musubi-sdd 5.1.0 → 5.6.1

package/src/templates/agents/claude-code/skills/security-auditor/owasp-top-10.md

@@ -9,28 +9,32 @@ The OWASP Top 10 represents the most critical security risks to web applications
 ## A01:2021 - Broken Access Control
 
 ### Description
+
 Users can act outside their intended permissions.
 
 ### Examples
+
 - Accessing other users' data by modifying URL
 - Privilege escalation
 - CORS misconfiguration
 
 ### Prevention
+
 ```typescript
 // Always verify authorization
 async function getUserData(userId: string, requesterId: string) {
   const user = await userRepo.findById(userId);
-  
+
   if (user.id !== requesterId && !isAdmin(requesterId)) {
     throw new ForbiddenError('Access denied');
   }
-  
+
   return user;
 }
 ```
 
 ### Checklist
+
 - [ ] Deny by default
 - [ ] Implement access control at server side
 - [ ] Validate user permissions for every request
@@ -42,14 +46,17 @@ async function getUserData(userId: string, requesterId: string) {
 ## A02:2021 - Cryptographic Failures
 
 ### Description
+
 Failures related to cryptography leading to data exposure.
 
 ### Examples
+
 - Transmitting data in clear text
 - Using weak algorithms (MD5, SHA1)
 - Hardcoded secrets
 
 ### Prevention
+
 ```typescript
 // Use strong password hashing
 import bcrypt from 'bcrypt';
@@ -66,6 +73,7 @@ const apiKey = process.env.API_KEY; // Not hardcoded
 ```
 
 ### Checklist
+
 - [ ] Classify data by sensitivity
 - [ ] Use TLS for all data in transit
 - [ ] Use strong, up-to-date algorithms
@@ -77,15 +85,18 @@ const apiKey = process.env.API_KEY; // Not hardcoded
 ## A03:2021 - Injection
 
 ### Description
+
 Untrusted data is sent to an interpreter as part of a command or query.
 
 ### Examples
+
 - SQL injection
 - NoSQL injection
 - Command injection
 - LDAP injection
 
 ### Prevention
+
 ```typescript
 // BAD: SQL Injection vulnerable
 const query = `SELECT * FROM users WHERE id = '${userId}'`;
@@ -98,6 +109,7 @@ const user = await userRepo.findOne({ where: { id: userId } });
 ```
 
 ### Checklist
+
 - [ ] Use parameterized queries
 - [ ] Use ORM/ODM frameworks
 - [ ] Validate and sanitize input
@@ -109,14 +121,17 @@ const user = await userRepo.findOne({ where: { id: userId } });
 ## A04:2021 - Insecure Design
 
 ### Description
+
 Flaws in design that cannot be fixed by implementation.
 
 ### Examples
+
 - Missing rate limiting
 - No anti-automation
 - Insufficient fraud controls
 
 ### Prevention
+
 ```typescript
 // Implement rate limiting
 import rateLimit from 'express-rate-limit';
@@ -124,13 +139,14 @@ import rateLimit from 'express-rate-limit';
 const loginLimiter = rateLimit({
   windowMs: 15 * 60 * 1000, // 15 minutes
   max: 5, // 5 attempts
-  message: 'Too many login attempts'
+  message: 'Too many login attempts',
 });
 
 app.post('/login', loginLimiter, loginHandler);
 ```
 
 ### Checklist
+
 - [ ] Threat modeling during design
 - [ ] Security requirements defined
 - [ ] Rate limiting implemented
@@ -141,15 +157,18 @@ app.post('/login', loginLimiter, loginHandler);
 ## A05:2021 - Security Misconfiguration
 
 ### Description
+
 Insecure default configurations or missing security hardening.
 
 ### Examples
+
 - Default credentials
 - Unnecessary features enabled
 - Verbose error messages
 - Missing security headers
 
 ### Prevention
+
 ```typescript
 // Add security headers
 import helmet from 'helmet';
@@ -165,6 +184,7 @@ if (process.env.NODE_ENV === 'production') {
 ```
 
 ### Checklist
+
 - [ ] Remove unused features
 - [ ] Disable default accounts
 - [ ] Set security headers
@@ -176,9 +196,11 @@ if (process.env.NODE_ENV === 'production') {
 ## A06:2021 - Vulnerable Components
 
 ### Description
+
 Using components with known vulnerabilities.
 
 ### Prevention
+
 ```bash
 # Check for vulnerabilities
 npm audit
@@ -191,6 +213,7 @@ pip install --upgrade
 ```
 
 ### Checklist
+
 - [ ] Remove unused dependencies
 - [ ] Use only official sources
 - [ ] Monitor for vulnerabilities
@@ -201,38 +224,46 @@ pip install --upgrade
 ## A07:2021 - Authentication Failures
 
 ### Description
+
 Weak authentication mechanisms.
 
 ### Examples
+
 - Weak passwords allowed
 - Credential stuffing
 - Missing MFA
 - Session fixation
 
 ### Prevention
+
 ```typescript
 // Validate password strength
 function validatePassword(password: string): boolean {
-  return password.length >= 12 &&
-         /[A-Z]/.test(password) &&
-         /[a-z]/.test(password) &&
-         /[0-9]/.test(password) &&
-         /[^A-Za-z0-9]/.test(password);
+  return (
+    password.length >= 12 &&
+    /[A-Z]/.test(password) &&
+    /[a-z]/.test(password) &&
+    /[0-9]/.test(password) &&
+    /[^A-Za-z0-9]/.test(password)
+  );
 }
 
 // Secure session configuration
-app.use(session({
-  secret: process.env.SESSION_SECRET,
-  cookie: {
-    httpOnly: true,
-    secure: true,
-    sameSite: 'strict',
-    maxAge: 3600000 // 1 hour
-  }
-}));
+app.use(
+  session({
+    secret: process.env.SESSION_SECRET,
+    cookie: {
+      httpOnly: true,
+      secure: true,
+      sameSite: 'strict',
+      maxAge: 3600000, // 1 hour
+    },
+  })
+);
 ```
 
 ### Checklist
+
 - [ ] Enforce strong passwords
 - [ ] Implement MFA
 - [ ] Rate limit authentication
@@ -244,26 +275,30 @@ app.use(session({
 ## A08:2021 - Software and Data Integrity Failures
 
 ### Description
+
 Failures related to code and infrastructure that doesn't protect against integrity violations.
 
 ### Examples
+
 - Unsigned software updates
 - Insecure CI/CD pipelines
 - Deserialization attacks
 
 ### Prevention
+
 ```typescript
 // Verify package integrity
 // package-lock.json with integrity hashes
 
 // Subresource Integrity for CDN
-<script src="https://cdn.example.com/lib.js" 
-        integrity="sha384-hash..." 
+<script src="https://cdn.example.com/lib.js"
+        integrity="sha384-hash..."
         crossorigin="anonymous">
 </script>
 ```
 
 ### Checklist
+
 - [ ] Use signed packages
 - [ ] Verify integrity hashes
 - [ ] Secure CI/CD pipeline
@@ -274,9 +309,11 @@ Failures related to code and infrastructure that doesn't protect against integri
 ## A09:2021 - Security Logging and Monitoring Failures
 
 ### Description
+
 Insufficient logging and monitoring to detect attacks.
 
 ### Prevention
+
 ```typescript
 // Log security events
 logger.warn('Login failure', {
@@ -284,7 +321,7 @@ logger.warn('Login failure', {
   email: email,
   ip: req.ip,
   userAgent: req.headers['user-agent'],
-  timestamp: new Date().toISOString()
+  timestamp: new Date().toISOString(),
 });
 
 // Alert on suspicious activity
@@ -294,6 +331,7 @@ if (failedAttempts >= 5) {
 ```
 
 ### Checklist
+
 - [ ] Log authentication events
 - [ ] Log access control failures
 - [ ] Centralized log management
@@ -305,9 +343,11 @@ if (failedAttempts >= 5) {
 ## A10:2021 - Server-Side Request Forgery (SSRF)
 
 ### Description
+
 Application fetches remote resources without validating the URL.
 
 ### Prevention
+
 ```typescript
 // Validate and allowlist URLs
 const ALLOWED_HOSTS = ['api.trusted.com', 'cdn.example.com'];
@@ -326,6 +366,7 @@ async function fetchRemote(url: string) {
 ```
 
 ### Checklist
+
 - [ ] Validate and sanitize URLs
 - [ ] Use allowlists
 - [ ] Block internal addresses

package/src/templates/agents/claude-code/skills/security-auditor/vulnerability-patterns.md

@@ -11,6 +11,7 @@ Common vulnerability patterns and how to identify them in code review.
 ### Weak Password Storage
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: Plain text or weak hashing
 const passwordHash = md5(password);
@@ -18,6 +19,7 @@ const passwordHash = sha1(password);
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Strong adaptive hashing
 const passwordHash = await bcrypt.hash(password, 12);
@@ -26,6 +28,7 @@ const passwordHash = await bcrypt.hash(password, 12);
 ### Missing Rate Limiting
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: No rate limiting on login
 app.post('/login', async (req, res) => {
@@ -35,6 +38,7 @@ app.post('/login', async (req, res) => {
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Rate limited
 app.post('/login', rateLimiter({ max: 5, windowMs: 60000 }), ...);
@@ -47,12 +51,14 @@ app.post('/login', rateLimiter({ max: 5, windowMs: 60000 }), ...);
 ### SQL Injection
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: String concatenation
 const query = `SELECT * FROM users WHERE id = '${userId}'`;
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Parameterized query
 const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
@@ -61,12 +67,14 @@ const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]);
 ### Command Injection
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: User input in shell command
 exec(`convert ${userFilename} output.png`);
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Validate and escape
 const sanitizedName = sanitize(userFilename);
@@ -76,15 +84,17 @@ execFile('convert', [sanitizedName, 'output.png']);
 ### NoSQL Injection
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: Object injection in MongoDB
-const user = await User.findOne({ 
+const user = await User.findOne({
   username: req.body.username,
-  password: req.body.password  // Could be { $gt: '' }
+  password: req.body.password, // Could be { $gt: '' }
 });
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Type validation
 const username = String(req.body.username);
@@ -98,12 +108,14 @@ const password = String(req.body.password);
 ### Reflected XSS
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: User input in response
 res.send(`<h1>Search: ${req.query.q}</h1>`);
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Escape output
 res.send(`<h1>Search: ${escapeHtml(req.query.q)}</h1>`);
@@ -112,12 +124,14 @@ res.send(`<h1>Search: ${escapeHtml(req.query.q)}</h1>`);
 ### Stored XSS
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: Unescaped database content
 <div dangerouslySetInnerHTML={{ __html: user.bio }} />
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Sanitize HTML
 <div dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(user.bio) }} />
@@ -130,21 +144,23 @@ res.send(`<h1>Search: ${escapeHtml(req.query.q)}</h1>`);
 ### IDOR (Insecure Direct Object Reference)
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: No ownership check
 app.get('/documents/:id', async (req, res) => {
   const doc = await Document.findById(req.params.id);
-  res.json(doc);  // Anyone can access any document
+  res.json(doc); // Anyone can access any document
 });
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Verify ownership
 app.get('/documents/:id', async (req, res) => {
   const doc = await Document.findOne({
     _id: req.params.id,
-    owner: req.user.id  // Only owner can access
+    owner: req.user.id, // Only owner can access
   });
   if (!doc) return res.status(404).end();
   res.json(doc);
@@ -154,21 +170,23 @@ app.get('/documents/:id', async (req, res) => {
 ### Privilege Escalation
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: Client-controlled role
 const user = await User.create({
   ...req.body,
-  role: req.body.role  // User can set admin role!
+  role: req.body.role, // User can set admin role!
 });
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Server-controlled role
 const user = await User.create({
   name: req.body.name,
   email: req.body.email,
-  role: 'user'  // Default role, not from request
+  role: 'user', // Default role, not from request
 });
 ```
 
@@ -179,6 +197,7 @@ const user = await User.create({
 ### Hardcoded Secrets
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: Secrets in code
 const API_KEY = 'sk_live_abc123xyz';
@@ -186,6 +205,7 @@ const dbPassword = 'admin123';
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Environment variables
 const API_KEY = process.env.API_KEY;
@@ -195,6 +215,7 @@ const dbPassword = process.env.DB_PASSWORD;
 ### Verbose Error Messages
 
 **Pattern**:
+
 ```typescript
 // ❌ BAD: Stack trace to client
 app.use((err, req, res, next) => {
@@ -203,10 +224,11 @@ app.use((err, req, res, next) => {
 ```
 
 **Fix**:
+
 ```typescript
 // ✅ GOOD: Generic error to client
 app.use((err, req, res, next) => {
-  logger.error(err);  // Log full error
+  logger.error(err); // Log full error
   res.status(500).json({ error: 'Internal server error' });
 });
 ```
@@ -218,20 +240,22 @@ app.use((err, req, res, next) => {
 ### Missing CSRF Token
 
 **Pattern**:
+
 ```html
 <!-- ❌ BAD: No CSRF protection -->
 <form action="/transfer" method="POST">
-  <input name="amount" value="1000">
-  <input name="to" value="attacker">
+  <input name="amount" value="1000" />
+  <input name="to" value="attacker" />
 </form>
 ```
 
 **Fix**:
+
 ```html
 <!-- ✅ GOOD: CSRF token included -->
 <form action="/transfer" method="POST">
-  <input type="hidden" name="_csrf" value="{{csrfToken}}">
-  <input name="amount" value="1000">
+  <input type="hidden" name="_csrf" value="{{csrfToken}}" />
+  <input name="amount" value="1000" />
 </form>
 ```
 
@@ -242,6 +266,7 @@ app.use((err, req, res, next) => {
 ### Outdated Packages
 
 **Detection**:
+
 ```bash
 npm audit
 snyk test
@@ -249,6 +274,7 @@ pip-audit
 ```
 
 **Prevention**:
+
 ```json
 // package.json
 {
@@ -263,33 +289,39 @@ pip-audit
 ## Code Review Security Checklist
 
 ### Input Handling
+
 - [ ] All user input validated
 - [ ] Type checking enforced
 - [ ] Length limits applied
 - [ ] Special characters escaped
 
 ### Authentication
+
 - [ ] Strong password hashing (bcrypt/Argon2)
 - [ ] Rate limiting on auth endpoints
 - [ ] Secure session management
 - [ ] MFA where appropriate
 
 ### Authorization
+
 - [ ] Ownership verified for resources
 - [ ] Roles checked on server side
 - [ ] Deny by default policy
 
 ### Output
+
 - [ ] HTML escaped for display
 - [ ] JSON properly encoded
 - [ ] Error messages sanitized
 
 ### Data Protection
+
 - [ ] Secrets in environment variables
 - [ ] Sensitive data encrypted
 - [ ] TLS for all connections
 
 ### Dependencies
+
 - [ ] No known vulnerabilities
 - [ ] From trusted sources
 - [ ] Minimal and necessary

package/src/templates/agents/claude-code/skills/site-reliability-engineer/SKILL.md

@@ -49,6 +49,7 @@ musubi-gui status
 ```
 
 **ダッシュボード機能**:
+
 - ワークフローステータスのリアルタイム可視化
 - 要件 → 設計 → タスク → コード トレーサビリティマトリックス
 - SDD Stage 進捗トラッキング