npm - seamshield - Versions diffs - 0.1.0 → 0.1.1 - Mend

seamshield 0.1.0 → 0.1.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +127 -0
package/package.json +30 -3

package/README.md ADDED Viewed

@@ -0,0 +1,127 @@
+# SeamShield
+SeamShield is the security layer for AI-built JavaScript and TypeScript apps. It scans for the predictable flaws that vibecoded projects ship: committed secrets, client-exposed server keys, client-only auth, open platform rules, unsafe agent config, and dependency supply-chain risks.
+The current product surface is:
+- `npx seamshield scan` - CLI scanner with table, JSON, and SARIF output.
+- `npx seamshield fix-plan` - writes agent-ready remediation prompts.
+- `npx seamshield agent-context` - writes SeamShield instructions for Claude Code or Cursor.
+- `npx seamshield guard install` / `guard check` - Claude Code PreToolUse guard for insecure edits and commands.
+## Install
+```bash
+npm install -g seamshield
+# or
+npx seamshield scan .
+```
+Requires Node.js 20 or newer.
+## Scan
+```bash
+npx seamshield scan .
+npx seamshield scan . --format json
+npx seamshield scan . --format sarif
+npx seamshield scan . --fail-on high
+npx seamshield scan . --offline
+```
+Exit codes:
+- `0` - no findings at or above the selected `--fail-on` threshold.
+- `1` - findings at or above the threshold.
+- `2` - CLI usage or scanner failure.
+`--offline` disables npm registry and OSV checks. Static rules still run.
+## Fix Plan
+```bash
+npx seamshield fix-plan .
+```
+This writes `.seamshield/fix-plan.json` with:
+- the finding list,
+- redacted evidence,
+- per-finding `agent_prompt` text,
+- one combined `agent_markdown` block for Claude Code, Cursor, or another coding agent.
+## Agent Context
+```bash
+npx seamshield agent-context . --claude
+npx seamshield agent-context . --cursor
+```
+Claude writes or updates `CLAUDE.md`. Cursor writes `.cursor/rules/seamshield.mdc`.
+## Claude Code Guard
+```bash
+npx seamshield guard install .
+```
+The guard installs a Claude Code `PreToolUse` hook for `Write`, `Edit`, `MultiEdit`, and `Bash`.
+It denies block-severity edits such as hardcoded provider keys, service-role keys, private keys, committed dotenv files, open Firebase rules, or RLS disablement. Bash checks deny obvious dangerous commands such as `git add .env*`, `curl ... | sh`, and installs of npm packages that do not resolve.
+Guard behavior is fail-open: if the hook errors, it allows the tool call and appends diagnostics to `.seamshield/guard.log`. CI/release gates should stay fail-closed.
+## Configuration
+Create `.seamshield/config.yaml`:
+```yaml
+ignore:
+  - vendored/**
+rules:
+  disable:
+    - ss/auth/client-only-guard
+```
+Suppress a single finding inline:
+```ts
+// seamshield-ignore ss/secrets/hardcoded-provider-key
+const fixtureKey = "sk_live_test_fixture_only";
+```
+## Privacy
+SeamShield v0.x runs locally. Static scanning does not transmit source code. Network dependency checks send package names and versions to the npm registry and OSV only; use `--offline` to disable them. Secret evidence is redacted before findings, JSON, SARIF, and fix plans are emitted.
+## Rule Coverage
+The rule pack covers:
+- secrets and client exposure,
+- Next.js auth footguns,
+- Supabase, Convex, and Firebase platform mistakes,
+- dependency lockfile, pinning, hallucinated-package, and OSV vulnerability checks,
+- agent config secrets and overbroad permissions.
+Rules map back to the SeamShield framework files under `seamshield-final-framework/` and `AI_AGENT_DROP_IN.md`.
+## Development
+```bash
+pnpm install
+pnpm build
+pnpm test
+pnpm typecheck
+```
+Before publishing:
+1. Revoke any exposed npm token and mint a fresh token.
+2. Run `pnpm build`, `pnpm test`, and `pnpm typecheck`.
+3. Verify `node packages/cli/dist/index.js scan examples/vulnerable-next-app --offline`.
+4. Publish from `packages/cli` after confirming package contents with `npm pack --dry-run`.
+## Framework
+The original SeamShield framework remains in `seamshield-final-framework/`: Runtime, Artifact, Update, and Evidence planes; OPA policies; schemas; validators; and adoption guidance.

package/package.json CHANGED Viewed

@@ -1,13 +1,39 @@
 {
   "name": "seamshield",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Security scanner for AI-generated apps: finds the flaws vibecoded projects predictably ship",
   "type": "module",
   "license": "MIT",
+  "homepage": "https://github.com/KaraboGerald/SeamShield#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/KaraboGerald/SeamShield.git",
+    "directory": "packages/cli"
+  },
+  "bugs": {
+    "url": "https://github.com/KaraboGerald/SeamShield/issues"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "cli",
+    "ai",
+    "vibecoding",
+    "secrets",
+    "sast",
+    "nextjs",
+    "supabase",
+    "firebase",
+    "claude-code",
+    "cursor",
+    "osv",
+    "sarif"
+  ],
   "bin": {
-    "seamshield": "./dist/index.js"
+    "seamshield": "dist/index.js"
   },
   "files": [
+    "README.md",
     "dist",
     "rules",
     "schemas"
@@ -16,7 +42,8 @@
     "node": ">=20"
   },
   "scripts": {
-    "build": "tsup src/index.ts --format esm --clean && tsc -p tsconfig.build.json && rm -rf rules schemas && cp -R ../rules/rules ../rules/schemas .",
+    "build": "tsup src/index.ts --format esm --clean && tsc -p tsconfig.build.json && rm -rf rules schemas && cp -R ../rules/rules ../rules/schemas . && cp ../../README.md README.md",
+    "prepack": "pnpm run build",
     "test": "vitest run"
   },
   "dependencies": {