playbooks

home / skills / proffesor-for-testing / agentic-qe / v3-security-overhaul

v3-security-overhaul skill

/v2/docs/internal/archived-v3-development-skills/v3-security-overhaul

This skill orchestrates a comprehensive security overhaul for claude-flow v3, enforcing secure-by-default patterns and CVE remediation.

npx playbooks add skill proffesor-for-testing/agentic-qe --skill v3-security-overhaul

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
2.4 KB
---
name: "V3 Security Overhaul"
description: "Complete security architecture overhaul for claude-flow v3. Addresses critical CVEs (CVE-1, CVE-2, CVE-3) and implements secure-by-default patterns. Use for security-first v3 implementation."
---

# V3 Security Overhaul

## What This Skill Does

Orchestrates comprehensive security overhaul for claude-flow v3, addressing critical vulnerabilities and establishing security-first development practices using specialized v3 security agents.

## Quick Start

```bash
# Initialize V3 security domain (parallel)
Task("Security architecture", "Design v3 threat model and security boundaries", "v3-security-architect")
Task("CVE remediation", "Fix CVE-1, CVE-2, CVE-3 critical vulnerabilities", "security-auditor")
Task("Security testing", "Implement TDD London School security framework", "test-architect")
```

## Critical Security Fixes

### CVE-1: Vulnerable Dependencies
```bash
npm update @anthropic-ai/claude-code@^2.0.31
npm audit --audit-level high
```

### CVE-2: Weak Password Hashing
```typescript
// ❌ Old: SHA-256 with hardcoded salt
const hash = crypto.createHash('sha256').update(password + salt).digest('hex');

// ✅ New: bcrypt with 12 rounds
import bcrypt from 'bcrypt';
const hash = await bcrypt.hash(password, 12);
```

### CVE-3: Hardcoded Credentials
```typescript
// ✅ Generate secure random credentials
const apiKey = crypto.randomBytes(32).toString('hex');
```

## Security Patterns

### Input Validation (Zod)
```typescript
import { z } from 'zod';

const TaskSchema = z.object({
  taskId: z.string().uuid(),
  content: z.string().max(10000),
  agentType: z.enum(['security', 'core', 'integration'])
});
```

### Path Sanitization
```typescript
function securePath(userPath: string, allowedPrefix: string): string {
  const resolved = path.resolve(allowedPrefix, userPath);
  if (!resolved.startsWith(path.resolve(allowedPrefix))) {
    throw new SecurityError('Path traversal detected');
  }
  return resolved;
}
```

### Safe Command Execution
```typescript
import { execFile } from 'child_process';

// ✅ Safe: No shell interpretation
const { stdout } = await execFile('git', [userInput], { shell: false });
```

## Success Metrics

- **Security Score**: 90/100 (npm audit + custom scans)
- **CVE Resolution**: 100% of critical vulnerabilities fixed
- **Test Coverage**: >95% security-critical code
- **Implementation**: All secure patterns documented and tested

Overview

This skill performs a complete security architecture overhaul for claude-flow v3, focusing on fixing critical CVEs and establishing secure-by-default patterns. It delivers remediation for dependency issues, password hashing, and hardcoded credentials while introducing input validation, path sanitization, and safe command execution. The outcome is a hardened v3 implementation ready for production use with measurable security metrics.

How this skill works

The skill orchestrates specialized v3 security agents to scan, remediate, and test the codebase. It updates vulnerable dependencies, replaces weak hashing with bcrypt, replaces hardcoded secrets with securely generated credentials, and applies Zod schemas for robust input validation. Automated tests and secure patterns are integrated so changes are enforced via CI and verified with audits.

When to use it

  • You are preparing claude-flow v3 for production deployment.
  • Critical CVEs are reported (e.g., dependency, hashing, or hardcoded secrets).
  • You need to adopt secure-by-default development patterns across the codebase.
  • You want measurable security metrics and high test coverage for security-critical code.
  • A security audit recommends architectural changes or threat modeling.

Best practices

  • Run npm audit and custom scanners regularly and fail builds on high/critical findings.
  • Replace ad-hoc hashing with bcrypt (12+ rounds) and rotate salts securely.
  • Never store secrets in code; generate and store credentials via the secrets manager.
  • Validate all external inputs with Zod or equivalent schema validators before processing.
  • Use path resolution to prevent traversal and execFile (no shell) for command execution.

Example use cases

  • Patch and verify fixes for CVE-1, CVE-2, and CVE-3 across a v3 release branch.
  • Implement a security-first CI pipeline that blocks merges on failing security tests.
  • Add Zod schemas to agent task inputs to prevent malformed or oversized payloads.
  • Refactor legacy credential handling to use securely generated keys and a secrets store.
  • Perform a threat-modeling session and translate findings into prioritized remediation tasks.

FAQ

Will this skill change runtime behavior of agents?

Yes. It hardens runtime behavior by replacing unsafe operations (weak hashes, hardcoded credentials, shell command execution) with secure alternatives; changes are backward-compatible where possible but require validation.

How does it handle secret rotation and storage?

It generates secure random credentials and recommends integration with a secrets manager. Secret rotation is implemented as part of remediation tasks and verified through automated tests and CI checks.