@securitychecks/cli 0.1.1-rc.1

package/LICENSE

@@ -0,0 +1,87 @@
+SecurityChecks Proprietary License
+
+Copyright (c) 2024-2026 SecurityChecks. All rights reserved.
+
+TERMS AND CONDITIONS
+
+1. DEFINITIONS
+
+"Software" means the SecurityChecks CLI, collector, MCP server, and all
+associated documentation, source code, and compiled binaries.
+
+"License Key" means a valid subscription key obtained from SecurityChecks.
+
+"Free Tier" means usage of the Software without a License Key, subject to
+the limitations described in Section 3.
+
+2. GRANT OF LICENSE
+
+Subject to the terms of this License, SecurityChecks grants you a limited,
+non-exclusive, non-transferable license to:
+
+a) Install and use the Software for your internal business purposes
+b) Make copies of the Software for backup purposes only
+c) Use the Software in continuous integration/continuous deployment pipelines
+
+3. FREE TIER LIMITATIONS
+
+Without a valid License Key, you may use the Software subject to:
+
+a) Maximum of 10 scans per calendar month
+b) Basic finding output only (no SARIF export)
+c) No access to calibration API features
+d) No access to Pro patterns
+e) Community support only
+
+4. RESTRICTIONS
+
+You may NOT:
+
+a) Distribute, sublicense, lease, rent, or lend the Software to third parties
+b) Modify, adapt, translate, reverse engineer, decompile, or disassemble the Software
+c) Remove or alter any proprietary notices, labels, or marks on the Software
+d) Use the Software to create a competing product or service
+e) Share or publish License Keys
+f) Circumvent any license enforcement mechanisms
+g) Use the Software for illegal purposes
+
+5. INTELLECTUAL PROPERTY
+
+The Software and all copies thereof are proprietary to SecurityChecks and
+title thereto remains exclusively with SecurityChecks. All rights in the
+Software not specifically granted in this License are reserved to SecurityChecks.
+
+6. DISCLAIMER OF WARRANTY
+
+THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT.
+
+7. LIMITATION OF LIABILITY
+
+IN NO EVENT SHALL SECURITYCHECKS BE LIABLE FOR ANY INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES ARISING OUT OF OR IN CONNECTION
+WITH THIS LICENSE OR THE USE OF THE SOFTWARE.
+
+8. TERMINATION
+
+This License is effective until terminated. SecurityChecks may terminate
+this License immediately if you breach any term. Upon termination, you must
+destroy all copies of the Software in your possession.
+
+9. GOVERNING LAW
+
+This License shall be governed by and construed in accordance with the laws
+of the State of Delaware, United States, without regard to its conflict of
+law provisions.
+
+10. ENTIRE AGREEMENT
+
+This License constitutes the entire agreement between you and SecurityChecks
+regarding the Software and supersedes all prior agreements and understandings.
+
+---
+
+For licensing inquiries: licensing@securitychecks.ai
+For support: support@securitychecks.ai
+Website: https://securitychecks.ai

package/README.md

@@ -0,0 +1,207 @@
+# @securitychecks/cli
+
+Enforce backend invariants in your codebase. Find authorization gaps, race conditions, and transaction bugs before they ship.
+
+## Quick Start
+
+```bash
+npx @securitychecks/cli run
+```
+
+That's it. No signup required. The CLI runs locally and your code never leaves your machine.
+
+## Installation
+
+```bash
+# Global install
+npm install -g @securitychecks/cli
+
+# Then run
+scheck run
+```
+
+## What It Checks
+
+SecurityChecks enforces backend invariants that cause production incidents:
+
+| Invariant | What It Catches |
+|-----------|-----------------|
+| `AUTHZ.SERVICE_LAYER` | Service methods callable without authorization |
+| `WEBHOOK.IDEMPOTENT` | Webhooks that double-process on retry |
+| `WEBHOOK.SIGNATURE.VERIFIED` | Unverified webhook signatures |
+| `TRANSACTION.SIDE_EFFECTS` | Emails/notifications sent before commit |
+| `CACHE.INVALIDATION` | Stale permissions after auth changes |
+| `DATAFLOW.UNTRUSTED.SQL` | SQL injection via string interpolation |
+| `AUTHZ.RLS.MULTI_TENANT` | Missing tenant isolation in queries |
+
+## Commands
+
+### `scheck run`
+
+Scan your codebase for security invariants.
+
+```bash
+# Basic scan
+scheck run
+
+# Scan specific path
+scheck run --path ./src
+
+# CI mode - fail on new violations
+scheck run --ci
+
+# Output as JSON
+scheck run --json
+
+# Generate SARIF report (for GitHub Code Scanning)
+scheck run --sarif report.sarif
+
+# Only check changed files
+scheck run --changed
+
+# Watch mode
+scheck run --watch
+```
+
+**Options:**
+- `-p, --path <path>` - Target path (default: current directory)
+- `--changed` - Only check changed files (requires git)
+- `--ci` - CI mode - fail on new violations
+- `--all` - Show all findings including P2
+- `--only <invariants...>` - Only run specific checks
+- `--skip <invariants...>` - Skip specific checks
+- `--json` - Output as JSON
+- `--sarif <path>` - Write SARIF report
+- `-v, --verbose` - Verbose output
+- `-w, --watch` - Watch for changes
+
+### `scheck explain <invariant>`
+
+Get a deep-dive on any invariant - why it matters, what good looks like.
+
+```bash
+scheck explain AUTHZ.SERVICE_LAYER
+scheck explain WEBHOOK.IDEMPOTENT
+```
+
+### `scheck list-invariants`
+
+List all supported invariants (optionally filtered).
+
+```bash
+# Human-readable list
+scheck list-invariants
+
+# Filter by severity/category
+scheck list-invariants --severity P0
+scheck list-invariants --category webhooks
+
+# JSON for scripting
+scheck list-invariants --json
+```
+
+### `scheck generate-test <invariantId>`
+
+Generate a test skeleton that proves an invariant is enforced.
+
+```bash
+scheck generate-test WEBHOOK.IDEMPOTENT
+scheck generate-test AUTHZ.SERVICE_LAYER.ENFORCED --framework jest
+```
+
+### `scheck baseline`
+
+Manage known issues so you can adopt incrementally.
+
+```bash
+# Mark current findings as known
+scheck baseline --update
+
+# Show current baseline
+scheck baseline --show
+
+# Remove stale entries
+scheck baseline --prune
+```
+
+### `scheck waive <findingId>`
+
+Temporarily waive a finding with a reason and expiration.
+
+```bash
+scheck waive AUTHZ.SERVICE_LAYER:src/services/user.ts:42 \
+  --reason-key will_fix_later \
+  --reason "Auth handled by upstream middleware" \
+  --expires 30d
+```
+
+### `scheck init`
+
+Initialize SecurityChecks in your project.
+
+```bash
+# Basic init
+scheck init
+
+# With git pre-commit hook
+scheck init --hooks
+```
+
+### `scheck feedback <invariantId>`
+
+Report whether a finding was a true positive or false positive.
+
+```bash
+scheck feedback WEBHOOK.IDEMPOTENT --verdict fp --reason not_applicable
+```
+
+## Cloud Features (Optional)
+
+Connect to SecurityChecks cloud for dashboards, team collaboration, and CI integration.
+
+```bash
+# Login with API key
+scheck login --api-key sk_xxx
+
+# Or set environment variable
+export SECURITYCHECKS_API_KEY=sk_xxx
+
+# Sync findings to dashboard
+scheck sync --project my-project
+```
+
+Get your API key at [securitychecks.ai](https://securitychecks.ai).
+
+## CI Integration
+
+### GitHub Actions
+
+```yaml
+- name: Run SecurityChecks
+  run: npx @securitychecks/cli run --ci
+```
+
+### With baseline (recommended)
+
+```yaml
+- name: Run SecurityChecks
+  run: |
+    npx @securitychecks/cli run --ci
+  # Fails only on NEW findings, not baselined ones
+```
+
+## Privacy
+
+- **Local execution**: All analysis runs on your machine
+- **No code upload**: Your code never leaves your environment
+- **Cloud optional**: Dashboard sync is opt-in only
+
+## Links
+
+- [Documentation](https://securitychecks.ai/docs)
+- [Invariant Reference](https://securitychecks.ai/docs/invariants)
+- [GitHub](https://github.com/CodeWheel-AI/securitychecks)
+
+## License
+
+Proprietary. See [LICENSE](../../LICENSE) for details.

package/bin/scheck.js

@@ -0,0 +1,17 @@
+#!/usr/bin/env node
+
+import { existsSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const here = dirname(fileURLToPath(import.meta.url));
+const entry = resolve(here, '../dist/index.js');
+
+if (!existsSync(entry)) {
+  console.error(
+    'scheck build artifacts are missing. Run `pnpm --filter @securitychecks/cli build` first.'
+  );
+  process.exit(1);
+}
+
+await import(entry);

package/dist/index.d.ts

@@ -0,0 +1 @@
+#!/usr/bin/env node