The ja-JP and zh-CN translations of the four Quarkus skills are missing
content (quarkus-tdd: 8/11 sections, quarkus-verification: 10/15 sections;
quarkus-security trimmed by 60-100 lines). Removing rather than shipping
partial translations. Turkish translations remain — they mirror the English
source. ja-JP and zh-CN to be redone in a focused follow-up.
Extends the hook command path correction from PR #1682 (English source) to
the zh-CN, zh-TW, and ja-JP translated mirrors so the PreToolUse hook
example matches the actual script location at
~/.claude/scripts/hooks/suggest-compact.js.
Changes per locale:
- docs/zh-CN/skills/strategic-compact/SKILL.md: update both command strings
from ~/.claude/skills/strategic-compact/suggest-compact.js to
~/.claude/scripts/hooks/suggest-compact.js.
- docs/zh-TW/skills/strategic-compact/SKILL.md: replace the outdated
suggest-compact.sh reference (the .sh variant was removed in merged PR
#41) with the current node-invoked suggest-compact.js, and align the
matcher block structure with the English canonical SKILL.md post-#1682.
- docs/ja-JP/skills/strategic-compact/SKILL.md: same .sh -> .js migration
and matcher alignment as zh-TW.
The ko-KR mirror already uses the correct CLAUDE_PLUGIN_ROOT-based hook
path and needs no change.
Refs #1675
Panache persist() returns void, so when().thenReturn() won't compile.
Replaced with doNothing().when().persist() which is the correct
Mockito pattern for void methods.
writeValueAsString throws checked JsonProcessingException which was
unhandled, causing a compile error. Wrapped in try/catch, rethrowing
as IllegalStateException.
Tests assert null-payload and blank-error-message guards but the
implementation had none. Added Objects.requireNonNull for payload
and blank check for errorMessage. Also added missing objectMapper
field to locale copies.
The custom auth filter only rejected invalid tokens but silently
passed through requests without an Authorization header, creating
a complete auth bypass. Inverted the guard to reject-first: abort
immediately when header is absent or malformed, then validate.
X-Forwarded-For is client-controlled and trivially bypassable for rate
limiting. Replaced with HttpServletRequest.getRemoteAddr() which uses
the container-provided remote address. Added note about configuring
quarkus.http.proxy.proxy-address-forwarding for trusted proxy setups.
org.apache.camel.quarkus:camel-quarkus-bom follows its own release
cadence and doesn't align with quarkus.platform.version. Replaced
with io.quarkus.platform:quarkus-camel-bom which is published at
the same version as quarkus-bom.
- Add missing @Slf4j and bucketName field to FileStorageService
- Fix PaginatedList → List type mismatch (Panache returns List)
- Fix executorService.submit → execute mock (supplyAsync uses execute)
- Update S3 failure test to throw from putObject instead of failed future
Applied to English + all 3 locale copies (tr, ja-JP, zh-CN).
The Camel route test example was missing the testPayload field
declaration, DocumentValidator mock, and @BeforeEach setup that
exist in the English source, making the snippet invalid.
Changed "Always use AssertJ" to "Prefer AssertJ for value checks" and
documented the intended pattern: JUnit assertThrows/assertDoesNotThrow
for exception lifecycle, AssertJ for value validation. This matches
the actual code examples in the document.
'unsafe-inline' for script-src negates XSS protection from CSP.
Removed it from the security headers example in quarkus-security
and all locale copies. Kept 'unsafe-inline' for style-src only
(commonly needed by CSS frameworks) with a comment recommending
nonces where possible.
Translate English prose inside plain text code blocks (```text, ```)
across ja-JP documentation to Japanese, following the same approach
as PR #753 (zh-CN translation).
Translated content includes:
- Output template labels and status messages
- Folder tree inline comments
- CLI workflow descriptions
- Error/warning message examples
- Commit message templates and PR title examples
Technical identifiers, file paths, and actual code remain untranslated.
New articles:
- the-security-guide.md: "The Shorthand Guide to Securing Your Agent" (595 lines)
Attack vectors, sandboxing, sanitization, OWASP Top 10, observability
- the-openclaw-guide.md: "The Hidden Danger of OpenClaw" (470 lines)
Security analysis of OpenClaw, MiniClaw thesis, industry evidence
External link sanitization (22 files across EN, zh-CN, zh-TW, ja-JP, .cursor):
- Removed third-party GitHub links from skills and guides
- Replaced with inline descriptions to prevent transitive prompt injection
- Kept official org links (Anthropic, Google, Supabase, Mixedbread)
