X-Forwarded-For is client-controlled and trivially bypassable for rate
limiting. Replaced with HttpServletRequest.getRemoteAddr() which uses
the container-provided remote address. Added note about configuring
quarkus.http.proxy.proxy-address-forwarding for trusted proxy setups.
org.apache.camel.quarkus:camel-quarkus-bom follows its own release
cadence and doesn't align with quarkus.platform.version. Replaced
with io.quarkus.platform:quarkus-camel-bom which is published at
the same version as quarkus-bom.
- Add missing @Slf4j and bucketName field to FileStorageService
- Fix PaginatedList → List type mismatch (Panache returns List)
- Fix executorService.submit → execute mock (supplyAsync uses execute)
- Update S3 failure test to throw from putObject instead of failed future
Applied to English + all 3 locale copies (tr, ja-JP, zh-CN).
The Camel route test example was missing the testPayload field
declaration, DocumentValidator mock, and @BeforeEach setup that
exist in the English source, making the snippet invalid.
Changed "Always use AssertJ" to "Prefer AssertJ for value checks" and
documented the intended pattern: JUnit assertThrows/assertDoesNotThrow
for exception lifecycle, AssertJ for value validation. This matches
the actual code examples in the document.
'unsafe-inline' for script-src negates XSS protection from CSP.
Removed it from the security headers example in quarkus-security
and all locale copies. Kept 'unsafe-inline' for style-src only
(commonly needed by CSS frameworks) with a comment recommending
nonces where possible.
Translate English prose inside plain text code blocks (```text, ```)
across ja-JP documentation to Japanese, following the same approach
as PR #753 (zh-CN translation).
Translated content includes:
- Output template labels and status messages
- Folder tree inline comments
- CLI workflow descriptions
- Error/warning message examples
- Commit message templates and PR title examples
Technical identifiers, file paths, and actual code remain untranslated.
The multi-* commands (multi-plan, multi-execute, multi-workflow, multi-backend,
multi-frontend) previously required ace-tool MCP (Augment Code) which is a paid
service. This change makes ace-tool completely optional by:
- Changing "MUST call" to "If ace-tool MCP is available" for enhance_prompt
- Changing mandatory search_context calls to optional with fallback procedures
- Adding detailed fallback instructions using Claude Code built-in tools
(Glob, Grep, Read, Task/Explore agent) when ace-tool is unavailable
- Updating all translations (ja-JP, zh-CN) to match
This ensures multi-* commands work out of the box without ace-tool MCP configured.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
When installed as a plugin, /plan triggers Claude Code's built-in plan
mode instead of the plugin's plan skill. Updated all 4 README files
(EN, zh-CN, zh-TW, ja-JP) to show the plugin-namespaced form with a
comment noting the shorter form works for manual installs.
Also fixes markdownlint MD012 violation in chief-of-staff.md (trailing
double blank line from #280 merge).
Fixes#297
New articles:
- the-security-guide.md: "The Shorthand Guide to Securing Your Agent" (595 lines)
Attack vectors, sandboxing, sanitization, OWASP Top 10, observability
- the-openclaw-guide.md: "The Hidden Danger of OpenClaw" (470 lines)
Security analysis of OpenClaw, MiniClaw thesis, industry evidence
External link sanitization (22 files across EN, zh-CN, zh-TW, ja-JP, .cursor):
- Removed third-party GitHub links from skills and guides
- Replaced with inline descriptions to prevent transitive prompt injection
- Kept official org links (Anthropic, Google, Supabase, Mixedbread)
New community skills: content-hash-cache-pattern, cost-aware-llm-pipeline,
regex-vs-llm-structured-text, swift-actor-persistence, swift-protocol-di-testing
