admin/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-02-08 23:43:07 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
6b424e31ffd1ef368e2f90ae2da761a6cd153aba
everything-claude-code/.opencode/commands/security.md
Affaan Mustafa 6d440c036d feat: complete OpenCode plugin support with hooks, tools, and commands 
Major OpenCode integration overhaul:

- llms.txt: Comprehensive OpenCode documentation for LLMs (642 lines)
- .opencode/plugins/ecc-hooks.ts: All Claude Code hooks translated to OpenCode's plugin system
- .opencode/tools/*.ts: 3 custom tools (run-tests, check-coverage, security-audit)
- .opencode/commands/*.md: All 24 commands in OpenCode format
- .opencode/package.json: npm package structure for opencode-ecc
- .opencode/index.ts: Main plugin entry point

- Delete incorrect LIMITATIONS.md (hooks ARE supported via plugins)
- Rewrite MIGRATION.md with correct hook event mapping
- Update README.md OpenCode section to show full feature parity

OpenCode has 20+ events vs Claude Code's 3 phases:
- PreToolUse → tool.execute.before
- PostToolUse → tool.execute.after
- Stop → session.idle
- SessionStart → session.created
- SessionEnd → session.deleted
- Plus: file.edited, file.watcher.updated, permission.asked, todo.updated

- 12 agents: Full parity
- 24 commands: Full parity (+1 from original 23)
- 16 skills: Full parity
- Hooks: OpenCode has MORE (20+ events vs 3 phases)
- Custom Tools: 3 native OpenCode tools

The OpenCode configuration can now be:
1. Used directly: cd everything-claude-code && opencode
2. Installed via npm: npm install opencode-ecc
2026-02-05 05:14:33 -08:00

90 lines
2.0 KiB
Markdown
Raw Blame History

---
description: Run comprehensive security review
agent: security-reviewer
subtask: true
---
# Security Review Command
Conduct a comprehensive security review: $ARGUMENTS
## Your Task
Analyze the specified code for security vulnerabilities following OWASP guidelines and security best practices.
## Security Checklist
### OWASP Top 10
1. **Injection** (SQL, NoSQL, OS command, LDAP)
- Check for parameterized queries
- Verify input sanitization
- Review dynamic query construction
2. **Broken Authentication**
- Password storage (bcrypt, argon2)
- Session management
- Multi-factor authentication
- Password reset flows
3. **Sensitive Data Exposure**
- Encryption at rest and in transit
- Proper key management
- PII handling
4. **XML External Entities (XXE)**
- Disable DTD processing
- Input validation for XML
5. **Broken Access Control**
- Authorization checks on every endpoint
- Role-based access control
- Resource ownership validation
6. **Security Misconfiguration**
- Default credentials removed
- Error handling doesn't leak info
- Security headers configured
7. **Cross-Site Scripting (XSS)**
- Output encoding
- Content Security Policy
- Input sanitization
8. **Insecure Deserialization**
- Validate serialized data
- Implement integrity checks
9. **Using Components with Known Vulnerabilities**
- Run `npm audit`
- Check for outdated dependencies
10. **Insufficient Logging & Monitoring**
- Security events logged
- No sensitive data in logs
- Alerting configured
### Additional Checks
- [ ] Secrets in code (API keys, passwords)
- [ ] Environment variable handling
- [ ] CORS configuration
- [ ] Rate limiting
- [ ] CSRF protection
- [ ] Secure cookie flags
## Report Format
### Critical Issues
[Issues that must be fixed immediately]
### High Priority
[Issues that should be fixed before release]
### Recommendations
[Security improvements to consider]
---
**IMPORTANT**: Security issues are blockers. Do not proceed until critical issues are resolved.
Reference in New Issue View Git Blame Copy Permalink