seamshield 0.0.1 → 0.1.0

package/rules/ss-supabase-permissive-policy.yaml

@@ -0,0 +1,22 @@
+id: ss/supabase/permissive-policy
+severity: high
+title: RLS policy that allows everything
+description: >
+  A policy with USING (true) or WITH CHECK (true) grants the operation to
+  every requester, including the public anon role. RLS is technically on,
+  but it protects nothing.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    extensions: [".sql"]
+  patterns:
+    - name: policy-always-true
+      regex: "(?:USING|using|WITH CHECK|with check)\\s*\\(\\s*(?:true|TRUE)\\s*\\)"
+fix:
+  summary: Scope the policy to the requesting user (for example auth.uid() = user_id).
+  agent_prompt: >
+    Rewrite this policy condition to scope access to the requesting user —
+    typically `auth.uid() = user_id` for ownership, or a role check for
+    shared data. If the table is genuinely public read-only, restrict the
+    policy to SELECT and add a comment explaining why.

package/rules/ss-supabase-rls-disabled.yaml

@@ -0,0 +1,22 @@
+id: ss/supabase/rls-disabled
+severity: block
+title: Row Level Security disabled on a table
+description: >
+  A SQL migration disables Row Level Security. On Supabase the anon key is
+  public by design — RLS is the only thing standing between the internet
+  and this table's rows.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    extensions: [".sql"]
+  patterns:
+    - name: rls-disabled
+      regex: "(?:DISABLE ROW LEVEL SECURITY|disable row level security)"
+fix:
+  summary: Re-enable RLS and write policies for the access the app actually needs.
+  agent_prompt: >
+    Change this statement to ENABLE ROW LEVEL SECURITY and add explicit
+    CREATE POLICY statements for each access pattern the app needs (for
+    example: users can select/update their own rows). If RLS was disabled
+    to debug a policy, fix the policy instead of removing the protection.

package/schemas/finding.schema.json

@@ -0,0 +1,92 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://seamshield.dev/schemas/finding.schema.json",
+  "title": "SeamShield Scan Finding",
+  "description": "Profile of seamshield-final-framework canonical-security-ir for scanner findings, extended with a `finding` object. Spine fields keep canonical IR semantics.",
+  "type": "object",
+  "required": [
+    "event_id",
+    "event_type",
+    "time",
+    "tenant",
+    "decision",
+    "route",
+    "engines",
+    "provenance",
+    "spans",
+    "finding"
+  ],
+  "properties": {
+    "event_id": { "type": "string", "minLength": 8 },
+    "event_type": { "const": "scan.finding" },
+    "time": { "type": "string", "format": "date-time" },
+    "tenant": { "type": "string" },
+    "decision": { "enum": ["deny", "scan"] },
+    "route": {
+      "type": "object",
+      "required": ["plane", "lane", "reason"],
+      "properties": {
+        "plane": { "const": "evidence" },
+        "lane": { "const": "cpu" },
+        "reason": {
+          "type": "array",
+          "items": { "type": "string" },
+          "minItems": 1
+        }
+      }
+    },
+    "engines": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "required": ["name", "version"],
+        "properties": {
+          "name": { "type": "string" },
+          "version": { "type": "string" },
+          "role": { "type": "string" }
+        }
+      }
+    },
+    "provenance": {
+      "type": "object",
+      "required": ["policy_bundle_digest"],
+      "properties": {
+        "policy_bundle_digest": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
+      }
+    },
+    "spans": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["start", "end", "label", "evidence"],
+        "properties": {
+          "start": { "type": "integer", "minimum": 1 },
+          "end": { "type": "integer", "minimum": 1 },
+          "label": { "type": "string" },
+          "evidence": { "type": "string" }
+        }
+      }
+    },
+    "finding": {
+      "type": "object",
+      "required": ["rule_id", "severity", "title", "file", "line", "fix"],
+      "properties": {
+        "rule_id": { "type": "string", "pattern": "^ss/[a-z-]+/[a-z0-9-]+$" },
+        "severity": { "enum": ["block", "high", "warn", "info"] },
+        "title": { "type": "string" },
+        "file": { "type": "string" },
+        "line": { "type": "integer", "minimum": 1 },
+        "fix": {
+          "type": "object",
+          "required": ["summary", "agent_prompt"],
+          "properties": {
+            "summary": { "type": "string" },
+            "agent_prompt": { "type": "string" },
+            "doc_url": { "type": "string" }
+          }
+        }
+      }
+    }
+  }
+}

package/README.md

@@ -1,5 +0,0 @@
-# SeamShield
-
-The security layer for AI-built apps: a CLI scanner and AI-agent guard that catches the flaws vibecoded projects predictably ship — committed .env files, hardcoded API keys, secrets in client bundles, missing auth, and more.
-
-This is a placeholder release while v0.1 is in active development. Do not install yet.

package/index.js

@@ -1,2 +0,0 @@
-console.error("seamshield v0.0.1 is a placeholder — v0.1 (the real scanner) is in active development.");
-process.exit(1);