hai/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-05-14 08:28:39 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: salvage F# agent and language guidance

Browse Source
This commit is contained in:
Affaan Mustafa
2026-05-11 21:34:30 -04:00
committed by Affaan Mustafa
parent a8836d7bbd
commit fd9453f6ee
22 changed files with 843 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
rules/fsharp/security.md Normal file
View File

@@ -0,0 +1,76 @@
---
paths:
- "**/*.fs"
- "**/*.fsx"
- "**/*.fsproj"
- "**/appsettings*.json"
---
# F# Security
> This file extends [common/security.md](../common/security.md) with F#-specific content.
## Secret Management
- Never hardcode API keys, tokens, or connection strings in source code
- Use environment variables, user secrets for local development, and a secret manager in production
- Keep `appsettings.*.json` free of real credentials
```fsharp
// BAD
let apiKey = "sk-live-123"
// GOOD
let apiKey =
configuration["OpenAI:ApiKey"]
|> Option.ofObj
|> Option.defaultWith (fun () -> failwith "OpenAI:ApiKey is not configured.")
```
## SQL Injection Prevention
- Always use parameterized queries with ADO.NET, Dapper, or EF Core
- Never concatenate user input into SQL strings
- Validate sort fields and filter operators before using dynamic query composition
```fsharp
let findByCustomer (connection: IDbConnection) customerId =
task {
let sql = "SELECT * FROM Orders WHERE CustomerId = @customerId"
return! connection.QueryAsync<Order>(sql, {| customerId = customerId |})
}
```
## Input Validation
- Validate inputs at the application boundary using types
- Use single-case discriminated unions for validated values
- Reject invalid input before it enters domain logic
```fsharp
type ValidatedEmail = private ValidatedEmail of string
module ValidatedEmail =
let create (input: string) =
if System.Text.RegularExpressions.Regex.IsMatch(input, @"^[^@]+@[^@]+\.[^@]+$") then
Ok(ValidatedEmail input)
else
Error "Invalid email address"
let value (ValidatedEmail v) = v
```
## Authentication and Authorization
- Prefer framework auth handlers instead of custom token parsing
- Enforce authorization policies at endpoint or handler boundaries
- Never log raw tokens, passwords, or PII
## Error Handling
- Return safe client-facing messages
- Log detailed exceptions with structured context server-side
- Do not expose stack traces, SQL text, or filesystem paths in API responses
## References
See skill: `security-review` for broader application security review checklists.