docs: use secure mktemp pattern instead of predictable temp files

[sjnims]

Description

Replace predictable temp file pattern ${FILE}.tmp.$$ with secure mktemp pattern in documentation examples.

Type of Change

• Documentation update (improvements to README, CLAUDE.md, or component docs)

Component(s) Affected

• Skills (methodology and best practices)

Motivation and Context

The ${FILE}.tmp.$$ pattern is a known security anti-pattern because:

• $$ (PID) is predictable and can be enumerated
• Attackers could pre-create symlinks to sensitive files
• Race conditions between check and use

While this is documentation (not executable code), it teaches developers patterns they might copy into production scripts.

Fixes #153

Solution

Replaced all 6 instances with secure mktemp pattern:

TEMP_FILE=$(mktemp) || exit 1

Changes

File	Instances
parsing-techniques.md	3 (lines 202, 219, 228)
real-world-examples.md	3 (lines 204, 295, 359)

Testing

• Linting passes (markdownlint)
• Verified no remaining ${FILE}.tmp.$$ patterns

---

🤖 Generated with Claude Code

[claude]

Claude finished @sjnims's task in 1m 18s —— View job

---

PR Review Complete ✅

Summary

Approved - This is an excellent security improvement to the documentation examples.

---

What's Good

1. Important Security Fix: Replacing ${FILE}.tmp.$$ with mktemp addresses a real security vulnerability:

   • PID-based temp files are predictable (PIDs can be enumerated)
   • Vulnerable to symlink attacks where attackers pre-create symlinks to sensitive files
   • Race conditions between file creation and use (TOCTOU)

2. Comprehensive Coverage: All 6 instances replaced across both documentation files:

   • parsing-techniques.md: 3 instances (lines 202, 219, 228)
   • real-world-examples.md: 3 instances (lines 204, 295, 359)

3. Proper Error Handling: The new pattern includes proper error handling:

   TEMP_FILE=$(mktemp) || exit 1

   And in one case, even better error messaging:

   TEMP_FILE=$(mktemp) || { echo "Failed to create temp file" >&2; exit 1; }
   trap 'rm -f "$TEMP_FILE"' EXIT

4. Educational Value: The PR improves documentation quality by teaching developers the correct, secure pattern. This is especially important since these are examples that developers will copy.

5. Clean Implementation:

   • Markdownlint passes ✅
   • No remaining ${FILE}.tmp.$$ patterns found ✅
   • Clear commit message with rationale
   • Proper issue reference ([Docs]: Use secure mktemp pattern instead of predictable temp files #153)

Code Review Details

parsing-techniques.md changes:

• Line 202: Added error handling with trap for cleanup
• Line 219: Basic mktemp with error exit
• Line 228: Basic mktemp with error exit
• All changes include helpful comments explaining the security improvement

real-world-examples.md changes:

• Line 204: Updated example in ralph-wiggum hook
• Line 295: Updated "Best Practices" section with explanation
• Line 359: Updated "Anti-Patterns" section with improved example

The changes are consistent and follow the same secure pattern throughout.

---

Checklist Verification

• ✅ Security improvement: Valid and important fix
• ✅ Documentation quality: Examples now teach secure patterns
• ✅ Markdown linting: All files pass markdownlint
• ✅ Completeness: All instances replaced, none remaining
• ✅ Consistency: Same pattern used throughout
• ✅ Error handling: Proper error checks included

---

Recommendation

Merge this PR. This is a well-executed security improvement that enhances the educational value of the documentation. The changes are thorough, consistent, and follow security best practices.