musubi-sdd 5.1.0 → 5.6.1

package/src/templates/agents/claude-code/skills/requirements-analyst/validation-rules.md

@@ -16,14 +16,15 @@ This document defines the validation rules for EARS requirements in MUSUBI SDD.
 def validate_unique_ids(requirements):
     ids = [req.id for req in requirements]
     duplicates = [id for id in ids if ids.count(id) > 1]
-    
+
     if duplicates:
         FAIL(f"Duplicate requirement IDs: {duplicates}")
-    
+
     PASS("All requirement IDs are unique")
 ```
 
 **Examples**:
+
 ```
 ✅ PASS: REQ-001, REQ-002, REQ-003
 ❌ FAIL: REQ-001, REQ-002, REQ-001 (duplicate)
@@ -48,7 +49,7 @@ def validate_ears_pattern(requirement):
     for pattern in EARS_PATTERNS:
         if re.match(pattern, requirement.text, re.IGNORECASE):
             return PASS(f"{requirement.id} follows EARS pattern")
-    
+
     return FAIL(f"{requirement.id} does not follow EARS pattern")
 ```
 
@@ -66,11 +67,11 @@ FORBIDDEN_KEYWORDS = [
 
 def validate_no_ambiguous_keywords(requirement):
     text_lower = requirement.text.lower()
-    
+
     for keyword in FORBIDDEN_KEYWORDS:
         if keyword in text_lower:
             FAIL(f"{requirement.id} contains ambiguous keyword: '{keyword}'")
-    
+
     PASS(f"{requirement.id} has no ambiguous keywords")
 ```
 
@@ -87,7 +88,7 @@ def validate_mandatory_keywords(requirement):
     for keyword in REQUIRED_KEYWORDS:
         if keyword in requirement.text.upper():
             return PASS(f"{requirement.id} contains '{keyword}'")
-    
+
     return FAIL(f"{requirement.id} missing SHALL or MUST")
 ```
 
@@ -108,7 +109,7 @@ def validate_atomic(requirement):
     for pattern in ATOMIC_VIOLATIONS:
         if re.search(pattern, requirement.text, re.IGNORECASE):
             WARN(f"{requirement.id} may not be atomic - consider splitting")
-    
+
     PASS(f"{requirement.id} appears atomic")
 ```
 
@@ -131,11 +132,11 @@ MEASUREMENT_PATTERNS = [
 def validate_measurable(requirement):
     if not re.match(NF_REQUIREMENT_PATTERN, requirement.id):
         return PASS(f"{requirement.id} is functional requirement")
-    
+
     for pattern in MEASUREMENT_PATTERNS:
         if re.search(pattern, requirement.text):
             return PASS(f"{requirement.id} has measurable criteria")
-    
+
     return WARN(f"{requirement.id} (non-functional) may lack measurable criteria")
 ```
 
@@ -160,7 +161,7 @@ def validate_testable(requirement):
     for pattern in UNTESTABLE_PATTERNS:
         if re.search(pattern, requirement.text, re.IGNORECASE):
             WARN(f"{requirement.id} contains vague term '{pattern}' - make testable")
-    
+
     PASS(f"{requirement.id} appears testable")
 ```
 
@@ -185,7 +186,7 @@ def validate_no_implementation(requirement):
     for pattern in IMPLEMENTATION_PATTERNS:
         if re.search(pattern, requirement.text):
             WARN(f"{requirement.id} contains implementation detail: '{pattern}'")
-    
+
     PASS(f"{requirement.id} appears technology-agnostic")
 ```
 
@@ -205,7 +206,7 @@ def validate_terminology(requirements, glossary):
             for synonym in synonyms:
                 if synonym in req.text and term not in req.text:
                     WARN(f"{req.id}: Use '{term}' instead of '{synonym}'")
-    
+
     PASS("Terminology is consistent")
 ```
 
@@ -219,13 +220,13 @@ def validate_terminology(requirements, glossary):
 def validate_no_conflicts(requirements):
     # Group by subject
     by_subject = group_by_subject(requirements)
-    
+
     for subject, reqs in by_subject.items():
         # Check for conflicting actions
         actions = [extract_action(req) for req in reqs]
         if has_conflicts(actions):
             FAIL(f"Conflicting requirements for {subject}")
-    
+
     PASS("No conflicts detected")
 ```
 
@@ -242,11 +243,11 @@ def validate_coverage(requirements, use_cases):
         use_case = extract_use_case(req)
         if use_case:
             covered.add(use_case)
-    
+
     missing = set(use_cases) - covered
     if missing:
         WARN(f"Use cases without requirements: {missing}")
-    
+
     coverage_percent = len(covered) / len(use_cases) * 100
     REPORT(f"Use case coverage: {coverage_percent:.1f}%")
 ```
@@ -265,10 +266,10 @@ def validate_forward_traceability(requirements, design):
     for req in requirements:
         if req.id not in design.requirement_references:
             untraced.append(req.id)
-    
+
     if untraced:
         FAIL(f"Requirements not traced to design: {untraced}")
-    
+
     PASS("All requirements traced to design")
 ```
 
@@ -282,15 +283,15 @@ def validate_forward_traceability(requirements, design):
 def validate_backward_traceability(design, requirements):
     req_ids = {req.id for req in requirements}
     orphaned = []
-    
+
     for component in design.components:
         for ref in component.requirement_refs:
             if ref not in req_ids:
                 orphaned.append((component.name, ref))
-    
+
     if orphaned:
         WARN(f"Design references non-existent requirements: {orphaned}")
-    
+
     PASS("All design elements trace to valid requirements")
 ```
 
@@ -307,22 +308,24 @@ def validate_backward_traceability(design, requirements):
 
 ## Summary
 
-| Rule | Status | Issues |
-|------|--------|--------|
-| Unique IDs | ✅ PASS | 0 |
-| EARS Pattern | ✅ PASS | 0 |
-| No Ambiguous Keywords | ✅ PASS | 0 |
-| Mandatory Keywords | ✅ PASS | 0 |
-| Atomic Requirements | ⚠️ WARN | 2 |
-| Measurable Criteria | ⚠️ WARN | 1 |
-| Testable | ✅ PASS | 0 |
-| No Implementation | ✅ PASS | 0 |
-| Forward Traceability | ✅ PASS | 0 |
+| Rule                  | Status  | Issues |
+| --------------------- | ------- | ------ |
+| Unique IDs            | ✅ PASS | 0      |
+| EARS Pattern          | ✅ PASS | 0      |
+| No Ambiguous Keywords | ✅ PASS | 0      |
+| Mandatory Keywords    | ✅ PASS | 0      |
+| Atomic Requirements   | ⚠️ WARN | 2      |
+| Measurable Criteria   | ⚠️ WARN | 1      |
+| Testable              | ✅ PASS | 0      |
+| No Implementation     | ✅ PASS | 0      |
+| Forward Traceability  | ✅ PASS | 0      |
 
 ## Total: 15 requirements validated
 
 ### Passed: 15 (100%)
+
 ### Warnings: 3
+
 ### Failures: 0
 
 ## Issues
@@ -330,7 +333,7 @@ def validate_backward_traceability(design, requirements):
 ### Warnings
 
 1. **REQ-USER-003**: May not be atomic - consider splitting
-2. **REQ-AUTH-005**: May not be atomic - consider splitting  
+2. **REQ-AUTH-005**: May not be atomic - consider splitting
 3. **REQ-NF-002**: May lack measurable criteria
 
 ## Recommendations

package/src/templates/agents/claude-code/skills/security-auditor/SKILL.md

@@ -103,15 +103,12 @@ The SecurityAnalyzer module provides automated security risk detection for code,
 ### Module Usage
 
 ```javascript
-const { 
-  SecurityAnalyzer, 
-  RiskLevel 
-} = require('musubi/src/analyzers/security-analyzer');
+const { SecurityAnalyzer, RiskLevel } = require('musubi/src/analyzers/security-analyzer');
 
 const analyzer = new SecurityAnalyzer({
-  strictMode: true,        // Block critical risks
+  strictMode: true, // Block critical risks
   allowedCommands: ['npm', 'git', 'node'],
-  ignorePaths: ['node_modules', '.git', 'test']
+  ignorePaths: ['node_modules', '.git', 'test'],
 });
 
 // Analyze code content
@@ -120,7 +117,7 @@ const result = analyzer.analyzeContent(code, 'src/auth/login.js');
 // Check validation status
 const validation = analyzer.validateAction({
   type: 'command',
-  command: 'rm -rf /tmp/cache'
+  command: 'rm -rf /tmp/cache',
 });
 
 if (validation.blocked) {
@@ -133,12 +130,12 @@ const report = analyzer.generateReport(result);
 
 ### Detection Categories
 
-| Category | Examples |
-|----------|----------|
-| **Secrets** | API keys, passwords, tokens, private keys |
-| **Dangerous Commands** | `rm -rf /`, `chmod 777`, `curl \| bash` |
-| **Vulnerabilities** | eval(), innerHTML, SQL injection |
-| **Network Risks** | Insecure HTTP, disabled TLS verification |
+| Category               | Examples                                  |
+| ---------------------- | ----------------------------------------- |
+| **Secrets**            | API keys, passwords, tokens, private keys |
+| **Dangerous Commands** | `rm -rf /`, `chmod 777`, `curl \| bash`   |
+| **Vulnerabilities**    | eval(), innerHTML, SQL injection          |
+| **Network Risks**      | Insecure HTTP, disabled TLS verification  |
 
 ### Risk Levels
 
@@ -162,6 +159,65 @@ musubi-analyze security --scan ./src --report markdown
 
 ---
 
+## MUSUBI RustMigrationGenerator Module (v5.5.0+)
+
+**Available Module**: `src/generators/rust-migration-generator.js`
+
+The RustMigrationGenerator module assists in migrating C/C++ code to Rust for improved memory safety.
+
+### Module Usage
+
+```javascript
+const { RustMigrationGenerator, UNSAFE_PATTERNS, SECURITY_COMPONENTS } = require('musubi-sdd');
+
+const generator = new RustMigrationGenerator();
+const analysis = await generator.analyzeRustMigration('src/buffer.c');
+
+console.log(`Risk Score: ${analysis.riskScore}`);
+console.log(`Unsafe Patterns Found: ${analysis.unsafePatterns.length}`);
+console.log(`Security Components: ${analysis.securityComponents.length}`);
+```
+
+### Unsafe Pattern Detection (27 Types)
+
+| Category               | Patterns                                   |
+| ---------------------- | ------------------------------------------ |
+| **Memory Management**  | malloc, calloc, realloc, free              |
+| **Buffer Overflow**    | strcpy, strcat, sprintf, gets              |
+| **Pointer Operations** | Pointer arithmetic, casts, double pointers |
+| **Concurrency**        | pthread misuse, volatile misuse            |
+| **Format Strings**     | printf with variable format                |
+
+### Security Component Identification
+
+- Stack protection (`_FORTIFY_SOURCE`, stack canaries)
+- Sanitizers (AddressSanitizer, MemorySanitizer)
+- Cryptography (OpenSSL, libsodium)
+- Authentication (PAM, SASL)
+
+### Risk Scoring
+
+```javascript
+// Risk weights
+const RISK_WEIGHTS = {
+  buffer_overflow: 10, // Critical: strcpy, gets, etc.
+  memory_management: 8, // High: malloc/free misuse
+  pointer_operation: 7, // High: pointer arithmetic
+  format_string: 9, // Critical: format string vulns
+  concurrency: 6, // Medium: race conditions
+};
+
+// Calculate total risk
+const totalRisk = analysis.riskScore; // 0-100 scale
+```
+
+### Integration with Security Audit
+
+1. **Identify unsafe code** in C/C++ projects
+2. **Prioritize migration** based on risk score
+3. **Generate migration roadmap** for Rust rewrite
+4. **Track security improvements** post-migration
+
 ---
 
 ## Project Memory (Steering System)
@@ -1286,14 +1342,15 @@ security-audit/
 
 Use MUSUBI Guardrails for automated security validation:
 
-| Command | Purpose | Example |
-|---------|---------|---------|
-| `musubi-validate guardrails --type input` | Input validation (injection prevention) | `npx musubi-validate guardrails "user input" --type input` |
-| `musubi-validate guardrails --type output --redact` | Output sanitization with PII redaction | `npx musubi-validate guardrails "output" --type output --redact` |
-| `musubi-validate guardrails --type safety` | Safety check with threat detection | `npx musubi-validate guardrails "code" --type safety --level high` |
-| `musubi-validate guardrails-chain` | Run complete security guardrail chain | `npx musubi-validate guardrails-chain "content" --parallel` |
+| Command                                             | Purpose                                 | Example                                                            |
+| --------------------------------------------------- | --------------------------------------- | ------------------------------------------------------------------ |
+| `musubi-validate guardrails --type input`           | Input validation (injection prevention) | `npx musubi-validate guardrails "user input" --type input`         |
+| `musubi-validate guardrails --type output --redact` | Output sanitization with PII redaction  | `npx musubi-validate guardrails "output" --type output --redact`   |
+| `musubi-validate guardrails --type safety`          | Safety check with threat detection      | `npx musubi-validate guardrails "code" --type safety --level high` |
+| `musubi-validate guardrails-chain`                  | Run complete security guardrail chain   | `npx musubi-validate guardrails-chain "content" --parallel`        |
 
 **Security Presets**:
+
 ```bash
 # Input validation with strict security
 npx musubi-validate guardrails --type input --preset strict
@@ -1306,6 +1363,7 @@ npx musubi-validate guardrails --type safety --constitutional --level critical
 ```
 
 **Batch Security Scan**:
+
 ```bash
 # Scan all source files
 npx musubi-validate guardrails --type safety --file "src/**/*.js" --level high

package/src/templates/agents/claude-code/skills/security-auditor/audit-checklists.md

@@ -161,18 +161,18 @@ Comprehensive security checklists for application and infrastructure audits.
 
 ### OWASP Top 10 (2021)
 
-| # | Vulnerability | Key Controls |
-|---|---------------|--------------|
-| A01 | Broken Access Control | RBAC, ABAC, deny by default |
-| A02 | Cryptographic Failures | TLS, encryption at rest |
-| A03 | Injection | Input validation, parameterized |
-| A04 | Insecure Design | Threat modeling, secure patterns |
-| A05 | Security Misconfiguration | Hardening, minimal install |
-| A06 | Vulnerable Components | SCA, dependency updates |
-| A07 | Auth Failures | MFA, session security |
-| A08 | Integrity Failures | CI/CD security, signing |
-| A09 | Logging Failures | Audit logs, monitoring |
-| A10 | SSRF | Input validation, allowlists |
+| #   | Vulnerability             | Key Controls                     |
+| --- | ------------------------- | -------------------------------- |
+| A01 | Broken Access Control     | RBAC, ABAC, deny by default      |
+| A02 | Cryptographic Failures    | TLS, encryption at rest          |
+| A03 | Injection                 | Input validation, parameterized  |
+| A04 | Insecure Design           | Threat modeling, secure patterns |
+| A05 | Security Misconfiguration | Hardening, minimal install       |
+| A06 | Vulnerable Components     | SCA, dependency updates          |
+| A07 | Auth Failures             | MFA, session security            |
+| A08 | Integrity Failures        | CI/CD security, signing          |
+| A09 | Logging Failures          | Audit logs, monitoring           |
+| A10 | SSRF                      | Input validation, allowlists     |
 
 ### Security Headers
 
@@ -210,27 +210,27 @@ Permissions-Policy: geolocation=(), camera=()
 
 ### Critical (Immediately address)
 
-| ID | Finding | Risk | Recommendation |
-|----|---------|------|----------------|
-| C1 | [Finding] | Critical | [Fix] |
+| ID  | Finding   | Risk     | Recommendation |
+| --- | --------- | -------- | -------------- |
+| C1  | [Finding] | Critical | [Fix]          |
 
 ### High (Address within 7 days)
 
-| ID | Finding | Risk | Recommendation |
-|----|---------|------|----------------|
-| H1 | [Finding] | High | [Fix] |
+| ID  | Finding   | Risk | Recommendation |
+| --- | --------- | ---- | -------------- |
+| H1  | [Finding] | High | [Fix]          |
 
 ### Medium (Address within 30 days)
 
-| ID | Finding | Risk | Recommendation |
-|----|---------|------|----------------|
-| M1 | [Finding] | Medium | [Fix] |
+| ID  | Finding   | Risk   | Recommendation |
+| --- | --------- | ------ | -------------- |
+| M1  | [Finding] | Medium | [Fix]          |
 
 ### Low (Address as resources allow)
 
-| ID | Finding | Risk | Recommendation |
-|----|---------|------|----------------|
-| L1 | [Finding] | Low | [Fix] |
+| ID  | Finding   | Risk | Recommendation |
+| --- | --------- | ---- | -------------- |
+| L1  | [Finding] | Low  | [Fix]          |
 
 ## Positive Findings