@archpublicwebsite/eslint-config 1.0.13 → 1.0.16

package/tools/security/scan.mjs

@@ -0,0 +1,465 @@
+#!/usr/bin/env node
+/**
+ * @archipelago/security-scan
+ *
+ * Pre-commit scanner inspired by socket.dev.
+ * Detects malicious code in staged files and supply-chain risks in
+ * newly added packages — blocking zero-day attacks before they reach
+ * CI or production.
+ *
+ * ┌─────────────────────────────────────────────────────┐
+ * │  What is checked                                    │
+ * │  1. Staged .js/.ts/.vue files — eval, obfuscation,  │
+ * │     base64 payloads, net/dns/child_process in       │
+ * │     build-config files, prototype pollution         │
+ * │  2. Newly added npm packages — install scripts      │
+ * │     with curl/wget, base64-exec, credential theft   │
+ * │  3. Typosquatting — package names within edit-      │
+ * │     distance 1 of popular npm packages              │
+ * └─────────────────────────────────────────────────────┘
+ *
+ * Environment flags:
+ *   SKIP_SECURITY_SCAN=1   Bypass all checks (logged loudly to stderr)
+ *   SECURITY_AUDIT=1       Also run `pnpm audit` and surface known CVEs
+ */
+
+import { existsSync, readFileSync } from 'node:fs'
+import { extname, join } from 'node:path'
+import {
+  CONFIG_FILE_PATTERNS,
+  FILE_PATTERNS,
+  INSTALL_SCRIPT_PATTERNS,
+  POPULAR_PACKAGES,
+  SCAN_EXTENSIONS,
+} from './patterns.mjs'
+import {
+  getRepoRoot,
+  getStagedNameStatus,
+  runSafe,
+} from '../git-hooks/shared.mjs'
+
+// ─── ANSI colours ──────────────────────────────────────────────────────────────
+const R = '\x1b[0m'
+const RED = '\x1b[31m'
+const YLW = '\x1b[33m'
+const CYN = '\x1b[36m'
+const GRN = '\x1b[32m'
+const BOLD = '\x1b[1m'
+const DIM = '\x1b[2m'
+const HR = `${DIM}${'─'.repeat(62)}${R}`
+
+function badge(severity) {
+  switch (severity) {
+    case 'critical': return `${RED}${BOLD}[CRITICAL]${R}`
+    case 'high':     return `${RED}[HIGH]    ${R}`
+    case 'medium':   return `${YLW}[MEDIUM]  ${R}`
+    default:         return `${CYN}[LOW]     ${R}`
+  }
+}
+
+function isBlocking(severity) {
+  return severity === 'critical' || severity === 'high'
+}
+
+// ─── Helpers ───────────────────────────────────────────────────────────────────
+
+function isConfigFile(filePath) {
+  return CONFIG_FILE_PATTERNS.some(p => p.test(filePath))
+}
+
+// Files that intentionally contain dangerous-pattern literals for lint/security
+// rule definitions and scanner fixture tests. Scanning them with FILE_PATTERNS
+// causes self-referential false positives and blocks commits.
+const SELF_REFERENTIAL_SCAN_EXCLUSIONS = [
+  'packages/eslint-config/eslint.config.mjs',
+  'packages/eslint-config/tools/security/patterns.mjs',
+  'packages/eslint-config/tools/security/test-patterns.mjs',
+]
+
+function shouldSkipSelfReferentialFile(filePath) {
+  const normalizedPath = filePath.replaceAll('\\', '/')
+  return SELF_REFERENTIAL_SCAN_EXCLUSIONS.some(excluded => normalizedPath.endsWith(excluded))
+}
+
+function collectPatternFindings(lines, isConfig, filePath) {
+  const findings = []
+
+  for (const pattern of FILE_PATTERNS) {
+    if (pattern.configOnly && !isConfig) continue
+
+    for (let i = 0; i < lines.length; i++) {
+      if (pattern.regex.test(lines[i])) {
+        findings.push({
+          file: filePath,
+          line: i + 1,
+          lineContent: lines[i].trim().slice(0, 120),
+          patternId: pattern.id,
+          severity: pattern.severity,
+          message: pattern.message,
+        })
+      }
+    }
+  }
+
+  return findings
+}
+
+function collectObfuscatedLineFindings(lines, filePath) {
+  const findings = []
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (line.length <= 800) continue
+
+    // Encoded payload lines tend to have unusually high symbol density.
+    const nonWord = (line.match(/[^a-zA-Z0-9\s.,;:(){}[\]=<>+\-*/'"_]/g) || []).length
+    const density = nonWord / line.length
+    if (density <= 0.18) continue
+
+    findings.push({
+      file: filePath,
+      line: i + 1,
+      lineContent: `[${line.length} chars] ${line.trim().slice(0, 80)}…`,
+      patternId: 'long-obfuscated-line',
+      severity: 'critical',
+      message: `Line is ${line.length} chars with high symbol density (${(density * 100).toFixed(0)}%) — likely an embedded payload (dropper pattern)`,
+    })
+  }
+
+  return findings
+}
+
+/**
+ * Read the staged (index) version of a file so we scan exactly what will be
+ * committed — not any unsaved working-tree changes.
+ */
+function readStagedContent(filePath) {
+  return runSafe(`git show ":${filePath}"`)
+}
+
+/**
+ * Levenshtein distance between two strings.
+ * Used to detect typosquatted package names.
+ * @param {string} a
+ * @param {string} b
+ * @returns {number}
+ */
+function levenshtein(a, b) {
+  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i])
+  for (let j = 0; j <= b.length; j++) dp[0][j] = j
+  for (let i = 1; i <= a.length; i++) {
+    for (let j = 1; j <= b.length; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1])
+    }
+  }
+  return dp[a.length][b.length]
+}
+
+/**
+ * Returns the popular package name that the given name is likely a typosquat
+ * of (edit distance === 1), or null if no match.
+ * @param {string} pkgName
+ * @returns {string|null}
+ */
+function detectTyposquat(pkgName) {
+  // Strip npm scope for comparison
+  const bare = pkgName.startsWith('@') ? (pkgName.split('/')[1] ?? pkgName) : pkgName
+  if (bare.length < 3) return null
+
+  for (const popular of POPULAR_PACKAGES) {
+    if (bare === popular) return null // exact match is fine
+    if (levenshtein(bare.toLowerCase(), popular.toLowerCase()) === 1) return popular
+  }
+  return null
+}
+
+// ─── Stage-file scanner ────────────────────────────────────────────────────────
+
+/**
+ * @typedef {{ file: string, line: number, lineContent: string,
+ *             patternId: string, severity: string, message: string }} FileFinding
+ */
+
+/**
+ * Scan every staged JS/TS/Vue file against FILE_PATTERNS.
+ * @param {string} _repoRoot   (unused here but kept for symmetry)
+ * @returns {FileFinding[]}
+ */
+function scanStagedFiles(_repoRoot) {
+  const staged = getStagedNameStatus()
+  const toScan = staged.filter(({ status, path }) =>
+    ['A', 'M'].includes(status[0]) && SCAN_EXTENSIONS.has(extname(path)),
+  )
+
+  if (toScan.length === 0) return []
+
+  process.stdout.write(`\nScanning ${toScan.length} staged source file(s)...\n`)
+
+  const findings = []
+  let skipped = 0
+
+  for (const { path: filePath } of toScan) {
+    if (shouldSkipSelfReferentialFile(filePath)) {
+      skipped++
+      continue
+    }
+
+    const content = readStagedContent(filePath)
+    if (!content) continue
+
+    const lines = content.split('\n')
+    const isConfig = isConfigFile(filePath)
+
+    findings.push(
+      ...collectPatternFindings(lines, isConfig, filePath),
+      ...collectObfuscatedLineFindings(lines, filePath),
+    )
+  }
+
+  if (skipped > 0) {
+    process.stdout.write(`Skipping ${skipped} self-referential security definition/test file(s).\n`)
+  }
+
+  return findings
+}
+
+// ─── Supply-chain scanner ──────────────────────────────────────────────────────
+
+/**
+ * Compare staged vs committed package.json files to find packages that were
+ * newly added in this commit (across all dependency fields).
+ * @returns {string[]} Array of package names
+ */
+function getNewlyAddedPackages() {
+  const staged = getStagedNameStatus()
+  const pkgFiles = staged.filter(({ status, path }) =>
+    ['A', 'M'].includes(status[0])
+    && path.endsWith('package.json')
+    && !path.includes('node_modules'),
+  )
+
+  if (pkgFiles.length === 0) return []
+
+  const depFields = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies']
+
+  function extractDepNames(jsonContent) {
+    if (!jsonContent) return new Set()
+    try {
+      const pkg = JSON.parse(jsonContent)
+      const all = new Set()
+      for (const field of depFields) {
+        if (pkg[field] && typeof pkg[field] === 'object') {
+          for (const name of Object.keys(pkg[field])) all.add(name)
+        }
+      }
+      return all
+    }
+    catch {
+      return new Set()
+    }
+  }
+
+  const added = new Set()
+
+  for (const { path: pkgFile } of pkgFiles) {
+    const newContent = readStagedContent(pkgFile)
+    const oldContent = runSafe(`git show "HEAD:${pkgFile}"`)
+    const newDeps = extractDepNames(newContent)
+    const oldDeps = extractDepNames(oldContent)
+    for (const name of newDeps) {
+      if (!oldDeps.has(name)) added.add(name)
+    }
+  }
+
+  return [...added]
+}
+
+/**
+ * @typedef {{ pkg: string, scriptName?: string, patternId: string,
+ *             severity: string, message: string, lineContent: string }} SupplyFinding
+ */
+
+/**
+ * Inspect a single package's install scripts in node_modules.
+ * @param {string} pkgName
+ * @param {string} repoRoot
+ * @returns {SupplyFinding[]}
+ */
+function checkInstallScripts(pkgName, repoRoot) {
+  const pkgJsonPath = join(repoRoot, 'node_modules', pkgName, 'package.json')
+  if (!existsSync(pkgJsonPath)) return []
+
+  let pkg
+  try {
+    pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8'))
+  }
+  catch {
+    return []
+  }
+
+  const findings = []
+  const scriptFields = ['preinstall', 'install', 'postinstall']
+
+  for (const scriptName of scriptFields) {
+    const script = pkg.scripts?.[scriptName]
+    if (!script) continue
+
+    // Always surface that an install script exists (medium — for awareness)
+    findings.push({
+      pkg: pkgName,
+      scriptName,
+      patternId: 'install-script-present',
+      severity: 'medium',
+      message: `Package has a ${scriptName} script — verify it is legitimate`,
+      lineContent: script.slice(0, 120),
+    })
+
+    // Check for specific dangerous patterns (high/critical)
+    for (const pattern of INSTALL_SCRIPT_PATTERNS) {
+      if (pattern.regex.test(script)) {
+        findings.push({
+          pkg: pkgName,
+          scriptName,
+          patternId: pattern.id,
+          severity: pattern.severity,
+          message: pattern.message,
+          lineContent: script.slice(0, 120),
+        })
+      }
+    }
+  }
+
+  return findings
+}
+
+/**
+ * Run the full supply-chain scan: typosquatting + install-script analysis
+ * for every newly added package.
+ * @param {string} repoRoot
+ * @returns {SupplyFinding[]}
+ */
+function scanNewDependencies(repoRoot) {
+  const newPkgs = getNewlyAddedPackages()
+  if (newPkgs.length === 0) return []
+
+  process.stdout.write(`\nSupply-chain scan: ${newPkgs.length} newly added package(s)...\n`)
+
+  const findings = []
+
+  for (const pkgName of newPkgs) {
+    // 1. Typosquatting
+    const similar = detectTyposquat(pkgName)
+    if (similar) {
+      findings.push({
+        pkg: pkgName,
+        patternId: 'typosquat',
+        severity: 'high',
+        message: `Possible typosquat of "${similar}" — verify the package name is correct`,
+        lineContent: `"${pkgName}" is 1 edit away from "${similar}"`,
+      })
+    }
+
+    // 2. Install scripts
+    const scriptFindings = checkInstallScripts(pkgName, repoRoot)
+    findings.push(...scriptFindings)
+  }
+
+  return findings
+}
+
+// ─── Optional: pnpm/npm audit ─────────────────────────────────────────────────
+
+/**
+ * Run `pnpm audit --audit-level=high` when SECURITY_AUDIT=1 is set.
+ * Non-fatal: output is printed but does not block the commit so it doesn't
+ * slow down normal developer workflows.
+ */
+function runAudit(repoRoot) {
+  if (process.env.SECURITY_AUDIT !== '1') return
+
+  process.stdout.write(`\nRunning pnpm audit (SECURITY_AUDIT=1)...\n`)
+  const result = runSafe('pnpm audit --audit-level=high 2>&1')
+  if (result) {
+    process.stdout.write(`${DIM}${result}${R}\n`)
+  }
+}
+
+// ─── Output helpers ────────────────────────────────────────────────────────────
+
+function printFileFinding(f) {
+  console.log(`\n  ${badge(f.severity)} ${DIM}${f.file}:${f.line}${R}`)
+  console.log(`  ${BOLD}${f.message}${R}`)
+  console.log(`  ${DIM}│${R}  ${f.lineContent}`)
+}
+
+function printSupplyFinding(f) {
+  if (f.patternId === 'install-script-present') {
+    console.log(`  ${DIM}⚑${R}  ${BOLD}${f.pkg}${R} — ${f.scriptName}: ${DIM}${f.lineContent}${R}`)
+    return
+  }
+  const scriptLabel = f.scriptName ? ` (${DIM}${f.scriptName}${R})` : ''
+  console.log(`\n  ${badge(f.severity)} ${BOLD}${f.pkg}${R}${scriptLabel}`)
+  console.log(`  ${f.message}`)
+  console.log(`  ${DIM}│${R}  ${f.lineContent}`)
+}
+
+// ─── Entry point ───────────────────────────────────────────────────────────────
+
+function main() {
+  if (process.env.SKIP_SECURITY_SCAN === '1') {
+    process.stderr.write(
+      `\n${YLW}${BOLD}⚠  SKIP_SECURITY_SCAN=1 — all security checks bypassed.${R}\n`
+      + `${YLW}   This bypass is intentional and has been logged.${R}\n\n`,
+    )
+    return
+  }
+
+  const repoRoot = getRepoRoot()
+
+  console.log(`\n${HR}`)
+  console.log(`  ${BOLD}@archipelago/security-scan${R}  ${DIM}socket.dev-style pre-commit guard${R}`)
+  console.log(HR)
+
+  const fileFindings = scanStagedFiles(repoRoot)
+  const supplyFindings = scanNewDependencies(repoRoot)
+
+  runAudit(repoRoot)
+
+  const allFindings = [...fileFindings, ...supplyFindings]
+
+  if (fileFindings.length > 0) {
+    console.log(`\n${BOLD}Source-code findings:${R}`)
+    fileFindings.forEach(printFileFinding)
+  }
+
+  if (supplyFindings.length > 0) {
+    console.log(`\n${BOLD}Supply-chain findings:${R}`)
+    supplyFindings.forEach(printSupplyFinding)
+  }
+
+  const blocking = allFindings.filter(f => isBlocking(f.severity))
+  const warnings = allFindings.filter(f => !isBlocking(f.severity))
+
+  console.log(`\n${HR}`)
+
+  if (blocking.length === 0) {
+    const warnNote = warnings.length > 0 ? `  ${DIM}(${warnings.length} warning(s) — review recommended)${R}` : ''
+    console.log(`  ${GRN}${BOLD}✔  Security scan passed${R}${warnNote}`)
+    console.log(HR)
+    console.log()
+    return
+  }
+
+  console.log(
+    `  ${RED}${BOLD}✖  COMMIT BLOCKED${R} — ${blocking.length} critical/high security issue(s) found`,
+  )
+  console.log(`  ${DIM}To bypass (emergencies only): SKIP_SECURITY_SCAN=1 git commit …${R}`)
+  console.log(HR)
+  console.log()
+
+  process.exit(1)
+}
+
+main()

package/tools/security/test-patterns.mjs

@@ -0,0 +1,130 @@
+#!/usr/bin/env node
+/**
+ * Pattern-detection self-test
+ * Run: node packages/eslint-config/tools/security/test-patterns.mjs
+ *
+ * Validates that every attack vector in the wild (including the dropper from
+ * the supply-chain report) is caught by FILE_PATTERNS.
+ */
+import { FILE_PATTERNS } from './patterns.mjs'
+
+const RED = '\x1b[31m'
+const GRN = '\x1b[32m'
+const YLW = '\x1b[33m'
+const BOLD = '\x1b[1m'
+const R = '\x1b[0m'
+
+// ─── Test cases (real-world attack lines) ─────────────────────────────────────
+
+const testCases = [
+  // ── From the exact dropper submitted in the issue ─────────────────────────
+  {
+    label: 'Dropper — global require hijack',
+    expectedId: 'require-global-hijack',
+    line: "global[_$_1e42[0]]= require;",
+  },
+  {
+    label: 'Dropper — global bracket assignment via decoded array',
+    expectedId: 'global-bracket-assignment-index',
+    line: "global[_$_1e42[2]]= module",
+  },
+  {
+    label: 'Dropper — obfuscated _$_ variable names',
+    expectedId: 'obfuscated-variable-names',
+    line: "var _$_1e42=(function(l,e){var h=l.length;var g=[];",
+  },
+  {
+    label: 'Dropper — shuffle-cipher IIFE bootstrap',
+    expectedId: 'shuffle-cipher-iife',
+    line: `var _$_1e42=(function(l,e){var h=l.length;var g=[];for(var j=0;j<h;j++){g[j]=l.charAt(j)};for(var j=0;j<h;j++){var s=e*(j+489)+(e%19597);var w=e*(j+659)+(e%48014);var t=s%h;var p=w%h;var y=g[t];g[t]=g[p];g[p]=y;e=(s+w)%4573868};return g.join('')})("rmcej%otb%",2857687)`,
+  },
+  {
+    label: 'Dropper — array-based Function call chain (final execution)',
+    expectedId: 'array-fn-call-chain',
+    line: "var Tgw=jFD(LQI,pYd );Tgw(2509);",
+  },
+
+  // ── Classic attack patterns ───────────────────────────────────────────────
+  {
+    label: 'eval() call',
+    expectedId: 'no-eval',
+    line: "const x = eval(someVar)",
+  },
+  {
+    label: 'new Function() call',
+    expectedId: 'no-new-func',
+    line: "const fn = new Function('a','return a+1')",
+  },
+  {
+    label: 'Buffer base64 decode',
+    expectedId: 'base64-decode',
+    line: `const payload = Buffer.from('abc123', 'base64').toString()`,
+  },
+  {
+    label: 'String.fromCharCode obfuscation',
+    expectedId: 'charcode-obfuscation',
+    line: "const s = String.fromCharCode(104, 101, 108, 108, 111, 32, 119, 111, 114)",
+  },
+  {
+    label: 'Hex-escaped string payload',
+    expectedId: 'hex-string-obfuscation',
+    line: String.raw`const k='\x68\x65\x6c\x6c\x6f\x77\x6f\x72\x6c\x64\x68\x65\x6c\x6c\x6f\x77\x6f\x72\x6c\x64\x20\x68'`,
+  },
+  {
+    label: 'Trojan Source (unicode bidi control)',
+    expectedId: 'unicode-bidi-control',
+    line: 'const safe = true;\u202E // hidden direction override',
+  },
+  {
+    label: 'Zero-width hidden character',
+    expectedId: 'zero-width-hidden-char',
+    line: 'const key = "api\u200BToken"',
+  },
+  {
+    label: 'defineProperty hidden getter backdoor',
+    expectedId: 'define-property-backdoor-getter',
+    line: 'Object.defineProperty(globalThis, "loader", { get: function(){ return eval(secret) } })',
+  },
+  {
+    label: 'Prototype pollution',
+    expectedId: 'prototype-pollution',
+    line: "obj.__proto__ = { admin: true }",
+  },
+  {
+    label: 'child_process in config',
+    expectedId: 'child-process-in-config',
+    configOnly: true,
+    line: "const { execSync } = require('child_process')",
+  },
+]
+
+// ─── Run tests ────────────────────────────────────────────────────────────────
+
+let passed = 0
+let failed = 0
+
+for (const tc of testCases) {
+  // For configOnly patterns, the scanner applies them; we can test them directly
+  const matched = FILE_PATTERNS.filter(p => p.regex.test(tc.line))
+  const hit = matched.find(p => p.id === tc.expectedId)
+
+  if (hit) {
+    console.log(`${GRN}✔${R}  ${tc.label}`)
+    console.log(`   ${YLW}→ [${hit.severity.toUpperCase()}] ${hit.id}${R}`)
+    passed++
+  }
+  else {
+    console.log(`${RED}${BOLD}✖  ${tc.label}${R}`)
+    console.log(`   Expected pattern id: ${tc.expectedId}`)
+    if (matched.length > 0)
+      console.log(`   (other matches: ${matched.map(p => p.id).join(', ')})`)
+    else
+      console.log(`   (no patterns matched this line)`)
+    failed++
+  }
+}
+
+console.log(`\n${'─'.repeat(50)}`)
+const failedText = failed > 0 ? `${RED}${BOLD}${failed} FAILED${R}` : ''
+console.log(`${passed} passed  ${failedText}`)
+if (failed > 0) process.exit(1)

package/tools/setup/install.mjs

@@ -1,9 +1,11 @@
 import { execSync } from 'node:child_process'
-import { chmodSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
-import { join } from 'node:path'
+import { chmodSync, copyFileSync, existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs'
+import { dirname, join } from 'node:path'
+import { fileURLToPath } from 'node:url'
 import { ensureVscodeSettings } from './vscode.mjs'
 
 const TAG = '[@archpublicwebsite/eslint-config]'
+const __dirname = dirname(fileURLToPath(import.meta.url))
 
 function log(msg) {
   console.log(`${TAG} ${msg}`)
@@ -193,6 +195,70 @@ function ensureHooksPath(projectRoot) {
   }
 }
 
+// ─── security shell scripts ────────────────────────────────────────────────
+
+function ensureSecurityScripts(projectRoot) {
+  const securityDir = join(__dirname, '../security')
+  const scripts = ['safe-reinstall.sh', 'scan-global.sh']
+
+  let created = false
+
+  for (const scriptName of scripts) {
+    const sourcePath = join(securityDir, scriptName)
+    const targetPath = join(projectRoot, scriptName)
+
+    if (!existsSync(sourcePath) || existsSync(targetPath)) {
+      continue
+    }
+
+    copyFileSync(sourcePath, targetPath)
+    chmodSync(targetPath, 0o755)
+    created = true
+  }
+
+  if (created) {
+    log('Created security scripts (safe-reinstall.sh, scan-global.sh)')
+  }
+}
+
+function ensurePackageScripts(projectRoot) {
+  const packageJsonPath = join(projectRoot, 'package.json')
+  if (!existsSync(packageJsonPath)) {
+    return
+  }
+
+  let pkg
+  try {
+    pkg = JSON.parse(readFileSync(packageJsonPath, 'utf8'))
+  }
+  catch {
+    return
+  }
+
+  const scripts = pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {}
+  const desiredScripts = {
+    precommit: 'node node_modules/@archpublicwebsite/eslint-config/tools/git-hooks/pre-commit.mjs',
+    'security:global-scan': 'bash ./node_modules/@archpublicwebsite/eslint-config/tools/security/scan-global.sh',
+    'security:safe-check': 'bash ./node_modules/@archpublicwebsite/eslint-config/tools/security/safe-reinstall.sh --check-only',
+  }
+
+  let updated = false
+  for (const [name, value] of Object.entries(desiredScripts)) {
+    if (!scripts[name]) {
+      scripts[name] = value
+      updated = true
+    }
+  }
+
+  if (!updated) {
+    return
+  }
+
+  pkg.scripts = scripts
+  writeFileSync(packageJsonPath, `${JSON.stringify(pkg, null, 2)}\n`, 'utf8')
+  log('Updated package.json scripts (precommit, security:global-scan, security:safe-check)')
+}
+
 // ─── .vscode/extensions.json ────────────────────────────────────────────────
 
 function ensureVscodeExtensions(projectRoot) {
@@ -240,6 +306,8 @@ function main() {
   ensurePrettierConfig(projectRoot)
   ensureHooks(projectRoot)
   ensureHooksPath(projectRoot)
+  ensureSecurityScripts(projectRoot)
+  ensurePackageScripts(projectRoot)
   ensureVscodeSettings(projectRoot)
   ensureVscodeExtensions(projectRoot)