From 851e5d84fb34ea13a4a60cfe336e95b6e39cd083 Mon Sep 17 00:00:00 2001 From: ArthurAdrianoMM Date: Sat, 4 Jul 2026 01:25:50 -0300 Subject: [PATCH] feat: add env-example-generator skill and secure-config-advisor agent --- agents/secure-config-advisor.agent.md | 31 +++++++++++++ docs/README.agents.md | 1 + docs/README.skills.md | 1 + skills/env-example-generator/SKILL.md | 66 +++++++++++++++++++++++++++ 4 files changed, 99 insertions(+) create mode 100644 agents/secure-config-advisor.agent.md create mode 100644 skills/env-example-generator/SKILL.md diff --git a/agents/secure-config-advisor.agent.md b/agents/secure-config-advisor.agent.md new file mode 100644 index 000000000..7515fabf9 --- /dev/null +++ b/agents/secure-config-advisor.agent.md @@ -0,0 +1,31 @@ +--- +name: 'secure-config-advisor' +description: 'Application configuration security specialist for environment variables, secret management, config validation, and separating config from code following 12-factor principles' +tools: ['codebase', 'edit/editFiles', 'search', 'runCommands', 'terminalCommand'] +--- + +# Secure Config Advisor + +You are an application configuration security specialist. You keep secrets out of code, make configuration explicit, and ensure apps fail fast on bad config instead of misbehaving in production. + +## Core Expertise + +- **Secret hygiene**: detecting hardcoded credentials, `.env` files in git history, secrets in logs and error messages +- **Secret managers**: when and how to adopt Vault, AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Doppler; rotation strategy +- **Config structure**: 12-factor config via environment, per-environment overrides without per-environment code, `.env.example` upkeep +- **Startup validation**: schema-validated config (zod/envalid, pydantic Settings, Spring ConfigurationProperties, .NET Options pattern) that fails boot on missing/invalid values +- **Least privilege**: scoping credentials per service, avoiding shared god-credentials across environments + +## Working Method + +1. Audit first: scan tracked files and git history for secrets (`git log -p` patterns, common key formats) before proposing structure. +2. Treat any committed secret as compromised - the fix is rotate + purge + prevent (pre-commit scanning like gitleaks), never just delete the line. +3. Distinguish secret config (credentials, keys) from plain config (ports, flags, URLs); only the former needs a secret manager. +4. Introduce changes incrementally: `.env` + validation first, secret manager when multiple environments or team size justify it. +5. Wire prevention into CI: secret scanning, `.env` in `.gitignore`, and drift checks between code and `.env.example`. + +## Response Style + +- Findings ordered by severity, each with the exact file/line and a remediation snippet. +- Recommend the lightest tool that solves the problem; do not prescribe Vault for a two-person project. +- When rotation is required, provide the step order that avoids downtime (add new credential → deploy → revoke old). diff --git a/docs/README.agents.md b/docs/README.agents.md index 147e24b7f..9bddb4a6b 100644 --- a/docs/README.agents.md +++ b/docs/README.agents.md @@ -209,6 +209,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-agents) for guidelines on how to | [SE: Tech Writer](../agents/se-technical-writer.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-technical-writer.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-technical-writer.agent.md) | Technical writing specialist for creating developer documentation, technical blogs, tutorials, and educational content | | | [SE: UX Designer](../agents/se-ux-ui-designer.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-ux-ui-designer.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fse-ux-ui-designer.agent.md) | Jobs-to-be-Done analysis, user journey mapping, and UX research artifacts for Figma and design workflows | | | [Search & AI Optimization Expert](../agents/search-ai-optimization-expert.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsearch-ai-optimization-expert.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsearch-ai-optimization-expert.agent.md) | Expert guidance for modern search optimization: SEO, Answer Engine Optimization (AEO), and Generative Engine Optimization (GEO) with AI-ready content strategies | | +| [Secure Config Advisor](../agents/secure-config-advisor.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsecure-config-advisor.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fsecure-config-advisor.agent.md) | Application configuration security specialist for environment variables, secret management, config validation, and separating config from code following 12-factor principles | | | [Senior Cloud Architect](../agents/arch.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Farch.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Farch.agent.md) | Expert in modern architecture design patterns, NFR requirements, and creating comprehensive architectural diagrams and documentation | | | [Sensei Junior Mentor](../agents/mentoring-juniors.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fmentoring-juniors.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fmentoring-juniors.agent.md) | Socratic mentor for junior developers. Guides through questions, never gives direct answers. Helps beginners understand code, debug issues, and build autonomy using the PEAR Loop and progressive clue systems. | | | [Shopify Expert](../agents/shopify-expert.agent.md)
[![Install in VS Code](https://img.shields.io/badge/VS_Code-Install-0098FF?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fshopify-expert.agent.md)
[![Install in VS Code Insiders](https://img.shields.io/badge/VS_Code_Insiders-Install-24bfa5?style=flat-square&logo=visualstudiocode&logoColor=white)](https://aka.ms/awesome-copilot/install/agent?url=vscode-insiders%3Achat-agent%2Finstall%3Furl%3Dhttps%3A%2F%2Fraw.githubusercontent.com%2Fgithub%2Fawesome-copilot%2Fmain%2Fagents%2Fshopify-expert.agent.md) | Expert Shopify development assistant specializing in theme development, Liquid templating, app development, and Shopify APIs | | diff --git a/docs/README.skills.md b/docs/README.skills.md index 361c6be64..90fe9c5ba 100644 --- a/docs/README.skills.md +++ b/docs/README.skills.md @@ -157,6 +157,7 @@ See [CONTRIBUTING.md](../CONTRIBUTING.md#adding-skills) for guidelines on how to | [em-dash](../skills/em-dash/SKILL.md)
`gh skills install github/awesome-copilot em-dash` | Expert on the history, origin, and correct use of the em dash. Use when writing or reviewing code, comments, or data files to avoid em and en dashes, defaulting to never using them and replacing any found with a hyphen (-). Includes strong knowledge of punctuation marks and the proper usage of punctuation characters when writing comments. | None | | [email-drafter](../skills/email-drafter/SKILL.md)
`gh skills install github/awesome-copilot email-drafter` | Draft and review professional emails that match your personal writing style. Analyzes your sent emails for tone, greeting, structure, and sign-off patterns via WorkIQ, then generates context-aware drafts for any recipient. USE FOR: draft email, write email, compose email, reply email, follow-up email, analyze email tone, email style. | None | | [entra-agent-user](../skills/entra-agent-user/SKILL.md)
`gh skills install github/awesome-copilot entra-agent-user` | Create Agent Users in Microsoft Entra ID from Agent Identities, enabling AI agents to act as digital workers with user identity capabilities in Microsoft 365 and Azure environments. | None | +| [env-example-generator](../skills/env-example-generator/SKILL.md)
`gh skills install github/awesome-copilot env-example-generator` | Generate and maintain a .env.example that stays in sync with every environment variable the code actually reads. Use when the user asks to create or update .env.example, document environment variables, audit config for missing or unused variables, or onboard developers who need to know which variables a project requires. | None | | [eval-driven-dev](../skills/eval-driven-dev/SKILL.md)
`gh skills install github/awesome-copilot eval-driven-dev` | Improve AI application with evaluation-driven development. Define eval criteria, instrument the application, build golden datasets, observe and evaluate application runs, analyze results, and produce a concrete action plan for improvements. ALWAYS USE THIS SKILL when the user asks to set up QA, add tests, add evals, evaluate, benchmark, fix wrong behaviors, improve quality, or do quality assurance for any Python project that calls an LLM model. | `references/1-a-project-analysis.md`
`references/1-b-entry-point.md`
`references/1-c-eval-criteria.md`
`references/2a-instrumentation.md`
`references/2b-implement-runnable.md`
`references/2c-capture-and-verify-trace.md`
`references/3-define-evaluators.md`
`references/4-build-dataset.md`
`references/5-run-tests.md`
`references/6-analyze-outcomes.md`
`references/evaluators.md`
`references/runnable-examples`
`references/testing-api.md`
`references/wrap-api.md`
`resources` | | [exam-ready](../skills/exam-ready/SKILL.md)
`gh skills install github/awesome-copilot exam-ready` | Activate this skill when a student provides study material (PDF or pasted notes) and a syllabus, and wants to prepare for an exam. Extracts key definitions, points, keywords, diagrams, exam-ready sentences, and practice questions strictly from the provided material. | None | | [excalidraw-diagram-generator](../skills/excalidraw-diagram-generator/SKILL.md)
`gh skills install github/awesome-copilot excalidraw-diagram-generator` | Generate Excalidraw diagrams from natural language descriptions. Use when asked to "create a diagram", "make a flowchart", "visualize a process", "draw a system architecture", "create a mind map", or "generate an Excalidraw file". Supports flowcharts, relationship diagrams, mind maps, and system architecture diagrams. Outputs .excalidraw JSON files that can be opened directly in Excalidraw. | `references/element-types.md`
`references/excalidraw-schema.md`
`scripts/.gitignore`
`scripts/README.md`
`scripts/add-arrow.py`
`scripts/add-icon-to-diagram.py`
`scripts/split-excalidraw-library.py`
`templates` | diff --git a/skills/env-example-generator/SKILL.md b/skills/env-example-generator/SKILL.md new file mode 100644 index 000000000..9dbbd74a7 --- /dev/null +++ b/skills/env-example-generator/SKILL.md @@ -0,0 +1,66 @@ +--- +name: env-example-generator +description: 'Generate and maintain a .env.example that stays in sync with every environment variable the code actually reads. Use when the user asks to create or update .env.example, document environment variables, audit config for missing or unused variables, or onboard developers who need to know which variables a project requires.' +license: MIT +--- + +# Env Example Generator + +Scan the codebase for every environment variable it reads and generate a complete, documented `.env.example` - without ever copying real secret values. + +## When to Use This Skill + +Use this skill when you need to: +- Create a `.env.example` for a project that lacks one +- Detect drift: variables read in code but missing from `.env.example`, or documented but no longer used +- Document what each variable does, its format, and a safe default +- Prepare a project for new-developer onboarding or open-sourcing + +## Workflow + +1. **Scan for reads** across the stack: + - Node: `process.env.X`, `import.meta.env.X` + - Python: `os.environ[...]`, `os.getenv(...)`, pydantic `BaseSettings` fields + - Go: `os.Getenv(...)`; Java/Spring: `${X}` in properties/yml, `@Value`; .NET: `builder.Configuration[...]`, `IConfiguration` + - Infra: `docker-compose.yml` `environment:`/`env_file:`, Dockerfiles `ENV`/`ARG`, CI workflows, K8s manifests +2. **Merge and dedupe** into one inventory with file references. +3. **Classify each variable**: required (no fallback in code) vs. optional (has default), secret vs. non-secret. +4. **Generate `.env.example`** grouped by concern, with a comment and placeholder per variable. +5. **Report drift**: list variables in code but not in the example, and stale entries in the example no code reads. + +## Output Format + +```bash +# --------------------------------------------------------------- +# App +# --------------------------------------------------------------- +# Runtime environment: development | staging | production +NODE_ENV=development +# HTTP port the API listens on (default: 3000) +PORT=3000 + +# --------------------------------------------------------------- +# Database +# --------------------------------------------------------------- +# PostgreSQL connection string (required) +DATABASE_URL=postgresql://user:password@localhost:5432/appdb + +# --------------------------------------------------------------- +# Auth (secrets - generate real values, never commit them) +# --------------------------------------------------------------- +# JWT signing secret (required) - generate with: openssl rand -hex 32 +JWT_SECRET=change-me +``` + +## Guidelines + +1. **Never copy real values** - even from a local `.env`; placeholders only. If a real secret is spotted in tracked files, flag it and suggest rotation plus secret-manager adoption. +2. **Required variables get no default placeholder that "works"** - use `change-me` style values that fail loudly rather than silently connecting somewhere wrong. +3. **Comment format and origin** - each entry says what it is, its format, and (for secrets) how to generate one. +4. **Keep ordering stable and grouped** - diffs stay readable when variables are grouped by concern, alphabetical within groups. +5. **Suggest validation** - recommend fail-fast startup validation (zod/envalid, pydantic Settings, Spring `@ConfigurationProperties`) so missing variables break boot, not runtime. + +## Limitations + +- Dynamic access (`process.env[name]`) cannot be resolved statically; report these call sites for manual review. +- Variables consumed only by third-party libraries (e.g. `AWS_REGION`) may not appear in code scans; check docs of detected SDKs.