nrslib ea7ce54912 takt: # タスク指示書: resources/ → builtins/ リネーム + export-cc 修正

## 概要
`resources/` ディレクトリを `builtins/` にリネームし、用途を明確化。同時に export-cc コマンドを拡張して全リソースをコピーするように修正する。

---

## タスク一覧

### 1. ディレクトリリネーム（優先度: 高）

| 変更前 | 変更後 |
|--------|--------|
| `resources/` | `builtins/` |
| `resources/global/{lang}/` | `builtins/{lang}/`（global/ 階層を除去） |
| `resources/project/` | `builtins/project/` |
| `resources/skill/` | `builtins/skill/` |

### 2. 不要ファイル削除（優先度: 高）

- `builtins/{lang}/prompts/` を削除
  - 対象: `interactive-system.md`, `interactive-summary.md`
  - 理由: コードから未参照、実体は `src/shared/prompts/`

### 3. コード修正 — パス参照（優先度: 高）

`resources` → `builtins`、`global/{lang}` → `{lang}` に更新:

| ファイル | 修正内容 |
|----------|----------|
| `src/infra/resources/index.ts` | `getResourcesDir()`, `getGlobalResourcesDir()`, `getLanguageResourcesDir()` 等のパス |
| `src/infra/config/paths.ts` | `getBuiltinPiecesDir()`, `getBuiltinPersonasDir()` |
| `src/infra/config/global/initialization.ts` | `copyLanguageConfigYaml()` |
| `src/infra/config/loaders/pieceCategories.ts` | `getLanguageResourcesDir()` 参照 |
| `src/features/config/ejectBuiltin.ts` | `getLanguageResourcesDir()` 参照 |
| `src/features/config/deploySkill.ts` | `getResourcesDir()` 参照 |

### 4. export-cc 修正（優先度: 高）

ファイル: `src/features/config/deploySkill.ts`

**現状**: pieces/ と personas/ のみコピー

**修正後**:
- `builtins/{lang}/` 全体を `~/.claude/skills/takt/` にコピー
- `skill/` のファイル（SKILL.md, references/, takt-command.md）は従来通り
- サマリー表示を新リソースタイプ（stances, instructions, knowledge 等）に対応
- confirm メッセージ修正:
  - 現状: `'上書きしますか？'`
  - 修正後: `'既存のスキルファイルをすべて削除し、最新版に置き換えます。続行しますか？'`

### 5. テスト修正（優先度: 中）

| ファイル | 修正内容 |
|----------|----------|
| `src/__tests__/initialization.test.ts` | `getLanguageResourcesDir` のパス期待値 |
| `src/__tests__/piece-category-config.test.ts` | mock パス |
| その他 `resources` パスを参照しているテスト | パス更新 |

### 6. ビルド・パッケージ設定（優先度: 中）

| ファイル | 修正内容 |
|----------|----------|
| `package.json` | `files` フィールドで `resources/` → `builtins/` |
| `tsconfig.json` | `resources/` への参照があれば更新 |
| `.gitignore` | 必要に応じて更新 |

### 7. ドキュメント（優先度: 低）

- `CLAUDE.md` の Directory Structure セクションを更新
- JSDoc コメントから `prompts/` 記述を削除

---

## 制約

- `builtins/{lang}/` のフラット構造は変更不可（ピースYAML内の相対パス依存）
- eject のセーフティ（skip-if-exists）は変更不要
- export-cc のセーフティ（SKILL.md 存在チェック + confirm）は維持

---

## 確認方法

- `npm run build` が成功すること
- `npm test` が全てパスすること
- `takt init` / `takt eject` / `takt export-cc` が正常動作すること

2026-02-07 14:46:20 +09:00

4.4 KiB

Raw Blame History

Security Knowledge

AI-Generated Code Security Issues

AI-generated code has unique vulnerability patterns.

Pattern	Risk	Example
Plausible but dangerous defaults	High	`cors: { origin: '*' }` looks fine but is dangerous
Outdated security practices	Medium	Using deprecated encryption, old auth patterns
Incomplete validation	High	Validates format but not business rules
Over-trusting inputs	Critical	Assumes internal APIs are always safe
Copy-paste vulnerabilities	High	Same dangerous pattern repeated in multiple files

Require extra scrutiny:

Auth/authorization logic (AI tends to miss edge cases)
Input validation (AI may check syntax but miss semantics)
Error messages (AI may expose internal details)
Config files (AI may use dangerous defaults from training data)

Injection Attacks

SQL Injection:

SQL construction via string concatenation → REJECT
Not using parameterized queries → REJECT
Unsanitized input in ORM raw queries → REJECT

// NG
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// OK
db.query('SELECT * FROM users WHERE id = ?', [userId])

Command Injection:

Unvalidated input in exec(), spawn() → REJECT
Insufficient escaping in shell command construction → REJECT

// NG
exec(`ls ${userInput}`)

// OK
execFile('ls', [sanitizedInput])

XSS (Cross-Site Scripting):

Unescaped output to HTML/JS → REJECT
Improper use of innerHTML, dangerouslySetInnerHTML → REJECT
Direct embedding of URL parameters → REJECT

Authentication & Authorization

Authentication issues:

Hardcoded credentials → Immediate REJECT
Plaintext password storage → Immediate REJECT
Weak hash algorithms (MD5, SHA1) → REJECT
Improper session token management → REJECT

Authorization issues:

Missing permission checks → REJECT
IDOR (Insecure Direct Object Reference) → REJECT
Privilege escalation possibility → REJECT

// NG - No permission check
app.get('/user/:id', (req, res) => {
  return db.getUser(req.params.id)
})

// OK
app.get('/user/:id', authorize('read:user'), (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).send('Forbidden')
  }
  return db.getUser(req.params.id)
})

Data Protection

Sensitive information exposure:

Hardcoded API keys, secrets → Immediate REJECT
Sensitive info in logs → REJECT
Internal info exposure in error messages → REJECT
Committed .env files → REJECT

Data validation:

Unvalidated input values → REJECT
Missing type checks → REJECT
No size limits set → REJECT

Cryptography

Use of weak crypto algorithms → REJECT
Fixed IV/Nonce usage → REJECT
Hardcoded encryption keys → Immediate REJECT
No HTTPS (production) → REJECT

File Operations

Path Traversal:

File paths containing user input → REJECT
Insufficient ../ sanitization → REJECT

// NG
const filePath = path.join(baseDir, userInput)
fs.readFile(filePath)

// OK
const safePath = path.resolve(baseDir, userInput)
if (!safePath.startsWith(path.resolve(baseDir))) {
  throw new Error('Invalid path')
}

File Upload:

No file type validation → REJECT
No file size limits → REJECT
Allowing executable file uploads → REJECT

Dependencies

Packages with known vulnerabilities → REJECT
Unmaintained packages → Warning
Unnecessary dependencies → Warning

Error Handling

Stack trace exposure in production → REJECT
Detailed error message exposure → REJECT
Swallowing security events → REJECT

Rate Limiting & DoS Protection

No rate limiting (auth endpoints) → Warning
Resource exhaustion attack possibility → Warning
Infinite loop possibility → REJECT

OWASP Top 10 Checklist

Category	Check Items
A01 Broken Access Control	Authorization checks, CORS config
A02 Cryptographic Failures	Encryption, sensitive data protection
A03 Injection	SQL, Command, XSS
A04 Insecure Design	Security design patterns
A05 Security Misconfiguration	Default settings, unnecessary features
A06 Vulnerable Components	Dependency vulnerabilities
A07 Auth Failures	Authentication mechanisms
A08 Software Integrity	Code signing, CI/CD
A09 Logging Failures	Security logging
A10 SSRF	Server-side requests

4.4 KiB Raw Blame History