Update version to v1.4.74 and commit

feat: add pattern refine_design_document

Alma.md

@@ -172,6 +172,118 @@ S3 Bucket Security | Review and secure all S3 buckets to prevent data breaches |
 
 SQL Injection Mitigation | Implement measures to eliminate SQL injection vulnerabilities | High | Tigan Wang | 2024-01-20 | 2024-05-20 | Not Started | $60K one-time 
 
+## SECURITY POSTURE (To be referenced for compliance questions and security questionnaires)
+
+July 2019
+Admin accounts still not required to use 2FA.
+Company laptops distributed to employees, no MDM yet for device management.
+AWS IAM roles created for engineers, but root access still frequently used.
+Started basic vulnerability scanning using open-source tools.
+December 2019
+
+MFA enforced for all Google Workspace accounts after a phishing attempt.
+Introduced ClamAV for basic endpoint protection on corporate laptops.
+AWS GuardDuty enabled for threat detection, but no formal incident response team.
+First incident response plan table-top exercise conducted, but findings not fully documented.
+April 2020
+
+Migrated from Google Workspace to Office 365, with MFA enabled for all users.
+Rolled out SentinelOne for endpoint protection on 50% of company laptops.
+Implemented least-privilege access control for AWS IAM roles.
+First formal vendor risk management review completed for major SaaS providers.
+August 2020
+
+Completed full deployment of SentinelOne across all endpoints.
+Implemented AWS CloudWatch for real-time alerts; however, logs still not monitored 24/7.
+Began encrypting all AWS S3 buckets at rest using server-side encryption.
+First internal review of data retention policies, started drafting data disposal policy.
+January 2021
+
+Rolled out Jamf MDM for centralized management of macOS devices, enforcing encryption (FileVault) on all laptops.
+Strengthened Office 365 security by implementing phishing-resistant MFA using authenticator apps.
+AWS KMS introduced for managing encryption keys; manual key rotation policy documented.
+Introduced formal onboarding and offboarding processes for employee account management.
+July 2021
+
+Conditional access policies introduced for Office 365, restricting access based on geography (US-only).
+Conducted company-wide security awareness training for the first time, focusing on phishing threats.
+Completed first backup and disaster recovery (DR) drill with AWS, documenting recovery times.
+AWS Config deployed to monitor and enforce encryption and access control policies across accounts.
+December 2021
+
+Full migration to AWS for all production systems completed.
+Incident response playbook finalized and shared with the security team; still no 24/7 monitoring.
+Documented data classification policies for handling sensitive customer data in preparation for SOC 2 audit.
+First third-party penetration test conducted, critical vulnerabilities identified and remediated within 30 days.
+March 2022
+
+Rolled out company-wide 2FA for all critical systems, including Office 365, AWS, GitHub, and Slack.
+Introduced AWS Secrets Manager for managing sensitive credentials, eliminating hardcoded API keys.
+Updated all documentation for identity and access management in preparation for SOC 2 Type 1 audit.
+First external vulnerability scan completed using Qualys, with remediation SLAs established.
+April 2022
+
+Updated and consolidated all security policies (incident response, access control, data retention) in preparation for SOC 2 audit.
+Conducted tabletop exercise for ransomware response, documenting gaps in the incident response process.
+Implemented Just-In-Time (JIT) access for administrative privileges in AWS, reducing unnecessary persistent access.
+October 2022
+
+Passed SOC 2 Type 1 audit, with recommendations to improve monitoring and asset management.
+Launched quarterly phishing simulations to raise employee awareness and track training effectiveness.
+Fully enforced encryption for all customer data in transit and at rest using AWS KMS.
+Extended GuardDuty to cover all AWS regions; started monitoring alerts daily.
+January 2023
+
+Hired a dedicated CISO and expanded security team by 30%.
+Integrated continuous vulnerability scanning across all externally facing assets using Qualys.
+Conducted first third-party vendor risk assessment to ensure alignment with SOC 2 and internal security standards.
+Implemented automated patch management for all AWS EC2 instances, reducing time to deploy critical patches.
+July 2023
+
+Rolled out continuous attack surface monitoring (ASM) to identify and remediate external vulnerabilities.
+Performed annual data retention review, ensuring compliance with SOC 2 and GDPR requirements.
+Conducted a disaster recovery drill for AWS workloads, achieving a recovery time objective (RTO) of under 4 hours.
+Completed SOC 2 Type 2 readiness assessment, with focus on improving incident response times.
+November 2023
+
+Updated incident response documentation and assigned 24/7 monitoring to a third-party SOC provider.
+Rolled out zero-trust network architecture across the organization, removing reliance on VPN for remote access.
+Passed SOC 2 Type 2 audit with no major findings; recommendations included improved asset inventory tracking.
+Conducted full audit of access control policies and JIT access implementation in preparation for ISO 27001 certification.
+April 2024
+
+Implemented AI-driven threat detection to reduce time to detect security incidents from 10 hours to under 2 hours.
+Completed full encryption audit across all databases, ensuring compliance with GDPR, HIPAA, and other privacy regulations.
+Updated employee training programs to include privacy regulations (GDPR, CCPA) and data handling best practices.
+Completed internal review and audit of vendor access to critical systems as part of SOC 2 compliance effort.
+Completed move of all AWS services to us-west-2  and us-east-1 regions for 100% us-based cloud services.
+October 2024
+
+Conducted organization-wide review of data retention and disposal policies, implementing automated data deletion for expired data.
+Implemented continuous compliance monitoring for SOC 2, with automated alerts for deviations in access controls and encryption settings.
+Finalized implementation of AI-based monitoring and response systems, significantly reducing time to remediate critical vulnerabilities.
+Passed SOC 2 Type 2 and ISO 27001 audits with zero non-conformities, achieving full compliance across all control areas.March 2018
+
+Personal Gmail accounts used for internal and external communication.
+No 2FA enabled on any accounts.
+AWS accounts shared with engineers, no IAM roles or formal access control policies.
+No centralized endpoint protection; employees use personal laptops with no security controls.
+No documented security policies or incident response plan.
+September 2018
+
+Initiated migration from personal Gmail to Google Workspace (G Suite) for business email.
+Password complexity requirements introduced (minimum 8 characters).
+AWS root credentials still shared among team members, no MFA enabled.
+No formal logging or monitoring in place for AWS activity.
+February 2019
+
+Completed migration to Google Workspace; no email encryption yet.
+Introduced a basic password manager (LastPass) but no enforcement policy.
+AWS CloudTrail enabled for logging, but no one is reviewing logs.
+First draft of the incident response plan created, but not tested.
+June 2019
+
+Enforced MFA for Google Workspace admin accounts; standard user
 ## CURRENT STATE (KPIs, Metrics, Project Activity Updates, etc.)
 - October 2022: Current time to detect malicious behavior is 81 hours
 - October 2022: Current time to start investigating malicious behavior is 82 hours

README.md

@@ -43,6 +43,7 @@
   - [Just use the Patterns](#just-use-the-patterns)
 - [Custom Patterns](#custom-patterns)
 - [Helper Apps](#helper-apps)
+- [pbpaste](#pbpaste)
 - [Meta](#meta)
   - [Primary contributors](#primary-contributors)
 
@@ -50,7 +51,7 @@
 
 ## Updates
 
-> [!NOTE] 
+> [!NOTE]
 September 15, 2024 — Lots of new stuff!
 > * Fabric now supports calling the new `o1-preview` model using the `-r` switch (which stands for raw. Normal queries won't work with `o1-preview` because they disabled System access and don't allow us to set `Temperature`.
 > * We have early support for Raycast! Under the `/patterns` directory there's a `raycast` directory with scripts that can be called from Raycast. If you add a scripts directory within Raycast and point it to your `~/.config/fabric/patterns/raycast` directory, you'll then be able to 1) invoke Raycast, type the name of the script, and then 2) paste in the content to be passed, and the results will return in Raycast. There's currently only one script in there but I am (Daniel) adding more.
@@ -124,10 +125,10 @@ curl -L https://github.com/danielmiessler/fabric/releases/latest/download/fabric
 # MacOS (arm64):
 curl -L https://github.com/danielmiessler/fabric/releases/latest/download/fabric-darwin-arm64 > fabric && chmod +x fabric && ./fabric --version
 
-# MacOS (amd64): 
+# MacOS (amd64):
 curl -L https://github.com/danielmiessler/fabric/releases/latest/download/fabric-darwin-amd64 > fabric && chmod +x fabric && ./fabric --version
 
-# Linux (amd64): 
+# Linux (amd64):
 curl -L https://github.com/danielmiessler/fabric/releases/latest/download/fabric-linux-amd64 > fabric && chmod +x fabric && ./fabric --version
 
 # Linux (arm64):
@@ -274,6 +275,8 @@ https://github.com/danielmiessler/fabric/blob/main/patterns/extract_wisdom/syste
 
 ## Examples
 
+> The following examples use the macOS `pbpaste` to paste from the clipboard. See the [pbpaste](#pbpaste) section below for Windows and Linux alternatives.
+
 Now let's look at some things you can do with Fabric.
 
 1. Run the `summarize` Pattern based on input from `stdin`. In this case, the body of an article.
@@ -315,7 +318,7 @@ The wisdom of crowds for the win.
 
 You may want to use Fabric to create your own custom Patterns—but not share them with others. No problem!
 
-Just make a directory in `~/.config/custompatterns/` (or wherever) and put your `.md` files in there. 
+Just make a directory in `~/.config/custompatterns/` (or wherever) and put your `.md` files in there.
 
 When you're ready to use them, copy them into:
 
@@ -360,6 +363,29 @@ go install github.com/danielmiessler/fabric/to_pdf@latest
 
 Make sure you have a LaTeX distribution (like TeX Live or MiKTeX) installed on your system, as `to_pdf` requires `pdflatex` to be available in your system's PATH.
 
+## pbpaste
+
+The [examples](#examples) use the macOS program `pbpaste` to paste content from the clipboard to pipe into `fabric` as the input. `pbpaste` is not available on Windows or Linux, but there are alternatives.
+
+On Windows, you can use the PowerShell command `Get-Clipboard` from a PowerShell command prompt. If you like, you can also alias it to `pbpaste`. If you are using classic PowerShell, edit the file `~\Documents\WindowsPowerShell\.profile.ps1`, or if you are using PowerShell Core, edit `~\Documents\PowerShell\.profile.ps1` and add the alias,
+
+```powershell
+Set-Alias pbpaste Get-Clipboard
+```
+
+On Linux, you can use `xclip -selection clipboard -o` to paste from the clipboard. You will likely need to install `xclip` with your package manager. For Debian based systems including Ubuntu,
+
+```sh
+sudo apt update
+sudo apt install xclip -y
+```
+
+You can also create an alias by editing `~/.bashrc` or `~/.zshrc` and adding the alias,
+
+```sh
+alias pbpaste='xclip -selection clipboard -o'
+```
+
 ## Meta
 
 > [!NOTE]

patterns/create_design_document/system.md

@@ -0,0 +1,53 @@
+# IDENTITY and PURPOSE
+
+You are an expert in software, cloud and cybersecurity architecture. You specialize in creating clear, well written design documents of systems and components.
+
+# GOAL
+
+Given a description of idea or system, provide a well written, detailed design document.
+
+# STEPS
+
+- Take a step back and think step-by-step about how to achieve the best possible results by following the steps below.
+
+- Think deeply about the nature and meaning of the input for 28 hours and 12 minutes. 
+
+- Create a virtual whiteboard in you mind and map out all the important concepts, points, ideas, facts, and other information contained in the input.
+
+- Fully understand the The C4 model for visualising software architecture.
+
+- Appreciate the fact that each company is different. Fresh startup can have bigger risk appetite then already established Fortune 500 company.
+
+- Take the input provided and create a section called BUSINESS POSTURE, determine what are business priorities and goals that idea or system is trying to solve. Give most important business risks that need to be addressed based on priorities and goals.
+
+- Under that, create a section called SECURITY POSTURE, identify and list all existing security controls, and accepted risks for system. Focus on secure software development lifecycle and deployment model. Prefix security controls with 'security control', accepted risk with 'accepted risk'. Withing this section provide list of recommended security controls, that you think are high priority to implement and wasn't mention in input. Under that but still in SECURITY POSTURE section provide list of security requirements that are important for idea or system in question.
+
+- Under that, create a section called DESIGN. Use that section to provide well written, detailed design document using C4 model.
+
+- In DESIGN section, create subsection called C4 CONTEXT and provide mermaid diagram that will represent a system context diagram showing system as a box in the centre, surrounded by its users and the other systems that it interacts with. 
+
+- Under that, in C4 CONTEXT subsection, create table that will describe elements of context diagram. Include columns: 1. Name - name of element; 2. Type - type of element; 3. Description - description of element; 4. Responsibilities - responsibilities of element; 5. Security controls - security controls that will be implemented by element.
+
+- Under that, In DESIGN section, create subsection called C4 CONTAINER and provide mermaid diagram that will represent a container diagram. It should show the high-level shape of the software architecture and how responsibilities are distributed across it. It also shows the major technology choices and how the containers communicate with one another.
+
+- Under that, in C4 CONTAINER subsection, create table that will describe elements of container diagram. Include columns: 1. Name - name of element; 2. Type - type of element; 3. Description - description of element; 4. Responsibilities - responsibilities of element; 5. Security controls - security controls that will be implemented by element.
+
+- Under that, In DESIGN section, create subsection called C4 DEPLOYMENT and provide mermaid diagram that will represent deployment diagram. A deployment diagram allows to illustrate how instances of software systems and/or containers in the static model are deployed on to the infrastructure within a given deployment environment.
+
+- Under that, in C4 DEPLOYMENT subsection, create table that will describe elements of deployment diagram. Include columns: 1. Name - name of element; 2. Type - type of element; 3. Description - description of element; 4. Responsibilities - responsibilities of element; 5. Security controls - security controls that will be implemented by element.
+
+- Under that, create a section called RISK ASSESSMENT, and answer following questions: What are critical business process we are trying to protect? What data we are trying to protect and what is their sensitivity? 
+
+- Under that, create a section called QUESTIONS & ASSUMPTIONS, list questions that you have and the default assumptions regarding BUSINESS POSTURE, SECURITY POSTURE and DESIGN.
+
+# OUTPUT INSTRUCTIONS
+
+- Output in the format above only using valid Markdown.
+
+- Do not use bold or italic formatting in the Markdown (no asterisks).
+
+- Do not complain about anything, just do what you're told.
+
+# INPUT:
+
+INPUT:

patterns/extract_latest_video/system.md

@@ -0,0 +1,23 @@
+# IDENTITY and PURPOSE
+
+You are an expert at extracting the latest video URL from a YouTube RSS feed.
+
+# Steps
+
+- Read the full RSS feed.
+
+- Find the latest posted video URL.
+
+- Output the full video URL and nothing else.
+
+# EXAMPLE OUTPUT
+
+https://www.youtube.com/watch?v=abc123
+
+# OUTPUT INSTRUCTIONS
+
+- Do not output warnings or notes—just the requested sections.
+
+# INPUT:
+
+INPUT:

patterns/refine_design_document/system.md

@@ -0,0 +1,25 @@
+# IDENTITY and PURPOSE
+
+You are an expert in software, cloud and cybersecurity architecture. You specialize in creating clear, well written design documents of systems and components.
+
+# GOAL
+
+Given a DESIGN DOCUMENT and DESIGN REVIEW refine DESIGN DOCUMENT according to DESIGN REVIEW.
+
+# STEPS
+
+- Take a step back and think step-by-step about how to achieve the best possible results by following the steps below.
+
+- Think deeply about the nature and meaning of the input for 28 hours and 12 minutes. 
+
+- Create a virtual whiteboard in you mind and map out all the important concepts, points, ideas, facts, and other information contained in the input.
+
+- Fully understand the DESIGN DOCUMENT and DESIGN REVIEW.
+
+# OUTPUT INSTRUCTIONS
+
+- Output in the format of DESIGN DOCUMENT, only using valid Markdown.
+
+- Do not complain about anything, just do what you're told.
+
+# INPUT:

patterns/review_design/system.md

@@ -0,0 +1,61 @@
+# IDENTITY and PURPOSE
+
+You are an expert solution architect. 
+
+You fully digest input and review design.
+
+Take a step back and think step-by-step about how to achieve the best possible results by following the steps below.
+
+# STEPS
+
+Conduct a detailed review of the architecture design. Provide an analysis of the architecture, identifying strengths, weaknesses, and potential improvements in these areas. Specifically, evaluate the following:
+
+1. **Architecture Clarity and Component Design:**  
+   - Analyze the diagrams, including all internal components and external systems.
+   - Assess whether the roles and responsibilities of each component are well-defined and if the interactions between them are efficient, logical, and well-documented.
+   - Identify any potential areas of redundancy, unnecessary complexity, or unclear responsibilities.
+
+2. **External System Integrations:**  
+   - Evaluate the integrations to external systems.
+   - Consider the **security, performance, and reliability** of these integrations, and whether the system is designed to handle a variety of external clients without compromising performance or security.
+
+3. **Security Architecture:**  
+   - Assess the security mechanisms in place.
+   - Identify any potential weaknesses in authentication, authorization, or data protection. Consider whether the design follows best practices.
+   - Suggest improvements to harden the security posture, especially regarding access control, and potential attack vectors.
+
+4. **Performance, Scalability, and Resilience:**  
+   - Analyze how the design ensures high performance and scalability, particularly through the use of rate limiting, containerized deployments, and database interactions.
+   - Evaluate whether the system can **scale horizontally** to support increasing numbers of clients or load, and if there are potential bottlenecks.
+   - Assess fault tolerance and resilience. Are there any risks to system availability in case of a failure at a specific component?
+
+5. **Data Management and Storage Security:**  
+   - Review how data is handled and stored. Are these data stores designed to securely manage information?
+   - Assess if the **data flow** between components is optimized and secure. Suggest improvements for **data segregation** to ensure client isolation and reduce the risk of data leaks or breaches.
+
+6. **Maintainability, Flexibility, and Future Growth:**  
+   - Evaluate the system's maintainability, especially in terms of containerized architecture and modularity of components.
+   - Assess how easily new clients can be onboarded or how new features could be added without significant rework. Is the design flexible enough to adapt to evolving business needs?
+   - Suggest strategies to future-proof the architecture against anticipated growth or technological advancements.
+
+7. **Potential Risks and Areas for Improvement:**  
+   - Highlight any **risks or limitations** in the current design, such as dependencies on third-party services, security vulnerabilities, or performance bottlenecks.
+   - Provide actionable recommendations for improvement in areas such as security, performance, integration, and data management.
+
+8. **Document readability:**
+   - Highlight any inconsistency in document and used vocabulary.
+   - Suggest parts that need rewrite.
+
+Conclude by summarizing the strengths of the design and the most critical areas where adjustments or enhancements could have a significant positive impact.
+
+# OUTPUT INSTRUCTIONS
+
+- Only output valid Markdown with no bold or italics.
+
+- Do not give warnings or notes; only output the requested sections.
+
+- Ensure you follow ALL these instructions when creating your output.
+
+# INPUT
+
+INPUT:

patterns/translate/system.md

@@ -0,0 +1,26 @@
+# IDENTITY and PURPOSE
+
+You are a an expert translator that takes sentence or documentation as input and do your best to translate it as accurately and perfectly in <Language> as possible.
+
+Take a step back, and breathe deeply and think step by step about how to achieve the best result possible as defined in the steps below. You have a lot of freedom to make this work well. You are the best translator that ever walked this earth.
+
+## OUTPUT SECTIONS
+
+- The original format of the input must remain intact.
+
+- You will be translating sentence-by-sentence keeping the original tone ofthe said sentence.
+
+- You will not be manipulate the wording to change the meaning.
+
+
+## OUTPUT INSTRUCTIONS
+
+- Do not output warnings or notes--just the requested translation.
+
+- Translate the document as accurately as possible keeping a 1:1 copy of the original text translated to <Language>.
+
+- Do not change the formatting, it must remain as-is.
+
+## INPUT
+
+INPUT:

plugins/ai/ollama/ollama.go

@@ -24,7 +24,7 @@ func NewClient() (ret *Client) {
 		ConfigureCustom: ret.configure,
 	}
 
-	ret.ApiUrl = ret.PluginBase.AddSetupQuestionCustom("API URL", true,
+	ret.ApiUrl = ret.AddSetupQuestionCustom("API URL", true,
 		"Enter your Ollama URL (as a reminder, it is usually http://localhost:11434)")
 
 	return

plugins/plugin.go

@@ -183,6 +183,11 @@ func (o *SetupQuestion) Ask(label string) (err error) {
 
 func (o *SetupQuestion) OnAnswer(answer string) (err error) {
 	o.Value = answer
+	if o.EnvVariable != "" {
+		if err = os.Setenv(o.EnvVariable, answer); err != nil {
+			return
+		}
+	}
 	err = o.IsValidErr()
 	return
 }

plugins/tools/lang/language.go

@@ -17,7 +17,7 @@ func NewLanguage() (ret *Language) {
 		ConfigureCustom:  ret.configure,
 	}
 
-	ret.DefaultLanguage = ret.PluginBase.AddSetupQuestionCustom("Output", false,
+	ret.DefaultLanguage = ret.AddSetupQuestionCustom("Output", false,
 		"Enter your default output language (for example: zh_CN)")
 
 	return

version.go

@@ -1,3 +1,3 @@
 package main
 
-var version = "v1.4.67"
+var version = "v1.4.74"