@codyswann/lisa 1.14.0 → 1.16.0

package/nestjs/copy-overwrite/.zap/baseline.conf

@@ -0,0 +1,39 @@
+# OWASP ZAP Baseline Scan Configuration — NestJS GraphQL APIs
+# Format: <rule_id> <action> <description>
+# Actions: IGNORE (skip rule), WARN (report but don't fail), FAIL (fail on finding)
+#
+# Tuned for NestJS APIs behind API Gateway/load balancer in production.
+# Transport-level headers are enforced at infrastructure layer.
+
+# CSP header — API responses don't serve HTML; CSP is a browser concern
+10038	WARN	(Content Security Policy (CSP) Header Not Set)
+
+# X-Content-Type-Options — should be set but is infrastructure-level
+10021	WARN	(X-Content-Type-Options Header Missing)
+
+# Strict-Transport-Security — enforced at API Gateway/load balancer
+10035	WARN	(Strict-Transport-Security Header Not Set)
+
+# X-Frame-Options — API responses are not rendered in browsers
+10020	IGNORE	(X-Frame-Options Header Not Set)
+
+# Permissions-Policy — not applicable to API responses
+10063	IGNORE	(Permissions Policy Header Not Set)
+
+# Server header disclosure — NestJS/Express may leak version info;
+# should be suppressed in production via Helmet middleware
+10036	WARN	(Server Leaks Version Information via "Server" HTTP Response Header Field)
+
+# Cookie flags — GraphQL APIs may use session cookies for auth
+10010	FAIL	(Cookie No HttpOnly Flag)
+10011	FAIL	(Cookie Without Secure Flag)
+10054	WARN	(Cookie without SameSite Attribute)
+
+# Information disclosure in URL — GraphQL uses POST body, not URL params
+10024	IGNORE	(Information Disclosure - Sensitive Information in URL)
+
+# Cross-domain JavaScript source — not applicable to API
+10017	IGNORE	(Cross-Domain JavaScript Source File Inclusion)
+
+# Application error disclosure — NestJS should not leak stack traces
+10023	FAIL	(Information Disclosure - Debug Error Messages)

package/nestjs/copy-overwrite/scripts/zap-baseline.sh

@@ -0,0 +1,99 @@
+#!/usr/bin/env bash
+# OWASP ZAP Baseline Scan — NestJS GraphQL API
+# Builds and starts the NestJS server, then runs a ZAP baseline scan via Docker.
+# Outputs an HTML report to zap-report.html in the project root.
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+TARGET_URL="${ZAP_TARGET_URL:-http://host.docker.internal:3000/graphql}"
+ZAP_RULES_FILE="${ZAP_RULES_FILE:-.zap/baseline.conf}"
+REPORT_FILE="zap-report.html"
+
+cd "$PROJECT_ROOT"
+
+# Verify Docker is available
+if ! command -v docker &> /dev/null; then
+  echo "Error: Docker is required but not installed."
+  echo "Install Docker from https://docs.docker.com/get-docker/"
+  exit 1
+fi
+
+if ! docker info &> /dev/null 2>&1; then
+  echo "Error: Docker daemon is not running."
+  exit 1
+fi
+
+# Detect package manager
+if [ -f "bun.lockb" ]; then
+  PKG_MGR="bun"
+elif [ -f "yarn.lock" ]; then
+  PKG_MGR="yarn"
+elif [ -f "pnpm-lock.yaml" ]; then
+  PKG_MGR="pnpm"
+else
+  PKG_MGR="npm"
+fi
+
+echo "==> Building NestJS project..."
+$PKG_MGR run build
+
+echo "==> Starting NestJS server..."
+NODE_ENV=test PORT=3000 $PKG_MGR run start &
+SERVER_PID=$!
+
+cleanup() {
+  echo "==> Cleaning up..."
+  if [ -n "${SERVER_PID:-}" ]; then
+    kill "$SERVER_PID" 2>/dev/null || true
+  fi
+}
+trap cleanup EXIT
+
+echo "==> Waiting for server to be ready..."
+RETRIES=30
+until curl -sf http://localhost:3000/health > /dev/null 2>&1 || [ $RETRIES -eq 0 ]; do
+  RETRIES=$((RETRIES - 1))
+  sleep 2
+done
+
+if [ $RETRIES -eq 0 ]; then
+  echo "Error: Server failed to start within timeout"
+  exit 1
+fi
+echo "    Server is ready"
+
+echo "==> Running OWASP ZAP baseline scan..."
+ZAP_ARGS="-t $TARGET_URL"
+
+if [ -f "$ZAP_RULES_FILE" ]; then
+  echo "    Using rules file: $ZAP_RULES_FILE"
+  ZAP_ARGS="$ZAP_ARGS -c /zap/wrk/$(basename "$ZAP_RULES_FILE")"
+  MOUNT_RULES="-v $(dirname "$(realpath "$ZAP_RULES_FILE")"):/zap/wrk:ro"
+else
+  MOUNT_RULES=""
+fi
+
+docker run --rm \
+  --add-host=host.docker.internal:host-gateway \
+  -v "$(pwd)":/zap/wrk/:rw \
+  $MOUNT_RULES \
+  ghcr.io/zaproxy/zaproxy:stable \
+  zap-baseline.py $ZAP_ARGS \
+  -r "$REPORT_FILE" \
+  -J zap-report.json \
+  -w zap-report.md \
+  -l WARN || ZAP_EXIT=$?
+
+echo ""
+if [ -f "$REPORT_FILE" ]; then
+  echo "ZAP report saved to: $REPORT_FILE"
+fi
+
+if [ "${ZAP_EXIT:-0}" -ne 0 ]; then
+  echo "ZAP found medium+ severity findings (exit code: $ZAP_EXIT)"
+  echo "Review $REPORT_FILE for details."
+  exit "$ZAP_EXIT"
+else
+  echo "ZAP baseline scan passed — no medium+ severity findings."
+fi

package/nestjs/copy-overwrite/tsconfig.eslint.json

@@ -0,0 +1,10 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "rootDir": ".",
+    "noEmit": true,
+    "allowImportingTsExtensions": true
+  },
+  "include": ["src/**/*", "test/**/*", "*.config.ts", "eslint.*.ts", "jest.*.ts"],
+  "exclude": ["node_modules", ".build"]
+}

package/nestjs/copy-overwrite/tsconfig.nestjs.json

@@ -8,6 +8,9 @@
     "declaration": true,
     "sourceMap": true,
     "outDir": ".build",
-    "baseUrl": "./"
+    "baseUrl": "./",
+    "paths": {
+      "@/*": ["./src/*"]
+    }
   }
 }

package/nestjs/create-only/.github/workflows/ci.yml

@@ -18,6 +18,14 @@ jobs:
       skip_jobs: 'test,test:integration,test:e2e'
     secrets: inherit
 
+  zap:
+    name: 🕷️ ZAP Baseline Scan
+    needs: [quality]
+    uses: ./.github/workflows/zap-baseline.yml
+    with:
+      node_version: '22.21.1'
+      package_manager: 'bun'
+
   create_issue_on_failure:
     name: 📌 Create Issue on Failure
     needs: [quality]

package/nestjs/package-lisa/package.lisa.json

@@ -26,7 +26,8 @@
       "fetch:graphql:schema:production": "./scripts/fetch-graphql-schema.sh production",
       "deploy:dev": "sls deploy --stage dev",
       "deploy:staging": "sls deploy --stage staging",
-      "deploy:production": "sls deploy --stage production"
+      "deploy:production": "sls deploy --stage production",
+      "security:zap": "bash scripts/zap-baseline.sh"
     },
     "dependencies": {
       "@apollo/server": "^5.2.0",

package/package.json

@@ -85,7 +85,7 @@
   },
   "resolutions": {},
   "name": "@codyswann/lisa",
-  "version": "1.14.0",
+  "version": "1.16.0",
   "description": "Claude Code governance framework that applies guardrails, guidance, and automated enforcement to projects",
   "main": "dist/index.js",
   "bin": {

package/typescript/copy-contents/.husky/pre-push

@@ -79,7 +79,11 @@ elif [ "$PACKAGE_MANAGER" = "bun" ]; then
   # Excluding GHSA-8qq5-rm4j-mr97: node-tar path sanitization vulnerability
   # Nested dependency in @expo/cli - bun resolves to patched version but audit still flags it
   # Risk: Low - only affects tar extraction with malicious filenames, not our use case
-  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97; then
+
+  # Excluding GHSA-37qj-frw5-hhjh: fast-xml-parser RangeError DoS with numeric entities
+  # Transitive dependency via @react-native-community/cli (Android/iOS build tooling)
+  # Risk: None - CLI build tool, not a production runtime dependency
+  if ! bun audit --audit-level=high --ignore GHSA-5j98-mcp5-4vw2 --ignore GHSA-8qq5-rm4j-mr97 --ignore GHSA-37qj-frw5-hhjh; then
     echo "⚠️ Security audit failed. Please fix high/critical vulnerabilities before pushing."
     exit 1
   fi

package/typescript/copy-overwrite/.claude/commands/security/zap-scan.md

@@ -0,0 +1,12 @@
+Run an OWASP ZAP baseline security scan locally using Docker.
+
+Steps:
+1. Check if Docker is installed and running: `docker info`
+2. Check if `scripts/zap-baseline.sh` exists in the project
+3. If it exists, run: `bash scripts/zap-baseline.sh`
+4. If it does not exist, inform the user that this project does not have a ZAP baseline scan configured
+5. After the scan completes, read `zap-report.html` (or `zap-report.md` for text) and summarize:
+   - Total number of alerts by risk level (High, Medium, Low, Informational)
+   - List each Medium+ finding with its rule ID, name, and recommended fix
+   - Categorize findings as "infrastructure-level" (fix at CDN/proxy) vs "application-level" (fix in code)
+6. If the scan failed, explain what failed and suggest concrete remediation steps

package/typescript/copy-overwrite/.claude/settings.json

@@ -11,6 +11,16 @@
           }
         ]
       },
+      {
+        "matcher": "",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "$CLAUDE_PROJECT_DIR/.claude/hooks/enforce-plan-rules.sh",
+            "timeout": 5
+          }
+        ]
+      },
       {
         "matcher": "",
         "hooks": [

package/typescript/copy-overwrite/.github/workflows/quality.yml

@@ -18,6 +18,7 @@
 #   - Snyk dependency vulnerability scanning
 #   - GitGuardian secret detection
 #   - FOSSA license compliance checking
+#   - OWASP ZAP DAST baseline scanning
 # - E2E testing:
 #   - Playwright web E2E tests (auto-detects playwright.config.ts)
 #   - Maestro Cloud mobile E2E tests (requires MAESTRO_API_KEY, project ID, and app binary)
@@ -54,10 +55,20 @@ on:
         default: 'npm'
         type: string
       skip_jobs:
-        description: 'Jobs to skip (comma-separated: lint,lint_slow,typecheck,test,test:unit,test:integration,test:e2e,maestro_e2e,playwright_e2e,format,build,dead_code,sg_scan,npm_security_scan,github_issue)'
+        description: 'Jobs to skip (comma-separated: lint,lint_slow,typecheck,test,test:unit,test:integration,test:e2e,maestro_e2e,playwright_e2e,format,build,dead_code,sg_scan,npm_security_scan,zap_baseline,github_issue)'
         required: false
         default: ''
         type: string
+      zap_target_url:
+        description: 'Target URL for OWASP ZAP baseline scan (leave empty to skip ZAP)'
+        required: false
+        default: ''
+        type: string
+      zap_rules_file:
+        description: 'Path to ZAP rules configuration file'
+        required: false
+        default: '.zap/baseline.conf'
+        type: string
       working_directory:
         description: 'Directory to run commands in (if not root)'
         required: false
@@ -1242,12 +1253,74 @@ jobs:
           echo "::warning::FOSSA license compliance check skipped - FOSSA_API_KEY not configured"
           echo "To enable license compliance checking, add FOSSA_API_KEY to your repository secrets"
 
+  zap_baseline:
+    name: 🕷️ OWASP ZAP Baseline
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    if: ${{ !contains(inputs.skip_jobs, 'zap_baseline') && inputs.zap_target_url != '' }}
+    steps:
+      - name: 📥 Checkout repository
+        uses: actions/checkout@v4
+
+      - name: 🔧 Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ inputs.node_version }}
+          cache: ${{ inputs.package_manager != 'bun' && inputs.package_manager || '' }}
+
+      - name: 🍞 Setup Bun
+        if: inputs.package_manager == 'bun'
+        uses: oven-sh/setup-bun@v2
+        with:
+          bun-version: '1.3.8'
+
+      - name: 📦 Install dependencies
+        run: |
+          if [ "${{ inputs.package_manager }}" = "npm" ]; then
+            npm ci
+          elif [ "${{ inputs.package_manager }}" = "yarn" ]; then
+            yarn install --frozen-lockfile
+          elif [ "${{ inputs.package_manager }}" = "bun" ]; then
+            bun install --frozen-lockfile
+          fi
+        working-directory: ${{ inputs.working_directory || '.' }}
+
+      - name: 🔍 Check for ZAP rules file
+        id: check_rules
+        run: |
+          if [ -f "${{ inputs.zap_rules_file }}" ]; then
+            echo "has_rules=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_rules=false" >> $GITHUB_OUTPUT
+          fi
+        working-directory: ${{ inputs.working_directory || '.' }}
+
+      - name: 🕷️ Run ZAP baseline scan
+        uses: zaproxy/action-baseline@v0.14.0
+        with:
+          target: ${{ inputs.zap_target_url }}
+          rules_file_name: ${{ steps.check_rules.outputs.has_rules == 'true' && inputs.zap_rules_file || '' }}
+          fail_action: true
+          allow_issue_writing: false
+          artifact_name: 'zap-report'
+
+      - name: 📤 Upload ZAP report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: zap-baseline-report-${{ github.run_id }}
+          path: |
+            zap-report.html
+            zap-report.json
+            zap-report.md
+          retention-days: 14
+
   # Enterprise security tools summary
   security_tools_summary:
     name: 🔒 Security Tools Summary
     runs-on: ubuntu-latest
-    if: always() && (needs.sonarcloud.result != 'skipped' || needs.snyk.result != 'skipped' || needs.secret_scanning.result != 'skipped' || needs.license_compliance.result != 'skipped')
-    needs: [sonarcloud, snyk, secret_scanning, license_compliance]
+    if: always() && (needs.sonarcloud.result != 'skipped' || needs.snyk.result != 'skipped' || needs.secret_scanning.result != 'skipped' || needs.license_compliance.result != 'skipped' || needs.zap_baseline.result != 'skipped')
+    needs: [sonarcloud, snyk, secret_scanning, license_compliance, zap_baseline]
     steps:
       - name: 📝 Generate security tools summary
         run: |
@@ -1292,6 +1365,15 @@ jobs:
             echo "- 📜 **FOSSA License Compliance**: ❌ Failed" >> $GITHUB_STEP_SUMMARY
           fi
 
+          # OWASP ZAP Baseline status
+          if [ "${{ needs.zap_baseline.result }}" == "skipped" ]; then
+            echo "- 🕷️ **OWASP ZAP Baseline**: ⏭️ Skipped (no target URL)" >> $GITHUB_STEP_SUMMARY
+          elif [ "${{ needs.zap_baseline.result }}" == "success" ]; then
+            echo "- 🕷️ **OWASP ZAP Baseline**: ✅ Passed" >> $GITHUB_STEP_SUMMARY
+          else
+            echo "- 🕷️ **OWASP ZAP Baseline**: ❌ Failed" >> $GITHUB_STEP_SUMMARY
+          fi
+
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## 📊 Security Posture" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
@@ -1328,7 +1410,14 @@ jobs:
             fi
           fi
 
-          echo "- **Active Security Tools**: $ACTIVE_TOOLS / 4" >> $GITHUB_STEP_SUMMARY
+          if [ "${{ needs.zap_baseline.result }}" != "skipped" ]; then
+            ACTIVE_TOOLS=$((ACTIVE_TOOLS + 1))
+            if [ "${{ needs.zap_baseline.result }}" == "success" ]; then
+              PASSED_TOOLS=$((PASSED_TOOLS + 1))
+            fi
+          fi
+
+          echo "- **Active Security Tools**: $ACTIVE_TOOLS / 5" >> $GITHUB_STEP_SUMMARY
           echo "- **Passed Checks**: $PASSED_TOOLS / $ACTIVE_TOOLS" >> $GITHUB_STEP_SUMMARY
 
           if [ $ACTIVE_TOOLS -gt 0 ]; then
@@ -1382,6 +1471,7 @@ jobs:
         snyk,
         secret_scanning,
         license_compliance,
+        zap_baseline,
       ]
     steps:
       - name: 📋 Validate compliance framework
@@ -1594,6 +1684,7 @@ jobs:
         snyk,
         secret_scanning,
         license_compliance,
+        zap_baseline,
         compliance_validation,
       ]
     steps:
@@ -1648,7 +1739,8 @@ jobs:
                   sonarcloud: '${{ needs.sonarcloud.result }}',
                   snyk: '${{ needs.snyk.result }}',
                   secret_scan: '${{ needs.secret_scanning.result }}',
-                  license_check: '${{ needs.license_compliance.result }}'
+                  license_check: '${{ needs.license_compliance.result }}',
+                  zap_baseline: '${{ needs.zap_baseline.result }}'
                 },
                 compliance: '${{ needs.compliance_validation.result }}'
               },
@@ -1806,6 +1898,7 @@ jobs:
         snyk,
         secret_scanning,
         license_compliance,
+        zap_baseline,
       ]
     steps:
       - name: 📊 Generate performance report
@@ -1856,6 +1949,7 @@ jobs:
           echo "| Snyk | ${{ needs.snyk.result }} | Security |" >> $GITHUB_STEP_SUMMARY
           echo "| Secret Scan | ${{ needs.secret_scanning.result }} | Security |" >> $GITHUB_STEP_SUMMARY
           echo "| License Check | ${{ needs.license_compliance.result }} | Security |" >> $GITHUB_STEP_SUMMARY
+          echo "| ZAP Baseline | ${{ needs.zap_baseline.result }} | Security |" >> $GITHUB_STEP_SUMMARY
 
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## 💡 Performance Tips" >> $GITHUB_STEP_SUMMARY
@@ -1885,6 +1979,7 @@ jobs:
           [ "${{ needs.snyk.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
           [ "${{ needs.secret_scanning.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
           [ "${{ needs.license_compliance.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
+          [ "${{ needs.zap_baseline.result }}" != "skipped" ] && SECURITY_JOBS=$((SECURITY_JOBS + 1))
 
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "## 🚀 Optimization Metrics" >> $GITHUB_STEP_SUMMARY

package/typescript/copy-overwrite/eslint.base.ts

@@ -109,7 +109,7 @@ export const getBaseConfigs = () => [
   },
 
   // Code quality
-  sonarjs.configs.recommended,
+  ...(sonarjs.configs?.recommended ? [sonarjs.configs.recommended] : []),
   {
     plugins: {
       "@eslint-community/eslint-comments": eslintComments,

package/typescript/copy-overwrite/eslint.ignore.config.json

@@ -31,6 +31,7 @@
 
     ".lisabak/**",
     ".claude-active-project/**",
+    ".claude-active-plan/**",
     "coverage/**",
     "**/*spec.ts",
     "resolver-test.setup.ts",

package/typescript/copy-overwrite/jest.base.ts

@@ -44,6 +44,7 @@ export const defaultCoverageExclusions: readonly string[] = [
   "!**/tests/**",
   "!**/__tests__/**",
   "!**/__mocks__/**",
+  "!**/components/ui/**",
 ];
 
 /**

package/typescript/copy-overwrite/tsconfig.eslint.json

@@ -2,8 +2,9 @@
   "extends": "./tsconfig.json",
   "compilerOptions": {
     "rootDir": ".",
-    "noEmit": true
+    "noEmit": true,
+    "allowImportingTsExtensions": true
   },
-  "include": ["src/**/*", "tests/**/*", "test/**/*", "*.config.ts", "eslint.*.ts"],
+  "include": ["src/**/*", "tests/**/*", "test/**/*", "*.config.ts", "eslint.*.ts", "jest.*.ts"],
   "exclude": ["node_modules", "dist", "build"]
 }