fix(security): Apply 3 critical security fixes

- sec-001: Add validateAllowedPath to /api/file endpoint (path traversal) - sec-002: Enable CSRF by default with CCW_DISABLE_CSRF opt-out - sec-003: Add validateAllowedPath to /api/dialog/browse and /api/dialog/open-file (path traversal) Ref: fix-1738072800000
2026-02-15 02:42:45 +08:00 · 2026-01-28 22:04:18 +08:00
parent ed0255b8a2
commit 502c8a09a1
5 changed files with 808 additions and 4 deletions
--- a/.claude/skills/lite-skill-generator/templates/simple-skill.md
+++ b/.claude/skills/lite-skill-generator/templates/simple-skill.md
@@ -0,0 +1,68 @@
+---
+name: {{SKILL_NAME}}
+description: {{SKILL_DESCRIPTION}}
+allowed-tools: {{ALLOWED_TOOLS}}
+---
+
+# {{SKILL_TITLE}}
+
+{{SKILL_DESCRIPTION}}
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────┐
+│               {{SKILL_TITLE}}                    │
+│                                                 │
+│  Input → {{PHASE_1}} → {{PHASE_2}} → Output    │
+└─────────────────────────────────────────────────┘
+```
+
+## Execution Flow
+
+```javascript
+async function {{SKILL_FUNCTION}}(input) {
+  // Phase 1: {{PHASE_1}}
+  const prepared = await phase1(input);
+
+  // Phase 2: {{PHASE_2}}
+  const result = await phase2(prepared);
+
+  return result;
+}
+```
+
+### Phase 1: {{PHASE_1}}
+
+```javascript
+async function phase1(input) {
+  // TODO: Implement {{PHASE_1_LOWER}} logic
+  return output;
+}
+```
+
+### Phase 2: {{PHASE_2}}
+
+```javascript
+async function phase2(input) {
+  // TODO: Implement {{PHASE_2_LOWER}} logic
+  return output;
+}
+```
+
+## Usage
+
+```bash
+/skill:{{SKILL_NAME}} "input description"
+```
+
+## Examples
+
+**Basic Usage**:
+```
+User: "{{EXAMPLE_INPUT}}"
+{{SKILL_NAME}}:
+  → Phase 1: {{PHASE_1_ACTION}}
+  → Phase 2: {{PHASE_2_ACTION}}
+  → Output: {{EXAMPLE_OUTPUT}}
+```
--- a/.claude/skills/lite-skill-generator/templates/style-guide.md
+++ b/.claude/skills/lite-skill-generator/templates/style-guide.md
@@ -0,0 +1,64 @@
+# Style Guide Template
+
+Generated by lite-skill-generator style analysis phase.
+
+## Detected Patterns
+
+### Structural Patterns
+
+| Pattern | Detected | Recommendation |
+|---------|----------|----------------|
+| YAML Frontmatter | {{HAS_FRONTMATTER}} | {{FRONTMATTER_REC}} |
+| ASCII Diagrams | {{HAS_DIAGRAMS}} | {{DIAGRAMS_REC}} |
+| Code Blocks | {{HAS_CODE_BLOCKS}} | {{CODE_BLOCKS_REC}} |
+| Phase Structure | {{PHASE_STRUCTURE}} | {{PHASE_REC}} |
+
+### Language Patterns
+
+| Pattern | Value | Notes |
+|---------|-------|-------|
+| Instruction Style | {{INSTRUCTION_STYLE}} | imperative/declarative/procedural |
+| Pseudocode Usage | {{PSEUDOCODE_USAGE}} | functional/imperative/none |
+| Verbosity Level | {{VERBOSITY}} | concise/detailed/verbose |
+| Common Terms | {{TERMINOLOGY}} | domain-specific vocabulary |
+
+### Organization Patterns
+
+| Pattern | Value |
+|---------|-------|
+| Phase Count | {{PHASE_COUNT}} |
+| Example Density | {{EXAMPLE_DENSITY}} |
+| Template Usage | {{TEMPLATE_USAGE}} |
+
+## Style Compliance Checklist
+
+- [ ] YAML frontmatter with name, description, allowed-tools
+- [ ] Architecture diagram (if pattern detected)
+- [ ] Execution flow section with pseudocode
+- [ ] Phase sections (sequential numbered)
+- [ ] Usage examples section
+- [ ] README.md for external documentation
+
+## Reference Skills Analyzed
+
+{{#REFERENCES}}
+- `{{REF_PATH}}`: {{REF_NOTES}}
+{{/REFERENCES}}
+
+## Generated Configuration
+
+```json
+{
+  "style": {
+    "structure": "{{STRUCTURE_TYPE}}",
+    "language": "{{LANGUAGE_TYPE}}",
+    "organization": "{{ORG_TYPE}}"
+  },
+  "recommendations": {
+    "usePseudocode": {{USE_PSEUDOCODE}},
+    "includeDiagrams": {{INCLUDE_DIAGRAMS}},
+    "verbosityLevel": "{{VERBOSITY}}",
+    "phaseCount": {{PHASE_COUNT}}
+  }
+}
+```