@synth1s/cloak 2.1.0 → 2.2.0

package/.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: npm
+    directory: /
+    schedule:
+      interval: weekly
+    open-pull-requests-limit: 5

package/.github/workflows/ci.yml

@@ -0,0 +1,30 @@
+name: CI
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18, 20]
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: node --test tests/*.test.js
+
+  audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+      - run: npm audit --audit-level=high

package/.github/workflows/publish.yml

@@ -0,0 +1,40 @@
+name: Publish to npm
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          registry-url: https://registry.npmjs.org
+
+      - run: npm ci
+      - run: node --test tests/*.test.js
+
+      - name: Set version from release tag
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          npm version "$VERSION" --no-git-tag-version
+          echo "Publishing version $VERSION"
+
+      - name: Publish to npm
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Commit version bump
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git add package.json package-lock.json
+          git commit -m "chore: bump version to ${GITHUB_REF_NAME#v} [skip ci]" || true
+          git push origin HEAD:master

package/CONTRIBUTING.md

@@ -0,0 +1,48 @@
+# Contributing to @synth1s/cloak
+
+Thanks for your interest in contributing!
+
+## Development
+
+```bash
+git clone https://github.com/synth1s/cloak.git
+cd cloak
+npm install
+npm test
+```
+
+## Methodology
+
+This project follows **strict TDD**. Every change must follow:
+
+1. Write the test first (it must fail)
+2. Implement the minimum code to make it pass
+3. Refactor if needed
+
+## Running tests
+
+```bash
+npm test              # run all tests
+node --test tests/    # same thing
+```
+
+Tests use `node:test` (native Node.js test runner). No external test frameworks.
+
+## Code style
+
+- Node.js ESM (`type: "module"`)
+- All user-facing strings in `src/lib/messages.js`
+- All paths in `src/lib/paths.js`
+- One file per command in `src/commands/`
+- stderr for errors/warnings, stdout for data/success
+
+## Pull requests
+
+- One feature or fix per PR
+- Include tests for new behavior
+- Update documentation if the change affects user-facing behavior
+- Run `npm test` before submitting
+
+## Security
+
+See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.

package/README.md

@@ -1,5 +1,9 @@
 # @synth1s/cloak
 
+[![CI](https://github.com/synth1s/cloak/actions/workflows/ci.yml/badge.svg)](https://github.com/synth1s/cloak/actions/workflows/ci.yml)
+[![npm](https://img.shields.io/npm/v/@synth1s/cloak)](https://www.npmjs.com/package/@synth1s/cloak)
+[![license](https://img.shields.io/npm/l/@synth1s/cloak)](LICENSE)
+
 > Cloak your Claude. Switch identities in seconds.
 
 Every developer wears a different cloak. One for work, one for personal projects, one for that freelance gig. **Cloak** lets you dress your Claude Code in the right identity — and switch between them without breaking a sweat.

package/SECURITY.md

@@ -0,0 +1,31 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in @synth1s/cloak, please report it responsibly.
+
+**Do NOT open a public issue.** Instead, email:
+
+**cloak@synth1s.com.br**
+
+Include:
+- Description of the vulnerability
+- Steps to reproduce
+- Potential impact
+
+You will receive a response within 48 hours. Once confirmed, a fix will be released as a patch version and credited in the changelog (unless you prefer anonymity).
+
+## Scope
+
+This policy covers:
+- The `@synth1s/cloak` npm package
+- The shell integration code emitted by `cloak init`
+- File operations on `~/.cloak/` and shell rc files
+
+## Security Measures
+
+- Account names are validated against `^[a-zA-Z0-9][a-zA-Z0-9_-]{0,63}$` to prevent path traversal
+- Credential files are created with restrictive permissions (0o700 dirs, 0o600 files)
+- Shell eval output is quoted to prevent injection
+- OAuth tokens are never read, logged, or transmitted — only copied as files
+- `.bashrc` modifications include a backup (`.cloak-backup`) and a marker comment

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@synth1s/cloak",
-  "version": "2.1.0",
+  "version": "2.2.0",
   "description": "Cloak your Claude. Switch identities in seconds.",
   "type": "module",
   "bin": {