practicode 0.1.8 → 0.1.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/Cargo.lock CHANGED
@@ -453,7 +453,7 @@ checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391"
453
453
 
454
454
  [[package]]
455
455
  name = "practicode"
456
- version = "0.1.8"
456
+ version = "0.1.9"
457
457
  dependencies = [
458
458
  "anyhow",
459
459
  "crossterm",
package/Cargo.toml CHANGED
@@ -1,6 +1,6 @@
1
1
  [package]
2
2
  name = "practicode"
3
- version = "0.1.8"
3
+ version = "0.1.9"
4
4
  edition = "2024"
5
5
  description = "Local-first coding-test practice in a Rust terminal UI with optional AI help."
6
6
  readme = "README.md"
package/README.md CHANGED
@@ -7,6 +7,7 @@
7
7
  ![crates.io](https://img.shields.io/crates/v/practicode?logo=rust)
8
8
  ![npm](https://img.shields.io/npm/v/practicode?logo=npm)
9
9
  ![CI](https://github.com/baba9811/practicode/actions/workflows/ci.yml/badge.svg)
10
+ [Socket.dev package health](https://socket.dev/npm/package/practicode)
10
11
 
11
12
  ![practicode terminal UI](assets/practicode-terminal.svg)
12
13
 
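Review bot: the new Socket.dev line breaks the badge row style, since the three lines above it are `![...](...)` image badges while this one is a bare text link; either use a badge image in the same form if Socket.dev provides one, or move the link down to the section of the README where the package health page is actually referenced. Style point only.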
@@ -36,6 +37,8 @@ npm install -g practicode
36
37
  practicode
37
38
  ```
38
39
 
40
+ The npm package has a `postinstall` step that runs `cargo build --release --locked` from the package root so the Rust TUI binary is ready. Set `PRACTICODE_SKIP_BUILD=1` to skip that install-time build; the `practicode` launcher will try the same locked Cargo build on first run if the binary is missing.
41
+
39
42
  ### Cargo
40
43
 
41
44
  ```bash
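Review bot: the new `postinstall` paragraph does not say what happens when Cargo is not installed or the locked build fails, which is the failure mode most `npm install -g practicode` users will hit; state whether `npm install` fails outright, whether `PRACTICODE_SKIP_BUILD=1` (or `npm install --ignore-scripts`) still leaves a usable `practicode` launcher, and that `cargo build --release --locked` still downloads the pinned crates from crates.io at install time even though versions are fixed by the lockfile. The Rust toolchain requirement belongs next to the existing `node: >=18` constraint so it is visible before install.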
@@ -176,6 +179,8 @@ cargo install --force practicode
176
179
  - `/run` executes your local submission as a normal process. practicode runs it from `.practicode/build/<problem-id>/run`, but this is not an OS sandbox. Only run code you trust.
177
180
  - `/hint` sends the current problem and submission to the selected AI provider CLI.
178
181
  - AI-backed `/next` and `/generate` can run a custom shell command from `settings.ai_next_command`; save only commands you trust.
182
+ - npm installs run the package `postinstall` script described above. It only invokes Cargo with the checked-in lockfile from this package root; it does not read local `.env`/`.npmrc` files or contact the configured AI provider.
183
+ - npm releases are published from GitHub Actions with registry signatures and provenance enabled in `package.json`. The release workflow is also prepared for npm Trusted Publishing/OIDC; maintainers should prefer that over long-lived publish tokens when the package setting is enabled on npm.
179
184
  - Local `.env`, `.npmrc`, `.practicode/`, `problems/`, and `submissions/` are ignored by git. Do not commit tokens, private prompts, or answer keys.
180
185
 
181
186
  ## Development Checks
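Review bot: the assertion that the `postinstall` script "does not read local `.env`/`.npmrc` files or contact the configured AI provider" cannot be checked from this diff, because the script itself is not part of the change; add the script's path to the bullet so readers can audit it, and qualify "only invokes Cargo" with the fact that a locked build still fetches the pinned crates over the network. The Trusted Publishing bullet repeats guidance from the release document elsewhere in this diff; a one-line pointer to that document would keep the two from drifting apart.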
package/SECURITY.md ADDED
@@ -0,0 +1,11 @@
1
+ # Security Policy
2
+
3
+ ## Reporting
4
+
5
+ Report vulnerabilities through GitHub Security Advisories for this repository when available. If that is not available, open a minimal public issue asking for a private security contact and avoid posting exploit details.
6
+
7
+ Do not include tokens, private prompts, `.env`, `.npmrc`, `.practicode/`, `problems/`, or `submissions/` contents in public reports.
8
+
9
+ ## Scope
10
+
11
+ Security-sensitive areas include npm install scripts, release publishing, command execution, local judging, AI provider prompts, update checks, and local user data handling.
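Review bot: the Reporting fallback ("open a minimal public issue asking for a private security contact") makes the first step of private disclosure a public action and gives no expected response time; add a direct private contact (an email address or maintainer handle) and a target acknowledgement window, and state which versions receive fixes. Since `package.json` in this release adds a `bugs` URL, this file could point non-security reports there so the issue tracker does not become the security channel by default. Under Scope, consider stating explicitly whether running untrusted submissions through `/run` is in scope, given the README already documents that it is not an OS sandbox.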
@@ -45,11 +45,16 @@ Verify publication:
45
45
  ```bash
46
46
  gh run list --limit 5
47
47
  npm view practicode version
48
+ npm view practicode dist.signatures dist.attestations --json
48
49
  cargo search practicode --limit 1
49
50
  ```
50
51
 
51
52
  Do not print or commit tokens. Local `.env` and `.npmrc` are ignored; GitHub Actions uses `NPM_TOKEN` and `CRATES_TOKEN` repository secrets.
52
53
 
54
+ For npm supply-chain posture, keep `publishConfig.provenance` enabled and keep the release job's `id-token: write` permission. When the npm package's Trusted Publisher setting is configured for this repository and `.github/workflows/release.yml`, remove the long-lived `NPM_TOKEN` dependency from the npm publish steps and disallow token publishing in the npm package settings.
55
+
56
+ Socket.dev indexes the npm package page at <https://socket.dev/npm/package/practicode>. It may lag behind npm immediately after a release; verify npm first with `npm view practicode version`, then re-check Socket after indexing catches up. If Socket flags the npm `postinstall` script, confirm it still only runs the locked Cargo build documented in the README.
57
+
53
58
  ## Documentation Ownership
54
59
 
55
60
  | File | Audience |
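Review bot: this hunk has lost its file header in the rendered diff, so it is unclear which document it belongs to (the context lines `Verify publication:` and `## Documentation Ownership` suggest a release or maintainer guide). On content, the unchanged context line "GitHub Actions uses `NPM_TOKEN` and `CRATES_TOKEN` repository secrets" now sits next to a new paragraph telling maintainers to remove the `NPM_TOKEN` dependency once Trusted Publishing is configured; make the secrets sentence conditional on the publishing mode or describe the intended end state. The added `npm view practicode dist.signatures dist.attestations --json` only prints registry metadata; pair it with `npm audit signatures` in a project that depends on practicode, which verifies the registry signatures (and, on recent npm versions, the provenance attestations) rather than just showing they exist.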
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "practicode",
3
- "version": "0.1.8",
3
+ "version": "0.1.9",
4
4
  "description": "Local-first coding-test practice in a Rust terminal UI with optional AI help.",
5
5
  "license": "MIT",
6
6
  "repository": {
@@ -8,6 +8,9 @@
8
8
  "url": "git+https://github.com/baba9811/practicode.git"
9
9
  },
10
10
  "homepage": "https://github.com/baba9811/practicode#readme",
11
+ "bugs": {
12
+ "url": "https://github.com/baba9811/practicode/issues"
13
+ },
11
14
  "bin": {
12
15
  "practicode": "bin/practicode.js"
13
16
  },
@@ -27,6 +30,7 @@
27
30
  "Cargo.toml",
28
31
  "LICENSE",
29
32
  "README.md",
33
+ "SECURITY.md",
30
34
  "THIRD_PARTY_LICENSES.md"
31
35
  ],
32
36
  "keywords": [
@@ -41,6 +45,7 @@
41
45
  "node": ">=18"
42
46
  },
43
47
  "publishConfig": {
44
- "access": "public"
48
+ "access": "public",
49
+ "provenance": true
45
50
  }
46
51
  }
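Review bot: with `publishConfig.provenance` set to `true`, `npm publish` fails outside a supported CI environment that can mint an OIDC token, so a maintainer attempting a manual release from a workstation will be blocked; this matches the release guidance in this diff, but the release document should say so explicitly and confirm the workflow carries the `id-token: write` permission it mentions. Provenance attests where and how the tarball was built; it says nothing about what the `postinstall` script does on a consumer's machine, so the README security notes remain the place to document that.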