@nugehs/bouncer 0.1.0 → 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +20 -0
- package/README.md +57 -6
- package/package.json +2 -2
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,26 @@ All notable changes to `@nugehs/bouncer` are documented here.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [0.1.1] - 2026-06-09
|
|
9
|
+
### Added
|
|
10
|
+
|
|
11
|
+
- Brand alignment: toolchain footer/badges.
|
|
12
|
+
- README: badge row (npm version, CI, license, node, zero dependencies).
|
|
13
|
+
- README: "bouncer vs semgrep / policy-as-code" positioning section.
|
|
14
|
+
- README: prominent note that the shipped adapters today are `next` and
|
|
15
|
+
`react-native`, with an invitation for adapter PRs (nuxt, sveltekit, remix,
|
|
16
|
+
flutter, django).
|
|
17
|
+
- README: Tests section documenting the Node built-in test suite and CI matrix.
|
|
18
|
+
- Tag-triggered release workflow (`.github/workflows/release.yml`): runs tests,
|
|
19
|
+
creates a GitHub Release with notes extracted from this changelog, publishes
|
|
20
|
+
to npm.
|
|
21
|
+
|
|
22
|
+
### Changed
|
|
23
|
+
|
|
24
|
+
- Replaced a personal example target path with a generic `./my-app` in the
|
|
25
|
+
README and the repo-root `bouncer.config.json`.
|
|
26
|
+
- README link to tieline now points at its npm package page.
|
|
27
|
+
|
|
8
28
|
## [0.1.0] - 2026-06-07
|
|
9
29
|
|
|
10
30
|
Initial release.
|
package/README.md
CHANGED
|
@@ -1,6 +1,12 @@
|
|
|
1
1
|
# bouncer
|
|
2
2
|
|
|
3
|
-
**Static compliance-controls checker
|
|
3
|
+
**Static compliance-controls checker — the controls a regulation requires, verified in your code.**
|
|
4
|
+
|
|
5
|
+
[](https://www.npmjs.com/package/@nugehs/bouncer) [](https://github.com/nugehs/bouncer/actions/workflows/ci.yml) [](LICENSE) [](#) [](#)
|
|
6
|
+
|
|
7
|
+
**[nugehs.github.io/bouncer-web](https://nugehs.github.io/bouncer-web/)** (site)
|
|
8
|
+
|
|
9
|
+
bouncer verifies that the controls a
|
|
4
10
|
regulation *requires* actually exist in your code — UK Online Safety Act, ICO
|
|
5
11
|
Children's Code (AADC) — expressed as deterministic **rule packs**. It runs in CI,
|
|
6
12
|
exits non-zero when a required control is missing, and needs **no LLM**.
|
|
@@ -19,8 +25,23 @@ Regulators now expect *demonstrable* controls: age assurance, high-privacy
|
|
|
19
25
|
defaults for children, report/block affordances on user-generated content, a DPIA,
|
|
20
26
|
a risk assessment. Those are concrete things that either exist in a codebase or
|
|
21
27
|
don't. bouncer turns a regulation into a set of static checks over your repo, the
|
|
22
|
-
same way [tieline](https://
|
|
23
|
-
drift checks — the engine knows nothing about the law; the
|
|
28
|
+
same way [tieline](https://www.npmjs.com/package/@nugehs/tieline) turns an API
|
|
29
|
+
contract into drift checks — the engine knows nothing about the law; the
|
|
30
|
+
**rule packs** do.
|
|
31
|
+
|
|
32
|
+
### bouncer vs semgrep / policy-as-code
|
|
33
|
+
|
|
34
|
+
Scanners like semgrep, CodeQL, or Snyk answer *"is there bad code here?"* — they
|
|
35
|
+
hunt for vulnerabilities and dangerous patterns that **shouldn't exist**. bouncer
|
|
36
|
+
answers the opposite question: *"does the code the regulation requires actually
|
|
37
|
+
exist?"* — age assurance on sign-up, report/block on UGC surfaces, high-privacy
|
|
38
|
+
defaults for children. A repo can be vulnerability-free and still fail every one
|
|
39
|
+
of those obligations. Policy-as-code tools (OPA/Rego, Conftest) gate *configs and
|
|
40
|
+
infrastructure* against policy; bouncer gates *application source* against
|
|
41
|
+
regulatory rule packs, with `file:line` evidence for every control and an honest
|
|
42
|
+
`unknown` when a surface can't be located. In short: **semgrep finds
|
|
43
|
+
vulnerabilities; bouncer proves required controls exist.** They complement each
|
|
44
|
+
other — run both.
|
|
24
45
|
|
|
25
46
|
## Install
|
|
26
47
|
|
|
@@ -65,8 +86,8 @@ not find. Missing surface → honest "can't determine".
|
|
|
65
86
|
{
|
|
66
87
|
"target": {
|
|
67
88
|
"adapter": "next",
|
|
68
|
-
"repo": "
|
|
69
|
-
"roots": ["app", "src", "components"
|
|
89
|
+
"repo": "./my-app",
|
|
90
|
+
"roots": ["app", "src", "components"]
|
|
70
91
|
},
|
|
71
92
|
"packs": ["uk-osa", "uk-aadc"],
|
|
72
93
|
"packDirs": [],
|
|
@@ -76,7 +97,13 @@ not find. Missing surface → honest "can't determine".
|
|
|
76
97
|
```
|
|
77
98
|
|
|
78
99
|
- `adapter` — how regulation *surfaces* (sign-up, profile, chat, livestream…) map
|
|
79
|
-
onto files for your stack.
|
|
100
|
+
onto files for your stack.
|
|
101
|
+
|
|
102
|
+
> **Adapters shipped today: `next` (App Router) and `react-native`.** That's it —
|
|
103
|
+
> if your stack isn't covered, an adapter is a single small file mapping surface
|
|
104
|
+
> aliases to file globs (see `src/lib/adapters/next.js`). **Adapter PRs are very
|
|
105
|
+
> welcome** — `nuxt`, `sveltekit`, `remix`, `flutter`, `django` are all natural
|
|
106
|
+
> candidates.
|
|
80
107
|
- `packs` — which rule packs to run. Built-ins: `uk-osa`, `uk-aadc`.
|
|
81
108
|
- `packDirs` — extra directories of your own `*.json` packs.
|
|
82
109
|
- `ignore` — rule ids to skip.
|
|
@@ -142,6 +169,30 @@ results:
|
|
|
142
169
|
Fails the build when a required control goes missing — e.g. someone removes an
|
|
143
170
|
age-gate or a report button from a UGC surface.
|
|
144
171
|
|
|
172
|
+
## Tests
|
|
173
|
+
|
|
174
|
+
```bash
|
|
175
|
+
npm test # node --test — zero dependencies, nothing to install
|
|
176
|
+
```
|
|
177
|
+
|
|
178
|
+
The suite runs on Node's built-in test runner against throwaway fixture repos:
|
|
179
|
+
glob/brace expansion, every assertion probe (`find`, `allOf`/`anyOf`/`not`,
|
|
180
|
+
`allInFile` + `within` windows, `expect: "absent"`), the pass/fail/`unknown`
|
|
181
|
+
verdict semantics, and pack loading. CI runs it on Node 18, 20, and 22.
|
|
182
|
+
|
|
145
183
|
## License
|
|
146
184
|
|
|
147
185
|
MIT
|
|
186
|
+
|
|
187
|
+
---
|
|
188
|
+
|
|
189
|
+
## Part of the toolchain
|
|
190
|
+
|
|
191
|
+
**bouncer** is one of four tools that form a deterministic trust layer for AI-assisted development. Each answers a question people keep handing to an LLM — with static analysis instead.
|
|
192
|
+
|
|
193
|
+
- [repoctx](https://www.npmjs.com/package/@nugehs/repoctx) — context: what does this change actually touch?
|
|
194
|
+
- [tieline](https://www.npmjs.com/package/@nugehs/tieline) — contracts: did the front end and back end quietly stop agreeing?
|
|
195
|
+
- **bouncer** (this tool) — compliance: could you defend this to Ofcom?
|
|
196
|
+
- [aiglare](https://www.npmjs.com/package/@nugehs/aiglare) — governance: where can the model do something you can't undo?
|
|
197
|
+
|
|
198
|
+
More at [segunolumbe.com](https://segunolumbe.com). *static analysis, never the model.*
|
package/package.json
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nugehs/bouncer",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.1",
|
|
4
4
|
"mcpName": "io.github.nugehs/bouncer",
|
|
5
|
-
"description": "bouncer
|
|
5
|
+
"description": "bouncer \u2014 static compliance-controls checker. Verifies the controls a regulation requires actually exist in your code (UK Online Safety Act, ICO Children's Code), as deterministic rule packs. No LLM required.",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"bin": {
|
|
8
8
|
"bouncer": "src/cli.js"
|