@ulrichc1/sparn 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/PRIVACY.md +350 -0
- package/README.md +683 -0
- package/SECURITY.md +247 -0
- package/dist/cli/index.cjs +1897 -0
- package/dist/cli/index.cjs.map +1 -0
- package/dist/cli/index.d.cts +1 -0
- package/dist/cli/index.d.ts +1 -0
- package/dist/cli/index.js +1868 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/index.cjs +948 -0
- package/dist/index.cjs.map +1 -0
- package/dist/index.d.cts +567 -0
- package/dist/index.d.ts +567 -0
- package/dist/index.js +900 -0
- package/dist/index.js.map +1 -0
- package/package.json +77 -0
package/SECURITY.md
ADDED
|
@@ -0,0 +1,247 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Supported Versions
|
|
4
|
+
|
|
5
|
+
We provide security updates for the following versions:
|
|
6
|
+
|
|
7
|
+
| Version | Supported |
|
|
8
|
+
| ------- | ------------------ |
|
|
9
|
+
| 0.1.x | :white_check_mark: |
|
|
10
|
+
|
|
11
|
+
## Reporting a Vulnerability
|
|
12
|
+
|
|
13
|
+
**DO NOT** open a public GitHub issue for security vulnerabilities.
|
|
14
|
+
|
|
15
|
+
Instead, please report security issues through one of these channels:
|
|
16
|
+
|
|
17
|
+
### 1. GitHub Security Advisories (Preferred)
|
|
18
|
+
Visit: https://github.com/ulrichc1/sparn/security/advisories/new
|
|
19
|
+
|
|
20
|
+
### 2. Email
|
|
21
|
+
Send details to: ulrichc1.dev@gmail.com
|
|
22
|
+
|
|
23
|
+
### What to Include
|
|
24
|
+
- Description of the vulnerability
|
|
25
|
+
- Steps to reproduce
|
|
26
|
+
- Potential impact
|
|
27
|
+
- Suggested fix (if any)
|
|
28
|
+
|
|
29
|
+
### Response Timeline
|
|
30
|
+
- **Initial Response**: Within 48 hours
|
|
31
|
+
- **Status Update**: Within 7 days
|
|
32
|
+
- **Patch Release**: Within 14 days (for confirmed vulnerabilities)
|
|
33
|
+
|
|
34
|
+
### What Happens Next
|
|
35
|
+
If the vulnerability is confirmed, we will:
|
|
36
|
+
1. Acknowledge the report
|
|
37
|
+
2. Develop and test a fix
|
|
38
|
+
3. Release a security patch
|
|
39
|
+
4. Publish an npm security advisory
|
|
40
|
+
5. Credit you in the release notes (unless you prefer to remain anonymous)
|
|
41
|
+
|
|
42
|
+
---
|
|
43
|
+
|
|
44
|
+
## Security Best Practices
|
|
45
|
+
|
|
46
|
+
### For Users
|
|
47
|
+
|
|
48
|
+
When using Sparn, follow these best practices:
|
|
49
|
+
|
|
50
|
+
1. **Validate Environment Variables**
|
|
51
|
+
- Check your `EDITOR` environment variable before using `sparn config`
|
|
52
|
+
- Avoid setting suspicious commands in `EDITOR`
|
|
53
|
+
|
|
54
|
+
2. **Process Trusted Context Only**
|
|
55
|
+
- Only optimize context from trusted sources
|
|
56
|
+
- Avoid processing arbitrary user-supplied content
|
|
57
|
+
|
|
58
|
+
3. **Regular Maintenance**
|
|
59
|
+
- Run `sparn consolidate` periodically to clean database
|
|
60
|
+
- Keep Sparn updated: `npm update sparn`
|
|
61
|
+
- Monitor database size (`.sparn/memory.db`)
|
|
62
|
+
|
|
63
|
+
4. **Resource Limits**
|
|
64
|
+
- Avoid processing extremely large context files (>100MB)
|
|
65
|
+
- Monitor memory usage during optimization
|
|
66
|
+
- Use `--dry-run` flag to preview optimizations first
|
|
67
|
+
|
|
68
|
+
5. **Update Regularly**
|
|
69
|
+
- Check for updates: `npm outdated sparn`
|
|
70
|
+
- Review changelogs before updating
|
|
71
|
+
- Run tests after updating if you use the programmatic API
|
|
72
|
+
|
|
73
|
+
### For Developers
|
|
74
|
+
|
|
75
|
+
If you're using Sparn's programmatic API:
|
|
76
|
+
|
|
77
|
+
1. **Input Validation**
|
|
78
|
+
- Validate context before passing to `optimize()`
|
|
79
|
+
- Set reasonable size limits
|
|
80
|
+
- Sanitize metadata and tags
|
|
81
|
+
|
|
82
|
+
2. **Error Handling**
|
|
83
|
+
- Wrap Sparn calls in try-catch blocks
|
|
84
|
+
- Handle database errors gracefully
|
|
85
|
+
- Don't expose internal errors to end users
|
|
86
|
+
|
|
87
|
+
3. **Resource Management**
|
|
88
|
+
- Close database connections: `await memory.close()`
|
|
89
|
+
- Limit concurrent optimizations
|
|
90
|
+
- Monitor memory usage in production
|
|
91
|
+
|
|
92
|
+
4. **Configuration**
|
|
93
|
+
- Use `.sparn/config.yaml` for settings
|
|
94
|
+
- Avoid hardcoding sensitive data
|
|
95
|
+
- Validate config values before use
|
|
96
|
+
|
|
97
|
+
---
|
|
98
|
+
|
|
99
|
+
## Security Features
|
|
100
|
+
|
|
101
|
+
Sparn includes several security features:
|
|
102
|
+
|
|
103
|
+
### 1. SQL Injection Protection
|
|
104
|
+
- All queries use prepared statements
|
|
105
|
+
- No dynamic SQL construction
|
|
106
|
+
- Parameterized queries with strict typing
|
|
107
|
+
|
|
108
|
+
### 2. Command Injection Protection
|
|
109
|
+
- `spawn()` used with separated arguments
|
|
110
|
+
- No shell interpolation
|
|
111
|
+
- User input never evaluated as code
|
|
112
|
+
|
|
113
|
+
### 3. Path Traversal Protection
|
|
114
|
+
- All paths resolved to `.sparn/` directory
|
|
115
|
+
- No user-controlled path construction
|
|
116
|
+
- Safe use of `path.join()` and `path.resolve()`
|
|
117
|
+
|
|
118
|
+
### 4. Input Validation
|
|
119
|
+
- Schema-based config validation
|
|
120
|
+
- Whitelist approach for allowed keys
|
|
121
|
+
- Type checking and range validation
|
|
122
|
+
|
|
123
|
+
### 5. Information Disclosure Prevention
|
|
124
|
+
- Generic error messages
|
|
125
|
+
- Stack traces only in debug mode (`SPARN_DEBUG=true`)
|
|
126
|
+
- No sensitive data in logs
|
|
127
|
+
|
|
128
|
+
---
|
|
129
|
+
|
|
130
|
+
## Known Limitations
|
|
131
|
+
|
|
132
|
+
### Current Limitations (v0.1.0)
|
|
133
|
+
|
|
134
|
+
1. **Resource Limits**
|
|
135
|
+
- No enforced maximum context size
|
|
136
|
+
- No database size limits
|
|
137
|
+
- No concurrent execution protection
|
|
138
|
+
|
|
139
|
+
**Mitigation**: Use reasonable input sizes, run `sparn consolidate` regularly
|
|
140
|
+
|
|
141
|
+
2. **Child Process Timeout**
|
|
142
|
+
- Relay command has no timeout
|
|
143
|
+
|
|
144
|
+
**Mitigation**: Use with trusted commands only
|
|
145
|
+
|
|
146
|
+
3. **DoS Protection**
|
|
147
|
+
- No rate limiting on CLI commands
|
|
148
|
+
|
|
149
|
+
**Mitigation**: CLI is local-only, low risk
|
|
150
|
+
|
|
151
|
+
These limitations are documented and will be addressed in future releases. See [ROADMAP] for planned enhancements.
|
|
152
|
+
|
|
153
|
+
---
|
|
154
|
+
|
|
155
|
+
## Dependency Security
|
|
156
|
+
|
|
157
|
+
Sparn uses well-maintained, trusted dependencies:
|
|
158
|
+
|
|
159
|
+
- **better-sqlite3**: Native SQLite binding (7k+ stars)
|
|
160
|
+
- **ora**: Terminal spinners by sindresorhus (9k+ stars)
|
|
161
|
+
- **chalk**: Terminal colors by sindresorhus (21k+ stars)
|
|
162
|
+
- **commander**: CLI framework (27k+ stars)
|
|
163
|
+
|
|
164
|
+
All dependencies are:
|
|
165
|
+
- ✅ Actively maintained
|
|
166
|
+
- ✅ Widely used in production
|
|
167
|
+
- ✅ MIT/ISC/Apache-2.0 licensed
|
|
168
|
+
- ✅ Regularly updated
|
|
169
|
+
|
|
170
|
+
### Automated Security
|
|
171
|
+
|
|
172
|
+
We use GitHub Dependabot to:
|
|
173
|
+
- Monitor dependencies for vulnerabilities
|
|
174
|
+
- Automatically open PRs for security updates
|
|
175
|
+
- Keep dependencies up-to-date
|
|
176
|
+
|
|
177
|
+
---
|
|
178
|
+
|
|
179
|
+
## Disclosure Policy
|
|
180
|
+
|
|
181
|
+
### Responsible Disclosure
|
|
182
|
+
We follow responsible disclosure practices:
|
|
183
|
+
1. Report received
|
|
184
|
+
2. Vulnerability confirmed (or rejected)
|
|
185
|
+
3. Fix developed privately
|
|
186
|
+
4. Patch released
|
|
187
|
+
5. Public disclosure after users have time to update
|
|
188
|
+
|
|
189
|
+
### Public Disclosure Timeline
|
|
190
|
+
- **Day 0**: Vulnerability reported
|
|
191
|
+
- **Day 7**: Status update provided
|
|
192
|
+
- **Day 14**: Patch released (if vulnerability confirmed)
|
|
193
|
+
- **Day 21**: Public disclosure (CVE filed, advisory published)
|
|
194
|
+
|
|
195
|
+
This gives users 7 days to update before public disclosure.
|
|
196
|
+
|
|
197
|
+
---
|
|
198
|
+
|
|
199
|
+
## Security Updates
|
|
200
|
+
|
|
201
|
+
### How to Stay Informed
|
|
202
|
+
|
|
203
|
+
1. **Watch the Repository**
|
|
204
|
+
- Enable "Releases only" notifications
|
|
205
|
+
- Security patches are tagged with [SECURITY] prefix
|
|
206
|
+
|
|
207
|
+
2. **npm Advisories**
|
|
208
|
+
- Run `npm audit` regularly
|
|
209
|
+
- Subscribe to npm security alerts
|
|
210
|
+
|
|
211
|
+
3. **GitHub Security Advisories**
|
|
212
|
+
- Follow the repository
|
|
213
|
+
- Enable security alert notifications
|
|
214
|
+
|
|
215
|
+
### Update Process
|
|
216
|
+
|
|
217
|
+
For security updates:
|
|
218
|
+
```bash
|
|
219
|
+
# Check for updates
|
|
220
|
+
npm outdated sparn
|
|
221
|
+
|
|
222
|
+
# Update to latest patch
|
|
223
|
+
npm update sparn
|
|
224
|
+
|
|
225
|
+
# Update to latest minor/major (review changelog first)
|
|
226
|
+
npm install sparn@latest
|
|
227
|
+
|
|
228
|
+
# Verify update
|
|
229
|
+
sparn --version
|
|
230
|
+
```
|
|
231
|
+
|
|
232
|
+
---
|
|
233
|
+
|
|
234
|
+
## Contact
|
|
235
|
+
|
|
236
|
+
For security-related questions (non-vulnerabilities):
|
|
237
|
+
- Open a discussion: https://github.com/ulrichc1/sparn/discussions
|
|
238
|
+
- Tag with `security` label
|
|
239
|
+
|
|
240
|
+
For security vulnerabilities:
|
|
241
|
+
- Use GitHub Security Advisories (preferred)
|
|
242
|
+
- Or email (to be added)
|
|
243
|
+
|
|
244
|
+
---
|
|
245
|
+
|
|
246
|
+
**Last Updated**: 2026-02-22
|
|
247
|
+
**Policy Version**: 1.0
|