@friedbotstudio/create-baseline 0.1.0 → 0.2.0

package/README.md

@@ -106,8 +106,13 @@ npx @friedbotstudio/create-baseline ./your-project --dry-run
 
 # Skip the install-time PlantUML jar download
 npx @friedbotstudio/create-baseline ./your-project --no-plantuml
+
+# Materialize a security-hardened target/.npmrc (opt-in)
+npx @friedbotstudio/create-baseline ./your-project --with-npmrc
 ```
 
+By default the scaffolder writes only inside `.claude/`, plus `CLAUDE.md`, `.mcp.json`, and `docs/init/seed.md`. Pass `--with-npmrc` to also drop `ignore-scripts=true` + `min-release-age=7` into `target/.npmrc`. Those defaults blunt the npm post-install-hook attack class and delay consumption of fresh malicious publishes. An existing `target/.npmrc` is preserved verbatim. Operators who already set these defaults in `~/.npmrc` don't need the flag.
+
 ### Doctor
 
 ```bash

package/bin/cli.js

@@ -43,6 +43,11 @@ PlantUML jar (~19 MB, fetched at install time from upstream):
   --no-plantuml       Skip the jar download entirely.
   --require-plantuml  Treat jar fetch failure (network/sha256) as fatal (exit 4).
 
+npm posture (off by default):
+  --with-npmrc        Materialize a security-hardened target/.npmrc
+                      (ignore-scripts=true, min-release-age=7). Existing
+                      target/.npmrc is preserved verbatim.
+
 Misc:
   --help, -h       Show this message.
   --version        Print version.
@@ -97,6 +102,7 @@ async function main(argv) {
         'dry-run': { type: 'boolean' },
         'no-plantuml': { type: 'boolean' },
         'require-plantuml': { type: 'boolean' },
+        'with-npmrc': { type: 'boolean' },
         strict: { type: 'boolean' },
       },
       strict: true,
@@ -209,10 +215,10 @@ async function main(argv) {
       }
     } else if (values.force) {
       if (dryRun) io.log(`Would force-install into ${target}`);
-      else await forceInstall(templateDir, target);
+      else await forceInstall(templateDir, target, { withNpmrc: !!values['with-npmrc'] });
     } else {
       if (dryRun) io.log(`Would fresh-install into ${target}`);
-      else await freshInstall(templateDir, target);
+      else await freshInstall(templateDir, target, { withNpmrc: !!values['with-npmrc'] });
     }
   } catch (err) {
     io.error(`install failed: ${err.message}`);

package/obj/template/manifest.json

@@ -1,6 +1,6 @@
 {
   "manifest_version": 2,
-  "generated_at": "2026-05-14T15:52:13.061Z",
+  "generated_at": "2026-05-14T19:28:02.322Z",
   "files": {
     ".claude/agents/swarm-worker.md": "1735a220f268c9765cb22e0567b728803f2edd7776cbde51dd017a9f062ae41f",
     ".claude/bin/LICENSE": "a8dcf2775ab71a58c7d4cc935e3a8e9974e87bb7d6082ee25ef52f8140be8e07",
@@ -15,7 +15,6 @@
     ".claude/hooks/env_guard.sh": "76ffc98fa9a2709526715132981699e46043183e2b1d043a05744a40384d1361",
     ".claude/hooks/git_commit_guard.sh": "1a78799f35cae7b52ee29d8adcddc5cd29427822c223a3be6e0d181f1e8e71c2",
     ".claude/hooks/harness_continuation.sh": "81b40138a66b24d93fcd8fde57f2f21804667952f466d84c2af7c9307c75b117",
-    ".claude/hooks/lib/__pycache__/resume_writer.cpython-314.pyc": "4c9afd22f475848f4007111bf325b406924faef16a6e90e963399febf3075cab",
     ".claude/hooks/lib/common.sh": "2c72b867acf08550f62f80c6b57024d35edd74260a9fd7ac6c709e71fd812319",
     ".claude/hooks/lib/resume_writer.py": "9592fb72de966cb797e51322fbf0160a6784de34934bd6587768689a34bd03b5",
     ".claude/hooks/lint_runner.sh": "267e08dbd9af246c0af124c32ad4aeac48dfe20ac926244ed89855deb7ff7940",
@@ -210,5 +209,6 @@
       "triage": "baseline",
       "verify": "baseline"
     }
-  }
+  },
+  "build_id": "gha-25880800910"
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@friedbotstudio/create-baseline",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Zero-dependency Node CLI scaffolder that materializes the Claude Code baseline (hooks, skills, commands, MCP servers, governance docs) into a target project. Run via `npx @friedbotstudio/create-baseline <target>`.",
   "type": "module",
   "bin": {
@@ -22,7 +22,7 @@
     "build:site": "eleventy",
     "dev:site": "eleventy --serve --port=4321",
     "publish:check": "bash scripts/publish-check.sh",
-    "publish:precheck": "npm publish --dry-run",
+    "publish:precheck": "npm pack --dry-run",
     "publish:files-diff": "node scripts/check-files-diff.mjs",
     "publish:smoke": "node scripts/smoke-tarball.mjs",
     "release": "semantic-release"
@@ -38,6 +38,11 @@
     "type": "git",
     "url": "git+https://github.com/friedbotstudio/baseline.git"
   },
+  "author": {
+    "name": "Friedbot Studio Pvt Ltd",
+    "email": "hello@friedbotstudio.com"
+  },
+  "homepage": "https://baseline.friedbotstudio.com",
   "devDependencies": {
     "@11ty/eleventy": "3.1.5",
     "@semantic-release/changelog": "6.0.3",

package/src/cli/install.js

@@ -12,6 +12,15 @@ const NPMRC_TEMPLATE_PATH = join(PACKAGE_ROOT, 'src/.npmrc.template');
 
 export const NEVER_TOUCH = Object.freeze(['.claude/project.json']);
 export const SPECIAL_MERGE = Object.freeze(['.mcp.json']);
+// Files present in the shipped template that must NOT be cp'd to target. These
+// are reference artifacts the CLI consults from templateDir (or that ship for
+// inspection-time provenance), never materialized at consumer project root.
+// `manifest.json`: the shipped sha256 table. The CLI's runtime manifest lives
+// at `target/.claude/.baseline-manifest.json` (written by writeBaselineManifest);
+// `target/manifest.json` would be a confusing duplicate. Keep the file in the
+// published tarball so anyone inspecting `node_modules/<pkg>/obj/template/` can
+// see what shipped, but exclude it from the fresh/force install copy.
+export const COPY_EXCLUDE = Object.freeze(['manifest.json']);
 
 async function listFiles(root, base = root, acc = []) {
   for (const entry of await readdir(root, { withFileTypes: true })) {
@@ -37,6 +46,7 @@ function makeFilter(opts) {
   return (src, _dest) => {
     const rel = relative(opts.templateRoot, src).split(sep).join('/');
     if (rel === '') return true;
+    if (COPY_EXCLUDE.includes(rel)) return false;
     if (NEVER_TOUCH.includes(rel) && opts.skipNeverTouch) return false;
     if (SPECIAL_MERGE.includes(rel) && opts.skipSpecialMerge) return false;
     return true;
@@ -76,18 +86,18 @@ async function materializeNpmrc(target) {
   await writeFile(dst, bytes);
 }
 
-export async function freshInstall(templateDir, target) {
+export async function freshInstall(templateDir, target, opts = {}) {
   const filter = makeFilter({ templateRoot: templateDir, skipNeverTouch: false, skipSpecialMerge: true });
   await cp(templateDir, target, { recursive: true, force: false, filter });
   await applySpecialAndNeverTouch(templateDir, target);
-  await materializeNpmrc(target);
+  if (opts.withNpmrc === true) await materializeNpmrc(target);
   await writeBaselineManifest(target);
 }
 
-export async function forceInstall(templateDir, target) {
+export async function forceInstall(templateDir, target, opts = {}) {
   const filter = makeFilter({ templateRoot: templateDir, skipNeverTouch: true, skipSpecialMerge: true });
   await cp(templateDir, target, { recursive: true, force: true, filter });
   await applySpecialAndNeverTouch(templateDir, target);
-  await materializeNpmrc(target);
+  if (opts.withNpmrc === true) await materializeNpmrc(target);
   await writeBaselineManifest(target);
 }