npm - ironcode-ai - Versions diffs - 1.20.8 → 1.20.9 - Mend

ironcode-ai 1.20.8 → 1.20.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -127,7 +127,7 @@ Press **`Ctrl+T`** to cycle between variants:
 ## Skills
-IronCode ships with **13 built-in skill workflows** — opinionated slash commands that switch the agent into a specialist mode. Instead of one generic assistant, you get: founder, tech lead, TDD coach, debugger, paranoid reviewer, release engineer, QA tester, technical writer, and engineering manager.
+IronCode ships with **15 built-in skill workflows** — opinionated slash commands that switch the agent into a specialist mode. Instead of one generic assistant, you get: founder, tech lead, TDD coach, debugger, paranoid reviewer, release engineer, QA tester, security auditor, technical writer, and engineering manager.
 | Skill               | Mode                | What it does                                                                                                                                               |
 | ------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
@@ -136,6 +136,8 @@ IronCode ships with **13 built-in skill workflows** — opinionated slash comman
 | `/tdd`              | Developer           | RED-GREEN-REFACTOR: write a failing test, minimal code to pass, refactor. No production code without a failing test first.                                 |
 | `/debug`            | Debugger            | Systematic 4-phase debugging: root cause investigation, pattern analysis, hypothesis testing, implementation. 3-fix rule escalates architectural problems. |
 | `/code-review`      | Staff engineer      | Find bugs that pass CI but blow up in production. Two-pass: critical + informational.                                                                      |
+| `/security-review`  | Security engineer   | Scan the current branch diff for OWASP Top 10 vulnerabilities before shipping. Two-pass: critical + informational. Integrates Semgrep MCP when available.  |
+| `/web-scan`         | Penetration tester  | Actively probe a live URL for misconfigs, exposed files, SSL issues, CORS, and info disclosure. Uses curl; optionally integrates Nikto and Nuclei.         |
 | `/verify`           | Gatekeeper          | Run the command, read the output, then claim the result. Evidence before assertions — no "should work now."                                                |
 | `/code-ship`        | Release engineer    | Merge, test, typecheck, review, changelog, bisectable commits, push, and PR — one command.                                                                 |
 | `/browse`           | QA engineer         | Headless Chromium via Playwright. Navigate, click, fill forms, screenshot, assert states, test responsive layouts.                                         |
@@ -208,6 +210,82 @@ Streak: 12 consecutive days.
 ````
+### Security Skills
+`/security-review` and `/web-scan` work out of the box with no extra setup. Install optional tools below for deeper scanning.
+#### Optional: Semgrep MCP (static analysis for `/security-review`)
+[Semgrep](https://semgrep.dev) adds pattern-based static analysis on top of the built-in OWASP checklist — detecting injection, hardcoded secrets, insecure APIs, and supply chain issues across 30+ languages.
+**1. Add to your ironcode config** (`~/.config/ironcode/ironcode.json` for global, or `ironcode.json` in your project):
+```json
+{
+  "mcp": {
+    "semgrep": {
+      "type": "local",
+      "command": ["npx", "@modular-intelligence/semgrep"]
+    }
+  }
+}
+```
+Optional — add `SEMGREP_APP_TOKEN` to unlock Pro rules (free at semgrep.dev):
+```json
+{
+  "mcp": {
+    "semgrep": {
+      "type": "local",
+      "command": ["npx", "@modular-intelligence/semgrep"],
+      "environment": {
+        "SEMGREP_APP_TOKEN": "your-token-here"
+      }
+    }
+  }
+}
+```
+**2. Install Semgrep CLI** (required by the MCP server):
+```bash
+# macOS
+brew install semgrep
+# pip
+pip install semgrep
+```
+**3. Restart IronCode**, then verify:
+```bash
+ironcode mcp list
+# semgrep  connected
+```
+When connected, `/security-review` runs three scans automatically — SAST (diff-aware), secrets detection, and supply chain — then merges all findings into the report under `[SEMGREP]`.
+> `npx` auto-downloads `@modular-intelligence/semgrep` on first run. The Semgrep CLI must be installed separately (step 2 above).
+#### Optional: Nikto + Nuclei (active scanning for `/web-scan`)
+`/web-scan` uses `curl` by default. Install Nikto and/or Nuclei for deeper active scanning:
+```bash
+# macOS
+brew install nikto
+brew install nuclei && nuclei -update-templates
+# Ubuntu / Debian
+sudo apt install nikto
+go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
+```
+When installed, `/web-scan` detects them automatically and appends their findings to the report.
+---
 ### Skills requiring Playwright MCP
 The `/browse`, `/qa`, `/qa-only`, and `/qa-browse` skills control a real browser via [Playwright MCP](https://github.com/microsoft/playwright-mcp). Set it up once before using them.

package/package.json CHANGED Viewed

@@ -6,13 +6,13 @@
   "scripts": {
     "postinstall": "bun ./postinstall.mjs || node ./postinstall.mjs"
   },
-  "version": "1.20.8",
+  "version": "1.20.9",
   "license": "MIT",
   "optionalDependencies": {
-    "ironcode-linux-x64-baseline": "1.20.8",
-    "ironcode-darwin-arm64": "1.20.8",
-    "ironcode-windows-x64-modern": "1.20.8",
-    "ironcode-linux-x64-modern": "1.20.8",
-    "ironcode-linux-x64-baseline-musl": "1.20.8"
+    "ironcode-linux-x64-modern": "1.20.9",
+    "ironcode-darwin-arm64": "1.20.9",
+    "ironcode-linux-x64-baseline-musl": "1.20.9",
+    "ironcode-windows-x64-modern": "1.20.9",
+    "ironcode-linux-x64-baseline": "1.20.9"
   }
 }

package/postinstall.mjs CHANGED Viewed

@@ -49,27 +49,33 @@ function detectPlatformAndArch() {
 function findBinary() {
   const { platform, arch } = detectPlatformAndArch()
-  // const packageName = `ironcode-${platform}-${arch}`
-  let packageName = `ironcode-${platform}-${arch}`
-  if (arch === "x64") {
-    packageName += "-modern"
-  }
   const binaryName = platform === "windows" ? "ironcode.exe" : "ironcode"
-  try {
-    // Use require.resolve to find the package
-    const packageJsonPath = require.resolve(`${packageName}/package.json`)
-    const packageDir = path.dirname(packageJsonPath)
-    const binaryPath = path.join(packageDir, "bin", binaryName)
+  // Build candidate package names in preference order
+  const candidates = []
+  if (arch === "x64") {
+    candidates.push(`ironcode-${platform}-${arch}-modern`)
+  }
+  candidates.push(`ironcode-${platform}-${arch}`)
+  // Fallback: on darwin-x64 try arm64 (runs via Rosetta 2)
+  if (platform === "darwin" && arch === "x64") {
+    candidates.push("ironcode-darwin-arm64")
+  }
-    if (!fs.existsSync(binaryPath)) {
-      throw new Error(`Binary not found at ${binaryPath}`)
+  for (const packageName of candidates) {
+    try {
+      const packageJsonPath = require.resolve(`${packageName}/package.json`)
+      const packageDir = path.dirname(packageJsonPath)
+      const binaryPath = path.join(packageDir, "bin", binaryName)
+      if (fs.existsSync(binaryPath)) {
+        return { binaryPath, binaryName }
+      }
+    } catch (_) {
+      // not installed, try next candidate
     }
-    return { binaryPath, binaryName }
-  } catch (error) {
-    throw new Error(`Could not find package ${packageName}: ${error.message}`)
   }
+  throw new Error(`Could not find a suitable ironcode binary package for ${platform}-${arch}`)
 }
 function prepareBinDirectory(binaryName) {