Vue 3与Nuxt 3开发技能：构建安全、高性能的JARVIS AI助手3D HUD界面

vue-nuxt by martinholovsky/claude-skills-generator

94 周安装量

29 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/martinholovsky/claude-skills-generator --skill vue-nuxt

Vue 前端架构安全

🇨🇳中文介绍

Vue 3 / Nuxt 3 开发技能

文件组织 : 此技能采用分割结构。高级模式和安全示例请参阅 references/ 目录。

1. 概述

此技能提供使用 Vue 3 和 Nuxt 3 构建 JARVIS AI 助手用户界面的专业知识。它专注于采用安全优先的开发实践，创建响应式、高性能的 3D HUD 界面。

风险等级 : 中等 - 处理用户输入、渲染动态内容，存在潜在的 XSS 攻击向量

主要用例 :

为 JARVIS 界面构建响应式 3D HUD 组件
服务器端渲染以提高初始加载性能
客户端状态管理集成
安全处理用户输入和 API 响应

2. 核心职责

2.1 基本原则

测试驱动开发优先 : 先写测试后实现 - 红/绿/重构循环
性能意识 : 使用 computed、shallowRef、懒加载组件以实现最佳响应性
组合式 API 优先 : 使用 Vue 3 组合式 API 和 <script setup> 以获得更好的 TypeScript 推断和代码组织
服务器端安全 : 利用 Nuxt 的服务器路由处理敏感操作，绝不向客户端暴露密钥
响应式状态安全 : 使用带正确类型声明的 ref() 和 reactive() 以防止状态损坏

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

3. 技术栈与版本

包	版本	安全说明
Vue	^3.4.0	最新稳定版，改进了响应性
Nuxt	^3.12.4+	关键 : 修复了 CVE-2024-34344 RCE
@nuxt/devtools	^1.3.9+	关键 : 修复了 CVE-2024-23657
vite	^5.0.0	最新版，包含安全补丁

3.2 安全关键依赖项

{
  "dependencies": {
    "nuxt": "^3.12.4",
    "vue": "^3.4.0",
    "dompurify": "^3.0.6",
    "isomorphic-dompurify": "^2.0.0"
  },
  "devDependencies": {
    "@nuxt/devtools": "^1.3.9",
    "eslint-plugin-vue": "^9.0.0",
    "eslint-plugin-security": "^2.0.0"
  }
}

4.1 安全组件结构

<script setup lang="ts">
// ✅ 带验证的类型安全 props
interface Props {
  hudData: HUDDisplayData
  userId: string
}

const props = defineProps<Props>()

// ✅ 带类型化载荷的事件发射
const emit = defineEmits<{
  'update:status': [status: string]
  'command:execute': [command: JARVISCommand]
}>()

// ✅ 安全的 ref 初始化
const displayState = ref<HUDState>({
  isActive: false,
  securityLevel: 'standard'
})
</script>

<template>
  <!-- ✅ 对用户内容使用 v-text 以防止 XSS -->
  <div class="hud-panel">
    <span v-text="props.hudData.title" />
  </div>
</template>

4.2 输入净化模式

// composables/useSanitize.ts
import DOMPurify from 'isomorphic-dompurify'

export function useSanitize() {
  const sanitizeHTML = (dirty: string): string => {
    // ✅ 对任何 HTML 内容进行严格净化
    return DOMPurify.sanitize(dirty, {
      ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'span'],
      ALLOWED_ATTR: ['class']
    })
  }

  const sanitizeText = (input: string): string => {
    // ✅ 为纯文本剥离所有 HTML
    return DOMPurify.sanitize(input, { ALLOWED_TAGS: [] })
  }

  return { sanitizeHTML, sanitizeText }
}

4.3 安全 API 路由模式

// server/api/jarvis/command.post.ts
import { z } from 'zod'

// ✅ 为命令验证定义严格模式
const commandSchema = z.object({
  action: z.enum(['status', 'control', 'query']),
  target: z.string().max(100).regex(/^[a-zA-Z0-9-_]+$/),
  parameters: z.record(z.string()).optional()
})

export default defineEventHandler(async (event) => {
  const body = await readBody(event)

  // ✅ 根据模式验证输入
  const result = commandSchema.safeParse(body)
  if (!result.success) {
    throw createError({
      statusCode: 400,
      message: '无效的命令格式'  // ✅ 通用错误消息
    })
  }

  // ✅ 处理已验证的命令
  const command = result.data

  // 绝不记录敏感数据
  console.log(`处理命令: ${command.action}`)

  return { success: true, commandId: generateSecureId() }
})

4.4 安全环境配置

// nuxt.config.ts
export default defineNuxtConfig({
  // ✅ 安全头部
  routeRules: {
    '/**': {
      headers: {
        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
        'X-Content-Type-Options': 'nosniff',
        'X-Frame-Options': 'DENY',
        'X-XSS-Protection': '1; mode=block'
      }
    }
  },

  // ✅ 运行时配置 - 密钥保留在服务器端
  runtimeConfig: {
    apiSecret: process.env.API_SECRET,  // 仅服务器端
    public: {
      apiBase: '/api'  // 客户端可访问
    }
  },

  // ✅ 在生产环境中禁用开发者工具
  devtools: { enabled: process.env.NODE_ENV === 'development' }
})

4.5 3D HUD 组件集成

<script setup lang="ts">
// components/HUDDisplay.vue
import { TresCanvas } from '@tresjs/core'

const props = defineProps<{
  metrics: SystemMetrics
}>()

// ✅ 在渲染前验证指标
const validatedMetrics = computed(() => {
  return {
    cpu: Math.min(100, Math.max(0, props.metrics.cpu)),
    memory: Math.min(100, Math.max(0, props.metrics.memory)),
    status: sanitizeText(props.metrics.status)
  }
})
</script>

<template>
  <TresCanvas>
    <HUDMetricsDisplay :data="validatedMetrics" />
  </TresCanvas>
</template>

5. 实现工作流 (测试驱动开发)

5.1 步骤 1: 首先编写失败的测试

始终从编写定义预期行为的测试开始:

// tests/components/VoiceIndicator.test.ts
import { describe, it, expect } from 'vitest'
import { mount } from '@vue/test-utils'
import VoiceIndicator from '@/components/VoiceIndicator.vue'

describe('VoiceIndicator', () => {
  it('默认显示空闲状态', () => {
    const wrapper = mount(VoiceIndicator)
    expect(wrapper.find('.indicator').classes()).toContain('idle')
    expect(wrapper.text()).toContain('就绪')
  })

  it('激活时显示监听状态', async () => {
    const wrapper = mount(VoiceIndicator, {
      props: { isListening: true }
    })
    expect(wrapper.find('.indicator').classes()).toContain('listening')
    expect(wrapper.find('.pulse-animation').exists()).toBe(true)
  })

  it('按下退出键时发出取消事件', async () => {
    const wrapper = mount(VoiceIndicator, {
      props: { isListening: true }
    })
    await wrapper.trigger('keydown.escape')
    expect(wrapper.emitted('cancel')).toBeTruthy()
  })
})

5.2 步骤 2: 实现通过测试所需的最小代码

仅编写足够使测试通过的代码:

<script setup lang="ts">
const props = defineProps<{ isListening?: boolean }>()
const emit = defineEmits<{ 'cancel': [] }>()

const handleKeydown = (e: KeyboardEvent) => {
  if (e.key === 'Escape') emit('cancel')
}
</script>

<template>
  <div
    class="indicator"
    :class="isListening ? 'listening' : 'idle'"
    @keydown="handleKeydown"
    tabindex="0"
  >
    <span v-if="!isListening">就绪</span>
    <div v-else class="pulse-animation" />
  </div>
</template>

5.3 步骤 3: 如有需要则重构

测试通过后，在不改变行为的前提下改进代码质量。每次重构后重新运行测试。

5.4 步骤 4: 运行完整验证

# 提交前运行所有验证步骤
npx vitest run                    # 单元测试
npx eslint . --ext .vue,.ts       # 代码检查
npx nuxi typecheck                # 类型检查
npm run build                     # 构建验证

6.1 用于派生状态的计算属性

// ❌ 错误 - 每次渲染时在模板中重新计算
<template>
  <div>{{ items.filter(i => i.active).length }} 个活跃</div>
</template>

// ✅ 正确 - 缓存直到依赖项改变
const activeCount = computed(() => items.value.filter(i => i.active).length)
<template>
  <div>{{ activeCount }} 个活跃</div>
</template>

6.2 对大型对象使用 shallowRef

// ❌ 错误 - 对大型 3D 数据进行深度响应式
const meshData = ref<MeshData>({ vertices: new Float32Array(100000), ... })

// ✅ 正确 - 浅层响应式，手动触发
const meshData = shallowRef<MeshData>({ vertices: new Float32Array(100000), ... })
// 显式触发更新
meshData.value = { ...newData }
triggerRef(meshData)

6.3 使用 defineAsyncComponent 进行懒加载

// ❌ 错误 - 所有组件预先加载
import HeavyChart from '@/components/HeavyChart.vue'

// ✅ 正确 - 仅在需要时加载
const HeavyChart = defineAsyncComponent(() =>
  import('@/components/HeavyChart.vue')
)

// 带加载状态
const HeavyChart = defineAsyncComponent({
  loader: () => import('@/components/HeavyChart.vue'),
  loadingComponent: LoadingSpinner,
  delay: 200
})

6.4 使用 v-memo 进行列表优化

<!-- ❌ 错误 - 任何更改时重新渲染所有项目 -->
<div v-for="item in items" :key="item.id">
  <ExpensiveComponent :data="item" />
</div>

<!-- ✅ 正确 - 如果项目未更改则跳过重新渲染 -->
<div v-for="item in items" :key="item.id" v-memo="[item.id, item.updated]">
  <ExpensiveComponent :data="item" />
</div>

6.5 对长列表使用虚拟滚动

<script setup lang="ts">
import { useVirtualList } from '@vueuse/core'

const { list, containerProps, wrapperProps } = useVirtualList(
  items,
  { itemHeight: 50 }
)
</script>

<template>
  <!-- ✅ 仅渲染可见项目 -->
  <div v-bind="containerProps" class="h-[400px] overflow-auto">
    <div v-bind="wrapperProps">
      <div v-for="{ data, index } in list" :key="index">
        {{ data.name }}
      </div>
    </div>
  </div>
</template>

// ❌ 错误 - 每次按键都会触发
watch(searchQuery, async (query) => {
  results.value = await searchAPI(query)
})

// ✅ 正确 - 防抖以减少 API 调用
import { watchDebounced } from '@vueuse/core'

watchDebounced(
  searchQuery,
  async (query) => {
    results.value = await searchAPI(query)
  },
  { debounce: 300 }
)

// 使用手动防抖的替代方案
watch(searchQuery, useDebounceFn(async (query) => {
  results.value = await searchAPI(query)
}, 300))

7.1 已知漏洞 (CVE 研究)

CVE	严重性	描述	缓解措施
CVE-2024-34344	高	通过测试组件的 Nuxt RCE	更新到 Nuxt 3.12.4+
CVE-2024-23657	高	开发者工具路径遍历/RCE	更新开发者工具到 1.3.9+
CVE-2023-3224	严重	开发服务器代码注入	更新到 Nuxt 3.4.4+，绝不暴露开发服务器

参见 : references/security-examples.md 获取详细的缓解代码

5.2 OWASP Top 10 覆盖范围

OWASP 类别	风险	缓解策略
A01 失效的访问控制	高	服务器端路由守卫、中间件认证
A03 注入	高	使用 Zod 进行输入验证、参数化查询
A05 安全配置错误	中	CSP 头部、安全的 nuxt.config
A07 XSS	高	v-text 指令、DOMPurify 净化

5.3 输入验证框架

// ❌ 危险 - 直接使用 v-html 与用户输入
<div v-html="userMessage" />

// ✅ 安全 - 净化的 HTML 或纯文本
<div v-html="sanitizeHTML(userMessage)" />
<span v-text="userMessage" />

// middleware/auth.ts
export default defineNuxtRouteMiddleware((to) => {
  const { authenticated } = useAuthState()

  if (!authenticated.value && to.meta.requiresAuth) {
    return navigateTo('/login')
  }
})

// tests/security/xss.test.ts
import { describe, it, expect } from 'vitest'
import { mount } from '@vue/test-utils'
import HUDPanel from '@/components/HUDPanel.vue'

describe('XSS 预防', () => {
  it('应净化恶意输入', () => {
    const wrapper = mount(HUDPanel, {
      props: {
        title: '<script>alert("xss")</script>Hello'
      }
    })

    expect(wrapper.html()).not.toContain('<script>')
    expect(wrapper.text()).toContain('Hello')
  })
})

// tests/components/HUDDisplay.test.ts
describe('HUDDisplay', () => {
  it('验证指标边界', () => {
    const wrapper = mount(HUDDisplay, {
      props: {
        metrics: { cpu: 150, memory: -10, status: 'active' }
      }
    })

    // 应将值限制在有效范围内
    expect(wrapper.vm.validatedMetrics.cpu).toBe(100)
    expect(wrapper.vm.validatedMetrics.memory).toBe(0)
  })
})

7. 常见模式 / 工作流

7.1 JARVIS HUD 组件工作流

定义 TypeScript 接口 用于所有数据结构
创建可组合项 用于共享逻辑
使用组合式 API 实现组件
在组件边界添加输入验证
为 XSS/注入编写安全测试
通过 TresJS 与 3D 场景集成

7.2 API 集成工作流

为请求/响应定义 Zod 模式
创建带验证的服务器路由
实现带错误处理的客户端可组合项
向 UI 添加加载/错误状态
测试错误情况和边界条件

8. 常见错误与反模式

8.1 关键安全反模式

切勿: 使用 v-html 与未净化的输入

<!-- ❌ 危险 - XSS 漏洞 -->
<div v-html="userProvidedContent" />

<!-- ✅ 安全 - 净化的内容 -->
<div v-html="sanitizeHTML(userProvidedContent)" />

<!-- ✅ 最佳 - 当不需要 HTML 时使用纯文本 -->
<span v-text="userProvidedContent" />

切勿: 在客户端代码中暴露密钥

// ❌ 危险 - 公共配置中的密钥
runtimeConfig: {
  public: {
    apiKey: process.env.API_KEY  // 暴露给客户端！
  }
}

// ✅ 安全 - 密钥保留在服务器端
runtimeConfig: {
  apiKey: process.env.API_KEY,  // 仅服务器端
  public: {
    apiBase: '/api'
  }
}

切勿: 仅依赖客户端验证

// ❌ 危险 - 仅客户端验证
const handleSubmit = () => {
  if (isValidEmail(email.value)) {
    $fetch('/api/subscribe', { body: { email: email.value } })
  }
}

// ✅ 安全 - 服务器端验证
// server/api/subscribe.post.ts
export default defineEventHandler(async (event) => {
  const body = await readBody(event)
  const result = emailSchema.safeParse(body)
  if (!result.success) {
    throw createError({ statusCode: 400, message: '无效的邮箱' })
  }
  // 处理已验证的邮箱
})

避免: 在计算属性中使用响应式数组

// ❌ 错误 - 每次访问都创建新数组
const filtered = computed(() => {
  return items.value.filter(i => i.active).sort()
})

// ✅ 正确 - 使用稳定引用进行记忆化
const filtered = computed(() => {
  const result = items.value.filter(i => i.active)
  result.sort((a, b) => a.name.localeCompare(b.name))
  return result
})

# 开发
npx nuxi dev --host  # 绝不暴露给公共网络！

# 安全审计
npm audit --audit-level=high
npx nuxi typecheck

# 生产构建
npx nuxi build

// 状态管理
const state = useState<T>('key', () => initialValue)

// 运行时配置访问
const config = useRuntimeConfig()

// 路由导航
const router = useRouter()
await navigateTo('/path')

13. 部署前检查清单

Nuxt 版本 >= 3.12.4 (修复了 CVE-2024-34344)
开发者工具版本 >= 1.3.9 (修复了 CVE-2024-23657)
在 nuxt.config 中配置了 CSP 头部
runtimeConfig.public 中没有密钥
所有用户输入都使用 DOMPurify 进行了净化
服务器路由使用 Zod 模式进行验证
受保护的路由上启用了认证中间件
在生产环境中禁用了开发者工具

npm audit 显示无高/严重漏洞
TypeScript 编译通过
所有安全测试通过
生产构建无错误完成

此 Vue/Nuxt 技能为构建 JARVIS AI 助手 HUD 界面提供了安全模式:

安全第一 : 始终净化输入、在服务器端验证、使用 CSP 头部
类型安全 : 全程使用 TypeScript 和严格的验证模式
性能 : 组合式 API、懒加载、高效的响应性
可维护性 : 清晰的组件结构、可复用的可组合项

记住 : JARVIS HUD 处理敏感的系统数据。每个组件都必须将用户输入视为潜在恶意，并验证所有数据边界。

references/advanced-patterns.md - 复杂组件模式
references/security-examples.md - 详细的安全实现

🇺🇸English

Vue 3 / Nuxt 3 Development Skill

File Organization : This skill uses split structure. See references/ for advanced patterns and security examples.

1. Overview

This skill provides expertise for building the JARVIS AI Assistant user interface using Vue 3 and Nuxt 3. It focuses on creating responsive, performant 3D HUD interfaces with security-first development practices.

Risk Level : MEDIUM - Handles user input, renders dynamic content, potential XSS vectors

Primary Use Cases :

Building reactive 3D HUD components for JARVIS interface
Server-side rendering for initial load performance
Client-side state management integration
Secure handling of user inputs and API responses

2. Core Responsibilities

2.1 Fundamental Principles

TDD First : Write tests before implementation - red/green/refactor cycle
Performance Aware : Use computed, shallowRef, lazy components for optimal reactivity
Composition API First : Use Vue 3 Composition API with <script setup> for better TypeScript inference and code organization
Server-Side Security : Leverage Nuxt's server routes for sensitive operations, never expose secrets to client
Reactive State Safety : Use ref() and reactive() with proper typing to prevent state corruption
Input Sanitization : Always sanitize user inputs before rendering or processing
Performance Optimization : Implement lazy loading, code splitting, and efficient reactivity for 3D HUD performance
Type Safety : Enforce TypeScript throughout for compile-time error detection
Secure Defaults : Configure CSP headers, disable dangerous features by default

3. Technology Stack & Versions

3.1 Recommended Versions

Package	Version	Security Notes
Vue	^3.4.0	Latest stable with improved reactivity
Nuxt	^3.12.4+	CRITICAL : Fixes CVE-2024-34344 RCE
@nuxt/devtools	^1.3.9+	CRITICAL : Fixes CVE-2024-23657
vite	^5.0.0	Latest with security patches

3.2 Security-Critical Dependencies

{
  "dependencies": {
    "nuxt": "^3.12.4",
    "vue": "^3.4.0",
    "dompurify": "^3.0.6",
    "isomorphic-dompurify": "^2.0.0"
  },
  "devDependencies": {
    "@nuxt/devtools": "^1.3.9",
    "eslint-plugin-vue": "^9.0.0",
    "eslint-plugin-security": "^2.0.0"
  }
}

4. Implementation Patterns

4.1 Secure Component Structure

<script setup lang="ts">
// ✅ Type-safe props with validation
interface Props {
  hudData: HUDDisplayData
  userId: string
}

const props = defineProps<Props>()

// ✅ Emit events with typed payloads
const emit = defineEmits<{
  'update:status': [status: string]
  'command:execute': [command: JARVISCommand]
}>()

// ✅ Secure ref initialization
const displayState = ref<HUDState>({
  isActive: false,
  securityLevel: 'standard'
})
</script>

<template>
  <!-- ✅ Use v-text for user content to prevent XSS -->
  <div class="hud-panel">
    <span v-text="props.hudData.title" />
  </div>
</template>

4.2 Input Sanitization Pattern

// composables/useSanitize.ts
import DOMPurify from 'isomorphic-dompurify'

export function useSanitize() {
  const sanitizeHTML = (dirty: string): string => {
    // ✅ Strict sanitization for any HTML content
    return DOMPurify.sanitize(dirty, {
      ALLOWED_TAGS: ['b', 'i', 'em', 'strong', 'span'],
      ALLOWED_ATTR: ['class']
    })
  }

  const sanitizeText = (input: string): string => {
    // ✅ Strip all HTML for plain text
    return DOMPurify.sanitize(input, { ALLOWED_TAGS: [] })
  }

  return { sanitizeHTML, sanitizeText }
}

4.3 Secure API Route Pattern

// server/api/jarvis/command.post.ts
import { z } from 'zod'

// ✅ Define strict schema for command validation
const commandSchema = z.object({
  action: z.enum(['status', 'control', 'query']),
  target: z.string().max(100).regex(/^[a-zA-Z0-9-_]+$/),
  parameters: z.record(z.string()).optional()
})

export default defineEventHandler(async (event) => {
  const body = await readBody(event)

  // ✅ Validate input against schema
  const result = commandSchema.safeParse(body)
  if (!result.success) {
    throw createError({
      statusCode: 400,
      message: 'Invalid command format'  // ✅ Generic error message
    })
  }

  // ✅ Process validated command
  const command = result.data

  // Never log sensitive data
  console.log(`Processing command: ${command.action}`)

  return { success: true, commandId: generateSecureId() }
})

4.4 Secure Environment Configuration

// nuxt.config.ts
export default defineNuxtConfig({
  // ✅ Security headers
  routeRules: {
    '/**': {
      headers: {
        'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'",
        'X-Content-Type-Options': 'nosniff',
        'X-Frame-Options': 'DENY',
        'X-XSS-Protection': '1; mode=block'
      }
    }
  },

  // ✅ Runtime config - secrets stay server-side
  runtimeConfig: {
    apiSecret: process.env.API_SECRET,  // Server only
    public: {
      apiBase: '/api'  // Client accessible
    }
  },

  // ✅ Disable devtools in production
  devtools: { enabled: process.env.NODE_ENV === 'development' }
})

4.5 3D HUD Component Integration

<script setup lang="ts">
// components/HUDDisplay.vue
import { TresCanvas } from '@tresjs/core'

const props = defineProps<{
  metrics: SystemMetrics
}>()

// ✅ Validate metrics before rendering
const validatedMetrics = computed(() => {
  return {
    cpu: Math.min(100, Math.max(0, props.metrics.cpu)),
    memory: Math.min(100, Math.max(0, props.metrics.memory)),
    status: sanitizeText(props.metrics.status)
  }
})
</script>

<template>
  <TresCanvas>
    <HUDMetricsDisplay :data="validatedMetrics" />
  </TresCanvas>
</template>

5. Implementation Workflow (TDD)

5.1 Step 1: Write Failing Test First

Always start by writing tests that define expected behavior:

// tests/components/VoiceIndicator.test.ts
import { describe, it, expect } from 'vitest'
import { mount } from '@vue/test-utils'
import VoiceIndicator from '@/components/VoiceIndicator.vue'

describe('VoiceIndicator', () => {
  it('displays idle state by default', () => {
    const wrapper = mount(VoiceIndicator)
    expect(wrapper.find('.indicator').classes()).toContain('idle')
    expect(wrapper.text()).toContain('Ready')
  })

  it('shows listening state when active', async () => {
    const wrapper = mount(VoiceIndicator, {
      props: { isListening: true }
    })
    expect(wrapper.find('.indicator').classes()).toContain('listening')
    expect(wrapper.find('.pulse-animation').exists()).toBe(true)
  })

  it('emits cancel event on escape key', async () => {
    const wrapper = mount(VoiceIndicator, {
      props: { isListening: true }
    })
    await wrapper.trigger('keydown.escape')
    expect(wrapper.emitted('cancel')).toBeTruthy()
  })
})

5.2 Step 2: Implement Minimum to Pass

Write only enough code to make the tests pass:

<script setup lang="ts">
const props = defineProps<{ isListening?: boolean }>()
const emit = defineEmits<{ 'cancel': [] }>()

const handleKeydown = (e: KeyboardEvent) => {
  if (e.key === 'Escape') emit('cancel')
}
</script>

<template>
  <div
    class="indicator"
    :class="isListening ? 'listening' : 'idle'"
    @keydown="handleKeydown"
    tabindex="0"
  >
    <span v-if="!isListening">Ready</span>
    <div v-else class="pulse-animation" />
  </div>
</template>

5.3 Step 3: Refactor if Needed

After tests pass, improve code quality without changing behavior. Re-run tests after each refactor.

5.4 Step 4: Run Full Verification

# Run all verification steps before committing
npx vitest run                    # Unit tests
npx eslint . --ext .vue,.ts       # Linting
npx nuxi typecheck                # Type checking
npm run build                     # Build verification

6. Performance Patterns

6.1 Computed Properties for Derived State

// ❌ BAD - Recalculates in template on every render
<template>
  <div>{{ items.filter(i => i.active).length }} active</div>
</template>

// ✅ GOOD - Cached until dependencies change
const activeCount = computed(() => items.value.filter(i => i.active).length)
<template>
  <div>{{ activeCount }} active</div>
</template>

6.2 shallowRef for Large Objects

// ❌ BAD - Deep reactivity on large 3D data
const meshData = ref<MeshData>({ vertices: new Float32Array(100000), ... })

// ✅ GOOD - Shallow reactivity, manual trigger
const meshData = shallowRef<MeshData>({ vertices: new Float32Array(100000), ... })
// Trigger update explicitly
meshData.value = { ...newData }
triggerRef(meshData)

6.3 defineAsyncComponent for Lazy Loading

// ❌ BAD - All components loaded upfront
import HeavyChart from '@/components/HeavyChart.vue'

// ✅ GOOD - Load only when needed
const HeavyChart = defineAsyncComponent(() =>
  import('@/components/HeavyChart.vue')
)

// With loading state
const HeavyChart = defineAsyncComponent({
  loader: () => import('@/components/HeavyChart.vue'),
  loadingComponent: LoadingSpinner,
  delay: 200
})

6.4 v-memo for List Optimization

<!-- ❌ BAD - Re-renders all items on any change -->
<div v-for="item in items" :key="item.id">
  <ExpensiveComponent :data="item" />
</div>

<!-- ✅ GOOD - Skip re-render if item unchanged -->
<div v-for="item in items" :key="item.id" v-memo="[item.id, item.updated]">
  <ExpensiveComponent :data="item" />
</div>

6.5 Virtual Scrolling for Long Lists

<script setup lang="ts">
import { useVirtualList } from '@vueuse/core'

const { list, containerProps, wrapperProps } = useVirtualList(
  items,
  { itemHeight: 50 }
)
</script>

<template>
  <!-- ✅ Only renders visible items -->
  <div v-bind="containerProps" class="h-[400px] overflow-auto">
    <div v-bind="wrapperProps">
      <div v-for="{ data, index } in list" :key="index">
        {{ data.name }}
      </div>
    </div>
  </div>
</template>

6.6 Debounced Watchers

// ❌ BAD - Fires on every keystroke
watch(searchQuery, async (query) => {
  results.value = await searchAPI(query)
})

// ✅ GOOD - Debounced to reduce API calls
import { watchDebounced } from '@vueuse/core'

watchDebounced(
  searchQuery,
  async (query) => {
    results.value = await searchAPI(query)
  },
  { debounce: 300 }
)

// Alternative with manual debounce
watch(searchQuery, useDebounceFn(async (query) => {
  results.value = await searchAPI(query)
}, 300))

7. Security Standards

7.1 Known Vulnerabilities (CVE Research)

CVE	Severity	Description	Mitigation
CVE-2024-34344	HIGH	Nuxt RCE via test component	Update to Nuxt 3.12.4+
CVE-2024-23657	HIGH	Devtools path traversal/RCE	Update devtools to 1.3.9+
CVE-2023-3224	CRITICAL	Dev server code injection	Update to Nuxt 3.4.4+, never expose dev server

See : references/security-examples.md for detailed mitigation code

5.2 OWASP Top 10 Coverage

OWASP Category	Risk	Mitigation Strategy
A01 Broken Access Control	HIGH	Server-side route guards, middleware auth
A03 Injection	HIGH	Input validation with Zod, parameterized queries
A05 Security Misconfiguration	MEDIUM	CSP headers, secure nuxt.config
A07 XSS	HIGH	v-text directive, DOMPurify sanitization

5.3 Input Validation Framework

// ❌ DANGEROUS - Direct v-html with user input
<div v-html="userMessage" />

// ✅ SECURE - Sanitized HTML or plain text
<div v-html="sanitizeHTML(userMessage)" />
<span v-text="userMessage" />

5.4 Authentication Middleware

// middleware/auth.ts
export default defineNuxtRouteMiddleware((to) => {
  const { authenticated } = useAuthState()

  if (!authenticated.value && to.meta.requiresAuth) {
    return navigateTo('/login')
  }
})

6. Testing & Quality

6.1 Security Testing

// tests/security/xss.test.ts
import { describe, it, expect } from 'vitest'
import { mount } from '@vue/test-utils'
import HUDPanel from '@/components/HUDPanel.vue'

describe('XSS Prevention', () => {
  it('should sanitize malicious input', () => {
    const wrapper = mount(HUDPanel, {
      props: {
        title: '<script>alert("xss")</script>Hello'
      }
    })

    expect(wrapper.html()).not.toContain('<script>')
    expect(wrapper.text()).toContain('Hello')
  })
})

6.2 Component Testing

// tests/components/HUDDisplay.test.ts
describe('HUDDisplay', () => {
  it('validates metric bounds', () => {
    const wrapper = mount(HUDDisplay, {
      props: {
        metrics: { cpu: 150, memory: -10, status: 'active' }
      }
    })

    // Should clamp values to valid range
    expect(wrapper.vm.validatedMetrics.cpu).toBe(100)
    expect(wrapper.vm.validatedMetrics.memory).toBe(0)
  })
})

7. Common Patterns / Workflows

7.1 JARVIS HUD Component Workflow

Define TypeScript interfaces for all data structures
Create composable for shared logic
Implement component with Composition API
Add input validation at component boundary
Write security tests for XSS/injection
Integrate with 3D scene via TresJS

7.2 API Integration Workflow

Define Zod schema for request/response
Create server route with validation
Implement client composable with error handling
Add loading/error states to UI
Test error cases and edge conditions

8. Common Mistakes & Anti-Patterns

8.1 Critical Security Anti-Patterns

Never: Use v-html with Unsanitized Input

<!-- ❌ DANGEROUS - XSS vulnerability -->
<div v-html="userProvidedContent" />

<!-- ✅ SECURE - Sanitized content -->
<div v-html="sanitizeHTML(userProvidedContent)" />

<!-- ✅ BEST - Plain text when HTML not needed -->
<span v-text="userProvidedContent" />

Never: Expose Secrets in Client Code

// ❌ DANGEROUS - Secret in public config
runtimeConfig: {
  public: {
    apiKey: process.env.API_KEY  // Exposed to client!
  }
}

// ✅ SECURE - Secrets stay server-side
runtimeConfig: {
  apiKey: process.env.API_KEY,  // Server only
  public: {
    apiBase: '/api'
  }
}

Never: Trust Client-Side Validation Alone

// ❌ DANGEROUS - Client-only validation
const handleSubmit = () => {
  if (isValidEmail(email.value)) {
    $fetch('/api/subscribe', { body: { email: email.value } })
  }
}

// ✅ SECURE - Server-side validation
// server/api/subscribe.post.ts
export default defineEventHandler(async (event) => {
  const body = await readBody(event)
  const result = emailSchema.safeParse(body)
  if (!result.success) {
    throw createError({ statusCode: 400, message: 'Invalid email' })
  }
  // Process validated email
})

8.2 Performance Anti-Patterns

Avoid: Reactive Arrays in Computed

// ❌ BAD - Creates new array on every access
const filtered = computed(() => {
  return items.value.filter(i => i.active).sort()
})

// ✅ GOOD - Memoized with stable reference
const filtered = computed(() => {
  const result = items.value.filter(i => i.active)
  result.sort((a, b) => a.name.localeCompare(b.name))
  return result
})

9. Quick Reference

Essential Commands

# Development
npx nuxi dev --host  # Never expose to public network!

# Security audit
npm audit --audit-level=high
npx nuxi typecheck

# Production build
npx nuxi build

Key Composables

// State management
const state = useState<T>('key', () => initialValue)

// Runtime config access
const config = useRuntimeConfig()

// Route navigation
const router = useRouter()
await navigateTo('/path')

13. Pre-Deployment Checklist

Security Verification

Nuxt version >= 3.12.4 (CVE-2024-34344 fix)
Devtools version >= 1.3.9 (CVE-2024-23657 fix)
CSP headers configured in nuxt.config
No secrets in runtimeConfig.public
All user inputs sanitized with DOMPurify
Server routes validate with Zod schemas
Authentication middleware on protected routes
Devtools disabled in production

Build Verification

npm audit shows no high/critical vulnerabilities
TypeScript compilation passes
All security tests pass
Production build completes without errors

14. Summary

This Vue/Nuxt skill provides secure patterns for building the JARVIS AI Assistant HUD interface:

Security First : Always sanitize inputs, validate on server, use CSP headers
Type Safety : TypeScript throughout with strict validation schemas
Performance : Composition API, lazy loading, efficient reactivity
Maintainability : Clear component structure, composables for reuse

Remember : The JARVIS HUD handles sensitive system data. Every component must treat user input as potentially malicious and validate all data boundaries.

References :

references/advanced-patterns.md - Complex component patterns
references/security-examples.md - Detailed security implementations

Weekly Installs

Repository

martinholovsky/…enerator

GitHub Stars

First Seen

Jan 20, 2026

Security Audits

Gen Agent Trust HubFail SocketPass SnykPass

Installed on

codex74

gemini-cli74

opencode73

github-copilot70

cursor69

claude-code63

Azure PostgreSQL 无密码身份验证配置指南：Entra ID 迁移与访问管理

34,800 周安装