create-brainerce-store 1.27.6 → 1.28.1

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "create-brainerce-store",
-      version: "1.27.6",
+      version: "1.28.1",
       description: "Scaffold a production-ready e-commerce storefront connected to Brainerce",
       bin: {
         "create-brainerce-store": "dist/index.js"
@@ -96,6 +96,9 @@ function validateConnectionId(id) {
   if (id.length < 6) {
     return "Connection ID is too short";
   }
+  if (id.length > 100) {
+    return "Connection ID is too long (max 100 characters)";
+  }
   if (!/^vc_[a-zA-Z0-9]+$/.test(id)) {
     return "Connection ID contains invalid characters";
   }
@@ -119,6 +122,23 @@ function validateProjectName(name) {
   }
   return null;
 }
+function validateApiUrl(url) {
+  if (!url) return null;
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch {
+    return `Invalid --api-url "${url}": not a valid URL`;
+  }
+  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+    return `Invalid --api-url "${url}": protocol must be http(s)`;
+  }
+  const isLocal = parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname.endsWith(".localhost");
+  if (parsed.protocol === "http:" && !isLocal) {
+    return `Invalid --api-url "${url}": http:// is only allowed for localhost`;
+  }
+  return null;
+}
 
 // src/utils/package-manager.ts
 var import_child_process = require("child_process");
@@ -138,20 +158,34 @@ function detectPackageManager() {
   }
   return "npm";
 }
+var ALLOWED_PACKAGE_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
 async function installDependencies(projectDir, pkgManager) {
+  if (!ALLOWED_PACKAGE_MANAGERS.includes(pkgManager)) {
+    throw new Error(`Unsupported package manager: ${pkgManager}`);
+  }
   return new Promise((resolve, reject) => {
-    const { spawn } = require("child_process");
+    const isWindows = process.platform === "win32";
     const args = pkgManager === "yarn" ? [] : ["install"];
-    const child = spawn(pkgManager, args, {
+    const child = (0, import_child_process.spawn)(pkgManager, args, {
       cwd: projectDir,
-      stdio: "ignore",
-      shell: true
+      stdio: ["ignore", "ignore", "pipe"],
+      shell: isWindows
+    });
+    let stderrBuf = "";
+    child.stderr?.on("data", (chunk) => {
+      stderrBuf += chunk.toString();
+      if (stderrBuf.length > 8192) {
+        stderrBuf = stderrBuf.slice(-8192);
+      }
     });
     child.on("close", (code) => {
       if (code === 0) {
         resolve();
       } else {
-        reject(new Error(`${pkgManager} install exited with code ${code}`));
+        const tail = stderrBuf.trim();
+        const detail = tail ? `
+${tail}` : "";
+        reject(new Error(`${pkgManager} install exited with code ${code}${detail}`));
       }
     });
     child.on("error", (err) => {
@@ -267,6 +301,19 @@ var import_ejs = __toESM(require("ejs"));
 function getDirection(language) {
   return language === "he" ? "rtl" : "ltr";
 }
+function stripControlChars(value) {
+  return value.replace(/\p{Cc}/gu, "");
+}
+function toJsStringLiteral(value) {
+  return JSON.stringify(value);
+}
+function toEnvLiteral(value) {
+  const clean = stripControlChars(value).replace(/\\/g, "\\\\").replace(/"/g, '\\"').replace(/\$/g, "\\$");
+  return `"${clean}"`;
+}
+function isValidLocale(locale) {
+  return typeof locale === "string" && /^[a-zA-Z]{2,3}(-[a-zA-Z0-9]{2,8})?$/.test(locale);
+}
 function getFontConfig(language, theme) {
   const isHebrew = language === "he";
   if (theme === "luxury") {
@@ -312,20 +359,30 @@ async function scaffold(options) {
   const direction = getDirection(options.language);
   const fontConfig = getFontConfig(options.language, theme);
   const ogLocale = options.language === "he" ? "he_IL" : "en_US";
-  const isMultiLocale = options.i18n?.enabled === true && options.i18n.supportedLocales.length > 1;
-  const supportedLocales = options.i18n?.supportedLocales || [options.language];
-  const defaultLocale = options.i18n?.defaultLocale || options.language;
+  const rawSupportedLocales = options.i18n?.supportedLocales || [options.language];
+  const supportedLocales = rawSupportedLocales.filter(isValidLocale);
+  if (supportedLocales.length === 0) {
+    throw new Error("No valid locales provided");
+  }
+  const rawDefaultLocale = options.i18n?.defaultLocale || options.language;
+  const defaultLocale = isValidLocale(rawDefaultLocale) ? rawDefaultLocale : options.language;
+  const isMultiLocale = options.i18n?.enabled === true && supportedLocales.length > 1;
+  const cleanStoreName = stripControlChars(options.storeName);
+  const cleanCurrency = stripControlChars(options.currency);
+  const cleanApiBaseUrl = stripControlChars(options.apiBaseUrl || "https://api.brainerce.com");
   const templateVars = {
     projectName: options.projectName,
     connectionId: options.connectionId,
-    storeName: options.storeName,
-    currency: options.currency,
+    storeNameJs: toJsStringLiteral(cleanStoreName),
+    titleTemplateJs: toJsStringLiteral(`%s | ${cleanStoreName}`),
+    storeNameEnv: toEnvLiteral(cleanStoreName),
+    currencyEnv: toEnvLiteral(cleanCurrency),
+    apiBaseUrlEnv: toEnvLiteral(cleanApiBaseUrl),
     language: options.language,
     direction,
     fontImport: fontConfig.fontImport,
     fontVariable: fontConfig.fontVariable,
     ogLocale,
-    apiBaseUrl: options.apiBaseUrl || "https://api.brainerce.com",
     i18nEnabled: isMultiLocale,
     supportedLocales: JSON.stringify(supportedLocales),
     defaultLocale
@@ -588,11 +645,47 @@ program.name("create-brainerce-store").description("Scaffold a production-ready
     }
     let connectionId = options.connectionId;
     const explicitApiUrl = (options.apiUrl || process.env.BRAINERCE_API_URL || "").replace(/\/$/, "");
+    const apiUrlError = validateApiUrl(explicitApiUrl);
+    if (apiUrlError) {
+      logger.error(apiUrlError);
+      process.exit(1);
+    }
+    if (explicitApiUrl && explicitApiUrl !== KNOWN_API_URLS.production && explicitApiUrl !== KNOWN_API_URLS.staging) {
+      logger.warn(
+        `Using non-standard API URL: ${explicitApiUrl} \u2014 make sure you trust this endpoint.`
+      );
+    }
     const candidateApiUrls = explicitApiUrl ? [explicitApiUrl] : [KNOWN_API_URLS.production, KNOWN_API_URLS.staging];
+    const VALID_LANGUAGES = ["en", "he"];
+    const VALID_PKG_MANAGERS = ["npm", "pnpm", "yarn", "bun"];
+    const VALID_FRAMEWORKS = ["nextjs"];
+    const VALID_THEMES = ["minimal", "luxury", "playful"];
     let language = options.language;
+    if (language && !VALID_LANGUAGES.includes(language)) {
+      logger.error(
+        `Invalid --language "${language}". Expected one of: ${VALID_LANGUAGES.join(", ")}`
+      );
+      process.exit(1);
+    }
     let framework = options.framework;
+    if (!VALID_FRAMEWORKS.includes(framework)) {
+      logger.error(
+        `Invalid --framework "${framework}". Expected one of: ${VALID_FRAMEWORKS.join(", ")}`
+      );
+      process.exit(1);
+    }
     let theme = options.theme;
+    if (!VALID_THEMES.includes(theme)) {
+      logger.error(`Invalid --theme "${theme}". Expected one of: ${VALID_THEMES.join(", ")}`);
+      process.exit(1);
+    }
     let pkgManager = options.pkgManager;
+    if (pkgManager && !VALID_PKG_MANAGERS.includes(pkgManager)) {
+      logger.error(
+        `Invalid --pkg-manager "${pkgManager}". Expected one of: ${VALID_PKG_MANAGERS.join(", ")}`
+      );
+      process.exit(1);
+    }
     const skipGit = options.git === false;
     const skipInstall = options.install === false;
     let storeInfo = null;
@@ -703,17 +796,21 @@ program.name("create-brainerce-store").description("Scaffold a production-ready
       const gitSpinner = createSpinner("Initializing git...");
       gitSpinner.start();
       try {
-        const { execSync: execSync2 } = require("child_process");
+        const { execFileSync } = require("child_process");
         const cwd = scaffoldInPlace ? "." : projectName;
-        execSync2("git init", { cwd, stdio: "ignore" });
-        execSync2("git add -A", { cwd, stdio: "ignore" });
-        execSync2('git commit -m "Initial commit from create-brainerce-store"', {
-          cwd,
-          stdio: "ignore"
-        });
+        const gitOpts = { cwd, stdio: ["ignore", "ignore", "pipe"] };
+        execFileSync("git", ["init"], gitOpts);
+        execFileSync("git", ["add", "-A"], gitOpts);
+        execFileSync(
+          "git",
+          ["commit", "-m", "Initial commit from create-brainerce-store"],
+          gitOpts
+        );
         gitSpinner.succeed("Git initialized");
-      } catch {
-        gitSpinner.fail("Git initialization failed (git may not be installed)");
+      } catch (err) {
+        gitSpinner.fail("Git initialization failed");
+        const detail = err && typeof err === "object" && "stderr" in err ? String(err.stderr).trim() : err instanceof Error ? err.message : "";
+        if (detail) logger.warn(detail);
       }
     }
     if (!skipInstall) {
@@ -722,8 +819,9 @@ program.name("create-brainerce-store").description("Scaffold a production-ready
       try {
         await installDependencies(scaffoldInPlace ? "." : projectName, pkgManager);
         installSpinner.succeed("Dependencies installed");
-      } catch {
+      } catch (err) {
         installSpinner.fail("Dependency installation failed");
+        if (err instanceof Error && err.message) logger.warn(err.message);
         logger.warn(
           scaffoldInPlace ? `Run \`${pkgManager} install\` manually.` : `Run \`cd ${projectName} && ${pkgManager} install\` manually.`
         );