npm - scan-debug-skill - Versions diffs - 1.0.0 → 1.0.2 - Mend

scan-debug-skill 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/LICENSE +21 -0
package/README.md +1 -1
package/bin/install.js +23 -9
package/js/reference/js-ts-best-practices.md +19 -5
package/js/reference/security-compliance.md +36 -11
package/package.json +2 -2

package/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+MIT License
+Copyright (c) 2026 契机
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md CHANGED Viewed

@@ -17,7 +17,7 @@ npx scan-debug-skill
 1.  **Trae**：安装到 `.trae/scan-debug-skill`
 2.  **Cursor**：安装到 `.cursor/scan-debug-skill`
-3.  **Both**：同时安装到上述两个位置
+3.  **Custom**：安装到指定目录
 ### 包含的内容

package/bin/install.js CHANGED Viewed

@@ -129,33 +129,47 @@ let defaultText = 'Trae';
 if (hasCursor && !hasTrae) {
   defaultChoice = '2';
   defaultText = 'Cursor';
-} else if (hasTrae && hasCursor) {
-  defaultChoice = '3';
-  defaultText = 'Both';
 }
+// 若两者都存在，默认保持为 1 (Trae)
 console.log('请选择要安装的目标 IDE (Please select target IDE):');
 console.log(`1. Trae   (.trae/scan-debug-skill)   ${hasTrae ? '[Detected]' : ''}`);
 console.log(`2. Cursor (.cursor/scan-debug-skill) ${hasCursor ? '[Detected]' : ''}`);
-console.log('3. Both   (同时安装/Install Both)');
+console.log('3. Custom (指定目录/Custom Directory)');
 rl.question(`请输入选项 (1/2/3) [默认: ${defaultChoice} (${defaultText})]: `, (answer) => {
   const choice = answer.trim() || defaultChoice;
+  // 选项 3：自定义目录
+  if (choice === '3') {
+    rl.question('请输入目标安装目录 (Please enter target directory): ', (inputPath) => {
+      const targetDir = inputPath.trim();
+      if (targetDir) {
+        // 处理相对路径和绝对路径
+        const finalPath = path.isAbsolute(targetDir) ? targetDir : path.resolve(cwd, targetDir);
+        install(finalPath);
+      } else {
+        console.log('❌ 未输入路径，已取消 (No path provided, cancelled).');
+      }
+      rl.close();
+    });
+    return;
+  }
   // 映射选择到目标目录
   const targets = [];
-  // 选项 1 或 3：安装到 Trae
-  if (choice === '1' || choice === '3') {
+  // 选项 1：安装到 Trae
+  if (choice === '1') {
     targets.push(path.join(cwd, '.trae', 'scan-debug-skill'));
   }
-  // 选项 2 或 3：安装到 Cursor
-  if (choice === '2' || choice === '3') {
+  // 选项 2：安装到 Cursor
+  if (choice === '2') {
     targets.push(path.join(cwd, '.cursor', 'scan-debug-skill'));
   }
-  // 如果没有有效选择（虽然有默认值保护），回退到默认
+  // 如果没有有效选择（且不是3），回退到默认
   if (targets.length === 0) {
     if (defaultChoice === '2') {
         targets.push(path.join(cwd, '.cursor', 'scan-debug-skill'));

package/js/reference/js-ts-best-practices.md CHANGED Viewed

@@ -8,6 +8,7 @@
 *   **异步处理**：
     *   优先使用 `async/await`。
     *   所有 Promise 链必须以 `.catch()` 结束，或在 `try...catch` 块中处理错误。
+*   **冗余条件判断**：当 `if` 和 `else` 分支执行逻辑完全一致时，应移除条件判断，直接执行公共逻辑。
 ## 示例：认知复杂度与魔法数字
@@ -37,13 +38,26 @@ function isDateFuture(date) {
 }
 ```
-## 示例：正则表达式安全 (ReDoS)
+## 示例：冗余条件判断
-**场景**：Sonar 提示 "Make sure the regex used here... cannot lead to denial of service"。
+**场景**：Sonar 提示 "This 'if' block is equivalent to the 'else' block"，即 `if` 和 `else` 分支执行了完全相同的逻辑。
 **修复后代码**：
 ```javascript
-// Compliant: 优化正则结构，避免嵌套量词，防止 ReDoS 攻击
-// 说明：匹配一个或多个 'a' 后跟一个 'b'
-const regex = /a+b/;
+/**
+ * 处理页面跳转
+ * @description 无论用户是否登录，点击该按钮都跳转到首页
+ */
+function handleRedirect() {
+  // Compliant: 移除冗余的条件判断
+  // 修复前：
+  // if (isLoggedIn) {
+  //   navigateTo('/home');
+  // } else {
+  //   navigateTo('/home');
+  // }
+  // 修复后：直接执行通用逻辑
+  navigateTo('/home');
+}
 ```

package/js/reference/security-compliance.md CHANGED Viewed

@@ -5,22 +5,47 @@
     *   严禁使用 `eval()`、`new Function()`。
     *   慎用 `v-html` (Vue) 或 `dangerouslySetInnerHTML` (React)，必须确保内容已经过 DOMPurify 等库的清洗。
 *   **敏感信息**：代码中禁止硬编码密码、Token、密钥（AK/SK）、内网 IP 等敏感信息，应通过环境变量或配置接口获取。
+*   **日志安全**：禁止在生产环境日志中输出敏感信息（如密码、Token 等）；**若变量名无明确语义化（如 `data`, `info`, `res`），视为潜在敏感信息禁止直接打印**；异常捕获时仅记录错误来源或通用提示，**严禁直接打印 `error.stack` 或完整的 `error` 对象**，防止堆栈信息泄露系统内部结构。
 *   **链接安全**：使用 `target="_blank"` 打开外部链接时，必须添加 `rel="noopener noreferrer"` 以防止钓鱼攻击。
-*   **禁止打印敏感堆栈**：在 `.catch()` 中禁止直接打印整个 Error 对象。
+*   **正则安全**：确保正则表达式不会导致拒绝服务攻击 (ReDoS)。
-## 示例：禁止打印敏感堆栈
+## 示例：日志安全与异常处理
-**场景**：Sonar 提示 "Define and throw a dedicated exception instead of using a generic one" 或敏感日志泄露。
+**场景**：Sonar/安全扫描提示 "User credentials should not be printed" 或 "Stack traces should not be disclosed"。
 **修复后代码**：
 ```javascript
-try {
-  await getUserInfo();
-} catch (error) {
-  // Compliant: 仅打印必要的错误摘要，隐藏堆栈详情
-  console.error('获取用户信息失败:', error.message || '未知错误');
-  // 可选：上报监控系统
-  // logger.report(error);
+/**
+ * 处理用户登录
+ * @param {string} username - 用户名
+ * @param {string} password - 密码
+ */
+async function handleLogin(username, password) {
+  try {
+    // 1. 敏感信息禁止打印
+    // Non-Compliant (敏感数据): console.log(`Attempting login for ${username} with password ${password}`);
+    // Non-Compliant (非语义化变量): console.log('Login info:', info); // info 语义不明确，可能包含敏感字段
+    console.log(`Attempting login for user: ${username}`); // Compliant: 仅记录明确的非敏感标识
+    await authService.login(username, password);
+  } catch (error) {
+    // 2. 异常捕获禁止泄露堆栈
+    // Non-Compliant: console.error(error); 或 console.error(error.stack);
+    // Compliant: 仅记录错误来源，不包含详细堆栈
+    console.error('LoginService: 用户登录请求失败');
+  }
 }
 ```
+## 示例：正则表达式安全 (ReDoS)
+**场景**：Sonar 提示 "Make sure the regex used here... cannot lead to denial of service"。
+**修复后代码**：
+```javascript
+// Compliant: 优化正则结构，避免嵌套量词，防止 ReDoS 攻击
+// 说明：匹配一个或多个 'a' 后跟一个 'b'
+const regex = /a+b/;
+```

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "scan-debug-skill",
-  "version": "1.0.0",
+  "version": "1.0.2",
   "description": "ScanDebugSkill for Trae IDE - Easily install debugging skills via npx",
   "bin": {
     "scan-debug-skill": "./bin/install.js"
@@ -15,7 +15,7 @@
     "scan"
   ],
   "author": "",
-  "license": "ISC",
+  "license": "MIT",
   "files": [
     "bin",
     "css",