create-claude-cabinet 0.29.11 → 0.29.13

package/lib/site-audit-setup.js

@@ -120,6 +120,17 @@ function extractAndInstall(versionDir, tarballPath, results) {
     results.push('  ⚠ browser-driver-manager install failed — axe-core will be unavailable');
   }
 
+  // MDN Observatory needs postinstall data files (HSTS preload list, TLD list)
+  const obsDir = path.join(pkgDir, 'node_modules', '@mdn', 'mdn-http-observatory');
+  if (fs.existsSync(obsDir)) {
+    try {
+      execSync('node src/retrieve-hsts.js && node src/retrieve-tld-list.js', { cwd: obsDir, encoding: 'utf8', timeout: 60_000 });
+      results.push('  Initialized MDN Observatory data files');
+    } catch {
+      results.push('  ⚠ MDN Observatory postinstall failed — observatory may be unavailable');
+    }
+  }
+
   const binDir = path.join(versionDir, 'bin');
   fs.mkdirSync(binDir, { recursive: true });
   const binSrc = path.join(pkgDir, 'bin', 'cc-site-audit');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "create-claude-cabinet",
-  "version": "0.29.11",
+  "version": "0.29.13",
   "description": "Claude Cabinet — opinionated process scaffolding for Claude Code projects",
   "bin": {
     "create-claude-cabinet": "bin/create-claude-cabinet.js"

package/templates/site-audit-runtime/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@claude-cabinet/site-audit",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Comprehensive deployed-site quality audit engine for Claude Cabinet. Runs checks across performance, accessibility, security, SEO, content, DNS, and privacy against a deployed URL; single-site and comparison modes; standalone HTML report.",
   "type": "module",
   "bin": {

package/templates/site-audit-runtime/src/checks/nuclei.mjs

@@ -12,7 +12,10 @@ export const defaultTimeoutMs = 300_000;
 export async function detect(executor) {
   try {
     const r = await executor.spawn('nuclei', ['-version'], { timeoutMs: 10_000 });
-    return r.code === 0;
+    if (r.code !== 0) return false;
+    // Ensure templates are downloaded (nuclei 3.x ships without them)
+    await executor.spawn('nuclei', ['-update-templates'], { timeoutMs: 60_000 });
+    return true;
   } catch {
     return false;
   }

package/templates/site-audit-runtime/src/checks/observatory.mjs

@@ -14,31 +14,74 @@ export async function run(url, executor) {
 
 const GRADE_SCORES = { 'A+': 100, 'A': 95, 'A-': 90, 'B+': 85, 'B': 80, 'B-': 75, 'C+': 70, 'C': 65, 'C-': 60, 'D+': 55, 'D': 50, 'D-': 45, 'F': 20 };
 
+const TEST_LABELS = {
+  'content-security-policy': 'Content Security Policy',
+  'cookies': 'Cookies',
+  'cross-origin-resource-sharing': 'CORS',
+  'redirection': 'HTTP Redirection',
+  'referrer-policy': 'Referrer Policy',
+  'strict-transport-security': 'Strict Transport Security',
+  'subresource-integrity': 'Subresource Integrity',
+  'x-content-type-options': 'X-Content-Type-Options',
+  'x-frame-options': 'X-Frame-Options',
+  'cross-origin-resource-policy': 'Cross-Origin Resource Policy',
+};
+
 export function normalize(raw, durationMs) {
   if (raw.code !== 0 && !raw.stdout) {
-    return { checkId, tool, status: 'error', score: null, grade: null, severity: null, findings: [], durationMs, reason: raw.stderr || 'observatory failed' };
+    return { checkId, tool, status: 'error', score: null, grade: null, severity: null, findings: [], durationMs, reason: raw.stderr?.slice(0, 200) || 'observatory failed' };
+  }
+
+  const text = (raw.stdout || '').trim();
+
+  // Try JSON parse first (mdn-http-observatory outputs JSON)
+  const jsonStart = text.indexOf('{');
+  if (jsonStart >= 0) {
+    try {
+      const data = JSON.parse(text.slice(jsonStart));
+      const scan = data.scan || {};
+      const tests = data.tests || {};
+      const grade = scan.grade || null;
+      const score = typeof scan.score === 'number' ? Math.min(100, scan.score) : (grade ? (GRADE_SCORES[grade] ?? null) : null);
+
+      const findings = [];
+      for (const [testId, test] of Object.entries(tests)) {
+        if (!test.pass) {
+          const label = TEST_LABELS[testId] || testId;
+          const severity = (test.scoreModifier != null && test.scoreModifier <= -20) ? 'serious' : 'moderate';
+          findings.push({
+            severity,
+            message: `${label}: ${test.result || 'failed'}`,
+            context: test.scoreModifier != null ? `Score impact: ${test.scoreModifier}` : undefined,
+          });
+        }
+      }
+
+      const isPass = grade && /^[A-B]/.test(grade);
+      const passed = Object.values(tests).filter(t => t.pass).length;
+      const total = Object.keys(tests).length;
+      const passSummary = isPass
+        ? `Observatory grade ${grade} (score: ${score}/100, ${passed}/${total} tests passed)`
+        : undefined;
+
+      return {
+        checkId, tool, status: isPass ? 'pass' : 'fail',
+        score, grade, severity: findings.length ? findings[0].severity : null,
+        findings, durationMs,
+        ...(passSummary && { passSummary }),
+      };
+    } catch { /* fall through to text parsing */ }
   }
 
-  const text = raw.stdout || '';
+  // Fallback: text parsing
   const gradeMatch = text.match(/Grade:\s*([A-F][+-]?)/i);
   const scoreMatch = text.match(/Score:\s*(\d+)/i);
   const grade = gradeMatch ? gradeMatch[1] : null;
   const score = scoreMatch ? Math.min(100, Number(scoreMatch[1])) : (grade ? (GRADE_SCORES[grade] ?? null) : null);
-
-  const findings = [];
-  const failLines = text.split('\n').filter(l => /fail|warn|not implemented/i.test(l));
-  for (const line of failLines.slice(0, 20)) {
-    findings.push({ severity: 'moderate', message: line.trim() });
-  }
-
   const isPass = grade && /^[A-B]/.test(grade);
-  const passSummary = isPass
-    ? `Observatory grade ${grade}${score != null ? ` (score: ${score}/100)` : ''}`
-    : undefined;
 
   return {
     checkId, tool, status: isPass ? 'pass' : 'fail',
-    score, grade, severity: findings.length ? 'moderate' : null, findings, durationMs,
-    ...(passSummary && { passSummary }),
+    score, grade, severity: null, findings: [], durationMs,
   };
 }

package/templates/site-audit-runtime/tests/fixtures/observatory.json

@@ -1,10 +1 @@
-Grade: B+
-Score: 85
-Tests passed: 8/11
-content-security-policy: PASS
-strict-transport-security: PASS
-x-content-type-options: PASS
-x-frame-options: FAIL - not implemented
-referrer-policy: PASS
-subresource-integrity: FAIL - not implemented
-cookies: WARN - SameSite not set
+{"scan":{"grade":"B+","score":85,"testsFailed":2,"testsPassed":8,"testsQuantity":10},"tests":{"content-security-policy":{"pass":true,"result":"csp-implemented","scoreModifier":0},"strict-transport-security":{"pass":true,"result":"hsts-implemented","scoreModifier":0},"x-content-type-options":{"pass":true,"result":"x-content-type-options-nosniff","scoreModifier":0},"x-frame-options":{"pass":false,"result":"x-frame-options-not-implemented","scoreModifier":-20},"referrer-policy":{"pass":true,"result":"referrer-policy-private","scoreModifier":0},"subresource-integrity":{"pass":false,"result":"sri-not-implemented","scoreModifier":-5},"cookies":{"pass":true,"result":"cookies-secure","scoreModifier":0}}}

package/templates/skills/onboard/phases/generate-session-loop.md

@@ -19,7 +19,7 @@ this project needs something different from the default.
 
 **`orient/phases/context.md`** — Point at the briefing files generated in
 the previous phase. At minimum:
-- Read `_briefing.md` for project identity and configuration
+- Read `.claude/cabinet/_briefing.md` for project identity and configuration
 - Read `system-status.md` for current state
 - Read `CLAUDE.md` if it has project-specific instructions beyond what
   Claude Code auto-loads