create-brainerce-store 1.27.6 → 1.28.0

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "create-brainerce-store",
-      version: "1.27.6",
+      version: "1.28.0",
       description: "Scaffold a production-ready e-commerce storefront connected to Brainerce",
       bin: {
         "create-brainerce-store": "dist/index.js"
@@ -96,6 +96,9 @@ function validateConnectionId(id) {
   if (id.length < 6) {
     return "Connection ID is too short";
   }
+  if (id.length > 100) {
+    return "Connection ID is too long (max 100 characters)";
+  }
   if (!/^vc_[a-zA-Z0-9]+$/.test(id)) {
     return "Connection ID contains invalid characters";
   }
@@ -119,6 +122,23 @@ function validateProjectName(name) {
   }
   return null;
 }
+function validateApiUrl(url) {
+  if (!url) return null;
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return `Invalid --api-url "${url}": not a valid URL`;
+  }
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    return `Invalid --api-url "${url}": protocol must be http(s)`;
+  }
+  const isLocal = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname.endsWith(".localhost");
+  if (parsed.protocol === "http:" && !isLocal) {
+    return `Invalid --api-url "${url}": http:// is only allowed for localhost`;
+  }
+  return null;
+}
 
 // src/utils/package-manager.ts
 var import_child_process = require("child_process");
@@ -138,14 +158,17 @@ function detectPackageManager() {
   }
   return "npm";
 }
+var ALLOWED_PACKAGE_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
 async function installDependencies(projectDir, pkgManager) {
+  if (!ALLOWED_PACKAGE_MANAGERS.includes(pkgManager)) {
+    throw new Error(`Unsupported package manager: ${pkgManager}`);
+  }
   return new Promise((resolve, reject) => {
-    const { spawn } = require("child_process");
+    const cmd = process.platform === "win32" ? `${pkgManager}.cmd` : pkgManager;
     const args = pkgManager === "yarn" ? [] : ["install"];
-    const child = spawn(pkgManager, args, {
+    const child = (0, import_child_process.spawn)(cmd, args, {
       cwd: projectDir,
-      stdio: "ignore",
-      shell: true
+      stdio: "ignore"
     });
     child.on("close", (code) => {
       if (code === 0) {
@@ -267,6 +290,19 @@ var import_ejs = __toESM(require("ejs"));
 function getDirection(language) {
   return language === "he" ? "rtl" : "ltr";
 }
+function stripControlChars(value) {
+  return value.replace(/\p{Cc}/gu, "");
+}
+function toJsStringLiteral(value) {
+  return JSON.stringify(value);
+}
+function toEnvLiteral(value) {
+  const clean = stripControlChars(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\$/g, "\\$");
+  return `"${clean}"`;
+}
+function isValidLocale(locale) {
+  return typeof locale === "string" && /^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})?$/.test(locale);
+}
 function getFontConfig(language, theme) {
   const isHebrew = language === "he";
   if (theme === "luxury") {
@@ -312,20 +348,30 @@ async function scaffold(options) {
   const direction = getDirection(options.language);
   const fontConfig = getFontConfig(options.language, theme);
   const ogLocale = options.language === "he" ? "he_IL" : "en_US";
-  const isMultiLocale = options.i18n?.enabled === true && options.i18n.supportedLocales.length > 1;
-  const supportedLocales = options.i18n?.supportedLocales || [options.language];
-  const defaultLocale = options.i18n?.defaultLocale || options.language;
+  const rawSupportedLocales = options.i18n?.supportedLocales || [options.language];
+  const supportedLocales = rawSupportedLocales.filter(isValidLocale);
+  if (supportedLocales.length === 0) {
+    throw new Error("No valid locales provided");
+  }
+  const rawDefaultLocale = options.i18n?.defaultLocale || options.language;
+  const defaultLocale = isValidLocale(rawDefaultLocale) ? rawDefaultLocale : options.language;
+  const isMultiLocale = options.i18n?.enabled === true && supportedLocales.length > 1;
+  const cleanStoreName = stripControlChars(options.storeName);
+  const cleanCurrency = stripControlChars(options.currency);
+  const cleanApiBaseUrl = stripControlChars(options.apiBaseUrl || "https://api.brainerce.com");
   const templateVars = {
     projectName: options.projectName,
     connectionId: options.connectionId,
-    storeName: options.storeName,
-    currency: options.currency,
+    storeNameJs: toJsStringLiteral(cleanStoreName),
+    titleTemplateJs: toJsStringLiteral(`%s | ${cleanStoreName}`),
+    storeNameEnv: toEnvLiteral(cleanStoreName),
+    currencyEnv: toEnvLiteral(cleanCurrency),
+    apiBaseUrlEnv: toEnvLiteral(cleanApiBaseUrl),
     language: options.language,
     direction,
     fontImport: fontConfig.fontImport,
     fontVariable: fontConfig.fontVariable,
     ogLocale,
-    apiBaseUrl: options.apiBaseUrl || "https://api.brainerce.com",
     i18nEnabled: isMultiLocale,
     supportedLocales: JSON.stringify(supportedLocales),
     defaultLocale
@@ -588,11 +634,47 @@ program.name("create-brainerce-store").description("Scaffold a production-ready
     }
     let connectionId = options.connectionId;
     const explicitApiUrl = (options.apiUrl || process.env.BRAINERCE_API_URL || "").replace(/\/$/, "");
+    const apiUrlError = validateApiUrl(explicitApiUrl);
+    if (apiUrlError) {
+      logger.error(apiUrlError);
+      process.exit(1);
+    }
+    if (explicitApiUrl && explicitApiUrl !== KNOWN_API_URLS.production && explicitApiUrl !== KNOWN_API_URLS.staging) {
+      logger.warn(
+        `Using non-standard API URL: ${explicitApiUrl} \u2014 make sure you trust this endpoint.`
+      );
+    }
     const candidateApiUrls = explicitApiUrl ? [explicitApiUrl] : [KNOWN_API_URLS.production, KNOWN_API_URLS.staging];
+    const VALID_LANGUAGES = ["en", "he"];
+    const VALID_PKG_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
+    const VALID_FRAMEWORKS = ["nextjs"];
+    const VALID_THEMES = ["minimal", "luxury", "playful"];
     let language = options.language;
+    if (language && !VALID_LANGUAGES.includes(language)) {
+      logger.error(
+        `Invalid --language "${language}". Expected one of: ${VALID_LANGUAGES.join(", ")}`
+      );
+      process.exit(1);
+    }
     let framework = options.framework;
+    if (!VALID_FRAMEWORKS.includes(framework)) {
+      logger.error(
+        `Invalid --framework "${framework}". Expected one of: ${VALID_FRAMEWORKS.join(", ")}`
+      );
+      process.exit(1);
+    }
     let theme = options.theme;
+    if (!VALID_THEMES.includes(theme)) {
+      logger.error(`Invalid --theme "${theme}". Expected one of: ${VALID_THEMES.join(", ")}`);
+      process.exit(1);
+    }
     let pkgManager = options.pkgManager;
+    if (pkgManager && !VALID_PKG_MANAGERS.includes(pkgManager)) {
+      logger.error(
+        `Invalid --pkg-manager "${pkgManager}". Expected one of: ${VALID_PKG_MANAGERS.join(", ")}`
+      );
+      process.exit(1);
+    }
     const skipGit = options.git === false;
     const skipInstall = options.install === false;
     let storeInfo = null;