musubix 1.1.15 → 1.3.1

package/.github/prompts/sdd-review.prompt.md

@@ -0,0 +1,155 @@
+# MUSUBIX Code Review Command
+
+Perform comprehensive code review with SOLID principles and quality checks.
+
+---
+
+## Instructions for AI Agent
+
+You are executing the `musubix review [feature-name]` command to perform code review.
+
+### Command Format
+
+```bash
+npx musubix codegen analyze <file>
+npx musubix trace validate
+```
+
+### Your Task
+
+Perform comprehensive code review focusing on:
+
+1. SOLID Principles Compliance
+2. Code Quality Metrics
+3. Design Pattern Usage
+4. Traceability Verification
+5. Best Practices Adherence
+
+---
+
+## Process
+
+### 1. Read Source Code and Context
+
+```bash
+# Source Code
+packages/core/src/{{feature}}/**/*.ts
+packages/mcp-server/src/tools/**/*.ts
+
+# Design Documentation
+storage/specs/DES-{{FEATURE}}-001.md
+
+# Steering Context
+steering/structure.ja.md
+steering/tech.ja.md
+steering/rules/constitution.md
+```
+
+### 2. SOLID Principles Check
+
+Review each file for:
+
+| Principle | Check |
+|-----------|-------|
+| **S**ingle Responsibility | 1つのクラス/関数は1つの責務のみ |
+| **O**pen/Closed | 拡張に開き、修正に閉じている |
+| **L**iskov Substitution | 派生クラスは基底クラスと置換可能 |
+| **I**nterface Segregation | クライアント固有のインターフェース |
+| **D**ependency Inversion | 抽象に依存、具象に依存しない |
+
+### 3. Code Quality Metrics
+
+Analyze:
+
+- **Cyclomatic Complexity**: 関数あたり10以下
+- **Lines per Function**: 50行以下
+- **Lines per File**: 300行以下
+- **Nesting Depth**: 3レベル以下
+- **Parameter Count**: 5個以下
+
+### 4. Design Pattern Review
+
+Check for:
+
+- [ ] Repository Pattern (データアクセス)
+- [ ] Service Layer (ビジネスロジック)
+- [ ] Factory Pattern (オブジェクト生成)
+- [ ] Value Objects (ドメイン概念)
+- [ ] Result Type (エラーハンドリング)
+
+### 5. Best Practices Check
+
+| カテゴリ | チェック項目 |
+|---------|-------------|
+| 命名規則 | PascalCase (型), camelCase (変数/関数), UPPER_CASE (定数) |
+| TypeScript | strict mode, 明示的な型定義, any禁止 |
+| エラー処理 | Result<T, E>パターン, 適切なエラーメッセージ |
+| コメント | JSDoc形式, 複雑なロジックの説明 |
+| インポート | 絶対パス, 循環参照なし |
+
+---
+
+## Output Format
+
+```markdown
+# Code Review Report: {{FEATURE}}
+
+## Summary
+- **Overall Score**: A/B/C/D/F
+- **Files Reviewed**: X files
+- **Issues Found**: X critical, X warnings, X suggestions
+
+## SOLID Compliance
+| Principle | Status | Notes |
+|-----------|--------|-------|
+| SRP | ✅/⚠️/❌ | ... |
+| OCP | ✅/⚠️/❌ | ... |
+| LSP | ✅/⚠️/❌ | ... |
+| ISP | ✅/⚠️/❌ | ... |
+| DIP | ✅/⚠️/❌ | ... |
+
+## Quality Metrics
+| Metric | Value | Status |
+|--------|-------|--------|
+| Avg Cyclomatic Complexity | X | ✅/⚠️/❌ |
+| Max Lines per Function | X | ✅/⚠️/❌ |
+| Max Nesting Depth | X | ✅/⚠️/❌ |
+
+## Issues
+
+### Critical (Must Fix)
+1. [FILE:LINE] Description
+
+### Warnings (Should Fix)
+1. [FILE:LINE] Description
+
+### Suggestions (Nice to Have)
+1. [FILE:LINE] Description
+
+## Recommendations
+1. ...
+2. ...
+```
+
+---
+
+## Traceability
+
+This skill implements:
+- **Article III**: Test-First Imperative (コードレビューによる品質確保)
+- **Article VII**: Simplicity Gate (コードの複雑性チェック)
+
+---
+
+## Related Commands
+
+```bash
+# Static analysis
+npx musubix codegen analyze <file>
+
+# Traceability validation
+npx musubix trace validate
+
+# Security scanning
+npx musubix codegen security <path>
+```

package/.github/prompts/sdd-security.prompt.md

@@ -0,0 +1,228 @@
+# MUSUBIX Security Scan Command
+
+Perform comprehensive security scanning and vulnerability detection.
+
+---
+
+## Instructions for AI Agent
+
+You are executing the `musubix security [feature-name]` command to perform security analysis.
+
+### Command Format
+
+```bash
+npx musubix codegen security <path>
+```
+
+### Your Task
+
+Perform comprehensive security analysis covering:
+
+1. OWASP Top 10 vulnerabilities
+2. Dependency vulnerabilities
+3. Authentication/Authorization issues
+4. Data validation gaps
+5. Sensitive data exposure
+
+---
+
+## Process
+
+### 1. Read Source Code and Dependencies
+
+```bash
+# Source Code
+packages/core/src/{{feature}}/**/*.ts
+packages/mcp-server/src/tools/**/*.ts
+
+# Dependencies
+package.json
+package-lock.json
+
+# Auth module
+packages/core/src/auth/**/*.ts
+```
+
+### 2. OWASP Top 10 Checks
+
+| # | Vulnerability | Check |
+|---|--------------|-------|
+| A01 | Broken Access Control | 認可チェックの実装確認 |
+| A02 | Cryptographic Failures | 暗号化の適切な使用 |
+| A03 | Injection | SQL/NoSQL/コマンドインジェクション |
+| A04 | Insecure Design | セキュリティパターンの適用 |
+| A05 | Security Misconfiguration | 設定の安全性 |
+| A06 | Vulnerable Components | 依存関係の脆弱性 |
+| A07 | Authentication Failures | 認証の実装不備 |
+| A08 | Software/Data Integrity | データ整合性の検証 |
+| A09 | Security Logging | ログと監視 |
+| A10 | SSRF | サーバーサイドリクエストフォージェリ |
+
+### 3. Code Pattern Analysis
+
+#### ❌ Dangerous Patterns
+
+```typescript
+// SQL Injection - 危険
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// Command Injection - 危険
+exec(`ls ${userInput}`);
+
+// Path Traversal - 危険
+const file = fs.readFileSync(`./uploads/${filename}`);
+
+// Hardcoded Secrets - 危険
+const apiKey = 'sk-1234567890abcdef';
+
+// eval() - 危険
+eval(userInput);
+```
+
+#### ✅ Safe Patterns
+
+```typescript
+// Parameterized Query - 安全
+const query = db.query('SELECT * FROM users WHERE id = ?', [userId]);
+
+// Input Validation - 安全
+const sanitized = sanitize(userInput);
+
+// Path Validation - 安全
+const safePath = path.resolve('./uploads', path.basename(filename));
+
+// Environment Variables - 安全
+const apiKey = process.env.API_KEY;
+
+// No eval - 安全
+const result = JSON.parse(jsonString);
+```
+
+### 4. Authentication & Authorization
+
+Check for:
+
+- [ ] JWT/Session token validation
+- [ ] Password hashing (bcrypt, argon2)
+- [ ] Role-based access control (RBAC)
+- [ ] Rate limiting
+- [ ] CSRF protection
+- [ ] Secure cookie flags
+
+### 5. Data Validation
+
+```typescript
+// ✅ Recommended: Zod schema validation
+import { z } from 'zod';
+
+const UserInputSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8).max(100),
+  age: z.number().int().positive().max(150),
+});
+
+// Validate all user inputs
+const result = UserInputSchema.safeParse(userInput);
+if (!result.success) {
+  return err(new ValidationError(result.error));
+}
+```
+
+### 6. Dependency Audit
+
+```bash
+# Check for known vulnerabilities
+npm audit
+npm audit --audit-level=moderate
+
+# Update vulnerable packages
+npm audit fix
+```
+
+---
+
+## Output Format
+
+```markdown
+# Security Scan Report: {{FEATURE}}
+
+## Summary
+- **Risk Level**: Critical/High/Medium/Low
+- **Vulnerabilities Found**: X critical, X high, X medium, X low
+- **Dependencies Audited**: X packages
+
+## OWASP Top 10 Assessment
+
+| Category | Status | Findings |
+|----------|--------|----------|
+| A01: Access Control | ✅/⚠️/❌ | ... |
+| A02: Cryptographic | ✅/⚠️/❌ | ... |
+| A03: Injection | ✅/⚠️/❌ | ... |
+| A04: Insecure Design | ✅/⚠️/❌ | ... |
+| A05: Misconfiguration | ✅/⚠️/❌ | ... |
+| A06: Vulnerable Deps | ✅/⚠️/❌ | ... |
+| A07: Auth Failures | ✅/⚠️/❌ | ... |
+| A08: Integrity | ✅/⚠️/❌ | ... |
+| A09: Logging | ✅/⚠️/❌ | ... |
+| A10: SSRF | ✅/⚠️/❌ | ... |
+
+## Critical Vulnerabilities
+
+### 1. [CRITICAL] SQL Injection in user-service.ts
+- **Location**: packages/core/src/user/user-service.ts:45
+- **Description**: User input directly concatenated in SQL query
+- **Remediation**: Use parameterized queries
+- **Reference**: CWE-89
+
+### 2. [HIGH] Hardcoded API Key
+- **Location**: packages/core/src/auth/config.ts:12
+- **Description**: API key stored in source code
+- **Remediation**: Use environment variables
+- **Reference**: CWE-798
+
+## Dependency Vulnerabilities
+
+| Package | Severity | Version | Fixed In |
+|---------|----------|---------|----------|
+| lodash | High | 4.17.20 | 4.17.21 |
+
+## Recommendations
+
+1. **Immediate**: Fix all critical vulnerabilities
+2. **Short-term**: Update vulnerable dependencies
+3. **Long-term**: Implement security testing in CI/CD
+
+## Compliance Checklist
+
+- [ ] Input validation on all user inputs
+- [ ] Output encoding for XSS prevention
+- [ ] Parameterized queries for database access
+- [ ] Secrets in environment variables
+- [ ] HTTPS enforced
+- [ ] Security headers configured
+- [ ] Rate limiting implemented
+- [ ] Audit logging enabled
+```
+
+---
+
+## Traceability
+
+This skill implements:
+- **Article IX**: Integration-First Testing (セキュリティテスト)
+- Security requirements validation
+
+---
+
+## Related Commands
+
+```bash
+# Security scan
+npx musubix codegen security <path>
+
+# Dependency audit
+npm audit
+
+# Static analysis
+npx musubix codegen analyze <file>
+```

package/.github/prompts/sdd-test.prompt.md

@@ -0,0 +1,230 @@
+# MUSUBIX Test Generation Command
+
+Generate comprehensive tests following Test-First (Red-Green-Blue) methodology.
+
+---
+
+## Instructions for AI Agent
+
+You are executing the `musubix test [feature-name]` command to generate tests.
+
+### Command Format
+
+```bash
+npx musubix test generate <file>
+npx musubix test coverage <dir>
+```
+
+### Your Task
+
+Generate comprehensive tests following:
+
+1. Test-First (Red-Green-Blue) methodology
+2. EARS requirements coverage
+3. Result Type testing patterns
+4. Status transition testing
+
+---
+
+## Process
+
+### 1. Read Requirements and Design
+
+```bash
+# Requirements (for test cases)
+storage/specs/REQ-{{FEATURE}}-001.md
+
+# Design (for component structure)
+storage/specs/DES-{{FEATURE}}-001.md
+
+# Existing implementation
+packages/core/src/{{feature}}/**/*.ts
+```
+
+### 2. Test Categories
+
+Generate tests for each category:
+
+| Category | Coverage Target | Priority |
+|----------|-----------------|----------|
+| Unit Tests | Functions, Value Objects | P0 |
+| Integration Tests | Services, Repositories | P0 |
+| E2E Tests | Full workflows | P1 |
+| Edge Cases | Boundary conditions | P0 |
+| Error Cases | Error handling | P0 |
+
+### 3. Test Structure
+
+```typescript
+import { describe, it, expect, beforeEach } from 'vitest';
+
+describe('FeatureName', () => {
+  beforeEach(() => {
+    // Reset counters for deterministic IDs
+    resetFeatureCounter();
+  });
+
+  describe('creation', () => {
+    it('should create valid entity', () => {
+      // Arrange
+      const input = { ... };
+      
+      // Act
+      const result = createEntity(input);
+      
+      // Assert
+      expect(result.isOk()).toBe(true);
+      if (result.isOk()) {
+        expect(result.value.id).toMatch(/^ENT-\d{8}-001$/);
+      }
+    });
+
+    it('should reject invalid input', () => {
+      // Arrange
+      const input = { invalid: true };
+      
+      // Act
+      const result = createEntity(input);
+      
+      // Assert
+      expect(result.isErr()).toBe(true);
+      if (result.isErr()) {
+        expect(result.error.message).toContain('validation');
+      }
+    });
+  });
+});
+```
+
+### 4. EARS Requirements Mapping
+
+Each requirement must have corresponding tests:
+
+```typescript
+/**
+ * REQ-AUTH-001: WHEN user provides valid credentials,
+ * THEN the system SHALL authenticate the user.
+ */
+describe('REQ-AUTH-001: User Authentication', () => {
+  it('should authenticate user with valid credentials', async () => {
+    // Test implementation
+  });
+});
+```
+
+### 5. Result Type Test Patterns
+
+```typescript
+// ✅ Test both success and failure cases
+describe('createPrice', () => {
+  it('should create valid price', () => {
+    const result = createPrice(1000);
+    expect(result.isOk()).toBe(true);
+    if (result.isOk()) {
+      expect(result.value.amount).toBe(1000);
+    }
+  });
+
+  it('should reject price below minimum', () => {
+    const result = createPrice(50);
+    expect(result.isErr()).toBe(true);
+    if (result.isErr()) {
+      expect(result.error.message).toContain('100');
+    }
+  });
+});
+```
+
+### 6. Status Transition Testing
+
+```typescript
+describe('Status Transitions', () => {
+  const validTransitions: [Status, Status][] = [
+    ['draft', 'active'],
+    ['active', 'completed'],
+    ['active', 'cancelled'],
+  ];
+
+  const invalidTransitions: [Status, Status][] = [
+    ['completed', 'active'],
+    ['cancelled', 'draft'],
+  ];
+
+  validTransitions.forEach(([from, to]) => {
+    it(`should allow transition from ${from} to ${to}`, () => {
+      const entity = createEntityWithStatus(from);
+      const result = entity.transitionTo(to);
+      expect(result.isOk()).toBe(true);
+    });
+  });
+
+  invalidTransitions.forEach(([from, to]) => {
+    it(`should reject transition from ${from} to ${to}`, () => {
+      const entity = createEntityWithStatus(from);
+      const result = entity.transitionTo(to);
+      expect(result.isErr()).toBe(true);
+    });
+  });
+});
+```
+
+---
+
+## Output Format
+
+```markdown
+# Test Generation Report: {{FEATURE}}
+
+## Summary
+- **Test Files Created**: X
+- **Test Cases**: X total (X unit, X integration, X e2e)
+- **Requirements Covered**: X/Y (Z%)
+
+## Generated Test Files
+
+### packages/core/__tests__/{{feature}}/entity.test.ts
+- X test cases
+- Covers: REQ-XXX-001, REQ-XXX-002
+
+### packages/core/__tests__/{{feature}}/service.test.ts
+- X test cases
+- Covers: REQ-XXX-003, REQ-XXX-004
+
+## Requirements Coverage Matrix
+
+| Requirement | Test File | Test Cases | Status |
+|-------------|-----------|------------|--------|
+| REQ-XXX-001 | entity.test.ts | 3 | ✅ |
+| REQ-XXX-002 | entity.test.ts | 2 | ✅ |
+| REQ-XXX-003 | service.test.ts | 4 | ✅ |
+
+## Run Tests
+
+\`\`\`bash
+npm run test -- packages/core/__tests__/{{feature}}/
+npm run test:coverage
+\`\`\`
+```
+
+---
+
+## Traceability
+
+This skill implements:
+- **Article III**: Test-First Imperative (テスト先行開発)
+- **Article V**: Traceability Mandate (要件↔テストの追跡)
+
+---
+
+## Related Commands
+
+```bash
+# Generate tests
+npx musubix test generate <file>
+
+# Run tests with coverage
+npm run test:coverage
+
+# Validate traceability
+npx musubix trace validate
+```