musubix 3.0.7 → 3.0.14

package/.github/prompts/sdd-security.prompt.md

@@ -0,0 +1,228 @@
+# MUSUBIX Security Scan Command
+
+Perform comprehensive security scanning and vulnerability detection.
+
+---
+
+## Instructions for AI Agent
+
+You are executing the `musubix security [feature-name]` command to perform security analysis.
+
+### Command Format
+
+```bash
+npx musubix codegen security <path>
+```
+
+### Your Task
+
+Perform comprehensive security analysis covering:
+
+1. OWASP Top 10 vulnerabilities
+2. Dependency vulnerabilities
+3. Authentication/Authorization issues
+4. Data validation gaps
+5. Sensitive data exposure
+
+---
+
+## Process
+
+### 1. Read Source Code and Dependencies
+
+```bash
+# Source Code
+packages/core/src/{{feature}}/**/*.ts
+packages/mcp-server/src/tools/**/*.ts
+
+# Dependencies
+package.json
+package-lock.json
+
+# Auth module
+packages/core/src/auth/**/*.ts
+```
+
+### 2. OWASP Top 10 Checks
+
+| # | Vulnerability | Check |
+|---|--------------|-------|
+| A01 | Broken Access Control | 認可チェックの実装確認 |
+| A02 | Cryptographic Failures | 暗号化の適切な使用 |
+| A03 | Injection | SQL/NoSQL/コマンドインジェクション |
+| A04 | Insecure Design | セキュリティパターンの適用 |
+| A05 | Security Misconfiguration | 設定の安全性 |
+| A06 | Vulnerable Components | 依存関係の脆弱性 |
+| A07 | Authentication Failures | 認証の実装不備 |
+| A08 | Software/Data Integrity | データ整合性の検証 |
+| A09 | Security Logging | ログと監視 |
+| A10 | SSRF | サーバーサイドリクエストフォージェリ |
+
+### 3. Code Pattern Analysis
+
+#### ❌ Dangerous Patterns
+
+```typescript
+// SQL Injection - 危険
+const query = `SELECT * FROM users WHERE id = ${userId}`;
+
+// Command Injection - 危険
+exec(`ls ${userInput}`);
+
+// Path Traversal - 危険
+const file = fs.readFileSync(`./uploads/${filename}`);
+
+// Hardcoded Secrets - 危険
+const apiKey = 'sk-1234567890abcdef';
+
+// eval() - 危険
+eval(userInput);
+```
+
+#### ✅ Safe Patterns
+
+```typescript
+// Parameterized Query - 安全
+const query = db.query('SELECT * FROM users WHERE id = ?', [userId]);
+
+// Input Validation - 安全
+const sanitized = sanitize(userInput);
+
+// Path Validation - 安全
+const safePath = path.resolve('./uploads', path.basename(filename));
+
+// Environment Variables - 安全
+const apiKey = process.env.API_KEY;
+
+// No eval - 安全
+const result = JSON.parse(jsonString);
+```
+
+### 4. Authentication & Authorization
+
+Check for:
+
+- [ ] JWT/Session token validation
+- [ ] Password hashing (bcrypt, argon2)
+- [ ] Role-based access control (RBAC)
+- [ ] Rate limiting
+- [ ] CSRF protection
+- [ ] Secure cookie flags
+
+### 5. Data Validation
+
+```typescript
+// ✅ Recommended: Zod schema validation
+import { z } from 'zod';
+
+const UserInputSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8).max(100),
+  age: z.number().int().positive().max(150),
+});
+
+// Validate all user inputs
+const result = UserInputSchema.safeParse(userInput);
+if (!result.success) {
+  return err(new ValidationError(result.error));
+}
+```
+
+### 6. Dependency Audit
+
+```bash
+# Check for known vulnerabilities
+npm audit
+npm audit --audit-level=moderate
+
+# Update vulnerable packages
+npm audit fix
+```
+
+---
+
+## Output Format
+
+```markdown
+# Security Scan Report: {{FEATURE}}
+
+## Summary
+- **Risk Level**: Critical/High/Medium/Low
+- **Vulnerabilities Found**: X critical, X high, X medium, X low
+- **Dependencies Audited**: X packages
+
+## OWASP Top 10 Assessment
+
+| Category | Status | Findings |
+|----------|--------|----------|
+| A01: Access Control | ✅/⚠️/❌ | ... |
+| A02: Cryptographic | ✅/⚠️/❌ | ... |
+| A03: Injection | ✅/⚠️/❌ | ... |
+| A04: Insecure Design | ✅/⚠️/❌ | ... |
+| A05: Misconfiguration | ✅/⚠️/❌ | ... |
+| A06: Vulnerable Deps | ✅/⚠️/❌ | ... |
+| A07: Auth Failures | ✅/⚠️/❌ | ... |
+| A08: Integrity | ✅/⚠️/❌ | ... |
+| A09: Logging | ✅/⚠️/❌ | ... |
+| A10: SSRF | ✅/⚠️/❌ | ... |
+
+## Critical Vulnerabilities
+
+### 1. [CRITICAL] SQL Injection in user-service.ts
+- **Location**: packages/core/src/user/user-service.ts:45
+- **Description**: User input directly concatenated in SQL query
+- **Remediation**: Use parameterized queries
+- **Reference**: CWE-89
+
+### 2. [HIGH] Hardcoded API Key
+- **Location**: packages/core/src/auth/config.ts:12
+- **Description**: API key stored in source code
+- **Remediation**: Use environment variables
+- **Reference**: CWE-798
+
+## Dependency Vulnerabilities
+
+| Package | Severity | Version | Fixed In |
+|---------|----------|---------|----------|
+| lodash | High | 4.17.20 | 4.17.21 |
+
+## Recommendations
+
+1. **Immediate**: Fix all critical vulnerabilities
+2. **Short-term**: Update vulnerable dependencies
+3. **Long-term**: Implement security testing in CI/CD
+
+## Compliance Checklist
+
+- [ ] Input validation on all user inputs
+- [ ] Output encoding for XSS prevention
+- [ ] Parameterized queries for database access
+- [ ] Secrets in environment variables
+- [ ] HTTPS enforced
+- [ ] Security headers configured
+- [ ] Rate limiting implemented
+- [ ] Audit logging enabled
+```
+
+---
+
+## Traceability
+
+This skill implements:
+- **Article IX**: Integration-First Testing (セキュリティテスト)
+- Security requirements validation
+
+---
+
+## Related Commands
+
+```bash
+# Security scan
+npx musubix codegen security <path>
+
+# Dependency audit
+npm audit
+
+# Static analysis
+npx musubix codegen analyze <file>
+```

package/.github/prompts/sdd-steering.prompt.md

@@ -0,0 +1,269 @@
+# MUSUBIX Steering Command
+
+Generate or update project memory (steering context).
+
+---
+
+## Instructions for AI Agent
+
+You are executing the `musubix steering` command to generate or update the project's steering context.
+
+### What is Steering?
+
+Steering provides **project memory** for AI agents. It consists of core files that document:
+
+1. **structure.ja.md** - Architecture patterns, directory structure
+2. **tech.ja.md** - Technology stack, frameworks
+3. **product.ja.md** - Business context, product goals
+4. **rules/constitution.md** - 9 Constitutional Articles
+
+### Your Task
+
+**Mode Detection**:
+
+1. **Bootstrap Mode** - No steering files exist → Generate initial files
+2. **Sync Mode** - Files exist, codebase changed → Update files
+3. **Review Mode** - User wants to review → Present and suggest improvements
+
+---
+
+## Mode 1: Bootstrap (First Time)
+
+### Detection
+
+- `steering/` directory doesn't exist OR
+- Core files missing
+
+### Steps
+
+1. **Analyze Codebase**:
+   - Directory structure
+   - Package.json files
+   - TypeScript configuration
+   - Test framework (Vitest)
+
+2. **Generate Steering Files**:
+
+**Create `steering/structure.ja.md`**:
+
+```markdown
+# Project Structure
+
+**Project**: MUSUBIX
+**Last Updated**: {{DATE}}
+
+## Architecture Pattern
+
+**Primary Pattern**: Monorepo (npm workspaces)
+
+## Package Structure
+
+\`\`\`
+packages/
+├── core/           # @nahisaho/musubix-core
+├── mcp-server/     # @nahisaho/musubix-mcp-server
+└── yata-client/    # @nahisaho/musubix-yata-client
+\`\`\`
+
+## Core Package Modules
+
+\`\`\`
+packages/core/src/
+├── auth/           # Authentication
+├── cli/            # CLI Interface (Article II)
+├── codegen/        # Code Generation
+├── design/         # Design Patterns
+├── error/          # Error Handling
+├── explanation/    # Explanations
+├── requirements/   # Requirements Analysis
+├── traceability/   # Traceability
+├── types/          # Type Definitions
+├── utils/          # Utilities
+└── validators/     # EARS Validation
+\`\`\`
+
+## Naming Conventions
+
+- Files: `kebab-case.ts`
+- Classes: `PascalCase`
+- Functions: `camelCase`
+- Constants: `SCREAMING_SNAKE_CASE`
+```
+
+**Create `steering/tech.ja.md`**:
+
+```markdown
+# Technology Stack
+
+**Project**: MUSUBIX
+**Last Updated**: {{DATE}}
+
+## Core Technologies
+
+| Category | Technology | Version |
+|----------|------------|---------|
+| Language | TypeScript | ^5.3 |
+| Runtime | Node.js | >= 20.0.0 |
+| Package Manager | npm | >= 10.0.0 |
+| Build | npm workspaces | - |
+| Test | Vitest | ^1.0.0 |
+| Lint | ESLint | ^8.0.0 |
+
+## Package Dependencies
+
+### @nahisaho/musubix-core
+
+- commander: CLI framework
+- chalk: Terminal styling
+
+### @nahisaho/musubix-mcp-server
+
+- MCP protocol support
+
+### @nahisaho/musubix-yata-client
+
+- Knowledge graph client
+
+## Development Tools
+
+- TypeScript strict mode
+- ESM modules (`"type": "module"`)
+- Vitest for testing
+```
+
+**Create `steering/product.ja.md`**:
+
+```markdown
+# Product Context
+
+**Project**: MUSUBIX
+**Last Updated**: {{DATE}}
+
+## Product Vision
+
+Neuro-Symbolic AI Integration System that combines:
+- **Neural (LLM)**: Creative code generation
+- **Symbolic (YATA)**: Knowledge graph precision
+
+## Target Users
+
+- Software Developers
+- AI/ML Engineers
+- Development Teams
+
+## Core Features
+
+1. EARS Requirements Analysis
+2. C4 Model Design Generation
+3. Test-First Development
+4. Complete Traceability
+5. MCP Server Integration
+```
+
+---
+
+## Mode 2: Sync (Update Existing)
+
+### Detection
+
+- Steering files exist
+- Codebase has changes
+
+### Steps
+
+1. **Compare Current State**:
+   - Read existing steering files
+   - Analyze current codebase
+   - Identify discrepancies
+
+2. **Update Files**:
+   - Add new modules/packages
+   - Update technology versions
+   - Reflect architecture changes
+
+3. **Generate Diff Report**:
+
+```markdown
+## Steering Sync Report
+
+### Changes Detected
+
+| File | Change | Action |
+|------|--------|--------|
+| structure.ja.md | New module: utils/ | Updated |
+| tech.ja.md | Vitest 1.0 → 2.0 | Updated |
+
+### Files Updated
+
+1. `steering/structure.ja.md` - Added utils module
+2. `steering/tech.ja.md` - Updated Vitest version
+```
+
+---
+
+## Mode 3: Review
+
+### Steps
+
+1. **Present Current Steering**:
+   - Show structure.ja.md content
+   - Show tech.ja.md content
+   - Show product.ja.md content
+
+2. **Analyze for Improvements**:
+   - Missing documentation
+   - Outdated information
+   - Inconsistencies
+
+3. **Suggest Improvements**:
+
+```markdown
+## Steering Review
+
+### Current State
+
+✅ structure.ja.md - Complete
+✅ tech.ja.md - Complete
+⚠️ product.ja.md - Missing user personas
+
+### Recommendations
+
+1. Add user personas to product.ja.md
+2. Update tech stack versions
+3. Add ADR index
+```
+
+---
+
+## Constitutional Articles Reference
+
+Always include reference to `steering/rules/constitution.md`:
+
+| Article | Name | Summary |
+|---------|------|---------|
+| I | Library-First | Features in packages/ |
+| II | CLI Interface | CLI for all libraries |
+| III | Test-First | Red-Green-Blue |
+| IV | EARS Format | Requirements syntax |
+| V | Traceability | 100% tracking |
+| VI | Project Memory | Read steering first |
+| VII | Design Patterns | Document patterns |
+| VIII | Decision Records | ADRs for decisions |
+| IX | Quality Gates | Validate phases |
+
+---
+
+## Output
+
+Save steering files to:
+
+- `steering/structure.ja.md`
+- `steering/tech.ja.md`
+- `steering/product.ja.md`
+- `steering/rules/constitution.md`
+- `steering/project.yml`
+
+---
+
+**MUSUBIX**: https://github.com/nahisaho/MUSUBIX
+**Version**: 1.0.0