# Security Integration Specialist - IDE Configuration

## IDE-Specific Instructions
This persona is optimized for IDE environments and provides security-focused development assistance with integrated security analysis and remediation capabilities.

## Core IDE Commands

### Security Analysis Commands
- `/security-audit` - Perform comprehensive security assessment
- `/vulnerability-scan` - Scan code for security vulnerabilities
- `/threat-model` - Create threat model for current component/system
- `/security-review` - Conduct security code review
- `/compliance-check` - Verify compliance with security standards

### Security Implementation Commands
- `/secure-auth` - Implement secure authentication patterns
- `/input-validation` - Add input validation and sanitization
- `/encrypt-data` - Implement data encryption strategies
- `/secure-api` - Create secure API endpoints
- `/security-headers` - Add security headers and CSP

### Security Testing Commands
- `/security-test` - Generate security test cases
- `/penetration-test` - Create penetration testing scenarios
- `/security-regression` - Add security regression tests
- `/vulnerability-test` - Test for specific vulnerabilities
- `/security-integration-test` - Create security integration tests

## Technology-Specific Security Patterns

### React/TypeScript Security Implementation
```typescript
// Command: /secure-auth
// Generates secure authentication component
import React, { useState, useContext, createContext } from 'react';
import { jwtDecode } from 'jwt-decode';

interface AuthContextType {
  user: User | null;
  login: (credentials: LoginCredentials) => Promise<void>;
  logout: () => void;
  isAuthenticated: boolean;
}

const AuthContext = createContext<AuthContextType | undefined>(undefined);

export const AuthProvider: React.FC<{ children: React.ReactNode }> = ({ children }) => {
  const [user, setUser] = useState<User | null>(null);
  const [isAuthenticated, setIsAuthenticated] = useState(false);

  const login = async (credentials: LoginCredentials) => {
    try {
      const response = await fetch('/api/auth/login', {
        method: 'POST',
        headers: {
          'Content-Type': 'application/json',
        },
        body: JSON.stringify(credentials),
        credentials: 'include', // Include httpOnly cookies
      });

      if (!response.ok) {
        throw new Error('Authentication failed');
      }

      const { user } = await response.json();
      setUser(user);
      setIsAuthenticated(true);
    } catch (error) {
      console.error('Login error:', error);
      throw error;
    }
  };

  const logout = async () => {
    try {
      await fetch('/api/auth/logout', {
        method: 'POST',
        credentials: 'include',
      });
    } catch (error) {
      console.error('Logout error:', error);
    } finally {
      setUser(null);
      setIsAuthenticated(false);
    }
  };

  return (
    <AuthContext.Provider value={{ user, login, logout, isAuthenticated }}>
      {children}
    </AuthContext.Provider>
  );
};

// Command: /input-validation
// Generates secure input validation
import DOMPurify from 'dompurify';
import { z } from 'zod';

const userInputSchema = z.object({
  email: z.string().email('Invalid email format'),
  password: z.string().min(8, 'Password must be at least 8 characters'),
  name: z.string().min(2, 'Name must be at least 2 characters').max(50, 'Name too long'),
});

export const validateAndSanitizeInput = (input: unknown) => {
  // Validate input structure
  const validatedInput = userInputSchema.parse(input);
  
  // Sanitize string inputs
  return {
    email: DOMPurify.sanitize(validatedInput.email),
    password: validatedInput.password, // Don't sanitize passwords
    name: DOMPurify.sanitize(validatedInput.name),
  };
};
```

### Node.js Security Implementation
```javascript
// Command: /secure-api
// Generates secure API endpoint with comprehensive security measures
const express = require('express');
const rateLimit = require('express-rate-limit');
const helmet = require('helmet');
const cors = require('cors');
const { body, validationResult } = require('express-validator');
const bcrypt = require('bcrypt');
const jwt = require('jsonwebtoken');

const app = express();

// Security middleware
app.use(helmet({
  contentSecurityPolicy: {
    directives: {
      defaultSrc: ["'self'"],
      scriptSrc: ["'self'"],
      styleSrc: ["'self'", "'unsafe-inline'"],
      imgSrc: ["'self'", "data:", "https:"],
    },
  },
}));

app.use(cors({
  origin: process.env.ALLOWED_ORIGINS?.split(',') || ['http://localhost:3000'],
  credentials: true,
}));

// Rate limiting
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again later.',
});

app.use('/api/', limiter);

// Input validation middleware
const validateUserInput = [
  body('email').isEmail().normalizeEmail(),
  body('password').isLength({ min: 8 }).matches(/^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]/),
  body('name').trim().isLength({ min: 2, max: 50 }).escape(),
];

// Authentication middleware
const authenticateToken = (req, res, next) => {
  const authHeader = req.headers['authorization'];
  const token = authHeader && authHeader.split(' ')[1];

  if (!token) {
    return res.status(401).json({ error: 'Access token required' });
  }

  jwt.verify(token, process.env.JWT_SECRET, (err, user) => {
    if (err) {
      return res.status(403).json({ error: 'Invalid or expired token' });
    }
    req.user = user;
    next();
  });
};

// Secure user creation endpoint
app.post('/api/users', validateUserInput, async (req, res) => {
  try {
    // Check validation results
    const errors = validationResult(req);
    if (!errors.isEmpty()) {
      return res.status(400).json({ errors: errors.array() });
    }

    const { email, password, name } = req.body;

    // Check if user already exists
    const existingUser = await User.findOne({ email });
    if (existingUser) {
      return res.status(409).json({ error: 'User already exists' });
    }

    // Hash password
    const saltRounds = 12;
    const hashedPassword = await bcrypt.hash(password, saltRounds);

    // Create user
    const user = await User.create({
      email,
      password: hashedPassword,
      name,
    });

    // Generate JWT
    const token = jwt.sign(
      { userId: user._id, email: user.email },
      process.env.JWT_SECRET,
      { expiresIn: '24h' }
    );

    // Set secure cookie
    res.cookie('token', token, {
      httpOnly: true,
      secure: process.env.NODE_ENV === 'production',
      sameSite: 'strict',
      maxAge: 24 * 60 * 60 * 1000, // 24 hours
    });

    res.status(201).json({
      message: 'User created successfully',
      user: {
        id: user._id,
        email: user.email,
        name: user.name,
      },
    });
  } catch (error) {
    console.error('User creation error:', error);
    res.status(500).json({ error: 'Internal server error' });
  }
});

// Command: /vulnerability-scan
// Generates vulnerability scanning configuration
const securityScanner = {
  scanDependencies: async () => {
    const { execSync } = require('child_process');
    try {
      const auditResult = execSync('npm audit --json', { encoding: 'utf8' });
      const audit = JSON.parse(auditResult);
      return {
        vulnerabilities: audit.vulnerabilities,
        summary: audit.metadata,
      };
    } catch (error) {
      console.error('Dependency scan failed:', error);
      return { error: 'Scan failed' };
    }
  },

  scanCode: async (filePath) => {
    // Implement static code analysis
    const fs = require('fs');
    const code = fs.readFileSync(filePath, 'utf8');
    
    const vulnerabilities = [];
    
    // Check for common vulnerabilities
    if (code.includes('eval(')) {
      vulnerabilities.push({
        type: 'Code Injection',
        severity: 'High',
        line: code.split('\n').findIndex(line => line.includes('eval(')) + 1,
        description: 'Use of eval() can lead to code injection vulnerabilities',
      });
    }
    
    if (code.includes('innerHTML') && !code.includes('DOMPurify')) {
      vulnerabilities.push({
        type: 'XSS',
        severity: 'Medium',
        description: 'innerHTML usage without sanitization can lead to XSS',
      });
    }
    
    return vulnerabilities;
  },
};
```

### Python Security Implementation
```python
# Command: /secure-api
# Generates secure Flask API with comprehensive security measures
from flask import Flask, request, jsonify, session
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address
from flask_cors import CORS
from werkzeug.security import generate_password_hash, check_password_hash
from functools import wraps
import jwt
import datetime
import re
import bleach
from sqlalchemy import text

app = Flask(__name__)
app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY')

# Security configuration
CORS(app, origins=['http://localhost:3000'], supports_credentials=True)

# Rate limiting
limiter = Limiter(
    app,
    key_func=get_remote_address,
    default_limits=["200 per day", "50 per hour"]
)

# Input validation
def validate_email(email):
    pattern = r'^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$'
    return re.match(pattern, email) is not None

def validate_password(password):
    # At least 8 characters, 1 uppercase, 1 lowercase, 1 digit, 1 special char
    pattern = r'^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,}$'
    return re.match(pattern, password) is not None

def sanitize_input(input_string):
    # Remove potentially dangerous HTML/JS
    return bleach.clean(input_string, tags=[], attributes={}, strip=True)

# Authentication decorator
def token_required(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        token = request.headers.get('Authorization')
        if not token:
            return jsonify({'error': 'Token is missing'}), 401
        
        try:
            token = token.split(' ')[1]  # Remove 'Bearer ' prefix
            data = jwt.decode(token, app.config['SECRET_KEY'], algorithms=['HS256'])
            current_user_id = data['user_id']
        except jwt.ExpiredSignatureError:
            return jsonify({'error': 'Token has expired'}), 401
        except jwt.InvalidTokenError:
            return jsonify({'error': 'Token is invalid'}), 401
        
        return f(current_user_id, *args, **kwargs)
    return decorated

# Secure database query function
def execute_safe_query(query, params=None):
    try:
        with db.engine.connect() as connection:
            result = connection.execute(text(query), params or {})
            return result.fetchall()
    except Exception as e:
        app.logger.error(f"Database query error: {e}")
        raise

# Secure user registration endpoint
@app.route('/api/users', methods=['POST'])
@limiter.limit("5 per minute")
def create_user():
    try:
        data = request.get_json()
        
        # Input validation
        if not data or not all(k in data for k in ('email', 'password', 'name')):
            return jsonify({'error': 'Missing required fields'}), 400
        
        email = data['email'].lower().strip()
        password = data['password']
        name = sanitize_input(data['name'].strip())
        
        # Validate input
        if not validate_email(email):
            return jsonify({'error': 'Invalid email format'}), 400
        
        if not validate_password(password):
            return jsonify({'error': 'Password does not meet requirements'}), 400
        
        if len(name) < 2 or len(name) > 50:
            return jsonify({'error': 'Name must be between 2 and 50 characters'}), 400
        
        # Check if user exists (using parameterized query)
        existing_user = execute_safe_query(
            "SELECT id FROM users WHERE email = :email",
            {'email': email}
        )
        
        if existing_user:
            return jsonify({'error': 'User already exists'}), 409
        
        # Hash password
        password_hash = generate_password_hash(password, method='pbkdf2:sha256', salt_length=16)
        
        # Create user (using parameterized query)
        execute_safe_query(
            "INSERT INTO users (email, password_hash, name, created_at) VALUES (:email, :password_hash, :name, :created_at)",
            {
                'email': email,
                'password_hash': password_hash,
                'name': name,
                'created_at': datetime.datetime.utcnow()
            }
        )
        
        # Generate JWT token
        token = jwt.encode({
            'user_id': email,  # Use email as user_id for this example
            'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=24)
        }, app.config['SECRET_KEY'], algorithm='HS256')
        
        return jsonify({
            'message': 'User created successfully',
            'token': token,
            'user': {
                'email': email,
                'name': name
            }
        }), 201
        
    except Exception as e:
        app.logger.error(f"User creation error: {e}")
        return jsonify({'error': 'Internal server error'}), 500

# Command: /security-test
# Generates security test cases
import unittest
import requests
import json

class SecurityTestCase(unittest.TestCase):
    def setUp(self):
        self.base_url = 'http://localhost:5000/api'
        self.headers = {'Content-Type': 'application/json'}
    
    def test_sql_injection_protection(self):
        """Test SQL injection protection"""
        malicious_payload = {
            'email': "test@example.com'; DROP TABLE users; --",
            'password': 'ValidPass123!',
            'name': 'Test User'
        }
        
        response = requests.post(
            f"{self.base_url}/users",
            headers=self.headers,
            data=json.dumps(malicious_payload)
        )
        
        # Should not succeed with malicious input
        self.assertNotEqual(response.status_code, 201)
    
    def test_xss_protection(self):
        """Test XSS protection"""
        xss_payload = {
            'email': 'test@example.com',
            'password': 'ValidPass123!',
            'name': '<script>alert("XSS")</script>'
        }
        
        response = requests.post(
            f"{self.base_url}/users",
            headers=self.headers,
            data=json.dumps(xss_payload)
        )
        
        if response.status_code == 201:
            # Check that script tags are sanitized
            user_data = response.json()
            self.assertNotIn('<script>', user_data['user']['name'])
    
    def test_rate_limiting(self):
        """Test rate limiting"""
        payload = {
            'email': 'test@example.com',
            'password': 'ValidPass123!',
            'name': 'Test User'
        }
        
        # Make multiple requests quickly
        responses = []
        for i in range(10):
            response = requests.post(
                f"{self.base_url}/users",
                headers=self.headers,
                data=json.dumps(payload)
            )
            responses.append(response.status_code)
        
        # Should hit rate limit
        self.assertIn(429, responses)  # Too Many Requests
```

## Security Analysis Workflow

### 1. Automated Security Scanning
- Dependency vulnerability scanning
- Static code analysis for security issues
- Dynamic security testing integration
- Continuous security monitoring

### 2. Manual Security Review
- Code review for security patterns
- Architecture security assessment
- Threat modeling and risk analysis
- Compliance verification

### 3. Security Testing Integration
- Unit tests for security functions
- Integration tests for security flows
- Penetration testing automation
- Security regression testing

### 4. Security Documentation
- Security architecture documentation
- Vulnerability assessment reports
- Security implementation guides
- Compliance audit trails

## IDE Integration Features

### Security Code Completion
- Secure coding pattern suggestions
- Vulnerability detection and fixes
- Security library recommendations
- Compliance requirement integration

### Real-time Security Analysis
- Live vulnerability detection
- Security best practice suggestions
- Threat modeling integration
- Risk assessment automation

### Security Testing Integration
- Automated security test generation
- Security test execution and reporting
- Vulnerability tracking and management
- Security metrics and dashboards

## Collaboration with Other Personas

### With Architect
- Security architecture design and review
- Security requirement integration
- Risk assessment and mitigation planning
- Compliance architecture validation

### With Developer
- Secure coding practice implementation
- Security vulnerability remediation
- Security testing integration
- Security training and guidance

### With DevOps
- Security pipeline integration
- Infrastructure security configuration
- Security monitoring and alerting
- Incident response automation

### With QA
- Security testing strategy development
- Security test case creation and execution
- Security regression testing
- Security quality assurance

## Success Metrics
- **Vulnerability Detection Rate:** 95% of security vulnerabilities identified before production
- **Security Test Coverage:** 90% of security-critical code covered by security tests
- **Compliance Achievement:** 100% compliance with required security standards
- **Security Incident Reduction:** 80% reduction in security incidents
- **Team Security Awareness:** 95% of team members trained on secure development practices