## Overview

Rename the `resources/` directory to `builtins/` to make its purpose clear. At the same time, extend the export-cc command so that it copies all resources.

---
## Task List

### 1. Directory rename (priority: high)

| Before | After |
|--------|-------|
| `resources/` | `builtins/` |
| `resources/global/{lang}/` | `builtins/{lang}/` (the global/ level is removed) |
| `resources/project/` | `builtins/project/` |
| `resources/skill/` | `builtins/skill/` |

### 2. Remove unneeded files (priority: high)

- Delete `builtins/{lang}/prompts/`
  - Targets: `interactive-system.md`, `interactive-summary.md`
  - Reason: not referenced from code; the actual files live in `src/shared/prompts/`

### 3. Code changes: path references (priority: high)

Update `resources` → `builtins` and `global/{lang}` → `{lang}`:

| File | Change |
|------|--------|
| `src/infra/resources/index.ts` | Paths in `getResourcesDir()`, `getGlobalResourcesDir()`, `getLanguageResourcesDir()`, etc. |
| `src/infra/config/paths.ts` | `getBuiltinPiecesDir()`, `getBuiltinPersonasDir()` |
| `src/infra/config/global/initialization.ts` | `copyLanguageConfigYaml()` |
| `src/infra/config/loaders/pieceCategories.ts` | `getLanguageResourcesDir()` reference |
| `src/features/config/ejectBuiltin.ts` | `getLanguageResourcesDir()` reference |
| `src/features/config/deploySkill.ts` | `getResourcesDir()` reference |

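### 4. export-cc changes (priority: high)

File: `src/features/config/deploySkill.ts`

**Current**: copies only pieces/ and personas/

**After**:

- Copy all of `builtins/{lang}/` to `~/.claude/skills/takt/`
- Files under `skill/` (SKILL.md, references/, takt-command.md) are handled as before
- Update the summary output to cover the new resource types (stances, instructions, knowledge, etc.)
- Change the confirm message:
  - Current: `'上書きしますか?'` ("Overwrite?")
  - After: `'既存のスキルファイルをすべて削除し、最新版に置き換えます。続行しますか?'` ("All existing skill files will be deleted and replaced with the latest version. Continue?")
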
### 5. Test changes (priority: medium)

| File | Change |
|------|--------|
| `src/__tests__/initialization.test.ts` | Expected path value for `getLanguageResourcesDir` |
| `src/__tests__/piece-category-config.test.ts` | Mock paths |
| Other tests that reference `resources` paths | Update paths |

### 6. Build and package configuration (priority: medium)

| File | Change |
|------|--------|
| `package.json` | `resources/` → `builtins/` in the `files` field |
| `tsconfig.json` | Update any references to `resources/` |
| `.gitignore` | Update as needed |

### 7. Documentation (priority: low)

- Update the Directory Structure section of `CLAUDE.md`
- Remove mentions of `prompts/` from JSDoc comments

---
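## Constraints

- The flat structure of `builtins/{lang}/` must not change (piece YAML files depend on relative paths)
- The eject safety check (skip-if-exists) needs no change
- The export-cc safety check (SKILL.md existence check + confirm) is kept

---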
## Verification

- `npm run build` succeeds
- `npm test` passes in full
- `takt init` / `takt eject` / `takt export-cc` work correctly

# Security Knowledge

## AI-Generated Code Security Issues

AI-generated code has unique vulnerability patterns.

| Pattern | Risk | Example |
|---------|------|---------|
| Plausible but dangerous defaults | High | `cors: { origin: '*' }` looks fine but is dangerous |
| Outdated security practices | Medium | Using deprecated encryption, old auth patterns |
| Incomplete validation | High | Validates format but not business rules |
| Over-trusting inputs | Critical | Assumes internal APIs are always safe |
| Copy-paste vulnerabilities | High | Same dangerous pattern repeated in multiple files |

Require extra scrutiny:

- Auth/authorization logic (AI tends to miss edge cases)
- Input validation (AI may check syntax but miss semantics)
- Error messages (AI may expose internal details)
- Config files (AI may use dangerous defaults from training data)

## Injection Attacks

**SQL Injection:**

- SQL construction via string concatenation → REJECT
- Not using parameterized queries → REJECT
- Unsanitized input in ORM raw queries → REJECT

```typescript
// NG: userId is interpolated into the SQL text
db.query(`SELECT * FROM users WHERE id = ${userId}`)

// OK: userId is bound as a parameter and never parsed as SQL
db.query('SELECT * FROM users WHERE id = ?', [userId])
```

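**Command Injection:**

- Unvalidated input in `exec()`, `spawn()` → REJECT
- Insufficient escaping in shell command construction → REJECT

```typescript
import { exec, execFile } from 'node:child_process'

// NG: the string is run by a shell, so metacharacters in userInput are interpreted
exec(`ls ${userInput}`)

// OK: no shell is involved; the input is passed to ls as a single argument
execFile('ls', [sanitizedInput])
```
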
**XSS (Cross-Site Scripting):**

- Unescaped output to HTML/JS → REJECT
- Improper use of `innerHTML`, `dangerouslySetInnerHTML` → REJECT
- Direct embedding of URL parameters → REJECT

## Authentication & Authorization

**Authentication issues:**

- Hardcoded credentials → Immediate REJECT
- Plaintext password storage → Immediate REJECT
- Weak hash algorithms (MD5, SHA1) → REJECT
- Improper session token management → REJECT

**Authorization issues:**

- Missing permission checks → REJECT
- IDOR (Insecure Direct Object Reference) → REJECT
- Privilege escalation possibility → REJECT

```typescript
// NG - No permission check
app.get('/user/:id', async (req, res) => {
  res.json(await db.getUser(req.params.id))
})

// OK - Permission check, then an ownership check so users cannot read other users' records
app.get('/user/:id', authorize('read:user'), async (req, res) => {
  if (req.user.id !== req.params.id && !req.user.isAdmin) {
    return res.status(403).send('Forbidden')
  }
  res.json(await db.getUser(req.params.id))
})
```

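Added example (not part of the original document) for the weak-hash and plaintext-storage rules under Authentication issues above: salted password hashing with Node's built-in scrypt and a constant-time comparison. The function names and the `scrypt$<salt>$<hash>` record format are assumptions of this example.

```typescript
import { randomBytes, scryptSync, timingSafeEqual } from 'node:crypto'

const SALT_LEN = 16
const KEY_LEN = 64

// Record format (an assumption of this example): scrypt$<salt hex>$<hash hex>
function hashPassword(password: string): string {
  const salt = randomBytes(SALT_LEN) // unique per password, stored with the hash
  const hash = scryptSync(password, salt, KEY_LEN)
  return ['scrypt', salt.toString('hex'), hash.toString('hex')].join('$')
}

function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split('$')
  if (parts.length !== 3 || parts[0] !== 'scrypt') return false
  const salt = Buffer.from(parts[1], 'hex')
  const expected = Buffer.from(parts[2], 'hex')
  // Truncated or non-hex records decode to the wrong length. Reject them
  // here, because timingSafeEqual() throws on inputs of different length.
  if (salt.length !== SALT_LEN || expected.length !== KEY_LEN) return false
  const actual = scryptSync(password, salt, KEY_LEN)
  return timingSafeEqual(actual, expected) // constant-time comparison
}
```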
## Data Protection

**Sensitive information exposure:**

- Hardcoded API keys, secrets → Immediate REJECT
- Sensitive info in logs → REJECT
- Internal info exposure in error messages → REJECT
- Committed `.env` files → REJECT

**Data validation:**

- Unvalidated input values → REJECT
- Missing type checks → REJECT
- No size limits set → REJECT

## Cryptography

- Use of weak crypto algorithms → REJECT
- Fixed IV/Nonce usage → REJECT
- Hardcoded encryption keys → Immediate REJECT
- No HTTPS (production) → REJECT

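
Added example (not part of the original document) for the fixed IV/nonce and hardcoded-key rules above: AES-256-GCM with a fresh random nonce per message, plus a helper that shows what a reused nonce leaks. The helper names and the nonce || tag || ciphertext layout are assumptions of this example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto'

const NONCE_LEN = 12 // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16

// Core routine with an explicit nonce so the failure mode can be shown.
// Output layout (an assumption of this example): nonce || tag || ciphertext.
function sealWith(key: Buffer, nonce: Buffer, plaintext: Buffer): Buffer {
  const cipher = createCipheriv('aes-256-gcm', key, nonce)
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()])
  return Buffer.concat([nonce, cipher.getAuthTag(), body])
}

// Correct use: a fresh random nonce per message. The key comes from the
// caller (for example a secret store), never from a literal in the source.
function seal(key: Buffer, plaintext: Buffer): Buffer {
  return sealWith(key, randomBytes(NONCE_LEN), plaintext)
}

function unseal(key: Buffer, sealed: Buffer): Buffer {
  if (sealed.length < NONCE_LEN + TAG_LEN) throw new Error('Ciphertext too short')
  const nonce = sealed.subarray(0, NONCE_LEN)
  const tag = sealed.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN)
  const body = sealed.subarray(NONCE_LEN + TAG_LEN)
  const decipher = createDecipheriv('aes-256-gcm', key, nonce)
  decipher.setAuthTag(tag)
  // final() throws if the tag does not verify, so tampering is detected.
  return Buffer.concat([decipher.update(body), decipher.final()])
}

// Why a fixed nonce is rejected: under one key and one nonce the keystream
// repeats, so XORing two ciphertext bodies yields the XOR of the plaintexts.
function xorOfBodies(a: Buffer, b: Buffer): Buffer {
  const x = a.subarray(NONCE_LEN + TAG_LEN)
  const y = b.subarray(NONCE_LEN + TAG_LEN)
  const out = Buffer.alloc(Math.min(x.length, y.length))
  for (let i = 0; i < out.length; i++) out[i] = x[i] ^ y[i]
  return out
}
```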
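## File Operations

**Path Traversal:**

- File paths containing user input → REJECT
- Insufficient `../` sanitization → REJECT

```typescript
import path from 'node:path'
import fs from 'node:fs/promises'

// NG: '../' segments in userInput can climb out of baseDir
const filePath = path.join(baseDir, userInput)
await fs.readFile(filePath)

// OK: resolve first, then require the result to be baseDir itself or below it.
// The trailing separator keeps a sibling such as `${baseDir}-other` from matching.
const root = path.resolve(baseDir)
const safePath = path.resolve(root, userInput)
if (safePath !== root && !safePath.startsWith(root + path.sep)) {
  throw new Error('Invalid path')
}
```
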
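Added example (not part of the original document) of a containment check for the path traversal rules above, compared with a bare string-prefix check. `resolveInside`, `naivePrefixCheck`, `isRejected` and the `/srv/uploads` sample paths are hypothetical.

```typescript
import * as path from 'node:path'

// Hypothetical helper: resolve userInput under baseDir, or throw if it escapes.
// The check is lexical only: if symlinks can exist under baseDir, also compare
// fs.realpath() results before opening the file.
function resolveInside(baseDir: string, userInput: string): string {
  if (userInput.includes('\0')) {
    throw new Error('Invalid path') // NUL bytes never belong in a file name
  }
  const root = path.resolve(baseDir)
  const target = path.resolve(root, userInput)
  // path.relative() begins with a '..' segment (or is absolute, on another
  // Windows drive) whenever target lies outside root.
  const rel = path.relative(root, target)
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error('Invalid path')
  }
  return target
}

// Bare string-prefix comparison, shown only for contrast: it treats a sibling
// directory such as /srv/uploads-private as if it were inside /srv/uploads.
function naivePrefixCheck(baseDir: string, userInput: string): boolean {
  return path.resolve(baseDir, userInput).startsWith(path.resolve(baseDir))
}

// True when resolveInside() refuses the input.
function isRejected(baseDir: string, userInput: string): boolean {
  try {
    resolveInside(baseDir, userInput)
    return false
  } catch {
    return true
  }
}

// Constructed sample inputs (not from the original page).
const BASE = '/srv/uploads'
const SAMPLES = ['report.pdf', '../uploads-private/key.pem', '/etc/passwd', '..notes/a.txt']
for (const s of SAMPLES) {
  console.log(s, { naive: naivePrefixCheck(BASE, s), rejected: isRejected(BASE, s) })
}
```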
**File Upload:**

- No file type validation → REJECT
- No file size limits → REJECT
- Allowing executable file uploads → REJECT

## Dependencies

- Packages with known vulnerabilities → REJECT
- Unmaintained packages → Warning
- Unnecessary dependencies → Warning

## Error Handling

- Stack trace exposure in production → REJECT
- Detailed error message exposure → REJECT
- Swallowing security events → REJECT

## Rate Limiting & DoS Protection

- No rate limiting (auth endpoints) → Warning
- Resource exhaustion attack possibility → Warning
- Infinite loop possibility → REJECT

## OWASP Top 10 Checklist

| Category | Check Items |
|----------|-------------|
| A01 Broken Access Control | Authorization checks, CORS config |
| A02 Cryptographic Failures | Encryption, sensitive data protection |
| A03 Injection | SQL, Command, XSS |
| A04 Insecure Design | Security design patterns |
| A05 Security Misconfiguration | Default settings, unnecessary features |
| A06 Vulnerable Components | Dependency vulnerabilities |
| A07 Auth Failures | Authentication mechanisms |
| A08 Software Integrity | Code signing, CI/CD |
| A09 Logging Failures | Security logging |
| A10 SSRF | Server-side requests |