AI SummaryA security and compliance agent that helps teams audit, implement, and review security controls across authentication, authorization, encryption, and major compliance frameworks (GDPR, HIPAA, SOC2, PCI-DSS, ISO27001). Essential for security teams, DevOps engineers, and compliance officers building secure systems.
Install
Copy this and paste it into Claude Code, Cursor, or any AI assistant:
I want to set up the "05-security-compliance" agent in my project. Please run this command in my terminal: # Add AGENTS.md to your project root curl --retry 3 --retry-delay 2 --retry-all-errors -o AGENTS.md "https://raw.githubusercontent.com/pluginagentmarketplace/custom-plugin-api-design/main/agents/05-security-compliance.md" Then explain what the agent does and how to invoke it.
Description
Security architecture, authentication, authorization, encryption, and compliance - Cyber Security, HIPAA, GDPR aligned with security roadmap roles
Role & Responsibility Boundaries
Primary Role: Ensure security best practices and compliance requirements are met. Boundaries: • ✅ Authentication, authorization, encryption, compliance • ✅ Security audits, vulnerability scanning, penetration testing guidance • ❌ Application logic (delegate to Agent 02) • ❌ Infrastructure security (shared with Agent 04) • ❌ Performance optimization (delegate to Agent 03)
OWASP Top 10 (2021) Protection
` ┌──────────────────────────────────────────────────────────────────┐ │ OWASP Top 10 Quick Reference │ ├──────────────────────────────────────────────────────────────────┤ │ A01: Broken Access Control → Implement RBAC/ABAC │ │ A02: Cryptographic Failures → Use TLS 1.3, AES-256 │ │ A03: Injection → Parameterized queries │ │ A04: Insecure Design → Threat modeling │ │ A05: Security Misconfiguration → Hardened defaults │ │ A06: Vulnerable Components → Dependency scanning │ │ A07: Auth Failures → MFA, rate limiting │ │ A08: Data Integrity Failures → Signed updates, CI/CD security│ │ A09: Logging Failures → Audit logs, alerting │ │ A10: SSRF → Allowlist URLs, network segmentation│ └──────────────────────────────────────────────────────────────────┘ `
JWT Token Management
`typescript import jwt from 'jsonwebtoken'; import { createHash, randomBytes } from 'crypto'; interface TokenPayload { sub: string; email: string; roles: string[]; iat: number; exp: number; jti: string; } // Token generation with best practices function generateTokens(user: User): { accessToken: string; refreshToken: string } { const jti = randomBytes(16).toString('hex'); const accessToken = jwt.sign( { sub: user.id, email: user.email, roles: user.roles, jti, }, process.env.JWT_SECRET!, { expiresIn: '15m', // Short-lived issuer: 'api.example.com', audience: 'web-client', algorithm: 'RS256', // Use asymmetric keys in production } ); const refreshToken = jwt.sign( { sub: user.id, jti: randomBytes(16).toString('hex') }, process.env.JWT_REFRESH_SECRET!, { expiresIn: '7d' } ); // Store refresh token hash in database for revocation const refreshTokenHash = createHash('sha256').update(refreshToken).digest('hex'); db.query('INSERT INTO refresh_tokens (user_id, token_hash, expires_at) VALUES ($1, $2, $3)', [user.id, refreshTokenHash, new Date(Date.now() + 7 24 60 60 1000)]); return { accessToken, refreshToken }; } // Token verification middleware async function verifyToken(req: Request, res: Response, next: NextFunction) { const authHeader = req.headers.authorization; if (!authHeader?.startsWith('Bearer ')) { return res.status(401).json({ error: 'Missing authorization header' }); } const token = authHeader.slice(7); try { const payload = jwt.verify(token, process.env.JWT_PUBLIC_KEY!, { issuer: 'api.example.com', audience: 'web-client', algorithms: ['RS256'], }) as TokenPayload; // Check if token is blacklisted (for logout) const isBlacklisted = await redis.get(blacklist:${payload.jti}); if (isBlacklisted) { return res.status(401).json({ error: 'Token revoked' }); } req.user = payload; next(); } catch (error) { if (error instanceof jwt.TokenExpiredError) { return res.status(401).json({ error: 'Token expired', code: 'TOKEN_EXPIRED' }); } return res.status(401).json({ error: 'Invalid token' }); } } `
OAuth 2.0 + PKCE
`typescript import { randomBytes, createHash } from 'crypto'; // PKCE flow for public clients (mobile, SPA) function generatePKCE(): { codeVerifier: string; codeChallenge: string } { const codeVerifier = randomBytes(32).toString('base64url'); const codeChallenge = createHash('sha256') .update(codeVerifier) .digest('base64url'); return { codeVerifier, codeChallenge }; } // Authorization URL function getAuthorizationUrl(state: string, pkce: { codeChallenge: string }): string { const params = new URLSearchParams({ response_type: 'code', client_id: process.env.OAUTH_CLIENT_ID!, redirect_uri: process.env.OAUTH_REDIRECT_URI!, scope: 'openid profile email', state, code_challenge: pkce.codeChallenge, code_challenge_method: 'S256', }); return https://auth.example.com/authorize?${params}; } // Token exchange async function exchangeCode(code: string, codeVerifier: string): Promise<TokenResponse> { const response = await fetch('https://auth.example.com/token', { method: 'POST', headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, body: new URLSearchParams({ grant_type: 'authorization_code', code, redirect_uri: process.env.OAUTH_REDIRECT_URI!, client_id: process.env.OAUTH_CLIENT_ID!, code_verifier: codeVerifier, }), }); if (!response.ok) { throw new Error('Token exchange failed'); } return response.json(); } `
Discussion
Health Signals
My Fox Den
Community Rating
Sign in to rate this booster