@simplysm/claude 13.0.0-beta.50 → 13.0.1

package/claude/skills/sd-brainstorm/SKILL.md

@@ -52,15 +52,17 @@ Design complete! Here's how to proceed:
 1. /sd-worktree add <name>  — Create a worktree branch
 2. /sd-plan                 — Break into detailed tasks
 3. /sd-plan-dev             — Execute tasks in parallel (includes TDD + review)
-4. /sd-commit               — Commit
-5. /sd-worktree merge       — Merge back to main
-6. /sd-worktree clean       — Remove worktree
+4. /sd-check                — Verify All (typecheck + lint + tests)
+5. /sd-commit               — Commit
+6. /sd-worktree merge       — Merge back to main
+7. /sd-worktree clean       — Remove worktree
 
 --- Path B: Direct on current branch (quick fixes/small changes) ---
 
 1. /sd-plan                 — Break into detailed tasks
 2. /sd-plan-dev             — Execute tasks in parallel (includes TDD + review)
-3. /sd-commit               — Commit
+3. /sd-check                — Verify All (typecheck + lint + tests)
+4. /sd-commit               — Commit
 
 You can start from any step or skip steps as needed.
 ```

package/claude/skills/sd-plan/SKILL.md

@@ -96,7 +96,7 @@ git commit -m "feat: add specific feature"
 
 ## Execution Handoff
 
-After saving the plan:
+After saving the plan, display this message **in the system's configured language** (detect from the language setting and translate accordingly):
 
 **"Plan complete and saved to `docs/plans/<filename>.md`. Ready to execute with sd-plan-dev?"**
 

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@simplysm/claude",
   "sideEffects": false,
-  "version": "13.0.0-beta.50",
+  "version": "13.0.1",
   "description": "Simplysm Claude Code skills/agents — auto-installs via postinstall",
   "author": "김석래",
   "repository": {

package/claude/agents/sd-security-reviewer.md

@@ -1,82 +0,0 @@
----
-name: sd-security-reviewer
-description: Reviews ORM queries and service endpoints for SQL injection and input validation vulnerabilities in simplysm's string-escaping ORM
-model: inherit
----
-
-You are a security-focused code reviewer for the simplysm framework.
-
-## Critical Context
-
-simplysm ORM uses **string escaping** (NOT parameter binding) for SQL generation.
-This means application-level input validation is the PRIMARY defense against SQL injection.
-
-### Escaping mechanisms in place:
-- MySQL: Backslashes, quotes, NULL bytes, control characters escaped
-- Forces utf8mb4 charset (defends against multi-byte attacks)
-- These are necessary but NOT sufficient without input validation
-
-## Review Scope
-
-By default, review unstaged changes from `git diff` that touch ORM queries or service endpoints. The user may specify different files or scope.
-
-## Review Checklist
-
-For every ORM query in the diff, verify:
-
-### 1. Input Source Classification
-- [ ] Identify where each query parameter originates (user input, internal data, config)
-- [ ] User input = anything from HTTP request, WebSocket message, file upload
-
-### 2. Validation Before Query
-- [ ] User-sourced strings: validated with allowlist or regex before use
-- [ ] Numeric values: `Number()` conversion + `Number.isNaN()` check
-- [ ] Enum values: checked against valid set before use
-- [ ] No raw `req.query`, `req.params`, `req.body` values passed to ORM
-
-### 3. Service Endpoint Review
-- [ ] All ServiceServer RPC handlers validate incoming arguments
-- WebSocket message payloads validated before ORM usage
-- [ ] Type coercion applied at service boundary
-
-### 4. Dangerous Patterns (flag these)
-
-```typescript
-// DANGEROUS: Direct user input in query
-const name = req.query.name;
-db.user().where((u) => [expr.eq(u.name, name)]).result();
-
-// SAFE: Validated first
-const name = validateString(req.query.name, { maxLength: 100 });
-db.user().where((u) => [expr.eq(u.name, name)]).result();
-
-// SAFE: Type coercion with check
-const id = Number(req.query.id);
-if (Number.isNaN(id)) throw new Error("Invalid ID");
-db.user().where((u) => [expr.eq(u.id, id)]).result();
-```
-
-## Confidence Scoring
-
-Rate each potential issue on a scale from 0-100:
-
-- **0**: Not an issue. Value comes from trusted internal source.
-- **25**: Unlikely risk. Input is indirectly user-sourced but passes through type coercion.
-- **50**: Moderate risk. User input reaches query but some validation exists.
-- **75**: High risk. User input reaches query with insufficient validation.
-- **100**: Critical. Raw user input directly in query with no validation.
-
-**Only report issues with confidence >= 75.**
-
-## Output Format
-
-Start by stating what files/endpoints you reviewed.
-
-For each finding, provide:
-- Severity: **CRITICAL** (confidence >= 90) / **WARNING** (confidence >= 75)
-- File path and line number
-- Input source (where the unvalidated data comes from)
-- Attack vector (specific SQL injection scenario)
-- Concrete fix with code example
-
-If no issues found, confirm with a brief summary of what was checked.

package/claude/rules/sd-language.md

@@ -1,7 +0,0 @@
-# Language
-
-Respond in the **system's configured language** (set via Claude Code's language setting).
-
-- Technical terms, code identifiers (variable names, function names, etc.), and library names should remain as-is
-- Show English error messages and logs in their original form, but provide explanations in the system language
-- Files in `.claude/` folder and each package's `README.md` are written in English for consistent documentation

package/claude/rules/sd-naming-conventions.md

@@ -1,13 +0,0 @@
-# Function Naming Conventions
-
-- Do not use `Async` suffix on function names — Async is the default
-- When both sync and async versions exist, use `Sync` suffix on the sync function
-
-```typescript
-// Good
-async function readFile() { ... }      // Async (default)
-function readFileSync() { ... }        // Sync version
-
-// Bad
-async function readFileAsync() { ... } // Async suffix prohibited
-```

package/claude/rules/sd-simplysm-docs.md

@@ -1,47 +0,0 @@
-# @simplysm Package Documentation
-
-When you need API details, usage examples, or component props for `@simplysm/*` packages,
-read the package's README.md from node_modules.
-
-## How to use
-
-Read the package README directly:
-
-```
-node_modules/@simplysm/{package-name}/README.md
-```
-
-If not found (pnpm hoisting), try:
-
-```
-packages/*/node_modules/@simplysm/{package-name}/README.md
-```
-
-## When to use
-
-- Before writing code that uses an unfamiliar `@simplysm/*` API
-- When unsure about component props, method signatures, or configuration
-- When looking for usage patterns or code examples
-
-## Available Packages
-
-| Package | Description |
-|---------|-------------|
-| `core-common` | Common utilities, custom types (DateTime, DateOnly, Time, Uuid) |
-| `core-browser` | Browser-specific extensions |
-| `core-node` | Node.js utilities (filesystem, workers) |
-| `orm-common` | ORM query builder, table schema definitions |
-| `orm-node` | DB connectors (MySQL, MSSQL, PostgreSQL) |
-| `service-common` | Service protocol, type definitions |
-| `service-client` | WebSocket client |
-| `service-server` | Fastify-based HTTP/WebSocket server |
-| `solid` | SolidJS UI components + Tailwind CSS |
-| `excel` | Excel (.xlsx) read/write |
-| `storage` | FTP/SFTP client |
-| `sd-cli` | Build, lint, typecheck CLI tool |
-| `claude` | Claude Code skills/agents (auto-installs via postinstall) |
-| `eslint-plugin` | Custom ESLint rules |
-| `capacitor-plugin-auto-update` | Auto update |
-| `capacitor-plugin-broadcast` | Broadcast |
-| `capacitor-plugin-file-system` | File system |
-| `capacitor-plugin-usb-storage` | USB storage |

package/claude/rules/sd-workflow-rules.md

@@ -1,3 +0,0 @@
-# Workflow Rules
-
-- **No auto-proceeding after skill completion**: When the user explicitly invokes a skill, report the result and **stop** once the skill finishes. Do not guess the next step and proceed arbitrarily. Wait for explicit user instructions if further work is needed.