everything-claude-code/.opencode/commands/security.md
Affaan Mustafa 6d440c036d feat: complete OpenCode plugin support with hooks, tools, and commands
Major OpenCode integration overhaul:

- llms.txt: Comprehensive OpenCode documentation for LLMs (642 lines)
- .opencode/plugins/ecc-hooks.ts: All Claude Code hooks translated to OpenCode's plugin system
- .opencode/tools/*.ts: 3 custom tools (run-tests, check-coverage, security-audit)
- .opencode/commands/*.md: All 24 commands in OpenCode format
- .opencode/package.json: npm package structure for opencode-ecc
- .opencode/index.ts: Main plugin entry point

- Delete incorrect LIMITATIONS.md (hooks ARE supported via plugins)
- Rewrite MIGRATION.md with correct hook event mapping
- Update README.md OpenCode section to show full feature parity

OpenCode has 20+ events vs Claude Code's 3 phases:
- PreToolUse → tool.execute.before
- PostToolUse → tool.execute.after
- Stop → session.idle
- SessionStart → session.created
- SessionEnd → session.deleted
- Plus: file.edited, file.watcher.updated, permission.asked, todo.updated

- 12 agents: Full parity
- 24 commands: Full parity (+1 from original 23)
- 16 skills: Full parity
- Hooks: OpenCode has MORE (20+ events vs 3 phases)
- Custom Tools: 3 native OpenCode tools

The OpenCode configuration can now be:
1. Used directly: cd everything-claude-code && opencode
2. Installed via npm: npm install opencode-ecc
2026-02-05 05:14:33 -08:00

2.0 KiB

Front matter:
description: Run comprehensive security review
agent: security-reviewer
subtask: true

Security Review Command

Conduct a comprehensive security review: $ARGUMENTS

Your Task

Analyze the specified code for security vulnerabilities following OWASP guidelines and security best practices.

Security Checklist

OWASP Top 10 (the ten categories of the 2017 edition)

  1. Injection (SQL, NoSQL, OS command, LDAP)

    • Check that queries use parameterized or prepared statements rather than string concatenation
    • Verify that input is validated against an allow-list before it reaches an interpreter (sanitization alone is not a substitute for parameterization)
    • Review dynamic query construction, including ORM raw-query escape hatches and shell invocations built from user input
  2. Broken Authentication

    • Password storage uses a slow, salted hash (bcrypt, argon2), never reversible encryption or a fast hash
    • Session management (unpredictable IDs, rotation on login, server-side invalidation on logout, expiry)
    • Multi-factor authentication for privileged accounts
    • Password reset flows (single-use, expiring tokens; no account enumeration in responses)
  3. Sensitive Data Exposure

    • Encryption at rest and in transit (TLS on every hop, not only at the edge)
    • Proper key management (keys outside the code base, rotation possible)
    • PII handling (collected only when needed, retention limited, masked in non-production data)
  4. XML External Entities (XXE)

    • Disable DTD processing and external entity resolution in every XML parser in use
    • Input validation for XML, including XML received indirectly (SOAP, SAML, file uploads)
  5. Broken Access Control

    • Authorization checks on every endpoint, enforced server-side
    • Role-based access control with deny-by-default
    • Resource ownership validation on every object ID supplied by the client (IDOR)
  6. Security Misconfiguration

    • Default credentials removed
    • Error handling doesn't leak stack traces or internal details to clients
    • Security headers configured (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options)
  7. Cross-Site Scripting (XSS)

    • Context-aware output encoding (HTML body, attribute, JavaScript, URL)
    • Content Security Policy without unsafe-inline where feasible
    • Input sanitization for any HTML the application must accept
  8. Insecure Deserialization

    • Validate serialized data before deserializing; avoid formats that instantiate arbitrary classes from untrusted input
    • Implement integrity checks (signatures) on serialized data that crosses a trust boundary
  9. Using Components with Known Vulnerabilities

    • Run npm audit (or the equivalent for the ecosystem in use)
    • Check for outdated dependencies, including transitive ones and unmaintained packages
  10. Insufficient Logging & Monitoring

    • Security events logged (authentication failures, access-control denials, input validation failures)
    • No sensitive data in logs (credentials, tokens, session IDs, full PII)
    • Alerting configured so that logged events are actually acted on

Additional Checks

  • Secrets in code (API keys, passwords, tokens), including git history and config files
  • Environment variable handling (not logged, not bundled into client-side code)
  • CORS configuration (no wildcard origin, especially with credentials)
  • Rate limiting on authentication and other abuse-prone endpoints
  • CSRF protection on state-changing requests
  • Secure cookie flags (HttpOnly, Secure, SameSite)
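As an added example, not code from everything-claude-code or its security-audit tool, the TypeScript below mechanises a few of the checklist items above over source text and applies the triage and blocking rule from the Report Format section: findings are bucketed into Critical Issues, High Priority and Recommendations, and any critical finding marks the review as blocked. The rule names, regexes, the scanSource/triage/formatReport functions and the Express-style sample snippet are all constructed here for illustration.

```typescript
// Added example, not code from everything-claude-code: a lint-style pass that
// mechanises a few checklist items over source text and applies the
// "critical issues are blockers" rule from the report format. The rules and
// the sample source are constructed here for illustration.

type Severity = "critical" | "high" | "recommendation";

interface Finding {
  file: string;
  line: number;
  severity: Severity;
  check: string;
  detail: string;
}

interface Rule {
  check: string;
  severity: Severity;
  detail: string;
  matches: (line: string) => boolean;
}

// One rule per checklist item. These are leads for a reviewer, not verdicts:
// a production pass would parse the code rather than pattern-match lines.
const RULES: Rule[] = [
  {
    check: "injection",
    severity: "critical",
    detail: "SQL built by concatenation or template interpolation; use a parameterized query",
    // SQL keyword followed on the same statement by `+ <identifier>` or `${`
    matches: (l) => /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*?(\+\s*\w|\$\{)/i.test(l),
  },
  {
    check: "secrets-in-code",
    severity: "critical",
    detail: "hard-coded credential literal; load it from the environment or a secret store",
    matches: (l) => /\b(api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}["']/i.test(l),
  },
  {
    check: "secure-cookie-flags",
    severity: "high",
    detail: "cookie set without both httpOnly and secure",
    matches: (l) =>
      /res\.cookie\(/.test(l) && !(/httpOnly\s*:\s*true/.test(l) && /secure\s*:\s*true/.test(l)),
  },
  {
    check: "cors",
    severity: "high",
    detail: "wildcard Access-Control-Allow-Origin; allow-list trusted origins instead",
    matches: (l) => /Access-Control-Allow-Origin["']?\s*[:,]\s*["']\*["']/.test(l),
  },
  {
    check: "logging",
    severity: "recommendation",
    detail: "credential-looking value written to logs",
    matches: (l) => /console\.(log|info|warn|error)\([^)]*(password|token|secret)/i.test(l),
  },
];

// Run every rule over every line; line numbers are 1-based for the report.
function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split("\n").forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.matches(text)) {
        findings.push({ file, line: idx + 1, severity: rule.severity, check: rule.check, detail: rule.detail });
      }
    }
  });
  return findings;
}

interface ReviewReport {
  critical: Finding[];
  high: Finding[];
  recommendations: Finding[];
  blocked: boolean; // true when anything critical is present
}

// Bucket findings into the report's three sections; any critical finding blocks.
function triage(findings: Finding[]): ReviewReport {
  const critical = findings.filter((f) => f.severity === "critical");
  const high = findings.filter((f) => f.severity === "high");
  const recommendations = findings.filter((f) => f.severity === "recommendation");
  return { critical, high, recommendations, blocked: critical.length > 0 };
}

// Render the three sections in the order the command's report format uses.
function formatReport(report: ReviewReport): string {
  const section = (title: string, items: Finding[]): string =>
    [title, ...(items.length ? items.map((f) => `- ${f.file}:${f.line} [${f.check}] ${f.detail}`) : ["- none"])].join("\n");
  return [
    section("Critical Issues", report.critical),
    section("High Priority", report.high),
    section("Recommendations", report.recommendations),
    report.blocked ? "BLOCKED: resolve critical issues before proceeding" : "OK to proceed",
  ].join("\n\n");
}

// Constructed sample: an Express-style handler with each problem next to a safe
// form where the contrast matters (lines 3 and 4 should produce no finding).
const SAMPLE_SOURCE = [
  'const apiKey = "EXAMPLE-NOT-A-REAL-KEY-0001";',
  'const sql = "SELECT * FROM users WHERE id = " + req.query.id;',
  'db.query("SELECT * FROM users WHERE id = $1", [req.query.id]);',
  'res.cookie("session", sid, { httpOnly: true, secure: true, sameSite: "strict" });',
  'res.cookie("prefs", theme);',
  'res.setHeader("Access-Control-Allow-Origin", "*");',
  'console.log("login ok", user.password);',
].join("\n");

console.log(formatReport(triage(scanSource("app.ts", SAMPLE_SOURCE))));
```

On the sample, the pass reports two critical findings (the hard-coded key on line 1 and the concatenated SQL on line 2), two high (the flagless cookie on line 5 and the wildcard CORS header on line 6) and one recommendation (the password logged on line 7); the parameterized query and the fully flagged cookie produce nothing, and the report ends with BLOCKED because critical findings are present. The regexes are deliberately narrow so that the parameterized form on line 3 is not a false positive; a reviewer would still read each lead rather than trust the pattern.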

Report Format

Critical Issues

[Issues that must be fixed immediately]

High Priority

[Issues that should be fixed before release]

Recommendations

[Security improvements to consider]


IMPORTANT: Security issues are blockers. Do not proceed until critical issues are resolved.