practicode 0.1.8 → 0.1.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/Cargo.lock +1 -1
- package/Cargo.toml +1 -1
- package/README.md +5 -0
- package/SECURITY.md +11 -0
- package/docs/MAINTAINING.md +5 -0
- package/package.json +7 -2
package/Cargo.lock
CHANGED
package/Cargo.toml
CHANGED
package/README.md
CHANGED
|
@@ -7,6 +7,7 @@
|
|
|
7
7
|

|
|
8
8
|

|
|
9
9
|

|
|
10
|
+
[Socket.dev package health](https://socket.dev/npm/package/practicode)
|
|
10
11
|
|
|
11
12
|

|
|
12
13
|
|
|
@@ -36,6 +37,8 @@ npm install -g practicode
|
|
|
36
37
|
practicode
|
|
37
38
|
```
|
|
38
39
|
|
|
40
|
+
The npm package has a `postinstall` step that runs `cargo build --release --locked` from the package root so the Rust TUI binary is ready. Set `PRACTICODE_SKIP_BUILD=1` to skip that install-time build; the `practicode` launcher will try the same locked Cargo build on first run if the binary is missing.
|
|
41
|
+
|
|
39
42
|
### Cargo
|
|
40
43
|
|
|
41
44
|
```bash
|
|
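Review bot: the new paragraph at +40 never says what happens when `cargo` is not on the installing machine, which is the normal case for someone who only runs `npm install -g practicode`. npm aborts the install when a lifecycle script exits non-zero, so a `postinstall` that runs `cargo build --release --locked` will fail the whole install unless the script catches the missing toolchain and exits 0. State explicitly which of the two it does (abort vs. fall through to the first-run build in the launcher), name the toolchain requirement (`cargo`/`rustup`) right next to `PRACTICODE_SKIP_BUILD=1`, and make clear that the variable only defers the build to first run rather than removing the dependency on Cargo.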
@@ -176,6 +179,8 @@ cargo install --force practicode
|
|
|
176
179
|
- `/run` executes your local submission as a normal process. practicode runs it from `.practicode/build/<problem-id>/run`, but this is not an OS sandbox. Only run code you trust.
|
|
177
180
|
- `/hint` sends the current problem and submission to the selected AI provider CLI.
|
|
178
181
|
- AI-backed `/next` and `/generate` can run a custom shell command from `settings.ai_next_command`; save only commands you trust.
|
|
182
|
+
- npm installs run the package `postinstall` script described above. It only invokes Cargo with the checked-in lockfile from this package root; it does not read local `.env`/`.npmrc` files or contact the configured AI provider.
|
|
183
|
+
- npm releases are published from GitHub Actions with registry signatures and provenance enabled in `package.json`. The release workflow is also prepared for npm Trusted Publishing/OIDC; maintainers should prefer that over long-lived publish tokens when the package setting is enabled on npm.
|
|
179
184
|
- Local `.env`, `.npmrc`, `.practicode/`, `problems/`, and `submissions/` are ignored by git. Do not commit tokens, private prompts, or answer keys.
|
|
180
185
|
|
|
181
186
|
## Development Checks
|
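Review bot: the bullet at +182 understates what "only invokes Cargo with the checked-in lockfile" means at install time. A locked Cargo build still compiles and executes every dependency's `build.rs` build script and proc-macro with the installing user's privileges, and Cargo reads its own configuration (`.cargo/config.toml`, `RUSTFLAGS`, `CARGO_*` environment) regardless of whether the package touches `.env`; npm itself also reads `.npmrc` during any install, so "does not read local `.npmrc`" is only true of the script, not of the install. Reword to: the lockfile pins versions and checksums but does not sandbox build scripts, so users who want to inspect `Cargo.lock` first should install with `--ignore-scripts` or `PRACTICODE_SKIP_BUILD=1`; that keeps it consistent with the "only run code you trust" wording at 176/179 and 178/181. For +183, "prepared for npm Trusted Publishing/OIDC" is not verifiable from the README; link `.github/workflows/release.yml` and say plainly that publishing currently uses a token until Trusted Publishing is switched on.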
package/SECURITY.md
ADDED
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
# Security Policy
|
|
2
|
+
|
|
3
|
+
## Reporting
|
|
4
|
+
|
|
5
|
+
Report vulnerabilities through GitHub Security Advisories for this repository when available. If that is not available, open a minimal public issue asking for a private security contact and avoid posting exploit details.
|
|
6
|
+
|
|
7
|
+
Do not include tokens, private prompts, `.env`, `.npmrc`, `.practicode/`, `problems/`, or `submissions/` contents in public reports.
|
|
8
|
+
|
|
9
|
+
## Scope
|
|
10
|
+
|
|
11
|
+
Security-sensitive areas include npm install scripts, release publishing, command execution, local judging, AI provider prompts, update checks, and local user data handling.
|
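Review bot: the fallback at +5 (open a public issue asking for a private contact) offers no private channel of its own and gives no acknowledgement or disclosure timeline, so a reporter who finds GitHub Security Advisories unavailable has to post publicly, which works against the "avoid posting exploit details" instruction in the same sentence. Add a direct private contact (a maintainer email, or a statement that GitHub private vulnerability reporting is enabled for the repository) and a target response window. +10 lists areas in scope but not which releases receive fixes; add a short "Supported versions" line so reporters know whether 0.1.x is the only line that is patched.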
package/docs/MAINTAINING.md
CHANGED
|
@@ -45,11 +45,16 @@ Verify publication:
|
|
|
45
45
|
```bash
|
|
46
46
|
gh run list --limit 5
|
|
47
47
|
npm view practicode version
|
|
48
|
+
npm view practicode dist.signatures dist.attestations --json
|
|
48
49
|
cargo search practicode --limit 1
|
|
49
50
|
```
|
|
50
51
|
|
|
51
52
|
Do not print or commit tokens. Local `.env` and `.npmrc` are ignored; GitHub Actions uses `NPM_TOKEN` and `CRATES_TOKEN` repository secrets.
|
|
52
53
|
|
|
54
|
+
For npm supply-chain posture, keep `publishConfig.provenance` enabled and keep the release job's `id-token: write` permission. When the npm package's Trusted Publisher setting is configured for this repository and `.github/workflows/release.yml`, remove the long-lived `NPM_TOKEN` dependency from the npm publish steps and disallow token publishing in the npm package settings.
|
|
55
|
+
|
|
56
|
+
Socket.dev indexes the npm package page at <https://socket.dev/npm/package/practicode>. It may lag behind npm immediately after a release; verify npm first with `npm view practicode version`, then re-check Socket after indexing catches up. If Socket flags the npm `postinstall` script, confirm it still only runs the locked Cargo build documented in the README.
|
|
57
|
+
|
|
53
58
|
## Documentation Ownership
|
|
54
59
|
|
|
55
60
|
| File | Audience |
|
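Review bot: `npm view practicode dist.signatures dist.attestations --json` at +48 only prints registry metadata; it does not verify the signature or the provenance attestation. Use `npm audit signatures` (after `npm install practicode` in a scratch directory) so the check actually validates the registry signature and attestation against the registry's published keys and reports `verified` or `invalid`. Also, +54 tells maintainers to remove the `NPM_TOKEN` dependency once Trusted Publishing is configured, but the unchanged line 52/53 directly above still states that GitHub Actions uses the `NPM_TOKEN` secret; qualify that sentence with "until Trusted Publishing is enabled" so the two paragraphs do not contradict each other. For +56, "confirm it still only runs the locked Cargo build documented in the README" should point at the artifact itself rather than the README description (for example `npm view practicode scripts.postinstall` and the script file it references in the published tarball), since a tampered release would change the README along with the script.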
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "practicode",
|
|
3
|
-
"version": "0.1.
|
|
3
|
+
"version": "0.1.9",
|
|
4
4
|
"description": "Local-first coding-test practice in a Rust terminal UI with optional AI help.",
|
|
5
5
|
"license": "MIT",
|
|
6
6
|
"repository": {
|
|
@@ -8,6 +8,9 @@
|
|
|
8
8
|
"url": "git+https://github.com/baba9811/practicode.git"
|
|
9
9
|
},
|
|
10
10
|
"homepage": "https://github.com/baba9811/practicode#readme",
|
|
11
|
+
"bugs": {
|
|
12
|
+
"url": "https://github.com/baba9811/practicode/issues"
|
|
13
|
+
},
|
|
11
14
|
"bin": {
|
|
12
15
|
"practicode": "bin/practicode.js"
|
|
13
16
|
},
|
|
@@ -27,6 +30,7 @@
|
|
|
27
30
|
"Cargo.toml",
|
|
28
31
|
"LICENSE",
|
|
29
32
|
"README.md",
|
|
33
|
+
"SECURITY.md",
|
|
30
34
|
"THIRD_PARTY_LICENSES.md"
|
|
31
35
|
],
|
|
32
36
|
"keywords": [
|
|
@@ -41,6 +45,7 @@
|
|
|
41
45
|
"node": ">=18"
|
|
42
46
|
},
|
|
43
47
|
"publishConfig": {
|
|
44
|
-
"access": "public"
|
|
48
|
+
"access": "public",
|
|
49
|
+
"provenance": true
|
|
45
50
|
}
|
|
46
51
|
}
|
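Review bot: `"provenance": true` at +49 turns on provenance for every `npm publish`, so a maintainer publishing from a workstation (including an emergency re-publish) will get an error about provenance not being supported outside a supported CI environment unless they pass `--provenance=false`; document that in `docs/MAINTAINING.md` next to the `id-token: write` requirement. npm's provenance publish also validates that `repository.url` (line 8, `git+https://github.com/baba9811/practicode.git`) matches the repository the workflow runs from, so that field has to be kept accurate if the repository is ever renamed or moved, otherwise the publish is rejected.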