@codyswann/lisa 1.13.0 → 1.15.0

package/expo/package-lisa/package.lisa.json

@@ -18,7 +18,8 @@
       "fetch:graphql:schema:staging": "./scripts/fetch-graphql-schema.sh staging",
       "fetch:graphql:schema:production": "./scripts/fetch-graphql-schema.sh production",
       "export:web": "expo export --platform web --source-maps",
-      "pre-build:eas": "cat .gitignore > .easignore && cat .easignore.extra >> .easignore"
+      "pre-build:eas": "cat .gitignore > .easignore && cat .easignore.extra >> .easignore",
+      "security:zap": "bash scripts/zap-baseline.sh"
     },
     "dependencies": {
       "@apollo/client": "^3.10.8",
@@ -117,7 +118,8 @@
       "expo-atlas": "^0.4.0",
       "globals": "^16.0.0",
       "jest-environment-jsdom": "^30.2.0",
-      "jest-expo": "^54.0.12"
+      "jest-expo": "^54.0.12",
+      "serve": "^14.2.0"
     },
     "resolutions": {
       "eslint-plugin-react-hooks": "^7.0.0",

package/nestjs/copy-overwrite/.github/workflows/zap-baseline.yml

@@ -0,0 +1,123 @@
+# This file is managed by Lisa.
+# Do not edit directly — changes will be overwritten on the next `lisa` run.
+
+name: ZAP Baseline Scan (NestJS)
+
+on:
+  workflow_call:
+    inputs:
+      node_version:
+        description: 'Node.js version to use'
+        required: false
+        default: '22.21.1'
+        type: string
+      package_manager:
+        description: 'Package manager to use (npm, yarn, or bun)'
+        required: false
+        default: 'bun'
+        type: string
+      zap_target_url:
+        description: 'Override URL for ZAP to scan (default: http://localhost:3000/graphql)'
+        required: false
+        default: 'http://localhost:3000/graphql'
+        type: string
+      zap_rules_file:
+        description: 'Path to ZAP rules configuration file'
+        required: false
+        default: '.zap/baseline.conf'
+        type: string
+
+jobs:
+  zap_baseline:
+    name: ZAP Baseline Scan
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+          cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
+
+      - name: Setup Bun
+        if: inputs.package_manager == 'bun'
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: Install dependencies
+        run: |
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            npm ci
+          elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
+            yarn install --frozen-lockfile
+          elif [ "${{ inputs.package_manager }}" = "bun" ]; then
+            bun install --frozen-lockfile
+          fi
+
+      - name: Build project
+        run: ${{ inputs.package_manager }} run build
+
+      - name: Start NestJS server
+        run: |
+          ${{ inputs.package_manager }} run start &
+          SERVER_PID=$!
+          echo "SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
+        env:
+          NODE_ENV: test
+          PORT: 3000
+
+      - name: Wait for server ready
+        run: |
+          echo "Waiting for NestJS server to be ready..."
+          RETRIES=30
+          until curl -sf http://localhost:3000/health > /dev/null 2>&1 || [ $RETRIES -eq 0 ]; do
+            echo "Waiting for server... ($RETRIES retries left)"
+            RETRIES=$((RETRIES - 1))
+            sleep 2
+          done
+          if [ $RETRIES -eq 0 ]; then
+            echo "Server failed to start within timeout"
+            exit 1
+          fi
+          echo "Server is ready"
+
+      - name: Check for ZAP rules file
+        id: check_rules
+        run: |
+          if [ -f "${{ inputs.zap_rules_file }}" ]; then
+            echo "has_rules=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_rules=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Run ZAP baseline scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: ${{ inputs.zap_target_url }}
+          rules_file_name: ${{ steps.check_rules.outputs.has_rules == 'true' && inputs.zap_rules_file || '' }}
+          fail_action: true
+          allow_issue_writing: false
+          artifact_name: 'zap-report-nestjs'
+
+      - name: Stop NestJS server
+        if: always()
+        run: |
+          if [ -n "$SERVER_PID" ]; then
+            kill "$SERVER_PID" 2>/dev/null || true
+          fi
+
+      - name: Upload ZAP report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-baseline-report-nestjs-${{ github.run_id }}
+          path: |
+            zap-report.html
+            zap-report.json
+            zap-report.md
+          retention-days: 14

package/nestjs/copy-overwrite/.zap/baseline.conf

@@ -0,0 +1,39 @@
+# OWASP ZAP Baseline Scan Configuration — NestJS GraphQL APIs
+# Format: <rule_id> <action> <description>
+# Actions: IGNORE (skip rule), WARN (report but don't fail), FAIL (fail on finding)
+#
+# Tuned for NestJS APIs behind API Gateway/load balancer in production.
+# Transport-level headers are enforced at infrastructure layer.
+
+# CSP header — API responses don't serve HTML; CSP is a browser concern
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+
+# X-Content-Type-Options — should be set but is infrastructure-level
+10021	WARN	(X-Content-Type-Options Header Missing)
+
+# Strict-Transport-Security — enforced at API Gateway/load balancer
+10035	WARN	(Strict-Transport-Security Header Not Set)
+
+# X-Frame-Options — API responses are not rendered in browsers
+10020	IGNORE	(X-Frame-Options Header Not Set)
+
+# Permissions-Policy — not applicable to API responses
+10063	IGNORE	(Permissions Policy Header Not Set)
+
+# Server header disclosure — NestJS/Express may leak version info;
+# should be suppressed in production via Helmet middleware
+10036	WARN	(Server Leaks Version Information via "Server" HTTP Response Header Field)
+
+# Cookie flags — GraphQL APIs may use session cookies for auth
+10010	FAIL	(Cookie No HttpOnly Flag)
+10011	FAIL	(Cookie Without Secure Flag)
+10054	WARN	(Cookie without SameSite Attribute)
+
+# Information disclosure in URL — GraphQL uses POST body, not URL params
+10024	IGNORE	(Information Disclosure - Sensitive Information in URL)
+
+# Cross-domain JavaScript source — not applicable to API
+10017	IGNORE	(Cross-Domain JavaScript Source File Inclusion)
+
+# Application error disclosure — NestJS should not leak stack traces
+10023	FAIL	(Information Disclosure - Debug Error Messages)

package/nestjs/copy-overwrite/jest.config.ts

@@ -0,0 +1,28 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - Main Entry Point (NestJS)
+ *
+ * Imports the NestJS-specific configuration and project-local customizations.
+ * Do not modify this file directly - use jest.config.local.ts for project-specific settings.
+ *
+ * Inheritance chain:
+ *   jest.config.ts (this file)
+ *   └── jest.nestjs.ts
+ *       └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.config
+ */
+import { mergeConfigs, mergeThresholds } from "./jest.base.ts";
+import { defaultThresholds, getNestjsJestConfig } from "./jest.nestjs.ts";
+
+import localConfig from "./jest.config.local.ts";
+import thresholdsOverrides from "./jest.thresholds.json" with { type: "json" };
+
+const thresholds = mergeThresholds(defaultThresholds, thresholdsOverrides);
+
+export default mergeConfigs(getNestjsJestConfig({ thresholds }), localConfig);

package/nestjs/copy-overwrite/jest.nestjs.ts

@@ -0,0 +1,89 @@
+/**
+ * This file is managed by Lisa.
+ * Do not edit directly — changes will be overwritten on the next `lisa` run.
+ */
+
+/**
+ * Jest Configuration - NestJS Stack
+ *
+ * Provides NestJS-specific Jest configuration with extensive coverage
+ * exclusions for generated files, DTOs, entities, and modules.
+ *
+ * Inheritance chain:
+ *   jest.nestjs.ts (this file)
+ *   └── jest.base.ts
+ *
+ * @see https://jestjs.io/docs/configuration
+ * @module jest.nestjs
+ */
+import type { Config } from "jest";
+
+import {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+} from "./jest.base.ts";
+
+// Re-export base utilities for entry-point configs
+export {
+  defaultCoverageExclusions,
+  defaultThresholds,
+  mergeConfigs,
+  mergeThresholds,
+};
+
+/**
+ * Options for configuring the NestJS Jest config factory.
+ */
+interface NestjsJestOptions {
+  /** Coverage thresholds (merged defaults + project overrides) */
+  readonly thresholds?: Config["coverageThreshold"];
+}
+
+/**
+ * NestJS-specific patterns excluded from coverage collection.
+ * These are generated or boilerplate files that don't benefit from coverage tracking.
+ */
+const nestjsCoverageExclusions: readonly string[] = [
+  ...defaultCoverageExclusions,
+  "!**/*.entity.ts",
+  "!**/*.dto.ts",
+  "!**/*.input.ts",
+  "!**/*.args.ts",
+  "!**/*.model.ts",
+  "!**/*.module.ts",
+  "!**/*.factory.ts",
+  "!**/*.enum.ts",
+  "!**/*.interface.ts",
+  "!**/*.constants.ts",
+  "!**/database/migrations/**",
+  "!**/database/seeds/**",
+  "!**/graphql/**",
+  "!**/main.ts",
+];
+
+/**
+ * Creates a Jest configuration for NestJS projects.
+ *
+ * @param options - Configuration options for threshold overrides
+ * @param options.thresholds - Coverage thresholds (merged defaults + project overrides)
+ * @returns Jest config object with ts-jest transform, node environment, and NestJS-specific exclusions
+ * @remarks NestJS projects use CommonJS modules and spec.ts test file convention.
+ * Coverage excludes entities, DTOs, modules, and other boilerplate files
+ * that are better validated through integration tests.
+ */
+export const getNestjsJestConfig = ({
+  thresholds = defaultThresholds,
+}: NestjsJestOptions = {}): Config => ({
+  testEnvironment: "node",
+  rootDir: "src",
+  testRegex: ".*\\.spec\\.ts$",
+  transform: {
+    "^.+\\.ts$": "ts-jest",
+  },
+  moduleFileExtensions: ["js", "json", "ts"],
+  collectCoverageFrom: ["**/*.ts", ...nestjsCoverageExclusions],
+  coverageThreshold: thresholds,
+  testTimeout: 10000,
+});

package/nestjs/copy-overwrite/scripts/zap-baseline.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+# OWASP ZAP Baseline Scan — NestJS GraphQL API
+# Builds and starts the NestJS server, then runs a ZAP baseline scan via Docker.
+# Outputs an HTML report to zap-report.html in the project root.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+TARGET_URL="${ZAP_TARGET_URL:-http://host.docker.internal:3000/graphql}"
+ZAP_RULES_FILE="${ZAP_RULES_FILE:-.zap/baseline.conf}"
+REPORT_FILE="zap-report.html"
+
+cd "$PROJECT_ROOT"
+
+# Verify Docker is available
+if ! command -v docker &> /dev/null; then
+  echo "Error: Docker is required but not installed."
+  echo "Install Docker from https://docs.docker.com/get-docker/"
+  exit 1
+fi
+
+if ! docker info &> /dev/null 2>&1; then
+  echo "Error: Docker daemon is not running."
+  exit 1
+fi
+
+# Detect package manager
+if [ -f "bun.lockb" ]; then
+  PKG_MGR="bun"
+elif [ -f "yarn.lock" ]; then
+  PKG_MGR="yarn"
+elif [ -f "pnpm-lock.yaml" ]; then
+  PKG_MGR="pnpm"
+else
+  PKG_MGR="npm"
+fi
+
+echo "==> Building NestJS project..."
+$PKG_MGR run build
+
+echo "==> Starting NestJS server..."
+NODE_ENV=test PORT=3000 $PKG_MGR run start &
+SERVER_PID=$!
+
+cleanup() {
+  echo "==> Cleaning up..."
+  if [ -n "${SERVER_PID:-}" ]; then
+    kill "$SERVER_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+echo "==> Waiting for server to be ready..."
+RETRIES=30
+until curl -sf http://localhost:3000/health > /dev/null 2>&1 || [ $RETRIES -eq 0 ]; do
+  RETRIES=$((RETRIES - 1))
+  sleep 2
+done
+
+if [ $RETRIES -eq 0 ]; then
+  echo "Error: Server failed to start within timeout"
+  exit 1
+fi
+echo "    Server is ready"
+
+echo "==> Running OWASP ZAP baseline scan..."
+ZAP_ARGS="-t $TARGET_URL"
+
+if [ -f "$ZAP_RULES_FILE" ]; then
+  echo "    Using rules file: $ZAP_RULES_FILE"
+  ZAP_ARGS="$ZAP_ARGS -c /zap/wrk/$(basename "$ZAP_RULES_FILE")"
+  MOUNT_RULES="-v $(dirname "$(realpath "$ZAP_RULES_FILE")"):/zap/wrk:ro"
+else
+  MOUNT_RULES=""
+fi
+
+docker run --rm \
+  --add-host=host.docker.internal:host-gateway \
+  -v "$(pwd)":/zap/wrk/:rw \
+  $MOUNT_RULES \
+  ghcr.io/zaproxy/zaproxy:stable \
+  zap-baseline.py $ZAP_ARGS \
+  -r "$REPORT_FILE" \
+  -J zap-report.json \
+  -w zap-report.md \
+  -l WARN || ZAP_EXIT=$?
+
+echo ""
+if [ -f "$REPORT_FILE" ]; then
+  echo "ZAP report saved to: $REPORT_FILE"
+fi
+
+if [ "${ZAP_EXIT:-0}" -ne 0 ]; then
+  echo "ZAP found medium+ severity findings (exit code: $ZAP_EXIT)"
+  echo "Review $REPORT_FILE for details."
+  exit "$ZAP_EXIT"
+else
+  echo "ZAP baseline scan passed — no medium+ severity findings."
+fi

package/nestjs/copy-overwrite/tsconfig.build.json

@@ -0,0 +1,5 @@
+{
+  "extends": "./tsconfig.json",
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "**/*.spec.ts"]
+}

package/nestjs/copy-overwrite/tsconfig.eslint.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "rootDir": ".",
+    "noEmit": true,
+    "allowImportingTsExtensions": true
+  },
+  "include": ["src/**/*", "test/**/*", "*.config.ts", "eslint.*.ts", "jest.*.ts"],
+  "exclude": ["node_modules", ".build"]
+}

package/nestjs/copy-overwrite/tsconfig.json

@@ -0,0 +1,5 @@
+{
+  "extends": ["./tsconfig.nestjs.json", "./tsconfig.local.json"],
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", ".build"]
+}

package/nestjs/copy-overwrite/tsconfig.nestjs.json

@@ -0,0 +1,16 @@
+{
+  "extends": "./tsconfig.base.json",
+  "compilerOptions": {
+    "module": "commonjs",
+    "target": "ES2021",
+    "emitDecoratorMetadata": true,
+    "experimentalDecorators": true,
+    "declaration": true,
+    "sourceMap": true,
+    "outDir": ".build",
+    "baseUrl": "./",
+    "paths": {
+      "@/*": ["./src/*"]
+    }
+  }
+}

package/nestjs/copy-overwrite/tsconfig.spec.json

@@ -0,0 +1,7 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "types": ["jest", "node"]
+  },
+  "include": ["**/*.spec.ts", "**/*.d.ts"]
+}

package/nestjs/create-only/.github/workflows/ci.yml

@@ -18,6 +18,14 @@ jobs:
       skip_jobs: 'test,test:integration,test:e2e'
     secrets: inherit
 
+  zap:
+    name: 🕷️ ZAP Baseline Scan
+    needs: [quality]
+    uses: ./.github/workflows/zap-baseline.yml
+    with:
+      node_version: '22.21.1'
+      package_manager: 'bun'
+
   create_issue_on_failure:
     name: 📌 Create Issue on Failure
     needs: [quality]

package/nestjs/create-only/tsconfig.local.json

@@ -0,0 +1,6 @@
+{
+  "compilerOptions": {
+    "outDir": ".build",
+    "rootDir": "src"
+  }
+}

package/nestjs/package-lisa/package.lisa.json

@@ -26,7 +26,8 @@
       "fetch:graphql:schema:production": "./scripts/fetch-graphql-schema.sh production",
       "deploy:dev": "sls deploy --stage dev",
       "deploy:staging": "sls deploy --stage staging",
-      "deploy:production": "sls deploy --stage production"
+      "deploy:production": "sls deploy --stage production",
+      "security:zap": "bash scripts/zap-baseline.sh"
     },
     "dependencies": {
       "@apollo/server": "^5.2.0",

package/package.json

@@ -85,7 +85,7 @@
   },
   "resolutions": {},
   "name": "@codyswann/lisa",
-  "version": "1.13.0",
+  "version": "1.15.0",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "bin": {

package/typescript/copy-overwrite/.claude/commands/security/zap-scan.md

@@ -0,0 +1,12 @@
+Run an OWASP ZAP baseline security scan locally using Docker.
+
+Steps:
+1. Check if Docker is installed and running: `docker info`
+2. Check if `scripts/zap-baseline.sh` exists in the project
+3. If it exists, run: `bash scripts/zap-baseline.sh`
+4. If it does not exist, inform the user that this project does not have a ZAP baseline scan configured
+5. After the scan completes, read `zap-report.html` (or `zap-report.md` for text) and summarize:
+   - Total number of alerts by risk level (High, Medium, Low, Informational)
+   - List each Medium+ finding with its rule ID, name, and recommended fix
+   - Categorize findings as "infrastructure-level" (fix at CDN/proxy) vs "application-level" (fix in code)
+6. If the scan failed, explain what failed and suggest concrete remediation steps