Add Kiro steering files, hooks, and scripts (#812)

Co-authored-by: Sungmin Hong <hsungmin@amazon.com>
Himanshu Sharma
2026-03-22 21:55:47 -07:00
committed by GitHub
parent 535120d6b1
commit bacc585b87
29 changed files with 1241 additions and 0 deletions


@@ -0,0 +1,98 @@
---
inclusion: fileMatch
fileMatchPattern: "*.ts,*.tsx,*.js,*.jsx"
description: TypeScript/JavaScript security best practices extending common security rules with language-specific concerns
---
# TypeScript/JavaScript Security
> This file extends the common security rule with TypeScript/JavaScript specific content.
## Secret Management
```typescript
// NEVER: Hardcoded secrets
const apiKey = "sk-proj-xxxxx"
const dbPassword = "mypassword123"
// ALWAYS: Environment variables
const apiKey = process.env.OPENAI_API_KEY
const dbPassword = process.env.DATABASE_PASSWORD
if (!apiKey) {
throw new Error('OPENAI_API_KEY not configured')
}
```
## XSS Prevention
```typescript
// NEVER: Direct HTML injection
element.innerHTML = userInput
// ALWAYS: Sanitize or use textContent
import DOMPurify from 'dompurify'
element.innerHTML = DOMPurify.sanitize(userInput)
// OR
element.textContent = userInput
```
## Prototype Pollution
```typescript
// NEVER: Unsafe object merging
function merge(target: any, source: any) {
for (const key in source) {
target[key] = source[key] // Dangerous!
}
}
// ALWAYS: Validate keys
function merge(target: any, source: any) {
for (const key in source) {
if (key === '__proto__' || key === 'constructor' || key === 'prototype') {
continue
}
target[key] = source[key]
}
}
```
## SQL Injection (Node.js)
```typescript
// NEVER: String concatenation
const query = `SELECT * FROM users WHERE id = ${userId}`
// ALWAYS: Parameterized queries
const query = 'SELECT * FROM users WHERE id = ?'
db.query(query, [userId])
```
## Path Traversal
```typescript
// NEVER: Direct path construction
const filePath = `./uploads/${req.params.filename}`
// ALWAYS: Validate and sanitize
import path from 'path'
const filename = path.basename(req.params.filename)
const filePath = path.join('./uploads', filename)
```
## Dependency Security
```bash
# Regular security audits
npm audit
npm audit fix
# Use lock files
npm ci # Instead of npm install in CI/CD
```
## Agent Support
- Use **security-reviewer** agent for comprehensive security audits
- Invoke via `/agent swap security-reviewer` or use the security-review skill
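Review bot: In the Prototype Pollution section the `// ALWAYS` merge is safe only as the shallow copy shown; a steering file will be read by an agent that may turn it into a deep merge, and then the three-key filter has to be applied at every recursion level (a `constructor` key reached through `source[key].prototype` is the classic miss). Suggest stating that explicitly and iterating with `for (const key of Object.keys(source))` (or guarding with `Object.hasOwn(source, key)`) instead of `for (const key in source)`, which also walks inherited enumerable properties. Smaller points in the same file: each section redeclares the same `const` (`apiKey`, `dbPassword`, `query`, `filePath`) twice inside one fenced block, which does not compile if copied verbatim, so split the NEVER/ALWAYS halves into separate fences or rename them; in the Path Traversal section `path.basename` drops directory components, but the recommended check should also confirm the `path.resolve`d result still starts with the uploads directory, and note that `path.basename` does not treat backslashes as separators on POSIX (`path.win32`/`path.posix` differ); and the `?` placeholder in the SQL example is driver-specific (`pg` uses `$1`), which deserves a comment so the rule is not misapplied.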