safelaunch 1.0.20 → 1.0.22

package/README.md

@@ -1,60 +1,119 @@
 # safelaunch
 
-> Ship without breaking production.
+> The pre-deploy safety check for JavaScript projects.
 
 [![npm version](https://badge.fury.io/js/safelaunch.svg)](https://www.npmjs.com/package/safelaunch)
 
-safelaunch validates your environment before every push. Catches missing variables, empty values, duplicates, dependency drift, and prefix misconfigurations — before they reach production.
+Run one command before you deploy. safelaunch scans your entire project and tells you exactly what will break — before it breaks in production.
 
-Works with **Node.js, Next.js, Vite, and Create React App**. Not just backend. Any JavaScript project.
+Works with **Node.js, Next.js, Vite, and Create React App**.
 
 🌐 [orches.dev](https://karthicedric7-cloud.github.io/Orches)
 
 ---
 
-## Privacy & Security
-
-safelaunch runs **entirely on your machine**. It never sends your environment variables, secrets, or any project data to external servers. Your `.env` files stay local. Always.
+## Try it now — zero setup
 
----
-
-## Try it right now — zero setup
 ```bash
 npx safelaunch scan
 ```
 
 No installation. No config. Just run it in any JavaScript project.
 
-Scans your entire codebase, checks your `.env`, and tells you exactly what would break your next deploy.
 ```
 Scanning your project...
-
 Detected: Next.js
 
-Found 8 env variables in your codebase
+🚨 Safelaunch Scan Report
+
+This project is NOT safe to deploy
+
+3 issues found
+2 critical · 1 warning
+
+────────────────────────────
+
+🚨 CRITICAL (will break your app)
+
+1. DATABASE_URL is missing
 
-⚠️  DUPLICATE VARIABLES (1 found)
+   Impact:
+   Your app cannot use DATABASE_URL
+   → Will crash or behave incorrectly at runtime
 
-   DATABASE_URL   defined more than once in .env
+---
+
+2. STRIPE_SECRET_KEY is missing
+
+   Impact:
+   Your app cannot use STRIPE_SECRET_KEY
+   → Will crash or behave incorrectly at runtime
+
+────────────────────────────
+
+⚠️  WARNINGS (may cause issues)
 
-❌ MISSING VARIABLES (2 found)
+3. .env is not in .gitignore
 
-   NEXTAUTH_SECRET   missing from .env
-   STRIPE_SECRET_KEY   missing from .env
+   Impact:
+   .env is not in your .gitignore
+   → You are one git add away from leaking your secrets
 
-✅ PASSING (6)
+────────────────────────────
 
-   API_KEY   present
-   NODE_ENV   present
+✅ What's working (5 checks passed)
 
-Your next deploy would have failed.
+- Environment file detected
+- No hardcoded secrets found
+- Dependencies installed
+- No duplicate variables
+- NODE_ENV configured
 
-Run safelaunch init to lock this in permanently.
+────────────────────────────
+
+💡 Next step
+
+   Run:
+   safelaunch init
+
+   Lock this configuration and prevent future breakage
 ```
 
 ---
 
+## What safelaunch checks
+
+### Environment
+- Missing variables
+- Empty variables
+- Duplicate variables
+- `VITE_` prefix validation
+- `REACT_APP_` prefix validation
+- `.env.example` out of sync
+
+### Secrets & Security
+- `.env` committed to git
+- `.env` not in `.gitignore`
+- Hardcoded secrets in source files
+
+### Dependencies
+- `node_modules` not installed
+- Packages in `package.json` but not installed
+- Lockfile missing
+
+### Build Readiness
+- Build script missing
+- Required config files missing (next.config.js, vite.config.js)
+- TypeScript errors
+
+### Git State
+- Uncommitted changes before deploy
+- Unpushed commits
+
+---
+
 ## Installation
+
 ```bash
 npm install -g safelaunch
 ```
@@ -63,62 +122,38 @@ npm install -g safelaunch
 
 ## Lock it in permanently
 
-Once you've seen what scan finds, lock it in with two commands:
+Once scan shows you what's broken, lock your configuration so it never breaks again.
 
 **Step 1 — Generate your environment manifest**
+
 ```bash
 safelaunch init
 ```
 
-Scans your codebase and generates an `env.manifest.json` contract file automatically.
+Scans your codebase and creates an `env.manifest.json` — a contract file that defines exactly what your app needs to run.
+
+**Step 2 — Validate before every deploy**
 
-**Step 2 — Validate before every push**
 ```bash
 safelaunch validate
 ```
 
-Runs 11 checks against your `.env` and tells you exactly what will break before it does.
+Checks your live environment against the manifest and tells you exactly what will break before it does.
 
 ---
 
-## Never think about it again — install the git hook
+## Never think about it again
+
 ```bash
 safelaunch hook install
 ```
 
-Blocks `git push` automatically if validation fails. Set it once, forget about it.
-
----
-
-## What scan checks
-
-1. Missing variables
-2. Empty variables
-3. Duplicate variables
-4. Dependencies not installed
-5. Dependency drift
-6. `VITE_` prefix validation
-7. `REACT_APP_` prefix validation
-
-## What validate checks
-
-1. Missing required variables
-2. Empty variables
-3. Runtime version mismatch
-4. Duplicate variables
-5. Dependencies not installed
-6. Dependency drift
-7. `.env` vs `.env.example` sync
-8. `VITE_` prefix validation
-9. `REACT_APP_` prefix validation
-10. `NEXT_PUBLIC_` awareness
-11. `.env` file priority order
+Installs a git hook that blocks `git push` automatically if validation fails. Set it once, forget about it.
 
 ---
 
 ## CI Integration
 
-Block deployments automatically by adding this to your GitHub Actions workflow:
 ```yaml
 - name: Install safelaunch
   run: npm install -g safelaunch
@@ -127,6 +162,16 @@ Block deployments automatically by adding this to your GitHub Actions workflow:
   run: safelaunch validate
 ```
 
+Blocks deployments automatically if anything is missing or misconfigured.
+
+---
+
+## Privacy & Security
+
+safelaunch runs **entirely on your machine**. It never sends your environment variables, secrets, or project data to external servers. Your `.env` files stay local. Always.
+
+Anonymous usage telemetry is collected to help improve the product. No personal data, no secrets, no file contents — ever.
+
 ---
 
 Built by [Karthi Cedric](https://twitter.com/karthiced) · Part of [Orches](https://karthicedric7-cloud.github.io/Orches)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "safelaunch",
-  "version": "1.0.20",
+  "version": "1.0.22",
   "description": "Validate your environment before every push. Catch missing, empty, and misconfigured env variables before they break production.",
   "main": "index.js",
   "bin": {

package/safelaunch/README.md

@@ -1,61 +1,119 @@
 # safelaunch
 
-> Ship without breaking production ever.
+> The pre-deploy safety check for JavaScript projects.
 
 [![npm version](https://badge.fury.io/js/safelaunch.svg)](https://www.npmjs.com/package/safelaunch)
 
-safelaunch validates your environment before every push. Catches missing variables, empty values, duplicates, dependency drift, and prefix misconfigurations — before they reach production.
+Run one command before you deploy. safelaunch scans your entire project and tells you exactly what will break — before it breaks in production.
 
-Works with **Node.js, Next.js, Vite, and Create React App**. Not just backend. Any JavaScript project.
+Works with **Node.js, Next.js, Vite, and Create React App**.
 
 🌐 [orches.dev](https://karthicedric7-cloud.github.io/Orches)
 
 ---
 
-## Privacy & Security
-
-safelaunch runs **entirely on your machine**. It never sends your environment variables, secrets, or any project data to external servers. Your `.env` files stay local. Always.
-
----
+## Try it now — zero setup
 
-## Try it right now — zero setup
 ```bash
 npx safelaunch scan
 ```
 
 No installation. No config. Just run it in any JavaScript project.
 
-Scans your entire codebase, checks your `.env`, and tells you exactly what would break your next deploy.
 ```
 Scanning your project...
-
 Detected: Next.js
 
-Found 8 env variables in your codebase
+🚨 Safelaunch Scan Report
+
+This project is NOT safe to deploy
 
-⚠️  DUPLICATE VARIABLES (1 found)
+3 issues found
+2 critical · 1 warning
 
-   DATABASE_URL   defined more than once in .env
+────────────────────────────
+
+🚨 CRITICAL (will break your app)
+
+1. DATABASE_URL is missing
+
+   Impact:
+   Your app cannot use DATABASE_URL
+   → Will crash or behave incorrectly at runtime
+
+---
 
-❌ MISSING VARIABLES (2 found)
+2. STRIPE_SECRET_KEY is missing
 
-   NEXTAUTH_SECRET   missing from .env
-   STRIPE_SECRET_KEY   missing from .env
+   Impact:
+   Your app cannot use STRIPE_SECRET_KEY
+   → Will crash or behave incorrectly at runtime
 
-✅ PASSING (6)
+────────────────────────────
 
-   API_KEY   present
-   NODE_ENV   present
-   ...
+⚠️  WARNINGS (may cause issues)
 
-Your next deploy would have failed.
+3. .env is not in .gitignore
 
-Run safelaunch init to lock this in permanently.
+   Impact:
+   .env is not in your .gitignore
+   → You are one git add away from leaking your secrets
+
+────────────────────────────
+
+✅ What's working (5 checks passed)
+
+- Environment file detected
+- No hardcoded secrets found
+- Dependencies installed
+- No duplicate variables
+- NODE_ENV configured
+
+────────────────────────────
+
+💡 Next step
+
+   Run:
+   safelaunch init
+
+   Lock this configuration and prevent future breakage
 ```
 
 ---
 
+## What safelaunch checks
+
+### Environment
+- Missing variables
+- Empty variables
+- Duplicate variables
+- `VITE_` prefix validation
+- `REACT_APP_` prefix validation
+- `.env.example` out of sync
+
+### Secrets & Security
+- `.env` committed to git
+- `.env` not in `.gitignore`
+- Hardcoded secrets in source files
+
+### Dependencies
+- `node_modules` not installed
+- Packages in `package.json` but not installed
+- Lockfile missing
+
+### Build Readiness
+- Build script missing
+- Required config files missing (next.config.js, vite.config.js)
+- TypeScript errors
+
+### Git State
+- Uncommitted changes before deploy
+- Unpushed commits
+
+---
+
 ## Installation
+
 ```bash
 npm install -g safelaunch
 ```
@@ -64,52 +122,38 @@ npm install -g safelaunch
 
 ## Lock it in permanently
 
-Once you've seen what scan finds, lock it in with two commands:
+Once scan shows you what's broken, lock your configuration so it never breaks again.
 
 **Step 1 — Generate your environment manifest**
+
 ```bash
 safelaunch init
 ```
 
-Scans your codebase and generates an `env.manifest.json` contract file automatically.
+Scans your codebase and creates an `env.manifest.json` — a contract file that defines exactly what your app needs to run.
+
+**Step 2 — Validate before every deploy**
 
-**Step 2 — Validate before every push**
 ```bash
 safelaunch validate
 ```
 
-Runs 11 checks against your `.env` and tells you exactly what will break before it does.
+Checks your live environment against the manifest and tells you exactly what will break before it does.
 
 ---
 
-## Never think about it again — install the git hook
+## Never think about it again
+
 ```bash
 safelaunch hook install
 ```
 
-Blocks `git push` automatically if validation fails. Set it once, forget about it.
-
----
-
-## What it checks
-
-1. Missing required variables
-2. Empty variables
-3. Runtime version mismatch
-4. Duplicate variables
-5. Dependencies not installed
-6. Dependency drift
-7. `.env` vs `.env.example` sync
-8. `VITE_` prefix validation
-9. `REACT_APP_` prefix validation
-10. `NEXT_PUBLIC_` awareness
-11. `.env` file priority order
+Installs a git hook that blocks `git push` automatically if validation fails. Set it once, forget about it.
 
 ---
 
 ## CI Integration
 
-Block deployments automatically by adding this to your GitHub Actions workflow:
 ```yaml
 - name: Install safelaunch
   run: npm install -g safelaunch
@@ -118,6 +162,16 @@ Block deployments automatically by adding this to your GitHub Actions workflow:
   run: safelaunch validate
 ```
 
+Blocks deployments automatically if anything is missing or misconfigured.
+
+---
+
+## Privacy & Security
+
+safelaunch runs **entirely on your machine**. It never sends your environment variables, secrets, or project data to external servers. Your `.env` files stay local. Always.
+
+Anonymous usage telemetry is collected to help improve the product. No personal data, no secrets, no file contents — ever.
+
 ---
 
 Built by [Karthi Cedric](https://twitter.com/karthiced) · Part of [Orches](https://karthicedric7-cloud.github.io/Orches)

package/safelaunch/src/scan.js

@@ -72,6 +72,14 @@ const IMPACT = {
     'You have commits that have not been pushed',
     '\u2192 Your deploy may not include your latest changes'
   ]),
+  typescriptErrors: () => impactBlock([
+    'Your project has TypeScript type errors',
+    '\u2192 These may cause your build to fail in CI or production'
+  ]),
+  configFileMissing: (file) => impactBlock([
+    file + ' is missing',
+    '\u2192 Your framework will not know how to build or run this project'
+  ]),
 };
 
 const DIVIDER = '\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500';
@@ -91,11 +99,12 @@ function detectProjectType(cwd) {
 }
 
 function scanFiles(dir, extensions, pattern, found = new Set()) {
-  const items = fs.readdirSync(dir);
+  let items;
+  try { items = fs.readdirSync(dir); } catch (_) { return found; }
   for (const item of items) {
     if (item === 'node_modules' || item === '.git') continue;
     const full = path.join(dir, item);
-    const stat = fs.statSync(full);
+    let stat; try { stat = fs.statSync(full); } catch (_) { continue; }
     if (stat.isDirectory()) {
       scanFiles(full, extensions, pattern, found);
     } else if (extensions.some(ext => item.endsWith(ext))) {
@@ -187,11 +196,12 @@ function checkHardcodedSecrets(cwd) {
   const hits = [];
   function walk(dir) {
     try {
-      const items = fs.readdirSync(dir);
+      let items;
+  try { items = fs.readdirSync(dir); } catch (_) { return found; }
       for (const item of items) {
         if (item === 'node_modules' || item === '.git') continue;
         const full = path.join(dir, item);
-        const stat = fs.statSync(full);
+        let stat; try { stat = fs.statSync(full); } catch (_) { continue; }
         if (stat.isDirectory()) {
           walk(full);
         } else if (extensions.some(ext => item.endsWith(ext))) {
@@ -230,6 +240,33 @@ function checkGitStatus(cwd) {
   } catch (_) { return { uncommitted: false, unpushed: false }; }
 }
 
+function checkTypeScript(cwd) {
+  if (!fs.existsSync(path.join(cwd, 'tsconfig.json'))) return false;
+  try {
+    execSync('npx tsc --noEmit', { cwd, stdio: ['pipe', 'pipe', 'ignore'] });
+    return false;
+  } catch (_) {
+    return true;
+  }
+}
+
+function checkRequiredConfigFiles(cwd, projectType) {
+  const missing = [];
+  if (projectType === 'next') {
+    if (!fs.existsSync(path.join(cwd, 'next.config.js')) &&
+        !fs.existsSync(path.join(cwd, 'next.config.ts'))) {
+      missing.push('next.config.js');
+    }
+  }
+  if (projectType === 'vite') {
+    if (!fs.existsSync(path.join(cwd, 'vite.config.js')) &&
+        !fs.existsSync(path.join(cwd, 'vite.config.ts'))) {
+      missing.push('vite.config.js');
+    }
+  }
+  return missing;
+}
+
 function renderIssue(number, title, impact) {
   return number + '. ' + title + '\n\n' + impact + '\n';
 }
@@ -263,6 +300,8 @@ async function scan() {
   const hardcodedSecrets = checkHardcodedSecrets(cwd);
   const hasBuildScript = checkBuildScript(cwd);
   const gitStatus = checkGitStatus(cwd);
+  const hasTypeScriptErrors = checkTypeScript(cwd);
+  const missingConfigFiles = checkRequiredConfigFiles(cwd, projectType);
 
   let missing = [], empty = [], present = [], duplicates = [], envExampleOutOfSync = [];
 
@@ -296,6 +335,8 @@ async function scan() {
   if (drift && drift.notInstalled) criticalIssues.push({ title: 'Dependencies are not installed', impact: IMPACT.depsNotInstalled() });
   for (const file of envInGit) criticalIssues.push({ title: file + ' is tracked by git', impact: IMPACT.envInGit(file) });
   for (const file of hardcodedSecrets) criticalIssues.push({ title: 'Hardcoded secret in ' + file, impact: IMPACT.hardcodedSecret(file) });
+  for (const file of missingConfigFiles) criticalIssues.push({ title: file + ' is missing', impact: IMPACT.configFileMissing(file) });
+  if (hasTypeScriptErrors) criticalIssues.push({ title: 'TypeScript errors found', impact: IMPACT.typescriptErrors() });
 
   if (drift && !drift.notInstalled && drift.missing.length > 0) {
     for (const dep of drift.missing) warningIssues.push({ title: dep + ' is not installed', impact: IMPACT.depsDrift(dep) });
@@ -320,6 +361,8 @@ async function scan() {
   if (!drift || (!drift.notInstalled && drift.missing.length === 0)) passingChecks.push('Dependencies installed');
   if (duplicates.length === 0) passingChecks.push('No duplicate variables');
   if (hasBuildScript) passingChecks.push('Build script found');
+  if (!hasTypeScriptErrors && fs.existsSync(path.join(cwd, 'tsconfig.json'))) passingChecks.push('No TypeScript errors');
+  if (missingConfigFiles.length === 0) passingChecks.push('Config files present');
   if (!gitStatus.uncommitted) passingChecks.push('No uncommitted changes');
   if (!gitStatus.unpushed) passingChecks.push('No unpushed commits');
   for (const key of present) passingChecks.push(key + ' configured');
@@ -435,6 +478,8 @@ async function scan() {
     lockfile_missing: lockfileMissing,
     env_not_ignored: !envIgnored,
     build_script_missing: !hasBuildScript,
+    typescript_errors: hasTypeScriptErrors,
+    config_files_missing: missingConfigFiles.length,
     uncommitted: gitStatus.uncommitted,
     unpushed: gitStatus.unpushed
   });