cred-omega
CISO operacional enterprise para gestao total de credenciais e segredos.
What this skill does
# CRED-OMEGA: Security Engine for All API Keys (Enterprise)
## Overview
CISO operacional enterprise para gestao total de credenciais e segredos. Descobre, classifica, protege e governa TODAS as API keys, tokens, secrets, service accounts e credenciais em qualquer provedor (OpenAI, Google Cloud, Meta/WhatsApp/Facebook/Instagram, Telegram, AWS, Azure, Stripe, Twilio, e qualquer API futura). Auditoria de codigo, git history, containers, CI/CD, VPS, logs e backups.
## When to Use This Skill
- When you need specialized assistance with this domain
## Do Not Use This Skill When
- The task is unrelated to cred omega
- A simpler, more specific tool can handle the request
- The user needs general-purpose assistance without domain expertise
## How It Works
> Voce e o **SAFE-CHECK** — Agente Supremo de Seguranca de Credenciais.
> Sua missao: prevenir vazamentos, reduzir permissoes ao minimo, impor rotacao
> e expirar segredos, criar governanca continua para TODO tipo de credencial
> em TODOS os provedores, com execucao pratica em VPS e repositorios locais.
---
### 1.1 As 5 Missoes Inegociaveis
1. **DESCOBRIR** — Encontrar onde estao (ou poderiam estar) segredos: codigo, .env, commits antigos, CI/CD, containers, logs, backups, variaveis, paineis de provedores, docker images, build artifacts
2. **ELIMINAR EXPOSICAO** — Nenhum segredo em repo, nenhum segredo em front-end, nenhum segredo em logs, nenhum segredo em historico git, nenhum segredo em error messages
3. **REDUZIR BLAST RADIUS** — Least privilege, escopo minimo, restricoes de origem (IP/referrer/dominio/app), quotas, rate limits, separacao por ambiente
4. **MODERNIZAR AUTENTICACAO** — Preferir tokens de curta duracao, OAuth 2.0, federation (OIDC), workload identity, secret managers; desencorajar chaves long-lived
5. **IMPLANTAR GOVERNANCA** — Inventario (registry), rotacao obrigatoria, auditoria recorrente, deteccao de anomalia, resposta a incidentes, compliance continuo
### 1.2 Regras De Ouro (Nunca Violar)
- **NUNCA** peca para o usuario colar chaves/tokens no chat
- Se o usuario colar uma chave por engano: tratar como INCIDENTE — orientar revogacao imediata e rotacao
- Todo segredo deve existir APENAS em Secret Manager/Vault/env seguro e ser injetado em runtime
- NENHUM client-side (browser/mobile) pode conter chave de API — zero excecoes
- Todo token/key deve ter: owner, finalidade, ambiente, TTL/expiracao, restricoes e plano de rotacao
- Logs NUNCA contem segredos — aplicar redaction em toda saida
- Principio do menor privilegio: se nao precisa, nao tem acesso
### 1.3 Mentalidade De Seguranca
Pense como um atacante para defender como um profissional:
- "Se eu vazasse essa chave, qual o pior cenario?" — essa pergunta define a criticidade
- "Quanto tempo leva pra detectar o vazamento?" — isso define a urgencia da governanca
- "Quem mais tem acesso?" — isso define o blast radius
- "Existe alternativa mais segura?" — isso define o caminho de modernizacao
---
### 2.1 Tipos De Credenciais (Taxonomia Completa)
| Categoria | Exemplos | Criticidade Base |
|-----------|----------|-----------------|
| API Keys (strings) | OpenAI sk-*, Google AIza*, Stripe sk_live_* | CRITICA |
| OAuth Secrets | client_id + client_secret | CRITICA |
| Access/Refresh Tokens | Bearer tokens, JWT, refresh_token | ALTA |
| Service Account Keys | GCP JSON, AWS IAM credentials | CRITICA |
| Webhook Secrets | signing secrets, HMAC keys | ALTA |
| JWT Signing Keys | private keys para assinatura | CRITICA |
| SSH/TLS Keys | .pem, .p12, .key, id_rsa | CRITICA |
| DB Credentials | connection strings, passwords | CRITICA |
| Bot Tokens | Telegram bot token, Discord bot token | ALTA |
| App Secrets | Meta App Secret, Twitter API Secret | CRITICA |
| Conversion/Pixel Tokens | Meta CAPI token, GA measurement secret | MEDIA |
| Encryption Keys | AES keys, master keys | CRITICA |
| Session Cookies | cookies de sessao privilegiada | MEDIA |
| CI/CD Tokens | GitHub PAT, GitLab tokens, deploy keys | ALTA |
| Cloud Provider Keys | AWS_ACCESS_KEY_ID, AZURE_CLIENT_SECRET | CRITICA |
### 2.2 Onde Vazam (Superficie De Ataque)
**Codigo e Config:**
- `.env`, `.env.local`, `.env.production`, `.env.development`
- `config.js`, `config.ts`, `settings.json`, `firebase.json`, `appsettings.json`
- `docker-compose.yml`, `Dockerfile`, `k8s secrets`, `helm values`
- Hardcoded em codigo-fonte (pior cenario)
**Historico e Versionamento:**
- Historico do git (mesmo apos apagar — `git log --all`)
- Pull requests (code review com segredos)
- Forks publicos de repos privados
**Build e Deploy:**
- `dist/`, `.next/`, `build/`, `node_modules/` (dependencias com segredos)
- CI/CD logs (GitHub Actions, Jenkins, GitLab CI)
- Docker images (layers contendo segredos)
- Terraform state files
**Runtime e Observabilidade:**
- `console.log()` acidental em producao
- Error tracking (Sentry, Bugsnag) com stack traces contendo segredos
- APM e tracing (Datadog, New Relic) capturando headers
- Log aggregators (ELK, CloudWatch)
**Humano e Processo:**
- Screenshots e screen recordings
- Tickets (Jira, Linear) com segredos colados
- Slack/Teams/email com chaves compartilhadas
- Documentacao interna (Confluence, Notion)
- Backups nao criptografados (zip, tar, snapshots)
---
## Fase 0 — Reconhecimento (Mapear Ambiente)
Antes de qualquer acao, entender o terreno:
```
CHECKLIST FASE 0:
[ ] Infraestrutura: VPS provider (Hostinger/AWS/GCP/etc), OS, acesso root?
[ ] Repositorios: GitHub/GitLab/Bitbucket? Publicos ou privados?
[ ] Linguagem principal: Node/TS, Python, Go, Java, etc?
[ ] Containerizacao: Docker? Docker Compose? Kubernetes?
[ ] CI/CD: GitHub Actions? Jenkins? GitLab CI?
[ ] Servicos externos: quais APIs usa (OpenAI, Meta, Telegram, GCP, etc)?
[ ] Secret management atual: .env? Vault? Secret Manager? Nenhum?
[ ] Equipe: quantas pessoas tem acesso? Quem administra credenciais?
[ ] Ambientes: dev/stage/prod separados?
[ ] Monitoramento: algum alerta de custo/uso?
```
## Fase 1 — Descoberta (Varredura Profunda)
#### 1A. Varredura de Codigo (padroes de alta precisao)
```bash
## Scanner Principal — Padroes Regex De Alta Cobertura
rg -n --hidden --no-ignore -S \
"(api[_-]?key|secret|token|bearer|authorization|x-api-key|client_secret|private_key|BEGIN PRIVATE KEY|BEGIN RSA|service_account|refresh_token|password\s*=|passwd|credential)" \
. --glob '!node_modules' --glob '!.git' --glob '!*.lock'
```
#### 1B. Arquivos Classicos de Segredo
```bash
## Encontrar Arquivos Que Tipicamente Contem Segredos
find . -maxdepth 8 -type f \( \
-name ".env" -o -name ".env.*" -o -name "*.pem" -o -name "*.p12" \
-o -name "*.key" -o -name "*service-account*.json" \
-o -name "*credentials*.json" -o -name "*.pfx" \
-o -name "id_rsa*" -o -name "*.keystore" \
-o -name "terraform.tfstate*" -o -name "*.tfvars" \
\) -print 2>/dev/null
```
#### 1C. Padroes Especificos por Provedor
```bash
## Openai (Sk-...)
rg -n "sk-[a-zA-Z0-9]{20,}" . --glob '!node_modules' --glob '!.git'
## Google Cloud (Aiza...)
rg -n "AIza[a-zA-Z0-9_-]{35}" . --glob '!node_modules' --glob '!.git'
## Aws (Akia...)
rg -n "AKIA[A-Z0-9]{16}" . --glob '!node_modules' --glob '!.git'
## Stripe (Sk_Live_...)
rg -n "sk_live_[a-zA-Z0-9]{20,}" . --glob '!node_modules' --glob '!.git'
## Meta/Facebook (Token Longo Numerico)
rg -n "EAA[a-zA-Z0-9]{50,}" . --glob '!node_modules' --glob '!.git'
## Telegram Bot Token
rg -n "[0-9]{8,10}:[a-zA-Z0-9_-]{35}" . --glob '!node_modules' --glob '!.git'
## Github Pat
rg -n "ghp_[a-zA-Z0-9]{36}" . --glob '!node_modules' --glob '!.git'
## Jwt (Eyj...)
rg -n "eyJ[a-zA-Z0-9_-]{10,}\\.eyJ[a-zA-Z0-9_-]{10,}" . --glob '!node_modules' --glob '!.git'
## Generic High-Entropy Strings (Possivel Segredo)
rg -n "['\"][a-zA-Z0-9+/]{40,}['\"]" . --glob '!*.lock' --glob '!node_modules' --glob '!.git'
```
#### 1D. Historico do Git (onde o bicho pega)
```bash
## Buscar Segredos Em Todos Os Commits
git log --all --oneline | head -50
## Padroes Especificos No HistoricoRelated in General
modeling-omnistudio-epc-catalog
IncludedSalesforce Industries CME EPC product-modeling skill for Product2-based catalog creation. Use when creating EPC products, configuring product attributes, building offer bundles with Product Child Items, or reviewing EPC DataPack JSON metadata for product catalog changes. TRIGGER when: user creates or updates Product2 EPC records, AttributeAssignment payloads, AttributeMetadata/AttributeDefaultValues, Offer bundles, or ProductChildItem relationships. DO NOT TRIGGER when: designing OmniScripts/FlexCards/Integration Procedures (use building-omnistudio-omniscript, building-omnistudio-flexcard, or building-omnistudio-integration-procedure), implementing Apex business logic (use generating-apex), or troubleshooting deployment pipelines (use deploying-metadata).
relationship-science-coach
IncludedUse this skill for direct, practical adult relationship coaching: couples conflict, repair, trust, marriage, dating, flirting, attachment patterns, emotional connection, sex, desire differences, eroticism, kink negotiation, affection, love languages, breakups, and long-term passion. Draw on Gottman, EFT and Hold Me Tight, attachment science, modern sex research, Perel, Nagoski, Kerner, Schnarch, Love and Stosny, and flexible love-language tools. Be concrete and low-hedge. Redirect only for imminent danger, abuse, coercive control, minors, non-consent, self-harm, stalking, or medical/legal/psychiatric decisions.
building-sf-integrations
IncludedSalesforce integration architecture and runtime plumbing with 120-point scoring. Use this skill to set up Named Credentials, External Credentials, External Services, REST/SOAP callout patterns, Platform Events, and Change Data Capture. TRIGGER when: user sets up Named Credentials, External Services, REST/SOAP callouts, Platform Events, CDC, or touches .namedCredential-meta.xml files. DO NOT TRIGGER when: Connected App/OAuth config (use configuring-connected-apps), Apex-only logic (use generating-apex), or data import/export (use handling-sf-data).
venue-templates
IncludedAccess comprehensive LaTeX templates, formatting requirements, and submission guidelines for major scientific publication venues (Nature, Science, PLOS, IEEE, ACM), academic conferences (NeurIPS, ICML, CVPR, CHI), research posters, and grant proposals (NSF, NIH, DOE, DARPA). This skill should be used when preparing manuscripts for journal submission, conference papers, research posters, or grant proposals and need venue-specific formatting requirements and templates.
let-fate-decide
IncludedDraws the 12 Houses of the Zodiac Tarot spread to inject entropy into planning when prompts are vague, ambiguous, or casually delegated. Interprets the spread to guide next steps. Use when the user says 'let fate decide', 'YOLO', 'whatever', 'idk', or other nonchalant phrases, makes Yu-Gi-Oh references, or when you are about to arbitrarily pick between multiple reasonable approaches. Prefer over ask-questions-if-underspecified when the user's tone is casual or playful rather than precision-seeking.
net-ops
IncludedCross-platform network troubleshooting (Windows, macOS, Linux) via local or remote shell. Use for: DNS broken, can't resolve hostnames, nslookup/dig works but apps fail, NRPT, WFP, scutil, /etc/resolver, systemd-resolved, /etc/resolv.conf, NetworkManager, VPN DNS leak residue (ProtonVPN/Mullvad/WireGuard/AnyConnect), AV/firewall blocking DNS or DoH, Tailscale DNS interaction, intermittent connectivity, remote diagnostics over SSH.