@kaademos/secure-sdlc 1.0.0 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/CHANGELOG.md +1 -1
  2. package/README.md +18 -0
  3. package/cli/bin/secure-sdlc.js +0 -0
  4. package/hooks/install.sh +0 -0
  5. package/hooks/pre-commit +0 -0
  6. package/hooks/pre-push +0 -0
  7. package/mcp/src/server.js +0 -0
  8. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -6,7 +6,7 @@ Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
6
6
 
7
7
  ---
8
8
 
9
- ## [Unreleased]
9
+ ## [1.0.2]
10
10
 
11
11
  ### Added
12
12
  - **npm package** `@kaademos/secure-sdlc` (root `package.json`) — global install via `npm install -g @kaademos/secure-sdlc`, `npx @kaademos/secure-sdlc`, semver releases;
package/README.md CHANGED
@@ -188,6 +188,24 @@ RELEASE release-manager (go/no-go)
188
188
  - **MEDIUM** — requires remediation plan or accepted risk before release
189
189
  - **LOW** — tracked in risk register, does not block
190
190
 
191
+ ---
192
+ ## Frequently Asked Questions
193
+
194
+ **Q: Where do I put my OpenAI or Anthropic API key?**
195
+ You don't need to provide an API key to `secure-sdlc`. This project does not make LLM API calls directly. Instead, it acts as an MCP server and prompt-generation engine that feeds specialized security context to your "host" AI tool (Cursor, Windsurf, Claude Code). Your API keys and billing are handled entirely by your host application.
196
+
197
+ **Q: Do I have to manually fill out the Markdown templates?**
198
+ No. While the project provides structured templates in `docs/templates/`, you do not fill them out by hand. When you invoke a tool like `sdlc_plan_feature`, the MCP server passes the blank template to your AI assistant, and the AI automatically writes the completed, project-specific markdown file directly to your `docs/` folder.
199
+
200
+ **Q: Do the AI agents run automatically in my CI/CD pipeline?**
201
+ No, the AI agents are designed to be used locally by developers during the coding process (e.g., in your IDE or terminal). The provided GitHub Actions workflow (`secure-sdlc-gate.yml`) does *not* invoke LLMs. Instead, it acts as a deterministic **gatekeeper**—it runs traditional tools (like Gitleaks, Checkov, CodeQL) and verifies that the AI-generated artifacts actually exist and are fully filled out before allowing a merge.
202
+
203
+ **Q: Will this use a lot of API tokens/credits?**
204
+ Because this tool feeds comprehensive security frameworks (like OWASP ASVS), infrastructure checklists, and full file templates into your AI's context window, it can consume a significant number of tokens. Ensure your host application (like Claude Code or your Cursor subscription) has sufficient limits for handling large context prompts.
205
+
206
+ **Q: Can I customize the templates for my own company's requirements?**
207
+ Yes. When you run `secure-sdlc init`, the default templates are copied into your local `docs/templates/` directory. You can modify these markdown files to include your own company's specific compliance headers, and the agents will use your customized versions going forward.
208
+
191
209
  ---
192
210
 
193
211
  ## MCP tools reference
package/cli/bin/secure-sdlc.js CHANGED
File without changes
package/hooks/install.sh CHANGED
File without changes
package/hooks/pre-commit CHANGED
File without changes
package/hooks/pre-push CHANGED
File without changes
package/mcp/src/server.js CHANGED
File without changes
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@kaademos/secure-sdlc",
3
- "version": "1.0.0",
3
+ "version": "1.0.2",
4
4
  "description": "Secure SDLC agent team — CLI to scaffold docs, hooks, CI, and MCP-ready security workflows",
5
5
  "type": "module",
6
6
  "bin": {