursor/skills/autopilot/SKILL.md
+3 -2
View File
@@ -111,13 +111,14 @@ This skill activates when the user wants to:
│ GREENFIELD FLOW (flows/greenfield.md): │
│ Step 0 Problem → Step 1 Research → Step 2 Plan │
│ → Step 3 Decompose → [SESSION] → Step 4 Implement │
│ → Step 5 Run Tests → Step 6 Deploy → DONE
│ → Step 5 Run Tests → 5b Security (opt) → Step 6 Deploy
│ → DONE │
│ │
│ EXISTING CODE FLOW (flows/existing-code.md): │
│ Pre-Step Document → 2b Test Spec → 2c Decompose Tests │
│ → [SESSION] → 2d Implement Tests → 2e Refactor │
│ → 2f New Task → [SESSION] → 2g Implement │
│ → 2h Run Tests → 2i Deploy → DONE
│ → 2h Run Tests → 2hb Security (opt) → 2i Deploy → DONE
│ │
│ STATE: _docs/_autopilot_state.md (see state.md) │
│ PROTOCOLS: choice format, Jira auth, errors (see protocols.md) │
.cursor/skills/autopilot/flows/existing-code.md
+26 -3
View File
@@ -14,6 +14,7 @@ Workflow for projects with an existing codebase. Starts with documentation, prod
| 2f | New Task | new-task/SKILL.md | Steps 18 (loop) |
| 2g | Implement | implement/SKILL.md | (batch-driven, no fixed sub-steps) |
| 2h | Run Tests | (autopilot-managed) | Unit tests → Integration/blackbox tests |
| 2hb | Security Audit | security/SKILL.md | Phase 15 (optional) |
| 2i | Deploy | deploy/SKILL.md | Steps 17 |
After Step 2i, the existing-code workflow is complete.
@@ -119,7 +120,7 @@ Action: Run the full test suite to verify the implementation before deployment.
2. **Integration / blackbox tests**: if `docker-compose.test.yml` or an equivalent test environment exists, spin it up and run the integration test suite
3. **Report results**: present a summary of passed/failed/skipped tests
If all tests pass → auto-chain to Step 2i (Deploy).
If all tests pass → auto-chain to Step 2hb (Security Audit).
If tests fail → present using Choose format:
@@ -137,8 +138,29 @@ If tests fail → present using Choose format:
---
**Step 2hb — Security Audit (optional)**
Condition: the autopilot state shows Step 2h (Run Tests) is completed AND the autopilot state does NOT show Step 2hb (Security Audit) as completed or skipped AND (`_docs/04_deploy/` does not exist or is incomplete)
Action: Present using Choose format:
```
══════════════════════════════════════
DECISION REQUIRED: Run security audit before deploy?
══════════════════════════════════════
A) Run security audit (recommended for production deployments)
B) Skip — proceed directly to deploy
══════════════════════════════════════
Recommendation: A — catches vulnerabilities before production
══════════════════════════════════════
```
- If user picks A → Read and execute `.cursor/skills/security/SKILL.md`. After completion, auto-chain to Step 2i (Deploy).
- If user picks B → Mark Step 2hb as `skipped` in the state file, auto-chain to Step 2i (Deploy).
---
**Step 2i — Deploy**
Condition: the autopilot state shows Step 2h (Run Tests) is completed AND (`_docs/04_deploy/` does not exist or is incomplete)
Condition: the autopilot state shows Step 2h (Run Tests) is completed AND (Step 2hb is completed or skipped) AND (`_docs/04_deploy/` does not exist or is incomplete)
Action: Read and execute `.cursor/skills/deploy/SKILL.md`
@@ -177,5 +199,6 @@ Action: The project completed a full cycle. Present status and loop back to New
| Refactor (Step 2e) | Auto-chain → New Task (Step 2f) |
| New Task (Step 2f) | **Session boundary** — suggest new conversation before Implement |
| Implement (Step 2g) | Auto-chain → Run Tests (Step 2h) |
| Run Tests (Step 2h, all pass) | Auto-chain → Deploy (Step 2i) |
| Run Tests (Step 2h, all pass) | Auto-chain → Security Audit choice (Step 2hb) |
| Security Audit (Step 2hb, done or skipped) | Auto-chain → Deploy (Step 2i) |
| Deploy (Step 2i) | **Workflow complete** — existing-code flow done |
.cursor/skills/autopilot/flows/greenfield.md
+29 -6
View File
@@ -1,6 +1,6 @@
# Greenfield Workflow
Workflow for new projects built from scratch. Flows linearly: Problem → Research → Plan → Decompose → Implement → Run Tests → Deploy.
Workflow for new projects built from scratch. Flows linearly: Problem → Research → Plan → Decompose → Implement → Run Tests → Security Audit (optional) → Deploy.
## Step Reference Table
@@ -8,10 +8,11 @@ Workflow for new projects built from scratch. Flows linearly: Problem → Resear
|------|-----------|------------------------|---------------------------------------|
| 0 | Problem | problem/SKILL.md | Phase 14 |
| 1 | Research | research/SKILL.md | Mode A: Phase 14 · Mode B: Step 08 |
| 2 | Plan | plan/SKILL.md | Step 16 |
| 2 | Plan | plan/SKILL.md | Step 16 + Final |
| 3 | Decompose | decompose/SKILL.md | Step 14 |
| 4 | Implement | implement/SKILL.md | (batch-driven, no fixed sub-steps) |
| 5 | Run Tests | (autopilot-managed) | Unit tests → Integration/blackbox tests |
| 5b | Security Audit | security/SKILL.md | Phase 15 (optional) |
| 6 | Deploy | deploy/SKILL.md | Step 17 |
## Detection Rules
@@ -76,7 +77,7 @@ If `_docs/02_document/` exists but is incomplete (has some artifacts but no `FIN
---
**Step 3 — Decompose**
Condition: `_docs/02_document/` contains `architecture.md` AND `_docs/02_document/components/` has at least one component AND `_docs/02_tasks/` does not exist or has no task files (excluding `_dependencies_table.md`) AND (workspace has no source code files OR the user explicitly chose normal workflow in Step 2c)
Condition: `_docs/02_document/` contains `architecture.md` AND `_docs/02_document/components/` has at least one component AND `_docs/02_tasks/` does not exist or has no task files (excluding `_dependencies_table.md`)
Action: Read and execute `.cursor/skills/decompose/SKILL.md`
@@ -102,7 +103,7 @@ Action: Run the full test suite to verify the implementation before deployment.
2. **Integration / blackbox tests**: if `docker-compose.test.yml` or an equivalent test environment exists, spin it up and run the integration test suite
3. **Report results**: present a summary of passed/failed/skipped tests
If all tests pass → auto-chain to Step 6 (Deploy).
If all tests pass → auto-chain to Step 5b (Security Audit).
If tests fail → present using Choose format:
@@ -120,8 +121,29 @@ If tests fail → present using Choose format:
---
**Step 5b — Security Audit (optional)**
Condition: the autopilot state shows Step 5 (Run Tests) is completed AND the autopilot state does NOT show Step 5b (Security Audit) as completed or skipped AND (`_docs/04_deploy/` does not exist or is incomplete)
Action: Present using Choose format:
```
══════════════════════════════════════
DECISION REQUIRED: Run security audit before deploy?
══════════════════════════════════════
A) Run security audit (recommended for production deployments)
B) Skip — proceed directly to deploy
══════════════════════════════════════
Recommendation: A — catches vulnerabilities before production
══════════════════════════════════════
```
- If user picks A → Read and execute `.cursor/skills/security/SKILL.md`. After completion, auto-chain to Step 6 (Deploy).
- If user picks B → Mark Step 5b as `skipped` in the state file, auto-chain to Step 6 (Deploy).
---
**Step 6 — Deploy**
Condition: the autopilot state shows Step 5 (Run Tests) is completed AND (`_docs/04_deploy/` does not exist or is incomplete)
Condition: the autopilot state shows Step 5 (Run Tests) is completed AND (Step 5b is completed or skipped) AND (`_docs/04_deploy/` does not exist or is incomplete)
Action: Read and execute `.cursor/skills/deploy/SKILL.md`
@@ -142,5 +164,6 @@ Action: Report project completion with summary. If the user runs autopilot again
| Plan | Auto-chain → Decompose |
| Decompose | **Session boundary** — suggest new conversation before Implement |
| Implement | Auto-chain → Run Tests (Step 5) |
| Run Tests (all pass) | Auto-chain → Deploy (Step 6) |
| Run Tests (all pass) | Auto-chain → Security Audit choice (Step 5b) |
| Security Audit (done or skipped) | Auto-chain → Deploy (Step 6) |
| Deploy | Report completion |
.cursor/skills/autopilot/protocols.md
+97
View File
@@ -106,6 +106,101 @@ All error situations that require user input MUST use the **Choose A / B / C / D
| User wants to go back to a previous step | Use Choose format: A) re-run (with overwrite warning), B) stay on current step |
| User asks "where am I?" without wanting to continue | Show Status Summary only, do not start execution |
## Error Recovery Protocol
### Stuck Detection
When executing a sub-skill, monitor for these signals:
- Same artifact overwritten 3+ times without meaningful change
- Sub-skill repeatedly asks the same question after receiving an answer
- No new artifacts saved for an extended period despite active execution
### Recovery Actions (ordered)
1. **Re-read state**: read `_docs/_autopilot_state.md` and cross-check against `_docs/` folders
2. **Retry current sub-step**: re-read the sub-skill's SKILL.md and restart from the current sub-step
3. **Escalate**: after 2 failed retries, present diagnostic summary to user using Choose format:
```
══════════════════════════════════════
RECOVERY: [skill name] stuck at [sub-step]
══════════════════════════════════════
A) Retry with fresh context (new conversation)
B) Skip this sub-step with warning
C) Abort and fix manually
══════════════════════════════════════
Recommendation: A — fresh context often resolves stuck loops
══════════════════════════════════════
```
### Circuit Breaker
If the same autopilot step fails 3 consecutive times across conversations:
- Record the failure pattern in the state file's `Blockers` section
- Do NOT auto-retry on next invocation
- Present the blocker and ask user for guidance before attempting again
## Context Management Protocol
### Principle
Disk is memory. Never rely on in-context accumulation — read from `_docs/` artifacts, not from conversation history.
### Minimal Re-Read Set Per Skill
When re-entering a skill (new conversation or context refresh):
- Always read: `_docs/_autopilot_state.md`
- Always read: the active skill's `SKILL.md`
- Conditionally read: only the `_docs/` artifacts the current sub-step requires (listed in each skill's Context Resolution section)
- Never bulk-read: do not load all `_docs/` files at once
### Mid-Skill Interruption
If context is filling up during a long skill (e.g., document, implement):
1. Save current sub-step progress to the skill's artifact directory
2. Update `_docs/_autopilot_state.md` with exact sub-step position
3. Suggest a new conversation: "Context is getting long — recommend continuing in a fresh conversation for better results"
4. On re-entry, the skill's resumability protocol picks up from the saved sub-step
### Large Artifact Handling
When a skill needs to read large files (e.g., full solution.md, architecture.md):
- Read only the sections relevant to the current sub-step
- Use search tools (Grep, SemanticSearch) to find specific sections rather than reading entire files
- Summarize key decisions from prior steps in the state file so they don't need to be re-read
## Rollback Protocol
### Implementation Steps (git-based)
Handled by `/implement` skill — each batch commit is a rollback checkpoint via `git revert`.
### Planning/Documentation Steps (artifact-based)
For steps that produce `_docs/` artifacts (problem, research, plan, decompose, document):
1. **Before overwriting**: if re-running a step that already has artifacts, the sub-skill's prerequisite check asks the user (resume/overwrite/skip)
2. **Rollback to previous step**: use Choose format:
```
══════════════════════════════════════
ROLLBACK: Re-run [step name]?
══════════════════════════════════════
A) Re-run the step (overwrites current artifacts)
B) Stay on current step
══════════════════════════════════════
Warning: This will overwrite files in _docs/[folder]/
══════════════════════════════════════
```
3. **Git safety net**: artifacts are committed with each autopilot step completion. To roll back: `git log --oneline _docs/` to find the commit, then `git checkout <commit> -- _docs/<folder>/`
4. **State file rollback**: when rolling back artifacts, also update `_docs/_autopilot_state.md` to reflect the rolled-back step (set it to `in_progress`, clear completed date)
## Status Summary
On every invocation, before executing any skill, present a status summary built from the state file (with folder scan fallback). Use the template matching the active flow (see Flow Resolution in SKILL.md).
@@ -122,6 +217,7 @@ On every invocation, before executing any skill, present a status summary built
Step 3 Decompose [DONE (N tasks) / IN PROGRESS / NOT STARTED]
Step 4 Implement [DONE / IN PROGRESS (batch M of ~N) / NOT STARTED]
Step 5 Run Tests [DONE (N passed, M failed) / IN PROGRESS / NOT STARTED]
Step 5b Security Audit [DONE / SKIPPED / IN PROGRESS / NOT STARTED]
Step 6 Deploy [DONE / IN PROGRESS / NOT STARTED]
═══════════════════════════════════════════════════
Current: Step N — Name
@@ -144,6 +240,7 @@ On every invocation, before executing any skill, present a status summary built
Step 2f New Task [DONE (N tasks) / IN PROGRESS / NOT STARTED]
Step 2g Implement [DONE / IN PROGRESS (batch M of ~N) / NOT STARTED]
Step 2h Run Tests [DONE (N passed, M failed) / IN PROGRESS / NOT STARTED]
Step 2hb Security Audit [DONE / SKIPPED / IN PROGRESS / NOT STARTED]
Step 2i Deploy [DONE / IN PROGRESS / NOT STARTED]
═══════════════════════════════════════════════════
Current: Step N — Name
.cursor/skills/autopilot/state.md
+4 -4
View File
@@ -10,16 +10,16 @@ The autopilot persists its state to `_docs/_autopilot_state.md`. This file is th
# Autopilot State
## Current Step
step: [0-6 or "2b" / "2c" / "2d" / "2e" / "2f" / "2g" / "2h" / "2i" or "done"]
name: [Problem / Research / Plan / Blackbox Test Spec / Decompose Tests / Implement Tests / Refactor / New Task / Implement / Run Tests / Deploy / Decompose / Done]
status: [not_started / in_progress / completed]
step: [0-6 or "2b" / "2c" / "2d" / "2e" / "2f" / "2g" / "2h" / "2hb" / "2i" or "5b" or "done"]
name: [Problem / Research / Plan / Blackbox Test Spec / Decompose Tests / Implement Tests / Refactor / New Task / Implement / Run Tests / Security Audit / Deploy / Decompose / Done]
status: [not_started / in_progress / completed / skipped]
sub_step: [optional — sub-skill internal step number + name if interrupted mid-step]
## Step ↔ SubStep Reference
(include the step reference table from the active flow file)
When updating `Current Step`, always write it as:
step: N ← autopilot step (06 or 2b/2c/2d/2e/2f/2g/2h/2i)
step: N ← autopilot step (06 or 2b/2c/2d/2e/2f/2g/2h/2hb/2i or 5b)
sub_step: M ← sub-skill's own internal step/phase number + name
Example:
step: 2