
tm-verify

verified

Verify that security controls documented in the threat model actually exist in the codebase. Searches for control implementations, validates configurations, identifies gaps. Use when validating threat model against code, checking security control implementation, or finding security gaps.

Marketplace: threat-modeling-toolkit (josemlopez/threat-modeling-toolkit)
Plugin: threat-modeling-toolkit
Repository: josemlopez/threat-modeling-toolkit
Source: skills/tm-verify/SKILL.md
Last Verified: January 22, 2026

Install Skill

npx add-skill https://github.com/josemlopez/threat-modeling-toolkit/blob/main/skills/tm-verify/SKILL.md -a claude-code --skill tm-verify

Installation path (Claude): .claude/skills/tm-verify/

Instructions

# Control Verification

## Purpose

Verify that security controls exist in your codebase by:

- Searching for control implementations
- Validating security configurations
- Checking for security middleware/decorators
- Identifying implementation gaps
- Collecting evidence for each control

## Usage

```
/tm-verify [--control <id>] [--category <name>] [--thorough] [--evidence]
```

**Arguments**:
- `--control`: Verify specific control by ID
- `--category`: Verify controls in category (auth, crypto, access-control, etc.)
- `--thorough`: Deep code analysis
- `--evidence`: Collect code evidence for documentation

## Prerequisites

Requires a completed threat analysis: run `/tm-threats` first if `threats.json` does not exist, since the controls to verify are taken from it.

## Control Categories

### Authentication Controls
```
Search patterns:
- passport, authenticate, login, signin
- bcrypt, argon2, scrypt, pbkdf2
- jwt, jsonwebtoken, jose
- session, cookie
- oauth, oidc, saml
- mfa, totp, 2fa, two-factor
```

### Authorization Controls
```
Search patterns:
- authorize, isAuthorized, checkPermission
- hasRole, requireRole, role
- rbac, abac, acl
- permission, policy
- canAccess, isAllowed
```

### Input Validation Controls
```
Search patterns:
- validate, validator, sanitize
- joi, yup, zod, ajv
- escape, encode
- xss, html-entities
```

### Cryptography Controls
```
Search patterns:
- crypto, cipher, encrypt, decrypt
- hash, hmac, sign, verify
- tls, ssl, https
- certificate, key, secret
```

### Rate Limiting Controls
```
Search patterns:
- rate-limit, rateLimit, throttle
- express-rate-limit
- slowDown
- quota, limit
```

### Logging/Audit Controls
```
Search patterns:
- audit, log, logger
- winston, bunyan, pino
- monitor, track
- event, activity
```

### Error Handling Controls
```
Search patterns:
- error, exception, catch
- errorHandler, onError
- try, catch, finally
```
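The search lists above, turned into a small runnable verifier. This is an added example, not code from the threat-modeling-toolkit: the skill itself drives the agent's Grep tool, and the `threats.json` control format is not shown on this page, so `REQUIRED_CONTROLS`, the category names and the `implemented` / `declared-only` / `missing` statuses are assumptions, and `SAMPLE_TREE` is a constructed stand-in for a checkout. The page's keywords are anchored with word boundaries to cut noise, `node_modules` is skipped, and a hit that appears only in a dependency manifest is graded weaker than a hit in source, because `bcrypt` in `package.json` proves the library is declared, not that password comparison goes through it.

```python
"""Grep-style control verification (added example; not the toolkit's own code)."""
import re
from dataclasses import dataclass, field
from pathlib import Path

# Hypothetical controls in the shape a threats.json might carry; the real
# format is not shown on the page, so this list is an assumption.
REQUIRED_CONTROLS = [
    {"id": "C-AUTH-01", "category": "auth"},
    {"id": "C-RATE-01", "category": "rate-limit"},
    {"id": "C-AUTHZ-01", "category": "access-control"},
]

# Anchored forms of the page's search patterns. Word boundaries keep "jwt"
# from matching unrelated identifiers and "hash" from matching "hashtag".
CATEGORY_PATTERNS = {
    "auth": [r"\bpassport\b", r"\bauthenticate\b", r"\bbcrypt\b", r"\bargon2\b",
             r"\bjsonwebtoken\b", r"\bjwt\.(sign|verify)\b", r"\btotp\b"],
    "access-control": [r"\b(is)?[aA]uthoriz(e|ed)\b", r"\bcheckPermission\b",
                       r"\b(has|require)Role\b", r"\bcanAccess\b", r"\bisAllowed\b"],
    "rate-limit": [r"\bexpress-rate-limit\b", r"\brateLimit\b", r"\bthrottle\b",
                   r"\bslowDown\b"],
}

# A hit in a manifest proves the dependency is declared, not that it is wired in.
MANIFEST_FILES = {"package.json", "package-lock.json", "yarn.lock",
                  "requirements.txt", "go.mod"}
SKIP_DIRS = {"node_modules", ".git", "dist", "build", "vendor"}


@dataclass
class Evidence:
    path: str
    line: int
    text: str
    manifest_only: bool


@dataclass
class Finding:
    control_id: str
    category: str
    status: str                      # implemented | declared-only | missing
    evidence: list = field(default_factory=list)


def search_files(files: dict, patterns) -> list:
    """files maps relative path -> content. Returns one Evidence per matching line."""
    compiled = [re.compile(p) for p in patterns]
    hits = []
    for path, content in files.items():
        parts = Path(path).parts
        if any(p in SKIP_DIRS for p in parts[:-1]):   # skip vendored/build trees
            continue
        manifest = parts[-1] in MANIFEST_FILES
        for n, line in enumerate(content.splitlines(), 1):
            if any(rx.search(line) for rx in compiled):
                hits.append(Evidence(path, n, line.strip(), manifest))
    return hits


def verify_controls(files: dict, controls=REQUIRED_CONTROLS) -> list:
    """Grade each required control from the evidence its category patterns turn up."""
    findings = []
    for c in controls:
        ev = search_files(files, CATEGORY_PATTERNS.get(c["category"], []))
        if not ev:
            status = "missing"
        elif all(e.manifest_only for e in ev):
            status = "declared-only"   # library present, no call site found
        else:
            status = "implemented"
        findings.append(Finding(c["id"], c["category"], status, ev))
    return findings


def load_tree(root) -> dict:
    """Read a real checkout into the {path: content} shape search_files expects."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and not any(part in SKIP_DIRS for part in rel.parts):
            try:
                out[str(rel)] = p.read_text(errors="ignore")
            except OSError:
                pass
    return out


# Constructed sample tree standing in for a small Express app (not a real project).
SAMPLE_TREE = {
    "package.json": '{"dependencies": {"express": "^4", "bcrypt": "^5", '
                    '"express-rate-limit": "^7"}}',
    "src/auth.js": "const bcrypt = require('bcrypt');\n"
                   "async function login(u, p) { return bcrypt.compare(p, u.hash); }",
    "src/app.js": "const app = require('express')();\napp.post('/login', login);",
    "node_modules/express-rate-limit/index.js": "module.exports = function rateLimit() {}",
}

if __name__ == "__main__":
    for f in verify_controls(SAMPLE_TREE):
        print(f"{f.control_id:12} {f.category:15} {f.status}")
        for e in f.evidence:
            print(f"    {e.path}:{e.line}  {e.text}")
```

On the sample tree the auth control is graded `implemented` (a `bcrypt` call site in `src/auth.js`), rate limiting `declared-only` (the package is in `package.json` but no `rateLimit` call is wired into `src/`, and the copy under `node_modules` does not count), and access control `missing`. Run it against a real checkout with `verify_controls(load_tree("path/to/repo"))`. The very broad tokens from the later categories (`log`, `key`, `secret`, `error`, `catch`) are left out on purpose: they match almost every file, and evidence that cannot be reviewed by hand is not evidence.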

## Verification Process

### For Each Required Control

1. **Search for implementation patterns**
   - Use Grep with control-specific patterns
   - Search
