seamshield 0.0.1 → 0.1.1

package/rules/ss-secrets-supabase-service-role-key.yaml

@@ -0,0 +1,25 @@
+id: ss/secrets/supabase-service-role-key
+severity: block
+title: Supabase service-role key hardcoded in source
+description: >
+  A Supabase service-role JWT is written directly in source code. The
+  service-role key bypasses Row Level Security entirely — anyone holding it
+  can read and write every row in the database.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  redact: true
+  include:
+    extensions: [".ts", ".tsx", ".js", ".jsx", ".mjs", ".cjs", ".json", ".yaml", ".yml", ".toml", ".html", ".svelte", ".vue", ".astro", ".md"]
+  exclude:
+    basenames: [".env*", "package-lock.json", "pnpm-lock.yaml", "yarn.lock", "*.min.js"]
+  patterns:
+    - name: supabase-service-role-jwt
+      regex: "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]*(?:c2VydmljZV9yb2xl|NlcnZpY2Vfcm9sZ|zZXJ2aWNlX3JvbG)[A-Za-z0-9_-]*\\.[A-Za-z0-9_-]+"
+fix:
+  summary: Remove the service-role key from source, keep it server-side only, and rotate it.
+  agent_prompt: >
+    Delete this hardcoded Supabase service-role key. Read it from a
+    server-only environment variable instead, never expose it to client
+    code, and tell the user to rotate the key in the Supabase dashboard
+    (Settings > API) because the committed value is burned.

package/rules/ss-supabase-permissive-policy.yaml

@@ -0,0 +1,22 @@
+id: ss/supabase/permissive-policy
+severity: high
+title: RLS policy that allows everything
+description: >
+  A policy with USING (true) or WITH CHECK (true) grants the operation to
+  every requester, including the public anon role. RLS is technically on,
+  but it protects nothing.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    extensions: [".sql"]
+  patterns:
+    - name: policy-always-true
+      regex: "(?:USING|using|WITH CHECK|with check)\\s*\\(\\s*(?:true|TRUE)\\s*\\)"
+fix:
+  summary: Scope the policy to the requesting user (for example auth.uid() = user_id).
+  agent_prompt: >
+    Rewrite this policy condition to scope access to the requesting user —
+    typically `auth.uid() = user_id` for ownership, or a role check for
+    shared data. If the table is genuinely public read-only, restrict the
+    policy to SELECT and add a comment explaining why.

package/rules/ss-supabase-rls-disabled.yaml

@@ -0,0 +1,22 @@
+id: ss/supabase/rls-disabled
+severity: block
+title: Row Level Security disabled on a table
+description: >
+  A SQL migration disables Row Level Security. On Supabase the anon key is
+  public by design — RLS is the only thing standing between the internet
+  and this table's rows.
+framework_ref: AI_AGENT_DROP_IN.md#default-security-stance
+check:
+  type: regex
+  include:
+    extensions: [".sql"]
+  patterns:
+    - name: rls-disabled
+      regex: "(?:DISABLE ROW LEVEL SECURITY|disable row level security)"
+fix:
+  summary: Re-enable RLS and write policies for the access the app actually needs.
+  agent_prompt: >
+    Change this statement to ENABLE ROW LEVEL SECURITY and add explicit
+    CREATE POLICY statements for each access pattern the app needs (for
+    example: users can select/update their own rows). If RLS was disabled
+    to debug a policy, fix the policy instead of removing the protection.

package/schemas/finding.schema.json

@@ -0,0 +1,92 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://seamshield.dev/schemas/finding.schema.json",
+  "title": "SeamShield Scan Finding",
+  "description": "Profile of seamshield-final-framework canonical-security-ir for scanner findings, extended with a `finding` object. Spine fields keep canonical IR semantics.",
+  "type": "object",
+  "required": [
+    "event_id",
+    "event_type",
+    "time",
+    "tenant",
+    "decision",
+    "route",
+    "engines",
+    "provenance",
+    "spans",
+    "finding"
+  ],
+  "properties": {
+    "event_id": { "type": "string", "minLength": 8 },
+    "event_type": { "const": "scan.finding" },
+    "time": { "type": "string", "format": "date-time" },
+    "tenant": { "type": "string" },
+    "decision": { "enum": ["deny", "scan"] },
+    "route": {
+      "type": "object",
+      "required": ["plane", "lane", "reason"],
+      "properties": {
+        "plane": { "const": "evidence" },
+        "lane": { "const": "cpu" },
+        "reason": {
+          "type": "array",
+          "items": { "type": "string" },
+          "minItems": 1
+        }
+      }
+    },
+    "engines": {
+      "type": "array",
+      "minItems": 1,
+      "items": {
+        "type": "object",
+        "required": ["name", "version"],
+        "properties": {
+          "name": { "type": "string" },
+          "version": { "type": "string" },
+          "role": { "type": "string" }
+        }
+      }
+    },
+    "provenance": {
+      "type": "object",
+      "required": ["policy_bundle_digest"],
+      "properties": {
+        "policy_bundle_digest": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
+      }
+    },
+    "spans": {
+      "type": "array",
+      "items": {
+        "type": "object",
+        "required": ["start", "end", "label", "evidence"],
+        "properties": {
+          "start": { "type": "integer", "minimum": 1 },
+          "end": { "type": "integer", "minimum": 1 },
+          "label": { "type": "string" },
+          "evidence": { "type": "string" }
+        }
+      }
+    },
+    "finding": {
+      "type": "object",
+      "required": ["rule_id", "severity", "title", "file", "line", "fix"],
+      "properties": {
+        "rule_id": { "type": "string", "pattern": "^ss/[a-z-]+/[a-z0-9-]+$" },
+        "severity": { "enum": ["block", "high", "warn", "info"] },
+        "title": { "type": "string" },
+        "file": { "type": "string" },
+        "line": { "type": "integer", "minimum": 1 },
+        "fix": {
+          "type": "object",
+          "required": ["summary", "agent_prompt"],
+          "properties": {
+            "summary": { "type": "string" },
+            "agent_prompt": { "type": "string" },
+            "doc_url": { "type": "string" }
+          }
+        }
+      }
+    }
+  }
+}

package/index.js

@@ -1,2 +0,0 @@
-console.error("seamshield v0.0.1 is a placeholder — v0.1 (the real scanner) is in active development.");
-process.exit(1);