musubix 3.4.1 → 3.4.3

package/.github/prompts/sdd-security.prompt.md

@@ -1,228 +0,0 @@
-# MUSUBIX Security Scan Command
-
-Perform comprehensive security scanning and vulnerability detection.
-
----
-
-## Instructions for AI Agent
-
-You are executing the `musubix security [feature-name]` command to perform security analysis.
-
-### Command Format
-
-```bash
-npx musubix codegen security <path>
-```
-
-### Your Task
-
-Perform comprehensive security analysis covering:
-
-1. OWASP Top 10 vulnerabilities
-2. Dependency vulnerabilities
-3. Authentication/Authorization issues
-4. Data validation gaps
-5. Sensitive data exposure
-
----
-
-## Process
-
-### 1. Read Source Code and Dependencies
-
-```bash
-# Source Code
-packages/core/src/{{feature}}/**/*.ts
-packages/mcp-server/src/tools/**/*.ts
-
-# Dependencies
-package.json
-package-lock.json
-
-# Auth module
-packages/core/src/auth/**/*.ts
-```
-
-### 2. OWASP Top 10 Checks
-
-| # | Vulnerability | Check |
-|---|--------------|-------|
-| A01 | Broken Access Control | 認可チェックの実装確認 |
-| A02 | Cryptographic Failures | 暗号化の適切な使用 |
-| A03 | Injection | SQL/NoSQL/コマンドインジェクション |
-| A04 | Insecure Design | セキュリティパターンの適用 |
-| A05 | Security Misconfiguration | 設定の安全性 |
-| A06 | Vulnerable Components | 依存関係の脆弱性 |
-| A07 | Authentication Failures | 認証の実装不備 |
-| A08 | Software/Data Integrity | データ整合性の検証 |
-| A09 | Security Logging | ログと監視 |
-| A10 | SSRF | サーバーサイドリクエストフォージェリ |
-
-### 3. Code Pattern Analysis
-
-#### ❌ Dangerous Patterns
-
-```typescript
-// SQL Injection - 危険
-const query = `SELECT * FROM users WHERE id = ${userId}`;
-
-// Command Injection - 危険
-exec(`ls ${userInput}`);
-
-// Path Traversal - 危険
-const file = fs.readFileSync(`./uploads/${filename}`);
-
-// Hardcoded Secrets - 危険
-const apiKey = 'sk-1234567890abcdef';
-
-// eval() - 危険
-eval(userInput);
-```
-
-#### ✅ Safe Patterns
-
-```typescript
-// Parameterized Query - 安全
-const query = db.query('SELECT * FROM users WHERE id = ?', [userId]);
-
-// Input Validation - 安全
-const sanitized = sanitize(userInput);
-
-// Path Validation - 安全
-const safePath = path.resolve('./uploads', path.basename(filename));
-
-// Environment Variables - 安全
-const apiKey = process.env.API_KEY;
-
-// No eval - 安全
-const result = JSON.parse(jsonString);
-```
-
-### 4. Authentication & Authorization
-
-Check for:
-
-- [ ] JWT/Session token validation
-- [ ] Password hashing (bcrypt, argon2)
-- [ ] Role-based access control (RBAC)
-- [ ] Rate limiting
-- [ ] CSRF protection
-- [ ] Secure cookie flags
-
-### 5. Data Validation
-
-```typescript
-// ✅ Recommended: Zod schema validation
-import { z } from 'zod';
-
-const UserInputSchema = z.object({
-  email: z.string().email(),
-  password: z.string().min(8).max(100),
-  age: z.number().int().positive().max(150),
-});
-
-// Validate all user inputs
-const result = UserInputSchema.safeParse(userInput);
-if (!result.success) {
-  return err(new ValidationError(result.error));
-}
-```
-
-### 6. Dependency Audit
-
-```bash
-# Check for known vulnerabilities
-npm audit
-npm audit --audit-level=moderate
-
-# Update vulnerable packages
-npm audit fix
-```
-
----
-
-## Output Format
-
-```markdown
-# Security Scan Report: {{FEATURE}}
-
-## Summary
-- **Risk Level**: Critical/High/Medium/Low
-- **Vulnerabilities Found**: X critical, X high, X medium, X low
-- **Dependencies Audited**: X packages
-
-## OWASP Top 10 Assessment
-
-| Category | Status | Findings |
-|----------|--------|----------|
-| A01: Access Control | ✅/⚠️/❌ | ... |
-| A02: Cryptographic | ✅/⚠️/❌ | ... |
-| A03: Injection | ✅/⚠️/❌ | ... |
-| A04: Insecure Design | ✅/⚠️/❌ | ... |
-| A05: Misconfiguration | ✅/⚠️/❌ | ... |
-| A06: Vulnerable Deps | ✅/⚠️/❌ | ... |
-| A07: Auth Failures | ✅/⚠️/❌ | ... |
-| A08: Integrity | ✅/⚠️/❌ | ... |
-| A09: Logging | ✅/⚠️/❌ | ... |
-| A10: SSRF | ✅/⚠️/❌ | ... |
-
-## Critical Vulnerabilities
-
-### 1. [CRITICAL] SQL Injection in user-service.ts
-- **Location**: packages/core/src/user/user-service.ts:45
-- **Description**: User input directly concatenated in SQL query
-- **Remediation**: Use parameterized queries
-- **Reference**: CWE-89
-
-### 2. [HIGH] Hardcoded API Key
-- **Location**: packages/core/src/auth/config.ts:12
-- **Description**: API key stored in source code
-- **Remediation**: Use environment variables
-- **Reference**: CWE-798
-
-## Dependency Vulnerabilities
-
-| Package | Severity | Version | Fixed In |
-|---------|----------|---------|----------|
-| lodash | High | 4.17.20 | 4.17.21 |
-
-## Recommendations
-
-1. **Immediate**: Fix all critical vulnerabilities
-2. **Short-term**: Update vulnerable dependencies
-3. **Long-term**: Implement security testing in CI/CD
-
-## Compliance Checklist
-
-- [ ] Input validation on all user inputs
-- [ ] Output encoding for XSS prevention
-- [ ] Parameterized queries for database access
-- [ ] Secrets in environment variables
-- [ ] HTTPS enforced
-- [ ] Security headers configured
-- [ ] Rate limiting implemented
-- [ ] Audit logging enabled
-```
-
----
-
-## Traceability
-
-This skill implements:
-- **Article IX**: Integration-First Testing (セキュリティテスト)
-- Security requirements validation
-
----
-
-## Related Commands
-
-```bash
-# Security scan
-npx musubix codegen security <path>
-
-# Dependency audit
-npm audit
-
-# Static analysis
-npx musubix codegen analyze <file>
-```

package/.github/prompts/sdd-steering.prompt.md

@@ -1,269 +0,0 @@
-# MUSUBIX Steering Command
-
-Generate or update project memory (steering context).
-
----
-
-## Instructions for AI Agent
-
-You are executing the `musubix steering` command to generate or update the project's steering context.
-
-### What is Steering?
-
-Steering provides **project memory** for AI agents. It consists of core files that document:
-
-1. **structure.ja.md** - Architecture patterns, directory structure
-2. **tech.ja.md** - Technology stack, frameworks
-3. **product.ja.md** - Business context, product goals
-4. **rules/constitution.md** - 9 Constitutional Articles
-
-### Your Task
-
-**Mode Detection**:
-
-1. **Bootstrap Mode** - No steering files exist → Generate initial files
-2. **Sync Mode** - Files exist, codebase changed → Update files
-3. **Review Mode** - User wants to review → Present and suggest improvements
-
----
-
-## Mode 1: Bootstrap (First Time)
-
-### Detection
-
-- `steering/` directory doesn't exist OR
-- Core files missing
-
-### Steps
-
-1. **Analyze Codebase**:
-   - Directory structure
-   - Package.json files
-   - TypeScript configuration
-   - Test framework (Vitest)
-
-2. **Generate Steering Files**:
-
-**Create `steering/structure.ja.md`**:
-
-```markdown
-# Project Structure
-
-**Project**: MUSUBIX
-**Last Updated**: {{DATE}}
-
-## Architecture Pattern
-
-**Primary Pattern**: Monorepo (npm workspaces)
-
-## Package Structure
-
-\`\`\`
-packages/
-├── core/           # @nahisaho/musubix-core
-├── mcp-server/     # @nahisaho/musubix-mcp-server
-└── yata-client/    # @nahisaho/musubix-yata-client
-\`\`\`
-
-## Core Package Modules
-
-\`\`\`
-packages/core/src/
-├── auth/           # Authentication
-├── cli/            # CLI Interface (Article II)
-├── codegen/        # Code Generation
-├── design/         # Design Patterns
-├── error/          # Error Handling
-├── explanation/    # Explanations
-├── requirements/   # Requirements Analysis
-├── traceability/   # Traceability
-├── types/          # Type Definitions
-├── utils/          # Utilities
-└── validators/     # EARS Validation
-\`\`\`
-
-## Naming Conventions
-
-- Files: `kebab-case.ts`
-- Classes: `PascalCase`
-- Functions: `camelCase`
-- Constants: `SCREAMING_SNAKE_CASE`
-```
-
-**Create `steering/tech.ja.md`**:
-
-```markdown
-# Technology Stack
-
-**Project**: MUSUBIX
-**Last Updated**: {{DATE}}
-
-## Core Technologies
-
-| Category | Technology | Version |
-|----------|------------|---------|
-| Language | TypeScript | ^5.3 |
-| Runtime | Node.js | >= 20.0.0 |
-| Package Manager | npm | >= 10.0.0 |
-| Build | npm workspaces | - |
-| Test | Vitest | ^1.0.0 |
-| Lint | ESLint | ^8.0.0 |
-
-## Package Dependencies
-
-### @nahisaho/musubix-core
-
-- commander: CLI framework
-- chalk: Terminal styling
-
-### @nahisaho/musubix-mcp-server
-
-- MCP protocol support
-
-### @nahisaho/musubix-yata-client
-
-- Knowledge graph client
-
-## Development Tools
-
-- TypeScript strict mode
-- ESM modules (`"type": "module"`)
-- Vitest for testing
-```
-
-**Create `steering/product.ja.md`**:
-
-```markdown
-# Product Context
-
-**Project**: MUSUBIX
-**Last Updated**: {{DATE}}
-
-## Product Vision
-
-Neuro-Symbolic AI Integration System that combines:
-- **Neural (LLM)**: Creative code generation
-- **Symbolic (YATA)**: Knowledge graph precision
-
-## Target Users
-
-- Software Developers
-- AI/ML Engineers
-- Development Teams
-
-## Core Features
-
-1. EARS Requirements Analysis
-2. C4 Model Design Generation
-3. Test-First Development
-4. Complete Traceability
-5. MCP Server Integration
-```
-
----
-
-## Mode 2: Sync (Update Existing)
-
-### Detection
-
-- Steering files exist
-- Codebase has changes
-
-### Steps
-
-1. **Compare Current State**:
-   - Read existing steering files
-   - Analyze current codebase
-   - Identify discrepancies
-
-2. **Update Files**:
-   - Add new modules/packages
-   - Update technology versions
-   - Reflect architecture changes
-
-3. **Generate Diff Report**:
-
-```markdown
-## Steering Sync Report
-
-### Changes Detected
-
-| File | Change | Action |
-|------|--------|--------|
-| structure.ja.md | New module: utils/ | Updated |
-| tech.ja.md | Vitest 1.0 → 2.0 | Updated |
-
-### Files Updated
-
-1. `steering/structure.ja.md` - Added utils module
-2. `steering/tech.ja.md` - Updated Vitest version
-```
-
----
-
-## Mode 3: Review
-
-### Steps
-
-1. **Present Current Steering**:
-   - Show structure.ja.md content
-   - Show tech.ja.md content
-   - Show product.ja.md content
-
-2. **Analyze for Improvements**:
-   - Missing documentation
-   - Outdated information
-   - Inconsistencies
-
-3. **Suggest Improvements**:
-
-```markdown
-## Steering Review
-
-### Current State
-
-✅ structure.ja.md - Complete
-✅ tech.ja.md - Complete
-⚠️ product.ja.md - Missing user personas
-
-### Recommendations
-
-1. Add user personas to product.ja.md
-2. Update tech stack versions
-3. Add ADR index
-```
-
----
-
-## Constitutional Articles Reference
-
-Always include reference to `steering/rules/constitution.md`:
-
-| Article | Name | Summary |
-|---------|------|---------|
-| I | Library-First | Features in packages/ |
-| II | CLI Interface | CLI for all libraries |
-| III | Test-First | Red-Green-Blue |
-| IV | EARS Format | Requirements syntax |
-| V | Traceability | 100% tracking |
-| VI | Project Memory | Read steering first |
-| VII | Design Patterns | Document patterns |
-| VIII | Decision Records | ADRs for decisions |
-| IX | Quality Gates | Validate phases |
-
----
-
-## Output
-
-Save steering files to:
-
-- `steering/structure.ja.md`
-- `steering/tech.ja.md`
-- `steering/product.ja.md`
-- `steering/rules/constitution.md`
-- `steering/project.yml`
-
----
-
-**MUSUBIX**: https://github.com/nahisaho/MUSUBIX
-**Version**: 1.0.0