timsquad 2.0.0

package/templates/common/claude/skills/security/SKILL.md

@@ -0,0 +1,234 @@
+---
+name: security
+description: 보안 검토 및 취약점 탐지 가이드라인
+user-invocable: false
+---
+
+<skill name="security">
+  <purpose>OWASP Top 10 기반 보안 취약점 탐지 및 방지 가이드라인</purpose>
+
+  <owasp-top-10>
+    <vulnerability id="1" name="Injection">
+      <description>SQL, NoSQL, OS, LDAP Injection</description>
+      <example type="bad">
+        <![CDATA[
+const query = `SELECT * FROM users WHERE email = '${email}'`;
+        ]]>
+      </example>
+      <example type="good">
+        <![CDATA[
+// Parameterized Query
+const query = 'SELECT * FROM users WHERE email = $1';
+await db.query(query, [email]);
+
+// ORM 사용
+await userRepository.findOne({ where: { email } });
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="2" name="Broken Authentication">
+      <description>취약한 인증 메커니즘</description>
+      <example type="bad">
+        <![CDATA[
+if (password.length >= 4) { ... }
+        ]]>
+      </example>
+      <example type="good">
+        <![CDATA[
+const passwordPolicy = {
+  minLength: 12,
+  requireUppercase: true,
+  requireLowercase: true,
+  requireNumber: true,
+  requireSpecialChar: true,
+};
+
+const hash = await bcrypt.hash(password, 12);
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="3" name="Sensitive Data Exposure">
+      <description>민감 정보 노출</description>
+      <example type="bad">
+        <![CDATA[
+logger.info('User login', { email, password });
+return { ...user }; // passwordHash 포함
+        ]]>
+      </example>
+      <example type="good">
+        <![CDATA[
+logger.info('User login', { email, password: '***' });
+return userToDto(user); // passwordHash 제외
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="5" name="Broken Access Control">
+      <description>부적절한 접근 제어</description>
+      <example type="bad">
+        <![CDATA[
+app.get('/api/users/:id', async (req, res) => {
+  const user = await userService.getUser(req.params.id);
+  return res.json(user);
+});
+        ]]>
+      </example>
+      <example type="good">
+        <![CDATA[
+app.get('/api/users/:id', authenticate, authorize('user:read'), async (req, res) => {
+  if (req.user.id !== req.params.id && !req.user.isAdmin) {
+    throw new ForbiddenError();
+  }
+  const user = await userService.getUser(req.params.id);
+  return res.json(user);
+});
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="6" name="Security Misconfiguration">
+      <description>보안 설정 오류</description>
+      <example type="good">
+        <![CDATA[
+// 보안 헤더 설정
+app.use(helmet());
+app.use(helmet.contentSecurityPolicy({
+  directives: {
+    defaultSrc: ["'self'"],
+    scriptSrc: ["'self'"],
+  },
+}));
+
+// CORS 제한
+app.use(cors({
+  origin: ['https://allowed-domain.com'],
+  credentials: true,
+}));
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="7" name="Cross-Site Scripting (XSS)">
+      <description>XSS 공격</description>
+      <example type="bad">
+        <![CDATA[
+element.innerHTML = userInput;
+        ]]>
+      </example>
+      <example type="good">
+        <![CDATA[
+element.textContent = userInput;
+
+// 또는 이스케이프 처리
+import { escape } from 'lodash';
+element.innerHTML = escape(userInput);
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="8" name="Insecure Deserialization">
+      <description>안전하지 않은 역직렬화</description>
+      <example type="bad">
+        <![CDATA[
+const data = JSON.parse(userInput);
+processData(data);
+        ]]>
+      </example>
+      <example type="good">
+        <![CDATA[
+import { z } from 'zod';
+const schema = z.object({
+  name: z.string().max(100),
+  age: z.number().min(0).max(150),
+});
+const data = schema.parse(JSON.parse(userInput));
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="9" name="Using Components with Known Vulnerabilities">
+      <description>취약한 컴포넌트 사용</description>
+      <example type="good">
+        <![CDATA[
+# 정기적 취약점 스캔
+npm audit
+npm audit fix
+
+# 의존성 업데이트
+npm outdated
+npm update
+        ]]>
+      </example>
+    </vulnerability>
+
+    <vulnerability id="10" name="Insufficient Logging">
+      <description>불충분한 로깅 및 모니터링</description>
+      <example type="good">
+        <![CDATA[
+logger.warn('Login failed', {
+  email,
+  ip: req.ip,
+  userAgent: req.headers['user-agent'],
+  timestamp: new Date().toISOString(),
+});
+
+if (failedAttempts >= 5) {
+  logger.error('Possible brute force attack', { email, ip: req.ip });
+  await lockAccount(email);
+}
+        ]]>
+      </example>
+    </vulnerability>
+  </owasp-top-10>
+
+  <additional-checks>
+    <check name="시크릿 관리">
+      <must-not>하드코딩: const apiKey = 'sk-1234567890';</must-not>
+      <must>환경변수: const apiKey = process.env.API_KEY;</must>
+      <must>시크릿 매니저: await secretManager.getSecret('api-key');</must>
+    </check>
+
+    <check name="Rate Limiting">
+      <example>
+        <![CDATA[
+import rateLimit from 'express-rate-limit';
+
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15분
+  max: 100, // 최대 100 요청
+  message: 'Too many requests',
+});
+
+app.use('/api/', limiter);
+        ]]>
+      </example>
+    </check>
+
+    <check name="CSRF 방지">
+      <example>
+        <![CDATA[
+import csrf from 'csurf';
+app.use(csrf({ cookie: true }));
+
+// 폼에 토큰 포함
+<input type="hidden" name="_csrf" value="{{csrfToken}}">
+        ]]>
+      </example>
+    </check>
+  </additional-checks>
+
+  <checklist>
+    <item priority="critical">SQL/NoSQL Injection 방지</item>
+    <item priority="critical">강력한 인증 구현</item>
+    <item priority="critical">민감 정보 보호</item>
+    <item priority="critical">접근 제어 구현</item>
+    <item priority="high">XSS 방지</item>
+    <item priority="high">입력 검증</item>
+    <item priority="high">의존성 취약점 확인</item>
+    <item priority="medium">보안 로깅 구현</item>
+    <item priority="medium">시크릿 안전하게 관리</item>
+    <item priority="medium">Rate Limiting 적용</item>
+  </checklist>
+</skill>

package/templates/common/claude/skills/testing/SKILL.md

@@ -0,0 +1,146 @@
+---
+name: testing
+description: 테스트 작성 규칙 및 패턴 가이드라인
+user-invocable: false
+---
+
+<skill name="testing">
+  <purpose>품질 보장을 위한 테스트 작성 가이드라인</purpose>
+
+  <tdd-cycle>
+    <step order="1" name="Red">실패하는 테스트 작성</step>
+    <step order="2" name="Green">테스트를 통과하는 최소 코드 작성</step>
+    <step order="3" name="Refactor">코드 정리 (테스트는 계속 통과)</step>
+  </tdd-cycle>
+
+  <test-pyramid>
+    <level name="Unit" quantity="다수">빠름, 격리됨, 저비용</level>
+    <level name="Integration" quantity="중간">컴포넌트 간 연동</level>
+    <level name="E2E" quantity="소수">전체 흐름, 고비용</level>
+  </test-pyramid>
+
+  <given-when-then>
+    <example>
+      <![CDATA[
+describe('UserService', () => {
+  describe('createUser', () => {
+    it('should create a new user when email is unique', async () => {
+      // Given: 테스트 조건 설정
+      const userRepository = createMockRepository();
+      userRepository.findByEmail.mockResolvedValue(null);
+      const service = new UserService(userRepository);
+
+      // When: 테스트 대상 실행
+      const result = await service.createUser({
+        email: 'test@example.com',
+        password: 'password123',
+      });
+
+      // Then: 결과 검증
+      expect(result.email).toBe('test@example.com');
+      expect(userRepository.save).toHaveBeenCalledTimes(1);
+    });
+
+    it('should throw error when email already exists', async () => {
+      // Given
+      const userRepository = createMockRepository();
+      userRepository.findByEmail.mockResolvedValue({ id: '1', email: 'test@example.com' });
+      const service = new UserService(userRepository);
+
+      // When & Then
+      await expect(
+        service.createUser({ email: 'test@example.com', password: 'password123' })
+      ).rejects.toThrow('EMAIL_ALREADY_EXISTS');
+    });
+  });
+});
+      ]]>
+    </example>
+  </given-when-then>
+
+  <test-categories>
+    <category name="Happy Path">
+      <description>정상적인 흐름 테스트</description>
+      <example>
+        <![CDATA[
+it('should return user when valid id is provided', async () => {
+  const user = await userService.getUser('valid-id');
+  expect(user).toBeDefined();
+  expect(user.id).toBe('valid-id');
+});
+        ]]>
+      </example>
+    </category>
+    <category name="Edge Cases">
+      <description>경계 조건 테스트</description>
+      <cases>
+        <case>빈 문자열</case>
+        <case>최대 길이 입력</case>
+        <case>0 값</case>
+        <case>null 입력</case>
+      </cases>
+    </category>
+    <category name="Error Cases">
+      <description>오류 상황 테스트</description>
+      <example>
+        <![CDATA[
+it('should throw NotFoundError when user does not exist', async () => {
+  await expect(userService.getUser('non-existent-id'))
+    .rejects
+    .toThrow(NotFoundError);
+});
+        ]]>
+      </example>
+    </category>
+  </test-categories>
+
+  <coverage-standards>
+    <metric name="Line Coverage" minimum="80%" recommended="90%"/>
+    <metric name="Branch Coverage" minimum="70%" recommended="80%"/>
+    <metric name="Function Coverage" minimum="80%" recommended="90%"/>
+  </coverage-standards>
+
+  <naming-pattern>
+    <format>should {expected behavior} when {condition}</format>
+    <examples>
+      <example type="good">should return null when user is not found</example>
+      <example type="good">should throw ValidationError when email is invalid</example>
+      <example type="good">should increment retry count when request fails</example>
+      <example type="bad">test getUser</example>
+      <example type="bad">user not found</example>
+      <example type="bad">works correctly</example>
+    </examples>
+  </naming-pattern>
+
+  <mock-guidelines>
+    <when-to-mock>
+      <case>외부 서비스 (DB, API, 파일시스템)</case>
+      <case>비결정적 요소 (시간, 랜덤)</case>
+      <case>느린 작업</case>
+    </when-to-mock>
+    <example>
+      <![CDATA[
+// Repository Mock
+const mockUserRepository: jest.Mocked<UserRepository> = {
+  findById: jest.fn(),
+  findByEmail: jest.fn(),
+  save: jest.fn(),
+  delete: jest.fn(),
+};
+
+// 시간 Mock
+jest.useFakeTimers();
+jest.setSystemTime(new Date('2024-01-01'));
+      ]]>
+    </example>
+  </mock-guidelines>
+
+  <checklist>
+    <item>Given-When-Then 패턴을 따르는가</item>
+    <item>Happy path, Edge case, Error case가 있는가</item>
+    <item>테스트 이름이 명확한가</item>
+    <item>커버리지 기준을 충족하는가</item>
+    <item>Mock이 적절히 사용되었는가</item>
+    <item>테스트가 독립적인가 (순서 무관)</item>
+  </checklist>
+</skill>