UI5
diff --git a/‎plugins/ui5/skill-lint/src/cli/commands/analyze.ts‎
Lines changed: 97 additions & 45 deletions b/‎plugins/ui5/skill-lint/src/cli/commands/analyze.ts‎
Lines changed: 97 additions & 45 deletions
diff --git a/‎plugins/ui5/skill-lint/src/utils/extraction-constants.ts‎
Lines changed: 67 additions & 0 deletions b/‎plugins/ui5/skill-lint/src/utils/extraction-constants.ts‎
Lines changed: 67 additions & 0 deletions
diff --git a/‎plugins/ui5/skill-lint/src/utils/sanitization.ts‎
Lines changed: 63 additions & 0 deletions b/‎plugins/ui5/skill-lint/src/utils/sanitization.ts‎
Lines changed: 63 additions & 0 deletions
@@ -11,14 +11,18 @@
  */
 
 import { resolve } from 'path';
+import { writeFileSync } from 'fs';
 import { TriggerExtractor } from '../../validators/trigger-extractor.js';
 import { loadSkill } from '../../utils/file-utils.js';
 import { Logger } from '../../utils/logger.js';
+import { sanitizeForTerminal } from '../../utils/sanitization.js';
 import { DEFAULT_CONFIG } from '../../config/schema.js';
 
 export interface AnalyzeOptions {
+  /** Path to save extracted keywords as JSON */
   output?: string;
-  format?: string;
+  /** Output format (currently only 'text' and 'json' supported) */
+  format?: 'text' | 'json';
 }
 
 export async function analyzeCommand(
@@ -32,57 +36,40 @@ export async function analyzeCommand(
 
     // Load skill
     const skill = await loadSkill(resolvedPath);
+    const safeName = sanitizeForTerminal(skill.metadata.name);
 
     // Run extractor
     const extractor = new TriggerExtractor();
     const result = await extractor.validate(skill, DEFAULT_CONFIG);
 
-    // Display results
-    console.log(`\n📊 Trigger Keyword Analysis for "${skill.metadata.name}"\n`);
-    console.log('=' .repeat(70));
+    // Extract data from violations using helper
+    const extractedData = extractViolationData(result.violations);
 
-    result.violations.forEach(v => {
-      if (v.rule === 'extracted-primary-keywords') {
-        console.log(`\n✨ ${v.message}`);
-      } else if (v.rule === 'extracted-secondary-keywords') {
-        console.log(`\n🔤 ${v.message}`);
-      } else if (v.rule === 'extracted-code-patterns') {
-        console.log(`\n⚙️  ${v.message}`);
-      } else if (v.rule === 'extracted-action-phrases') {
-        console.log(`\n🎯 ${v.message}`);
-      } else if (v.rule === 'suggested-anti-keywords') {
-        console.log(`\n🚫 ${v.message}`);
-        if (v.metadata?.suggestion) {
-          console.log(`   💡 ${v.metadata.suggestion}`);
-        }
-      } else if (v.rule === 'extraction-summary') {
-        console.log(`\n${'='.repeat(70)}`);
-        console.log(`📈 ${v.message}`);
-        if (v.metadata?.suggestion) {
-          console.log(`💡 ${v.metadata.suggestion}`);
-        }
+    // Output based on format
+    if (options.format === 'json') {
+      const jsonOutput = {
+        skill: safeName,
+        ...extractedData,
+        duration: result.duration
+      };
+      
+      if (options.output) {
+        writeFileSync(options.output, JSON.stringify(jsonOutput, null, 2));
+        Logger.success(`Analysis saved to ${options.output}`);
+      } else {
+        console.log(JSON.stringify(jsonOutput, null, 2));
       }
-    });
-    
-    // Show example usage
-    console.log(`\n\n💾 Example trigger-cases.json structure:\n`);
-    console.log(JSON.stringify({
-      version: "3.0.0",
-      skill: {
-        name: skill.metadata.name,
-        triggerKeywords: "(use extracted primary keywords here)",
-        antiKeywords: "(use suggested anti-keywords here)",
-        detectionPatterns: "(use code patterns here)",
-      },
-      tests: [
-        {
-          prompt: "(create test prompts using action phrases)",
-          expected_skill: skill.metadata.name,
-          should_trigger: true,
-          category: "category-name"
-        }
-      ]
-    }, null, 2));
+    } else {
+      // Text format (default)
+      displayTextOutput(safeName, result.violations);
+      
+      // Save to file if requested
+      if (options.output) {
+        const jsonOutput = { skill: safeName, ...extractedData, duration: result.duration };
+        writeFileSync(options.output, JSON.stringify(jsonOutput, null, 2));
+        Logger.success(`\nAnalysis also saved to ${options.output}`);
+      }
+    }
 
     Logger.success(`\nAnalysis complete! Duration: ${result.duration}ms\n`);
 
@@ -93,3 +80,68 @@ export async function analyzeCommand(
     return 2;
   }
 }
+
+/**
+ * Extract structured data from violations (DRY helper)
+ */
+function extractViolationData(violations: readonly any[]) {
+  return {
+    primaryKeywords: violations.find(v => v.rule === 'extracted-primary-keywords')?.metadata?.keywords ?? [],
+    secondaryKeywords: violations.find(v => v.rule === 'extracted-secondary-keywords')?.metadata?.keywords ?? [],
+    codePatterns: violations.find(v => v.rule === 'extracted-code-patterns')?.metadata?.patterns ?? [],
+    actionPhrases: violations.find(v => v.rule === 'extracted-action-phrases')?.metadata?.phrases ?? [],
+    antiKeywords: violations.find(v => v.rule === 'suggested-anti-keywords')?.metadata?.antiKeywords ?? [],
+  };
+}
+
+/**
+ * Display text output (extracted from main function for readability)
+ */
+function displayTextOutput(skillName: string, violations: readonly any[]) {
+  console.log(`\n📊 Trigger Keyword Analysis for "${skillName}"\n`);
+  console.log('='.repeat(70));
+  
+  // Rule formatters map (DRY)
+  const formatters: Record<string, { emoji: string; showSuggestion?: boolean }> = {
+    'extracted-primary-keywords': { emoji: '✨' },
+    'extracted-secondary-keywords': { emoji: '🔤' },
+    'extracted-code-patterns': { emoji: '⚙️' },
+    'extracted-action-phrases': { emoji: '🎯' },
+    'suggested-anti-keywords': { emoji: '🚫', showSuggestion: true },
+    'extraction-summary': { emoji: '📈', showSuggestion: true },
+  };
+  
+  violations.forEach(v => {
+    const formatter = formatters[v.rule];
+    if (formatter) {
+      if (v.rule === 'extraction-summary') {
+        console.log(`\n${'='.repeat(70)}`);
+      }
+      console.log(`\n${formatter.emoji} ${v.message}`);
+      if (formatter.showSuggestion && v.suggestion) {
+        console.log(`💡 ${v.suggestion}`);
+      }
+    }
+  });
+  
+  // Show example usage
+  const data = extractViolationData(violations);
+  console.log(`\n\n💾 Example trigger-cases.json structure:\n`);
+  console.log(JSON.stringify({
+    version: "3.0.0",
+    skill: {
+      name: skillName,
+      triggerKeywords: data.primaryKeywords.slice(0, 10),
+      antiKeywords: data.antiKeywords,
+      detectionPatterns: data.codePatterns.slice(0, 10),
+    },
+    tests: [
+      {
+        prompt: data.actionPhrases[0] ?? "(create test prompts using action phrases)",
+        expected_skill: skillName,
+        should_trigger: true,
+        category: "category-name"
+      }
+    ]
+  }, null, 2));
+}
@@ -0,0 +1,67 @@
+/**
+ * Constants for TriggerExtractor
+ * Centralizes magic numbers and domain knowledge
+ */
+
+export const EXTRACTION_LIMITS = {
+  /** Max number of primary keywords to display in violation message */
+  PRIMARY_KEYWORDS_DISPLAY: 20,
+  /** Max number of secondary keywords to display */
+  SECONDARY_KEYWORDS_DISPLAY: 15,
+  /** Max number of code patterns to display */
+  CODE_PATTERNS_DISPLAY: 15,
+  /** Max number of action phrases to display */
+  ACTION_PHRASES_DISPLAY: 5,
+  /** Max number of code patterns to extract total */
+  CODE_PATTERNS_MAX: 30,
+  /** Max number of action phrases to extract total */
+  ACTION_PHRASES_MAX: 10,
+  /** Top N most frequent body words to include as keywords */
+  FREQUENT_WORDS_TOP_N: 20,
+  /** Minimum frequency count for body words */
+  WORD_FREQUENCY_MIN: 3,
+  /** Max skill content size in bytes (10MB) to prevent ReDoS */
+  MAX_CONTENT_SIZE: 10 * 1024 * 1024,
+  /** Max description size in bytes (100KB) */
+  MAX_DESCRIPTION_SIZE: 100 * 1024,
+} as const;
+
+export const AUTO_GENERATION_LIMITS = {
+  /** Number of prompts to generate from primary keywords */
+  KEYWORD_PROMPTS: 5,
+  /** Number of prompts to generate from action phrases */
+  ACTION_PROMPTS: 3,
+  /** Number of negative prompts to generate from anti-keywords */
+  NEGATIVE_PROMPTS: 3,
+} as const;
+
+/**
+ * Domain confusion mappings for anti-keyword suggestions
+ * Can be extended via config file in future
+ */
+export const DEFAULT_CONFUSION_DOMAINS: Record<string, string[]> = {
+  // Frontend frameworks
+  react: ['vue', 'angular', 'svelte'],
+  vue: ['react', 'angular'],
+  angular: ['react', 'vue'],
+  
+  // Backend frameworks
+  express: ['django', 'flask', 'fastapi'],
+  django: ['express', 'rails', 'laravel'],
+  
+  // Languages
+  typescript: ['python', 'java', 'rust'],
+  python: ['javascript', 'java', 'ruby'],
+  javascript: ['python', 'java'],
+  
+  // Mobile
+  ios: ['android', 'flutter'],
+  android: ['ios', 'flutter'],
+  
+  // SAP/UI5 (can be removed if tool should be fully agnostic)
+  ui5: ['react', 'vue', 'angular'],
+  sapui5: ['react', 'vue', 'angular'],
+  odata: ['rest', 'graphql'],
+  cap: ['express', 'nestjs'],
+  fiori: ['react', 'vue', 'angular'],
+} as const;
@@ -0,0 +1,63 @@
+/**
+ * Input sanitization utilities
+ * Prevents terminal injection, prompt injection, and other security issues
+ */
+
+/**
+ * Sanitize a string for safe display in terminal output
+ * Removes ANSI codes, control characters, and normalizes whitespace
+ */
+export function sanitizeForTerminal(input: string): string {
+  return input
+    // Remove ANSI escape codes
+    .replace(/\x1B\[[0-9;]*[a-zA-Z]/g, '')
+    // Remove other control characters except newline and tab
+    .replace(/[\x00-\x08\x0B-\x0C\x0E-\x1F\x7F]/g, '')
+    // Normalize multiple whitespace
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+
+/**
+ * Sanitize a skill name for safe use in prompts and file names
+ * Removes potentially dangerous characters
+ */
+export function sanitizeSkillName(name: string): string {
+  return name
+    // Remove shell metacharacters
+    .replace(/[;&|`$(){}[\]<>]/g, '')
+    // Remove path traversal attempts
+    .replace(/\.\./g, '')
+    // Remove quotes and backslashes
+    .replace(/['"\\]/g, '')
+    // Normalize to single spaces
+    .replace(/\s+/g, ' ')
+    .trim();
+}
+
+/**
+ * Check if content size is within safe limits
+ * @throws Error if content exceeds limit
+ */
+export function validateContentSize(content: string, maxSize: number, label: string): void {
+  const size = Buffer.byteLength(content, 'utf8');
+  if (size > maxSize) {
+    throw new Error(
+      `${label} size (${Math.round(size / 1024)}KB) exceeds maximum (${Math.round(maxSize / 1024)}KB). ` +
+      `This may indicate a malformed file or potential security issue.`
+    );
+  }
+}
+
+/**
+ * Deduplicate an array of strings (case-insensitive)
+ */
+export function deduplicateStrings(items: string[]): string[] {
+  const seen = new Set<string>();
+  return items.filter(item => {
+    const lower = item.toLowerCase();
+    if (seen.has(lower)) return false;
+    seen.add(lower);
+    return true;
+  });
+}