Capture the hardening patterns from the solmade audit so future Five work reuses them: authorize on resolved function name (not URL path), CSPRNG session tokens stored as hashes, argon2id with legacy-verify + upgrade, login rate-limit + timing-safe dummy hash, bluemonday HTML sanitize vs EscHtml, security headers + nonce CSP, upload allowlist (no SVG), bind-all SQL. Theme: thin Go RTL over an ecosystem crypto lib. INDEX/README updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
22 lines
2.4 KiB
Markdown
# Five RAG — retrieval manifest

Route a query to the right doc(s). Each row: file · when to retrieve · keywords.

| File | Retrieve when the task involves… | Keywords |
|------|----------------------------------|----------|
| `01-overview.md` | orienting on what Five is, runtimes, compile model, "where do I look" | five, fivenode, overview, philosophy, token-density, harbour, xbase, compile, go, runtime, gengo intrinsic |
| `02-syntax.md` | writing any Five code — declarations, control flow, literals, operators, blocks | syntax, grammar, FUNCTION, PROCEDURE, LOCAL, STATIC, IF, FOR, FOR EACH, DO WHILE, DO CASE, BEGIN SEQUENCE, IIF, code block, array, hash, string literal, operators, := == $ |
| `03-rtl-catalog.md` | "what function does X" — string/array/hash/json/date/regex/charset/math/crypto builtins | rtl, builtin, Len, SubStr, Left, Right, At, Upper, AllTrim, PadL, PadR, StrTran, Chr, Asc, Val, Str, hb_NToS, hb_CStr, AAdd, AScan, AEval, hb_HGetDef, hb_HHasKey, hb_jsonDecode, hb_jsonEncode, ValType, HB_ISHASH, regex, HB_GETCHARSET, date, hb_ATokens |
| `04-idioms.md` | building an endpoint, DB access, async/queue work, calling the LLM, building/deploying | idioms, http, endpoint, routing, AP_BODY, AP_GETPAIRS, AP_JSONRESPONSE, ctx_set, ctx_get, LABDB_GET_PG, PG_QUERY, PG_EXEC, PG_LAST_ERROR, RETURNING, CREATE TABLE IF NOT EXISTS, text_tasks, FOR UPDATE SKIP LOCKED, job queue, LLM_CHAT, fnode, build.sh, launchctl |
| `05-gotchas.md` | debugging "why doesn't this work", or BEFORE editing string funcs / charset / SQL / LLM | gotcha, trap, intrinsic, gengo, charset, utf8, string escape, Chr, pgrtl string columns, Val, hb_CStr, model local, ResolveLlmModel, two runtimes, fnode, analyzer warning, CWD module resolution |
| `06-security.md` | adding auth/login, sessions, password hashing, file uploads, or rendering user content into HTML | security, auth, authorization, role gate, session token, csprng, crypto/rand, argon2, password hash, xss, bluemonday, sanitize, csp, security headers, rate limit, cookie, upload, sql injection |

## Quick routing heuristics

- Writing new code → `02` + `04`, and skim `05` first.
- "Which builtin?" → `03`.
- Bug that defies the grammar → `05` (almost always the answer is here).
- "Why is my hbrtl edit ignored?" → `05 §1` (inlined intrinsics).
- Korean/multibyte length/char issues → `05 §2,§3` + `03` charset section.
- Numbers read from DB are wrong → `05 §4`.