66 lines
2.5 KiB
Markdown
66 lines
2.5 KiB
Markdown
# Safety and Data Integrity
|
|
|
|
This document defines path safety, input validation, and data-integrity rules for `user-thoughts`.
|
|
|
|
## Path Safety
|
|
|
|
All runtime file operations must stay inside `#ustht/` unless an import command reads project-local markdown files.
|
|
|
|
Dimension names are used to construct paths, so validate them strictly:
|
|
|
|
| Rule | Reason |
|
|
|---|---|
|
|
| Each path segment uses `[a-z0-9-]` only | Prevents shell and path surprises. |
|
|
| Each segment starts and ends with `[a-z0-9]` | Avoids hidden or malformed files. |
|
|
| `/` is allowed only as a dimension subdirectory separator | Supports `ui/outline`. |
|
|
| `..`, backslashes, spaces, and absolute paths are forbidden | Prevents path traversal. |
|
|
| Reserved names are forbidden | Avoids collisions with runtime folders. |
|
|
|
|
Reserved names: `backlog`, `readme-ai`, `export`, `raw`, `ignored`, `define`, `general`.
|
|
|
|
## Content Safety
|
|
|
|
Raw entries use this format:
|
|
|
|
```text
|
|
- [HH:MM] original user text | suggested-dim:dimension
|
|
```
|
|
|
|
The suffix is agent-generated metadata. User text may contain markdown and should be preserved as written. Parse the last ` | suggested-dim:` separator only.
|
|
|
|
`<!-- processed -->` is meaningful only as the first line of a raw file. If the user mentions that string inside a thought, treat it as normal content.
|
|
|
|
## define.ini Safety
|
|
|
|
Allowed keys and values:
|
|
|
|
| Key | Allowed value |
|
|
|---|---|
|
|
| `SKILL_STATUS` | `on` or `off` |
|
|
| `INSTANT_STATUS` | `on` or `off` |
|
|
| `LAST_SORTIN` | empty or `yyyy-mm-dd HH:MM` |
|
|
|
|
Values must not contain newlines or `=`. Write the whole file rather than appending partial fragments.
|
|
|
|
## Shell Safety
|
|
|
|
- Do not execute user-provided shell commands.
|
|
- Do not use `eval` or dynamic execution.
|
|
- Construct file paths only from validated dimensions or fixed template paths.
|
|
- During initialization, copy known template files safely instead of recursively shell-copying arbitrary directories.
|
|
|
|
## Data Integrity
|
|
|
|
`sortin` is not fully atomic. To reduce partial-write risk:
|
|
|
|
1. Parse raw entries first.
|
|
2. Write dimension files.
|
|
3. Mark raw files as processed only after writes succeed.
|
|
4. Update `LAST_SORTIN` last.
|
|
|
|
Processed raw files are retained for traceability. Dimension files should be appended or marked deprecated; do not silently delete user history.
|
|
|
|
## Sensitive Data
|
|
|
|
The skill preserves original wording and does not redact secrets or personal data. Users should use ignore commands before sensitive content is captured, and teams should protect `.ustht/` with normal repository and filesystem hygiene.
|