@nexus_js/compiler 0.7.1 → 0.7.4

package/dist/client-security-scan.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Compiler-time security hints for `.nx` island / client script.
+ * Not exhaustive — defense in depth; review warnings in CI output.
+ */
+import type { CompileWarning } from './types.js';
+import type { ParsedComponent } from './types.js';
+/**
+ * Scans island `<script>` block and template for patterns that often indicate
+ * secret leakage or unsafe inline handlers.
+ */
+export declare function scanIslandSecurity(parsed: ParsedComponent): CompileWarning[];
+//# sourceMappingURL=client-security-scan.d.ts.map

package/dist/client-security-scan.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-security-scan.d.ts","sourceRoot":"","sources":["../src/client-security-scan.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AACjD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAWlD;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,eAAe,GAAG,cAAc,EAAE,CAwC5E"}

package/dist/client-security-scan.js

@@ -0,0 +1,54 @@
+/**
+ * Compiler-time security hints for `.nx` island / client script.
+ * Not exhaustive — defense in depth; review warnings in CI output.
+ */
+/** References that must not appear in code that ships to the browser bundle. */
+const PROCESS_ENV = /\bprocess\.env\b/;
+const IMPORT_META_ENV = /\bimport\.meta\.env\b/;
+const DENO_ENV = /\bDeno\.env\b/;
+const BUN_ENV = /\bBun\.env\b/;
+/** Inline HTML event attributes (discouraged — CSP / XSS footguns). */
+const INLINE_ON_ATTR = /\s(on[a-z]+)\s*=\s*["'][^"']*["']/i;
+/**
+ * Scans island `<script>` block and template for patterns that often indicate
+ * secret leakage or unsafe inline handlers.
+ */
+export function scanIslandSecurity(parsed) {
+    const out = [];
+    const script = parsed.script?.content ?? '';
+    const tmpl = parsed.template?.content ?? '';
+    const loc = parsed.filepath;
+    if (!script && !tmpl)
+        return out;
+    if (script) {
+        if (PROCESS_ENV.test(script)) {
+            out.push({
+                message: `[security] Island script references process.env — server-only; do not ship secrets to the client (${loc})`,
+            });
+        }
+        if (IMPORT_META_ENV.test(script)) {
+            out.push({
+                message: `[security] Island script references import.meta.env — only public Vite-style keys should be used here (${loc})`,
+            });
+        }
+        if (DENO_ENV.test(script)) {
+            out.push({
+                message: `[security] Island script references Deno.env — not available in browser bundles (${loc})`,
+            });
+        }
+        if (BUN_ENV.test(script)) {
+            out.push({
+                message: `[security] Island script references Bun.env — not available in browser bundles (${loc})`,
+            });
+        }
+    }
+    if (tmpl && INLINE_ON_ATTR.test(tmpl)) {
+        const m = INLINE_ON_ATTR.exec(tmpl);
+        const attr = m?.[1] ?? 'on*';
+        out.push({
+            message: `[security] Template uses inline ${attr}="..." — prefer bound handlers without string attribute JS (CSP-friendly) (${loc})`,
+        });
+    }
+    return out;
+}
+//# sourceMappingURL=client-security-scan.js.map

package/dist/client-security-scan.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-security-scan.js","sourceRoot":"","sources":["../src/client-security-scan.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAKH,gFAAgF;AAChF,MAAM,WAAW,GAAG,kBAAkB,CAAC;AACvC,MAAM,eAAe,GAAG,uBAAuB,CAAC;AAChD,MAAM,QAAQ,GAAG,eAAe,CAAC;AACjC,MAAM,OAAO,GAAG,cAAc,CAAC;AAE/B,uEAAuE;AACvE,MAAM,cAAc,GAAG,oCAAoC,CAAC;AAE5D;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAuB;IACxD,MAAM,GAAG,GAAqB,EAAE,CAAC;IACjC,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,IAAI,EAAE,CAAC;IAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,QAAQ,EAAE,OAAO,IAAI,EAAE,CAAC;IAC5C,MAAM,GAAG,GAAG,MAAM,CAAC,QAAQ,CAAC;IAE5B,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI;QAAE,OAAO,GAAG,CAAC;IAEjC,IAAI,MAAM,EAAE,CAAC;QACX,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC7B,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,qGAAqG,GAAG,GAAG;aACrH,CAAC,CAAC;QACL,CAAC;QACD,IAAI,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACjC,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,0GAA0G,GAAG,GAAG;aAC1H,CAAC,CAAC;QACL,CAAC;QACD,IAAI,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YAC1B,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,oFAAoF,GAAG,GAAG;aACpG,CAAC,CAAC;QACL,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC;YACzB,GAAG,CAAC,IAAI,CAAC;gBACP,OAAO,EAAE,mFAAmF,GAAG,GAAG;aACnG,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,IAAI,IAAI,IAAI,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,MAAM,CAAC,GAAG,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC;QAC7B,GAAG,CAAC,IAAI,CAAC;YACP,OAAO,EAAE,mCAAmC,IAAI,8EAA8E,GAAG,GAAG;SACrI,CAAC,CAAC;IACL,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/client-security-scan.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=client-security-scan.test.d.ts.map

package/dist/client-security-scan.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-security-scan.test.d.ts","sourceRoot":"","sources":["../src/client-security-scan.test.ts"],"names":[],"mappings":""}

package/dist/client-security-scan.test.js

@@ -0,0 +1,31 @@
+import { describe, it, expect } from 'vitest';
+import { scanIslandSecurity } from './client-security-scan.js';
+function minimalParsed(over) {
+    return {
+        source: '',
+        filepath: '/app/src/routes/+page.nx',
+        frontmatter: null,
+        pretext: null,
+        script: null,
+        template: null,
+        style: null,
+        islandDirectives: [],
+        serverActions: [],
+        ...over,
+    };
+}
+describe('scanIslandSecurity', () => {
+    it('flags process.env in script', () => {
+        const w = scanIslandSecurity(minimalParsed({
+            script: { type: 'script', content: 'const x = process.env.API_KEY', start: 0, end: 1 },
+        }));
+        expect(w.some((x) => x.message.includes('process.env'))).toBe(true);
+    });
+    it('flags inline onclick in template', () => {
+        const w = scanIslandSecurity(minimalParsed({
+            template: { type: 'template', content: '<button onclick="evil()">x</button>', start: 0, end: 1 },
+        }));
+        expect(w.some((x) => x.message.includes('inline'))).toBe(true);
+    });
+});
+//# sourceMappingURL=client-security-scan.test.js.map

package/dist/client-security-scan.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client-security-scan.test.js","sourceRoot":"","sources":["../src/client-security-scan.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAG/D,SAAS,aAAa,CAAC,IAA8B;IACnD,OAAO;QACL,MAAM,EAAE,EAAE;QACV,QAAQ,EAAE,0BAA0B;QACpC,WAAW,EAAE,IAAI;QACjB,OAAO,EAAE,IAAI;QACb,MAAM,EAAE,IAAI;QACZ,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,IAAI;QACX,gBAAgB,EAAE,EAAE;QACpB,aAAa,EAAE,EAAE;QACjB,GAAG,IAAI;KACR,CAAC;AACJ,CAAC;AAED,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,6BAA6B,EAAE,GAAG,EAAE;QACrC,MAAM,CAAC,GAAG,kBAAkB,CAC1B,aAAa,CAAC;YACZ,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,+BAA+B,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;SACvF,CAAC,CACH,CAAC;QACF,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;QAC1C,MAAM,CAAC,GAAG,kBAAkB,CAC1B,aAAa,CAAC;YACZ,QAAQ,EAAE,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,qCAAqC,EAAE,KAAK,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE;SACjG,CAAC,CACH,CAAC;QACF,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACjE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/codegen.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"codegen.d.ts","sourceRoot":"","sources":["../src/codegen.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,cAAc,EACd,aAAa,EAKd,MAAM,YAAY,CAAC;AAuBpB,kEAAkE;AAClE,wBAAgB,QAAQ,CACtB,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,cAAc,GACnB,aAAa,CAgEf"}
+{"version":3,"file":"codegen.d.ts","sourceRoot":"","sources":["../src/codegen.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EACV,eAAe,EACf,cAAc,EACd,aAAa,EAKd,MAAM,YAAY,CAAC;AA+FpB,kEAAkE;AAClE,wBAAgB,QAAQ,CACtB,MAAM,EAAE,eAAe,EACvB,IAAI,EAAE,cAAc,GACnB,aAAa,CAiEf"}