Feat/cursor semgrep after file edit autofix

.agents/skills/code-security/README.md

@@ -0,0 +1,113 @@
+# Code Security Skill
+
+Comprehensive security guidelines for writing secure code across 15+ languages, covering OWASP Top 10, infrastructure security, and coding best practices.
+
+## Categories (28 Total)
+
+### Critical Impact
+- SQL Injection, Command Injection, XSS, XXE, Path Traversal
+- Insecure Deserialization, Code Injection, Hardcoded Secrets, Memory Safety
+
+### High Impact
+- Insecure Crypto, Insecure Transport, SSRF, JWT Auth, CSRF
+- Prototype Pollution, Unsafe Functions
+- Terraform (AWS/Azure/GCP), Kubernetes, Docker, GitHub Actions
+
+### Medium/Low Impact
+- Regex DoS, Race Conditions, Code Correctness
+- Best Practices, Performance, Maintainability
+
+## Structure
+
+```
+code-security/
+├── SKILL.md           # Skill definition (loaded by agents)
+├── rules/             # Security rule files
+│   ├── _sections.md   # Index of all categories
+│   ├── _template.md   # Template for new rules
+│   ├── sql-injection.md
+│   ├── xss.md
+│   └── ...            # 28 rule files total
+├── metadata.json      # Skill metadata
+└── README.md          # This file
+```
+
+## Usage
+
+### For End Users
+
+Install the skill:
+```bash
+npx skills add semgrep/skills
+```
+
+The agent will automatically reference these guidelines when writing or reviewing code.
+
+### For Contributors
+
+From the repo root:
+```bash
+make validate    # Validate all rule files
+make build       # Build the skill
+make zip         # Create distribution package
+make             # All of the above
+```
+
+Or from the build package:
+```bash
+cd packages/skill-build
+pnpm install
+pnpm validate code-security    # Validate rule files
+pnpm build-agents code-security  # Build AGENTS.md
+```
+
+## Creating a New Rule
+
+1. Copy `rules/_template.md` to `rules/{category}.md`
+2. Follow this structure:
+
+````markdown
+---
+title: Rule Title
+impact: HIGH
+tags: security, category-name
+---
+
+## Rule Title
+
+Brief explanation of the vulnerability.
+
+**Incorrect (description):**
+
+```python
+# Vulnerable code
+```
+
+**Correct (description):**
+
+```python
+# Secure code
+```
+````
+
+3. Run `make validate` to check formatting
+4. Run `make` to rebuild everything
+
+## Impact Levels
+
+| Level | Description |
+|-------|-------------|
+| CRITICAL | Remote code execution, data breach |
+| HIGH | Significant security risk |
+| MEDIUM | Moderate risk, defense in depth |
+| LOW | Best practices, code quality |
+
+## Languages Supported
+
+Python, JavaScript/TypeScript, Java, Go, Ruby, PHP, C/C++, C#, Scala, Kotlin, Rust, HCL (Terraform), YAML (Kubernetes/Docker)
+
+## Acknowledgments
+
+Created by [@DrewDennison](https://x.com/drewdennison) at [Semgrep](https://semgrep.dev).
+
+Rules derived from [Semgrep Registry](https://semgrep.dev/r) with 2000+ security patterns.

.agents/skills/code-security/SKILL.md

@@ -0,0 +1,62 @@
+---
+name: code-security
+description: Security guidelines for writing secure code. Use when writing code, reviewing code for vulnerabilities, or asking about secure coding practices like "check for SQL injection" or "review security".
+---
+
+# Code Security Guidelines
+
+Comprehensive security rules for writing secure code across multiple languages and frameworks. Covers OWASP Top 10 vulnerabilities, infrastructure security, and coding best practices.
+
+## How It Works
+
+1. When you write or review code, reference these security guidelines
+2. Each rule includes incorrect (vulnerable) and correct (secure) code examples
+3. Rules are organized by vulnerability category and impact level
+
+## Categories
+
+### Critical Impact
+- **SQL Injection** - Use parameterized queries, never concatenate user input
+- **Command Injection** - Avoid shell commands with user input, use safe APIs
+- **XSS** - Escape output, use framework protections
+- **XXE** - Disable external entities in XML parsers
+- **Path Traversal** - Validate and sanitize file paths
+- **Insecure Deserialization** - Never deserialize untrusted data
+- **Code Injection** - Never eval() user input
+- **Hardcoded Secrets** - Use environment variables or secret managers
+- **Memory Safety** - Prevent buffer overflows, use-after-free (C/C++)
+
+### High Impact
+- **Insecure Crypto** - Use SHA-256+, AES-256, avoid MD5/SHA1/DES
+- **Insecure Transport** - Use HTTPS, verify certificates
+- **SSRF** - Validate URLs, use allowlists
+- **JWT Issues** - Always verify signatures
+- **CSRF** - Use CSRF tokens on state-changing requests
+- **Prototype Pollution** - Validate object keys in JavaScript
+
+### Infrastructure
+- **Terraform AWS/Azure/GCP** - Encryption, least privilege, no public access
+- **Kubernetes** - No privileged containers, run as non-root
+- **Docker** - Don't run as root, pin image versions
+- **GitHub Actions** - Avoid script injection, pin action versions
+
+## Usage
+
+Reference the rules in `rules/` directory for detailed examples:
+
+- `rules/sql-injection.md` - SQL injection prevention
+- `rules/xss.md` - Cross-site scripting prevention
+- `rules/command-injection.md` - Command injection prevention
+- `rules/_sections.md` - Full index of all 28 rule categories
+
+## Quick Reference
+
+| Vulnerability | Key Prevention |
+|--------------|----------------|
+| SQL Injection | Parameterized queries |
+| XSS | Output encoding |
+| Command Injection | Avoid shell, use APIs |
+| Path Traversal | Validate paths |
+| SSRF | URL allowlists |
+| Secrets | Environment variables |
+| Crypto | SHA-256, AES-256 |

.agents/skills/code-security/rules/authentication-jwt.md

@@ -0,0 +1,99 @@
+---
+title: Secure JWT Authentication
+impact: HIGH
+impactDescription: Authentication bypass and token forgery
+tags: security, authentication, jwt, cwe-287, cwe-347, owasp-a07
+---
+
+## Secure JWT Authentication
+
+JSON Web Tokens (JWT) are widely used for authentication and authorization. However, improper implementation can lead to serious security vulnerabilities including authentication bypass and token forgery. The most critical JWT vulnerability is decoding tokens without verifying their signatures, which allows attackers to forge tokens with arbitrary claims, impersonate any user, or escalate privileges.
+
+Related CWEs: CWE-287 (Improper Authentication), CWE-345 (Insufficient Verification of Data Authenticity), CWE-347 (Improper Verification of Cryptographic Signature).
+
+**Incorrect (JavaScript jsonwebtoken - decode without verify):**
+
+```javascript
+const jwt = require('jsonwebtoken');
+
+function getUserData(token) {
+  const decoded = jwt.decode(token, true);
+  if (decoded.isAdmin) {
+    return getAdminData();
+  }
+}
+```
+
+**Correct (JavaScript jsonwebtoken - verify before decode):**
+
+```javascript
+const jwt = require('jsonwebtoken');
+
+function getUserData(token, secretKey) {
+  jwt.verify(token, secretKey);
+  const decoded = jwt.decode(token, true);
+  if (decoded.isAdmin) {
+    return getAdminData();
+  }
+}
+```
+
+**Incorrect (Python PyJWT - verify_signature disabled):**
+
+```python
+import jwt
+
+def get_user_claims(token, key):
+    decoded = jwt.decode(token, key, options={"verify_signature": False})
+    return decoded
+```
+
+**Correct (Python PyJWT - verify_signature enabled):**
+
+```python
+import jwt
+
+def get_user_claims(token, key):
+    decoded = jwt.decode(token, key, algorithms=["HS256"])
+    return decoded
+```
+
+**Incorrect (Java auth0 java-jwt - decode without verify):**
+
+```java
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.interfaces.DecodedJWT;
+
+public class TokenHandler {
+    public DecodedJWT getUserClaims(String token) {
+        DecodedJWT jwt = JWT.decode(token);
+        return jwt;
+    }
+}
+```
+
+**Correct (Java auth0 java-jwt - verify before use):**
+
+```java
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.auth0.jwt.interfaces.JWTVerifier;
+
+public class TokenHandler {
+    public DecodedJWT getUserClaims(String token, String secret) {
+        Algorithm algorithm = Algorithm.HMAC256(secret);
+        JWTVerifier verifier = JWT.require(algorithm)
+            .withIssuer("auth0")
+            .build();
+        DecodedJWT jwt = verifier.verify(token);
+        return jwt;
+    }
+}
+```
+
+**References:**
+- [OWASP Software and Data Integrity Failures](https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures)
+- [OWASP Cryptographic Failures](https://owasp.org/Top10/A02_2021-Cryptographic_Failures/)
+- [CWE-287: Improper Authentication](https://cwe.mitre.org/data/definitions/287)
+- [CWE-347: Improper Verification of Cryptographic Signature](https://cwe.mitre.org/data/definitions/347)