Atlassian Cloud Security Hardening Guide
Overview
This guide provides a comprehensive security hardening checklist for Atlassian Cloud products (Jira, Confluence, Bitbucket). It covers identity management, access controls, data protection, and monitoring practices aligned with enterprise security standards.
Identity & Authentication
SSO / SAML Setup
Implementation Steps:
- Verify your domain in Atlassian Admin (admin.atlassian.com)
- Claim all company email accounts
- Configure SAML SSO with your identity provider (Okta, Microsoft Entra ID, Google Workspace)
- Set authentication policy to enforce SSO for all managed accounts
- Test with a pilot group before full rollout
- Disable password-based login for managed accounts
Configuration Checklist:
- Domain verified and accounts claimed
- SAML IdP configured with correct entity ID and SSO URL
- Attribute mapping: email, displayName, groups
- Single Logout (SLO) configured
- Authentication policy enforcing SSO
- Break-glass admin accounts kept in a separate authentication policy so that an IdP outage or misconfiguration cannot lock out every admin; their use is monitored
- SCIM provisioning enabled for automatic user sync
Two-Factor Authentication (2FA)
Enforcement Policy:
- 2FA required for all managed accounts
- Enforce via authentication policy (not just recommended)
- Hardware security keys (FIDO2/WebAuthn) preferred for admin accounts
- TOTP (authenticator app) as minimum for all users
- SMS-based 2FA disabled (vulnerable to SIM swapping)
- Recovery codes generated and stored securely
Session Management
- Idle session timeout of at most 8 hours
- Absolute session lifetime capped at 24 hours, after which re-authentication is required regardless of activity
- Require re-authentication for sensitive operations
- Monitor concurrent sessions per user
- Enforce session termination on password change
Access Controls
IP Allowlisting
Configuration:
- Enable IP allowlisting for organization
- Add corporate office IP ranges
- Add VPN exit node IP addresses
- Add the egress IPs of CI/CD runners that call the API (static addresses or a NAT gateway; ephemeral runner IPs cannot be allowlisted)
- Test access from all approved locations
- Document approved IP ranges with justification
- Review IP allowlist quarterly
Exceptions:
- Mobile access may require VPN or MDM solution
- Remote workers need VPN or conditional access policies
- API integrations need stable IP ranges
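Before turning the allowlist on, it is worth reviewing the entries and confirming that every approved access path (office, VPN, CI egress) is still covered. The script below is an added example written for this guide, not tooling from the project or from Atlassian; the ranges, labels and prefix-length thresholds are constructed for illustration, and the allowlist itself is maintained in Atlassian Admin rather than in a file like this one. It flags allow-all entries, entries with host bits set (which the platform would silently widen to the enclosing supernet), overly broad ranges, and entries with no justification, then checks which required client addresses would still be admitted once the weak entries are removed.

```python
"""Review an Atlassian organization IP allowlist before enforcing it: flag entries that
defeat the control and confirm every approved access path is still covered."""
import ipaddress

# Constructed sample allowlist using documentation address space (not real corporate ranges).
ALLOWLIST = [
    {"label": "HQ office", "cidr": "203.0.113.0/24", "justification": "corporate egress"},
    {"label": "VPN exit nodes", "cidr": "198.51.100.8/29", "justification": "corporate VPN"},
    {"label": "CI runners", "cidr": "192.0.2.0/16", "justification": "build agents"},
    {"label": "temp", "cidr": "0.0.0.0/0", "justification": ""},
]

# Source addresses that must keep working once the allowlist is enforced (constructed).
REQUIRED_SOURCES = ["203.0.113.77", "198.51.100.9", "192.0.2.45", "2001:db8::10"]

# Review thresholds (assumptions for this example): anything broader needs explicit sign-off.
MIN_V4_PREFIX = 22
MIN_V6_PREFIX = 48


def review_allowlist(entries):
    """Return one finding dict per problem found in the allowlist entries."""
    findings = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry["cidr"])
        except ValueError:
            # Host bits set (e.g. 192.0.2.0/16): the effective range is the enclosing
            # supernet, which is almost never what the author intended.
            net = ipaddress.ip_network(entry["cidr"], strict=False)
            findings.append({"label": entry["label"], "issue": "host-bits", "effective": str(net)})
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 admits every address and silently disables the control.
            findings.append({"label": entry["label"], "issue": "allow-all", "effective": str(net)})
        elif (net.version == 4 and net.prefixlen < MIN_V4_PREFIX) or (
            net.version == 6 and net.prefixlen < MIN_V6_PREFIX
        ):
            findings.append({"label": entry["label"], "issue": "broad", "effective": str(net)})
        if not entry.get("justification", "").strip():
            findings.append({"label": entry["label"], "issue": "no-justification"})
    return findings


def coverage(entries, sources, drop_allow_all=True):
    """Map each required source address to the allowlist labels that admit it.

    An empty list means that client would be locked out. With drop_allow_all=True the
    check runs as if every allow-all entry had already been removed."""
    nets = []
    for entry in entries:
        net = ipaddress.ip_network(entry["cidr"], strict=False)
        if drop_allow_all and net.prefixlen == 0:
            continue
        nets.append((entry["label"], net))
    result = {}
    for src in sources:
        addr = ipaddress.ip_address(src)
        # Membership is version-aware: an IPv6 client is never covered by IPv4 ranges.
        result[src] = [label for label, net in nets if addr.version == net.version and addr in net]
    return result


if __name__ == "__main__":
    for finding in review_allowlist(ALLOWLIST):
        print("FINDING ", finding)
    for src, labels in coverage(ALLOWLIST, REQUIRED_SOURCES).items():
        print("COVERAGE", src, labels or "NOT COVERED")
```

Run against the sample, the CI entry produces both a host-bits and a broad finding, the temp entry an allow-all and a no-justification finding, and the IPv6 client shows up as not covered, which is exactly the kind of lockout the pilot test in the checklist is meant to catch before enforcement.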
API Token Management
Policies:
- Inventory all API tokens in use
- Set an expiry date on every token when it is created (90 days recommended); never issue non-expiring tokens
- Require token rotation on schedule
- Use service accounts for integrations (not personal tokens)
- Monitor API token usage patterns
- Revoke tokens immediately on employee departure
- Document purpose and owner for each token
Best Practices:
- Use OAuth 2.0 (3LO) for user-context integrations
- Use API tokens only for service-to-service
- Store tokens in secrets management (never in code)
- Implement least-privilege scopes for OAuth apps
Permission Model
- Review global permissions quarterly
- Use groups for permission assignment (not individual users)
- Implement role-based access for Jira projects
- Restrict Confluence space admin to designated owners
- Limit Jira system admin to 2-3 people
- Audit permissions granted to "Anyone" (which includes anonymous users) or "Any logged in user"
- Remove direct user permissions where groups exist
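The last three checks in this list can be run mechanically against a permission scheme as returned by the Jira Cloud REST API. The script below is an added example written for this guide, not code from the project or from Atlassian. The scheme is a constructed sample shaped like the `permissionscheme` endpoint's output with `expand=permissions` (holder types `anyone`, `applicationRole`, `group`, `projectRole`, `user`), trimmed to the fields used here; the account ID, role ID and the set of permissions treated as sensitive are assumptions for illustration. It flags anonymous and any-logged-in-user grants, escalates them when the permission is sensitive, and reports direct user grants, distinguishing those that merely duplicate an existing group or project-role grant (which can simply be removed) from those that need to be moved to a group.

```python
"""Audit a Jira Cloud permission scheme for grants that are broader than intended."""

# Constructed permission scheme in the shape returned by the Jira Cloud REST API
# (GET /rest/api/3/permissionscheme/{id}?expand=permissions), trimmed to the fields
# used here. The account ID and project-role ID are made up for the example.
SCHEME = {
    "id": 10000,
    "name": "Default Permission Scheme",
    "permissions": [
        {"id": 10001, "permission": "BROWSE_PROJECTS", "holder": {"type": "anyone"}},
        {"id": 10002, "permission": "CREATE_ISSUES", "holder": {"type": "applicationRole"}},
        {"id": 10003, "permission": "ADMINISTER_PROJECTS", "holder": {"type": "applicationRole"}},
        {"id": 10004, "permission": "BROWSE_PROJECTS",
         "holder": {"type": "group", "parameter": "jira-software-users"}},
        {"id": 10005, "permission": "ADMINISTER_PROJECTS",
         "holder": {"type": "projectRole", "parameter": "10002"}},
        {"id": 10006, "permission": "ADMINISTER_PROJECTS",
         "holder": {"type": "user", "parameter": "5b10ac8d82e05b22cc7d4ef5"}},
        {"id": 10007, "permission": "EDIT_ISSUES",
         "holder": {"type": "user", "parameter": "5b10ac8d82e05b22cc7d4ef5"}},
    ],
}

# Permissions that must never go to an anonymous or catch-all holder (assumed set).
SENSITIVE = {"ADMINISTER_PROJECTS", "DELETE_ISSUES", "DELETE_ALL_COMMENTS", "MODIFY_REPORTER"}


def describe_holder(holder):
    """Human-readable holder; an applicationRole with no parameter is 'any logged-in user'."""
    kind = holder.get("type")
    if kind == "anyone":
        return "anyone (anonymous)"
    if kind == "applicationRole" and not holder.get("parameter"):
        return "any logged-in user"
    return f"{kind}:{holder.get('parameter', '')}"


def audit_permission_scheme(scheme):
    """Return findings as dicts {severity, permission, holder, issue}."""
    grants = scheme.get("permissions", [])
    # Group and project-role grants per permission, used to spot redundant direct-user grants.
    indirect = {}
    for g in grants:
        if g["holder"]["type"] in ("group", "projectRole"):
            indirect.setdefault(g["permission"], []).append(describe_holder(g["holder"]))

    findings = []
    for g in grants:
        holder, perm = g["holder"], g["permission"]
        kind, who = holder.get("type"), describe_holder(holder)
        if kind == "anyone":
            findings.append({"severity": "critical", "permission": perm, "holder": who,
                             "issue": "exposed to unauthenticated users"})
        elif kind == "applicationRole" and not holder.get("parameter"):
            findings.append({"severity": "critical" if perm in SENSITIVE else "warning",
                             "permission": perm, "holder": who,
                             "issue": "granted to every logged-in user"})
        elif kind == "user":
            if perm in indirect:
                findings.append({"severity": "warning", "permission": perm, "holder": who,
                                 "issue": f"direct user grant duplicates {indirect[perm]}; remove it"})
            else:
                findings.append({"severity": "info", "permission": perm, "holder": who,
                                 "issue": "direct user grant; move it to a group or project role"})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'critical': 2, 'warning': 2, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_permission_scheme(SCHEME)
    order = ("critical", "warning", "info")
    for f in sorted(results, key=lambda f: order.index(f["severity"])):
        print(f"[{f['severity']:8}] {f['permission']:20} {f['holder']:32} {f['issue']}")
    print(summarize(results))
```

To audit a real site, fetch each scheme with the endpoint named above and pass the decoded JSON to `audit_permission_scheme`; the BROWSE_PROJECTS grant to `anyone` is the one that makes the project readable without logging in, so it should be the first thing fixed.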
Audit & Monitoring
Audit Log Configuration
What to Monitor:
- User authentication events (login, logout, failed attempts)
- Permission changes (project, space, global)
- User account changes (creation, deactivation, group changes)
- API token creation and revocation
- App installations and updates
- Data export operations
- Admin configuration changes
Setup Steps:
- Enable organization audit log
- Configure audit log retention (minimum 1 year)
- Set up automated export to SIEM (Splunk, Datadog, etc.)
- Create alerts for suspicious patterns
- Schedule monthly audit log review
- Document incident response procedures for alerts
Alerting Rules
Critical Alerts (Immediate Response):
- Multiple failed login attempts (>5 in 10 minutes)
- Admin permission grants to unexpected users
- API token created by non-service accounts
- Bulk data export or deletion
- New third-party app installed with broad permissions
Warning Alerts (Same-Day Review):
- New admin users added
- Permission scheme changes
- Authentication policy modifications
- IP allowlist changes
- User deactivation (verify it is expected)
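Once the audit log is flowing to a SIEM, the two tiers above translate into a handful of rules. The script below is an added example written for this guide, not code from the project or from Atlassian, showing those rules evaluated over a constructed event stream: the event field names (`ts`, `action`, `actor`, `target`, `count`, `scopes`) and the action names are assumptions for this example rather than the Atlassian audit log schema, so a real export (or the SIEM's normalised form) has to be mapped onto this shape first. The expected-admin set, service-account set, broad OAuth scope set and thresholds are likewise assumed values. The failed-login rule uses a sliding ten-minute window per actor and raises once per burst rather than once per extra failure.

```python
"""Evaluate the critical and warning alert rules against an audit-log export."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events. Field and action names are an assumption for this example,
# not the Atlassian audit log schema: map the real export onto this shape first.
EVENTS = [
    {"ts": "2024-05-01T09:00:05Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T09:01:10Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T09:02:15Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T09:02:40Z", "action": "login.failed", "actor": "bob@example.com"},
    {"ts": "2024-05-01T09:03:20Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T09:04:25Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T09:05:30Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T09:15:00Z", "action": "admin.permission.granted",
     "actor": "alice@example.com", "target": "contractor@example.com"},
    {"ts": "2024-05-01T09:20:00Z", "action": "api_token.created", "actor": "bob@example.com"},
    {"ts": "2024-05-01T09:21:00Z", "action": "api_token.created", "actor": "svc-ci@example.com"},
    {"ts": "2024-05-01T09:30:00Z", "action": "data.export", "actor": "bob@example.com", "count": 12000},
    {"ts": "2024-05-01T09:40:00Z", "action": "app.installed", "actor": "alice@example.com",
     "target": "Acme Sync", "scopes": ["read:jira-work", "manage:jira-configuration"]},
    {"ts": "2024-05-01T09:45:00Z", "action": "login.failed", "actor": "mallory@example.com"},
    {"ts": "2024-05-01T10:00:00Z", "action": "auth_policy.updated", "actor": "alice@example.com"},
    {"ts": "2024-05-01T10:05:00Z", "action": "user.deactivated", "actor": "scim-provisioner",
     "target": "leaver@example.com"},
]

# Environment knowledge the rules depend on (assumed values for the example).
EXPECTED_ADMINS = {"alice@example.com"}
SERVICE_ACCOUNTS = {"svc-ci@example.com"}
BROAD_SCOPES = {"manage:jira-configuration", "manage:jira-project", "write:confluence-space"}
FAILED_LOGIN_THRESHOLD = 5                    # alert when more than this many failures ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)   # ... fall inside this sliding window
BULK_EXPORT_THRESHOLD = 1000                  # records in a single export
WARNING_ACTIONS = {"admin.user.added", "permission_scheme.updated", "auth_policy.updated",
                   "ip_allowlist.updated", "user.deactivated"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def alert(severity, rule, subject, detail):
    return {"severity": severity, "rule": rule, "subject": subject, "detail": detail}


def evaluate(events):
    """Return alerts in event-time order, one dict per rule hit."""
    alerts = []
    failures = defaultdict(deque)   # actor -> timestamps of failed logins inside the window
    burst_reported = set()          # actors already alerted for the current burst
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts, action, actor = parse_ts(ev["ts"]), ev["action"], ev.get("actor")
        if action == "login.failed":
            window = failures[actor]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:
                window.popleft()    # drop failures that have aged out of the window
            if len(window) > FAILED_LOGIN_THRESHOLD and actor not in burst_reported:
                burst_reported.add(actor)
                alerts.append(alert("critical", "failed-login-burst", actor,
                                    f"{len(window)} failures within {FAILED_LOGIN_WINDOW}"))
            elif len(window) <= FAILED_LOGIN_THRESHOLD:
                burst_reported.discard(actor)   # window drained; a new burst may alert again
        elif action == "admin.permission.granted" and ev.get("target") not in EXPECTED_ADMINS:
            alerts.append(alert("critical", "unexpected-admin-grant", ev["target"], f"granted by {actor}"))
        elif action == "api_token.created" and actor not in SERVICE_ACCOUNTS:
            alerts.append(alert("critical", "token-from-personal-account", actor,
                                "API token created by a non-service account"))
        elif action == "data.export" and ev.get("count", 0) >= BULK_EXPORT_THRESHOLD:
            alerts.append(alert("critical", "bulk-export", actor, f"{ev['count']} records exported"))
        elif action == "app.installed" and set(ev.get("scopes", [])) & BROAD_SCOPES:
            broad = sorted(set(ev["scopes"]) & BROAD_SCOPES)
            alerts.append(alert("critical", "broad-app-install", ev["target"], f"scopes {broad}"))
        elif action in WARNING_ACTIONS:
            alerts.append(alert("warning", action, ev.get("target") or actor, f"by {actor}"))
    return alerts


if __name__ == "__main__":
    for a in evaluate(EVENTS):
        print(f"[{a['severity']:8}] {a['rule']:28} {a['subject']:24} {a['detail']}")
```

On the sample stream this yields five critical alerts (the login burst, the admin grant to a contractor, bob's personal API token, bob's 12,000-record export and the app installed with `manage:jira-configuration`) and two warnings (the authentication policy change and the SCIM deactivation); the service account's token and bob's two stray failures produce nothing, which is the noise floor the rules are tuned to ignore.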
Data Protection
Data Residency
- Configure data residency realm (US, EU, AU, etc.)
- Verify product data pinned to selected region
- Document data residency for compliance audits
- Review data residency coverage (some metadata may be global)
- Monitor for new residency options from Atlassian
Encryption
- Verify encryption at rest (AES-256, with keys managed by Atlassian)
- Verify encryption in transit (TLS 1.2 or later)
- Review Atlassian's published encryption key management practices
- Consider BYOK (Bring Your Own Key) encryption where your Atlassian plan offers it, so that key revocation stays under your control
Data Loss Prevention
- Configure content restrictions for sensitive pages/issues
- Implement classification labels (public, internal, confidential)
- Restrict file attachment types if needed
- Monitor bulk exports and downloads
- Set up DLP rules for sensitive data patterns (PII, credentials)
Mobile Device Management
Mobile Access Controls
- Require MDM enrollment for mobile Atlassian apps
- Enforce device encryption
- Require screen lock with biometrics or PIN
- Enable remote wipe capability
- Block rooted/jailbroken devices
- Restrict copy/paste to managed apps
- Set app-level PIN for Atlassian apps
Mobile Policies
- Define approved mobile devices/OS versions
- Enforce automatic app updates
- Configure offline data access limits
- Set maximum offline cache duration
- Review mobile access logs monthly
Third-Party App Security
App Review Process
- Maintain an approved app list (allowlist); anything not on it is denied by default
- Review app permissions and requested scopes before installation
- Check the app's Marketplace trust signals (Cloud Fortified badge, participation in Atlassian's security programs)
- Check app vendor security certifications
- Assess data access scope (read-only vs read-write)
- Review app privacy policy
- Document app owner and business justification
App Governance
- Audit installed apps quarterly
- Remove unused apps (no usage in 90 days)
- Monitor app permission changes
- Restrict app installation to admins only
- Review Atlassian Guard app access policies
- Set up alerts for new app installations
Compliance Documentation
Required Documentation
- Security policy for Atlassian Cloud usage
- Access control matrix (roles, permissions, justification)
- Incident response plan for Atlassian security events
- Data classification policy applied to Atlassian content
- Third-party app risk assessments
- Annual security review report
Compliance Frameworks
- SOC 2: Map Atlassian controls to Trust Service Criteria
- ISO 27001: Align with Annex A controls for cloud services
- GDPR: Configure data residency, right to deletion, DPAs
- HIPAA: Review BAA availability, encryption, access controls
Hardening Schedule
| Task | Frequency | Owner |
|---|---|---|
| Permission audit | Quarterly | IT Admin |
| API token rotation | Every 90 days | Integration owners |
| App review | Quarterly | IT Admin |
| Audit log review | Monthly | Security team |
| IP allowlist review | Quarterly | IT Admin |
| Authentication policy review | Semi-annually | Security team |
| Full security assessment | Annually | Security team |
| User access review | Quarterly | Managers + IT Admin |
| Data residency verification | Annually | Compliance |
| Mobile device audit | Quarterly | IT Admin |