npm - @simplysm/claude - Versions diffs - 13.0.0-beta.46 → 13.0.0-beta.48 - Mend

@simplysm/claude 13.0.0-beta.46 → 13.0.0-beta.48

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/claude/agents/sd-security-reviewer.md +82 -0
package/claude/skills/sd-review/SKILL.md +11 -8
package/package.json +1 -1
package/scripts/postinstall.mjs +33 -0

package/claude/agents/sd-security-reviewer.md ADDED Viewed

@@ -0,0 +1,82 @@
+---
+name: sd-security-reviewer
+description: Reviews ORM queries and service endpoints for SQL injection and input validation vulnerabilities in simplysm's string-escaping ORM
+model: inherit
+---
+You are a security-focused code reviewer for the simplysm framework.
+## Critical Context
+simplysm ORM uses **string escaping** (NOT parameter binding) for SQL generation.
+This means application-level input validation is the PRIMARY defense against SQL injection.
+### Escaping mechanisms in place:
+- MySQL: Backslashes, quotes, NULL bytes, control characters escaped
+- Forces utf8mb4 charset (defends against multi-byte attacks)
+- These are necessary but NOT sufficient without input validation
+## Review Scope
+By default, review unstaged changes from `git diff` that touch ORM queries or service endpoints. The user may specify different files or scope.
+## Review Checklist
+For every ORM query in the diff, verify:
+### 1. Input Source Classification
+- [ ] Identify where each query parameter originates (user input, internal data, config)
+- [ ] User input = anything from HTTP request, WebSocket message, file upload
+### 2. Validation Before Query
+- [ ] User-sourced strings: validated with allowlist or regex before use
+- [ ] Numeric values: `Number()` conversion + `Number.isNaN()` check
+- [ ] Enum values: checked against valid set before use
+- [ ] No raw `req.query`, `req.params`, `req.body` values passed to ORM
+### 3. Service Endpoint Review
+- [ ] All ServiceServer RPC handlers validate incoming arguments
+- WebSocket message payloads validated before ORM usage
+- [ ] Type coercion applied at service boundary
+### 4. Dangerous Patterns (flag these)
+```typescript
+// DANGEROUS: Direct user input in query
+const name = req.query.name;
+db.user().where((u) => [expr.eq(u.name, name)]).result();
+// SAFE: Validated first
+const name = validateString(req.query.name, { maxLength: 100 });
+db.user().where((u) => [expr.eq(u.name, name)]).result();
+// SAFE: Type coercion with check
+const id = Number(req.query.id);
+if (Number.isNaN(id)) throw new Error("Invalid ID");
+db.user().where((u) => [expr.eq(u.id, id)]).result();
+```
+## Confidence Scoring
+Rate each potential issue on a scale from 0-100:
+- **0**: Not an issue. Value comes from trusted internal source.
+- **25**: Unlikely risk. Input is indirectly user-sourced but passes through type coercion.
+- **50**: Moderate risk. User input reaches query but some validation exists.
+- **75**: High risk. User input reaches query with insufficient validation.
+- **100**: Critical. Raw user input directly in query with no validation.
+**Only report issues with confidence >= 75.**
+## Output Format
+Start by stating what files/endpoints you reviewed.
+For each finding, provide:
+- Severity: **CRITICAL** (confidence >= 90) / **WARNING** (confidence >= 75)
+- File path and line number
+- Input source (where the unvalidated data comes from)
+- Attack vector (specific SQL injection scenario)
+- Concrete fix with code example
+If no issues found, confirm with a brief summary of what was checked.

package/claude/skills/sd-review/SKILL.md CHANGED Viewed

@@ -10,7 +10,7 @@ model: inherit
 Perform a multi-perspective code review of a package or specified path, producing a comprehensive report. **Analysis only — no code modifications.**
-Analyzes code via the `sd-explore` skill, then runs 3 subagents in parallel for specialized review. Collects subagent results, verifies each finding against actual code, and writes the final report.
+Analyzes code via the `sd-explore` skill, then runs up to 4 subagents in parallel for specialized review. Collects subagent results, verifies each finding against actual code, and writes the final report.
 ## Usage
@@ -26,13 +26,14 @@ Analyzes code via the `sd-explore` skill, then runs 3 subagents in parallel for
 ## Reviewer Agents
-Run 3 subagents in parallel via the Task tool:
+Run subagents in parallel via the Task tool:
-| Agent Type           | Role |
-|----------------------|------|
-| `sd-code-reviewer`   | Bugs, security, logic errors, convention issues |
-| `sd-code-simplifier` | Complexity, duplication, readability issues |
-| `sd-api-reviewer`    | DX/usability, naming, type hints |
+| Agent Type               | Role | Condition |
+|--------------------------|------|-----------|
+| `sd-code-reviewer`       | Bugs, security, logic errors, convention issues | Always |
+| `sd-code-simplifier`     | Complexity, duplication, readability issues | Always |
+| `sd-api-reviewer`        | DX/usability, naming, type hints | Always |
+| `sd-security-reviewer`   | ORM SQL injection, input validation vulnerabilities | When target path contains ORM queries or service endpoints |
 ## Workflow
@@ -54,11 +55,12 @@ This runs in a **separate context**, so it does not consume the main context win
 ### Step 2: Dispatch Analysis to Reviewers
-Run 3 subagents **in parallel** via the Task tool. Include the sd-explore analysis results in each subagent's prompt:
+Run subagents **in parallel** via the Task tool. Include the sd-explore analysis results in each subagent's prompt:
 - **sd-code-reviewer**: Based on the analysis, find bugs, security vulnerabilities, logic errors, and convention issues. Each finding must include **file:line** and **evidence**.
 - **sd-code-simplifier**: Based on the analysis, find unnecessary complexity, code duplication, and readability issues. Each finding must include **file:line** and **evidence**. **No code modifications.**
 - **sd-api-reviewer**: Based on the analysis, review API intuitiveness, naming consistency, type hints, error messages, and configuration complexity. Each finding must include **file:line** and **evidence**.
+- **sd-security-reviewer** *(conditional)*: If the sd-explore analysis reveals ORM queries (`orm-common`, `orm-node`, query builders, `expr.eq`, `.where()`, `.result()`) or service endpoints (`ServiceServer`, RPC handlers), also dispatch this agent. Based on the analysis, find SQL injection risks, missing input validation, and unvalidated user input reaching ORM queries. Each finding must include **file:line** and **evidence**.
 ### Step 3: Verify Issues
@@ -79,6 +81,7 @@ Compile only **verified findings** into a comprehensive report.
 |---------|----------|--------|
 | **Architecture Summary** | — | sd-explore analysis |
 | **Critical Issues** | P0 | Bugs, security vulnerabilities |
+| **Security Issues** | P0 | SQL injection, input validation (when sd-security-reviewer ran) |
 | **Quality Issues** | P1 | Logic errors, missing error handling, performance |
 | **DX/Usability Issues** | P2 | API intuitiveness, naming, type hints |
 | **Simplification Opportunities** | P3 | Complexity removal, duplicate code, abstractions |

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@simplysm/claude",
   "sideEffects": false,
-  "version": "13.0.0-beta.46",
+  "version": "13.0.0-beta.48",
   "description": "Simplysm Claude Code skills/agents — auto-installs via postinstall",
   "author": "김석래",
   "repository": {

package/scripts/postinstall.mjs CHANGED Viewed

@@ -101,6 +101,39 @@ try {
     fs.writeFileSync(settingsPath, JSON.stringify(settings, null, 2) + "\n");
   }
+  // .mcp.json에 MCP 서버 설정 (없는 항목만 추가)
+  const mcpPath = path.join(projectRoot, ".mcp.json");
+  let mcpConfig = { mcpServers: {} };
+  if (fs.existsSync(mcpPath)) {
+    mcpConfig = JSON.parse(fs.readFileSync(mcpPath, "utf-8"));
+    mcpConfig.mcpServers ??= {};
+  }
+  let mcpChanged = false;
+  if (!mcpConfig.mcpServers.context7) {
+    mcpConfig.mcpServers.context7 = {
+      command: "npx",
+      args: ["-y", "@upstash/context7-mcp"],
+    };
+    mcpChanged = true;
+  }
+  if (!mcpConfig.mcpServers.playwright) {
+    mcpConfig.mcpServers.playwright = {
+      command: "npx",
+      args: ["@anthropic-ai/mcp-server-playwright@latest"],
+      env: {
+        PLAYWRIGHT_OUTPUT_DIR: ".playwright-mcp",
+      },
+    };
+    mcpChanged = true;
+  }
+  if (mcpChanged) {
+    fs.writeFileSync(mcpPath, JSON.stringify(mcpConfig, null, 2) + "\n");
+  }
   console.log(`[@simplysm/claude] ${sourceEntries.length}개의 sd-* 항목을 설치했습니다.`);
 } catch (err) {
   // postinstall 실패가 pnpm install 전체를 막지 않도록 에러 무시