codymaster 4.1.1 → 4.1.2

package/CHANGELOG.md

@@ -4,6 +4,22 @@ All notable changes to this project will be documented in this file.
 
 Categories: 🚀 **Improvements** | 🐛 **Bug Fixes**
 
+## [4.1.1] - 2026-03-24
+
+### 🚀 Improvements
+- Documentation Changelog Integration — automated changelog generation added to VitePress docs
+- Setup NPM Publishing — configured package for npmjs.com publishing
+- CLI Interface Redesign — premium mobile-optimized ASCII art banner
+- Parallel Coding Page — added visual comparison and full i18n support
+- Open Source Docs — added section acknowledging referenced GitHub repositories
+
+### 🐛 Bug Fixes
+- Security Vulnerability Remediation — resolved Snyk Code findings including DOM XSS and Path Traversal
+- Fixed 401 Unauthorized authentication error for `/cm:cm-start` command
+
+---
+
+
 ## [4.1.0] - 2026-03-23
 
 ### 🚀 Improvements

package/dist/dashboard.js

@@ -17,7 +17,8 @@ const skill_chain_1 = require("./skill-chain");
 // ─── Dashboard Server ───────────────────────────────────────────────────────
 function launchDashboard(port = data_1.DEFAULT_PORT, silent = false) {
     const app = (0, express_1.default)();
-    app.use(express_1.default.json());
+    app.disable('x-powered-by');
+    app.use(express_1.default.json({ limit: '1mb' }));
     const publicDir = path_1.default.join(__dirname, '..', 'public', 'dashboard');
     app.use(express_1.default.static(publicDir));
     // ─── Project API ────────────────────────────────────────────────────────

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codymaster",
-  "version": "4.1.1",
+  "version": "4.1.2",
   "description": "34 Skills. Ship 10x faster. AI-powered coding skill kit for Claude, Cursor, Gemini & more.",
   "main": "dist/index.js",
   "repository": {
@@ -75,4 +75,4 @@
     "typescript": "^5.9.3",
     "vitest": "^4.1.0"
   }
-}
+}

package/skills/cm-code-review/SKILL.md

@@ -119,6 +119,33 @@ When implementation is complete and all tests pass.
 
 ---
 
+## Part D: Security Review Checklist (Learned: March 2026)
+
+> **Every code review MUST include a security pass.** Check these patterns:
+
+### Frontend
+- [ ] No `innerHTML` with unescaped dynamic data
+- [ ] `sanitize.js` loaded before any JS that uses `innerHTML`
+- [ ] URLs from params validated against allowlist
+- [ ] No `eval()`, `new Function()`, or `document.write()` with user data
+
+### Backend (Python)
+- [ ] All file paths from config/input use `safe_resolve(base, path)`
+- [ ] No `subprocess.run(..., shell=True)` with dynamic args
+- [ ] No `open(user_input)` without path validation
+
+### Backend (Node/Express)
+- [ ] `app.disable('x-powered-by')` set
+- [ ] Body size limits configured
+- [ ] No `Object.assign(config, userInput)` (prototype pollution)
+- [ ] API error responses don't leak stack traces
+
+### General
+- [ ] No secrets/API keys in committed code
+- [ ] `.snyk` exclusions documented with mitigation rationale
+
+---
+
 ### Step FINAL: Record Review Learnings
 
 After processing review feedback, ALWAYS update `.cm/CONTINUITY.md`:

package/skills/cm-execution/SKILL.md

@@ -245,6 +245,44 @@ After EVERY phase, you MUST:
 
 ---
 
+## Security Rules (Learned: March 2026)
+
+> **Code that touches files, subprocesses, or the DOM MUST follow these rules. No exceptions.**
+
+### Frontend — DOM Safety
+
+| Pattern | Risk | Fix |
+|---------|------|-----|
+| `innerHTML = \`...\${data}...\`` | DOM XSS | `innerHTML = \`...\${esc(data)}...\`` |
+| `innerHTML = variable` | DOM XSS | `textContent = variable` |
+| `eval(input)` / `new Function(input)` | Code injection | Avoid entirely |
+| `document.write(data)` | DOM XSS | Use DOM API |
+| `el.setAttribute('on*', data)` | Event injection | `el.addEventListener()` |
+
+**Always:** Escape before innerHTML, prefer `textContent`, validate URLs via allowlist.
+
+### Backend — Python
+
+| Pattern | Risk | Fix |
+|---------|------|-----|
+| `Path(user_input) / "file"` | Path Traversal | `safe_resolve(base, user_input)` |
+| `subprocess.run(f"cmd {arg}", shell=True)` | Command Injection | `subprocess.run(["cmd", arg])` |
+| `open(config["path"])` | Path Traversal | `safe_open(base, config["path"])` |
+| `json.load()` → paths unvalidated | Path Traversal | Validate ALL paths from config via `safe_resolve()` |
+
+**Always:** Import `safe_path`, validate EVERY path from CLI/config/API against a base directory.
+
+### Backend — Express/Node
+
+| Pattern | Risk | Fix |
+|---------|------|-----|
+| Missing `app.disable('x-powered-by')` | Info leak | Add after `express()` |
+| No body size limit | DoS | `express.json({ limit: '1mb' })` |
+| `path.resolve(userInput)` without validation | Path Traversal | Check null bytes + `relative_to(baseDir)` |
+| `Object.assign(config, userInput)` | Prototype Pollution | Filter `__proto__`, `constructor` keys |
+
+
+
 ## Integration
 
 | Skill | When |

package/skills/cm-planning/SKILL.md

@@ -35,6 +35,10 @@ description: "You MUST use this before any creative work or multi-step task. Exp
     -   Must-haves vs nice-to-haves
     -   Edge cases to handle
     -   Edge cases to explicitly NOT handle
+    -   **Security (if frontend):** How will dynamic data be rendered?
+        - `textContent` (preferred) or `innerHTML` with `escapeHtml()`?
+        - Is `sanitize.js` loaded in all affected HTML pages?
+        - Are URLs/params validated against allowlists?
 
 4.  **Skill Coverage Audit** — Do I have the right skills?
     -   List all technologies/frameworks/tools referenced in the scope

package/skills/cm-project-bootstrap/SKILL.md

@@ -46,12 +46,18 @@ description: Use when starting any new project from scratch. Asks for project id
 
 ## Phase 0.5: Security Foundation 🛡️
 
-> Calls `cm-secret-shield` for setup.
+> Calls `cm-secret-shield` for setup + adds code-level security utilities.
 
 1. Create `.gitleaks.toml` with Supabase + generic high-entropy rules
 2. Setup pre-commit hook (`.git/hooks/pre-commit`) — scans staged files
 3. Add `security:scan` script to `package.json`
 4. Create `.dev.vars.example` template (committed). `.dev.vars` = real secrets (gitignored)
+5. **[NEW] Security Utilities (Learned: March 2026):**
+   - **Python projects:** Copy `safe_path.py` to `scripts/` — provides `safe_resolve()`, `safe_join()`, `safe_open()` for path traversal prevention
+   - **JS/TS frontend:** Add `esc()` function to sanitize HTML — prevent DOM XSS
+   - **Express apps:** Add `app.disable('x-powered-by')` + `express.json({ limit: '1mb' })`
+   - **Create `.snyk`** policy file for managing false positives
+   - **Rule:** ALL paths from CLI/config/API → `safe_resolve()`. ALL innerHTML → `esc()`. No exceptions.
 
 ## Phase 1: Project Type Detection 🔍
 

package/skills/cm-quality-gate/SKILL.md

@@ -133,6 +133,32 @@ Setting up or enhancing test suites for projects with frontend JavaScript/TypeSc
 | 5. Corruption Patterns | Known bad patterns (empty functions, truncation) | Required |
 | 6. Import/Export | Module references resolve | Recommended |
 | 7. CSS Validation | CSS files parse correctly | Recommended |
+| 8. XSS/Injection Safety | No unescaped innerHTML with dynamic data | **CRITICAL** |
+
+### Layer 8: XSS/Injection Safety (Learned: March 2026)
+
+```javascript
+import { execSync } from 'child_process';
+
+test('no unescaped innerHTML with dynamic data', () => {
+  // Scan all JS files for innerHTML with template literals NOT using escape
+  const result = execSync(
+    `grep -rn 'innerHTML.*\\\${' public/js/*.js | grep -v 'esc\\|SecurityUtils' || true`,
+    { encoding: 'utf-8' }
+  );
+  expect(result.trim()).toBe(''); // Must be empty = all escaped
+});
+
+test('sanitize.js loaded in all HTML pages', () => {
+  const htmlFiles = execSync('ls public/*.html', { encoding: 'utf-8' }).trim().split('\n');
+  for (const file of htmlFiles) {
+    const content = fs.readFileSync(file, 'utf-8');
+    if (content.includes('kit.js')) {
+      expect(content).toContain('sanitize.js'); // Must load before kit.js
+    }
+  }
+});
+```
 
 ### Setup
 
@@ -205,6 +231,32 @@ After all gates execute, output a numeric quality score:
 
 ---
 
+### Gate 6: Security Scan (Snyk Code) (Added: March 2026)
+
+> Run SAST scan to catch path traversal, XSS, injection, and other vulnerabilities BEFORE deploy.
+
+```bash
+# If snyk CLI installed:
+snyk code test --severity-threshold=high
+
+# Gate decision:
+# 0 HIGH findings → proceed
+# Any HIGH findings → STOP. Fix before deploy.
+# MEDIUM findings → review, add to .snyk if mitigated
+```
+
+**When findings are false positives:**
+1. Verify the mitigation is real (e.g., `safe_resolve()` for path traversal, `esc()` for XSS)
+2. Add to `.snyk` exclude with documentation explaining the mitigation
+3. Never suppress without documenting WHY
+
+**Scoring:**
+| Component | Max | How to Score |
+|-----------|-----|-------------|
+| Security Scan | 10 | 10 = 0 HIGH, −5 per HIGH, −1 per unreviewed MEDIUM |
+
+---
+
 ## Integration
 | Skill | Relationship |
 |-------|-------------|

package/skills/cm-tdd/SKILL.md

@@ -360,6 +360,44 @@ Bug found? Write failing test reproducing it. Follow TDD cycle. Test proves fix
 
 Never fix bugs without a test.
 
+## Security TDD (Learned: March 2026)
+
+> **Security bugs get tests too.** Every XSS, path traversal, or injection fix starts with a failing test.
+
+### Example: XSS Prevention
+
+**RED**
+```javascript
+test('escapeHtml prevents script injection', () => {
+  const malicious = '<script>alert("xss")</script>';
+  const result = escapeHtml(malicious);
+  expect(result).not.toContain('<script>');
+  expect(result).toContain('&lt;script&gt;');
+});
+
+test('no unescaped innerHTML with dynamic data in JS files', () => {
+  const result = execSync(
+    `grep -rn 'innerHTML.*\\\${' public/js/*.js | grep -v 'esc\\|SecurityUtils' || true`,
+    { encoding: 'utf-8' }
+  );
+  expect(result.trim()).toBe('');
+});
+```
+
+### Example: Path Traversal Prevention
+
+**RED**
+```python
+def test_safe_resolve_blocks_traversal():
+    with pytest.raises(ValueError, match="Path traversal detected"):
+        safe_resolve("/app/data", "../../etc/passwd")
+```
+
+### Rule
+- **Every security fix = failing test first**
+- Test the ATTACK, not just the happy path
+- Security regression tests are permanent — never delete
+
 ## Final Rule
 
 ```