npm - seamshield - Versions diffs - 0.2.0 → 0.2.1 - Mend

seamshield 0.2.0 → 0.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -28,6 +28,7 @@ seamshield access . --format table
 seamshield access . --format json
 seamshield scan . --offline
 seamshield fix-plan . --agent codex
+seamshield agent-context . --codex
 seamshield triage . --rule ss/auth/client-only-guard
 seamshield agent-context . --claude
 seamshield agent-context . --cursor
@@ -98,15 +99,19 @@ Writes `.seamshield/fix-plan.json` and a Markdown plan under
 ## Agent Guard
 ```bash
+seamshield agent-context . --codex
 seamshield agent-context . --claude
 seamshield agent-context . --cursor
 seamshield guard install .
 ```
-`agent-context` writes agent instructions. `guard install` adds a Claude Code
-`PreToolUse` hook that blocks high-confidence risky edits such as committed
-dotenv files, exposed server secrets, public database/storage writes, unsafe
-`.env` edits, dangerous shell installs, and obvious privileged route exposure.
+`agent-context --codex` writes `AGENTS.md`. `--claude` writes `CLAUDE.md`.
+`--cursor` writes `.cursor/rules/seamshield.mdc`.
+`guard install` adds a Claude Code `PreToolUse` hook that blocks
+high-confidence risky edits such as committed dotenv files, exposed server
+secrets, public database/storage writes, unsafe `.env` edits, dangerous shell
+installs, and obvious privileged route exposure.
 Guard behavior is fail-open: if the hook errors, it allows the tool call and
 appends diagnostics to `.seamshield/guard.log`.

package/dist/index.js CHANGED Viewed

@@ -1413,6 +1413,7 @@ var FORMATS = ["table", "json", "sarif"];
 var ACCESS_FORMATS = ["table", "json"];
 var FAIL_ON = ["block", "high", "warn", "never"];
 var FIX_AGENTS = ["claude", "cursor", "codex", "generic"];
+var CONTEXT_AGENTS = ["claude", "cursor", "codex"];
 function assertChoice(value, allowed, label) {
   if (value && !allowed.includes(value)) {
     console.error(`seamshield: unknown --${label} "${value}" (expected: ${allowed.join(", ")})`);
@@ -1470,31 +1471,33 @@ async function readScanForCommand(path, offline = true) {
     return null;
   }
 }
+function writeSection(path, marker, body) {
+  mkdirSync3(dirname3(path), { recursive: true });
+  const existing = existsSync2(path) ? readFileSync6(path, "utf8") : "";
+  const next = existing.includes(marker) ? existing.replace(new RegExp(`${marker}[\\s\\S]*?(?=\\n# |\\n?$)`), body.trimEnd()) : `${existing.trimEnd()}${existing.trim() ? "\n\n" : ""}${body}`;
+  writeFileSync3(path, next.endsWith("\n") ? next : `${next}
+`);
+  return path;
+}
 function writeAgentContext(target, kind) {
   const body = [
     "# SEAMSHIELD",
     "",
-    "- Run `npx seamshield scan --offline` before committing AI-generated changes.",
+    "- Run `npx seamshield ship .` before deploys and `npx seamshield scan --offline` before committing AI-generated changes.",
     "- Never hardcode provider keys, service-role keys, private keys, or dotenv contents.",
     "- Do not expose server secrets through `NEXT_PUBLIC_*` or client components.",
     "- Do not rely on client-only auth for private data; enforce auth server-side.",
-    "- Keep Supabase RLS enabled and Firebase rules closed by default.",
-    "- If SeamShield reports findings, apply the generated `npx seamshield fix-plan` prompts.",
+    "- Keep Supabase RLS enabled, Firebase rules closed by default, and Convex privileged mutations authenticated or internal.",
+    `- If SeamShield reports findings, inspect \`npx seamshield access .\` and apply \`npx seamshield fix-plan . --agent ${kind === "codex" ? "codex" : kind}\`.`,
     ""
   ].join("\n");
   if (kind === "cursor") {
-    const out2 = join7(target, ".cursor", "rules", "seamshield.mdc");
-    mkdirSync3(dirname3(out2), { recursive: true });
-    writeFileSync3(out2, body);
-    return out2;
+    const out = join7(target, ".cursor", "rules", "seamshield.mdc");
+    mkdirSync3(dirname3(out), { recursive: true });
+    writeFileSync3(out, body);
+    return out;
   }
-  const out = join7(target, "CLAUDE.md");
-  const existing = existsSync2(out) ? readFileSync6(out, "utf8") : "";
-  const marker = "# SEAMSHIELD";
-  const next = existing.includes(marker) ? existing.replace(/# SEAMSHIELD[\s\S]*?(?=\n# |\n?$)/, body.trimEnd()) : `${existing.trimEnd()}${existing.trim() ? "\n\n" : ""}${body}`;
-  writeFileSync3(out, next.endsWith("\n") ? next : `${next}
-`);
-  return out;
+  return writeSection(join7(target, kind === "codex" ? "AGENTS.md" : "CLAUDE.md"), "# SEAMSHIELD", body);
 }
 function readTriageConfig(target) {
   const path = join7(target, ".seamshield", "config.yaml");
@@ -1688,9 +1691,19 @@ program.command("learn").description("Update local controls from vulnerability i
 program.command("triage").description("Persist current false-positive decisions into .seamshield/config.yaml").argument("[path]", "directory to scan", ".").option("--rule <rule-id>", "only suppress current findings from one rule").option("--reason <text>", "suppression reason", "triaged false positive").option("--include-block", "also suppress block findings", false).option("--online", "include network-backed dependency intelligence").action(
   (path, opts) => writeTriageSuppressions(path, opts)
 );
-program.command("agent-context").description("Write SeamShield agent instructions into CLAUDE.md or Cursor rules").argument("[path]", "project directory", ".").option("--claude", "write CLAUDE.md", false).option("--cursor", "write .cursor/rules/seamshield.mdc", false).action((path, opts) => {
+program.command("agent-context").description("Write SeamShield agent instructions into AGENTS.md, CLAUDE.md, or Cursor rules").argument("[path]", "project directory", ".").option("--claude", "write CLAUDE.md", false).option("--cursor", "write .cursor/rules/seamshield.mdc", false).option("--codex", "write AGENTS.md", false).action((path, opts) => {
+  const selected = [
+    opts.claude ? "claude" : null,
+    opts.cursor ? "cursor" : null,
+    opts.codex ? "codex" : null
+  ].filter(Boolean);
+  if (selected.length > 1) {
+    console.error(`seamshield: choose one agent context (${CONTEXT_AGENTS.join(", ")})`);
+    process.exitCode = 2;
+    return;
+  }
   const target = resolve2(path);
-  const kind = opts.cursor ? "cursor" : "claude";
+  const kind = selected[0] ?? "codex";
   console.log(writeAgentContext(target, kind));
 });
 var guard = program.command("guard").description("Claude Code guard utilities");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "seamshield",
-  "version": "0.2.0",
+  "version": "0.2.1",
   "description": "Security scanner for AI-generated apps: finds the flaws vibecoded projects predictably ship",
   "type": "module",
   "license": "MIT",
@@ -57,7 +57,7 @@
     "@seamshield/rules": "0.1.0"
   },
   "scripts": {
-    "build": "tsup src/index.ts --format esm --clean && tsc -p tsconfig.build.json && rm -rf rules schemas && cp -R ../rules/rules ../rules/schemas .",
+    "build": "tsup src/index.ts --format esm --clean && tsc -p tsconfig.build.json && rm -rf rules schemas && ditto ../rules/rules rules && ditto ../rules/schemas schemas",
     "test": "vitest run"
   }
 }