@ipation/specbridge 1.1.0 → 1.1.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +67 -1
- package/dist/cli.js +3 -3
- package/dist/cli.js.map +1 -1
- package/dist/index.js +3 -3
- package/dist/index.js.map +1 -1
- package/package.json +1 -1
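--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,71 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.1.2] - 2026-02-02
+
+### Documentation
+
+#### Dogfooding Expansion
+
+- **📚 Expanded Architectural Decisions** - Added 10 new decision files
+- `arch-006`: Verifier Plugin Architecture - Base interface and registry pattern
+- `arch-007`: Security Pattern Enforcement - ReDoS, XSS, SQL injection prevention
+- `arch-008`: Autofix TextEdit Offset Model - 0-based byte offsets with descending sort
+- `arch-009`: Server Integration Options Pattern - LSP/MCP lazy initialization
+- `arch-010`: Configuration Merging Strategy - Recursive merge for nested objects
+- `arch-011`: Testing Infrastructure Standards - Vitest with 90%+ coverage thresholds
+- `arch-012`: Scope Matching Logic - Centralized applicability checking
+- `arch-013`: Agent Context Format Conventions - Emoji icons and multiple formats
+- `arch-014`: Violation Model Structure - createViolation helper usage
+- `arch-015`: Verifier Extension Stability - API stability guarantees
+
+- **📊 Compliance Achievement**
+- Expanded dogfooding from 5 to 15 active architectural decisions
+- 54 total constraints (up from 7)
+- 100% compliance across codebase
+- Documents all patterns introduced in v1.1.0
+
+- **📖 Updated Documentation**
+- Updated `docs/dogfooding-guide.md` with all 15 decisions
+- Updated integration tests to verify all 15 decisions
+- Comprehensive decision coverage for verifiers, security, autofix, servers, and testing
+
+### Testing
+
+- ✅ All 893 tests passing
+- ✅ Commit-level verification < 5 seconds
+- ✅ 100% architectural compliance
+
+## [1.1.1] - 2026-02-01
+
+### Security
+
+#### Fixed Vulnerabilities
+
+- **🔒 Polynomial ReDoS (3 instances)** - `src/verification/verifiers/dependencies.ts`
+- Fixed unbounded regex quantifiers in `parseMaxImportDepth()`, `parseBannedDependency()`, `parseLayerRule()`
+- Changed `\s+` to bounded `\s{1,5}` to prevent catastrophic backtracking
+- Prevents denial-of-service attacks via malicious input strings
+- Resolves GitHub CodeQL alerts #7, #8, #9
+
+- **🔒 Incomplete Sanitization** - `src/integrations/github.ts`
+- Enhanced markdown escaping to cover all special characters
+- Now escapes: backslash, pipe, brackets, asterisk, underscore, backtick
+- Prevents markdown table breaking and potential injection
+- Resolves GitHub CodeQL alert #6
+
+- **🔒 Shell Command Injection (3 instances)** - `tests/integration/dogfooding.test.ts`
+- Replaced `execSync` with `execFileSync` for safer command execution
+- Uses array form for arguments to prevent shell interpretation
+- Eliminates risk of command injection in test environment
+- Resolves GitHub CodeQL alerts #3, #4, #5
+
+### Testing
+
+- ✅ All 893 tests passing
+- ✅ No functional regressions
+- ✅ Test coverage maintained at 92%+
+
 ## [1.1.0] - 2026-02-01
 
 ### 🚀 Major Feature Release
@@ -641,7 +706,8 @@ This release adopts a **pragmatic testing approach**:
 - Vitest for testing
 - tsup for building
 
-[Unreleased]: https://github.com/nouatzi/specbridge/compare/v1.1.
+[Unreleased]: https://github.com/nouatzi/specbridge/compare/v1.1.1...HEAD
+[1.1.1]: https://github.com/nouatzi/specbridge/compare/v1.1.0...v1.1.1
 [1.1.0]: https://github.com/nouatzi/specbridge/compare/v1.0.6...v1.1.0
 [1.0.0]: https://github.com/nouatzi/specbridge/compare/v0.2.1...v1.0.0
 [0.2.1]: https://github.com/nouatzi/specbridge/compare/v0.2.0...v0.2.1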
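--- a/package/dist/cli.js
+++ b/package/dist/cli.js
@@ -2190,17 +2190,17 @@ function tarjanScc(graph) {
 return result;
 }
 function parseMaxImportDepth(rule) {
-const m = rule.match(/maximum\s
+const m = rule.match(/maximum\s{1,5}import\s{1,5}depth\s{0,5}[:=]?\s{0,5}(\d+)/i);
 return m ? Number.parseInt(m[1], 10) : null;
 }
 function parseBannedDependency(rule) {
-const m = rule.match(/no\s
+const m = rule.match(/no\s{1,5}dependencies?\s{1,5}on\s{1,5}(?:package\s{1,5})?(.+?)(?:\.|$)/i);
 if (!m) return null;
 const value = m[1].trim();
 return value.length > 0 ? value : null;
 }
 function parseLayerRule(rule) {
-const m = rule.match(/(\w+)\s
+const m = rule.match(/(\w+)\s{1,5}layer\s{1,5}cannot\s{1,5}depend\s{1,5}on\s{1,5}(\w+)\s{1,5}layer/i);
 if (!m) return null;
 return { fromLayer: m[1].toLowerCase(), toLayer: m[2].toLowerCase() };
 }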
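Review bot: The new `\s{1,5}` bounds in parseMaxImportDepth, parseBannedDependency and parseLayerRule change which rules parse, not only how fast they parse: a rule whose words are separated by six or more spaces, or by a run of tabs, now falls through to the `return null` path instead of matching, and nothing in the hunk records that this narrowing is intended. Add a comment above `function parseMaxImportDepth(rule) {` such as `// Whitespace quantifiers are bounded ({1,5}) so matching stays linear on rule text of unbounded length (polynomial-ReDoS fix); rules with longer whitespace runs deliberately fail to parse rather than backtrack.`, and refer to it from the two sibling regexes so a later edit does not reintroduce `\s+` in one of them. An alternative that keeps the old grammar is to normalise whitespace once with `rule.replace(/\s+/g, ' ')` (a single quantifier with nothing to backtrack into) and then match on single spaces, which also removes the bound duplicated across three patterns. Since `dist/cli.js` is a build artifact, the comment presumably belongs in the source module these functions are bundled from.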