secure-coding-rules 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025-2026 곽성재 (Gwak Seong-jae)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,168 @@
+# secure-coding-rules
+
+[![npm version](https://img.shields.io/npm/v/secure-coding-rules.svg)](https://www.npmjs.com/package/secure-coding-rules)
+[![license](https://img.shields.io/npm/l/secure-coding-rules.svg)](https://github.com/user/secure-coding-rules/blob/main/LICENSE)
+[![node](https://img.shields.io/node/v/secure-coding-rules.svg)](https://nodejs.org)
+
+**OWASP Top 10 2025** 기반 JavaScript/TypeScript 보안 코딩 룰을 AI 코딩 어시스턴트에 자동 적용하는 CLI 도구입니다.
+
+`npx secure-coding-rules` 한 줄이면 프로젝트의 CLAUDE.md, .cursor/rules, .windsurf/rules, copilot-instructions.md, AGENTS.md에 보안 룰이 적용됩니다.
+
+---
+
+## Quick Start
+
+```bash
+npx secure-coding-rules
+```
+
+인터랙티브 프롬프트:
+1. AI 도구 선택 (Claude Code / Cursor / Windsurf / Copilot / AGENTS.md)
+2. 프레임워크 선택 (React / Vue / Node.js / Vanilla) - **자동 감지됨**
+3. 보안 카테고리 선택 (전체 또는 개별)
+
+### Auto Mode
+
+프로젝트를 분석하여 자동으로 최적의 설정을 적용합니다:
+
+```bash
+npx secure-coding-rules --yes
+```
+
+- 기존 AI 도구 설정 파일이 있으면 자동 감지 후 업데이트
+- package.json에서 프레임워크 자동 감지 (React, Vue, Node.js 등)
+- CI/CD 등 non-interactive 환경에서도 동작
+
+### Status Check
+
+현재 프로젝트의 보안 룰 상태만 확인:
+
+```bash
+npx secure-coding-rules --check
+```
+
+## 지원 AI 도구
+
+| AI Tool | Output | 기존 파일 |
+|---------|--------|----------|
+| **Claude Code** | `CLAUDE.md` | 자동 병합 |
+| **Cursor** | `.cursor/rules/*.mdc` | 개별 파일 생성 |
+| **Windsurf** | `.windsurf/rules/*.md` | 개별 파일 생성 |
+| **GitHub Copilot** | `.github/copilot-instructions.md` | 자동 병합 |
+| **AGENTS.md** | `AGENTS.md` | 자동 병합 |
+
+## 보안 카테고리 (OWASP Top 10 2025)
+
+| Code | Category | Description |
+|------|----------|-------------|
+| A01 | Broken Access Control | RBAC/ABAC, IDOR 방지, 서버사이드 인가 |
+| A02 | Security Misconfiguration | 보안 헤더, CORS, 환경변수 관리 |
+| A03 | Supply Chain Failures | npm audit, lockfile 무결성, SRI **(2025 신규)** |
+| A04 | Cryptographic Failures | 안전한 해싱, 암호화, 키 관리 |
+| A05 | Injection | XSS, SQLi, NoSQLi, Command Injection |
+| A06 | Insecure Design | Threat modeling, 최소 권한 원칙 |
+| A07 | Authentication Failures | MFA, 세션 관리, 패스워드 정책 |
+| A08 | Data Integrity Failures | SRI, 안전한 역직렬화, CI/CD 보안 |
+| A09 | Logging & Alerting | 보안 로깅, 민감정보 마스킹, 알림 |
+| A10 | Error Handling | Fail-safe 기본값, 에러 정보 노출 방지 **(2025 신규)** |
+
+### Frontend Modules
+
+| Code | Category | Description |
+|------|----------|-------------|
+| FE-01 | XSS Prevention | DOM 조작 보안, sanitization |
+| FE-02 | CSRF Protection | 토큰 기반 방어, SameSite 쿠키 |
+| FE-03 | Content Security Policy | CSP 헤더, nonce, 리포팅 |
+| FE-04 | Secure State | 안전한 상태관리, 메모리 내 토큰 |
+
+## 동작 방식
+
+### 룰 형식
+
+모든 보안 룰은 AI가 이해하기 쉬운 일관된 구조를 따릅니다:
+
+```markdown
+### 1. Rule Title
+- **DO**: 구체적으로 해야 할 것
+- **DON'T**: 하지 말아야 할 것
+- **WHY**: 왜 중요한지
+
+## Code Examples
+### Bad Practice / Good Practice
+
+## Quick Checklist
+- [ ] 체크리스트 항목
+```
+
+### 기존 파일 병합
+
+이미 CLAUDE.md 등이 있으면 기존 내용을 보존하고 보안 섹션만 추가/업데이트합니다:
+
+```html
+<!-- js-secure-coding:start -->
+(이 영역만 업데이트됨)
+<!-- js-secure-coding:end -->
+```
+
+다시 실행하면 해당 영역만 최신 버전으로 교체됩니다.
+
+### 프로젝트 자동 감지
+
+`secure-coding-rules`는 실행 시 현재 프로젝트를 분석합니다:
+
+- **AI 도구 감지**: CLAUDE.md, .cursor/, .windsurf/, .github/ 존재 여부 확인
+- **프레임워크 감지**: package.json의 dependencies에서 React/Vue/Express 등 파악
+- **상태 표시**: 인터랙티브 모드에서 감지 결과를 보여주고, 관련 항목을 우선 추천
+
+## 수동 사용
+
+CLI 없이 `src/templates/` 마크다운 파일을 직접 복사하여 사용 가능합니다:
+
+```
+src/templates/
+├── core/           # OWASP Top 10 2025 (A01-A10)
+│   ├── access-control.md
+│   ├── authentication.md
+│   ├── cryptographic.md
+│   ├── data-integrity.md
+│   ├── error-handling.md
+│   ├── injection.md
+│   ├── logging-alerting.md
+│   ├── secure-design.md
+│   ├── security-config.md
+│   └── supply-chain.md
+└── frontend/       # Frontend 특화 보안 룰
+    ├── xss-prevention.md
+    ├── csrf-protection.md
+    ├── csp.md
+    └── secure-state.md
+```
+
+## CLI Options
+
+```
+npx secure-coding-rules              인터랙티브 모드 (자동 감지)
+npx secure-coding-rules --yes        스마트 기본값으로 자동 적용
+npx secure-coding-rules --check      프로젝트 보안 상태 확인
+npx secure-coding-rules --help       도움말
+npx secure-coding-rules --version    버전
+```
+
+## Legacy Templates
+
+v1.0 원본 템플릿은 `legacy/` 디렉토리에 보존되어 있습니다.
+
+## 참고 자료
+
+- [OWASP Top 10 2025](https://owasp.org/Top10/2025/)
+- [Node.js Security Best Practices](https://nodejs.org/en/learn/getting-started/security-best-practices)
+- [OWASP Cheat Sheet Series](https://cheatsheetseries.owasp.org/IndexTopTen.html)
+- [JavaScript Secure Coding Guide (KISA)](https://www.kisa.or.kr/2060204/form?postSeq=14&page=1)
+
+## Contributing
+
+PR을 환영합니다! 새로운 보안 룰, AI 도구 어댑터, 기존 내용 개선 등.
+
+## License
+
+[MIT](LICENSE) - 곽성재 (Gwak Seong-jae)

package/bin/cli.js

@@ -0,0 +1,8 @@
+#!/usr/bin/env node
+
+import { run } from '../src/index.js';
+
+run().catch((err) => {
+  console.error('Error:', err.message);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "secure-coding-rules",
+  "version": "2.0.0",
+  "description": "OWASP 2025 security rules for AI coding assistants. Auto-apply to CLAUDE.md, Cursor, Windsurf, Copilot, AGENTS.md with one command.",
+  "main": "src/index.js",
+  "exports": {
+    ".": "./src/index.js",
+    "./loader": "./src/loader.js"
+  },
+  "bin": {
+    "secure-coding-rules": "bin/cli.js"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "LICENSE",
+    "README.md"
+  ],
+  "scripts": {
+    "start": "node bin/cli.js",
+    "test": "node --test src/__tests__/*.test.js"
+  },
+  "keywords": [
+    "security",
+    "owasp",
+    "owasp-top-10",
+    "secure-coding",
+    "javascript",
+    "typescript",
+    "claude",
+    "claude-md",
+    "cursor",
+    "cursorrules",
+    "windsurf",
+    "copilot",
+    "agents-md",
+    "ai-coding",
+    "code-security",
+    "security-rules",
+    "xss",
+    "csrf",
+    "injection",
+    "access-control"
+  ],
+  "author": {
+    "name": "Gwak Seong-jae",
+    "url": "https://github.com/user"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/user/secure-coding-rules.git"
+  },
+  "homepage": "https://github.com/user/secure-coding-rules#readme",
+  "bugs": {
+    "url": "https://github.com/user/secure-coding-rules/issues"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "type": "module",
+  "dependencies": {},
+  "devDependencies": {}
+}

package/src/adapters/agents.js

@@ -0,0 +1,54 @@
+/**
+ * AGENTS.md adapter - vendor-neutral format
+ * Compatible with Sourcegraph Amp and other tools that support AGENTS.md
+ */
+
+import { getCategoryInfo } from '../loader.js';
+
+export const name = 'AGENTS.md (Vendor-neutral)';
+export const outputPath = 'AGENTS.md';
+export const description = 'Generates AGENTS.md (vendor-neutral AI assistant rules)';
+
+const SECTION_START = '<!-- js-secure-coding:start -->';
+const SECTION_END = '<!-- js-secure-coding:end -->';
+
+export function format(templates, options = {}) {
+  const { framework = 'vanilla' } = options;
+  const lines = [];
+
+  lines.push(SECTION_START);
+  lines.push('<!-- version: 2.0.0 -->');
+  lines.push('');
+  lines.push('# Security Guidelines');
+  lines.push('');
+  lines.push('Based on OWASP Top 10 2025. Follow these rules when writing or modifying JavaScript/TypeScript code.');
+  lines.push(`Framework context: ${framework}`);
+  lines.push('');
+
+  for (const [category, content] of templates) {
+    const info = getCategoryInfo(category);
+    lines.push(`## ${info.owasp}: ${info.title}`);
+    lines.push('');
+    lines.push(content.replace(/^# .+\n+(?:>.*\n+)*/, ''));
+    lines.push('');
+  }
+
+  lines.push(SECTION_END);
+
+  return lines.join('\n');
+}
+
+export function merge(existingContent, newSection) {
+  if (existingContent.includes(SECTION_START)) {
+    const before = existingContent.substring(
+      0,
+      existingContent.indexOf(SECTION_START)
+    );
+    const after = existingContent.substring(
+      existingContent.indexOf(SECTION_END) + SECTION_END.length
+    );
+    return before.trimEnd() + '\n\n' + newSection + '\n' + after.trimStart();
+  }
+  const trimmed = existingContent.trimEnd();
+  return (trimmed ? trimmed + '\n\n' : '') + newSection + '\n';
+}

package/src/adapters/claude.js

@@ -0,0 +1,88 @@
+/**
+ * Claude Code adapter - generates CLAUDE.md format
+ */
+
+import { getCategoryInfo } from '../loader.js';
+
+export const name = 'Claude Code';
+export const outputPath = 'CLAUDE.md';
+export const description = 'Generates CLAUDE.md for Claude Code';
+
+/**
+ * Check if an existing CLAUDE.md has a security section
+ */
+const SECTION_START = '<!-- js-secure-coding:start -->';
+const SECTION_END = '<!-- js-secure-coding:end -->';
+
+export function format(templates, options = {}) {
+  const { framework = 'vanilla' } = options;
+  const lines = [];
+
+  lines.push(SECTION_START);
+  lines.push('<!-- version: 2.0.0 -->');
+  lines.push('');
+  lines.push('# Security Rules (OWASP 2025)');
+  lines.push('');
+  lines.push(`> Auto-generated by js-secure-coding v2.0 | Framework: ${framework}`);
+  lines.push('> Reference: https://owasp.org/Top10/2025/');
+  lines.push('');
+
+  for (const [category, content] of templates) {
+    const info = getCategoryInfo(category);
+    lines.push(`## ${info.owasp}: ${info.title}`);
+    lines.push('');
+    // Extract just the Rules and Quick Checklist sections for conciseness
+    lines.push(extractEssentials(content));
+    lines.push('');
+  }
+
+  lines.push(SECTION_END);
+
+  return lines.join('\n');
+}
+
+/**
+ * Merge security rules into existing CLAUDE.md content
+ */
+export function merge(existingContent, newSection) {
+  if (existingContent.includes(SECTION_START)) {
+    // Replace existing section
+    const before = existingContent.substring(
+      0,
+      existingContent.indexOf(SECTION_START)
+    );
+    const after = existingContent.substring(
+      existingContent.indexOf(SECTION_END) + SECTION_END.length
+    );
+    return before.trimEnd() + '\n\n' + newSection + '\n' + after.trimStart();
+  }
+  // Append to end
+  const trimmed = existingContent.trimEnd();
+  return (trimmed ? trimmed + '\n\n' : '') + newSection + '\n';
+}
+
+function extractEssentials(content) {
+  const lines = content.split('\n');
+  const result = [];
+  let inRules = false;
+  let inChecklist = false;
+
+  for (const line of lines) {
+    if (line.startsWith('## Rules') || line.startsWith('## Quick Checklist')) {
+      inRules = line.startsWith('## Rules');
+      inChecklist = line.startsWith('## Quick Checklist');
+      result.push(line);
+      continue;
+    }
+    if (line.startsWith('## ') && (inRules || inChecklist)) {
+      inRules = false;
+      inChecklist = false;
+      continue;
+    }
+    if (inRules || inChecklist) {
+      result.push(line);
+    }
+  }
+
+  return result.join('\n').trim();
+}

package/src/adapters/copilot.js

@@ -0,0 +1,82 @@
+/**
+ * GitHub Copilot adapter - generates .github/copilot-instructions.md
+ */
+
+import { getCategoryInfo } from '../loader.js';
+
+export const name = 'GitHub Copilot';
+export const outputPath = '.github/copilot-instructions.md';
+export const description = 'Generates .github/copilot-instructions.md';
+
+const SECTION_START = '<!-- js-secure-coding:start -->';
+const SECTION_END = '<!-- js-secure-coding:end -->';
+
+export function format(templates, options = {}) {
+  const { framework = 'vanilla' } = options;
+  const lines = [];
+
+  lines.push(SECTION_START);
+  lines.push('<!-- version: 2.0.0 -->');
+  lines.push('');
+  lines.push('## Security Coding Guidelines (OWASP 2025)');
+  lines.push('');
+  lines.push(
+    'When writing or reviewing JavaScript/TypeScript code, follow these security rules:'
+  );
+  lines.push('');
+
+  for (const [category, content] of templates) {
+    const info = getCategoryInfo(category);
+    // Copilot instructions should be concise - extract rules only
+    lines.push(`### ${info.owasp}: ${info.title}`);
+    lines.push('');
+    lines.push(extractRulesOnly(content));
+    lines.push('');
+  }
+
+  lines.push(SECTION_END);
+
+  return lines.join('\n');
+}
+
+export function merge(existingContent, newSection) {
+  if (existingContent.includes(SECTION_START)) {
+    const before = existingContent.substring(
+      0,
+      existingContent.indexOf(SECTION_START)
+    );
+    const after = existingContent.substring(
+      existingContent.indexOf(SECTION_END) + SECTION_END.length
+    );
+    return before.trimEnd() + '\n\n' + newSection + '\n' + after.trimStart();
+  }
+  const trimmed = existingContent.trimEnd();
+  return (trimmed ? trimmed + '\n\n' : '') + newSection + '\n';
+}
+
+function extractRulesOnly(content) {
+  const lines = content.split('\n');
+  const result = [];
+  let inRules = false;
+
+  for (const line of lines) {
+    if (line.startsWith('## Rules')) {
+      inRules = true;
+      continue;
+    }
+    if (line.startsWith('## ') && inRules) {
+      inRules = false;
+      continue;
+    }
+    if (inRules) {
+      // Convert ### to bullet points for Copilot's flatter format
+      if (line.startsWith('### ')) {
+        result.push(`- **${line.replace('### ', '').replace(/^\d+\.\s*/, '')}**`);
+      } else if (line.startsWith('- **DO') || line.startsWith('- **DON\'T') || line.startsWith('- **WHY')) {
+        result.push(`  ${line}`);
+      }
+    }
+  }
+
+  return result.join('\n').trim();
+}

package/src/adapters/cursor.js

@@ -0,0 +1,68 @@
+/**
+ * Cursor adapter - generates .cursor/rules/*.mdc format
+ */
+
+import { getCategoryInfo } from '../loader.js';
+
+export const name = 'Cursor';
+export const outputDir = '.cursor/rules';
+export const description = 'Generates .cursor/rules/*.mdc files';
+
+/**
+ * Format templates into individual .mdc files
+ * Returns Map<filename, content>
+ */
+export function formatMultiple(templates, options = {}) {
+  const files = new Map();
+
+  for (const [category, content] of templates) {
+    const info = getCategoryInfo(category);
+    const filename = `security-${category}.mdc`;
+    const mdc = formatMdc(category, content, info, options);
+    files.set(filename, mdc);
+  }
+
+  return files;
+}
+
+/**
+ * Format a single template into .mdc format
+ * MDC files have frontmatter with description and globs
+ */
+function formatMdc(category, content, info, options = {}) {
+  const { framework = 'vanilla' } = options;
+
+  const globs = getGlobsForCategory(category, framework);
+  const lines = [];
+
+  lines.push('---');
+  lines.push(`description: "${info.owasp} ${info.title} - OWASP 2025 Security Rules"`);
+  if (globs) {
+    lines.push(`globs: "${globs}"`);
+  }
+  lines.push('---');
+  lines.push('');
+  lines.push(content);
+
+  return lines.join('\n');
+}
+
+function getGlobsForCategory(category, framework) {
+  const isReact = ['react', 'next', 'nextjs'].includes(framework);
+  const codeExts = isReact ? '{jsx,tsx,js,ts}' : '{js,ts,jsx,tsx}';
+
+  const globMap = {
+    'authentication': `**/{auth,login,signup,session}*.${codeExts}`,
+    'access-control': `**/{middleware,guard,policy,permission,role}*.${codeExts}`,
+    'injection': `**/{api,route,handler,query,db}*.${codeExts}`,
+    'cryptographic': `**/{crypto,hash,encrypt,token,secret}*.${codeExts}`,
+    'xss-prevention': isReact ? '**/*.{jsx,tsx}' : '**/*.{jsx,tsx,vue,svelte}',
+    'csrf-protection': `**/{form,api,fetch,request}*.${codeExts}`,
+    'csp': '**/{middleware,header,config,server}*.{js,ts}',
+    'secure-state': `**/{store,context,state,reducer}*.${codeExts}`,
+    'supply-chain': '**/package.json',
+    'logging-alerting': '**/{log,logger,monitor,alert}*.{js,ts}',
+    'error-handling': `**/{error,handler,middleware,catch}*.${codeExts}`,
+  };
+  return globMap[category] || null;
+}

package/src/adapters/windsurf.js

@@ -0,0 +1,57 @@
+/**
+ * Windsurf adapter - generates .windsurf/rules/*.md format
+ */
+
+import { getCategoryInfo } from '../loader.js';
+
+export const name = 'Windsurf';
+export const outputDir = '.windsurf/rules';
+export const description = 'Generates .windsurf/rules/*.md files';
+
+/**
+ * Format templates into individual .md files for Windsurf
+ * Returns Map<filename, content>
+ */
+export function formatMultiple(templates, options = {}) {
+  const files = new Map();
+
+  for (const [category, content] of templates) {
+    const info = getCategoryInfo(category);
+    const filename = `security-${category}.md`;
+    const formatted = formatWindsurfRule(category, content, info, options);
+    files.set(filename, formatted);
+  }
+
+  return files;
+}
+
+function formatWindsurfRule(category, content, info, options = {}) {
+  const { framework = 'vanilla' } = options;
+  const lines = [];
+
+  lines.push(`# ${info.owasp}: ${info.title}`);
+  lines.push('');
+  lines.push(`> OWASP 2025 Security Rule | Framework: ${framework}`);
+  lines.push('> Generated by js-secure-coding');
+  lines.push('');
+  lines.push(stripTitle(content));
+
+  return lines.join('\n');
+}
+
+function stripTitle(content) {
+  const lines = content.split('\n');
+  // Remove the first H1 title if present (we add our own)
+  if (lines[0]?.startsWith('# ')) {
+    lines.shift();
+    // Remove blank line after title
+    if (lines[0]?.trim() === '') lines.shift();
+    // Remove blockquote lines after title (e.g., > description)
+    while (lines[0]?.startsWith('>')) {
+      lines.shift();
+    }
+    // Remove blank line after blockquote
+    if (lines[0]?.trim() === '') lines.shift();
+  }
+  return lines.join('\n');
+}