Skip to content

docmd-skills@1.2.0

Latest

Choose a tag to compare

@mgks mgks released this 08 Jul 12:57

A security and regression gate for framework work, distilled from docmd v0.8.x battle test.

Highlights

  • New docmd-dev security and regression checklist. references/security-and-regression-checklist.md covers the ten docmd-specific regression areas (container parser, plugin HTML-injection contract, public API honesty, i18n/versioning, deploy/Docker hardening, migration correctness, CLI honesty, rendering, TUI, engines). Every rule traces back to a report ID for auditability.
  • New "Workflow 5: Hard checks before any framework change ships" in docmd-dev/SKILL.md. Walks the generic Node triage (ai-dev nodejs-cautions.md + security-must-checks.md), then the docmd checklist, then pnpm prep, then one regression test per bug class. Codifies the lessons from the v0.8.x regressions: safety-named functions must enforce, no silent no-ops, no accepted-but-unused flags, documented API = real API, loud fallbacks.
  • Path and URL hardening for plugins (safePath, sanitizeUrl, safePath-by-accident), MCP tools, OpenAPI, and container fences.
  • Output injection beyond visible HTML: href/src URL-scheme allowlists (javascript:, data:, vbscript:), machine-readable outputs (llms.txt, search-index, CSV with formula-prefix stripping), and <meta> from frontmatter.
  • Plugin output-injection contract: generateMetaTags, generateScripts, getAssets, template slots, and translations returns are untrusted; head and body script generation are distinct typed returns; no legacy descriptor-less escape hatch; built-ins win over plugin engine overrides.
  • WebSocket and dev-server defaults: verifyClient on WebSocketServer, bind to 127.0.0.1 by default rather than 0.0.0.0.
  • i18n and versioning silent failures gone: missing translations warn instead of silently falling back, search index includes every locale, default-locale-at-root links resolve, RTL sets dir="rtl", missing version folder names the version.
  • Deploy and Docker hardening: every generated server config ships a security-header baseline (CSP, HSTS, Referrer-Policy, X-Content-Type-Options); Netlify [[redirects]] does not soft-404; Docker runs non-root with a Node base image consistent with the official image; WORKDIR writability is validated.
  • Migration correctness: nav: translated, frontmatter aliases translated, all legacy keys upgraded by --upgrade, no silent out rewrite, --dry-run available.
  • CLI honesty: exit codes are a contract, no dead flags, no silent no-ops in add/remove/migrate, validation errors are readable.
  • Loud fallbacks: Rust engine fallback to JS emits one warning line with the cause; per-platform binaries auto-resolve on Mac ARM.
  • docmd-dev/SKILL.md description updated to state that docmd is Node.js and TypeScript only and enforces the security and quality gate before any framework change ships.
  • Layered, not duplicated. docmd-dev owns the docmd-only layer and points back to ai-dev for generic Node rules rather than re-stating them.