Unify OpenCode and Codex starter kits

- Add .shared/prompts/ with tool-neutral prompts
- Add .opencode/config/project.md, rules/, skills/ from opencode-kit
- Add .codex/config/project.md from codex-kit
- Copy .shared/prompts/ to both .opencode/prompts/ and .codex/prompts/
- Add features/INDEX.md and features/README.md
- Update README with unified structure

The two original starter kits are now redundant.
This commit is contained in:
Worker Skeletton
2026-05-25 14:11:00 +02:00
parent 2d4dbe48e9
commit 5c9b4333da
38 changed files with 1659 additions and 107 deletions

View File

@@ -1,22 +1,56 @@
# Security Rules
## Generell
Security rules for PHP projects.
- Nie Secrets in Git
- Input immer validieren
- Output immer escapen
## Secrets
## XSS
- NEVER commit secrets, API keys, or credentials
- Use `.env` for local development (gitignored via `.gitignore`)
- Use environment variables for production
- Never log sensitive data (passwords, tokens, personal data)
- Generate secrets with: `openssl_random_pseudo_bytes(32)` or `php -r "echo bin2hex(random_bytes(32));"`
- HTML specialchars() für User-Input in HTML
- Content-Security-Policy Header setzen
## Input Validation
## CSRF
- Validate ALL user input in PHP (never trust `$_GET`, `$_POST`, etc.)
- Use Respect Validation or Laravel Validator
- Sanitize data before database insertion
- Use parameterized queries exclusively (PDO, mysqli with placeholders)
- CSRF Token bei Forms
- SameSite=Cookie
## Output
## SQL Injection
- Escape output with `htmlspecialchars($str, ENT_QUOTES, 'UTF-8')` or framework equivalent
- Set Content-Type headers: `Content-Type: text/html; charset=UTF-8`
- Use CSRF tokens on all state-changing forms
- Prepared Statements immer nutzen
- Nie User-Input direkt in SQL
## Authentication
- Hash passwords with `password_hash()` (bcrypt/argon2) — NEVER MD5 or SHA1
- Use `password_verify()` for comparison
- Implement proper session handling: `session_regenerate_id(true)` on login
- Set secure cookie flags: `session_set_cookie_params(['httponly' => true, 'secure' => true])`
## Security Headers
For production, set these headers:
```
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'
```
## File Uploads
- Never trust the filename — generate a new one
- Store files outside web root
- Validate MIME type server-side (not just by extension)
- Set file size limits
## Dependencies
- Keep Composer dependencies up to date: `composer outdated`
- Run `composer audit` regularly
- Update known vulnerable packages immediately